Ath and tools

2005-10-26 Thread Alexandre

Hi all,

I looked in man 4 ath, man 8 ifconfig and man 8 wicontrol but did find 
out the answer to my question:

Is there any tool like wicontrol for ath cards ?
Typically, how can I scan for access points ?

Yours,

Alexandre Stefani



HP DL 380 G3 + OpenBSD 3.8

2005-10-26 Thread Лебедев Андрей Германович
Hello! I have a problem :( My server is an HP DL380 G3.
#uname -a
OpenBSD web-access-c1.investstr.econmos.com 3.8 GENERIC#202 i386
#dmesg
OpenBSD 3.8-current (GENERIC) #202: Wed Oct 19 17:52:24 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.06GHz (GenuineIntel 686-class) 3.05 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 2147041280 (2096720K)
avail mem = 1953165312 (1907388K)
using 4278 buffers containing 107454464 bytes (104936K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 9 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks CSB5 rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000 0xcc000/0x1800 0xee000/0x2000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CNB20-HE Host (GC-LE) rev 0x33
pchb1 at pci0 dev 0 function 1 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci1 at pchb1 bus 3
pchb2 at pci0 dev 0 function 2 ServerWorks CNB20-HE Host (GC-LE) rev 0x00
pci2 at pchb2 bus 1
ciss0 at pci2 dev 3 function 0 Compaq Smart Array 5i/532 rev.2 rev 0x01: irq
10
ciss0: 1 LD HW rev 1 FW 2.36/2.36
lmap 4000:0 scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: COMPAQ, LOGICAL VOLUME, 2.36 SCSI0 0/direct
fixed
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
sd0: 104183MB, 104183 cyl, 64 head, 32 sec, 512 bytes/sec, 213367680 sec
total
vga1 at pci0 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
vendor Compaq, unknown product 0xb203 (class system subclass miscellaneous,
rev 0x01) at pci0 dev 4 function 0 not configured
vendor Compaq, unknown product 0xb204 (class system subclass miscellaneous,
rev 0x01) at pci0 dev 4 function 2 not configured
pcib0 at pci0 dev 15 function 0 ServerWorks CSB5 rev 0x93
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: TEAC, DW-224E, A.1K SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: irq 7,
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
pchb3 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
pchb4 at pci0 dev 16 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb5 at pci0 dev 16 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci3 at pchb5 bus 6
Compaq PCI Hotplug rev 0x14 at pci3 dev 30 function 0 not configured
pchb6 at pci0 dev 17 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
pchb7 at pci0 dev 17 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
pci4 at pchb7 bus 2
bge0 at pci4 dev 1 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2
(0x1002): irq 11 address 00:0e:7f:ad:0e:e4
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
bge1 at pci4 dev 2 function 0 Broadcom BCM5703X rev 0x02: couldn't establish
interrupt at irq 15
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask e7ed netmask efed ttymask ffef
pctr: user-level cycle counter enabled
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
ciss0: cmd_stat 2 scsi_stat 0x0
# cd /usr/ports
# make search nmae=pci
The search target requires a keyword or name parameter,
e.g.: make search key=somekeyword make search name=somename
# make search name=pci

Question about isakmpd on obsd 3.7

2005-10-26 Thread [EMAIL PROTECTED]

Hi all,

 Is IKE over TCP supported under isakmpd on obsd 3.7? Where can I
find docs about this configuration?


Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: Ath and tools

2005-10-26 Thread Marcus Glocker
Hi Alexandre,

I don't know of a control tool for ath(4) because everything can be done via
ifconfig(8).  To scan for access points, simply run:

ifconfig -M ath0

I also wrote a wmdockapp which does a bit of monitoring of your wireless card
and works pretty well with ath(4).  Here is the port for the latest version:

http://www.nazgul.ch/dev/wmwlmon-port.tar.gz

Regards,
Marcus

On Wed, Oct 26, 2005 at 09:42:09AM +0200, Alexandre wrote:

 Hi all,
 
 I looked in man 4 ath, man 8 ifconfig and man 8 wicontrol but did find 
 out the answer to my question:
 Is there any tool like wicontrol for ath cards ?
 Typically, how can I scan for access points ?
 
 Yours,
 
 Alexandre Stefani

-- 
Marcus Glocker, [EMAIL PROTECTED], http://www.nazgul.ch -



Re: Ath and tools

2005-10-26 Thread David Gwynne

From: Alexandre [EMAIL PROTECTED]


Hi all,

I looked in man 4 ath, man 8 ifconfig and man 8 wicontrol but did find out 
the answer to my question:

Is there any tool like wicontrol for ath cards ?
Typically, how can I scan for access points ?


I think this was added post 3.7, but you might be interested in ifconfig -M. 
According to the ifconfig manpage:


-M  For the chosen 802.11 interfaces, show the results of an access
point scan.  In Host AP mode, this will dump the list of known
nodes.

dlg 



Re: Question about isakmpd on obsd 3.7

2005-10-26 Thread Hans-Joerg Hoexer
On Wed, Oct 26, 2005 at 10:24:25AM +0200, [EMAIL PROTECTED] wrote:
 Hi all,
 
  Is ike over tcp supported under isakmpd on obsd 3.7?? where I can 

no



Re: HP DL 380 G3 + OpenBSD 3.8

2005-10-26 Thread Uwe Dippel
 My problem (!!!) - bge1 at pci4 dev 2 function 0 Broadcom BCM5703X rev 0x02:
 couldn't establish interrupt at irq 15.
 Howto ? RTFM ? Help me!

Try to set it to a different IRQ in the BIOS.
The whole matter is strange on irq15, which is usually for secondary IDE.

Uwe



Re: HP DL 380 G3 + OpenBSD 3.8

2005-10-26 Thread Лебедев Андрей Германович

Thx! IRQ = 7, all works OK!
- Original Message - 
From: Uwe Dippel [EMAIL PROTECTED]

To: misc@openbsd.org
Sent: Wednesday, October 26, 2005 12:43 PM
Subject: Re: HP DL 380 G3 + OpenBSD 3.8


My problem (!!!) - bge1 at pci4 dev 2 function 0 Broadcom BCM5703X rev 
0x02:

couldn't establish interrupt at irq 15.
Howto ? RTFM ? Help me!


Try to set it to a different IRQ in the BIOS.
The whole matter is strange on irq15, which is usually for secondary IDE.

Uwe





Migrating to a new HD

2005-10-26 Thread Han Boetes
Hi,

I just wrote this article about migrating to a new HD after the
old one got too flaky.

I maintain the original over here:

  http://www.xs4all.nl/~hanb/documents/hd-migration


HD MIGRATION:

It started with my HD failing to sync when I was rebooting. And
some odd error messages I saw. So I was holding my breath hoping
for it to be something else or just an incident. But it only got
worse. So after a reboot and nearly losing a lot of important
stuff I decided to make the switch. And after a struggle with cp
and rsync, when I had everything set like I should, I found out
that an old lilo was still haunting the MBR and I knew no way to
get rid of it since I had no floppy. So, I could start all over again.

I decided to write it all down so no one would have to suffer the
same as me. After some tips on #OpenBSD I found the following
procedure:

My original hard disk was wd0 and the usb2 external drive sd0 is
the new drive, which I will swap with the old drive after all is
done.

# I use the whole disk and this is the command I had to use in the
# first instance to get rid of lilo.

fdisk -i sd0

# Now I could also reconsider my partition table and I increased my
# /var partition which I wanted to do for a long time. You can
# also add or remove partitions if you like that. After having the
# right partition table in my mind I ran disklabel. It's a pretty
# straightforward tool, so I won't bother explaining how it works.

disklabel -e sd0

# newfs is also really simple.

newfs /dev/sd0a
newfs /dev/sd0d
# etc, etc.

# And then I mounted the new filesystem. The extra options speed
# up the copying of files.

mkdir /mnt/new
mount -o async,noatime,softdep /dev/sd0a /mnt/new
cd /mnt/new
# The mount points have to exist on the new root before the
# other filesystems can be mounted on them.
mkdir tmp var usr home
mount -o async,noatime,softdep /dev/sd0d tmp
mount -o async,noatime,softdep /dev/sd0e var
mount -o async,noatime,softdep /dev/sd0f usr
mount -o async,noatime,softdep /dev/sd0g home

# First I prepared the dirs I didn't want to copy.

mkdir dev
cp /dev/MAKEDEV dev
cd dev
./MAKEDEV all
cd ..

mkdir -p altroot kern mnt proc stand tmp

# Also make sure you set the right permissions for /tmp

chmod 1777 tmp

# There are two ways I found pretty comfortable to copy dirs. cp
# -Rp is fast. rsync shows what's going on, and you can easily
# update the remaining differences. So if you don't want to use
# rsync you'll have to do the copying in single user mode.

cp -Rp /etc .
rsync -aP /var .

# And so on and so forth for all remaining dirs and files and
# symlinks in /

# Actually right before I swapped the drives I went into single
# usermode and copied over the last changes to /var and /home with
# rsync.

# Then I installed the bootloader.

cp usr/mdec/boot .
cd usr/mdec
./installboot /mnt/new/boot ./biosboot sd0

# After that I switched the drives, double-checking the
# master/slave selector. And I booted with the new HD and
# rejoiced.

# Of course I just removed all the errors I made along the way.



# Han



Re: Migrating to a new HD

2005-10-26 Thread Hannah Schroeter
Hello!

On Wed, Oct 26, 2005 at 12:42:04PM +0200, Han Boetes wrote:
I just wrote this article about migrating to a new HD after the
old one got too flakey.

[...]

I like a dump | restore combo, because dump is quite fast.

I.e. partition the new disk similar to the old one (sizes may vary as
long as stuff will fit on the new disk). dump|restore for every filesystem
(partition) you have, installboot on the new disk, and be happy.

Kind regards,

Hannah.



Re: dhcp overwriting resolv.conf

2005-10-26 Thread Siju George
On 10/26/05, Chris Smith [EMAIL PROTECTED] wrote:
 Hello,

 Running 3.8, 2 nics, 1 statically assigned, and the other using dhcp.
 Problem is that resolv.conf is always overwritten. Using
 resolv.conf.tail doesn't help as the information is just tacked on at
 the end of the dhcp supplied information.

 How can I prevent the overwriting of resolv.conf?


First I tried the advice on

http://www.openbsd.org/faq/faq6.html#DHCP

--
No matter how you start the DHCP client, you can edit the
/etc/dhclient.conf file to not update your DNS according to the dhcp
server's idea of DNS by first uncommenting the 'request' lines in it
(they are examples of the default settings, but you need to uncomment
them to override dhclient's defaults.)

request subnet-mask, broadcast-address, time-offset, routers,
  domain-name, domain-name-servers, host-name, lpr-servers, ntp-servers;

and then remove domain-name-servers. Of course, you may want to remove
hostname, or other settings too.

--

That didn't work for me :-(

Now my /etc/dhclient.conf looks like this


initial-interval 1;
send host-name caleb;
request subnet-mask,
broadcast-address,
routers,
domain-name;
supersede domain-name-servers 172.17.1.10;
--

Now this works for me.

Hope this helps

Kind Regards

Siju



Re: Migrating to a new HD

2005-10-26 Thread steven mestdagh
On Wed, Oct 26, 2005 at 12:42:04PM +0200, Han Boetes wrote:
 Hi,
 
 I just wrote this article about migrating to a new HD after the
 old one got too flaky.
 
 I maintain the original over here:
 
   http://www.xs4all.nl/~hanb/documents/hd-migration
 
 
 HD MIGRATION:
 
 It started with my HD failing to sync when I was rebooting. And
 some odd error messages I saw. So I was holding my breath hoping
 for it to be something else or just an incident. But it only got
 worse. So after a reboot and nearly losing a lot of important
 stuff I decided to make the switch. And after a struggle with cp
 and rsync, when I had everything set like I should, I found out
 that an old lilo was still haunting the MBR and I knew no way to
 get rid of it since I had no floppy. So, I could start all over again.
 
 I decided to write it all down so no one would have to suffer the
 same as me. After some tips on #OpenBSD I found the following
 procedure:
 
 My original hard disk was wd0 and the usb2 external drive sd0 is
 the new drive, which I will swap with the old drive after all is
 done.
 
 # I use the whole disk and this is the command I had to use in the
 # first instance to get rid of lilo.
 
 fdisk -i sd0
 
 # Now I could also reconsider my partition table and I increased my
 # /var partition which I wanted to do for a long time. You can
 # also add or remove partitions if you like that. After having the
 # right partition table in my mind I ran disklabel. It's a pretty
 # straightforward tool, so I won't bother explaining how it works.
 
 disklabel -e sd0
 
 # newfs is also really simple.
 
 newfs /dev/sd0a
 newfs /dev/sd0d
 # etc, etc.
 
 # And then I mounted the new filesystem. The extra options speed
 # up the copying of files.
 
 mkdir /mnt/new
 mount -o async,noatime,softdep /dev/sd0a /mnt/new
 cd /mnt/new
 # The mount points have to exist on the new root before the
 # other filesystems can be mounted on them.
 mkdir tmp var usr home
 mount -o async,noatime,softdep /dev/sd0d tmp
 mount -o async,noatime,softdep /dev/sd0e var
 mount -o async,noatime,softdep /dev/sd0f usr
 mount -o async,noatime,softdep /dev/sd0g home
 
 # First I prepared the dirs I didn't want to copy.
 
 mkdir dev
 cp /dev/MAKEDEV dev
 cd dev
 ./MAKEDEV all
 cd ..
 
 mkdir -p altroot kern mnt proc stand tmp
 
 # Also make sure you set the right permissions for /tmp
 
 chmod 1777 tmp
 
 # There are two ways I found pretty comfortable to copy dirs. cp
 # -Rp is fast. rsync shows what's going on, and you can easily
 # update the remaining differences. So if you don't want to use
 # rsync you'll have to do the copying in single user mode.
 
 cp -Rp /etc .
 rsync -aP /var .
 
 # And so on and so forth for all remaining dirs and files and
 # symlinks in /
 
 # Actually right before I swapped the drives I went into single
 # usermode and copied over the last changes to /var and /home with
 # rsync.
 
 # Then I installed the bootloader.
 
 cp usr/mdec/boot .
 cd usr/mdec
 ./installboot /mnt/new/boot ./biosboot sd0
 
 # After that I switched the drives, double-checking the
 # master/slave selector. And I booted with the new HD and
 # rejoiced.

some thoughts:
1. make backups: dump(8) and restore(8) are your friends.
2. wouldn't it be much easier to use the installer to install OpenBSD onto
   the new hard disk, boot from the new disk when finished, mount your old
   disk and copy over files as desired? (you could consider unplugging
   the old disk if it is going bad, and plug it back in when you're
   ready to start copying.)

-- 
steven

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: Migrating to a new HD

2005-10-26 Thread Han Boetes
Hannah Schroeter wrote:
 I like a dump | restore combo, because dump is quite fast.

Sounds interesting, I'll look into it.

 I.e. partition the new disk similar to the old one (sizes may
 vary as long as stuff will fit on the new disk). dump|restore
 for every filesystem (partition) you have, installboot on the
 new disk, and be happy.

Hmm now you describe in a few words what I did in detail, except
for the d|r trick. :-}



# Han



Re: spamd extension

2005-10-26 Thread Lars Hansson
On Tue, 25 Oct 2005 20:57:15 -0500
James Harless [EMAIL PROTECTED] wrote:

 What I'm looking for is a way to whitelist them based on user
 input.. before their initial email has been sent. In this somewhat typical
 scenario, the user has contacted me and said I don't want mail from
 [EMAIL PROTECTED] to be delayed... whitelist them, please.

Sure, it can be done as long as you can figure out what server [EMAIL PROTECTED]
will use to send their email, and that's not as easy as it may initially seem.
xxx might not always send using the same provider, the provider may have
multiple outbound relays, he/she may be using a friend's computer, he/she may
use a wifi hotspot etc etc. Bottom line is that there's no reliable way to
determine this ahead of time.
Just whitelisting email addresses themselves defeats the purpose of spamd.

---
Lars Hansson

Message from:  Lars Hansson [EMAIL PROTECTED]



Problem installing nmap from packages

2005-10-26 Thread Rico

Hi,

I tried installing nmap and got some dependency problems. I am running 
snapshots.


pkg_add
ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz
Can't install 
ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz: 
lib not found pcap.3.1

Even by looking in the dependency tree:
gettext-0.10.40p3, libiconv-1.9.2p1, libdnet-1.10p0, 
glib-1.2.10p0, pcre-4.5p1, gtk+-1.2.10p3

Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.

Best regards



Re: Problem installing nmap from packages

2005-10-26 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Rico
 Sent: Wednesday, October 26, 2005 8:55 AM
 To: misc@openbsd.org
 Subject: Problem installing nmap from packages
 
 Hi,
 
 I tried installing nmap and got some dependency problems. I am running
 snapshots.
 
 pkg_add

ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz
 Can't install

ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz:
 lib not found pcap.3.1
 Even by looking in the dependency tree:
  gettext-0.10.40p3, libiconv-1.9.2p1, libdnet-1.10p0,
 glib-1.2.10p0, pcre-4.5p1, gtk+-1.2.10p3
 Maybe it's in a dependent package, but not tagged with @lib ?
 (check with pkg_info -K -L)
 If you are still running 3.6 packages, update them.
 
 Best regards

I got that same error trying to install etherape-0.9.0



Re: Problem installing nmap from packages

2005-10-26 Thread Bernd Ahlers
Rico [Wed, Oct 26, 2005 at 02:55:02PM +0200] wrote:
I tried installing nmap and got some dependency problems. I am running 
snapshots.

pkg_add
ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz
Can't install 
ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz: 
lib not found pcap.3.1
Even by looking in the dependency tree:
gettext-0.10.40p3, libiconv-1.9.2p1, libdnet-1.10p0, 
glib-1.2.10p0, pcre-4.5p1, gtk+-1.2.10p3
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.

You have to run -current if you want to use -current packages.

Bernd



Re: Problem installing nmap from packages

2005-10-26 Thread steven mestdagh
On Wed, Oct 26, 2005 at 02:55:02PM +0200, Rico wrote:
 Hi,
 
 I tried installing nmap and got some dependency problems. I am running 
 snapshots.
 
 pkg_add
 ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz
 Can't install 
 ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz: 
 lib not found pcap.3.1
 Even by looking in the dependency tree:
 gettext-0.10.40p3, libiconv-1.9.2p1, libdnet-1.10p0, 
 glib-1.2.10p0, pcre-4.5p1, gtk+-1.2.10p3
 Maybe it's in a dependent package, but not tagged with @lib ?
 (check with pkg_info -K -L)
 If you are still running 3.6 packages, update them.

try a newer snapshot. you probably have an older version of the libpcap
library.

and please ask this kind of question on ports@ ...

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: spamd extension

2005-10-26 Thread James Harless
Chad,

I appreciate the insight.  I do realize it's a difficult problem but,
I think that there's a solution (albeit possibly from someone smarter
than I).

I do have variables that are known (the sender email address and the
recipient email address).  The problem is tying them to the IP Address
of the MTA when it's seen @ spamd.  It may be that there isn't a
solution without direct modification of spamd.  If that's the case,
then I hope the developer(s) will consider this suggestion.

I definitely won't be disabling spamd ;).  I would have a minor
revolution on my hands if my users suddenly had spam again...heh. 
OpenBSD greylisting has been very effective for us thus far.

--James



On 10/26/05, Chad M Stewart [EMAIL PROTECTED] wrote:
 James,

 The more I think about this one, the more I think there is no
 solution to your issue.  Well okay there are two choices, either use
 spamd or not. :)

 You would have to have ESP to know from which IP address a particular
 sender would be sending.  If I'm sitting in a hotel and using their
 WiFi then it is very probable that my message will be coming from
 their SMTP server, not that which I use normally.  Given only my mail
 address you have no way of determining for sure, which server I use
 to send mail.  The server I submit a message to does not have to be
 the server that eventually connects to the recipient's server in DNS.

 You can't provide an email address to spamd as the redirection
 happens before spamd, rather with PF.  The default is to send the
 packets to spamd.  Once the connection gets rdr to spamd, I'm not
 aware of any way to say, redirect again to your real MTA.  That brings
 us back to knowing the connecting servers IP address.

 You could disable spamd protection and see how long it takes for your
 users to complain about the amount of spam they are getting.  :)


 -Chad


 On Oct 25, 2005, at 9:57 PM, James Harless wrote:

  I appreciate the suggestions, but, not quite what I'm looking for yet.
  Either of these would allow me to whitelist someone AFTER they had
  been
  greylisting. What I'm looking for is a way to whitelist them based
  on user
  input.. before their initial email has been sent. In this somewhat
  typical
  scenario, the user has contacted me and said I don't want mail from
  [EMAIL PROTECTED] to be delayed... whitelist them, please.
 
  --James
 



--
What would Bilano do?



Frappr openbsd map

2005-10-26 Thread Petr Ruzicka
Hi,
slightly OT, I created a Frappr! openbsd map
(http://www.frappr.com/openbsd). Join it and, well, we could see who
uses OpenBSD and where.
Regards

Petr R.

--
Security is decided by quality -- Theo de Raadt



Re: Problem installing nmap from packages

2005-10-26 Thread Okan Demirmen
On Wed 2005.10.26 at 14:55 +0200, Rico wrote:
 Hi,
 
 I tried installing nmap and got some dependency problems. I am running 
 snapshots.
 
 pkg_add
 ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz
 Can't install 
 ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/nmap-3.93.tgz: 
 lib not found pcap.3.1

I take it you do not have a -current snapshot running, for you don't
have /usr/lib/libpcap.so.3.1 ...you probably only have 3.0 (now old).

keep base and ports in sync.

 Even by looking in the dependency tree:
 gettext-0.10.40p3, libiconv-1.9.2p1, libdnet-1.10p0, 
 glib-1.2.10p0, pcre-4.5p1, gtk+-1.2.10p3
 Maybe it's in a dependent package, but not tagged with @lib ?
 (check with pkg_info -K -L)
 If you are still running 3.6 packages, update them.



Re: HP DL 380 G3 + OpenBSD 3.8

2005-10-26 Thread Bill Marquette
On 10/26/05, Лебедев Андрей Германович [EMAIL PROTECTED] wrote:
 My problem (!!!) - bge1 at pci4 dev 2 function 0 Broadcom BCM5703X rev 0x02:
 couldn't establish interrupt at irq 15.
 Howto ? RTFM ? Help me!

In the Compaq BIOS, make sure nothing is configured for IRQ 15.  It's
an annoying issue I've seen with the DL380's - none of my boxes can
have _anything_ configured for IRQ15.  The G4's make the choice
easier, they only allow 5 and 7 if I recall ;)

--Bill



Re: spamd extension

2005-10-26 Thread Stuart Henderson

--On 26 October 2005 08:21 -0500, James Harless wrote:


I do have variables that are known (the sender email address and the
recipient email address).  The problem is tying them to the IP Address
of the MTA when it's seen @ spamd.  It may be that there isn't a
solution without direct modification of spamd.


By design, spamd can't do this. It neither accepts mail itself, nor 
proxies to the real backend server. It always sends a tempfail result 
code, and if it's the second time it's seen client_ip|src|dest, it adds 
to a table at the same time, so that on the third attempt the real 
mailserver is hit instead.



I definitely won't be disabling spamd ;)


The type of functionality you're looking for needs something with hooks 
directly into the mail server itself, there's no way with spamd to 
avoid delaying a connection unless you /already/ know the IP address. 
Maybe milter-greylist or postgrey already do what you're looking for, 
or if not they'll likely be easier to adapt.




Re: HP DL 380 G3 + OpenBSD 3.8

2005-10-26 Thread Лебедев Андрей Германович

Thanks all! The problem is solved by recustomizing IRQ in BIOS.
# dmesg | grep bge1
bge1 at pci4 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2 
(0x1002): irq 7 address 00:0e:7f:ad:0e:e3

brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
bge1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
   lladdr 00:0e:7f:ad:0e:e3
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active

- Original Message - 
From: Bill Marquette [EMAIL PROTECTED]

To: Лебедев Андрей Германович [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Wednesday, October 26, 2005 5:51 PM
Subject: Re: HP DL 380 G3 + OpenBSD 3.8



On 10/26/05, Лебедев Андрей Германович [EMAIL PROTECTED] wrote:
My problem (!!!) - bge1 at pci4 dev 2 function 0 Broadcom BCM5703X rev 
0x02:

couldn't establish interrupt at irq 15.
Howto ? RTFM ? Help me!


In the Compaq BIOS, make sure nothing is configured for IRQ 15.  It's
an annoying issue I've seen with the DL380's - none of my boxes can
have _anything_ configured for IRQ15.  The G4's make the choice
easier, they only allow 5 and 7 if I recall ;)

--Bill




OpenBSD on an ECS A900 or A90a

2005-10-26 Thread Lars Hansson
I'm looking at buying an ECS A900 or A901 laptop and I'm curious if
anyone has any experience running OpenBSD on such a machine?
Tech specs, for those interested:
http://www.ecsusa.com/products/a900_spec.html
http://www.ecsusa.com/products/a901_spec.html

---
Lars Hansson

Message from:  Lars Hansson [EMAIL PROTECTED]



Re: spamd extension

2005-10-26 Thread Frank Bax

At 09:57 PM 10/25/05, James Harless wrote:


I appreciate the suggestions, but, not quite what I'm looking for yet.
Either of these would allow me to whitelist someone AFTER they had been
greylisting. What I'm looking for is a way to whitelist them based on user
input.. before their initial email has been sent. In this somewhat typical
scenario, the user has contacted me and said I don't want mail from
[EMAIL PROTECTED] to be delayed... whitelist them, please.



spamd only delays the *first* message between the two parties.  After that 
there is no delay - as long as sender continues to use the same SMTP server.


Have you tried whitelisting these servers:
http://greylisting.org/whitelisting.shtml

Is there an underlying assumption in your question that spamd is the actual 
problem?  During the initial weeks of using spamd on my server, half of the 
complaints about undelivered email were not the fault of spamd. 



Re: dhcp overwriting resolv.conf

2005-10-26 Thread Chris Smith
On Wednesday 26 October 2005 07:38 am, Siju George wrote:
 Now My /etc/dhclient.conf looks like this

These two lines worked fine here:
---
request subnet-mask, broadcast-address, routers;
supersede domain-name-servers 192.168.107.2;
---

Chris



Re: spamd extension

2005-10-26 Thread James Harless
On 10/26/05, Frank Bax [EMAIL PROTECTED] wrote:

 At 09:57 PM 10/25/05, James Harless wrote:

 I appreciate the suggestions, but, not quite what I'm looking for yet.
 Either of these would allow me to whitelist someone AFTER they had been
 greylisting. What I'm looking for is a way to whitelist them based on
 user
 input.. before their initial email has been sent. In this somewhat
 typical
 scenario, the user has contacted me and said I don't want mail from
 [EMAIL PROTECTED] to be delayed... whitelist them, please.


 spamd only delays the *first* message between the two parties. After that
 there is no delay - as long as sender continues to use the same SMTP
 server.

My experience is that greylisting requires at least 2 failed attempts.
Maybe my pf.conf isn't setup properly. But, there's always 1 'extra' failure
that seems to me should pass through.

 Have you tried whitelisting these servers:
 http://greylisting.org/whitelisting.shtml

 Is there an underlying assumption in your question that spamd is the
 actual
 problem? During the initial weeks of using spamd on my server, half of the
 complaints about undelivered email were not the fault of spamd.


I do whitelist the servers on greylisting.org http://greylisting.org.
There's no real doubt that greylisting is part of my 'issue'. It's not
unmanageable, by any means, but, I'm just wondering if there isn't a way to
correct the problem.
Greylisting is 99% of the time not a problem. But, sometimes, the client is
on the phone with a customer or in some other situation where they need to
receive the email quickly. With my current greylisting setups, I can't
guarantee any time when they'll receive the first email from a contact other
than 'will take at least 5 mins and can take much longer depending on how
their mail server is configured'.
In any case, it's not unmanageable. I just set expectations with customers
and they're not wanting to move away from greylisting. But, it does *feel*
like a 'solvable problem'.
--James

--
What would Bilano do?



Re: spamd extension

2005-10-26 Thread Bob Beck
If you are using spamlogd correctly, so that it is whitelisting the
destination addresses of target mailservers, I find the actual need
for this to be near zero, since most people send mail to
[EMAIL PROTECTED] and as soon as they do the server is whitelisted for
the reply - this is not the case with some big sites where their inbound
mx differs from the ip their outbound mail comes from, but it works
to speed up the process most of the time. - and when it doesn't
the email is delayed a half hour or a little more.  

Basically, the correct answer is suck it up princess, in
pathological cases someone's email might be delayed by a short while
getting to you in normal cases it won't. Usually users ask for this
when you tell them what you are doing and they don't understand
that in 95% of the cases they never see a delay. 

-Bob

* James Harless [EMAIL PROTECTED] [2005-10-25 20:09]:
 I appreciate the suggestions, but, not quite what I'm looking for yet.
 Either of these would allow me to whitelist someone AFTER they had been
 greylisted. What I'm looking for is a way to whitelist them based on user
 input.. before their initial email has been sent. In this somewhat typical
 scenario, the user has contacted me and said I don't want mail from
 [EMAIL PROTECTED] to be delayed... whitelist them, please.
 
 --James
 
 On 10/25/05, Bob Beck [EMAIL PROTECTED] wrote:
 
 
  spamdb -a `spamdb | grep '[EMAIL PROTECTED]|[EMAIL PROTECTED]' | cut -d '|' -f 2`
 
  -Bob
 
  * James Harless [EMAIL PROTECTED] [2005-10-25 15:50]:
   I would like some advice on extending spamd functionality. I'm not
   sure the best approach to this problem.
  
   Problem:
  
   I administer several independent mail gateway / firewall devices that
   greylist for their networks. I've done a fair job of educating users
   about how greylisting will affect their email but, inevitably a user
   will contact me to request that an incoming email be whitelisted. The
   only information they have is 1) sending email address and 2)
   receiving email address. Of course, spamd only deals in IP addresses
   and it may be difficult to find the ip address of the sending mail
   server. Additionally, I'd like to provide some method to the users
   where they could whitelist someone themselves without requesting
   directly from me.
  
   What I envision:
  
   A script or extension to spamd that would allow me to input a 'from'
   and 'rcpt to' address. Then, the next time that combo is seen, from
   any IP address...it gets whitelisted automatically. I envision this
   only happening one time and then returning to greylisting as normal.
   I understand that there's a chance of someone sending spam through in
   that window with the proper from/to combo .. but, it's small enough to
   accept.
  
  
   Thoughts? Does this sound feasible? Is this a reasonable solution?
   If so, what direction would you recommend for implementation? (I'm no
   programmer.. but, not afraid of diving in, nonetheless.)
  
   --James
  
 
 
 
 
 --
 What would Bilano do?



Re: spamd extension

2005-10-26 Thread eric
On Wed, 2005-10-26 at 09:06:11 -0600, Bob Beck proclaimed...

   Basically, the correct answer is suck it up princess, in
 pathological cases someone's email might be delayed by a short while
 getting to you in normal cases it won't. Usually users ask for this
 when you tell them what you are doing and they don't understand
 that in 95% of the cases they never see a delay. 

Hell, I usually just blame the other ISP and by the time the customer argues,
the mail is re-sent and waiting for them :-)



Re: spamd extension

2005-10-26 Thread Graham Toal
  My experience is that greylisting requires at least 2 failed attempts.
 Maybe my pf.conf isn't setup properly. But, there's always 1 'extra' failure
 that seems to me should pass through.

James is right, it's a design flaw of spamd that two failed attempts
are required.  This is what happens:

1) first attempt, goes to spamd, is logged.
2) second attempt, goes to spamd, is marked as good ... *BUT* it
   still went to spamd.  spamd is not an application relay, so it
   has no way of passing that currently-active second attempt through
   to the true MTA, so ...
3) third attempt, redirected to true MTA

The only fix for this is a *major* redesign of spamd (or equivalently
incorporating spamd's greylisting code into a spamfilter which *does*
relay connections at the IP level to an MTA - which is actually what I'm
working on at the moment)

One of the pre-requisites (in my opinion) for a filter which
relays connections (rather than routing them through) is full
transparency, i.e. the MTA sees the IP of the original caller, not
the IP of the relay.  This is so that the MTA continues to do
third-party relay rejection and does not require you to duplicate
that logic in your relay host.  Fortunately for us, OpenBSD+pf
have exactly the facilities needed to transparently forward at
the TCP/IP session level, albeit not a common or easy thing to do.


Graham



Re: spamd extension

2005-10-26 Thread Bryan Irvine
On 10/26/05, James Harless [EMAIL PROTECTED] wrote:
 Chad,

 I appreciate the insight.  I do realize it's a difficult problem but,
 I think that there's a solution (albeit possibly from someone smarter
 than I).

Nope there's just not.

 I do have variables that are known (the sender email address and the
 recipient email address).  The problem is tying them to the IP Address
 of the MTA when it's seen @ spamd.  It may be that there isn't a
 solution without direct modification of spamd.  If that's the case,
 then I hope the developer(s) will consider this suggestion.

How would you find an unknown ip of an unknown machine?  About the
only *chance* you have is doing MX lookups and hoping that email
comes from that same server.  If their organization uses various
relays and proxies to send, you are out of luck.  There's no way to
get that information without a previously harvested email and looking
at the message headers.


--Bryan



know any neat tricks for 2 * dhclient?

2005-10-26 Thread Graham Toal
I wanted to set up a system which has two ether cards (it's part of
a transparent bridge so it'll be inline with someone's connection)
such that it'll pick up a DHCP address on *both* cards ... the trick
comes from not knowing in advance whether the DHCP server will be
on the inside connection or the net-facing one.  (i.e. if the
bridge is deployed near the network edge, the DHCP server is inside;
but if it is deployed immediately in front of a single server, then
it will see DHCP facing outwards).

It *ought* to be possible to configure both hostname.xl0 and hostname.fxp1
as dhcp, and whichever one comes up first, will then bridge through the
DHCP server for the other.  Unfortunately it just happens by luck of
alphabetical order, that the one which comes up first is *not* looking
at a DHCP server.  So after a relatively short period of retries it
goes to sleep.  Then the other interface asks for its dhcp address and
gets it quickly.  What I expected was that the first would sleep for a
short time then ask again, and get it OK.  I haven't seen that happen -
about 30 minutes later and the interface still has no IP.

What's the best way to ensure that they both get IPs as quickly as
possible?  I can think of some dirty hacks, but I don't like the
solutions I've come up with. (For example, if I kick off the dhcp
client requests in the background, that interferes with the rest of
the boot sequence).

Has anyone had this configuration before and come up with an elegant
solution?

thanks

Graham



ksh segfaults

2005-10-26 Thread Tobias Ulmer
Hi

I'm running a 3.7 (all patches applied, everything else default) on an
old box (dmesg at the end). It fetches mail for me with the following
script:

---8<---
#! /bin/sh

LOCK=$HOME/.getmail.lock

# skip this run if a previous one is still fetching
if ! [ -f "$LOCK" ]
then
touch "$LOCK"
# stdout is discarded, stderr still goes to cron mail
getmail 2>&1 > /dev/null
rm "$LOCK"
fi
---8<---

This script is run from crontab every minute. Sometimes ksh segfaults
and dumps core. It only happens once a day or two, so this is not a big
problem for me. I was however curious and compiled ksh with -g to get
more information.

[EMAIL PROTECTED]:~# gdb /bin/sh /home/tobiasu/core/sh.core
GNU gdb 6.3
[...]
This GDB was configured as i386-unknown-openbsd3.7...
Core was generated by `sh'.
Program terminated with signal 11, Segmentation fault.
#0  0x1c027ed6 in _weak__thread_fd_unlock ()
(gdb) backtrace full
#0  0x1c027ed6 in _weak__thread_fd_unlock ()
No symbol table info available.
#1  0x1c028025 in _weak__thread_fd_unlock ()
No symbol table info available.
#2  0x1c027b48 in _weak__thread_fd_unlock ()
No symbol table info available.
#3  0x1c028095 in _weak__thread_fd_unlock ()
No symbol table info available.
#4  0x1c028395 in malloc ()
No symbol table info available.
#5  0x1c03c90e in atexit ()
No symbol table info available.
#6  0x1c0002e9 in __register_frame_info ()
No symbol table info available.
#7  0x1c000155 in __init ()
No symbol table info available.
#8  0x1c0001ee in ___start ()
No symbol table info available.
#9  0x1c00016f in _start ()
No symbol table info available.
(gdb) quit
[EMAIL PROTECTED]:~# gdb /bin/sh /home/tobiasu/core/sh2.core
GNU gdb 6.3
[...]
This GDB was configured as i386-unknown-openbsd3.7...
Core was generated by `sh'.
Program terminated with signal 11, Segmentation fault.
#0  0x1c027ed6 in _weak__thread_fd_unlock ()
(gdb) backtrace full
#0  0x1c027ed6 in _weak__thread_fd_unlock ()
No symbol table info available.
#1  0x1c028025 in _weak__thread_fd_unlock ()
No symbol table info available.
#2  0x1c027b48 in _weak__thread_fd_unlock ()
No symbol table info available.
#3  0x1c028095 in _weak__thread_fd_unlock ()
No symbol table info available.
#4  0x1c028395 in malloc ()
No symbol table info available.
#5  0x1c03c90e in atexit ()
No symbol table info available.
#6  0x1c0002e9 in __register_frame_info ()
No symbol table info available.
#7  0x1c000155 in __init ()
No symbol table info available.
#8  0x1c0001ee in ___start ()
No symbol table info available.
#9  0x1c00016f in _start ()
No symbol table info available.
(gdb) info registers
eax0x0  0
ecx0x5  5
edx0x0  0
ebx0x0  0
esp0xcfbf3fd4   0xcfbf3fd4
ebp0xcfbf3fec   0xcfbf3fec
esi0x0  0
edi0xcfbf4034   -809549772
eip0x1c027ed6   0x1c027ed6
eflags 0x10202  66050
cs 0x1f 31
ss 0x27 39
ds 0x27 39
es 0x27 39
fs 0x27 39
gs 0x27 39



My _guess_ is that it has something to do with the test condition if the
lock-file still exists and then is deleted shortly after (This is called
a race condition, right?). I tried to grep /usr/src but it takes hours
(PIO4, no DMA...) and I didn't find out where this thread_fd_unlock
function is nor what it does.

I might also be completely wrong. Can someone bring some light into this
and give me a clue why it happens? Maybe it can even be fixed :)

Tobias

---8<---
OpenBSD 3.7 (GENERIC) #0: Sun Jul 24 17:52:18 CEST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Cyrix 6x86 (486-class)
real mem  = 83468288 (81512K)
avail mem = 68890624 (67276K)
using 1044 buffers containing 4276224 bytes (4176K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(70) BIOS, date 07/25/96, BIOS32 rev. 0 @ 0xfb710
apm0 at bios0: Power Management spec V1.2
apm0: APM engage (device 1): power management disabled (1)
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0xbc30
pcibios0: PCI BIOS has 4 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C586 ISA rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C585 ISA rev 0x02
pcib0 at pci0 dev 7 function 0 VIA VT82C586 ISA rev 0x02
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x02: ATA33,
channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: ST38641A
wd0: 32-sector PIO, LBA, 8207MB, 16809660 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
vga1 at pci0 dev 8 function 0 ATI Mach64 CT rev 0x09
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 9 function 0 Realtek 8139 rev 0x10: irq 11 address
00:30:84:41:5a:54
rlphy0 at rl0 phy 0: RTL internal phy
vr0 
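The check-then-touch sequence in the script above is the race Tobias suspects: between `[ -f $LOCK ]` and `touch $LOCK` a second cron instance can pass the same test. As an added example (not Tobias's script), a lock built on mkdir(2), which is atomic, closes that window; the LOCKDIR default, the take_lock/release_lock/run_locked names and the invocation at the bottom are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the poster's script.  The original tests for the lock
# file and then creates it in two steps, so two cron runs can both see "no
# lock" and both start fetching.  mkdir(2) either creates the directory or
# fails, atomically, so a lock *directory* admits exactly one owner.
# LOCKDIR and the command names below are assumptions for this demo.

LOCKDIR="${LOCKDIR:-${HOME:-/tmp}/.getmail.lock.d}"

# Try to take the lock.  Returns 0 if we now own it, non-zero if another
# run already holds it (mkdir fails because the directory exists).
take_lock() {
    mkdir "$LOCKDIR" 2>/dev/null
}

release_lock() {
    rmdir "$LOCKDIR" 2>/dev/null
}

# Run a command under the lock.
# Returns the command's exit status if it ran, or 2 if the lock was held
# (a previous cron run is still fetching), so the two cases stay distinct.
run_locked() {
    if take_lock; then
        # drop the lock even if the fetch is interrupted, so a stale
        # lock does not block every later run
        trap 'release_lock' EXIT INT TERM
        "$@" >/dev/null 2>&1
        status=$?
        release_lock
        trap - EXIT INT TERM
        return $status
    else
        return 2
    fi
}

# Invoke from cron as:  sh getmail-locked.sh getmail
if [ $# -gt 0 ]; then
    run_locked "$@"
fi
```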

Re: spamd extension

2005-10-26 Thread Chad M Stewart

On Oct 26, 2005, at 11:54 AM, Graham Toal wrote:

 My experience is that greylisting requires at least 2 failed attempts.
 Maybe my pf.conf isn't setup properly. But, there's always 1 'extra' failure
 that seems to me should pass through.



James is right, it's a design flaw of spamd that two failed attempts
are required.  This is what happens:

1) first attempt, goes to spamd, is logged.
2) second attempt, goes to spamd, is marked as good ... *BUT* it
   still went to spamd.  spamd is not an application relay, so it
   has no way of passing that currently-active second attempt through
   to the true MTA, so ...
3) third attempt, redirected to true MTA


I agree this is how things work.  I disagree that this is a design  
flaw.  Instead this is the fundamental thing that makes spamd so  
great at what it does.   Maybe I'm a little too RFC biased, but if  
the standards say XYZ MUST be done, then if the sending MTA is not  
playing by the rules, I don't want their mail.  Though I'm happy to  
talk and work with them to get their servers fixed.  The side effect  
being that all those spammer zombie machines don't get a message into  
my servers. :)


spamd is ensuring that MTAs are following the standards.  The  
standards say that a sending MTA must wait 30 minutes before  
attempting a retry, thus the default passtime for spamd is 25  
minutes, which I think is a good buffer.  If MTAs should retry in say  
15 minutes, I don't know what spamd does, I've not tested that  
scenario.  I would hope that maybe spamd would update the initial  
time to the most recent attempt and wait to put the IP in the  
whitelist pool until passtime has passed between retries.


I often see delays of either an hour or two when first getting a  
message via a new MTA.  Which makes sense to me, and I think is  
tolerable.  Email is not instant messaging.  If it absolutely has to  
be there NOW, then use something else. :)


00:00 -- first connection attempted
00:30 -- second connection attempted
00:31 -- IP now whitelisted

I've found that some MTAs will try to make a 3rd attempt 60 minutes from  
the first attempt, while others seem to wait 60 minutes or more from  
the 2nd attempt.



-Chad



Re: spamd extension

2005-10-26 Thread James Harless
 How would you find an unknown ip of an unknown machine?  About the
 only *chance* you have is doing MX lookups and hoping that email
 comes from that same server.  If their organization uses various
 relays and proxies to send, you are out of luck.  There's no way to
 get that information without a previously harvested email and looking
 at the message headers.


Well, that's exactly the point... you don't find the ip.  You put in a
temporal entry that says 'whitelist the next ip address that connects
attempting to send mail from $sender to $rcpt'.  After that, the entry
expires.

It's been pointed out here that it just isn't possible, currently. 
I'm ok with that.  The issue is smaller than the problem that it
solves (removing most of the spam from my networks).

Thanks for all the input.

--James



Re: spamd extension

2005-10-26 Thread Hans Kremers

Graham Toal wrote:


The only fix for this is a *major* redesign of spamd (or equivalently
incorporating spamd's greylisting code into a spamfilter which *does*
relay connections at the IP level to an MTA - which is actually what I'm
working on at the moment)


Why start from scratch? There are enough seasoned, full featured MTAs
around that will allow you to incorporate greylisting. And you get all
the other stuff like STARTTLS, AUTH etc gratis.

I'd either accept spamd's few limitations or incorporate greylisting
into an MTA.

Just my thoughts.

Hans



TV Tuner Cards; Philips 7135 Support?

2005-10-26 Thread Whyzzi
I didn't see any specifics in the archives or from Google. As this
type of software tuner can be had for cheap (locally here I've found
the Asus TV FM tuner PCI card for under $40cdn), I was wondering if
OpenBSD had support for it?

Many thanks in advance!

--
I know too much and yet not enough



Re: Allowing roadwarrior connections from aggressive and main mode clients?

2005-10-26 Thread Sean Knox

FYI, Hakan tells me this isn't possible now, but might be someday.



Sean Knox wrote:
[I didn't get much response on the openbsd-ipsec list, so I'm reposting 
here]



I'm having problems allowing roadwarrior connections from aggressive and
  main mode clients to connect isakmpd at the same time. At the moment,
I can only allow one, either main mode or aggressive by specifying a
Default ISAKMP SA negotiation root, a la:


[Phase 1]
Default= road-aggressive
#Default= road-main-mode


If I don't specify a default phase 1 connection, isakmpd uses the
road-main-mode connection:

160001.993149 Default exchange_setup_p1: expected exchange type ID_PROT
got AGGRESSIVE


I've tried setting the Phase 1 Local-Addresses to listen on different
IPs, but isakmpd still uses the road-main-mode connection for incoming
aggressive connections. Can isakmpd be configured to accept main mode 
*and* aggressive mode clients?


thanks,
sk


(connection settings from isakmpd.conf below)

--- from isakmpd.conf ---

[Phase 1]
#Default= road-aggressive-p1
#Default= road-main-mode-p1

[Phase 2]
Passive-Connections=roadwarriors-aggr,roadwarriors-main

##
## Phase 1 definitions
##

[road-aggressive-p1]
Phase   = 1
Local-Address   = 10.10.10.1
Configuration   = aggr-mode-psk
Authentication  = supersecretpw
Flags   = IKECFG


[road-main-mode-p1]
Phase   = 1
Local-Address   = 10.10.10.2
Configuration   = main-mode-rsa
Flags   = IKECFG

#
## Phase 2 definitions
#


[roadwarriors-aggr]
Phase   = 2
Configuration   = Default-quick-mode
Local-ID= lan
Remote-ID   = anybody
ISAKMP-peer = road-aggressive-p1


[roadwarriors-main]
Phase   = 2
Configuration   = Default-quick-mode
Local-ID= lan
Remote-ID   = anybody
ISAKMP-peer = road-main-p1

#
## IDs
#

[anybody]
ID-type=IPV4_ADDR
Address=0.0.0.0

[lan]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.5.0
Netmask = 255.255.255.0




Re: spamd extension

2005-10-26 Thread Stuart Henderson

--On 26 October 2005 09:12 -0400, Frank Bax wrote:


Have you tried whitelisting these servers:
 http://greylisting.org/whitelisting.shtml


That list by policy only includes 'shared queue' servers on blocks 
larger than /24 (the greylisting software written by the list compiler 
usually masks the last byte of the address anyway). If your spamd box 
regularly receives mail from users at large sites that use different 
machines for outbound and inbound mail, where a shared queue is 
involved, and don't have enough users yourself to ensure that the most 
common of these are already whitelisted, greylisting software other 
than spamd might be a better choice. As luck would have it these are 
also often the sites with crappy retry cycles delaying mail multiple 
hours. But then, I wouldn't want to run a full mta on the small 
hardware I usually run spamd on sitting in front of mail servers, and 
larger sites that are less affected by this problem probably don't want 
to devote full mta resources to their spam senders either, so it's good 
that there are both lightweight and more featureful choices.




Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Samurai Chef
On 10/26/05, Graham Toal [EMAIL PROTECTED] wrote:

 I wanted to set up a system which has two ether cards (it's part of
 a transparent bridge so it'll be inline with someone's connection)
 such that it'll pick up a DHCP address on *both* cards ... the trick
 comes from not knowing in advance whether the DHCP server will be
 on the inside connection or the net-facing one. (i.e. if the
 bridge is deployed near the network edge, the DHCP server is inside;
 but if it is deployed immediately in front of a single server, then
 it will see DHCP facing outwards).

 It *ought* to be possible to configure both hostname.xl0 and hostname.fxp1
 as dhcp, and whichever one comes up first, will then bridge through the
 DHCP server for the other. Unfortunately it just happens by luck of
 alphabetical order, that the one which comes up first is *not* looking
 at a DHCP server. So after a relatively short period of retries it
 goes to sleep. Then the other interface asks for its dhcp address and
 gets it quickly. What I expected was that the first would sleep for a
 short time then ask again, and get it OK. I haven't seen that happen -
 about 30 minutes later and the interface still has no IP.

 What's the best way to ensure that they both get IPs as quickly as
 possible? I can think of some dirty hacks, but I don't like the
 solutions I've come up with. (For example, if I kick off the dhcp
 client requests in the background, that interferes with the rest of
 the boot sequence).

 Has anyone had this configuration before and come up with an elegant
 solution?

 thanks

 Graham


Maybe I'm not understanding the problem, but for a transparent bridge, you
wouldn't want it to be assigned an IP address on either network card. Hence
the transparent part.



isakmpd - Single Phase 1 - Multiple Phase 2 Address

2005-10-26 Thread Roy Morris
I have been reading through the archives but have not found a reliable answer
yet. I have recently been converting vpns from manual to isakmpd, with one
of the other endpoints being a Cisco box. I can bring up a single subnet/IP 
no problem but if I try to add another phase2 connection it fails. 

Does anyone have a config showing this setup? I read something from 2003 
that said this *might* be a problem, but can't believe that would still be true.

http://marc.theaimsgroup.com/?l=openbsd-misc&m=104621687611340&w=2

Cheers
Rm



Re: spamd extension

2005-10-26 Thread Frank Bax

At 11:05 AM 10/26/05, James Harless wrote:


On 10/26/05, Frank Bax [EMAIL PROTECTED] wrote:
 spamd only delays the *first* message between the two parties. After that
 there is no delay - as long as sender continues to use the same SMTP
 server.

 My experience is that greylisting requires at least 2 failed attempts.
Maybe my pf.conf isn't setup properly. But, there's always 1 'extra' failure
that seems to me should pass through.



Correct.  One *message* - two (or more) failed attempts before 
delivery.  Extra failed attempts can sometimes happen - it depends on 
sender's retry frequency compared to spamd_flags values.




Re: spamd extension

2005-10-26 Thread Elliot Foster

Stuart Henderson wrote:


--On 26 October 2005 08:21 -0500, James Harless wrote:


I do have variables that are known (the sender email address and the
recipient email address).  The problem is tying them to the IP Address
of the MTA when it's seen @ spamd.  It may be that there isn't a
solution without direct modification of spamd.



By design, spamd can't do this. It neither accepts mail itself, nor 
proxies to the real backend server. It always sends a tempfail result 
code, and if it's the second time it's seen client_ip|src|dest, it 
adds to a table at the same time, so that on the third attempt the 
real mailserver is hit instead.



I definitely won't be disabling spamd ;)



The type of functionality you're looking for needs something with 
hooks directly into the mail server itself, there's no way with spamd 
to avoid delaying a connection unless you /already/ know the IP 
address. Maybe milter-greylist or postgrey already do what you're 
looking for, or if not they'll likely be easier to adapt.




Not to venture off topic, but it's at this point that I would suggest 
you look at qpsmtpd (http://smtpd.develooper.com) for your anti-spam 
needs.  It's an SMTP server written entirely in perl and is incredibly 
extensible (easy to do so as well.)  It's nice and speedy:  apache.org 
and perl.org receive all of their mail through it.  It can tie into 
Postfix and qmail, and there is an experimental SMTP proxy function as 
well.  I hope to get around to creating an interface to sendmail as 
well.  Its connections can be managed by an internal polling server 
(using epoll or kqueue under linux/bsd if available), a forkserver 
model, tcpserver (with speedy-cgi/pperl/forkserver), or apache2 (via 
mod_perl).  It is my current perl love, and I would highly recommend at 
least a peek at it.


For a quick summary by one of the main developers, see:

http://www.oreillynet.com/pub/a/sysadmin/2005/09/15/qpsmtpd.html



Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread RussellJ
Graham,

I use a bridge and assign the IP to one NIC, albeit statically assigned, 
on several production OpenBSD 3.5 systems. If I ever switched the IP to 
the Other NIC, I would lose connectivity until the ARP tables on the 
various LAN hosts updated with the new MAC address. Maybe about 10 minutes 
if I recall. I don't recall what the times are for ARP table refreshes 
average.

Agreeing with what another individual said regarding this post, it's a 
transparent bridge, so that IP living on multiple NICs is a really moot 
point. I would venture to guess that the kernel gets really annoyed having 
to track an address on two different NICs with or without a bridge in 
place.

best regards,
Jim


[EMAIL PROTECTED] wrote on 10/26/2005 12:42:43 PM:

 I wanted to set up a system which has two ether cards (it's part of
 a transparent bridge so it'll be inline with someone's connection)
 such that it'll pick up a DHCP address on *both* cards ... the trick
 comes from not knowing in advance whether the DHCP server will be
 on the inside connection or the net-facing one.  (i.e. if the
 bridge is deployed near the network edge, the DHCP server is inside;
 but if it is deployed immediately in front of a single server, then
 it will see DHCP facing outwards).
 
snip 
 Has anyone had this configuration before and come up with an elegant
 solution?
 
 thanks
 
 Graham



Re: ksh segfaults

2005-10-26 Thread Otto Moerbeek
On Wed, 26 Oct 2005, Tobias Ulmer wrote:

 Hi
 
 I'm running a 3.7 (all patches applied, everything else default) on an
 old box (dmesg at the end). It fetches mail for me with the following
 script:
 
 ---8<---
 #! /bin/sh
 
 LOCK=$HOME/.getmail.lock
 
 # skip this run if a previous one is still fetching
 if ! [ -f "$LOCK" ]
 then
 touch "$LOCK"
 # stdout is discarded, stderr still goes to cron mail
 getmail 2>&1 > /dev/null
 rm "$LOCK"
 fi
 ---8<---
 
 This script is run from crontab every minute. Sometimes ksh segfaults
 and dumps core. It only happens once a day or two, so this is not a big
 problem for me. I was however curious and compiled ksh with -g to get
 more information.
 
 [EMAIL PROTECTED]:~# gdb /bin/sh /home/tobiasu/core/sh.core
 GNU gdb 6.3
 [...]
 This GDB was configured as i386-unknown-openbsd3.7...
 Core was generated by `sh'.
 Program terminated with signal 11, Segmentation fault.
 #0  0x1c027ed6 in _weak__thread_fd_unlock ()
 (gdb) backtrace full
 #0  0x1c027ed6 in _weak__thread_fd_unlock ()
 No symbol table info available.
 #1  0x1c028025 in _weak__thread_fd_unlock ()
 No symbol table info available.
 #2  0x1c027b48 in _weak__thread_fd_unlock ()
 No symbol table info available.
 #3  0x1c028095 in _weak__thread_fd_unlock ()
 No symbol table info available.
 #4  0x1c028395 in malloc ()
 No symbol table info available.
 #5  0x1c03c90e in atexit ()
 No symbol table info available.
 #6  0x1c0002e9 in __register_frame_info ()
 No symbol table info available.
 #7  0x1c000155 in __init ()
 No symbol table info available.
 #8  0x1c0001ee in ___start ()
 No symbol table info available.
 #9  0x1c00016f in _start ()
 No symbol table info available.
 (gdb) quit
 [EMAIL PROTECTED]:~# gdb /bin/sh /home/tobiasu/core/sh2.core
 GNU gdb 6.3
 [...]
 This GDB was configured as i386-unknown-openbsd3.7...
 Core was generated by `sh'.
 Program terminated with signal 11, Segmentation fault.
 #0  0x1c027ed6 in _weak__thread_fd_unlock ()
 (gdb) backtrace full
 #0  0x1c027ed6 in _weak__thread_fd_unlock ()
 No symbol table info available.
 #1  0x1c028025 in _weak__thread_fd_unlock ()
 No symbol table info available.
 #2  0x1c027b48 in _weak__thread_fd_unlock ()
 No symbol table info available.
 #3  0x1c028095 in _weak__thread_fd_unlock ()
 No symbol table info available.
 #4  0x1c028395 in malloc ()
 No symbol table info available.
 #5  0x1c03c90e in atexit ()
 No symbol table info available.
 #6  0x1c0002e9 in __register_frame_info ()
 No symbol table info available.
 #7  0x1c000155 in __init ()
 No symbol table info available.
 #8  0x1c0001ee in ___start ()
 No symbol table info available.
 #9  0x1c00016f in _start ()
 No symbol table info available.
 (gdb) info registers
 eax0x0  0
 ecx0x5  5
 edx0x0  0
 ebx0x0  0
 esp0xcfbf3fd4   0xcfbf3fd4
 ebp0xcfbf3fec   0xcfbf3fec
 esi0x0  0
 edi0xcfbf4034   -809549772
 eip0x1c027ed6   0x1c027ed6
 eflags 0x10202  66050
 cs 0x1f 31
 ss 0x27 39
 ds 0x27 39
 es 0x27 39
 fs 0x27 39
 gs 0x27 39
 
 
 
 My _guess_ is that it has something to do with the test condition if the
 lock-file still exists and then is deleted shortly after (This is called
 a race condition, right?). I tried to grep /usr/src but it takes hours
 (PIO4, no DMA...) and I didn't find out where this thread_fd_unlock
 function is nor what it does.

This is strange. From the trace it looks like you are crashing in code
that is executed before sh is running. What is extra strange is that
your code is executing thread specific stuff, which isn't supposed to
happen in a single threaded program like sh is. 


 I might also be completely wrong. Can someone bring some light into this
 and give me a clue why it happens? Maybe it can even be fixed :)

No clues so far...

-Otto



Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Graham Toal
 I use a bridge and assign the IP to one NIC, albeit statically assigned, 
 on several production OpenBSD 3.5 systems. If I ever switched the IP to 
 the Other NIC, I would lose connectivity until the ARP tables on the 
 various LAN hosts updated with the new MAC address. Maybe about 10 minutes 
 if I recall. I don't recall what the times are for ARP table refreshes 
 average.

I'm not talking about switching the IPs, I want a different one
on each interface, both assigned from the local DHCP space.

 Agreeing with what another individual said regarding this post, it's a 
 transparent bridge, so that IP living on multiple NICs is a really moot 
 point. I would venture to guess that the kernel gets really annoyed having 
 to track an address on two different NICs with or without a bridge in 
 place.

As I said, not the same IP on multiple NICs, different IPs on each NIC.

G



Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Graham Toal
 Maybe I'm not understanding the problem, but for a transparent bridge, you
 wouldn't want it to be assigned an IP address on either network card. Hence
 the transparent part.

You would think so, but you would be wrong.  As I was when I started
this project.  In OpenBSD a bridge must either have no interfaces
with IPs or both interfaces with IPs.  You need to put an IP on it
when you are generating traffic from the bridge, specifically if
you are filtering traffic going through it at the tcp session level.

So you're right that you don't need or want IPs if you are just bridging
and not touching the traffic (except maybe to block something with a pf
firewall rule) but wrong if what you are building is a transparent
filter (or cache, such as squid) like a spam filter or a virus filter
that intercepts web pages.

Here's the definitive word on it:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=101814255119388

By the way, by 'transparent filtering' I specifically mean that the
server sees the IP of the client in incoming requests, and the client
sees the IP of the server on replies.  There is a half-assed version of
this that is sometimes implemented where the client does see the
server IP, but the server sees the call as coming from the man in the
middle. For my purposes I need both sides of the conversation to
be equally transparent.  (That part I've more or less worked out
how to do, and am in the process of cleaning up the proof of concept
code right now)

Now that we've cleared that up, got any ideas on how to use dhclient
to pick up IP addresses for both interfaces, when only one of them
faces the dhcp server and the other one happens to execute first?


The solution should work in any installation and not require local
knowledge (because the whole point of doing this as a transparent
filter is to turn the spam filter into an appliance that can be
plugged in and just work, no config necessary.  Like a commercial
spam appliance, except free ;-) )


Graham



Re: spamd extension

2005-10-26 Thread Graham Toal
 The only fix for this is a *major* redesign of spamd (or equivalently
 incorporating spamd's greylisting code into a spamfilter which *does*
 relay connections at the IP level to an MTA - which is actually what I'm
 working on at the moment)

 Why start from scratch ? There are enough seasoned, full featured MTAs
 around that will allow you to incorporate greylisting. And you get all
 the other stuff like STARTTLS, AUTH etc gratis.

 I'd either accept spamd's few limitations or incorporate greylisting
 into an MTA.

 Just my thoughts.

There *are* several greylisting implementations using MTAs if that is
what you want.  The attractive feature of spamd+openbsd/pf is that it is
MTA-agnostic.  After it does its thing it simply routes your connection
through to the real MTA at the IP level.

Anyway, it's not starting from scratch for me - I have a mature
pseudo-transparent SMTP filter that works well and has been in service
for over a year - it's just that I have not publicised it much because
in its current form it requires configuration, such as telling it
what domains you accept mail for, which IPs are local, etc.  I needed
to learn about transparent bridging first and recode the I/O so that
the filtering is not visible at the IP level.  Which I now have, mostly.

My filter uses spamassassin plus spamprobe plus uvscan plus clamav, with
some automatic detection of spamtrap addresses thrown in.  I haven't yet
added greylisting to it, and indeed our deployment at the University where
I work has an openbsd running spamd sitting in front of my filter sitting
in front of the real MTA!  By incorporating the logic from spamd into my
code, I can remove one piece of hardware.  And improve spamd while I'm at
it, because with this architecture I can forward that second connection
attempt to the MTA, and avoid having two delays rather than one.


Graham



Re: spamd extension

2005-10-26 Thread Graham Toal
 On 10/26/05, James Harless [EMAIL PROTECTED] wrote:
  Chad,
 
  I appreciate the insight.  I do realize it's a difficult problem but,
  I think that there's a solution (albeit possibly from someone smarter
  than I).

 Nope there's just not.

There is, but not with spamd as currently implemented.  The fix would
involve this:

1) accept the connection, remember the target IP
2) go through the rcpt from/mail to protocol, and when you have
   the information, check it in your whitelist.  If it is present,
   open a connection with the original target, repeat the rcpt/mail
   exchange (not forgetting the HELO) and then sit back and transparently
   proxy the rest of the connection.

It's doable, it's just not easy.  That plus a lot more is what the
filter I was talking about in the other thread does; maybe if it's not
too difficult, I'll do a shorter version which doesn't have the majority
of my code, but just adds the logic above to spamd, if there's any interest?

It does require spamd to be running in a transparent bridge. *NOT* a
NAT gateway, which is the most common configuration.

By the way, the other improvement I'd make in spamd if I had my druthers, is
that it would have the option of accepting the initial email and returning
the tempfail code at the end of the data exchange rather than before it as it
currently does.  This would allow proper QA on the rejected mails.  You'd
need to create a signature of an email and when the mail went through
successfully on the second attempt, locate the original copy using the
signature and remove it from the cache; mails which never retried would
remain in the cache, and would be swept after an appropriate time out,
giving you a good record of rejected mails.  You could either use this info
to generate stats, or you could run the mails through a traditional
spam filter as a consistency check, to try to detect genuine connections
that had been inadvertently blocked.  Or if you're sure all the
rejects were genuinely spam, you could feed the saved copies into
spam filter training, or to a cooperative net project like Vipul.
Lots of scope there for new features.


Graham
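The envelope-then-relay sequence from the numbered steps above, written out as an added Python sketch (not Graham's filter, not spamd's code): the proxy holds the HELO/MAIL FROM/RCPT TO exchange, answers 451 on a greylist miss, and on a pass replays the envelope to the remembered target and relays the rest of the session. `FakeMTA`, the greylist delay, the addresses and the session lines are constructed stand-ins; a real deployment would open a TCP connection to the original target.

```python
class GreylistDB:
    """In-memory greylist: a (src_ip, sender, recipients) triple is held until it is
    retried after `delay` seconds; once a triple passes, its source IP is whitelisted."""
    def __init__(self, delay=300):
        self.delay = delay
        self.first_seen = {}      # triple -> timestamp of the first attempt
        self.whitelist = set()    # source IPs that have already passed greylisting

    def passes(self, src_ip, triple, now):
        if src_ip in self.whitelist:
            return True
        first = self.first_seen.setdefault(triple, now)
        if now - first >= self.delay:
            self.whitelist.add(src_ip)
            return True
        return False

class FakeMTA:
    """Stand-in for the real MTA (constructed for this example; a real proxy would
    open a TCP connection to target_ip and speak SMTP over it instead)."""
    def __init__(self, target_ip):
        self.target_ip = target_ip
        self.received = []        # every line the proxy forwarded to us
        self.in_data = False

    def send(self, line):
        self.received.append(line)
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 OK: queued"
            return None           # message body lines get no per-line reply
        if line.upper() == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "250 OK"

class GreylistProxy:
    """One client connection: 1) remember the original target, 2) collect the envelope
    and consult the greylist at DATA, 3) on a pass replay HELO/MAIL/RCPT to that target,
    4) relay everything that follows; on a hold answer 451 the way spamd does."""
    def __init__(self, src_ip, target_ip, db, connect, now):
        self.src_ip, self.target_ip, self.db = src_ip, target_ip, db
        self.connect, self.now = connect, now     # connect(target_ip) -> upstream, now() -> secs
        self.helo, self.sender, self.rcpts, self.upstream = None, None, [], None

    def handle(self, line):
        """Process one client line; return the reply to send back (None = nothing)."""
        if self.upstream is not None:             # step 4: transparent relay
            return self.upstream.send(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = line
            return "250 greylist-proxy"
        if verb == "MAIL":
            self.sender = arg                     # "FROM:<...>"
            return "250 OK"
        if verb == "RCPT":
            self.rcpts.append(arg)                # "TO:<...>"
            return "250 OK"
        if verb == "DATA":
            if self.helo is None or self.sender is None or not self.rcpts:
                return "503 Bad sequence of commands"
            triple = (self.src_ip, self.sender, tuple(sorted(self.rcpts)))
            if not self.db.passes(self.src_ip, triple, self.now()):
                return "451 Temporary failure, please try again later"
            self.upstream = self.connect(self.target_ip)   # step 3: replay the envelope
            for replay in [self.helo, f"MAIL {self.sender}"] + [f"RCPT {r}" for r in self.rcpts]:
                self.upstream.send(replay)
            return self.upstream.send(line)
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"

# Constructed sample exchange (not captured traffic); addresses are documentation ranges.
ENVELOPE = ["EHLO mx.example.net", "MAIL FROM:<alice@example.net>",
            "RCPT TO:<bob@example.org>", "DATA"]
BODY = ["Subject: hello", "", "Are we greylisted?", "."]

def demo(delay=300):
    """First attempt is held with 451; the retry after `delay` is relayed to the MTA."""
    db, clock, mtas = GreylistDB(delay), [1000.0], []
    def connect(target_ip):
        mtas.append(FakeMTA(target_ip))
        return mtas[-1]
    p1 = GreylistProxy("203.0.113.5", "192.0.2.25", db, connect, lambda: clock[0])
    first = [p1.handle(line) for line in ENVELOPE]      # 451 on DATA, client gives up
    clock[0] += delay + 60                               # the sending MTA retries later
    p2 = GreylistProxy("203.0.113.5", "192.0.2.25", db, connect, lambda: clock[0])
    second = [p2.handle(line) for line in ENVELOPE + BODY]
    return first, second, mtas, db
```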



Re: ksh segfaults

2005-10-26 Thread Ted Unangst
On 10/26/05, Otto Moerbeek [EMAIL PROTECTED] wrote:
 On Wed, 26 Oct 2005, Tobias Ulmer wrote:
  GNU gdb 6.3
  [...]
  This GDB was configured as i386-unknown-openbsd3.7...
  Core was generated by `sh'.
  Program terminated with signal 11, Segmentation fault.
  #0  0x1c027ed6 in _weak__thread_fd_unlock ()
  (gdb) backtrace full
  #0  0x1c027ed6 in _weak__thread_fd_unlock ()
  No symbol table info available.
  #1  0x1c028025 in _weak__thread_fd_unlock ()
  No symbol table info available.
  #2  0x1c027b48 in _weak__thread_fd_unlock ()
  No symbol table info available.
  #3  0x1c028095 in _weak__thread_fd_unlock ()
  No symbol table info available.
  #4  0x1c028395 in malloc ()
  No symbol table info available.
  #5  0x1c03c90e in atexit ()
  No symbol table info available.
  #6  0x1c0002e9 in __register_frame_info ()
  No symbol table info available.
  #7  0x1c000155 in __init ()
  No symbol table info available.
  #8  0x1c0001ee in ___start ()
  No symbol table info available.
  #9  0x1c00016f in _start ()
  No symbol table info available.
 
  My _guess_ is that it has something to do with the test condition if the
  lock-file still exists and then is deleted shortly after (This is called
  a race condition, right?). I tried to grep /usr/src but it takes hours
  (PIO4, no DMA...) and I didn't find out where this thread_fd_unlock
  function is nor what it does.

it's a stub in libc, does nothing.  i don't think the test has
anything to do with it, certainly shouldn't cause a crash.

 This is strange. From the trace it looks like you are crashing in code
 that is executed before sh is running. What is extra strange is that
 your code is executing thread specific stuff, which isn't supposed to
 happen in a single threaded program like sh is.

there are stubs in libc (that's why it's weak).  i think the trace's
tail is wrong, the crash is in malloc.



Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Graham Toal
 It *ought* to be possible to configure both hostname.xl0 and hostname.fxp1
 as dhcp, and whichever one comes up first, will then bridge through the
 DHCP server for the other.  Unfortunately it just happens by luck of
 alphabetical order, that the one which comes up first is *not* looking
 at a DHCP server.  So after a relatively short period of retries it
 goes to sleep.  Then the other interface asks for its dhcp address and
 gets it quickly.  What I expected was that the first would sleep for a
 short time then ask again, and get it OK.  I haven't seen that happen -
 about 30 minutes later and the interface still has no IP.

I was thinking when I posted this that the problem was that the
interfaces picked up IP addresses in the wrong order.  That would
be true if we were routing from one to the other, but in fact I've
just realised that the real problem is that the interfaces are brought
up *before the bridging is turned on*.  So naturally only one
of them will be facing a DHCP server.  The other one should only get
its IP address *after* the bridging is enabled.  It never does.

I think the problem may be a misunderstanding of dhclient.  Why is it not
retrying?  The man page doesn't give any clues.  It *is* still running, as
can be seen from ps.  I'm not accidentally blocking it with pf as my
pf.conf allows everything from anywhere to anywhere!  Do I have to do
something special to make dhclient wake up?  (Yes, I know I can manually
kill it and re-issue the command, and I can even automate it by writing
a script to grep ifconfig -A, find the interface that has no IP, look
for the dhclient for that interface, kill it and restart it - but as I
said I'm looking for a guru-level elegant solution, not a crude hack...)

Or might this be one of these bridging problems where the packets
are going out on the wrong interface...?  (thinking aloud as I type here...)
OK, I'll go do some tcpdumping.

Assuming that the problem turns out to be that the dhcp request for
fxp1 is always routed out of fxp1 (makes sense, right?) what can I do
to have it routed out the other interface via bridging?  (Remembering
that the solution has to work symmetrically, if in some other deployment
it is the other of the two interfaces which can't see the DHCP server...)

thanks

Graham



Problems booting after installing OpenBSD 3.8 on Compaq Proliant G1/G2 SmartArray

2005-10-26 Thread Eric Ziegast
A while back, I had problems installing OpenBSD on Proliants.  I'd get all the 
way through the installation process and reboot the computer, and the BIOS 
wouldn't boot OpenBSD from the first RAID1 hard disk. Playing with 
disklabel and using other commands to copy the MBR didn't work.  If I boot from 
floppy or CD, I can chroot into my installed operating system just fine.  It 
just wouldn't boot.  Looking through the OpenBSD lists, I didn't find the 
answer, so I posted asking for help.

I found that the problem wasn't with my BSD install, but I needed to perform an 
additional installation step with my Proliant.  When installing operating 
systems, best practices include using the Compaq SmartStart CD that comes with 
the system.  If I boot with that CD and use the Erase Utility, it erases all 
past settings from BIOS, NVRAM and hard drives.  I then go into the BIOS menus 
to change the default operating system from Windows to Other OS, and then 
initialize the RAID controller for the hard drives that I have installed.

When installing OpenBSD 3.8, the installer detects my first RAID1+0 disk on the 
SmartArray 5 controller (ciss0) and uses it as sd0.  After installing, the 
boot loader works when I reboot.

I'm sure someone else will run into this problem, so I'm posting my info to 
misc@ so that someone else in the future will find it using the search 
functionality on the mail lists.

/
Eric Ziegast



Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Graham Toal
 Assuming that the problem turns out to be that the dhcp request for
 fxp1 is always routed out of fxp1 (makes sense, right?) what can I do
 to have it routed out the other interface via bridging?  (Remembering
 that the solution has to work symmetrically, if in some other deployment
 it is the other of the two interfaces which can't see the DHCP server...)

Confirmed that this is the problem.  Two ways: 1) I changed /etc/netstart
to bring up the bridge before it configures the interfaces.  Dirty, but
it works - and the internal interface still didn't manage to talk to
the dhcp server; and 2) I manually killed the dhclient process for fxp1
once everything was running smoothly from a clean boot, and manually
started dhclient -d fxp1 - and again, it did not talk to the dhcp
server even though the bridge was already running by that point for sure..

I could force the traffic from one interface to the other with pf
and a route-to option, but only if I know which interface the dhcp
server is connected to.  Since I cannot make that assumption (it
depends on where in the network the bridge is inserted) I can't see
a solution.  Well, short of some really hacky code to scan the output
of ifconfig -A, and rewrite a new version of pf.conf on the fly.

Can anyone think of some ingenious rule for pf that will get me what
I need?  This is the last significant stumbling block in a long
project to build a completely idiot-proof spam filter that works
just like a commercial appliance - plug it in and use it, no
config necessary.  (Actually the *last* stumbling block will be
a completely idiot-proof installer - or a live CD - but I'll cross
that bridge when I come to it.  No pun intended.)

Graham



Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Kevin Frand
Why not start the system with one interface down (so you know which way 
to route to) then up it at the end of the boot sequence and start the 
dhclient?


Graham Toal wrote:


Assuming that the problem turns out to be that the dhcp request for
fxp1 is always routed out of fxp1 (makes sense, right?) what can I do
to have it routed out the other interface via bridging?  (Remembering
that the solution has to work symmetrically, if in some other deployment
it is the other of the two interfaces which can't see the DHCP server...)
   



Confirmed that this is the problem.  Two ways: 1) I changed /etc/netstart
to bring up the bridge before it configures the interfaces.  Dirty, but
it works - and the internal interface still didn't manage to talk to
the dhcp server; and 2) I manually killed the dhclient process for fxp1
once everything was running smoothly from a clean boot, and manually
started dhclient -d fxp1 - and again, it did not talk to the dhcp
server even though the bridge was already running by that point for sure..

I could force the traffic from one interface to the other with pf
and a route-to option, but only if I know which interface the dhcp
server is connected to.  Since I cannot make that assumption (it
depends on where in the network the bridge is inserted) I can't see
a solution.  Well, short of some really hacky code to scan the output
of ifconfig -A, and rewrite a new version of pf.conf on the fly.

Can anyone think of some ingenious rule for pf that will get me what
I need?  This is the last significant stumbling block in a long
project to build a completely idiot-proof spam filter that works
just like a commercial appliance - plug it in and use it, no
config necessary.  (Actually the *last* stumbling block will be
a completely idiot-proof installer - or a live CD - but I'll cross
that bridge when I come to it.  No pun intended.)

Graham


 



--

Kevin Frand
Systems Engineer
eFilm
(323) 308-3013
[EMAIL PROTECTED] 



Re: IBM Thinkpad X41 report?

2005-10-26 Thread Mattieu Baptiste
2005/8/30, Alexander von Gernler [EMAIL PROTECTED]:
 just resumed my work on i386-laptop.html after vacation, and I noticed
 we don't have any reports on the IBM/Lenovo Thinkpad X41.

 Does anyone out there have this machine running under OpenBSD?
 Please report.

Hi all,

It's not an X41, but I want to give some feedback on new IBM/Lenovo T
Series (T43 2668 in my case).
All works fine on -current (beginning of October): apm, bge, iwi, usb,
sound, aps, x, ... Only EST can't adjust the CPU speed: it seems to
require ACPI on new 533MHz bus Pentium M.

If it can help, I attach a diff (the lines of the page are too long
for including it in the mail) containing the details for
i386-laptop.html. It adds my entry, my contact and links to dmesg and
xorg.conf.

Cheers,
--
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of i386-laptop.diff]



Re: mount_null

2005-10-26 Thread Alexander Hall

Jonas Carlsson wrote:
In what ways will I suffer if I simply re-enable null mounts to bring 
some discspace from /home into my apache chroot on a much smaller /var 
partition? I've used this solution without problems for a few versions.


Maybe you won't suffer at all, maybe you get corrupted file systems 
and/or system meltdowns. If the latter, no one here will be willing to 
help you out since what you've done is officially unsupported.


When I used it things went bad when unmounting the nullfs's, but that was 
a long time ago.


If at all possible, and it most likely is, try to find another way. I 
store files at /var/www/users/user and symlink ~user/www to it. 
Possibly move the entire home dir into the chroot.


/Alexander



Re: Migrating to a new HD

2005-10-26 Thread Alexander Hall

Han Boetes wrote:

It started with my HD failing to sync when I was rebooting. And
some odd errormessages I saw. So I was holding my breath hoping
for it to be something else or just an incident.


Déjà vu. You are describing my laptop with its crappy Hitachi hard drive.


But it only got
worse. So after a reboot and nearly losing a lot of important
stuff I decided to make the switch.


I wonder what it will take for me to get my thumbs out of my ass. 
Probably something similar. Hopefully not.


Anyway:


# There are two ways I found pretty comfortable to copy dirs. cp
# -Rp is fast. rsync shows what's going on, and you can easily
# update the remaining differences. So if you don't want to use
# rsync you'll have to do the copying in single user mode.

cp -Rp /etc .
rsync -aP /var .


cp does not preserve hard links. There may be other issues too. If not 
using dump|restore (as mentioned in previous replies), I'd say pax is 
the OpenBSD way to copy directories. :)


mkdir "$TARGET" && cd "$SOURCE" && pax -rwpe . "$TARGET"

/Alexander



Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Alexander Hall

Graham Toal wrote:

I could force the traffic from one interface to the other with pf
and a route-to option, but only if I know which interface the dhcp
server is connected to.  Since I cannot make that assumption (it
depends on where in the network the bridge is inserted) I can't see
a solution.  Well, short of some really hacky code to scan the output
of ifconfig -A, and rewrite a new version of pf.conf on the fly.


Maybe you could use dup-to, both ways?

/Alexander



auich and linux emulation

2005-10-26 Thread James Wright
anyone have any luck getting apps running under linux emulation that 
don't check whether they can play at certain sampling rates to play 
properly on hardware like auich(4) stuck on 48kHz?


I've tried running the redhat esound libs against the native daemon with 
no luck (sound doesn't play).
Running the emulated esound daemon lets the app run until one sample has 
played, after which the apps loop forever on failed socketcalls.

Running the esddsp app against either daemon fails to play sound.



Re: auich and linux emulation

2005-10-26 Thread Michael Shalayeff
Making, drinking tea and reading an opus magnum from James Wright:
 anyone have any luck getting apps running under linux emulation that 
 don't check whether they can play at certain sampling rates to play 
 properly on hardware like auich(4) stuck on 48kHz?

most of the apps do not bother checking the actual rate set.
it is not exactly a problem of linux binaries.

 I've tried running the redhat esound libs against the native daemon with 
 no luck (sound doesn't play).
 Running the emulated esound daemon lets the app run until one sample has 
 played, after which the apps loop forever on failed socketcalls.
 Running the esddsp app against either daemon fails to play sound.

cu

-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: Wireless bridge setup

2005-10-26 Thread Anwar Puthu
Robert,
If I remember correctly, bridging only works in hostap mode.

Rgds,

Anwar Puthu
___
Sent with SnapperMail
www.snappermail.com

.. Original Message ...
On Tue, 25 Oct 2005 12:36:04 +0200 Robert Stepanek [EMAIL PROTECTED] 
wrote:
Hi list,

When setting up a wireless bridge to connect two ethernet segments in  
OpenBSD3.7 I encounter the following problem:

When sending a ping from one ethernet segment to the other the ARP  
request gets transmitted over my WLAN. The counterpart on the  
wireless bridge setup sends the ARP response request on the WLAN as  
well. However, the ARP response never reaches the wireless interface  
on the source bridge (at least checking with tcpdump) and the ping  
fails.

Here is my setup:

192.168.1.1-testbox1 --ethernet-- sis0:wi0-bridge1 -- wifi --  
wi0:sis0-bridge2 --ethernet-- 192.168.1.2-testbox2

All boxes run OpenBSD3.7 GENERIC kernel.

I am using two PRISM2.5 ISL3874A(Mini-PCI) cards with the wi driver.  
bridge0 is in hostap mode (Port type 6), bridge1 in BSS mode (Port  
type 1).

Both bridge boxes have net.inet.etherip.allow=1 and  
net.inet.ip.forwarding=1

pfctl is disabled.

I somehow have the feeling that I am conceptually wrong here. Any  
help on this or a similar setup would be great.

Thanks a lot,
Robert



Re: Wireless bridge setup

2005-10-26 Thread Theo de Raadt
 If I remember correctly, bridging only works in hostap mode.

Bingo, someone remembered -- and that is correct.

In the other modes, MAC addresses of course do not get exposed
correctly, and your access point cannot impersonate the other
hosts it is required to.

It is fairly obvious if you think about it.



Notes on RAID1 Root Tutorial Adaption

2005-10-26 Thread Brian A. Seklecki
...a while back, i wrote a tutorial for RAIDFrame RAID1 as a root FS on 
NetBSD.  I used the bootstrap method.  Sometime not soon after, NetBSD 
added RAIDFrame to the INSTALL* kernels and presumably menus to sysinst, 
mitigating the need for this approach.


the bootstrap process is:

*) do a basic install on component0
*) use the base install to create a RAID set composed of a single member:
   component1
*) copy the system over
*) boot component1 in degraded mode
*) destroy the original install on component0 and import it into RAID
*) sync component1 back to component0

...however, this is still the applicable process for OpenBSD, as OpenBSD 
INSTALL and GENERIC kernels lack RAIDFrame.   moreover, the boot blocks 
lack support for booting RAID volumes, so there are some caveats


here are some notes for adapting the process:


Firstly, per:
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=4567

  pseudo-device   raid4   # RAIDframe disk driver
  option RAID_AUTOCONFIG

...must be added to GENERIC.  They are not present.  Update your src and 
re-roll your kernel.



16.3.3. Initial Install on Disk0/wd0

  for simplicity in the original tutorial, i recommend one big slash
  plus swap

  its important to note that although only a basic system is required on
  wd0/component0, you simplify the system bootstrap process by laying out
  the file system slices/mountpoints the way you plan on the eventual RAID
  volume (*even though* the sizes of slices will be different.)  see below


16.3.3. Initial Install on Disk0/wd0

  apparently /dev/{r,}wd[0-9] behave differently in obsd.  instead of:

# dd if=/dev/zero of=/dev/rwd1d bs=8k count=1

   one would use

# dd if=/dev/zero of=/dev/wd1c bs=8k count=1

   note: use the character device instead of the raw device

   ...or disklabel -E wd1 and then D + w, but this method won't blow
   away the MBR label.


Next, instead of:

# fdisk -0ua /dev/rwd1d

do:

# fdisk -i wd1

   and y at the prompt.

   next  instead of:

# disklabel -r -e -I wd1

do:

# disklabel -E wd1

   or -e if you prefer $EDITOR style.  create your file systems
   as you prefer.

   this is where the process differs greatly.  in the netbsd tutorial,
   i suggest disklabel'ing each RAID1 component member disk entirely
   a RAID slice.

   for a number of reasons, this must differ on openbsd.  i recommend that
   each member's a: slice be a 128mb 4.2BSD FFS slice.  i recommend b:
   be a RAID type slice the size of which the SWAP partition will be.  i
   recommend that d: be the remainder of the disk, type RAID

   this will be explained later



a d

offset: [1310400]
size: [25389630]
FS type: [4.2BSD] RAID

w
p m

device: /dev/rwd1c
type: ESDI
disk: ESDI/IDE disk
label: IBM-DPTA-371360
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total bytes: 13043.0M
free bytes: 0.0M
rpm: 3600

16 partitions:
#        size   offset    fstype [fsize bsize  cpg]
  a:   127.9M     0.0M    4.2BSD   2048 16384   16 # Cyl     0*-   259
  b:   511.9M   128.0M      RAID                   # Cyl   260 -  1299
  c: 13043.0M     0.0M    unused      0     0      # Cyl     0 - 26499
  d: 12397.3M   639.8M      RAID                   # Cyl  1300 - 26488*


16.3.5. Initializing the RAID Device

this step unchanged, except the magic absent keyword trick does not
exist in raid.conf

of course, raidctl -C [.conf] and raidctl -I will need to be run for
raid0 and raid1.  -I should have different serials for each, so
2005101801 for raid0 and 2005101801 for raid1.


16.3.6. Setting up Filesystems

   unchanged.  when disklabel(8)'ing raid0, a: can be offset 0, size of
   the entire meta-disk, type swap

   when disklabel(8)'ing raid1, a:, b:, d: - m: can be your
   optimal slice configuration.  use the disklabel on wd0 as your
   reference.  however there's an offset because b: on wd0 was your
   original swap partition on your initial system, therefore map as so:

   wd0:  raid1:
   a:a:
   d:b:
   e:d:
   f:e:
   ...


   When newfs(8)'ing, raw devices must be used.  the following would need
   to be newfs(8)'d,  -0 flag does not apply.

   /dev/rwd1a
   /dev/rraid1a
   /dev/rraid1b
   /dev/rraid1d
   /dev/rraid1e
   

   /dev/rraid0a will be swap and does not need to be newfs(8)'d


16.3.8. Migrating System to RAID

   two changes:

   instead of using pax(1) to recursively copy / from the wd0 base
   install to the FFS/UFS/4.2BSD slices on /dev/raid1, i recommend using
   dump(1)/restore(8) instead (because they work at the file system level)


if the base install looked something like:

# df
Filesystem  1K-blocks      Used     Avail Capacity  Mounted on
/dev/wd0a     1035440     38460    945208     4%    /
/dev/wd0g     2812608        12   2671966     0%    /home
/dev/wd0d     4125138   1285796   2633086    33%    /usr
/dev/wd0e     2062928      8086   1951696     0%    /var
/dev/wd0f     2062928        88   1959694     0%    /var/log

then the steps would be:

# mkdir 

Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Uwe Dippel
On Wed, 26 Oct 2005 11:42:43 -0500, Graham Toal wrote:

 What I expected was that the first would sleep for a
 short time then ask again, and get it OK.  I haven't seen that happen -
 about 30 minutes later and the interface still has no IP.

[This goes vastly OT, I know:]

I am blank astonished that it seems to be impossible to get two
independent NICs picking up their IPs from different networks; or even the
same network, that is.
What is wrong in my understanding, that if I plug 7 NICs and connect them
(or do not connect them) to a DHCP server, that all of them independently
try to get an IP ?

Uwe



Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Pereresus ne Vlezaet Buggy
Oct 26 2005 c. 20:42 Graham Toal wrote:
 I wanted to set up a system which has two ether cards (it's part of
 a transparent bridge so it'll be inline with someone's connection)
 such that it'll pick up a DHCP address on *both* cards ... the
 trick comes from not knowing in advance whether the DHCP server
 will be on the inside connection or the net-facing one.  (i.e. if
 the bridge is deployed near the network edge, the DHCP server is
 inside; but if it is deployed immediately in front of a single
 server, then it will see DHCP facing outwards).

 It *ought* to be possible to configure both hostname.xl0 and
 hostname.fxp1 as dhcp, and whichever one comes up first, will then
 bridge through the DHCP server for the other.  Unfortunately it
 just happens by luck of alphabetical order, that the one which
 comes up first is *not* looking at a DHCP server.  So after a
 relatively short period of retries it goes to sleep.  Then the
 other interface asks for its dhcp address and gets it quickly. 
 What I expected was that the first would sleep for a short time
 then ask again, and get it OK.  I haven't seen that happen - about
 30 minutes later and the interface still has no IP.

 What's the best way to ensure that they both get IPs as quickly as
 possible?  I can think of some dirty hacks, but I don't like the
 solutions I've come up with. (For example, if I kick off the dhcp
 client requests in the background, that interferes with the rest of
 the boot sequence).

 Has anyone had this configuration before and come up with an
 elegant solution?

Maybe I'm wrong (the only OBSD box with two NICs on different 
networks I have at this time is a production box and cannot be 
switched off now), but maybe this helps:

1) Disable sysctl net.inet.ip.forwarding in sysctl.conf
Then, in rc.local:
2) Initialize network manually (call dhclient)
3) Enable forwarding
4) Configure and wake up bridge

IMHO, this'll look like static IP address given to bridge 
interfaces...

-- 
  With my best,
Pereresus ne Vlezaet Buggy



Re: know any neat tricks for 2 * dhclient?

2005-10-26 Thread Graham Toal
  What I expected was that the first would sleep for a
  short time then ask again, and get it OK.  I haven't seen that happen -
  about 30 minutes later and the interface still has no IP.

 [This goes vastly OT, I know:]

 I am blank astonished that it seems to be impossible to get two
 independent NICs picking up their IPs from different networks; or even the
 same network, that is.
 What is wrong in my understanding, that if I plug 7 NICs and connect them
 (or do not connect them) to a DHCP server, that all of them independently
 try to get an IP ?

They're not both connected to a DHCP server.  The DHCP server is
only connected to one of the NICs.  Nevertheless I want both NICs
to get an IP from that DHCP server.  I thought I could do it because
they were bridged NICs.  I was wrong.

Graham