Problems with static vpn

2005-11-03 Thread Andreas Krummrich

my OpenBSD 3.7 box at home establishes a static pptp connection to my
company's vpn server.
From any client at home, I can ping any server in the company. But I
can't ping any client at home from the company.
I have to ping a client at work, from any client at home, in order to
access my clients at home from the company.
PF is not enabled on the box. It seems that the vpn is static for
clients from outside my home net.

Can anyone help? Perhaps it is just a missing parameter in the config

Thanks in advance!

Kind regards,

OPENVPN - openssl question

2005-11-03 Thread man Chan

For the past week, I have been trying to get information to
set up a secure way for my obsd(3.8) AP <---> XP.  I
found the following document:

Has anyone tried this out successfully? I was
stopped at the OpenSSL CA & Certificates.  The error
is like this

openssl req -new -x509 -keyout private/CA_key.pem -out
CA_cert.pem -days 9125
Error Loading extension section CA_extensions
12446:error:2207C082:X509 V3
routines:DO_EXT_CONF:unknown extension
12446:error:2206B080:X509 V3
routines:X509V3_EXT_conf:error in

The openssl.cnf is 


[ ca ]
# Default directives for ca command

# reference to a new section name

[ CA_default ]

# Default directives for the ca command
# referred from [ ca ] section
dir   =/etc/ssl
# openssl working directory

crl_dir   =$dir/crl
# directory for certificate revoke file

database  =$dir/index.txt
# index file for every issued certificate

new_certs_dir =$dir/certs
# where copies of each certificate is stored.
# each copy is identified as nn.pem
# nn corresponds with the index number in index.txt
certificate   =$dir/CA_cert.pem
# Name of the Certificate Authority's Certificate
# File is used in signing or revoking a certificate

# The serial number to use for the next certificate
# Same as 'serialfile' option and serials text.

crl   =$dir/crl/crl.pem
# File that contains the list of revoked certificates.
private_key   =$dir/private/CA_key.pem
# Private key of the Certificate Authority

RANDFILE  =$dir/private/.rand
# Private random number file

default_days  =9125
# Days a signed cert is valid

default_crl_days  =30
# Days before the next certificate revocation list

# Message digest algorithm- md5, sh1 or mdc2

# All certificates must have a unique, distinguished

# Reference section for policy enforced when signing a
x509_extensions   =user_extensions
# reference section when ca command signs certificate

[ policy_any ]
# Default directives while signing a request
# Referenced from [ CA_default ] section

# organizationName must match CA_cert

organizationalUnitName  =optional
# certificate does not have to have

commonName  =supplied

# certificate must have commonName but is supplied by

[ req ]
# Default directives for the req command
# (Public Key is contained in the certificate request)


default_keyfile =privkey.pem
# default key file location but -keyout command overrides

distinguished_name  =req_distinguished_name
# Reference section for assembling the distinguished

x509_extensions =CA_extensions
# Reference section when req & -x509 commands are invoked

[ req_distinguished_name ]
# Default directives for the req command
# referenced from [ req ] section
# Presents user prompts to assemble the distinguish

organizationName=Organization Name (must match

organizationalUnitName  =Location Name

commonName  =Common User or Org Name

# These two values above can be changed but not
# their values will appear as prompts when creating
# Max characters in common name.

commonName_max  =64

[ user_extensions ]
# default directives when ca command signs a
# referenced from [ CA_default ]
# The certificate is not allowed to sign other objects

[ CA_extensions ]
# default directives for req & -x509 command
# referenced from [ req ] section
# added extensions when request creates self signed

# Certificate is allowed to sign other new

default_days  =9125
# Days a self sign cert is valid.  If not used, the default
# of 30 days may be applied and VPN clients will not be able
# to connect after it expires.

[ server ]
# Optional directives for ca & -extensions server commands
# Overrides [ user_extensions ] section normally
# by the ca command alone.
nsCertType  =server
# signing a server certificate requires this extension
# prevent man in the middle attacks.  Allows OpenVPN
# to use ns-cert-type server in OpenVPN configuration
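An added example, not from the thread: the req -x509 failure comes from default_days = 9125 sitting in [ CA_extensions ], the section that [ req ] names through x509_extensions, so OpenSSL parses that key as an X.509v3 extension and reports "unknown extension" for value=9125. Below, the posted section beside a corrected one that keeps only real extensions (for req -x509 the lifetime comes from -days on the command line, which the posted command already passes; default_days in [ CA_default ] covers certificates later signed with openssl ca). The keyUsage and subjectKeyIdentifier lines are conventional CA additions, not from the post.

```ini
# Added example (not from the thread): the posted [ CA_extensions ] beside a
# corrected one.  Every key in the section that [ req ] names through
# x509_extensions is parsed as an X.509v3 extension, so a ca-command
# setting such as default_days must not appear there.

# ---- as posted: fails with "unknown extension ... value=9125" ----
[ CA_extensions_as_posted ]
basicConstraints = CA:TRUE
# default_days is a [ CA_default ] key, not an extension; this is the line
# that openssl req -x509 rejects when loading the section.
default_days = 9125

# ---- corrected ----
[ req ]
default_bits       = 2048
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions    = CA_extensions
# No default_days here either: for req -x509 the lifetime is the -days
# argument (the posted command already passes -days 9125).
# [ req_distinguished_name ], [ policy_any ] and [ user_extensions ] stay
# as posted.

[ CA_extensions ]
# Only real extensions in this section.  keyUsage and subjectKeyIdentifier
# are conventional CA extensions added for this example; the post had
# basicConstraints alone.
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ CA_default ]
# (other keys as posted)
# default_days belongs here; it governs certificates signed with openssl ca.
default_days = 9125
```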





Ralink 802.11g PCI wireless cards

2005-11-03 Thread Andy Hayward
In case anyone from .uk is interested, are currently
selling a couple of Ralink RT2560 based 802.11g wireless cards
(supported under OpenBSD by ral(4)):

  Edimax EW-7128G 54Mbps Wireless PCI Card

  Gigabyte GN WPKG - Wireless PCI Card Ralink 64/128Web Roaming

The Edimax card is slightly cheaper and has a remote antenna with
about a metre of lead, but otherwise they're identical. :)

This message may contain mild peril.

Re: device timeout when mounting cd

2005-11-03 Thread Lukáš Macura
Hello all,

I can reproduce same error on my machine. CD does not work. Everything
ends with timeouts.

Best regards,

On Po, 2005-10-31 at 09:49 +1300, Stephen Nelson wrote:
> How did you go fixing your problems with the 336? I have a couple of
> 336 machines that I want to boot from CD as firewalls but I can't get
> my 336 to read a CD. When I attempt, the device times out. Can your
> machine read from  a CDROM?
> I've posted on the OpenBSD-misc mailing list, so probably best to CC
> to that list.
> Thanks,
> Stephen Nelson


Re: PPTP in 3.7

2005-11-03 Thread Steve Murdoch

/usr/ports/net/poptop works excellently.

pf needs to allow protocol 47 and tcp 1723 plus need to allow traffic 
for specific tunnels created tun0 tun1 etc.

Generally the client will determine whether to use the created link as 
default route. If using windows check the tcp/ip
properties and advanced tab to deselect it as the default route.

Logical One wrote:

I am trying to find some current documentation or pointers on how to setup a
PPTP connection from my OpenBSD 3.7 firewall to my work VPN running PPTP.
I've seen quite a few things, but most are outdated or conflicting in the
instructions they give.  I have seen some references to the kernel
supporting this functionality natively while other say that recompiling the
kernel is necessary and still others say a third party program is needed.  I
am just looking for somewhere to start that has current information or maybe
even a copy of the configs from someone who has set this up before.  I'd
also like to find information on what settings are needed in pf if a PPTP
connection is used, but the networks is bridges are using the same
addressing scheme.  I also need to know how to configure the router
(OpenBSD) to pass traffic to certain addresses out the VPN connection,
others back into the LAN, and the rest out my cable connection.  I need to
know how to configure the VPN so that it is not my default gateway out since
my home connection is much faster than the T1 at my office where the VPN

Thanks for any pointers, hints, advice, configs or whatever else anyone has
to contribute and I'm sorry for being a bother, but while the information is
out there, I have been unable to find what is relevant to my config.


USB ralink vs. PCMCIA ralink

2005-11-03 Thread Lars Hansson
I have a hard time making up my mind which is better:
a USB ralink wireless (Surecom EP-9001G) or a PCMCIA ralink
wireless (Surecom EP-9428G).
According to "man ral" they're both supported so this question isn't about
different chipset but about what bus type is preferable: USB or PCMCIA.
Or if the Surecom USB (or PCMCIA) sucks and is crap please let me know.

Lars Hansson

Re: perl interface to pf?

2005-11-03 Thread Jesper Louis Andersen

John N. Brahy wrote:
Is there a perl interface to pf? 

No, and it would be totally insane to build one. PF is not a low-level 
assembly language for expressing ioctl(2) calls. It is an LALR(1) 
grammar for specifying firewall policies. Because of its high 
abstraction level compared to said assembly languages, chances are you 
do not need perl(1) at all for anything.

Hopefully, this shuts up the thread.

Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf

2005-11-03 Thread Jesper Louis Andersen

per engelbrecht wrote:

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 
'no synchronization' option for this connection. Do I need it at all.
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
it's needed in zebra and Cisco IOS hence the question.

A: ?

Using your own AS as a remote ASN will, per definition, make your BGP 
session into an internal BGP session. In the Ciscoeee world, no 
synchronization means to begin announcing your networks before higher 
priority network protocols are up and stabilized. Without you will wait 
for OSPF/IS-IS to stabilize first (For OSPF, there is a certain state in 
its state machine it has to reach for all broadcast clouds etc).

However, in modern BGP setups, you screw OSPF/IS-IS royally and ignore 
the stabilization. This is viable, since you ``nail down'' your networks 
as CIDR aggregates (to minimize the number of BGP prefixes you announce) 
and give a heck about internal reachability.

Oh, and while we are at Zebra: It's crap, kill it as soon as possible or 
install quagga. Case in point:

mirah% pwd
mirah% grep OSPF_LSA_HEADER ospf_lsa.c
  ospf_output_forward (s, OSPF_LSA_HEADER_SIZE);
  assert (l1->data->length > OSPF_LSA_HEADER_SIZE);
  ntohs( l1->data->length ) - OSPF_LSA_HEADER_SIZE) != 0)

Let's see... On the last line, we have identified that l1->data->length 
is in network byte order. But in the assert 2 lines up, we do _not_ have 
a ntohs() call.

This took a medium sized ISP down in Denmark because Zebra suddenly died 
due to the fact, that certain packets, if certain size, will be caught 
by the assertion and ospfd gets to say hello to the kernel thread known 
as reaper man.

Q: running ospf with all peers + carp intfaces in area and 
internal intfaces in area (and from ospfd.conf)

fib-update yes
redistribute connected
This is about redistributing routes - will the above let BGP and OSPF 
"play along" in the same way a 'redistribute ospf' in Zebra/Cisco IOS

A: ?

It will push directly connected routes into OSPF. That is, if the 
machine has a network to which it has a direct connection in the routing 
table, then the rest of your OSPF speakers will learn that this network 
is reachable by going through this router.

redistribute ospf in Ciscoee in the BGP section of the router 
configuration tells the IOS to take all OSPF learned routes and push 
them into BGP. This can be extremely dangerous to do, depending on the 

Q: default gateway is added to the routing table after all interfaces 
are configured. BGP is adding information into the routing table and so 
does OSPF (updates). That's 3 times "redistributing" of routes between 
different protocols and with 3 different administrative distances but 
still in/from the same table. Since directly connected (0) or static (1) 
connections are superior to e.g. eBGP (20) and OSPF (110) then should or 
shouldn't /etc/mygate be removed from a BGP router before putting it 
into production. Will it/can it mock the routing decision despite 
'weight' in bgpd.conf due to the lower distance.

A: ?

A more specific route will always match.

Normally, you do not need to redistribute routes between the protocols 
at all, considered all of your routers are running BGP as well as OSPF. 
BGP will then handle prefixes for external networks and OSPF will handle 
prefixes for internal ones in the case both BGP and OSPF have the route 
then BGP wins -- but note the note about specific matches ;)

Re: OPENVPN - openssl question

2005-11-03 Thread man Chan
Is there any difference between openssl 0.9.7d and
openssl 0.9.7g. ? The said http used 0.9.7d but mine
is 0.9.7g.


--- man Chan <[EMAIL PROTECTED]> wrote:

> hello,
> For the past week, I have been trying to get information to
> set up a secure way for my obsd(3.8) AP <---> XP.  I
> found the following document:
> Has anyone tried this out successfully? I was
> stopped at the OpenSSL CA & Certificates.  The error
> is like this
> openssl req -new -x509 -keyout private/CA_key.pem
> -out
> CA_cert.pem -days 9125
> Error Loading extension section CA_extensions
> 12446:error:2207C082:X509 V3
> routines:DO_EXT_CONF:unknown extension
> 12446:error:2206B080:X509 V3
> routines:X509V3_EXT_conf:error in
> value=9125

> The openssl.cnf is 
> ---
> [ ca ]
> # Default directives for ca command
> default_ca=CA_default
> # reference to a new section name
> [ CA_default ]
> # Default directives for the ca command
> # referred from [ ca ] section
> dir   =/etc/ssl
> # openssl working directory
> crl_dir   =$dir/crl
> # directory for certificate revoke file
> database  =$dir/index.txt
> # index file for every issued certificate
> new_certs_dir =$dir/certs
> # where copies of each certificate is stored.
> # each copy is identified as nn.pem
> # nn corresponds with the index number in index.txt
> certificate   =$dir/CA_cert.pem
> # Name of the Certificate Authority's
> Certificate
> # File is used in signing or revoking a certificate
> serial=$dir/serial
> # The serial number to use for the next certificate
> # Same as 'serialfile' option
> and serials text. 
> crl   =$dir/crl/crl.pem
> # File that contains the list of revoked
> certificates.
> private_key   =$dir/private/CA_key.pem
> # Private key of the Certificate Authority
> RANDFILE  =$dir/private/.rand
> # Private random number file
> default_days  =9125
> # Days a signed cert is valid
> default_crl_days  =30
> # Days before the next certificate revocation list
> default_md=md5
> # Message digest algorithm- md5, sh1 or mdc2
> unique_subject=yes
> # All certificates must have a unique, distinguished
> name
> policy=policy_any
> # Reference section for policy enforced when signing
> a
> request
> x509_extensions   =user_extensions
> # reference section when ca command signs
> certificate
> [ policy_any ]
> # Default directives while signing a request
> # Referenced from [ CA_default ] section
> organizationName=match
> # organizationName must match CA_cert
> organizationalUnitName  =optional
> # certificate does not have to have
> organizationalUnitName
> commonName  =supplied
> # certificate must have commonName but is supplied
> by
> user
> [ req ]
> # Default directives for the req command
> # (Public Key is contained in the certificate
> request)
> default_bits=2048
> default_keyfile =privkey.pem
> # default key file location but -keyout
> command
> overrides
> distinguished_name  =req_distinguished_name
> # Reference section for assembling the distinguished
> name
> x509_extensions =CA_extensions
> # Reference section when req & -x509 commands
> are invoked
> [ req_distinguished_name ]
> # Default directives for the req command
> # referenced from [ req ] section
> # Presents user prompts to assemble the distinguish
> name
> organizationName=Organization Name (must
> match
> CA)
> organizationName_default=ORGNAME
> organizationalUnitName  =Location Name
> commonName  =Common User or Org Name
> # These two values above can be changed but not
> required. 
> # their values will appear as prompts when creating
> certs/keys.
> # Max characters in common name.
> commonName_max  =64
> [ user_extensions ]
> # default directives when ca command signs a
> certificate
> # referenced from [ CA_default ]
> basicConstraints=CA:FALSE
> # The certificate is not allowed to sign other
> objects
> [ CA_extensions ]
> # default directives for req & -x509 command
> # referenced from [ req ] section
> # added extensions when request creates self signed
> certificate
> basicConstraints=CA:TRUE
> # Certificate is allowed to sign other new
> certificates.
> default_days  =9125
> # Days a self sign cert is valid.  If not used, the
> default
> # of 30 days may be applied and VPN clients will not
> be able
> # to connect af

Re: perl interface to pf?

2005-11-03 Thread Markus Wernig

Jesper Louis Andersen wrote:
> John N. Brahy wrote:
>> Is there a perl interface to pf? 

> No, and it would be totally insane to build one. 

Well, the only use that came to my mind was a perl daemon running on the
FW that accepts rule updates from a remote client. While that can be
done with other means (ssh, sh scripts), I can imagine that a perl class
for manipulating pf rules would come in handy for that.

Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf

2005-11-03 Thread per engelbrecht

Jesper Louis Andersen wrote:

per engelbrecht wrote:

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find 
a 'no synchronization' option for this connection. Do I need it at all.
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
it's needed in zebra and Cisco IOS hence the question.

A: ?

Using your own AS as a remote ASN will, per definition, make your BGP 
session into an internal BGP session. In the Ciscoeee world, no 
synchronization means to begin announcing your networks before higher 
priority network protocols are up and stabilized. Without you will wait 
for OSPF/IS-IS to stabilize first (For OSPF, there is a certain state in 
its state machine it has to reach for all broadcast clouds etc).

Hi jlouis

It was more of a what_can_option_[a-z] from Zebra be put on par with in 
OpenBGPD and/or do I need these options at all (different 
implementation) but thank you for your explanation.

However, in modern BGP setups, you screw OSPF/IS-IS royally and ignore 
the stabilization. This is viable, since you ``nail down'' your networks 
as CIDR aggregates (to minimize the number of BGP prefixes you announce) 
and give a heck about internal reachability.

Screwing IGPs from within EGPs keeps things apart, but they are 
(conceptually, at least in my head) still manipulating the same routing 
table. And yes of course I only announce our own net.
Returning 120.000+ prefixes (at that time) to a eBGP peer with inferior 
Cisco hw works like magic - the phone rings within minutes .. and 
they're not returning a call :)

Oh, and while we are at Zebra: It's crap, kill it as soon as possible or 
install quagga. Case in point:

.. install quagga ?

mirah% pwd
mirah% grep OSPF_LSA_HEADER ospf_lsa.c
  ospf_output_forward (s, OSPF_LSA_HEADER_SIZE);
  assert (l1->data->length > OSPF_LSA_HEADER_SIZE);
  ntohs( l1->data->length ) - OSPF_LSA_HEADER_SIZE) != 0)

Let's see... On the last line, we have identified that l1->data->length 
is in network byte order. But in the assert 2 lines up, we do _not_ have 
a ntohs() call.

This took a medium sized ISP down in Denmark because Zebra suddenly died 
due to the fact, that certain packets, if certain size, will be caught 
by the assertion and ospfd gets to say hello to the kernel thread known 
as reaper man.

Q: running ospf with all peers + carp intfaces in area and 
internal intfaces in area (and from ospfd.conf)

fib-update yes
redistribute connected
This is about redistributing routes - will the above let BGP and OSPF 
"play along" in the same way a 'redistribute ospf' in Zebra/Cisco IOS

A: ?

It will push directly connected routes into OSPF. That is, if the 
machine has a network to which it has a direct connection in the routing 
table, then the rest of your OSPF speakers will learn that this network 
is reachable by going through this router.

Which is also what I want.

redistribute ospf in Ciscoee in the BGP section of the router 
configuration tells the IOS to take all OSPF learned routes and push 
them into BGP. This can be extremely dangerous to do, depending on the 

Yes that could easily have disaster written all over it.

Q: default gateway is added to the routing table after all interfaces 
are configured. BGP is adding information into the routing table and 
so does OSPF (updates). That's 3 times "redistributing" of routes 
between different protocols and with 3 different administrative 
distances but still in/from the same table. Since directly connected 
(0) or static (1) connections are superior to e.g. eBGP (20) and OSPF 
(110) then should or shouldn't /etc/mygate be removed from a BGP 
router before putting it into production. Will it/can it mock the 
routing decision despite 'weight' in bgpd.conf due to the lower distance.

A: ?

A more specific route will always match.

Normally, you do not need to redistribute routes between the protocols 
at all, considered all of your routers are running BGP as well as OSPF. 
BGP will then handle prefixes for external networks and OSPF will handle 
prefixes for internal ones in the case both BGP and OSPF have the route 
then BGP wins -- but note the note about specific matches ;)

Thank you for joining in jlouis.


Re: USB ralink vs. PCMCIA ralink

2005-11-03 Thread damien . bergamini
You should prefer the PCMCIA one.
The RT2500USB chipset has poor support for per-node tx rate
adaptation and is thus a bad choice for hostap mode.


| I have a hard time making up my mind which is better:
| a USB ralink wireless (Surecom EP-9001G) or a PCMCIA ralink
| wireless (Surecom EP-9428G).
| According to "man ral" they're both supported so this question isn't about
| different chipset but about what bus type is preferable: USB or PCMCIA.
| Or if the Surecom USB (or PCMCIA) sucks and is crap please let me know.
| ---
| Lars Hansson

Re: perl interface to pf?

2005-11-03 Thread Chad M Stewart

On Nov 3, 2005, at 8:17 AM, Markus Wernig wrote:

Well, the only use that came to my mind was a perl daemon running on the
FW that accepts rule updates from a remote client. While that can be
done with other means (ssh, sh scripts), I can imagine that a perl class
for manipulating pf rules would come in handy for that.

Putting something listening on the network means now you've got to do  
encryption, authentication, verification, etc..  Seems like a lot of  
work for potentially not a lot of gain, at least IMO.  I'd rather  
rely on ssh, keys, sudo, and scripts to do it.


3.8 -- svnserve on inet6 only

2005-11-03 Thread Dominique Jacquel


I have just installed 3.8 from the CD :-) and FTPed all packages from It all went well but I am having a strange problem with 
subversion. svnserve does not seem to bind to inet but only to inet6.

I do a simple
sudo svnserve -d -r /my/repos
netstat -a -n -f inet | grep :3960

netstat -a -n -f inet6 | grep :3960
tcp6   0  0  *.3690 *.*LISTEN

I can confirm that

telnet 3690
telnet: connect to address Connection refused

telnet ::1 3690
Trying ::1...
Connected to ::1.
Escape character is '^]'.
( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) )

I am running 3.7 and 3.8 inside Vmware and this problem only appears in 
3.8. Under 3.7, svnserve is quite happy to respond through IPv4. Have I 
missed something here? How do I force svnserve to use IPv4 as well 
as/instead of IPv6?

Help would be appreciated :-)


Re: PPTP in 3.7

2005-11-03 Thread Logical One
Thanks all for the help, but I am still getting stuck at the error:

PPP: tun0: Warning: chat script failed
PPTP: log[decaps_hdlc:pptp_gre.c:129]: short read (0): invalid argument

I am using the stock ppp.conf sample file with the below text appended and
values changed to match my environment, but upon running the 'ppp
-background pptpclient' command, I get the above errors.  I'm using the pptp
version from the packages and have also tried compiling my own from source
(1.7.0) with no success.  Although this may be documented well, there
doesn't seem to be a clear concise howto or mini-howto for setting it up
with all the software together.

Thanks again,

-Original Message-
From: Mark Rolen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 02, 2005 9:38 PM
To: Logical One
Subject: Re: PPTP in 3.7

I'm writing this assuming you're connecting to a MS VPN server on the other
end?  The default on OpenBSD seems to be to use pppd, instead of ppp, and
the latter is the one that supports a MS VPN connection. First, install the
pptp package for OpenBSD. Then, in /etc/ppp/ppp.conf, put:

set device "!/usr/local/sbin/pptp 
set authname 
set authkey 
set mtu max 1490
set mru max 1490
set mppe 40 stateless
set timeout 60
disable pap
disable chap
accept chap81
disable ipv6cp
disable deflate pred1
deny deflate pred1
set login
set ifaddr

For the "authname" parameter, if you need to include a domain, ala
"nerdish\mark", use two backslashes instead of one:  nerdish\\mark.  I found
that the MS VPN server I was connecting to didn't require the domain at all,
just needed the valid username and password to successfully connect.

Then, for a 'manual' connect, do "ppp -background pptpclient", or to have
ppp automatically establish the connection whenever traffic tries to use one
of the routes you've at your tunnel, do "ppp -auto pptpclient".

For me, adding routes via ppp.conf didn't seem to work too well. 
Instead, there's a ppp.linkup file that works much better.  I believe
there's an example file in /etc/ppp/.


Logical One wrote:

>I am trying to find some current documentation or pointers on how to 
>setup a PPTP connection from my OpenBSD 3.7 firewall to my work VPN running
>I've seen quite a few things, but most are outdated or conflicting in 
>the instructions they give.  I have seen some references to the kernel 
>supporting this functionality natively while other say that recompiling 
>the kernel is necessary and still others say a third party program is 
>needed.  I am just looking for somewhere to start that has current 
>information or maybe even a copy of the configs from someone who has 
>set this up before.  I'd also like to find information on what settings 
>are needed in pf if a PPTP connection is used, but the networks is 
>bridges are using the same addressing scheme.  I also need to know how 
>to configure the router
>(OpenBSD) to pass traffic to certain addresses out the VPN connection, 
>others back into the LAN, and the rest out my cable connection.  I need 
>to know how to configure the VPN so that it is not my default gateway 
>out since my home connection is much faster than the T1 at my office 
>where the VPN connects.
>Thanks for any pointers, hints, advice, configs or whatever else anyone 
>has to contribute and I'm sorry for being a bother, but while the 
>information is out there, I have been unable to find what is relevant to my

OpenBSD Metastore

2005-11-03 Thread Jared Solomon

This looks like something cool to add.

"The AOpen MiniPC measures 6.5 x 6.5 x 2 inches, is powered by an
Intel Pentium M or Celeron M processor"

The only way to keep your health is to eat what you don't want, drink
what you don't like, and do what you'd rather not.
- Mark Twain

smartmontools (smartd) kills system

2005-11-03 Thread per engelbrecht

Hi all

[20051019 snap i386]

Running smartd on a SCSI/U320 based single-disk system kills the system 
at once! - dmesg further down.

(sysctl hw.disknames=sd0,cd0,fd0)

Snip of /etc/smartd.conf
/dev/sd0c -m [EMAIL PROTECTED] -M test
/dev/sd0c -d scsi -H -l error -l selftest -t -m [EMAIL PROTECTED]
/dev/sd0c -d scsi -s L/../../7/01 -m [EMAIL PROTECTED]

I can run:
smartctl -i /dev/sd0c

   Device: SEAGATE ST336607LW Version: 0007
   Serial number: 3JA6X87D7426SUX6
   Device type: disk
   Transport protocol: Parallel SCSI (SPI-4)
   Local Time is: Thu Nov 3 15:07:14 2005 CEST
   Device supports SMART and is Enabled
   Temperature Warning Enabled

smartctl -r scsiioctl /dev/sd0c

   [inquriy: 12 00 00 00 24 00 ] status=0
   Incoming data, len=36:
   00   00 00 03 12 8b 00 01 3e   53 45 41 47 41 54 45 20
   10   53 54 33 33 36 36 30 37   4c 57 20 20 20 20 20 20
   20   30 30 30 37

I can not run:
smartctl -a /dev/sd0c


smartctl -l selftest /dev/sd0c

   "Device does not support Self Test logging"
   ( and then locks up hard).

Have added entries in syslog.conf and newsyslog.conf but the logfile is 
of course empty since the (damn) tool kills the server.

Anybody with a clue (any) ?

Kernel has these "changes":
maxusers   64
(that's it)


preventing OS fingerprint

2005-11-03 Thread Gustavo Rios
Dear gentleman,

I have an obsd firewall and would like to prevent external entities
from discovering that the firewall is openbsd. Is that possible?

Thanks a lot for your time and cooperation.

Re: Problems with static vpn

2005-11-03 Thread Joachim Schipper
On Thu, Nov 03, 2005 at 10:24:15AM +0100, Andreas Krummrich wrote:
> Hello,
> my OpenBSD 3.7 box at home establishes a static pptp connection to my
> companies vpn server.
> From any client at home, I can ping any server in the company. But I
> can't ping any client at home from the company.
> I have to ping a client at work, from any client at home, in order to
> access my clients at home from the company.
> PF is not enabled on the box. It seems, that the vpn is static for
> clients from outside, my home net.

I don't know pptp at all, but from your description, it seems the office router
does not (manage to) establish a connection, it only accepts them.

Either change the configuration of said router, configure your home machine to
keep the tunnel up at all times (no clue how that would be done, or even what
piece of software you're using...), or - the simplest - just start ping before
leaving. ;-)


Re: Problems with static vpn

2005-11-03 Thread Andreas Krummrich

Quoting Joachim Schipper <[EMAIL PROTECTED]>:

> On Thu, Nov 03, 2005 at 10:24:15AM +0100, Andreas Krummrich wrote:
> > my OpenBSD 3.7 box at home establishes a static pptp connection to my
> > companies vpn server.
> > From any client at home, I can ping any server in the company. But I
> > can't ping any client at home from the company.
> > I have to ping a client at work, from any client at home, in order to
> > access my clients at home from the company.
> > PF is not enabled on the box. It seems, that the vpn is static for
> > clients from outside, my home net.
>
> I don't know pptp at all, but from your description, it seems the
> office router does not (manage to) establish a connection, it only
> accepts them.
>
> Either change the configuration of said router, configure your home
> machine to keep the tunnel up at all times (no clue how that would be
> done, or even what piece of software you're using...), or - the
> simplest - just start ping before leaving. ;-)

The office router is a Windows 2003 RAS server. Isn't there something
like a keep-alive in ppp?
Or just a cron-controlled ping to the other site?


Regards Andreas Webmail

Re: OpenBSD Metastore

2005-11-03 Thread Martin Schröder
On 2005-11-03 08:20:47 -0600, Jared Solomon wrote:
> "The AOpen MiniPC measures 6.5 x 6.5 x 2 inches, is powered by an
> Intel Pentium M or Celeron M processor"

A MacMini is cheaper and runs OBSD.


Re: preventing OS fingerprint

2005-11-03 Thread Hans van Leeuwen

Gustavo Rios wrote:

Dear gentleman,

i have an obsd firewall and would like to prevent external entities
discovering that firewall is openbsd, is that possible?

Thanks a lot for your time and cooperation.

I use the following line in pf to prevent nmap scan, including -O:

block in quick log on $inet_if from any os NMAP

But why would you want to hide the fact you run the most secure OS in 
the world?


Re: preventing OS fingerprint

2005-11-03 Thread Gustavo Rios
Right now, I am running a business. I would like my client to
focus on the solution only. I don't want to give him a chance to
compare my proposal to others.

that's why.

2005/11/3, Hans van Leeuwen <[EMAIL PROTECTED]>:
> Gustavo Rios wrote:
> >Dear gentleman,
> >
> >i have an obsd firewall and would like to prevent external entities
> >discovering that firewall is openbsd, is that possible?
> >
> >Thanks a lot for your time and cooperation.
> >
> >
> I use the following line in pf to prevent nmap scan, including -O:
> block in quick log on $inet_if from any os NMAP
> But why would you want to hide the fact you run the most secure OS in
> the world?
> Hans

Problems with HP dx5150/ATI Xpress 200 chipset

2005-11-03 Thread Jeffrey Williams
I have recently purchased a number of HP DX5150 SFF desktops with the idea of 
using them as basic infrastructure servers (e.g. DNS, DHCP, and 
firewall).  I prefer to use -stable versions of FreeBSD and OpenBSD. 
Following are the specs on the boxes:

HP dx5150
AMD Sempron 3000+
ATI Radeon Xpress 200 chipset
ATI SATA/100 hdd
ATI Integrated Graphics
Broadcom BCM5751 network
HP/ATI specific Award bios, v1.06

I have tried installs with fbsd 4.11, 5.4 and obsd 3.7 and 3.8.  I have 
done enough searching of mailing lists and google to know that this 
chipset is problematic at the moment for BSD and for that matter linux; 
however, I am hoping that someone can suggest fixes, workarounds, and 
expected upcoming releases that will allow me to run these boxes 
reliably on stable versions of fbsd and obsd.

For all the installs I made the following changes to the default BIOS 

Advanced Chipset features:
GFX Multi-Function Mode: disabled
UMA Frame Buffer Size: 16M
Video Display Devices: CRT only
Init Display First: Onboard

fbsd 4.11 was the only one I was able to get to install fully and with 
basic functionality, including network working, although I am not 
confident in its long term stability (continuous stray IRQ errors, 
incorrect drive geometry detection which is not correctable via fdisk, 
dysfunctional APM).

fbsd 5.4 boot fails unless APIC mode is completely disabled under 
Advanced BIOS Features, I tried it active with both MPS versions 1.1 and 
1.4.  It will boot fully with APIC disabled but the bge driver fails to 
initialize and drive geometry is incorrectly detected as in 4.11, and 
the install invariably fails with a panic at various point during the 
copying of files to the new volumes (possibly to bad drive geometry?). 
APM driver(s) also seem to fail initialization.

obsd 3.7 boots and installs, but unless USB Legacy support under 
Integrated Peripherals/OnChip USB Controller is disabled the PS/2 
attached keyboard ceases to function (stalling install at the 
install/upgrade/shell prompt unless using serial console).  As with 
fbsd5.4 the bge driver and apm driver(s) fail to initialize.  obsd also 
incorrectly detects drive geometry but gets closer to the actual numbers 
than fbsd; I did not try to manually correct, as I am not as 
familiar/comfortable with openbsd's disklabel. The drive did "seem" more 
stable.

obsd 3.8 boot fails completely unless USB Legacy support is disabled, 
with it disabled I was able to complete the install, however as with 3.7 
and fbsd5.4 the bge and apm drivers fail to initialize.

APIC settings did not seem to affect obsd boot or installs, also there 
are no specific BIOS settings specifically identifying the installed OS 
as PNP or not.  The PNP settings consist of "Reset Configuration Data 
[enable/disable]", "Resources Controlled By [Auto(ESCD)/Manual]" with a 
Manual sub-menu of "IRQ x [PCI/reserved]", "Assign IRQ for VGA 
[enable/disable]", and "Assign IRQ for USB [enable/disable]". 
Manipulation of these settings had no apparent effect on the obsd or 
fbsd booting.

Attached are the dmesg dumps from the various boot/install attempts; if 
you need any other info to help diagnose please let me know.  I am 
hoping someone can help me get these to work, as I am not looking 
forward to trying to return them to the vendor.

Jeffrey Williams

dmesgs for fbsd4.11, fbsd5.4-APIC1.1, fbsd5.4-APIC1.4, fbsd5.4-noAPIC, 
obsd3.7-legUSB, obsd3.7-nolegUSB, obsd3.8-legUSB, obsd3.8-nolegUSB

**  fbsd 4.11
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 4.11-RELEASE #0: Fri Jan 21 17:21:22 GMT 2005
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254"  frequency 1193182 Hz
CPU: AMD Sempron(tm) Processor 3000+ (1790.84-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0x10ff0  Stepping = 0

  AMD Features=0xc050<,AMIE,DSP,3DNow!>
real memory  = 233766912 (228288K bytes)
avail memory = 221896704 (216696K bytes)
Preloaded elf kernel "kernel" at 0xc055c000.
Pentium Pro MTRR support enabled
md0: Malloc disk
npx0:  on motherboard
npx0: INT 16 interface
pcib0:  on motherboard
pci0:  on pcib0
pcib5:  at device 1.0 on pci0
pci1:  on pcib5
pci1:  at 5.0 irq 11
pcib6:  at device 5.0 on pci0
pci2:  on pcib6
bge0:  mem 
0xfdef-0xfdef irq 11 at device 0.0 on pci2

bge0: Ethernet address: 00:13:d3:95:43:b9
miibus0:  on bge0
brgphy0:  on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 
1000baseTX-FDX, auto
atapci0:  port 
mem 0xfe02f000-0xfe02f1ff irq 5 at device 18.0 on pci0

ata2: at 0xfc00 on atapci0
ata3: at 0xf400 on atapci0
ohci0:  mem 0xfe02e000-0xfe02eff

Re: 3.8 -- svnserve on inet6 only

2005-11-03 Thread Sigfred Håversen

Dominique Jacquel wrote:


I have just installed 3.8 from the CD :-) and FTPed all packages from It all went well but I am having a strange problem with 
subversion. svnserve does not seem to bind to inet but only to inet6.

Yes, this is known. By default svnserve will only listen on IPv6 on OpenBSD.
The workaround is to supply an IPv4 address to the --listen-host option
to svnserve. To listen on all IPv4:

$ svnserve -d --listen-host -r /my/repos

I do a simple
sudo svnserve -d -r /my/repos

You don't need root privileges to run svnserve. You
may add to /etc/rc.local something like

if [ -x /usr/local/bin/svnserve ]; then
	if [ X"${svnserve_flags}" != X"NO" ]; then
		echo -n 'svnserve '; /usr/bin/sudo -u _svnserve /usr/local/bin/svnserve ${svnserve_flags}
	fi
fi

And in /etc/rc.conf.local add:

svnserve_flags="--listen-host -d -r /my/repos"

The user _svnserve you may add as follows (change as appropriate):

$ sudo useradd -u980 -g=uid -c"svnserve daemon" -d/my/repos -s/sbin/nologin 

I am running 3.7 and 3.8 inside Vmware and this problem only appears in 
3.8. Under 3.7, svnserve is quite happy to respond through IPv4. Have I 
missed something here? How do I force svnserve to use IPv4 as well 
as/instead of IPv6?

The Subversion team added IPv6 support

You may run both IPv6 and IPv4 svnserve at the same time. Just give
an IPv6 address to --listen-host for one svnserve process, and an IPv4 address to
the other svnserve process.
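The behaviour Sigfred describes (one svnserve per address family) follows from how OpenBSD treats AF_INET6 sockets: a wildcard IPv6 listener does not accept IPv4 connections there, so a daemon that binds only "::" is reachable over IPv6 alone. The following Python script is an added example, not code from the thread or from Subversion; it binds one loopback listener per family on the same port, probes each, and reproduces the symptom with an IPv6-only wildcard socket. Loopback addresses and port 0 are chosen so it runs without touching a real interface; a real daemon would bind 0.0.0.0 and :: instead.

```python
import socket


def make_listeners(port=0, v4_host="127.0.0.1", v6_host="::1", backlog=5):
    """Bind one listening socket per address family on the same port.

    Returns (port, {family_name: socket}).  A real daemon would pass
    v4_host="0.0.0.0" and v6_host="::"; loopback is used here so the
    example runs without touching a real interface (assumption for the demo).
    """
    listeners = {}

    s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s4.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s4.bind((v4_host, port))
    s4.listen(backlog)
    port = s4.getsockname()[1]          # port 0 -> kernel-chosen port
    listeners["AF_INET"] = s4

    if socket.has_ipv6:
        try:
            s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        except OSError:
            s6 = None                     # IPv6 not available on this host
        if s6 is not None:
            try:
                s6.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                # OpenBSD enforces this unconditionally; Linux defaults to a
                # dual-stack socket.  Setting it makes the behaviour the same
                # everywhere: an AF_INET6 socket answers IPv6 only.
                s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
                s6.bind((v6_host, port))
                s6.listen(backlog)
                listeners["AF_INET6"] = s6
            except OSError:
                s6.close()                # e.g. ::1 not configured
    return port, listeners


def can_connect(family, host, port, timeout=1.0):
    """True if a TCP connect to (host, port) over `family` succeeds."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.settimeout(timeout)
            c.connect((host, port))
            return True
    except OSError:
        return False


def ipv6_only_wildcard_reaches_ipv4():
    """Reproduce the thread's symptom: listen only on "::" as an IPv6-only
    socket and try to reach it over IPv4.  Returns False when the IPv4
    connection is refused, None if this host cannot bind IPv6 at all."""
    if not socket.has_ipv6:
        return None
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with s6:
        try:
            s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            s6.bind(("::", 0))
            s6.listen(1)
        except OSError:
            return None
        return can_connect(socket.AF_INET, "127.0.0.1", s6.getsockname()[1])


def demo():
    """Bind both families, probe each over loopback, then clean up."""
    port, listeners = make_listeners()
    try:
        return {
            "port": port,
            "families": sorted(listeners),
            "ipv4_reachable": can_connect(socket.AF_INET, "127.0.0.1", port),
            "ipv6_reachable": ("AF_INET6" in listeners
                               and can_connect(socket.AF_INET6, "::1", port)),
        }
    finally:
        for s in listeners.values():
            s.close()


if __name__ == "__main__":
    print(demo())
    print("IPv6-only wildcard socket reachable over IPv4:",
          ipv6_only_wildcard_reaches_ipv4())
```

The same two-socket pattern is what two svnserve processes give you; the V6ONLY line is the part worth copying into any daemon you write yourself, because relying on a platform's dual-stack default silently changes which addresses you are exposed on.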


Commell Systems: EMB-564 Series, distributor in Europe?

2005-11-03 Thread Didier Wiroth

Does someone know if this product can be purchased in europe:

I recently saw this boxes in a presentation available on

Thanks for replying

smartmontools (smartd) kills system [trace/gdb]

2005-11-03 Thread per engelbrecht

Hi again

Followup on first mail with only trace/gdb info:

GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd3.8".
Core was generated by `smartctl'.
Program terminated with signal 11, Segmentation fault.
#0  0x06485b22 in ?? ()
(gdb) quit

Running 'smartctl -t long /dev/sd0c | tee test.txt' gives:
smartctl version 5.33 [i386-unknown-openbsd3.8] Copyright (C) 2002-4 
Bruce Allen

Home page is

sd0(ahd1:0:0): host adapter code inconsistency

Extended Background Self Test has begun
Please wait 12 minutes for test to complete.
Estimated completion time: Thu Nov  3 17:54:14 2005

Use smartctl -X to abort test

NB the 'sd0(ahd1...' line only appears on stdout, not in the test.txt file, 
and the test is not executed (seems obvious from the line).

I have a ktrace file that's quite long (844 lines) but I think it's too 
long for a list mail. If anybody is interested I'll be happy to mail it.

So far smartd will not be running on this box. I'm a little concerned 
about the 'adapter code inconsistency' part though.


Re: PPTP in 3.7

2005-11-03 Thread James Mackinnon
Here is my working info on 3.7.
I am running Openbsd 3.7 stable with Generic kern.
I am running latest stable version of poptop
I run pf on this system

My clients are windows 2000+ but this would work with windows 98 but We
do not desire 9x junk...

We are running a custom client that we built because we have 36 locations
and we want to route pptp connections via 1 server but do not want the
clients to be using the default route as we don't want them sitting at
home checking out their junk online and having that go via our PPTP
server, thus eating up our bandwidth and slowing them up. it also allows
no setup for the client side as we got creative and built it to use scp,
ssh and such to create authpf connections without the user having to do

Anyhow, try this out, it worked for me well. Now, I haven't tried this on
anything other than windows, so I can't say how it would work.

If you search the list, I have posted the details on how to get poptop to
work on OpenBSD 3.5 in the past as when I first did this, I found the
details where all over the place and everyone did it differently so I
wanted to put together the full details on how I got it working.. in
3.5, you had to do a custom kern removing GRE, in 3.7 do not do this for
poptop, it works now without a custom Kern.

Here are my details of everything

PF rules for PPTP access
# Setup PPTP Ability from clients
pass in quick log on $ext inet proto gre from any to $extip keep state
pass in quick log on $ext inet proto tcp from any to $extip port = 1723
keep state
pass out quick log on $ext inet proto gre from $extip to any keep state
pass out quick log on $ext inet proto tcp from $extip to any port = 1723
keep state

$ext is my external interface
$extip is the IP I am listening on because this system is also doing nat,
natp and redirect and this allows me to control the connection as to not
mess up anything.

rights are 644
owned by root
group is wheel

#  Remote Net Access #
#  By: James Mackinnon   #
#  On: June 29th 2005#

speed 11500
option /etc/ppp/options.pptpd

rights are 640
owned by root
group is wheel

rights are 664
owned by root
group is wheel

name pptpconnect
mtu 1450
mru 1450
lcp-echo-failure 3
lcp-echo-interval 5
deflate 0

rights are 664
owned by root
group is wheel

 set dial
 set login
 set ifaddr
 set log phase lcp ipcp command
 set timeout 1800
# enable chap
# enable pap
# enable mschap
 enable mschapv2
 enable proxy
# enable mssfixup
 accept dns
 set dns
 set nbns

rights are 660
owned by root
group is wheel

joeuser joepass
janeuser janepass

rights are 660
owned by root
group is wheel

exec /usr/sbin/ppp -direct loop-in

On 11/3/2005, "Logical One" <[EMAIL PROTECTED]> wrote:

>Thanks all for the help, but I am still getting stuck at the error:
>PPP: tun0: Warning: chat script failed
>PPTP: log[decaps_hdlc:pptp_gre.c:129]: short read (0): invalid argument
>I am using the stock ppp.conf sample file with the below text appended and
>values changed to match my environment, but upon running the 'ppp
>-background pptpclient' command, I get the above errors.  I'm using the pptp
>version from the packages and have also tried compiling my own from source
>(1.7.0) with no success.  Although this may be documented well, there
>doesn't seem to be a clear concise howto or mini-howto for setting it up
>with all the software together.
>Thanks again,
>-Original Message-
>From: Mark Rolen [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, November 02, 2005 9:38 PM
>To: Logical One
>Subject: Re: PPTP in 3.7
>I'm writing this assuming you're connecting to a MS VPN server on the other
>end?  The default on OpenBSD seems to be to use pppd, instead of ppp, and
>the later is the one that supports a MS VPN connection. First, install the
>pptp package for OpenBSD. Then, in /etc/ppp/ppp.conf, put:
>set device "!/usr/local/sbin/pptp 
>set authname 
>set authkey 
>set mtu max 1490
>set mru max 1490
>set mppe 40 stateless
>set timeout 60
>disable pap
>disable chap
>accept chap81
>disable ipv6cp
>disable deflate pred1
>deny deflate pred1
>set login
>set ifaddr
>For the "authname" parameter, if you need to include a domain, ala

Re: 3.8 -- svnserve on inet6 only

2005-11-03 Thread Brent Graveland
Dominique Jacquel <[EMAIL PROTECTED]> writes:
> Hi,
> I have just installed 3.8 from the CD :-) and FTPed all packages from
> It all went well but I am having a strange problem with
> subversion. svnserve does not seem to bind to inet but only to inet6.

This is a known issue with svnserve, the svn mailing lists are/were
talking about it.

Until they fix it, supposedly adding --listen-host  should
fix it. If you want to listen on both v4, and v6, you probably need to
run two instances of svnserve.

Brent Graveland

Re: perl interface to pf?

2005-11-03 Thread jorgen . boberg
-Original Message-
Markus Wernig
Sent: den 3 november 2005 14:17
To: Jesper Louis Andersen
Cc: John N. Brahy;
Subject: Re: perl interface to pf?


Jesper Louis Andersen wrote:
> John N. Brahy wrote:
>> Is there a perl interface to pf?

> No, and it would be totally insane to build one.

Well, the only use that came to my mind was a perl daemon running on the
FW that accepts rule updates from a remote client. While that can be done
with other means (ssh, sh scripts), i can imagine that a perl class for
manipulating pf rules would come in handy for that.

I am working on a program similar to that but written in c++ and
php. However slightly different functionality: uses token based OTP
authentication via SMS, and a PHP interface to create the new
rules. However the reason I am doing this is not because there is a
need but more to learn c++ and encryption. There are much simpler
and safer ways to achieve this with pre-existing tools, but sure
it's possible although maybe not wise. One problem is parsing and
syntax checking of pf rules so that garbage isn't fed to for
example pfctl if that is the method one chooses. One problem of
many. Like a previous poster said, it's a lot of work for very
little gain, but if like me you have the extra time and have
something else to gain from the exercise then it could be

// jpb

** Jorgen Boberg  **
** Managing Director & Senior Consultant  **
** Intellibit Consulting SIA  **
** Krisjana Barona Iela 37/30 **
** LV-1011, Riga  **
** Latvia **

** Tel: +371 83 80 803**
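Jorgen's concern above, that garbage must not be fed to pfctl, is the crux of any remote rule-update daemon. One way to avoid parsing pf syntax at all is to keep a fixed ruleset that references a table and let the daemon only ever run pfctl's table commands against a strictly validated address. The Python below is an added example, not code from the thread or from anyone's project; the table name remote_block, the two-word request grammar and the /sbin/pfctl path are assumptions, and the pf.conf lines it presumes are `table <remote_block> persist` and `block in quick log from <remote_block> to any`.

```python
import ipaddress
import re
import subprocess

PFCTL = "/sbin/pfctl"          # OpenBSD path (assumed for this example)
TABLE = "remote_block"         # assumed table name, declared in pf.conf

_REQUEST_RE = re.compile(r"^(add|delete)\s+(\S+)$")


class BadRequest(ValueError):
    """Raised for any client line that does not match the tiny grammar."""


def parse_request(line):
    """Validate one client line, e.g. 'add 192.0.2.1' or
    'delete 198.51.100.0/24', returning (action, ip_network).

    The grammar is exact: one of two verbs, one address or prefix, nothing
    else.  Shell metacharacters, pf keywords, extra arguments and anything
    ipaddress cannot parse are rejected before pfctl is ever involved."""
    m = _REQUEST_RE.match(line.strip())
    if not m:
        raise BadRequest("malformed request: %r" % line)
    action, target = m.groups()
    try:
        net = ipaddress.ip_network(target, strict=True)
    except ValueError as e:
        raise BadRequest("bad address %r: %s" % (target, e))
    # Policy: never let a remote client block loopback, link-local,
    # multicast or the whole Internet, which would lock the operator out.
    if net.is_loopback or net.is_link_local or net.is_multicast:
        raise BadRequest("refusing special-purpose address %s" % net)
    if net.prefixlen < (8 if net.version == 4 else 32):
        raise BadRequest("prefix too broad: %s" % net)
    return action, net


def build_pfctl_argv(action, net, table=TABLE):
    """Argument vector for pfctl's table interface.  Passing a list to
    subprocess (no shell) means nothing here is ever shell-parsed, and the
    address is re-serialised from the ipaddress object, so it is canonical."""
    return [PFCTL, "-t", table, "-T", action, net.with_prefixlen]


def unsafe_shell_command(line):
    """The anti-pattern: string-building a shell command from raw input.
    Returned (never executed) only to show what an attacker-controlled
    line would turn into if handed to a shell."""
    return "pfctl -t %s -T add %s" % (TABLE, line)


def apply_request(line, run=None):
    """Parse one request and hand the resulting argv to `run`
    (subprocess.run by default; pass a recorder for dry runs)."""
    action, net = parse_request(line)
    argv = build_pfctl_argv(action, net)
    if run is None:
        run = lambda a: subprocess.run(a, check=True, capture_output=True, text=True)
    run(argv)
    return argv


if __name__ == "__main__":
    print("shell anti-pattern would run:", unsafe_shell_command("192.0.2.1; rm -rf /"))
    for req in ("add 192.0.2.1", "delete 198.51.100.0/24", "add 192.0.2.1; rm -rf /"):
        try:
            apply_request(req, run=lambda a: print("would run:", a))
        except BadRequest as e:
            print("rejected:", e)
```

The daemon that accepts these lines should itself run as an unprivileged user with a sudoers or doas rule permitting exactly `pfctl -t remote_block -T add` and `-T delete`, so that even a bug in the validator cannot reach the rest of pfctl.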

Re: perl interface to pf?

2005-11-03 Thread Dylan Smith
On Thursday 03 November 2005 13:49, you wrote:
> I'd rather
> rely on ssh, keys, sudo, and scripts to do it.

Erm, perl scripts ARE scripts!

Re: Problems with HP dx5150/ATI Xpress 200 chipset

2005-11-03 Thread Stuart Henderson

--On 02 November 2005 15:19 -0800, Jeffrey Williams wrote:

I have recently purchased a number HP DX5150 SFF desktops with idea
of using them as basic infrastructure servers (e.g. DNS, DHCP, and
firewall).  I prefer to use -stable versions of FreeBSD and OpenBSD.

A few general thoughts (no knowledge of the hardware, but worth a go):

- for OpenBSD, try -current snapshots (may fix bge). Ok it's not named 
"stable" but if it works and -stable doesn't, there's no loss...

- for FreeBSD, try 6.0RC1. ditto.
- if these options fail, is using a PCI nic an option? cards supported 
by sk(4) can be found reasonably cheaply and work well. From what I 
read, vge(4) aren't bad either.

- does the machine have apm anyway?

also incorrectly detects drive geometry but gets closer to the actual
numbers fbsd, I did not try to manually correct, I am not as
familiar/comfortable with openbsd's disklabel, the drive did "seem"
more stable.

$ sudo disklabel -E sd0
# Inside MBR partition 3: type A6 start 63 size 1562353317

Treating sectors 63-1562353380 as the OpenBSD portion of the disk.
You can use the 'b' command to change this.

Initial label editor (enter '?' for help at any prompt)


Available commands:
   g [b|d|u] - use [b]ios, [d]isk or [u]ser geometry.

APIC settings did not seem to affect obsd boot or installs

$ grep apic /usr/src/sys/arch/i386/conf/GENERIC*
/usr/src/sys/arch/i386/conf/GENERIC.MP:ioapic*  at mainbus?

i.e. it's only used on the MP kernel.

Re: preventing OS fingerprint

2005-11-03 Thread Joachim Schipper
On Thu, Nov 03, 2005 at 01:48:56PM -0200, Gustavo Rios wrote:
> Right now, i am running into bussiness. I would like my client to get
> focused into the solution only. I don't want to give him a chance to
> compare my proposal to other.
> that's why.

Now *there*'s a noble goal...

Anyway, you do know that there are plenty of other ways to discover
this? You should at least mess with the setting until p0f doesn't
identify it either.

(For one, I seem to recall OpenBSD and some Cisco stuff (IOS?) being the
only two more-or-less common operating systems, if you can call IOS
that, to use TTL 64 - and since it's obviously not Cisco, that would
nail it down quickly. I might be wrong, though - I was never much
interested in preventing fingerprinting.  Removing some banners is fine,
but that'll be all.)

But that's the technical point. I wouldn't be very likely to trust
someone who has apparently gone to the crutch of blocking nmap. (After
all, if the system was secure, such crutches wouldn't be necessary would


Re: quad ethernet on netra x1 (SOLVED)

2005-11-03 Thread Miguel

Miguel wrote:

Miguel wrote:

Hi, I have some problems with my quad ethernet in a netra x1 
firewall, this is not the first time I face this, some months ago I 
had the very same problem, I was able to fix it following these 
excellent instructions:

However, after the upgrade from 3.5 to 3.7 (a full new install, 
format disks, etc), the problem is there again, this is the dmesg log:

hme0 at pci3 dev 0 function 1 "Sun HME" rev 0x01: address 

ukphy2 at hme0 phy 1: Generic IEEE 802.3u media interface
ukphy2: OUI 0x00601d, model 0x000c, rev. 1
hme0: using ivec 3005 for interrupt
"Sun PCIO Ebus2" rev 0x01 at pci3 dev 1 function 0 not configured
hme1 at pci3 dev 1 function 1 "Sun HME" rev 0x01: address 

ukphy3 at hme1 phy 1: Generic IEEE 802.3u media interface
ukphy3: OUI 0x00601d, model 0x000c, rev. 1
hme1: using ivec 3004 for interrupt
"Sun PCIO Ebus2" rev 0x01 at pci3 dev 2 function 0 not configured
hme2 at pci3 dev 2 function 1 "Sun HME" rev 0x01: address 

ukphy4 at hme2 phy 1: Generic IEEE 802.3u media interface
ukphy4: OUI 0x00601d, model 0x000c, rev. 1
hme2: using ivec 3005 for interrupt
"Sun PCIO Ebus2" rev 0x01 at pci3 dev 3 function 0 not configured
hme3 at pci3 dev 3 function 1 "Sun HME" rev 0x01: address 

ukphy5 at hme3 phy 1: Generic IEEE 802.3u media interface
ukphy5: OUI 0x00601d, model 0x000c, rev. 1
hme3: using ivec 3004 for interrupt
pcons at mainbus0 not configured

hme0 is using 3005 for interrupt, the same that hme2, hme1 is using 
3004 for interrupt, the same that hme3, etc
I havent changed anything, i only booted from the 3.7 cd and started 
from scratch.

what can i do?

Hi, the problem has gone away after installing the latest release 
(3.8), without the nvramrc workaround, so I configured:

setenv use-nvramrc? false on the ok prompt.


ppb2 at pci2 dev 5 function 0 "Intel S21154AE/BE PCI-PCI" rev 0x00
pci3 at ppb2 bus 3
"Sun PCIO Ebus2" rev 0x01 at pci3 dev 0 function 0 not configured
hme0 at pci3 dev 0 function 1 "Sun HME" rev 0x01: address 00:03:ba:39:bf:9a
luphy0 at hme0 phy 1: LU6612 10/100 PHY, rev. 1
hme0: using ivec 3005 for interrupt
"Sun PCIO Ebus2" rev 0x01 at pci3 dev 1 function 0 not configured
hme1 at pci3 dev 1 function 1 "Sun HME" rev 0x01: address 00:03:ba:39:bf:9b
luphy1 at hme1 phy 1: LU6612 10/100 PHY, rev. 1
hme1: using ivec 3014 for interrupt
"Sun PCIO Ebus2" rev 0x01 at pci3 dev 2 function 0 not configured
hme2 at pci3 dev 2 function 1 "Sun HME" rev 0x01: address 00:03:ba:39:bf:9c
luphy2 at hme2 phy 1: LU6612 10/100 PHY, rev. 1
hme2: using ivec 3004 for interrupt
"Sun PCIO Ebus2" rev 0x01 at pci3 dev 3 function 0 not configured
hme3 at pci3 dev 3 function 1 "Sun HME" rev 0x01: address 00:03:ba:39:bf:9d
luphy3 at hme3 phy 1: LU6612 10/100 PHY, rev. 1
hme3: using ivec 3015 for interrupt
pcons at mainbus0 not configured

thanks, great work,

After installing scsi card, cdrecord stops working.

2005-11-03 Thread Marc L'Heureux
I have been running 3.6 for about a year on my server.  I have a backup 
solution that writes to an ide-cdrw 4 times a day.  A month ago I 
installed a scsi card to hook up a newly acquired tape drive.  My cdrw 
backups have been failing since.

I did not change any kernel settings (that I recall), I'm still using 
Generic, and I didn't have to change any sysctl settings.

I've done some tests against the tape drive and it all works ok.

$ sudo mt rewind
$ echo $?
0
When I try to -scanbus I get the following.

$ sudo cdrecord -scanbus
Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg Schilling
cdrecord: No such file or directory. Cannot open SCSI driver.
cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.
cdrecord: For possible transport specifiers try 'cdrecord dev=help'.

I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg I thought I 
might have to change it to dev=/dev/cd0c:0,1,1.  Providing different 
options to cdrecord does not help, it still bails

$ sudo cdrecord dev=/dev/cd0c:0,1,1 speed=4 blank=fast
Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg Schilling
scsidev: '/dev/cd0c:0,1,1'
devname: '/dev/cd0c'
scsibus: 0 target: 1 lun: 1
cdrecord: No such file or directory. Cannot open SCSI driver.
cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.
cdrecord: For possible transport specifiers try 'cdrecord dev=help'.

I can mount and read the last good backup of my cd, it happened 17 Oct 05 
at 18:00.

$ sudo mount /dev/cd0c /mnt
$ ls -l /mnt
total 447724
-rw-r--r--  1 marc  users475 Jul  7 22:11 backups.rc
-rwxr-xr-x  1 marc  users963 Jul  7 22:11 burnbackups.ksh
-rwxr-xr-x  1 marc  users936 May  7 09:15 homes.ksh
-rw-r--r--  1 root  users  198488314 Oct 17 18:01 homes.tgz
-rw-r--r--  1 root  wheel106 Oct 17 18:02 index.txt
-rw-r--r--  1 root  users   30739621 Oct 17 18:00 

-rwxr-xr-x  1 marc  users   1138 May  5 18:50 mailserver.ksh
-rw-r--r--  1 marc  users   1966 Jan 19  2005 osbkup.log
-rw-r--r--  1 marc  users   1274 Jan 19  2005 osbkup.rc
-rwxr-xr-x  1 marc  users   2584 Jan 19  2005
$ sudo umount /mnt
$ ls -l /mnt

I've tried searching google and archives, but I find it difficult to make 
a search query that doesn't just tell me that I need to find the right 
dev= using -scanbus.

Finally, here's my dmesg.  TIA.
I'd provide my dmesg from before the scsi card install, but I don't have 
it around.  I did send it to [EMAIL PROTECTED] though, so it might be 
there if it can be found.

$ dmesg
OpenBSD 3.6 (GENERIC) #59: Fri Sep 17 12:32:57 MDT 2004
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Sempron(tm) 2200+ ("AuthenticAMD" 686-class) 1.50 GHz

real mem  = 527867904 (515496K)
avail mem = 474603520 (463480K)
using 4278 buffers containing 26497024 bytes (25876K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 08/06/04, BIOS32 rev. 0 @ 

apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf41b0/208 (11 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x10de product 0x0060
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xdc00 0xce000/0x1000 0xcf000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Nvidia nForce2 PCI" rev 0xa2
"Nvidia nForce2" rev 0xa2 at pci0 dev 0 function 1 not configured
"Nvidia nForce2" rev 0xa2 at pci0 dev 0 function 2 not configured
"Nvidia nForce2" rev 0xa2 at pci0 dev 0 function 3 not configured
"Nvidia nForce2" rev 0xa2 at pci0 dev 0 function 4 not configured
"Nvidia nForce2" rev 0xa2 at pci0 dev 0 function 5 not configured
pcib0 at pci0 dev 1 function 0 "Nvidia nForce2 ISA" rev 0xa4
"Nvidia nForce2 SMBus" rev 0xa2 at pci0 dev 1 function 1 not configured
ohci0 at pci0 dev 2 function 0 "Nvidia nForce2 USB" rev 0xa4: irq 11, 
version 1.0, legacy support

usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Nvidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci0 dev 2 function 1 "Nvidia nForce2 USB" rev 0xa4: irq 7, 
version 1.0, legacy support

usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: Nvidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
ehci0 at pci0 dev 2 function 2 "Nvidia nForce2 USB2" rev 0xa4: irq 5
ehci0: EHCI version 1.0
ehci0: companion controllers, 4 ports each: ohci0 ohci1
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Nvidia EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub2: 6 ports with 6 removable, self powered
auich0 at pci0 dev 6 func

Re: preventing OS fingerprint

2005-11-03 Thread ober

Gustavo Rios wrote:

Dear gentleman,

i have an obsd firewall and would like to prevent external entities
discovering that firewall is openbsd, is that possible?

Thanks a lot for your time and cooperation.

Or you can take the complicated approach and use the Wafter.
A kernel module to do what pf does.
Albeit with more knobs.

Re: Commell Systems: EMB-564 Series, distributor in Europe?

2005-11-03 Thread Stuart Henderson

--On 03 November 2005 18:12 +0100, Didier Wiroth wrote:

Does someone know if this product can be purchased in europe:

I recently saw this boxes in a presentation available on

 is probably a good 
starting point, I noticed one of these in the photos on as 
well, so Wim probably has better clues.

[Straying OT] Re: preventing OS fingerprint

2005-11-03 Thread Nico Meijer
Hi Gustavo,

> Right now, i am running into bussiness. I would like my client to get
> focused into the solution only. I don't want to give him a chance to
> compare my proposal to other.

In the years I have been in business myself, I have noticed that unless
you are as open as you can be about what you do and with what you do it,
you will not get the respect from your clients (and sometimes peers) you
would otherwise. Respect means business.

Most of my clients know the tools are there and that they could do it
themselves. Some even know how. Yet, they don't. They trust me and my
Open tools to get the job done.

Hiding information from your client (out of fear of competition) will
not enable them to make a valid judgement and eventually you will lose
that client. This is not a moral statement, just one of life's lessons
I've had to learn.

Be proud of your proposal and be proud of the fact you're using
OpenBSD to handle the job.

Do as you see fit, of course... Nico :-)

P.S. Try and sell your client the two OpenBSD cd's a year. Works

Re: After installing scsi card, cdrecord stops working.

2005-11-03 Thread Roy Morris
> I have been running 3.6 for about a year on my server.  I 
> have a backup 
> solution that writes to an ide-cdrw 4 times a day.  A month ago I 
> installed a scsi card to hook up a newly acquired tape drive. 
>  My cdrw 
> backups have been failing since.
> I did not change any kernel settings (that I recall), I'm still using 
> Generic, and I didn't have to change any sysctl settings.
> I've done some tests against the tape drive and it all works ok.
> $ sudo mt rewind
> $ echo $?
> 0
> When I try to -scanbus I get the following.
> $ sudo cdrecord -scanbus
> Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg 
> Schilling
> cdrecord: No such file or directory. Cannot open SCSI driver.
> cdrecord: For possible targets try 'cdrecord -scanbus'. Make 
> sure you are 
> root.
> cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
> I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg I 
> thought I 
> might have to change it to dev=/dev/cd0c:0,1,1.  Providing different 
> options to cdrecord does not help, it still bails

I know this may sound too crazy, but have you tried
dev=/dev/cd0c (without the rest)? I have never had
to use the additional items for mine.

Re: After installing scsi card, cdrecord stops working.

2005-11-03 Thread Otto Moerbeek
On Thu, 3 Nov 2005, Marc L'Heureux wrote:

> I have been running 3.6 for about a year on my server.  I have a backup
> solution that writes to an ide-cdrw 4 times a day.  A month ago I installed a
> scsi card to hook up a newly acquired tape drive.  My cdrw backups have been
> failing since.
> I did not change any kernel settings (that I recall), I'm still using Generic,
> and I didn't have to change any sysctl settings.
> I've done some tests against the tape drive and it all works ok.
> $ sudo mt rewind
> $ echo $?
> 0
> When I try to -scanbus I get the following.
> $ sudo cdrecord -scanbus
> Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg
> Schilling
> cdrecord: No such file or directory. Cannot open SCSI driver.
> cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are
> root.
> cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
> I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg I thought I might
> have to change it to dev=/dev/cd0c:0,1,1.  Providing different options to
> cdrecord does not help, it still bails

It should be dev=/dev/rcd0c:$BUS,0,0 -

where $BUS is the scsi bus number, 1 in your case.


Re: After installing scsi card, cdrecord stops working

2005-11-03 Thread Andreas Bihlmaier
> > I have been running 3.6 for about a year on my server.  I 
> > have a backup 
> > solution that writes to an ide-cdrw 4 times a day.  A month ago I 
> > installed a scsi card to hook up a newly acquired tape drive. 
> >  My cdrw 
> > backups have been failing since.
> > 
> > I did not change any kernel settings (that I recall), I'm still using 
> > Generic, and I didn't have to change any sysctl settings.
> > 
> > I've done some tests against the tape drive and it all works ok.
> > 
> > $ sudo mt rewind
> > $ echo $?
> > 0
> > 
> > When I try to -scanbus I get the following.
> > 
> > $ sudo cdrecord -scanbus
> > Cdrecord 2.00.3 (i386-unknown-openbsd3.6) Copyright (C) 1995-2002 Jörg 
> > Schilling
> > cdrecord: No such file or directory. Cannot open SCSI driver.
> > cdrecord: For possible targets try 'cdrecord -scanbus'. Make 
> > sure you are 
> > root.
> > cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
> > 
> > I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg I 
> > thought I 
> > might have to change it to dev=/dev/cd0c:0,1,1.  Providing different 
> > options to cdrecord does not help, it still bails
> I know this may sound too crazy, but have you tried
> dev=/dev/cd0c (without the rest)? I have never had
> to use the additional items for mine.

This is a good point ^, I don't have any problems burning CD with or without a
SCSI Adapter.

An even better point is to RTFM!


Re: After installing scsi card, cdrecord stops working.

2005-11-03 Thread Marc L'Heureux

I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg I thought I might
have to change it to dev=/dev/cd0c:0,1,1.  Providing different options to
cdrecord does not help, it still bails

It should be dev=/dev/rcd0c:$BUS,0,0 -

where $BUS is the scsi bus number, 1 in your case.


Ok, so this works, thanks.  I thought it was 0,1,1 because of the 
following dmesg line, but I see my error with the scsibus1 id.

cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2

Anyways, now that my problem is fixed, I'd like some help understanding 
why '# cdrecord -scanbus' doesn't work?  Any thoughts?

Re: After installing scsi card, cdrecord stops working.

2005-11-03 Thread Spruell, Darren-Perot
From: Marc L'Heureux [mailto:[EMAIL PROTECTED]
> >> I used to have dev=/dev/cd0c:0,0,0 but looking at my dmesg 
> I thought I might
> >> have to change it to dev=/dev/cd0c:0,1,1.  Providing 
> different options to
> >> cdrecord does not help, it still bails
> >
> > It should be dev=/dev/rcd0c:$BUS,0,0 -
> >
> > where $BUS is the scsi bus number, 1 in your case.
> >
> > -Otto
> >
> Ok, so this works, thanks.  I thought it was 0,1,1 because of the 
> following dmesg line, but I see my error with the scsibus1 id.
> cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
> Anyways, now that my problem is fixed, I'd like some help 
> understanding 
> why '# cdrecord -scanbus' doesn't work?  Any thoughts?

Should be clear from the FAQ entry.


Re: preventing OS fingerprint

2005-11-03 Thread Jasper Lievisse Adriaanse
On Thu, 03 Nov 2005 16:32:13 +0100
Hans van Leeuwen <[EMAIL PROTECTED]> wrote:

> Gustavo Rios wrote:
> >Dear gentleman,
> >
> >i have an obsd firewall and would like to prevent external entities
> >discovering that firewall is openbsd, is that possible?
> >
> >Thanks a lot for your time and cooperation.
> >  
> >
> I use the following line in pf to prevent nmap scan, including -O:
> block in quick log on $inet_if from any os NMAP
> But why would you want to hide the fact you run the most secure OS in 
> the world?
> Hans
Haha, I sort of want to reveal that fact, but Netcraft keeps thinking I'm
running FreeBSD or Linux :'(


"Security is decided by quality" -- Theo de Raadt

Re: IBM xSeries 336 - atapiscsi/pciide bug

2005-11-03 Thread Nick Nauwelaerts
On Thu, 03 Nov 2005 16:22:53 +1300
Stephen Nelson <[EMAIL PROTECTED]> wrote:

> Thanks for your prompt reply. I misunderstood you last time, I thought
> you were suggesting that one of the drives was defective.
> I tried swapping the CDROM, but the x336 are 1U rackmounted servers,
> and they use custom IDE cables. As I don't have access to any other
> IBM rackmounted servers, I don't have any other devices to swap in. I
> could order another drive from IBM, but as I know this problem exists
> for others I think it's unlikely that this is the source and I don't
> think that it's worth the cost.

It's been a while since I last opened up one of our x336's (don't like
them, x335s are much more stable in my experience), I thought they had a
standard IDE port somewhere on the motherboard next to the PSU. Perhaps
you can give that one a shot.

// nick

Can't make 3.7-stable release

2005-11-03 Thread [EMAIL PROTECTED]

   ...Same problem, again (it was already covered some time ago).
When I run the last step in building a release
(see , i.e.

  # make release

I get a message informing me that /dev/svnd0a is full. This occurs
while make is working with ramdiskC (exactly as the messages posted
last July).

Tried also on different hardware, same result. I've been struggling
with this for a couple of weeks now.

Three quick questions:

A) Solution is the same as previously suggested (removing a non
critical driver, such as axe, from ramdiskC) or has anything
changed?

B) After commenting out the axe driver, you have to start over
and rebuild the kernel, right? Userland as well? (I'm asking 
since I'm working on a not-so-fast machine, the whole process 
takes quite some time...)

C) Please don't flame--I'm just curious: In the mailing list
archives, I noticed this sort of problem has been around since
March (messages dated March 30). Why hasn't it yet been fixed? 

Thanks in advance for any suggestions.


Re: ibook+openbsd3.8

2005-11-03 Thread Bill
On Thu, 3 Nov 2005 08:24:25 +0100
Han Boetes <[EMAIL PROTECTED]> spake:

> Otto Moerbeek wrote:
> > On Thu, 3 Nov 2005, Eder M. G. A. wrote:
> > > I have installed OpenBSD 3.8 on my ibook G4, all fine, but i
> > > can't switch to another console, just can use ttyC0, i tried
> > > different methods but without results.
> >
> > macppc uses vgafb(4) and does not support multiple consoles.
> Therefore most people use screen in the console.
> Sample screen-session for beginners:
> $ screen
> c-a c  (that's control-a and then press c)
> $ echo hello world
> c-a c-a
> $ echo first window
> c-a c-a
> c-d
> c-d
> # Han

Screen is wonderful, even if you don't use it for this...  

Here are two resources I found helpful in learning it...


Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT

p: 860.621.8693

FYI: new mailing list anti-spam measures

2005-11-03 Thread Todd C. Miller
The mailing list server is now using several blacklists from the
SORBS project ( to prevent spam.  So far it
is using the SORBS zombie, spam, web form and dialup blacklists.

This does mean that people sending mail from a dynamic IP address
(cable modem, dynamic DSL or dialup) will need to relay messages
through their ISP's mail server.  This will probably have the biggest
impact on cable modem users running their own SMTP servers.

 - todd

Re: ibook+openbsd3.8

2005-11-03 Thread Eder M. G. A.
Thanks for everything guys :)

Best regards



Re: preventing OS fingerprint

2005-11-03 Thread Damien Miller

On Thu, 3 Nov 2005, Gustavo Rios wrote:

Dear gentleman,

i have an obsd firewall and would like to prevent external entities
discovering that firewall is openbsd, is that possible?

why care? fingerprinting is such a non-issue, and spending effort to avoid 
it is just security through obscurity.

Re: Can't make 3.7-stable release

2005-11-03 Thread Ted Unangst
>  # make release
> I get a message informing me that /dev/svnd0a is full. This occurs
> while make is working with ramdiskC (exactly as the messages posted
> last July).
> A) Solution is the same as previously suggested (removing a non
> critical driver, such as axe, from ramdiskC) or has anything
> changed?

that'll work.

> B) After commenting out the axe driver, you have to start over
> and rebuild the kernel, right? Userland as well? (I'm asking
> since I'm working on a not-so-fast machine, the whole process
> takes quite some time...)

no, just typing make release again should work.

> C) Please don't flame--I'm just curious: In the mailing list
> archives, I noticed this sort of problem has been around since
> March (messages dated March 30). Why hasn't it yet been fixed?

i don't think it's a critical problem.

PERC4/DC Error

2005-11-03 Thread Tom Geman
I have a backup server (Dell PowerEdge 1850) attached to the Dell PowerVault 
220S.  The only function this server does is backing up remote servers 
throughout the day via rsync.

The 1850 uses RAID 1 via the embedded RAID controller (PERC 4e/Si, ami0).  
On this RAID 1 is a generic install of OpenBSD plus the rsync package.  The 
storage is connected via the expansion RAID controller (PERC 4/DC, ami1), 
and utilizes RAID 5 across 4 SCSI disks.

Unfortunately I am having a reoccurring problem: the connection with the Dual 
Channel RAID controller hangs, and I am unable to access the disks.  There 
is no kernel panic, I am able to log in and do anything, except access ami1.

I have tried 4 different snapshots from October, and an install from the 3.8 
CD, all ending with the same result.  The hang takes anywhere from 12 hours 
to 48 hours.  Also, each time it hangs I can't do a proper shutdown as the 
command "shutdown -h now" never completes.  For the mean time I just 
aggressively monitor its status and cold reboot it each time it hangs.

Is there anything I can do for better system stability?  Is there any 
further information I can give that will allow developers insight into the 
problem?


ERROR LOGGED TO /var/log/messages
(this is the same error logged every time, sometimes the ccb # is different)
(sometimes it is "... ccb 58")

Nov  3 01:08:17 backup /bsd: ami1: timeout ccb 126
Nov  3 01:08:33 backup last message repeated 2 times
Nov  3 01:08:33 backup /bsd: ses0: status read error

DMESG (from snapshot Oct 31)

OpenBSD 3.8-current (GENERIC) #203: Fri Oct 21 12:35:57 MDT 2005
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz

real mem  = 1073065984 (1047916K)
avail mem = 972574720 (949780K)
using 4278 buffers containing 53755904 bytes (52496K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/22/05, BIOS32 rev. 0 @ 0xffe90
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb140/272 (15 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801EB/ER LPC" rev 0x00)
pcibios0: PCI bus #9 is the last bus
bios0: ROM list: 0xc/0xb000! 0xcb000/0x1000 0xcc000/0x1000 
0xcd000/0x2200 0xcf800/0x2600 0xec000/0x4000!

ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7710 SMCH" rev 0x09
ppb0 at pci0 dev 2 function 0 "Intel E7710 MCH PCIE" rev 0x09
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel IOP331 Channel 0" rev 0x06
pci2 at ppb1 bus 2
ami0 at pci2 dev 14 function 0 "Dell PERC 4e/Di" rev 0x06: irq 7 Dell 

ami0: FW 521S, BIOS vH430, 256MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 69880MB, 69880 cyl, 64 head, 32 sec, 512 bytes/sec, 143114240 sec total
scsibus1 at ami0: 16 targets
safte0 at scsibus1 targ 6 lun 0:  SCSI2 3/processor 

ppb2 at pci1 dev 0 function 2 "Intel IOP331 Channel 1" rev 0x06
pci3 at ppb2 bus 3
ami1 at pci3 dev 11 function 0 "Symbios Logic MegaRAID" rev 0x01: irq 3 Dell 

ami1: FW 351S, BIOS v1.10, 128MB RAM
ami1: 2 channels, 0 FC loops, 1 logical drives
scsibus2 at ami1: 40 targets
sd1 at scsibus2 targ 0 lun 0:  SCSI2 0/direct fixed
sd1: 419700MB, 419700 cyl, 64 head, 32 sec, 512 bytes/sec, 859545600 sec 

scsibus3 at ami1: 16 targets
scsibus4 at ami1: 16 targets
ses0 at scsibus4 targ 6 lun 0:  SCSI3 3/processor fixed
ppb3 at pci0 dev 4 function 0 "Intel E7710 MCH PCIE" rev 0x09
pci4 at ppb3 bus 4
ppb4 at pci0 dev 5 function 0 "Intel E7710 MCH PCIE" rev 0x09
pci5 at ppb4 bus 5
ppb5 at pci5 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci6 at ppb5 bus 6
em0 at pci6 dev 7 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: irq 11, 
address 00:14:22:17:c9:76

ppb6 at pci5 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci7 at ppb6 bus 7
em1 at pci7 dev 8 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: irq 3, 
address 00:14:22:17:c9:77

ppb7 at pci0 dev 6 function 0 "Intel E7710 MCH PCIE" rev 0x09
pci8 at ppb7 bus 8
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: irq 7
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self 

Problems booting with floppyC38.fs on Latitude CPx

2005-11-03 Thread daniel
I'm unable to use floppyC38.fs to boot my laptop.
It is a Dell latitude CPx J650GT with bios A16
I've tried different floppy disks with the same results.
I've tried floppyC38.fs from 3.8 release
I've tried floppyC38.fs from snapshots date 11/2/05
Using the exact same floppy i can boot my pc just fine.
Any ideas on what i need to do to get this laptop going?

probing: pc0 com0 com1 apm mem[639K 510M a20=on]
disk: fd0 hd0+*
>> OpenBSD/i386 BOOT 2.10
booting fd0a:/bsd: 3306020+195116=0x356d74
entry point at 0x100120

complete freeze at this point, can't hit the caps lock button
I only got this once. All other times have been as follows.

probing: pc0 com0 com1 apm mem[639K 510M a20=on]
disk: fd0 hd0+*
>> OpenBSD/i386 BOOT 2.10
booting fd0a:/bsd: 3306020read text
 failed(0). will try /obsd
booting fd0a:/obsd: open fd0a:/obsd: No such file or directory
 failed(2). will try /bsd.old
booting fd0a:/bsd.old: open fd0a:/bsd.old: No such file or directory
 failed(2). will try /bsd
booting fd0a:/bsd: 3306020read text
 failed(0). will try /obsd
booting fd0a:/obsd: open fd0a:/obsd: No such file or directory
 failed(2). will try /bsd.old
booting fd0a:/bsd.old: open fd0a:/bsd.old: No such file or directory
 failed(2). will try /bsd
Turning timeout off.

Re: OpenBSD Metastore

2005-11-03 Thread Daniel A. Ramaley
On Thursday 03 November 2005 08:59, Martin Schröder wrote:
>On 2005-11-03 08:20:47 -0600, Jared Solomon wrote:
>> "The AOpen MiniPC measures 6.5 x 6.5 x 2 inches, is powered by an
>> Intel Pentium M or Celeron M processor"
>A MacMini is cheaper and runs OBSD.

That's not entirely accurate; though a Mac Mini will run OpenBSD, it is 
not cheaper. The original article that was posted gave a $399 price for 
the A-Open MiniPC. Apple lists their Mac Mini at $499. But, if you know 
a way to (legally) acquire a new Mac Mini for less than the $399 MiniPC 
price, i'd be very interested in hearing about it.

Dan Ramaley
Network Programmer/Analyst
(515) 271-4540
Dial Center 118, Drake University

carp incorrect hash debugging

2005-11-03 Thread Jon Hart

We've all probably had or seen the carp error similar to:

   carp0: incorrect hash

In most cases that I've seen on this and other lists it was because of
something obvious like a mismatched pass or two supposed carp partners
using different vhid's.

I've taken a look at the code but wanted to verify.  What pieces of
information are:

   1) used to determine that a particular carp packet is intended for
  your carp host?  

   2) given that a carp host knows that a particular carp packet is one
  that it cares about, how does it verify that all of the parameters
  contained within are legit?

I believe the answer to 1 is the version, type and vhid from the carp
packet.  2 I'm not so sure about, but I'm assuming that at least part of
this decision is based on the pass.  

I had a situation earlier today that I could not explain.  Put simply,
I had hosts A, B, C and D all on the same /24.  Hosts A and B were
a carp pair for and hosts C and D were a carp pair for  If A and B were using the same vhid as C and D, both ends
would complain about an incorrect hash.  Having never been in that
situation before, I figured the vhid's were clashing since the pass
happened to be the same on all 4 machines.  I destroyed carp0 and did
a 'sh /etc/netstart carp0'.  I was still getting the messages but they
seemed less frequent.  I worked on other things which required a reboot
and from then on, the messages were gone.  The two carp pairs have
functioned as expected ever since. 

Was my fix (prior to rebooting) the correct one?  If so, why did
I continue to get the incorrect hash messages?  Gremlins or operator

If the answer to all this is to just ensure that if I ever have more
than one carp pair on the same network to ensure that I have different
vhids, does anyone have a vhid numbering scheme that they've found
workable?  I had been using interface number +1 (so the carp for em0
would be vhid 1, etc).

Any input would be much appreciated!


Re: PERC4/DC Error

2005-11-03 Thread Marco Peereboom
I'll start looking into this ASAP.

On Thu, Nov 03, 2005 at 02:17:12PM -0700, Tom Geman wrote:
> I have a backup server (Dell PowerEdge 1850) attached to the Dell 
> PowerVault 220S.  The only function this server does is backing up remote 
> servers throughout the day via rsync.
> The 1850 uses RAID 1 via the embedded RAID controller (PERC 4e/Si, ami0).  
> On this RAID 1 is a generic install of OpenBSD plus the rsync package.  The 
> storage is connected via the expansion RAID controller (PERC 4/DC, ami1), 
> and utilizes RAID 5 across 4 SCSI disks.
> Unfortunately I am having a reoccurring problem: the connection with the 
> Dual Channel RAID controller hangs, and I am unable to access the disks.  
> There is no kernel panic, I am able to log in and do anything, except 
> access ami1.
> I have tried 4 different snapshots from October, and an install from the 
> 3.8 CD, all ending with the same result.  The hang takes anywhere from 12 
> hours to 48 hours.  Also, each time it hangs I can't do a proper shutdown 
> as the command "shutdown -h now" never completes.  For the mean time I just 
> aggressively monitor its status and cold reboot it each time it hangs.
> Is there any thing I can do for better system stability?  Is there any 
> further information I can give that will allow developers insight into the 
> problem?
> Thanks.
> ERROR LOGGED TO /var/log/messages
> (this is the same error logged every time, sometimes the ccb # is different)
> (sometimes it is "... ccb 58")
> Nov  3 01:08:17 backup /bsd: ami1: timeout ccb 126
> Nov  3 01:08:33 backup last message repeated 2 times
> Nov  3 01:08:33 backup /bsd: ses0: status read error
> DMESG (from snapshot Oct 31)
> OpenBSD 3.8-current (GENERIC) #203: Fri Oct 21 12:35:57 MDT 2005
>[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Xeon(TM) CPU 3.00GHz ("GenuineIntel" 686-class) 3 GHz
> cpu0: 
> real mem  = 1073065984 (1047916K)
> avail mem = 972574720 (949780K)
> using 4278 buffers containing 53755904 bytes (52496K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(00) BIOS, date 09/22/05, BIOS32 rev. 0 @ 0xffe90
> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb140/272 (15 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801EB/ER LPC" rev 0x00)
> pcibios0: PCI bus #9 is the last bus
> bios0: ROM list: 0xc/0xb000! 0xcb000/0x1000 0xcc000/0x1000 
> 0xcd000/0x2200 0xcf800/0x2600 0xec000/0x4000!
> ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel E7710 SMCH" rev 0x09
> ppb0 at pci0 dev 2 function 0 "Intel E7710 MCH PCIE" rev 0x09
> pci1 at ppb0 bus 1
> ppb1 at pci1 dev 0 function 0 "Intel IOP331 Channel 0" rev 0x06
> pci2 at ppb1 bus 2
> ami0 at pci2 dev 14 function 0 "Dell PERC 4e/Di" rev 0x06: irq 7 Dell 
> 16c/32b
> ami0: FW 521S, BIOS vH430, 256MB RAM
> ami0: 1 channels, 0 FC loops, 1 logical drives
> scsibus0 at ami0: 40 targets
> sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct fixed
> sd0: 69880MB, 69880 cyl, 64 head, 32 sec, 512 bytes/sec, 143114240 sec total
> scsibus1 at ami0: 16 targets
> safte0 at scsibus1 targ 6 lun 0:  SCSI2 
> 3/processor fixed
> ppb2 at pci1 dev 0 function 2 "Intel IOP331 Channel 1" rev 0x06
> pci3 at ppb2 bus 3
> ami1 at pci3 dev 11 function 0 "Symbios Logic MegaRAID" rev 0x01: irq 3 
> Dell 518/64b/lhc
> ami1: FW 351S, BIOS v1.10, 128MB RAM
> ami1: 2 channels, 0 FC loops, 1 logical drives
> scsibus2 at ami1: 40 targets
> sd1 at scsibus2 targ 0 lun 0:  SCSI2 0/direct fixed
> sd1: 419700MB, 419700 cyl, 64 head, 32 sec, 512 bytes/sec, 859545600 sec 
> total
> scsibus3 at ami1: 16 targets
> scsibus4 at ami1: 16 targets
> ses0 at scsibus4 targ 6 lun 0:  SCSI3 3/processor fixed
> ppb3 at pci0 dev 4 function 0 "Intel E7710 MCH PCIE" rev 0x09
> pci4 at ppb3 bus 4
> ppb4 at pci0 dev 5 function 0 "Intel E7710 MCH PCIE" rev 0x09
> pci5 at ppb4 bus 5
> ppb5 at pci5 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
> pci6 at ppb5 bus 6
> em0 at pci6 dev 7 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: irq 11, 
> address 00:14:22:17:c9:76
> ppb6 at pci5 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
> pci7 at ppb6 bus 7
> em1 at pci7 dev 8 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: irq 3, 
> address 00:14:22:17:c9:77
> ppb7 at pci0 dev 6 function 0 "Intel E7710 MCH PCIE" rev 0x09
> pci8 at ppb7 bus 8
> uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 11
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: irq 10
> usb1 at uhci1: USB revision 1.0
> uhub1 at usb1
> uhub1:

Re: Problems with HP dx5150/ATI Xpress 200 chipset

2005-11-03 Thread pedro la peu
> I have done enough searching of mailing lists and google to know that this
> chipset is problematic at the moment for BSD and for that matter linux,

Really? My first time with this chipset was in April [1] when it worked but 
only as a bunch of "generic" or unconfigured devices.

Since then I have seen (and participated in) a complete change, now they  
[2] [3] work so well I use them in production and as my primary workstation.

Some suggestions:

1. Get the latest BIOS update, if you haven't already.

2. Install the latest snapshot, things have progressed since 3.8.

See the following, the first is from a machine I have in production  
(Sempron/socket754 - one of several) the second is my primary workstation 
(AMD64/socket939). I couldn't be happier with them. Fast/stable.

OpenBSD 3.8-current (GENERIC) #0: Fri Oct  7 19:14:10 BST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Hammer Family processor - Model Unknown ("AuthenticAMD" 686-class, 
128KB L2 cache) 1.60 GHz
cpu0: AMD Powernow: TS TTP TM STC
real mem  = 468295680 (457320K)
avail mem = 420282368 (410432K)
using 4278 buffers containing 23519232 bytes (22968K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(f9) BIOS, date 03/10/05, BIOS32 rev. 0 @ 0xfa5a0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 3.0 @ 0xf/0xd474
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd340/288 (16 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 17 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #3 is the last bus
WARNING: can't reserve area for I/O APIC.
WARNING: can't reserve area for Local APIC.
WARNING: can't reserve area for BIOS PROM.
bios0: ROM list: 0xc/0xf000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ATI RS480 Host" rev 0x01
ppb0 at pci0 dev 1 function 0 "ATI RS480 PCIE" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon XPRESS 200" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pciide0 at pci0 dev 17 function 0 "ATI IXP400 SATA" rev 0x00: DMA
pciide0: using irq 11 for native-PCI interrupt
pciide1 at pci0 dev 18 function 0 "ATI IXP400 SATA" rev 0x00: DMA
pciide1: using irq 10 for native-PCI interrupt
"ATI IXP400 SMBus" rev 0x10 at pci0 dev 20 function 0 not configured
pciide2 at pci0 dev 20 function 1 "ATI IXP400 IDE" rev 0x00: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide2 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
wd0(pciide2:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5
pcib0 at pci0 dev 20 function 3 "ATI IXP400 ISA" rev 0x00
ppb1 at pci0 dev 20 function 4 "ATI IXP400 PCI" rev 0x00
pci2 at ppb1 bus 2
ppb2 at pci2 dev 5 function 0 "Intel S21154AE/BE PCI-PCI" rev 0x00
pci3 at ppb2 bus 3
fxp0 at pci3 dev 4 function 0 "Intel 82557" rev 0x0d, i82550: irq 12, address 
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci3 dev 5 function 0 "Intel 82557" rev 0x0d, i82550: irq 12, address 
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
rl0 at pci2 dev 11 function 0 "Realtek 8139" rev 0x10: irq 5 address 
rlphy0 at rl0 phy 0: RTL internal phy
auixp0 at pci0 dev 20 function 5 "ATI IXP400 AC97" rev 0x01: irq 12
auixp0: soft resetting aclink
pchb1 at pci0 dev 24 function 0 "AMD AMD64 HyperTransport" rev 0x00
pchb2 at pci0 dev 24 function 1 "AMD AMD64 Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
pchb4 at pci0 dev 24 function 3 "AMD AMD64 Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ef4d netmask ff6d ttymask ffef
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
ac97: codec id 0x414c4760 (Avance Logic ALC655)
audio0 at auixp0

OpenBSD 3.8-current (GENERIC) #0: Mon Oct 31 11:25:49 GMT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1005121536 (981564K)
avail mem = 849719296 (829804K)
using 22937 buffers containing 100720640 bytes (98360K) of memory
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Athlon(tm) 64 Proce

Re: Can't make 3.7-stable release

2005-11-03 Thread Raymond Lillard



   ...Same problem, again (it was already covered some time ago).
When I run the last step in building a release
(see , i.e.

  # make release

I get a message informing me that /dev/svnd0a is full. This occurs
while make is working with ramdiskC (exactly as the messages posted
last July).

C) Please don't flame--I'm just curious: In the mailing list
archives, I noticed this sort of problem has been around since
March (messages dated March 30). Why hasn't it yet been fixed? 

In the strictest of terms, a fix is impossible.  Think about
it a bit.  The problem could be mitigated a bit by dropping a
driver, but then it's not the same release, is it?  And then
there are the changes to the documentation, etc ...

I'm not going to take time to go back and check, but I think
I am the OP of the Mar 30 msg you refer to.  Just do what I
did, find a suitable work around (there are several) and get
on with the show.


Re: Problems booting with floppyC38.fs on Latitude CPx

2005-11-03 Thread Joachim Schipper
On Thu, Nov 03, 2005 at 04:56:34PM -0500, daniel wrote:
> I'm unable to use floppyC38.fs to boot my laptop.
> It is a Dell latitude CPx J650GT with bios A16
> I've tried different floppy disks with the same results.
> I've tried floppyC38.fs from 3.8 release
> I've tried floppyC38.fs from snapshots date 11/2/05
> Using the exact same floppy i can boot my pc just fine.
> Any ideas on what i need to do to get this laptop going?
> Loading;..
> probing: pc0 com0 com1 apm mem[639K 510M a20=on]
> disk: fd0 hd0+*
> >> OpenBSD/i386 BOOT 2.10
> boot>
> booting fd0a:/bsd: 3306020+195116=0x356d74
> entry point at 0x100120
> complete freeze at this point, can't hit the caps lock button
> I only got this once. All other times have been as follows.
> Loading;..
> probing: pc0 com0 com1 apm mem[639K 510M a20=on]
> disk: fd0 hd0+*
> >> OpenBSD/i386 BOOT 2.10
> boot>
> booting fd0a:/bsd: 3306020read text
>  failed(0). will try /obsd
> boot>
> booting fd0a:/obsd: open fd0a:/obsd: No such file or directory
>  failed(2). will try /bsd.old

It's always possible there is some weird kernel bug around, but I
remember seeing that when trying to boot with a defective floppy drive.
I.e., the floppy *drive* was shot. I binned quite a lot of floppies
before finally binning the drive. It was only 1-2 years old. I put in an
oldie (no clue just how old, scavenged it from a Pentium I system or
somesuch), and it booted just fine.

Of course, trying other floppies first might be cheaper...

If you already have OpenBSD on there, just get a new bsd.rd and boot
that - it's much easier.


DNSSEC/SSHFP, getrrsetbyname(3), and resolv.conf(5)

2005-11-03 Thread jared r r spiegel
  holy hell this OS f'ckin rocks.

  so i waste a day and a half because i forgot to 
  do a 'dnssec-enable yes;' in named.conf, totally my fault.

  after i turn that on and setup named and my keys/zones
  right ( or unbreak them, after the day and a half of barking
  up the wrong tree... ), i find i have DNSSEC working for my SSHFP 
  records, as tested by dig ( i have 'ad' in the reply, and i get
  RRSIG records printed in my Answer Sections ).

  ssh, otoh, is still saying to me "found  insecure fingerprints in DNS".

  i spend more time on it and read [1], and get to thinking, ok,
  how the hell does ssh know if my resolver verified the SSHFP/RRSIG/DNSSEC
  crap or not?  i thought it has to be in the data given back to
  ssh by the resolver.

  so i peek in /usr/src/usr.sbin/dns.c, and find the verify_host_key_dns
  function (?) and see it does some error checking and then it 
  runs 'getrrsetbyname'

  so, what the hell i say, 'man getrrsetbyname'.

  oh.  look.  there's a manpage.

  so in getrrsetbyname(3) i find:

 If the EDNS0 option is activated in resolv.conf(5), getrrsetbyname() will
 request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.

  ok, so i check resolv.conf(5) and find:

 options Allows certain internal resolver variables to be modified.
 The syntax is:

 options option ...

 where option is one of the following:

 debug  Sets RES_DEBUG in _res.options.

     edns0  attach OPT pseudo-RR for EDNS0 extension specified
in RFC 2671, to inform DNS server of our receive
buffer size.  The option will allow DNS servers to
take advantage of non-default receive buffer size,
and to send larger replies.  DNS query packets
with EDNS0 extension are not compatible with non-
EDNS0 DNS servers.  The option must be used only
when all the DNS servers listed in nameserver
lines are able to handle EDNS0 extension.
 The options keyword of a system's resolv.conf or resolv.conf.tail file
 can be amended on a per-process basis by setting the environment variable
 RES_OPTIONS to a space-separated list of resolver options as explained

  so i 'export RES_OPTIONS=edns0'
  and then:

$ ssh -vo verifyhostkeydns\ yes
OpenSSH_4.2, OpenSSL 0.9.7g 11 Apr 2005
debug1: found 1 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS


   thank you Jakob Schlyter

[1] -

( i checked
  and it doesn't seem to have getrrsetbyname(3), though perhaps it goes
  by a different name over there.. ? )



[ openbsd 3.8 GENERIC ( oct 15 ) // i386 ]
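
The check above comes down to two things: what ssh-keygen -r puts in an SSHFP record, and how OpenSSH decides that the records it got back are "secure" rather than "insecure". The following is an added example written for this archive page, not code from the post, from OpenSSH or from OpenBSD's libc. It builds SSHFP records (RFC 4255) from an ssh-rsa key line and reproduces the decision in verify_host_key_dns(): the fingerprints only count as secure when the resolver hands back the rrset with RRSET_VALIDATED set, which getrrsetbyname(3) can only do if it sent the DO bit, i.e. with edns0 on. The getrrsetbyname_sim() function is a stand-in for the libc call; the host name, the key material (arbitrary integers, not a real RSA key) and the zone are constructed.

```python
# Added example (not from the post or from OpenSSH/OpenBSD source): builds
# SSHFP records (RFC 4255) from an ssh-rsa host key line the way ssh-keygen -r
# does, and reproduces the "secure"/"insecure" decision that OpenSSH's
# verify_host_key_dns() makes from the rrset flags the resolver returns.
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2}   # RFC 4255 algorithm numbers
SSHFP_FPTYPE_SHA1 = 1                       # RFC 4255 fingerprint type: SHA-1
RRSET_VALIDATED = 0x01                      # rri_flags bit from getrrsetbyname(3)


def _sshstr(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint': two's complement, so a leading zero byte is added when the
    high bit of a positive value is set (RFC 4251)."""
    if n == 0:
        return struct.pack(">I", 0)
    return _sshstr(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e: int, n: int, comment: str = "host") -> str:
    """One line in the format of /etc/ssh/ssh_host_rsa_key.pub. The blob is
    string "ssh-rsa", mpint e, mpint n (RFC 4253); e and n are whatever the
    caller passes, so constructed values are fine for exercising the code."""
    blob = _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


@dataclass(frozen=True)
class SSHFP:
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex

    def zone_line(self, owner: str) -> str:
        """Same shape as the output of 'ssh-keygen -r <host>'."""
        return f"{owner} IN SSHFP {self.algorithm} {self.fptype} {self.fingerprint}"

    def rdata(self) -> bytes:
        """Wire format: 1 octet algorithm, 1 octet fp type, raw fingerprint."""
        return bytes([self.algorithm, self.fptype]) + bytes.fromhex(self.fingerprint)


def sshfp_from_pubkey(line: str) -> SSHFP:
    """The fingerprint is SHA-1 over the base64-decoded key blob, the same
    bytes ssh-keygen -l hashes; the algorithm number comes from the key type."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP(SSHFP_ALGO[keytype], SSHFP_FPTYPE_SHA1, hashlib.sha1(blob).hexdigest())


def parse_sshfp_rdata(rdata: bytes) -> SSHFP:
    return SSHFP(rdata[0], rdata[1], rdata[2:].hex())


@dataclass
class RRSet:
    """The two things verify_host_key_dns() uses from struct rrsetinfo."""
    records: List[bytes]
    flags: int = 0


def getrrsetbyname_sim(zone: Dict[str, List[bytes]], owner: str,
                       edns0: bool, server_sets_ad: bool) -> RRSet:
    """Stand-in for getrrsetbyname(3) (a simulation, not the libc call). The
    DO bit is only sent when the resolver has 'options edns0', and
    RRSET_VALIDATED is only set when DO was sent and the server answered with
    AD. Without edns0 the same RRSIG-covered data comes back, but it can never
    be marked validated, which is why ssh reports 'insecure fingerprints'."""
    flags = RRSET_VALIDATED if (edns0 and server_sets_ad) else 0
    return RRSet(list(zone.get(owner, [])), flags)


def verify_host_key_dns(pubkey_line: str, rrset: RRSet) -> Tuple[bool, bool, str]:
    """Returns (fingerprint matched, rrset secure, ssh -v style debug message).
    ssh only treats a match as authoritative when the rrset is secure."""
    want = sshfp_from_pubkey(pubkey_line)
    found = [parse_sshfp_rdata(r) for r in rrset.records]
    secure = bool(rrset.flags & RRSET_VALIDATED)
    msg = f"found {len(found)} {'secure' if secure else 'insecure'} fingerprints in DNS"
    return want in found, secure, msg


# Constructed host key (e and n are arbitrary integers, not a real RSA key)
# and a constructed zone for an assumed hostname.
HOST = "host.example."
HOST_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE0123456789ABCDEF, HOST)
ZONE = {HOST: [sshfp_from_pubkey(HOST_KEY).rdata()]}

if __name__ == "__main__":
    print(sshfp_from_pubkey(HOST_KEY).zone_line(HOST))
    for edns0 in (False, True):
        rrset = getrrsetbyname_sim(ZONE, HOST, edns0=edns0, server_sets_ad=True)
        matched, secure, msg = verify_host_key_dns(HOST_KEY, rrset)
        print(f"edns0={edns0}: {msg}; matched={matched}")
```

Run as a script it prints the zone line and then the two debug messages from the post, "found 1 insecure fingerprints in DNS" without edns0 and "found 1 secure fingerprints in DNS" with it, for the same zone data. The practical reading is that a matching fingerprint alone is not enough: the 'ad' flag dig shows is only visible to ssh if the libc resolver asked for it.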

/ never unmounts properly

2005-11-03 Thread Michael Favinsky
I just installed 3.8 on a server that never had OpenBSD on it. Whenever I
reboot, I get a warning that / wasn't unmounted properly. This is followed
by an fsck of / and bootup goes on as normal. All other filesystems are clean.

I've tried reboot, halt, even sync sync sync reboot. The bootup sequence
still shows that / wasn't unmounted properly. 

Am I doing something wrong? Is there anything that can be done to deal with this?

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 399 MHz
real mem  = 267952128 (261672K)
avail mem = 237613056 (232044K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(62) BIOS, date 08/07/00, BIOS32 rev. 0 @ 0xfd83c
pcibios0 at bios0: rev 2.1 @ 0xfd740/0x8c0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 9
pcibios0: PCI Interrupt Router at 000:04:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x800 0xc8800/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX" rev 0x03
pcib0 at pci0 dev 4 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 4 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 4 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power" rev 0x02 at pci0 dev 4 function 3 not configured
ppb0 at pci0 dev 7 function 0 "DEC 21152 PCI-PCI" rev 0x03
pci1 at ppb0 bus 1
fxp0 at pci1 dev 3 function 0 "Intel 82557" rev 0x05, i82558: irq 11,
address 00:90:27:87:61:16
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
siop0 at pci1 dev 4 function 0 "Symbios Logic 53c895" rev 0x01: irq 15,
using 4K of on-board RAM
scsibus1 at siop0siop0: switching to single-ended mode
: 16 targets
ppb1 at pci0 dev 9 function 0 "Intel i960 RP PCI-PCI" rev 0x03
pci2 at ppb1 bus 2
ami0 at pci0 dev 9 function 1 "Intel 80960RP ATU" rev 0x03: irq 10 HP
ami0: FW C.02.08, BIOS vB.02.04, 16MB RAM
ami0: 3 channels, 16 targets, 1 logical drives
scsibus2 at ami0: 1 targets
sd0 at scsibus2 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 4066MB, 518 cyl, 255 head, 63 sec, 512 bytes/sec, 8327168 sec total
scsibus3 at ami0: 16 targets
scsibus4 at ami0: 16 targets
scsibus5 at ami0: 16 targets
vga1 at pci0 dev 13 function 0 "Cirrus Logic CL-GD5446" rev 0x45
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ef65 netmask ef65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
WARNING: / was not properly unmounted

Re: / never unmounts properly

2005-11-03 Thread Fred Crowson

Michael Favinsky wrote:

> I just installed 3.8 on a server that never had OpenBSD on it. Whenever I
> reboot, I get a warning that / wasn't unmounted properly. This is followed
> by an fsck of / and bootup goes on as normal. All other filesystems are
> clean.
>
> I've tried reboot, halt, even sync sync sync reboot. The bootup sequence
> still shows that / wasn't unmounted properly. 
>
> Am I doing something wrong? Is there anything that can be done to deal with
> this?


#shutdown -r now

Give the same problem?


Re: / never unmounts properly

2005-11-03 Thread Han Boetes
Michael Favinsky wrote:
> I just installed 3.8 on a server that never had OpenBSD on it.
> OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005

That's not 3.8: 3.8-stable was compiled on september the 26th.

# Han

Re: / never unmounts properly

2005-11-03 Thread Ted Unangst
On 11/3/05, Michael Favinsky <[EMAIL PROTECTED]> wrote:
> I just installed 3.8 on a server that never had OpenBSD on it. Whenever I
> reboot, I get a warning that / wasn't unmounted properly. This is followed
> by an fsck of / and bootup goes on as normal. All other filesystems are
> clean.
> I've tried reboot, halt, even sync sync sync reboot. The bootup sequence
> still shows that / wasn't unmounted properly.

running fsck -fy / in single user mode should fix it.  i never tracked
down why this seems to happen.

Re: / never unmounts properly

2005-11-03 Thread jared r r spiegel
On Thu, Nov 03, 2005 at 04:31:56PM -0800, Michael Favinsky wrote:
> I just installed 3.8 on a server that never had OpenBSD on it. Whenever I
> reboot, I get a warning that / wasn't unmounted properly. This is followed
> by an fsck of / and bootup goes on as normal. All other filesystems are
> clean.
> I've tried reboot, halt, even sync sync sync reboot. The bootup sequence
> still shows that / wasn't unmounted properly. 
> Am I doing something wrong? Is there anything that can be done to deal with
> this?

  it may help in diagnosis to also see contents of /etc/fstab and
  maybe outputs of fdisk/disklabel on the drive in question.

  i wonder if you have anything funky in /etc/rc.shutdown

> ami0 at pci0 dev 9 function 1 "Intel 80960RP ATU" rev 0x03: irq 10 HP 438/32b
> ami0: FW C.02.08, BIOS vB.02.04, 16MB RAM
> ami0: 3 channels, 16 targets, 1 logical drives
> scsibus2 at ami0: 1 targets
> sd0 at scsibus2 targ 0 lun 0:  SCSI2 0/direct fixed
> sd0: 4066MB, 518 cyl, 255 head, 63 sec, 512 bytes/sec, 8327168 sec total
> scsibus3 at ami0: 16 targets
> scsibus4 at ami0: 16 targets
> scsibus5 at ami0: 16 targets

  i've got:

ami0 at pci0 dev 7 function 0 "AMI MegaRAID Series 428" rev 0x03: irq 11 AMI 
ami0: FW A.04.03, BIOS vA.04.03, 32MB RAM
ami0: 3 channels, 16 targets, 1 logical drives
scsibus0 at ami0: 1 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 34730MB, 34730 cyl, 64 head, 32 sec, 512 bytes/sec, 71127040 sec total
scsibus1 at ami0: 16 targets
scsibus2 at ami0: 16 targets
scsibus3 at ami0: 16 targets

  who seems to be not identical at all; but fwiw this
  doesn't happen on mine.


Re: / never unmounts properly

2005-11-03 Thread jared r r spiegel
On Thu, Nov 03, 2005 at 06:13:22PM -0700, jared r r spiegel wrote:
> On Thu, Nov 03, 2005 at 04:31:56PM -0800, Michael Favinsky wrote:
> > I've tried reboot, halt, even sync sync sync reboot. The bootup sequence
> > still shows that / wasn't unmounted properly. 
> > 
> > Am I doing something wrong? Is there anything that can be done to deal with
> > this?
>   it may help in diagnosis to also see contents of /etc/fstab and
>   maybe outputs of fdisk/disklabel on the drive in question.

  please let me defer to tedu@ 


error : pkg_add analog-6.0.tgz / webalizer-2.01.10p2.tgz

2005-11-03 Thread MichaelBibby
hi all:
I use OpenBSD 3.8 release,but download packages from 
When I install analog-6.0.tgz and webalizer-2.01.10p2.tgz, I get the 
same error message.
I ran "pkg_info -K -L PKGNAME", but lib "ttf.1.3" was not found.

Is there something wrong with my system?

# pkg_add analog-6.0.tgz
analog-6.0:libiconv-1.9.2p1: complete
analog-6.0:pcre-4.5p1: complete
analog-6.0:jpeg-6bp2: complete
analog-6.0:png-1.2.8: complete
analog-6.0:gd-2.0.33p2: complete
Can't install analog-6.0.tgz: lib not found ttf.1.3
Even by looking in the dependency tree:
libiconv-1.9.2p1, jpeg-6bp2, png-1.2.8, gd-2.0.33p2, pcre-4.5p1
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.

# pkg_add webalizer-2.01.10p2.tgz
Can't install webalizer-2.01.10p2.tgz: lib not found ttf.1.3
Even by looking in the dependency tree:
jpeg-6bp2, libiconv-1.9.2p1, png-1.2.8, gd-2.0.33p2
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.

Re: error : pkg_add analog-6.0.tgz / webalizer-2.01.10p2.tgz

2005-11-03 Thread Josh Grosse
On Fri, Nov 04, 2005 at 09:22:41AM +0800, MichaelBibby wrote:
> hi all:
>   I use OpenBSD 3.8 release,but download packages from 
> "";.

You've missed FAQ 15.4.1:
15.4.1 - I'm getting all kinds of crazy errors. I just can't seem to get this 
ports stuff working at all.

It is very likely that you are using a system and ports tree which are not in 



* Do not check out a -current ports tree and expect it to work on a -release 
or -stable system. This is one of the most common errors and you will irritate 
people when you ask for help about why "nothing seems to work!"

* Because this is important to get right, we will rephrase it once more. If 
your system is -release, use the -release version of the ports tree. If your 
system is -stable, you need the -stable version of the ports tree. And finally,
if you follow -current, you need both a -current system and a -current ports 
tree. If you use X11 as part of your system, it must also follow the 
corresponding branch! 

Yes, this really does mean a wonderful new port will typically not work on 
your "older" system -- even if that system was -current just a few weeks ago.

Re: error : pkg_add analog-6.0.tgz / webalizer-2.01.10p2.tgz

2005-11-03 Thread Steve Shockley

MichaelBibby wrote:

> hi all:
> I use OpenBSD 3.8 release,but download packages from 
> When I install analog-6.0.tgz and webalizer-2.01.10p2.tgz, I get the 
> same error message.
> I ran "pkg_info -K -L PKGNAME", but lib "ttf.1.3" was not found.
> 
> Is there something wrong with my system?

Yes.  You're using snapshot packages with 3.8 Release.  Remove all your 
packages and reinstall from or a closer mirror.

Re: error : pkg_add analog-6.0.tgz / webalizer-2.01.10p2.tgz

2005-11-03 Thread MichaelBibby
sorry ,what a stupid question :(

and thanks 
Steve Shockley<[EMAIL PROTECTED]>


Re: carp incorrect hash debugging

2005-11-03 Thread Ryan McBride
On Thu, Nov 03, 2005 at 06:11:20PM -0500, Jon Hart wrote:
>1) used to determine that a particular carp packet is intended for
>   you carp host?  

carp(4) does a number of validity checks before treating the packet as a
real carp packet:

- was the packet received on an interface that has a carp device on it?
- is the ttl 255 (prevents routed carp packets from being accepted)
- packet length
- crc32 checksum
- Is the carp interface UP and RUNNING?
- version

>2) given that a carp host knows that a particular carp packet is one
>   that it cares about, how does it verify that all of the parameters
>   contained within are legit?

It checks the HMAC, which contains the password, version, counter, type,
and the addresses.


> If the answer to all this is to just ensure that if I ever have more
> than one carp pair on the same network to ensure that I have different
> vhids,

Yes, you MUST use a different vhid for different carp clusters on the
same link-local network; the MAC address for the carp interface is
generated from the vhid, and if you don't keep this unique your switch
will likely get confused.

>  does anyone have a vhid numbering scheme that they've found workable?
>  I had been using interface number +1 (so the carp for em0 would be
>  vhid 1, etc).

In many situations, I use the last octet of the first virtual IP
address. (If your virtual IP is, use 23 as your vhid)
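
The two rules in the reply, keep vhids unique per link because the carp MAC is derived from the vhid, and take the vhid from the last octet of the first virtual IP, are easy to check mechanically before a second cluster goes live. The following is an added example written for this archive page, not code from the thread or from OpenBSD: it parses the carp lines of hostname.carpN files, derives the 00:00:5e:00:01:<vhid> MAC that carp(4) uses, reports vhids shared on the same carpdev, and flags vhids that do not follow the last-octet scheme. The interface names, addresses and passwords in the sample are constructed.

```python
# Added example (not from the thread, not OpenBSD code): a lint pass over the
# carp lines of /etc/hostname.carpN files. It derives the MAC address carp(4)
# will put on the wire for each vhid, flags two clusters that share a vhid on
# the same carpdev, and compares each vhid with the last-octet scheme above.
# Interface names, addresses and passwords in the sample are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Optional

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# ifconfig(8) carp options that take an argument; anything else (e.g. 'up')
# is treated as a flag.
ARG_OPTS = {"vhid", "carpdev", "pass", "advskew", "advbase", "carppeer", "balancing"}


def carp_mac(vhid: int) -> str:
    """carp(4) derives the interface MAC from the vhid: 00:00:5e:00:01:<vhid>
    (the IANA VRRP/CARP range). Same vhid on one link means the same MAC."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be in 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def parse_carp_line(line: str) -> Optional[Dict[str, object]]:
    """Parse 'inet ADDR NETMASK [BROADCAST|NONE] options...' as written in
    hostname.if(5). Returns None unless the line carries a vhid."""
    toks = line.split()
    if len(toks) < 3 or toks[0] != "inet":
        return None
    i = 3
    if i < len(toks) and (IPV4_RE.match(toks[i]) or toks[i] == "NONE"):
        i += 1  # optional broadcast address
    opts: Dict[str, str] = {}
    while i < len(toks):
        if toks[i] in ARG_OPTS and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    if "vhid" not in opts:
        return None
    return {"ip": toks[1], "vhid": int(opts["vhid"]),
            "carpdev": opts.get("carpdev", "(auto)"), "pass": opts.get("pass")}


def suggested_vhid(ip: str) -> Optional[int]:
    """The scheme suggested above: last octet of the first virtual IP.
    An address ending in .0 has no usable vhid, so return None for it."""
    octet = int(ip.split(".")[-1])
    return octet or None


def check_vhids(configs: Dict[str, str]) -> List[str]:
    """configs maps 'carpN' to its hostname.carpN line. Reports vhids that
    differ from the last-octet scheme and vhids reused on the same carpdev.
    (Two carpdevs bridged onto one L2 segment would still collide; this
    check only sees what the files say.)"""
    by_link: Dict[tuple, List[str]] = defaultdict(list)
    reports: List[str] = []
    for name, line in sorted(configs.items()):
        p = parse_carp_line(line)
        if p is None:
            reports.append(f"{name}: no vhid found")
            continue
        by_link[(p["carpdev"], p["vhid"])].append(name)
        want = suggested_vhid(p["ip"])
        if want is not None and want != p["vhid"]:
            reports.append(f"{name}: vhid {p['vhid']} differs from last octet of {p['ip']} ({want})")
    for (dev, vhid), names in sorted(by_link.items()):
        if len(names) > 1:
            reports.append(f"{dev}: vhid {vhid} (MAC {carp_mac(vhid)}) shared by {', '.join(names)}")
    return reports


# Constructed sample: carp0 and carp2 are two different clusters that both
# ended up with vhid 23 on em0, which is exactly the collision warned about.
SAMPLE = {
    "carp0": "inet 192.0.2.23 255.255.255.0 192.0.2.255 vhid 23 carpdev em0 pass s3cret",
    "carp1": "inet 198.51.100.1 255.255.255.0 NONE vhid 1 carpdev em1 pass s3cret advskew 100",
    "carp2": "inet 192.0.2.24 255.255.255.0 vhid 23 carpdev em0 pass other",
}

if __name__ == "__main__":
    for line in check_vhids(SAMPLE):
        print(line)
```

For the sample it reports that carp2's vhid 23 does not match its address (24 would) and that em0 carries vhid 23, MAC 00:00:5e:00:01:17, for both carp0 and carp2. The check is per carpdev because that is all the files tell you; two carpdevs on the same switch segment still collide.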

Re: / never unmounts properly

2005-11-03 Thread Nick Holland
Han Boetes wrote:
> Michael Favinsky wrote:
>> I just installed 3.8 on a server that never had OpenBSD on it.
>> OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
> That's not 3.8: 3.8-stable was compiled on september the 26th.

Yes, that *is* 3.8.  That *is* what is on the CDs.  I have no idea what
you are babbling about here; 3.8-stable only started being maintained
on release day, Nov. 1, and running 3.8-release is very acceptable.

$ ftp -a
150 Opening BINARY mode data connection for 'bsd' (5281094 bytes).
100% |**|  5157 KB
$ config -ef bsd
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Enter 'help' for information

(yeah, a demo off the CD would be more impressive, but I seem to have
already misplaced my 3.8 CDs... 8-/  D'oh, there it is!)

$ sudo mount /dev/cd0a /mnt
$ cp /mnt/3.8/i386/bsd .
$ config -ef bsd
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Enter 'help' for information


Re: / never unmounts properly

2005-11-03 Thread Han Boetes
Nick Holland wrote:
> Han Boetes wrote:
> > Michael Favinsky wrote:
> > > I just installed 3.8 on a server that never had OpenBSD on it.
> > >
> > > OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
> >
> > That's not 3.8: 3.8-stable was compiled on september the 26th.
> Yes, that *is* 3.8. That *is* what is on the CDs.

Odd, the timestamps on the ftp-servers say september the 26th.

> I have no idea what you are babbling about here, 3.8-stable is
> only started to be maintained on release day, Nov. 1, and
> running 3.8-release is very acceptable.

What's that got to do with anything?

# Han

Problem ripping audio CD in Liteon DVD-DL drive

2005-11-03 Thread Tubnor, Jason B

I have a problem ripping an audio CD with cdparanoia.  Software that I
am using is grip and cdparanoia from the 3.8 packages tree.  The drive
that I have is a Liteon DVD-DL (IDE).  When I put the audio CD in the
drive while grip is in operation, the CD spins up and is read, following
that a DB lookup is performed and the tracks are labelled correctly so
the CD is being read correctly though when I hit rip, it briefly reads
each track and then moves to the next track until the whole CD is read
in only a couple of seconds.  The error that is appearing while this is
happening is at the bottom of my dmesg trail.  I am currently following
the -current tree.  This problem was also able to be reproduced on the
3.8-release.  Sorry I do not have any previous versions of OpenBSD to
see if it has functioned correctly beforehand.  Data CDs mount
correctly and can be read without error on the same drive.

Any advice would be appreciated.




$ dmesg
OpenBSD 3.8-current (GENERIC) #0: Thu Nov  3 10:12:47 EST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) XP 2400+ ("AuthenticAMD" 686-class, 256KB L2 cache)
2.01 GHz
cpu0: AMD Powernow: TS
real mem  = 502833152 (491048K)
avail mem = 451862528 (441272K)
using 4278 buffers containing 25243648 bytes (24652K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ff) BIOS, date 01/14/04, BIOS32 rev. 0 @
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xc744
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc6b0/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 5 6 10 11
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x7e00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8378 PCI" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 PCI-PCI" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA VT8378 VGA" rev 0x01: aperture at
0xd800, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x80: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x80: irq 6
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x80: irq 10
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 3 "VIA VT6202 USB" rev 0x82: irq 5
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: VIA EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
pcib0 at pci0 dev 17 function 0 "VIA VT8235 ISA" rev 0x00
pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133,
channel 0 configured to compatibility, channel 1 configured to
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 190781MB, 390719855 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x50: irq 10
ac97: codec id 0x56494170 (VIA Technologies <70>)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x74: irq 11 address
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 8: OUI
0x08, model 0x4063
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x290/8: IT87
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask ef65 netmask ef65 ttymask ffe7
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
umass0 at uhub3 port 5 configuration 1 interface 0
umass0: USB2.0 CardReader, rev 2.00/91.38, addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets
sd0 at scsibus1 targ 1 lun 0:  SCSI0 0/direct
sd0: drive offlin

Re: Problems booting with floppyC38.fs on Latitude CPx

2005-11-03 Thread Uwe Dippel
On Thu, 03 Nov 2005 16:56:34 -0500, daniel wrote:

> disk: fd0 hd0+*
>>> OpenBSD/i386 BOOT 2.10
> boot>
> booting fd0a:/bsd: 3306020+195116=0x356d74
> entry point at 0x100120

Don't know if this is related, booted cd38 on a Proliant and it did similarly;
only after several minutes - I was already sitting at another box to look for 
help online - did it finally go through.
After the install everything was fine.
Tried the same CD on a DELL Latitude D400 and worked well.
If I had access to the Proliant, I'd try again. But I'll only be there
over another 8 days, sorry.
Maybe a media problem after all ?


Re: USB ralink vs. PCMCIA ralink

2005-11-03 Thread Lars Hansson
On Thu, 03 Nov 2005 14:35:15 +0100

> You should prefer the PCMCIA one.
> The RT2500USB chipset has poor support for per-node tx rate
> adaptation and is thus a bad choice for hostap mode.

Well, I don't plan on using the laptop as an access point. Is the rate
adaptation also valuable if you don't run it in hostap mode?


Re: preventing OS fingerprint

2005-11-03 Thread Shane J Pearson

Hi Damien,

On 04/11/2005, at 9:56 AM, Damien Miller wrote:

> why care? fingerprinting is such a non-issue, and spending effort
> to avoid it is just security through obscurity.

Ignoring whether blocking NMAP scans is effective or not...

I agree that it is not good to rely on obscurity. But I don't see
anything wrong with obscuring a detail which people don't need to know.

What do you have to gain and what do you have to lose from holding
that info back? And what do you have to gain and what do you have to
lose from advertising it?

If someone wants to know what you are running, to ease their attack,
then why not make it a little harder for them? That extra time could
help you or a process detect the random attacks and work against the

Not that there is much likelihood of a patched OpenBSD getting rooted
though. Conversely, I guess advertising OpenBSD could make them go away.
; )

Shane J Pearson

arpbalance bug?

2005-11-03 Thread Josh
Is this anything to be concerned about?

pf beginner: my firewall passes tcp but not icmp

2005-11-03 Thread Cameron Simpson
I'm setting up an OpenBSD 3.7 firewall for the first time.
I've been flailing at this all afternoon and have exhausted my ideas.

My ruleset looks like this (from "pfctl -s rules"):

[var/[EMAIL PROTECTED]> pfctl -s rules
block return all
pass quick proto tcp from any to any port = ssh flags S/SA keep state
pass in quick proto icmp all keep state

It was more complex, but this is as simple as I can get it and demo the problem.
(I have also tried "pass quick proto icmp all" with no useful effect.)

With these rules in place and enabled, existing ssh sessions continue thanks
to their kept state, and new ssh connections work also.

However my pings, which work fine with pf disabled, get nothing back when I
enable pf ("pfctl -e") and of course spring back into life with "pfctl -d".

Does anyone have any idea what I'm doing wrong here?
Also, I have seen elsewhere in list archives debug output showing what rules
got applied. I have not found out how to produce such debugging myself.

I'm loading up the rules like this:

pfctl -F rules -v && pfctl -xm -f /etc/pf.conf -v && echo YES

What else can I do to further debug this?
Cameron Simpson <[EMAIL PROTECTED]> DoD#743

What the hell, it's only 4 month's grant - I can live in a cardboard box, and
catch pigeons for food. After all, I've got raytracing to do!

Re: Problem ripping audio CD in Liteon DVD-DL drive

2005-11-03 Thread Jacob Meuser
On Fri, Nov 04, 2005 at 03:25:48PM +1100, Tubnor, Jason B wrote:
> Hi,
> I have a problem ripping an audio CD with cdparanoia.  Software that I
> am using is grip and cdparanoia from the 3.8 packages tree.  The drive
> that I have is a Liteon DVD-DL (IDE).  When I put the audio CD in the

> cd0 at scsibus0 targ 0 lun 0:  SCSI0
> 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2

that is an LG, not a LiteOn.  some searching on google found
other people having issues with these as well, but I also found a
page where the authors used several brands of DVD media and they
recommend the drive, but note "I have strong faith that with a
little more firmware tweaking, 16x single layer, and even dual
layer recording could be made quite stable and effective."
you appear to have a first generation firmware, "A100".  perhaps
your problem is related to that?

I can confirm that cdparanoia works correctly for me on -current
with a LiteOn "DVDRW SOHW-1633S" with same IDE controller as you,
"VIA VT82C571 IDE" rev 0x06.

if I were you, I'd try to update the firmware of the drive.


Re: / never unmounts properly

2005-11-03 Thread Ted Unangst
On 11/3/05, Han Boetes <[EMAIL PROTECTED]> wrote:
> Nick Holland wrote:
> > Han Boetes wrote:
> > > That's not 3.8: 3.8-stable was compiled on september the 26th.
> >
> > I have no idea what you are babbling about here, 3.8-stable is
> > only started to be maintained on release day, Nov. 1, and
> > running 3.8-release is very acceptable.
> What's that got to do with anything?

it means that "3.8-stable was compiled on september the 26th" is wrong.

i also fail to see how this relates to fsck running after reboot.

OpenBSD CDROM layout definition, Copyright Infringement.

2005-11-03 Thread Siju George

I've been asked about

How is the layout defined?

maybe Nick or Theo or some other responsible person could give an
authoritative answer so I can give it back to the person who asked me.
If the md5 sum of the ISO image of a custom made OpenBSD CD is
different from that of the md5 sum of the ISO image of the official CDROM,
can it be considered different in layout?

Thank you so much

Kind Regards


Re: arpbalance bug?

2005-11-03 Thread Ryan McBride
On Sat, Nov 05, 2005 at 04:05:17AM +1300, Josh wrote:
> Is this anything to be concerned about?

Only if you use arpbalance in a situation where it really matters (as
opposed to a situation where you use it because you think it's cool)

It will be fixed shortly:

Re: pf beginner: my firewall passes tcp but not icmp

2005-11-03 Thread Ryan McBride
On Fri, Nov 04, 2005 at 05:16:22PM +1100, Cameron Simpson wrote:
>   [var/[EMAIL PROTECTED]> pfctl -s rules
>   block return all
>   pass quick proto tcp from any to any port = ssh flags S/SA keep state
>   pass in quick proto icmp all keep state
How are the packets supposed to get OUT of the firewall? You have to
think of the traffic crossing both interfaces.

> (I have also tried "pass quick proto icmp all" with no useful effect.)

With the simple ruleset above, or something more complicated?
This should work (as should the above without the direction)

> Also, I have seen elsewhere in list archives debug output showing what rules
> got applied. I have not found out how to produce such debugging myself.

Add the 'log' keyword to at least your block rule, and maybe your pass
rules as well. Then do:

# tcpdump -vvvpleni pflog0 -s 1518

> I'm loading up the rules like this:
>   pfctl -F rules -v && pfctl -xm -f /etc/pf.conf -v && echo YES

Don't explicitly flush the ruleset like this, pf does that for you and
with such a command you're running without any ruleset at all for at
least a moment, more if your new ruleset is buggy and fails to load.

> What else can I do to further debug this?

tcpdump on the pflog interface is probably the most powerful tool; you
can also look at pfctl -si to see if packets are being dropped for some
other reason than ruleset evaluation, and perhaps do tcpdump on the
physical interfaces you think the traffic should be crossing, to see if
it's maybe actually coming out on the other side but being dropped
elsewhere on your network.
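
Once the block rule carries 'log', the tcpdump output from pflog0 answers the question in the original post directly: it names the rule, the direction and the interface for every logged packet, and in a ruleset with only a 'pass in' for ICMP the echo requests show up as blocked on the way *out* of the other interface. The following is an added example written for this archive page, not code from the thread or from OpenBSD: it parses the header line tcpdump prints for each pflog record and summarises counts per (action, direction, interface, rule). The log lines are constructed to match the ruleset quoted above (rule 0 is 'block return all', rule 2 the ICMP pass); em0, em1, the addresses and the timestamps are assumptions.

```python
# Added example (not from the thread, not OpenBSD code): summarises tcpdump
# output from the pflog interface so that a "why is this dropped?" question
# turns into "which rule, which direction, which interface". The log lines
# below are constructed for this example; interface names, addresses and rule
# numbers are assumptions.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Shape of one 'tcpdump -n -e -i pflog0' line:
#   <timestamp> rule N/(reason) ACTION DIR on IF: SRC > DST: <protocol detail>
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/[^(]*\((?P<reason>[^)]*)\) (?:\[[^\]]*\] )?"
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

Key = Tuple[str, str, str, int, str]  # (action, dir, ifname, rule, kind)


def classify(rest: str) -> str:
    """Heuristic protocol label from the tail of the line: tcpdump prints
    'icmp: <type>' for ICMP, 'udp' for UDP and bare TCP flags otherwise."""
    if rest.startswith("icmp:"):
        return "icmp " + rest[len("icmp:"):].strip()
    if rest.startswith("udp"):
        return "udp"
    return "tcp " + rest.split()[0]


def parse_pflog_line(line: str) -> Optional[Dict[str, object]]:
    """None for lines that are not a pflog header (e.g. -v continuation lines)."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    d: Dict[str, object] = dict(m.groupdict())
    d["rule"] = int(m.group("rule"))
    d["kind"] = classify(m.group("rest"))
    return d


def summarize(lines: List[str]) -> Counter:
    """Count packets per (action, direction, interface, rule, kind)."""
    c: Counter = Counter()
    for line in lines:
        p = parse_pflog_line(line)
        if p is not None:
            c[(p["action"], p["dir"], p["ifname"], p["rule"], p["kind"])] += 1
    return c


def blocked_out(c: Counter) -> List[Key]:
    """Traffic pf let in on one interface but refused to let out on another is
    the usual answer to 'my pass in rule does not work': look for block/out."""
    return sorted(k for k in c if k[0] == "block" and k[1] == "out")


def report(c: Counter) -> List[str]:
    rows = sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{a} {d} on {ifn} by rule {r}: {n} x {kind}"
            for (a, d, ifn, r, kind), n in rows]


# Constructed sample: echo requests pass in on em0 under the ICMP rule (rule 2
# in a 'pfctl -s rules' listing like the one above) and are then blocked going
# out on em1 by rule 0, plus one inbound telnet SYN and one -v continuation line.
SAMPLE_PFLOG = """\
Nov 04 17:20:01.100001 rule 2/(match) pass in on em0: 192.0.2.5 > 198.51.100.7: icmp: echo request
Nov 04 17:20:01.100234 rule 0/(match) block out on em1: 192.0.2.5 > 198.51.100.7: icmp: echo request
Nov 04 17:20:02.100001 rule 2/(match) pass in on em0: 192.0.2.5 > 198.51.100.7: icmp: echo request
Nov 04 17:20:02.100234 rule 0/(match) block out on em1: 192.0.2.5 > 198.51.100.7: icmp: echo request
Nov 04 17:20:05.300000 rule 0/(match) block in on em0: 203.0.113.9.51234 > 192.0.2.1.23: S 1:1(0) win 5840
Nov 04 17:20:05.300000 (tos 0x0, ttl 64, id 1, len 84)
"""

if __name__ == "__main__":
    counts = summarize(SAMPLE_PFLOG.splitlines())
    for row in report(counts):
        print(row)
    print("blocked on the way out:", blocked_out(counts))
```

In practice you would feed it 'tcpdump -n -e -ttt -i pflog0' output instead of the sample. The first line of the report for the sample is "block out on em1 by rule 0: 2 x icmp echo request", which is the forwarded echo request hitting 'block return all' on the inside interface; the accompanying "pass in on em0 by rule 2" rows show the packets were admitted and then had no rule to let them leave, matching the point about traffic having to cross both interfaces.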