low priority, pf rule set debugging

2005-12-20 Thread ed
Hello,

Just a stab in the dark, does anyone have advice/experience/suggestions
for debugging firewall problems?

Every now and then I do something which is just brain dead but takes a
while to figure out, it's usually a typo in my rule set, but just
wondering if there's any tools out there to help show where a given
packet will go through the path of the firewall... You're all probably
going to tell me this is possible already with some discipline and
pfctl -sa.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g



Unexpected "Expect timeout" in chat script (ppp -auto)

2005-12-20 Thread Andrew C
I'm running PPP 3.1 (/usr/sbin/ppp) on OpenBSD 3.7 / i386. Every now
and then, I run into a problem in which the chat script stops working
in -auto mode:

Dec 20 20:45:05 wally ppp[20296]: tun0: Physical: write
Dec 20 20:45:05 wally ppp[20296]: tun0: Physical:  41 54 44 54 36 32 33 37 30 37 31 30 32 36 0d ATDT6237071026.
Dec 20 20:45:08 wally ppp[20296]: tun0: Chat: Expect(650): CONNECT 115200
Dec 20 20:45:21 wally ppp[20296]: tun0: Chat: Expect timeout
Dec 20 20:45:21 wally ppp[20296]: tun0: Warning: Chat script failed
Dec 20 20:45:21 wally ppp[20296]: tun0: Phase: deflink: dial -> hangup

I'm using the following dial command:

 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 650 \"\" AT OK-AT-OK ATM1L1E0Q0 OK \\dATDT\\T CONNECT\\s115200"

As I understand TIMEOUT, my machine should be sitting around for up to
650 seconds before it times out. So why is it timing out in 13 seconds?

If I go to terminal mode and let the modem connect manually, the rest
of the chat script works fine.

What key fact am I missing?

Many thanks!

Andrew Jr.



Re: OpenBSD 3.8 PPPoE Broadband Connection Howto

2005-12-20 Thread Alex M.

Siju George wrote:

> Hi all,
>
> I have a new Broadband Internet connection. It uses PPPoE with a
> username and password to connect to internet.
> I can connect to Internet with Windows 2003 (easy click and configure)
> so the DSL Router is working and the username and password is correct.
> I would like to use OpenBSD 3.8 to connect to Internet with it and not
> Windows 2003.
>
> Details of my OpenBSD 3.8 system:
>
> I have two interfaces "rl0" "rl1"
>
> rl0 has the PPPoE connection and rl1 is connected to the LAN Switch.

Not entirely sure that you have to set up PPPoE for rl0. I never did
this for the interface connected to my dsl router. All I did was give
the interface an ip, set my default gateway to my router's ip, put my
isp's nameserver in /etc/resolv.conf and it just worked.
I don't know about your router but I can manage mine using a web browser.
That is, I point my web browser to my router and I set all my PPPoE
settings through that.



exit and eject should have their second letter in upper-case in cdio(1) help output

2005-12-20 Thread Andrés Delfino
Since E is an "ambiguous command", one must type either EJ or EX
to eject a cd or otherwise exit cdio, but both have an E shortcut.
That's why these two lines must be changed:

{ CMD_EJECT, "eject", 1, "" }
to:
{ CMD_EJECT, "eject", 2, "" },

{ CMD_QUIT, "exit", 1, "" },
to:
{ CMD_QUIT, "exit", 2, "" },

at http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/cdio/cdio.c

Thanks! ;)
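To make the report concrete, here is a small model of the mechanism it describes: a command table where each entry carries the shortest abbreviation it accepts, a prefix lookup over it, and the help rendering that upper-cases that prefix. This is an added example, not cdio's own code; the two tables are constructed (the report's two entries plus two unambiguous neighbours), with the `min` field at 1 in the "before" table and at the proposed 2 in the "after" table. The `misleading_shortcuts` check is the consistency test that flags exactly the situation in the report: a help line advertising a shortcut that does not resolve.

```python
# Added example (not cdio's code): a model of a cdio(1)-style command table
# with a per-entry minimum abbreviation length, the prefix lookup over it,
# and the help rendering that upper-cases the required prefix.
from dataclasses import dataclass


@dataclass(frozen=True)
class Command:
    name: str
    min_len: int  # shortest abbreviation this entry accepts


# Constructed tables: the two entries from the report plus two unambiguous
# neighbours. 'before' carries min_len 1 for both e-commands, 'after' the
# proposed 2.
COMMANDS_BEFORE = (Command("eject", 1), Command("exit", 1), Command("help", 1), Command("play", 1))
COMMANDS_AFTER = (Command("eject", 2), Command("exit", 2), Command("help", 1), Command("play", 1))


def lookup(table, word):
    """Resolve a typed word case-insensitively.
    Returns ('ok', cmd), ('ambiguous', None) or ('unknown', None)."""
    word = word.lower()
    hits = [c for c in table if len(word) >= c.min_len and c.name.startswith(word)]
    if not hits:
        return "unknown", None
    if len(hits) > 1:
        return "ambiguous", None
    return "ok", hits[0]


def help_name(cmd):
    """Render as in help output: the required prefix upper-cased, e.g. 'EJect'."""
    return cmd.name[:cmd.min_len].upper() + cmd.name[cmd.min_len:]


def misleading_shortcuts(table):
    """Names whose advertised shortcut does not resolve to them.
    This is the consistency check that would have caught the report."""
    bad = []
    for cmd in table:
        status, hit = lookup(table, cmd.name[:cmd.min_len])
        if status != "ok" or hit != cmd:
            bad.append(cmd.name)
    return bad


if __name__ == "__main__":
    for label, table in (("before", COMMANDS_BEFORE), ("after", COMMANDS_AFTER)):
        print(label, [help_name(c) for c in table], "misleading:", misleading_shortcuts(table))
        for typed in ("e", "ej", "ex"):
            print("  ", typed, "->", lookup(table, typed))
```

With the "before" table, help prints `Eject` and `Exit` while `e` resolves to "ambiguous"; raising both minimums to 2 makes help print `EJect` and `EXit`, which is what the user actually has to type.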



OBSD indirect call

2005-12-20 Thread Gustavo Rios
Hey folks,

I wonder if OpenBSD allows for RPC Indirect (RPC_PROC_CALLIT) call
messages to be received by means of TCP too, or is it only by UDP?

Thanks for your time and cooperation.

best regards.



Re: isakmpd does not enter phase 2

2005-12-20 Thread Tamas TEVESZ
On Tue, 20 Dec 2005, Matthew Closson wrote:

matt, all,

[Remote-peer-quick-mode]
EXCHANGE_TYPE=  QUICK_MODE
Transforms= QM-ESP-3DES-SHA-SUITE

notice the typo (s/Transforms/Suites/ for correct operation) that only
became obvious after a healthy dose of sleep.

thanks anyway.


-- 
[-]

mkdir /nonexistent



Re: BGPD on FreeBSD

2005-12-20 Thread Claudio Jeker
On Tue, Dec 20, 2005 at 03:53:45PM +0100, Reto Burkhalter wrote:
> Hi list
> 
> May be a little bit OT - but are there any users with experiences
> in using OpenBGPD on FreeBSD? I have some strange problems here.
> 

Are you using the FreeBSD port or did you patch OpenBGPD yourself?

> Setup is OpenBGPD 3.7 on FreeBSD 6-RELEASE. Just a basic config
> with one transit and one iBGP session with some standard filters
> (check prefixlen and rfc1918 networks) works fine. But as soon as
> we add more peers and filters, the bgpd daemon dies "regularly" with
> different messages:
> 

Could you try a more current version of OpenBGPD? You have to pull it out
of the CVS or I can make you a tarball.

> E.g.
> fatal in RDE: nexthop_cmp: unknown af
> dispatch_imsg in main: pipe closed
> 
> -> This should not happen (the code could not compare either
> Inet4 or Inet6)?!?
> 

I think it is/was a bug hidden somewhere else and the af did not get
initialized.

> We also have entries in /var/log/messages like these: "exited on signal
> 6"
> 

Hmm. bgpd does not call abort so that is coming from somewhere else
(malloc?).

> I can provide more information (config file, etc.) if needed.
> 

I would like to get the config file, then I can have a look at it.

-- 
:wq Claudio



Re: OpenBSD 3.8 PPPoE Broadband Connection Howto

2005-12-20 Thread J.C. Roberts
On Wed, 21 Dec 2005 02:54:23 +0530, Siju George <[EMAIL PROTECTED]>
wrote:

>I have a new Broadband Internet connection. It uses PPPoE with a
>username and password to connect to internet.

Hi Siju,

You left out a few important details about the service package from your
provider. PPPoE is a cheap way for providers to prevent people from
stealing service (i.e. hooking up their own DSL gear to an
abandoned/unused line).

I've seen PPPoE used in service packages with a dynamic IP and service
packages with a static IP (or a small block of static IPs).

At times the service provider will be using DHCP to configure the
external interface (often based in the DSL modem/router itself) and
other times, they don't offer DHCP and you're expected to configure the
interface yourself.

Details of the exact kind of service package you have from your provider
and occasionally info on the DSL hardware you're using are needed to
figure out how things should be set up on your end.

Kind Regards,
JCR



Re: OpenBSD related wallpaper

2005-12-20 Thread ed
On Sun, 18 Dec 2005 23:50:02 -0800 (PST)
Viktor Berke <[EMAIL PROTECTED]> wrote:

> I've found some nice wallpapers here:
> 
> http://www.bsdnexus.com/wallpapers.htm

Hummm it promotes bad code:

http://www.bsdnexus.com/wallpapers/carry_code_single.jpg

Should never allocate memory within the function. At worst, pass the
pointer to need_coffee and free the pointer after need_coffee returns. I
suppose some might say it's possible to do that anyway, but it's just bad
practice.

-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g



Re: OpenBSD 3.8 PPPoE Broadband Connection Howto

2005-12-20 Thread Jason McIntyre
On Wed, Dec 21, 2005 at 02:54:23AM +0530, Siju George wrote:
> 
> I have two interfaces "rl0" "rl1"
> 
> rl0 has the PPPoE connection and rl1 is connected to the LAN Switch.
> 
> # ifconfig -a
> lo0: flags=8049 mtu 33224
> groups: lo
> inet 127.0.0.1 netmask 0xff00
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
> rl0: flags=8843 mtu 1500
> lladdr 00:50:fc:7d:4e:50
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet6 fe80::250:fcff:fe7d:4e50%rl0 prefixlen 64 scopeid 0x1
> rl1: flags=8843 mtu 1500
> lladdr 00:08:a1:7b:bf:52
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 172.17.1.1 netmask 0xfff0 broadcast 172.31.255.255
> inet6 fe80::208:a1ff:fe7b:bf52%rl1 prefixlen 64 scopeid 0x2
> pflog0: flags=141 mtu 33224
> pfsync0: flags=0<> mtu 1348
> enc0: flags=0<> mtu 1536
> pppoe0: flags=a851 mtu 1492
> dev: rl0 state: session
> sid: 0x10f1 PADI retries: 1 PADR retries: 0 time: 00:00:06
> groups: pppoe egress
> inet 0.0.0.0 --> 0.0.0.1 netmask 0x
> inet6 fe80::250:fcff:fe7d:4e50%pppoe0 ->  prefixlen 64 scopeid 0x7
> 
> # cat /etc/sysctl.conf |grep inet.ip.forwarding
> net.inet.ip.forwarding=1# 1=Permit forwarding (routing) of packets
> #
> # cat /etc/mygate
> cat: /etc/mygate: No such file or directory
> #
> # cat /etc/hostname.rl0
> up

you don't need this file, since hostname.pppoe0 effectively brings the
interface up

> #
> # cat /etc/hostname.rl1
> inet 172.17.1.1 255.240.0.0 NONE
> #
> # cat /etc/hostname.pppoe0
> pppoedev rl0
> !/sbin/ifconfig rl0 up
> !/usr/sbin/spppcontrol \$if myauthproto=pap [EMAIL PROTECTED]
> myauthkey=zz
> !/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
> !/sbin/route add default 0.0.0.1
> link1 up

are you cut'n'paste here? that is not helpful...

- the spppcontrol line should all be on one line: you need a `\' otherwise
- try `link1 up' -> `up'

to debug this - try following the steps in ppp(8). it is easy to set up
and debug. it might show some info you are missing.

jmc



Re: src.tar.gz and sys.tar.gz in snapshots?

2005-12-20 Thread Nick Holland
On Tue, Dec 20, 2005 at 09:36:05PM +0100, Andreas Bihlmaier wrote:
> On Tue, Dec 20, 2005 at 07:10:02PM +0100, Raul Aldaz wrote:
> > On Tue, 20 Dec 2005 18:59:35 +0100, Raul Aldaz wrote
> > > Hi,
> > > 
> > > Why are not provided the corresponding source files? a resource limit I
> > > suppose...
> > 
> > I've found the reasons in the archives, sorry for the noise!
> 
> A link to your findings would be very helpful since I couldn't find it!
> 
> I was wondering about this for a long while as well because the ftp
> mirror I'm using has them for every snapshot
> ftp://ftp.freenet.de/pub/ftp.openbsd.org/pub/OpenBSD/
 
huh?  That mirror doesn't seem to be updating at all.  There's nothing
there that's been updated since 3.8 release.

They most certainly do not have source files for every snapshot.

> As stated sorry for making noise, but I guess I'm using the wrong key
> words (on marc.)

http://www.openbsd.org/faq/faq5.html
first article.


Nick.



OpenBSD 3.8 PPPoE Broadband Connection Howto

2005-12-20 Thread Siju George
Hi all,

I have a new Broadband Internet connection. It uses PPPoE with a
username and password to connect to internet.
I can connect to Internet with Windows 2003 (easy click and configure)
so the DSL Router is working and the username and password is correct.
I would like to use OpenBSD 3.8 to connect to Internet with it and not
Windows 2003.

I read the man pages and FAQ and did accordingly ( I suppose ) and it
is not working. Could someone please point out what I could
have done wrong?

Details of my OpenBSD 3.8 system:

I have two interfaces "rl0" "rl1"

rl0 has the PPPoE connection and rl1 is connected to the LAN Switch.

# ifconfig -a
lo0: flags=8049 mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
rl0: flags=8843 mtu 1500
lladdr 00:50:fc:7d:4e:50
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::250:fcff:fe7d:4e50%rl0 prefixlen 64 scopeid 0x1
rl1: flags=8843 mtu 1500
lladdr 00:08:a1:7b:bf:52
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.17.1.1 netmask 0xfff0 broadcast 172.31.255.255
inet6 fe80::208:a1ff:fe7b:bf52%rl1 prefixlen 64 scopeid 0x2
pflog0: flags=141 mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
pppoe0: flags=a851 mtu 1492
dev: rl0 state: session
sid: 0x10f1 PADI retries: 1 PADR retries: 0 time: 00:00:06
groups: pppoe egress
inet 0.0.0.0 --> 0.0.0.1 netmask 0x
inet6 fe80::250:fcff:fe7d:4e50%pppoe0 ->  prefixlen 64 scopeid 0x7

# cat /etc/sysctl.conf |grep inet.ip.forwarding
net.inet.ip.forwarding=1# 1=Permit forwarding (routing) of packets
#
# cat /etc/mygate
cat: /etc/mygate: No such file or directory
#
# cat /etc/hostname.rl0
up
#
# cat /etc/hostname.rl1
inet 172.17.1.1 255.240.0.0 NONE
#
# cat /etc/hostname.pppoe0
pppoedev rl0
!/sbin/ifconfig rl0 up
!/usr/sbin/spppcontrol \$if myauthproto=pap [EMAIL PROTECTED]
myauthkey=zz
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
!/sbin/route add default 0.0.0.1
link1 up
#
# cat /etc/pf.conf
pass all
#

The route show command hangs for a long time :-(

# route flush
default  0.0.0.1  done
loopback localhostdone
172.16.1.0   00:11:95:c0:c7:33done
BASE-ADDRESS.MCAST.N localhostdone
::/128   localhost.broadband. done
::/128   localhost.broadband. done
::127.0.0.0/128  localhost.broadband. done
::224.0.0.0/128  localhost.broadband. done
::255.0.0.0/128  localhost.broadband. done
:::0.0.0.0/128   localhost.broadband. done
2002::/128   localhost.broadband. done
2002:7f00::/128  localhost.broadband. done
2002:e000::/128  localhost.broadband. done
2002:ff00::/128  localhost.broadband. done
fe80::/128   localhost.broadband. done
fe80::250:fcff:fe7d: 00:50:fc:7d:4e:50done
fe80::208:a1ff:fe7b: 00:08:a1:7b:bf:52done
fe80::1%lo0  link#6   done
fe80::250:fcff:fe7d: link#7   done
fec0::/128   localhost.broadband. done
#
# sh /etc/netstart
spppcontrol: SIOCSIFGENERIC(SPPPIOSDEFS): Device busy
add net default: gateway 0.0.0.1
#

What could be the problem?

How do I debug this?

Thank you so much :-)

kind regards

Siju



Re: Hardware RNG speed

2005-12-20 Thread Jack Bates
> Hello to the list,
>
> ...I set up OpenBSD on a board with a (Soekris) Hifn 7955
> accelerator card, but the rate I'm getting by reading out of /dev/srandom
> is pretty low (200B/s).

I am happily using VIA C3s for a project that requires high-quality
entropy.  In the industry I'm involved in, hardware random is de rigueur.
The VIA C3, using /dev/srandom, gives me somewhere right around 6KB/s.  I
was hoping for a higher rate, but we just ended up using multiple machines
as a network random-number service (also yields fault-tolerance).

In doing reading (but not of the actual code), I remember having the
distinct impression that /dev/srandom uses MD5 to "cook" the actual stream
generated by the C3's on-die HRNG.  You have to figure that it is
compressing the stream.  You may wish to look closely at the device driver
code.  There is quite a bit of very good data about the C3's HRNG
available via google.  One analysis of this HRNG made it clear that
"cooking" may be redundant, given the right settings in the driver.  I
made the decision that the developers know what they're up to and left it
at that.

Hope this is helpful.

-- 
Jack Bates
Venice, CA, USA
I play Texas Hold'Em at http://www.fulltiltpoker.com



Re: src.tar.gz and sys.tar.gz in snapshots?

2005-12-20 Thread Andreas Bihlmaier
On Tue, Dec 20, 2005 at 07:10:02PM +0100, Raul Aldaz wrote:
> On Tue, 20 Dec 2005 18:59:35 +0100, Raul Aldaz wrote
> > Hi,
> > 
> > Why are not provided the corresponding source files? a resource limit I
> > suppose...
> 
> I've found the reasons in the archives, sorry for the noise!

A link to your findings would be very helpful since I couldn't find it!

I was wondering about this for a long while as well because the ftp
mirror I'm using has them for every snapshot
ftp://ftp.freenet.de/pub/ftp.openbsd.org/pub/OpenBSD/

As stated sorry for making noise, but I guess I'm using the wrong key
words (on marc.)

Regards,
ahb



Re: OpenBSD 3.8 and slapd 2.0.27

2005-12-20 Thread Daniel Ouellet

Bryan Irvine wrote:

> On 12/20/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> Hi all,
>>
>> I am learning to install and configure slapd on OpenBSD 3.8. Followed the
>> installation howto
>> (http://www.openbsdsupport.org/qmail-ldap-OpenBSD.html#2.0)
>> but here is what I get when I run slapd -d -1
>>
>> line 10 (include/etc/openldap/schema/krb5-kdc.schema)
>> could not open config file "/etc/openldap/schema/krb5-kdc.schema": No such
>> file or directory (2)
>> slapd shutdown: freeing system resources.
>> slapd stopped.
>>
>> Hmm, apparently "krb5-kdc.schema" is not present in my system.
>>
>> How can this be? What should I install? Any pointers?
>
> From TFA:
> "This document is written for users of OpenBSD 3.3..."
>
> I think you will just get yourself into trouble following that.

Bryan is 150% right and it is identified on the main page as well as
inside the document.


Main page:
Installing and Configuring qmail-ldap (OpenBSD 3.3)

Inside the doc:
"This document is written for users of OpenBSD 3.3 and all commands and 
syntax used below are specific to this OS and version."


So, use it just as an idea ONLY or maybe as a starting point, but not as a
"do this and it will work"; please be wise about it! And if that creates
more problems than help, I will remove it from there. I am actually
seriously considering it!


To indicate this fact even more, I actually just put a warning in RED
on the site for what's out of date now, as OpenBSD does with
old releases that are not supported anymore! So, anything that is not 3.7 or 3.8
is now marked in red.


What's there is to try to help a bit, but don't just copy and paste, and
most important, please do not make noise on misc@ for a document that
gives you errors. Make the corrections and send them in; if they work for
you with good results and someone on the list asks the same question,
then you can refer them to the document you used before, but please
don't do the following:


" I followed the installation howto on openbsdsupport.org"

and then complain on misc@ that it didn't work for you! Please DON'T!

That's not the reason for the site to exist; it is surely not there to add more noise on
misc@, but maybe to reduce it if possible, and to give you an idea.


Also, please follow the "NOTE" there on the left that reads as follows:

"Note: The content published here in no way implies that the OpenBSD 
project or any member of the OpenBSD team sanctions or approves of such 
use. Do not complain to them if you find anything obsolete here. If you 
do find it unusable, inexact, obsolete or simply bad, then your help 
would be welcome to make it better. Send in your new document."


So, now you know what to do right?

Daniel



Re: OpenBSD 3.8 and slapd 2.0.27

2005-12-20 Thread Bryan Irvine
On 12/20/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I am learning to install and configure slapd on OpenBSD 3.8. Followed the
> installation howto
> (http://www.openbsdsupport.org/qmail-ldap-OpenBSD.html#2.0)
> but here is what I get when I run slapd -d -1
>
> 
> line 10 (include/etc/openldap/schema/krb5-kdc.schema)
> could not open config file "/etc/openldap/schema/krb5-kdc.schema": No such
> file or directory (2)
> slapd shutdown: freeing system resources.
> slapd stopped.
>
> Hmm, apparently "krb5-kdc.schema" is not present in my system.
>
> How can this be? What should I install? Any pointers?

From TFA:
"This document is written for users of OpenBSD 3.3..."

I think you will just get yourself into trouble following that.



Re: ruby on rails derailed, chroot httpd reported DOA

2005-12-20 Thread Zachery Hostens
id almost guarantee this has to do with chrooting.  i havent touched fastcgi 
with rails in a long time :x  but id imagine its set to look in 
'/var/www/users/...' where in fact it would want to look for '/users/...'.

personally id recommend looking at scgi, and its apache module.  thats what i 
use on openbsd 3.8 (with apache chrooted) and it works seamlessly.  as well 
from what ive read gives you a performance boost and more control over whats 
going on, and statistics.

- Zac

On Sun, 18 Dec 2005 12:33:22 +0100, Rogier Krieger <[EMAIL PROTECTED]> wrote:
> On 12/18/05, Michael Steinfeld <[EMAIL PROTECTED]> wrote:
>> any ideas?
> 
> You're probably dealing with FAQ item #10.16: dealing with Apache's
> chroot()
> http://www.openbsd.org/faq/faq10.html#httpdchroot
> 
>> "/var/www/users/mike/rails/public/dispatch.fcgi" (pid 9195), chdir()
>> failed: No such file or directory
> 
> As the errors reported deal with a directory not found, try running
> without a chroot first. If that works, adjust your paths so that they
> are located while running chroot'ed.
> 
> Hope that helps,
> 
> Rogier



pflog and ftp

2005-12-20 Thread Sizov Alexander
Hi!

I have OpenBSD 3.8 + vsftpd (from ports) + pf on my box.
pf rules:
table  persist file "/etc/rusip"
block in from any to xx.xxx.xx.xxx
pass in from  to xx.xxx.xx.xxx
pass in from yy.yy.yyy.yy to xx.xxx.xx.xxx
where xx.xxx.xx.xxx - server's ip.
When I try to exec 'tcpdump -n -e -ttt -i pflog0', all ftp
connections are dropped and new connections are blocked.

-- 

 Sizov  mailto:[EMAIL PROTECTED]
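Ed's question earlier in this digest (which rule a given packet ends up hitting) and Sizov's rule set above share the same debugging need, so here is one added example that serves both: a small model of pf's rule walk that records every rule a packet matches and which one decides its fate. This is not pf's code and not pfctl output. It understands only the subset of syntax used in the thread (`pass`/`block`, `in`/`out`, `quick`, `proto`, `from`/`to`, `port`, `<table>`), applies pf's last-matching-rule semantics with `quick` ending the walk, and passes anything no rule matches, which is pf's default. The rule set, the table name `<allowed>`, the table contents, the `quick` line and the RFC 5737 documentation addresses are all constructed for the example; Sizov's table name and addresses are not on the page in full.

```python
# Added example (not pf or pfctl code): a model of pf's rule walk over a small
# syntax subset, so a packet can be traced through a rule set offline.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+(?P<quick>quick))?"
    r"(?:\s+proto\s+(?P<proto>\w+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?$"
)


@dataclass
class Rule:
    text: str
    action: str
    direction: Optional[str]
    quick: bool
    proto: Optional[str]
    src: str
    dst: str
    port: Optional[int]


def parse_rules(text):
    """Parse the supported rule subset; 'table' lines are skipped (contents come from a dict)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("table"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(line, m["action"], m["dir"], bool(m["quick"]), m["proto"],
                          m["src"], m["dst"], int(m["port"]) if m["port"] else None))
    return rules


def addr_matches(spec, addr, tables):
    """True if addr is covered by spec: 'any', a host, a CIDR prefix, or a <table>."""
    if spec == "any":
        return True
    if spec.startswith("<") and spec.endswith(">"):
        nets = tables.get(spec[1:-1], ())
    else:
        nets = (spec,)
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(rules, pkt, tables):
    """Walk the rules like pf: record every match; the last match wins unless a
    matching rule is 'quick', which ends the walk. No match at all means pass."""
    trace = []
    decision = ("pass", None)
    for idx, r in enumerate(rules):
        if r.direction and r.direction != pkt["dir"]:
            continue
        if r.proto and r.proto != pkt["proto"]:
            continue
        if r.port is not None and r.port != pkt["dport"]:
            continue
        if not (addr_matches(r.src, pkt["src"], tables) and addr_matches(r.dst, pkt["dst"], tables)):
            continue
        trace.append(idx)
        decision = (r.action, idx)
        if r.quick:
            break
    return decision, trace


# Constructed rule set in the shape of the one in the thread. The table name,
# its contents, the quick rule and the RFC 5737 addresses are made up here.
RULESET = """\
table <allowed> persist file "/etc/rusip"
block in quick from 10.0.0.0/8 to any
block in from any to 192.0.2.10
pass in from <allowed> to 192.0.2.10
pass in from 198.51.100.7 to 192.0.2.10
"""
TABLES = {"allowed": ["203.0.113.0/24"]}
RULES = parse_rules(RULESET)


def explain(src, dst="192.0.2.10", direction="in", proto="tcp", dport=21):
    """One-line trace of the rule walk for a packet from src to dst."""
    pkt = {"dir": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}
    (action, idx), trace = evaluate(RULES, pkt, TABLES)
    path = " -> ".join(f"#{i}" for i in trace) or "no match"
    by = f"rule #{idx}: {RULES[idx].text}" if idx is not None else "default (no rule matched)"
    return f"{src} -> {dst}: {path}; {action} by {by}"


if __name__ == "__main__":
    for s in ("203.0.113.5", "198.51.100.7", "172.16.0.9", "10.0.0.1"):
        print(explain(s))
```

The trace is the part worth having when a rule set misbehaves: a packet from the table passes because rule #2 matched after the block in rule #1, while a packet from an address in neither the table nor the explicit pass rule is blocked by rule #1 alone. On a real box the equivalent information comes from `pfctl -sr` (rule numbers) combined with the rule number shown in pflog output.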



Re: src.tar.gz and sys.tar.gz in snapshots?

2005-12-20 Thread Raul Aldaz
On Tue, 20 Dec 2005 18:59:35 +0100, Raul Aldaz wrote
> Hi,
> 
> Why are not provided the corresponding source files? a resource limit I
> suppose...

I've found the reasons in the archives, sorry for the noise!




"This e-mail and the information contained in it are confidential and
 subject to professional secrecy, being addressed exclusively to the
 recipient named in the header, whose details form part of a file for which
 GRUPO CARRERAS is responsible and whose purpose is to contact the data
 subject by e-mail. We inform you that you have rights of access,
 rectification and cancellation, which you may exercise by sending an
 e-mail to the following address: [EMAIL PROTECTED]
 If the receiver of this communication is not the intended recipient, we
 inform you that any disclosure, copying, distribution or unauthorized use
 of the information contained in it is prohibited by current legislation."

http://www.grupocarreras.com




src.tar.gz and sys.tar.gz in snapshots?

2005-12-20 Thread Raul Aldaz
Hi,

Why are not provided the corresponding source files? a resource limit I
suppose...




Re: cruft?

2005-12-20 Thread J.C. Roberts
On Tue, 20 Dec 2005 18:28:27 +0100 (CET), Tamas TEVESZ <[EMAIL PROTECTED]> 
wrote:

>On Tue, 20 Dec 2005, J.C. Roberts wrote:
>
> > I hit a panic while doing make build on the Alpha PSW-433. My uneducated 
> > guess
>
>http://marc.theaimsgroup.com/?t=11082572061&r=1&w=2

Thanks Tamas!

jcr



Re: pf and two ADSL links

2005-12-20 Thread Craig Skinner
On Tue, Dec 20, 2005 at 04:05:31PM +, Stuart Henderson wrote:
> 
> Have you looked at the lists of LLU exchanges recently? It's not so 
> minor any more.
> 

I think Oftel are pushing through the anti-competitive legislation
against the BT monopoly.



Re: cruft?

2005-12-20 Thread Tamas TEVESZ
On Tue, 20 Dec 2005, J.C. Roberts wrote:

 > I hit a panic while doing make build on the Alpha PSW-433. My uneducated 
 > guess

http://marc.theaimsgroup.com/?t=11082572061&r=1&w=2


-- 
[-]

mkdir /nonexistent



cruft?

2005-12-20 Thread J.C. Roberts
I hit a panic while doing make build on the Alpha PSW-433. My uneducated guess
is that I somehow managed to leave cruft in my -STABLE tree when I moved it over
from an i386 box. I did all the expected cleaning (make clean and rm -rf
/usr/obj/*) and I tried to repeat the problem a second time while running over
serial (to save myself from typing all the ps and trace output again) but on
the second try, make build worked perfectly.

The only thing I can think of doing is running make build a few more times and
see what shows up but that's a less than scientific approach. I want to know if
I'm dealing with flaky hardware or if I managed to cruft myself. -Is there an
easy way to identify cruft problems? 

Output for trace, ps and dmesg.boot are below.

Thanks,
JCR


cc -O2 -pipe -I/usr/src/lib/libmenu -I/usr/src/lib/libmenu/../libcurses
-DHAVE_CONFIG_H  -c /usr/src/lib/libmenu/m_win.c -o m_win.o
panic:trap
Stopped at Debugger+0x4:retzero,(ra)
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DON NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> ps
   PID   PPID   PGRP  UID  S       FLAGS  WAIT       COMMAND
*10545   4275   5535    0  3      0x4006  biowait    ld
  4275  27989   5535    0  3      0x4086  wait       make
 27989   1274   5535    0  3        0x86  pause      sh
  1274  26109   5535    0  3      0x4086  pause      sh
 26109   5607   5535    0  3      0x4086  wait       make
  5607    227   5535    0  3      0x4086  pause      sh
   227      1    227    0  3      0x4086  wait       ksh
 20897      1  20897    0  3        0x84  select     cron
 19219      1  19219    0  3     0x40184  select     sendmail
 24576      1  24576    0  3        0x84  select     sshd
 29076      1  29076    0  3       0x184  select     inetd
 12040  11304  11304   73  3       0x184  poll       syslogd
 11304      1  11304    0  3        0x84  netio      syslogd
     8      0      0    0  3    0x100204  crypto_wa  crypto
     7      0      0    0  3    0x100204  aiodoned   aiodoned
     6      0      0    0  2    0x100204             update
     5      0      0    0  3    0x100204  cleaner    cleaner
     4      0      0    0  3    0x100204  reaper     reaper
     3      0      0    0  3    0x100204  pgdaemon   pgdaemon
     2      0      0    0  3    0x100204  pftm       pfpurge
     1      0      1    0  3      0x4084  wait       init
     0     -1      0    0  3     0x80204  scheduler  swapper
ddb> trace
Debugger(6, fc787758, 2d, 0, 2, fc8248a8) at Debugger+0x4
panic(fc766e74, 1, 1, 2, fe001226b7c0, fc827a70) at
panic+0x130
trap(?, ?, 1, 2, fe001226b7c0, fc827a70) at trap+0x51c
XentMM(?, ?, 1, 2, ?, fe001226b7c0) at XentMM+0x20
pmap_activate(?, ?, fc7064ed, 0, 0, fc827a70) at
pmap_activate+0xdc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70) at cpu_switch+0xfc
cpu_switch(?, ?, fc7064ed, 0, 0, fc827a70

Re: Hardware RNG speed

2005-12-20 Thread J.C. Roberts
On Tue, 20 Dec 2005 00:52:13 -0500 (EST), Michael Alexander Hamburg
<[EMAIL PROTECTED]> wrote:

>On Mon, 19 Dec 2005, Theo de Raadt wrote:
>
>> Until you can justify actual real scientific reasons why you cannot
>> use it, I think you should use arc4random().
>>
>> And I am entirely serious.  The entire idea in OpenBSD is to have many
>> consumers, as this strengthens the source.
>
>Thanks for your comments, but I will attempt to justify why I cannot use
>arc4random() or /dev/arandom.
>
>I'm working on Professor Rabin's HyperEncryption project.  The goal is to
>create a system for distributing random numbers to form one-time pads such
>that even an adversary who can break whatever crypto you happen to have
>devised is stopped by other limitations, such as limited storage or
>limited access to your data lines (that is, you have several links and the
>adversary can monitor some but not all of them).  The idea is to offer a
>system which is cheaper and more flexible than quantum cryptography, but
>almost as secure (i.e. perfectly, information-theoretically secure with
>very high probability in the ideal case, requiring more assumptions for
>this ideal case than quantum cryptography, but not requiring a short,
>private, dedicated fiber-optic line and $50k worth of hardware on either
>end).  Obviously, within these design goals, truly random numbers are
>necessary, because a computationally unbounded opponent can break
>arc4random().  Such an adversary can break other things, too, so we'll
>have to do a whole bunch of other things (turning off SYN cookies comes to
>mind), but the random numbers are a more immediate design parameter.
>
>Now, the project isn't in production or anything yet; we have some
>prototypes and are exploring their design spaces, but a very important
>parameter is the cost and data rate of commercially available high-quality
>random number generators, and their software support under various
>operating systems.  Under a limited-access model, the rate is not too
>important (while it adds to the amount of data that can be transmitted and
>marginally to its security, it is not essential that the data rate be very
>high), but 200B/s is still probably too slow.
>
>An important security and maintenance feature of this system will be
>whether it can be engineered cleanly.  OpenBSD is considered a relatively
>secure OS, has a wide variety of hardware random number generator support,
>and perhaps most importantly is relatively easy to configure minimally on
>embedded hardware.  So, we're very interested in supporting it,
>particularly on embedded hardware, but we need to know what kind of random
>number generators work on it at an acceptable rate.  It looks like this
>will probably mean the VIA C3 or C7, but we'd like to give Hifn cards a
>shot.  Also, given the terrible performance of the Hifn card, it's not
>clear that even the VIA C7 would be faster or whether the drivers are the
>rate-limiting step, which is why I'm asking for clarification here.  I
>could, of course, write a VIA-specific user-mode RNG driver because their
>chips allow that. This is a strong draw to VIA, but OS support would be
>preferable.
>
>@Jason Crawford, we have considered and even prototyped sound-card-based
>solutions (mostly involving running a simple radio noise source into the
>microphone port, which is likely to have less pure-tone noise than your
>suggestion), and while they aren't out of the running yet they have two
>important problems.  First, it will be more difficult to determine whether
>the output of this system is sufficiently random.  We can run FIPS tests
>in real time at the rates we're dealing with, but the audio system will
>almost certainly not pass this or even come close.  Massaging the data
>into a form which is both "white" and sufficiently simple that a breakdown
>will be detected is rather difficult.  On the other hand, most hardware
>RNGs create noise with only very local biases (in raw mode) which should
>be easier to filter out without hiding breakages.  Second, most embedded
>boards do not have sound cards, and almost none have microphones.
>
>Thanks a lot,
>Mike Hamburg

Michael,

The best thing you can do is call HiFn and discuss your design
requirements with them rather than trying to guess what the
throughput/rate is for their products. The guy you want to talk to is
probably Russell Dietz (RDietzhifn.com) VP of Engineering (cc'd). I
once met him for lunch to discuss opening up documentation.

Though HiFn doesn't quite understand the importance of making their docs
freely available without EULAs and legal click-through hoops so OpenBSD
and other open source projects can properly develop drivers, nonetheless,
the folks working at HiFn are still very nice people.

Kind Regards,
JCR



Re: pf and two ADSL links

2005-12-20 Thread Stuart Henderson

--On 20 December 2005 14:32 +, Craig Skinner wrote:


> On Tue, Dec 20, 2005 at 02:40:28AM +, pedro la peu wrote:
> 
> > all UK ADSL is operated by them, with the minor exception of LLU.
> 
> What?
> 
> > AFAIK there is only one UK operator unbundling for ADSL, in some
> > southern exchanges (eg London & there abouts).
> 
> What?
> 
> 
> I can see from whois that you have some connection with the UK, as do
> some of the other posters on this thread.
> 
> Therefore, if you don't know what LLU and unbundling are, I can only
> assume that you are a dialup windows user who is posting on the wrong
> mailing list.


Have you looked at the lists of LLU exchanges recently? It's not so 
minor any more.




BGPD on FreeBSD

2005-12-20 Thread Reto Burkhalter
Hi list

Maybe a little bit OT - but are there any users with experiences
in using OpenBGPD on FreeBSD? I have some strange problems here.

Setup is OpenBGPD 3.7 on FreeBSD 6-RELEASE. Just a basic config
with one transit and one iBGP session with some standard filters
(check prefixlen and rfc1918 networks) works fine. But as soon as
we add more peers and filters, the bgpd daemon dies "regularly" with
different messages:

E.g.
fatal in RDE: nexthop_cmp: unknown af
dispatch_imsg in main: pipe closed

-> This should not happen (the code could not compare either
Inet4 or Inet6)?!?

We also have entries in /var/log/messages like these: "exited on signal 6"

I can provide more information (config file, etc.) if needed.


Please contact me directly if this topic does not fit into this list.

Regards,
Reto



Re: pf and two ADSL links

2005-12-20 Thread Craig Skinner
On Tue, Dec 20, 2005 at 02:40:28AM +, pedro la peu wrote:
> > all UK ADSL is operated by them, with the minor exception of LLU.
> 
> What?
> 
> > AFAIK there is only one UK operator unbundling for ADSL, in some southern
> > exchanges (eg London & there abouts).
> 
> What?
> 

I can see from whois that you have some connection with the UK, as do some of
the other posters on this thread.

Therefore, if you don't know what LLU and unbundling are, I can only
assume that you are a dialup windows user who is posting on the wrong
mailing list.

> > I've seen it often enough where [...] a JCB has dug through the footpath and 
> > taken the lot out
> 
> There are cheap enough alternatives.
> 
> > Look to different media altogether for HA.
> 
> Don't exclude the cheap, predictable thing right under your nose.
> 
> > This is all fine for messing about at home or in a small style, no SLA
> > business.
> 
> It's better than you think.

Ignorance is bliss, until the shit hits the fan.

> 
> > When an ADSL is faulted to BT via eCo once a fault has been detected
> > through Woosh, the GPMS case will sit in the diagnostics queue for 48
> > hours before it is even looked at. Then resolution will typically
> > take another 3-5 days.
> 
> BS. Shame on you.

I work for an ISP, you obviously are just a user.



Re: MN-520 802.11b wireless PCMCIA card not found in -CURRENT on AMD Sempron?

2005-12-20 Thread C. Bensend
> The CardBus slot can not be used as interrupt routing is busted
> in ways not apparent without documentation.

...

> Depends if you can find documentation on the ATI chipset the
> laptop is based on...

Doh.  I figured it was going to be something like that.  I'll do
some searching, but if you've already tried, I'm not too optimistic.

Thanks for the explanation, Jonathan.

Benny


-- 
"As a general rule, don't solve puzzles that open portals
to Hell."   - Unknown



Re: pfsync/carp via 2 ISP's

2005-12-20 Thread eneville (sent by Nabble.com)
Stoyan Genov wrote: 
> 
> Joachim Schipper wrote:
>> On Tue, Nov 29, 2005 at 10:31:03AM +0100, David Coppa wrote:
>> 
>>>On 11/29/05, Joachim Schipper  wrote:
>>>
>>>
Why don't you just put a switch in front of the two firewalls, and then
do CARP (for firewall failover) plus some smart routing tricks (for ISP
failover - search the archives, I forgot the proper keywords)?
>>>
>>>pf route-to?
>> 
>> 
>> Hmm, wouldn't that require some additional scripting? Would work,
>> though...
>> 
> 
> We have this running for several months. Setup is the following
> (sorry, no time for ascii art):
> 
> *) 2 x obsd37/i386 boxes, 4 NICs each
> *) each box connects to both ISPs
> *) each box connects to internal LAN
> *) the two boxes are interconnected for pfsync purposes
> with a dedicated crossover ethernet cable
> *) CARPed on "the inside" is the LAN gateway IP address
> *) CARPed on "the outside" are IPs for a couple of pub services
> *) each box has its own IP on the inside and the outside
> (so, 4 IPs used on the "outside" -- each ISP, each box)
> *) pf.conf on both boxes is identical; they differ in the
> default route (master box defaults through "master" ISP,
> backup box defaults through backup ISP (we want to use
> also the backup ISP through the backup box when everything
> is OK)
> *) upon becoming a master, a box would change its gateway
> through the master ISP, plus starting a couple of services
> *) upon becoming a backup, a box would change its gateway
> through the backup ISP, plus stopping a couple of services
> *) upon unavailability of its default ISP (cron+ping checks)
> each box would change default gateway to the other ISP
> 
> An over-simplified pf.conf would look roughly like this:
> 
> "
> # nat on both interfaces; default route will "choose" which exactly
> nat on $if_isp1 from $net_int to $net_int_not -> $if_isp1:0
> nat on $if_isp2 from $net_int to $net_int_not -> $if_isp2:0
> 
> block log all
> 
> pass proto carp all
> pass on $if_loc all
> 
> pass in on $if_int from $net_int to any
> pass out on $if_int from any to $net_int
> 
> # pass from my IPs to everywhere rules
> # left as an exercise for the reader
> 
> pass on $if_pfsync proto $pfsync_protos from $pfsync_peers \
> to $pfsync_peers
> 
> # NO KEEP STATE HERE
> pass on $if_isp1 proto $pub_serv_proto from any to $pub_serv_IP_on_isp1
> pass on $if_isp2 proto $pub_serv_proto from any to $pub_serv_IP_on_isp2
> # also, pub IPs are CARPed
> 
> # KEEP THE STATE HERE
> # FOR PUB SERVICE, IT'S THE *RESPONSE* THAT CREATES A STATE
> pass out route-to ($if_isp1 $gw_isp1) from $net_isp1 to $net_isp1_not \
>   modulate state
> pass out route-to ($if_isp2 $gw_isp2) from $net_isp2 to $net_isp2_not \
>   modulate state
> "
> 
> I probably forgot some minor but important details.
> 
> I wish I could get an AS and use BGP to route through both ISPs.
> 
> Best Regards,
> Stoyan Genov
> 
> 
> 

I am having some problems with a similar setup based on 
http://www.monkey.org/openbsd/archive/misc/0409/msg02994.html, but with CARP 
layers in front of the int/ext interfaces.

Have you tried using packet tagging and decided it would not work?
--
Sent from the openbsd user - misc forum at Nabble.com:
http://www.nabble.com/pfsync-carp-via-2-ISP%27s-t632647.html#a2027119
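A cron-driven check of the kind Stoyan describes ("upon unavailability of its default ISP (cron+ping checks) each box would change default gateway to the other ISP"), written here as an added example rather than taken from his setup. The gateway and probe addresses, the CARP interface name and the script path are placeholders; the decision logic sits in its own function so it can be exercised without touching the network.

```shell
#!/bin/sh
# Added example (not Stoyan's script): default-route failover between two
# ISPs from cron.  The preferred ISP follows the box's CARP role
# (master -> ISP 1, backup -> ISP 2), as in the setup described above.
# Every address and interface name here is a placeholder.

GW_ISP1=${GW_ISP1:-192.0.2.1}            # placeholder: ISP 1 gateway
GW_ISP2=${GW_ISP2:-198.51.100.1}         # placeholder: ISP 2 gateway
PROBE_ISP1=${PROBE_ISP1:-$GW_ISP1}       # address pinged to judge ISP 1
PROBE_ISP2=${PROBE_ISP2:-$GW_ISP2}       # address pinged to judge ISP 2
CARP_IF=${CARP_IF:-carp0}                # inside CARP interface (assumed)
DRY_RUN=${DRY_RUN:-0}                    # 1: print the route command only

# probe ADDR -> prints "up" or "down" (3 echo requests, at most 5 s)
probe() {
    if ping -q -c 3 -w 5 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# preferred_isp -> "isp1" on the CARP master, "isp2" on a backup
preferred_isp() {
    if ifconfig "$CARP_IF" 2>/dev/null | grep -q MASTER; then echo isp1; else echo isp2; fi
}

# choose_gateway PREFERRED ISP1STATE ISP2STATE -> isp1 | isp2 | none
# Pure decision logic, kept separate so it can be tested without a network:
# take the preferred ISP if it answers, else the other one if it answers.
choose_gateway() {
    preferred=$1 up1=$2 up2=$3
    if [ "$preferred" = isp2 ]; then
        first=isp2 first_up=$up2 second=isp1 second_up=$up1
    else
        first=isp1 first_up=$up1 second=isp2 second_up=$up2
    fi
    if [ "$first_up" = up ]; then echo "$first"
    elif [ "$second_up" = up ]; then echo "$second"
    else echo none
    fi
}

# apply_gateway isp1|isp2 -> point the default route at that ISP's gateway
apply_gateway() {
    case "$1" in
        isp1) gw=$GW_ISP1 ;;
        isp2) gw=$GW_ISP2 ;;
        *) return 1 ;;
    esac
    if [ "$DRY_RUN" = 1 ]; then
        echo "route -n change default $gw"
    else
        route -n change default "$gw" >/dev/null
    fi
}

# cron entry, e.g.:  * * * * *  /etc/isp-failover.sh run   (path assumed)
# When neither ISP answers the route is left alone rather than flapped.
if [ "${1:-}" = run ]; then
    want=$(choose_gateway "$(preferred_isp)" \
           "$(probe "$PROBE_ISP1")" "$(probe "$PROBE_ISP2")")
    if [ "$want" = none ]; then
        logger -t isp-failover "neither ISP answers, keeping current route"
    else
        apply_gateway "$want" && logger -t isp-failover "default via $want"
    fi
fi
```

Changing the default route only affects new connections; states already created by the route-to rules above keep the path recorded when they were created.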



Re: VPN: solutions that interoperate with win xp

2005-12-20 Thread Giancarlo Razzolini
Stuart Henderson wrote:
> The same problem probably won't affect ipsec, since there's no extra
> network interface involved there.  http://openvpn.se/xpsp2_problem.html

I meant that if one user can misconfigure the openvpn setup, he or she
has the same potential to misconfigure the ipsec setup.

> This is no different to ipsec nat-t. There are both advantages
> and disadvantages with ipsec, openvpn, and openssh tun-forwarding.
> Use what fits best for the job...
> 
I see one difference: AFAIK when you are using ipsec with nat-t, you
have to give up some of the protection that the AH gives to you, and you
stay only with the full ESP protection. With openvpn, you use the
tls-auth directive and have the same level of protection that AH
provides you. Implementing and keeping an IPSEC solution is far more
complex than an openvpn solution, so I would definitely try the openvpn
solution.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: VPN: solutions that interoperate with win xp

2005-12-20 Thread Stuart Henderson
> > i have also setup openvpn, which works great for me from home, and i have 
> > been
> > able to successfully get this working. however, one of the users that 
> > connects
> > to my VPN is having problems making openvpn and his kerio firewall "play 
> > nice",
> > and a working openvpn configuration cannot survive a reboot due to win xp 
> > being
> > such a great OS.
> > 
> 
> I would definitely stick with the openvpn solution. It's simpler to
> implement, and I didn't understand the part that the configuration
> cannot survive a reboot. Is this a problem on the user side? If it is,
> the same potential to damage the openvpn setup could be used to damage
> the ipsec setup.

The same problem probably won't affect ipsec, since there's no extra
network interface involved there.  http://openvpn.se/xpsp2_problem.html

> Yes, that's another advantage, it uses only ONE port, and is NAT
> friendly.

This is no different to ipsec nat-t. There are both advantages
and disadvantages with ipsec, openvpn, and openssh tun-forwarding.
Use what fits best for the job...



Re: pid of last started process

2005-12-20 Thread Andreas Kahari
Dimaz,

#!/bin/ksh
somecommand &
echo "PID of last backgrounded command is $!"

Read the manual for more info.
Andreas

On 20/12/05, dMITRIJ lEBEDX <[EMAIL PROTECTED]> wrote:
> Sorry, maybe I've written in the wrong place, but what variable contains the pid
> of the last started process from this shell (script) in ksh?
>
>


--
Andreas Kahari



pid of last started process

2005-12-20 Thread Дмитрий Лебедь
Sorry, maybe I've written in the wrong place, but what variable contains the pid
of the last started process from this shell (script) in ksh?



Re: MN-520 802.11b wireless PCMCIA card not found in -CURRENT on AMD Sempron? ScanMail has blocked your mail due to a mail policy.

2005-12-20 Thread IOT-DTAG
[EMAIL PROTECTED]
Reason the mail was blocked:


Scanned by ScanMail for Lotus Notes 2.6 SP1
with scanengine 7.510-1002
and pattern version 3.115.00



Re: MN-520 802.11b wireless PCMCIA card not found in -CURRENT on AMD Sempron?

2005-12-20 Thread Jonathan Gray
On Mon, Dec 19, 2005 at 10:57:44PM -0600, C. Bensend wrote:
> Hey folks,
> 
> I've never been lucky enough to actually own my own laptop until
> yesterday, when a friend pointed me at a special at Staples.  I
> picked up a Compaq Presario V2405US (AMD Sempron) for a pretty good
> price.  Yes, I know, Compaq and Staples, fear.  But for $500, I can
> cope.
> 
> I installed Saturday's snapshot, crossing my fingers and hoping
> the magical 802.11b/g fairy would grace me and it would recognize
> the built-in wireless.  Alas, it's a Broadcom BCM4318.  That's OK,
> I didn't expect the one that's built in to work.  Stupid Broadcom.
> 
> However, I was a little surprised when my Microsoft MN-520 PCMCIA
> adapter isn't found.  This is the same physical adapter that works
> great with my work laptop (a straight Pentium-M Dell).
> 
> It's this one, and works flawlessly with my D600:
> 
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=109286218613735&w=2
> 
> So, here is the dmesg from the new laptop, running Saturday's
> snapshot (pardon any funkiness from cut-n-paste):
> 
> 
> OpenBSD 3.8-current (GENERIC) #320: Sat Dec 17 10:09:10 MST 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Mobile AMD Sempron(tm) Processor 3000+ ("AuthenticAMD" 686-class,
> 128KB L2 cache) 1.80 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
> cpu0: AMD Powernow: TS FID VID TTP TM STC
> cpu0: AMD PowerNow! K8 available states (35400,70700,79500)
> real mem  = 233349120 (227880K)
> avail mem = 206016512 (201188K)
> using 2874 buffers containing 11771904 bytes (11496K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(51) BIOS, date 08/04/05, BIOS32 rev. 0 @ 0xfd660
> pcibios0 at bios0: rev 2.1 @ 0xfd660/0x9a0
> pcibios0: PCI BIOS has 10 Interrupt Routing table entries
> pcibios0: no compatible PCI ICU found
> pcibios0: Warning, unable to fix up PCI interrupt routing
> pcibios0: PCI bus #3 is the last bus
> bios0: ROM list: 0xc/0x1 0xd/0x1000 0xdc000/0x4000!
> 0xe/0x4000!

ATI IXP PCI interrupt quirks aren't known.  I went looking
for documentation on the ATI chipsets some time ago but
couldn't find any.

> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "ATI RS480 Host" rev 0x01
> ppb0 at pci0 dev 1 function 0 "ATI RS480 PCIE" rev 0x00
> pci1 at ppb0 bus 1

...

> cbb0 at pci2 dev 9 function 0 "Texas Instruments PCI7XX1 CardBus" rev
> 0x00pci_intr_map: no mapping for pin A
> : couldn't map interrupt

The CardBus slot can not be used as interrupt routing is busted
in ways not apparent without documentation.

> 
> 
> So, no wireless as of right now.  But I am curious to know why
> the same card works fine in my Dell, but not in my Presario.  Would I
> be lucky enough that it would be a quick fix?

Depends if you can find documentation on the ATI chipset the
laptop is based on...



OpenBSD 3.8 and slapd 2.0.27

2005-12-20 Thread yance
Hi all,

I am learning to install and configure slapd on OpenBSD 3.8. Followed the
installation howto
(http://www.openbsdsupport.org/qmail-ldap-OpenBSD.html#2.0)
but here is what I get when I run slapd -d -1


line 10 (include/etc/openldap/schema/krb5-kdc.schema)
could not open config file "/etc/openldap/schema/krb5-kdc.schema": No such
file or directory (2)
slapd shutdown: freeing system resources.
slapd stopped.

Hmm, apparently "krb5-kdc.schema" is not present in my system.

How can this be? What should I install? Any pointers?


Thanks,


Yance



Re: disklabel and ext3 partitions on amd64

2005-12-20 Thread steven mestdagh
On Mon, Dec 19, 2005 at 12:00:52PM +, Simon Morgan wrote:
> On 18/12/05, steven mestdagh <[EMAIL PROTECTED]> wrote:
> > I see the same happening on 3.8-release vs. 3.8-current on i386 for
> > systems with foreign filesystems. Not sure why.
> 
> Think it could be a bug?

this change in behavior is caused by
sys/arch/amd64/amd64/disksubr.c v 1.4
sys/arch/i386/i386/disksubr.c v 1.46

because the context is gone, here is the OP's problem summarized:
'D' in the disklabel editor now wipes everything except the 'c' partition,
whereas it used to leave 'c', a modified 'a', and foreign filesystem (> 'i')
partitions in place.

maybe someone can comment on this?

-- 
steven

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: Hardware RNG speed

2005-12-20 Thread Michael Alexander Hamburg
On Mon, 19 Dec 2005, Theo de Raadt wrote:

> Until you can justify actual real scientific reasons why you cannot
> use it, I think you should use arc4random().
>
> And I am entirely serious.  The entire idea in OpenBSD is to have many
> consumers, as this strengthens the source.

Thanks for your comments, but I will attempt to justify why I cannot use
arc4random() or /dev/arandom.

I'm working on Professor Rabin's HyperEncryption project.  The goal is to
create a system for distributing random numbers to form one-time pads such
that even an adversary who can break whatever crypto you happen to have
devised is stopped by other limitations, such as limited storage or
limited access to your data lines (that is, you have several links and the
adversary can monitor some but not all of them).  The idea is to offer a
system which is cheaper and more flexible than quantum cryptography, but
almost as secure (i.e. perfectly, information-theoretically secure with
very high probability in the ideal case, requiring more assumptions for
this ideal case than quantum cryptography, but not requiring a short,
private, dedicated fiber-optic line and $50k worth of hardware on either
end).  Obviously, within these design goals, truly random numbers are
necessary, because a computationally unbounded opponent can break
arc4random().  Such an adversary can break other things, too, so we'll
have to do a whole bunch of other things (turning off SYN cookies comes to
mind), but the random numbers are a more immediate design parameter.

Now, the project isn't in production or anything yet; we have some
prototypes and are exploring their design spaces, but a very important
parameter is the cost and data rate of commercially available high-quality
random number generators, and their software support under various
operating systems.  Under a limited-access model, the rate is not too
important (while it adds to the amount of data that can be transmitted and
marginally to its security, it is not essential that the data rate be very
high), but 200B/s is still probably too slow.

An important security and maintenance feature of this system will be
whether it can be engineered cleanly.  OpenBSD is considered a relatively
secure OS, has a wide variety of hardware random number generator support,
and perhaps most importantly is relatively easy to configure minimally on
embedded hardware.  So, we're very interested in supporting it,
particularly on embedded hardware, but we need to know what kind of random
number generators work on it at an acceptable rate.  It looks like this
will probably mean the VIA C3 or C7, but we'd like to give Hifn cards a
shot.  Also, given the terrible performance of the Hifn card, it's not
clear that even the VIA C7 would be faster or whether the drivers are the
rate-limiting step, which is why I'm asking for clarification here.  I
could, of course, write a VIA-specific user-mode RNG driver because their
chips allow that. This is a strong draw to VIA, but OS support would be
preferable.

@Jason Crawford, we have considered and even prototyped sound-card-based
solutions (mostly involving running a simple radio noise source into the
microphone port, which is likely to have less pure-tone noise than your
suggestion), and while they aren't out of the running yet they have two
important problems.  First, it will be more difficult to determine whether
the output of this system is sufficiently random.  We can run FIPS tests
in real time at the rates we're dealing with, but the audio system will
almost certainly not pass this or even come close.  Massaging the data
into a form which is both "white" and sufficiently simple that a breakdown
will be detected is rather difficult.  On the other hand, most hardware
RNGs create noise with only very local biases (in raw mode) which should
be easier to filter out without hiding breakages.  Second, most embedded
boards do not have sound cards, and almost none have microphones.

Thanks a lot,
Mike Hamburg
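The real-time FIPS tests Mike refers to, as an added example that is not part of the thread: the FIPS 140-2 monobit, poker and long-run tests applied to one 2500-byte (20000-bit) sample in sh and awk. The pass bounds are those of FIPS 140-2; the sample sources in the demo are constructed, and /dev/urandom stands in for OpenBSD's /dev/arandom.

```shell
#!/bin/sh
# Added example, not part of the thread: three FIPS 140-2 power-up RNG
# tests (monobit, poker, long run) over one 20000-bit sample, the kind of
# real-time check used to notice a generator that has broken.
# od + awk only, so it runs on a base OpenBSD or Linux system.

# fips_check  < 2500 raw bytes on stdin; returns 0 only if all tests pass
#   monobit : 9725 < ones < 10275
#   poker   : X = 16/5000 * sum(f_i^2) - 5000 over the 5000 nibble counts
#             f_i, pass if 2.16 < X < 46.17
#   long run: no run of identical bits of length 26 or more
fips_check() {
    od -An -v -tu1 | awk '
    BEGIN { n = 0; ones = 0; prev = -1; run = 0; longest = 0 }
    {
        for (k = 1; k <= NF; k++) {
            if (++n > 2500) next          # ignore bytes past the sample
            b = $k + 0
            f[int(b / 16)]++; f[b % 16]++ # high and low nibble
            for (i = 7; i >= 0; i--) {    # walk the bits MSB first
                bit = int(b / (2 ^ i)) % 2
                ones += bit
                if (bit == prev) run++; else { run = 1; prev = bit }
                if (run > longest) longest = run
            }
        }
    }
    END {
        if (n < 2500) { print "short sample: " n " bytes"; exit 2 }
        sumsq = 0
        for (i = 0; i < 16; i++) sumsq += f[i] * f[i]
        x = 16 / 5000 * sumsq - 5000
        mono = (ones > 9725 && ones < 10275)
        poker = (x > 2.16 && x < 46.17)
        longok = (longest < 26)
        printf "monobit  ones=%d  %s\n", ones, (mono ? "pass" : "FAIL")
        printf "poker    X=%.2f  %s\n", x, (poker ? "pass" : "FAIL")
        printf "long run longest=%d  %s\n", longest, (longok ? "pass" : "FAIL")
        rc = (mono && poker && longok) ? 0 : 1
        exit rc
    }'
}

# Constructed demo: a source stuck on the byte 0xAA has exactly half its
# bits set and so passes monobit, but the poker test catches it; 2500
# bytes from /dev/urandom (or /dev/arandom on OpenBSD) should pass all three.
if [ "${1:-}" = demo ]; then
    dd if=/dev/zero bs=2500 count=1 2>/dev/null | tr '\000' '\252' | fips_check
    dd if=/dev/urandom bs=2500 count=1 2>/dev/null | fips_check
fi
```

A raw-mode hardware source can be fed through the same function straight from its device node; a failure on any single test is the signal to stop trusting the generator.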