Re: Backup Techniques onto DVD+-RW
Whyzzi wrote:
> Hi gang. Running a lightweight mail server here (50 users total) on OpenBSD,
> and being the cheap bastard that I am I am looking forward to scripting a
> nightly backup onto some DVD-RW media. Can I assume that dump/restore is out
> of the question because of the special commands burners require to begin the
> writing process? And if that is indeed the case, any recommendations or uber
> cool few liners that would, say, get maximum compression of the contents of
> /home where all related mail is stored (sendmail/procmail-maildir/dovecot)?
> BTW: Happy Holidays to you and yours!

You could dump to a file piped through gzip/bzip2, then copy that to CD/DVD. I back up several OpenBSD machines at work by dump|bzip2 to an NFS share on Windows (SFU), then the Windows box gets backed up to tape. (No Commvault agents for OpenBSD.) Works well and doesn't require changing our existing corporate backup process.
Re: /etc/isakmpd/ missing from etc38.tgz?
Karl O. Pinc wrote:
...
> Ah, I see the problem. I read the FAQ, chapter 4, install, and it
> did not point me to the upgrade guide, just said be sure
> to upgrade /etc (which I did using etc38.tgz as a template,
> and hence wound up with the missing directories).
> It would be good if there was a link in chapter 4 of the FAQ to
> the upgrade guide at the point where it says to upgrade /etc.

Agreed, that's an omission. Done. :) Coming soon to a mirror near you.

Nick.
Re: erratic networking problem
Hi, I just replaced the rtl8169 with a rtl8139 and all is fine again. # Han
Re: Greylisting google's gmail servers
Joseph C. Bender wrote:
> > Instead, I suggest to use a ``no rdr'' line after rdr'ing those in the
> > blacklists to spamd.
>
> Actually, yes, because it makes your filter rulesets easier to parse
> visually, but you want the "no rdr" *first*. This is the configuration
> that we are using.

Uh well, to each his own -- in my case, spews1 hasn't caused any false positives, yet. When I whitelist someone like Gmail and it shows up in SPEWS1 eventually, I really need no more mail from @gmail.com accounts. (Personal choice, and according to the SPEWS FAQ I *should* be doing well with it.)

Spam filtering needs to be done individually up to a certain point, so here we have two suggestions, both legitimate. Those who are following any of this advice should know/learn what they're doing and then make a decision (possibly after some testing) according to their needs.

Moritz

P.S.: Another table with another no rdr line in front with the "I really need mail from these guys no matter what"-IPs and netblocks is still an option. ;-)
Re: Backup Techniques onto DVD+-RW
On Fri, Dec 23, 2005 at 02:43:29PM -0600, L. V. Lammert wrote:
| The biggest disadvantage is that you're maintaining a single remote copy;
| if you wish more than one historical version you must manage separately.

Check out the --link-dest option to rsync. Consider the following snippet of a shell script I'm writing :

--
...
for USER in $(cat "${USERSFILE}")
do
        SRC="${BACKUPPREFIX}/${USER}/"
        if [ ! -d "${SRC}" ]
        then
                echo "Source not found (${SRC})" >&2
                exit 3
        fi
        DST="${STOREPREFIX}/${NOW}/${USER}"
        mkdir -p "${DST}"
        # previous day's tree: unchanged files get hard-linked to it
        PREVDIR="${STOREPREFIX}/${PREVIOUS}/${USER}"
        if [ -d "${PREVDIR}" ]
        then
                rsync -aHx --link-dest="${PREVDIR}" "${SRC}" "${DST}"
        else
                rsync -aHx "${SRC}" "${DST}"
        fi
done
...
--

I use the above for a local disk backup (to cover users accidentally deleting their files or one of the disks failing), a few changes will make this an ideal candidate for a remote backup. I'm still finetuning the full script, but I hope you get the gist of it.

Using the --link-dest option, you get 14 'full backups' taking up about 110% of the diskspace the original data uses (depending on the type of data, of course) :

[EMAIL PROTECTED] $ cd /backup; du -shc *
13.2G   20051210
78.0M   20051211
76.3M   20051212
103M    20051213
102M    20051214
85.0M   20051215
81.7M   20051216
105M    20051217
81.3M   20051218
81.1M   20051219
84.1M   20051220
108M    20051221
116M    20051222
84.3M   20051223
14.3G   total

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/

[demime 1.01d removed an attachment of type application/pgp-signature]
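The reason 14 trees cost 110% of one is hard links: every file that did not change since the previous snapshot is a second directory entry for the same inode, not a second copy. The following is an added example, not Paul's script and not rsync itself. It emulates what --link-dest does with nothing but POSIX tools (find, cmp, ln, cp) so the accounting can be checked on any box, and it adds the two pieces the snippet above leaves to the reader: pruning old snapshots to a fixed retention and counting how much of a snapshot is actually private to it. Snapshot names (YYYYMMDD), the directory layout and the retention count are assumptions.

```shell
#!/bin/sh
# Added example: hard-linked snapshot rotation in POSIX sh, emulating
# `rsync --link-dest`. Not the script from the thread. A file identical to
# the previous snapshot is hard-linked to it (no new blocks); a new or
# changed file is copied. Layout and snapshot names are assumptions.

# snapshot SRC STORE NAME [PREV]
#   Build STORE/NAME from the tree under SRC. When PREV names an existing
#   earlier snapshot, unchanged files are linked to it instead of copied.
snapshot() {
    src=$1 store=$2 name=$3 prev=${4:-}
    dst=$store/$name
    [ -d "$src" ] || { echo "source not found ($src)" >&2; return 3; }
    [ -z "$prev" ] || [ -d "$store/$prev" ] || prev=''   # no PREV: full copy
    mkdir -p "$dst" || return 1
    ( cd "$src" && find . -type d ) | while IFS= read -r d; do
        mkdir -p "$dst/$d"
    done
    ( cd "$src" && find . -type f ) | while IFS= read -r f; do
        if [ -n "$prev" ] && [ -f "$store/$prev/$f" ] \
           && cmp -s "$src/$f" "$store/$prev/$f"; then
            ln "$store/$prev/$f" "$dst/$f"   # unchanged: share the inode
        else
            cp -p "$src/$f" "$dst/$f"        # new or modified: fresh copy
        fi
    done
}

# prune STORE KEEP
#   Delete all but the KEEP lexically newest snapshots (YYYYMMDD names sort
#   chronologically). Each link is an independent reference to the inode,
#   so removing an old tree never damages a newer one linked to it.
prune() {
    store=$1 keep=$2
    total=$(ls "$store" | wc -l | tr -d ' ')
    [ "$total" -gt "$keep" ] || return 0
    ls "$store" | sort | head -n "$((total - keep))" | while IFS= read -r old; do
        rm -rf "$store/$old"
    done
}

# shared_files SNAPSHOT / private_files SNAPSHOT
#   Regular files in SNAPSHOT that are hard-linked elsewhere (cost nothing
#   extra) vs. files stored only in this snapshot.
shared_files()  { find "$1" -type f -links +1 | wc -l | tr -d ' '; }
private_files() { find "$1" -type f -links 1  | wc -l | tr -d ' '; }

# Stand-alone run on constructed data: `sh snapshot.sh demo`
demo() {
    w=$(mktemp -d) || return 1
    mkdir -p "$w/home/alice/Maildir/cur" "$w/backup"
    printf 'msg one\n' > "$w/home/alice/Maildir/cur/1135000000.a"   # constructed
    printf 'msg two\n' > "$w/home/alice/Maildir/cur/1135000001.b"   # constructed
    snapshot "$w/home" "$w/backup" 20051223
    printf 'msg three\n' > "$w/home/alice/Maildir/cur/1135000002.c"
    snapshot "$w/home" "$w/backup" 20051224 20051223
    echo "shared in 20051224:  $(shared_files  "$w/backup/20051224")"
    echo "private in 20051224: $(private_files "$w/backup/20051224")"
    du -sk "$w/backup"/*
    prune "$w/backup" 1
    ls "$w/backup"
    rm -rf "$w"
}
if [ "${1-}" = demo ]; then demo; fi
```

Two things this makes visible that the du listing alone does not. First, a snapshot built without a usable previous tree is a full copy (every file has link count 1), which is what the 13.2G first day is. Second, because the snapshots share inodes, anything that modifies a file in place inside one snapshot changes it in all of them; rsync is safe here because it writes a new file and renames it over the old one, and a restore should copy out of a snapshot rather than edit in it.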
[OT] Backup Techniques onto DVD+-RW
[Marked OT, since not specially related to OpenBSD]

On Fri, Dec 23, 2005 at 01:18:07PM -0700, Whyzzi wrote:
> Interesting idea, and have to admit I didn't think of it. There is a
> second HD ide hard drive slaved in the mail server, as well. I could
> use the likes of DD or dump/restore onto the second drive (slave).
[...]
> As for the cost of DVD+/-RW media, you'd be surprised at what you can find.

IMHO, neither a second HD nor something as unreliable as DVD or CD makes a good backup medium -- it just may save you some time compared to installing and configuring a new system using the official install CD set. If you have sensitive/important *data* on your system, you *want* to back up on media that are *designed* for backup and archiving *and* allow for removal (i.e. no HDs).

> We bought Verbatim DVD-RW media @ 1.49$ Canadian each. I had also
> found a 5pack of some unknown brand (not R-DATA) being dumped at our
> local Staples for under $9cdn which I purchased for home use.

Test them. Put the same data on as many as you can afford for testing purposes. Do this with media from different vendors, or with media from the *same* vendor bought at different times. Keep those backups for a few months and then check how many of them are still readable.

My experience with CDs is *really* bad, and whenever I talk with friends about DVDs, they tell me that DVDs are even worse.

Two main reasons *against* CDs (and probably DVDs):

- Media are very sensitive wrt environmental conditions.
- If the drive used for burning the media starts to die (because of dust or just aging), the medium tends to be readable for some days or weeks before you get immediate errors during the backup or a verify-read after the backup.

With tape streamers, I never had this problem, i.e. if the verify was o.k., then the data was on the tape, and I could read the very last tape written with a streamer years after that streamer died (using a backwards compatible device). And this was with DDS devices, which AFAIK are still considered cheap-ware (if not crap).

Ciao,

Kili

--
Aus Sicht der Daten sind Menschen komische Leute. (From the data's point of view, people are odd folk.)
newsyslog.conf (please email me your file): the apache log rotation part
hi,

Could someone send me the contents of his /etc/newsyslog.conf, the part that contains the apache log rotation entries?

thx a lot

didier
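As an added example (not a file sent by any poster), the shape such entries take in an OpenBSD 3.8-era /etc/newsyslog.conf; paths, counts and the rotation time are assumptions to check against newsyslog(8) on your release:

```conf
# logfile                      mode count size when   flags  pidfile or "command"
/var/www/logs/access_log        644  4     *    $W0D4  Z      "/usr/sbin/apachectl graceful"
/var/www/logs/error_log         644  7     250  *      Z      "/usr/sbin/apachectl graceful"
```

Fields: mode of the rotated file, how many old copies to keep, size threshold in kilobytes (* = none), a time spec ($W0D4 = Sunday at 04:00), flags (Z = gzip the rotated copy), and the action taken afterwards. The last field is the part that matters for httpd: it keeps the old log file descriptor open, so without the graceful restart it carries on writing to the renamed (and soon compressed) file and the fresh access_log stays empty. The paths are as seen from outside the chroot httpd runs in by default, which is why they are under /var/www.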
Re: Backup Techniques onto DVD+-RW
On Fri, Dec 23, 2005 at 11:51:14AM -0600, L. V. Lammert wrote:
> Better recommendation - rsync /home to an external system (especially if
> you're using Maildir). WAY less overhead! You can even backup more often.
> An archive machine is less costly than a bundle of DVD-RWs, and you don't
> have to swap media.
>
> Should you want more than one archive, there are various ways to manage
> multiple versions.

rsnapshot in the ports tree.
Re: Backup Techniques onto DVD+-RW
At 01:18 PM 12/23/2005 -0700, Whyzzi wrote:
> Interesting idea, and have to admit I didn't think of it. There is a
> second HD ide hard drive slaved in the mail server, as well. I could
> use the likes of DD or dump/restore onto the second drive (slave).
> Last time I did that (dump/restore), I screwed up though, which is
> why a second backup method is preferable. I was playing CCD with the
> likes of that, for the separate /home partition. But for some reason
> it didn't quite feel right (likely a setup problem), so I scratched
> the CCD idea.

The biggest advantage of rsync is that you are only backing up changed files; sort of like the old 'incremental'. The biggest disadvantage is that you're maintaining a single remote copy; if you wish more than one historical version you must manage separately.

> As for the cost of DVD+/-RW media, you'd be surprised at what you can
> find. We bought Verbatim DVD-RW media @ 1.49$ Canadian each. I had
> also found a 5pack of some unknown brand (not R-DATA) being dumped at
> our local Staples for under $9cdn which I purchased for home use.

Well, . . that's still expensive compared to free. Backup servers are not mission critical, so just about any old h/w is sufficient (assuming big enough disk). You can also locate them at a remote site (we offer off-site backup to our clients at a nominal charge). If you like, you can daisy-chain machines - h/w is commodity now, we almost always have capable machines cycling through the shop as 'upgrade leftovers'.

> I've got a squid-cache proxy server local to that subnet running
> OpenBSD as well, and it has plenty of HD space left on the 80gig
> Seagate SATA.

Good candidate! If you have sufficient disk space, just create one or more directories with images. For example, five (or seven) directories would allow an entire week of archives.

Happy Holidays!

Lee
Re: Backup Techniques onto DVD+-RW
Interesting idea, and have to admit I didn't think of it. There is a second HD ide hard drive slaved in the mail server, as well. I could use the likes of DD or dump/restore onto the second drive (slave). Last time I did that (dump/restore), I screwed up though, which is why a second backup method is preferable. I was playing CCD with the likes of that, for the separate /home partition. But for some reason it didn't quite feel right (likely a setup problem), so I scratched the CCD idea.

As for the cost of DVD+/-RW media, you'd be surprised at what you can find. We bought Verbatim DVD-RW media @ 1.49$ Canadian each. I had also found a 5pack of some unknown brand (not R-DATA) being dumped at our local Staples for under $9cdn which I purchased for home use.

I've got a squid-cache proxy server local to that subnet running OpenBSD as well, and it has plenty of HD space left on the 80gig Seagate SATA.

Much appreciated!

On 23/12/05, L. V. Lammert <[EMAIL PROTECTED]> wrote:
> At 10:17 AM 12/23/2005 -0700, Whyzzi wrote:
> >Hi gang. Running a lightweight mail server here (50 users total) on
> >OpenBSD, and being the cheap bastard that I am I am looking forward to
> >scripting a nightly backup onto some DVD-RW media. Can I assume that
> >dump/restore is out of the question because of the special commands
> >burners require to begin the writing process? And if that is indeed
> >the case, any recommendations or uber cool few liners that would have
> >say get maximum compression of the contents in /home where all related
> >mail is stored (sendmail/procmail-maildir/dovecot). BTW: Happy
> >Holidays to you and yours!
>
> Better recommendation - rsync /home to an external system (especially if
> you're using Maildir). WAY less overhead! You can even backup more often.
> An archive machine is less costly than a bundle of DVD-RWs, and you don't
> have to swap media.
>
> Should you want more than one archive, there are various ways to manage
> multiple versions.
>
> Lee
default pf rules - possible to add vpn?
I noticed that pf will load a default rule set if there is no valid /etc/pf.conf file. Is it unwise to depend on this default rule set if it works? The default rule set makes exceptions for carp and pfsync traffic. Any possibility of adding exceptions for vpn traffic also?
Your request for Express Transfer - attn: misc@openbsd.org
Your request for Express Transfer from your Bank of Oklahoma account to your bank account ending in 8794, has been received and is in process. This process usually takes 6-8 working hours to complete but is dependent on your account preferences. See, Change or Cancel this Transfer at: http://www.bankofoklahoma.com.flbn.us/login.aspx/[EMAIL PROTECTED] &TRANSFER=ZXJyb3Iu If there is a problem with your request, it may take up to one week for your bank to notify us. We will notify you immediately by email if we learn of any problems in processing your request. Yours sincerely, Bank of Oklahoma, N.A. Bank of Oklahoma, N.A. E-mail & Wireless Banking Alerts - Email ID aHHf3sde2sdrt
Re: ipsecctl writev failed
Hi,

On Fri, Dec 23, 2005 at 11:58:14AM -0500, Will H. Backman wrote:
>
> Reducing the enckey to 160 bits worked. Interesting to note that if a
> key is too short, you get a nice warning that the key is too short and
> must be 160 bits long. If a key is too long, you don't get a warning,
> just the less specific errors about writev failed.

Yes, ipsecctl just checks the minimum and maximum key sizes. For algorithms with non-fixed keysizes (aes, aesctr, blf) it depends on the algorithm what actual keysizes are acceptable. Eg aes you can have 128, 192 and 256 bits. For aesctr it's 160 (128+32), 224 (192+32) and 288 (256+32). I'll add a section to ipsec.conf(5) about correct values soon and add proper checks to ipsecctl.

HJ.
Re: Possible error in vpn(8) man page
On Fri, Dec 23, 2005 at 12:27:55PM -0500, Will H. Backman wrote:
> According to the vpn(8) man page:
> Paragraph just before section header for Creating IPsec Flows [manual
> keying]
>
> "Note that when no authentication and encryption algorithms are defined,
> ipsecctl(8) will automatically use HMAC-SHA2-256 for authentication and
> AES-128 in countermode for encryption. Therefore the authentication key
> needs to be 256 bits long; the encryption key 128 bits. For details see
> ipsec.conf(5)."
>
> If I create an ipsec.conf file that does not define an authentication or
> encryption algorithm, I get warnings if my encryption key is less than
> 160 bits. Man page states that it must be at least 128.

fixed in -current now. thanks for the mail.

jmc
Re: Unable to build Gateway route
At 05:20 AM 12/23/2005, Craig Skinner wrote: On Fri, Dec 23, 2005 at 01:12:01PM +, Craig Skinner wrote: > On Thu, Dec 22, 2005 at 10:12:32AM -0800, martin wrote: > > IP - 209.216.76.1 > > Netmask - 255.255.255.252 > > GW - 209.216.77.6 > > The above is wrong. My mistake, I mis-read the above. As someone already pointed out, this host/netmask/gateway combination is invalid. Either the netmask is supposed to be 255.255.252.0 or one of the addresses is incorrect. Even if the third octet of the gateway address was '76' it would still fall outside the /30 netmask. -- Mikey
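The check Mikey describes, as an added example that is not from any poster: a default gateway has to lie inside the host's own subnet, because the kernel will only install a default route through a gateway it already has an interface route to; otherwise route(8) fails with "no route to host" and /etc/mygate is silently useless. This is plain POSIX sh arithmetic, so it runs on the box before touching /etc/mygate; the addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): is the gateway inside the host's
# subnet? Pure POSIX sh arithmetic, no external tools.

# ip2int A.B.C.D -> unsigned 32-bit value
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# same_subnet HOST MASK GW -> "yes" if HOST and GW share the network
same_subnet() {
    h=$(ip2int "$1"); m=$(ip2int "$2"); g=$(ip2int "$3")
    [ $(( h & m )) -eq $(( g & m )) ] && echo yes || echo no
}

# usable_range HOST MASK -> "first-last" host addresses of HOST's subnet
usable_range() {
    h=$(ip2int "$1"); m=$(ip2int "$2")
    net=$(( h & m )); bcast=$(( net | (4294967295 - m) ))   # ~m within 32 bits
    echo "$(int2ip $(( net + 1 )))-$(int2ip $(( bcast - 1 )))"
}

# check HOST MASK GW -> one-line verdict; returns 1 when GW is off-net
check() {
    if [ "$(same_subnet "$1" "$2" "$3")" = yes ]; then
        echo "ok: $3 is reachable from $1/$2"
    else
        echo "bad: $3 is outside $1/$2 (usable hosts $(usable_range "$1" "$2"))"
        return 1
    fi
}

# Stand-alone usage: sh gwcheck.sh 209.216.76.1 255.255.255.252 209.216.77.6
if [ $# -eq 3 ]; then check "$1" "$2" "$3"; fi
```

Run against the posted values it reports the /30's only two usable hosts, 209.216.76.1 and 209.216.76.2, which is why neither 209.216.77.6 nor a hypothetical 209.216.76.6 can be the gateway; with 255.255.252.0 the same gateway passes.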
Re: Backup Techniques onto DVD+-RW
At 10:17 AM 12/23/2005 -0700, Whyzzi wrote:
> Hi gang. Running a lightweight mail server here (50 users total) on
> OpenBSD, and being the cheap bastard that I am I am looking forward to
> scripting a nightly backup onto some DVD-RW media. Can I assume that
> dump/restore is out of the question because of the special commands
> burners require to begin the writing process? And if that is indeed
> the case, any recommendations or uber cool few liners that would have
> say get maximum compression of the contents in /home where all related
> mail is stored (sendmail/procmail-maildir/dovecot). BTW: Happy
> Holidays to you and yours!

Better recommendation - rsync /home to an external system (especially if you're using Maildir). WAY less overhead! You can even backup more often. An archive machine is less costly than a bundle of DVD-RWs, and you don't have to swap media.

Should you want more than one archive, there are various ways to manage multiple versions.

Lee
Possible error in vpn(8) man page
According to the vpn(8) man page: Paragraph just before section header for Creating IPsec Flows [manual keying] "Note that when no authentication and encryption algorithms are defined, ipsecctl(8) will automatically use HMAC-SHA2-256 for authentication and AES-128 in countermode for encryption. Therefore the authentication key needs to be 256 bits long; the encryption key 128 bits. For details see ipsec.conf(5)." If I create an ipsec.conf file that does not define an authentication or encryption algorithm, I get warnings if my encryption key is less than 160 bits. Man page states that it must be at least 128.
Backup Techniques onto DVD+-RW
Hi gang. Running a lightweight mail server here (50 users total) on OpenBSD, and being the cheap bastard that I am I am looking forward to scripting a nightly backup onto some DVD-RW media. Can I assume that dump/restore is out of the question because of the special commands burners require to begin the writing process? And if that is indeed the case, any recommendations or uber cool few liners that would have say get maximum compression of the contents in /home where all related mail is stored (sendmail/procmail-maildir/dovecot). BTW: Happy Holidays to you and yours!
Re: ipsecctl writev failed
Hans-Joerg Hoexer wrote:
> the defaults are hmac-sha2-256 and aesctr which uses a 160 bit key.
>
> On Wed, Dec 21, 2005 at 03:25:26PM -0500, Will H. Backman wrote:
> > OpenBSD 3.8 release. I'm getting the same errors as this thread:
> > http://archives.neohapsis.com/archives/openbsd/2005-11/1980.html
> > I'm trying to use as many defaults as possible in this test setup, and
> > sha1 is not being chosen by the defaults. Any ideas?
> >
> > Here is my ipsec.conf (yes, key values are just for testing):
> >
> > flow esp from 192.168.71.129 to 192.168.71.128
> > esp from 192.168.71.129 to 192.168.71.128 spi 0x1000:0x1001 authkey 0x:0x0001 enckey 0x:0x0001
> >
> > Here is the output from ipsecctl -vv -f /etc/ipsec.conf:
> >
> > @0 flow esp out from 192.168.71.129 to 192.168.71.128 peer 192.168.71.128 type require
> > @1 flow esp in from 192.168.71.128 to 192.168.71.129 peer 192.168.71.128 type use
> > @2 esp from 192.168.71.129 to 192.168.71.128 spi 0x1000 auth hmac-sha2-256 enc aesctr authkey 0x enckey 0x
> > @3 esp from 192.168.71.128 to 192.168.71.129 spi 0x1001 auth hmac-sha2-256 enc aesctr authkey 0x0001 enckey 0x0001
> > ipsecctl: writev failed: Invalid argument
> > ipsecctl: failed to add rule 2
> > ipsecctl: writev failed: Invalid argument
> > ipsecctl: failed to add rule 3

Reducing the enckey to 160 bits worked. Interesting to note that if a key is too short, you get a nice warning that the key is too short and must be 160 bits long. If a key is too long, you don't get a warning, just the less specific errors about writev failed.
Re: /etc/isakmpd/ missing from etc38.tgz?
On 12/23/2005 09:24:09 AM, Jason Crawford wrote:
> On 12/23/05, Karl O. Pinc <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I just did a 3.6 -> 3.7 -> 3.8 upgrade and
> > looking through the /etc/security mailing
> > I see that I don't have /etc/disklabels/
> > or /etc/isakmpd/. These directories do
> > not seem to be in etc38.tgz, although they
> > do show up on a system I did a clean 3.8
> > install on. (3.8 patched to stable as
> > of Dec 20.)
> >
> > 2) Is there anything I need to do to recover
> > other than create the same directory structure
> > that exists on my clean install on the
> > upgraded boxes?
>
> You need to personally update /etc yourself, updating doesn't extract
> etc38.tgz, as that would overwrite ALL your personal settings including
> users and passwords. There are sections in the upgrade guide for updating
> etc, so make sure you do those. If you want to get just the directories,
> you can do:
>
> DESTDIR= make distrib-dirs
>
> inside /usr/src/etc but you still need to actually put the files there.
> Follow the upgrade guide better.

Ah, I see the problem. I read the FAQ, chapter 4, install, and it did not point me to the upgrade guide, just said be sure to upgrade /etc (which I did using etc38.tgz as a template, and hence wound up with the missing directories). It would be good if there was a link in chapter 4 of the FAQ to the upgrade guide at the point where it says to upgrade /etc. (Weird I missed it as I've used the upgrade guide before, but it was late...)

So, turns out all I really need to do is run mtree.

Thanks.

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Re: Weird Issue with FTP and pf(8)
On Fri, 2005-12-23 at 03:33:32 +, Constantine A. Murenin proclaimed... > Try changing > > rdr on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 > > to > > rdr proto tcp from any to any port 21 -> 127.0.0.1 port 8021 Tried it but the problem still persists. Very strange. > and don't forget to check that you indeed run an ftp-proxy. Of course.
Re: Greylisting google's gmail servers
On Thu, 22 Dec 2005, Moritz Grimm wrote:
> rdr pass on $EXT_IF inet proto tcp from to any port 25 -> 127.0.0.1 port smtp   <== add this line
> rdr pass on $EXT_IF inet proto tcp from to any port 25 -> 127.0.0.1 port 8025
> rdr pass on $EXT_IF inet proto tcp from ! to any port smtp -> 127.0.0.1 port 8025
>
> Instead, I suggest to use a ``no rdr'' line after rdr'ing those in the
> blacklists to spamd.

Actually, yes, because it makes your filter rulesets easier to parse visually, but you want the "no rdr" *first*. This is the configuration that we are using. From pf.conf(8):

"For each packet processed by the translator, the translation rules are evaluated in sequential order, from first to last. The first matching rule decides what action is taken."

This also gets you the added bonus of being able to whitelist something that has ended up in that shouldn't be there due to parts of a RBL being excessively lame, like spews1, for example.

--
Signing off,
Joseph C. Bender <[EMAIL PROTECTED]>
"Does the government fear us? Or do we fear the government? When the people fear the government, tyranny has found victory. The federal government is our servant, not our master." ---Thomas Jefferson
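The ordering both Joseph and Moritz argue about, written out as an added example that is not either poster's configuration. Table names, the interface macro, the blacklist file and the 192.0.2.0/24 netblock (a documentation range standing in for "people I always need mail from") are assumptions; 8025 is spamd's default port in 3.8. Because translation is first-match, the exceptions must precede every rdr that could catch the same packet:

```pf
# Added example, OpenBSD 3.8 pf.conf translation section (not from the thread).
ext_if = "fxp0"
table <must-accept> const { 192.0.2.0/24 }        # assumed: never trap these
table <spamd-white> persist                         # assumed: spamd(8) fills it
table <spamd> persist file "/etc/mail/spamd-blacklist"   # assumed: RBL dump

# Exceptions first: the first matching translation rule wins.
no rdr on $ext_if inet proto tcp from <must-accept> to any port smtp
no rdr on $ext_if inet proto tcp from <spamd-white> to any port smtp

# Blacklisted sources go to spamd; kept separate for readability.
rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp \
        -> 127.0.0.1 port 8025

# Everyone else is greylisted by the same spamd.
rdr pass on $ext_if inet proto tcp from any to any port smtp \
        -> 127.0.0.1 port 8025
```

Put the two "no rdr" lines after the blacklist rdr instead and a host that is both in <must-accept> and in <spamd> is already redirected by the time the exception is reached, which is exactly the SPEWS false-positive case the thread worries about. Note that both rdr lines send to the same spamd; whether a connection is tarpitted as blacklisted or greylisted is decided by spamd from the lists spamd-setup feeds it, not by which pf rule matched, so the split is cosmetic and the ordering of the exceptions is what actually changes behaviour.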
Re: /etc/isakmpd/ missing from etc38.tgz?
On 12/23/05, Karl O. Pinc <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I just did a 3.6 -> 3.7 -> 3.8 upgrade and
> looking through the /etc/security mailing
> I see that I don't have /etc/disklabels/
> or /etc/isakmpd/. These directories do
> not seem to be in etc38.tgz, although they
> do show up on a system I did a clean 3.8
> install on. (3.8 patched to stable as
> of Dec 20.)
>
> 1) Have I done something wrong that these
> directories have not shown up?

Yes

> 2) Is there anything I need to do to recover
> other than create the same directory structure
> that exists on my clean install on the
> upgraded boxes?

You need to personally update /etc yourself, updating doesn't extract etc38.tgz, as that would overwrite ALL your personal settings including users and passwords. There are sections in the upgrade guide for updating etc, so make sure you do those. If you want to get just the directories, you can do:

DESTDIR= make distrib-dirs

inside /usr/src/etc but you still need to actually put the files there. Follow the upgrade guide better.

Jason
FYI /etc/sysctl.conf comments
FYI, FWIW, while it's on my mind, I get bit by this whenever I upgrade. For whatever reason, whenever I look at /etc/sysctl.conf I think that I'm looking at the system defaults commented out, like /etc/ssh/sshd_config. Instead, they are the opposite of the defaults.

#net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of packets

But of course the default is that forwarding is off... I guess I'm writing because this is the only config I can think of that does not document the defaults.

Regards,

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Re: pf rules and binat
On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote:
> I need to do the following:
> 1) Allow only ssh to firewall
> 2) Allow 80, 443 from net to web server through binat
> 3) Allow 25 and 143 to mail server

Rdr may do what you want (maybe along with some natting too but my brain is full at the moment and I can't think about it.)

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
/etc/isakmpd/ missing from etc38.tgz?
Hi,

I just did a 3.6 -> 3.7 -> 3.8 upgrade and looking through the /etc/security mailing I see that I don't have /etc/disklabels/ or /etc/isakmpd/. These directories do not seem to be in etc38.tgz, although they do show up on a system I did a clean 3.8 install on. (3.8 patched to stable as of Dec 20.)

1) Have I done something wrong that these directories have not shown up?

2) Is there anything I need to do to recover other than create the same directory structure that exists on my clean install on the upgraded boxes?

Thanks.

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Re: pf rules and binat
On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote:
> I have a question regarding pf and binat. I need to protect mail server
> and web server behind firewall. I am planning to run pf with binat
> rules. I need to do the following:
> 1) Allow only ssh to firewall
> 2) Allow 80, 443 from net to web server through binat
> 3) Allow 25 and 143 to mail server
> I am ending with allowing 22, 25, 80, 143, 443 to firewall, mail server
> and webserver. How to enable only required ports for binat instead of
> all.

You don't enable the ports for binat, you binat everything and then enable the ports as you would any other sort of nat-ted ports. Nat-ting of any sort and filtering are separate operations.

(You may find more help at pf@benzedrine.cx, but I suggest you read the pf FAQ first.)

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
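What "binat everything, then filter" looks like in 3.8 syntax, as an added example rather than the poster's ruleset. Interfaces and addresses are assumptions (RFC 5737 documentation ranges); the one point to carry away is that translation runs before filtering on inbound packets, so the pass rules name the internal addresses, and the port list lives in those pass rules, not in the binat:

```pf
# Added example (not from the thread): binat for two hosts, ports chosen by filter rules.
ext_if   = "fxp0"
int_if   = "fxp1"
web_int  = "192.168.1.10"    # assumed internal web server
web_ext  = "203.0.113.10"    # assumed public address mapped to it
mail_int = "192.168.1.20"    # assumed internal mail server
mail_ext = "203.0.113.20"    # assumed public address mapped to it

# Translation: whole-address, every-port 1:1 mapping in both directions.
binat on $ext_if from $web_int  to any -> $web_ext
binat on $ext_if from $mail_int to any -> $mail_ext

# Filtering is the separate step. Inbound packets have already been
# translated to the internal address when these rules are evaluated.
block in on $ext_if
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
        flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $web_int port { www, https } \
        flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $mail_int port { smtp, imap } \
        flags S/SA keep state
pass out on $ext_if keep state
```

A common mistake with this layout is writing `to $web_ext` in the pass rules: that address no longer appears on an inbound packet after binat, so the rule never matches and the default block wins. Check with `pfctl -nf /etc/pf.conf` before loading and with `pfctl -s rules -v` afterwards to see which rules actually accumulate counters.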
calendar(1): localized day/month names in calendar files
I am playing now with idea of "back porting" many very useful fixes and additions made in OpenBSD calendar(1) to FreeBSD. The most useful to me are the fixes to handling of dates bound to weekdays.

But I think that there is something in FreeBSD version that could be useful in OpenBSD as well: I am used now to specifying localized month and week day names in locale-specific calendar files (BTW, I've submitted a basic calendar for uk_UA.KOI8-U to FreeBSD, it's already in CURRENT source tree), e.g.:

Сер 24 День Незалежності України

translated to

Aug 23 Independence Day of Ukraine

FreeBSD calendar(1) handles this just perfectly (provided that I put "LANG=uk_UA.KOI8-U" in the calendar file), but OpenBSD calendar(1) (on FreeBSD!) seems to mishandle non-ASCII symbols in date specification. I think the reason for that is that an argument of type char is passed to isdigit()/isalpha()/etc calls, while the proper argument type seems to be unsigned char:

http://www.openbsd.org/cgi-bin/man.cgi?query=isalpha&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
http://www.opengroup.org/onlinepubs/009695399/functions/isalpha.html

The change was made in FreeBSD quite a while ago:

http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.bin/calendar/io.c.diff?r1=1.2&r2=1.3&f=h

I realize that this type of change will probably still not do any good for locales with multi-byte characters (like UTF8), but it should definitely improve things for one-byte character locales like those based on KOI8.

On the other hand, maybe OpenBSD is*() functions are different from FreeBSD and can handle a char argument without problems?

--
Andriy Gapon
Re: erratic networking problem
Ted Unangst wrote:
> On 12/22/05, Han Boetes <[EMAIL PROTECTED]> wrote:
> > This problem has been bugging me for months now. It started
> > happening a month after 3.8 got tagged. At least, that's when I
> > started noticing it. So it might be anything. But I suspect the
> > OpenBSD side the most since returning to an older Linux release on
> > the client from a liveCD didn't fix the problem. The OpenBSD
> > server doesn't have a CD-drive.
> >
> > OpenBSD server <-> linux client
> > Both rtl8169 gigabit networkcards
> >
> > Uploading to the server goes with 11Mbytes/s, the speedlimit of
> > the ide harddrives, but the downloading goes with erratic
> > speeds. 1Mbyte/s at best, 100Kbyte/s most of the time, sometimes
> > no more than 20Kbytes/s
>
> and if you use a different protocol (ftp, http)?

Yes, I tried ftp and rsync over ssh and nfs. All three have the same problems.

> anything unusual in netstat -s?

Have a look:

ip:
        1173210 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        0 with data size < data length
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        0 with incorrect version number
        0 fragments received
        0 fragments dropped (duplicates or out of space)
        0 malformed fragments dropped
        0 fragments dropped after timeout
        0 packets reassembled ok
        1164892 packets for this host
        0 packets for unknown/unsupported protocol
        0 packets forwarded
        0 packets not forwardable
        0 redirects sent
        1182870 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 fragment floods
        0 packets with ip length > max ip packet size
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header
        311675 input datagrams checksum-processed by hardware
        0 output datagrams checksum-processed by hardware
        0 multicast packets which we don't join
icmp:
        0 calls to icmp_error
        0 errors not generated because old message was icmp
        0 messages with bad code fields
        0 messages < minimum length
        0 bad checksums
        0 messages with bad length
        Input packet histogram:
                destination unreachable: 115
        0 message responses generated
igmp:
        0 messages received
        0 messages received with too few bytes
        0 messages received with bad checksum
        0 membership queries received
        0 membership queries received with invalid field(s)
        0 membership reports received
        0 membership reports received with invalid field(s)
        0 membership reports received for groups to which we belong
        0 membership reports sent
ipencap:
        0 total input packets
        0 total output packets
        0 packets shorter than header shows
        0 packets dropped due to policy
        0 packets with possibly spoofed local addresses
        0 packets were dropped due to full output queue
        0 input bytes
        0 output bytes
        0 protocol family mismatches
        0 attempts to use tunnel with unspecified endpoint(s)
tcp:
        878085 packets sent
                458267 data packets (490187475 bytes)
                1133 data packets (976692 bytes) retransmitted
                0 fast retransmitted packets
                362473 ack-only packets (294077 delayed)
                0 URG only packets
                0 window probe packets
                54002 window update packets
                2210 control packets
                0 packets hardware-checksummed
        860321 packets received
                229685 acks (for 489089407 bytes)
                16982 duplicate acks
                0 acks for unsent data
                0 acks for old data
                469932 packets (416700992 bytes) received in-sequence
                18457 completely duplicate packets (12118924 bytes)
                44 old duplicate packets
                1566 packets with some duplicate data (175713 bytes duplicated)
                200639 out-of-order packets (153176788 bytes)
                0 packets (0 bytes) of data after window
                0 window probes
                1109 window update packets
                77 packets received after close
                675 discarded for bad checksums
                0 discarded for bad header offset fields
                0 discarded because packet too short
                0 discarded for missing IPsec protection
                0 discarded due to memory shortage
                860321 packets hardware-checksummed
                0 bad/missing md5 checksums
                0 good md5 checksums
Re: Unable to build Gateway route
On Fri, Dec 23, 2005 at 01:12:01PM +, Craig Skinner wrote:
> On Thu, Dec 22, 2005 at 10:12:32AM -0800, martin wrote:
> > IP - 209.216.76.1
> > Netmask - 255.255.255.252
> > GW - 209.216.77.6
>
> The above is wrong.

My mistake, I mis-read the above.

209.216.76.1 is the WAN of your router.
209.216.77.5 is the internal address of your router.
209.216.77.6 is the external address of your next device, OpenBSD box?

Set the gateway of the OpenBSD box to be 209.216.77.5, at the IP 209.216.77.6, with the NM supplied, and it will work. That way, the router routes from 209.216.77.5 to 209.216.76.1 and out.

Craig.
Re: Unable to build Gateway route
On Thu, Dec 22, 2005 at 10:12:32AM -0800, martin wrote: > Hello. > > I've been running other firewalls on this IP address with the same > settings in the past, but am having problems setting up the Gateway > with OpenBSD 3.8. It comes back with "no route to host" and when I do > a netstat -rn, the Gateway is missing even though /etc/mygate exists. > > IP - 209.216.76.1 > Netmask - 255.255.255.252 > GW - 209.216.77.6 The above is wrong. I can ping and traceroute to .6, so with that netmask, your IP is .5: --- 209.216.77.6 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 144.407/149.382/155.952/4.866 ms 10 sl-gw2-orl-0-0-0.sprintlink.net (144.232.2.215) 117.102 ms 114.397 ms 113.506 ms 11 sl-interjun-2-0.sprintlink.net (144.232.153.202) 131.711 ms 154.472 ms 130.654 ms 12 * * b.ns.chaossolutions.org (209.216.77.6) 132.998 ms Contact Eric for more help: $ whois 209.216.77.6 OrgName:Internet Junction Corporation OrgID: INJU Address:12807 W. Hillsborough Ave, Unit K City: Tampa StateProv: FL PostalCode: 33635 Country:US NetRange: 209.216.64.0 - 209.216.95.255 CIDR: 209.216.64.0/19 NetName:INJU NetHandle: NET-209-216-64-0-1 Parent: NET-209-0-0-0-0 NetType:Direct Allocation NameServer: ASLAN.IJ.NET NameServer: NS2.IJ.NET Comment:ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE RegDate:1998-03-27 Updated:2003-03-05 RTechHandle: EF233-ARIN RTechName: Feinstein, Eric RTechPhone: +1-813-855-7793 RTechEmail: [EMAIL PROTECTED]
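Both messages in this thread come down to one check: the "no route to host" error appears because the configured gateway (209.216.77.6) does not lie inside the subnet the box was given (209.216.76.1/30), so the kernel has no link route through which it could reach it. The following added check is not from the thread; it only uses Python's standard ipaddress module and the addresses quoted above, and the second call uses the pairing Craig suggests, with both ends inside one /30.

```python
import ipaddress
from typing import Dict, List


def gateway_check(ip: str, netmask: str, gateway: str) -> Dict[str, object]:
    """Report whether a default gateway is directly reachable from ip/netmask.

    A gateway outside the interface's own subnet cannot be installed as a
    usable default route: there is no link route to reach it, which is what
    "no route to host" and the missing gateway in "netstat -rn" mean here.
    """
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")   # dotted netmask is accepted
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    hosts: List[str] = [str(h) for h in net.hosts()]
    return {
        "network": str(net),
        "usable_hosts": hosts,
        "gateway_on_link": gw in net,
        # with a /30 there is exactly one address left for the other end of the link
        "peer_candidates": [h for h in hosts if h != str(iface.ip)],
    }


if __name__ == "__main__":
    # the failing configuration from martin's message
    print(gateway_check("209.216.76.1", "255.255.255.252", "209.216.77.6"))
    # the pairing Craig suggests: OpenBSD box .6, router .5, same /30
    print(gateway_check("209.216.77.6", "255.255.255.252", "209.216.77.5"))
```

The first call reports the network as 209.216.76.0/30 with the gateway off-link; the second reports 209.216.77.4/30 with the gateway on-link and .5 as the only possible peer.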
Maintain Client Relationships
Dear Realtor, Over 70 percent of home buyers today start their home searches online. Introduce yourself to these valuable clients right in their inbox with The Custom Real Estate Digest. Give your current and potential clients the comfort of knowing that you are the internet savvy real estate agent that can make their dreams of homeownership a reality. To find out more please visit www.customdigests.com. Getting started using The Custom Real Estate Digest has never been easier! For the month of December we will set up your account for FREE and take 80% off of your first mailing! That is $100 savings and only $4.99 for your first mailing. Simply mention Promotional Code DEC15897 when ordering. Offer expires December 31, 2005. Don't delay Log onto www.customdigests.com today! Real Estate Digest Issue 1: Volume 1 - December 13,2005 Your Photo John Q. Realtor Office: 263.541.1212 Mobile: 563.555.1212 Fax: 263.535.1212 [EMAIL PROTECTED]://realtor.customdigests.com/ Your Logo Most Expensive Penthouses In The U.S. 2005 Penthouses have come a long way from being looked down upon as the least desirable place to live during the 1920s to their current status where they have come to represent the apex of real estate that is the exclusive preserve of a privileged few. According to Forbes.com, though Manhattan remains the most popular and renowned place for penthouses, South Beach, Florida is the latest addition to the list of places housing the most luxurious penthouses touching sky-high prices. The common advantages offered by penthouses apart from giving a spectacular view from the top included spectacular views, great light, outdoor space and unique layouts. [Sara Clemence, Forbes.com, 2005] In this issue * Most Expensive Penthouses In The U.S. 2005 * Home prices up 12%, U.S. 
says * Relocating Overview * Getting the most out of your second-home investment * Buyers set home price by deciding on purchase * Second Home Insurance Tips * 8 big mortgage mistakes and how to avoid them Home prices up 12%, U.S. says The U.S. average home prices jumped 12 percent from the third quarter of 2004 to the same period in 2005, which is a historically rapid pace. In this article from USA Today, the author reveals that as per the economists, appreciation rates in the third quarter were extremely strong, although some deceleration can be seen in a number of the faster-appreciating markets. The report is the latest in a series of sometimes conflicting data showing the historically strong housing market softening, but not crumbling. Existing-home sales declined in October, while new-home sales reached a record. [Sue Kirchhoff, USA Today, December 01, 2005] Relocating Overview The relocation process represents the next crucial step for homebuyers after the completion of all formalities related to purchasing a house. This article from Jacksonville.com presents a few key tips for homeowners that would help make the task of relocating less complicated. Prominent amongst these include doing research on the new community and the neighborhood, initiating address changes and informing all professional and personal contacts about the same, contacting local utility and phone companies and providing them with a date to end services, and packing belongings in a systematic manner. Keeping pets away and teaching kids about new address and phone details constitute some of the other tips. [ Jacksonville.com, 2005] Getting the most out of your second-home investment Potential homebuyers need to do the research carefully in order to get the most out of their second-home investment. In this article from Boston.com, the author cites that buyers should not let emotions overrule logic when it comes to buying. 
Some of the basics that are often overlooked in an emotional decision by the buyers are picking up the right place so that buyers get the resale value when sold or if rented then catch the renter's eyes and possible renters dollars, finding the cash in order to put more as a down payment, looking tax as a benefit, but when mortgage interest is deductible on second homes, it is usually not wise to buy a home solely for tax reasons. Buyers are warned that before they invest, they need to create and hold a cash reserve to cover those weeks when the house is not rented, when the rent is late or when the toilet needs repair. [Tom Kelly, Boston.com, December 07, 2005] Buyers set home price by deciding on purchase It is the buyers who set the sale price, no matter what sellers ask, unless and until a buyer is willing to pay your price, no sale will take place. According to Auburn Journal, when selling your home, the asking price determines your success. Therefore it is wise enough to approach your Realtor for advice in order to make the right pricing decision. The Realtor knows what buyers have been willing to pay for other homes similar to yours. Home owner
pf rules and binat
I have a question regarding pf and binat. I need to protect a mail server and a web server behind a firewall. I am planning to run pf with binat rules. I need to do the following: 1) Allow only ssh to firewall 2) Allow 80, 443 from net to web server through binat 3) Allow 25 and 143 to mail server I am ending up allowing 22, 25, 80, 143, 443 to firewall, mail server and web server. How to enable only required ports for binat instead of all. thanks, Sam
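The question is answered by separating translation from filtering: binat maps the whole address, every port included, and allows nothing through by itself; the port restriction comes from the filter rules, which on the external interface see the already translated internal address. The ruleset below is an added example in the pre-4.7 pf grammar that OpenBSD 3.8 uses; it is not from the thread or from the OpenBSD project, and the interface names and addresses (203.0.113.x from the documentation range, 192.168.1.x inside) are placeholders.

```pf
# Added example (not from the thread). Placeholder interfaces and addresses.
ext_if   = "fxp0"
int_if   = "fxp1"
web_ext  = "203.0.113.10"
web_int  = "192.168.1.10"
mail_ext = "203.0.113.11"
mail_int = "192.168.1.11"

set skip on lo0

# 1:1 translation: every port is mapped, but nothing is passed by binat itself
binat on $ext_if from $web_int  to any -> $web_ext
binat on $ext_if from $mail_int to any -> $mail_ext

# default deny, then open exactly what each host needs
block all

# 1) only ssh to the firewall itself
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# 2) only 80/443 to the web server (the filter sees the translated internal address)
pass in on $ext_if proto tcp from any to $web_int port { 80, 443 } flags S/SA keep state

# 3) only 25/143 to the mail server
pass in on $ext_if proto tcp from any to $mail_int port { 25, 143 } flags S/SA keep state

# let the permitted connections continue onto the inside interface
pass out on $int_if proto tcp from any to $web_int  port { 80, 443 } keep state
pass out on $int_if proto tcp from any to $mail_int port { 25, 143 } keep state

# outbound from the protected hosts (for example the mail server delivering mail)
pass in  on $int_if from { $web_int, $mail_int } to any keep state
pass out on $ext_if keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it, and confirm with pfctl -sr that no rule names the whole port list for all three hosts at once: each pass rule should carry one destination and only that host's ports.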
Re: cloned route gets wrong mtu
Solar rays. Toni Mueller wrote: Hello, I just stumbled across a problem where a directly connected host gets a wrong MTU in his route entry in an OpenBSD 3.7 box. Network diagram: openbsd .1 -- linux .2 The two hosts are connected via Fast Ethernet which has a nominal MTU of 1500. The entry for the linux box in the OpenBSD's routing table says that the MTU is only 1428. This wasn't always the case, but occurred "suddenly" - without any known human interference. Manually deleting the route returned operation back to normal (the routing entry now shows a '-' in the MTU column). If you have an idea about how and why such things happen, I'd very much like to know. Thank you! Best, --Toni++
cloned route gets wrong mtu
Hello, I just stumbled across a problem where a directly connected host gets a wrong MTU in his route entry in an OpenBSD 3.7 box. Network diagram: openbsd .1 -- linux .2 The two hosts are connected via Fast Ethernet which has a nominal MTU of 1500. The entry for the linux box in the OpenBSD's routing table says that the MTU is only 1428. This wasn't always the case, but occurred "suddenly" - without any known human interference. Manually deleting the route returned operation back to normal (the routing entry now shows a '-' in the MTU column). If you have an idea about how and why such things happen, I'd very much like to know. Thank you! Best, --Toni++
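The thread (the original message and the reply above) does not say where the 1428-byte MTU came from; one mechanism that writes a per-destination MTU into a cloned host route is path MTU discovery reacting to an ICMP "fragmentation needed" message, which is my reading, not the thread's. What a practitioner wants either way is a way to spot such entries before they are noticed as "suddenly" slow connections. The script below is an added example, not from the thread: it parses the Internet section of netstat -rn, in the column layout of OpenBSD 3.x, and lists cloned host routes whose MTU is below the link MTU of their interface. The sample output is constructed and uses the 192.0.2.0/24 documentation range.

```python
from typing import Dict, List, Tuple

# Constructed sample in the 7-column layout of OpenBSD 3.x "netstat -rn"
# (not output from the thread). A '-' in the Mtu column means "use the interface MTU".
SAMPLE_NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            192.0.2.254        UGS          0    1234      -  fxp0
192.0.2/24         link#1             UC           1       0      -  fxp0
192.0.2.2          00:11:22:33:44:55  UHLc         2    4567   1428  fxp0
192.0.2.254        00:aa:bb:cc:dd:ee  UHLc         1     890      -  fxp0
127/8              127.0.0.1          UGRS         0       0  33224  lo0
127.0.0.1          127.0.0.1          UH           1       5  33224  lo0
"""


def parse_routes(text: str) -> List[Dict[str, str]]:
    """Turn the routing table section of 'netstat -rn' into a list of dicts."""
    routes: List[Dict[str, str]] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Destination"):
            in_table = True          # header line: the table starts below it
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) != 7:
            continue                 # ignore anything that is not a 7-column route line
        dest, gw, flags, _refs, _use, mtu, iface = fields
        routes.append({"dest": dest, "gateway": gw, "flags": flags,
                       "mtu": mtu, "iface": iface})
    return routes


def low_mtu_host_routes(text: str, iface_mtu: Dict[str, int]) -> List[Tuple[str, int]]:
    """Cloned host routes (flags H and c) whose MTU is below the link MTU.

    iface_mtu maps interface name -> link MTU, e.g. {"fxp0": 1500}; a numeric
    Mtu column smaller than that is a per-destination override, which is what
    the thread observed (1428 on a 1500-byte Fast Ethernet link).
    """
    found: List[Tuple[str, int]] = []
    for r in parse_routes(text):
        if "H" not in r["flags"] or "c" not in r["flags"]:
            continue                 # only cloned host entries are of interest
        if not r["mtu"].isdigit():
            continue                 # '-' means no override
        link = iface_mtu.get(r["iface"])
        if link is not None and int(r["mtu"]) < link:
            found.append((r["dest"], int(r["mtu"])))
    return found


if __name__ == "__main__":
    for dest, mtu in low_mtu_host_routes(SAMPLE_NETSTAT_RN, {"fxp0": 1500, "lo0": 33224}):
        print(f"{dest}: route MTU {mtu} below link MTU")
```

On a live box, feed it the real output (for example from `netstat -rn -f inet`) and the MTUs reported by ifconfig; a hit can be cleared the way Toni did, with route delete on the host entry, after which the column shows '-' again.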
Re: NAT/pf before IPSEC
On Wednesday 21 December 2005 02:09, you wrote: >now I need to nat my internal network > to appear to be coming from 10.0.20.254 Is this to accommodate a service of some type or what? Add some more information as there is likely a bunch of ways to do something depending on the expected or required results. Are both ends 3.8? Bob D
problems with via dp
Hi all, I've just installed a 3.8 on a VIA DP system. In 2 days I had 2 crashes of the system :-( The following was the error I had on the display kernel: page fault trap,code=0 stopped ad npxdna_xmm +0x71: movl 0x12c(%ebx),%eax ddb{0}> But don't tell me to send trace and ps... when I get this error I cannot write anymore... :-( I have tried also to compile a Generic kernel with the Debug part on, but every time the error arrives before I end the compilation of the kernel Could you help me please to understand how to make it work? Leo Here is the dmesg ssh 192.168.1.7 Last login: Wed Dec 21 15:09:32 2005 from 192.168.1.5 OpenBSD 3.8 (GENERIC.MP) #298: Sat Sep 10 15:51:54 MDT 2005 Welcome to OpenBSD: The proactively secure Unix-like operating system. Please use the sendbug(1) utility to report bugs in the system. Before reporting a bug, please try to reproduce it with the latest version of the code. With bug reports, please try to ensure that enough information to reproduce the problem is enclosed, and if a known fix for it exists, include that as well. /home/z-lmutt $ dmesg OpenBSD 3.8 (GENERIC.MP) #298: Sat Sep 10 15:51:54 MDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: VIA Nehemiah ("CentaurHauls" 686-class) 1 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,APIC,SEP,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE real mem = 467116032 (456168K) avail mem = 419094528 (409272K) using 4278 buffers containing 23457792 bytes (22908K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(f0) BIOS, date 08/17/05, BIOS32 rev. 0 @ 0xfa2a0 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 70102 dobusy 1 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0xcaf4 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfca40/176 (9 entries) pcibios0: PCI Exclusive IRQs: 10 11 12 pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x8000 0xef000/0x1000!
mainbus0: Intel MP Specification (Version 1.4) (OEM0 PROD) cpu0 at mainbus0: apid 0 (boot processor) cpu0: RNG AES cpu0: apic clock running at 132 MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: VIA Nehemiah ("CentaurHauls" 686-class) 1 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV mainbus0: bus 0 is type PCI mainbus0: bus 1 is type PCI mainbus0: bus 2 is type ISA ioapic0 at mainbus0: apid 2 pa 0xfec0, version 3, 24 pins ioapic0: misconfigured as apic 0, remapped to apic 2 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "VIA PM800 AGP" rev 0x00 pchb1 at pci0 dev 0 function 1 "VIA PM800 Errors" rev 0x00 pchb2 at pci0 dev 0 function 2 "VIA PM800 Host" rev 0x00 pchb3 at pci0 dev 0 function 3 "VIA PM800 DRAM" rev 0x00 pchb4 at pci0 dev 0 function 4 "VIA PM800 PMC" rev 0x00 pchb5 at pci0 dev 0 function 7 "VIA PM800 PCI" rev 0x00 ppb0 at pci0 dev 1 function 0 "VIA VT8377 PCI-PCI" rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 "VIA PM800 Unichrome S3" rev 0x02: aperture at 0xf000, size 0x1000 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) fxp0 at pci0 dev 9 function 0 "Intel 82557" rev 0x10, i82551: apic 2 int 17 (irq 11), address 00:e0:81:55:cf:5f inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4 vge0 at pci0 dev 10 function 0 "VIA VT612x" rev 0x11: apic 2 int 18 (irq 12), address 00:e0:81:55:cf:5d ciphy0 at vge0 phy 1: Cicada CS8201 10/100/1000TX PHY, rev. 
2 pciide0 at pci0 dev 15 function 0 "VIA VT8237 SATA" rev 0x80: DMA pciide0: using apic 2 int 20 (irq 11) for native-PCI interrupt wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide1 channel 0 drive 1 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pciide1:0:1): using PIO mode 4, Ultra-DMA mode 2 pciide1: channel 1 ignored (disabled) uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x81: apic 2 int 21 (irq 10) usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x81: apic 2 int 21 (irq 10) usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x81: apic 2 int 21 (irq 11) usb2 at uhci2: USB revision 1.0 uhub2 at usb2 uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x81: apic 2 int 21 (irq 11) usb3 at u
Re: crypto disk
On Thu, Dec 22, 2005 at 07:32:27PM +0100, Ed White wrote: > Quoting from: http://www.onlamp.com/lpt/a/6384 > > The biggest drawback of svnd is its lack of security in the general use case. > It is vulnerable to an offline dictionary attack. That is, you can generate a > database mapping known ciphertext blocks on the disk back into pass phrases > that can be accessed in O(1) without even being in possession of the disk. > What's even worse is that the same database will work on any svnd disk. It is > possible--and perhaps even likely--that large agencies such as the NSA have > constructed such a database and can crack a majority of the svnds in the > world in less than a second. Well, I'm not a developer nor a crypto expert, but basically that's just a way to do a brute force attack. It can work only with short keys, say with about 64 bits of entropy or less. That's about 16 random alphabets/digits. Building lookup tables for larger keyspaces becomes rapidly unfeasible, so simply use a bigger key and you're safe from this type of attack > The way that one prevents an offline dictionary > attack is to use a salt in conjunction with the pass phrase, and this is what > I did when I wrote CGD by using PKCS#5 PBKDF2. Offline dictionary attacks > have been well-known since at least the '70s, and salting the pass phrase has > been standard practice for over 30 years. Well yes, salting should mitigate the issue Juha
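The two halves of this exchange, the precomputed table that "will work on any svnd disk" and the salt that defeats it, are easy to see in a few lines. The following is an added demonstration, not code from the thread, from svnd or from CGD: a key derived from the pass phrase alone, a PBKDF2 key with a per-disk salt, and a stand-in block cipher (an HMAC, chosen so the example needs only the standard library). The known plaintext block and the toy dictionary are constructed assumptions; the point is only that one table recovers every unsalted disk in a single lookup, while a salted disk forces the table to be rebuilt per disk, paying the iteration count for every candidate.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Assumption for the demo: the attacker can predict one plaintext block of the
# disk in advance (for example an all-zero block of a freshly made filesystem).
KNOWN_PLAINTEXT = b"\x00" * 16

# Constructed toy dictionary standing in for the "database" of pass phrases.
DICTIONARY = ["password", "letmein", "hunter2", "correct horse battery"]

Derive = Callable[[str], bytes]


def unsalted_key(passphrase: str) -> bytes:
    """Key depends on the pass phrase alone, so it is identical on every disk."""
    return hashlib.sha256(passphrase.encode()).digest()


def salted_key(passphrase: str, salt: bytes, iterations: int = 20_000) -> bytes:
    """PKCS#5 PBKDF2, as the CGD quote describes: a per-disk salt plus an iteration count."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for the disk's block cipher: any deterministic keyed function shows the point."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def build_table(derive: Derive) -> Dict[bytes, str]:
    """Offline precomputation: ciphertext of the known block -> pass phrase.

    Built once, with no access to any particular disk.
    """
    return {encrypt_block(derive(p), KNOWN_PLAINTEXT): p for p in DICTIONARY}


def lookup_unsalted(victim_passphrase: str) -> Optional[str]:
    """Without a salt one table gives an O(1) answer for every disk."""
    table = build_table(unsalted_key)
    on_disk = encrypt_block(unsalted_key(victim_passphrase), KNOWN_PLAINTEXT)
    return table.get(on_disk)


def lookup_salted(victim_passphrase: str, disk_salt: bytes, table_salt: bytes) -> Optional[str]:
    """With a per-disk salt the table only answers for the salt it was built with.

    The salt is stored in the clear with the disk, so it is not a secret; its job
    is to make the precomputation non-transferable, so every disk costs a fresh
    run of PBKDF2 over the whole dictionary.
    """
    table = build_table(lambda p: salted_key(p, table_salt))
    on_disk = encrypt_block(salted_key(victim_passphrase, disk_salt), KNOWN_PLAINTEXT)
    return table.get(on_disk)


if __name__ == "__main__":
    print("unsalted:", lookup_unsalted("hunter2"))
    print("salted, table built for another disk:",
          lookup_salted("hunter2", b"disk-A-salt-0001", b"disk-B-salt-0002"))
    print("salted, table rebuilt for this disk:",
          lookup_salted("hunter2", b"disk-A-salt-0001", b"disk-A-salt-0001"))
```

The first call succeeds, the second fails even though the pass phrase is in the dictionary, and the third succeeds only because the table was rebuilt with that disk's own salt. Juha's point about key length and the CGD author's point about salting are complementary: the salt removes the reuse of the table across disks, and the iteration count sets the price of each per-disk rebuild.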