Re: Traffic analysis on a per service basis

2006-03-03 Thread Alexander Bochmann
...on Fri, Mar 03, 2006 at 03:33:53AM +0100, Martin Schröder wrote:

  On 2006-03-02 19:01:13 -0600, eric wrote:
   Best you'll find for reliable traffic accounting (and the most flexible) is
   argus http://www.qosient.com/argus/. I'd recommend that route, then using
  Seems to be quiet since 2004-05 and has its own license :-(

The argus mailing list is still quite active.

Alex.



Re: Backup MX server

2006-03-03 Thread Lars Hansson
On Thursday 02 March 2006 09:03, you wrote:
 Really?  So when the box goes down, just let the mail bounce?

Mail will not start to bounce the moment your box goes down. SMTP was designed 
to be reliable.

 How would it break spamassassin (which is what I use)?

It doesn't.

---
Lars Hansson



help with source-routing

2006-03-03 Thread oliver simon
hi bsd-gurus ...

we are currently trying to set up an openbsd host, and have a problem
with source-routing mechanisms !?

Setup is as following:

(all IPs are examples)

hme1 - 10.50.0.10
hme0 - 217.5.23.69
hme0_alias - 217.5.23.70

default-gw is 10.50.0.1

If you want to connect to e.g. 193.44.25.2, the machine has to go there
with one of its official IPs 217...

How can we solve that problem ? I read a lot about pf and other things,
but nothing I tried is working ...

Is that really only possible by using pf ?

It'd be great if someone could give me a hint, or better, post the line for pf,
if there is really no other way to do that .. !?

System is

OpenBSD 3.8 (GENERIC) #607: Sat Sep 10 16:03:59 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC

on a Sun 220R

Thanks in advance ...

...olli



Re: help with source-routing

2006-03-03 Thread Joachim Schipper
On Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:
 hi bsd-gurus ...
 
 we are currently trying to set up an openbsd host, and have a problem
 with source-routing mechanisms !?
 
 Setup is as following:
 
 (all IPs are examples)
 
 hme1 - 10.50.0.10
 hme0 - 217.5.23.69
 hme0_alias - 217.5.23.70
 
 default-gw is 10.50.0.1
 
 If you want to connect to e.g. 193.44.25.2, the machine has to go there
 with one of its official IPs 217...
 
 How can we solve that problem ? I read a lot about pf and other things,
 but nothing I tried is working ...
 
 Is that really only possible by using pf ?
 
 It'd be great if someone could give me a hint, or better, post the line for pf,
 if there is really no other way to do that .. !?
 
 System is
 
 OpenBSD 3.8 (GENERIC) #607: Sat Sep 10 16:03:59 MDT 2005
 [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
 
 on a Sun 220R

Sounds like a routing table problem - please post the output of route -n
show. In particular, do you have 'default' set to go through hme0?

Joachim



Re: help with source-routing

2006-03-03 Thread Stuart Henderson
On 2006/03/03 13:08, oliver simon wrote:
 we are currently trying to set up an openbsd host, and have a problem
 with source-routing mechanisms !?

PF route-to/reply-to options will ensure the packets are sent out the
correct interface, then you can either setup your software to bind to
the right address (which I know works since I do exactly this myself),
or maybe you could use NAT (not so sure about this, experiment if you
don't hear another answer).

If you get stuck, post back to misc@ with some tcpdump traces and more
information about the setup (maybe ifconfig -a, netstat -rn, pf.conf and
any details you can provide about the app you're trying to route packets
from).



Re: RedHat and Linux emulation

2006-03-03 Thread Reyk Floeter

Ted Unangst wrote:

you can use whatever libraries you like.  what's the point of a more
free distro when the only use for emulation is to run non-free
software?



or non-portable software like OpenOffice

reyk



Re: RedHat and Linux emulation

2006-03-03 Thread Antonios Anastasiadis
By the way, what is the status of the OpenOffice native port?

On 3/3/06, Reyk Floeter [EMAIL PROTECTED] wrote:
 Ted Unangst wrote:
  you can use whatever libraries you like.  what's the point of a more
  free distro when the only use for emulation is to run non-free
  software?
 

 or non-portable software like OpenOffice

 reyk



Re: help with source-routing

2006-03-03 Thread Alexander Bochmann
Hi,

...on Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:

  hme1 - 10.50.0.10
  hme0 - 217.5.23.69
  hme0_alias - 217.5.23.70
  default-gw is 10.50.0.1
  If you want to connect to e.g. 193.44.25.2, the machine has to go there
  with one of its official IPs 217...

Are you sure that's a sane setup? Why do you
want to reach the outside world through an interface 
on a private segment when you have official addresses 
on another interface? And why is there no address 
translation elsewhere between your private segment 
and wherever it connects to the Internet?

  How can we solve that problem ? I read a lot about pf and other things,
  but nothing I tried is working ...

You can NAT the traffic going out through hme1, but you 
will have a nice split routing situation, as the traffic 
flowing back to you will probably come in through hme0.
Not that that's a problem, it just doesn't make any sense.

Alex.



Re: help with source-routing

2006-03-03 Thread oliver simon
Hi Joachim, thanks for helping ...

here's the requested ...

[EMAIL PROTECTED] ~ # route -n show
Routing tables

Internet:
Destination        Gateway            Flags  Refs   Use    Mtu  Interface
default            10.50.0.1          UGS       0  2796      -  hme1
10.32.0/24         10.50.0.2          UGS       0     0      -  hme1
10.50.0/24         link#2             UC        0     0      -  hme1
10.50.0.1          00:11:0a:54:89:44  UHLc      0     0      -  hme1
10.50.0.3          00:11:0a:54:89:44  UHLc      0     0      -  hme1
10.50.0.200        00:0f:20:79:0d:42  UHLc      0     2      -  hme1
10.75.0.0/25       10.8.0.211         UGS       0     0      -  hme0
81.6.70.16/31      10.50.0.1          UGS       0     3      -  hme1
127/8              127.0.0.1          UGRS      0     0  33192  lo0
127.0.0.1          127.0.0.1          UH        0     3  33192  lo0
217.5.23.128/25    link#1             UC        0     0      -  hme0
217.5.23.70        127.0.0.1          UGHS      0     5  33192  lo0
224/4              127.0.0.1          URS       0     0  33192  lo0

Internet6:
Destination        Gateway            Flags  Refs   Use    Mtu  Interface
::/104             ::1                UGRS      0     0      -  lo0
::/96              ::1                UGRS      0     0      -  lo0


Joachim Schipper wrote:
 On Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:
hi bsd-gurus ...

we are currently trying to set up an openbsd host, and have a problem
with source-routing mechanisms !?

Setup is as following:

(all IPs are examples)

hme1 - 10.50.0.10
hme0 - 217.5.23.69
hme0_alias - 217.5.23.70

default-gw is 10.50.0.1

If you want to connect to e.g. 193.44.25.2, the machine has to go there
with one of its official IPs 217...

How can we solve that problem ? I read a lot about pf and other things,
but nothing I tried is working ...

Is that really only possible by using pf ?

It'd be great if someone could give me a hint, or better, post the line for pf,
if there is really no other way to do that .. !?

System is

OpenBSD 3.8 (GENERIC) #607: Sat Sep 10 16:03:59 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC

on a Sun 220R
 
 Sounds like a routing table problem - please post the output of route -n
 show. In particular, do you have 'default' set to go through hme0?
 
   Joachim
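Joachim's question ("do you have 'default' set to go through hme0?") can be answered mechanically from the table above. As an added example that is not part of the thread, a small Python parser for OpenBSD's route -n show output: it finds the interface the default route leaves by and flags the situation discussed here, where only private (RFC 1918) prefixes are attached to that interface while a public prefix sits on another one. The sample input is constructed from oliver's table.

```python
"""Parse OpenBSD 'route -n show' output, find the interface the default
route uses and flag the split-routing situation discussed in the thread:
only private (RFC 1918) prefixes attached to that interface while public
prefixes sit on another one. Added example, not from the thread."""
import ipaddress
import re

# Sample input, constructed from the table oliver posted (IPv4 part, with
# the arp-cache host rows left out).
ROUTE_N_SHOW = """\
Routing tables

Internet:
Destination        Gateway            Flags  Refs   Use    Mtu  Interface
default            10.50.0.1          UGS       0  2796      -  hme1
10.32.0/24         10.50.0.2          UGS       0     0      -  hme1
10.50.0/24         link#2             UC        0     0      -  hme1
10.75.0.0/25       10.8.0.211         UGS       0     0      -  hme0
81.6.70.16/31      10.50.0.1          UGS       0     3      -  hme1
127/8              127.0.0.1          UGRS      0     0  33192  lo0
217.5.23.128/25    link#1             UC        0     0      -  hme0
217.5.23.70        127.0.0.1          UGHS      0     5  33192  lo0
224/4              127.0.0.1          URS       0     0  33192  lo0

Internet6:
Destination        Gateway            Flags  Refs   Use    Mtu  Interface
::/104             ::1                UGRS      0     0      -  lo0
"""

# dest gateway flags refs use mtu interface
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def expand_prefix(dest):
    """route(8) drops trailing zero octets from prefixes ('127/8',
    '10.50.0/24'); restore them so ipaddress can parse the network."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, bits = dest.partition("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.IPv4Network(".".join(octets) + "/" + (bits or "32"),
                                 strict=False)


def parse_routes(text):
    """Return the IPv4 rows as dicts with dest/gateway/flags/iface."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):          # family header: Internet:, Internet6:
            in_v4 = line == "Internet:"
            continue
        m = ROW_RE.match(line) if in_v4 else None
        if m:
            dest, gw, flags, _refs, _use, _mtu, iface = m.groups()
            routes.append({"dest": expand_prefix(dest), "gateway": gw,
                           "flags": flags, "iface": iface})
    return routes


def default_interface(routes):
    for r in routes:
        if r["dest"].prefixlen == 0 and "G" in r["flags"]:
            return r["iface"]
    return None


def attached_networks(routes):
    """Directly connected prefixes: cloning route ('C') with a link# gateway."""
    nets = {}
    for r in routes:
        if "C" in r["flags"] and r["gateway"].startswith("link#"):
            nets.setdefault(r["iface"], []).append(r["dest"])
    return nets


def diagnose(text):
    """Report where 'default' exits and whether outbound traffic will be
    sourced from a private segment although a public prefix exists."""
    routes = parse_routes(text)
    def_if = default_interface(routes)
    nets = attached_networks(routes)
    public_ifs = sorted(i for i, ns in nets.items()
                        if any(not n.is_private for n in ns))
    default_private = def_if in nets and all(n.is_private for n in nets[def_if])
    return {"default_if": def_if, "public_ifs": public_ifs,
            "source_mismatch": default_private and def_if not in public_ifs
                               and bool(public_ifs)}


if __name__ == "__main__":
    print(diagnose(ROUTE_N_SHOW))
```

On the posted table it reports default_if hme1, public_ifs ['hme0'] and source_mismatch True, which is the split between the private default gateway and the official addresses that the rest of the thread tries to work around.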



Re: help with source-routing

2006-03-03 Thread oliver simon
Hi Alex,

Alexander Bochmann wrote:
 Hi,
 
 ...on Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:
 
   hme1 - 10.50.0.10
   hme0 - 217.5.23.69
   hme0_alias - 217.5.23.70
   default-gw is 10.50.0.1
   If you want to connect to e.g. 193.44.25.2, the machine has to go there
   with one of its official IPs 217...
 
 Are you sure that's a sane setup? Why do you
 want to reach the outside world through an interface 
 on a private segment when you have official addresses 
 on another interface? And why is there no address 
 translation elsewhere between your private segment 
 and wherever it connects to the Internet?

It's a server in a DMZ, so we have one host-ip (the private one), but
the machine needs to be connected from the internet (apache) and put
some requests through other .. private-ip-ed Servers/Firewalls to
other apaches. Machine's default gw is a private-ip-ed firewall, but
otherwise we need to connect other servers in the internet. For being
routed back to the machine from the target, the request to the outer
world has to be done by an official ip.

   How can we solve that problem ? I read a lot about pf and other things,
   but nothing I tried is working ...
 
 You can NAT the traffic going out through hme1, but you 
 will have a nice split routing situation, as the traffic 
 flowing back to you will probably come in through hme0.
 Not that that's a problem, it just doesn't make any sense.

Those are my questions .. How can we solve that? Currently, we are using
linux (which shall be replaced through openbsd), and there is no problem
to do that source-routing:

/sbin/ip route add 194.78.111.123/32 via 10.50.0.1 src 217.5.130.99

...olli

 Alex.



Re: RedHat and Linux emulation

2006-03-03 Thread Paul de Weerd
On Thu, Mar 02, 2006 at 11:32:58AM +0100, Hannah Schroeter wrote:
| Hello!
|
| On Thu, Mar 02, 2006 at 09:54:35AM +0100, Ramiro Aceves wrote:
| Just for curiosity, yesterday I was thinking about Linux emulation and
| redhat OpenBSD packages. I would like to know if it is planned to
| switch to some more free Linux distribution like Debian instead of Red
| Hat to be used as the base system for Linux emulation.
|
| In what exact way is Debian more free than Redhat with respect to the
| portions OpenBSD takes for the emulation stuff?

Using another distribution (freely downloadable etc) will make it
easier to update the port in case of security issues after Red Hat
stopped fixing bugs in their legacy RPMs.

Not a very strong point, I agree, but a point nonetheless.

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/




Re: help with source-routing

2006-03-03 Thread Joachim Schipper
On Fri, Mar 03, 2006 at 02:01:22PM +0100, oliver simon wrote:
 Hi Alex,
 
 Alexander Bochmann wrote:
  Hi,
  
  ...on Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:
  
hme1 - 10.50.0.10
hme0 - 217.5.23.69
hme0_alias - 217.5.23.70
default-gw is 10.50.0.1
If you want to connect to e.g. 193.44.25.2, the machine has to go there
with one of its official IPs 217...
  
  Are you sure that's a sane setup? Why do you
  want to reach the outside world through an interface 
  on a private segment when you have official addresses 
  on another interface? And why is there no address 
  translation elsewhere between your private segment 
  and wherever it connects to the Internet?
 
 It's a server in a DMZ, so we have one host-ip (the private one), but
 the machine needs to be connected from the internet (apache) and put
 some requests through other .. private-ip-ed Servers/Firewalls to
 other apaches. Machine's default gw is a private-ip-ed firewall, but
 otherwise we need to connect other servers in the internet. For being
 routed back to the machine from the target, the request to the outer
 world has to be done by an official ip.

Not a very good setup, if I might say so. OpenBSD can do it, but I'd
strongly suggest placing the server in a DMZ (*not* on your internal
network) and using a single connection to internet from there.

Anyway, use pf route-to and reply-to to override the routing table for
select flows. This is a much better idea than the split routing
mentioned below.

How can we solve that problem ? I read a lot about pf and other things,
but nothing I tried is working ...
  
  You can NAT the traffic going out through hme1, but you 
  will have a nice split routing situation, as the traffic 
  flowing back to you will probably come in through hme0.
  Not that that's a problem, it just doesn't make any sense.
 
 Those are my questions .. How can we solve that? Currently, we are using
 linux (which shall be replaced through openbsd), and there is no problem
 to do that source-routing:
 
 /sbin/ip route add 194.78.111.123/32 via 10.50.0.1 src 217.5.130.99

Source routing is evil, don't do it. No sane firewall should accept it,
either.

The proper solution would not change any of the information posted
above, but add something like the following to pf.conf:

out_if=hme1
pass on $out_if from port { http https } reply-to $out_if

A slightly more complex variant can be used to let internal network
servers talk via a split route to the internet.

So, it's quite possible. That does not make it a good idea, though.

Joachim



Re: help with source-routing

2006-03-03 Thread oliver simon
Hi again .. ;-)

Joachim Schipper wrote:
 On Fri, Mar 03, 2006 at 02:01:22PM +0100, oliver simon wrote:
Hi Alex,

Alexander Bochmann wrote:
Hi,

...on Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:

  hme1 - 10.50.0.10
  hme0 - 217.5.23.69
  hme0_alias - 217.5.23.70
  default-gw is 10.50.0.1
  If you want to connect to e.g. 193.44.25.2, the machine has to go there
  with one of its official IPs 217...

Are you sure that's a sane setup? Why do you
want to reach the outside world through an interface 
on a private segment when you have official addresses 
on another interface? And why is there no address 
translation elsewhere between your private segment 
and wherever it connects to the Internet?
It's a server in a DMZ, so we have one host-ip (the private one), but
the machine needs to be connected from the internet (apache) and put
some requests through other .. private-ip-ed Servers/Firewalls to
other apaches. Machine's default gw is a private-ip-ed firewall, but
otherwise we need to connect other servers in the internet. For being
routed back to the machine from the target, the request to the outer
world has to be done by an official ip.
 
 Not a very good setup, if I might say so. OpenBSD can do it, but I'd
 strongly suggest placing the server in a DMZ (*not* on your internal
 network) and using a single connection to internet from there.

Internal Network is another IP-Range ... DMZ has official IPs for the
services and its private ip-range for the hosts themselves.

DMZ: 10.50.0.0/24 + Official IPs for services
Internal(!)Lan: 10.23.0.0/24
DBNet (e.g.): 10.28.0.0/24

and so on ...

 Anyway, use pf route-to and reply-to to override the routing table for
 select flows. This is a much better idea than the split routing
 mentioned below.
  How can we solve that problem ? I read a lot about pf and other things,
  but nothing I tried is working ...

You can NAT the traffic going out through hme1, but you 
will have a nice split routing situation, as the traffic 
flowing back to you will probably come in through hme0.
Not that that's a problem, it just doesn't make any sense.
Those are my questions .. How can we solve that? Currently, we are using
linux (which shall be replaced through openbsd), and there is no problem
to do that source-routing:

/sbin/ip route add 194.78.111.123/32 via 10.50.0.1 src 217.5.130.99
 
 Source routing is evil, don't do it. No sane firewall should accept it,
 either.
 

Why that ? The next hop just sees that there is any IP that wants to go
to wherever !?

 The proper solution would not change any of the information posted
 above, but add something like the following to pf.conf:
 
 out_if=hme1
 pass on $out_if from port { http https } reply-to $out_if

That's all? If we want that not just for http/s, is it just "from any"?

 A slightly more complex variant can be used to let internal network
 servers talk via a split route to the internet.
 
 So, it's quite possible. That does not make it a good idea, though.
 
   Joachim

...olli



Re: help with source-routing

2006-03-03 Thread oliver simon
Does not work ...

After putting your lines in pf.conf, it just puts out a syntax error !?

oliver simon wrote:
 Hi again .. ;-)
 
 Joachim Schipper wrote:
On Fri, Mar 03, 2006 at 02:01:22PM +0100, oliver simon wrote:
Hi Alex,

Alexander Bochmann wrote:
Hi,

...on Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:

hme1 - 10.50.0.10
hme0 - 217.5.23.69
hme0_alias - 217.5.23.70
default-gw is 10.50.0.1
If you want to connect to e.g. 193.44.25.2, the machine has to go there
with one of its official IPs 217...
Are you sure that's a sane setup? Why do you
want to reach the outside world through an interface
on a private segment when you have official addresses
on another interface? And why is there no address
translation elsewhere between your private segment
and wherever it connects to the Internet?
It's a server in a DMZ, so we have one host-ip (the private one), but
the machine needs to be connected from the internet (apache) and put
some requests through other .. private-ip-ed Servers/Firewalls to
other apaches. Machine's default gw is a private-ip-ed firewall, but
otherwise we need to connect other servers in the internet. For being
routed back to the machine from the target, the request to the outer
world has to be done by an official ip.
Not a very good setup, if I might say so. OpenBSD can do it, but I'd
strongly suggest placing the server in a DMZ (*not* on your internal
network) and using a single connection to internet from there.
 
 Internal Network is another IP-Range ... DMZ has official IPs for the
 services and its private ip-range for the hosts themselves.
 
 DMZ: 10.50.0.0/24 + Official IPs for services
 Internal(!)Lan: 10.23.0.0/24
 DBNet (e.g.): 10.28.0.0/24
 
 and so on ...
 
Anyway, use pf route-to and reply-to to override the routing table for
select flows. This is a much better idea than the split routing
mentioned below.
How can we solve that problem ? I read a lot about pf and other things,
but nothing I tried is working ...
You can NAT the traffic going out through hme1, but you 
will have a nice split routing situation, as the traffic 
flowing back to you will probably come in through hme0.
Not that that's a problem, it just doesn't make any sense.
Those are my questions .. How can we solve that? Currently, we are using
linux (which shall be replaced through openbsd), and there is no problem
to do that source-routing:

/sbin/ip route add 194.78.111.123/32 via 10.50.0.1 src 217.5.130.99
Source routing is evil, don't do it. No sane firewall should accept it,
either.

 
 Why that ? The next hop just sees that there is any IP that wants to go
 to wherever !?
 
The proper solution would not change any of the information posted
above, but add something like the following to pf.conf:

out_if=hme1
pass on $out_if from port { http https } reply-to $out_if


[EMAIL PROTECTED] ~ # pfctl -f /etc/pf.conf
/etc/pf.conf:37: syntax error
pfctl: Syntax error in config file: pf rules not loaded
[EMAIL PROTECTED] ~ #


out_if=hme1
pass on $out_if from port { http https } reply-to $out_if

???

 
 That's all? If we want that not just for http/s, is it just "from any"?
 
A slightly more complex variant can be used to let internal network
servers talk via a split route to the internet.

So, it's quite possible. That does not make it a good idea, though.

  Joachim
 
 ...olli



Re: Traffic analysis on a per service basis

2006-03-03 Thread David Elze
On Thursday, 02.03.2006 at 12:29 -0700, Spruell, Darren-Perot wrote:

Hi,

 You would be well served by Netflow graphs. You can get traffic breakdowns
 in a very granular fashion and the right frontend will allow you to drill
 down in a very granular fashion. There are a couple of utils that can give
 you netflow capabilities, including flowd and pfflowd in the ports tree.

Well, tried these and flow-tools (also in the ports tree) in conjunction
with FlowViewer/FlowGrapher but that didn't work out.

pfflowd runs and there is definitely something going on due to
collector.pl (test collector from pfflowd-package). But if I try to use
flow-capture from flow-tools, it creates its directory structure with an
initial file but doesn't fill it with values.

On the other hand, 'flowd -d' breaks with chdir(/nonexistent): No such
file or directory though the only configurable directory seems to be
the one in /etc/flowd.conf which is correct.

CU
  David

--
David Elze Tel:(+49)(0)441 - 36116410
[EMAIL PROTECTED]  Fax:(+49)(0)441 - 36116419
http://www.bytemine.net/   PGP/GPG:  5F83FEA2
bytemine  -  development manufactory for innovative solutions




Sun Ultra 1 and Ultra 5

2006-03-03 Thread Gustavo Rios
Hey folks,

I have a Sun workstation in hand and have never had any previous
experience with Sun hardware before. I would like to redirect the console
to the serial port. These machines are very old, and the hardware
documentation has been lost. It has a serial port, doesn't it?

I was trying to get X working, but no luck. Does anybody have OpenBSD
3.8 running on such hardware? Could you send your xorg.conf file?

thanks.



Re: Traffic analysis on a per service basis

2006-03-03 Thread Joachim Schipper
On Fri, Mar 03, 2006 at 04:28:53PM +0100, David Elze wrote:
 On Thursday, 02.03.2006 at 12:29 -0700, Spruell, Darren-Perot wrote:
 
 Hi,
 
  You would be well served by Netflow graphs. You can get traffic breakdowns
  in a very granular fashion and the right frontend will allow you to drill
  down in a very granular fashion. There are a couple of utils that can give
  you netflow capabilities, including flowd and pfflowd in the ports tree.
 
 Well, tried these and flow-tools (also in the ports tree) in conjunction
 with FlowViewer/FlowGrapher but that didn't work out.
 
 pfflowd runs and there is definitely something going on due to
 collector.pl (test collector from pfflowd-package). But if I try to use
 flow-capture from flow-tools, it creates its directory structure with an
 initial file but doesn't fill it with values.
 
 On the other hand, 'flowd -d' breaks with chdir(/nonexistent): No such
 file or directory though the only configurable directory seems to be
 the one in /etc/flowd.conf which is correct.

I don't know about the rest, but a grep nonexistent /etc/passwd might
prove enlightening. ;-)

Joachim



Re: Traffic analysis on a per service basis

2006-03-03 Thread Michael Schmidt

David Elze wrote:

On Thursday, 02.03.2006 at 12:29 -0700, Spruell, Darren-Perot wrote:

Hi,

You would be well served by Netflow graphs. You can get traffic breakdowns
in a very granular fashion and the right frontend will allow you to drill
down in a very granular fashion. There are a couple of utils that can give
you netflow capabilities, including flowd and pfflowd in the ports tree.

Well, tried these and flow-tools (also in the ports tree) in conjunction
with FlowViewer/FlowGrapher but that didn't work out.

In case I am not misunderstanding you, you may have a look at these ones:

http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html

http://secureideas.sourceforge.net/

http://www.l0t3k.org/security/tools/ids/

It might look a bit like overkill, but perhaps these can help you
collect the services you want and build graphs and more.


Have a nice day
Michael

--
Michael Schmidt MIRRORS:
DJGPP   ftp://ftp.fh-koblenz.de/pub/DJGPP/
Ghostscript ftp://ftp.fh-koblenz.de/pub/Ghostscript/



Re: Traffic analysis on a per service basis

2006-03-03 Thread Reyk Floeter

David Elze wrote:

On the other hand, 'flowd -d' breaks with chdir(/nonexistent): No such
file or directory though the only configurable directory seems to be
the one in /etc/flowd.conf which is correct.



looks like the home directory of the unprivileged flowd _user_.

you should try 'usermod -d flowd-directory flowd-user' or even
'usermod -d /var/empty flowd-user'. i don't know the correct values
for flowd, just try.

reyk



Re: help with source-routing

2006-03-03 Thread Joachim Schipper
On Fri, Mar 03, 2006 at 03:03:23PM +0100, oliver simon wrote:
 Hi again .. ;-)
 
 Joachim Schipper wrote:
  On Fri, Mar 03, 2006 at 02:01:22PM +0100, oliver simon wrote:
 Hi Alex,
 
 Alexander Bochmann wrote:
 Hi,
 
 ...on Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:
 
   hme1 - 10.50.0.10
   hme0 - 217.5.23.69
   hme0_alias - 217.5.23.70
   default-gw is 10.50.0.1
   If you want to connect to e.g. 193.44.25.2, the machine has to go there
   with one of its official IPs 217...
 
 Are you sure that's a sane setup? Why do you
 want to reach the outside world through an interface 
 on a private segment when you have official addresses 
 on another interface? And why is there no address 
 translation elsewhere between your private segment 
 and wherever it connects to the Internet?
 It's a server in a DMZ, so we have one host-ip (the private one), but
 the machine needs to be connected from the internet (apache) and put
 some requests through other .. private-ip-ed Servers/Firewalls to
 other apaches. Machine's default gw is a private-ip-ed firewall, but
 otherwise we need to connect other servers in the internet. For being
 routed back to the machine from the target, the request to the outer
 world has to be done by an official ip.
  
  Not a very good setup, if I might say so. OpenBSD can do it, but I'd
  strongly suggest placing the server in a DMZ (*not* on your internal
  network) and using a single connection to internet from there.
 
 Internal Network is another IP-Range ... DMZ has official IPs for the
 services and its private ip-range for the hosts themselves.
 
 DMZ: 10.50.0.0/24 + Official IPs for services
 Internal(!)Lan: 10.23.0.0/24
 DBNet (e.g.): 10.28.0.0/24

Okay, that makes a little more sense. Still, it's better to let the
gateway device(s) handle the weird networking stuff and let the servers
just chunk out data, at least conceptually, but this at least makes some
sense.

  Anyway, use pf route-to and reply-to to override the routing table for
  select flows. This is a much better idea than the split routing
  mentioned below.
   How can we solve that problem ? I read a lot about pf and other things,
   but nothing I tried is working ...
 
 You can NAT the traffic going out through hme1, but you 
 will have a nice split routing situation, as the traffic 
 flowing back to you will probably come in through hme0.
 Not that that's a problem, it just doesn't make any sense.
 Those are my questions .. How can we solve that? Currently, we are using
 linux (which shall be replaced through openbsd), and there is no problem
 to do that source-routing:
 
 /sbin/ip route add 194.78.111.123/32 via 10.50.0.1 src 217.5.130.99
  
  Source routing is evil, don't do it. No sane firewall should accept it,
 
 Why that ? The next hop just sees that there is any IP that wants to go
 to wherever !?

Well, it allows IP address spoofing. This is not too useful with TCP, as
the handshake cannot be completed, but rather neat where UDP or ICMP is
concerned, for example when (D)DoSing a machine.

  The proper solution would not change any of the information posted
  above, but add something like the following to pf.conf:
  
  out_if=hme1
  pass on $out_if from port { http https } reply-to $out_if
 
 That's all? If we want that not just for http/s, is it just "from any"?

Hmm, yes, but as you noted, you'll want to make that actually work. The
proper rule, according to pfctl -n, on my system, is:

pass out on $out_if reply-to $out_if:0 proto tcp from port { http https }

Sorry, I was a bit too quick the first time round.

Joachim
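Source routing in the sense Joachim objects to is the IPv4 header-option form (LSRR and SSRR, RFC 791), which is what a firewall can recognise and drop. As an added example that is not part of the thread, a Python parser that walks the IPv4 option list and reports whether a packet carries such an option, together with a constructed sample packet that uses addresses from this thread:

```python
"""Detect IPv4 packets that carry a source-route option (LSRR or SSRR,
RFC 791), the header-option form of source routing a firewall can drop.
Added example, not from the thread; the sample packets are constructed."""
import struct

IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # single-byte padding
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route
SOURCE_ROUTE_NAMES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def ipv4_options(packet):
    """Return [(type, payload), ...] for every option in the IPv4 header;
    raise ValueError on headers a kernel would discard as malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad version or IHL")
    opts, out, i = packet[20:ihl * 4], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def source_route(packet):
    """Return (option name, [hop addresses]) for a source-routed packet,
    or None when the header carries no LSRR/SSRR option."""
    for kind, payload in ipv4_options(packet):
        if kind in SOURCE_ROUTE_NAMES:
            # payload = pointer byte, then 4-byte hop addresses
            hops = [".".join(str(b) for b in payload[j:j + 4])
                    for j in range(1, len(payload) - 3, 4)]
            return SOURCE_ROUTE_NAMES[kind], hops
    return None


def ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def lsrr_option(hops):
    """Encode an LSRR option: type, length, pointer (4 = first hop), hops."""
    body = b"".join(ip_bytes(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


def build_ipv4(src, dst, options=b""):
    """Build a header-only IPv4 packet (TTL 64, proto TCP, checksum left 0)
    with the options padded to a 4-byte boundary; constructed sample only."""
    options += bytes([IPOPT_EOL]) * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    head = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                       64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return head + options


# Constructed samples using addresses from the thread: a plain packet and
# one asking to be forwarded via the DMZ gateway and the hme0 address.
PLAIN = build_ipv4("10.50.0.10", "193.44.25.2")
ROUTED = build_ipv4("10.50.0.10", "193.44.25.2",
                    lsrr_option(["10.50.0.1", "217.5.23.69"]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("routed", ROUTED)):
        print(name, source_route(pkt))
```

The Linux ip route ... src line quoted earlier only picks the local source address for a route and adds no such option to the packet; the parser above only reacts to the header option.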



Re: Traffic analysis on a per service basis

2006-03-03 Thread Joachim Schipper
On Fri, Mar 03, 2006 at 05:01:01PM +0100, Reyk Floeter wrote:
 David Elze wrote:
 On the other hand, 'flowd -d' breaks with chdir(/nonexistent): No such
 file or directory though the only configurable directory seems to be
 the one in /etc/flowd.conf which is correct.
 
 
 looks like the home directory of the unprivileged flowd _user_.
 
 you should try 'usermod -d flowd-directory flowd-user' or even
 'usermod -d /var/empty flowd-user'. i don't know the correct values
 for flowd, just try.

Or, probably better, force flowd to use another directory than the one
from /etc/passwd.

Joachim



Re: Sun Ultra 1 and Ultra 5

2006-03-03 Thread Jason Crawford
On 3/3/06, Gustavo Rios [EMAIL PROTECTED] wrote:
 Hey folks,

 I have a Sun workstation in hand and have never had any previous
 experience with Sun hardware before. I would like to redirect the console
 to the serial port. These machines are very old, and the hardware
 documentation has been lost. It has a serial port, doesn't it?

 I was trying to get X working, but no luck. Does anybody have OpenBSD
 3.8 running on such hardware? Could you send your xorg.conf file?

I've run OpenBSD on both, however never with X so I can't help you
there, sorry. But as far as getting serial console to work, all you
have to do is make sure that a keyboard and monitor are NOT plugged
into the back, and a null-modem cable plugged into the serial port A,
and when you boot the box, it'll just work. The great thing about sun
boxes is the serial support, it Just Works.

Jason



Re: Traffic analysis on a per service basis

2006-03-03 Thread David Elze
On Friday, 03.03.2006 at 16:58 +0100, Joachim Schipper wrote:

Hi,

 I don't know about the rest, but a grep nonexistent /etc/passwd might
 prove enlightening. ;-)

Uuups, thanks a lot!

CU
  David

--
David Elze Tel:(+49)(0)441 - 36116410
[EMAIL PROTECTED]  Fax:(+49)(0)441 - 36116419
http://www.bytemine.net/   PGP/GPG:  5F83FEA2
bytemine  -  development manufactory for innovative solutions




Re: RedHat and Linux emulation

2006-03-03 Thread David Terrell
On Fri, Mar 03, 2006 at 01:58:27PM +0100, Paul de Weerd wrote:
 Using another distribution (freely downloadable etc) will make it
 easier to update the port in case of security issues after Red Hat
 stopped fixing bugs in their legacy RPM's.
 
 Not a very strong point, I agree, but a point nonetheless.

Yes, but do these more up to date userlands expect more exotic 
(politely phrased) kernel features that OpenBSD doesn't emulate?



Re: help with source-routing

2006-03-03 Thread Alexander Bochmann
...on Fri, Mar 03, 2006 at 03:03:23PM +0100, oliver simon wrote:

  Internal Network is another IP-Range ... DMZ has official IPs for the
  services and its private ip-range for the hosts themselves.
  DMZ: 10.50.0.0/24 + Official IPs for services
  Internal(!)Lan: 10.23.0.0/24
  DBNet (e.g.): 10.28.0.0/24

Usually, you would do proxying or NAT for the official 
service addresses on your outer gateway. Not much use 
having them on the DMZ network, it just adds unnecessary
complexity. 

Alex.
(Yes, I know that doesn't answer your question :) ...)



Re: Sun Ultra 1 and Ultra 5

2006-03-03 Thread Nick Holland
On Fri, Mar 03, 2006 at 12:51:31PM -0300, Gustavo Rios wrote:
 Hey folks,
 
 i have an sun workstation in hand and had never had a previous
 experience with sun hardare before. I would like redirect console to
 serial port. These machine are very old, and hardware documentation
 has been lost. It has a serial port, doesn't it?
 
already covered by someone else, though I'll put in a plug for 
  http://www.openbsd.org/faq/faq7.html#SerCon

 I was trying to get X working, but no lucky. Does anybody have openbsd
 3.8 running on such hardware? Could you send your xorg.conf file?

Read /usr/X11R6/README on your installed system.

Take the sample xorg.conf file as a starting point, BUT DON'T EXPECT IT
TO WORK.

Now, edit it as indicated by the rest of the README file for your
particular system.  You will be looking at your dmesg several times.  It
should be pretty straightforward, but you WILL NOT be able to just use
the sample config.  (well, I can't say that's true on everything, there
may be some system where the sample config Just Works, but the U5 is not
it.  Not sure about the U1.  Just treat the sample as a starting point,
a framework where you hang your system's details).

Nick.



Re: Sun Ultra 1 and Ultra 5

2006-03-03 Thread Craig

Try this:
http://slashboot.org/openbsd/sparc64-openbsd38-xorg.conf

I've had it working just fine. I now run it without X, as a server.

Hope that helps,

Craig
Gustavo Rios wrote:

Hey folks,

i have a Sun workstation in hand and had never had a previous
experience with Sun hardware before. I would like to redirect the console to
the serial port. These machines are very old, and the hardware documentation
has been lost. It has a serial port, doesn't it?

I was trying to get X working, but no luck. Does anybody have OpenBSD
3.8 running on such hardware? Could you send your xorg.conf file?

thanks.




Re: help with source-routing

2006-03-03 Thread oliver simon
Still no success ...

On the next firewall, tcpdump only shows the private IP-Address from the
bsd-machine, trying to connect the outer world ...

17:51:38.109862 10.50.0.10.47888 > 83.146.78.121.ssh: S
3774377327:3774377327(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 3223610022 0> (DF)

That's where we want to see one of the official IP-Addresses from the
BSD-machine. That's why we need that source-routing ...

Maybe we have to stay with linux there, it's getting much too expensive
to put hours and hours of testing and trying in that project 

Is there no possibility to just tell that bsd-thing to connect with a
specific IP-Address when connecting to, for example, 193.2.4.2 ???

We just want to tell the bsd-machine, to use f.e. hme1_1 (hme1
217.3.3.3; hme1_1 217.3.3.4) when a user ON THE machine wants to ssh to
199.9.9.9, and use hme0 (10.50.0.10) for the normal traffic.

We have to do that, because this machine is a stargate for us, where
f.e. some developers and supporters hop to our customers networks, and
the customers only wanted to open their firewalls for one specific IP.
This IP(s) shall all move to that bsd-machine.

We connect to the private IP on the bsd, and all other (gateway-IPs) in
the dmz are private...

Any help is appreciated ...

Greetings, ...olli


Joachim Schipper wrote:
 On Fri, Mar 03, 2006 at 03:03:23PM +0100, oliver simon wrote:
Hi again .. ;-)

Joachim Schipper wrote:
On Fri, Mar 03, 2006 at 02:01:22PM +0100, oliver simon wrote:
Hi Alex,

Alexander Bochmann wrote:
Hi,

...on Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:

hme1 - 10.50.0.10
hme0 - 217.5.23.69
hme0_alias - 217.5.23.70
default-gw is 10.50.0.1
If you want to connect to e.g. 193.44.25.2, the machine has to go there
with one of its official IPs 217...
Are you sure that's a sane setup? Why do you 
want to reach the outside world through an interface 
on a private segment when you have official addresses 
on another interface? And why is there no address 
translation elsewhere between your private segment 
and wherever it connects to the Internet?
It's a server in a DMZ, so we have one host-ip (the private one), but
the machine needs to be connected from the internet (apache) and put
some requests through other .. private-ip-ed Servers/Firewalls to
other apaches. Machine's default gw is a private-ip-ed firewall, but
otherwise we need to connect other servers in the internet. For being
routed back to the machine from the target, the request to the outer
world has to be done by an official ip.
Not a very good setup, if I might say so. OpenBSD can do it, but I'd
strongly suggest placing the server in a DMZ (*not* on your internal
network) and using a single connection to internet from there.
Internal Network is another IP-Range ... DMZ has official IPs for the
services and its private ip-range for the hosts themselves.

DMZ: 10.50.0.0/24 + Official IPs for services
Internal(!)Lan: 10.23.0.0/24
DBNet (e.g.): 10.28.0.0/24
 
 Okay, that makes a little more sense. Still, it's better to let the
 gateway device(s) handle the weird networking stuff and let the servers
 just chunk out data, at least conceptually, but this at least makes some
 sense.
 
Anyway, use pf route-to and reply-to to override the routing table for
select flows. This is a much better idea than the split routing
mentioned below.
How can we solve that problem ? I read a lot about pf and other things,
but nothing I tried is working ...
You can NAT the traffic going out through hme1, but you 
will have a nice split routing situation, as the traffic 
flowing back to you will probably come in through hme0.
Not that that's a problem, it just doesn't make any sense.
Those are my questions .. How can we solve that ? Currently, we are using
linux (which shall be replaced by openbsd), and there is no problem
to do that source-routing:

/sbin/ip route add 194.78.111.123/32 via 10.50.0.1 src 217.5.130.99
Source routing is evil, don't do it. No sane firewall should accept it,
Why that ? The next hop just sees that there is some IP that wants to go
to wherever !?
 
 Well, it allows IP address spoofing. This is not too useful with TCP, as
 the handshake cannot be completed, but rather neat where UDP or ICMP is
 concerned, for example when (D)DoSing a machine.
 
The proper solution would not change any of the information posted
above, but add something like the following to pf.conf:

out_if=hme1
pass on $out_if from port { http https } reply-to $out_if
Thats all ? If we want that not just for http/s, its just from any ?
 
 Hmm, yes, but as you noted, you'll want to make that actually work. The
 proper rule, according to pfctl -n, on my system, is:
 
 pass out on $out_if reply-to $out_if:0 proto tcp from port { http https }
 
 Sorry, I was a bit too quick the first time round.
 
   Joachim

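The capture above (a private 10.50.0.10 source showing up on the next firewall) and Joachim's remark that a router which simply forwards whatever source address it is handed makes spoofing easy both reduce to one check on the outer gateway: does every SYN leaving towards the Internet carry one of the site's own official addresses? The script below is an added example, not code from this thread or from OpenBSD. It parses tcpdump TCP SYN lines (the first constructed line reproduces the one from the post, the other three are made up), treats the two 217.5.23.x addresses from the first post as the only addresses the host may use, and reports a private source leaking out, a public source the site does not own, and an official address heading back into a private net.

```python
import ipaddress
import re

# Addresses from the thread: the official IPs the DMZ host is allowed to use.
OUR_PUBLIC = {"217.5.23.69", "217.5.23.70"}

# Constructed capture in tcpdump's TCP SYN line format. The first line mirrors
# the one from the post; the remaining three are made up to exercise each verdict.
SAMPLE_CAPTURE = """\
17:51:38.109862 10.50.0.10.47888 > 83.146.78.121.ssh: S 3774377327:3774377327(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3223610022 0> (DF)
17:51:39.000000 217.5.23.70.51000 > 83.146.78.121.ssh: S 1:1(0) win 16384 (DF)
17:51:40.000000 193.44.25.2.40000 > 83.146.78.121.http: S 2:2(0) win 16384 (DF)
17:51:41.000000 217.5.23.69.51001 > 10.23.0.5.smtp: S 3:3(0) win 16384 (DF)
"""

# timestamp src.port > dst.port: S ...   (ports may be numeric or service names)
SYN_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+)\.(?P<sport>\w+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\w+):\s+S\b"
)


def classify(src, dst, allowed):
    """Verdict for one outbound SYN observed on the outside of the DMZ gateway."""
    if src.is_private and not dst.is_private:
        return "leak"       # RFC 1918 source escaping to the Internet: no reply can route back
    if not src.is_private and src not in allowed:
        return "spoofed"    # public source the site does not own: egress filtering should drop it
    if not src.is_private and dst.is_private:
        return "misrouted"  # our official address heading into an internal net: check routing/NAT
    return "ok"


def audit_egress(capture, allowed=OUR_PUBLIC):
    """Parse SYN lines and return (src, dst, verdict) tuples; other lines are skipped."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        findings.append((str(src), str(dst), classify(src, dst, allowed_ips)))
    return findings


if __name__ == "__main__":
    for src, dst, verdict in audit_egress(SAMPLE_CAPTURE):
        print(f"{verdict:10s} {src} -> {dst}")
```

Run against a real `tcpdump -n` capture taken on the gateway's outside interface; anything other than `ok` is either the misconfiguration oliver is chasing (`leak`) or traffic the gateway's egress rules should never have let through.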


Re: Sun Ultra 1 and Ultra 5

2006-03-03 Thread Matthew Weigel

Jason Crawford wrote:


there, sorry. But as far as getting serial console to work, all you
have to do is make sure that a keyboard and monitor are NOT plugged


Actually, just the keyboard has to be unplugged. :-)
--
 Matthew Weigel
 hacker
 [EMAIL PROTECTED]



sun ultra 1 / ultra 5 disk layout

2006-03-03 Thread Gustavo Rios
Here i am again with my new old sun ultra 1 boxes.

When playing with i386 boxes, i used to let a initial 63 sectors for
the boot procedure. So, i never used my whole disk. For sun, i don't
know whether i have to let some space or may just go using from sector
0.

/Thanks in advance.



Re: Sun Ultra 1 and Ultra 5

2006-03-03 Thread Jason Crawford
On 3/3/06, Matthew Weigel [EMAIL PROTECTED] wrote:
 Jason Crawford wrote:

  there, sorry. But as far as getting serial console to work, all you
  have to do is make sure that a keyboard and monitor are NOT plugged

 Actually, just the keyboard has to be unplugged. :-)

Cool since I sold my U5 and I don't have a Sun monitor for my U1, I
could never confirm whether the monitor had to be plugged in or not,
but I figured better safe than sorry. Thanks for confirming.

Jason



Re: Sun Ultra 1 and Ultra 5

2006-03-03 Thread Craig

Or, if you want to keep your keyboard plugged in:

At the Sun PROM ok prompt:
ok setenv input-device ttya
ok setenv output-device ttya

Will set your first com port up for serial console work.
Connect a NULL serial cable to that, and from another machine:

cu -l /dev/cua00 -s 9600

Should let you hook in.

I think that's all correct, my Ultra 5 is powered down at the moment.

Hope that helps,

Craig

Matthew Weigel wrote:

Jason Crawford wrote:


there, sorry. But as far as getting serial console to work, all you
have to do is make sure that a keyboard and monitor are NOT plugged


Actually, just the keyboard has to be unplugged. :-)




Cyrus SASL2 LDAPDB Plugin

2006-03-03 Thread dontek.openbsd
Does anyone know if there are plans to create an individual port for the 
now cyrus-sasl2-ldapdb plugin, similar to the FreeBSD port; or should I 
redirect to @ports?


thanks..



what is next? 3.10 or 4.0???

2006-03-03 Thread Bryan Brake
if the x.x.x versioning is followed 4.0 would mean 
there is a major upgrade to the OS, while 3.10 is 
minor updates.


Just thinking about all the goodies that a 4.x OS 
would mean.


Bryan



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Daniel Ouellet

Bryan Brake wrote:
if the x.x.x versioning is followed 4.0 would mean there is a major 
upgrade to the OS, while 3.10 is minor updates.


Just thinking about all the goodies that a 4.x OS would mean.

Bryan


What was it before. 2.9 to 3.0 or to 2.10???

Each release has major changes as far as I am concerned.



ath and 802.11a

2006-03-03 Thread Fridtjof Busse
Hi
Is anybody using 802.11a with ath? 
The manpage lists a/b/g as working, although g definitely doesn't work
for me, only b does. Now I'm curious if anything besides b actually
works before I buy an antenna for a. 
Or is it just my cards? If not, why isn't there a note about this in
the manpage? 
Thanks.

-- 
Fridtjof Busse
   If you want to stay dad you've got to polish your image. I think the
image we need to create for you is repentant but learning.
-- Calvin



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread STeve Andre'
On Friday 03 March 2006 15:29, Bryan Brake wrote:
 if the x.x.x versioning is followed 4.0 would mean
 there is a major upgrade to the OS, while 3.10 is
 minor updates.

 Just thinking about all the goodies that a 4.x OS
 would mean.

 Bryan

This was beaten to death five years ago.  What happened after the 2.9
release?  Using a little logic it shouldn't be too hard to figure it out...

--STeve Andre'



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Adam
On Fri, 03 Mar 2006 12:29:46 -0800 Bryan Brake [EMAIL PROTECTED] wrote:

 if the x.x.x versioning is followed 4.0 would mean 
 there is a major upgrade to the OS, while 3.10 is 
 minor updates.

Hmm, I wonder if this question was asked 5 years ago when 2.9 was
the latest release...

 Just thinking about all the goodies that a 4.x OS 
 would mean.

Yep, the developers magically do more in the 6 months preceding 4.0
than the 6 months preceding any other release.  That's definitely how
it works.

Adam



This is an automatic e-mail

2006-03-03 Thread central
This is an automatic e-mail

Hello from Barcelona,

Thanks for sending your message (e-mail, accommodation form, etc.).
This is to acknowledge we have received it.
We'll be answering you very soon.
We remind you that our office is open from Monday to Friday, from 9am to 7pm, 
and on Saturdays from 9am to 2pm.
We are closed on Sundays and local holidays (1st and 6th of January, Easter 
holidays, 12th June, 15th August, 11th and 24th September, 12th October, 1st 
November, 6th and 8th December, 25th and 26th December, 1st January).

Best regards.

Barcelona On Line


Servicio de Reservas / Booking Service
http://www.barcelona-on-line.es/cas/reserves/index.htm
Barcelona On Line, la Guia Interactiva de Barcelona
http://www.barcelona-on-line.es
Barcelona On Line, the city guide of Barcelona
http://www.barcelona-on-line.es/eng/index.asp

Barcelona On Line SL
Gran Vía de les Corts Catalanes 662, 1er 1a - 08010 Barcelona - Spain
Phone: 34 93 343 79 93
Fax: 34 93 317 11 55
E-mail: [EMAIL PROTECTED]



Re: ath and 802.11a

2006-03-03 Thread Theo de Raadt
 Is anybody using 802.11a with ath? 
 The manpage lists a/b/g as working, although g definitely doesn't work
 for me, only b does. Now I'm curious if anything besides b actually
 works before I buy an antenna for a. 
 Or is it just my cards? If not, why isn't there a note about this in
 the manpage? 

There are many different models of the ath hardware.  Not everything
works perfectly -- but much of it does work.  I think it is a bad
thing to make simplified statements like you did above.

Without specific model information *taken right out of dmesg*, no one
will be able to help you.  And your mail joins the archive, feeding
future pessimism, which it should not really do.



Re: ath and 802.11a

2006-03-03 Thread Fridtjof Busse
* Theo de Raadt [EMAIL PROTECTED]:
  Is anybody using 802.11a with ath? 
  The manpage lists a/b/g as working, although g definitely doesn't
  work for me, only b does. Now I'm curious if anything besides b
  actually works before I buy an antenna for a. 
  Or is it just my cards? If not, why isn't there a note about this in
  the manpage? 
 
 There are many different models of the ath hardware.  Not everything
 works perfectly -- but much of it does work.  I think it is a bad
 thing to make simplified statements like you did above.

Well, there was a thread some weeks ago that stated that 802.11g
generally doesn't work with ath (in Hostap and 802.11g):
no, only 11b with atheros. there is no implementation for 11g in
openbsd.
Or does g only not work in hostap?

 Without specific model information *taken right out of dmesg*, no one
 will be able to help you.  

ath0 at pci0 dev 13 function 0 Atheros AR5212 rev 0x01: irq 12
ath0: AR5212 5.9 phy 4.3 rf5112 3.6, FCC1A, address 00:0b:6b:36:00:dc

That's a Wistron CM 9. Any chance of getting a working on this type of
card?
-- 
Fridtjof Busse
   YAAH! DEATH TO OATMEAL!
  -- Calvin



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Theo de Raadt
 Yep, the developers magically do more in the 6 months preceding 4.0
 than the 6 months preceding any other release.  That's definitely how
 it works.

We've been holding back about 50% of our work for each of the previous
4 releases, and now we are going to throw all those very large things
into what will become 4.0.  It is going to be a fantastic catastrophe,
exactly like what all of you .0 release people expect.

Right...  Get a grip.



basic routing in 192.168/16

2006-03-03 Thread Harry Putnam
I'm not sure which way to jump with this question which is a
reflection of unskilled, inexperienced networking background.

This may not even be the right way to do it.

First:  This is all something of a training exercise and not
an important production setup.

Summary:  
I'm attempting to add a second nic and address on a machine running
current.  I also run an authoritative nameserver on a separate machine
not running bsd but running bind-9.3.2.  So this problem may slop over
into the named setup on a gentoo linux box.

A simple diagram will convey more than a description: The prefix to all
displayed IPs is 192.168, but be aware it is simplified ... there are
more machines involved.

                 INTERNET
                    | (Dynamic IP)
                    |
       NETGEAR (consumer grade router FVS-318)
                    | 0.20
      ------------------------------------------
      | 0.4        | 0.3        | 0.5        | 0.19
   [ m1 ]       [ m2 ]       [ m3 ]       [ m4 ]
      | 1.2                                 | 1.1
      |----------- Unswitched hub -----------|

So the far right (m4) is the obsd machine and is sent copies of all
connections that come to NETGEAR.  All incoming on that interface is
blocked and logged (0.19).  Out on that interface is passed keeping
state.

In and out are passed with no restrictions on 1.1.  This line
in /etc/sysctl.conf is not uncommented nor is it set manually.
   # net.inet.ip.forwarding=1 # 1=Permit [...] 

I've tried to set this up all under one domain so my network would end
up 192.168/16  all under `local.lan'.  I'm not sure that is the best
way to go but it seemed to be easier to set up bind on the other computer
this way.  Or I should say I lacked examples for doing it. While going 
net/16 is similar to the examples in `DNS and Bind 4th. ed'.

/etc/hostname.* look like:
/etc/hostname.rl0  /etc/hostname.xl0
  192.168.0.19 255.255.0.0   192.168.1.1 255.255.0.0

/etc/mygate
  192.168.0.20

So how do I keep stuff from happening like firing up 
`lynx www.google.com'  and not being able to connect because 
192.168.1.1  tries to handle it?

I think I'm missing specific routing for 1.1.
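Both hostname.* files above carry a 255.255.0.0 mask, and /etc/mygate points at an address that then falls inside both connected networks; that is the kind of thing worth checking mechanically before bind or pf get any attention. The script below is an added example, not code from this thread or from OpenBSD. It parses the hostname.* contents and /etc/mygate exactly as posted (the `inet` keyword that hostname.if(5) files normally start with is accepted as well, an assumption of the parser), reports interface pairs whose connected networks overlap, and reports a default gateway that is reachable through more than one interface or through none.

```python
import ipaddress

# Constructed from the post: the two hostname.* files and /etc/mygate.
HOSTNAME_FILES = {
    "rl0": "192.168.0.19 255.255.0.0\n",
    "xl0": "192.168.1.1 255.255.0.0\n",
}
MYGATE = "192.168.0.20\n"


def parse_hostname_if(text):
    """Return the IPv4 interface (address + mask) configured in a hostname.if-style file.

    Accepts both 'inet ADDR MASK' and the bare 'ADDR MASK' form shown in the post.
    Assumption: one IPv4 address line per file; comments and other lines are ignored.
    """
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "inet":
            parts = parts[1:]
        if len(parts) >= 2:
            return ipaddress.ip_interface(f"{parts[0]}/{parts[1]}")
    raise ValueError("no IPv4 address line found")


def audit_routing(hostname_files, mygate):
    """Return a list of problems: overlapping connected networks and an unusable gateway."""
    ifaces = {name: parse_hostname_if(text) for name, text in hostname_files.items()}
    gw = ipaddress.ip_address(mygate.strip())
    names = sorted(ifaces)
    problems = []
    # Every pair of interfaces must own disjoint prefixes, otherwise the kernel
    # has two connected routes for the same destinations and only one can win.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(
                    f"{a} ({ifaces[a]}) and {b} ({ifaces[b]}) overlap: "
                    f"{ifaces[a].network} vs {ifaces[b].network}"
                )
    # The default gateway must sit on exactly one directly connected network.
    on = [n for n in names if gw in ifaces[n].network]
    if not on:
        problems.append(f"default gateway {gw} is not on any directly connected network")
    elif len(on) > 1:
        problems.append(
            f"default gateway {gw} lies in the networks of {', '.join(on)}: "
            "the default route is ambiguous"
        )
    return problems


if __name__ == "__main__":
    for p in audit_routing(HOSTNAME_FILES, MYGATE):
        print(p)
```

With the masks from the post the check reports both an overlap and an ambiguous gateway; with a /24 on each interface it reports nothing, which is the configuration the two-segment diagram actually describes.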



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread L. V. Lammert

At 02:04 PM 3/3/2006 -0700, Theo de Raadt wrote:

 Yep, the developers magically do more in the 6 months preceding 4.0
 than the 6 months preceding any other release.  That's definately how
 it works.

We've been holding back about 50% of our work for each of the previous
4 releases, and now we are going to throw all those very large things
into what will become 4.0.  It is going to be a fantastic catastrophe,
exactly like what all of you .0 release people expect.

Right...  Get a grip.


You've been saving Adaptec & Promise raidctl for 4.0, right?

Lee



Re: ath and 802.11a

2006-03-03 Thread Andrew Smith
Seconded (as if I needed to with Theo responding :P)

I have an old Atheros based cardbus adaptor that will supposedly do b+g but
I know for a fact not a, check the specs of the device please and do as Theo
asks... dmesg is useful.

Having said that... Theo it may interest you that the man page says that 3
devices are supported and it states for each that 802.11a is supported..
(AR5210, AR5211 and AR5212).. this may just mean that the driver has moved
beyond the man page but I believe OpenBSD man pages are the best and most
accurate so maybe this needs some updates.

-Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Theo de Raadt
Sent: 03 March 2006 20:48
To: Fridtjof Busse
Cc: misc@openbsd.org
Subject: Re: ath and 802.11a 

 Is anybody using 802.11a with ath? 
 The manpage lists a/b/g as working, although g definitely doesn't work
 for me, only b does. Now I'm curious if anything besides b actually
 works before I buy an antenna for a. 
 Or is it just my cards? If not, why isn't there a note about this in
 the manpage? 

There are many different models of the ath hardware.  Not everything
works perfectly -- but much of it does work.  I think it is a bad
thing to make simplified statements like you did above.

Without specific model information *taken right out of dmesg*, no one
will be able to help you.  And your mail joins the archive, feeding
future pessimism, which it should not really do.



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Daniel Ouellet

This was beaten to death five years ago.  What happened after the 2.9
release?  Using a little logic it shouldn't be too hard to figure it out...


Plus it is in the OpenBSD efficiency model too! Typing 4.0 is shorter 
than typing 3.10. That's 33% more text to type. My fingers would be tied 
each time I would have to type that.


And I am not even talking about all the Linux newcomers that can't see 
the difference between 3.7 and 3.8 for example. Now you would require 
them to read one more digit? That's asking too much...


Plus think about all the art work, cd cover, t-shirt, etc. All would 
become unbalanced now.


Isn't the motto that less code is better in OpenBSD? Think about what 
you are asking here.


Put 33% more code in the next release for what?

And finally, all the parsers for the dmesg for the 12K plus in archive 
would need to be reworked to process one more digit. Where is the 
efficiency in that!


Plus:

OpenBSD 4.0 (GENERIC) #675: Thu Nov 1 00:00:00 MST 2006

Looks a lot better than

OpenBSD 3.10 (GENERIC) #675: Thu Nov 1 00:00:00 MST 2006

Looks too much GNU to me! (:

Daniel.

PS: Just practicing my sarcasm a bit here.



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread dontek.openbsd

L. V. Lammert wrote:

At 02:04 PM 3/3/2006 -0700, Theo de Raadt wrote:

 Yep, the developers magically do more in the 6 months preceding 4.0
 than the 6 months preceding any other release.  That's definitely how
 it works.

We've been holding back about 50% of our work for each of the previous
4 releases, and now we are going to throw all those very large things
into what will become 4.0.  It is going to be a fantastic catastrophe,
exactly like what all of you .0 release people expect.

Right...  Get a grip.


You've been saving Adaptec & Promise raidctl for 4.0, right?

Lee


Yes!  along with sexd, a new daemon which will support a wide range of 
teledildonics devices.




Re: basic routing in 192.168/16

2006-03-03 Thread Bryan Irvine
uh, what did you just say?  I don't understand.

What are you trying to do?

why would you need a second name server on your local LAN?  The
netgear can only port forward for one.  Are you trying to route
between the 2 nics on the OBSD machine?

Gmail b0rked your ASCII diagram.

--Bryan


On 3/3/06, Harry Putnam [EMAIL PROTECTED] wrote:
 I'm not sure which way to jump with this question which is a
 reflection of unskilled, inexperienced networking background.

 This may not even be the right way to do it.

 First:  This is all something of a training exercise and not
 an important production setup.

 Summary:
 I'm attempting to add a second nic and address on a machine running
 current.  I also run an authoritative nameserver on a separate machine
 not running bsd but running bind-9.3.2.  So this problem may slop over
 into the named setup on a gentoo linux box.

 A simple diagram will convey more than a description: The prefix to all
 displayed IPs is 192.168, but be aware it is simplified ... there are
 more machines involved.

  INTERNET
| (Dynamic IP)
|
 NETGEAR (consumer grade router FVS-318)
| 0.20
   --
   | 0.4| 0.3  | 0.5| 0.19
   ||  ||
 [ m1 ]   [ m2 ] [ m3 ]   [ m4 ]
   | 1.2| 1.1
   | Unswitched hub |

 So the far right (m4) is the obsd machine and is sent copies of all
 connections that come to NETGEAR.  All incoming on that interface is
 blocked and logged (0.19).  Out on that interface is passed keeping
 state.

 In and out are passed with no restrictions on 1.1.  This line
 in /etc/sysctl.conf is not uncommented nor is it set manually.
# net.inet.ip.forwarding=1 # 1=Permit [...]

 I've tried to set this up all under one domain so my network would end
 up 192.168/16  all under `local.lan'.  I'm not sure that is the best
 way to go but it seemed to be easier to setup bind on the other computer
 this way.  Or I should say I lacked examples for doing it. While going
 net/16 is similar to the examples in `DNS and Bind 4th. ed'.

 /etc/hostname.* look like:
 /etc/hostname.rl0  /etc/hostname.xl0
   192.168.0.19 255.255.0.0   192.168.1.1 255.255.0.0

 /etc/mygate
   192.168.0.20

 So how do I keep stuff from happening like firing up
 `lynx www.google.com'  and not being able to connect because
 192.168.1.1  tries to handle it?

 I think I'm missing specific routing for 1.1.



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Matthias Kilian
On Fri, Mar 03, 2006 at 12:29:46PM -0800, Bryan Brake wrote:
 Just thinking about all the goodies that a 4.x OS 
 would mean.

a) 4 is the first non-prime, at least according to factor(6).

b) you need three bits for the number 4, so the 4.x release will
   bust the current two bit major version number limit.

As a consequence, the whole universe will disappear in november 2006.

So don't hesitate to order 3.9 CDs -- it may be your last chance.

(SCNR)

Ciao,
Kili



Zero Risk Invitation for Realtors and Mtg People

2006-03-03 Thread Mr. Real Estate
Hi Realtors,

Here is the invitation -- you cannot lose.

I am giving you 50,000 FSBO leads ...

OK, 50,000 leads from the whole country.
Larger states have more leads, smaller states
have fewer leads - logical.

Here's the deal ...

Order the March CD. Use the leads. Review the
Monthly Marketing Tip. If you don't like it
or cannot use it - whatever the reason, send
it back for a full refund of the purchase
price. And still keep thousands of leads.
I'll even include a return label.

The only risk you have is 87 cents for return
postage versus a slew of leads you can use to
generate business for you.

It can't get much better than that. But,
first, get the details at ...

5 Leads

George P.
Mr. Real Estate

P.S. I don't believe there is a better deal
available.

P.P.S. No risk to you. All the risk is on
me. Don't let this pass you by ...

5 Leads

BHP Inc, 8983 Okeechobee Blvd, West Palm Beach, FL 33411



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Bryan Irvine
snip
 b) you need three bits for the number 4, so the 4.x release will
bust the current two bit major version number limit.
snip

this is the best response so far. LOL!


--Bryan



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Bob Beck
* Bryan Brake [EMAIL PROTECTED] [2006-03-03 13:39]:
 if the x.x.x versioning is followed 4.0 would mean 
 there is a major upgrade to the OS, while 3.10 is 
 minor updates.
 
Why would 4.0 mean that? Where does it say that?
Unmitigated horseshit - an OpenBSD release is an OpenBSD
release.

 Just thinking about all the goodies that a 4.x OS 
 would mean.

3.A

-Bob



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Reid Nichol
--- Jean-Sébastien Bour [EMAIL PROTECTED] wrote:
 Matthias Kilian wrote:
  a) 4 is the first non-prime, at least according to factor(6).

 No, it is 1 :)
 Explanation : a prime number can only be divided by two different 
 numbers : 1 and itself. 1 can only be divided by one number,
 therefore it is not prime.

Wrong.

You got the definition of what a prime number is wrong.  A prime number
is defined as a positive integer greater than one which has positive
divisors 1 and itself, only.

Please note that using your definition 7 is not prime because -7, -1, 1
and 7 all divide 7.

I suggest at least looking into elementary number theory before making
such statements again.
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



Re: basic routing in 192.168/16

2006-03-03 Thread Chris Smith
On Friday 03 March 2006 16:46, Bryan Irvine wrote:
 Gmail b0rked your ASCII diagram.

Looks fine here when viewed with a fixed font, at least I think it does, 
but I'm not sure what the question is either. I also fail to see the 
logic in sending copies of connections to the netgear to the obsd box 
when instead the obsd box could replace the netgear and itself receive 
the connections; which was already covered in another thread.

Chris



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Jean-Sébastien Bour

Reid Nichol wrote:

--- Jean-Sébastien Bour [EMAIL PROTECTED] wrote:

Matthias Kilian wrote:

a) 4 is the first non-prime, at least according to factor(6).

No, it is 1 :)
Explanation : a prime number can only be divided by two different 
numbers : 1 and itself. 1 can only be divided by one number,
therefore it is not prime.

Wrong.

You got the definition of what a prime number is wrong.  A prime number
is defined as a positive integer greater than one which has positive
divisors 1 and itself, only.

Please note that using your definition 7 is not prime because -7, -1, 1
and 7 all divide 7.

I suggest at least looking into elementary number theory before making
such statements again.

No no not wrong, indeed I didn't talk about being positive. But being 
prime is being positive (should have said it I agree) and having EXACTLY 
TWO different divisors.  And if 1 were prime you wouldn't have only one 
unique decomposition in prime numbers ;) (for example, is 45 = 3x3x5 or 
1x3x3x5 or 1x1x1x3x3x5 or... ?) It would crush many things down about 
arithmetics.


Luckily I have learnt some things during my two year special scientific 
studies (heard about Classes préparatoires in France ?) and this is 
one of those.




Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Steve Shockley

L. V. Lammert wrote:

You've been saving Adaptec & Promise raidctl for 4.0, right?


That, and NdisWrapper support.



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Peter Valchev
 No no not wrong, indeed I didn't talk about being positive. But being 
 prime is being positive (should have said it I agree) and have EXACTLY 
 TWO different divisors.  And if 1 were prime you wouldn't have only one 
 unique decomposition in prime numbers ;) (for example, is 45 = 3x3x5 or 
 1x3x3x5 or 1x1x1x3x3x5 or... ?) It would crush many things down about 
 arithmetics.
 
 Luckily I have learnt some things during my two year special scientific 
 studies (heard about Classes préparatoires in France ?) and this is 
 one of those.

Damn you are so elite.  Now what does this have to do with OpenBSD?



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Reid Nichol
--- Jean-Sébastien Bour [EMAIL PROTECTED] wrote:
 Reid Nichol wrote:
  --- Jean-Sébastien Bour [EMAIL PROTECTED] wrote:

  Matthias Kilian wrote:
  
  a) 4 is the first non-prime, at least according to factor(6).


  No, it is 1 :)
  Explanation : a prime number can only be divided by two different 
  numbers : 1 and itself. 1 can only be divided by one number,
  therefore it is not prime.
  
 
  Wrong.
 
  You got the definition of what a prime number is wrong.  A prime
  number is defined as a positive integer greater than one which has
  positive divisors 1 and itself, only.
 
  Please note that using your definition 7 is not prime because -7,
  -1, 1 and 7 all divide 7.
 
  I suggest at least looking into elementary number theory before
  making such statements again.
 

 No no not wrong, indeed I didn't talk about being positive. But being
 prime is being positive (should have said it I agree) and have
EXACTLY 
 TWO different divisors.  And if 1 were prime you wouldn't have only
 one unique decomposition in prime numbers ;) (for example, is 45 =
 3x3x5 or 1x3x3x5 or 1x1x1x3x3x5 or... ?) It would crush many things
 down about arithmetics.
 
 Luckily I have learnt some things during my two year special
 scientific studies (heard about Classes préparatoires in France ?)
 and this is one of those.
 
 

Point of fact, your definition did /not/ state that a prime number had
to be positive.

Point of fact, your definition did /not/ state that the divisors must
be positive as well.

Perhaps you should've spent more time listening in class.  Or even just
listening to me.  Or look it up at mathworld, or wikipedia.  They all
prove that your definition is *wrong*.

Perhaps those classes that you supposedly took should teach something
about mathematics aside from just using them.



best regards,
Reid Nichol

We're in a giant car heading into a brick wall at 100 miles/hr and
everybody's arguing about where they want to sit.
-David Suzuki



os detection of NMAP not working

2006-03-03 Thread Chris Smith
Pf's os detection of NMAP isn't working with NMAP 4.01. Pf detects NMAP 
3.81 fine but not version 4.01. I don't have any other versions so I 
don't know exactly which or at which version it stops working. This is 
with OpenBSD 3.8, but the NMAP specific signatures in the cvs pf.os 
seem identical.

Where can updated signatures be found or how can they be generated?

Thanks.

Chris



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Reid Nichol
I find it interesting that you didn't send this entirely condescending
superior reply to the list.  Now why is that?


--- Matthew Weigel [EMAIL PROTECTED] wrote:
 Reid Nichol wrote:
 
  I suggest at least looking into elementary number theory before
 making such statements again.
 
 You might want to look into same, especially if you think you've
 already looked into number theory enough to discuss the subject.
 
 #1: he didn't say what a number was.

We are talking about mathematics, NOT philosophy.


 In elementary number theory, numbers are usually the set of
 positive integers, including or not including 0 depending on
 circumstance.

And you even use the usually.  Perhaps you should check out the
definition of divisibility and what a divisor is before you make such a
comment.

Even sticking to the positive integers if a divides b (written a|b) if
and only if there is an integer d such that ad=b.

Notice the word integer in there.  Notice the word positive is NOT in
there.

So, -7 is a divisor of 7 because (-7)(-1)=7.  We /must/ restrict the
divisors to positive numbers.  Which is what the original poster didn't
do.

Or didn't you notice that?

And what does 0 (another special case) have to do with this
conversation?


 #2: these definitions are fluid - by some definitions, '1' *is*
 prime, and by others it isn't.  The question really depends on a
 particular mathematical writer's view, because it really has no impact
 on the interesting results of elementary number theory.

Really.  Point to a reference.  Because the wikipedia and mathworld
agree with my definition.   Not to mention all my professors and every
text that I've come across.


 #3: you are a lot more condescending than your demonstrated knowledge
 warrants.

Deja vu.


 -- 
   Matthew Weigel
   hacker
   [EMAIL PROTECTED]
 

Someone who puts hacker into their signature to describe themselves
really shouldn't be making such comments.

best regards,
Reid Nichol

We're in a giant car heading into a brick wall at 100 miles/hr and
everybody's arguing about where they want to sit.
-David Suzuki



Relaydb question

2006-03-03 Thread Steve Shockley
I'm using relaydb to scan through my mailbox (maildir format) to 
whitelist and blacklist.  I do something like this in my Inbox:


for message in "$MAILBASE"/cur/*
do
	# feed each maildir file to relaydb on stdin; quoting keeps odd filenames intact
	/usr/local/bin/relaydb -vwf /var/spamd/relaydb < "$message"
done

The problem with this is that I keep messages in my Inbox; so, every 
time relaydb runs, it increments the white counter for all the messages, 
not just the ones it hasn't seen.


Is there any way to make relaydb only work on those files/messages that 
it hasn't previously seen?
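One way to get the behaviour asked for above, as an added example that is not part of the original post: remember the maildir key of every message already fed to relaydb in a state file and skip those keys on later runs, so a re-run only increments the counters for messages that are actually new. It assumes the maildir layout and relaydb invocation from the post; the state file path, the RELAYDB override and the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): feed relaydb only the maildir
# messages it has not seen before, by remembering each processed message's
# maildir key in a state file. Assumptions: the maildir layout and relaydb
# invocation from the post; the state file path and the RELAYDB override
# are this example's own.

RELAYDB="${RELAYDB:-/usr/local/bin/relaydb -vwf /var/spamd/relaydb}"
SEEN="${SEEN:-$HOME/.relaydb-seen}"

# maildir_key: the unique part of a maildir filename, i.e. everything before
# the ":2,<flags>" suffix, so that marking a message read or replied (which
# renames the file) does not make it look like a new message.
maildir_key() {
    basename "$1" | sed 's/:.*//'
}

# whitelist_new DIR: run relaydb over every file in DIR/cur whose key is not
# yet in $SEEN; record the key only if relaydb succeeded, so a failed run
# is retried next time. Prints the number of newly processed messages.
whitelist_new() {
    dir="$1"
    count=0
    touch "$SEEN"
    for message in "$dir"/cur/*; do
        [ -f "$message" ] || continue
        key=$(maildir_key "$message")
        # -F fixed string, -x whole line, -q no output
        if grep -qxF "$key" "$SEEN"; then
            continue
        fi
        # $RELAYDB is word-split on purpose so it can carry its flags
        if $RELAYDB < "$message"; then
            echo "$key" >> "$SEEN"
            count=$((count + 1))
        fi
    done
    echo "$count"
}
```

Call it as `whitelist_new "$MAILBASE"` in place of the loop in the post; removing the state file makes every message count once more.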




Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Craig Hammond
Come on.
Hasn't the OpenBSD marketing department caught on yet.

OpenBSD XP or OpenBSD Vista is the obvious choice.

Like Windows Vista, there could be 5 versions of OpenBSD Vista.
http://www.microsoft.com/windowsvista/versions/default.mspx

OpenBSD Vista - Home Basic. (aka. Vista Home, Dave Fuestel)
Same as Home - Premium, but has all the man pages deleted to save
valuable space.

OpenBSD Vista - Home Premium
Has some of the advanced networking features turned off, but don't
worry, you don't need them anyway.

OpenBSD Vista - Business
Same as the current standard OpenBSD

OpenBSD Vista - Ultimate
Same as Business, but comes with a few multimedia packages included in
the base install

OpenBSD Vista - Enterprise.
Comes in a 15 CD Set. Each CD is only a third full, but it looks
impressive and costs 10 times as much.



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread dick
OpenBSD Vista - Home Basic. (aka. Vista Home, Dave Fuestel)
Same as Home - Premium, but has all the man pages deleted to save
valuable space.

LOL! there could be a special mailing list for Vista users: [EMAIL PROTECTED]



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread dick
 Original message 
Date: Sat, 04 Mar 2006 00:19:33 +0100
From: Jean-Sébastien Bour [EMAIL PROTECTED]  
Subject: Re: what is next?  3.10 or 4.0???  
To: misc@openbsd.org

Reid Nichol wrote:
 --- Jean-Sébastien Bour [EMAIL PROTECTED] wrote:
   
 Matthias Kilian wrote:
 
 a) 4 is the first non-prime, at least according to factor(6).
   
   
 No, it is 1 :)
 Explanation : a prime number can only be divided by two different 
 numbers : 1 and itself. 1 can only be divided by one number,
 therefore it is not prime.
 

 Wrong.

 You got the definition of what a prime number is wrong.  A prime number
 is defined as a positive integer greater than one which has positive
 divisors 1 and itself, only.

 Please note that using your definition 7 is not prime because -7, -1, 1
 and 7 all divide 7.

 I suggest at least looking into elementary number theory before making
 such statements again.


   
No no not wrong, indeed I didn't talk about being positive. But being 
prime is being positive (should have said it, I agree) and having EXACTLY 
TWO different divisors.  And if 1 were prime you wouldn't have only one 
unique decomposition in prime numbers ;) (for example, is 45 = 3x3x5 or 
1x3x3x5 or 1x1x1x3x3x5 or... ?) It would bring much of arithmetic 
crashing down.

nobody here is arguing that 1 IS prime. more transparently, the ideal generated
by (1) is NOT a prime ideal (it's the whole ring). also, a factorization in a
UFD is only unique up to multiplication by a unit. i think 1 is a unit, i'm not
sure... :P


Luckily I have learnt some things during my two year special scientific 
studies (heard about Classes préparatoires in France ?) and this is 
one of those.


i assume you also learned about throwing out irrelevant egomaniacal chaff
whenever you're feeling insecure about your mathematical inabilities in your
advanced courses. how french, how academic!



Re: Squid QOS

2006-03-03 Thread Cahyo
On 3/3/06, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Wed, Mar 01, 2006 at 09:47:35PM +0700, Cahyo wrote:
  I wish someone make this
  http://www.docum.org/docum.org/faq/cache/65.html for obsd pf n altq,
  because very useful for SOHO user for bandwidth efficiency, maybe have
  another ideas for that goal

 It's a dirty hack, really. You could try to get something similar with
 filtering outbound bandwidth only - tags can be used to filter on the
 combination of incoming/outgoing.

 Joachim


If you filter incoming on $ext_interface, the src addresses are from the local squid,
not the real src client from $int_net.
If you try to filter outbound on $int_interface it's not a solution either: you can
test by downloading some file directly, not on the squid box; the outbound is almost done.

--
Regards'

-- Cahyo



Re: ath and 802.11a

2006-03-03 Thread Fridtjof Busse
* Andrew Smith [EMAIL PROTECTED]:
 Seconded (as if I needed to with Theo responding :P)
 
 I have an old Atheros based cardbus adaptor that will supposedly do b
 +g but I know for a fact not a, check the specs of the device please
 and do as Theo asks... dmesg is useful.

Well, I'll not try a with an unsupported piece of hardware.
According to the manpage my Wistron CM 9 does a/b/g. But it doesn't do g
and that's why I'm not sure if it will do a as well. 
Interesting thing is that according to CVS only b was reported working,
but a/b/g was added to the manpage. It doesn't really help me if the
manpage lists the modes the card supports instead of the modes that
OpenBSD supports...

-- 
Fridtjof Busse
   This game lends itself to certain abuses.
  --- Calvin



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread dick
 Original message 
Date: Fri, 3 Mar 2006 19:04:32 -0800 (PST)
From: Reid Nichol [EMAIL PROTECTED]  
Subject: Re: what is next?  3.10 or 4.0???  
To: Matthew Weigel [EMAIL PROTECTED]
Cc: misc@openbsd.org

I find it interesting that you didn't send this entirely condescending
superior reply to the list.  Now why is that?


--- Matthew Weigel [EMAIL PROTECTED] wrote:
 Reid Nichol wrote:

 In elementary number theory, numbers are usually the set of
 positive integers, including or not including 0 depending on
 circumstance.

And you even use the usually.  Perhaps you should check out the
definition of divisibility and what a divisor is before you make such a
comment.

Even sticking to the positive integers if a divides b (written a|b) if
and only if there is an integer d such that ad=b.

Notice the word integer in there.  Notice the word positive is NOT in
there.

So, -7 is a divisor of 7 because (-7)(-1)=7.  We /must/ restrict the
divisors to positive numbers.  Which is what the original poster didn't
do.

Or didn't you notice that?

And what does 0 (another special case) have to do with this
conversation?


using the usual definition of prime does require the restriction of potential
divisors to the positive integers. this is because, historically, the positive
integers were the ring over which number theorists worked, so one needn't
consider negative integer divisors. if you'd like to do away with the confusion
of such a definition, it's much easier to use the ideal-based definition of
prime: http://en.wikipedia.org/wiki/Prime_ideal . note that i'm assuming
commutative rings here.


 #2: these definitions are fluid - by some definitions, '1' *is*
 prime, and by others it isn't.  The question really depends on a
 particular mathematical writer's view, because it really has no impact
 on the interesting results of elementary number theory.

Really.  Point to a reference.  Because the wikipedia and mathworld
agree with my definition.   Not to mention all my professors and every
text that I've come across.


right on, reid! under no circumstances should 1 be considered a prime number:
the ideal generated by 1, (1), is obviously not a prime ideal.


 #3: you are a lot more condescending than your demonstrated knowledge
 warrants.

reid is totally in the right. i didn't sense much condescension, just dropping
definitions and such, like any respectable student of mathematics would and
should do.

cheers,
jake



Re: what is next? 3.10 or 4.0???

2006-03-03 Thread Damien Miller
On Fri, 3 Mar 2006, Reid Nichol wrote:

 I find it interesting that you didn't send this entirely condescending
 superior reply to the list.  Now why is that?

because it is off topic. Please stop this thread, which has nothing
to do with OpenBSD anymore.