Re: pre-orders

2006-03-08 Thread Julian Fondren
I assume the artwork has something to do with wavelan is a battlefield[1] :-)

/me supplementing OpenBSD/macppc 'mini with similarly SFF[2] OpenBSD/x86.

[1] my favorite /etc diff of the 3.9 snapshot.
[2] system76.com's Koala Mini.



Re: pre-orders

2006-03-08 Thread Thomas Alexander Frederiksen
Theo de Raadt wrote:
> We have activated the pre-orders for OpenBSD 3.9...
> More information can be found at
>
>   http://www.openbsd.org/39.html
>
> There's a T-shirt and a poster too...
>
> (The whole subject of the artwork will become more clear in a while,
> as we make more of it available :)

This is great :-)

If you can afford it, don't forget to donate when pre-ordering.

-- 
Regards/Thomas A. Frederiksen
LinuxForum 2006, http://linuxforum.dk - did I see you there?



Trying to Compile L4-Kenge on current

2006-03-08 Thread Subcommander l0r3zz
I got it in my mind that I would use OpenBSD as my development system to do
L4 (microkernel) work.
But I'm having a problem with the binutils tools.  First I needed the GNU
nm utility (because the SCons environment executes an nm --radix=d variant).
Now I'm having problems with the linker. I figured the easy way out was
to download the recent binutils and configure it to load its binaries in
/usr/local/gnu.

But it seems like i[3-7]86 for openbsd is not supported.  Hmm, anyone know a
work around?

My target systems are barebones hardware (soekris boxes) so I don't mind
setting up a cross-compiled situation.

When I load this environment on the L word (RHES4), everything compiles
perfectly.

What binary format does current use? ELF, right?


l0r3zz



Re: Why packets are not blocked

2006-03-08 Thread Stuart Henderson
On 2006/03/07 23:08, Chris Zakelj wrote:
> Aye.  You're flushing rules and NAT, but not your state table.  Since
> the state is already established, rules aren't re-evaluated.  Adding a
> state flush ought to get AOL wiped out.  Just be mindful that if you
> have something going on (like an SSH session), those states will also
> get nailed.

Removing 'flags S/SA' from the pass rules should help there.





Re: pre-orders

2006-03-08 Thread Alexander Hall

Felix Kronlage wrote:
> On Wed, Mar 08, 2006 at 02:19:51AM -0600, Julian Fondren wrote:
>> I assume the artwork has something to do with wavelan is a battlefield[1] :-)
>
> binary blobs do not only affect wireless, since nfe(4) is another
> case where one could use a binary blob from the vendor and where openbsd
> did an implementation of a driver that works without that binary blob.

You probably mean binary lobs and binary lob? ;-)

Dammit, I should know better than to annoy the list with comments like
these.




Re: hardening openbsd firewall

2006-03-08 Thread Tim Donahue
On Tuesday 07 March 2006 23:42, Peter wrote:
> Hi.  I've set up several firewalls with OpenBSD but I have yet to go to
> any extremes regarding hardening.  So far I have updated the source
> (stable), recompiled the system & kernel, removed the source code,
> turned off inetd, and set up a tight pf.conf.  I have been reading up
> on an interesting strategy of removing tons of executables, storing
> them on a cd, and setting up symlinks to the cd mount point so they can
> be accessed when needed.

Of course now when you have a problem and need your diagnostic tools.  Or for
that matter if you need to apply a security patch you are going to have lots of
fun updating the system.

Restrict connections to the localhost to only absolutely necessary services,
restrict sshd access (and use ssh-keygen to create keypairs), and of course
only give access to the console to trusted persons.  Doing this, as well as
keeping up to date on the security patches, will keep your system's risk to a
minimum.

Don't forget that if someone is good enough to gain access to your system,
odds are they are smart enough to copy the code and compiler that they need
to completely root the system.

Tim Donahue



Re: sshfs on OpenBSD

2006-03-08 Thread Jonathan Weiss

Lars Hansson wrote:
> On Tue, 07 Mar 2006 19:59:43 -0800
> smith [EMAIL PROTECTED] wrote:
>> Are there any plans for an OpenBSD implementation of sshfs?
>> Or has someone successfully installed fuse and sshfs on OpenBSD
>> (preferably 3.8)?
>
> IIRC, fuse is pretty tied to the Linux kernel so porting it would be
> non-trivial at the best.

There is a port for FreeBSD and it works ok. I use it on two 6-stable
systems without any problems. Maybe this port can be a start.


Jonathan


--
Jonathan Weiss
http://blog.innerewut.de



Soekris VPN1411 seen but not used w/stock 3.8

2006-03-08 Thread Gordon Grieder
Hi,

I recently picked up some Soekris gear for work. One part was a vpn1401
crypto accelerator. OpenBSD 3.8 fresh from the CD sees the card OK but
won't use it. Quick script to turn userland crypto off and on with
benchmarks proves that. 

I thought it may be a machine-dependent problem (it's for a Dell box)
so I tried the card in an old testbed Compaq 4000 desktop and get the
same results: the card is seen but not used. (I forgot to bring in my
own vpn1201 from home today to try duplicating this problem.)

After dicking around with it for a while I'm not quite sure if this is
an OpenBSD or Soekris issue.

Here's a dmesg for both, any advice or direction is appreciated.

### Dell GX150

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 930 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 265887744 (259656K)
avail mem = 235732992 (230208K)
using 3271 buffers containing 13398016 bytes (13084K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 06/26/01, BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbb40/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801BA LPC rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xa000 0xca000/0x2000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82815 Hub rev 0x04
vga1 at pci0 dev 2 function 0 Intel 82815 Graphics rev 0x04: aperture at 0xf400, size 0x400
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x11
pci1 at ppb0 bus 1
hifn0 at pci1 dev 7 function 0 Hifn 7955/7954 rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 9
xl0 at pci1 dev 12 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 3, address 00:06:5b:41:ba:3a
exphy0 at xl0 phy 24: 3Com internal media interface
ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x11
pciide0 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x11: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: IC35L020AVER07-0
wd0: 16-sector PIO, LBA, 19092MB, 39102336 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SONY, CD-ROM CDU5211, YYS7 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 Intel 82801BA USB rev 0x11: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82801BA SMBus rev 0x11 at pci0 dev 31 function 3 not configured
uhci1 at pci0 dev 31 function 4 Intel 82801BA USB rev 0x11: irq 7
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
biomask fde5 netmask ffed ttymask ffef
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted



### Compaq 4000 desktop:

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium/MMX (GenuineIntel 586-class) 200 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
cpu0: F00F bug workaround installed
real mem  = 133799936 (130664K)
avail mem = 115466240 (112760K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(41) BIOS, date 09/03/97, BIOS32 rev. 0 @ 0xece00
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xece00/0x3000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf6eb0/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:20:0 (VIA VT82C586 ISA rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xe7000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C1595 PCI rev 0x03
vga1 at pci0 dev 13 function 0 S3 ViRGE DX/GX rev 0x01
wsdisplay0 at vga1 mux 1: 

Re: pre-orders

2006-03-08 Thread Gordon Grieder
On Tue, Mar 07, 2006 at 08:23:17PM -0700, Theo de Raadt wrote:
> We have activated the pre-orders for OpenBSD 3.9...

W HO!!!

> It pays to order early! You stupid, cheap fuckers!


 Gord



Re: EPIA issues...

2006-03-08 Thread Steve Fairhead
> Running 12V fans at 7V often works nicely (easily achieved with PC
> hardware by connecting the fan to 5V and 12V rather than 0V and 12V).

With my electronics-designer cap on, I'd advise a little caution with this.
The 5V regulator is designed to source, not sink, current. If the fan
current exceeds the current the 5V regulator is supplying (which is unlikely
under normal conditions, but possible under stall or fault conditions), the
5V rail will go high and take out all hardware relying on it.

One other possible problem is that a fan is an inductive load - you could be
coupling large amounts of noise onto the 5V line.

Summary: with small fans, it should work, but you've introduced a mechanism
whereby a fan failure could destroy the machine.

Steve
http://www.fivetrees.com



Re: sshfs on OpenBSD

2006-03-08 Thread michael hamerski

smith wrote:
> Are there any plans for an OpenBSD implementation of sshfs?
>
> Or has someone successfully installed fuse and sshfs on OpenBSD
> (preferably 3.8)?

Yea, that would be very useful.

Sadly, I have neither the skills nor the finances to fund someone
possessing them. But I'll offer up a link:


http://sshfs.com

and major karma points in the next life ;)

Apparently, someone started work on this, although I never saw any code
there. Perhaps he still has something reusable. Sounds good as a CS
project.


mike



Re: Openbgpd kernel tuning

2006-03-08 Thread Marcel Prisi

Theo de Raadt wrote:
> The idea is that you shouldn't need to change any options.


Well then it will be easier than I thought :-)

I read some old threads about too small tcp.sendspace / tcp.recvspace in 
3.4 time that used to hit performance so I thought it would be useful.


The others were about DOS prevention.

Thanks for your help.



Re: OBSD 3.8: bash, libiconv, libintl in rc.securelevel

2006-03-08 Thread Chris 'Xenon' Hanson

yary wrote:
> On 3/7/06, Chris 'Xenon' Hanson [EMAIL PROTECTED] wrote:
>> yary wrote:
>>> Pardon me for giving what may be a naive answer, but how about putting
>>> /usr/local/lib into the LD_LIBRARY_PATH env variable before starting
>>> the wanrouter script?
>>
>> It's an obvious answer, but I figured there must be a good reason
>> (security?) that /usr/local/lib _isn't_ in the LD_LIBRARY_PATH at that
>> stage, and it didn't seem like a good idea for an installer to tamper
>> with the system's LD_LIBRARY_PATH. Partly I'm looking for insight as to
>> why it is the way it is currently.
>
> I can see it being a security thing, but you only have to set that
> environment variable for the subshell that's starting the wanrouter,
> not for the whole system at that stage of boot. This seems to work for
> /bin/sh:
> $ (export fff=rrr && echo $fff)
> rrr
> $ echo $fff
>
> $
>
> You have to trust /usr/local enough to run the port/package in the
> first place... so try launching wanrouter with (export
> LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib && /bin/bash
> /usr/local/bin/wanrouter) - your startup script will add the local
> libs to its search path but the rest of that bootup stage won't.
>
> And if that's incorrect someone will surely point out the error of my ways!

I think you make a good point. That should be safe to do, and will allow us to
not have to mess with the static bash package, which will allow the installer to
use the more generalized pkg_add that will adapt to platform and OS version.

Thanks everyone!

> -y


--
 Chris 'Xenon' Hanson | Xenon @ 3D Nature | http://www.3DNature.com/
 I set the wheels in motion, turn up all the machines, activate the programs,
  and run behind the scenes. I set the clouds in motion, turn up light and 
sound,
  activate the window, and watch the world go 'round. -Prime Mover, Rush.



Re: Openbgpd kernel tuning

2006-03-08 Thread Stuart Henderson
On 2006/03/08 16:37, Marcel Prisi wrote:
> OpenBGPD's config seems OK, but I need some help about OpenBSD's tunable
> parameters using sysctl.
>
> net.inet.tcp.recvspace=65536
> net.inet.tcp.sendspace=65536
> kern.ipc.somaxconn=1024
> net.inet.icmp.drop_redirect=1
> net.inet.icmp.log_redirect=1
> net.inet.ip.redirect=0
> net.inet.ip.sourceroute=0
> net.inet.icmp.bmcastecho=0
> net.inet.icmp.maskrepl=0

Half of these aren't even for OpenBSD. Are these settings from some
guide to tuning another OS for use as a webserver or something like
that?

> Are these OK ? Should I also do something for udp ? Do I miss some ?

I think you should remove them all and only touch the defaults if you
encounter a specific problem and have understood how the change that
you're making will help. The defaults are pretty sane. The thing you
might want to monitor on a busy router is mbuf use (netstat -m) but
that's monitoring, not tweaking, unless you start having a problem.



Re: Why packets are not blocked

2006-03-08 Thread Andrew Smith
Try flushing the state table too.

-Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jim
Sent: 08 March 2006 03:00
To: misc@openbsd.org
Subject: Why packets are not blocked

When my kid gets grounded I block the gameroom computer from getting to the 
internet.  The script that runs is

#!/bin/sh -
cp /home/jmays/pf.conf.noGameroom /etc/pf.conf
pfctl -F rules -f /etc/pf.conf
pfctl -F nat -f /etc/pf.conf

The file that becomes the pf.conf file is

# pf.conf.noGameroom file
#
# Define useful variables
#
ExtIF =dc0  # External Interface
IntIF =hme0 # Internal Interface
loopbackIF=lo0  # Loopback Interface
#
IntNet  =192.168.100.0/24   # Our internal network
Austin  =192.168.100.129
Gameroom=192.168.100.130
NoRouteIPs={ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
#Services={ ssh, ftp }
Services={ ssh }

# Clean up fragmented and abnormal packets
scrub in all

# nat on dc1 from 192.168.100.0/24 to any -> dc1
nat on $ExtIF from $Gameroom to any tag GAME -> ($ExtIF)
nat on $ExtIF from $IntNet to any -> ($ExtIF)
block out log quick on $ExtIF tagged GAME

#pass anything on loopback
pass out quick on $loopbackIF

# don't allow anyone to spoof non-routeable addresses
block in  quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all

# allow others to use allowed services
pass  in on $ExtIF inet proto tcp from any to any port $Services \
flags S/SA keep state

# and let out-going traffic out and maintain state on established
# connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out log on $ExtIF all
pass  out log on $ExtIF inet proto tcp  all flags S/SA keep state
pass  out log on $ExtIF inet proto udp  all keep state
pass  out log on $ExtIF inet proto icmp all keep state
#


The problem is that if the kid is already logged into AOL Instant messenger,
the connection is not broken.  So even though she is grounded, she can still
chat all day on AIM.  Why isn't this pf.conf file blocking everything on
that computer?

Here is the tail of the pflog file while she is on

Mar 07 20:30:43.516434 rule 14/0(match): pass out on dc0: 67.174.79.141.60805 > 64.12.174.121.80: S 3652110150:3652110150(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:43.739711 rule 14/0(match): pass out on dc0: 67.174.79.141.52657 > 209.62.180.190.80: S 4073040009:4073040009(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:43.960820 rule 14/0(match): pass out on dc0: 67.174.79.141.63494 > 216.39.69.77.80: S 3255465945:3255465945(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:44.014579 rule 15/0(match): pass out on dc0: 67.174.79.141.60482 > 204.127.202.4.53:  46801+ A? spe.atdmt.com. (31)
Mar 07 20:30:44.063887 rule 14/0(match): pass out on dc0: 67.174.79.141.60937 > 80.67.84.16.80: S 1960373362:1960373362(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:31:02.940879 rule 14/0(match): pass out on dc0: 67.174.79.141.51753 > 204.127.198.10.110: S 2067644325:2067644325(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)


I don't even have 14 rules.  Why is this passing on rule 14?

Thanks
Jim 
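A parser for the pflog lines Jim quoted, added here as an example and not part of the thread. With plain `log` on a `keep state` rule, pf logs the packet that creates the state, so every TCP entry above is a SYN for a brand-new connection; a session that was already established before the ruleset was reloaded is matched by the state table and never appears in this log at all. The sample input is constructed (copies of Jim's lines plus one made-up `block` line to a documentation address), and all function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: copies of the pflog/tcpdump lines quoted in the thread,
# plus one made-up "block" line (198.51.100.7 is a documentation address).
SAMPLE_PFLOG = """\
Mar 07 20:30:43.516434 rule 14/0(match): pass out on dc0: 67.174.79.141.60805 > 64.12.174.121.80: S 3652110150:3652110150(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:44.014579 rule 15/0(match): pass out on dc0: 67.174.79.141.60482 > 204.127.202.4.53:  46801+ A? spe.atdmt.com. (31)
Mar 07 20:31:02.940879 rule 14/0(match): pass out on dc0: 67.174.79.141.51753 > 204.127.198.10.110: S 2067644325:2067644325(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:31:10.123456 rule 3/0(match): block out on dc0: 67.174.79.141.51800 > 198.51.100.7.5190: S 1:1(0) win 65535 <mss 1460> (DF)
"""

# One pflog line as tcpdump prints it: timestamp, matching rule, action,
# direction, interface, then the packet summary ("src > dst: payload").
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) '
    r'rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): '
    r'(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>\w+): '
    r'(?P<src>\S+) > (?P<dst>[^\s:]+):\s*(?P<rest>.*)$'
)


def split_endpoint(endpoint):
    """'67.174.79.141.60805' -> ('67.174.79.141', 60805); tcpdump joins host and port with a dot."""
    host, port = endpoint.rsplit('.', 1)
    return host, int(port)


def parse_pflog_line(line):
    """Return a dict of the fields in one pflog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m['src'])
    dst_host, dst_port = split_endpoint(m['dst'])
    rest = m['rest']
    return {
        'ts': m['ts'],
        'rule': int(m['rule']),
        'action': m['action'],
        'direction': m['direction'],
        'ifname': m['ifname'],
        'src': src_host, 'sport': src_port,
        'dst': dst_host, 'dport': dst_port,
        # tcpdump prints the TCP flags first; a bare "S" is a SYN, i.e. a
        # brand-new connection that pf is just creating state for.
        'syn': rest.startswith('S '),
    }


def parse_pflog(text):
    """Parse every recognisable line; unparseable lines are skipped."""
    return [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]


def rule_counts(text):
    """How many logged packets each (rule number, action) pair accounted for."""
    return Counter((r['rule'], r['action']) for r in parse_pflog(text))


def new_tcp_connections(text, action='pass'):
    """(src, dst, dport) of every logged SYN handled by a rule with the given action.

    Packets covered by an existing state are matched before the ruleset is
    consulted, so they are not logged and cannot show up in this list."""
    return [(r['src'], r['dst'], r['dport'])
            for r in parse_pflog(text) if r['syn'] and r['action'] == action]


if __name__ == '__main__':
    for (rule, action), n in sorted(rule_counts(SAMPLE_PFLOG).items()):
        print(f'rule {rule:>3} {action:<5} {n} packet(s)')
    for src, dst, dport in new_tcp_connections(SAMPLE_PFLOG):
        print(f'new connection passed: {src} -> {dst}:{dport}')
```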



Re: Openbgpd kernel tuning

2006-03-08 Thread Theo de Raadt
> I am in the process of setting up an OpenBSD / OpenBGPD core router for
> a small local ISP (two 20mbps upstreams, simple setup).
>
> OpenBGPD's config seems OK, but I need some help about OpenBSD's tunable
> parameters using sysctl.

The idea is that you shouldn't need to change any options.



Re: Why packets are not blocked

2006-03-08 Thread Joachim Schipper
On Tue, Mar 07, 2006 at 11:08:51PM -0500, Chris Zakelj wrote:
> Steven wrote:
>> * Jim [EMAIL PROTECTED] [060307 20:36]:
>>> The problem is that if the kid is already logged into AOL Instant
>>> messenger, the connection is not broken.  So even though she is
>>> grounded, she can still chat all day on AIM.  Why isn't this pf.conf
>>> file blocking everything on that computer?
>> I'm not anything of a pf expert, but shouldn't this be expected if
>> you have keep state rules in your pf.conf?  I mean, you've changed
>> the rule-set, but the connection was set up before the change, and pf
>> will want to keep allowing the packets from the connection to pass
>> as a result.
>>
>> Just my $0.02 CDN, even with the current exchange rates, still not
>> worth a lot.  I'll let the real experts handle it from here.  :-)
> Aye.  You're flushing rules and NAT, but not your state table.  Since
> the state is already established, rules aren't re-evaluated.  Adding a
> state flush ought to get AOL wiped out.  Just be mindful that if you
> have something going on (like an SSH session), those states will also
> get nailed.

There are other ways to go about this: tcpdrop(8) is probably the proper
technical solution. Also, http://www.bofh.org.pl/man contains some
useful additional commands, which are, sadly, not part of the base
system - SNIP would be a rather useful thingy, here.

Joachim



Re: Openbgpd kernel tuning

2006-03-08 Thread Henning Brauer
* Marcel Prisi [EMAIL PROTECTED] [2006-03-08 16:42]:
> OpenBGPD's config seems OK, but I need some help about OpenBSD's tunable
> parameters using sysctl.

the only thing you might want to change is
  net.inet.ip.ifq.maxlen
the default is a little low for routing at higher speeds. 250 seems 
a good compromise for many higher-bandwidth routers.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)






Re: Openbgpd kernel tuning

2006-03-08 Thread Will H. Backman

Henning Brauer wrote:
> * Marcel Prisi [EMAIL PROTECTED] [2006-03-08 16:42]:
>> OpenBGPD's config seems OK, but I need some help about OpenBSD's tunable
>> parameters using sysctl.
>
> the only thing you might want to change is
>   net.inet.ip.ifq.maxlen
> the default is a little low for routing at higher speeds. 250 seems
> a good compromise for many higher-bandwidth routers.

What is the easiest way to know when you are hitting the limit?  Does it
just drop new connections?




Re: Why packets are not blocked

2006-03-08 Thread Bryan Irvine
On 3/7/06, Jim [EMAIL PROTECTED] wrote:
> When my kid gets grounded I block the gameroom computer from getting to the
> internet.  The script that runs is
>
> #!/bin/sh -
> cp /home/jmays/pf.conf.noGameroom /etc/pf.conf
> pfctl -F rules -f /etc/pf.conf
> pfctl -F nat -f /etc/pf.conf

The script should probably read

#!/bin/sh -
cp /home/jmays/pf.conf.noGameroom /etc/pf.conf
pfctl -F rules -f /etc/pf.conf
pfctl -F nat -f /etc/pf.conf
pfctl -k 192.168.100.130


--Bryan



Re: hardening openbsd firewall

2006-03-08 Thread Joachim Schipper
On Tue, Mar 07, 2006 at 11:42:23PM -0500, Peter wrote:
> Hi.  I've set up several firewalls with OpenBSD but I have yet to go to
> any extremes regarding hardening.  So far I have updated the source
> (stable), recompiled the system & kernel, removed the source code,
> turned off inetd, and set up a tight pf.conf.  I have been reading up
> on an interesting strategy of removing tons of executables, storing
> them on a cd, and setting up symlinks to the cd mount point so they can
> be accessed when needed.
>
> My firewall will be providing internet access (NAT) to a small office
> lan (not mine).
>
> What strategies are others using in this area?

As mentioned, restrict sshd(8). Ideally, turn it off, but that's not
usually necessary/possible.

Depending on how far you're willing to deviate from base, some other
tricks:
1. Use sudo exclusively - set an empty or nonsense root password
2. Use public key authentication only for sshd(8), and restrict
which users can log in.
2a. If you really need something password-like, use S/KEY.
2b. If neither is feasible, audit the passwords (use John the
Ripper for existing passwords; some schemes exist to act when setting
new passwords)
3. Restrict the use of ports, and research into the security of
a program before installing. mail/postfix is unlikely to open too many
holes; www/php5 is best left alone, if security is the goal [1].
4. Audit suid/sgid executables - quite a few are not needed on a
minimalist system, but again - breaking stuff will lead to other stuff
breaking. (Where 'audit' will typically mean 'remove any that are not
needed' - the other end, a full source audit, is very, very
time-consuming and difficult.)
5. Monitor the appropriate lists (did you know about the pf DoS
problems in 3.8-rel? They are not in the patches, and very unlikely to
cause trouble, but it's good to know what not to do).

Actually, regarding 1 - I find myself wondering whether logging in as
root, where no suspicious stuff in my own account can reach me, is not
preferable to using sudo (which is trivially subverted with a single
line in .profile). Does anyone have a good opinion on this? (Yes, I know
that root is not to be used for trivial matters, and yes, I know when to
log out.)
Of course, sudo does have the invaluable side effect of producing quite
informative log files.

Removing (non-s*id) binaries and sources, while annoying to an attacker,
is also quite annoying to the system administrator and will not stop a
knowledgeable attacker anyway.

Joachim

[1] Of course, PHP is quite often impossible to avoid - it *is* the
biggest in what it does, after all.
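Point 4 above (audit the suid/sgid executables) is more useful when the list you settle on after install is kept as a baseline and re-checked, so that a setuid binary that later appears (or one that went missing) is noticed. The following is an added example, not code from the thread: it walks a directory, lists regular files carrying the setuid or setgid bit, and diffs that against a saved baseline. The `demo()` tree and all function names are this example's own constructions.

```python
import os
import stat
import tempfile


def find_setid(root):
    """Sorted paths of regular files under root with the setuid or setgid bit set.

    lstat is used so symlinks are not followed: a link pointing into /usr
    cannot make a foreign binary show up under the directory being audited."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(path)
    return sorted(found)


def compare_with_baseline(current, baseline):
    """What appeared and what disappeared relative to the saved baseline."""
    cur, base = set(current), set(baseline)
    return {'added': sorted(cur - base), 'removed': sorted(base - cur)}


def save_baseline(paths, fname):
    with open(fname, 'w') as fh:
        fh.write('\n'.join(paths) + '\n')


def load_baseline(fname):
    with open(fname) as fh:
        return [line.strip() for line in fh if line.strip()]


def _write_script(path, mode):
    # Constructed stand-in for a binary: a one-line shell script with the given mode.
    with open(path, 'w') as fh:
        fh.write('#!/bin/sh\n')
    os.chmod(path, mode)


def demo():
    """Constructed tree: one setuid file and one plain file are baselined,
    then a new setuid file appears and the re-audit reports it."""
    root = tempfile.mkdtemp(prefix='setid-audit-')
    bindir = os.path.join(root, 'bin')
    os.mkdir(bindir)
    _write_script(os.path.join(bindir, 'su-like'), 0o4755)  # setuid bit set
    _write_script(os.path.join(bindir, 'plain'), 0o755)     # ordinary executable
    baseline_file = os.path.join(root, 'setid.baseline')
    save_baseline(find_setid(bindir), baseline_file)

    # Later: a second setuid binary shows up (e.g. dragged in by a package).
    _write_script(os.path.join(bindir, 'newcomer'), 0o4711)
    diff = compare_with_baseline(find_setid(bindir), load_baseline(baseline_file))
    return {
        'baseline': [os.path.basename(p) for p in load_baseline(baseline_file)],
        'added': [os.path.basename(p) for p in diff['added']],
        'removed': [os.path.basename(p) for p in diff['removed']],
    }


if __name__ == '__main__':
    result = demo()
    print('baseline:', result['baseline'])
    print('added since baseline:', result['added'])
    print('removed since baseline:', result['removed'])
```

On a real system the baseline would be taken from `/` right after install and stored off-box; the temporary tree here only exists so the example runs without touching the system.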



Re: Trying to Compile L4-Kenge on current

2006-03-08 Thread Joachim Schipper
On Wed, Mar 08, 2006 at 12:42:27AM -0800, Subcommander l0r3zz wrote:
> I got it in my mind that I would use OpenBSD as my development system to do
> L4 (microkernel) work.
> But I'm having a problem with the binutils tools.  First I needed the GNU
> nm utility (because the SCons environment executes an nm --radix=d variant).
> Now I'm having problems with the linker. I figured the easy way out was
> to download the recent binutils and configure it to load its binaries in
> /usr/local/gnu.
>
> But it seems like i[3-7]86 for openbsd is not supported.  Hmm, anyone know a
> work around?
>
> My target systems are barebones hardware (soekris boxes) so I don't mind
> setting up a cross-compiled situation.
>
> When I load this environment on the L word (RHES4), everything compiles
> perfectly.
>
> What binary format does current use? ELF, right?

While I don't know anything about that L stuff, some pointers...

nm is on my system, though it is not the GNU version, but I am not sure
if it cannot do the same job (no idea what --radix=d does).

You might want to try Linux emulation, but from the look of this, this
might be difficult.

So, I'm guessing you'll have to either run some heavy emulation stuff
(like qemu), port it to build on OpenBSD, or just install Linux.

Joachim



Sun Ultra 1

2006-03-08 Thread Gustavo Rios
Hey folks,

I have just installed 3.8 on my Sun desktop. It installed OK, 100% perfect.

Now, I would like to strip the kernel to the bare minimum and get X
working. Has anybody on the list already configured the kernel and
recompiled it? Could you send me the two configuration files so I can get
mine done? Another problem: I got X, but only with 8 bits of color.

I would like to have the maximum possible resolution with the high bit
color size palette. Could you send me your xorg.conf?

Here are my dmesg and my /var/log/Xorg.0.log.

Thanks a lot for your time and cooperation.

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of dmesg]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of Xorg.0.log]



Problem detecting fxp in March 2 snapshot

2006-03-08 Thread Daniel Hamlin
My Intel network card, which works under 3.8, is not detected in the 
March 2 snapshot (I tried some previous snapshots as well, same issue).  
Any hints or suggestions would be appreciated!


Dan Hamlin


OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.40GHz (GenuineIntel 686-class) 3.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,CNXT-ID
real mem  = 2145529856 (2095244K)
avail mem = 1951735808 (1905992K)
using 4278 buffers containing 107380736 bytes (104864K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 05/02/05, BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: APM get power status: unknown error code? (83)
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfeb00/240 (13 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x8086 product 0x2640
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0xd000 0xcd000/0x2000! 0xcf000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 915G/P/GV Host rev 0x04
ppb0 at pci0 dev 1 function 0 Intel 915G/P/GV PCIE rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon X300 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ATI Radeon X300 Sec rev 0x00 at pci1 dev 0 function 1 not configured
ppb1 at pci0 dev 28 function 0 Intel 82801FB PCIE rev 0x03
pci2 at ppb1 bus 2
uhci0 at pci0 dev 29 function 0 Intel 82801FB USB rev 0x03: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801FB USB rev 0x03: irq 9
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801FB USB rev 0x03: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 Intel 82801FB USB rev 0x03: irq 3
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801FB USB rev 0x03: irq 10
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb2 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xd3
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 Texas Instruments PCI2250 PCI-PCI rev 0x02
pci4 at ppb3 bus 4
sis0 at pci4 dev 0 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 11, address 00:00:24:c4:5c:ec
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci4 dev 1 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 5, address 00:00:24:c4:5c:ed
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci4 dev 2 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 5, address 00:00:24:c4:5c:ee
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
sis3 at pci4 dev 3 function 0 NS DP83815 10/100 rev 0x00: DP83816A, irq 3, address 00:00:24:c4:5c:ef
nsphyter3 at sis3 phy 0: DP83815 10/100 PHY, rev. 1
emu0 at pci3 dev 1 function 0 Creative Labs SoundBlaster Live rev 0x07: irq 5
ac97: codec id 0x83847609 (SigmaTel STAC9721/23)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at emu0
Creative Labs PCI Gameport Joystick rev 0x07 at pci3 dev 1 function 1 
not configured
fxp0 at pci3 dev 8 function 0 Intel PRO/100 VE (82562EZ) rev 0x03: irq 
9, address 00:13:20:40:15:a6

inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 Intel 82801FB LPC rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 82801FB IDE rev 0x03: DMA, 
channel 0 configured to compatibi

lity, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SONY, DVD-ROM DDU1615, FDS1 SCSI0 
5/cdrom removable

atapiscsi1 at pciide0 channel 0 drive 1
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0: _NEC, DVD+-RW ND-3530A, 102B SCSI0 
5/cdrom removable

cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 Intel 82801FB SATA rev 0x03: DMA, 
channel 0 configured to native-P

CI, channel 1 configured to native-PCI
pciide1: using irq 9 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: Maxtor 6Y160M0
wd0: 16-sector PIO, LBA48, 152587MB, 

Re: Openbgpd kernel tuning

2006-03-08 Thread Henning Brauer
* Will H. Backman [EMAIL PROTECTED] [2006-03-08 19:17]:
 Henning Brauer wrote:
 * Marcel Prisi [EMAIL PROTECTED] [2006-03-08 16:42]:
 OpenBGPD's config seems OK, but I need some help about OpenBSD's tunable 
 parameters using sysctl.
 the only thing you might want to change is
   net.inet.ip.ifq.maxlen
 the default is a little low for routing at higher speeds. 250 seems 
 a good compromise for many higher-bandwidth routers.
 What is the easiest way to know when you are hitting the limit?  Does it 
 just drop new connections?

monitoring the congestion counter in pfctl -si helps a lot.

you don't want too long queues tho, that is counterproductive.

sorry, if there was an easy rule, we'd do it automagically.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: Problem detecting fxp in March 2 snapshot

2006-03-08 Thread Miod Vallat
 My Intel network card, which works under 3.8, is not detected in the 
 March 2 snapshot (I tried some previous snapshots as well, same issue).  
 Any hints or suggestions would be appreciated!

Looks like a fuck-up on our side for 3.9. Can you try the following diff
and report whether your network card gets recognized again?

Miod

Index: if_fxp_pci.c
===
RCS file: /cvs/src/sys/dev/pci/if_fxp_pci.c,v
retrieving revision 1.45
diff -u -p -r1.45 if_fxp_pci.c
--- if_fxp_pci.c2006/01/05 21:34:35 1.45
+++ if_fxp_pci.c2006/03/08 20:43:37
@@ -127,6 +127,7 @@ const struct pci_matchid fxp_pci_devices
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801E_LAN_1 },
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801E_LAN_2 },
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801FB_LAN },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801FB_LAN_2 },
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801GB_LAN_2 },
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801FBM_LAN },
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801GB_LAN },
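Review bot: the added table entry references PCI_PRODUCT_INTEL_82801FB_LAN_2, but this diff touches only if_fxp_pci.c, so it builds only if that product id is already defined in the generated pcidevs header; if it is not, the matching pcidevs/pcidevs.h change has to go in the same commit or the kernel build breaks. A commit message naming the chip this entry restores (the reporter's card attaches under 3.8 but not the March 2 snapshot) would also make the 3.9 regression traceable.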



Re: hardening openbsd firewall

2006-03-08 Thread Bob Beck
* Joachim Schipper [EMAIL PROTECTED] [2006-03-08 12:13]:

   1. Use sudo exclusively - set an empty or nonsense root password

Stupid - if there is only one user with sudo-ability then
this is the same as just having root. If there are more, there are
now two passwords out there to get root instead of just one. 

Don't get me wrong, I love using sudo, and use it in lots of
places but view it as a tool for selectively opening up security,
not tightening it down. 

   2. Use public key authentication only for sshd(8), and restrict
 which users can log in.

So they can expose their key on a bazillion remote systems
instead of the password on this system ? :)  This is a tradeoff, 
universal statements like this are frequently shit. allowing
public keys means you're now accepting the security of 
every machine an idiot ssh's from as good enough. My most secure
machines do not permit public keys. They also use pf.os to
encourage people not to ssh to them from less secure choices of
operating system.

   2a. If you really need something password-like, use S/KEY.
   2b. If neither is feasible, audit the passwords (use John the
 Ripper for existing passwords; some schemes exist to act when setting
 new passwords)

Don't audit using John, users just cycle between shitty ones.
check them. (see passwordcheck in login.conf(5))

   3. Restrict the use of ports, and research into the security of
 a program before installing. mail/postfix is unlikely to open too many
 holes; www/php5 is best left alone, if security is the goal [1].
   4. Audit suid/sgid executables - quite a few are not needed on a
 minimalist system, but again - breaking stuff will lead to other stuff
 breaking. (Where 'audit' will typically mean 'remove any that are not
 needed' - the other end, a full source audit, is very, very
 time-consuming and difficult.)
   5. Monitor the appropriate lists (did you know about the pf DoS
 problems in 3.8-rel? They are not in the patches, and very unlikely to
 cause trouble, but it's good to know what not to do).
 
 Actually, regarding 1 - I find myself wondering whether logging in as
 root, where no suspicious stuff in my own account can reach me, is not
 preferable to using sudo (which is trivially subverted with a single
 line in .profile). Does anyone have a good opinion on this? (Yes, I know
 that root is not to be used for trivial matters, and yes, I know when to
 log out.)

My most secure machines do not use sudo - there is only
root.  (on most of my machines however, I do use sudo). I use
sudo to make a machine a measured amount less secure (by allowing
more people high level access) than more secure. 

-Bob



Re: OBSD 3.8: bash, libiconv, libintl in rc.securelevel

2006-03-08 Thread Otto Moerbeek
On Wed, 8 Mar 2006, Chris 'Xenon' Hanson wrote:

   Thanks everyone!

Leaves me wondering why you cannot use ksh to run the script. Are you
running into a ksh bug or a bash specific feature?

-Otto



Re: OBSD 3.8: bash, libiconv, libintl in rc.securelevel

2006-03-08 Thread Chris 'Xenon' Hanson

Otto Moerbeek wrote:

On Wed, 8 Mar 2006, Chris 'Xenon' Hanson wrote:

  Thanks everyone!

Leaves me wondering why you cannot use ksh to run the script. Are you
running into a ksh bug or a bash specific feature?


  I honestly don't know, I didn't write the script, Sangoma did. It calls for bash, and I 
assume they know why.



-Otto


--
 Chris 'Xenon' Hanson | Xenon @ 3D Nature | http://www.3DNature.com/
 I set the wheels in motion, turn up all the machines, activate the programs,
  and run behind the scenes. I set the clouds in motion, turn up light and 
sound,
  activate the window, and watch the world go 'round. -Prime Mover, Rush.



Re: Openbgpd kernel tuning

2006-03-08 Thread Chris Cappuccio
Marcel Prisi [EMAIL PROTECTED] wrote:
 
 I read some old threads about too small tcp.sendspace / tcp.recvspace in 
 3.4 time that used to hit performance so I thought it would be useful.
 

These settings only affect TCP sessions that connect directly to that system.

In other words, they don't do anything on a router.

 The others were about DOS prevention.
 

If the box isn't completely livelocked, you can use tcpdump to figure out
which IPs you need your upstream to block traffic from or to in the event
of a DoS.

If you're lucky, most of the traffic will either come from one network
or most of it will go to a small number of IP addresses on your side.  If
your upstream provider blocks that traffic, then your pipe isn't full
anymore.  If you're not lucky, you're screwed, and you need to have
more bandwidth than your attacker to sustain an attack.  



Re: OBSD 3.8: bash, libiconv, libintl in rc.securelevel

2006-03-08 Thread Otto Moerbeek
On Wed, 8 Mar 2006, Chris 'Xenon' Hanson wrote:

 Otto Moerbeek wrote:
  On Wed, 8 Mar 2006, Chris 'Xenon' Hanson wrote:
 Thanks everyone!
  Leaves me wondering why you cannot use ksh to run the script. Are you
  running into a ksh bug or a bash specific feature?
 
   I honestly don't know, I didn't write the script, Sangoma did. It calls for
 bash, and I assume they know why.

Well, just try it or show us the script... It happens a lot that people
just put #!/bin/bash in their scripts because they copy from badly
written scripts.

-Otto



Re: Openbgpd kernel tuning

2006-03-08 Thread Matt Rowley
 monitoring the congestion counter in pfctl -si helps a lot.
 
 you don't want too long queues tho, that is counterproductive.

What are the consequences of ifq set too large?

--Matt



Re: Sun Ultra 1

2006-03-08 Thread Daniel Ouellet

Gustavo Rios wrote:

Now, I would like to strip the kernel to the bare minimum and get X
working. Has anybody on the list already configured the kernel and
recompiled it?


http://openbsd.org/faq/faq5.html#Why



Re: *** SPAM *** This is NOT a complaint (or any other flavour of whining)

2006-03-08 Thread Rod.. Whitworth
On Wed, 8 Mar 2006 15:05:35 -, Andrew Smith wrote:

Rod, you didn't mention the architecture... for now I'll assume i386.

You also didn't mention if it was an upgrade over a 3.8 or a clean 3.9
install. I'll assume a 3.9 clean install.

Double check that you have machdep.allowaperture=2 in /etc/sysctl.conf

-Andy

Sure is i386 and testing snapshots should never be other than a clean
install IMHO so I keep a lab-rat for just that purpose.

The aperture happens automagically if you answer yes to the X question
at install and I checked to see that it had carried out the necessary
mod to sysctl.conf.

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: Problem detecting fxp in March 2 snapshot

2006-03-08 Thread Hamlin, Daniel N
 -Original Message-
 From: Miod Vallat [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, March 08, 2006 3:45 PM
 To: Hamlin, Daniel N
 Cc: misc@openbsd.org
 Subject: Re: Problem detecting fxp in March 2 snapshot
 
  My Intel network card, which works under 3.8, is not detected in the
  March 2 snapshot (I tried some previous snapshots as well, same issue).
  Any hints or suggestions would be appreciated!
 
 Looks like a fuck-up on our side for 3.9. Can you try the following diff
 and report whether your network card gets recognized again?
 
 Miod
 
 Index: if_fxp_pci.c
 ===
 RCS file: /cvs/src/sys/dev/pci/if_fxp_pci.c,v
 retrieving revision 1.45
 diff -u -p -r1.45 if_fxp_pci.c
 --- if_fxp_pci.c  2006/01/05 21:34:35 1.45
 +++ if_fxp_pci.c  2006/03/08 20:43:37
 @@ -127,6 +127,7 @@ const struct pci_matchid fxp_pci_devices
   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801E_LAN_1 },
   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801E_LAN_2 },
   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801FB_LAN },
 + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801FB_LAN_2 },
   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801GB_LAN_2 },
   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801FBM_LAN },
   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801GB_LAN },
 
 --
 No virus found in this incoming message.
 Checked by AVG Free Edition.
 Version: 7.1.375 / Virus Database: 268.2.0/276 - Release Date: 3/7/2006
 

That fixed it!  Thanks!

Dan Hamlin

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 268.2.0/276 - Release Date: 3/7/2006



Pre-orders for our releases.

2006-03-08 Thread Theo de Raadt
I would like to remind our community that our project lives and
breathes because of the sale of CDs and the receipt of donations.  In
the last few years a few very large donations have allowed our
hackathons to happen, but other than that we are always digging
ourselves a bigger and bigger hole.

Most of our user community increases their use of the FTP servers,
while we naturally sell fewer CDs.  For instance, I would approximate
that the sale of every T-shirt we make probably does not pay for the
electricity used in the machine room.  It's about $5000 a year.

This is placing a severe strain on our ability to toss money at
projects.  For instance, we want to hold more mini-hackathons, since
they are so incredibly productive.  And we would like to pay for more
travel expenses for developers to these events, since there are always
developers who are less fortunate.

Yet almost all of our donations really do come from individuals, and
almost none from companies using our software.  Even though there are
many many companies doing so.  Some companies are small, but there are
also quite large ones.  And banks.  Government institutions.  Ones you
see in the news every day.  And operating system vendors who reuse our
code.

But financially we are under strain, and it is not letting us grow any
of our bigger plans.  If anyone has any real clout to make changes
within institutions that could help us in the long term, please do.
Like universities, or even companies that want to sponsor an entire
hackathon.

(But please do not send suggestions, because unfortunately we think we
have heard every single one of them before, and people never listen
when we say that it is not viable for us to play non-profit games, nor
selling special merchandise, nor will it help to hire people to write
special books.  We've heard all these ideas before.  Having us implement
more ideas does not help.  It's time for outsiders to implement things
which just let us continue what we do).



Re: Openbgpd kernel tuning

2006-03-08 Thread Ted Unangst
On 3/8/06, Matt Rowley [EMAIL PROTECTED] wrote:
  monitoring the congestion counter in pfctl -si helps a lot.
 
  you don't want too long queues tho, that is counterproductive.

 What are the consequences of ifq set too large?

packets go in the queue and don't come out.



Re: ,,improve'' readability in tree(3)

2006-03-08 Thread chefren

On 03/08/06 23:33, Thorsten Glaser wrote:

 Peter Valchev dixit:

  lg - log

 No, the original is correct.  lg means log base 2.

Isn't that lb?

http://en.wikipedia.org/wiki/Logarithm

ld

?

+++chefren



Re: OptiPlex GX620n - OpenBSD

2006-03-08 Thread Mark Pecaut
On 3/7/06, Nick Holland [EMAIL PROTECTED] wrote:
 You prompted me to go back and take another shot at X on a Optiplex 620.
   I've (again) had no luck getting it to work with the standard,
 on-board video.  What did you do to configure X on it? (I didn't see an
 extra video card in your dmesg).

Well, I didn't really do anything to configure X, just startx worked. 
I did write an xorg.conf so the mouse wheel would work.   Back when
this thing was first new I tried amd64 on it and that worked well, too
but I missed Opera too much and it wasn't a 'real' amd64 anyway, so I
went back to i386.  I never thought to try bsd.mp, so I'll have to do
that sometime soon.

This box might be different from what you have.  It has no slots of
any kind and even has a disconnected laptop-style power supply and a
laptop cdrom.

-Mark

ps, here is my xorg.conf, pretty plain.

Section "ServerLayout"
        Identifier     "X.org Configured"
        Screen      0  "Screen0" 0 0
        InputDevice    "Mouse0" "CorePointer"
        InputDevice    "Keyboard0" "CoreKeyboard"
EndSection

Section "Files"
        RgbPath      "/usr/X11R6/lib/X11/rgb"
        ModulePath   "/usr/X11R6/lib/modules"
        FontPath     "/usr/X11R6/lib/X11/fonts/misc/"
        FontPath     "/usr/X11R6/lib/X11/fonts/TTF/"
        FontPath     "/usr/X11R6/lib/X11/fonts/Type1/"
        FontPath     "/usr/X11R6/lib/X11/fonts/CID/"
        FontPath     "/usr/X11R6/lib/X11/fonts/75dpi/"
        FontPath     "/usr/X11R6/lib/X11/fonts/100dpi/"
EndSection

Section "Module"
        Load  "extmod"
        Load  "glx"
        Load  "dbe"
        Load  "record"
        Load  "xtrap"
        Load  "type1"
        Load  "freetype"
EndSection

Section "InputDevice"
        Identifier  "Keyboard0"
        Driver      "kbd"
EndSection

Section "InputDevice"
        Identifier  "Mouse0"
        Driver      "mouse"
        Option      "Protocol" "wsmouse"
        Option      "Device" "/dev/wsmouse"
        Option      "ZAxisMapping" "4 5"
EndSection

Section "Monitor"
        Identifier   "Monitor0"
        VendorName   "Monitor Vendor"
        ModelName    "Monitor Model"
EndSection

Section "Device"
        ### Available Driver options are:-
        ### Values: <i>: integer, <f>: float, <bool>: "True"/"False",
        ### <string>: "String", <freq>: "<f> Hz/kHz/MHz"
        ### [arg]: arg optional
        #Option     "ShadowFB"              # [<bool>]
        #Option     "DefaultRefresh"        # [<bool>]
        Identifier  "Card0"
        Driver      "vesa"
        VendorName  "Intel Corp."
        BoardName   "Unknown Board"
        BusID       "PCI:0:2:0"
EndSection

Section "Screen"
        Identifier "Screen0"
        Device     "Card0"
        Monitor    "Monitor0"
        SubSection "Display"
                Viewport   0 0
                Depth     24
        EndSubSection
EndSection



Re: hardening openbsd firewall

2006-03-08 Thread Joachim Schipper
On Wed, Mar 08, 2006 at 01:58:18PM -0700, Bob Beck wrote:
 * Joachim Schipper [EMAIL PROTECTED] [2006-03-08 12:13]:
 
  1. Use sudo exclusively - set an empty or nonsense root password
 
   Stupid ...
  2. Use public key authentication only for sshd(8), and restrict
  which users can log in.
 
   So they can expose their key on a bazillion remote systems
 instead of the password on this system ? :)  This is a tradeoff, 
 universal statements like this are frequently shit. allowing
 public keys means you're now accepting the security of 
 every machine an idiot ssh's from as good enough. My most secure
 machines do not permit public keys. They also use pf.os to
 encourage people not to ssh to them from less secure choices of
 operating system.

So what do you use? Personally, I have one main workstation which has
the private key to get into everything; one secondary workstation which
can get into the primary; and no access between the rest.

For logins from untrusted machines, S/KEY will have to do. It's much
better than password authentication, as keyloggers are all too common.
And yes, I am aware of the failings of S/KEY, especially when in an
untrusted environment - it will not stop someone who has taken care to
crack it. It will, however, defeat general-purpose loggers and passive
network taps.

Yes, disallowing access from Windows or even Linux makes some sense, but
it is not always feasible.

Besides, stupid users are, to some extent, neither a technical problem
nor solvable by technical means. And since we were originally talking
about a firewall, it seems reasonable that the users can be trusted to
be somewhat responsible.

  2a. If you really need something password-like, use S/KEY.
  2b. If neither is feasible, audit the passwords (use John the
  Ripper for existing passwords; some schemes exist to act when setting
  new passwords)
   
   Don't audit using John, users just cycle between shitty ones.
 check them. (see passwordcheck in login.conf(5))

A very good idea, but one that falls under the latter category - i.e.,
it doesn't help for existing accounts.

  3. Restrict the use of ports, and research into the security of
  a program before installing. mail/postfix is unlikely to open too many
  holes; www/php5 is best left alone, if security is the goal [1].
  4. Audit suid/sgid executables - quite a few are not needed on a
  minimalist system, but again - breaking stuff will lead to other stuff
  breaking. (Where 'audit' will typically mean 'remove any that are not
  needed' - the other end, a full source audit, is very, very
  time-consuming and difficult.)
  5. Monitor the appropriate lists (did you know about the pf DoS
  problems in 3.8-rel? They are not in the patches, and very unlikely to
  cause trouble, but it's good to know what not to do).
  
  Actually, regarding 1 - I find myself wondering whether logging in as
  root, where no suspicious stuff in my own account can reach me, is not
  preferable to using sudo (which is trivially subverted with a single
  line in .profile). Does anyone have a good opinion on this? (Yes, I know
  that root is not to be used for trivial matters, and yes, I know when to
  log out.)
 
   My most secure machines do not use sudo - there is only
 root.  (on most of my machines however, I do use sudo). I use
 sudo to make a machine a measured amount less secure (by allowing
 more people high level access) than more secure. 

Yes, you are right about this.

Joachim



Re: Soekris VPN1411 seen but not used w/stock 3.8

2006-03-08 Thread Gordon Grieder
On Wed, Mar 08, 2006 at 06:07:30PM -0500, jared r r spiegel wrote:
 
   including the commandlines of said benchmarks would have been hot,
   in this case.
 
   i'm inclined to ask how you determined the benchmarks prove that
   it isn't used ( watching 'systat vmstat', time(1)'ing them, etc ),
   but it is more valuable to know what the actual benchmarks you were
   running were.


The speed with and without userland crypto enabled was the same for
things the cards support (i.e. sha1, rsa, et al.). 

I.e. the P3 returned identical benchmarks with 'openssl speed'
with userland crypto enabled or disabled. The old Pentium was the same
as well.

My older vpn1201 screams on an old Pentium, the difference is night and
day.

 G



Re: OBSD 3.8: bash, libiconv, libintl in rc.securelevel

2006-03-08 Thread Giancarlo Razzolini
Otto Moerbeek wrote:
 On Wed, 8 Mar 2006, Chris 'Xenon' Hanson wrote:

 Otto Moerbeek wrote:
 On Wed, 8 Mar 2006, Chris 'Xenon' Hanson wrote:
   Thanks everyone!
 Leaves me wondering why you cannot use ksh to run the script. Are you
 running into a ksh bug or a bash specific feature?
   I honestly don't know, I didn't write the script, Sangoma did. It calls
for
 bash, and I assume they know why.

 Well, just try it or show us the script... It happens as lot people
 just put #!/bin/bash in their script because they copy from badly
 written scripts.

   -Otto



I always write my scripts using only sh features, so my scripts can run
on virtually any Unix with few or no adjustments. But if you MUST
use bash, I recommend installing the statically linked one, because you
not only solve the library problems, but it is also more secure.

My 2 cents,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: Soekris VPN1411 seen but not used w/stock 3.8

2006-03-08 Thread jared r r spiegel
On Wed, Mar 08, 2006 at 06:29:47PM -0600, Gordon Grieder wrote:
 On Wed, Mar 08, 2006 at 06:07:30PM -0500, jared r r spiegel wrote:
  
including the commandlines of said benchmarks would have been hot,
in this case.
 
 The speed with and without userland crypto enabled was the same for
 things the cards support (i.e. sha1, rsa, et al.). 
 
 I.e. the P3 returned identical benchmarks with 'openssl speed'
 with userland crypto enabled or disabled. The old Pentium was the same
 as well.

  including the commandlines of said benchmarks would have been hot,
  in this case too.

  only thing i guess i can offer is:
 
  http://marc.theaimsgroup.com/?l=openbsd-misc&m=108215148805896&w=2

  and to say that i've used a 1401 on a desktop and 1411s in soekris
  4801s without issue(*) from 3.7 on up to the most recent snapshot i'm
  using.

(*) - meaning i see them being used for crypto and i am not experiencing
  ill effects.

  also have used 1401/1411s successfully for IPComp with lzs

-- 

  jared

[ openbsd 3.9-beta GENERIC ( jan 30 ) // i386 ]



Re: EPIA issues...

2006-03-08 Thread michael hamerski

Steve Fairhead wrote:

... snip...


Summary: with small fans, it should work, but you've introduced a mechanism
whereby a fan failure could destroy the machine.



Aha, I just knew there was more to my attraction to the zalman fan mate 
than my instinctive aversion to electricity since staying plugged in 
with my hand behind a bookcase at age 5.


mike



Re: Soekris VPN1411 seen but not used w/stock 3.8

2006-03-08 Thread Gordon Grieder
On Wed, Mar 08, 2006 at 07:59:02PM -0500, jared r r spiegel wrote:
   only thing i guess i can offer is:
  
   http://marc.theaimsgroup.com/?l=openbsd-misc&m=108215148805896&w=2
 
   and to say that i've used a 1401 on a desktop and 1411s in soekris
   4801s without issue(*) from 3.7 on up to the most recent snapshot i'm
   using.


Ah, it's not working for speed but works when put to real use. I
tested some file encryption and the interrupts shot up. Odd but at
least it seems to be working for now.

Thanks everyone, sorry for the list-noise.

 Gord



Re: Soekris VPN1411 seen but not used w/stock 3.8

2006-03-08 Thread Theo de Raadt
 On Wed, Mar 08, 2006 at 07:59:02PM -0500, jared r r spiegel wrote:
only thing i guess i can offer is:
   
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=108215148805896&w=2
  
and to say that i've used a 1401 on a desktop and 1411s in soekris
4801s without issue(*) from 3.7 on up to the most recent snapshot i'm
using.
 
 
 Ah, it's not working for speed but works when put to real use. I
 tested some file encryption and the interrupts shot up. Odd but at
 least it seems to be working for now.

openssl speed is totally busted.  They have decided not to fix it.

To get correct data, you must use

openssl speed -elapsed -evp des3

Otherwise it gives completely useless data.



Re: Sun Ultra 1

2006-03-08 Thread Joe S

Gustavo Rios wrote:

Hey folks,

I have just installed 3.8 on my Sun desktop. It installed ok, 100% perfect.

Now, I would like to strip the kernel to the bare minimum and get X


It sounds like you come from Linux, where kernels are bloated. OpenBSD 
is not like Linux. The OpenBSD kernel is not bloated and you would not 
benefit from stripping it down. The OpenBSD kernel is very different 
from a Linux kernel and should be left alone.


If I am wrong, and you don't come from Linux, then the above still 
applies. Read the OpenBSD faq.




Fw: Why packets are not blocked - thanks

2006-03-08 Thread Jim
Thanks to all who helped solve this problem.  It has been very educational 
for me.  I knew I could find the answer here... as always.


Jim 



Fw: Why packets are not blocked

2006-03-08 Thread Jim
If I were her, and I saw these rules, I would just change my IP with 
ifconfig :D


two problems here.
1. she is not smart enough
2. dhcpd is configured to look at her mac address and always assign this ip.

cheers.
Jim 



Re: BSD Portal

2006-03-08 Thread Neil Woods
 [EMAIL PROTECTED] writes:

 For your information, the bsdportal which used to be at 

 metawire.org/~liamfoy/bsdportal

 has changed to more reliable hosting at:

 liamjfoy.freeshell.org

 Update your bookmarks! Thanks!

Thanks. So it seems I'm not the only one having problems accessing
metawire.org then?

-- 
Neil.
I think we are in Rats' Alley where the dead men lost their bones.
-- T.S. Eliot



Re: Fw: Why packets are not blocked

2006-03-08 Thread shanejp
Hey Jim,

Quoting Jim [EMAIL PROTECTED]:

 If I were her, and I saw these rules, I would just change my IP with
 ifconfig :D
 
 two problems here.
 1. she is not smart enough

I hope you mean, she is not knowledgeable enough.


Shane




This email was sent from Netspace Webmail: http://www.netspace.net.au



Re: Brain wash for live partition, or directory mirroring concept idea(s)?

2006-03-08 Thread Ted Unangst
On 2/2/06, Ted Unangst [EMAIL PROTECTED] wrote:
 On 2/2/06, Ted Unangst [EMAIL PROTECTED] wrote:
  you could start here:
  http://marc.theaimsgroup.com/?l=openbsd-tech&m=108663340015236&w=2

 i suppose the link would be more useful if you could get the code.  if
 somebody is seriously interested (as in, fixing it, not just using
 it), i can mail you a copy.

new link (same old code) http://gir.theapt.org/~tedu/nad.tgz

apologies to those who asked forever ago.



Re: Openbgpd kernel tuning

2006-03-08 Thread Henning Brauer
* Ted Unangst [EMAIL PROTECTED] [2006-03-08 23:28]:
 On 3/8/06, Matt Rowley [EMAIL PROTECTED] wrote:
   monitoring the congestion counter in pfctl -si helps a lot.
   you don't want too long queues tho, that is counterproductive.
  What are the consequences of ifq set too large?
 packets go in the queue and don't come out.

it is not that simple.

first, it burns kernel memory. tho unless you set the queue length to 
totally insane high values that should not be much of an issue.

then it can increase latency quite a bit.
packets do not get dropped early enough but just sit in the queue. tcp 
relies on packets to be dropped to adjust to available bandwidth.

last but not least, it can prevent the congestion indicator from being set 
in time and thus hurt your machine badly. details about that are on
http://bulabula.org/papers/opencon05/mgp00027.html and following slides.

there's more, but that should scare you enough :)

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
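As an added example (not from the thread or the OpenBSD tree): a small POSIX sh helper that pulls the pf "congestion" counter Henning points at out of `pfctl -si` output and flags a jump between two samples, which is the check to run before raising net.inet.ip.ifq.maxlen. The two pfctl samples embedded below are constructed for the example, with their layout modelled on `pfctl -si`; verify the field names against the running system.

```shell
#!/bin/sh
# Added example, not from the thread: watch the pf "congestion" counter that
# Henning recommends monitoring in `pfctl -si` before raising
# net.inet.ip.ifq.maxlen.  The counter only ever increases, so a jump between
# two samples means the interface input queue has been overflowing.

# congestion_count: read `pfctl -si` text on stdin, print the congestion total.
# Prints 0 if the counter line is missing (e.g. pf disabled).
congestion_count() {
    awk 'BEGIN { n = 0 } $1 == "congestion" { n = $2; exit } END { print n }'
}

# congestion_delta PREV CUR: growth between two samples; a counter reset
# (CUR < PREV, e.g. after a reboot) counts as 0 rather than a negative value.
congestion_delta() {
    if [ "$2" -lt "$1" ]; then
        echo 0
    else
        echo $(($2 - $1))
    fi
}

# congestion_verdict PREV CUR THRESHOLD: print a one-line verdict and
# return 1 when the growth reaches THRESHOLD, 0 otherwise.
congestion_verdict() {
    delta=$(congestion_delta "$1" "$2")
    if [ "$delta" -ge "$3" ]; then
        echo "congested: congestion counter grew by $delta"
        return 1
    fi
    echo "ok: congestion counter grew by $delta"
    return 0
}

# Two constructed `pfctl -si` samples (layout modelled on the real command,
# values invented).  On a router you would run:  pfctl -si | congestion_count
SAMPLE_T0='Status: Enabled for 3 days 02:11:09           Debug: Urgent

State Table                             Total             Rate
  current entries                        1423
  searches                           98123321        371.0/s
Counters
  match                               4412312         16.6/s
  bad-offset                                0            0.0/s
  memory                                    0            0.0/s
  congestion                              117            0.0/s
  ip-option                                 3            0.0/s'

SAMPLE_T1='Status: Enabled for 3 days 02:16:09           Debug: Urgent

State Table                             Total             Rate
  current entries                        1610
  searches                           98990210        371.2/s
Counters
  match                               4419977         16.6/s
  bad-offset                                0            0.0/s
  memory                                    0            0.0/s
  congestion                             2540            0.0/s
  ip-option                                 3            0.0/s'

# Demo run: compare the two samples, treating 100 new events as a warning.
if [ "${DEMO:-1}" = 1 ]; then
    prev=$(printf '%s\n' "$SAMPLE_T0" | congestion_count)
    cur=$(printf '%s\n' "$SAMPLE_T1" | congestion_count)
    congestion_verdict "$prev" "$cur" 100 ||
        echo "look at the input queue and the traffic mix before the box livelocks"
fi
```

Run it periodically (cron or a loop) and keep the previous count in a file; a growing delta with a short queue is the case where a modest ifq.maxlen increase helps, while a delta that keeps growing after the increase means the queue is just hiding the problem.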