3.9 snapshot and pflogd snaplen

2006-03-15 Thread Greg Thomas
After installing the Mar 02 snapshot I started getting "tcpdump:
WARNING: snaplen raised from 96 to 116" from my cron job that updates
a text file on my web server with pf logs.  I see that pflogd is run
with -s 116 so I changed my tcpdump cron job to also include -s 116.

I assume that changing my tcpdump command line was the proper solution?

And, secondly, if I choose to run snapshots in the future are changes
like this supposed to be on the -current web page, or is this a small
enough change that I need to be following source changes somewhere?

Thanks,
Greg
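The snaplen that pflogd was started with is recorded in the capture file itself, so a cron job can check it before calling tcpdump instead of discovering the mismatch from the warning. The following is an added example in Python (not code from this thread): it parses the pcap global header that pflogd's /var/log/pflog uses, walks the records, and reports whether a given tcpdump -s value would trigger the "snaplen raised" warning; the capture bytes it builds are a constructed test fixture, not a real pflog.

```python
"""Compare a pflogd capture's snaplen with the -s value a tcpdump job uses.

Added example, not from the original post.  pflogd writes its log in
pcap savefile format, so the snaplen it was run with (116 in the thread)
sits in the 24-byte global header.  When tcpdump reads such a file with
a smaller -s, it prints "snaplen raised from X to Y" and uses the file's
value; the check below reproduces that decision ahead of time.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # pcap magic in the writer's native byte order
DLT_PFLOG = 117          # link type pflogd records in the header


def parse_header(data):
    """Return (byte_order, snaplen, linktype) from a pcap global header."""
    if len(data) < 24:
        raise ValueError("too short for a pcap header")
    for order in ("<", ">"):           # detect byte order from the magic
        if struct.unpack(order + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("bad pcap magic")
    # version major/minor, tz offset, sigfigs, snaplen, link type
    _vmaj, _vmin, _zone, _sig, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    return order, snaplen, linktype


def iter_records(data, order):
    """Yield (caplen, wirelen) for every complete record in the file."""
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, wirelen = struct.unpack(
            order + "IIII", data[off:off + 16])
        off += 16 + caplen
        if off > len(data):
            raise ValueError("truncated record at offset %d" % (off - 16 - caplen))
        yield caplen, wirelen


def check_capture(data, tcpdump_snaplen):
    """Report what tcpdump -s tcpdump_snaplen would do with this file."""
    order, snaplen, linktype = parse_header(data)
    lens = list(iter_records(data, order))
    return {
        "linktype_is_pflog": linktype == DLT_PFLOG,
        "file_snaplen": snaplen,
        "records": len(lens),
        "max_caplen": max((c for c, _ in lens), default=0),
        # packets pflogd itself had to cut short at its own snaplen
        "cut_by_capture": sum(1 for c, w in lens if w > c),
        "tcpdump_warns": tcpdump_snaplen < snaplen,
        "use_snaplen": max(tcpdump_snaplen, snaplen),
    }


def build_capture(snaplen, packet_lengths, order="<"):
    """Construct a pcap byte string (test fixture only) with the given snaplen."""
    out = struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_PFLOG)
    for wirelen in packet_lengths:
        caplen = min(wirelen, snaplen)    # pflogd stores at most snaplen bytes
        out += struct.pack(order + "IIII", 1142440000, 0, caplen, wirelen)
        out += b"\x00" * caplen           # payload contents do not matter here
    return out


if __name__ == "__main__":
    # pflogd -s 116 wrote the file; the cron job still passes -s 96
    sample = build_capture(116, [140, 80, 116])
    for key, val in check_capture(sample, 96).items():
        print("%-18s %s" % (key, val))
```

Point the script at /var/log/pflog (read with the same privileges pflogd uses) and at the -s value from the cron job to see whether the two agree.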



Re: Where to find 3.9 snapshots

2006-03-15 Thread Ramiro Aceves
Hello Theo and others.

  not find the X stuff there. Is it a matter of waiting more time until
  they appear or is that  X will no longer be there (perhaps on ports?).

 Did you not hear us the first time?

 Look, if our project had a ton of money maybe we would be able to make
 snapshots while we are making releases, but the fact is we do NOT
 have a ton of money, so you get to wait!


Thanks for the quick reply, even more if it comes from the OpenBSD
leader. Nice to meet you. I appreciate your work on OpenBSD!
Ok, I understand. Yesterday when I was downloading the snapshot 
files, I did not find the X stuff where it used to be. I believed that
all files were uploaded at once, base system and xorg files. Sorry, I
misunderstood how snapshots are uploaded.

I will wait, no problem at all.

Regards,

Ramiro.



Re: HP ProLiant DL 385

2006-03-15 Thread Stuart Henderson
On 2006/03/15 08:24, edgarz wrote:
 Maybe you can suggest optimal configuration for mail server?
 It will be used for spam/virus filtering (~4000 mail accounts), proxy 
 server (~100 clients). I think it's enough with 1CPU DL 145 system, but 
 local dealer gives 2nd CPU for free for DL 385 :)

I won't make your decision for you, but can give you a few more things
to think about.

Mail server for 4000 accounts: this could mean a lot of different
things: it could just be forwarding mail elsewhere, it could be
handling POP3 users downloading mail, it could be handling POP3/IMAP
users leaving mail on the server (or a mixture of all of these).
This makes a big difference. Webmail interfaces can also put a big
load on the box.

The total number of users is mostly important to planning storage
capacity. It's more useful to know the total number of concurrent users:
if 90% of the userbase checks their mail at 9AM, that is what you must
plan for.

A couple of pointers though:

If you don't want to take the box down to replace a failed hard drive,
the DL385 is a much better option.

If the box is just forwarding and isn't storing user data, maybe it's
better to have a couple of the smaller boxes and CARP them.

Hope this helps.



Re: HP ProLiant DL 385

2006-03-15 Thread edgarz
My budget is limited, and that one box will be cheaper than a lot of 
cheaper per unit boxes :)
There will not be any user mail accounts, it will function as 
mail/spam/virus filter and then forward mails to pop3/imap server (which 
runs on windows) :D Existing windows server is dual 2.4ghz xeon. Now I 
have an idea about switching those server roles, xeon as mailfilter, 
opteron as pop/imap :)

Sorry for offtopic here :)






Re: using openbsd on zaurus

2006-03-15 Thread imEnsion
If all you are looking for is a small portable email client/web
browser for the road, check ebay for a really small/cheap laptop..
aka: the thinkpad 240. It is fully supported by openbsd extremely
easily. An out of the box install of openbsd easily runs on the 240
without much configuration needed. These little laptops are cheap and
reliable. The only thing which kinda sucks... when playing music, if
you use headphones, you can hear the hard drive access noises since
the laptop is so small.

That doesn't bother me much though as I whore the ipod everywhere I go anyway.

I'm hoping to use a zaurus as a full featured browser, email client
while on the road



Re: using openbsd on zaurus

2006-03-15 Thread Andrew Smith
Didier,

Here are a few things that may interest you...

Java support is pretty problematical.. the desktop benchmark of success and
compatibility for a lot of java sites would be to have J2SE in a fairly
current version running. Unfortunately to build this from source you need an
earlier version of J2SE and a number of other tools - also current J2SE
sources carry a lot of assembler, there is no ARM variant in the routines
thus implemented and no standard C implementations for them either.

The closest to having J2SE running would be the ARM Blackdown Java 1.3.1 but
that only runs on ARM Linux - I have never seen the source to this and
believe that it is closed source.

I can also state from experience of experimenting with Swing on the
Blackdown versions with ARM Linux that it is extremely slow and memory
hungry.

Mostly compilation of ports works well if the software that you are
compiling from the ports is of good quality... not all software that is in
the ports is of highest quality with regards to portability across
architectures. Interested people may correct some of these ports and make
them more portable, however, there are some elements in certain ports that
can cause real problems on some architectures. - Typical issues tend to be
byte ordering (not very common these days), assembler routines with no C
implementation for unimplemented architectures and more obscure things such
as value types (like char) which are used in signed/unsigned manner but
without being explicitly declared as such (GCC behaves differently between
various architectures for types like char where unsigned/signed isn't
specified).

Of particular note, you mentioned Firefox.. Firefox runs at around 46Mb of
RAM and isn't the greatest thing to consider running on a Zaurus.
Nevertheless I wanted to try it.. there are some issues with the portability
of the Netscape Portable Runtime libraries present in Firefox that cause the
build process to fail during the library signing stage. (actually you need
to implement some conditional stuff to identify alignment, word sizes etc
before you get to this stage).

We may understand this issue better at some stage but I don't know of anyone
that considers it to be the highest priority to implement Firefox or Mozilla
for the Zaurus. This is simply because of the runtime demands of them as
Theo mentioned.

-Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Theo de Raadt
Sent: 12 March 2006 12:38
To: Didier Wiroth
Cc: misc@openbsd.org
Subject: *** SPAM *** Re: using openbsd on zaurus 

 I'm planning to buy a zaurus sl-c3200 (the latest zaurus 3xxx model).

Please note that you would be the first person.  None of us have the
C3200 yet.

 I had a look at the latest zaurus snapshot directories (on
 ftp.openbsd.org) and saw that the choice of available pre-build
 packages is highly reduced compared to i386.

Most stuff compiles.  Much has not been tested, though

 Is it possible to compile and install any applications of the ports
 tree on a zaurus (for example firefox, thunderbird ...)?

Those two are pretty unreasonable on the Zaurus.  It isn't that fast,
and it is somewhat lacking in memory.  There is some work on minimo,
but it isn't completely reliable yet.

 Does the ports tree system work as well on a zaurus as on the i386
 platforms or may I encounter severe build problems?

As I said above, it is pretty good.  But you have to be reasonable
about how fast and capable a Zaurus is.



Re: using openbsd on zaurus

2006-03-15 Thread Andrew Smith
Oh and one other thing..

Apart from the changes to the flash ram size between the 3000 and the 3100
there were some changes to the CF handling.

Be aware that Sharp may have decided a more cost effective production scheme
for the 3200 (i.e. may have changed something unexpected) so I would err on
the side of caution and wait until somebody announces that OpenBSD is up and
running on that device before purchase.

-Andy




Security tools

2006-03-15 Thread Gaby vanhegan
Hi,

I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by  
some hackers that are using a bug I can't track down to download perl  
scripts into /tmp:

[EMAIL PROTECTED] 11:26]# cd /tmp/
[EMAIL PROTECTED] 11:26]# ls -lFa
total 76
drwxrwxrwt   2 root wheel512 Mar 15 12:21 ./
drwxr-xr-x  22 root wheel512 Jun 29  2005 ../
-rw-r--r--   1 www  wheel  0 Mar 14 22:14 .alekspwned2
-rw-r--r--   1 www  wheel  0 Mar 14 20:41 .balum
-rw-r--r--   1 www  wheel  0 Mar 13 22:36 .mladen3
-rw-r--r--   1 www  wheel321 Mar 14 20:41 alekshah
-rw-r--r--   1 www  wheel320 Mar 14 20:41 alekshah2
-rw-r--r--   1 www  wheel   3589 Mar 14 22:14 alekspwned
-rw-r--r--   1 www  wheel  19309 Mar 14 22:14 alekspwned2

I have lots of suspicious activity in /var/www/log/error_log:

  0 19309    0  1222    0     0   1222      0  0:00:15 --:--:--  0:00:15  1222
  0 19309    0  4142    0     0   4142      0  0:00:04  0:00:01  0:00:03  8414
100 19309  100 19309    0     0  19309      0  0:00:01  0:00:01 --:--:-- 17258
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01 2309k
Can't open perl script /tmp/.alekspwned: No such file or directory.
Use -S to search $PATH for it.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01  384k
Can't open perl script /tmp/.alekspwned: No such file or directory.
Use -S to search $PATH for it.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01  461k

Amongst other things, quite a few:

Can't open perl script /tmp/.mladen: No such file or directory.
Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen: No such file or directory.
Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen: No such file or directory.
Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen: No such file or directory.
Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory.
Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory.
Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory.
Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory.
Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory.
Use -S to search $PATH for it.

I believe they're exploiting a bug in apache to do remote execution  
of their code, which downloads something to /tmp (usually a script of  
some sort).  They were previously using wget, so I modified that to  
log as much information as it could to a file, but this didn't yield  
anything useful.  Now I see from the logs that they're using ftp and  
curl to download the files.

As an intermediate fix, I have mounted /tmp noexec, but this is not  
an ideal solution, and I don't want to remove ftp and curl.  I have  
installed snort (from ports) with the latest rules but this has not  
yielded much useful information.  The latest attack did come up in  
the snort logs, as a double decoding attack.  I found some data in  
the downloaded files that corresponded to a payload around the time  
of the attack.

My questions are:

1. How do I find out their attack vector?  I have had a nessus scan  
performed on the machine, but it did not present any security (I can  
supply on request).  I've checked the security releases in  
security.html and there are no pertinent ones for httpd.  Snort has  
provided little useful information (I can provide access to the snort  
logs if required).

2. If I can't stop them getting in, is there any way to observe what  
they're doing, or how they're doing it, so I can get a pointer to  
the hole.

An upgrade is in the works, and right soon too, but I'd really like  
to know what's going on here.  Some useful links:

Nessus scan: http://vanhegan.net/openbsd/nessus.txt
dmesg: http://vanhegan.net/openbsd/dmesg.txt
httpd error_log: http://vanhegan.net/openbsd/error_log
httpd access_log: http://vanhegan.net/openbsd/access_log
pkg_info: http://vanhegan.net/openbsd/pkg.list

I've run out of ideas here.  Can you help?

Gaby

--
Junkets for 
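Since snort reported the last hit as a double-decoding attack, the same pattern can be hunted for directly in httpd's access_log, which is where the request that triggered the download would appear. The following is an added example in Python, not code from the post: it percent-decodes each request URI twice, flags requests that only take shape after the second decode, contain directory traversal, or name /tmp or one of the download tools seen in the error_log, and runs over a few constructed log lines (documentation-range addresses, hypothetical CGI path).

```python
"""Flag double-encoded and /tmp-download requests in an httpd access_log.

Added example, not from the original post.  Works on Common Log Format
lines as the Apache httpd shipped with OpenBSD writes them.  Each request
URI is percent-decoded twice: if the second pass still changes something,
the client sent doubly encoded data, which is how a "double decoding"
evasion slips past a filter that decodes only once.  The sample log lines
below are constructed for this demo.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Download tools the error_log in the thread showed being run by httpd.
FETCH_TOOLS = ("wget ", "curl ", "ftp ")


def classify_uri(uri):
    """Return the reasons a request URI looks hostile (empty list if none)."""
    once = unquote(uri)
    twice = unquote(once)
    reasons = []
    if twice != once:                      # payload hidden behind %25xx
        reasons.append("double-encoded")
    if "../" in twice or "..\\" in twice:  # traversal after full decoding
        reasons.append("traversal")
    lowered = twice.lower()
    if "/tmp" in lowered:                  # drop location used in the thread
        reasons.append("tmp-path")
    if any(tool in lowered for tool in FETCH_TOOLS):
        reasons.append("fetch-tool")
    return reasons


def scan_log(lines):
    """Parse CLF lines and return one finding dict per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not CLF; skip rather than guess
        reasons = classify_uri(m.group("uri"))
        if reasons:
            findings.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "uri": m.group("uri"),
                "decoded": unquote(unquote(m.group("uri"))),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


# Constructed sample: two ordinary requests, then two matching the pattern.
# /cgi-bin/example.cgi is a hypothetical script name, not one from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2006:20:40:12 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.11 - - [14/Mar/2006:20:40:30 +0000] "GET /search?q=50%25%20off HTTP/1.1" 200 811',
    '198.51.100.7 - - [14/Mar/2006:20:41:02 +0000] "GET /cgi-bin/example.cgi'
    '?p=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.0" 404 210',
    '198.51.100.7 - - [14/Mar/2006:22:14:05 +0000] "GET /cgi-bin/example.cgi'
    '?p=curl%2520-o%2520%252ftmp%252f.x HTTP/1.0" 200 0',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%s %s %s -> %r" % (f["time"], f["host"], ",".join(f["reasons"]), f["decoded"]))
```

Feed the real /var/www/logs/access_log through scan_log and correlate the timestamps of the hits with the mtimes of the files in /tmp to narrow the request that delivered them.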

Re: Reminder about the X Aperture

2006-03-15 Thread Alexander Bochmann
...on Tue, Mar 14, 2006 at 05:41:44PM -0700, Theo de Raadt wrote:

Yes, they have DMA engines.  If the privilege separate X server has a
bug, it can still wiggle the IO registers of the card to do DMA to
physical addresses, entirely bypassing system security.
   Wow. As if running a binary blob was not bad enough, video card  
   binary blobs are suddenly found to be all-powerful.
  This issue is not about binary blobs for video cards.

Using GPU shader programs to read from main 
memory was one of the ways mentioned as a 
possible attack on the XBox 360 security system 
in a presentation at 22C3 last year, though 
limited by the system's memory encryption in 
that case.

(Could well be contained in some binary blob, 
but that's another issue.)

Alex.



Re: using openbsd on zaurus

2006-03-15 Thread Pete Vickers



Hi,


dreaming

For faster cpu, and many built-in goodies, I believe a similar cpu  
(intel pxa270) is also used in the Qtek 9000 PDA:
http://www.qtekcorp.com/products.aspx?Level1=1&Menu1=0&Model=22&Submenu=2


including:
Intel XScale @ 520Mhz
640x480x65k touchscreen and QWERTY keyboard
GSM/GPRS/UMTS radio; 802.11b radio;
64MB RAM (128MB ROM) + SDIO/MMC card for decent flash disk.
mini-USB, IRDA, bluetooth.
2x loudspeakers/headphone, 1.3Mp camera.

/dreaming

obviously I'm aware cpu != machine etc etc.

I guess it would just be a case of buy 3 ( one for me, and 2 for obsd  
devs) and hope that sufficient documentation would prevail...


/Pete



Re: HP ProLiant DL 385

2006-03-15 Thread Pierre-Yves Ritschard
Here's my feedback on the DL385 on a recent 3.9 snapshot.
It's a ULTRA 320 SCSI/RAID version.

What works: everything but RAID management through bioctl, I hope
to find a way to at least retrieve RAID status. 

The RAID array is super fast but I haven't tried anything but stress to
test the machine.
I'm running an i386 MP kernel since IRQ routing is faster than on the
amd64 version.
There are two additional NICs on the box.

OpenBSD 3.9 (GENERIC.MP) #597: Tue Feb 28 20:51:43 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: AMD Opteron(tm) Processor 252 (AuthenticAMD 686-class, 1024KB L2 cache) 
2.61 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
real mem  = 1073291264 (1048136K)
avail mem = 972595200 (949800K)
using 4278 buffers containing 53768192 bytes (52508K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1600 0xee000/0x2000
mainbus0: Intel MP Specification (Version 1.4) (HP   PROLIANT)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Powernow: TS FID VID TTP
cpu0: apic clock running at 200 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Opteron(tm) Processor 252 (AuthenticAMD 686-class, 1024KB L2 cache) 
2.61 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
mainbus0: bus 0 is type PCI   
mainbus0: bus 1 is type PCI   
mainbus0: bus 2 is type PCI   
mainbus0: bus 3 is type PCI   
mainbus0: bus 4 is type PCI   
mainbus0: bus 5 is type PCI   
mainbus0: bus 6 is type PCI   
mainbus0: bus 32 is type ISA   
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 24 pins
ioapic1 at mainbus0: apid 5 pa 0xfec1, version 11, 4 pins
ioapic2 at mainbus0: apid 6 pa 0xfec2, version 11, 4 pins
ioapic3 at mainbus0: apid 7 pa 0xfdc0, version 11, 4 pins
ioapic4 at mainbus0: apid 8 pa 0xfdc1, version 11, 4 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
ppb0 at pci0 dev 3 function 0 AMD 8111 PCI-PCI rev 0x07
pci1 at ppb0 bus 1
ohci0 at pci1 dev 0 function 0 AMD 8111 USB rev 0x0b: apic 4 int 19 (irq 5), 
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: AMD OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci1 dev 0 function 1 AMD 8111 USB rev 0x0b: apic 4 int 19 (irq 5), 
version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: AMD OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
Compaq iLO rev 0x01 at pci1 dev 2 function 0 not configured
Compaq iLO rev 0x01 at pci1 dev 2 function 2 not configured
vga1 at pci1 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 4 function 0 AMD AMD8111 LPC rev 0x05
pciide0 at pci0 dev 4 function 1 AMD 8111 IDE rev 0x03: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E, 9.9A SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
amdpm0 at pci0 dev 4 function 3 AMD 8111 Power rev 0x05: rng active
iic0 at amdpm0
ppb1 at pci0 dev 7 function 0 AMD 8131 PCIX rev 0x12
pci2 at ppb1 bus 2
ciss0 at pci2 dev 4 function 0 Compaq Smart Array 64xx rev 0x01: apic 5 int 0 
(irq 7)
ciss0: 1 LD, HW rev 1, FW 2.36/2.36
scsibus1 at ciss0: 1 targets
sd0 at scsibus1 targ 0 lun 0: HP, LOGICAL VOLUME, 2.36 SCSI0 0/direct fixed
sd0: 69459MB, 69459 cyl, 64 head, 32 sec, 512 bytes/sec, 142253280 sec total
AMD 8131 PCIX IOAPIC rev 0x01 at pci0 dev 7 function 1 not configured
ppb2 at pci0 dev 8 function 0 AMD 8131 PCIX rev 0x12
pci3 at ppb2 bus 3
bge0 at pci3 dev 6 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0 
(0x2100): apic 6 int 0 (irq 7), address 00:14:c2:40:66:0c
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 6 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0 
(0x2100): apic 6 int 1 (irq 10), address 00:14:c2:40:66:0b
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
AMD 8131 PCIX IOAPIC rev 0x01 at pci0 dev 8 function 1 not configured
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pci4 at pchb0 bus 4
ppb3 at pci4 dev 9 function 0 AMD 8131 PCIX rev 0x12
pci5 at ppb3 bus 5
em0 at pci5 dev 8 function 0 Intel PRO/1000 (82542) rev 0x02: apic 7 int 0 
(irq 7), address 00:90:27:c2:2a:a6
AMD 8131 PCIX IOAPIC rev 0x01 at pci4 dev 9 function 1 not configured
ppb4 

Re: Reminder about the X Aperture

2006-03-15 Thread Andrew Ng
The current slogan for 3.8 is "Free, Functional & Secure". My opinion
is that it presents the project goals well in 4 simple words. It is not
boastful, remember "Nothing is Impossible", or aims to create false
belief/concept. We have our fair share of those, just switch on your TV.

Theo and others did and are still doing a great job in sticking to the
project goals. I didn't know how the "Secure By Default" phrase came
about; I do agree that it can be misleading for your case. You could
refer your mother or nontechnical friends to the Project Goals page (not
too long, 2 pages on my system). Also, I believe Theo and others would
give it some consideration if you can come up with a better slogan.

Regards

On Tue, 14 Mar 2006 18:40:13 -0800, J.C. Roberts [EMAIL PROTECTED]
said:
 On Tue, 14 Mar 2006 17:50:31 -0700, Darrin Chandler
 [EMAIL PROTECTED] wrote:
 
 The often used OpenBSD phrase Secure By Default actually encourages
 the lazy attitudes and lack of learning. Worse yet, Secure By Default
 is fairly misleading since systems are always secured by knowledge,
 effort and dedication.
   
 
 I don't think Secure by Default is a bad thing. Neither perceptually 
 nor in practice. I really like the ability to bring up an OpenBSD box on 
 a public IP without much concern that it'll get hacked in 30 minutes.
 
 It seems I failed to be clear. Having sane default settings is a good
 thing. I very much enjoy and appreciate both the utility and the
 bragging rights of Secure By Default as much (if not more) than most
 OpenBSD users.
 
 The sane default settings we enjoy have come from a process of looking at
 things critically so as to better understand all the implications.
 
 The point I failed to be clear on, is I think the same process of
 critical thinking and understanding implications should also be applied
 to the rhetoric we use for promotion.
 
 Go ask your mom or a nontechnical friend what she thinks when she hears
 an operating system is secure by default? Ask her what it implies? Ask
 her what she thinks it will require from her?
 
 My mom, in her late 60's, hates computers, hates the web, hates email
 and has no interest in learning about computers but nonetheless, she
 uses OpenBSD daily for web access and email. Her replies to those
 questions were quite enlightening.
 
 kind regards,
 JCR
 
-- 
  Andrew Ng
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - A fast, anti-spam email service.



Re: Reminder about the X Aperture

2006-03-15 Thread Robert Jacobs
I think the slogan "Secure by default" is an excellent description of
OpenBSD. It implies that it is secure out of the box, and can only be
made less secure by the user. As soon as you deviate from the default
you are obviously losing security points. Just my 2.


Robert



Re: Here we go - more nonesence out changein things (was: Reminder about the X Aperture)

2006-03-15 Thread Andrew Ng
Hi Chris,

cool it. I think you meant "nimrod". I said "I believe Theo and others
would give it some consideration ...", I didn't say they must or have
to.

Regards

On Wed, 15 Mar 2006 08:11:49 -0600, Chris [EMAIL PROTECTED] said:
 Andrew Ng wrote:
  The current slogan for 3.8 is Free, Functional  Secure. My opinion
  is that it presents the project goals well in 4 simple words. It is not
  boastful, remember Nothing is Impossible, or aims to create false
  belief/concept. We have our fair share of those, just switch on your TV.
  
  Theo and others did and are still doing a great job in sticking to the
  project goals. Didn't know how the Secure By Default phrase came
  about, I do agree that it can be misleading for your case. You could
  refer your mother or nontechnical friends to the Project Goals page(not
  too long, 2 pages on my system). Also, I believe Theo and others would
  give it some consideration if you can come up with a better slogan.
 
 Last I recall - Secure by Default was based on a default installation. 
 And if I recall, it's stated on the site.  If users can't take the time 
 to read what's here - they should not run something as complex as ANY
 Unix.
 
 So, why is everyone out to change everything and anything about the
 BSD's?
 
 First it was NetBSD and its logo, then FreeBSD went and did something 
 likewise, now we have this nimbrod suggesting to someone that he/she 
 ought to come up with a new slogan - and that project would do well to 
 consider it?!
 
 If the project team feels things are great as is, leave it alone. 
 Besides, don't you have more to do with your life than to start some 
 crusade about nothing that needs to be changed?
 
 Life calls - you should answer mate.
 
 Regards,
 
 Chris
 
-- 
  Andrew Ng
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - mmm... Fastmail...



Re: Security tools

2006-03-15 Thread Darrin Chandler


Are you running Apache chroot?

--
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Can I disable AAAA queries in the resolver?

2006-03-15 Thread Mikolaj Kucharski
Hi,

Question like in topic. I'm currently in Cork, Ireland and in every
internet cafe here routers drop `AAAA' queries, which results in
slow DNS resolving:

$ time host openbsd.org
openbsd.org has address 199.185.137.3
;; connection timed out; no servers could be reached
openbsd.org mail is handled by 6 shear.ucar.edu.
openbsd.org mail is handled by 10 cvs.openbsd.org.
0m10.48s real 0m0.00s user 0m0.00s system

Above we see a 10 second delay, but with Firefox it takes __hours__ to
do something useful. Is there any possibility to disable those `AAAA'
queries via resolv.conf(5) or the $RES_OPTIONS variable?

PS. Maybe someone knows DNS servers from `eircom.net'.

-- 
best regards
q#



Here we go - more nonesence out changein things (was: Reminder about the X Aperture)

2006-03-15 Thread Roger Neth Jr
On 3/15/06, Andrew Ng [EMAIL PROTECTED] wrote:
 Hi Chris,

 cool it. I think you meant nimrod. I said I believe Theo and others
 snip

Can anyone guess who nimrod was in history? : )

rogern

John 3:16



Re: OBPkg (Port/Package installer)

2006-03-15 Thread Felipe Scarel
404 Not Found... is the URI correct?

On 3/14/06, Steffen Wendzel [EMAIL PROTECTED] wrote:

 Hi,

 I wrote an unofficial front-end for the installation of ports
 and packages under OpenBSD. It is Gtk+-2 based (you need v. 2.6
 or newer).

 You can install local ports, local packages (e.g. mounted CD-ROM)
 and packages from FTP. It also supports universe package mirrors
 that can include unofficial packages. You can use these unofficial
 mirrors to provide more packages for OpenBSD than are currently available.
 This is just an idea, I hope it works and I stole this idea from
 the Ubuntu project. They have a tool called 'synaptic' (or so) and
 this supports such 'universe' packages -- a good thing, they now
 have thousands of additional unofficial packages.

 You can find the software here:
 http://www.doomed-reality.org/projekte/obpkg/description.html

 hope some of you will like it,

 Steffen


 --
 cdp.doomed-reality.org

 Phantasie ist wichtiger als Wissen, denn Wissen ist begrenzt.
   -- Einstein




--

  Felipe Brant Scarel
  PATUX/OpenBSD Project Leader (http://www.patux.cic.unb.br)



Re: Here we go - more nonesence out changein things (was: Reminder about the X Aperture)

2006-03-15 Thread Andrew Ng
http://dictionary.reference.com/search?q=nimrod

On Wed, 15 Mar 2006 07:59:26 -0800, Roger Neth Jr [EMAIL PROTECTED]
said:
 On 3/15/06, Andrew Ng [EMAIL PROTECTED] wrote:
  Hi Chris,
 
  cool it. I think you meant nimrod. I said I believe Theo and others
  snip
 
 Can anyone guess who nimrod was in history? : )
 
 rogern
 
 John 3:16
 
-- 
  Andrew Ng
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - The professional email service



Re: OBPkg (Port/Package installer)

2006-03-15 Thread Steffen Wendzel
hmm.. no, someone changed our site to ../site. thanks for that hint
the right link is

http://www.doomed-reality.org/site/projekte/obpkg/description.html

steffen


On Wed, 15 Mar 2006 12:51:29 -0300 Felipe Scarel [EMAIL PROTECTED] wrote:

: 404 Not Found... is the URI correct?
: 
: On 3/14/06, Steffen Wendzel [EMAIL PROTECTED] wrote:
: 
:  Hi,
: 
:  I wrote an unofficial front-end for the installation of ports
:  and packages under OpenBSD. It is Gtk+-2 based (you need v. 2.6
:  or newer).
: 
:  You can install local ports, local packages (e.g. mounted CD-ROM)
:  and packages from FTP. It also supports universe package mirrors
:  that can include unofficial packages. You can use these unofficial
:  mirrors to provide more packages for OpenBSD than are currently available.
:  This is just an idea, I hope it works and I stole this idea from
:  the Ubuntu project. They have a tool called 'synaptic' (or so) and
:  this supports such 'universe' packages -- a good thing, they now
:  have thousands of additional unofficial packages.
: 
:  You can find the software here:
:  http://www.doomed-reality.org/projekte/obpkg/description.html
: 
:  hope some of you will like it,
: 
:  Steffen
: 
: 
:  --
:  cdp.doomed-reality.org
: 
:  Phantasie ist wichtiger als Wissen, denn Wissen ist begrenzt.
:-- Einstein
: 
: 
: 
: 
: --
: 
:   Felipe Brant Scarel
:   PATUX/OpenBSD Project Leader (http://www.patux.cic.unb.br)
: 


-- 
cdp.doomed-reality.org

Phantasie ist wichtiger als Wissen, denn Wissen ist begrenzt.
  -- Einstein



Re: OBPkg (Port/Package installer)

2006-03-15 Thread Martin Schröder
On 2006-03-14 14:37:20 +, Steffen Wendzel wrote:
 hope some of you will like it,

Sounds interesting. Any hope of making it an official
OpenBSD port?

Best
Martin
-- 
http://www.tm.oneiros.de



anoncvs + OPENBSD_3_9_BASE

2006-03-15 Thread Didier Wiroth
Hi,

I unsuccessfully tried to retrieve the OPENBSD_3_9_BASE via anoncvs.
At this time, is this tag blocked/denied until the official release or is it 
possible to download them?

Thank you
Didier



Re: Here we go - more nonesence out changein things (was: Reminder about the X Aperture)

2006-03-15 Thread unixadmin99
On 15/03/06, Roger Neth Jr [EMAIL PROTECTED] wrote:
 On 3/15/06, Andrew Ng [EMAIL PROTECTED] wrote:
  Hi Chris,
 
  cool it. I think you meant nimrod. I said I believe Theo and others
  snip

 Can anyone guess who nimrod was in history? : )

 rogern

 John 3:16


RTFM.
Gen. 10:8-10
http://www.htmlbible.com/kjv30/B01C010.htm#N8
Gosh. even you should know :)
*smiles*

--
~michael



Re: Here we go - more nonesence out changein things (was: Reminder about the X Aperture)

2006-03-15 Thread Roger Neth Jr
On 3/15/06, unixadmin99 [EMAIL PROTECTED] wrote:
 On 15/03/06, Roger Neth Jr [EMAIL PROTECTED] wrote:
  On 3/15/06, Andrew Ng [EMAIL PROTECTED] wrote:
   Hi Chris,
  
   cool it. I think you meant nimrod. I said I believe Theo and others
   snip
 
  Can anyone guess who nimrod was in history? : )
 
  rogern
 
  John 3:16
 
 
 RTFM.
 Gen. 10:8-10
 http://www.htmlbible.com/kjv30/B01C010.htm#N8
 Gosh. even you should know :)
 *smiles*

 --
 ~michael



God Bless you

rogern

Romans 12:14



Re: anoncvs + OPENBSD_3_9_BASE

2006-03-15 Thread David T Harris
I believe that all access to any 3.9 installation
files via ftp/cvs etc... is not available currently
and will not be available in the future until
3.9 is released.  



Re: Reminder about the X Aperture

2006-03-15 Thread Daniel Ouellet
Sorry for my ignorance on the subject and this issue and the use of X
altogether.


Not critical whatsoever by any long shot, but I was curious as to whether
there is some window manager that actually DOES NOT need any of the X stuff
at all?


Meaning something that obviously will not be like KDE or GNOME for
sure, not even remotely close to it, but anything like that, that works
well and doesn't need ANY X stuff? Doesn't need or use the aperture stuff
either?


I hope my question makes some kind of sense.

What's your favorite, if any actually exists?

Thanks

Daniel

PS: I guess my total ignorance on that specific subject shows, right! (:



Re: HP ProLiant DL 385

2006-03-15 Thread Morten Liebach
On 2006-03-14 23:36:15 +, Stuart Henderson wrote:
 On 2006/03/14 22:50, Srebrenko Sehic wrote:
  On 3/14/06, edgarz [EMAIL PROTECTED] wrote:
 NB the DL145 are neither hotswap nor simple-swap: you must open the case
 to gain access to the drives. On the + side, it does have IPMI and lights
 out (NIC and serial-based too if you get the single [shared] serial port
 assigned correctly in BIOS).

The iLO on the DL 145 is a barebones version, entirely unlike what you
get on the DL 38x and DL 36x models.  I'd avoid it if at all possible.

Have a nice day
 Morten

-- 
http://m.mongers.org/weblog/



Re: Here we go - more nonesence out changein things (was: Reminder about the X Aperture)

2006-03-15 Thread Greg Thomas
On 3/15/06, Roger Neth Jr [EMAIL PROTECTED] wrote:
 On 3/15/06, unixadmin99 [EMAIL PROTECTED] wrote:
  On 15/03/06, Roger Neth Jr [EMAIL PROTECTED] wrote:
   On 3/15/06, Andrew Ng [EMAIL PROTECTED] wrote:
Hi Chris,
   
cool it. I think you meant nimrod. I said I believe Theo and others
snip
  
   Can anyone guess who nimrod was in history? : )
  
   rogern
  
   John 3:16
  
  
  RTFM.
  Gen. 10:8-10
  http://www.htmlbible.com/kjv30/B01C010.htm#N8
  Gosh. even you should know :)
  *smiles*
 
  --
  ~michael
 
 

 God Bless you

 rogern

 Romans 12:14


Can you please keep this mythical superstitious stuff private?

Greg



Re: Reminder about the X Aperture

2006-03-15 Thread Will H. Backman

Daniel Ouellet wrote:
Sorry for my ignorance on the subject and this issue and the use of X
altogether.


Not critical whatsoever by any long shot, but I was curious as to whether
there is some window manager that actually DOES NOT need any of the X stuff
at all?


Meaning something that obviously will not be like KDE or GNOME for
sure, not even remotely close to it, but anything like that, that works
well and doesn't need ANY X stuff? Doesn't need or use the aperture stuff
either?


I hope my question makes some kind of sense.

What's your favorite, if any actually exists?

Thanks

Daniel

PS: I guess my total ignorance on that specific subject shows, right! (:



The only one that comes to mind is screen, but I don't think it is 
what you are looking for.




Re: HP ProLiant DL 385

2006-03-15 Thread Daniel Ouellet

Just my own feedback on this.

I have both the DL 145 and the DL 145 G2. The first generation was much
better, to the point that I looked at alternatives to the G2 version.


I got the IBM 326m and I have to say each day makes me wonder why I got
the HP to start with.


So far the IBM beats the new G2 of HP all across the board.

Just my own feedback on the DL 145 version. I do not have the DL 385, so 
for that one, I have nothing to say!


Regards,

Daniel



3.8 kernel with RAIDframe seg.faults during build

2006-03-15 Thread Anthony Howe
I've done this once before a while back with 3.6 and never had any 
trouble. Now I'm doing it for a different machine using 3.8, but all of 
a sudden I'm getting a seg.fault during the kernel build.


I include the following below:

a) The last few lines before the seg.fault.
b) my difference between GENERIC and RAID as a patch file
c) dmesg

I've chosen to hard code my disk controller (SATA) and the disks for 
the kernel.


-
sh /usr/src/sys/arch/i386/compile/RAID/../../../../conf/newvers.sh
cc  -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes 
-Wno-uninitialized -Wno-format -Wno-main  -fno-builtin-printf 
-fno-builtin-log -O2 -pipe -nostdinc -I. 
-I/usr/src/sys/arch/i386/compile/RAID/../../../../arch 
-I/usr/src/sys/arch/i386/compile/RAID/../../../.. -DDDB -DDIAGNOSTIC 
-DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM 
-DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_35 -DCOMPAT_43 -DLKM -DFFS 
-DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DXFS -DTCP_SACK 
-DTCP_ECN -DTCP_SIGNATURE -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF 
-DMSDOSFS -DFDESC -DFIFO -DPORTAL -DPROCFS -DINET -DALTQ -DINET6 -DIPSEC 
-DPPP_BSDCOMP -DPPP_DEFLATE -DBOOT_CONFIG -DI386_CPU -DI486_CPU 
-DI586_CPU -DI686_CPU -DUSER_PCICONF -DUSER_LDT -DAPERTURE -DCOMPAT_SVR4 
-DCOMPAT_IBCS2 -DCOMPAT_LINUX -DCOMPAT_FREEBSD -DCOMPAT_BSDOS 
-DCOMPAT_AOUT -DACPIVERBOSE -DPCIVERBOSE -DEISAVERBOSE -DUSBVERBOSE 
-DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD 
-DWSDISPLAY_DEFAULTSCREENS=6 -DWSDISPLAY_COMPAT_PCVT -DPCIAGP 
-DRAID_AUTOCONFIG -D_KERNEL -Di386  -c vers.c

rm -f bsd
ld -Ttext 0xD0100120 -e start -N -S -x -o bsd ${SYSTEM_OBJ} vers.o
Segmentation fault
*** Error code 139

Stop in /usr/src/sys/arch/i386/compile/RAID (line 713 of Makefile).

-RAID.patch
*** GENERIC Tue Aug 16 20:31:49 2005
--- RAIDWed Mar 15 21:04:03 2006
***
*** 348,353 
--- 348,357 
  # IDE controllers
  pciide* at pci? flags 0x

+ pciide0 at pci? dev ? function ? flags 0x
+ wd0 at pciide0 channel 0 drive 0 flags 0x
+ wd1 at pciide0 channel 1 drive 0 flags 0x
+
  wdc0  at isa? port 0x1f0 irq 14 flags 0x00
  wdc1  at isa? port 0x170 irq 15 flags 0x00
  wdc*  at pcmcia?
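Review bot: the hard-wired locators agree with the GENERIC dmesg further down (pciide0 at pci1 dev 8 function 0, wd0 at pciide0 channel 0 drive 0, wd1 at pciide0 channel 1 drive 0), and the wildcard `pciide* at pci? flags ...` entry is kept, so this hunk only pins unit numbers; it does not change which devices attach and has nothing to do with the link failure. Also check the real file: every flags value here, including the existing pciide* line, appears as a bare `0x`, which as quoted would not be a valid hex literal, so the listing looks truncated.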
***
*** 604,610 
  pseudo-device mtrr1   # Memory range attributes control
  pseudo-device nvram   1
  pseudo-device sequencer   1
! #pseudo-deviceraid4   # RAIDframe disk driver
  pseudo-device bio 1   # ioctl multiplexing device
  pseudo-device hotplug 1   # devices hot plugging

--- 608,615 
  pseudo-device mtrr1   # Memory range attributes control
  pseudo-device nvram   1
  pseudo-device sequencer   1
! pseudo-device raid4   # RAIDframe disk driver
! option  RAID_AUTOCONFIG
  pseudo-device bio 1   # ioctl multiplexing device
  pseudo-device hotplug 1   # devices hot plugging
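Review bot: this hunk is accepted by config(8) as written: the cc line above already carries -DRAID_AUTOCONFIG and the build reaches the final `ld -Ttext 0xD0100120 ... -o bsd` step before the segmentation fault, so the RAID_AUTOCONFIG option and the raid pseudo-device are not what is crashing; the failure is in the linker itself. Re-running that ld command by hand in the compile directory, and comparing with a plain GENERIC build on the same host, would separate a toolchain or memory problem from a config problem.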

-dmesg
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 864 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

real mem  = 65445888 (63912K)
avail mem = 52174848 (50952K)
using 824 buffers containing 3375104 bytes (3296K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(46) BIOS, date 11/27/00, BIOS32 rev. 0 @ 0xe7300
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xe7300/0x8d00
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf6610/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801AA LPC rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xa000 0xca000/0x4800 0xe/0x1!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82815 Hub rev 0x02: rng active, 
8Kb/sec
vga1 at pci0 dev 2 function 0 Intel 82815 Graphics rev 0x02: aperture 
at 0x4400, size 0x400

wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
pciide0 at pci1 dev 8 function 0 CMD Technology SiI3512 SATA rev 0x01: DMA
pciide0: using irq 5 for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: Maxtor 6L080M0
wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 6
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: Maxtor 6L080M0
wd1: 16-sector PIO, LBA, 78167MB, 160086528 sectors
wd1(pciide0:1:0): using BIOS timings, Ultra-DMA mode 6
rl0 at pci1 dev 9 function 0 Realtek 8139 rev 0x10: irq 9 address 
00:40:f4:53:dd:73

rlphy0 at rl0 phy 0: RTL internal phy
ichpcib0 at 

raidFrame creating error: sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28

2006-03-15 Thread Adam PAPAI

Hello misc,

I have an IBM xSeries 335 machine with Dual Xeon processor and 2x73GB 
SCSI Seagate Barracuda 10K rpm disc. I run OpenBSD 3.8 on it.


When I'm creating the raid array (raidctl -iv raid0), I get the 
following error message:


sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28
SENSE KEY: Media Error
 INFO: 0x224c10c (VALID flag on)
 ASC/ASCQ: Read Retries Exhausted
 SKSV: Actual Retry Count: 63
raid0: IO Error.  Marking /dev/sd0d as failed.
raid0: node (Rod) returned fail, rolling backward
Unable to verify raid1 parity: can't read stripe.
Could not verify parity.


I tried it with 2x36GB SCSI but got the same error. Any suggestions?
Thanks in advance.

my raid0.conf:
START array
1 2 0

START disks
/dev/sd0d
/dev/sd1d
START layout
128 1 1 1
START queue
fifo 100


My dmesg:

OpenBSD 3.8-stable (GENERIC.MP) #0: Wed Mar 15 22:06:08 CET 2006

[EMAIL PROTECTED]:/mnt/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(TM) CPU 2.00GHz (GenuineIntel 686-class) 2 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,C

NXT-ID
real mem  = 1073168384 (1048016K)
avail mem = 971759616 (948984K)
using 4278 buffers containing 5376 bytes (52500K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(fb) BIOS, date 06/09/05, BIOS32 rev. 0 @ 0xfd7d1
pcibios0 at bios0: rev 2.1 @ 0xf/0x
pcibios0: PCI BIOS has 8 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 9 10 11 15
pcibios0: PCI Interrupt Router at 000:15:0 (ServerWorks CSB5 
SouthBridge rev 0x00)

pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1600 0xc9600/0x4000
mainbus0: Intel MP Specification (Version 1.4) (IBM ENSW TURQUIOSESMP)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99 MHz
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(TM) CPU 2.00GHz (GenuineIntel 686-class)
cpu1: FPU,CX8,APIC,CNXT-ID
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type ISA
ioapic0 at mainbus0: apid 14 pa 0xfec0, version 11, 16 pins
ioapic1 at mainbus0: apid 13 pa 0xfec01000, version 11, 16 pins
ioapic2 at mainbus0: apid 12 pa 0xfec02000, version 11, 16 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 ServerWorks CMIC_LE Host rev 0x13
pchb1 at pci0 dev 0 function 1 ServerWorks CMIC_LE Host rev 0x00
pchb2 at pci0 dev 0 function 2 vendor ServerWorks, unknown product 
0x rev 0x00

pci1 at pchb2 bus 1
mpt0 at pci1 dev 1 function 0 Symbios Logic 53c1030 rev 0x07: apic 13 
int 6 (irq 9)

mpt0: sending FW Upload request to IOC (size: 36, img size: 69956)
mpt0: IM support: 4
scsibus0 at mpt0: 16 targets
sd0 at scsibus0 targ 0 lun 0: FUJITSU, MAT3073NC, 0108 SCSI3 0/direct 
fixed

sd0: 70136MB, 78753 cyl, 2 head, 911 sec, 512 bytes/sec, 143638992 sec total
sd1 at scsibus0 targ 1 lun 0: FUJITSU, MAT3073NC, 0108 SCSI3 0/direct 
fixed

sd1: 70136MB, 78753 cyl, 2 head, 911 sec, 512 bytes/sec, 143638992 sec total
mpt0: target 0 Synchronous at 160MHz width 16bit offset 127 QAS 0 DT 1 IU 1
mpt0: target 1 Synchronous at 160MHz width 16bit offset 127 QAS 0 DT 1 IU 1
vga1 at pci0 dev 1 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb3 at pci0 dev 15 function 0 ServerWorks CSB5 SouthBridge rev 0x93
pci2 at pchb3 bus 3
pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: TEAC, CD-224E, 2.9B SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: 
apic 14 int 11 (irq 11), version 1.0, legacy support

usb0 at ohci0: USB revision 1.0
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
pcib0 at pci0 dev 15 function 3 ServerWorks CSB5 PCI rev 0x00
pchb4 at pci0 dev 17 function 0 ServerWorks CIOBX2 rev 0x03
pchb5 at pci0 dev 17 function 2 ServerWorks CIOBX2 rev 0x03
pci3 at pchb5 bus 2
bge0 at pci3 dev 1 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2 
(0x1002): apic 13 int 8 (irq 3) address 00:09:6b:8c:

51:9e
brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
bge1 at pci3 dev 2 function 0 Broadcom BCM5703X rev 0x02, BCM5703 A2 
(0x1002): apic 13 int 9 (irq 4) address 00:09:6b:8c:

51:9f
brgphy1 at bge1 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
fdc0 at isa0 port 0x3f0/6 irq 

Re: Reminder about the X Aperture

2006-03-15 Thread Roger Neth Jr
On 3/15/06, Will H. Backman [EMAIL PROTECTED] wrote:
 Daniel Ouellet wrote:
  Sorry for my ignorance on the subject and this issue and the use of X
  altogether.
 
  Not critical whatsoever by any long shot, but I was curious as to whether
  there is some window manager that actually DOES NOT need any of the X stuff
  at all?
 
  Meaning something that obviously will not be like KDE or GNOME for
  sure, not even remotely close to it, but anything like that, that works
  well and doesn't need ANY X stuff? Doesn't need or use the aperture stuff
  either?
 
  I hope my question makes some kind of sense.
 
  What's your favorite, if any actually exists?
 
  Thanks
 
  Daniel
 
  PS: I guess my total ignorance on that specific subject shows, right! (:
 

 The only one that comes to mind is screen, but I don't think it is
 what you are looking for.



Hello,

I like the default xdm on OpenBSD, and if there is no need for X I just
install without X and use console mode.

rogern

Romans 6:23



Re: Reminder about the X Aperture

2006-03-15 Thread Joachim Schipper
On Wed, Mar 15, 2006 at 02:24:41PM +, Robert Jacobs wrote:
 I think the slogan Secure by default is an excellent description of
 OpenBSD.
 It implies that it is secure out of the box, and can only be made less
 secure by the user. As soon as you deviate from the default you are
 obviously losing security points. Just my 2.

You *are* aware that the defaults will leave you without an OS at all?
Secure indeed! ;-)

(Okay, now I'm just perpetuating the silliness...)

Joachim



Re: Here we go - more nonesence out changein things (was: Reminder about the X Aperture)

2006-03-15 Thread Roger Neth Jr
On 3/15/06, unixadmin99 [EMAIL PROTECTED] wrote:
  God Bless you
 
  rogern
 
  Romans 12:14
 
 C'mon Roger,
 Even you must have found a hint of humour in my reply. Oh and guess
 what... The list has just found yet another resource:
 http://www.htmlbible.com/kjv30
 Surely that deserves a few brownie points. :o)

 --
 ~michael

Hello Michael,

I installed a kjv program bible on OpenBSD.

To Greg

Matthew 4:4

rogern

John 3:16



Re: HP ProLiant DL 385

2006-03-15 Thread Stuart Henderson
On 2006/03/15 15:19, Daniel Ouellet wrote:
 Just my own feedback on the DL 145 version. I do not have the DL 385, so 
 for that one, I have nothing to say!

DL385 is much better than the DL145 (if you don't need 1U).

Fujitsu-Siemens also have kit which looks good (they tend to use
ami RAID on the SCSI models) - only a few are AMD though (no wonder they
also sell water-cooled racks!).



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Brandon Mercer

Anon wrote:

Hello :)

My questions can be summarised as :
1) What is the easiest way to install php in CGI mode on OBSD?
2) Why doesn't OBSD have a package for php that includes the CGI version?
3) Why doesn't OBSD have a suphp package? Is there any special reason?

I ask these questions because suphp (http://www.suphp.net) is a program that 
switches the uid of php scripts run under apache, so they run as uid of the 
script owner instead of uid of the webserver. This makes it similar to SuEXEC, 
a very well known security program that does the same thing for perl scripts, 
and is included in the OBSD system. I find it critical to have as a security 
tool, because without it any local user can use php scripts to send mail as 
'nobody' or 'www' - without much in the way of logs, and they can also browse 
the files of other users via scripts... and generally do a lot of things they 
should not be able to do.

As OBSD is focused on security, it makes a lot of sense to me that OBSD would 
at least include the CGI version of PHP in its php-core packages, and 
preferably have a suphp package too.

Now, I realise that suphp is mainly made for linux - but I do think it should 
be ported for OBSD, because, frankly, without it, allowing local users to run 
php scripts on your webserver is a very insecure idea. Lots of people run 
webservers on OBSD (like myself) and we're concerned that OBSD provides no 
obvious way to remedy this exploit-waiting-to-happen.

It'd be consistent with your policy of including suexec to also include suphp. 
I'm trying to go with the OBSD guide's advice and only use the packages, but 
this is difficult when there are (imho) essential tools (and even the things 
they depend on) which aren't available as packages :-(

Suggestions would be very welcome :)
  
Ok, you've convinced me; now my suggestion:  Port it!  We here at 
OpenBSD like to SUAC!  Good luck!

Brandon



Re: OBPkg (Port/Package installer)

2006-03-15 Thread Steffen Wendzel
I just created a new port for this tool. It would be great if some of you
would test it.

You can find the port here:

http://www.doomed-reality.org/files/Projects/obpkg/

I also fixed a script problem.

steffen


-- 
cdp.doomed-reality.org

Phantasie ist wichtiger als Wissen, denn Wissen ist begrenzt.
  -- Einstein



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Will H. Backman

Brandon Mercer wrote:

Anon wrote:


Hello :)

My questions can be summarised as :
1) What is the easiest way to install php in CGI mode on OBSD?
2) Why doesn't OBSD have a package for php that includes the CGI version?
3) Why doesn't OBSD have a suphp package? Is there any special reason?

I ask these questions because suphp (http://www.suphp.net) is a 
program that switches the uid of php scripts run under apache, so they 
run as uid of the script owner instead of uid of the webserver. This 
makes it similar to SuEXEC, a very well known security program that 
does the same thing for perl scripts, and is included in the OBSD 
system. I find it critical to have as a security tool, because without 
it any local user can use php scripts to send mail as 'nobody' or 
'www' - without much in the way of logs, and they can also browse the 
files of other users via scripts... and generally do a lot of things 
they should not be able to do.


As OBSD is focused on security, it makes a lot of sense to me that 
OBSD would at least include the CGI version of PHP in its php-core 
packages, and preferably have a suphp package too.


Now, I realise that suphp is mainly made for linux - but I do think it 
should be ported for OBSD, because, frankly, without it, allowing 
local users to run php scripts on your webserver is a very insecure 
idea. Lots of people run webservers on OBSD (like myself) and we're 
concerned that OBSD provides no obvious way to remedy this 
exploit-waiting-to-happen.


It'd be consistent with your policy of including suexec to also 
include suphp. I'm trying to go with the OBSD guide's advice and only 
use the packages, but this is difficult when there are (imho) 
essential tools (and even the things they depend on) which aren't 
available as packages :-(


Suggestions would be very welcome :)
  


Ok, you've convinced me; now my suggestion:  Port it!  We here at 
OpenBSD like to SUAC!  Good luck!

Brandon



For a program to become other users, it must have root privs.  It must 
be used with caution.  I don't know if there is enough confidence in php 
yet.
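Will's point above (a wrapper that becomes other users has to start as root, so it must be used with caution) is concrete in the checks such a wrapper makes before it switches identity, and in the order of the switch itself. The following is an added example written for this thread, not suphp's, suexec's or OpenBSD's own code. It assumes a document root of /var/www/htdocs and a PHP CLI at /usr/local/bin/php (both placeholders), and that ordinary users have uids and gids of at least 1000 (a threshold assumption; adjust to the system's passwd layout).

```python
"""Added example: the pre-flight checks a suphp/suexec-style wrapper makes
before becoming the script owner, and the order of the privilege drop.
Assumed design, not suphp's own code; paths and thresholds are placeholders."""
import os
import stat
import subprocess

MIN_UID = 1000                   # assumption: ordinary users start here
MIN_GID = 1000                   # lower ids are treated as system accounts
DOCROOT = "/var/www/htdocs"      # placeholder document root
PHP_CLI = "/usr/local/bin/php"   # placeholder interpreter path


def check_script(mode, uid, gid, min_uid=MIN_UID, min_gid=MIN_GID):
    """Return None if a script with this stat data may run as its owner,
    otherwise the reason it must not. Pure function so it can be tested
    without real files."""
    if not stat.S_ISREG(mode):
        return "not a regular file"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"     # anyone could swap the contents
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return "setuid/setgid bit set"
    if uid == 0 or gid == 0:
        return "owned by root"                # the wrapper must never stay root
    if uid < min_uid or gid < min_gid:
        return "owned by a system account"
    return None


def inside(path, root):
    """True if the resolved path lies under the resolved root, so a symlink
    in the document root cannot point the wrapper at someone else's file."""
    real_root = os.path.realpath(root)
    return os.path.realpath(path).startswith(real_root + os.sep)


def target_identity(script, docroot=DOCROOT):
    """Resolve the script, apply the checks, and return the (uid, gid) to become."""
    if not inside(script, docroot):
        raise PermissionError(f"{script}: outside {docroot}")
    st = os.stat(os.path.realpath(script))
    reason = check_script(st.st_mode, st.st_uid, st.st_gid)
    if reason:
        raise PermissionError(f"{script}: {reason}")
    return st.st_uid, st.st_gid


def drop_to(uid, gid):
    """Irreversibly switch identity. Order matters: supplementary groups
    first, then gid, then uid; once uid is no longer 0 the other two calls
    would fail."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # Confirm the drop took effect before anything untrusted runs.
    if (os.getuid(), os.geteuid(), os.getgid()) != (uid, uid, gid):
        raise PermissionError("privilege drop failed")


def run_as_owner(script, docroot=DOCROOT, interpreter=PHP_CLI):
    """Run the script as its owner. The calling wrapper must be root for
    drop_to() to succeed; the child drops privileges before exec."""
    uid, gid = target_identity(script, docroot)
    proc = subprocess.run([interpreter, os.path.realpath(script)],
                          preexec_fn=lambda: drop_to(uid, gid))
    return proc.returncode
```

The refusals are the substance: a wrapper that switches uid without them hands every local user a way to run code as any other account whose script it can reach, which is the same class of problem the thread is trying to close.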




Re: raidFrame creating error: sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28

2006-03-15 Thread Greg Oster
Adam PAPAI writes:
 Hello misc,
 
 I have an IBM xSeries 335 machine with Dual Xeon processor and 2x73GB 
 SCSI Seagate Barracuda 10K rpm disc. I run OpenBSD 3.8 on it.
 
 When I'm creating the raid array (raidctl -iv raid0), I get the 
 following error message:
 
 sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28
  SENSE KEY: Media Error
   INFO: 0x224c10c (VALID flag on)
   ASC/ASCQ: Read Retries Exhausted
   SKSV: Actual Retry Count: 63
 raid0: IO Error.  Marking /dev/sd0d as failed.
 raid0: node (Rod) returned fail, rolling backward
 Unable to verify raid1 parity: can't read stripe.
 Could not verify parity.

Is this early in the initialization or late in the initialization?

Try doing:

 dd if=/dev/rsd0d of=/dev/null bs=10m 

and see if you get the same error message...  

Later...

Greg Oster



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Gaby vanhegan
On 15 Mar 2006, at 21:39, Anon wrote:

 As OBSD is focused on security, it makes a lot of sense to me that  
 OBSD would at least include the CGI version of PHP in its php-core  
 packages, and preferably have a suphp package too.

Ports are provided by the community, not by OpenBSD.  OpenBSD  
provides a great framework for creating ports, but does not create  
the actual ports.

If you want a port, join the ports mailing list on ports@openbsd.org

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/



Re: Security tools

2006-03-15 Thread Joachim Schipper
On Wed, Mar 15, 2006 at 12:31:06PM +, Gaby vanhegan wrote:
 Hi,
 
 I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by  
 some hackers that are using a bug I can't track down to download perl  
 scripts into /tmp:
 
 [EMAIL PROTECTED] 11:26]# cd /tmp/
 [EMAIL PROTECTED] 11:26]# ls -lFa
 total 76
 drwxrwxrwt   2 root wheel512 Mar 15 12:21 ./
 drwxr-xr-x  22 root wheel512 Jun 29  2005 ../
 -rw-r--r--   1 www  wheel  0 Mar 14 22:14 .alekspwned2
 -rw-r--r--   1 www  wheel  0 Mar 14 20:41 .balum
 -rw-r--r--   1 www  wheel  0 Mar 13 22:36 .mladen3
 -rw-r--r--   1 www  wheel321 Mar 14 20:41 alekshah
 -rw-r--r--   1 www  wheel320 Mar 14 20:41 alekshah2
 -rw-r--r--   1 www  wheel   3589 Mar 14 22:14 alekspwned
 -rw-r--r--   1 www  wheel  19309 Mar 14 22:14 alekspwned2
 
 I have lots of suspicious activity in /var/www/log/error_log:
 
0 193090  12220 0   1222  0  0:00:15 --:--:--   
 0:00:15  1222
0 193090  41420 0   4142  0  0:00:04  0:00:01   
 0:00:03  8414
 100 19309  100 193090 0  19309  0  0:00:01  0:00:01  
 --:--:-- 17258  % Total% Received % Xferd  Average Speed
 TimeTime Time  Current
   Dload  Upload   Total   Spent 
 Left  Speed
 
0  35890  12240 0   1224  0  0:00:02 --:--:--   
 0:00:02  1224
 100  3589  100  35890 0   3589  0  0:00:01 --:--:--   
 0:00:01 2309k
 Can't open perl script /tmp/.alekspwned: No such file or  
 directory.Use -S to search $PATH for it.  % Total% Received %  
 Xferd  Average Speed   TimeTime Time  Current
   Dload  Upload   Total   Spent 
 Left  Speed
0  35890  12240 0   1224  0  0:00:02 --:--:--   
 0:00:02  1224
 100  3589  100  35890 0   3589  0  0:00:01 --:--:--   
 0:00:01  384k
 Can't open perl script /tmp/.alekspwned: No such file or  
 directory.Use -S to search $PATH for it.
% Total% Received % Xferd  Average Speed   TimeTime  
 Time  Current Dload  Upload   Total
 SpentLeft  Speed
 
0  35890  12240 0   1224  0  0:00:02 --:--:--   
 0:00:02  1224
 100  3589  100  35890 0   3589  0  0:00:01 --:--:--   
 0:00:01  461k
 
 Amongst other things, quite a few:
 
 Can't open perl script /tmp/.mladen: No such file or directory.Use - 
 S to search $PATH for it.Can't open perl script /tmp/.mladen: No  
 such file or directory.
 Use -S to search $PATH for it.Can't open perl script /tmp/.mladen:  
 No such file or directory.Use -S to search $PATH for it.Can't open  
 perl script /tmp/.mladen: No such file or directory.Use -S to  
 search $PATH for it.
 Can't open perl script /tmp/.mladen2: No such file or directory.Use  
 -S to search $PATH for it.Can't open perl script /tmp/.mladen2: No  
 such file or directory.Use -S to search $PATH for it.
 Can't open perl script /tmp/.mladen2: No such file or directory.Use  
 -S to search $PATH for it.
 Can't open perl script /tmp/.mladen2: No such file or directory.Use  
 -S to search $PATH for it.
 Can't open perl script /tmp/.mladen2: No such file or directory.
 Use -S to search $PATH for it.
 
 I believe they're exploiting a bug in apache to do remote execution  
 of their code, which downloads something to /tmp (usually a script of  
 some sort).  They were previously using wget, so I modified that to  
 log as much information as it could to a file, but this didn't yield  
 anything useful.  Now I see from the logs that they're using ftp and  
 curl to download the files.  
 
 As an intermediate fix, I have mounted /tmp noexec, but this is not  
 an ideal solution, and I don't want to remove ftp and curl.  I have  
 installed snort (from ports) with the latest rules but this has not  
 yielded much useful information.  The latest attack did come up in  
 the snort logs, as a double decoding attack.  I found some data in  
 the downloaded files that corresponded to a payload around the time  
 of the attack.
 
 My questions are:
 
 1. How do I find out their attack vector?  I have had a nessus scan  
 performed on the machine, but it did not present any security (I can  
 supply on request).  I've checked the security releases in  
 security.html and there are no pertinent ones for httpd.  Snort has  
 provided little useful information (I can provide access to the snort  
 logs if required).
 
 2. If I can't stop them getting in, is there any way to observe what  
 they're doing, or how they're doing  it, so I can get a pointer to  
 the hole.
 
 An upgrade is in the works, and right soon too, but I'd really like  
 to know what's going on here.  Some useful links:
 
 Nessus scan: http://vanhegan.net/openbsd/nessus.txt
 dmesg: http://vanhegan.net/openbsd/dmesg.txt
 httpd error_log: http://vanhegan.net/openbsd/error_log
 

Re: Security tools

2006-03-15 Thread Clint M. Sand
On Wed, Mar 15, 2006 at 12:31:06PM +, Gaby vanhegan wrote:
 Hi,
 
 I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by  

snip

 My questions are:
 
 1. How do I find out their attack vector?  I have had a nessus scan  
 performed on the machine, but it did not present any security (I can  
 supply on request).  I've checked the security releases in  
 security.html and there are no pertinent ones for httpd.  Snort has  
 provided little useful information (I can provide access to the snort  
 logs if required).


From http://www.openbsd.org/errata36.html

009: SECURITY FIX: January 12, 2005   All architectures
httpd(8)'s mod_include module fails to properly validate the length of
user supplied tag strings prior to copying them to a local buffer,
causing a buffer overflow.
This would require enabling the XBitHack directive or server-side
includes and making use of a malicious document. 



Re: raidFrame creating error: sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28

2006-03-15 Thread Adam PAPAI

Greg Oster wrote:

Adam PAPAI writes:


Hello misc,

I have an IBM xSeries 335 machine with Dual Xeon processor and 2x73GB 
SCSI Seagate Barracuda 10K rpm discs. I run OpenBSD 3.8 on it.


When I'm creating the raid array (raidctl -iv raid0), I get the 
following error message:


sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28
SENSE KEY: Media Error
 INFO: 0x224c10c (VALID flag on)
 ASC/ASCQ: Read Retries Exhausted
 SKSV: Actual Retry Count: 63
raid0: IO Error.  Marking /dev/sd0d as failed.
raid0: node (Rod) returned fail, rolling backward
Unable to verify raid1 parity: can't read stripe.
Could not verify parity.



Is this early in the initialization or late in the initialization?

Try doing:

 dd if=/dev/rsd0d of=/dev/null bs=10m 

and see if you get the same error message...  



# dd if=/dev/rsd0d of=/dev/null bs=10m
6977+1 records in
6977+1 records out
73160687104 bytes transferred in 1043.771 secs (70092636 bytes/sec)
# dd if=/dev/rsd1d of=/dev/null bs=10m
6977+1 records in
6977+1 records out
73160687104 bytes transferred in 1027.051 secs (71233712 bytes/sec)
#

This means no hdd error.. Then probably the raidFrame has the problem I 
guess..


I have to use /altroot on /dev/sd1a then, or is there a patch for 
raidframe to fix this?




--
Adam PAPAI
D i g i t a l Influence
http://www.digitalinfluence.hu
Phone: +36 30 33-55-735
E-mail: [EMAIL PROTECTED]



Re: raidFrame creating error: sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28

2006-03-15 Thread Greg Oster
Adam PAPAI writes:
 Greg Oster wrote:
  Adam PAPAI writes:
  
 Hello misc,
 
 I have an IBM xSeries 335 machine with Dual Xeon processor and 2x73GB 
 SCSI Seagate Barracuda 10K rpm discs. I run OpenBSD 3.8 on it.
 
 When I'm creating the raid array (raidctl -iv raid0), I get the 
 following error message:
 
 sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28
  SENSE KEY: Media Error
   INFO: 0x224c10c (VALID flag on)
   ASC/ASCQ: Read Retries Exhausted
   SKSV: Actual Retry Count: 63
 raid0: IO Error.  Marking /dev/sd0d as failed.
 raid0: node (Rod) returned fail, rolling backward
 Unable to verify raid1 parity: can't read stripe.
 Could not verify parity.
  
  
  Is this early in the initialization or late in the initialization?
  
  Try doing:
  
   dd if=/dev/rsd0d of=/dev/null bs=10m 
  
  and see if you get the same error message...  
 
 
 # dd if=/dev/rsd0d of=/dev/null bs=10m
 6977+1 records in
 6977+1 records out
 73160687104 bytes transferred in 1043.771 secs (70092636 bytes/sec)
 # dd if=/dev/rsd1d of=/dev/null bs=10m
 6977+1 records in
 6977+1 records out
 73160687104 bytes transferred in 1027.051 secs (71233712 bytes/sec)
 #
 
 This means no hdd error..

Well... no hdd error for this set of reads... Hm  What if you 
push both drives at the same time:

 dd if=/dev/rsd0d of=/dev/null bs=10m 
 dd if=/dev/rsd1d of=/dev/null bs=10m 

?   (Were the drives warm when you did this test, and/or when the 
original media errors were reported?  Does a 'raidctl -iv raid0' work 
now or does it still trigger an error? )

 Then probably the raidFrame has the problem I guess..

RAIDframe doesn't know anything about SCSI controllers or SCSI errors... 
all it knows about are whatever VOP_STRATEGY() happens to return to 
it from the underlying driver... 

 I have to use /altroot on /dev/sd1a then, or is there a patch for 
 raidframe to fix this?

There is no patch for RAIDframe to fix this.  There is either a 
problem with the hardware (most likely), some sort of BIOS 
configuration issue (is it negotiating the right speed for the 
drive?), or (less likely) a mpt driver issue.  Once you figure out 
what the real problem is and fix it, RAIDframe will work just fine :) 

Later...

Greg Oster



Re: HP ProLiant DL 385

2006-03-15 Thread edgarz
As I remember, the only server with Opteron from Fujitsu was the Primergy RX220; 
where did you find one with WC (water cooling)? :)


Stuart Henderson wrote:

On 2006/03/15 15:19, Daniel Ouellet wrote:
Just my own feedback on the DL 145 version. I do not have the DL 385, so 
for that one, I have nothing to say!


DL385 is much better than the DL145 (if you don't need 1U).

Fujitsu-Siemens also have kit which looks good (they tend to use
ami RAID on the SCSI models) - only a few are AMD though (no wonder they
also sell water-cooled racks!).




Re: HP ProLiant DL 385

2006-03-15 Thread Stuart Henderson
On 2006/03/16 01:13, edgarz wrote:
 As I remember, the only server with Opteron from Fujitsu was the Primergy RX220; 
 where did you find one with WC (water cooling)? :)

Just (some of) the racks, not the servers. Anyway this is straying a
bit far from OpenBSD...probably better off-list.



Re: raidFrame creating error: sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28

2006-03-15 Thread Adam PAPAI

Greg Oster wrote:

Adam PAPAI writes:

When I'm creating the raid array (raidctl -iv raid0), I get the 
following error message:


sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28
   SENSE KEY: Media Error
INFO: 0x224c10c (VALID flag on)
ASC/ASCQ: Read Retries Exhausted
SKSV: Actual Retry Count: 63
raid0: IO Error.  Marking /dev/sd0d as failed.
raid0: node (Rod) returned fail, rolling backward
Unable to verify raid1 parity: can't read stripe.
Could not verify parity.




This means no hdd error..



Well... no hdd error for this set of reads... Hm  What if you 
push both drives at the same time:


 dd if=/dev/rsd0d of=/dev/null bs=10m 
 dd if=/dev/rsd1d of=/dev/null bs=10m 

?   (Were the drives warm when you did this test, and/or when the 
original media errors were reported?  Does a 'raidctl -iv raid0' work 
now or does it still trigger an error? )




Then probably the raidFrame has the problem I guess..



RAIDframe doesn't know anything about SCSI controllers or SCSI errors... 
all it knows about are whatever VOP_STRATEGY() happens to return to 
it from the underlying driver... 



I have to use /altroot on /dev/sd1a then, or is there a patch for 
raidframe to fix this?



There is no patch for RAIDframe to fix this.  There is either a 
problem with the hardware (most likely), some sort of BIOS 
configuration issue (is it negotiating the right speed for the 
drive?), or (less likely) a mpt driver issue.  Once you figure out 
what the real problem is and fix it, RAIDframe will work just fine :) 


Later...

Greg Oster



After reboot my dmesg end:

rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
Hosed component: /dev/sd0d.
raid0: Ignoring /dev/sd0d.
raid0: Component /dev/sd1d being configured at row: 0 col: 1
 Row: 0 Column: 1 Num Rows: 1 Num Columns: 2
 Version: 2 Serial Number: 100 Mod Counter: 27
 Clean: No Status: 0
/dev/sd1d is not clean !
raid0 (root)raid0: no disk label
raid0: Error re-writing parity!

dd if=/dev/rsd0d of=/dev/null bs=10m 
dd if=/dev/rsd1d of=/dev/null bs=10m 

was successfully ended.

# raidctl -iv raid0 


Parity Re-Write status:

After this, my dmesg end:

rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
Hosed component: /dev/sd0d.
raid0: Ignoring /dev/sd0d.
raid0: Component /dev/sd1d being configured at row: 0 col: 1
 Row: 0 Column: 1 Num Rows: 1 Num Columns: 2
 Version: 2 Serial Number: 100 Mod Counter: 27
 Clean: No Status: 0
/dev/sd1d is not clean !
raid0 (root)raid0: no disk label
raid0: Error re-writing parity!
raid0: no disk label
raid0: Error re-writing parity!

This is the same with the 36GB and 73GB as well.

What else should I check?

--
Adam PAPAI
D i g i t a l Influence
http://www.digitalinfluence.hu
Phone: +36 30 33-55-735
E-mail: [EMAIL PROTECTED]



Re: HP ProLiant DL 385

2006-03-15 Thread edgarz

Daniel Ouellet wrote:

Just my own feedback on this.

I have both the DL 145 & DL 145 G2. The first generation was much better, 
to the point that I am looking at alternatives to the G2 version.


I got the IBM 326m and I have to say each day makes me wonder why I got 
the HP to start with.

Is RAID mode working or not?



So far the IBM beat the new G2 of HP all across the board.

Just my own feedback on the DL 145 version. I do not have the DL 385, so 
for that one, I have nothing to say!


Regards,

Daniel




Re: raidFrame creating error: sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28

2006-03-15 Thread Greg Oster
Adam PAPAI writes:
 After reboot my dmesg end:
 
 rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
 Hosed component: /dev/sd0d.
 raid0: Ignoring /dev/sd0d.
 raid0: Component /dev/sd1d being configured at row: 0 col: 1
   Row: 0 Column: 1 Num Rows: 1 Num Columns: 2
   Version: 2 Serial Number: 100 Mod Counter: 27
   Clean: No Status: 0
 /dev/sd1d is not clean !
 raid0 (root)raid0: no disk label
 raid0: Error re-writing parity!
 
 dd if=/dev/rsd0d of=/dev/null bs=10m 
 dd if=/dev/rsd1d of=/dev/null bs=10m 
 
 was successfully ended.
 
 # raidctl -iv raid0 

What does 'raidctl -s raid0' say?  It probably says that 'sd0d' is 
failed.  You can't initialize parity with 'raidctl -iv' on a set with 
a failed component.  You can do 'raidctl -vR /dev/sd1d raid0' to get 
it to reconstruct back onto the failed component.  After that you can 
do a 'raidctl -iv' (though by that point it's strictly not necessary).

Later...

Greg Oster
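
A small checker for the procedure Greg describes above, added here as an
example; it is not code from the thread or from raidctl(8). It parses the
output of 'raidctl -s' and says whether the next step is 'raidctl -vR' on
the failed component or 'raidctl -iv'. The sample output is constructed, and
the assumed layout (component '<device>: <status>' lines under a line ending
in 'Components:', plus a 'Parity status:' line) must be checked against a real
system before the parser is trusted.

```python
"""Work out the next raidctl step from 'raidctl -s' output, following the
advice in the thread: a failed component has to be reconstructed with
'raidctl -vR' before parity can be initialised with 'raidctl -iv'.

Added example; not code from the thread or from raidctl(8). ASSUMPTION:
raidctl -s lists each component as '<device>: <status>' under a line
ending in 'Components:' and reports parity as 'Parity status: ...'.
Verify the layout against your own system before trusting the parser.
"""
import re
from typing import Dict, List, Optional, Tuple

COMPONENT_RE = re.compile(r"^\s*(/dev/\S+):\s+(\w+)\s*$")
PARITY_RE = re.compile(r"^Parity status:\s*(\w+)", re.IGNORECASE)


def parse_raidctl_status(text: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Return ({component: status}, parity_state), both lower-cased."""
    components: Dict[str, str] = {}
    parity = None
    in_components = False
    for line in text.splitlines():
        if line.rstrip().endswith("Components:"):
            in_components = True
            continue
        if in_components:
            m = COMPONENT_RE.match(line)
            if m:
                components[m.group(1)] = m.group(2).lower()
                continue
            in_components = False      # first non-component line ends the list
        m = PARITY_RE.match(line)
        if m:
            parity = m.group(1).lower()
    return components, parity


def next_action(components: Dict[str, str],
                parity: Optional[str]) -> Tuple[str, List[str]]:
    """Return (action, devices). 'reconstruct' means 'raidctl -vR <dev> raidN'
    for each listed device; 'rewrite-parity' means 'raidctl -iv raidN';
    'ok' means nothing to do. Reconstruction rewrites the component but does
    not repair bad media: a disk that reported a Media Error still needs to
    be checked, as Greg points out later in the thread."""
    failed = sorted(dev for dev, st in components.items() if st == "failed")
    if failed:
        return "reconstruct", failed
    if parity != "clean":
        return "rewrite-parity", []
    return "ok", []


def plan(text: str) -> Tuple[str, List[str]]:
    """Parse raidctl -s output and return the recommended next action."""
    return next_action(*parse_raidctl_status(text))


# Constructed sample modelled on the set in the thread after sd0d was
# marked failed (layout assumed, see the module docstring).
SAMPLE_FAILED = """\
raid0 Components:
           /dev/sd0d: failed
           /dev/sd1d: optimal
No spares.
Component label for /dev/sd1d:
   Row: 0, Column: 1, Num Rows: 1, Num Columns: 2
   Version: 2, Serial Number: 100, Mod Counter: 27
   Clean: No, Status: 0
Parity status: DIRTY
Reconstruction is 100% complete.
Parity Re-write is 100% complete.
"""

# Constructed sample of a healthy mirror.
SAMPLE_HEALTHY = """\
raid0 Components:
           /dev/sd0d: optimal
           /dev/sd1d: optimal
No spares.
Parity status: clean
"""

if __name__ == "__main__":
    for name, text in (("failed", SAMPLE_FAILED), ("healthy", SAMPLE_HEALTHY)):
        print(name, "->", plan(text))
```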



chflag operation not permitted

2006-03-15 Thread Jinxi Cheng
Hi, I'm getting operation not permitted when I do this:

# chflags -R schg /bin
chflags: /bin/chmod: Operation not permitted
chflags: /bin/md5: Operation not permitted
chflags: /bin/mt: Operation not permitted
chflags: /bin/pax: Operation not permitted
chflags: /bin/rksh: Operation not permitted
chflags: /bin/rmd160: Operation not permitted
..


I'm at security level 1

thank you in advance
--
Jinxi Cheng,



Re: raidFrame creating error: sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28

2006-03-15 Thread Adam PAPAI

Greg Oster wrote:

Adam PAPAI writes:


After reboot my dmesg end:

rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
Hosed component: /dev/sd0d.
raid0: Ignoring /dev/sd0d.
raid0: Component /dev/sd1d being configured at row: 0 col: 1
 Row: 0 Column: 1 Num Rows: 1 Num Columns: 2
 Version: 2 Serial Number: 100 Mod Counter: 27
 Clean: No Status: 0
/dev/sd1d is not clean !
raid0 (root)raid0: no disk label
raid0: Error re-writing parity!

dd if=/dev/rsd0d of=/dev/null bs=10m 
dd if=/dev/rsd1d of=/dev/null bs=10m 

was successfully ended.

# raidctl -iv raid0 



What does 'raidctl -s raid0' say?  It probably says that 'sd0d' is 
failed.  You can't initialize parity with 'raidctl -iv' on a set with 
a failed component.  You can do 'raidctl -vR /dev/sd1d raid0' to get 
it to reconstruct back onto the failed component.  After that you can 
do a 'raidctl -iv' (though by that point it's strictly not necessary).


Interesting. I tried 3 full reinstalls and raidctl -iv raid0 failed every 
time, but raidctl -vR /dev/sd0d solved the problem.


But why? Will it be good from now? I'm afraid the raid will collapse 
again. I hope not.


I'm going to continue the setup on my server. Thanks anyway. I hope I 
won't get more errors...



--
Adam PAPAI
D i g i t a l Influence
http://www.digitalinfluence.hu
Phone: +36 30 33-55-735
E-mail: [EMAIL PROTECTED]



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Chris Alatakis

Anon wrote:

Hello :)



My questions can be summarised as :

1) What is the easiest way to install php in CGI mode on OBSD?
  
PHP in CGI mode makes no sense. PHP is beloved for its speed compared to 
Perl, for example, which is a powerful alternative.
We are not going to discuss Perl vs PHP here at misc, so live with it or 
change to Perl. PHP CGI is buggy, slow, and has many problems 
accomplishing some tasks that are trivial otherwise.






2) Why doesn't OBSD have a package for php that includes the CGI version?
  
Not ported, as others told you. I don't think there are many that go 
this way, so probably there is no need.

3) Why doesn't OBSD have a suphp package? Is there any special reason?
  
Not ported. I think it is crap. My opinion: I cannot trust a uid 0 program 
in my chrooted apache to provide security and have it help others maybe 
break out of the jail.



I ask these questions because suphp (http://www.suphp.net) is a program that 
switches the uid of php scripts run under apache, so they run as uid of the 
script owner instead of uid of the webserver. This makes it similar to SuEXEC, 
a very well known security program that does the same thing for perl scripts, 
and is included in the OBSD system. I find it critical to have as a security 
tool, because without it any local user can use php scripts to send mail as 
'nobody' or 'www' - without much in the way of logs, and they can also browse 
the files of other users via scripts... and generally do a lot of things they 
should not be able to do.
  


I trust my chrooted apache environment on openbsd much more than the 
suphp package.



As OBSD is focused on security, it makes a lot of sense to me that OBSD would 
at least include the CGI version of PHP in its php-core packages, and 
preferably have a suphp package too.

  
That's why apache is chrooted by default in OpenBSD, in opposition to a Linux 
system that uses suphp or cgi but is insecure in most cases and by default.


Now, I realise that suphp is mainly made for linux - but I do think it should 
be ported for OBSD, because, frankly, without it, allowing local users to run 
php scripts on your webserver is a very insecure idea. Lots of people run 
webservers on OBSD (like myself) and we're concerned that OBSD provides no 
obvious way to remedy this exploit-waiting-to-happen.
  
Having mini_sendmail for mail and no shell executables in /var/www, as is 
the default, or having only some mandatory safe sh script, is the secure way 
to go.



It'd be consistent with your policy of including suexec to also include suphp. 
I'm trying to go with the OBSD guide's advice and only use the packages, but 
this is difficult when there are (imho) essential tools (and even the things 
they depend on) which aren't available as packages :-(



  

Good luck

Suggestions would be very welcome :)



  

-Chris



Re: raidFrame creating error: sd0(mpt0:0:0): Check Condition (error 0x70) on opcode 0x28

2006-03-15 Thread Greg Oster
Adam PAPAI writes:
 Greg Oster wrote:
  Adam PAPAI writes:
  
 After reboot my dmesg end:
 
 rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
 Hosed component: /dev/sd0d.
 raid0: Ignoring /dev/sd0d.
 raid0: Component /dev/sd1d being configured at row: 0 col: 1
   Row: 0 Column: 1 Num Rows: 1 Num Columns: 2
   Version: 2 Serial Number: 100 Mod Counter: 27
   Clean: No Status: 0
 /dev/sd1d is not clean !
 raid0 (root)raid0: no disk label
 raid0: Error re-writing parity!
 
 dd if=/dev/rsd0d of=/dev/null bs=10m 
 dd if=/dev/rsd1d of=/dev/null bs=10m 
 
 was successfully ended.
 
 # raidctl -iv raid0 
  
  
  What does 'raidctl -s raid0' say?  It probably says that 'sd0d' is 
  failed.  You can't initialize parity with 'raidctl -iv' on a set with 
  a failed component.  You can do 'raidctl -vR /dev/sd1d raid0' to get 
  it to reconstruct back onto the failed component.  After that you can 
  do a 'raidctl -iv' (though by that point it's strictly not necessary).
 
 Interesting. I tried 3 full reinstalls and raidctl -iv raid0 failed every 
 time, but raidctl -vR /dev/sd0d solved the problem.
 
 But why?

It didn't solve the Media Error... the Media Error just didn't 
show up again.

 Will it be good from now? 

If I had to pick from one of Yes or No, I'd pick No.

 I'm afraid the raid will collapse again. I hope not.
 
 I'm going to continue the setup on my server. Thanks anyway. I hope I 
 won't get more errors...

I hope so too... but nothing in 'raidctl -vR' really fixes media 
errors...  (Since 'raidctl -R' is going to write to sd0, it's possible 
that the drive has now re-mapped whatever bad block was on sd0, and 
sd0 may work fine now... but it's unusual to see the same error on 
2 different drives... makes me maybe suspect cabling too..)

Later...

Greg Oster



Strange carp issues

2006-03-15 Thread Steven S
I have two firewalls (FW1 & FW2) with multiple carp interfaces on an
external interface (carp1, carp12, carp14, carp15, carp16, carp17, carp18,
carp19, carp20).  FW1 has all carp interfaces set with advbase 1 advskew 0
and FW2 has all carp interfaces with advbase 1 advskew 180.  Frequently FW2
thinks it is the master for some of the carp interfaces.  Here is a tcpdump
(-ni fxp0 proto carp) from FW2.  As you can see, even though FW2 sees the
advertisement for carp16, carp17, carp18, carp19 and carp20 from FW1 it
sometimes takes over as master for those interfaces and advertises.  To find
these events look for advskew=180 in the tcpdump below.

The event at 19:19:05.023848 seemed to be from lost packets.  The event at
19:19:10.013844 is very odd since FW2 saw the carp20 advertisement from FW1
at 19:19:09.07.  This should be enough time for a failover, shouldn't it?

Any pointers would be appreciated (relevant pf rules below.)

-Steve S.

19:19:02.290779 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.290807 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.290828 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.290849 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.290869 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.290887 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.290914 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.290936 CARPv2-advertise 36: vhid=19 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.290957 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.890823 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.890849 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.890871 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.890892 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.890912 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.890933 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.890962 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.890986 CARPv2-advertise 36: vhid=19 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:02.891010 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880791 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880818 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880839 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880860 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880881 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880901 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880932 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880955 CARPv2-advertise 36: vhid=19 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880979 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.023848 CARPv2-advertise 36: vhid=17 advbase=1 advskew=180 (DF) [tos
0x10]
19:19:05.024936 CARPv2-advertise 36: vhid=18 advbase=1 advskew=180 (DF) [tos
0x10]
19:19:05.026003 CARPv2-advertise 36: vhid=19 advbase=1 advskew=180 (DF) [tos
0x10]
19:19:05.027069 CARPv2-advertise 36: vhid=20 advbase=1 advskew=180 (DF) [tos
0x10]
19:19:05.341023 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.341047 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.341068 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.341088 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.341109 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.341129 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.341154 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.341176 CARPv2-advertise 36: vhid=19 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.341199 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.295736 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.295760 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.295782 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.295802 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.295822 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.297299 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.297318 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.297335 CARPv2-advertise 36: vhid=19 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.297352 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.900831 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos

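An added example, not part of Steve's post, that automates the check he does
by eye: it parses tcpdump 'proto carp' lines and, for every advertisement
carrying the backup's advskew, measures how long it has been since the master
last advertised that vhid and compares that with the backup's master-down
timeout. The timeout formula 3*advbase + advskew/256 seconds is an assumption
taken from the OpenBSD carp implementation as understood here, and the sample
lines are constructed from timestamps in the post with the wrapping removed.

```python
"""Flag CARP backup advertisements that arrive before the master-down
timeout could have expired (the symptom described in the post above).

Added example; not code from the original post. ASSUMPTION: a backup
declares the master dead after 3 * advbase + advskew / 256 seconds
(its own advbase/advskew), as in the OpenBSD carp implementation as
understood here. Check carp(4) / sys/netinet/ip_carp.c for your release.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One advertisement as printed by 'tcpdump -ni fxp0 proto carp', with the
# wrapped '[tos 0x10]' tail joined back onto the line.
ADVERT_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)


@dataclass
class Advert:
    t: float        # seconds since midnight, capture-local time
    vhid: int
    advbase: int
    advskew: int


def parse_adverts(lines) -> List[Advert]:
    """Parse tcpdump lines; lines that are not CARP advertisements are skipped."""
    adverts = []
    for line in lines:
        m = ADVERT_RE.match(line.strip())
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
            adverts.append(Advert(t, int(m["vhid"]), int(m["advbase"]),
                                  int(m["advskew"])))
    return adverts


def master_down_timeout(advbase: int, advskew: int) -> float:
    """Seconds a backup waits without a master advertisement (assumption above)."""
    return 3 * advbase + advskew / 256.0


def classify_takeovers(adverts: List[Advert], master_skew: int = 0
                       ) -> List[Tuple[float, int, Optional[float], str]]:
    """For every advertisement not sent by the master (advskew != master_skew)
    return (time, vhid, gap_since_last_master_advert, verdict) where verdict is
    'premature' (gap shorter than the backup's timeout), 'expected'
    (master really was silent long enough) or 'unknown' (no earlier master
    advertisement for that vhid in the capture)."""
    last_master = {}
    result = []
    for a in adverts:
        if a.advskew == master_skew:
            last_master[a.vhid] = a.t
            continue
        timeout = master_down_timeout(a.advbase, a.advskew)
        seen = last_master.get(a.vhid)
        if seen is None:
            result.append((a.t, a.vhid, None, "unknown"))
            continue
        gap = a.t - seen
        verdict = "premature" if gap < timeout else "expected"
        result.append((a.t, a.vhid, gap, verdict))
    return result


# Constructed sample: the master (advskew=0) advertises at 19:19:03.88, then
# the backup (advskew=180) speaks up for vhid 17 only 1.14 s later, well
# inside its 3.70 s timeout; vhid 20 is a legitimate takeover, vhid 19 has
# no earlier master advertisement in the capture.
SAMPLE = """\
19:19:03.880901 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos 0x10]
19:19:03.880979 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos 0x10]
19:19:05.023848 CARPv2-advertise 36: vhid=17 advbase=1 advskew=180 (DF) [tos 0x10]
19:19:09.500000 CARPv2-advertise 36: vhid=20 advbase=1 advskew=180 (DF) [tos 0x10]
19:19:09.600000 CARPv2-advertise 36: vhid=19 advbase=1 advskew=180 (DF) [tos 0x10]
"""


def report(text: str = SAMPLE) -> List[Tuple[float, int, Optional[float], str]]:
    """Run the classifier over a tcpdump text dump."""
    return classify_takeovers(parse_adverts(text.splitlines()))


if __name__ == "__main__":
    for t, vhid, gap, verdict in report():
        gap_s = "n/a" if gap is None else f"{gap:.3f}s"
        print(f"t={t:.6f} vhid={vhid} gap={gap_s} -> {verdict}")
```

Feed it the full capture (with the wrapped '[tos' / '0x10]' lines joined) and
every 'premature' line is a takeover the backup should not have made.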
can't mount_ntfs on svnd

2006-03-15 Thread Stephen Takacs
I have a 1 GiB win2k/ntfs disk image that was created with qemu, using
the default raw image format (it's exactly what you would get if you
copied the data from a physical disk partition to the file).

The OS inside the image is Windows 2000 Server 5.00.2195, with the NTFS
partition marked as type 'Basic', and correctly offset by 63 sectors
from the start of the disk image.  For some reason, disklabel reports
the filesystem type as unknown.

The disk image is good, as qemu is able to boot it.  It's also possible
to boot qemu with a knoppix ISO and then do a mount -r -t ntfs
/dev/hda1 /mnt to access the emulated disk partition.

Trying to mount the filesystem in OpenBSD (outside of qemu) doesn't work:
$ sudo vnconfig -vc svnd1c win2k.img
svnd1c: 1073741824 bytes on win2k.img
$ sudo mount -r -t ntfs /dev/svnd1i /mnt
mount_ntfs: /dev/svnd1i on /mnt: Operation not supported
(I also tried to mount svnd1c just in case)

Here's the fdisk, disklabel and dmesg:

$ sudo fdisk svnd1c
fdisk: sysctl(machdep.bios.diskinfo): Device not configured
Disk: svnd1c       geometry: 20971/1/100 [2097152 Sectors]
Offset: 0   Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
------------------------------------------------------------------------
*0: 07    0   0 64 - 20946   0 24 [          63:     2094561 ] HPFS/QNX/AUX
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 3: 00    0   0  0 -    0   0  0 [           0:           0 ] unused

$ sudo disklabel svnd1c
disklabel: warning, DOS partition table with no valid OpenBSD partition
# /dev/rsvnd1c:
type: SCSI
disk: vnd device
label: fictitious
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 20971
total sectors: 2097152
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  c:       2097152             0  unused      0     0      # Cyl     0 - 20971*
  i:       2094561            63 unknown                   # Cyl     0*- 20946*

$ dmesg
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Mobile AMD Sempron(tm) Processor 3000+ (AuthenticAMD 686-class, 128KB 
L2 cache) 1.80 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
cpu0: AMD Powernow: FID VID TTP TM STC
real mem  = 501784576 (490024K)
avail mem = 450740224 (440176K)
using 4278 buffers containing 25190400 bytes (24600K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(39) BIOS, date 08/24/05, BIOS32 rev. 0 @ 0xfd5f0
pcibios0 at bios0: rev 2.1 @ 0xfd5f0/0xa10
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdd30/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (SIS 85C503 System rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc000 0xdc000/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 SIS 760 PCI rev 0x03
ppb0 at pci0 dev 1 function 0 SIS 86C202 VGA rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 SIS 6330 VGA rev 0x00: aperture at 0xe800, 
size 0x40
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 SIS 85C503 System rev 0x25
pciide0 at pci0 dev 2 function 5 SIS 5513 EIDE rev 0x00: 760: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: IC25N060ATMR04-0
wd0: 16-sector PIO, LBA48, 57231MB, 117210240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: Slimtype, COMBO SOSC-2483K, KCK2 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
SIS 7013 Modem rev 0xa0 at pci0 dev 2 function 6 not configured
auich0 at pci0 dev 2 function 7 SIS 7012 AC97 rev 0xa0: irq 5, SiS7012 AC97
ac97: codec id 0x414c4770 (Avance Logic ALC203)
ac97: codec features headphone, 20 bit DAC, 18 bit ADC, No 3D Stereo
audio0 at auich0
ohci0 at pci0 dev 3 function 0 SIS 5597/5598 USB rev 0x0f: irq 9, version 
1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: SIS OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci0 dev 3 function 1 SIS 5597/5598 USB rev 0x0f: irq 11, version 
1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: SIS OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
ehci0 at pci0 dev 3 function 2 SIS 7002 USB rev 0x00: irq 10
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: SIS EHCI root hub, rev 2.00/1.00, 

Netbeans on jdk-5 OpenBSD

2006-03-15 Thread Edd Barrett
Hello all,

Soon I am required to write some Java GUIs using netbeans for my university
degree, so I have jumped ahead of the game and downloaded it and got it
running on OpenBSD using kurt's port of jdk-5 (many thanks ;) ). However
unfortunately there appears to be some kind of display error / character
encoding issue in the compile window.

http://arameus.net/users/edd/dump/nb.jpg

I have tried all sorts of combinations of LC_ALL and LANG, but no cigar.
Also I tried the --locale switch of netbeans itself and changing fonts in
options & settings.

Any Ideas?

Thanks in advance

Edd



Re: chflag operation not permitted

2006-03-15 Thread Darrin Chandler

Jinxi Cheng wrote:


Hi, I'm getting operation not permitted when I do this:

# chflags -R schg /bin
chflags: /bin/chmod: Operation not permitted
chflags: /bin/md5: Operation not permitted
chflags: /bin/mt: Operation not permitted
chflags: /bin/pax: Operation not permitted
chflags: /bin/rksh: Operation not permitted
chflags: /bin/rmd160: Operation not permitted
..


I'm at security level 1

thank you in advance
--
Jinxi Cheng,
 



Er, man chflags(1) tells you that superuser-only settable flags may be 
set at any time but only cleared at securelevel 0 or -1.


--
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Adam
On Thu, 16 Mar 2006 00:20:23 +0100 Chris Alatakis [EMAIL PROTECTED]
wrote:

 Anon wrote:
  Hello :)
 
 
 
  My questions can be summarised as :
 
  1) What is the easiest way to install php in CGI mode on OBSD?

 PHP in CGI mode makes no sense. PHP is beloved for its speed compared
 to Perl, for example, which is a powerful alternative.
 We are not going to discuss Perl vs PHP here at misc, so live
 with it or change to Perl. PHP CGI is buggy, slow, and has many
 problems accomplishing some tasks that are trivial otherwise.

This is of course complete nonsense.  PHP may be beloved by some
people, but it has nothing to do with speed.  Running PHP as a CGI is
simple and has no buggy problems or anything else.  It's just like
running perl as a CGI instead of using mod_perl, or python as a CGI
instead of mod_python.

  2) Why doesn't OBSD have a package for php that includes the CGI
  version? 
 Not ported, as others told you. I don't think there are many that
 go this way, so probably there is no need.

Uh, it's enabled if you installed it through ports/packages.  Just stick
#!/usr/local/bin/php up at the top of your script, and you have a PHP
cgi script just like you would with any other language.

Adam



Re: Here we go - more nonesence out changein things (was: Reminder about the X Aperture)

2006-03-15 Thread J.C. Roberts
On Wed, 15 Mar 2006 08:11:49 -0600, Chris [EMAIL PROTECTED] wrote:

Andrew Ng wrote:
 The current slogan for 3.8 is Free, Functional & Secure. My opinion
 is that it presents the project goals well in 4 simple words. It is not
 boastful, remember Nothing is Impossible, or aims to create false
 belief/concept. We have our fair share of those, just switch on your TV.
 
 Theo and others did and are still doing a great job in sticking to the
 project goals. Didn't know how the Secure By Default phrase came
 about, I do agree that it can be misleading for your case. You could
 refer your mother or nontechnical friends to the Project Goals page(not
 too long, 2 pages on my system). Also, I believe Theo and others would
 give it some consideration if you can come up with a better slogan.

Last I recall - Secure by Default was based on a default installation. 
And if I recall, it's stated on the site.  If users can't take the time 
to read what's here - they should not run something as complex as ANY Unix.

So, why is everyone out to change everything and anything about the BSD's?

First it was NetBSD and its logo, then FreeBSD went and did something 
likewise, now we have this nimrod suggesting to someone that he/she 
ought to come up with a new slogan - and that project would do well to 
consider it?!

If the project team feels things are great as is, leave it alone. 
Besides, don't you have more to do with your life than to start some 
crusade about nothing that needs to be changed?

Life calls - you should answer mate.

Regards,

Chris


Chris,

Looking at things critically and trying to understand all the
implications is THE process which leads to correctness, quality and
new improvements. The process itself is a challenge and it takes effort
but it is the best way to try making things better.

Personally, I find rising to the challenge of trying to make things
better is a very rewarding way to live. The only trouble with questioning
the status quo is running into people who are resistant to change and
prefer to make personal attacks rather than even look at the possibility
of a problem.

You are entitled to think as you please and consider a question to be a
crusade about nothing that needs to be changed
but you'll never know for sure until you try looking at it critically
and try to understand all the implications.

I know what you mean about the annoyance of folks always trying to
change things in the BSD's but take a step back for a moment. Try to see
the other side and try to see the process involved.

kind regards,
jcr



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Chris Alatakis

Adam wrote:

PHP in CGI mode makes no sense. PHP is beloved for its speed against
Perl, for example, which is a powerful alternative.
We are not going to discuss Perl vs PHP here at misc, so live
with it or change to Perl. PHP CGI is buggy, slow and has many
problems accomplishing some tasks that are trivial otherwise.



This is of course complete nonsense.  PHP may be beloved by some
people, but it has nothing to do with speed.  Running PHP as a CGI is
simple and has no buggy problems or anything else.  It's just like
running perl as a CGI instead of using mod_perl, or python as a CGI
instead of mod_python.
  

I have tried it and PHP as a module is significantly faster than as CGI.
And the second is even faster if it is compiled directly into Apache and not as 
a module.
As for the buggy problems, maybe I wasn't clear. Most people using PHP use 
scripts already written, and there are problems getting these scripts to 
function, as some paths and settings must be altered if you use PHP as CGI.





2) Why doesn't OBSD have a package for php that includes the CGI
version? 
  

Not ported, as others told you. I don't think there are many that
go this way, so probably there is no need.



Uh, it's enabled if you installed it through ports/packages.  Just stick
#!/usr/local/bin/php up at the top of your script, and you have a PHP
cgi script just like you would with any other language.

  
There is no /usr/local/bin/php executable in the default chrooted OpenBSD 
PHP install, or am I blind?
If you are speaking of moving /usr/local/bin/php to /var/www, that 
was the whole point: security.


Anyway, I have used PHP for many years in a production environment as an Apache module. 
I have tried the CGI thing; my opinion is just that it is a second option for 
Apache and I see no reason to do it in OpenBSD.



Adam


  

Do not cc me I hate that.
-Chris



Re: php in cgi mode suphp missing(?) from packages

2006-03-15 Thread Adam
On Thu, 16 Mar 2006 03:05:49 +0100 Chris Alatakis [EMAIL PROTECTED]
wrote:

 Adam wrote:
  PHP in CGI mode makes no sense. PHP is beloved for its speed against
  Perl, for example, which is a powerful alternative.
  We are not going to discuss Perl vs PHP here at misc, so live
  with it or change to Perl. PHP CGI is buggy, slow and has many
  problems accomplishing some tasks that are trivial otherwise.
  
 
  This is of course complete nonsense.  PHP may be beloved by some
  people, but it has nothing to do with speed.  Running PHP as a CGI
  is simple and has no buggy problems or anything else.  It's just like
  running perl as a CGI instead of using mod_perl, or python as a CGI
  instead of mod_python.

 I have tried it and PHP as a module is significantly faster than as CGI.
 And the second is even faster if it is compiled directly into Apache and not
 as a module.

Of course it is slow as a CGI.  What does that have to do with
anything?  Perl is slow as a CGI too, that's what mod_perl is for.
None of that is relevant though, he wanted to know how to use PHP as a
CGI, not whether you think it's fast enough for him or not without even
knowing what he's doing.

 There is no /usr/local/bin/php executable in the default chrooted OpenBSD 
 PHP install, or am I blind?
 If you are speaking of moving /usr/local/bin/php to /var/www,
 that was the whole point: security.

Yes, there is a /usr/local/bin/php executable when you install the PHP
package.  Of course you have to either move it into the chroot (along
with any dependencies) or disable chroot.  Same as with running CGIs
of any other interpreted language.  And he wasn't asking about security,
he was asking about running PHP without users being able to read each
other's database username/passwords.  Sometimes you have to trade away
some security to actually accomplish something. You could be more
secure by removing your network connections, but it's not very helpful
if you want network access.

 Anyway, I have used PHP for many years in a production environment as an Apache
 module. I have tried the CGI thing; my opinion is just that it is a second
 option for Apache and I see no reason to do it in OpenBSD.

And because you don't see the obvious use for something, that means
there is no use?

 Do not cc me I hate that.
 -Chris

Do not tell me not to cc you I hate that.

Adam
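
Getting the interpreter into the chroot, which Adam's reply covers in one sentence, is the part people get wrong: the binary alone is not enough, every shared library ldd(1) lists plus the dynamic linker has to be copied below /var/www at the same paths, with file modes preserved. The script below is an added example, not anything posted in the thread and not part of OpenBSD's php package. LDD_SAMPLE is constructed in the shape of OpenBSD ldd output with made-up library versions; on a real box the output of `ldd /usr/local/bin/php` goes in instead. stage_demo() runs the whole flow against a throwaway directory tree so it can be exercised anywhere.

```python
"""Stage an interpreter and its shared libraries into Apache's chroot, which
is what running PHP as a CGI inside OpenBSD's chrooted httpd requires.

Added example, not from the thread. LDD_SAMPLE is constructed in the shape
of OpenBSD ldd(1) output (columns Start End Type Open Ref GrpRef Name); the
library names and versions in it are made up. Feed the real
`ldd /usr/local/bin/php` output instead.
"""
import os
import shutil
import tempfile

LDD_SAMPLE = """\
/usr/local/bin/php:
        Start    End      Type  Open Ref GrpRef Name
        00000000 00000000 exe   1    0   0      /usr/local/bin/php
        00000000 00000000 rlib  0    1   0      /usr/local/lib/libxml2.so.9.0
        00000000 00000000 rlib  0    1   0      /usr/lib/libz.so.4.1
        00000000 00000000 rlib  0    1   0      /usr/lib/libm.so.2.3
        00000000 00000000 rlib  0    1   0      /usr/lib/libc.so.39.0
        00000000 00000000 rtld  0    1   0      /usr/libexec/ld.so
"""

# Row types naming a file the chroot must contain: the binary (exe), libraries
# it links against (rlib), libraries it dlopens (dlib) and the dynamic linker
# (printed as rtld in older releases, ld.so in newer ones).
NEEDED_TYPES = {"exe", "rlib", "dlib", "rtld", "ld.so"}


def files_from_ldd(ldd_output: str) -> list:
    """Absolute paths named in ldd output, binary first, duplicates dropped."""
    files = []
    for line in ldd_output.splitlines():
        cols = line.split()
        if len(cols) == 7 and cols[2] in NEEDED_TYPES and cols[6].startswith("/"):
            if cols[6] not in files:
                files.append(cols[6])
    return files


def stage_into_chroot(chroot: str, files: list, src_root: str = "/") -> list:
    """Copy each file to the same path below `chroot`, creating directories.
    `src_root` lets the demo read from a fake tree instead of the live system.
    Returns the destination paths written."""
    written = []
    for path in files:
        rel = path.lstrip("/")
        dst = os.path.join(chroot, rel)
        os.makedirs(os.path.dirname(dst), mode=0o755, exist_ok=True)
        shutil.copy2(os.path.join(src_root, rel), dst)   # copy2 keeps mode bits
        written.append(dst)
    return written


def missing_in_chroot(chroot: str, files: list) -> list:
    """The check to run afterwards: anything listed here is still absent."""
    return [p for p in files
            if not os.path.exists(os.path.join(chroot, p.lstrip("/")))]


def stage_demo(workdir: str = None) -> dict:
    """Build a fake source tree from LDD_SAMPLE, stage it into a fake chroot
    and report the outcome. Uses a temporary directory unless one is given."""
    workdir = workdir or tempfile.mkdtemp(prefix="chroot-demo-")
    src_root = os.path.join(workdir, "src")
    chroot = os.path.join(workdir, "var", "www")
    files = files_from_ldd(LDD_SAMPLE)
    for path in files:                      # placeholders standing in for the real files
        fake = os.path.join(src_root, path.lstrip("/"))
        os.makedirs(os.path.dirname(fake), exist_ok=True)
        with open(fake, "wb") as fh:
            fh.write(b"ELF-placeholder")
    before = missing_in_chroot(chroot, files)
    written = stage_into_chroot(chroot, files, src_root=src_root)
    after = missing_in_chroot(chroot, files)
    shutil.rmtree(workdir)
    return {"files": files, "missing_before": before,
            "written": written, "missing_after": after}


if __name__ == "__main__":
    for f in files_from_ldd(LDD_SAMPLE):
        print("copy into /var/www:", f)
```

Two things the copies cost you: anything staged into /var/www is reachable from a compromised httpd, so stage only what ldd names and nothing more; and pkg_add will not refresh the copies, so the staging has to be repeated after every upgrade of php or libc, with missing_in_chroot() (or a checksum comparison) showing what drifted.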



Re: HP ProLiant DL 385

2006-03-15 Thread Daniel Ouellet

edgarz wrote:
I got the IBM 326m and I have to say each day makes me wonder why I got 
the HP to start with.

RAID mode is working or no?


Last answer I got on that one was:

To answer your question. Don't create any kind of logical volume
(RAID0/1), just use the physical disks. In short, IM (integrated
mirroring) is _not_ supported. It is, however, being worked on.

My e326m/SCSI survived several bonnie/iogen disk tests without a
hitch. So it should be stable.

So, no integrated mirror yet, but the scsi works however.

That was 5 weeks ago.



/var/log/pflog empty

2006-03-15 Thread Rod.. Whitworth
I have about a dozen OpenBSD firewalls out there and most of them are
pretty minimal having a NATted LAN and the only traffic allowed in
(other than replies to outbound) is ssh.

The pf.confs are pretty much modifications of a template one with just
the LAN IPs changing.

The changes in /etc/* are also the same for all of them.

Just one is not getting anything in pflog. pflogd is running. ps auxwww
says:
_pflogd  14121  0.0  0.1   640   244 ??  S 15Feb060:21.15
pflogd: [running] -s 116 -f /var/log/pflog (pflogd)

 There are rules like:
block return-icmp in log quick from <ssh-scan>
in there and currently pfctl -t ssh-scan -Ts gives:
   61.134.32.18
   61.175.248.131
   69.60.110.241
   125.246.21.3
   199.227.176.178
   201.20.202.202
   203.200.36.253
   211.155.23.65
   211.162.78.106
   212.74.113.212
   218.108.1.180
   218.206.96.174
   220.117.241.46
   220.117.241.87
   220.119.33.251
   220.132.113.163
   221.224.14.157
So you would expect to see something in the pflog as those guys would
have tried at least once after being tabled.

I've been working with too little sleep so I am missing some little
detail but it is a bit embarrassing when I try to show a user all the
nasties our log shows as being blocked and the output is null.

Somebody wake me up please. I have looked too long at the forest from
too close up.

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: can't mount_ntfs on svnd

2006-03-15 Thread Ted Unangst
On 3/15/06, Stephen Takacs [EMAIL PROTECTED] wrote:
 $ sudo mount -r -t ntfs /dev/svnd1i /mnt
 mount_ntfs: /dev/svnd1i on /mnt: Operation not supported

ntfs isn't compiled into generic kernels.



Re: chflag operation not permited

2006-03-15 Thread Ted Unangst
On 3/15/06, Jinxi Cheng [EMAIL PROTECTED] wrote:
 Hi, I'm getting operation not permited when I do this:

 # chflags -R schg /bin
 chflags: /bin/chmod: Operation not permitted
 chflags: /bin/md5: Operation not permitted
 chflags: /bin/mt: Operation not permitted
 chflags: /bin/pax: Operation not permitted
 chflags: /bin/rksh: Operation not permitted
 chflags: /bin/rmd160: Operation not permitted

you can't change the flags on immutable files. (hint: you already
changed the flag).



Re: /var/log/pflog empty

2006-03-15 Thread Rod.. Whitworth
On Wed, 15 Mar 2006 20:39:13 -0700, Darrin Chandler wrote:

Rod.. Whitworth wrote:

I have about a dozen OpenBSD firewalls out there and most of them are
pretty minimal having a NATted LAN and the only traffic allowed in
(other than replies to outbound) is ssh.

The pf.confs are pretty much modifications of a template one with just
the LAN IPs changing.

The changes in /etc/* are also the same for all of them.

Just one is not getting anything in pflog. pflogd is running.
  


Is there an empty /var/log/pflog, or *no* /var/log/pflog? (just guessing)

Empty.
It had 24 bytes in it that were dated at install time (last November): 
# hexdump -C /var/log/pflog
00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |TC2!|
00000010  74 00 00 00 75 00 00 00                           |t...u...|
00000018
so I blew it away and did touch /var/log/pflog to create an empty one. 

Next question?

Thanks,


From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
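
For anyone reading that hexdump: the 24 bytes are exactly a libpcap global header and nothing else. d4 c3 b2 a1 is the little-endian magic, 02 00 04 00 is format version 2.4, the eight zero bytes are the timezone and accuracy fields, 74 00 00 00 is a snaplen of 116 (the -s 116 pflogd is running with) and 75 00 00 00 is link type 117, DLT_PFLOG. So pflogd created the file and no packet record has ever followed the header. The decoder below is an added example, not from the thread; the hexdump text is the one posted above with the offsets written out to eight digits, and the parsing follows the public pcap file format rather than anything pflogd-specific.

```python
"""Decode the 24 bytes that hexdump showed in /var/log/pflog.

Added example, not part of the thread. The hexdump text is the one posted
above (offsets written out to 8 digits); the header layout and the
record-walking are the standard libpcap file format, nothing pflogd-specific.
"""
import re
import struct

HEXDUMP_FROM_THREAD = """\
00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |TC2!|
00000010  74 00 00 00 75 00 00 00                           |t...u...|
00000018
"""

# Link-layer types we expect to meet here (numbers from libpcap's DLT list).
LINKTYPES = {1: "DLT_EN10MB", 117: "DLT_PFLOG"}
HEX_BYTE = re.compile(r"^[0-9a-f]{2}$")


def hexdump_to_bytes(text: str) -> bytes:
    """Turn `hexdump -C` output back into the bytes it describes."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split("|")[0].split()          # drop the ASCII column
        # fields[0] is the offset; up to 16 byte values follow it
        out.extend(int(tok, 16) for tok in fields[1:17] if HEX_BYTE.match(tok))
    return bytes(out)


def parse_pcap_header(data: bytes) -> dict:
    """Parse the libpcap global header, raising ValueError if it is not one."""
    if len(data) < 24:
        raise ValueError(f"only {len(data)} bytes; a pcap global header is 24")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"      # written by a little-endian host (i386, amd64)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"      # written by a big-endian host (sparc64, macppc)
    else:
        raise ValueError(f"not a pcap file: magic {magic.hex()}")
    major, minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {
        "endian": endian,
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown"),
    }


def count_records(data: bytes) -> int:
    """Count the per-packet records that follow the global header."""
    hdr = parse_pcap_header(data)
    off, n = 24, 0
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            hdr["endian"] + "IIII", data[off:off + 16])
        if incl_len > hdr["snaplen"] or off + 16 + incl_len > len(data):
            raise ValueError(f"truncated or corrupt record at offset {off}")
        off += 16 + incl_len
        n += 1
    return n


def describe(text: str) -> str:
    """One-line verdict for a hexdump of a pflog file."""
    data = hexdump_to_bytes(text)
    hdr = parse_pcap_header(data)
    return (f"pcap {hdr['version'][0]}.{hdr['version'][1]}, snaplen {hdr['snaplen']}, "
            f"linktype {hdr['linktype']} ({hdr['linktype_name']}), "
            f"{count_records(data)} packet records")


if __name__ == "__main__":
    print(describe(HEXDUMP_FROM_THREAD))
```

hexdump_to_bytes() is only there to recover the bytes from the post; on a real /var/log/pflog read the file in binary and hand the bytes straight to parse_pcap_header() and count_records(). A zero record count with pflog0 up and matching `log` rules means nothing has reached the file since pflogd wrote the header; a non-zero count with nothing showing in `tcpdump -n -e -ttt -r /var/log/pflog` points at the reader instead.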



Re: can't mount_ntfs on svnd

2006-03-15 Thread Stephen Takacs
On Wed, Mar 15, 2006 at 07:47:46PM -0800, Ted Unangst wrote:
 ntfs isn't compiled into generic kernels.
 
Okay that explains a lot. :-)

I guess I'll use sharity-light to access the filesystem instead (when
qemu is running).  Either that or run samba and store my data
externally to qemu.

-- 
Stephen Takacs   [EMAIL PROTECTED]   http://perlguru.net/
4149 FD56 D078 C988 9027  1EB4 04CC F80F 72CB 09DA



Re: Strange carp issues

2006-03-15 Thread Bryan Irvine
I don't suppose you are using a quad card of some kind are you?



On 3/15/06, Steven S [EMAIL PROTECTED] wrote:
 I have two firewalls (FW1  FW2) with multiple carp interfaces on an
 external interface (carp1, carp12, carp14, carp15, carp16, carp17, carp18,
 carp19, carp20).  FW1 has all carp interfaces set with advbase 1 advskew 0
 and FW2 has all carp interfaces with advbase 1 advskew 180.  Frequently FW2
 thinks it is the master for some of the carp interfaces.  Here is a tcpdump
 (-ni fxp0 proto carp) from FW2.  As you can see, even though FW2 sees the
 advertisement for carp16, carp17, carp18, carp19 and carp20 from FW1 it
 sometimes takes over as master for those interfaces and advertises.  To find
 these events look for advskew=180 in the tcpdump below.

 The event at 19:19:05.023848 seemed to be from lost packets.  The event at
 19:19:10.013844 is very odd since FW2 saw the carp20 advertisement from FW1
 at 19:19:09.07.  This should be enough time for a failover, should it?

 Any pointers would be appreciated (relevant pf rules below.)

 -Steve S.

 19:19:02.290779 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.290807 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.290828 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.290849 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.290869 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.290887 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.290914 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.290936 CARPv2-advertise 36: vhid=19 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.290957 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.890823 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.890849 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.890871 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.890892 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.890912 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.890933 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.890962 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.890986 CARPv2-advertise 36: vhid=19 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:02.891010 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:03.880791 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:03.880818 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:03.880839 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:03.880860 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:03.880881 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:03.880901 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:03.880932 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:03.880955 CARPv2-advertise 36: vhid=19 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:03.880979 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:05.023848 CARPv2-advertise 36: vhid=17 advbase=1 advskew=180 (DF) [tos
 0x10]
 19:19:05.024936 CARPv2-advertise 36: vhid=18 advbase=1 advskew=180 (DF) [tos
 0x10]
 19:19:05.026003 CARPv2-advertise 36: vhid=19 advbase=1 advskew=180 (DF) [tos
 0x10]
 19:19:05.027069 CARPv2-advertise 36: vhid=20 advbase=1 advskew=180 (DF) [tos
 0x10]
 19:19:05.341023 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:05.341047 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:05.341068 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:05.341088 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:05.341109 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:05.341129 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:05.341154 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:05.341176 CARPv2-advertise 36: vhid=19 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:05.341199 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:06.295736 CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:06.295760 CARPv2-advertise 36: vhid=12 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:06.295782 CARPv2-advertise 36: vhid=14 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:06.295802 CARPv2-advertise 36: vhid=15 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:06.295822 CARPv2-advertise 36: vhid=16 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:06.297299 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:06.297318 CARPv2-advertise 36: vhid=18 advbase=1 advskew=0 (DF) [tos
 0x10]
 19:19:06.297335 
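
Steven's "look for advskew=180" is a grep a script can do, and the figure worth computing next to each hit is how long before it the master (advskew=0) last advertised that vhid, since that is what has to be held against the backup's master-down timer. The parser below is an added example, not part of the post; TCPDUMP_EXCERPT is a handful of lines copied from it, kept in the wrapped form the mail client left them in (a break after "[tos"), so the first job is to re-join them. find_takeovers() treats any advertisement carrying the backup's advskew as the backup acting as master.

```python
"""Pull the takeover events out of a tcpdump of CARP advertisements.

Added example, not part of Steven's post. TCPDUMP_EXCERPT is a handful of
lines copied from the post, kept in the wrapped form the mail client left
them in (a line break after "[tos"), so the parser has to re-join them.
"""
import re

TCPDUMP_EXCERPT = """\
19:19:03.880901 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:03.880979 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.023848 CARPv2-advertise 36: vhid=17 advbase=1 advskew=180 (DF) [tos
0x10]
19:19:05.027069 CARPv2-advertise 36: vhid=20 advbase=1 advskew=180 (DF) [tos
0x10]
19:19:05.341129 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:05.341199 CARPv2-advertise 36: vhid=20 advbase=1 advskew=0 (DF) [tos
0x10]
19:19:06.297299 CARPv2-advertise 36: vhid=17 advbase=1 advskew=0 (DF) [tos
0x10]
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
ADVERT = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)")


def unwrap(text: str) -> list:
    """Re-join wrapped tcpdump output: a line without a leading timestamp
    is the tail of the previous line."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_adverts(text: str) -> list:
    """(seconds since midnight, vhid, advbase, advskew) per advertisement."""
    out = []
    for line in unwrap(text):
        m = ADVERT.match(line)
        if m is None:
            continue
        h, mnt, s = m.group("ts").split(":")
        t = int(h) * 3600 + int(mnt) * 60 + float(s)
        out.append((t, int(m.group("vhid")), int(m.group("advbase")),
                    int(m.group("advskew"))))
    return out


def find_takeovers(adverts: list, backup_skew: int) -> list:
    """Every advertisement carrying the backup's advskew is the backup acting
    as master; report how long it had been since any other advertiser
    (the intended master) last announced that vhid."""
    last_master = {}
    events = []
    for t, vhid, _advbase, advskew in adverts:
        if advskew == backup_skew:
            since = t - last_master[vhid] if vhid in last_master else None
            events.append({"time": t, "vhid": vhid, "since_master": since})
        else:
            last_master[vhid] = t
    return events


def report(text: str, backup_skew: int = 180) -> list:
    """Human-readable lines, one per takeover."""
    lines = []
    for ev in find_takeovers(parse_adverts(text), backup_skew):
        h, rem = divmod(ev["time"], 3600)
        mnt, s = divmod(rem, 60)
        gap = ("no earlier master advert seen" if ev["since_master"] is None
               else f"{ev['since_master']:.3f}s after the master's last advert")
        lines.append(f"{int(h):02d}:{int(mnt):02d}:{s:09.6f} vhid={ev['vhid']} "
                     f"backup advertised, {gap}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(TCPDUMP_EXCERPT)))
```

On the excerpt it reports vhid 17 and vhid 20 each advertising with advskew=180 about 1.14 s after the master's previous advertisement for that vhid. Fed the whole capture (`tcpdump -ni fxp0 proto carp` saved to a file) it shows for every takeover whether it followed a long silence from the master or, as here, came barely a second after its last advertisement.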

Re: /var/log/pflog empty

2006-03-15 Thread Vijay Sankar
Is ifconfig pflog0 up? I am not sure whether this is relevant to your 
situation but I sort of recall something like this happening to me a few 
years ago. I had forgotten to turn the interface up and the logs were 
never written. 
 
On Thu, 16 Mar 2006 15:03:57 +1100, Rod.. Whitworth wrote 
 On Wed, 15 Mar 2006 20:39:13 -0700, Darrin Chandler wrote: 
  
 Rod.. Whitworth wrote: 
  
 I have about a dozen OpenBSD firewalls out there and most of them are 
 pretty minimal having a NATted LAN and the only traffic allowed in 
 (other than replies to outbound) is ssh. 
  
 The pf.confs are pretty much modifications of a template one with just 
 the LAN IPs changing. 
  
 The changes in /etc/* are also the same for all of them. 
  
 Just one is not getting anything in pflog. pflogd is running. 

  
  
 Is there an empty /var/log/pflog, or *no* /var/log/pflog? (just guessing) 
  
 Empty. 
 It had 24 bytes in it that were dated at install time (last November):  
 # hexdump -C /var/log/pflog 
 00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |TC2!| 
 00000010  74 00 00 00 75 00 00 00                           |t...u...| 
 00000018 
 so I blew it away and did touch /var/log/pflog to create an empty one. 
  
 Next question? 
  
 Thanks, 
  
 From the land down under: Australia. 
 Do we look umop apisdn from up over? 
  
 Do NOT CC me - I am subscribed to the list. 
 Replies to the sender address will fail except from the list-server. 
 
 
--  
Vijay Sankar, M.Eng., P.Eng.  
ForeTell Technologies Limited  
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6  
Phone: 204 885 9535, E-mail: [EMAIL PROTECTED] 



Re: /var/log/pflog empty

2006-03-15 Thread Rod.. Whitworth
On Wed, 15 Mar 2006 22:48:31 -0600, Vijay Sankar wrote:

Is ifconfig pflog0 up? I am not sure whether this is relevant to your 
situation but I sort of recall something like this happening to me a few 
years ago. I had forgotten to turn the interface up and the logs were 
never written. 
 

ifconfig says:
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224

Next?
thanx.

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



success - equifax signed cert for starttls and under us16.00

2006-03-15 Thread Paul Pruett

--
Musings on getting a CA
signed cert for STARTTLS
and other gotchas
--


If you ask the companies who market
SSL certs about sendmail, they will
say that they don't support certs
for mail, but for websites only.

But maybe the help/support desks are wrong?

I found a vendor that only charged $15.99
for a starterssl signed by geotrust/equifax
and tried it with sendmail

I post the following to misc-at-openbsd
in the hope that others may benefit
and/or correct.

no flames please, if you see a glaring mistake,
let me know offlist and I'll post an amendment
or retraction if appropriate.





--


Starting the notes off on a tangent...
If we want to use something other than our self signed
cert for sendmail, we will have to have a file like
web browsers that has a bundle of okay CA certs.


Getting a file with recent information from a somewhat trusted entity
on which CA certificate signers to accept, for use by applications...


I'm sure there is a better way, and somewhere to get a newer one,
but the file in the src appears to be from March CET 2000

head /usr/src/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt | grep "Last Modified"

##  Last Modified: Thu Mar  2 09:32:46 CET 2000

??

Going way off course to get a newer bundle maybe...

I googled several versions of
scripts that promised to convert a Mozilla file
certdata.txt to a ca-bundle that may be useable.


So let us find certdata.txt in a recent mozilla project
The below renders a file claiming a revision date of 2005/04/18

 curl http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.5.0.1/source/firefox-1.5.0.1-source.tar.bz2 -o firefox-1.5.0.1-source.tar.bz2


 bunzip2 firefox-1.5.0.1-source.tar.bz2

 tar -tvf firefox-1.5.0.1-source.tar | grep certdata.txt

 tar -xvf firefox-1.5.0.1-source.tar mozilla/security/nss/lib/ckfw/builtins/certdata.txt


We got it
now for a tool to convert...

  curl http://www.opensource.apple.com/darwinsource/Current/apache_mod_ssl-680/mod_ssl/pkg.sslcfg/ca-bundle.pl -o ca-bundle.pl


now to do the convert

  /usr/bin/perl ca-bundle.pl > ca-bundle.crt


Note the ca-bundle.crt includes information in such a way that
we may be able to just use it as CAcert.pem for starttls.
We can try copying or linking ca-bundle.crt to CAcert.pem.


If you are fooling around with STARTTLS for sendmail,
you really really would benefit by reading the man pages

man starttls




   on towards pems for sendmail


It is very possible that the following has mistakes
or may not work or is wrong... could be done much
more elegantly or has a security issue,
so use with caution


So we may now have a file we can use for CAcert.pem
for STARTTLS to use that has most of the well
known CA providers.  But if we
self sign our certificates that
will not help unless we concatenate our cert to that


Okay so how can you, on the cheap, set up a
certificate signed by a Certificate Authority recognized
by most applications? Geotrust is well known and
cheaper than Thawte or Verisign...  Froogle a vendor
for Geotrust... found registerfly.com 
http://registerfly.com/ssl/

more on that later...


The following may work for us

BUT, before trying the following and spending $$, you may want to review 
the instructions on man startssl and see if you can get sendmail working with 
a self-signed certificate.


man startssl


OBSERVATION:

Note that the man page for starttls can skip some steps, using one command
to both generate a certificate and the private key.  Because
it is self-signed we did not need a 'CSR'

 openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \
 -out /etc/mail/certs/mycert.pem -keyout  \
 /etc/mail/certs/mykey.pem


If you did this more verbosely...
 you make your key, then make a CSR, then sign the CSR

Something like this

 openssl genrsa -rand /dev/urandom \
 -out /etc/mail/certs/mykey.pem 1024
 chmod 400 /etc/mail/certs/mykey.pem

Now you need a certificate request, CSR, to have geotrust or some CA use
as input to sign and send you back a crt that hopefully will work
after taking your money.

 openssl req -new -inform PEM -key \
/etc/mail/certs/mykey.pem -outform PEM \
-out /etc/mail/certs/mycsr.pem
 chmod 400 /etc/mail/certs/mycsr.pem


You could self-sign it, but then the above CAcert.pem that we extracted 
would not have you in it.


 openssl x509 -days 3650 -signkey /etc/mail/certs/mykey.pem \
-in /etc/mail/certs/mycsr.pem -req \
-out /etc/mail/certs/mycert.pem
 chmod 444 /etc/mail/certs/mycert.pem



-


BUT we may want to pay $$ (not $$$) to have a cert that Eudora/Microsoft
and other email applications would not complain about.

About the cheapest way I found to get a certificate for a website signed 
by geotrust/equifax is to go through the vendor 
http://registerfly.com/ssl/


You'll have to create an account and give them a minimum deposit of $25.00.
Then you can buy the cheapest 
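
The conversion step in the notes above (Mozilla's certdata.txt into a PEM bundle) is small enough to do without a borrowed Perl script, and doing it yourself lets you apply a filter that matters for mail: include only the roots Mozilla trusts for TLS server authentication, which is the trust a mail server checks a STARTTLS peer's certificate against. The converter below is an added example, not ca-bundle.pl and not anything from the post. SAMPLE_CERTDATA is a constructed miniature of the file format and its octal blobs are not real certificates; build_bundle() is meant to be pointed at the contents of the real certdata.txt. Both the CKO_NETSCAPE_TRUST / CKT_NETSCAPE_* names found in 2005-era files and the later CKO_NSS_TRUST / CKT_NSS_* names are accepted.

```python
"""Convert Mozilla's certdata.txt into a PEM CA bundle, keeping only the roots
trusted for TLS server authentication (the trust a STARTTLS peer's certificate
is checked against).

Added example, not the ca-bundle.pl named in the post. SAMPLE_CERTDATA is a
constructed miniature of the format; its octal blobs are not real certificates.
"""
import base64
import re

SAMPLE_CERTDATA = r'''
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root A"
CKA_ISSUER MULTILINE_OCTAL
\060\011\061\007
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012\002\001\001
\004\003\141\142\143
END
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Constructed Root A"
CKA_ISSUER MULTILINE_OCTAL
\060\011\061\007
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root B (code signing only)"
CKA_ISSUER MULTILINE_OCTAL
\060\011\061\010
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\013\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Root B (code signing only)"
CKA_ISSUER MULTILINE_OCTAL
\060\011\061\010
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

# Mozilla renamed CKO_NETSCAPE_TRUST / CKT_NETSCAPE_* to CKO_NSS_TRUST /
# CKT_NSS_*; 2005-era files use the old names, so both are accepted.
TRUST_CLASSES = {"CKO_NETSCAPE_TRUST", "CKO_NSS_TRUST"}
TRUSTED = {"CKT_NETSCAPE_TRUSTED_DELEGATOR", "CKT_NSS_TRUSTED_DELEGATOR"}
OCTAL = re.compile(r"\\([0-7]{3})")


def parse_objects(text: str) -> list:
    """One dict per CKA_CLASS block; MULTILINE_OCTAL values become bytes."""
    objects, current, pending, buf = [], None, None, []
    for line in text.splitlines():
        if pending is not None:                    # inside a MULTILINE_OCTAL block
            if line.strip() == "END":
                current[pending] = bytes(int(o, 8) for o in OCTAL.findall("".join(buf)))
                pending, buf = None, []
            else:
                buf.append(line)
            continue
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):   # blank, comment, BEGINDATA
            continue
        if parts[0] == "CKA_CLASS":
            current = {}
            objects.append(current)
        if parts[1] == "MULTILINE_OCTAL":
            pending = parts[0]
        else:
            current[parts[0]] = parts[2].strip('"')
    return objects


def build_bundle(text: str, usage: str = "CKA_TRUST_SERVER_AUTH") -> str:
    """PEM bundle of every certificate whose trust object marks it a trusted
    delegator for `usage`; certificates are matched to their trust objects by
    issuer and serial number, not by label."""
    objects = parse_objects(text)
    trusted = {(o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]) for o in objects
               if o["CKA_CLASS"] in TRUST_CLASSES and o.get(usage) in TRUSTED}
    chunks = []
    for o in objects:
        if o["CKA_CLASS"] != "CKO_CERTIFICATE":
            continue
        if (o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]) not in trusted:
            continue
        b64 = base64.b64encode(o["CKA_VALUE"]).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        chunks.append(f"{o['CKA_LABEL']}\n{'=' * len(o['CKA_LABEL'])}\n"
                      f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "\n".join(chunks)


if __name__ == "__main__":
    print(build_bundle(SAMPLE_CERTDATA))
```

The output is plain PEM with a label line above each certificate, which OpenSSL ignores, so it can be copied or linked to CAcert.pem as the notes suggest. Changing `usage` to CKA_TRUST_EMAIL_PROTECTION or CKA_TRUST_CODE_SIGNING selects the roots trusted for those purposes instead.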

Re: success - equifax signed cert for starttls and under us16.00

2006-03-15 Thread Andrew Ng
Hi Paul,

if I remember correctly, the last time I tried Postfix on OpenBSD, I could
use a self-generated SSL cert. Hope it's helpful to you.

Regards
Andrew

On Thu, 16 Mar 2006 04:53:58 + (GMT), Paul Pruett
[EMAIL PROTECTED] said:
 --
 Musings on getting a CA
 signed cert for STARTTLS
 and other gotchas
 --
 
 

[patch] backport of ral(4) reliability fix for 3.8

2006-03-15 Thread Roman Hunt
Attached is a backport of the ral(4) fix about to be released in 3.9 ID'd
as: 

don't try to release references to nodes that have been freed by net80211.
in HostAP mode, when switching to the INIT state, net80211 sends a DISASSOC
and a DEAUTH frame to all associated stations and immediately frees all the
nodes while we may still hold references to them in our Tx queues.

hopefully, this should fix PRs 4469/kernel and 4953/kernel.

I needed this to work now and couldn't get snapshots or wait for my disk to
ship so I backported 
the change. Maybe some of you will find the patch useful. 

-
Roman

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of ralfix-3.8.patch]



Re: success - equifax signed cert for starttls and under us16.00

2006-03-15 Thread Paul Pruett

if I remember correctly, the last time I tried Postfix on OpenBSD, I could
use a self-generated SSL cert. Hope it's helpful to you.



Self-signed certs can work with SMTP mail servers, Postfix or Sendmail:
   man starttls

But when you use self-signed certificates, other servers or clients
may at a minimum give warnings to users.  Also it is plausible that
using a certificate signed by a recognized CA may help when sending
to larger corporations, or maybe not.

If you set up SMTP-AUTH, and have clients require TLS, the clients
will likely get a warning message till they accept and store it. 
That's okay for a handful, but for the non-literate or commerce 
customers it will be an education pain, and then most admins
will donate $16 rather than have to explain to clients about accepting
certificates not signed by a trusted CA.

That's my $0.02 on justifying $16


;)



Can you imagine a keychain with karaoke?

2006-03-15 Thread Soriana
This February 14th...
Fall in love with the iBit mp3 player

- The only one with MKT (Micro Karaoke Technology), which displays song
lyrics on the LCD screen
- Built-in microphone to record up to 18 hours of vo
- Use it as flash memory and store Excel, Word or photo files
- And much more!!!

On sale at: Sam's, Liverpool, Vips and Soriana.



[patch] backport of ral(4) reliability fix for 3.8

2006-03-15 Thread Roman Hunt
No MIME this time...

Attached is a backport of the ral(4) fix about to be released in 3.9 ID'd
as:

don't try to release references to nodes that have been freed by net80211.
in HostAP mode, when switching to the INIT state, net80211 sends a DISASSOC
and a DEAUTH frame to all associated stations and immediately frees all the
nodes while we may still hold references to them in our Tx queues.

hopefully, this should fix PRs 4469/kernel and 4953/kernel.

I needed this to work now and couldn't get snapshots or wait for my disk to
ship so I backported
the change. Maybe some of you will find the patch useful.

-
Roman


[demime removed a uuencoded section named ralfix-3.8.patch which was 48 lines]



Re: 3.8 kernel with RAIDframe seg.faults during build

2006-03-15 Thread Anthony Howe

Anthony Howe wrote:
I've done this once before a while back with 3.6 and never had any 
trouble. Now I'm doing it for a different machine using 3.8, but all of 
a sudden I'm getting a seg.fault during the kernel build.


It would appear that the seg. fault happens on the final link. Simply 
repeating the make command succeeds in linking the kernel without error.


--
Anthony C Howe  Skype: SirWumpusSnertSoft
+33 6 11 89 73 78 AIM: SirWumpusSendmail Milter Solutions
http://www.snert.com/ ICQ: 7116561  http://www.snertsoft.com/



Carp, isakmpd sasyncd

2006-03-15 Thread Steven S
Are these messages normal for a carped pair of firewalls running isakmpd
with sasyncd (3.8-stable)?

FW1/master - /var/log/message:
Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s)
222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port
500 due to notification type INVALID_COOKIE
Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s)
222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port
500 due to notification type INVALID_COOKIE

FW2/backup - /var/log/message:
Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on
exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on
exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500

-Steve S.



Re: Carp, isakmpd sasyncd

2006-03-15 Thread Theo de Raadt
There are serious bugs in sasyncd.  Please do not use it yet.  Instead
perhaps (like me) you can encourage the developers who wrote it to...
finish it.

 Are these messages normal for a carped pair of firewalls running isakmpd
 with sasyncd (3.8-stable)?
 
 FW1/master - /var/log/message:
 Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s)
 222729dc227c8f28 a0d29ef92ee65243
 Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port
 500 due to notification type INVALID_COOKIE
 Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s)
 222729dc227c8f28 a0d29ef92ee65243
 Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port
 500 due to notification type INVALID_COOKIE
 
 FW2/backup - /var/log/message:
 Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on
 exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
 Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on
 exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
 
 -Steve S.