Re: Sys-Admin vs Network Admin

2006-04-02 Thread Karsten McMinn
On 3/31/06, A Rossi [EMAIL PROTECTED] wrote:
 snip
 given that I'm not sweeping the floors
 or mowing his lawn, I'm managing his disorganized mess of a network.
 And that job is like a sweatshop, because my employer, a small business
 owner with franchisees, asks me to set up services that are still far
 beyond my abilities: e.g. a VPN that allows him to log into his workgroup
 snip

most all of us did our time in suboptimal positions at one time or another.
go get some paper (any will do, bsdcertification.org, compTIA, a CCNA)
and get the ball rolling so-to-speak...

On 3/31/06, Lars Hansson [EMAIL PROTECTED] wrote:
 As opposed to popular opinion not EVERYONE lives in the U.S. Chances are
 30$/h could be a very respectable salary if you take into account the
 cost of living in the area.
 Btw, I think you got your replies mixed up, Greg didn't say anything about
 salaries.

You are quite right there, I work amidst the telecom valley. No mixup, just
sloppy quoting.



Re: clarification of NAT behavior

2006-04-02 Thread Joachim Schipper
On Sat, Apr 01, 2006 at 03:28:36PM -0500, Gabriel Wachman wrote:
 Everything I know about PF is taken from the PF/NAT FAQ's, and the pf 
 man page.
 
 Suppose you are using NAT as follows:
 nat on $ext_if from $int_if:network to ! $int_if:network -> ($ext_if)
 
 where $ext_if and $int_if are the external and internal interfaces of 
 the firewall, respectively. For the purposes of this discussion, assume 
 that this firewall has only the two interfaces, and is only 
 filtering/translating between the $int_if:network and the Internet. In 
 other words, it doesn't filter/translate any other traffic.
 
 If NAT translation happens BEFORE any filter rules are evaluated (see 
 http://www.openbsd.org/faq/pf/nat.html), then wouldn't it be true that 
 an outbound packet from the internal network will be seen by the 
 filtering engine as a packet with source IP of the firewall?

No, because the filtering engine is smart enough to 'remember' the
original packet.

However, it will be seen as such by, for instance, another box on the
external network.

 Maybe an example will help illustrate my question:
 
 Looking at /usr/share/pf/faq-example1:
 snip
 nat on $ext_if from $int_if:network to any -> ($ext_if)
 snip
 pass in  on $int_if from $int_if:network to any keep state
 snip
 
 Why is that second rule necessary? NAT translates any Internet-bound 
 packets so that they have a source IP of the firewall so it would seem 
 that this rule never gets evaluated. From my understanding, the 
 filtering engine should only see packets with source IPs of the 
 firewall, or destination IPs of the internal network, as that is all 
 that will be left if NAT translates everything first.

As noted above, the filtering engine is a little smarter than this.

nat pass would be a shorter way to write the above, by the way.

Joachim



Re: OpenBSD 3.8 on HP NC6000

2006-04-02 Thread Didier Wiroth
Hi,
I'm using a nc6000 laptop since 3.8 and now I'm running 3.9-stable on it.
Apm does indeed not recognize the battery status but I did not have a panic.

I'm running the F.14 bios from:
http://h18007.www1.hp.com/support/files/hpcpqnk/us/locate/64_5837.html

Here is my dmesg:

OpenBSD 3.9 (GENERIC) #1: Mon Mar 27 20:58:47 CEST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1600MHz (GenuineIntel 686-class) 1.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,EST,TM2
cpu0: Enhanced SpeedStep 1600 MHz (1484 mV): speeds: 1600, 1400, 1200, 1000, 800, 600 MHz
real mem  = 1073127424 (1047976K)
avail mem = 972492800 (949700K)
using 4278 buffers containing 5376 bytes (52500K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c3) BIOS, date 06/23/05, BIOS32 rev. 0 @ 0xf
apm0 at bios0: Power Management spec V1.2 (BIOS managing devices)
apm0: AC on, battery charge unknown
apm0: flags 130102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0840/160 (8 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf6360/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: no compatible PCI ICU found: ICU vendor 0x8086 product 0x24cc
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82855PE Hub rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82855PE AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon Mobility M10 NP rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x03: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x03: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x03: irq 10
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x03: irq 10
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x83
pci2 at ppb1 bus 2
ath0 at pci2 dev 4 function 0 Atheros AR5212 rev 0x01: irq 11
ath0: AR5213 5.6 phy 4.1 rf5111 1.7 rf2111 2.3, WOR0W, address 00:0f:20:94:99:e5
cbb0 at pci2 dev 6 function 0 O2 Micro OZ711E0 CardBus rev 0x00: irq 10
cbb1 at pci2 dev 6 function 1 O2 Micro OZ711E0 CardBus rev 0x00: irq 10
O2 Micro OZ711Mx CardBus rev 0x00 at pci2 dev 6 function 2 not configured
cbb2 at pci2 dev 6 function 3 O2 Micro OZ711E0 CardBus rev 0x00: irq 10
bge0 at pci2 dev 14 function 0 Broadcom BCM5705M_ALT rev 0x03, BCM5705 A3 (0x3003): irq 11, address 00:0d:9d:8c:12:85
brgphy0 at bge0 phy 1: BCM5705 10/100/1000baseT PHY, rev. 2
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x0, lattimer 0x20
pcmcia1 at cardslot1
cardslot2 at cbb2 slot 2 flags 0
cardbus2 at cardslot2: bus 5 device 0 cacheline 0x0, lattimer 0x20
pcmcia2 at cardslot2
ichpcib0 at pci0 dev 31 function 0 Intel 82801DBM LPC rev 0x03
pciide0 at pci0 dev 31 function 1 Intel 82801DBM IDE rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: HITACHI_DK23FB-60
wd0: 16-sector PIO, LBA, 57231MB, 117210240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, DW-224E-A, A.2F SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
auich0 at pci0 dev 31 function 5 Intel 82801DB AC97 rev 0x03: irq 11, ICH4 AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
Intel 82801DB Modem rev 0x03 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 

Athlon XP mobile (k7) setperf not working

2006-04-02 Thread Varoudis
Hello,
I have an Acer 1300 laptop with an athlon xp mobile 1400+. Everything works
ok, but from the hw.cpuspeed and setperf and the laptop is burning at 75C
with my hands on it!!
I have read that after 3.6 K6/K7 works ok with openbsd but I also read some
post from the list with some patches!

http://monkey.org/openbsd/archive/tech/0407/msg00167.html

http://openbsd.toybed.com/archive/2005/msg52297.html

What should I do?


OpenBSD 3.9-current (GENERIC) #670: Sat Apr  1 23:34:55 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: mobile AMD Athlon(tm) XP 1400+  (AuthenticAMD 686-class, 256KB L2 cache) 1.20 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 519598080 (507420K)
avail mem = 467054592 (456108K)
using 4278 buffers containing 26083328 bytes (25472K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7b) BIOS, date 09/09/02, BIOS32 rev. 0 @ 0xe8a50
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xe6000/0x6a5
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfe840/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8231 ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc000 0xe/0x1800! 0xe4000/0x1000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
Thanks for helping,
Tasos Varoudis
www.daemons.gr



Re: Theo is a Blogger :-)

2006-04-02 Thread J.C. Roberts
On Sat, 1 Apr 2006 16:07:43 +0200, Jasper Lievisse Adriaanse
[EMAIL PROTECTED] wrote:

  [ music   |Aqua Barbie Girl ]
 
  April Fools is one thing but someone around here has a really twisted
  sense of humor.
 
 Yes, this is obviously a fake, since there is an humppa cover of this
 tune.
 

 torrent?
it's #15 on Werbung baby!

cheers,
Jasper


Jasper,

Damn, now you've got me curious...

All joking aside, if someone wanted to check out humppa for the first
time, would this be a good album to buy?

thanks,
jcr


--
Free, Open Source CAD, CAM and EDA Tools
http://www.DesignTools.org



Re: Theo is a Blogger :-)

2006-04-02 Thread Stuart Henderson
On 2006/04/02 07:56, J.C. Roberts wrote:
 All joking aside, if someone wanted to check out humppa for the first
 time, would this be a good album to buy?

You could check out the set from the OpenBSD resident DJs first,
http://sunsite.dk/~mk/wth-radio-humppa.mp3 (:



Re: Music made with OpenBSD

2006-04-02 Thread Steven

* Antti Harri [EMAIL PROTECTED] [060401 22:30]:


On Sat, 1 Apr 2006, Steven wrote:


I know that OBSD is supposed to have some issues playing music in
terms of playing speed, but I've never noticed any problems.


AFAIK it only occurs on some drivers, or occurred as I don't know
if it's fixed yet. There was quite long thread about it less than
six months ago.


Yeah, I had even looked it up on the archives just to make sure that 
I wasn't just talking out my arse.  :-)


http://marc.theaimsgroup.com/?l=openbsd-misc&m=112902621404205&w=2


If I'm not mistaken the hardware could only do
one sampling rate and the driver didn't support on-the-fly resampling.
One could use for example mplayer's resampling as a workaround.


Like I said, I've never had any issues playing music.  Perhaps I've
just been lucky and have never had to use the driver in question.
The only time I've had issues is when the application that I was
using had issues (ie. ogg123, mpg123/321, xmms, etc...), but that
doesn't happen too often either.


PS. Correct me if I'm totally wrong :-)


Can't comment, you probably know more than I do about that.  :-)

--
W. Steven Schneider  [EMAIL PROTECTED]



Re: Theo is a Blogger :-)

2006-04-02 Thread Jasper Lievisse Adriaanse
On Sun, 02 Apr 2006 07:56:26 -0700
J.C.Roberts [EMAIL PROTECTED] wrote:

 On Sat, 1 Apr 2006 16:07:43 +0200, Jasper Lievisse Adriaanse
 [EMAIL PROTECTED] wrote:

   [ music |Aqua Barbie Girl ]
  
   April Fools is one thing but someone around here has a really twisted
   sense of humor.
  
  Yes, this is obviously a fake, since there is an humppa cover of this
  tune.
  
 
  torrent?
 it's #15 on Werbung baby!
 
 cheers,
 Jasper


 Jasper,

 Damn, now you've got me curious...

 All joking aside, if someone wanted to check out humppa for the first
 time, would this be a good album to buy?
They have some songs available for download on their webpage. But I have to
say that their latest album, Humppasirkus is very nice too.


 thanks,
 jcr
Cheers,
Jasper



 --
 Free, Open Source CAD, CAM and EDA Tools
 http://www.DesignTools.org




disable listen on ports

2006-04-02 Thread Niklaus
Hi,
 How do i disable users on a system to run their own http proxy. I
don't want to allow users who have login accounts on my system to
listen to any port . How do i do that.

Regards
Nik



Theo opinion of Plan 9

2006-04-02 Thread Andrés Delfino
I would like to know what does Theo think about Plan 9. Just curiosity, :P.



Re: disable listen on ports

2006-04-02 Thread Steve Shockley

Niklaus wrote:

 How do i disable users on a system to run their own http proxy. I
don't want to allow users who have login accounts on my system to
listen to any port . How do i do that.


Don't cross-post.

pf will probably do what you want, they'll be able to run the proxy, but 
won't be able to initiate an inbound connection.




Re: disable listen on ports

2006-04-02 Thread Niklaus
On 4/2/06, Steve Shockley [EMAIL PROTECTED] wrote:
 Niklaus wrote:
   How do i disable users on a system to run their own http proxy. I
  don't want to allow users who have login accounts on my system to
  listen to any port . How do i do that.

 Don't cross-post.

 pf will probably do what you want, they'll be able to run the proxy, but
 won't be able to initiate an inbound connection.

The problem with pf is that you have to setup filter or white list for
every new protocol that i setup from root.

I only want root to listen to ports. Is that possible. Something like
access control.



Re: disable listen on ports

2006-04-02 Thread Stuart Henderson
On 2006/04/02 22:54, Niklaus wrote:
  pf will probably do what you want, they'll be able to run the proxy, but
  won't be able to initiate an inbound connection.
 
 The problem with pf is that you have to setup filter or white list for
 every new protocol that i setup from root.
 
 I only want root to listen to ports. Is that possible. Something like
 access control.

Read pf.conf(5) about the 'user' and 'group' options.



Re: disable listen on ports

2006-04-02 Thread Matthias Kilian
On Sun, Apr 02, 2006 at 10:54:24PM +0530, Niklaus wrote:
 The problem with pf is that you have to setup filter or white list for
 every new protocol that i setup from root.

No, just filter on user or group id.

Ciao,
Kili

-- 
It's a Barrier Of Entry issue:  if you can't figure out which floppy
to boot from, go run Gentoo.
-- Matthew Jenove on [EMAIL PROTECTED]



Re: Soekris4801 drops to ddb on cu disconnect

2006-04-02 Thread Diana Eichert
My bad, see this is what happens when you use someone else's configuration
without reading EVERYTHING associated with it.

I used Damien Miller's flashboot to bring up my 4801 and hadn't noticed
that he'd changed the setting in sysctl.conf for ddb.console=1
# 1=Permit entry of ddb from the console

I learned something new today, cu sends BREAK on disconnect.

sorry for the noise, I'll go back to being an observer again.

diana



Re: disable listen on ports

2006-04-02 Thread Chris Kuethe
On 4/2/06, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2006/04/02 22:54, Niklaus wrote:
   pf will probably do what you want, they'll be able to run the proxy, but
   won't be able to initiate an inbound connection.
  
  The problem with pf is that you have to setup filter or white list for
  every new protocol that i setup from root.
 
  I only want root to listen to ports. Is that possible. Something like
  access control.

 Read pf.conf(5) about the 'user' and 'group' options.

what problem are you really trying to solve?

what's to stop me from tunnelling through ssh? what's to stop me doing
a reverse telnet sort of connection back to the machine i want to
tunnel from.

you might want to look at systrace...

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: disable listen on ports

2006-04-02 Thread Niklaus
On 4/2/06, Chris Kuethe [EMAIL PROTECTED] wrote:
 On 4/2/06, Stuart Henderson [EMAIL PROTECTED] wrote:
  On 2006/04/02 22:54, Niklaus wrote:
    pf will probably do what you want, they'll be able to run the proxy, but
    won't be able to initiate an inbound connection.
   
   The problem with pf is that you have to setup filter or white list for
   every new protocol that i setup from root.
  
   I only want root to listen to ports. Is that possible. Something like
   access control.
 
  Read pf.conf(5) about the 'user' and 'group' options.

 what problem are you really trying to solve?

 what's to stop me from tunnelling through ssh? what's to stop me doing
 a reverse telnet sort of connection back to the machine i want to
 tunnel from.

I understand the tunnelling through ssh part.
Can you explain what reverse telnet is . I don't get it.

 you might want to look at systrace...

seems like a good thing.
 --
 GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: disable listen on ports

2006-04-02 Thread Chris Kuethe
On 4/2/06, Niklaus [EMAIL PROTECTED] wrote:
  what problem are you really trying to solve?

really, what problem are you trying to solve? the fact that you have
untrusted users?

 I understand the tunnelling through ssh part.
 Can you explain what reverse telnet is . I don't get it.

assume have an http proxy listening on 127.0.0.1 on your machine.
assume you've disabled port forwarding in sshd_config so i can't
tunnel to my proxy.
i then change my proxy program to i connect back to a listener
(netcat?) on my remote machine at which point i have a tcp connection
through which i can forward my http requests to make them look like
they're coming from your box.

this sort of trick is easy to whack together... probably 10 or 15
minutes if you're ripping code straight out of learning perl without
knowing what you're doing. no doubt there's stuff in ports that can be
used too.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
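
Added example, not part of any message in this thread: a pf.conf fragment showing the `user` filtering that the replies point to in pf.conf(5), written in the `keep state` rule syntax of this era. The uid threshold of 1000 for login accounts is an assumption about the local system.

```pf
# Constructed example ruleset; adapt before use.
# 'user' and 'group' apply only to TCP and UDP.

# Inbound: a connection is accepted only if the socket listening on the
# destination port is owned by root. Users can still call listen(), but
# nothing from the network reaches their socket.
block in  proto { tcp, udp } all
pass  in  proto { tcp, udp } all user root keep state

# Outbound: covers the connect-back case raised in the thread, where the
# user's program dials out instead of listening. Only sockets owned by
# uids below 1000 (assumed here to be root and system daemons) may open
# outbound connections.
# Side effect: ordinary users also lose outbound ssh, DNS lookups made
# from their own processes, and so on.
block out proto { tcp, udp } all
pass  out proto { tcp, udp } all user < 1000 keep state

# Caveats from pf.conf(5):
# - pf compares against the IDs in effect when the socket was created.
#   A daemon that binds as root and then drops privileges still matches
#   'user root'.
# - Forwarded packets have an unknown user and match only rules that
#   compare against 'unknown' explicitly, so on a router these rules
#   need additional pass rules for forwarded traffic.
```

Load a candidate ruleset with `pfctl -nf` first to check that it parses, and keep a console session open while testing, since the outbound block also applies to the administrator's own unprivileged account.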



Re: Theo opinion of Plan 9

2006-04-02 Thread Nick Holland

Andrés Delfino wrote:

I would like to know what does Theo think about Plan 9. Just curiosity, :P.


Not curious enough to Google for it?

First page of hits for 'deraadt plan 9' gets you some interesting 
reading.  You get more interesting stuff if you play with the spaces in 
various combinations: de Raadt and Plan9.


Nick.



Interface groups PF route-to

2006-04-02 Thread Dave Harrison
Hi all,

I've been trying to get interface groups going on a machine and have met with a
possibly interesting problem.

I have declared an interface to be part of a group, and that group shows up
correctly if I `ifconfig foogroup` or `pfctl -s Interfaces`

I have a setup where I have one VPN come in over one ISP link, and another over
a second (from different remote IPs to different local IPs).

I have the following macros defined,
[NB: Yes I changed the IPs]

link2_if   = em0
#link2_if  = MyIFGroup
link2_gw   = 1.1.1.1
link2_ip1  = 1.1.1.20
remote_link0_ip1   = 200.200.200.200

To test, I comment out the 'em0' line and uncomment the IFGroup line.

I also have the following rules in place to correctly handle my VPN on that link


pass in  log quick on $link2_if reply-to ($link2_if $link2_gw)\
proto esp from $remote_link0_ip1 to $link2_ip1 keep state

pass out log quick on $link2_if route-to ($link2_if $link2_gw)\
proto esp from $link2_ip1 to $remote_link0_ip1 keep state

pass in  log on $link2_if reply-to ($link2_if $link2_gw)\
proto udp from $remote_link0_ip1 port = isakmp to $link2_if\
port = isakmp keep state

pass out log quick on $link2_if route-to ($link2_if $link2_gw)\
proto udp from $link2_if port = isakmp to $remote_link0_ip1\
port = isakmp keep state


What I find is that when I go over to using the MyIFGroup declaration, my rules
stop matching and the VPN doesn't get established on the group'd interface (the
other VPN comes up fine).

Is there something I'm missing ??  From reading the posts and 'man ifconfig'
about interface groups I'm pretty sure I just have to assign an interface to the
group and nothing more.  Is that correct ??

Any help appreciated,
Cheers
Dave



What do you mean `hand-holding on IRC'!!!

2006-04-02 Thread Han Boetes
We do it all the time!

00:52 BSDWhelp| I know changelogs are the easy way to see what changes, but how/when/where can we see how the project gets directed for the next release topic?
00:52 Han| plus.html
00:52 BSDWhelp| sure, that's the changelog
00:52 BSDWhelp| but what makes one change the big one?
00:53 Han| e dunno... :-\
00:54 cmihai| Check Theo interview on undeadly BSDWhelp
00:54 cmihai| You don't :)
00:54 | scarynetworkguy loved Joan.
00:54 scarynetw| Yay! Theo!
00:54 cmihai| Pfff, you want us to hold your hand now? :D
00:54 BSDWhelp| he's just pumping up the funding again
00:54 cmihai| Apparently he thinks very little of us hand-holders on IRC :).
00:54 BSDWhelp| lol
00:54 Han| All spend on liquor!
00:54 cmihai| BSDWhelp, well, he needs his beer! Humppa!
00:54 | scarynetworkguy holds cmihai's hand and skips down the street.
00:55 BSDWhelp| yeah, I saw the livejournal too
00:55 | Han joins the handholding :-)
00:55 BSDWhelp| the question about what kind of bird that was on his shoulder was an amusing inside joke
00:55 Han| Come on everyone. Lets do as Theo suggests and hold hands!
00:55 cmihai| W
00:55 cmihai| This is so 1970, but without the LSD.
00:56 scarynetw| The person with whom I wish to hold hands isn't here. ...
00:56 BSDWhelp| I'm here, scarynetworkguy
00:56 jsunn| yes he is!
00:56 jsunn| :D
00:56 daowee| just open your heart and let the love flow my friend
00:56 | Han _will_ post this on misc@
00:57 scarynetw| Bah
00:57 | scarynetworkguy pouts.
00:57 | jsunn opens a can of hippie-stallman love all over the channel
00:57 BSDWhelp| the 1970s release was 3.7
00:57 scarynetw| Hehe.
00:58 scarynetw| On Friday night we went to eat at a new age/vegan sort of place.
00:58 Han| come on scarynetworkguy, bring that person over here! :-)
00:58 scarynetw| Walked in. Looked at my mate. My god, it's full of hippies.
00:58 jsunn| ZOMG!! BEARDS!!
00:58 cmihai| Don't tell me you're a vegan?
00:58 scarynetw| Han: That person is making beer this afternoon.
00:59 cmihai| We used to make home brewed beer all the time.
00:59 Han| And then you grabbed your guitar and joined the throng, while puffing on a joint ? :-)
00:59 BSDWhelp| puffing! woo openbsd pun
00:59 scarynetw| cmihai: No no no. But they do make a killer pad thai.
00:59 Han| Didn't even notice it.
01:00 daowee| it just comes naturally to you when you're in a state of elevation man, elevation maaan!
01:00 Han| Well I felt sorry for the elephant!
01:01 daowee| hey i'm a lover of all things, i can dig that man
01:01 Han| hmmm somehow I got the feeling noone in here knows `The young ones.'
01:02 daowee| the song or the tv show?
01:02 Han| Actually, cliff did a song with the young ones =)
01:03 daowee| how noble (pun)
01:03 Han| Something about a living doll. Go figure.
01:04 cmihai| Michael Jackson?
01:05 cmihai| G. W. Bush??
01:05 cmihai| Oh, wait. That's a puppet.
01:06 | jsunn runs to the store to buy some expensive, non-homebrew beer. maybe some heine's...
01:07 | scarynetworkguy cries.
01:07 daowee| scarynetworkguy: duude, yer getting a bud
01:07 scarynetw| Ew!
01:08 BSDWhelp| that'd be so funny if Wal-Mart offered up a load of PCs for obsd devs
obsd devs


You can find more of this nonsense on irc.freenode.net on the #OpenBSD channel =)



# Han



Are we users stupid or what?

2006-04-02 Thread Archimedes Arevalo
Friends,

Pardon the subject line. It was not meant to offend but rather to attract. I
recently joined the OpenBSD mailing list to see what issues there are before
actually installing it on my box. I am presently using another Linux distro.

For the last few days I've been receiving so much emails (I didn't want the
daily digest), I noticed that there were also from a
[EMAIL PROTECTED] to the mailing list. I do hope that the
list maintainers/owners
act on this spam. I have enough filters on; I do not really want to create
another one for this.

Thank you all.

Archimedes Arevalo



Re: Are we users stupid or what?

2006-04-02 Thread Darrin Chandler

Archimedes Arevalo wrote:


Pardon the subject line. It was not meant to offend but rather to attract.



Well done.


For the last few days I've been receiving so much emails (I didn't want the
daily digest), I noticed that there were also from a
[EMAIL PROTECTED] to the mailing list. I do hope that the
list maintainers/owners
act on this spam. I have enough filters on; I do not really want to create
another one for this.
 



The OpenBSD developers all bank with Chase, and are using misc@ for 
their notification address. Heck, I do the same thing. It's convenient. 
You might want to consider switching to Chase as well. Don't bother 
using misc@ as your email, though. Any security warnings are sent here 
anyway, so you'll know all about them, and the Nigerian branch of Chase 
is only too happy to help with your online banking security problems.


--
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: Are we users stupid or what?

2006-04-02 Thread Chris
Archimedes Arevalo wrote:
 Friends,
 
 Pardon the subject line. It was not meant to offend but rather to attract. I
 recently joined the OpenBSD mailing list to see what issues there are before
 actually installing it on my box. I am presently using another Linux distro.

Are you implying that OpenBSD is yet another distro of Linux? If so -
you are seriously mistaken.

 For the last few days I've been receiving so much emails (I didn't want the
 daily digest), I noticed that there were also from a
 [EMAIL PROTECTED] to the mailing list. I do hope that the
 list maintainers/owners
 act on this spam. I have enough filters on; I do not really want to create
 another one for this.

This list, like any other list - will get spam. That's a given. There
isn't a list (unmoderated that is) that is spamless.

Since you are a new user, take care on what you say. You will end up
making enemies.

Some advice, do your research. Investigate ALL avenues (The OpenBSD
site, the FAQ, the lists, Google) before asking questions in the list.

Many of the answers that you seek ARE in the list archives.


 Thank you all.
 
 Archimedes Arevalo
 
 
 


-- 
Best regards,
Chris

All things come to him whose name is on a mailing list.



Re: Are we users stupid or what?

2006-04-02 Thread Deanna Phillips
Archimedes Arevalo [EMAIL PROTECTED] writes:

 For the last few days I've been receiving so much emails (I
 didn't want the daily digest), I noticed that there were also
 from a [EMAIL PROTECTED] to the mailing list. I do
 hope that the list maintainers/owners act on this spam. I have
 enough filters on; I do not really want to create another one
 for this.

nntp://news.gmane.org/gmane.os.openbsd.misc

nntp?  is that thing still around?

or

http://dir.gmane.org/gmane.os.openbsd.misc

And yeah, Linux users are generally stupid.

-- 
deanna



Re: Are we users stupid or what?

2006-04-02 Thread Qv6
on Sunday 02 April 2006 07:58 pm, Deanna Phillips wrote:

 And yeah, Linux users are generally stupid.

 I consider myself a Linux user - my laptop and a desktop have Gentoo 
Linux running on them, but my firewall is OpenBSD-based. My server is 
also OpenBSD-based. So, tell me wise guy. I'm I generally stupid?



Re: Are we users stupid or what?

2006-04-02 Thread Nick Guenther
On 4/3/06, Qv6 [EMAIL PROTECTED] wrote:
 on Sunday 02 April 2006 07:58 pm, Deanna Phillips wrote:
 
  And yeah, Linux users are generally stupid.

  I consider myself a Linux user - my laptop and a desktop have Gentoo
 Linux running on them, but my firewall is OpenBSD-based. My server is
 also OpenBSD-based. So, tell me wise guy. I'm I generally stupid?

One could make a witty reply out of So, tell me wise guy. I'm I
generally stupid? but it's just not worth it.



Re: Are we users stupid or what?

2006-04-02 Thread Peter
--- Nick Guenther [EMAIL PROTECTED] wrote:

 On 4/3/06, Qv6 [EMAIL PROTECTED] wrote:
  on Sunday 02 April 2006 07:58 pm, Deanna Phillips wrote:
  
   And yeah, Linux users are generally stupid.
 
   I consider myself a Linux user - my laptop and a desktop have
 Gentoo
  Linux running on them, but my firewall is OpenBSD-based. My server
 is
  also OpenBSD-based. So, tell me wise guy. I'm I generally stupid?
 
 One could make a witty reply out of So, tell me wise guy. I'm I
 generally stupid? but it's just not worth it.

What about me?  I run Slackware as well as OpenBSD.  Am I stupid too?



Re: clarification of NAT behavior

2006-04-02 Thread Gabriel Wachman

On Sat, Apr 01, 2006 at 03:28:36PM -0500, Gabriel Wachman wrote:
 Everything I know about PF is taken from the PF/NAT FAQ's, and the pf
 man page.

 Suppose you are using NAT as follows:
 nat on $ext_if from $int_if:network to ! $int_if:network -> ($ext_if)

 where $ext_if and $int_if are the external and internal interfaces of
 the firewall, respectively. For the purposes of this discussion, assume
 that this firewall has only the two interfaces, and is only
 filtering/translating between the $int_if:network and the Internet. In
 other words, it doesn't filter/translate any other traffic.

 If NAT translation happens BEFORE any filter rules are evaluated (see
 http://www.openbsd.org/faq/pf/nat.html), then wouldn't it be true that
 an outbound packet from the internal network will be seen by the
 filtering engine as a packet with source IP of the firewall?

No, because the filtering engine is smart enough to 'remember' the
original packet.

However, it will be seen as such by, for instance, another box on the
external network.

 Maybe an example will help illustrate my question:

 Looking at /usr/share/pf/faq-example1:
 snip
 nat on $ext_if from $int_if:network to any -> ($ext_if)
 snip
 pass in  on $int_if from $int_if:network to any keep state
 snip

 Why is that second rule necessary? NAT translates any Internet-bound
 packets so that they have a source IP of the firewall so it would seem
 that this rule never gets evaluated. From my understanding, the
 filtering engine should only see packets with source IPs of the
 firewall, or destination IPs of the internal network, as that is all
 that will be left if NAT translates everything first.

As noted above, the filtering engine is a little smarter than this.

nat pass would be a shorter way to write the above, by the way.

Joachim

Thanks Joachim. I understand you to mean that even though the source IP 
gets translated by NAT, the filtering engine filters on the original IP 
address. That makes sense to me, except that the NAT FAQ says:


Also be aware that since translation occurs before filtering, the 
filter engine will see the translated packet with the translated IP 
address and port as outlined in How NAT Works.


To me, that clearly indicates that the filtering engine sees only the 
post-translated packets, with no idea of the contents of the 
pre-translated packets. Therefore the filtering engine should only see 
the translated source IP and destination IP of outbound and inbound 
packets, respectively, from the NAT'ed internal network. Unless I'm 
misreading the FAQ, or it's wrong, then my original question remains.


Thanks again,
Gabriel
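
Added example, not from the thread or the FAQ: an annotated ruleset in the thread's `nat on` syntax that marks which source address each filter rule compares against, following the FAQ sentence quoted in the message above. The interface names are constructed placeholders.

```pf
# Constructed macros; substitute the real interface names.
ext_if = "fxp0"
int_if = "fxp1"

# Translation rule from the thread. It names $ext_if, so it is applied
# where the packet crosses $ext_if, not where it crosses $int_if.
nat on $ext_if from $int_if:network to any -> ($ext_if)

block all

# Step 1: a LAN host's packet arrives on $int_if. No translation rule
# applies on this interface, so the filter compares the untranslated
# internal source address. This is the rule from faq-example1, and it is
# evaluated for every new connection from the LAN.
pass in on $int_if from $int_if:network to any keep state

# Step 2: the same packet leaves on $ext_if. The nat rule rewrites the
# source first, then the filter runs, so the address compared here is
# the firewall's external address.
pass out on $ext_if from ($ext_if) to any keep state

# A rule written like this does not match the LAN traffic in step 2,
# because by then the source is no longer in $int_if:network:
# pass out on $ext_if from $int_if:network to any keep state
```

Running `pfctl -ss` while a LAN host has a connection open shows both states, and the entry on the external interface lists the internal and the translated address together.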