Re: SMP error

2006-06-15 Thread edgarz

Hi!
There was another thread about SMP, OpenBSD does not support 
HypeThreading :/ Bad, too bad :( Intel's HT is a very powerful thing :)


Bill Jones wrote:

Did anyone ever help you or did you figure it out yet?

I am having the same problem and would like to stay with OpenBSD and not move 
it to Linux.

Bill


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edgars
Sent: Monday, June 12, 2006 11:32 AM
To: misc@openbsd.org
Subject: SMP error

Hello misc!
I have problems with the smp kernel (3.9, and Current).
ichiic0: timeout, status 0x0
ichiic0: transaction abort failed, status 0x42 INTR, INUSE
and full screen with that crap.
XEON is with HyperThreading technology.
Here is a dmesg from uniprocessor system.

OpenBSD 3.9-current (GENERIC) #876: Sun Jun 11 13:51:47 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16
real mem  = 535834624 (523276K)
avail mem = 481218560 (469940K)
using 4256 buffers containing 26894336 bytes (26264K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(8b) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xfd88f, 
SMBIOS rev. 2.33 @ 0xdc010 (48 entries)
bios0: HP ProLiant ML150 G2
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd4b0/0xb50
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfded0/272 (15 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xc9800/0x8c00 0xdc000/0x4000!
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7320 MCH rev 0x0c
ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0c
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 Intel MCH PCIE rev 0x0c
pci2 at ppb1 bus 2
bge0 at pci2 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): 
irq 10, address 00:16:35:b1:b4:5a
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb2 at pci0 dev 28 function 0 Intel 6300ESB PCIX rev 0x02
pci3 at ppb2 bus 3
ahd0 at pci3 dev 4 function 0 Adaptec AIC-7901 U320 rev 0x10: irq 9
ahd0: aic7901, U320 Wide Channel A, SCSI Id=7, PCI-X 50-66Mhz, 512 SCBs
scsibus0 at ahd0: 16 targets
sd0 at scsibus0 targ 0 lun 0: COMPAQ, BF03688284, HPB3 SCSI3 0/direct fixed
sd0: 34732MB, 50824 cyl, 2 head, 699 sec, 512 bytes/sec, 71132000 sec total
safte0 at scsibus0 targ 8 lun 0: SDR, GEM318P, 1 SCSI2 3/processor fixed
uhci0 at pci0 dev 29 function 0 Intel 6300ESB USB rev 0x02: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 5300ESB USB rev 0x02: irq 5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
Intel 6300ESB WDT rev 0x02 at pci0 dev 29 function 4 not configured
Intel 6300ESB APIC rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 Intel 6300ESB USB rev 0x02: irq 11
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x0a
pci4 at ppb3 bus 4
vga1 at pci4 dev 4 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 6300ESB LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 6300ESB IDE rev 0x02: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: LITE-ON, CD-ROM LTN-489S, 8QG2 SCSI0 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 Intel 6300ESB SMBus rev 0x02: irq 10
iic0 at ichiic0
lm1 at iic0 addr 0x2c: W83792D rev B
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: W83627THF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff6d netmask ff6d ttymask ffef
pctr: user-level cycle counter enabled
ahd0: target 0 synchronous with period = 0x8, offset = 

Re: Spam Trapping

2006-06-15 Thread Mikhail Goriachev
tony sarendal wrote:
 On 14/06/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 On Wed, Jun 14, 2006 at 09:31:49AM -0700, John Draper wrote:
 Mike Spenard wrote:

 What are some thoughts on purposely getting a spam trap email
 address acquired by spammers and the best way to do so.
 It is hard to do initially, unless you want to spend a lot of time
 signing up for things over the web...  In my case, I have a very
 good spam trap.   But I host about 60 Email users and I changed
 everyone's Email address (with their cooperation), and removed
 them from any mailing lists they might have joined.   Eventually,
 almost all of these accounts have Pure spam coming in.

 Next I forwarded each of them to [EMAIL PROTECTED] and
 presto...  I have a 100% spam source I can feed directly into my
 spam reporting engine.   Most of these addresses have taken years
 to accumulate this spam.  This is by far the best way...

 we used to have 'spammers ? spam this [EMAIL PROTECTED]' at the
 bottom of each page so that crawlers would spam it. also, we had a
 few systems accounts, not supposed to receive mail, act as spam
 traps which proved to be quite efficient.


 So what do you guys do with the email hitting the spam traps ?
 My email address [EMAIL PROTECTED] has been used as From address
 by spammers, does that mean that I can't send you guys emails ?
 Or do you do something else like teach spamassassin and record source
 IP addresses ?
 
 /Tony
 


I feed it to spamassassin. I don't do anything with IPs because most of
them get dynamically reallocated between clean and infected computers. I
reckon you shouldn't worry about From address because it gets forged all
the time. This is very common. Therefore, it would be a bit silly for
someone to rely on the From field.


Cheers,
Mikhail.

-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: http://www.webanoide.org

PGP Key ID: 0x4E148A3B
PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B



How do I add a new sysctl variable?

2006-06-15 Thread Pnorcott
Hi, I have tried to follow the source code and have been unable to add a
variable.

Is there a step by step guide anywhere?
 
I want to have a counter (int) and an array[1000] of bytes.
 
Thanks.
pn.



Re: Hifn policy on documentation

2006-06-15 Thread Eliah Kagan

On 6/14/06, Darrin Chandler [EMAIL PROTECTED] wrote:

I blame neither Mr. Cohen nor the lawyers. It's the decision makers at
the company who have decided this policy, which is a policy change from
years ago. Nobody else at the company is to blame. That's how
responsibility works.


No, it's not.

If you do something that is morally reprehensible, it is morally
reprehensible whether or not you are doing it because you were ordered
to do it. For Mr. Cohen to tell us lies or inexcusably misinformed
statements reflects negatively on him personally, because that is
something that no one ought to do.

Perhaps Mr. Cohen would be fired if he refused to act immorally. That
doesn't mean that his actions are beyond criticism.

I don't think that anybody, prior to the post I am making right now,
has called Mr. Cohen or the lawyers into question for their individual
morality. Up to this point, we have been criticizing what Mr. Cohen
said, and we have been criticizing Hifn the company and any and all
employees who would carry out actions on behalf of the company with
which we disagree and with which we believe to constitute bad business
and degradation of users' freedom. This has included but has at no
point been limited to or particularly focused on Mr. Cohen. But now
that you bring it up, yes, Mr. Cohen made the wrong decision when he
chose to carry out the will of his company. And since he is the
Product Line Manager (read his signature), he was probably involved
in establishing just what the will of his company is.

-Eliah



x.org

2006-06-15 Thread artjom
Strange problem which appeared in 3.8 and appears in 3.9. When I type
startx it does nothing. After waiting for half a minute I press cancel and
only then it begins to do something but fails to start. When I open another
tty and type there startx it starts normally. The strangest thing is that I
do nothing, X fails to start without any reason.

Artyom



Re: Hifn policy on documentation

2006-06-15 Thread veins
Oh well ...

I have to admit that I find it quite amusing how some people that do
restrict access to documentation are the same that do take advantage
of other people's free documentation ...

http://marc.theaimsgroup.com/?l=openssl-users&m=114832209207203&w=2

Oh ... wait ... no. I don't find that amusing, and Hifn is no longer 
in the vendors list I maintain for the company I work at.

A while ago, someone mentioned the opening of a wiki to help find a
list of specs friendly and unfriendly vendors, how is it going ?



Re: x.org

2006-06-15 Thread Per Engelbrecht

[EMAIL PROTECTED] wrote:

Strange problem which appeared in 3.8 and appears in 3.9. When I type
startx it does nothing. After waiting for half a minute I press cancel and
only then it begins to do something but fails to start. When I open another
tty and type there startx it starts normally. The strangest thing is that I
do nothing, X fails to start without any reason.

Artyom


  

Your mail is a little sparse on fact/information.

First make sure that *machdep.allowaperture=2* is set in /etc/sysctl.conf

I expect you (as root) have made a /root/xorg.conf.new by running:
# xorgcfg
- and have made corrections to the Display section at the end of 
xorg.conf (DefaultDepth and Modes) and then done:

# cp /root/xorg.conf.new  /etc/X11/xorg.conf
If 'yes' you should  be able to run 'startx'.
Your /var/log/Xorg.0.log will give away what you need to know.


/per
[EMAIL PROTECTED]
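Per's checklist as a script, added here as an example and not part of the post: it reads the machdep.allowaperture value that a sysctl.conf will apply, checks that an xorg.conf exists, and pulls the (EE) lines out of an Xorg.0.log, reporting the first step that fails. File paths are passed as arguments (the real ones are the OpenBSD paths named in the post); the sysctl.conf and log written by demo() are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the post: Per's checklist as a script. Paths are
# arguments so it can run against constructed copies; on a real box call
#   xorg_diagnose /etc/sysctl.conf /etc/X11/xorg.conf /var/log/Xorg.0.log

# aperture_level SYSCTL_CONF: print the machdep.allowaperture value that will
# be applied at boot (commented lines ignored; the last assignment wins, as
# sysctl(8) applies the file top to bottom). Prints 0 when the file sets nothing.
aperture_level() {
    level=$(sed -n 's/^[[:space:]]*machdep\.allowaperture[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${level:-0}"
}

# xorg_errors XORG_LOG: print only the (EE) lines, which is where the server
# says why it refused to start. Empty output means no errors were logged.
xorg_errors() {
    grep '(EE)' "$1" 2>/dev/null || true
}

# xorg_diagnose SYSCTL_CONF XORG_CONF XORG_LOG: report the first checklist
# item that fails, in the order the post gives them.
xorg_diagnose() {
    conf=$1
    xorg=$2
    log=$3
    if [ "$(aperture_level "$conf")" -ne 2 ]; then
        echo "machdep.allowaperture is not 2 in $conf: X cannot map the video aperture"
    elif [ ! -f "$xorg" ]; then
        echo "$xorg is missing: run xorgcfg as root and copy /root/xorg.conf.new into place"
    elif [ -n "$(xorg_errors "$log")" ]; then
        echo "server errors in $log:"
        xorg_errors "$log"
    else
        echo "prerequisites look fine: read $log in full for (WW) lines"
    fi
}

# demo WORKDIR: constructed sysctl.conf and Xorg.0.log (sample data, not from a
# real machine) showing the first failure being reported.
demo() {
    work=$1
    printf '#machdep.allowaperture=2\nmachdep.allowaperture=0\n' > "$work/sysctl.conf"
    printf '(II) Loading extension MIT-SHM\n(EE) Screen(s) found, but none have a usable configuration.\n' > "$work/Xorg.0.log"
    xorg_diagnose "$work/sysctl.conf" "$work/xorg.conf" "$work/Xorg.0.log"
}
```

The order matters: with allowaperture at 0 the server never gets far enough to produce a useful log, so that check comes first. allowaperture relaxes what root may map through the aperture driver and exists only for the X server; it belongs at 0 on hosts that do not run X, and it can only be raised while the system is at securelevel 0, which in practice means from /etc/sysctl.conf at boot.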



Re: SMP error

2006-06-15 Thread Henning Brauer
* edgarz [EMAIL PROTECTED] [2006-06-15 08:12]:
 There was another thread about SMP, OpenBSD does not support 
 HypeThreading :/ Bad, too bad :( Intel's HT is a very powerful thing :)

OpenBSD does support HT, at least on machines with a proper MPBIOS.
and indeed I have a dual xeon here that attaches 4 cpus.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



pics from the hackathon

2006-06-15 Thread Kroty

Hey folk,

anyone willing to share some pics from this year's hackathon?

I just have seen a couple of them from beck. ;)

Thanks!



Re: x.org

2006-06-15 Thread Martin Vahi

On Thu, 15 Jun 2006 [EMAIL PROTECTED] wrote:


Strange problem which appeared in 3.8 and appears in 3.9. When I type
startx it does nothing. After waiting for half a minute I press cancel and
only then it begins to do something but fails to start. When I open another
tty and type there startx it starts normally. The strangest thing is that I
do nothing, X fails to start without any reason.

Artyom



I, for instance, use xinit instead of startx. However, in the case of
OpenBSD 3.8 the Enlightenment window manager (or is it X, actually, I don't
know), tends to crash from time to time and the keyboard layout
settings (gnome-keyboard-properties) stop working from time to time.

So, I don't think that the graphical user interface on OpenBSD 3.8
is exactly too stable, but as I have very limited resources
of time and money (don't we all?), then I guess that I just have
to live with that. :/

Regards,
Martin Vahi



Re: smtp-gated alternative for OpenBSD

2006-06-15 Thread Edgars

Use a postfix and port redirection.
Redirect all smtp connections to your server, and that's all :)

Craig Skinner wrote:

On Sun, Jun 11, 2006 at 03:43:24PM +0300, Soner Tari wrote:
  

Hi all,

I'm trying to find a fully transparent smtp proxy for outgoing mails
from NATed hosts behind my firewall (smtp proxy will run on this
firewall). smtp-gated of FreeBSD seems like an exact match. What is the
equivalent of smtp-gated for OpenBSD? I tried to google too, but failed
to find something similar.




SMTP is a store and forward protocol, and as such any SMTP server is a
caching proxy.

It seems you only want to send mail out from the LAN, so just use the
MTA that you are most familiar with.

Sendmail is included by default, I use postfix as I've used it at work
for a number of companies, so know my way around it.




Re: SMP error

2006-06-15 Thread Edgars

Hi!
That's interesting.
Maybe you can say where the problem is in my case; I posted a message some
days ago?


Henning Brauer wrote:

* edgarz [EMAIL PROTECTED] [2006-06-15 08:12]:
  
There was another thread about SMP, OpenBSD does not support 
HypeThreading :/ Bad, too bad :( Intel's HT is a very powerful thing :)



OpenBSD does support HT, at least on machines with a proper MPBIOS.
and indeed I have a dual xeon here that attaches 4 cpus.

  



--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: x.org

2006-06-15 Thread astefani
Just for information:
I noticed the same behaviour on my FreeBSD laptop.
It appears from time to time, and when I have it on a tty, I'll have it
until next reboot.
Oddly enough, when I launch xinit or X on the tty which has the problem,
it works normally. I checked the logs, well... nothing to say.


 Strange problem which appeared in 3.8 and appears in 3.9. When I type
 startx it does nothing. After waiting for half a minute I press cancel and
 only then it begins to do something but fails to start. When I open
 another
 tty and type there startx it starts normally. The strangest thing is that
 I
 do nothing, X fails to start without any reason.

 Artyom



Missing Man Page bio (3)?

2006-06-15 Thread Ste Jones

Hello,

Just wondering if there is a missing man page or if bio (3) references
should be removed from the following pages

SSL_accept.pod
SSL_connect.pod
SSL_do_handshake.pod
SSL_get_fd.pod
SSL_get_rbio.pod
SSL_read.pod
SSL_set_bio.pod
SSL_set_fd.pod
SSL_shutdown.pod
SSL_write.pod


Cheers
Ste Jones



Re: Hifn policy on documentation

2006-06-15 Thread Jeff Quast

On 6/15/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Oh well ...

I have to admit that I find it quite amusing how some people that do
restrict access to documentation are the same that do take advantage
of other people's free documentation ...

http://marc.theaimsgroup.com/?l=openssl-users&m=114832209207203&w=2

Oh ... wait ... no. I don't find that amusing, and Hifn is no longer
in the vendors list I maintain for the company I work at.

A while ago, someone mentioned the opening of a wiki to help find a
list of specs friendly and unfriendly vendors, how is it going ?



http://www.vendorwatch.org/ , hifn is marked as unfriendly. I really
like this site, too. Congrats to the contributors.



Re: developing a backup strategy

2006-06-15 Thread Allen Theobald
[snip]

 My favorite solution is rsnapshot in ports. It beats rsync and scp
 because not only does it allow you to specify what and when to
 backup,
 but it uses hard links. What's that got to do with anything? Well it
 rsyncs everything on the first backup, and only the differences
 there
 after. But it makes every backup look like a full backup (every
 file) because it hard-links the unchanged stuff into the latest
 backup
 dir. So you get a complete backup dir every time sans lots of file
 transfers and space taken up on the backup storage box.  

This guy gives a great explanation and some bash scripts to do
just that:

   http://www.mikerubel.org/computers/rsync_snapshots/

I believe he also refers to rsnapshot as being a more polished
version of what he outlines.

Very interesting and easy read.

Take care,

Allen
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
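The hard-link trick described in the quoted explanation and in Mike Rubel's write-up, as an added example that is not part of the post, of rsnapshot, or of Rubel's scripts: a POSIX sh script that rotates snapshot directories and hard-links any file unchanged since the previous snapshot instead of copying it. Where those tools use rsync, this example uses cmp plus ln and cp so it runs with base tools only. The snap.N directory names, the KEEP variable and the source tree built in demo() are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the post or from rsnapshot: hard-link snapshots in POSIX sh.
# Assumed layout: ROOT/snap.0 is the newest snapshot, snap.1 the previous one,
# up to snap.(KEEP-1). A file unchanged since the previous snapshot is hard-linked
# into the new one (shares the inode); only changed or new files are copied.
# rsync is replaced here by cmp + ln/cp so the script runs with base tools only.

KEEP=${KEEP:-3}   # number of snapshots to retain (assumption of this example)

# rotate_snapshots ROOT: drop the oldest snapshot and shift the rest up by one.
rotate_snapshots() {
    root=$1
    i=$((KEEP - 1))
    [ -d "$root/snap.$i" ] && rm -rf "$root/snap.$i"
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        [ -d "$root/snap.$prev" ] && mv "$root/snap.$prev" "$root/snap.$i"
        i=$prev
    done
}

# take_snapshot SRC ROOT: build ROOT/snap.0 from SRC, linking every file that is
# byte-identical to its copy in ROOT/snap.1 and copying the rest.
take_snapshot() {
    src=$1
    root=$2
    rotate_snapshots "$root"
    prev="$root/snap.1"
    new="$root/snap.0"
    mkdir -p "$new"
    # regular files only: symlinks and device nodes are deliberately skipped
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$new/$(dirname "$rel")"
        if [ -f "$prev/$rel" ] && cmp -s "$f" "$prev/$rel"; then
            ln "$prev/$rel" "$new/$rel"     # unchanged: one inode, two names
        else
            cp -p "$f" "$new/$rel"          # changed or new: a real copy
        fi
    done
}

# link_count FILE: number of names pointing at FILE's inode
# (the second field of ls -l output, which POSIX defines as the link count).
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# demo WORKDIR: run two snapshots over a constructed source tree, changing one
# file in between, and print "<links of unchanged file> <links of changed file>".
demo() {
    work=$1
    mkdir -p "$work/src/sub" "$work/backups"
    printf 'stable content\n' > "$work/src/keep.txt"
    printf 'v1\n' > "$work/src/sub/edit.txt"
    take_snapshot "$work/src" "$work/backups"
    printf 'v2\n' > "$work/src/sub/edit.txt"
    take_snapshot "$work/src" "$work/backups"
    # keep.txt is shared by snap.0 and snap.1 (2 links); edit.txt is a fresh copy (1 link)
    echo "$(link_count "$work/backups/snap.0/keep.txt") $(link_count "$work/backups/snap.0/sub/edit.txt")"
}

# Stand-alone run: snapshot into a scratch directory and show the link counts.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d) && demo "$scratch" && rm -rf "$scratch"
fi
```

The link counts are the whole point and also the caveat: because an unchanged file in every snapshot is one inode with several names, a snapshot is only a faithful copy as long as nothing edits a file inside it in place, since an in-place write through one snapshot changes all of them. Treat the snapshot tree as read-only, and keep it on the backup box rather than on the host being backed up, so a compromised client cannot rewrite or delete its own history.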



Re: Hifn policy on documentation

2006-06-15 Thread knitti

On 6/15/06, Wolfgang S. Rupprecht
[EMAIL PROTECTED] wrote:

 Ditto for the card intentionally leaking the keying data
into the cipher stream?

oh come on, this discussion is already as off topic as it can be, no need
to add FUD to it. any algorithm the cards claim to implement _is_ fully
documented, so you can test any output except that of the RNG against a
'known good' implementation

--knitti



Re: recording streams with OpenBSD

2006-06-15 Thread Will Maier
On Wed, Jun 14, 2006 at 03:01:58PM -0700, Bryan wrote:
 Will Maier wrote:
 $ mplayer -dumpstream http://your.stream.com/stream.mp3 -dumpfile stream.mp3
 
 I did find that, but the stream is not an .mp3 file.

So? Mplayer will dump an ASF stream. In fact, I tried that with your
stream, and it worked fine. What's the problem?

 Can I dump the stream directly as an .mp3 file?  

Prolly not directly with Mplayer, but you could dump to a FIFO and
read the FIFO in your encoder (or decoder first) of choice. Or just
reencode the dumped ASF file later on, although that will likely
degrade file quality.

-- 

o--{ Will Maier }--o
| jabber:[EMAIL PROTECTED] | [EMAIL PROTECTED] |
| freenode:..lt_kije | freenode:#madlug,#wilug |
*--[ BSD Unix: Live Free or Die ]--*



Re: Hifn policy on documentation

2006-06-15 Thread Darrin Chandler
On Wed, Jun 14, 2006 at 11:45:13PM -0800, Eliah Kagan wrote:
 On 6/14/06, Darrin Chandler [EMAIL PROTECTED] wrote:
 I blame neither Mr. Cohen nor the lawyers. It's the decision makers at
 the company who have decided this policy, which is a policy change from
 years ago. Nobody else at the company is to blame. That's how
 responsibility works.
 
 No, it's not.
 
 If you do something that is morally reprehensible, it is morally
 reprehensible whether or not you are doing it because you were ordered
 to do it. For Mr. Cohen to tell us lies or inexcusably misinformed
 statements reflects negatively on him personally, because that is
 something that no one ought to do.

So? If it weren't Mr. Cohen, if would be someone else from Hifn. From
*my* point of view as a user of OpenBSD their reasons and moral standing
don't matter because they won't open the specs on their hardware. If
they did open the specs, then there might be other reasons for me not to
do business with them. As it stands there's already one show stopper.
That's enough.

Look, it's pretty obvious from early exchanges in this thread that these
issues have been discussed by the principal parties over a fairly long
period of time. How many brilliant insights have been added by this
thread? More important, has this thread opened up Hifn's specs? Has this
discussion accomplished anything at all?

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: Hifn policy on documentation

2006-06-15 Thread Breen Ouellette

Darrin Chandler wrote:

Look, it's pretty obvious from early exchanges in this thread that these
issues have been discussed by the principal parties over a fairly long
period of time. How many brilliant insights have been added by this
thread? More important, has this thread opened up Hifn's specs? Has this
discussion accomplished anything at all?

  

1) The principal parties' exchanges didn't go anywhere. It is time to
crank the heat up a couple of notches. If the principal parties come in
and ask us to stop it will go a lot further than you, some random person,
asking us to stop. I don't see Theo complaining, and he has a far
greater vested interest than you. I haven't seen other developers
complaining, and the same goes for them. I haven't even seen Hifn
complaining, although that would only weaken their position further.

2) It's not about brilliant insights. It is about customer
dissatisfaction. People are posting so there is a record that they are
not happy with the situation, and this record covers very clearly why
they are not happy with the situation. This goes a long way towards
punishing Hifn for what we perceive as acts which are not in our best
interests as customers. The alternative is silence, which allows Hifn to
continue to dupe customers. I do not want to see another person duped
like this, and it is now my personal mission to do what I am able to
prevent it from happening again.

3) Has this thread opened up Hifn's specs??! You expect results to take
place in an unreasonable amount of time. Change doesn't always happen
overnight, especially when corporations are involved.

4) This discussion has definitely accomplished something - it has
created a freely accessible, mirrored record which points out some very
serious flaws in the policies of a supposed security minded company. As
a consumer I have relied on exactly this sort of thing time and time
again to avoid bad purchases. I wish this thread had existed three
months ago so I wouldn't have purchased a blasted Hifn product that sits
unused on my shelf!

And above all this, this thread shows that, for the most part, users are
behind the policies of the OpenBSD project. This sends a clear message
to the industry that we will hurt their bottom line if they screw around
with us. I only wish more projects and organizations would toe this line.

Breeno



Re: Hifn policy on documentation

2006-06-15 Thread Breen Ouellette

Wolfgang S. Rupprecht wrote:

I guess the part I don't understand is why are open source folks so
wary of running black-box *.o binaries from a vendor but are quite
eager to use blackbox crypto cards (that effectively run blackbox *.o
firmware)?

  
This is a pretty poor argument in my books. They could undermine us in 
the hardware, so why don't we just give them the keys to the kingdom and 
allow them to do it in software?


HUH???

Given your argument we may as well just let them have root access to our 
machines. Or maybe they could install cameras in our offices and homes 
while they are at it.


Breeno



Re: sendmail config: non-system mail accounts?

2006-06-15 Thread L. V. Lammert

At 07:01 PM 6/14/2006 -0500, Jacob Yocom-Piatt wrote:

i'm pretty comfortable using postfix as an MTA, but i have only now been
fiddling with sendmail. everything has been going fine, except that i can't
figure out how to add mail accounts for users without adding them as users on
the mailserver itself when using sendmail. for postfix this is clearly
documented in an example on the website (see
http://www.postfix.org/VIRTUAL_README.html#virtual_mailbox ).


Same with sendmail - virtusertable

Lee



Re: Hifn policy on documentation

2006-06-15 Thread Breen Ouellette

knitti wrote:

oh come on, this discussion is already as off topic as it can be, no need
to add FUD to it. any algorithm the cards claim to implement _is_ fully
documented, so you can test any output except that of the RNG against a
'known good' implementation


This is a great point. However...

This is not off topic. This topic definitely affects OpenBSD and serves 
a purpose. I do not understand why people think this is off topic. Since 
when was misc@ only for posting about technical problems?


Talking about the World Cup matches would be off-topic. Talking about 
Billy Graham's last sermon would be off topic. Hifn's crappy policy and 
why we don't like it is definitely on topic.


Breeno



USB device nodes

2006-06-15 Thread Markus Schatzl
Hi,

working on setting up some crypto tokens, I noticed some
differences to Free/NetBSD on handling the ugen devices.

If a device is attached, the kernel reports it as ugenX, as it
does it also on the other BSDs. Though /dev/ugenX itself doesn't 
exist on OpenBSD, so it can't be talked to. 

Typically, the endpoint an application wants to communicate with 
is the control endpoint ugenX.00. The other BSDs seem to handle 
that case transparently, i.e. if no endpoint is specified, .00 
is chosen automatically.

Since stat'ing a device-node for existence is apparently quite 
common, introducing a symlink /dev/ugenX -> /dev/ugenX.00 would 
be an obvious solution in this situation.

While I have no problem with creating the links by myself, it
would be nice if MAKEDEV could also create the symlink by default.
Any chance to get this in?

Thanks in advance,
/Markus



Re: Hifn policy on documentation

2006-06-15 Thread Darrin Chandler
On Thu, Jun 15, 2006 at 09:01:51AM -0600, Breen Ouellette wrote:
 1) The principal parties' exchanges didn't go anywhere. It is time to 
 crank the heat up a couple of notches. If the principal parties come in 
 and ask us to stop it will go a lot further than you, some random person, 
 asking us to stop. I don't see Theo complaining, and he has a far 
 greater vested interest than you. I haven't seen other developers 
 complaining, and the same goes for them. I haven't even seen Hifn 
 complaining, although that would only weaken their position further.

I don't expect everyone to stop because I said so. I'm hoping that at
least a few of you will go do something productive instead.

 2) It's not about brilliant insights. It is about customer 
 dissatisfaction. People are posting so there is a record that they are 
 not happy with the situation, and this record covers very clearly why 
 they are not happy with the situation. This goes a long way towards 
 punishing Hifn for what we perceive as acts which are not in our best 
 interests as customers. The alternative is silence, which allows Hifn to 
 continue to dupe customers. I do not want to see another person duped 
 like this, and it is now my personal mission to do what I am able to 
 prevent it from happening again.
 
 3) Has this thread opened up Hifn's specs??! You expect results to take 
 place in an unreasonable amount of time. Change doesn't always happen 
 overnight, especially when corporations are involved.
 
 4) This discussion has definitely accomplished something - it has 
 created a freely accessible, mirrored record which points out some very 
 serious flaws in the policies of a supposed security minded company. As 
 a consumer I have relied on exactly this sort of thing time and time 
 again to avoid bad purchases. I wish this thread had existed three 
 months ago so I wouldn't have purchased a blasted Hifn product that sits 
 unused on my shelf!
 
 And above all this, this thread shows that, for the most part, users are 
 behind the policies of the OpenBSD project. This sends a clear message 
 to the industry that we will hurt their bottom line if they screw around 
 with us. I only wish more projects and organizations would toe this line.

This discussion made it to the front page of Slashdot, giving Hifn a lot
of free publicity. It gives them the opportunity to tell everyone again
that you can just go get their specs online. Maybe they can offer a nice
BLOB to the Linux distros and get it accepted like nVidia. Maybe due to
this they will sell MORE hardware than before.

If half the people heavily involved with this thread had drawn up a well
worded message and sent it to Hifn it would have had a better effect, I
bet.

We'll see. I surely don't expect policy changes overnight. If Hifn truly
opens their specs in the next year I'll be surprised. And that is what
will change my mind about the value of this discussion.

FYI, someone recently mentioned www.vendorwatch.org. It's a nice
resource, and I hope it grows. I keep forgetting it's there. Next time
I'm shopping for hardware I'll be checking there!

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: SMP error

2006-06-15 Thread Adam
On Thu, 15 Jun 2006 09:03:10 +0300 edgarz [EMAIL PROTECTED] wrote:

 Hi!
 There was another thread about SMP, OpenBSD does not support 
 HypeThreading

Yes, it does.

 Intel's HT is very powerfull thing :)

No, it's not.  As you yourself stated, it is HypeThreading.  It may be
a good demonstration of the power of marketing, but it itself is not
powerful.

Adam



Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])

2006-06-15 Thread Breen Ouellette

Breen Ouellette wrote:
I am still going to install 3.9 on a PC and try an ssh connection 
which doesn't involve WinXP / PuTTY.


I finally got around to it and I still get the error when connecting 
from a PC installed with OpenBSD 3.9 to my net4801 / vpn1411 running 
OpenBSD 3.9. So, just in case someone came across this thread and 
thought that PuTTY was the cause of the problem, it definitely is not, 
you can thank Hifn for this one.


Breeno



Re: SMP error

2006-06-15 Thread Jesse Gumm

Have you tried disabling Hyperthreading in BIOS and seeing if you
continue to get this message?  From what I've read, hyperthreading
tends to lower performance on the BSDs anyway.

On 6/15/06, Edgars [EMAIL PROTECTED] wrote:

Hi!
That's interesting.
Maybe you can say where the problem is in my case; I posted a message some
days ago?

Henning Brauer wrote:
 * edgarz [EMAIL PROTECTED] [2006-06-15 08:12]:

 There was another thread about SMP, OpenBSD does not support
 HypeThreading :/ Bad, too bad :( Intel's HT is a very powerful thing :)


 OpenBSD does support HT, at least on machines with a proper MPBIOS.
 and indeed I have a dual xeon here that attaches 4 cpus.




--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




Re: Hifn policy on documentation

2006-06-15 Thread Tony Abernethy
Breen Ouellette wrote:

 Darrin Chandler wrote:
  Look, it's pretty obvious from early exchanges in this thread that these
  issues have been discussed by the principal parties over a fairly long
  period of time. How many brilliant insights have been added by this
  thread? More important, has this thread opened up Hifn's specs? Has this
  discussion accomplished anything at all?
 
 
 1) The principal parties' exchanges didn't go anywhere. It is time to
 crank the heat up a couple of notches. If the principal parties come in
 and ask us to stop it will go a lot further than you, some random person,
 asking us to stop. I don't see Theo complaining, and he has a far
 greater vested interest than you. I haven't seen other developers
 complaining, and the same goes for them. I haven't even seen Hifn
 complaining, although that would only weaken their position further.

 2) It's not about brilliant insights. It is about customer
 dissatisfaction. People are posting so there is a record that they are
 not happy with the situation, and this record covers very clearly why
 they are not happy with the situation. This goes a long way towards
 punishing Hifn for what we perceive as acts which are not in our best
 interests as customers. The alternative is silence, which allows Hifn to
 continue to dupe customers. I do not want to see another person duped
 like this, and it is now my personal mission to do what I am able to
 prevent it from happening again.

 3) Has this thread opened up Hifn's specs??! You expect results to take
 place in an unreasonable amount of time. Change doesn't always happen
 overnight, especially when corporations are involved.

 4) This discussion has definitely accomplished something - it has
 created a freely accessible, mirrored record which points out some very
 serious flaws in the policies of a supposedly security-minded company. As
 a consumer I have relied on exactly this sort of thing time and time
 again to avoid bad purchases. I wish this thread had existed three
 months ago so I wouldn't have purchased a blasted Hifn product that sits
 unused on my shelf!

You can then appreciate why I lurk on this list, and how I can easily talk
my tightwad CEO into buying a couple of CDs that I might need to use.
For a lot of this stuff, the OpenBSD users and developers will take good
care of themselves. But a lot of this does matter to us (bluntly) outsiders.
If security actually matters (not some snake-oil fiction) the first rule
has to be something like not fooling yourself. Something like this thread
is probably the only plausible mechanism to establish what the ground
rules SHOULD be for such as this. Maybe not a good chance, but seems to me
like maybe it is the only chance.


 And above all this, this thread shows that, for the most part, users are
 behind the policies of the OpenBSD project. This sends a clear message
 to the industry that we will hurt their bottom line if they screw around
 with us. I only wish more projects and organizations would toe this line.

 Breeno



Re: Curious on NAT traversal possibility on PF

2006-06-15 Thread Martin Toft

Late reply due to mail server problems at my ISP...

Stuart Henderson wrote:

Depends what you're trying to do, but if it's e.g. throttling
p2p users, that's only going to be of limited help.


I haven't tried the approach yet and, like you, I'm in doubt about its
ability to throttle p2p. However, the idea isn't pulled out of the sky -
using 'pfctl -ss' on my gateway, I've discovered that a high percentage
(90%) of the connections suspected to be p2p go out to completely
random ports, mostly above 1024. (These days, users of bittorrent have
to choose non-standard ports due to tracker rules, which entails a
quite uniform distribution.) My goal isn't to throttle every single p2p
connection, just a big enough percentage of them.


Relying on the side-behaviour of 'lots-of-connections' often
seen with some protocols you might want to restrict, but not so
often seen from a legitimate client, you have the option of
using max-src-states and throttling hosts in the overload
table. Care and attention are required, though.


Nice idea, even though it's a bit more advanced. Thanks :)

/Martin
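The "lots of connections to random high ports" heuristic discussed in this exchange, as an added example that is not part of the thread: a small script that parses `pfctl -ss` output and flags sources whose outbound states are mostly to ports above 1024. The line layout it expects ('iface proto src -> dst STATE'), the sample states and the thresholds are assumptions, not taken from the posts.

```python
"""Flag hosts with many states to scattered high ports in `pfctl -ss` output.

Added example, not from the thread. A source with lots of concurrent states,
most of them to destination ports above 1024, looks like a p2p client rather
than an ordinary one. Assumed line layout: 'iface proto src -> dst STATE';
an optional parenthesised address after the source is skipped. Thresholds
are assumptions.
"""
import re
from collections import defaultdict

STATE_RE = re.compile(
    r"^(?P<ifc>\S+)\s+(?P<proto>tcp|udp|icmp)\s+(?P<src>\S+)"
    r"(?:\s+\(\S+\))?\s+(?P<dir>->|<-)\s+(?P<dst>\S+)\s+(?P<state>\S+)$")


def split_addr(token):
    """'192.168.1.5:51234' -> ('192.168.1.5', 51234); '[2001:db8::1]:22' works too."""
    host, _, port = token.rpartition(":")
    return host.strip("[]"), int(port)


def parse_states(text):
    """Parse pfctl -ss lines into dicts; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m is None:
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        entries.append({"proto": m["proto"], "src": src, "sport": sport,
                        "dir": m["dir"], "dst": dst, "dport": dport,
                        "state": m["state"]})
    return entries


def summarize(entries, min_states=20, high_port_share=0.8):
    """Per-source summary of outbound states with a 'suspect' verdict."""
    per_src = defaultdict(list)
    for e in entries:
        if e["dir"] == "->":           # only states the host itself initiated
            per_src[e["src"]].append(e["dport"])
    report = {}
    for src, ports in per_src.items():
        n = len(ports)
        share = sum(1 for p in ports if p > 1024) / n
        report[src] = {"states": n, "distinct_ports": len(set(ports)),
                       "high_port_share": round(share, 2),
                       "suspect": n >= min_states and share >= high_port_share}
    return report


def suspects(report):
    """Sources the heuristic flagged, busiest first."""
    return sorted((s for s, r in report.items() if r["suspect"]),
                  key=lambda s: -report[s]["states"])


def constructed_sample():
    """CONSTRUCTED pfctl -ss output, not a real capture."""
    lines = []
    for i in range(25):  # one host with 25 states to 25 peers on random high ports
        lines.append("all tcp 192.168.1.5:%d -> 10.0.%d.1:%d ESTABLISHED:ESTABLISHED"
                     % (50000 + i, i, 20000 + 173 * i))
    lines += [  # an ordinary client: web, mail and DNS only
        "all tcp 192.168.1.7:49152 -> 203.0.113.10:80 ESTABLISHED:ESTABLISHED",
        "all tcp 192.168.1.7:49153 -> 203.0.113.10:443 ESTABLISHED:ESTABLISHED",
        "all tcp 192.168.1.7:49154 -> 203.0.113.25:25 ESTABLISHED:ESTABLISHED",
        "all udp 192.168.1.7:49155 -> 203.0.113.53:53 MULTIPLE:SINGLE",
        # inbound ssh to the gateway itself: not counted against anyone
        "all tcp 203.0.113.1:22 <- 198.51.100.9:40001 ESTABLISHED:ESTABLISHED",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    report = summarize(parse_states(constructed_sample()))
    for src in suspects(report):
        r = report[src]
        print("%s: %d states, %d distinct ports, %.0f%% above 1024"
              % (src, r["states"], r["distinct_ports"], 100 * r["high_port_share"]))
```

Hosts the script flags are candidates for a table fed by pf's overload mechanism; the thresholds need tuning against the normal state counts seen on the gateway.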



Re: ftp problems with OpenBSD 3.9

2006-06-15 Thread Smith

I tried in /etc/rc.conf.local

ftpd_flags=-DllUSAn4

and rebooted.  Problem still persisted.  I checked netstat -an to verify 
that it was not listening on tcp6 port 21.


I'm going to do Nick Holland's suggestion and the tcpdump idea too.



Fwd: Hifn policy on documentation

2006-06-15 Thread Siju George

Hi all,

This is the mail I got from the Hifn representative for my response to his
mail and clarifications in misc.

This mail was sent to me privately and I am well aware of the fact
that it is not good manners to make private mails public. In that way
I am just going down a little bit on that. Let people see the
response they get from Hifn.

And Mr. Cohen, if what you sent to the list was indeed not a lie then
I sincerely apologize for mentioning that you were lying in my previous
mail. I apologize publicly just as I mentioned it publicly.

Also I would like to let you know very humbly that this may not be a
very good way of treating your potential customers.

Thanks for your compliments anyway :-)

Good luck ahead with this policy of your company and your personal behaviour.

Kind regards

--Siju




-- Forwarded message --
From: Hank Cohen [EMAIL PROTECTED]
Date: Jun 14, 2006 10:43 AM
Subject: RE: Hifn policy on documentation
To: Siju George [EMAIL PROTECTED]


Mr. George.
I do not appreciate being accused of lying.
If you choose not to use Hifn products then so be it.
I have announced our policy in good faith and been treated to
a barrage of insult and invective.   If I were speaking on my own
account I would feel free to tell you what I really think of this kind
of bullshit but I cannot do so since I will always be seen as a
representative of my company.

You sir have the manners of a pig.  And I shall surely never
recommend your IT and Media services to anyone either.
Having said that perhaps you can understand how much your
threats are likely to have the result that you desire.

Hank Cohen
On my own account.



Re: Hifn policy on documentation

2006-06-15 Thread Phil Howard
On Wed, Jun 14, 2006 at 08:52:01PM -0700, Wolfgang S. Rupprecht wrote:

|  So what if one of the driver writers for one of the open source operating
|  systems were to design a set of open standards for a hardware/software
|  interface for chipsets in this class. 
| 
| I guess the part I don't understand is why are open source folks so
| wary of running black-box *.o binaries from a vendor but are quite
| eager to use blackbox crypto cards (that effectively run blackbox *.o
| firmware)?

Don't assume that everyone is even willing to hand over their private
data to some sealed black box.  There are, of course, a number of
differences.  What runs on the card/chip generally won't have access
to the rest of the system (assuming reasonable bus security, which may
not be true).  But a *.o binary driver will have that access to the
level it is installed (probably the kernel, which means it has access
to everything).  Bugs in the *.o could crash or hang the kernel if it
is there.  But in the card/chip it is less likely to cause damage,
although that isn't impossible (could lock up the bus).  I'd be a bit
more trusting of a crypto device that was connected via some soft means
like an ethernet.  But that still implies a (possibly misplaced) trust
in the ethernet card itself.

Then there is the issue of whether they provide kernel level *.o files
for all the platforms OpenBSD and other systems support.


| While I don't think these cards really do contain trojans, they
| certainly could at some point in the future.  What prevents the
| manufacturers from storing all keys into some on-chip nv-ram for later
| retrieval?  Ditto for the card intentionally leaking the keying data
| into the cipher stream?  At one point during the cold-war it certainly
| seemed like the US did manage to slip a leaky key trojan into a well
| respected company's cipher system.

Similar risk could exist in CPU based crypto instructions, too, if such
a CPU were to be made public.

Ultimately, I'll personally depend on crypto in software I can access for
myself.  I think that's your real point.

FYI, I don't even trust Theo for writing safe crypto software.  But that's
not a personal statement ... it's just a statement of procedure; I would
not trust anyone, period.  The big advantage of open source that we all
already know is the many eyes (with no conflict of interest) aspect.
That cannot be said for either binary software or hardware implementations.

What interests me among Hifn's chips are not the crypto capabilities, but
the compression capabilities.  No export regulations for that as long as
it doesn't have the crypto in it, so those should be fully open (I have
not checked) as to interface and interoperability (e.g. uses a standard
compression format).  Even data compression in a sealed box has risks,
such as it detecting actual keys being moved around in the clear and saving
them into NVRAM.  How do you know your CPU doesn't have this?



mount_msdos error

2006-06-15 Thread Fred Crowson

Hi Misc,

I keep getting the following error when trying to mount a 2GB Sony 
Memory Stick Pro Duo (MSX-M2GN) in my Sony T7 digital camera:


nike:fred /home/fred sudo mount /mnt/t7
mount_msdos: /dev/sd1i on /mnt/t7: Inappropriate file type or format

Can anyone help me debug this issue?

It mounts fine when I use a 256Mb Sony Memory Stick Pro Duo.  This is on 
a 3.9 box; dmesg follows at the end. I've also included fdisk and 
disklabel output; any clue sticks would be greatly appreciated...


thanks

Fred

nike:fred /home/fred grep t7 /etc/fstab
/dev/sd1i /mnt/t7 msdos rw,noauto,nodev,nosuid 0 0
nike:fred /home/fred tail /var/log/messages
Jun 15 18:00:01 nike newsyslog[31685]: logfile turned over
Jun 15 18:00:01 nike syslogd: restart
Jun 15 21:00:01 nike syslogd: restart
Jun 15 21:12:23 nike /bsd: umass0 at uhub2 port 1 configuration 1 interface 0
Jun 15 21:12:23 nike /bsd:
Jun 15 21:12:23 nike /bsd: umass0: Sony Sony DSC, rev 2.00/5.00, addr 2
Jun 15 21:12:23 nike /bsd: umass0: using UFI over CBI
Jun 15 21:12:23 nike /bsd: scsibus3 at umass0: 2 targets
Jun 15 21:12:23 nike /bsd: sd1 at scsibus3 targ 1 lun 0: <Sony, Sony DSC, 6.00> SCSI0 0/direct removable
Jun 15 21:12:23 nike /bsd: sd1: 1980MB, 1980 cyl, 64 head, 32 sec, 512 bytes/sec, 4055040 sec total

nike:fred /home/fred fdisk sd1
fdisk: sysctl(machdep.bios.diskinfo): Device not configured
Disk: sd1   geometry: 1980/64/32 [4055040 Sectors]
Offset: 0   Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:        size ]
-------------------------------------------------------------------------
*0: 06    0   7 32 - 1979  56  1 [         255:     4054530 ] DOS > 32MB
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 3: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
nike:fred /home/fred disklabel sd1
disklabel: warning, DOS partition table with no valid OpenBSD partition
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Sony DSC
flags:
bytes/sector: 512
sectors/track: 32
tracks/cylinder: 64
sectors/cylinder: 2048
cylinders: 1980
total sectors: 4055040
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#        size    offset  fstype [fsize bsize  cpg]
  c:   4055040         0  unused      0     0      # Cyl     0 -  1979
  i:   4054530       255   MSDOS                   # Cyl     0*-  1979*



dmesg follows:

OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Duron(TM) (AuthenticAMD 686-class, 64KB L2 cache) 1.31 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu0: AMD Powernow: TS
real mem  = 804872192 (786008K)
avail mem = 72704 (71K)
using 4278 buffers containing 40345600 bytes (39400K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(85) BIOS, date 10/29/02, BIOS32 rev. 0 @ 0xf17b0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1e62
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1d90/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT82C586 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x1800 0xd/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8366 PCI rev 0x00
ppb0 at pci0 dev 1 function 0 VIA VT8366 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon VE QY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cmpci0 at pci0 dev 5 function 0 C-Media Electronics CMI8738/C3DX Audio rev 0x10: irq 10
audio0 at cmpci0
Texas Instruments TSB43AB21 FireWire rev 0x00 at pci0 dev 7 function 0 not configured

uhci0 at pci0 dev 9 function 0 VIA VT83C572 USB rev 0x50: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 9 function 1 VIA VT83C572 USB rev 0x50: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 9 function 2 VIA VT6202 USB rev 0x51: irq 10
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: VIA EHCI root hub, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
fxp0 at pci0 dev 12 function 0 Intel 8255x rev 0x0c, i82550: irq 5, address 00:02:b3:cb:23:3d
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ral0 at pci0 dev 13 function 0 Ralink RT2560 rev 0x01: irq 11, address 00:0e:2e:51:b2:f1
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
puc0 at pci0 dev 14 

rate limiting an interface

2006-06-15 Thread Lawrence Horvath

3.9 GENERIC#617 i386

Wanted to know what are the possible ways to rate limit an ethernet
interface, if queues in pf will do this, or is there any other way? I have a
2meg colo connection and don't want to go over it or I'll get charged,
and the ISP won't cap it, so I have to cap myself.

Thanks
--
-Lawrence



Re: rate limiting an interface

2006-06-15 Thread Lawrence Horvath

On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote:

Lawrence Horvath wrote:
 3.9 GENERIC#617 i386

 Wanted to know what are the possible ways to rate limit an ethernet
 interface, if queues in pf will do this, or is there any other way? I have a
 2meg colo connection and don't want to go over it or I'll get charged,
 and the ISP won't cap it, so I have to cap myself.

 Thanks

You can rate limit with the altq built into pf.

--
John R. Shannon, CISSP
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]



Can I rate limit both ways, incoming and outgoing? The pf
documentation for queues said only one way, but is there a way to keep
the system from downloading as much to it, so as to keep under my
quota going both ways?

--
-Lawrence



Re: rate limiting an interface

2006-06-15 Thread Thordur I. Bjornsson
Lawrence Horvath [EMAIL PROTECTED] wrote on Thu 15.Jun'06 at 13:27:54 -0700

 On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote:
 Lawrence Horvath wrote:
  3.9 GENERIC#617 i386
 
  Wanted to know what are the possible ways to rate limit an ethernet
  interface, if queues in pf will do this, or is there any other way? I have a
  2meg colo connection and don't want to go over it or I'll get charged,
  and the ISP won't cap it, so I have to cap myself.
 
  Thanks
 
 You can rate limit with the altq built into pf.
 
 --
 John R. Shannon, CISSP
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 
 
 Can I rate limit both ways, incoming and outgoing? The pf
 documentation for queues said only one way, but is there a way to keep
 the system from downloading as much to it, so as to keep under my
 quota going both ways?
Think about this a bit. If you don't realize what's wrong with the
notion of limiting incoming traffic to not download as much to it,
then, well, shit.
 
 -- 
 -Lawrence

-- 
Thordur I. Bjornsson

Philosophy is to the real world as masturbation is to sex.
-- Karl Marx



Re: mount_msdos error

2006-06-15 Thread Tony Abernethy
Fred Crowson wrote:

 Hi Misc,

 I keep getting the following error, when trying to mount a 2GB Sony
 Memory Stick Pro Duo (MSX-M2GN) in my Sony T7 digital camera:

 nike:fred /home/fred sudo mount /mnt/t7
 mount_msdos: /dev/sd1i on /mnt/t7: Inappropriate file type or format

 Can anyone help me debug this issue?

 It mounts fine when I use a 256Mb Sony Memory Stick Pro Duo.  This is on
 a 3.9 box dmesg follows at the end, I've also included fdisk and
 disklabel output, any clue sticks would be greatly appreciated...

 thanks

 Fred

[snip]
 nike:fred /home/fred fdisk sd1
 fdisk: sysctl(machdep.bios.diskinfo): Device not configured
 Disk: sd1 geometry: 1980/64/32 [4055040 Sectors]
 Offset: 0 Signature: 0xAA55
           Starting       Ending       LBA Info:
   #: id    C   H  S -    C   H  S [       start:        size ]
  -------------------------------------------------------------------------
  *0: 06    0   7 32 - 1979  56  1 [         255:     4054530 ] DOS > 32MB

That does not look like ANY DOS disk I've ever seen.

The initial sector on the drive has the DOS partition table (easy to find).
Generally, the first stuff on the drive comes on the track
immediately following that sector.
This is typically after 63 sectors on hard drives,
but a power of 2 (like 32) is more plausible on something electronic
(64 might work, but I'm sure SOMETHING would find a way to make 64 act like 0).

If it were mine, the first thing I'd try is starting the dos thingee at
cylinder 0
head 1
sector 1
which would put the LBA start at 32

But this is yours, and this wouldn't be the first time I've been totally
wrong.



binat on which interface?? - Equality

2006-06-15 Thread Steve Williams

Hi,

I am trying to use binat for the first time.  Been using OpenBSD since 
the 2.7 days, but never had a need for binat.


Looking at an example in the the pf FAQ, I get

web_serv_int=192.168.1.100
web_serv_ext=24.5.0.6
binat on tl0 from $web_serv_int to any -> $web_serv_ext

The way I think it would have to work,  tl0 would be the interface on 
the internal network (192.168.1.X).


eg:

web_serv_int=192.168.1.100
web_serv_ext=24.5.0.6
int_if=tl0

binat on $int_if from $web_serv_int to any -> $web_serv_ext

If this is the case, then I will continue my thoughts...

My brain is a bit different from this example, I see connections coming 
in from the Internet and being sent over to the internal web server.  
Since this is a binat situation, the following should be identical...


web_serv_int=192.168.1.100
web_serv_ext=24.5.0.6
int_if=tl0
ext_if=tl1

binat on $ext_if from any to $web_serv_ext -> $web_serv_int

Are these exactly the same??

Thanks,
Steve Williams



Re: mount_msdos error

2006-06-15 Thread Stuart Henderson
On 2006/06/15 16:16, Tony Abernethy wrote:
  nike:fred /home/fred fdisk sd1
  fdisk: sysctl(machdep.bios.diskinfo): Device not configured
  Disk: sd1   geometry: 1980/64/32 [4055040 Sectors]
  Offset: 0   Signature: 0xAA55
            Starting       Ending       LBA Info:
    #: id    C   H  S -    C   H  S [       start:        size ]
   -------------------------------------------------------------------------
   *0: 06    0   7 32 - 1979  56  1 [         255:     4054530 ] DOS > 32MB
 
 That does not look like ANY DOS disk I've ever seen.
 The initial sector on the drive has the DOS partition table (easy to find).
 Generally, the first stuff on the drive comes on the track
 immediately following that sector.
 This is typically after 63 sectors on hard drives,
 but a power of 2 (like 32) is more plausible on something electronic
 (64 might work, but I'm sure SOMETHING would find a way to make 64 act like 0).

Who knows what geometry it was formatted with?

FAT boot sector, etc., are quite easy to spot - try 
dd if=/dev/sd1i count=1 | hexdump -C with reference to
another FAT partition that can be mounted successfully
and http://en.wikipedia.org/wiki/File_Allocation_Table
and you'll soon know if the partition table is correct.

I wonder if reformatting the card might get it into
some shape where it can be seen by both camera and
OpenBSD...may be worth dd'ing an image of it as it
currently stands before doing this, so it can be
restored if necessary.
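Stuart's suggestion (look at the first sector of sd1i the way a FAT driver would) and Tony's CHS-to-LBA arithmetic, as one added example that is not code from the thread: it decodes the MBR partition entry and the FAT boot sector and lists structural mismatches between them. The sector contents are constructed from the fdisk values in Fred's post (start 255, size 4054530, 64 heads, 32 sectors per track); the set of checks is an assumption about what is worth comparing, not the kernel's exact logic.

```python
"""Decode an MBR partition entry and a FAT boot sector and cross-check them.

Added example, not code from the thread. Sector contents are CONSTRUCTED from
the fdisk values in Fred's post (start 255, size 4054530, 64 heads, 32 sectors
per track); the set of checks is an assumption about what is worth comparing.
"""
import struct

SECTOR = 512


def chs_to_lba(cyl, head, sect, heads, spt):
    """Map a CHS triple to an LBA under a heads / sectors-per-track geometry."""
    return (cyl * heads + head) * spt + (sect - 1)


def _decode_chs(head, sect_byte, cyl_low):
    # partition entries pack the cylinder's top two bits into the sector byte
    return (((sect_byte & 0xC0) << 2) | cyl_low, head, sect_byte & 0x3F)


def parse_mbr(sector0):
    """Return the four primary partition entries of an MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 carries no 0xAA55 signature")
    entries = []
    for i in range(4):
        raw = sector0[446 + 16 * i:462 + 16 * i]
        (boot, h1, s1, c1, ptype, h2, s2, c2,
         lba_start, size) = struct.unpack("<BBBBBBBBII", raw)
        entries.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                        "start_chs": _decode_chs(h1, s1, c1),
                        "end_chs": _decode_chs(h2, s2, c2),
                        "lba_start": lba_start, "size": size})
    return entries


def parse_fat_boot(sector):
    """Decode the BIOS Parameter Block fields of a FAT12/16/32 boot sector."""
    if len(sector) < SECTOR:
        raise ValueError("short sector")
    (bps, spc, reserved, nfats, root_entries, total16, media, _spf16, spt,
     heads, hidden, total32) = struct.unpack("<HBHBHHBHHHII", sector[11:36])
    return {"jump": sector[0], "bytes_per_sector": bps,
            "sectors_per_cluster": spc, "reserved": reserved, "fats": nfats,
            "root_entries": root_entries, "media": media,
            "sectors_per_track": spt, "heads": heads, "hidden": hidden,
            "total_sectors": total16 or total32,
            "signature_ok": sector[510:512] == b"\x55\xaa"}


def check_partition_boot(part, boot, heads, spt):
    """List structural mismatches between a partition entry and its boot sector;
    an empty list means the sector looks like a FAT volume that fits the slice."""
    findings = []
    if boot["jump"] not in (0xEB, 0xE9):
        findings.append("first byte is not an x86 jump opcode")
    if not boot["signature_ok"]:
        findings.append("missing 0xAA55 signature at offset 510")
    if boot["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("bytes/sector %d is not valid" % boot["bytes_per_sector"])
    spc = boot["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        findings.append("sectors/cluster %d is not a power of two" % spc)
    if boot["reserved"] == 0 or boot["fats"] == 0:
        findings.append("reserved sector count or FAT count is zero")
    if boot["hidden"] != part["lba_start"]:
        findings.append("hidden sectors %d != partition start %d"
                        % (boot["hidden"], part["lba_start"]))
    if boot["total_sectors"] == 0 or boot["total_sectors"] > part["size"]:
        findings.append("volume of %d sectors does not fit partition of %d"
                        % (boot["total_sectors"], part["size"]))
    if (boot["heads"], boot["sectors_per_track"]) != (heads, spt):
        findings.append("BPB geometry %d/%d differs from kernel geometry %d/%d"
                        % (boot["heads"], boot["sectors_per_track"], heads, spt))
    return findings


def build_sample():
    """CONSTRUCTED sector 0 and boot sector matching the fdisk output above."""
    mbr = bytearray(SECTOR)
    # entry 0: active, type 0x06 (FAT16), CHS start 0/7/32, CHS end saturated at
    # 1023/63/32 (cylinder 1979 does not fit in 10 bits), LBA 255, size 4054530
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 7, 32, 0,
                               0x06, 63, 0xE0, 0xFF, 255, 4054530)
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x3c\x90"   # jmp short + nop, how real boot sectors begin
    boot[3:11] = b"MSWIN4.1"      # OEM name, arbitrary
    # 512 B/sector, 64 sectors/cluster, 1 reserved, 2 FATs, 512 root entries,
    # total16 = 0 (volume too big), media 0xF8, 248 sectors/FAT, 32 sectors/track,
    # 64 heads, 255 hidden sectors, 4054530 total sectors
    boot[11:36] = struct.pack("<HBHBHHBHHHII", 512, 64, 1, 2, 512, 0,
                              0xF8, 248, 32, 64, 255, 4054530)
    boot[510:512] = b"\x55\xaa"
    return bytes(mbr), bytes(boot)
```

On the real card, feed the first 512 bytes of /dev/sd1c to parse_mbr() and the first 512 bytes of /dev/sd1i to parse_fat_boot(), then compare the findings with those from a card that mounts.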



Re: rate limiting an interface

2006-06-15 Thread Breen Ouellette

Thordur I. Bjornsson wrote:

Lawrence Horvath [EMAIL PROTECTED] wrote on Thu 15.Jun'06 at 13:27:54 -0700
  

Can I rate limit both ways, incoming and outgoing? The pf
documentation for queues said only one way, but is there a way to keep
the system from downloading as much to it, so as to keep under my
quota going both ways?


Think about this a bit. If you don't realize what's wrong with the
notion of limiting incoming traffic to not download as much to it,
then, well, shit.
  


I've never tried it so I could be way off, but has anyone thought about 
doing the reverse of prioritizing ACKs to limit downloads? Specifically, 
assign the ACKs to a cbq with a small fixed bandwidth so that the source 
is fooled into thinking that you can't receive as fast as you really 
can. With a little math you should be able to come up with a bandwidth 
amount for ACKs that will result in the choked download you require. Of 
course, this assumes that your packets are max size and that this is TCP 
traffic only.


Like I said, I've never tried it, but it may be worth a shot.

Breeno



Re: rate limiting an interface

2006-06-15 Thread Lawrence Horvath

On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote:

Lawrence Horvath wrote:
 On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote:
 Lawrence Horvath wrote:
  3.9 GENERIC#617 i386
 
  Wanted to know what are the possible ways to rate limit an ethernet
  interface, if queues in pf will do this, or is there any other way? I have a
  2meg colo connection and don't want to go over it or I'll get charged,
  and the ISP won't cap it, so I have to cap myself.
 
  Thanks

 You can rate limit with the altq built into pf.

 --
 John R. Shannon, CISSP
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]


 Can I rate limit both ways, incoming and outgoing? The pf
 documentation for queues said only one way, but is there a way to keep
 the system from downloading as much to it, so as to keep under my
 quota going both ways?


You might find this E-mail answers your question:


http://lists.freebsd.org/pipermail/freebsd-pf/2005-November/001657.html

--
John R. Shannon, CISSP
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]



Thank you for that link. I was under the impression that altq wouldn't
work on incoming, period, but the link helped. Thank you.
--
-Lawrence



Re: Fwd: Hifn policy on documentation

2006-06-15 Thread Breen Ouellette

Siju George wrote:

This is the mail I got from Hifn representative for my response to his
mail and clarifications in misc.



...


Hank Cohen
On my own account.



Well, hopefully this will encourage Mr. Cohen to think hard about a 
situation before he wallows in and posts something to a public list 
which is not in the interests of his customers.


I would also like to point out that I never received a reply to my 
message. I guess that Hifn employees only respond when customers insult 
them on public lists. This doesn't bode well for the documentation issue.


Breeno



Privilege bracketing in Solaris 10

2006-06-15 Thread Craig Skinner
Hi List,

This has just been published at my work:

http://www.sun.com/blueprints/0406/819-6320.pdf

I'm not a C developer so it is mostly Greek to me, but others may find
some concepts therein useful.



package dependencies

2006-06-15 Thread poncenby

quick one for you knowledgeable chaps/chapesses...

If one does not have OpenBSD installed how would one obtain a list of  
the dependencies of a certain package, say gnome-desktop for  
argument's sake?


Many thanks

poncenby

p.s. this question comes from the need to know the exact packages to  
download and burn to CD in order to get a reasonably usable desktop  
system running gnome, when said system has no connection to the interweb


p.p.s there is possibly a chance I have overlooked the answer to the  
above question on the archives / web and for that I apologise! 



Re: package dependencies

2006-06-15 Thread Craig Skinner
On Thu, Jun 15, 2006 at 10:47:40PM +0100, poncenby wrote:
 p.s. this question comes from the need to know the exact packages to  
 download and burn to CD in order to get a reasonably usable desktop  
 system running gnome, when said system has no connection to the interweb
 

If the net wont come to the box, take the box to the net.

-- 
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]



Re: package dependencies

2006-06-15 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] 
 If one does not have OpenBSD installed how would one obtain a 
 list of  
 the dependencies of a certain package, say gnome-desktop for  
 arguments sake?

$ cd /usr/ports/x11/gnome/desktop/
$ make describe
gnome-desktop-2.10.2p1|x11/gnome/desktop||components for the GNOME desktop|x11/gnome/desktop/pkg/DESCR|The OpenBSD ports mailing-list <ports@openbsd.org>|x11 x11/gnome|gnomeui-2::x11/gnome/libgnomeui iconv.4::converters/libiconv intl.3:gettext->=0.10.38:devel/gettext startup-notification-1::devel/startup-notification|:devel/gmake :devel/libtool bzip2-*:archivers/bzip2 gettext->=0.14.5:devel/gettext p5-XML-Parser-*:textproc/p5-XML-Parser pkgconfig-*:devel/pkgconfig scrollkeeper-*:textproc/scrollkeeper|gettext->=0.10.38:devel/gettext scrollkeeper-*:textproc/scrollkeeper|any|y|y|y|y

Try it from the upper level gnome/ directory to get a recursive listing of
packages. 

You *can* run a make fetch on one net-connected box, and burn the resulting
/usr/ports/distfiles out, also.

DS



Routing trouble with PPPoE on 3.8

2006-06-15 Thread Srikant Tangirala
Hello

I am trying to connect my obsd 3.8-stable system to the internet
via PPPoE (ISDN connection, 64Kbps). The ppp program reports
an established connection, and ifconfig shows an IP address
assigned to the tun0 interface. But I simply can't use any program
like ping, ftp or firefox to connect to any server. They say
no route to host. I must be doing something stupid. Is the
pf ruleset the problem?

I have configured the userland pppoe with a plain ppp.conf:

default:
 set log Phase Chat LCP IPCP CCP tun command
pppoe:
 set device !/usr/sbin/pppoe -i rl0
 set mtu max 1492
 set mru max 1492
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 set authname [EMAIL PROTECTED]
 set authkey 


When I run ppp, here is what I see:

#ifconfig rl0 up
#ppp pppoe
Working in interactive mode
Using interface tun0:
ppp ON mycomp dial
ppp ON mycomp Warning: deflink: Reducing configured MRU
from 1500 to 1492
Ppp ON mycomp
PPp ON mycomp
PPP ON mycomp


$ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   groups: lo0
   inet 127.0.0.1 netmask 0xff00
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:50:ba:a1:b1:0c
   media: Ethernet autoselect (none)
   status: no carrier
   inet6 fe80::250:baff:fea7:b47c%rl0 prefixlen 64 scopeid 0x1
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
tun0: flags=8011<UP,POINTTOPOINT,MULTICAST> mtu 1492
   inet 210.211.129.64 --> 210.211.128.1 netmask 0x
   inet6 fe80::250:baff:fea7:b47c%tun0 -> prefixlen 64 tentative scopeid 0x6


#cat pf.conf
scrub in all

block in all
block out all

antispoof quick for { rl0 tun0 lo0 }


pass in log on tun0 proto tcp from any to any port ssh flags S/SA \
synproxy state
pass out on tun0 proto tcp all modulate state flags S/SA
pass out on tun0 proto { icmp, udp } all keep state


pass in log on rl0 proto tcp from any to any port ssh flags S/SA \
synproxy state
pass out on rl0 proto tcp all modulate state flags S/SA
pass out on rl0 proto { icmp, udp } all keep state


Do I need to have the above three rules for both tun0 and rl0?
pf is enabled in rc.conf, apart from inetd and sshd. Not running
named.

This is a simple home PC, i386 with a GENERIC kernel patched
up to date. rl0 is definitely the right interface; I got it from dmesg
output. Sorry, I did not include dmesg output since it is too long
to type. If needed, I will.

I did not customize dhclient.conf. I created a hostname.tun0 with
just dhcp in it. That did not solve my problem. Still cannot connect.
I do not have any other hostname.rl0 etc. No other config files in
the /etc/ppp directory were changed.

I did not customize resolv.conf by hand. Seems like ppp puts
stuff in it every time I invoke it.

#cat resolv.conf

nameserver 203.197.30.4
nameserver 202.54.2.17

Kindly let me know what I'm doing wrong.
Thanks a lot for your time.
Srikant.

-- 
  Srikant Tangirala
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - The professional email service



Re: package dependencies

2006-06-15 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] 
 p.s. this question comes from the need to know the exact packages to  
 download and burn to CD in order to get a reasonably usable desktop  
 system running gnome, when said system has no connection to 
 the interweb

See also: 'make print-build-depends' and 'make print-run-depends' from the
desired port directory.

These are all covered in ports(7).

DS



NFS Slow writes

2006-06-15 Thread Bob Bostwick (Lists)
I'm trying to setup an NFS share, and am getting horrible write
performance.  Reads are fast as can be expected.  I've searched the
archives and found several threads on the subject, but no resolutions.
I've tried all possible fstab options (that I know of) but none really
help with write.  I'm currently using

ip.addr:/nfs /test/dir nfs rw,nodev,nosuid,tcp,intr,-r=32768,-w=32768 0 0

From a Nov. 2004 thread (Subject: Re: nfs write speed performance... still):

...it seems that the problem is known but no fixes are known or planned
for now since there're other priorities...

Does anyone still know if this is the case, or have I missed an
important thread?

Thanks.



Re: ftp problems with OpenBSD 3.9

2006-06-15 Thread Smith
How do I compile it?  I know I can look at previous patches and possibly 
figure it out, but I wouldn't know if it's the proper way to do it.  I 
have a test machine all set up and ready and my pwd is 
/usr/src/libexec/ftpd.




Re: ddos mail attack thwarted by spamd greylisting!

2006-06-15 Thread Joachim Schipper
On Thu, Jun 15, 2006 at 10:02:49AM +0700, riwanlky wrote:
 Hi Guys,
 
 I am going to install an IDS for my firewall. According to this message
 snort has a problem; is there any alternative IDS? Is there any IPS?

I've heard good things about Bro-IDS http://www.bro-ids.org. It's not
in ports, though, and does share all the intrinsic problems of an IDS
with Snort. I've never tried it myself, though.

Snort-inline will work as an IPS on Linux boxes.

Joachim



Re: Error compiling eet-0.9.10.027: Your OS does not support C99's '%a'

2006-06-15 Thread Joachim Schipper
On Mon, Jun 12, 2006 at 02:34:33PM -0500, uv negativa wrote:
 Hi,
 I compiled eet and it says:
 
 
 configure: error: Unsupported Operating System!
 Your OS does not support C99's '%a' string format. Eet cannot function 
 without
 it. Please contact your OS vendor to get updates for C99 '%a' floating point
 format read/write support or change operating systems for one with support
 for an already very old standard. (Linux is known to support this, as is
 Solaris 10)
 
 How do I activate this, or how do I compile it?

Look into the program itself for support, or fix it not to use %a.
Alternatively, patch printf(3) to accept %a.

Joachim



Re: ddos mail attack thwarted by spamd greylisting!

2006-06-15 Thread Joachim Schipper
On Tue, Jun 13, 2006 at 01:07:46AM -0600, Bob Beck wrote:
  Luckily, spamd greylisting saved the day.  If it wasn't for BASE/snort 
  reporting of the portscan, I wouldn't have even bothered looking in my logs
  tonite, and probably would never have been aware of the thwarted attempt.
  
 
   Good thing they're only portscanning and mailbombing you then,
 and not exploiting one of the bazillions of snort overflows ;)

If it was set up properly, exploiting Snort wouldn't gain anyone
anything more serious than the ability to mess up Snort logs. Granted,
that can be useful...

Joachim



Re: Spam Trapping

2006-06-15 Thread Joachim Schipper
On Wed, Jun 14, 2006 at 08:29:17PM +0100, tony sarendal wrote:
 On 14/06/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  On Wed, Jun 14, 2006 at 09:31:49AM -0700, John Draper wrote:
   Mike Spenard wrote:
   What are some thoughts on purposely getting a spam trap email
   address acquired by spammers and the best way to do so.
  
   It is hard to do initially, unless you want to spend a lot of time
   signing up for things over the web...  In my case, I have a very
   good spam trap.   But I host about 60 Email users and I changed
   everyone's Email address (with their cooperation), and removed
   them from any mailing lists they might have joined.   Eventually,
   almost all of these accounts have Pure spam coming in.
  
   Next I forwarded each of them to [EMAIL PROTECTED] and
   presto...  I have a 100% spam source I can feed directly into my
   spam reporting engine.   Most of these addresses have taken years
   to accumulate this spam.  This is by far the best way...
 
  we used to have 'spammers ? spam this [EMAIL PROTECTED]' at the
  bottom of each page so that crawlers would spam it. also, we had a
  few systems accounts, not supposed to receive mail, act as spam
  traps which proved to be quite efficient.
 
 So what do you guys do with the email hitting the spam traps ?
 My email address [EMAIL PROTECTED] has been used as From address
 by spammers, does that mean that I can't send you guys emails ?
 Or do you do something else like teach spamassassin and record source
 IP addresses ?

Well, spamd works by source IP. Assuming a sane network setup, it
shouldn't reject too much legitimate mail.

Joachim



Re: developing a backup strategy

2006-06-15 Thread Joachim Schipper
On Wed, Jun 14, 2006 at 03:27:18AM +, Travers Buda wrote:
 On Mon, 12 Jun 2006 10:41:55 -0700
 prad [EMAIL PROTECTED] wrote:
 
  i've gone through the threads:
  
  Recommendations for an OpenBSD-based Backup Solution
  remote data backup 
  
  and am contemplating the ideas as they apply to my rather simple
  setup - 2 webservers (one does email as well). not too much changes
  on them and not a lot of stuff on them either (under 5G combined
  including OpenBSD).
  
  what i've done in the past is just scp the etc and a few other
  directories that contain data with the intention of reinstalling
  OpenBSD and putting those directories back in (if disaster strikes). 
  
  is this too simplistic and inefficient a solution?
  should i be thinking of incremental backups say with dump?
  does it make any sense to rsync the entire server drive?
 
 What Bob Beck said is all good stuff. Made me chuckle.
 
 This mostly applies to data that is changing on the box ( like e-mail
 spools ) rather than configs:
 
 My favorite solution is rsnapshot in ports. It beats rsync and scp
 because not only does it allow you to specify what and when to backup,
 but it uses hard links. What's that got to do with anything? Well it
 rsyncs everything on the first backup, and only the differences
 thereafter. But it makes every backup look like a full backup (every
 file) because it hard-links the unchanged stuff into the latest backup
 dir. So you get a complete backup dir every time sans lots of file
 transfers and space taken up on the backup storage box.  

This is a very good thing. The downside, of course, is that it's hard to
keep the disk separate from the machines you are trying to protect.

Of course, I use AMANDA with tapes, and the tapes are just above my
computers. They are not primarily meant to safeguard *my* data, but
still...

(Most of my personal data is in a RAIDed Subversion repository of which
at least two checkouts exist at any given time, so it's not too likely
that everything fails at once.)

On a side note, AMANDA is both very good and very bad. It really only
works well with tapes, encrypting backups is possible but clunky, and it
doesn't like firewalls at all. However, aside from these problems, it
does all a backup package should do.

Joachim
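The hard-link mechanism Travers describes (a complete-looking snapshot directory in which unchanged files share an inode with the previous snapshot), as an added example that is not code from the thread or from rsnapshot itself. The snapshot layout ROOT/snap.0, ROOT/snap.1, ... is this example's own assumption; it is plain POSIX sh using find, cmp, ln and cp, so it runs anywhere, and same_inode lets you verify that an unchanged file really was linked rather than copied.

```shell
#!/bin/sh
# Added example, not code from the thread or from rsnapshot itself.
# Every snapshot directory is a complete tree, but a file that did not
# change since the previous snapshot is a hard link to the earlier copy,
# so it costs no extra space and no transfer.  Layout (this example's own
# choice): ROOT/snap.0, ROOT/snap.1, ... with the highest number newest.

# latest_snapshot ROOT : print the highest snapshot number, or -1 if none
latest_snapshot() {
    last=-1
    for d in "$1"/snap.*; do
        [ -d "$d" ] || continue
        n=${d##*/snap.}
        case $n in *[!0-9]*) continue ;; esac
        [ "$n" -gt "$last" ] && last=$n
    done
    echo "$last"
}

# snapshot SRC ROOT : create the next ROOT/snap.N from SRC and print its path
snapshot() {
    src=$1; root=$2
    mkdir -p "$root"
    last=$(latest_snapshot "$root")
    prev="$root/snap.$last"
    dst="$root/snap.$((last + 1))"
    mkdir "$dst"
    # recreate the directory skeleton of the source
    (cd "$src" && find . -type d) | while read -r d; do
        mkdir -p "$dst/$d"
    done
    # unchanged file: hard link to the previous snapshot's copy (same inode)
    # new or modified file: a real copy, which gets a fresh inode
    (cd "$src" && find . -type f) | while read -r f; do
        if [ "$last" -ge 0 ] && [ -f "$prev/$f" ] && cmp -s "$src/$f" "$prev/$f"; then
            ln "$prev/$f" "$dst/$f"
        else
            cp -p "$src/$f" "$dst/$f"
        fi
    done
    echo "$dst"
}

# same_inode A B : succeed if A and B are one file seen through two links
same_inode() {
    [ "$(ls -i "$1" | awk '{print $1}')" = "$(ls -i "$2" | awk '{print $1}')" ]
}
```

The caveat this makes visible: the snapshots must be treated as read-only. A modified file gets a new inode via cp, which is why older snapshots keep the old content; if anyone edits a file inside a snapshot in place, every snapshot linked to that inode changes with it. That is also why keeping the snapshot disk off the protected machines matters, as Joachim notes.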



Re: Routing trouble with PPPoE on 3.8

2006-06-15 Thread Roger Neth Jr

On 6/15/06, Srikant Tangirala [EMAIL PROTECTED] wrote:

Hello

I am trying to connect my obsd 3.8-stable system to internet
via PPPoE ( ISDN connection-64Kbps). ppp program reports
an established connection, ifconfig shows an IP address
assigned to tun0 interface. But i simply can't use any program
like ping, ftp or firefox to connect to any server. They say
no route to host. I must be doing something stupid. Is the
pf ruleset the problem?

I have configured the userland pppoe with a plain ppp.conf:

default:
set log Phase Chat LCP IPCP CCP tun command
pppoe:
set device !/usr/sbin/pppoe -i rl0
set mtu max 1492
set mru max 1492
set speed sync
disable acfcomp protocomp
deny acfcomp
set authname [EMAIL PROTECTED]
set authkey 


When i run ppp, here is what i see-

#ifconfig rl0 up
#ppp pppoe
Working in interactive mode
Using interface tun0:
ppp ON mycomp dial
ppp ON mycomp Warning: deflink: Reducing configured MRU
from 1500 to 1492
Ppp ON mycomp
PPp ON mycomp
PPP ON mycomp


$ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   groups: lo0
   inet 127.0.0.1 netmask 0xff00
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:50:ba:a1:b1:0c
   media: Ethernet autoselect (none)
   status no carrier
   inet6 fe80::250:baff:fea7:b47c%rl0 prefixlen 64 scopeid 0x1
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0 mtu 1348
enc0: flags=0 mtu 1536
tun0: flags=8011<UP,POINTTOPOINT,MULTICAST> mtu 1492
   inet 210.211.129.64 --> 210.211.128.1 netmask 0x
   inet6 fe80::250:baff:fea7:b47c%tun0 - prefixlen 64 tentative
scopeid 0x6


#cat pf.conf
scrub in all

block in all
block out all

antispoof quick for { rl0 tun0 lo0 }


pass in log on tun0 proto tcp from any to any port ssh flags S/SA \
synproxy state
pass out on tun0 proto tcp all modulate state flags S/SA
pass out on tun0 proto { icmp, udp } all keep state


pass in log on rl0 proto tcp from any to any port ssh flags S/SA \
synproxy state
pass out on rl0 proto tcp all modulate state flags S/SA
pass out on rl0 proto { icmp, udp } all keep state


Do i need to have the above three rules for both tun0 and rl0?
pf is enabled in rc.conf apart from inetd and sshd. Not running
named.

This is a simple home PC- i386 with GENERIC kernel patched
up to date. rl0 is definitely the right interface, got it from dmesg
output. Sorry, did not include dmesg output since it is too long
to type. If needed, i will.

I did not customize dhclient.conf. I created a hostname.tun0 with
just dhcp in it. That did not solve my problem. Still cannot connect.
I do not have any other hostname.rl0 etc. No other config files in
/etc/ppp directory were changed.

I did not customize resolv.conf by hand. Seems like ppp puts
stuff in it every time i invoke it.

#cat resolv.conf

nameserver 203.197.30.4
nameserver 202.54.2.17

Kindly let me know what i'm doing wrong.
Thanks a lot for your time.
Srikant.

--
  Srikant Tangirala
  [EMAIL PROTECTED]

Hello, make sure you're not mixing man pppoe(4) and pppoe(8) together.
Hope this will help you verify that this is not a problem.

rogern

John 3:16



Re: Privilege bracketing in Solaris 10

2006-06-15 Thread Graham Toal
 http://www.sun.com/blueprints/0406/819-6320.pdf

 I'm not a C developer so it is mostly Greek to me, but others may find
 some concepts therein useful.

30 years after VMS and 40 years after EMAS.

Ivan Sutherland sure had it right with his observation
of the great wheel of reincarnation as it applies to computing...

G



Re: error clamav at 3.9

2006-06-15 Thread riwanlky

Hi guys,

I am trying to install Clamav on 3.9. Previously I used Clamav on 3.8
without needing to make install unarj.
I managed to make install unarj. However, Clamav requires unrar and I got this
error.

# make install
===  Checking files for unrar-3.54p0
 unrarsrc-3.5.4.tar.gz doesn't seem to exist on this system.
 Fetch http://www.rarlab.com/rar/unrarsrc-3.5.4.tar.gz.
 Size does not match for /usr/ports/distfiles/unrarsrc-3.5.4.tar.gz
/bin/sh: test: unrarsrc-3.5.4.tar.gz: unexpected operator/operand
*** Error code 2

Stop in /usr/ports/archivers/unrar (line 2106 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/archivers/unrar (line 1561 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/archivers/unrar (line 1750 of 
/usr/ports/infrastructure/mk/bsd.port.mk).


Thanks and looking forward to getting more information.

Brgds,
Riwan

At 12:09 AM 5/5/2006 -0400, Michael Erdely wrote:

sonjaya wrote:

i try using port
# cd /usr/ports/archivers/unarj/
# make install
make: don't know how to make install. Stop in /usr/ports/archivers/unarj.


You've got problems with your ports tree.  rm -Rf /usr/ports and re-unpack 
ports.tar.gz.  I tried on my vanilla 3.9 machine with no problems.


-ME

--
Support OpenBSD: http://www.openbsd.org/orders.html




LostFound with PF-Tables?!?!

2006-06-15 Thread sebastian . rother
Hello everybody,

I configured a pf and I used the same config for a lot of servers.
But I noticed something.. strange today after a 3.9-i386 server had a reboot.

pf is started by default and the config was also used with 3.8 (same
Server..).

Example-Rule pasted:

table <dssh> persist
pass in on $ext_if proto tcp to $web_server \
 port 22 flags S/SA keep state \
 (max-src-conn 10, max-src-conn-rate 3/10, overload <dssh> flush)

The problem I have is that pf did not add the table dssh after the
startup. I noticed that during another dumb ssh-bruteforce today where the
src. host was not blocked automatically.

As I tried to take a look at all the hundreds of hosts which may also have
tried a BF already using sudo pfctl -T show -t dssh I simply got the
answer that such a table does not exist.
So I added this (and some other tables for the overload-stuff) by hand..
I just have the question: Is there somebody out there where there happened
exactly the same?!

I just was.. surprised by that (and confused too maybe..). :-/


Kind regards,
Sebastian



Re: ftp problems with OpenBSD 3.9

2006-06-15 Thread Nick Holland

Smith wrote:
how do I compile it.  I know I can look at previous patches and possibly 
figure it out but I wouldn't know if it's the proper way to do it.  I 
have a test machine all set up and ready and my pwd is 
/usr/src/libexec/ftpd.


Just replied privately, but since you asked publicly also, should reply 
for the list, in case anyone else wants to try...


And since replying to you, I've tested it.  It at least seems to work. 
Not sure it fixes your problem, however.


   make obj
   make
   make install

Stop and restart ftpd if you are running it as a daemon (ftpd -D), and 
you should be able to test...


Nick.



Re: NFS Slow writes

2006-06-15 Thread Barry, Christopher
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of Bob Bostwick (Lists)
 Sent: Thursday, June 15, 2006 6:05 PM
 To: misc@openbsd.org
 Subject: NFS Slow writes
 
 I'm trying to set up an NFS share, and am getting horrible write
 performance.  Reads are fast as can be expected.  I've searched the
 archives and found several threads on the subject, but no resolutions.
 I've tried all possible fstab options (that I know of) but none really
 help with write.  I'm currently using
 
 ip.addr:/nfs /test/dir nfs 
 rw,nodev,nosuid,tcp,intr,-r=32768,-w=32768 0
 0
 
 From (Subject: Re: nfs write speed performance... still), a Nov. 2004
 thread
 
 ...it seems that the problem is known but no fixes are known 
 or planned
 for now since there're other priorities...
 
 Does anyone still know if this is the case, or have I missed an
 important thread?
 
 Thanks.
 


Newer versions of nfs are set to 'sync' by default. Change to 'async'
and check performance.

-C 



Re: LostFound with PF-Tables?!?!

2006-06-15 Thread Darrin Chandler
On Fri, Jun 16, 2006 at 03:31:01AM +0200, [EMAIL PROTECTED] wrote:
 
 table <dssh> persist
 pass in on $ext_if proto tcp to $web_server \
  port 22 flags S/SA keep state \
  (max-src-conn 10, max-src-conn-rate 3/10, overload <dssh> flush)
 
 The problem I have is that pf did not add the table dssh after the
 startup. I noticed that during another dumb ssh-bruteforce today where the
 src. host was not blocked automatically.

What does pfctl -nf /etc/pf.conf say? Anything?

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
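Sebastian's symptom above (an overload table that rules refer to but that does not exist after boot) and Darrin's suggested parse check are the two things this added example addresses; it is not code from the thread. It is a plain sh check that can run on a copy of pf.conf without touching pf: it lists every table a rule references as <name>, overload targets included, that no "table <name> ..." line declares. The sample ruleset it writes is constructed for the example, modelled on the rule quoted above; the interface and address values are placeholders. A clean run of this plus pfctl -nf /etc/pf.conf narrows the problem to the loaded state (pfctl -T show -t dssh, as used in the post) rather than the file.

```shell
#!/bin/sh
# Added example, not from the thread.  Offline sanity check for a pf.conf:
# report every table a rule refers to as <name> that is never declared by
# a "table <name> ..." line.  Nothing here talks to pf, so it is safe to
# run on a copy of the file on any machine.

# declared_tables FILE : names from "table <name> ..." lines, sorted, unique
declared_tables() {
    sed -n 's/^[[:space:]]*table[[:space:]]*<\([^>]*\)>.*/\1/p' "$1" | sort -u
}

# referenced_tables FILE : <name> tokens on all other lines, comments stripped
referenced_tables() {
    grep -v '^[[:space:]]*table[[:space:]]*<' "$1" |
        sed 's/#.*//' |
        grep -o '<[^>]*>' | tr -d '<>' | sort -u
}

# undeclared_tables FILE : referenced names with no declaration, one per line
undeclared_tables() {
    d=$(mktemp); r=$(mktemp)
    declared_tables "$1" > "$d"
    referenced_tables "$1" > "$r"
    comm -13 "$d" "$r"          # names present only in the referenced list
    rm -f "$d" "$r"
}

# write_sample_conf FILE : constructed pf.conf modelled on the quoted rule
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for the example, not a real ruleset
ext_if = "fxp0"
web_server = "192.0.2.10"
table <dssh> persist
table <spamd> persist file "/etc/spamd"
pass in on $ext_if proto tcp to $web_server \
    port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/10, overload <dssh> flush)
# this rule refers to a table nobody declared
block in quick on $ext_if from <bruteforce>
EOF
}
```

Usage: `undeclared_tables /etc/pf.conf` prints nothing when every referenced table has a declaration. The check is text-level only: it does not expand macros, and it treats any `<...>` token outside a `table` line as a table reference, which is what pf.conf rules use that syntax for.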



Re: Azalia no sound

2006-06-15 Thread bdz

vladas wrote:

On 15/06/06, bdz [EMAIL PROTECTED] wrote:

hi misc,

i have azalia loaded at boot time ok, but there is no sound out. the
wmmixer says wmmixer : Sorry, no supported channels found.. the mpg123
can play the mp3 file (no error messages) but i can hear nothing. any 
idea?


wmmixer will not help. try altering all values manually, with the
audioctl -w or mixerctl.  this helped me. what I did was playing with
all outputs part e.g.
mixerctl outputs.master=100,100. see what works for you.




yeah but as you can see (in my orig post) there is no outputs.master in
mixerctl -a.
that is my problem that the output is full of unknowns. i have no idea
what values should be adjusted as all unknown. what i tried never helped.
all other known values are 123,123 that look normal.



Re: rate limiting an interface

2006-06-15 Thread Lars Hansson
On Friday 16 June 2006 04:27, Lawrence Horvath wrote:
  You can rate limit with the altq built into pf.

 Can i rate limit both ways, incoming and outgoing, the pf
 documentation for queues says only one way, but is there a way to keep
 the system from downloading as much to it? so as to keep under my
 quota going both ways?

Yes, but not in a way that will guarantee that you won't get more than 2Mb 
incoming. In fact, there is NO way you can effectively shape incoming traffic 
in this situation, no matter what OS you run. If someone wants to send you a 
boatload of traffic and your colo isn't capping your bandwidth you will most 
likely go over 2Mb and there's nothing you can do about it since you can't 
cancel packets that have already gone over the wire.
If the colo can't/won't cap incoming traffic and wants to charge you for going 
over your limit they're either ignorant, lazy or trying to scam you.

---
Lars



Re: Pulled out an old song..

2006-06-15 Thread Han Boetes
Peter Philipp wrote:
 I was just going through my OpenBSD cd's and came across the
 first cd with a song... Interestingly enough I didn't find an
 mp3 with it as combined with newer releases.  Anyhow can anyone
 confirm this rmd160 checksum after the song is cdparanoia'd?

 # rmd160 track02.cdda.wav
 RMD160 (track02.cdda.wav) = 1053805b53962e22028768516285da1cba5e4454

CD-tracks don't work that way. Rip it again and you'll probably
find another checksum.



# Han



NFS Slow writes

2006-06-15 Thread Bob Bostwick \(Lists\)
I've narrowed the problem down.  I'm running an FTP server (vsftpd)
whose users' home dirs are on an nfs share.  If I run vsftpd without
mounting the nfs share (and create a user with a valid home dir) I get
21MB/s uploads.  If I copy a file from the OBSD box to a dir on the NFS
mount, I get 8MB/s.  However if I ftp to the nfs share I get 700KB/s
uploads.  Downloads are fast either way, it's just the writes that seem
really slow.  Vsftpd is starting through inetd (but I tried standalone
and it made no difference.)  Is there some sort of incompatibility in
doing it this way?

Any thoughts would be greatly appreciated 



Re: Pulled out an old song..

2006-06-15 Thread Jason Stubbs

Han Boetes wrote:

Peter Philipp wrote:

I was just going through my OpenBSD cd's and came across the
first cd with a song... Interestingly enough I didn't find an
mp3 with it as combined with newer releases.  Anyhow can anyone
confirm this rmd160 checksum after the song is cdparanoia'd?

# rmd160 track02.cdda.wav
RMD160 (track02.cdda.wav) = 1053805b53962e22028768516285da1cba5e4454


CD-tracks don't work that way. Rip it again and you'll probably
find another checksum.


Forgive my ignorance but how could CD-tracks not work that way? As far 
as I understand it, the only difference between a data track and an 
audio track is that a data track divides a sector into a data portion 
and a checksum portion whereas an audio track uses the entire sector for 
data. Unless the quality of the CD has deteriorated, where does the 
random element come from?


--
Jason Stubbs



Re: package dependencies

2006-06-15 Thread Bihlmaier Andreas
On Thu, Jun 15, 2006 at 04:19:26PM -0700, Spruell, Darren-Perot wrote:
 From: [EMAIL PROTECTED] 
  p.s. this question comes from the need to know the exact packages to  
  download and burn to CD in order to get a reasonably usable desktop  
  system running gnome, when said system has no connection to 
  the interweb
 
 See also: 'make print-build-depends' and 'make print-run-depends' from the
 desired port directory.
 
 These are all covered in ports(7).

I faced the same problem quite some time ago (download snapshot with a
set of packages, including their dependencies).

The problem with all above methods is that you need a current ports
tree version besides the packages as well.

What I did is to extract the information in the packages (foo.tgz) and
download the result from ftp, until no dependencies are left (it takes
care not to download stuff twice).

Here is the part getting the parsable dependencies from a .tgz file
(yes this is a very dirty hack, but reasonably fast and it works):

dd if=${pkg}.tgz bs=64k count=1 2>/dev/null | \
zgrep -a '[EMAIL PROTECTED] ' | \
awk 'BEGIN{ FS=":" } {print $3".tgz"}' | \
sed 's/.*\./\*\./'

For pkg = kdebase-3.5.1p4 the output looks like this:
openldap-client-2.3.11p4.tgz
glib2-2.8.4.tgz
libusb-0.1.10ap1.tgz
cyrus-sasl-2.1.21p2.tgz
kdelibs-3.5.1p0.tgz
qt3-mt-3.5p4.tgz
qt3-mt-3.5p4.tgz

Regards,
ahb
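The same idea as Andreas' one-liner, written out as an added example that is not code from the thread: pull the package name out of each dependency line of a packing list, then walk the dependency graph so each package is listed exactly once, which is the "don't download twice" property he mentions. The archive redacted the keyword his zgrep matched; this example assumes it is the @depend keyword of pkg_create(1), whose lines have the form `@depend pkgpath:pkgspec:pkgname`. The pkgpath and pkgspec fields in the constructed sample lists are placeholders; only the package names are taken from his output. The local directory of `<pkgname>.contents` files stands in for the ftp fetch, so the walk runs offline.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumption: dependencies in an
# OpenBSD +CONTENTS packing list are lines "@depend pkgpath:pkgspec:pkgname"
# (the post's redacted zgrep pattern is taken to be '@depend ').

# deps_from_contents FILE : print "pkgname.tgz" for every @depend line,
# in file order, duplicates included (the post's output shows qt3 twice)
deps_from_contents() {
    awk -F: '/^@depend / { print $3 ".tgz" }' "$1"
}

# deps_from_pkg PKG.tgz : same, reading +CONTENTS out of a package file
# (assumes a tar that accepts -C and a member name, as GNU and BSD tar do)
deps_from_pkg() {
    tmp=$(mktemp -d)
    tar -xzf "$1" -C "$tmp" +CONTENTS && deps_from_contents "$tmp/+CONTENTS"
    rm -rf "$tmp"
}

# closure DIR PKGNAME : transitive dependency set of PKGNAME, each name once,
# using DIR/<pkgname>.contents files as a stand-in for fetching packages
closure() {
    seen=$(mktemp)          # a file, so the pipeline subshells below share it
    _walk "$1" "$2" "$seen"
    cat "$seen"
    rm -f "$seen"
}
_walk() {
    list="$1/$2.contents"
    [ -f "$list" ] || return 0      # leaf: nothing fetched for it yet
    deps_from_contents "$list" | sed 's/\.tgz$//' | while read -r dep; do
        grep -qxF "$dep" "$3" && continue   # already downloaded: skip
        echo "$dep" >> "$3"
        _walk "$1" "$dep" "$3"
    done
}

# write_sample_tree DIR : constructed packing lists (pkgpath/pkgspec made up)
write_sample_tree() {
    cat > "$1/kdebase-3.5.1p4.contents" <<'EOF'
@name kdebase-3.5.1p4
@depend x11/kde/libs3:kdelibs-=3.5.1:kdelibs-3.5.1p0
@depend x11/qt3,mt:qt3-mt-=3.5:qt3-mt-3.5p4
@depend x11/qt3,mt:qt3-mt-=3.5:qt3-mt-3.5p4
EOF
    cat > "$1/kdelibs-3.5.1p0.contents" <<'EOF'
@name kdelibs-3.5.1p0
@depend x11/qt3,mt:qt3-mt-=3.5:qt3-mt-3.5p4
@depend devel/glib2:glib2-=2.8:glib2-2.8.4
EOF
}
```

With the sample tree, `closure DIR kdebase-3.5.1p4` prints kdelibs-3.5.1p0, qt3-mt-3.5p4 and glib2-2.8.4, each once, even though qt3-mt-3.5p4 is named three times across the two lists. To turn this into a real downloader, replace the `[ -f "$list" ]` test in `_walk` with a fetch of `$2.tgz` followed by `deps_from_pkg`.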