Re: SMP error
Hi! There was another thread about SMP, OpenBSD does not support HypeThreading :/ Bad, too bad :( Intel's HT is very powerfull thing :) Bill Jones wrote: Did anyone ever help you or did you figure it out yet? I am having the same problem and would like to stay with OpenBSD and not move it to Linux. Bill -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edgars Sent: Monday, June 12, 2006 11:32 AM To: misc@openbsd.org Subject: SMP error Hello misc! I have a problems with smp kernel (3.9, and Current). ichiic0: timeout, status 0x0 ichiic0: transaction abort failed, status 0x42 INTR, INUSE and full screen with that crap. XEON is with HyperThreading technology. Here is a dmesg from uniprocessor system. OpenBSD 3.9-current (GENERIC) #876: Sun Jun 11 13:51:47 MDT 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Xeon(TM) CPU 3.00GHz (GenuineIntel 686-class) 3 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16 real mem = 535834624 (523276K) avail mem = 481218560 (469940K) using 4256 buffers containing 26894336 bytes (26264K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(8b) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xfd88f, SMBIOS rev. 2.33 @ 0xdc010 (48 entries) bios0: HP ProLiant ML150 G2 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xfd4b0/0xb50 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfded0/272 (15 entries) pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #4 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xc9800/0x8c00 0xdc000/0x4000! 
ipmi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel E7320 MCH rev 0x0c ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0c pci1 at ppb0 bus 1 ppb1 at pci0 dev 3 function 0 Intel MCH PCIE rev 0x0c pci2 at ppb1 bus 2 bge0 at pci2 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): irq 10, address 00:16:35:b1:b4:5a brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0 ppb2 at pci0 dev 28 function 0 Intel 6300ESB PCIX rev 0x02 pci3 at ppb2 bus 3 ahd0 at pci3 dev 4 function 0 Adaptec AIC-7901 U320 rev 0x10: irq 9 ahd0: aic7901, U320 Wide Channel A, SCSI Id=7, PCI-X 50-66Mhz, 512 SCBs scsibus0 at ahd0: 16 targets sd0 at scsibus0 targ 0 lun 0: COMPAQ, BF03688284, HPB3 SCSI3 0/direct fixed sd0: 34732MB, 50824 cyl, 2 head, 699 sec, 512 bytes/sec, 71132000 sec total safte0 at scsibus0 targ 8 lun 0: SDR, GEM318P, 1 SCSI2 3/processor fixed uhci0 at pci0 dev 29 function 0 Intel 6300ESB USB rev 0x02: irq 10 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 29 function 1 Intel 5300ESB USB rev 0x02: irq 5 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered Intel 6300ESB WDT rev 0x02 at pci0 dev 29 function 4 not configured Intel 6300ESB APIC rev 0x02 at pci0 dev 29 function 5 not configured ehci0 at pci0 dev 29 function 7 Intel 6300ESB USB rev 0x02: irq 11 usb2 at ehci0: USB revision 2.0 uhub2 at usb2 uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1 uhub2: 4 ports with 4 removable, self powered ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x0a pci4 at ppb3 bus 4 vga1 at pci4 dev 4 function 0 ATI Rage XL rev 0x27 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) ichpcib0 at pci0 dev 31 function 0 Intel 
6300ESB LPC rev 0x02 pciide0 at pci0 dev 31 function 1 Intel 6300ESB IDE rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide0 channel 0 drive 0 scsibus1 at atapiscsi0: 2 targets cd0 at scsibus1 targ 0 lun 0: LITE-ON, CD-ROM LTN-489S, 8QG2 SCSI0 5/cdrom removable cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 disabled (no drives) ichiic0 at pci0 dev 31 function 3 Intel 6300ESB SMBus rev 0x02: irq 10 iic0 at ichiic0 lm1 at iic0 addr 0x2c: W83792D rev B isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 lm0 at isa0 port 0x290/8: W83627THF npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec biomask ff6d netmask ff6d ttymask ffef pctr: user-level cycle counter enabled ahd0: target 0 synchronous with period = 0x8, offset =
Re: Spam Trapping
tony sarendal wrote: On 14/06/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Wed, Jun 14, 2006 at 09:31:49AM -0700, John Draper wrote: Mike Spenard wrote:
What are some thoughts on purposely getting a spam trap email address acquired by spammers and the best way to do so.
It is hard to do initially, unless you want to spend a lot of time signing up for things over the web... In my case, I have a very good spam trap. But I host about 60 Email users and I changed everyone's Email address (with their cooperation), and removed them from any mailing lists they might have joined. Eventually, almost all of these accounts have Pure spam coming in. Next I forwarded each of them to [EMAIL PROTECTED] and presto... I have a 100% spam source I can feed directly into my spam reporting engine. Most of these addresses have taken years to accumulate this spam.
This is by far the best way... we used to have 'spammers ? spam this [EMAIL PROTECTED]' at the bottom of each page so that crawlers would spam it. also, we had a few systems accounts, not supposed to receive mail, act as spam traps which proved to be quite efficient.
So what do you guys do with the email hitting the spam traps ? My email address [EMAIL PROTECTED] has been used as From address by spammers, does that mean that I can't send you guys emails ? Or do you do something else like teach spamassassin and record source IP addresses ? /Tony
I feed it to spamassassin. I don't do anything with IPs because most of them get dynamically reallocated between clean and infected computers. I reckon you shouldn't worry about From address because it gets forged all the time. This is very common. Therefore, it would be a bit silly for someone to rely on the From field. Cheers, Mikhail.
-- Mikhail Goriachev Webanoide Telephone: +61 (0)3 62252501 Mobile Phone: +61 (0)4 38255158 E-Mail: [EMAIL PROTECTED] Web: http://www.webanoide.org PGP Key ID: 0x4E148A3B PGP Key Fingerprint: D96B 7C14 79A5 8824 B99D 9562 F50E 2F5D 4E14 8A3B
How do I add a new sysctl variable?
Hi, I have tried to follow the source code and have been unable to add a variable. Is there a step by step guide anywhere? I want to have a counter (int) and an array[1000] of bytes. Thanks. pn.
Re: Hifn policy on documentation
On 6/14/06, Darrin Chandler [EMAIL PROTECTED] wrote: I blame neither Mr. Cohen nor the lawyers. It's the decision makers at the company who have decided this policy, which is a policy change from years ago. Nobody else at the company is to blame. That's how responsibility works. No, it's not. If you do something that is morally reprehensible, it is morally reprehensible whether or not you are doing it because you were ordered to do it. For Mr. Cohen to tell us lies or inexcusably misinformed statements reflects negatively on him personally, because that is something that no one ought to do. Perhaps Mr. Cohen would be fired if he refused to act immorally. That doesn't mean that his actions are beyond criticism. I don't think that anybody, prior to the post I am making right now, has called Mr. Cohen or the lawyers into question for their individual morality. Up to this point, we have been criticizing what Mr. Cohen said, and we have been criticizing Hifn the company and any and all employees who would carry out actions on behalf of the company with which we disagree and with which we believe to constitute bad business and degradation of users' freedom. This has included but has at no point been limited to or particularly focused on Mr. Cohen. But now that you bring it up, yes, Mr. Cohen made the wrong decision when he chose to carry out the will of his company. And since he is the Product Line Manager (read his signature), he was probably involved in establishing just what the will of his company is. -Eliah
x.org
Strange problem which appeared in 3.8 and appears in 3.9. When I type startx it does nothing. After waiting for half a minute I press cancel and only then it begins to do something but fails to start. When I open another tty and type there startx it starts normally. The strangest thing is that I do nothing, X fails to start without any reason. Artyom
Re: Hifn policy on documentation
Oh well ... I have to admit that I find it quite amusing how some people that do restrict access to documentation are the same that do take advantage of other people's free documentation ... http://marc.theaimsgroup.com/?l=openssl-users&m=114832209207203&w=2 Oh ... wait ... no. I don't find that amusing, and Hifn is no longer in the vendors list I maintain for the company I work at. A while ago, someone mentioned the opening of a wiki to help find a list of specs friendly and unfriendly vendors, how is it going ?
Re: x.org
[EMAIL PROTECTED] wrote: Strange problem which appeared in 3.8 and appears in 3.9. When I type startx it does nothing. After waiting for half a minute i press cancel and only then it begins to do something but fails to start. When I open another tty and type there startx it starts normally. The strangest thing is that I do nothing, X fails to start without any reason. Artyom Your mail is a little sparse on fact/information. First make sure that *machdep.allowaperture=2* is set in /etc/sysctl.conf I expect you (as root) have made a /root/xorg.conf.new by running: # xorgcfg - and have made corrections to the Display section at the end of xorg.conf (DefaultDepth and Modes) and then done: # cp /root/xorg.conf.new /etc/X11/xorg.conf If 'yes' you should be able to run 'startx'. Your /var/log/Xorg.0.log will give away what you need to know. /per [EMAIL PROTECTED]
Re: SMP error
* edgarz [EMAIL PROTECTED] [2006-06-15 08:12]: There was another thread about SMP, OpenBSD does not support HypeThreading :/ Bad, too bad :( Intel's HT is very powerful thing :)
OpenBSD does support HT, at least on machines with a proper MPBIOS. and indeed I have a dual xeon here that attaches 4 cpus.
-- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
pics from the hackathon
Hey folk, anyone willing to share some pics from this year's hackathon? I just have seen a couple of them from beck. ;) Thanks!
Re: x.org
On Thu, 15 Jun 2006 [EMAIL PROTECTED] wrote: Strange problem which appeared in 3.8 and appears in 3.9. When I type startx it does nothing. After waiting for half a minute I press cancel and only then it begins to do something but fails to start. When I open another tty and type there startx it starts normally. The strangest thing is that I do nothing, X fails to start without any reason. Artyom
I, for instance, use xinit instead of startx. However, in the case of OpenBSD 3.8 the Enlightenment window manager (or is it X, actually, I don't know), tends to crash from time to time and the keyboard layout settings (gnome-keyboard-properties) stop working from time to time. So, I don't think that the graphical user interface on OpenBSD 3.8 is exactly too stable, but as I have very limited resources of time and money (don't we all?), then I guess that I just have to live with that. :/ Regards, Martin Vahi
Re: smtp-gated alternative for OpenBSD
Use a postfix and port redirection. Redirect all smtp connections to your server, and that's all :)
Craig Skinner wrote: On Sun, Jun 11, 2006 at 03:43:24PM +0300, Soner Tari wrote: Hi all, I'm trying to find a fully transparent smtp proxy for outgoing mails from NATed hosts behind my firewall (smtp proxy will run on this firewall). smtp-gated of FreeBSD seems like an exact match. What is the equivalent of smtp-gated for OpenBSD? I tried to google too, but failed to find something similar.
SMTP is a store and forward protocol, and as such any SMTP server is a caching proxy. It seems you only want to send mail out from the LAN, so just use the MTA that you are most familiar with. Sendmail is included by default, I use postfix as I've used it at work for a number of companies, so know my way around it.
Re: SMP error
Hi! That's interesting. Maybe you can say where is a problem in my case, I posted message some days ago?
Henning Brauer wrote: * edgarz [EMAIL PROTECTED] [2006-06-15 08:12]: There was another thread about SMP, OpenBSD does not support HypeThreading :/ Bad, too bad :( Intel's HT is very powerful thing :) OpenBSD does support HT, at least on machines with a proper MPBIOS. and indeed I have a dual xeon here that attaches 4 cpus.
Re: x.org
Just for information: I noticed the same behaviour on my FreeBSD laptop. It appears from time to time, and when I have it on a tty, I'll have it until next reboot. Oddly enough, when I launch xinit or X on the tty which has the problem, it works normally. I checked the logs, well... nothing to say. Strange problem which appeared in 3.8 and appears in 3.9. When I type startx it does nothing. After waiting for half a minute i press cancel and only then it begins to do something but fails to start. When I open another tty and type there startx it starts normally. The strangest thing is that I do nothing, X fails to start without any reason. Artyom
Missing Man Page bio (3)?
Hello, Just wondering if there is a missing man page or if bio (3) references should be removed from the following pages SSL_accept.pod SSL_connect.pod SSL_do_handshake.pod SSL_get_fd.pod SSL_get_rbio.pod SSL_read.pod SSL_set_bio.pod SSL_set_fd.pod SSL_shutdown.pod SSL_write.pod Cheers Ste Jones
Re: Hifn policy on documentation
On 6/15/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Oh well ... I have to admit that I find it quite amusing how some people that do restrict access to documentation are the same that do take advantage of other people's free documentation ... http://marc.theaimsgroup.com/?l=openssl-users&m=114832209207203&w=2 Oh ... wait ... no. I don't find that amusing, and Hifn is no longer in the vendors list I maintain for the company I work at. A while ago, someone mentioned the opening of a wiki to help find a list of specs friendly and unfriendly vendors, how is it going ?
http://www.vendorwatch.org/ , hifn is marked as unfriendly. I really like this site, too. Congrats to the contributors.
Re: developing a backup strategy
[snip] My favorite solution is rsnapshot in ports. It beats rsync and scp because not only does it allow you to specify what and when to backup, but it uses hard links. What's that got to do with anything? Well it rsyncs everything on the first backup, and only the differences thereafter. But it makes every backup look like a full backup (every file) because it hard-links the unchanged stuff into the latest backup dir. So you get a complete backup dir every time sans lots of file transfers and space taken up on the backup storage box. This guy gives a great explanation and some bash scripts to do just that: http://www.mikerubel.org/computers/rsync_snapshots/ I believe he also refers to rsnapshot as being a more polished version of what he outlines. Very interesting and easy read. Take care, Allen
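The hard-link mechanism described in the message above, as an added example that is not part of the original post and is not rsnapshot's or Mike Rubel's code: a plain-sh `snapshot` function (hypothetical name) that hard-links unchanged files to the previous snapshot and copies only new or changed ones. It compares file contents with `cmp`, which is an assumption of this sketch; the directory names and sample files are constructed.

```shell
#!/bin/sh
# Added illustration of hard-link snapshots (not rsnapshot itself).
# Usage: snapshot SRC BACKUP_ROOT NEW_NAME [PREVIOUS_NAME]
snapshot() {
    src=$1 root=$2 name=$3 prev=${4:-}
    new="$root/$name"
    mkdir -p "$new" || return 1
    # Walk regular files in the source tree (demo assumes no newlines in names).
    (cd "$src" && find . -type f) | while IFS= read -r rel; do
        rel=${rel#./}
        mkdir -p "$new/$(dirname "$rel")"
        if [ -n "$prev" ] && [ -f "$root/$prev/$rel" ] \
           && cmp -s "$src/$rel" "$root/$prev/$rel"; then
            # Unchanged since the previous snapshot: share its inode,
            # so no data is transferred and no extra space is used.
            ln "$root/$prev/$rel" "$new/$rel"
        else
            # New or modified file: store a real copy.
            cp -p "$src/$rel" "$new/$rel"
        fi
    done
}

# Print the inode number of a file; equal numbers mean one shared copy.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Constructed sample data: two backup runs with one file changed in between.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/etc" "$work/backup"
    echo "PermitRootLogin no" > "$work/src/etc/sshd_config"
    echo "v1" > "$work/src/notes.txt"
    snapshot "$work/src" "$work/backup" daily.1

    echo "v2" > "$work/src/notes.txt"      # only this file changes
    snapshot "$work/src" "$work/backup" daily.0 daily.1

    echo "sshd_config inodes: $(inode_of "$work/backup/daily.1/etc/sshd_config")" \
         "$(inode_of "$work/backup/daily.0/etc/sshd_config")"
    echo "notes.txt inodes:   $(inode_of "$work/backup/daily.1/notes.txt")" \
         "$(inode_of "$work/backup/daily.0/notes.txt")"
    rm -rf "$work"
}

demo
```

Because unchanged files share one inode across snapshots, writing to a file inside any snapshot directory alters it in every snapshot that links to it, so the backup tree should be kept read-only to everything except the backup job.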
Re: Hifn policy on documentation
On 6/15/06, Wolfgang S. Rupprecht [EMAIL PROTECTED] wrote: Ditto for the card intentionally leaking the keying data into the cipher stream? oh come on, this discussion is already as off topic as it can be, no need to add FUD to it. any algorithm the cards claim to implement _is_ fully documented, so you can test any output except that of the RNG against a 'known good' implementation --knitti
Re: recording streams with OpenBSD
On Wed, Jun 14, 2006 at 03:01:58PM -0700, Bryan wrote: Will Maier wrote: $ mplayer -dumpstream http://your.stream.com/stream.mp3 -dumpfile stream.mp3 I did find that, but the stream is not an .mp3 file. So? Mplayer will dump an ASF stream. In fact, I tried that with your stream, and it worked fine. What's the problem? Can I dump the stream directly as an .mp3 file? Prolly not directly with Mplayer, but you could dump to a FIFO and read the FIFO in your encoder (or decoder first) of choice. Or just reencode the dumped ASF file later on, although that will likely degrade file quality. -- o--{ Will Maier }--o | jabber:[EMAIL PROTECTED] | [EMAIL PROTECTED] | | freenode:..lt_kije | freenode:#madlug,#wilug | *--[ BSD Unix: Live Free or Die ]--*
Re: Hifn policy on documentation
On Wed, Jun 14, 2006 at 11:45:13PM -0800, Eliah Kagan wrote: On 6/14/06, Darrin Chandler [EMAIL PROTECTED] wrote: I blame neither Mr. Cohen nor the lawyers. It's the decision makers at the company who have decided this policy, which is a policy change from years ago. Nobody else at the company is to blame. That's how responsibility works. No, it's not. If you do something that is morally reprehensible, it is morally reprehensible whether or not you are doing it because you were ordered to do it. For Mr. Cohen to tell us lies or inexcusably misinformed statements reflects negatively on him personally, because that is something that no one ought to do.
So? If it weren't Mr. Cohen, it would be someone else from Hifn. From *my* point of view as a user of OpenBSD their reasons and moral standing don't matter because they won't open the specs on their hardware. If they did open the specs, then there might be other reasons for me not to do business with them. As it stands there's already one show stopper. That's enough. Look, it's pretty obvious from early exchanges in this thread that these issues have been discussed by the principal parties over a fairly long period of time. How many brilliant insights have been added by this thread? More important, has this thread opened up Hifn's specs? Has this discussion accomplished anything at all?
-- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: Hifn policy on documentation
Darrin Chandler wrote: Look, it's pretty obvious from early exchanges in this thread that these issues have been discussed by the principal parties over a fairly long period of time. How many brilliant insights have been added by this thread? More important, has this thread opened up Hifn's specs? Has this discussion accomplished anything at all?
1) The principal parties' exchanges didn't go anywhere. It is time to crank the heat up a couple of notches. If the principal parties come in and ask us to stop it will go a lot further than you, some random person, asking us to stop. I don't see Theo complaining, and he has a far greater vested interest than you. I haven't seen other developers complaining, and the same goes for them. I haven't even seen Hifn complaining, although that would only weaken their position further.
2) It's not about brilliant insights. It is about customer dissatisfaction. People are posting so there is a record that they are not happy with the situation, and this record covers very clearly why they are not happy with the situation. This goes a long way towards punishing Hifn for what we perceive as acts which are not in our best interests as customers. The alternative is silence, which allows Hifn to continue to dupe customers. I do not want to see another person duped like this, and it is now my personal mission to do what I am able to prevent it from happening again.
3) Has this thread opened up Hifn's specs??! You expect results to take place in an unreasonable amount of time. Change doesn't always happen overnight, especially when corporations are involved.
4) This discussion has definitely accomplished something - it has created a freely accessible, mirrored record which points out some very serious flaws in the policies of a supposed security minded company. As a consumer I have relied on exactly this sort of thing time and time again to avoid bad purchases.
I wish this thread had existed three months ago so I wouldn't have purchased a blasted Hifn product that sits unused on my shelf! And above all this, this thread shows that, for the most part, users are behind the policies of the OpenBSD project. This sends a clear message to the industry that we will hurt their bottom line if they screw around with us. I only wish more projects and organizations would toe this line. Breeno
Re: Hifn policy on documentation
Wolfgang S. Rupprecht wrote: I guess the part I don't understand is why are open source folks so wary of running black-box *.o binaries from a vendor but are quite eager to use blackbox crypto cards (that effectively run blackbox *.o firmware)? This is a pretty poor argument in my books. They could undermine us in the hardware, so why don't we just give them the keys to the kingdom and allow them to do it in software? HUH??? Given your argument we may as well just let them have root access to our machines. Or maybe they could install cameras in our offices and homes while they are at it. Breeno
Re: sendmail config: non-system mail accounts?
At 07:01 PM 6/14/2006 -0500, Jacob Yocom-Piatt wrote: i'm pretty comfortable using postfix as an MTA, but i have only now been fiddling with sendmail. everything has been going fine, except that i can't figure out how to add mail accounts for users without adding them as users on the mailserver itself when using sendmail. for postfix this is clearly documented in an example on the website (see http://www.postfix.org/VIRTUAL_README.html#virtual_mailbox ). Same with sendmail - . virtusertable Lee
Re: Hifn policy on documentation
knitti wrote: oh come on, this discussion is already as off topic as it can be, no need to add FUD to it. any algorithm the cards claim to implement _is_ fully documented, so you can test any output except that of the RNG against a 'known good' implementation This is a great point. However... This is not off topic. This topic definitely affects OpenBSD and serves a purpose. I do not understand why people think this is off topic. Since when was misc@ only for posting about technical problems? Talking about the World Cup matches would be off-topic. Talking about Billy Graham's last sermon would be off topic. Hifn's crappy policy and why we don't like it is definitely on topic. Breeno
USB device nodes
Hi, working on setting up some crypto tokens, I noticed some differences to Free/NetBSD on handling the ugen devices. If a device is attached, the kernel reports it as ugenX, as it does it also on the other BSDs. Though /dev/ugenX itself doesn't exist on OpenBSD, so it can't be talked to. Typically, the endpoint an application wants to communicate with is the control endpoint ugenX.00. The other BSDs seem to handle that case transparently, i.e. if no endpoint is specified, .00 is chosen automatically. Since stat'ing a device-node for existence is apparently quite common, introducing a symlink /dev/ugenX -> /dev/ugenX.00 would be an obvious solution in this situation. While I have no problem with creating the links by myself, it would be nice if MAKEDEV could also create the symlink by default. Any chance to get this in? Thanks in advance, /Markus
Re: Hifn policy on documentation
On Thu, Jun 15, 2006 at 09:01:51AM -0600, Breen Ouellette wrote: 1) The principle parties' exchanges didn't go anywhere. It is time to crank the heat up a couple of notches. If the principle parties come in and ask us to stop it will go a lot futher than you, some random person, asking us to stop. I don't see Theo complaining, and he has a far greater vested interest than you. I haven't seen other developers complaining, and the same goes for them. I haven't even seen Hifn complaining, although that would only weaken their position further. I don't expect everyone to stop because I said so. I'm hoping that at least a few of you will go do something productive instead. 2) It's not about brilliant insights. It is about customer dissatisfaction. People are posting so there is a record that they are not happy with the situation, and this record covers very clearly why they are not happy with the situation. This goes a long way towards punishing Hifn for what we perceive as acts which are not in our best interests as customers. The alternative is silence, which allows Hifn to continue to dupe customers. I do not want to see another person duped like this, and it is now my personal mission to do what I am able to prevent it from happening again. 3) Has this thread opened up Hifn's specs??! You expect results to take place in an unreasonable amount of time. Change doesn't always happen overnight, especially when corporations are involved. 4) This discussion has definitely accomplished something - it has created a freely accessible, mirrored record which points out some very serious flaws in the policies of a supposed security minded company. As a consumer I have relied on exactly this sort of thing time and time again to avoid bad purchases. I wish this thread had existed three months ago so I wouldn't have purchased a blasted Hifn product that sits unused on my shelf! 
And above all this, this thread shows that, for the most part, users are behind the policies of the OpenBSD project. This sends a clear message to the industry that we will hurt their bottom line if they screw around with us. I only wish more projects and organizations would toe this line. This discussion made it to the front page of Slashdot, giving Hifn a lot of free publicity. It gives them the opportunity to tell everyone again that you can just go get their specs online. Maybe they can offer a nice BLOB to the Linux distros and get it accepted like nVidia. Maybe due to this they will sell MORE hardware than before. If half the people heavily involved with this thread had drawn up a well worded message and sent it to Hifn it would have had a better effect, I bet. We'll see. I surely don't expect policy changes overnight. If Hifn truly opens their specs in the next year I'll be surprised. And that is what will change my mind about the value of this discussion. FYI, someone recently mentioned www.vendorwatch.org. It's a nice resource, and I hope it grows. I keep forgetting it's there. Next time I'm shopping for hardware I'll be checking there! -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: SMP error
On Thu, 15 Jun 2006 09:03:10 +0300 edgarz [EMAIL PROTECTED] wrote: Hi! There was another thread about SMP, OpenBSD does not support HypeThreading
Yes, it does.
Intel's HT is very powerful thing :)
No, it's not. As you yourself stated, it is HypeThreading. It may be a good demonstration of the power of marketing, but it itself is not powerful. Adam
Re: vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
Breen Ouellette wrote: I am still going to install 3.9 on a PC and try an ssh connection which doesn't involve WinXP / PuTTY. I finally got around to it and I still get the error when connecting from a PC installed with OpenBSD 3.9 to my net4801 / vpn1411 running OpenBSD 3.9. So, just in case someone came across this thread and thought that PuTTY was the cause of the problem, it definitely is not, you can thank Hifn for this one. Breeno
Re: SMP error
Have you tried disabling Hyperthreading in BIOS and seeing if you continue to get this message? From what I've read, hyperthreading tends to lower performance on the BSDs anyway.
On 6/15/06, Edgars [EMAIL PROTECTED] wrote: Hi! That's interesting. Maybe you can say where is a problem in my case, I posted message some days ago? Henning Brauer wrote: * edgarz [EMAIL PROTECTED] [2006-06-15 08:12]: There was another thread about SMP, OpenBSD does not support HypeThreading :/ Bad, too bad :( Intel's HT is very powerful thing :) OpenBSD does support HT, at least on machines with a proper MPBIOS. and indeed I have a dual xeon here that attaches 4 cpus.
Re: Hifn policy on documentation
Breen Ouellette wrote: Darrin Chandler wrote: Look, it's pretty obvious from early exchanges in this thread that these issues have been discussed by the principal parties over a fairly long period of time. How many brilliant insights have been added by this thread? More important, has this thread opened up Hifn's specs? Has this discussion accomplished anything at all? 1) The principle parties' exchanges didn't go anywhere. It is time to crank the heat up a couple of notches. If the principle parties come in and ask us to stop it will go a lot futher than you, some random person, asking us to stop. I don't see Theo complaining, and he has a far greater vested interest than you. I haven't seen other developers complaining, and the same goes for them. I haven't even seen Hifn complaining, although that would only weaken their position further. 2) It's not about brilliant insights. It is about customer dissatisfaction. People are posting so there is a record that they are not happy with the situation, and this record covers very clearly why they are not happy with the situation. This goes a long way towards punishing Hifn for what we perceive as acts which are not in our best interests as customers. The alternative is silence, which allows Hifn to continue to dupe customers. I do not want to see another person duped like this, and it is now my personal mission to do what I am able to prevent it from happening again. 3) Has this thread opened up Hifn's specs??! You expect results to take place in an unreasonable amount of time. Change doesn't always happen overnight, especially when corporations are involved. 4) This discussion has definitely accomplished something - it has created a freely accessible, mirrored record which points out some very serious flaws in the policies of a supposed security minded company. As a consumer I have relied on exactly this sort of thing time and time again to avoid bad purchases. 
I wish this thread had existed three months ago so I wouldn't have purchased a blasted Hifn product that sits unused on my shelf! You can then appreciate why I lurk on this list, and how I can easily talk my tightwad CEO in buying a couple of CDs that I might need to use. For a lot of this stuff, the OpenBSD users and developers will take good care of themselves. But a lot of this does matter to us (bluntly) outsiders. If security actually matters (not some snake-oil fiction) the first rule has to be something like not fooling yourself. Something like this thread is probably the only plausible mechanism to establish what the ground rules SHOULD be for such as this. Maybe not a good chance, but seems to me like maybe it is the only chance. And above all this, this thread shows that, for the most part, users are behind the policies of the OpenBSD project. This sends a clear message to the industry that we will hurt their bottom line if they screw around with us. I only wish more projects and organizations would toe this line. Breeno
Re: Curious on NAT traversal possibility on PF
Late reply due to mail server problems at my ISP... Stuart Henderson wrote: Depends what you're trying to do, but if it's e.g. throttling p2p users, that's only going to be of limited help. I haven't tried the approach yet and, as you, I'm in doubt about its ability to throttle p2p. However, the idea isn't pulled out of the sky - using 'pfctl -ss' on my gateway, I've discovered that a high percentage (90%) of the connections suspected to be p2p goes out to completely random ports, mostly above 1024. (These days, users of bittorrent have to choose non-standard ports due to tracker rules, which entails a quite uniform distribution.) My goal isn't to throttle every single p2p connection, just a big enough percentage of them. Relying on the side-behaviour of 'lots-of-connections' often seen with some protocols you might want to restrict, but not so often seen from a legitimate client, you have the option of using max-src-states and throttling hosts in the overload table. Care and attention is required though.. Nice idea, even though it's a bit more advanced. Thanks :) /Martin
Re: ftp problems with OpenBSD 3.9
I tried in /etc/rc.conf.local ftpd_flags=-DllUSAn4 and rebooted. Problem still persisted. I checked netstat -an to verify that it was not listening on tcp6 port 21. I'm going to do Nick Holland's suggestion and the tcpdump idea too.
Fwd: Hifn policy on documentation
Hi all, This is the mail I got from Hifn representative for my response to his mail and clarifications in misc. This mail was sent to me privately and I am well aware of the fact that it is not good manners to make private mails public. In that way I am just going down a little bit on that. Let people see the response they get from Hifn. And Mr. Cohen, If what you sent to the list was indeed not a lie then I sincerely apologize mentioning that you were lying in my previous mail. I apologize publicly just as I mentioned it publicly. Also I would like to let you know very humbly that this may not be a very good way of treating your potential customers. Thanks for your compliments anyway :-) Good Luck ahead with this policy of your company and your personal behaviour. Kind regards --Siju
-- Forwarded message -- From: Hank Cohen [EMAIL PROTECTED] Date: Jun 14, 2006 10:43 AM Subject: RE: Hifn policy on documentation To: Siju George [EMAIL PROTECTED]
Mr. George. I do not appreciate being accused of lying. If you choose not to use Hifn products then so be it. I have announced our policy in good faith and been treated to a barrage of insult and invective. If I were speaking on my own account I would feel free to tell you what I really think of this kind of bullshit but I cannot do so since I will always be seen as a representative of my company. You sir have the manners of a pig. And I shall surely never recommend your IT and Media services to anyone either. Having said that perhaps you can understand how much your threats are likely to have the result that you desire. Hank Cohen On my own account.
Re: Hifn policy on documentation
On Wed, Jun 14, 2006 at 08:52:01PM -0700, Wolfgang S. Rupprecht wrote: | So what if one of the driver writers for one of the open source operating | systems were to design a set of open standards for a hardware/software | interface for chipsets in this class. | | I guess the part I don't understand is why are open source folks so | wary of running black-box *.o binaries from a vendor but are quite | eager to use blackbox crypto cards (that effectively run blackbox *.o | firmware)? Don't assume that everyone is even willing to hand over their private data to some sealed black box. There are, of course, a number of differences. What runs on the card/chip generally won't have access to the rest of the system (assuming reasonable bus security, which may not be true). But a *.o binary driver will have that access to the level it is installed (probably the kernel, which means it has access to everything). Bugs in the *.o could crash or hang the kernel if it is there. But in the card/chip it is less likely to cause damage, although that isn't impossible (could lock up the bus). I'd be a bit more trusting of a crypto device that was connected via some soft means like an ethernet. But that still implies a (possibly misplaced) trust in the ethernet card itself. Then there is the issue of whether they provide kernel level *.o files for all the platforms OpenBSD and other systems support. | While I don't think these cards really do contain trojans, they | certainly could at some point in the future. What prevents the | manufacturers from storing all keys into some on-chip nv-ram for later | retrieval? Ditto for the card intentionally leaking the keying data | into the cipher stream? At one point during the cold-war it certainly | seemed like the US did manage to slip a leaky key trojan into a well | respected company's cipher system. Similar risk could exist in CPU based crypto instructions, too, if such a CPU were to be made public. 
Ultimately, I'll personally depend on crypto in software I can access for myself. I think that's your real point. FYI, I don't even trust Theo for writing safe crypto software. But that's not a personal statement ... it's just a statement of procedure; I would not trust anyone, period. The big advantage of open source that we all already know is the many eyes (with no conflict of interest) aspect. That cannot be said for either binary software or hardware implementations. What interests me among Hifn's chips are not the crypto capabilities, but the compression capabilities. No export regulations for that as long as it doesn't have the crypto in it, so those should be fully open (I have not checked) as to interface and interoperability (e.g. uses a standard compression format). Even data compression in a sealed box has risks, such as it detecting actual keys being moved around in the clear and saving them into NVRAM. How do you know your CPU doesn't have this?
mount_msdos error
Hi Misc, I keep getting the following error, when trying to mount a 2GB Sony Memory Stick Pro Duo (MSX-M2GN) in my Sony T7 digital camera: nike:fred /home/fred sudo mount /mnt/t7 mount_msdos: /dev/sd1i on /mnt/t7: Inappropriate file type or format Can anyone help me debug this issue? It mounts fine when I use a 256Mb Sony Memory Stick Pro Duo. This is on a 3.9 box dmesg follows at the end, I've also included fdisk and disklabel output, any clue sticks would be greatly appreciated... thanks Fred nike:fred /home/fred grep t7 /etc/fstab /dev/sd1i /mnt/t7 msdos rw,noauto,nodev,nosuid 0 0 nike:fred /home/fred tail /var/log/messages Jun 15 18:00:01 nike newsyslog[31685]: logfile turned over Jun 15 18:00:01 nike syslogd: restart Jun 15 21:00:01 nike syslogd: restart Jun 15 21:12:23 nike /bsd: umass0 at uhub2 port 1 configuration 1 interface 0 Jun 15 21:12:23 nike /bsd: Jun 15 21:12:23 nike /bsd: umass0: Sony Sony DSC, rev 2.00/5.00, addr 2 Jun 15 21:12:23 nike /bsd: umass0: using UFI over CBI Jun 15 21:12:23 nike /bsd: scsibus3 at umass0: 2 targets Jun 15 21:12:23 nike /bsd: sd1 at scsibus3 targ 1 lun 0: Sony, Sony DSC, 6.00 SCSI0 0/direct removable Jun 15 21:12:23 nike /bsd: sd1: 1980MB, 1980 cyl, 64 head, 32 sec, 512 bytes/sec, 4055040 sec total nike:fred /home/fred fdisk sd1 fdisk: sysctl(machdep.bios.diskinfo): Device not configured Disk: sd1 geometry: 1980/64/32 [4055040 Sectors] Offset: 0 Signature: 0xAA55 Starting Ending LBA Info: #: idC H S -C H S [ start: size ] *0: 060 7 32 - 1979 56 1 [ 255: 4054530 ] DOS 32MB 1: 000 0 0 -0 0 0 [ 0: 0 ] unused 2: 000 0 0 -0 0 0 [ 0: 0 ] unused 3: 000 0 0 -0 0 0 [ 0: 0 ] unused nike:fred /home/fred disklabel sd1 disklabel: warning, DOS partition table with no valid OpenBSD partition # /dev/rsd1c: type: SCSI disk: SCSI disk label: Sony DSC flags: bytes/sector: 512 sectors/track: 32 tracks/cylinder: 64 sectors/cylinder: 2048 cylinders: 1980 total sectors: 4055040 rpm: 3600 interleave: 1 trackskew: 0 cylinderskew: 0 headswitch: 0 # 
microseconds track-to-track seek: 0 # microseconds drivedata: 0 16 partitions: # sizeoffset fstype [fsize bsize cpg] c: 4055040 0 unused 0 0 # Cyl 0 - 1979 i: 4054530 255 MSDOS # Cyl 0*- 1979* dmesg follows: OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Duron(TM) (AuthenticAMD 686-class, 64KB L2 cache) 1.31 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE cpu0: AMD Powernow: TS real mem = 804872192 (786008K) avail mem = 72704 (71K) using 4278 buffers containing 40345600 bytes (39400K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(85) BIOS, date 10/29/02, BIOS32 rev. 0 @ 0xf17b0 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0x1e62 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1d90/208 (11 entries) pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT82C586 ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0xc000 0xcc000/0x1800 0xd/0x800 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 VIA VT8366 PCI rev 0x00 ppb0 at pci0 dev 1 function 0 VIA VT8366 AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Radeon VE QY rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) cmpci0 at pci0 dev 5 function 0 C-Media Electronics CMI8738/C3DX Audio rev 0x10: irq 10 audio0 at cmpci0 Texas Instruments TSB43AB21 FireWire rev 0x00 at pci0 dev 7 function 0 not configured uhci0 at pci0 dev 9 function 0 VIA VT83C572 USB rev 0x50: irq 5 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 9 function 1 VIA VT83C572 USB rev 0x50: irq 11 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: VIA UHCI root hub, 
rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered ehci0 at pci0 dev 9 function 2 VIA VT6202 USB rev 0x51: irq 10 usb2 at ehci0: USB revision 2.0 uhub2 at usb2 uhub2: VIA EHCI root hub, rev 2.00/1.00, addr 1 uhub2: 4 ports with 4 removable, self powered fxp0 at pci0 dev 12 function 0 Intel 8255x rev 0x0c, i82550: irq 5, address 00:02:b3:cb:23:3d inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4 ral0 at pci0 dev 13 function 0 Ralink RT2560 rev 0x01: irq 11, address 00:0e:2e:51:b2:f1 ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525 puc0 at pci0 dev 14
rate limiting an interface
3.9 GENERIC#617 i386 Wanted to know what are the possible ways to rate limit an ethernet interface, if queues in pf will do this, or is any other way, I have a 2meg colo connection and don't want to go over it or I'll get charged, and the ISP won't cap it, so I have to cap myself. Thanks -- -Lawrence
Re: rate limiting an interface
On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote: Lawrence Horvath wrote: 3.9 GENERIC#617 i386 Wanted to know what are the possible ways to rate limit an ethernet interface, if queues in pf will do this, or is any other way, I have a 2meg colo connection and don't want to go over it or I'll get charged, and the ISP won't cap it, so I have to cap myself. Thanks You can rate limit with the altq built into pf. -- John R. Shannon, CISSP [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Can I rate limit both ways, incoming and outgoing, the pf documentation for queues said only one way, but is there a way to keep the system from downloading as much to it? so as to keep under my quota going both ways? -- -Lawrence
Re: rate limiting an interface
Lawrence Horvath [EMAIL PROTECTED] wrote on Thu 15.Jun'06 at 13:27:54 -0700 On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote: Lawrence Horvath wrote: 3.9 GENERIC#617 i386 Wanted to know what are the possible ways to rate limit an ethernet interface, if queues in pf will do this, or is any other way, I have a 2meg colo connection and don't want to go over it or I'll get charged, and the ISP won't cap it, so I have to cap myself. Thanks You can rate limit with the altq built into pf. -- John R. Shannon, CISSP [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Can I rate limit both ways, incoming and outgoing, the pf documentation for queues said only one way, but is there a way to keep the system from downloading as much to it? so as to keep under my quota going both ways? Think about this, a bit. If you don't realize what's wrong with the notation of limiting incoming traffic to not download as much to it then well, shit. -- -Lawrence -- Thordur I. Bjornsson Philosophy is to the real world as masturbation is to sex. -- Karl Marx
Re: mount_msdos error
Fred Crowson wrote: Hi Misc, I keep getting the following error, when trying to mount a 2GB Sony Memory Stick Pro Duo (MSX-M2GN) in my Sony T7 digital camera: nike:fred /home/fred sudo mount /mnt/t7 mount_msdos: /dev/sd1i on /mnt/t7: Inappropriate file type or format Can anyone help me debug this issue? It mounts fine when I use a 256Mb Sony Memory Stick Pro Duo. This is on a 3.9 box dmesg follows at the end, I've also included fdisk and disklabel output, any clue sticks would be greatly appreciated... thanks Fred [snip] nike:fred /home/fred fdisk sd1 fdisk: sysctl(machdep.bios.diskinfo): Device not configured Disk: sd1 geometry: 1980/64/32 [4055040 Sectors] Offset: 0 Signature: 0xAA55 Starting Ending LBA Info: #: idC H S -C H S [ start: size ] *0: 060 7 32 - 1979 56 1 [ 255: 4054530 ] DOS 32MB That does not look like ANY DOS disk I've ever seen. The initial sector on the drive has the DOS partition table. (easy to find) Generally, the first stuff on the drive comes on the track immediately following that sector. This is typically after 63 sectors on hard drives, but a power of 2 (like 32 is more plausible on something electronic) (64 might work, but I'm sure SOMETHING would find a way to make 64 act like 0) If it were mine, the first thing I'd try is starting the dos thingee at cylinder 0 head 1 sector 1 which would put the LBA start at 32 But this is yours, and this wouldn't be the first time I've been totally wrong.
binat on which interface?? - Equality
Hi, I am trying to use binat for the first time. Been using OpenBSD since the 2.7 days, but never had a need for binat. Looking at an example in the pf FAQ, I get
web_serv_int=192.168.1.100
web_serv_ext=24.5.0.6
binat on tl0 from $web_serv_int to any -> $web_serv_ext
The way I think it would have to work, tl0 would be the interface on the internal network (192.168.1.X). eg:
web_serv_int=192.168.1.100
web_serv_ext=24.5.0.6
int_if=tl0
binat on $int_if from $web_serv_int to any -> $web_serv_ext
If this is the case, then I will continue my thoughts... My brain is a bit different from this example, I see connections coming in from the Internet and being sent over to the internal web server. Since this is a binat situation, the following should be identical...
web_serv_int=192.168.1.100
web_serv_ext=24.5.0.6
int_if=tl0
ext_if=tl1
binat on $ext_if from any to $web_serv_ext -> $web_serv_int
Are these exactly the same?? Thanks, Steve Williams
Re: mount_msdos error
On 2006/06/15 16:16, Tony Abernethy wrote: nike:fred /home/fred fdisk sd1 fdisk: sysctl(machdep.bios.diskinfo): Device not configured Disk: sd1 geometry: 1980/64/32 [4055040 Sectors] Offset: 0 Signature: 0xAA55 Starting Ending LBA Info: #: idC H S -C H S [ start: size ] *0: 060 7 32 - 1979 56 1 [ 255: 4054530 ] DOS 32MB That does not look like ANY DOS disk I've ever seen. The initial sector on the drive has the DOS partition table. (easy to find) Generally, the first stuff on the drive comes on the track immediately following that sector. This is typically after 63 sectors on hard drives, but a power of 2 (like 32 is more plausible on something electronic) (64 might work, but I'm sure SOMETHING would find a way to make 64 act like 0) Who knows what geometry it was formatted with? FAT boot sector, etc, are quite easy to spot - try dd if=/dev/sd1i count=1 | hexdump -C with reference to another FAT partition that can be mounted successfully and http://en.wikipedia.org/wiki/File_Allocation_Table and you'll soon know if the partition table is correct. I wonder if reformatting the card might get it into some shape where it can be seen by both camera and OpenBSD... may be worth dd'ing an image of it as it currently stands before doing this, so it can be restored if necessary.
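The check suggested in the message above, written out as an added example that is not part of the original post: it reads the MBR entry from a saved image, tests whether the sector at the recorded LBA start is a plausible FAT boot sector, and lists sectors that do pass. Function names and both test images are constructed here (only the start 255 and size 4054530 come from the fdisk output); the hidden-sectors comparison is a soft hint, since not every formatter fills that field.

```python
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Return (slot, type, lba_start, sector_count) for each used MBR entry."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 55 AA signature")
    used = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot:462 + 16 * slot]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] and count:              # entry[4] is the partition type byte
            used.append((slot, entry[4], start, count))
    return used

def fat_problems(sec, expect_start=None, expect_count=None):
    """List the reasons `sec` is not a plausible FAT12/16 boot sector."""
    if len(sec) < SECTOR:
        return ["short read"]
    bad = []
    if sec[510:512] != b"\x55\xaa":
        bad.append("no 55 AA signature at offset 510")
    if not ((sec[0] == 0xEB and sec[2] == 0x90) or sec[0] == 0xE9):
        bad.append("no x86 jump at offset 0")
    # BIOS parameter block: bytes/sector, sectors/cluster, reserved, FAT count
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    if bps not in (512, 1024, 2048, 4096):
        bad.append(f"bytes/sector is {bps}")
    if spc == 0 or spc & (spc - 1):
        bad.append(f"sectors/cluster {spc} is not a power of two")
    if reserved == 0:
        bad.append("zero reserved sectors")
    if nfats not in (1, 2):
        bad.append(f"{nfats} FATs")
    total16, = struct.unpack_from("<H", sec, 19)
    hidden, total32 = struct.unpack_from("<II", sec, 28)
    # Cross-checks against the partition table entry (soft hints).
    if expect_start is not None and hidden != expect_start:
        bad.append(f"hidden sectors {hidden} != table start {expect_start}")
    if expect_count is not None and (total16 or total32) > expect_count:
        bad.append("filesystem is larger than the partition")
    return bad

def find_fat_boot_sectors(image, limit=2048):
    """Sector numbers below `limit` that pass the structural checks."""
    n = min(limit, len(image) // SECTOR)
    return [lba for lba in range(n)
            if not fat_problems(image[lba * SECTOR:(lba + 1) * SECTOR])]

def check_image(image):
    """Compare every MBR entry with what is actually on the image."""
    candidates = find_fat_boot_sectors(image)
    report = []
    for slot, ptype, start, count in parse_mbr(image[:SECTOR]):
        sec = image[start * SECTOR:(start + 1) * SECTOR]
        report.append({"slot": slot, "type": ptype, "start": start,
                       "problems": fat_problems(sec, start, count),
                       "candidates": candidates})
    return report

# ---- constructed test data (not taken from the poster's card) ----
def make_boot_sector(hidden, total):
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHBHHBHHHII", sec, 11,
                     512, 64, 1, 2, 512, 0, 0xF8, 248, 32, 64, hidden, total)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def make_image(table_start, real_start, count=4054530, sectors=300):
    """Image whose MBR says `table_start` while the FAT sits at `real_start`."""
    img = bytearray(sectors * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446,
                     0x80, b"\0\0\0", 0x06, b"\0\0\0", table_start, count)
    img[510:512] = b"\x55\xaa"
    img[real_start * SECTOR:(real_start + 1) * SECTOR] = \
        make_boot_sector(real_start, count)
    return bytes(img)

GOOD = make_image(255, 255)   # table and filesystem agree
BAD = make_image(255, 32)     # table deliberately points at the wrong sector

if __name__ == "__main__":
    for name, img in (("GOOD", GOOD), ("BAD", BAD)):
        for r in check_image(img):
            print(name, "slot", r["slot"], "start", r["start"],
                  "problems:", r["problems"] or "none",
                  "FAT boot sectors found at:", r["candidates"])
```

Run against an image taken with dd rather than the live device, so the card can be restored as the message recommends.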
Re: rate limiting an interface
Thordur I. Bjornsson wrote: Lawrence Horvath [EMAIL PROTECTED] wrote on Thu 15.Jun'06 at 13:27:54 -0700 Can I rate limit both ways, incoming and outgoing, the pf documentation for queues said only one way, but is there a way to keep the system from downloading as much to it? so as to keep under my quota going both ways? Think about this, a bit. If you don't realize what's wrong with the notation of limiting incoming traffic to not download as much to it then well, shit. I've never tried it so I could be way off, but has anyone thought about doing the reverse of prioritizing ACKs to limit downloads? Specifically, assign the ACKs to a cbq with a small fixed bandwidth so that the source is fooled into thinking that you can't receive as fast as you really can. With a little math you should be able to come up with a bandwidth amount for ACKs that will result in the choked download you require. Of course, this assumes that your packets are max size and that this is TCP traffic only. Like I said, I've never tried it, but it may be worth a shot. Breeno
Re: rate limiting an interface
On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote: Lawrence Horvath wrote: On 6/15/06, John R. Shannon [EMAIL PROTECTED] wrote: Lawrence Horvath wrote: 3.9 GENERIC#617 i386 Wanted to know what are the possible ways to rate limit an ethernet interface, if queues in pf will do this, or is any other way, I have a 2meg colo connection and don't want to go over it or I'll get charged, and the ISP won't cap it, so I have to cap myself. Thanks You can rate limit with the altq built into pf. -- John R. Shannon, CISSP [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Can I rate limit both ways, incoming and outgoing, the pf documentation for queues said only one way, but is there a way to keep the system from downloading as much to it? so as to keep under my quota going both ways? You might find this E-mail answers your question: http://lists.freebsd.org/pipermail/freebsd-pf/2005-November/001657.html -- John R. Shannon, CISSP [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Thank you for that link, I was under the impression that altq wouldn't work on incoming, period, but the link helped, thank you -- -Lawrence
Re: Fwd: Hifn policy on documentation
Siju George wrote: This is the mail I got from Hifn representative for my response to his mail and clarifications in misc. ... Hank Cohen On my own account. Well, hopefully this will encourage Mr. Cohen to think hard about a situation before he wallows in and posts something to a public list which is not in the interests of his customers. I would also like to point out that I never received a reply to my message. I guess that Hifn employees only respond when customers insult them on public lists. This doesn't bode well for the documentation issue. Breeno
Privilege bracketing in Solaris 10
Hi List, This has just been published at my work: http://www.sun.com/blueprints/0406/819-6320.pdf I'm not a C developer so it is mostly Greek to me, but others may find some concepts therein useful.
package dependencies
quick one for you knowledgeable chaps/chapesses... If one does not have OpenBSD installed how would one obtain a list of the dependencies of a certain package, say gnome-desktop for arguments sake? Many thanks poncenby p.s. this question comes from the need to know the exact packages to download and burn to CD in order to get a reasonably usable desktop system running gnome, when said system has no connection to the interweb p.p.s there is possibly a chance I have overlooked the answer to the above question on the archives / web and for that I apologise!
Re: package dependencies
On Thu, Jun 15, 2006 at 10:47:40PM +0100, poncenby wrote: p.s. this question comes from the need to know the exact packages to download and burn to CD in order to get a reasonably usable desktop system running gnome, when said system has no connection to the interweb If the net won't come to the box, take the box to the net. -- Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]
Re: package dependencies
From: [EMAIL PROTECTED] If one does not have OpenBSD installed how would one obtain a list of the dependencies of a certain package, say gnome-desktop for arguments sake? $ cd /usr/ports/x11/gnome/desktop/ $ make describe gnome-desktop-2.10.2p1|x11/gnome/desktop||components for the GNOME desktop|x11/gnome/desktop/pkg/DESCR|The OpenBSD ports mailing-list ports@openbsd.org|x11 x11/gnome|gnomeui-2::x11/gnome/libgnomeui iconv.4::converters/libiconv intl.3:gettext-=0.10.38:devel/gettext startup-notification-1::devel/startup-notification|:devel/gmake :devel/libtool bzip2-*:archivers/bzip2 gettext-=0.14.5:devel/gettext p5-XML-Parser-*:textproc/p5-XML-Parser pkgconfig-*:devel/pkgconfig scrollkeeper-*:textproc/scrollkeeper|gettext-=0.10.38:devel/gettext scrollkeeper-*:textproc/scrollkeeper|any|y|y|y|y Try it from the upper level gnome/ directory to get a recursive listing of packages. You *can* run a make fetch on one net-connected box, and burn the resulting /usr/ports/distfiles out, also. DS
Routing trouble with PPPoE on 3.8
Hello I am trying to connect my obsd 3.8-stable system to internet via PPPoE ( ISDN connection-64Kbps). ppp program reports an established connection, ifconfig shows an IP address assigned to tun0 interface. But i simply can't use any program like ping, ftp or firefox to connect to any server. They say no route to host. I must be doing something stupid. Is the pf ruleset the problem? I have configured the userland pppoe with a plain ppp.conf: default: set log Phase Chat LCP IPCP CCP tun command pppoe: set device !/usr/sbin/pppoe -i rl0 set mtu max 1492 set mru max 1492 set speed sync disable acfcomp protocomp deny acfcomp set authname [EMAIL PROTECTED] set authkey When i run ppp, here is what i see- #ifconfig rl0 up #ppp pppoe Working in interactive mode Using interface tun0: ppp ON mycomp dial ppp ON mycomp Warning: deflink: Reducing configured MRU from 1500 to 1492 Ppp ON mycomp PPp ON mycomp PPP ON mycomp $ifconfig lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33224 groups: lo0 inet 127.0.0.1 netmask 0xff00 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 lladr 00:50:ba:a1:b1:0c media: Ethernet autoselect (none) status no carrier inet6 fe80::250:baff:fea7:b47c%rl0 prefixlen 64 scopeid 0x1 pflog0: flags=141UP,RUNNING,PROMISC mtu 33224 pfsync0: flags=0 mtu 1348 enc0: flags=0 mtu 1536 tun0: flags=8011UP,POINTTOPOINT,MULTICAST mtu 1492 inet 210.211.129.64 -- 210.211.128.1 netmask 0x inet6 fe80::250:baff:fea7:b47c%tun0 - prefixlen 64 tentative scopeid 0x6 #cat pf.conf scrub in all block in all block out all antispoof quick for { rl0 tun0 lo0 } pass in log on tun0 proto tcp from any to any port ssh flags S/SA \ synproxy state pass out on tun0 proto tcp all modulate state flags S/SA pass out on tun0 proto { icmp, udp } all keep state pass in log on rl0 proto tcp from any to any port ssh flags S/SA \ synproxy state pass out on rl0 proto tcp all modulate state flags S/SA pass out on rl0 
proto { icmp, udp } all keep state Do i need to have the above three rules for both tun0 and rl0? pf is enabled in rc.conf apart from inetd and sshd. Not running named. This is a simple home PC- i386 with GENERIC kernel patched up to date. rl0 is definitely the right interface, got it from dmesg output. Sorry, did not include dmesg output since it is too long to type. If needed, i will. I did not customize dhclient.conf. I created a hostname.tun0 with just dhcp in it. That did not solve my problem. Still cannot connect. I do not have any other hostname.rl0 etc.No other config files in /etc/ppp directory were changed. I did not customize resolv.conf by hand. Seems like ppp puts stuff in it everytime i invoke it. #cat resolv.conf nameserver 203.197.30.4 nameserver 202.54.2.17 Kindly let me know what i'm doing wrong. Thanks a lot for your time. Srikant. -- Srikant Tangirala [EMAIL PROTECTED] -- http://www.fastmail.fm - The professional email service
Re: package dependencies
From: [EMAIL PROTECTED] p.s. this question comes from the need to know the exact packages to download and burn to CD in order to get a reasonably usable desktop system running gnome, when said system has no connection to the interweb See also: 'make print-build-depends' and 'make print-run-depends' from the desired port directory. These are all covered in ports(7). DS
NFS Slow writes
I'm trying to setup an NFS share, and am getting horrible write performance. Reads are fast as can be expected. I've searched the archives and found several threads on the subject, but no resolutions. I've tried all possible fstab options (that I know of) but none really help with write. I'm currently using ip.addr:/nfs /test/dir nfs rw,nodev,nosuid,tcp,intr,-r=32768,-w=32768 0 0 From (Subject: Re: nfs write speed performance... still)A Nov. 2004 thread ...it seems that the problem is known but no fixes are known or planned for now since there're other priorities... Does anyone still know if this is the case, or have I missed an important thread? Thanks.
Re: ftp problems with OpenBSD 3.9
How do I compile it? I know I can look at previous patches and possibly figure it out but I wouldn't know if it's the proper way to do it. I have a test machine all setup and ready and my pwd is /usr/src/libexec/ftpd.
Re: ddos mail attack thwarted by spamd greylisting!
On Thu, Jun 15, 2006 at 10:02:49AM +0700, riwanlky wrote: Hi Guys, I am going to install IDS for my firewall. According to this message snort have problem, is there any alternative IDS? Is there any IPS? I've heard good things about Bro-IDS http://www.bro-ids.org. It's not in ports, though, and does share all the intrinsic problems of an IDS with Snort. I've never tried it myself, though. Snort-inline will work as an IPS on Linux boxes. Joachim
Re: Erro compilirg eet-0.9.10.027 Your OS does not support C99's '%a'
On Mon, Jun 12, 2006 at 02:34:33PM -0500, uv negativa wrote: hi i compiled eet an say: configure: error: Unsupported Operating System! Your OS does not support C99's '%a' string format. Eet cannot function without it. Please contact your OS vendor to get updates for C99 '%a' floating point format read/write support or change operating systems for one with support for an already very old standard. (Linux is known to support this, as is Solaris 10) howto active this or howto compile? Look into the program itself for support, or fix it not to use %a. Alternatively, patch printf(3) to accept %a. Joachim
Re: ddos mail attack thwarted by spamd greylisting!
On Tue, Jun 13, 2006 at 01:07:46AM -0600, Bob Beck wrote: Luckily, spamd greylisting saved the day. If it wasn't for BASE/snort reporting of the portscan, I wouldn't have even bothered looking in my logs tonite, and probably would never have been aware of the thwarted attempt. Good thing they're only portscanning and mailbombing you then, and not exploiting one of the bazillions of snort overflows ;) If it was set up properly, exploiting Snort wouldn't gain anyone anything more serious than the ability to mess up Snort logs. Granted, that can be useful... Joachim
Re: Spam Trapping
On Wed, Jun 14, 2006 at 08:29:17PM +0100, tony sarendal wrote: On 14/06/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Wed, Jun 14, 2006 at 09:31:49AM -0700, John Draper wrote: Mike Spenard wrote: What are some thoughts on purposely getting a spam trap email address acquired by spammers and the best way to do so. It is hard to do initially, unless you want to spend a lot of time signing up for things over the web... In my case, I have a very good spam trap. But I host about 60 Email users and I changed everyone's Email address (with their cooperation), and removed them from any mailing lists they might have joined. Eventually, almost all of these accounts have Pure spam coming in. Next I forwarded each of them to [EMAIL PROTECTED] and presto... I have a 100% spam source I can feed directly into my spam reporting engine. Most of these addresses have taken years to accumulate this spam. This is by far the best way... we used to have 'spammers ? spam this [EMAIL PROTECTED]' at the bottom of each page so that crawlers would spam it. also, we had a few systems accounts, not supposed to receive mail, act as spam traps which proved to be quite efficient. So what do you guys do with the email hitting the spam traps ? My email address [EMAIL PROTECTED] has been used as From address by spammers, does that mean that I can't send you guys emails ? Or do you do something else like teach spamassassin and record source IP addresses ? Well, spamd works by source IP. Assuming a sane network setup, it shouldn't reject too much legitimate mail. Joachim
Re: developing a backup strategy
On Wed, Jun 14, 2006 at 03:27:18AM +, Travers Buda wrote: On Mon, 12 Jun 2006 10:41:55 -0700 prad [EMAIL PROTECTED] wrote: i've gone through the threads: Recommendations for an OpenBSD-based Backup Solution remote data backup and am contemplating the ideas as they apply to my rather simple setup - 2 webservers (one does email as well). not too much changes on them and not a lot of stuff on them either (under 5G combined including OpenBSD). what i've done in the past is just scp the etc and a few other directories that contain data with the intention of reinstalling OpenBSD and putting those directories back in (if disaster strikes). is this too simplistic and inefficient a solution? should i be thinking of incremental backups say with dump? does it make any sense to rsync the entire server drive? What Bob Beck said is all good stuff. Made me chuckle. This mostly applies to data that is changing on the box ( like e-mail spools ) rather than configs: My favorite solution is rsnapshot in ports. It beats rsync and scp because not only does it allow you to specify what and when to backup, but it uses hard links. What's that got to do with anything? Well it rsyncs everything on the first backup, and only the differences there after. But it makes every backup look like a full backup (every file) because it hard-links the unchanged stuff into the latest backup dir. So you get a complete backup dir every time sans lots of file transfers and space taken up on the backup storage box. This is a very good thing. The downside, of course, is that it's hard to keep the disk separate from the machines you are trying to protect. Of course, I use AMANDA with tapes, and the tapes are just above my computers. They are not primarily meant to safeguard *my* data, but still... (Most of my personal data is in a RAIDed Subversion repository of which at least two checkouts exist at any given time, so it's not too likely that everything fails at once.) 
On a side note, AMANDA is both very good and very bad. It really only works well with tapes, encrypting backups is possible but clunky, and it doesn't like firewalls at all. However, aside from these problems, it does all a backup package should do. Joachim
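The hard-link snapshot scheme described in the message above, as an added illustration that is neither rsnapshot's code nor part of the original post: unchanged files are linked into the new snapshot, changed ones are copied, and the demo also shows the integrity caveat that an in-place write through one snapshot's name alters every snapshot sharing that inode. File names and contents are constructed, and the functions `snapshot` and `demo` are hypothetical.

```python
import filecmp
import os
import shutil
import tempfile

def snapshot(src, dest, prev=None):
    """Copy tree `src` to `dest`, hard-linking files unchanged since `prev`.

    Returns (linked, copied) counts.
    """
    linked = copied = 0
    for root, _dirs, files in os.walk(src):
        rel = os.path.relpath(root, src)
        os.makedirs(os.path.join(dest, rel), exist_ok=True)
        for name in files:
            s = os.path.join(root, name)
            d = os.path.join(dest, rel, name)
            p = os.path.join(prev, rel, name) if prev else None
            if p and os.path.isfile(p) and filecmp.cmp(s, p, shallow=False):
                os.link(p, d)          # same inode, no extra data blocks
                linked += 1
            else:
                shutil.copy2(s, d)     # new or changed file: real copy
                copied += 1
    return linked, copied

def demo():
    """Two snapshots of a constructed tree, then an in-place write."""
    base = tempfile.mkdtemp()
    try:
        src = os.path.join(base, "src")
        os.makedirs(os.path.join(src, "etc"))
        conf = os.path.join(src, "etc", "pf.conf")
        motd = os.path.join(src, "etc", "motd")
        with open(conf, "w") as f:
            f.write("block in all\n")
        with open(motd, "w") as f:
            f.write("hello\n")

        snap0 = os.path.join(base, "daily.1")
        snap1 = os.path.join(base, "daily.0")
        first = snapshot(src, snap0)

        with open(motd, "w") as f:     # only motd changes between runs
            f.write("hello again\n")
        second = snapshot(src, snap1, prev=snap0)

        old_conf = os.path.join(snap0, "etc", "pf.conf")
        new_conf = os.path.join(snap1, "etc", "pf.conf")
        same_inode = os.stat(old_conf).st_ino == os.stat(new_conf).st_ino
        links = os.stat(old_conf).st_nlink

        # Appending through the newest snapshot's name edits the shared inode.
        with open(new_conf, "a") as f:
            f.write("# tampered\n")
        with open(old_conf) as f:
            old_altered = "# tampered" in f.read()

        with open(os.path.join(snap0, "etc", "motd")) as f:
            old_motd = f.read()
        return {"first": first, "second": second, "same_inode": same_inode,
                "links": links, "old_snapshot_altered": old_altered,
                "old_motd": old_motd}
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Because every snapshot of an unchanged file is one inode, write access to the backup store should be treated as write access to all generations at once.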
Re: Routing trouble with PPPoE on 3.8
On 6/15/06, Srikant Tangirala [EMAIL PROTECTED] wrote:
Hello
I am trying to connect my obsd 3.8-stable system to internet via PPPoE ( ISDN connection-64Kbps). ppp program reports an established connection, ifconfig shows an IP address assigned to tun0 interface. But i simply can't use any program like ping, ftp or firefox to connect to any server. They say no route to host. I must be doing something stupid. Is the pf ruleset the problem?
I have configured the userland pppoe with a plain ppp.conf:
    default:
     set log Phase Chat LCP IPCP CCP tun command
    pppoe:
     set device !/usr/sbin/pppoe -i rl0
     set mtu max 1492
     set mru max 1492
     set speed sync
     disable acfcomp protocomp
     deny acfcomp
     set authname [EMAIL PROTECTED]
     set authkey
When i run ppp, here is what i see-
    #ifconfig rl0 up
    #ppp pppoe
    Working in interactive mode
    Using interface tun0:
    ppp ON mycomp dial
    ppp ON mycomp Warning: deflink: Reducing configured MRU from 1500 to 1492
    Ppp ON mycomp
    PPp ON mycomp
    PPP ON mycomp
    $ifconfig
    lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33224
            groups: lo0
            inet 127.0.0.1 netmask 0xff00
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
            lladr 00:50:ba:a1:b1:0c
            media: Ethernet autoselect (none)
            status no carrier
            inet6 fe80::250:baff:fea7:b47c%rl0 prefixlen 64 scopeid 0x1
    pflog0: flags=141UP,RUNNING,PROMISC mtu 33224
    pfsync0: flags=0 mtu 1348
    enc0: flags=0 mtu 1536
    tun0: flags=8011UP,POINTTOPOINT,MULTICAST mtu 1492
            inet 210.211.129.64 -- 210.211.128.1 netmask 0x
            inet6 fe80::250:baff:fea7:b47c%tun0 - prefixlen 64 tentative scopeid 0x6
    #cat pf.conf
    scrub in all
    block in all
    block out all
    antispoof quick for { rl0 tun0 lo0 }
    pass in log on tun0 proto tcp from any to any port ssh flags S/SA \
        synproxy state
    pass out on tun0 proto tcp all modulate state flags S/SA
    pass out on tun0 proto { icmp, udp } all keep state
    pass in log on rl0 proto tcp from any to any port ssh flags S/SA \
        synproxy state
    pass out on rl0 proto tcp all modulate state flags S/SA
    pass out on rl0 proto { icmp, udp } all keep state
Do i need to have the above three rules for both tun0 and rl0? pf is enabled in rc.conf apart from inetd and sshd. Not running named. This is a simple home PC- i386 with GENERIC kernel patched up to date. rl0 is definitely the right interface, got it from dmesg output. Sorry, did not include dmesg output since it is too long to type. If needed, i will. I did not customize dhclient.conf. I created a hostname.tun0 with just dhcp in it. That did not solve my problem. Still cannot connect. I do not have any other hostname.rl0 etc. No other config files in /etc/ppp directory were changed. I did not customize resolv.conf by hand. Seems like ppp puts stuff in it every time i invoke it.
    #cat resolv.conf
    nameserver 203.197.30.4
    nameserver 202.54.2.17
Kindly let me know what i'm doing wrong. Thanks a lot for your time.
Srikant.
-- Srikant Tangirala [EMAIL PROTECTED]
Hello, make sure you're not mixing man pppoe(4) and pppoe(8) together. Hope this will help you verify that this is not a problem.
rogern
John 3:16
Re: Privilege bracketing in Solaris 10
http://www.sun.com/blueprints/0406/819-6320.pdf
I'm not a C developer so it is mostly Greek to me, but others may find some concepts therein useful.
30 years after VMS and 40 years after EMAS. Ivan Sutherland sure had it right with his observation of the great wheel of reincarnation as it applies to computing...
G
Re: error clamav at 3.9
Hi guys,
I am trying to install Clamav on 3.9. Previously I used Clamav on 3.8 and without need to make install the unarj. Managed to make install unarj. However Clamav requires unrar and I got this error.
    # make install
    === Checking files for unrar-3.54p0
    unrarsrc-3.5.4.tar.gz doesn't seem to exist on this system.
    Fetch http://www.rarlab.com/rar/unrarsrc-3.5.4.tar.gz.
    Size does not match for /usr/ports/distfiles/unrarsrc-3.5.4.tar.gz
    /bin/sh: test: unrarsrc-3.5.4.tar.gz: unexpected operator/operand
    *** Error code 2
    Stop in /usr/ports/archivers/unrar (line 2106 of /usr/ports/infrastructure/mk/bsd.port.mk).
    *** Error code 1
    Stop in /usr/ports/archivers/unrar (line 1561 of /usr/ports/infrastructure/mk/bsd.port.mk).
    *** Error code 1
    Stop in /usr/ports/archivers/unrar (line 1750 of /usr/ports/infrastructure/mk/bsd.port.mk).
Thanks and looking forward to get more information.
Brgds, Riwan
At 12:09 AM 5/5/2006 -0400, Michael Erdely wrote:
sonjaya wrote:
i try using port
    # cd /usr/ports/archivers/unarj/
    # make install
    make: don't know how to make install. Stop in /usr/ports/archivers/unarj.
You've got problems with your ports tree. rm -Rf /usr/ports and re-unpack ports.tar.gz. I tried on my vanilla 3.9 machine with no problems.
-ME
-- Support OpenBSD: http://www.openbsd.org/orders.html
LostFound with PF-Tables?!?!
Hello everybody,
I configured a pf and I used the same config for a lot of servers. But I noticed something.. strange today after a 3.9-i386 Server had a reboot. pf is started by default and the config was also used with 3.8 (same Server..).
Example-Rule pasted:
    table <dssh> persist
    pass in on $ext_if proto tcp to $web_server \
        port 22 flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 3/10, overload <dssh> flush)
The problem I have is that pf did not add the table dssh after the startup. I noticed that during another dumb ssh-bruteforce today where the src. host was not blocked automatically. As I tried to take a look at all the hundreds of hosts which may also have tried a BF already using
    sudo pfctl -T show -t dssh
I simply got the answer that such a table does not exist. So I added this (and some other tables for the overload-stuff) by hand..
I just have the question: Is there somebody out there where there happened exactly the same?! I just was.. surprised by that (and confused too maybe..). :-/
Kind regards, Sebastian
Re: ftp problems with OpenBSD 3.9
Smith wrote:
how do I compile it. I know I can look at previous patches and possibly figure it out but I wouldn't know if it's the proper way to do it. I have a test machine all setup and ready and my pwd is /usr/src/libexec/ftpd.
Just replied privately, but since you asked publicly also, should reply for the list, in case anyone else wants to try... And since replying to you, I've tested it. It at least seems to work. Not sure it fixes your problem, however.
    make obj
    make
    make install
Stop and restart ftpd if you are running it as a daemon (ftpd -D), and you should be able to test...
Nick.
Re: NFS Slow writes
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Bostwick (Lists)
Sent: Thursday, June 15, 2006 6:05 PM
To: misc@openbsd.org
Subject: NFS Slow writes
I'm trying to setup an NFS share, and am getting horrible write performance. Reads are fast as can be expected. I've searched the archives and found several threads on the subject, but no resolutions. I've tried all possible fstab options (that I know of) but none really help with write. I'm currently using
    ip.addr:/nfs /test/dir nfs rw,nodev,nosuid,tcp,intr,-r=32768,-w=32768 0 0
From (Subject: Re: nfs write speed performance... still) A Nov. 2004 thread
...it seems that the problem is known but no fixes are known or planned for now since there're other priorities...
Does anyone still know if this is the case, or have I missed an important thread? Thanks.
Newer versions of nfs are set to 'sync' by default. Change to 'async' and check performance.
-C
Re: LostFound with PF-Tables?!?!
On Fri, Jun 16, 2006 at 03:31:01AM +0200, [EMAIL PROTECTED] wrote:
    table <dssh> persist
    pass in on $ext_if proto tcp to $web_server \
        port 22 flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 3/10, overload <dssh> flush)
The problem I have is that pf did not add the table dssh after the startup. I noticed that during another dumb ssh-bruteforce today where the src. host was not blocked automatically.
What does pfctl -nf /etc/pf.conf say? Anything?
--
Darrin Chandler | Phoenix BSD Users Group
[EMAIL PROTECTED] | http://bsd.phoenix.az.us/
http://www.stilyagin.com/ |
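A check for the situation in this thread, where an overload table is absent after boot and brute-force sources are therefore never blocked: it lists every overload table named in a ruleset and reports whether it is declared there and whether it appears in the output of pfctl -s Tables. This is an added example, not part of either post; the second rule, its dweb table and the sample table listing are constructed.

```shell
# Table names used as overload targets in the ruleset file $1.
overload_tables() {
    awk '{
        sub(/#.*/, "")                         # drop comments
        while (match($0, /overload[ \t]*<[^>]+>/)) {
            name = substr($0, RSTART, RLENGTH)
            gsub(/.*<|>/, "", name)            # keep only the table name
            print name
            $0 = substr($0, RSTART + RLENGTH)  # look for further clauses
        }
    }' "$1" | sort -u
}

# Table names declared by a "table <name> ..." line in the ruleset file $1.
declared_tables() {
    awk '{ sub(/#.*/, "") }
         $1 == "table" && $2 ~ /^<[^>]+>$/ { gsub(/[<>]/, "", $2); print $2 }' "$1"
}

# Print "<name> declared=yes|no loaded=yes|no" for every overload table.
# $1 = ruleset file, $2 = file holding the output of `pfctl -s Tables`.
audit_overload_tables() {
    decl=$(declared_tables "$1")
    for t in $(overload_tables "$1"); do
        d=no; l=no
        printf '%s\n' "$decl" | grep -qxF -- "$t" && d=yes
        grep -qxF -- "$t" "$2" && l=yes
        echo "$t declared=$d loaded=$l"
    done
}

# Constructed sample: the rule from the thread plus a hypothetical second
# rule whose overload table <dweb> has no "table" line.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pf.conf" <<'EOF'
table <dssh> persist
pass in on $ext_if proto tcp to $web_server \
    port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/10, overload <dssh> flush)
pass in on $ext_if proto tcp to $web_server port 80 keep state \
    (max-src-conn-rate 100/10, overload <dweb> flush)   # hypothetical rule
EOF
    printf 'dweb\n' > "$dir/loaded"    # constructed `pfctl -s Tables` output
    audit_overload_tables "$dir/pf.conf" "$dir/loaded"
    rm -rf "$dir"
}
demo
```

On a live system, save the output of pfctl -s Tables to a file and pass it as the second argument together with /etc/pf.conf; a line ending in loaded=no is the condition described in the first post.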
Re: Azalia no sound
vladas wrote:
On 15/06/06, bdz [EMAIL PROTECTED] wrote:
hi misc, i have azalia loaded at boot time ok, but there is no sound out. the wmmixer says wmmixer : Sorry, no supported channels found.. the mpg123 can play the mp3 file (no error messages) but i can hear nothing. any idea?
wmmixer will not help. try altering all values manually, with the audioctl -w or mixerctl. this helped me. what I did was playing with all outputs part e.g. mixerctl outputs.master=100,100. see what works for you.
yeah but as you can see (in my orig post) there is no outputs.master in mixerctl -a. that is my problem that the output is full of unknowns. i have no idea what values should be adjusted as all unknown. what i tried never helped. all other known values are 123,123 that is look normal.
Re: rate limiting an interface
On Friday 16 June 2006 04:27, Lawrence Horvath wrote:
You can rate limit with the altq built into pf.
Can i rate limit both ways, incoming and outgoing, the pf documentation for queues sd only one way, but is there a way to keep the system from downloading as much to it? so as to keep under my quota going both ways?
Yes, but not in a way that will guarantee that you won't get more than 2Mb incoming. In fact, there is NO way you can effectively shape incoming traffic in this situation, no matter what OS you run. If someone wants to send you a boatload of traffic and your colo isn't capping your bandwidth you will most likely go over 2Mb and there's nothing you can do about it since you can't cancel packets that have already gone over the wire. If the colo can't/won't cap incoming traffic and want to charge you for going over your limit they're either ignorant, lazy or trying to scam you.
--- Lars
Re: Pulled out an old song..
Peter Philipp wrote:
I was just going through my OpenBSD cd's and came across the first cd with a song... Interestingly enough I didn't find an mp3 with it as combined with newer releases. Anyhow can anyone confirm this rmd160 checksum after the song is cdparanoia'd?
    # rmd160 track02.cdda.wav
    RMD160 (track02.cdda.wav) = 1053805b53962e22028768516285da1cba5e4454
CD-tracks don't work that way. Rip it again and you'll probably find another checksum.
# Han
NFS Slow writes
I've narrowed the problem down. I'm running an FTP server (vsftpd) whose users' home dirs are on an nfs share. If I run vsftpd without mounting the nfs share (and create a user with a valid home dir) I get 21MB/s uploads. If I copy a file from the OBSD box to a dir on the NFS mount, I get 8MB/s. However if I ftp to the nfs share I get 700KB/s uploads. Downloads are fast either way, it's just the writes that seem really slow. Vsftpd is starting through inetd (but I tried standalone and it made no difference.) Is there some sort of incompatibility in doing it this way? Any thoughts would be greatly appreciated.
Re: Pulled out an old song..
Han Boetes wrote:
Peter Philipp wrote:
I was just going through my OpenBSD cd's and came across the first cd with a song... Interestingly enough I didn't find an mp3 with it as combined with newer releases. Anyhow can anyone confirm this rmd160 checksum after the song is cdparanoia'd?
    # rmd160 track02.cdda.wav
    RMD160 (track02.cdda.wav) = 1053805b53962e22028768516285da1cba5e4454
CD-tracks don't work that way. Rip it again and you'll probably find another checksum.
Forgive my ignorance but how could CD-tracks not work that way? As far as I understand it, the only difference between a data track and an audio track is that a data track divides a sector into a data portion and a checksum portion whereas an audio track uses the entire sector for data. Unless the quality of the CD has deteriorated, where does the random element come from?
-- Jason Stubbs
Re: package dependencies
On Thu, Jun 15, 2006 at 04:19:26PM -0700, Spruell, Darren-Perot wrote:
From: [EMAIL PROTECTED]
p.s. this question comes from the need to know the exact packages to download and burn to CD in order to get a reasonably usable desktop system running gnome, when said system has no connection to the interweb
See also: 'make print-build-depends' and 'make print-run-depends' from the desired port directory. These are all covered in ports(7).
I faced the same problem quite some time ago (download snapshot with a set of packages (including their dependencies)). The problem with all above methods is that you need a current ports tree version besides the packages as well. What I did is to extract the information in the packages (foo.tgz) and download the result from ftp, until no dependencies are left (it takes care not to download stuff twice). Here is the part getting the parsable dependencies from a .tgz file (yes this is a very dirty hack, but reasonably fast and it works):
    dd if=${pkg}.tgz bs=64k count=1 2>/dev/null | \
        zgrep -a '[EMAIL PROTECTED] ' | \
        awk 'BEGIN{ FS=":" } {print $3".tgz"}' | \
        sed 's/.*\./\*\./'
For pkg = kdebase-3.5.1p4 the output looks like this:
    openldap-client-2.3.11p4.tgz
    glib2-2.8.4.tgz
    libusb-0.1.10ap1.tgz
    cyrus-sasl-2.1.21p2.tgz
    kdelibs-3.5.1p0.tgz
    qt3-mt-3.5p4.tgz
    qt3-mt-3.5p4.tgz
Regards, ahb