Problems with PCMCIA cards
I am a new user having just installed OpenBSD for the first time. I am having trouble with my PCMCIA cards. I have 2 cards, both 3COM, and two PCMCIA slots (TI-PCI1130, see dmesg below). I am currently having two issues: system hangs in bios after reboot and kernel panics when pcmcia card is removed.

I am willing to open up 1 or more bug reports if these cannot be easily resolved, but since my last problem involved using floppyB to boot the system instead of floppyC, I wanted to make sure this was a real issue instead of a "new user doesn't know what he is doing issue". Both problems are easily reproducible, so I can easily gather more information.

Details:

Issue 1:

My system always boots fine from a powered down state, but hangs in the bios after a reboot (type reboot at the cmd prompt). The reboot hangs right after it initializes the mouse and right before it checks the save to disk feature. Powering down and back up causes the system to boot correctly.

I know what you are thinking: This is a hardware issue not an openbsd issue, but hear me out. If I boot the system off a Win95 rescue disk, the system does not hang. When I had slackware installed on the system 1 week ago, it did not hang. And here is the kicker: it only hangs when a pcmcia card is in the slot immediately before openbsd syncs disks to reboot. Consider the following scenarios:

1) Booted to msdos and rebooted: No hang
2) Booted to openbsd and rebooted (card in slot): Hang
3) Booted to openbsd and rebooted (no card in slot): No hang
4) Booted to openbsd and rebooted (no card on boot, inserted after rc.shutdown is complete, but before kernel syncs disks. Insertion mesg printed to the screen by the kernel): Hang
5) Booted to openbsd and rebooted (card on boot, removed after rc.shutdown is complete, but before kernel syncs disks. Detach mesg printed to the screen by the kernel): No hang

Notice the last two cases prove that it is the state of the card when openbsd begins the reboot cycle and has nothing to do with the state of the card during the actual reboot. It seems that openbsd is putting the hardware into a weird state that prevents the bios from properly booting. Interrupt related? maybe?

Insert mesg:
ep1 at pcmcia1 function 0 "3Com, 3C574-TX Fast EtherLink PC Card, A" port 0x340/32, irq 5: address 00:10:4b:f4:b5:57
tqphy0 at ep1 phy 0: 78Q2120 10/100 PHY, rev. 10

Detach mesg:
tqphy0 detached
ep1 detached

The diff of the dmesg of the system booted with and without card is as follows (for quick reference, full dmesgs below):

$ diff ti_extensa660cdt_dmesg_generic ti_extensa660cdt_dmesg_generic_no_cards
10c10
< bios0 at mainbus0: AT/286+(03) BIOS, date 09/06/97, BIOS32 rev. 0 @ 0xf5b16
---
> bios0 at mainbus0: AT/286+(09) BIOS, date 09/06/97, BIOS32 rev. 0 @ 0xf5b16
31c31
< pciide0: channel 1 disabled (no drives)
---
> pciide0: channel 1 ignored (disabled)
58,61c58,59
< ep1 at pcmcia1 function 0 "3Com, 3C574-TX Fast EtherLink PC Card, A" port 0x340/32, irq 9: address 00:10:4b:f4:b5:57
< tqphy0 at ep1 phy 0: 78Q2120 10/100 PHY, rev. 10
< pcic0: irq 5, polling enabled
< biomask ed45 netmask ef45 ttymask ffe7
---
> pcic0: irq 9, polling enabled
> biomask ed65 netmask ed65 ttymask ffe7

Notice that sometimes irq 5 is used and sometimes irq 9 is used. The system hangs on reboot regardless of which irq openbsd selects.

Issue 2:

The top pcmcia slot does not seem to work with openbsd. The lower slot works with both of the cards with no issues. If a card is in the top slot upon boot (or inserted after boot), the kernel is not able to configure the card and ignores it. When the card is removed a kernel page fault error is printed to the screen and a dds> prompt is given. This is true for either card. This issue is repeatable, the same fault occurs every time, with only slightly different pointer values in the trace.

Here is the detailed info for the fault (copied by hand, could contain typos):

Upon insert:
ep1 at pcmcia0 function 0 "3Com, 3C574-TX Fast EtherLink PC Card, A" port 0x340/32, irq 5: address 02:01:02:01:02:01
wrote 7ff to TX_AWAIL_THRESH, read back 4057. Interface disabled

Upon removal of card no detach message is printed, instead:
uvm_fault(0xd05e1aa0, 0x0, 0, 1 ) -> e
kernel: page fault trap, code = 0
Stopped at dhooks+0x3c: movl 0(%esi),%ebx
dds> trace
dohooks(0,3,10,d0a6644) at dohooks+0x3c
if_detach(d08c584c,,,2d,d08c5800) at if_detach+0x53
ep_detach(d08c5800,d08c14,d5528ee4,d08c5800) at ep_detach+0x35
ep_pcmcia_detach(d08c500,1,10,d04a4dac,d084) at ep_pcmcia_detach+0x10
config_detch(d08c500,1,d5528f2c,d0603d4) at config_detach+0x200
pcmcia_card_detach(d04,1,0,d08cdec0,d084c080) at pcmcia_card_detach+0x47
pcic_even_process(d084c080,d08cdec0,0,d5527000) at pcic_event_process+0xe1
pcic_event_thread(d084c080) at pcic_event_thread+0x8a
Bad frame pointer: 0xd070be98
dds> ps (last several lines only, this is a lot of typing...)
...snip...
6000 3 0x100204 pftm
Re: cat -v
On Thu, 27 Jul 2006, Nick Guenther wrote: > Why does cat retain the -[etv], -[bn] and -[s] options? I am reading > the paper cited in cat's manpage and saw 'vis' mentioned. vis is in > base, and line numbering and stripping can be done with sed, so why > does cat have those options? Is for history, just for compatibility, > or has no one ever bothered to remove them (I find this unlikely)? Once you've added a flag to a command it's almost impossible to remove it for compatibility reasons. -Otto
Re: snapshot always actual releases?
> could some one please explain what is means that snapshots are
> *always* actually releases?

In /usr/src/etc/Makefile, there used to be two targets to create tarballs to share a system with someone else:
- make snapshot, which would create rough tarballs of various filesystem locations (bin.tar.gz, sbin.tar.gz, usr.bin.tar.gz, etc)
- make release, which would create the installation media and the thematic tarballs everyone is used to use (base.tgz, comp.tgz, etc).

What is published as OpenBSD snapshots is always the result of ``make release'', which is no different than the way actual releases are built.

Hence the removal of the ``make snapshot'' part, and the comments that our snapshots are (obtained with make) release.

Miod
Re: cat -v
On Thu, 27 Jul 2006 23:58:49 -0400, "Nick Guenther" <[EMAIL PROTECTED]> said: > > > Why does cat retain the -[etv], -[bn] and -[s] options? I am reading > > > the paper cited in cat's manpage and saw 'vis' mentioned. vis is in > > > base, and line numbering and stripping can be done with sed, so why > > > does cat have those options? Is for history, just for compatibility, > > > or has no one ever bothered to remove them (I find this unlikely)? > > > > > > -Nick > > > > Using the same argument, everything that grep, sed and awk can do can be > > done in perl, so why have grep, sed & awk? > > I have been wondering that too somewhat, but I assume it is because > they have different uses and they are easier to use than doing a perl > script every time. > > > All we need to do is teach > > everybody to type "perl -pe 1" in place of "cat". > > That's not the same as what I was asking. "perl -pe 1" is more complex > (in typing and implementation) than "cat", wheras "cat -v" is more > complex than "vis". > > Anyway, I wasn't trying to fight about it, I'm just curious. You haven't heard the term Creeping featurism? It is the desire of UNIX hackers to add every functionality to a command until you can even send mail with it. The -exec option to find is the most classic example of this. With that option, using find, you can do 'anything'. :-) Up to and including rebooting... -- Eric Furman [EMAIL PROTECTED]
azalia problem on nvidia mcp51 hd audio
hi all,

just tried out the new azalia driver on my presario v3000 notebook.. the dmesg seems normal.. but i still cannot play any sound using mpg123 or xmms.. and audioctl cause kernel panic if executed after i tried to play somefile using mpg123.. not so sure what the actual cause is.. but if i change the sample_rate to 48000 (in [EMAIL PROTECTED]) the panic problem doesn't occur but it only produce some weird sound...

tq

# audioctl -a
name=HD-Audio
version=1.0
config=azalia0
encodings=slinear_le:16,slinear_le:16
properties=full_duplex,independent
full_duplex=0
fullduplex=0
blocksize=384
hiwat=170
lowat=127
monitor_gain=0
mode=
play.rate=8000
play.channels=1
play.precision=8
play.encoding=mulaw
play.gain=0
play.balance=32
play.port=0x0
play.avail_ports=0x0
play.seek=0
play.samples=0
play.eof=0
play.pause=0
play.error=0
play.waiting=0
play.open=0
play.active=0
play.buffer_size=65536
record.rate=8000
record.channels=1
record.precision=8
record.encoding=mulaw
record.gain=0
record.balance=32
record.port=0x0
record.avail_ports=0x0
record.seek=0
record.samples=0
record.eof=0
record.pause=0
record.error=0
record.waiting=0
record.open=0
record.active=0
record.buffer_size=65536
record.errors=0

# mpg123 -vv test.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Failed to open /dev/audio: Invalid argument
audio: Invalid argument

#audioctl -a
didn't find Record rate
kernel: integer divide fault trap, code=0
Stopped at audiogetinfo+0x207: idivl 0x11c(%r13),%eax
ddb>trace
audiogetinfo() at audiogetinfo+0x207
audio_ioctl() at audio_ctl+0x62e
audioioctl() at audioioctl+0xad
spec_ioctl() at spec_ioctl+0x47
spec_vnoperate() at spec_vnoperate+0x14
VOP_IOCTL() at VOP_IOCTL+0x39
vn_ioctl() at vn_ioctl+0xfd
sys_ioctl() at sys_ioctl+0x121
syscall() at syscall+0x225
--- syscall (number 54) ---
end of kernel
end of trace frame: 0x1b, count: -9
0x4650f6da:

# dmesg
OpenBSD 3.9-current (GENERIC) #0: Wed Jul 26 21:47:18 MYT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1005244416 (981684K)
avail mem = 849129472 (829228K)
using 22937 buffers containing 100732928 bytes (98372K) of memory
mainbus0 (root)
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xdc010 (27 entries)
bios0: Hewlett-Packard Presario V3000 (RB768PA#UUF)
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Turion(tm) 64 X2 , 1607.53 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 256KB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
"NVIDIA C51 Host" rev 0xa2 at pci0 dev 0 function 0 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 1 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 2 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 3 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 4 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 5 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 6 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 7 not configured
ppb0 at pci0 dev 2 function 0 "NVIDIA C51 PCIE" rev 0xa1
pci1 at ppb0 bus 1
vendor "Broadcom", unknown product 0x4311 (class network subclass miscellaneous, rev 0x01) at pci1 dev 0 function 0 not configured
ppb1 at pci0 dev 3 function 0 "NVIDIA C51 PCIE" rev 0xa1
pci2 at ppb1 bus 2
vga1 at pci0 dev 5 function 0 vendor "NVIDIA", unknown product 0x0244 rev 0xa2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"NVIDIA MCP51 Host" rev 0xa2 at pci0 dev 9 function 0 not configured
pcib0 at pci0 dev 10 function 0 "NVIDIA MCP51 ISA" rev 0xa3
nviic0 at pci0 dev 10 function 1 "NVIDIA MCP51 SMBus" rev 0xa3
iic0 at nviic0
iic1 at nviic0
vendor "NVIDIA", unknown product 0x0271 (class processor subclass Co-processor, rev 0xa3) at pci0 dev 10 function 3 not configured
ohci0 at pci0 dev 11 function 0 "NVIDIA MCP51 USB" rev 0xa3: irq 11, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 8 ports with 8 removable, self powered
ehci0 at pci0 dev 11 function 1 "NVIDIA MCP51 USB" rev 0xa3: irq 7
ehci0: timed out waiting for BIOS
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 8 ports with 8 removable, self powered
pciide0 at pci0 dev 13 function 0 "NVIDIA MCP51 IDE" rev 0xf1: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
p
Re: Email Monitoring on Gateway
Hi,

you can use mailsnarf (from dsniff [http://www.monkey.org/~dugsong/dsniff]) to sniff all the mails.

DESCRIPTION
mailsnarf outputs e-mail messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail(1), pine(1), etc.).

On 7/28/06, Tito Mari Francis Escaqo <[EMAIL PROTECTED]> wrote:
> Good day!
> Is there a way to monitor emails going out thru a pf firewall/gateway
> server going into an external email server?
> I have deployed a firewall/gateway server using 3.9.
> Pls. point me to pointers how this can be possible.
> Thank you very much!

--
Huzeyfe VNAL
+90 505 5260064
---
Have you joined the Network Security List? http://www.huzeyfe.net/netsec.html
Re: Email Monitoring on Gateway
Hi Tito, > Is there a way to monitor emails going out thru a pf firewall/gateway > server going into an external email server? Define "monitor". I use postfix and pflogsumm and if one wanted to, one could get a copy of every single message going through the system. Both constitute monitoring, but I'd kill my boss (if I had one) if he chose to use the latter. Buhbye... Nico
snapshot always actual releases?
Hi,

Tracking the cvs changes I found this

CVSROOT:/cvs
Module name:src
Changes by: [EMAIL PROTECTED] 2006/07/26 21:52:56

Modified files:
etc: Makefile

Log message:
remove "snapshot" code, now that our snapshots are always actually releases...

-

could some one please explain what it means that snapshots are *always* actually releases?

Thank you so much

Kind Regards

Siju
Re: cat -v
On 7/27/06, Marcus Watts <[EMAIL PROTECTED]> wrote:
> "Nick Guenther" <[EMAIL PROTECTED]> writes:
> > Message-ID: <[EMAIL PROTECTED]>
> > Date: Thu, 27 Jul 2006 22:31:10 -0400
> > From: "Nick Guenther" <[EMAIL PROTECTED]>
> > To: OpenBSD-Misc
> > Subject: cat -v
> >
> > Why does cat retain the -[etv], -[bn] and -[s] options? I am reading
> > the paper cited in cat's manpage and saw 'vis' mentioned. vis is in
> > base, and line numbering and stripping can be done with sed, so why
> > does cat have those options? Is for history, just for compatibility,
> > or has no one ever bothered to remove them (I find this unlikely)?
> >
> > -Nick
>
> Using the same argument, everything that grep, sed and awk can do can be
> done in perl, so why have grep, sed & awk?

I have been wondering that too somewhat, but I assume it is because they have different uses and they are easier to use than doing a perl script every time.

> All we need to do is teach
> everybody to type "perl -pe 1" in place of "cat".

That's not the same as what I was asking. "perl -pe 1" is more complex (in typing and implementation) than "cat", whereas "cat -v" is more complex than "vis".

Anyway, I wasn't trying to fight about it, I'm just curious.

-Nick
Re: cat -v
"Nick Guenther" <[EMAIL PROTECTED]> writes: > Message-ID: <[EMAIL PROTECTED]> > Date: Thu, 27 Jul 2006 22:31:10 -0400 > From: "Nick Guenther" <[EMAIL PROTECTED]> > To: OpenBSD-Misc > Subject: cat -v > > Why does cat retain the -[etv], -[bn] and -[s] options? I am reading > the paper cited in cat's manpage and saw 'vis' mentioned. vis is in > base, and line numbering and stripping can be done with sed, so why > does cat have those options? Is for history, just for compatibility, > or has no one ever bothered to remove them (I find this unlikely)? > > -Nick Using the same argument, everything that grep, sed and awk can do can be done in perl, so why have grep, sed & awk? All we need to do is teach everybody to type "perl -pe 1" in place of "cat". -Marcus Watts
Email Monitoring on Gateway
Good day! Is there a way to monitor emails going out thru a pf firewall/gateway server going into an external email server? I have deployed a firewall/gateway server using 3.9. Pls. point me to pointers how this can be possible. Thank you very much!
cat -v
Why does cat retain the -[etv], -[bn] and -[s] options? I am reading the paper cited in cat's manpage and saw 'vis' mentioned. vis is in base, and line numbering and stripping can be done with sed, so why does cat have those options? Is for history, just for compatibility, or has no one ever bothered to remove them (I find this unlikely)? -Nick
Re: No packages available in the PKG_PATH
On 7/27/06, Sigfred Heversen <[EMAIL PROTECTED]> wrote:
> Nick Guenther wrote:
> > # PKG_PATH=ftp://mirror.arcticnetwork.ca/pub/OpenBSD/3.9/packages/i386/
>
> Use following before pkg_add
> # export PKG_PATH=ftp://mirror.arcticnetwork.ca/pub/OpenBSD/3.9/packages/i386/

Oh. Damn. I had this idea that local variables were available to subprocesses. Nevermind that. *slinks away*

Thanks a lot.

-Nick
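
The mistake resolved in this exchange, shown as an added example that is not part of the original posts: a plain `VAR=value` assignment stays inside the shell, so a child process such as pkg_add only sees it when it is exported or given as a command prefix. The mirror URL is a constructed placeholder and `sh -c` stands in for pkg_add.

```shell
#!/bin/sh
# Constructed placeholder URL, not a real mirror.
MIRROR="ftp://mirror.example.org/pub/OpenBSD/3.9/packages/i386/"

# Command run in a child process (stand-in for pkg_add): it reports the
# PKG_PATH found in its own environment, or "<unset>" if there is none.
CHILD='printf "%s" "${PKG_PATH:-<unset>}"'

# Case 1: plain assignment. PKG_PATH is a shell variable only and is not
# copied into the environment of child processes.
case_unexported() {
    (
        unset PKG_PATH              # start clean, also drops any export flag
        PKG_PATH="$MIRROR"
        sh -c "$CHILD"
    )
}

# Case 2: assignment followed by export. Every later child inherits it.
case_exported() {
    (
        unset PKG_PATH
        PKG_PATH="$MIRROR"
        export PKG_PATH
        sh -c "$CHILD"
    )
}

# Case 3: assignment as a prefix to one command. Only that child sees the
# value; the invoking shell itself is left without PKG_PATH.
case_prefix() {
    (
        unset PKG_PATH
        PKG_PATH="$MIRROR" sh -c "$CHILD"
        printf ' | parent: %s' "${PKG_PATH:-<unset>}"
    )
}

printf 'unexported: %s\n' "$(case_unexported)"
printf 'exported:   %s\n' "$(case_exported)"
printf 'prefix:     %s\n' "$(case_prefix)"
```

The subshells keep each case isolated, so a PKG_PATH already exported in the calling environment does not mask the difference.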
No packages available in the PKG_PATH
Hello misc@,

Running OpenBSD 3.9 -RELEASE. I am getting a strange error with pkg_add. It's not fatal but I know I should be able to do this and have never been able to figure out what's wrong. I have found very little else about this on the web (only 3 pages, and all in German at that). I have a feeling, though, that whatever I'm doing is very obvious; please tell me what it is, though.

First I set my PKG_PATH and try to install a package with just its name and get the error in the subject. That doesn't work so I try with the version number appended and get a different error. That doesn't work so I try with .tgz and get the same result.

# PKG_PATH=ftp://mirror.arcticnetwork.ca/pub/OpenBSD/3.9/packages/i386/
(I have also tried this with ftp.openbsd.org)
# pkg_add -iv ratpoison
No packages available in the PKG_PATH
Can't resolve ratpoision
# pkg_add -iv ratpoison-1.3.0p1
Can't find ratpoison-1.3.0p1
/usr/sbin/pkg_add: ratpoison-1.3.0p1:Fatal error
# pkg_add -iv ratpoison-1.3.0p1.tgz
Can't find ratpoison-1.3.0p1.tgz
/usr/sbin/pkg_add: ratpoison-1.3.0p1.tgz:Fatal error
# selfdestruct
ksh: selfdestruct: not found
# :(

This form also causes the error:
# pkg_add -iv $PKG_PATH/ratpoison

If I do it 'manually' though, it works, even being able to pull in dependencies from the PKG_PATH if need be. (both of these work:)
# pkg_add -iv $PKG_PATH/ratpoison-1.3.0p1
# pkg_add -iv $PKG_PATH/ratpoison-1.3.0p1.tgz

The code that prints the error seems to be this:

sub available_stems
{
	my $state = shift;
	my @avail = OpenBSD::PackageLocator::available();
	if (@avail == 0) {
		Warn "No packages available in the PKG_PATH\n";
	}
	unless ($state->{forced}->{allversions}) {
		@avail = OpenBSD::PackageName::keep_most_recent(@avail);
	}
	return OpenBSD::PackageName::compile_stemlist(@avail);
}

By the way, for the record and the mirrors page, mirror.arcticnetwork.ca is also accessible via HTTP.

(also: VMWare for the win)

Thanks in advance
-Nick
dhcpd on CARP+VLAN interfaces
Hi All, We have a pair of routers that route traffic between VLANs on our switches. We need to run dhcpd for each of our VLANs. These VLANs all use different subnets. Currently, we are encountering two stumbling blocks: 1) dhcpd will not run on CARP interfaces. Instead, we have to run it on the vlan interfaces, which means that we must then assign IP addresses to these vlan interfaces as well. That's kind of annoying. 2) One of the downsides to running dhcpd on a pair of CARP boxes is that there is no syncing of the leases file. So, if we have a /24 that has 240 machines, all using dynamic IPs, and the primary CARP box fails, dhcpd on the backup box will have no knowledge of those 240 leases. Any ideas here? Can we simply rsync the leases file? thanks for the cool software. Chris
Re: OpenBSD gets a "poor score" in security.
Spruell, Darren-Perot wrote:
> From: [EMAIL PROTECTED]
> garbage is third party garbage. One doesn't overlap the others. So if a
> third party package runs into a bug (security, stability, or otherwise),
> OpenBSD doesn't *have* to scramble to bring the application up to date
> because it's not wedged into the core OS.

That's true words indeed. However, if I'm running, let's say a MySQL server, and I need to have security updates in time, it does matter whether I can get them from the OS I chose to use.

OpenBSD is secure in many ways, but if the third party app has a security flaw and released a bugfix, I'd like to see an updated package / port too. Otherwise I would need to compile the bugfixed version from source, which doesn't make sense at all. So I need to be a ports committer or something, right? :)

To sum it up: Security wise, it does matter how fast you can get the updates for your third party apps. Being still lucky that the foundation of my server (the OS itself) is secure already and doesn't need any patching --> OpenBSD :-)

And yes, an apt-get update; apt-get upgrade is fast. But a make package and roll it out is fast too.

./Marian
Re: OpenBSD Gateway to replace old Linux gateway
From: elaconta.com Webmaster
> Thanks for the oppinions and wise advices of everyone on the mailing
> list. I've given some deep thought to the subject and i'm
> going with an
> OpenBSD bridge and a separate box for DNS caching. We're going to have
> some work reconfiguring the LAN clients but it's better doing
> it now on
> our spare time than when everything goes boing-boing as wise
> ones on the
> list have said. Thanks everyone.

You could add some icing on the cake by putting all of this configuration (internal subnet address space, default gateway, etc.) into DHCP and just doing a single client IP change by making them DHCP clients.

Then future upgrades of this kind become only as impactive as rebooting a client so it can pull a new lease (or manually renewing its lease.)

DS
Re: OpenBSD Gateway to replace old Linux gateway
Dag Richards escreveu: > Webmaster Elaconta wrote: >> I'm not looking forward to addressing the router to a different subnet >> (and i know that would solve the problem) because our Internet-facing >> servers are connected directly to that router in DMZ fashion (the router >> forwards ports to them). The firewall is also connected directly to that >> router and the LAN is in turn connected to the firewall. Changing the >> subnet on the router would mean we would have to reconfigure a number of >> Internet services which sort of depend on the 192.168.1.x network >> configuration. >> >> Now, if you know how to do what I want with OpenBSD, i would love to >> hear >> it. > > You can configure OBSD to be a transparent bridge, as people here have > told you. Setting up bridging is pretty simple, I did it in an > afternoon for a test env. Having a system conf-ed to bridge does not > preclude an IP or running services. Read the bridge and brconfig man > pages, that will get you going you can find the man pages > http://www.openbsd.org/cgi-bin/man.cgi if you do not have a running > system. > > > After listening to the solution, i can then judge for myself if the >> solution works. Even if we maintain the "broken" architecture for a >> while - i'm not even sure if it is that broken, since it worked for >> years without a squeak - at least we'll have a secure OS running it. > > > A better way to config may be to run your fw as out_if= 192.168.1.121 > in_if=192.168.2.1 > > Nat your pcs behind 192.168.1.121 > change the default gw of your pcs to be 192.168.2.1 and continue life > fairly close to what you consider to be normal. > > If its not something you can get to perhaps you could hire someone to > set it up, Jason Dixon monitors this list he consults and seems to be > pretty sharp. > > Trust them however when they say your configuration is broken. > People with heart murmurs pump blood for a long while, but are often > eventually betrayed by their hearts. 
> > > working( today && yesterday ) != { working( tomorrow ) || good_idea(1) }; > > >> >> -- >> Elaconta.com webmaster >> -- >> >> Em 7/27/2006, "Nick Holland" <[EMAIL PROTECTED]> escreveu: >> >>> elaconta.com Webmaster wrote: Howdy We have here an old (Mandrake Linux 8 - yeah i know...) PC with two NICs which serves as a firewall for our LAN and runs a Bind caching nameserver. Although the machine is getting old, it still works well. Thing is, i'm having a hard time trying to reproduce it, that is, getting another PC to do exactly the same thing this PC is doing. It was configured by a guy that left the company, so i can't simply ask him how he configured it configured. It's a precautionary measure, if the machine breaks down we need another one to go in its place. >>> Yes You Do. >>> So while am at it i would love to replace the crusty old thing with a new one running OpenBSD. The networking scheme is: Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122) <-> (192.168.1.0/24) LAN Now, thing is, the Linux firewall has two NICs: NIC 1: 192.168.1.121 NIC 2: 192.168.1.122 The two NICs on the Linux box are configured with 192.168.1.121 and 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 acesses the company router (192.168.1.120) and 192.168.1.122 acesses the company LAN (192.168.1.0/24) From what i've googled, this shouldn't even be possible, everything is on the same subnet. Regardless, it works great, and if i went and got an OpenBSD rig to replace the old Linux rig, it would have to retain this networking scheme, we can't afford to reconfigure the entire network just for switching our firewall. >>> NO, you can't afford to avoid switching your firewall because of a >>> misconfigured network. >>> >>> Your network is broke NOW. If that old box dies or gets rooted (if it >>> hasn't been already), you will be looking at a lot bigger problems than >>> renumbering a network. 
>>> I known we could use a network bridge, but we need the caching nameserver functionality. >>> Not everything has to be in one box. I don't know how big your company >>> is, but I'm sure you have spare boxes lying around you can use as a DNS >>> resolver/server. Split the task up if you need to. Or..put an IP >>> address on one leg of the bridge. Lots of options. >>> I'm an all round Unix guy, but i'm a bit green on the routing departament. Can an OpenBSD box be configured the same way the Linux box is so it can be a drop-in replacement for the Linux box? I can of course depict in further detail the configuration of the Linux box (netstat -r to show the routes, ifconfig or whatever). >>> If your network is dependent upon strange tricks, it is misc
Re: OpenBSD gets a "poor score" in security.
From: [EMAIL PROTECTED]
> > Good job Edmund! This is one of the worst articles on security I
> > have ever read. Talk about missing the point.
>
> Yep, let's do talk about it since I see you as a blind horse that
> misses the point because you cannot read. The title contains the two
> words "patch problems" and that isn't a very strong point of OpenBSD.
> (Obviously because there are not as many developers as other
> distributions have.)
>
>
> The article is not about the strong points of OpenBSD, pro-active and
> integrated security, it's about patching and updates, a weak point of
> OpenBSD.

I'd love to hear your justification on this statement. Can you defend it?

I question how you manage to delineate proactive and integrated security from patching and updates. Do you think there is no overlap? I can point to a page (errata.html) that illustrates the obvious opposite of it. Patches are released for known security and stability issues, and they are released on a timely basis. Very quickly, in most cases.

But maybe you're not talking about that. Maybe you're talking about the "other" bugs out there in the OS that aren't accounted for with a horn-tooting fanfare every time a CVS change is made. In OpenBSD, that is because they don't deserve errata entries, you can just track -current to get them, and only the ones that really matter make it backported to past releases. So is the perceived problem that there aren't as *many* patches released, for every insignificant little bug, like many Linux distros do?

Or is your point based on the fact that some applications sit in the ports tree without receiving updates for months, while the same application will be updated multiple times per week in a given Linux distro, matching the release cycle of the upstream project? Is it not obvious that there is little drive on OpenBSD to always have the latest and greatest, bleeding edge version in the tree? That blatant dot-dot-dot updates for piddling reasons aren't the SOP?

In one way, it's not even fair to compare the two platforms the same way. A GNU/Linux distribution is nothing more than a kernel combined with a dumpster full of disparate applications to make some form of a collectively functioning operating system. The packages are actually the core OS. A GNU/Linux distro updates their OS by updating 3rd party applications.

*BSD projects don't work that way. There is a defined core OS, and 3rd party garbage is third party garbage. One doesn't overlap the others. So if a third party package runs into a bug (security, stability, or otherwise), OpenBSD doesn't *have* to scramble to bring the application up to date because it's not wedged into the core OS.

This article *was* incredibly stupid, for the above reasons and more. It takes a stale and uninformed view of patching. The fact that they lumped OpenBSD in as a Linux distro is not only insulting, but ignorant.

Does it not occur to folks that many people use OpenBSD not because it is generally and vaguely "secure", but because their patching policy and procedures are in fact well directed and sensible, a good compromise between stability and currency?

DS
Re: CPU cache problem with 3.9 ?
i think memtest86 can test the cpu cache
burn the iso and boot it up

Xavier Mertens [EMAIL PROTECTED] wrote:
> If I boot the old disk (obsd 3.5) it works!?
> How can I check if the cache is ok or not?
>
> Xavier
> --
> Free shell account on www.rootshell.be!
>
> On Tue, 25 Jul 2006, Steve Shockley wrote:
>
> > Xavier Mertens wrote:
> >
> > > I found why my box freezes when booting 3.9 (GENERIC).
> > > I need to disable the CPU cache in the BIOS (PIII 1Ghz).
> >
> > Maybe the CPU cache is bad?

--
Theatre is life
Film is art
Television is furniture
Re: sendmail
Hello,

I'm a novice too and I have the following book:

O'Reilly: sendmail cookbook
Administrating, Securing & Spam-Fighting.
Craig Hunt
ISBN 0-596-00471-0I
See: http://www.oreilly.com/catalog/sendmailckbk/

I personally think it is a good book, it helped me a lot.

Covers: delivering and forwarding mail, relaying masquerading, routing mail, controlling spam, strong authentication (like starttls, using AUTH etc ...), etc ... it has useful securing tips and worked well under Openbsd.

The book was written in 2003 but it is still accurate, ... in my opinion.

Kind regards,
Didier

>any suggestions on a book to buy would help
> tremendously.
> thanks>>
Re: OpenBSD gets a "poor score" in security.
On Thu, Jul 27, 2006 at 09:24:54PM +0100, Alex Stamatis wrote: > [...] Their os's suck http://fun.drno.de/sounds/Every_OS_sucks.mp3
Re: OpenBSD gets a "poor score" in security.
Alex Stamatis wrote:
Ahmmm. Openbsd gets bad score in patching ? Well that maybe because the os is so good that doesn't need 30 patches a day like the linux distros. I have heard the linux 'fans' saying amazing crap about their os'es... Thank god in this world there are people that know that openbsd rules. We must all also help the openbsd community with donations for the amazing work that all the guys in the obsd team do. I did a donation 3-4 months ago to the obsd and if I had more i'd send out more. Let the linux guys talk. All they can do is talk ... Their os's suck
bsd for life ;)
On 7/27/06, chefren <[EMAIL PROTECTED]> wrote:
On 07/27/06 11:17, [EMAIL PROTECTED] wrote:
Someone has written an article under "Information Security News", entitled "Linux patch problems: Your distro may vary". As if OpenBSD were a "Linux distro".
Well, OpenBSD gets mentioned, that's the most important.
..
Good job Edmund! This is one of the worst articles on security I have ever read. Talk about missing the point.
Yep, let's do talk about it since I see you as a blind horse that misses the point because you cannot read. The title contains the two words "patch problems" and that isn't a very strong point of OpenBSD. (Obviously because there are not as many developers as other distributions have.)
The article is not about the strong points of OpenBSD, pro-active and integrated security, it's about patching and updates, a weak point of OpenBSD.
And it's not at all about stupidities like the one you mentioned of Ubuntu, you provide chaos without a reason.
+++chefren
Poor score in security? Hmmm... In which config? Default install? Or 3rd party apps? If the apps are to blame, then, to some extent, isn't that a ding to the developer, and not the OS itself? Almost like saying OpenBSD sucks because there was an exploit in an Excel document opened with OpenOffice.
As for Linux sucking, well, I use OpenBSD on anything public, but for client deployments (or non-technical people that want to try linux/unix/bsd) I use ubuntu. Both have their strengths, both have their weaknesses...
Nick
Re: OpenBSD gets a "poor score" in security.
At 09:24 PM 7/27/2006 +0100, Alex Stamatis wrote:
Let the linux guys talk. All they can do is talk ... Their os's suck
Well... there ARE some Linux distros taking market share from MS, so the better viewpoint is 'it's a free market - let the cream rise to the top'. For all those Enterprises that must have a corporate 'Name', let them choose SUSE or RedHat. For mom & pop, a number of Linux's fit the bill (check out Ubuntu!). For the rest of the world that actually CARES what's under the hood, they will find it here.
Lee
Re: sendmail
Matthias Kilian wrote:
On Thu, Jul 27, 2006 at 12:52:15PM +0200, Martin Schröder wrote:
Start with /usr/share/sendmail/README . It's dense, but has a wealth of information. And then there is http://sendmail.org/doc/sendmail-current/doc/op/op.pdf
Or just /usr/share/doc/smm/08.sendmailop/op.me
So far as I know, sendmail is just an MTA, so, your user accounts are just regular users (or users with only mail access), and mail is stored by either your popd or imapd. But I'm not a mail admin, and this advice should be taken w/ a grain of salt...
Nick
Re: OpenBSD Gateway to replace old Linux gateway
On Thu, Jul 27, 2006 at 07:04:04AM -0700, Matt Radtke wrote:
> Your Linux box is very likely running as a real bridge (set eth0 and eth1 as a bridge) or a fake bridge (running proxy-arp).
Dear "elaconta.com Webmaster", please post at least the output of 'ifconfig -a' and 'route -n' to this list. Otherwise this "guessing" of your configuration will continue ad infinitum - without any usable result.
Bernd
Re: OpenBSD Gateway to replace old Linux gateway
Webmaster Elaconta wrote:
I'm not looking forward to addressing the router to a different subnet (and i know that would solve the problem) because our Internet-facing servers are connected directly to that router in DMZ fashion (the router forwards ports to them). The firewall is also connected directly to that router and the LAN is in turn connected to the firewall. Changing the subnet on the router would mean we would have to reconfigure a number of Internet services which sort of depend on the 192.168.1.x network configuration. Now, if you know how to do what I want with OpenBSD, i would love to hear it.
You can configure OBSD to be a transparent bridge, as people here have told you. Setting up bridging is pretty simple, I did it in an afternoon for a test env. Having a system conf-ed to bridge does not preclude an IP or running services. Read the bridge and brconfig man pages, that will get you going; you can find the man pages at http://www.openbsd.org/cgi-bin/man.cgi if you do not have a running system.
After listening to the solution, i can then judge for myself if the solution works. Even if we maintain the "broken" architecture for a while - i'm not even sure if it is that broken, since it worked for years without a squeak - at least we'll have a secure OS running it.
A better way to config may be to run your fw as
out_if= 192.168.1.121
in_if=192.168.2.1
Nat your pcs behind 192.168.1.121
change the default gw of your pcs to be 192.168.2.1
and continue life fairly close to what you consider to be normal. If it's not something you can get to, perhaps you could hire someone to set it up; Jason Dixon monitors this list, he consults and seems to be pretty sharp. Trust them however when they say your configuration is broken. People with heart murmurs pump blood for a long while, but are often eventually betrayed by their hearts.
working( today && yesterday ) != { working( tomorrow ) || good_idea(1) };
-- Elaconta.com webmaster --
On 7/27/2006, "Nick Holland" <[EMAIL PROTECTED]> wrote:
elaconta.com Webmaster wrote:
Howdy
We have here an old (Mandrake Linux 8 - yeah i know...) PC with two NICs which serves as a firewall for our LAN and runs a Bind caching nameserver. Although the machine is getting old, it still works well. Thing is, i'm having a hard time trying to reproduce it, that is, getting another PC to do exactly the same thing this PC is doing. It was configured by a guy that left the company, so i can't simply ask him how he configured it. It's a precautionary measure, if the machine breaks down we need another one to go in its place.
Yes You Do.
So while am at it i would love to replace the crusty old thing with a new one running OpenBSD. The networking scheme is:
Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122) <-> (192.168.1.0/24) LAN
Now, thing is, the Linux firewall has two NICs:
NIC 1: 192.168.1.121
NIC 2: 192.168.1.122
The two NICs on the Linux box are configured with 192.168.1.121 and 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses the company router (192.168.1.120) and 192.168.1.122 accesses the company LAN (192.168.1.0/24)
From what i've googled, this shouldn't even be possible, everything is on the same subnet. Regardless, it works great, and if i went and got an OpenBSD rig to replace the old Linux rig, it would have to retain this networking scheme, we can't afford to reconfigure the entire network just for switching our firewall.
NO, you can't afford to avoid switching your firewall because of a misconfigured network.
Your network is broke NOW. If that old box dies or gets rooted (if it hasn't been already), you will be looking at a lot bigger problems than renumbering a network.
I know we could use a network bridge, but we need the caching nameserver functionality.
Not everything has to be in one box. I don't know how big your company is, but I'm sure you have spare boxes lying around you can use as a DNS resolver/server. Split the task up if you need to. Or..put an IP address on one leg of the bridge. Lots of options.
I'm an all round Unix guy, but i'm a bit green on the routing department. Can an OpenBSD box be configured the same way the Linux box is so it can be a drop-in replacement for the Linux box? I can of course depict in further detail the configuration of the Linux box (netstat -r to show the routes, ifconfig or whatever).
If your network is dependent upon strange tricks, it is misconfigured. If you can't pull one part out and replace it with another one, it is misconfigured. You should be able to choose the components that serve you best, not "live with the only thing that works".
It is better to fix this on your schedule than to react to a disaster when it happens (note use of the word "when"...)
Keep in mind...rather than renumbering your internal network, you can just re-address
Re: OpenBSD gets a "poor score" in security.
Ahmmm. Openbsd gets bad score in patching ? Well that maybe because the os is so good that doesn't need 30 patches a day like the linux distros. I have heard the linux 'fans' saying amazing crap about their os'es... Thank god in this world there are people that know that openbsd rules. We must all also help the openbsd community with donations for the amazing work that all the guys in the obsd team do. I did a donation 3-4 months ago to the obsd and if I had more i'd send out more. Let the linux guys talk. All they can do is talk ... Their os's suck
bsd for life ;)
On 7/27/06, chefren <[EMAIL PROTECTED]> wrote:
>
> On 07/27/06 11:17, [EMAIL PROTECTED] wrote:
> > Someone has written an article under "Information Security News", entitled "Linux patch problems: Your distro may vary". As if OpenBSD were a "Linux distro".
>
> Well, OpenBSD gets mentioned, that's the most important.
>
> ..
>
> > Good job Edmund! This is one of the worst articles on security I have ever read. Talk about missing the point.
>
> Yep, let's do talk about it since I see you as a blind horse that misses the point because you cannot read. The title contains the two words "patch problems" and that isn't a very strong point of OpenBSD. (Obviously because there are not as many developers as other distributions have.)
>
> The article is not about the strong points of OpenBSD, pro-active and integrated security, it's about patching and updates, a weak point of OpenBSD.
>
> And it's not at all about stupidities like the one you mentioned of Ubuntu, you provide chaos without a reason.
>
> +++chefren
Re: OpenBSD Gateway to replace old Linux gateway
Matt Radtke wrote:
> Hello there
>
>>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122) <-> (192.168.1.0/24) LAN
>>>
>>> Now, thing is, the Linux firewall has two NICs:
>>>
>>> NIC 1: 192.168.1.121
>>> NIC 2: 192.168.1.122
>>>
>>> The two NICs on the Linux box are configured with 192.168.1.121 and 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses the company router (192.168.1.120) and 192.168.1.122 accesses the company LAN (192.168.1.0/24)
>
> Your Linux box is very likely running as a real bridge (set eth0 and eth1 as a bridge) or a fake bridge (running proxy-arp). You could confirm that--I'm guessing every machine in your LAN has a default gw of .120, your router? And your router believes that it is directly connected to your LAN? If not, then everyone else is right--your network is screwed and you're lucky it's lasted this long.
>
Every machine in our LAN has a default gateway of 192.168.1.122 (not 120). The firewall machine can connect both to the router and to the internal network. I can SSH to the firewall box from any machine in the 192.168.1.0 LAN and of course the firewall box accesses the net through the 192.168.1.120 router.
>>> I know we could use a network bridge, but we need the caching nameserver functionality.
>
> Setting up a machine to bridge does not exclude it from running as a nameserver, if you must still do this [0].
>
> Off the top of my head, create a bridge with your $inif and $outif on your replacement machine. Inif doesn't need to have an IP on it. Bind your nameserver to outif. Setup your filter rules as you need them.
>
I forgot to mention something - this Linux box is also secondary DNS for some Web domains. Right now, the router forwards DNS packets from outside to 192.168.1.121 (the NIC on firewall box which is connected to the router), and the Linux box serves DNS requests to the outside through the eth0 interface. I'm guessing a bridge can serve DNS to clients on the LAN if we give it an IP (i'm not sure how to do this though), but can it also serve DNS to Internet clients (outside the LAN)?
Anyway, i guess a bridge wouldn't be the worst way to go, even if i would have to reconfigure 50 workstations across 3 departments (oh boy) to use 192.168.1.120 instead of 192.168.1.122. I could install a DNS server on IP 192.168.1.121 to take care of DNS.
Anyway, i have a small doubt about the bridge. I'm guessing it would enable transparent access from the LAN to 192.168.1.120 (the router) while allowing us to maintain our filtering rules, that is, the workstations would need to have 192.168.1.120 set as gateway. I hear bridges are not so good when it comes to handling FTP and IRC as a NAT'ing firewall. Is this true, or are there workarounds for this?
> -Matt
>
> ps. Just because something is a bridge doesn't mean that it can't have IP addresses.
>
> [0] List, feel free to destroy me if my setup wouldn't work. 8^)
Re: sendmail
On Thu, Jul 27, 2006 at 12:52:15PM +0200, Martin Schröder wrote:
> Start with /usr/share/sendmail/README . It's dense, but has a wealth of information. And then there is
> http://sendmail.org/doc/sendmail-current/doc/op/op.pdf
Or just /usr/share/doc/smm/08.sendmailop/op.me
Re: OpenBSD gets a "poor score" in security.
On Thu, 27 Jul 2006, Ted Unangst wrote:
On 7/27/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Someone has written an article under "Information Security News", entitled "Linux patch problems: Your distro may vary". As if OpenBSD were a "Linux distro".
In this article, he compares response times to vulnerabilities and then gives various Linux distros and OpenBSD a "score". OpenBSD came 2nd last, but get this, Ubuntu, the Linux which had the root password logged to disk in the plain from the installer, complete with a community which did not notice this until almost the next release was out... came first!
Good job Edmund! This is one of the worst articles on security I have ever read. Talk about missing the point.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1202417,00.html
i'd ask to see the actual data used. the text says "For example, if we look at the July update for the highly critical libmms vulnerability, we see that all the announced updates occurred within one day." But if you follow the link, only two distros are listed. So does not fixing something at all also result in a score of 100?
The source data is suspect because they only count the announcements of fixes, hence those projects that are prolific at issuing security announcements get a better score. It's a paper exercise, nothing more.
Ciao --Louis
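The objection raised in this message, worked through as an added example that is not part of any post and is not the article's method: a score computed only over announced fixes is compared with one computed over every vulnerability that applies to a project. The article's real formula is not given in the thread; the scoring functions, project names, vulnerability ids and dates below are all constructed for illustration.

```python
from collections import namedtuple
from datetime import date

# One row per (project, vulnerability).
#   fixed    - date the fix was announced, or None if none was announced
#   affected - whether the project ships the vulnerable code at all
Row = namedtuple("Row", "project vuln disclosed fixed affected")

# Constructed sample data, not taken from the article discussed above.
ROWS = [
    Row("distro-a", "vuln-1", date(2006, 7, 1), date(2006, 7, 1), True),
    Row("distro-a", "vuln-2", date(2006, 7, 3), None, True),  # never fixed
    Row("distro-a", "vuln-3", date(2006, 7, 5), date(2006, 7, 6), True),
    Row("distro-b", "vuln-1", date(2006, 7, 1), date(2006, 7, 4), True),  # 3 days
    Row("distro-b", "vuln-2", date(2006, 7, 3), date(2006, 7, 4), True),
    Row("distro-b", "vuln-3", date(2006, 7, 5), date(2006, 7, 6), True),
    Row("os-c", "vuln-1", date(2006, 7, 1), None, False),  # code not shipped
    Row("os-c", "vuln-2", date(2006, 7, 3), None, False),  # code not shipped
    Row("os-c", "vuln-3", date(2006, 7, 5), date(2006, 7, 6), True),
]


def _on_time(row, window_days):
    """True if a fix was announced within window_days of disclosure."""
    return row.fixed is not None and (row.fixed - row.disclosed).days <= window_days


def _percent(hits, total):
    return None if total == 0 else round(100.0 * hits / total, 1)


def announcement_only_score(rows, project, window_days=1):
    """Share of *announced* fixes that were on time.

    Vulnerabilities with no announcement drop out of the denominator,
    so never fixing something costs nothing.
    """
    announced = [r for r in rows if r.project == project and r.fixed is not None]
    return _percent(sum(_on_time(r, window_days) for r in announced), len(announced))


def coverage_aware_score(rows, project, window_days=1):
    """Share of *applicable* vulnerabilities fixed on time.

    Unfixed vulnerabilities count as misses; vulnerabilities in code the
    project does not ship are excluded.
    """
    applicable = [r for r in rows if r.project == project and r.affected]
    return _percent(sum(_on_time(r, window_days) for r in applicable), len(applicable))


def unfixed(rows, project):
    """Applicable vulnerabilities for which no fix was ever announced."""
    return [r.vuln for r in rows
            if r.project == project and r.affected and r.fixed is None]


if __name__ == "__main__":
    for name in ("distro-a", "distro-b", "os-c"):
        print(name,
              "announcement-only:", announcement_only_score(ROWS, name),
              "coverage-aware:", coverage_aware_score(ROWS, name),
              "unfixed:", unfixed(ROWS, name))
```

In the constructed data, distro-a leaves one vulnerability unfixed yet outranks distro-b, which fixed everything, under the announcement-only score; the coverage-aware score puts them level.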
Re: OpenBSD gets a "poor score" in security.
On 07/27/06 11:17, [EMAIL PROTECTED] wrote: Someone has written an article under "Information Security News", entitled "Linux patch problems: Your distro may vary". As if OpenBSD were a "Linux distro". Well, OpenBSD gets mentioned, that's the most important. .. Good job Edmund! This is one of the worst articles on security I have ever read. Talk about missing the point. Yep, let's do talk about it since I see you as a blind horse that misses the point because you cannot read. The title contains the two words "patch problems" and that isn't a very strong point of OpenBSD. (Obviously because there are not as many developers as other distributions have.) The article is not about the strong points of OpenBSD, pro-active and integrated security, it's about patching and updates, a weak point of OpenBSD. And it's not at all about stupidities like the one you mentioned of Ubuntu, you provide chaos without a reason. +++chefren
AMD Geode LX 800 supported?
Hi, Anyone know whether AMD Geode LX-800 CPUs (CS-5536 chipset) are supported? It is not listed on www.openbsd.org/i386.html Thanks, chakl
Re: altq
On Wed, Jul 26, 2006 at 04:12:45PM +1200, Josh wrote:
> Hello...
>
> Say I've got a 15Mbit connection.
>
> Client A starts downloading two files simultaneously, and uses all of the 15Mbit bandwidth. Then client B comes along, and starts downloading just one file, and gets only 5Mbit per second. Is there a way to treat connections from the same host/ip as a single connection as far as bandwidth is concerned, So that client A uses at 7.5 Mbit and client B uses 7.5 Mbit as well...
At the very least, one queue per host - with borrow - would do this.
Joachim
Re: OpenBSD gets a "poor score" in security.
On 7/27/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Someone has written an article under "Information Security News", entitled "Linux patch problems: Your distro may vary". As if OpenBSD were a "Linux distro".
In this article, he compares response times to vulnerabilities and then gives various Linux distros and OpenBSD a "score". OpenBSD came 2nd last, but get this, Ubuntu, the Linux which had the root password logged to disk in the plain from the installer, complete with a community which did not notice this until almost the next release was out... came first!
Good job Edmund! This is one of the worst articles on security I have ever read. Talk about missing the point.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1202417,00.html
i'd ask to see the actual data used. the text says "For example, if we look at the July update for the highly critical libmms vulnerability, we see that all the announced updates occurred within one day." But if you follow the link, only two distros are listed. So does not fixing something at all also result in a score of 100?
Re: OpenBSD Gateway to replace old Linux gateway
Hello there
> > Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122) <-> (192.168.1.0/24) LAN
> >
> > Now, thing is, the Linux firewall has two NICs:
> >
> > NIC 1: 192.168.1.121
> > NIC 2: 192.168.1.122
> >
> > The two NICs on the Linux box are configured with 192.168.1.121 and 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses the company router (192.168.1.120) and 192.168.1.122 accesses the company LAN (192.168.1.0/24)
Your Linux box is very likely running as a real bridge (set eth0 and eth1 as a bridge) or a fake bridge (running proxy-arp). You could confirm that--I'm guessing every machine in your LAN has a default gw of .120, your router? And your router believes that it is directly connected to your LAN? If not, then everyone else is right--your network is screwed and you're lucky it's lasted this long.
> > I know we could use a network bridge, but we need the caching nameserver functionality.
Setting up a machine to bridge does not exclude it from running as a nameserver, if you must still do this [0].
Off the top of my head, create a bridge with your $inif and $outif on your replacement machine. Inif doesn't need to have an IP on it. Bind your nameserver to outif. Setup your filter rules as you need them.
-Matt
ps. Just because something is a bridge doesn't mean that it can't have IP addresses.
[0] List, feel free to destroy me if my setup wouldn't work. 8^)
Re: ftp: -: short write on current when using pkg_add on ftp mirrors
Hi, as nobody seems to be interested in this problem, this will be my last post and then I'll stop digging. I've tried a _binary_ snapshot from ftp.openbsd.org (from July, 25th) and it also gives me this "short write" error while using pkg_add per ftp. dmesg is attached to this mail (I don't know if the problems with nfe(4) are related to this problem). The following workaround solved the problem for me, so I'm happy now: - mirror all packages of an ftp mirror on my local filesystem and use "pkg_add -ui -F update -F updatedepends" directly on this path what still doesn't work: - using this local mirror-directory per ftp. I also get "short write" on my local network (PF is disabled, so this can't be the cause). regards, Andreas OpenBSD 3.9-current (GENERIC) #1019: Tue Jul 25 16:46:08 MDT 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Athlon(tm) XP 2600+ ("AuthenticAMD" 686-class, 512KB L2 cache) 1.93 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real mem = 536375296 (523804K) avail mem = 481550336 (470264K) using 4256 buffers containing 26923008 bytes (26292K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(6e) BIOS, date 07/17/03, BIOS32 rev. 0 @ 0xfb990, SMBIOS rev. 
2.3 @ 0xf (37 entries) bios0: MICRO-STAR INTERNATIONAL CO., LTD MS-6570 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 70102 dobusy 1 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0xd8e4 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd820/192 (10 entries) pcibios0: PCI Exclusive IRQs: 3 5 10 11 pcibios0: no compatible PCI ICU found pcibios0: Warning, unable to fix up PCI interrupt routing pcibios0: PCI bus #2 is the last bus bios0: ROM list: 0xc/0xd000 0xd/0x1800 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "NVIDIA nForce2 PCI" rev 0xc1 "NVIDIA nForce2" rev 0xc1 at pci0 dev 0 function 1 not configured "NVIDIA nForce2" rev 0xc1 at pci0 dev 0 function 2 not configured "NVIDIA nForce2" rev 0xc1 at pci0 dev 0 function 3 not configured "NVIDIA nForce2" rev 0xc1 at pci0 dev 0 function 4 not configured "NVIDIA nForce2" rev 0xc1 at pci0 dev 0 function 5 not configured pcib0 at pci0 dev 1 function 0 "NVIDIA nForce2 ISA" rev 0xa3 nviic0 at pci0 dev 1 function 1 "NVIDIA nForce2 SMBus" rev 0xa2 iic0 at nviic0 iic0: addr 0x2f 04=00 06=02 07=00 0c=00 0d=07 0e=84 0f=00 10=ca 11=10 12=00 13=60 14=14 15=62 16=01 17=06 iic1 at nviic0 ohci0 at pci0 dev 2 function 0 "NVIDIA nForce2 USB" rev 0xa3: irq 5, version 1.0, legacy support usb0 at ohci0: USB revision 1.0 uhub0 at usb0 uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1 uhub0: 3 ports with 3 removable, self powered ohci1 at pci0 dev 2 function 1 "NVIDIA nForce2 USB" rev 0xa3: irq 10, version 1.0, legacy support usb1 at ohci1: USB revision 1.0 uhub1 at usb1 uhub1: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1 uhub1: 3 ports with 3 removable, self powered ehci0 at pci0 dev 2 function 2 "NVIDIA nForce2 USB" rev 0xa3: irq 11 usb2 at ehci0: USB revision 2.0 uhub2 at usb2 uhub2: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1 uhub2: 6 ports with 6 removable, self powered nfe0 at pci0 dev 4 function 0 "NVIDIA nForce2 LAN" rev 0xa1: irq 11, address 
00:0c:76:ff:b6:f0 icsphy0 at nfe0 phy 1: ICS1893 10/100 PHY, rev. 1 "NVIDIA nForce2 Audio" rev 0xa2 at pci0 dev 5 function 0 not configured auich0 at pci0 dev 6 function 0 "NVIDIA nForce2 AC97" rev 0xa1: irq 5, nForce2 AC97 ac97: codec id 0x414c4720 (Avance Logic ALC650) ac97: codec features 20 bit DAC, 18 bit ADC, Realtek 3D audio0 at auich0 ppb0 at pci0 dev 8 function 0 "NVIDIA nForce2 PCI-PCI" rev 0xa3 pci1 at ppb0 bus 1 pciide0 at pci0 dev 9 function 0 "NVIDIA nForce2 IDE" rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA48, 114498MB, 234493056 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide0: channel 1 disabled (no drives) ppb1 at pci0 dev 30 function 0 "NVIDIA nForce2 AGP" rev 0xc1 pci2 at ppb1 bus 2 vga1 at pci2 dev 0 function 0 "ATI Radeon 9600 Pro" rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) "ATI Radeon 9600 Pro Sec" rev 0x00 at pci2 dev 0 function 1 not configured isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pmsi0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pmsi0 mux 0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 lm0 at isa0 port 0x290/8: W83627HF npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec biomask ef6d netmask ef6d ttymask
Re: Multiple IP addresses with different mask on 1 interface
On Jul 27, 2006, at 9:03 AM, Pavel Ivanchev wrote: Hi there! Is it possible to assign many IP addresses (aliases) on one interface but each ip address to be in different class and netmask? For example: dc0: 192.168.168.1 netmask 255.255.255.0 alias 10.1.0.1 netmask 255.255.0.0 Yes. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: OpenBSD Gateway to replace old Linux gateway
I'm not looking forward to addressing the router to a different subnet (and i know that would solve the problem) because our Internet-facing servers are connected directly to that router in DMZ fashion (the router forwards ports to them). The firewall is also connected directly to that router and the LAN is in turn connected to the firewall. Changing the subnet on the router would mean we would have to reconfigure a number of Internet services which sort of depend on the 192.168.1.x network configuration.
Now, if you know how to do what I want with OpenBSD, i would love to hear it. After listening to the solution, i can then judge for myself if the solution works. Even if we maintain the "broken" architecture for a while - i'm not even sure if it is that broken, since it worked for years without a squeak - at least we'll have a secure OS running it.
-- Elaconta.com webmaster --
On 7/27/2006, "Nick Holland" <[EMAIL PROTECTED]> wrote:
>elaconta.com Webmaster wrote:
>> Howdy
>>
>> We have here an old (Mandrake Linux 8 - yeah i know...) PC with two NICs which serves as a firewall for our LAN and runs a Bind caching nameserver. Although the machine is getting old, it still works well. Thing is, i'm having a hard time trying to reproduce it, that is, getting another PC to do exactly the same thing this PC is doing. It was configured by a guy that left the company, so i can't simply ask him how he configured it.
>> It's a precautionary measure, if the machine breaks down we need another one to go in its place.
>
>Yes You Do.
>
>> So while am at it i would love to replace the crusty old thing with a new one running OpenBSD.
>> The networking scheme is:
>>
>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122) <-> (192.168.1.0/24) LAN
>>
>> Now, thing is, the Linux firewall has two NICs:
>>
>> NIC 1: 192.168.1.121
>> NIC 2: 192.168.1.122
>>
>> The two NICs on the Linux box are configured with 192.168.1.121 and 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses the company router (192.168.1.120) and 192.168.1.122 accesses the company LAN (192.168.1.0/24)
>> From what i've googled, this shouldn't even be possible, everything is on the same subnet. Regardless, it works great, and if i went and got an OpenBSD rig to replace the old Linux rig, it would have to retain this networking scheme, we can't afford to reconfigure the entire network just for switching our firewall.
>
>NO, you can't afford to avoid switching your firewall because of a misconfigured network.
>
>Your network is broke NOW. If that old box dies or gets rooted (if it hasn't been already), you will be looking at a lot bigger problems than renumbering a network.
>
>> I know we could use a network bridge, but we need the caching nameserver functionality.
>
>Not everything has to be in one box. I don't know how big your company is, but I'm sure you have spare boxes lying around you can use as a DNS resolver/server. Split the task up if you need to. Or..put an IP address on one leg of the bridge. Lots of options.
>
>> I'm an all round Unix guy, but i'm a bit green on the routing department.
>>
>> Can an OpenBSD box be configured the same way the Linux box is so it can be a drop-in replacement for the Linux box? I can of course depict in further detail the configuration of the Linux box (netstat -r to show the routes, ifconfig or whatever).
>
>If your network is dependent upon strange tricks, it is misconfigured. If you can't pull one part out and replace it with another one, it is misconfigured. You should be able to choose the components that serve you best, not "live with the only thing that works".
>
>It is better to fix this on your schedule than to react to a disaster when it happens (note use of the word "when"...)
>
>Keep in mind...rather than renumbering your internal network, you can just re-address your router to a different subnet, then you can put a standard network configuration in place, ta-da, problem solved.
>
>(ew, ick. I might have just thought of how to do what you want with OpenBSD, but the basic idea is so wrong, I don't want to do anything to encourage you to do anything other than FIX YOUR NETWORK PROPERLY).
>
>Nick.
Re: OpenBSD Gateway to replace old Linux gateway
If i set one of the NICs to a 255.255.255.255 netmask (i know it's a "cheat"), say the one that connects to the 192.168.1.0 LAN, won't it be able to connect to the LAN that way?
Also, what if i add an alias to the second NIC of the box and do something like:
192.168.1.120 (Router)
|
192.168.1.121 (1st NIC on the firewall)
|
192.168.0.1 (2nd NIC on the firewall)
|
192.168.1.122 (Alias to 2nd NIC on the firewall)
|
192.168.1.0 Internal Network
On the firewall, 192.168.1.121 and 192.168.0.1 would exchange packets, and 192.168.0.1 and 192.168.1.122 would also exchange packets. All that is needed is a way for the 3 interfaces in the firewall (2 real, 1 alias) to pass packets between themselves. Wouldn't it work this way?
-- Elaconta.com webmaster --
On 7/27/2006, "Stuart Henderson" <[EMAIL PROTECTED]> wrote:
>On 2006/07/26 23:37, elaconta.com Webmaster wrote:
>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122) <-> (192.168.1.0/24) LAN
>
>> From what i've googled, this shouldn't even be possible, everything is on the same subnet. Regardless, it works great, and if i went and got an OpenBSD rig to replace the old Linux rig, it would have to retain this networking scheme, we can't afford to reconfigure the entire network just for switching our firewall.
>
>Ah, it sounds like you're not running DHCP then... If you do get the opportunity sometime, it's probably worth doing (even if you use it to hand out static addresses).
>
>> I know we could use a network bridge, but we need the caching nameserver functionality.
>
>Bridging doesn't prevent this. The main problem area I've seen is with ftp-proxy (some old posts suggested it can work but I've never been able to get it running. ftpsesame isn't as clean but is great in this situation). Running standard services on a box that's also a bridge works ok.
>
>You can probably bridge and on one of the interfaces, set one address as /24, one as /32 alias. If the default route of LAN machines is .122 rather than .120, also turn on inet.ip.forwarding. In that case, packets LAN->router will be routed via 122, packets router->LAN will be bridged. If it doesn't work out, tcpdump (from various points on the network) is your friend.
>
>I guess that the Linux box may be proxy-arp'ing. With Linux proxy-arp can be bound to a certain interface; that's not the case here so it doesn't really work in this situation (you'd be answering ARP requests on the same network the real host is on).
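The addressing layouts proposed in this thread, run through a simplified model of connected routes with longest-prefix match, to show which ones leave the firewall unable to decide at layer 3 which NIC a destination sits behind. This is an added example, not part of any post; the interface names, the LAN hosts 192.168.1.50 and 192.168.2.50, and the /24 mask on 192.168.0.1 are assumptions, and bridging (layer 2) is deliberately not modelled.

```python
import ipaddress

# Layouts discussed in the thread. Interface names are hypothetical.
LINUX_BOX = {            # the existing box: both NICs in 192.168.1.0/24
    "nic1": ["192.168.1.121/24"],
    "nic2": ["192.168.1.122/24"],
}
ALIAS_24 = {             # 192.168.0.1 plus a 192.168.1.122 alias on NIC 2
    "nic1": ["192.168.1.121/24"],
    "nic2": ["192.168.0.1/24", "192.168.1.122/24"],
}
HOST_MASK = {            # the 255.255.255.255 "cheat" on the LAN-side NIC
    "nic1": ["192.168.1.121/24"],
    "nic2": ["192.168.1.122/32"],
}
RENUMBERED = {           # out_if 192.168.1.121, in_if 192.168.2.1, with NAT
    "out_if": ["192.168.1.121/24"],
    "in_if": ["192.168.2.1/24"],
}


def connected_routes(ifaces):
    """Return (network, interface) for every configured address."""
    routes = []
    for name, cidrs in ifaces.items():
        for cidr in cidrs:
            routes.append((ipaddress.ip_interface(cidr).network, name))
    return routes


def shared_subnets(ifaces):
    """Networks that more than one interface claims to be directly on."""
    claimed = {}
    for net, name in connected_routes(ifaces):
        claimed.setdefault(net, set()).add(name)
    return {str(net): sorted(names)
            for net, names in claimed.items() if len(names) > 1}


def egress(ifaces, dst):
    """Interfaces whose connected route is the longest-prefix match for dst.

    More than one name means the routing table alone cannot pick a side;
    an empty list means no connected route covers dst.
    """
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name)
               for net, name in connected_routes(ifaces) if dst in net]
    if not matches:
        return []
    best = max(prefix for prefix, _ in matches)
    return sorted({name for prefix, name in matches if prefix == best})


if __name__ == "__main__":
    layouts = {"linux box": LINUX_BOX, "alias /24": ALIAS_24,
               "host mask": HOST_MASK, "renumbered": RENUMBERED}
    for label, ifaces in layouts.items():
        print(label, "| shared:", shared_subnets(ifaces),
              "| to router:", egress(ifaces, "192.168.1.120"),
              "| to LAN host:", egress(ifaces, "192.168.1.50"))
```

In this model the /32 mask removes the duplicate connected route but also removes any route to LAN hosts through the second NIC, which is why the replies pair that addressing with a bridge.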
Re: OpenBSD gets a "poor score" in security.
Hi jlr0i6sg3t,
On 2006-07-27T19:17, [EMAIL PROTECTED] wrote:
> Someone has written an article under "Information Security News", entitled "Linux patch problems: Your distro may vary". As if OpenBSD were a "Linux distro".
Ok, that's wrong.
> In this article, he compares response times to vulnerabilities and then gives various Linux distros and OpenBSD a "score". OpenBSD came 2nd last, but get this, Ubuntu, the Linux which had the root password logged to disk in the plain from the installer, complete with a community which did not notice this until almost the next release was out... came first!
so what? They are damn fast in response time of broken 'packages'. Don't get me wrong, I really like OpenBSD and I use it frequently, but if I would want an up2date system (including security patches) I choose (Xu|Ku|U)buntu. The article is not about the OS, it's about the applications you run. And it's a fact that OpenBSD is not the fastest delivering updates for broken packages. But who cares, you still have a secure OS. ;-)
so long, Marcus.
Re: sendmail
On Wed, Jul 26, 2006 at 10:43:38PM -0600, David B. wrote:
> sorry to bother, can anyone suggest a definitive book I should buy on how to set up Sendmail on Openbsd 3.8?
You might want to read the O'Reilly "sendmail Cookbook" as an introduction, but there's no substitute for reading and understanding the docs.
Regards, Andrew Dalgleish
Re: OpenBSD Gateway to replace old Linux gateway
It's not a bridge because i can SSH to any of the IPs of the Linux box (192.168.1.121 or 192.168.1.122) from the local network (and only one of the NICs in the box is directly connected to the LAN). From what i know, bridges have no IP addresses. Or am i wrong?
-- Elaconta.com webmaster --
On 7/26/2006, "Spruell, Darren-Perot" <[EMAIL PROTECTED]> wrote:
>From: [EMAIL PROTECTED]
>> Now, thing is, the Linux firewall has two NICs:
>>
>> NIC 1: 192.168.1.121
>> NIC 2: 192.168.1.122
>>
>> The two NICs on the Linux box are configured with 192.168.1.121 and 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses the company router (192.168.1.120) and 192.168.1.122 accesses the company LAN (192.168.1.0/24)
>> From what i've googled, this shouldn't even be possible, everything is on the same subnet. Regardless, it works great
>
>Makes you wonder if the Linux box isn't configured as a bridge anyway (the only way I can see it would work in that configuration because as a L3 device it seems unlikely to function right.) Certainly information from the routing table and interface configuration would be useful if someone wanted to stomach it.
>
>Although one wonders why you wouldn't do the "right" thing and reconfigure it. Why perpetuate bad practice if you don't have to? Schedule some down time one night, jot down an implementation plan, and roll with it. Improve things.
>
>Usually I find that when someone balks at giving you information about how they set something up, it's because they want to hide how bad they did it. You've probably got a bad setup that has managed to squeak by because of some hack he's put in. Root that problem out, set it up according to best practice, and put yourself in a better place to move forward.
>
>Or maybe it's just bridging and has IPs and it's not broke. I don't know.
>
>My 2 cents.
>
>DS
Re: OpenBSD gets a "poor score" in security.
On Thu, 27 Jul 2006, [EMAIL PROTECTED] wrote:

> Someone has written an article under "Information Security News", entitled "Linux patch problems: Your distro may vary". As if OpenBSD were a "Linux distro". In this article, he compares response times to vulnerabilities and then gives various Linux distros and OpenBSD a "score".
>
> OpenBSD came 2nd last, but get this, Ubuntu, the Linux which had the root password logged to disk in the plain from the installer, complete with a community which did not notice this until almost the next release was out... came first! Good job Edmund!
>
> This is one of the worst articles on security I have ever read. Talk about missing the point.
>
> http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1202417,00.html

I filled in some comments in the "Contact Us" page, under the category "Contact the editors". I'm going to call them and see what it takes to become a contributor (apparently not much) and submit a review of OpenBSD's security stance.

If you do send something in, be polite. We're not a bunch of raving loonies.

Ciao
--Louis
Multiple IP addresses with different mask on 1 interface
Hi there!

Is it possible to assign many IP addresses (aliases) on one interface but each IP address to be in different class and netmask? For example:

dc0: 192.168.168.1 netmask 255.255.255.0
alias 10.1.0.1 netmask 255.255.0.0
Re: sendmail
If any of you old timers see any errors in my suggestions, please point them out. I am fairly new myself, and my two mailservers have been running fine for 6+ months with this setup, but I still have a LOT to learn.

David B. wrote:
> sorry to bother, can anyone suggest a definitive book I should buy on how to set up Sendmail on Openbsd 3.8?

I didn't need a book. What I did was:

logged in as root...

1) /etc/inetd.conf
uncomment both pop3 lines
...so you can retrieve email from your Desktop machine, with Thunderbird or any other POP3-type email reader.
restart inet.d
kill -HUP `cat /var/run/inetd.pid`
...then make sure pop3 is present in /etc/services

2) /etc/rc.conf
confirm that '-bd' is before -q30m on sendmail flags line
then, change 'localhost.cf' to 'sendmail.cf'
...this permits sendmail to send and receive on the Internet, instead of just on your local machine.
then, use the command
# crontab -u root -e
to open root's crontab file, and comment out the sendmail line '/30** etc.

3) /etc/mail/virtusertable
add some email users accounts... but first, you have to create actual user accounts, in /home, if they do not already exist:
[EMAIL PROTECTED] user1
[EMAIL PROTECTED] crazyname
...then rebuild the database with the command included in the comments in the virtusertable.

4) /etc/mail/aliases
If you want to receive email for root, and the other machine identities, on one of your accounts from the virtusertable, add that user to the aliases file, so that root, etc., email will be retrieved along with user1 or crazyname's email... nice for seeing your various logs, every morning.

5) /etc/mail/local-host-names
Unless you are accepting email for other machines, IIRC, you should not have to add anything to this file.

> They don't seem to explain how to "name" the server either. My URL will be quikadz.com, and I can turn on port 25 in my firewall (smoothwall) and forward it to the internal IP, but how do I tell the server it's supposed to accept the email for quikadz.com?

You name your machine when you are installing the operating system, by giving it a Fully Qualified Domain Name, like webserver.robertwittig.net

In order to do this, you must have already purchased the domain name. Also, you will have to then go to your Registrar (GoDaddy, Network Solutions, etc), and configure the mail settings, so that they point to the machine, like:

Priority  Host  Goes To                     TTL
0         @     webserver.robertwittig.net  3600

...but with your machine name.

> anyway, so I don't waste anyone's time asking a bunch of beginner questions back and forth, any suggestions on a book to buy would help tremendously.

I do own the O'Reilly book 'Sendmail', but that book really is for sendmail hackers... people who mess with the internal stuff that sendmail does, which is far more complicated than what is required to just set the application up to send and receive email.

--
-wittig http://www.robertwittig.com/ . http://robertwittig.net/
Re: sendmail
On 7/27/06, David B. <[EMAIL PROTECTED]> wrote:
> sorry to bother, can anyone suggest a definitive book I should buy on how to set up Sendmail on Openbsd 3.8?
>
> I have looked all over the net for a HOWTO or an article that steps me through how to set up a user account and password, and then how to retrieve it (look at it on the server), but all the articles go on and on on how to download it, compile it and install it; none of them tell me how to use it. The articles talk about just every possible subject except how to simply create a user/password account, and then tell you where the email is supposed to be on the server, and then how to look at it.

read and understand in this order:

man afterboot
/usr/share/sendmail/README
documentation on sendmail.org

this _will_ serve you far better than any step-through-howto

--knitti
Re: sendmail
2006/7/27, David B. <[EMAIL PROTECTED]>:
> sorry to bother, can anyone suggest a definitive book I should buy on how to set up Sendmail on Openbsd 3.8?

Start with /usr/share/sendmail/README. It's dense, but has a wealth of information. And then there is http://sendmail.org/doc/sendmail-current/doc/op/op.pdf

Best
Martin
Re: Trying to locate file gif.h and others
On 2006/07/27 09:46, Michael C wrote:
> Can anyone provide information to help me please, another file I can not
> find is bridge.h!

Try compiling a kernel. It's generated by config(8).
Re: Trying to locate file gif.h and others
> Can anyone provide information to help me please, another file I can not
> find is bridge.h!

These files are generated by config(8) in the kernel compilation directory when you build a kernel. They define the appropriate value for the NGIF and NBRIDGE symbols, depending on whether these features are configured in your kernel or not.

Userland code should not reference or include these files.

Miod
Trying to locate file gif.h and others
Hi,

I have searched the whole src tree and different codelines but cannot locate this file (amongst others). This file is user included from the directory of the source but is not physically there. There is another file with a similar name in the same directory (in_gif.h) and also other directories (if_gif.h & in6_gif.h).

My feeling is that one of these other files gets renamed to gif.h depending on the build being performed. My problem is that not being familiar with the build system I don't know where to look to confirm my suspicions or not.

Can anyone provide information to help me please, another file I can not find is bridge.h!

I am not trying to compile OpenBSD, just looking at certain subsystems. I understand that everything works in regards to build.

Thanks
Michael
4.0-beta
Did I miss something somewhere? I just updated my system from src, and imagine my surprise when I saw 4.0-beta on bootup. I can't wait to see what goodies you've been holding back for the 4.0 release. ;)

Congrats on the momentum, and thanks for the good work.

--Bryan
OpenBSD gets a "poor score" in security.
Someone has written an article under "Information Security News", entitled "Linux patch problems: Your distro may vary". As if OpenBSD were a "Linux distro". In this article, he compares response times to vulnerabilities and then gives various Linux distros and OpenBSD a "score".

OpenBSD came 2nd last, but get this, Ubuntu, the Linux which had the root password logged to disk in the plain from the installer, complete with a community which did not notice this until almost the next release was out... came first! Good job Edmund!

This is one of the worst articles on security I have ever read. Talk about missing the point.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1202417,00.html
Re: sendmail
http://www.pingwales.co.uk/2005/06/03/OpenBSD-mail-server-config.html

/bkw

On 27/07/06, David B. <[EMAIL PROTECTED]> wrote:
> sorry to bother, can anyone suggest a definitive book I should buy on how to set up Sendmail on Openbsd 3.8?
>
> I have looked all over the net for a HOWTO or an article that steps me through how to set up a user account and password, and then how to retrieve it (look at it on the server), but all the articles go on and on on how to download it, compile it and install it; none of them tell me how to use it. The articles talk about just every possible subject except how to simply create a user/password account, and then tell you where the email is supposed to be on the server, and then how to look at it.
>
> They don't seem to explain how to "name" the server either. My URL will be quikadz.com, and I can turn on port 25 in my firewall (smoothwall) and forward it to the internal IP, but how do I tell the server it's supposed to accept the email for quikadz.com?
>
> anyway, so I don't waste anyone's time asking a bunch of beginner questions back and forth, any suggestions on a book to buy would help tremendously.
>
> thanks

--
/Bachman
Re: [OT] What do you use for MIME email?
> Because Theo uses mail(1) so clearly it's good enough for everyone?
>
> Who knows.

By the way, I wonder what email client Theo uses on a daily basis. There is no x-mailer/x-user-agent in his email headers...