Listar command results: -- No attachments (even text) are allowed --
Request received for list 'amaya' via request address.

>> Dear user of ml.free.fr,
Unknown command.
>> Your account was used to send a large amount of spam during this week.
Unknown command.
>> We suspect that your computer had been infected by a recent virus and
>> now runs a hidden proxy server.
Unknown command.
>> Please follow the instruction in the attached file in order to keep
>> your computer safe.
Unknown command.
>> Sincerely yours,
Unknown command.
>> ml.free.fr support team.
Unknown command.

---
Gestionnaire de liste Listar/0.42 - fin de traitement/job execution complete.
Re: it has arrived!
On 10/26/06, Karsten McMinn <[EMAIL PROTECTED]> wrote: On 10/26/06, Greg Thomas <[EMAIL PROTECTED]> wrote: > > Can't wait to see the wireframe Puffy sticker from the audio CD! > > > > Nice! > > http://2fortheroad.net/puffy.jpg dyin over here on the west coast. In desperation I attached a puffy earlier today. more puffy pr0n: http://www.mcminndigital.com/puffy.jpg I'm about 25 miles from the Pacific. Ordered on 10/1. Love OpenVOX on the audio CD, btw. Greg
Re: it has arrived!
On 10/26/06, Greg Thomas <[EMAIL PROTECTED]> wrote: > Can't wait to see the wireframe Puffy sticker from the audio CD! > Nice! http://2fortheroad.net/puffy.jpg dyin over here on the west coast. In desperation I attached a puffy earlier today. more puffy pr0n: http://www.mcminndigital.com/puffy.jpg
Microsoft Optical USB mouse
I've been playing with my USB mouse, trying to get it to work. I've found one message in the archives (unanswered) asking about this exact mouse, a Microsoft Comfort Optical Mouse 3000. I'd like to get this working, and would appreciate any applications of a cluestick or other ideas.

It is probed by the kernel:

    uhidev0 at uhub1 port 2 configuration 1 interface 0
    uhidev0: Microsoft Microsoft Optical Mouse with Tilt Wheel, rev 2.00/1.20, addr 2, iclass 3/1
    uhidev0: 24 report ids
    ums0 at uhidev0 reportid 17: 3 buttons and Z dir.
    wsmouse1 at ums0 mux 0
    uhid0 at uhidev0 reportid 18: input=0, output=0, feature=1
    uhid1 at uhidev0 reportid 19: input=1, output=0, feature=0
    uhid2 at uhidev0 reportid 23: input=0, output=0, feature=1
    uhid3 at uhidev0 reportid 24: input=0, output=0, feature=1

usbdevs -dv shows

    Controller /dev/usb1:
    addr 1: full speed, self powered, config 1, OHCI root hub(0x), ATI(0x1002), rev 1.00
    uhub1
    port 1 powered
    port 2 addr 2: low speed, power 100 mA, config 1, Microsoft Optical Mouse with Tilt Wheel(0x00d1), Microsoft(0x045e), rev 1.20
    uhidev0
    port 3 powered
    port 4 powered

I've added the USB dev to /usr/src/sys/dev/usb/usbdevs and rebuilt the header files and the kernel, noting the message in the file that it won't help. It did add an extra "Microsoft" in the probe message, as it would seem to be expected.
I've attached the diff, if there is any interest: Index: usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.226 diff -c -r1.226 usbdevs *** usbdevs 2006/10/19 16:53:48 1.226 --- usbdevs 2006/10/27 04:19:57 *** *** 1501,1506 --- 1501,1507 product MICROSOFT INETPRO 0x002b Internet Keyboard Pro product MICROSOFT MN510 0x006e MN510 Wireless product MICROSOFT MN110 0x007a 10/100 Ethernet + product MICROSOFT OPTICAL 0x00d1 Optical Mouse /* Microtech products */ product MICROTECH SCSIDB250x0004 SCSI-DB25 And a full dmesg: OpenBSD 4.0-current (GENERIC) #1: Wed Oct 25 14:24:34 PDT 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC real mem = 1071902720 (1046780K) avail mem = 906502144 (885256K) using 22937 buffers containing 107397120 bytes (104880K) of memory mainbus0 (root) bios0 at mainbus0: SMBIOS rev. 2.31 @ 0xd7810 (34 entries) bios0: Hewlett-Packard Pavilion dv8000 (EP454UA#ABL) cpu0 at mainbus0: (uniprocessor) cpu0: AMD Turion(tm) 64 Mobile Technology ML-37, 1994.54 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: PowerNow! 
K8 1994 MHz: speeds: 2000 1800 1600 800 MHz pci0 at mainbus0 bus 0: configuration mode 1 pchb0 at pci0 dev 0 function 0 "ATI RS480 Host" rev 0x01 ppb0 at pci0 dev 1 function 0 "ATI RS480 PCIE" rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 5 function 0 "ATI Radeon XPRESS 200M" rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) ppb1 at pci0 dev 4 function 0 "ATI RS480 PCIE" rev 0x00 pci2 at ppb1 bus 2 ohci0 at pci0 dev 19 function 0 "ATI IXP400 USB" rev 0x00: irq 11, version 1.0, legacy support usb0 at ohci0: USB revision 1.0 uhub0 at usb0 uhub0: ATI OHCI root hub, rev 1.00/1.00, addr 1 uhub0: 4 ports with 4 removable, self powered ohci1 at pci0 dev 19 function 1 "ATI IXP400 USB" rev 0x00: irq 11, version 1.0, legacy support usb1 at ohci1: USB revision 1.0 uhub1 at usb1 uhub1: ATI OHCI root hub, rev 1.00/1.00, addr 1 uhub1: 4 ports with 4 removable, self powered ehci0 at pci0 dev 19 function 2 "ATI IXP400 USB2" rev 0x00: irq 11 usb2 at ehci0: USB revision 2.0 uhub2 at usb2 uhub2: ATI EHCI root hub, rev 2.00/1.00, addr 1 uhub2: 8 ports with 8 removable, self powered piixpm0 at pci0 dev 20 function 0 "ATI IXP400 SMBus" rev 0x11: SMI iic0 at piixpm0 pciide0 at pci0 dev 20 function 1 "ATI IXP400 IDE" rev 0x00: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors wd1 at pciide0 channel 0 drive 1: wd1: 16-sector PIO, LBA, 76319MB, 156301488 sectors wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5 wd1(pciide0:0:1): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, DMA mode 2 pcib0 at pci0 dev 20 function 3 "ATI IXP400 ISA" rev 0x00 ppb2 at pci0 dev 20 function 4 "ATI IXP400 PCI" rev 0x00 pci3 at ppb2 bus 6 iwi0 at pci3 
dev 2 function 0 "Intel PRO/Wireless 2915ABG" rev 0x05: irq 10
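Review bot: In the usbdevs diff in this message, the added entry "product MICROSOFT OPTICAL 0x00d1 Optical Mouse" uses a symbol and description that are too generic for the device it names. The usbdevs -dv output in the same message reports 0x00d1 as "Optical Mouse with Tilt Wheel", so a symbol and description that identify the tilt-wheel model would avoid a clash if another Microsoft optical mouse is added later. Placement after 0x007a keeps the Microsoft block ordered by product id. As the poster notes, the entry only affects the name printed at probe time, so the commit message should say that it does not change how the device attaches.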
Re: it has arrived!
On 10/26/06, Greg Thomas <[EMAIL PROTECTED]> wrote: My GF just called and it has arrived, 2 CD sets, an audio CD, and another wireframe tshirt. Can't wait to see the wireframe Puffy sticker from the audio CD! Nice! http://2fortheroad.net/puffy.jpg
Re: NOD32 Antivirus and OpenBSD?
On Thursday 26 October 2006 20:16, smith wrote:
> > Some people like to run antivirus software on UNIX boxes to ensure
> > they're not carriers for Windows viruses, etc. Personally, I
> > think it should be the responsibility of the Windows users to secure
> > their own machines rather than relying on the kindness of others.
> >
> > -Damian
>
> I second that. Why waste server resources and decrease server security,
> when all Windows machines should be running their own antivirus software to
> begin with.

Why? Because an OpenBSD system isn't subject to the possibility of being co-opted as a Windows machine can, that's why. Different perspectives are a good thing.

--STeve Andre'
Re: Lenovo notebooks
I Just bought a Lenovo 3000 N100 768 DKU most everything works fine however this notebook has an Intel Core Duo and the networking hardware times out on the bsd.mp kernel

I JUST posted a message with both dmesg's to the misc list

Sam Fourman Jr.

On 10/26/06, ropers <[EMAIL PROTECTED]> wrote:

On 26/10/06, stuartv <[EMAIL PROTECTED]> wrote:
> >On 10/26/06, Johan P. Lindström <[EMAIL PROTECTED]> wrote:
> >>
> >> You should really get yours too, not buying the CD's will not improve
> >> the hardware support now will it?
> >
> >
> >The way it works here is "boss, I need to buy an openbsd license for each
> >openbsd box we run. It's $50 each, + shipping. Sign here please".
> >
> >Speaking of that, I need to get off my ass and buy my 4.0 licenses already.
> >
>
> Awww... Too late for that for me, I had to use the whole "Look Boss, it's
> free" line along with plenty of documentation that OpenBSD is as secure as
> it gets for them to let me put in the first OpenBSD box. They are pretty
> happy with them so far. I'm going to try to hit them up with the whole
> "Wouldn't it be nice to support such a great project that we use so much"
> argument as soon as things slow down here a bit and there is time to chat.
> That should work.
>
> stuart

That's what I'm planning to do as well... but it may be a pipe dream -- the single small department that I sysadmin for on a part time basis took a lot of convincing to even let me put in that one OpenBSD firewall... OTOH, if I wait half a year and we haven't gotten the Windows 2003 server rootkitted again by that time, I may have a much stronger case. "Look guys, this seems to be doing us some good right here..."

It prolly works in OpenBSD's advantage that the software can be paid for after the fact. You wouldn't believe the politics and red tape that's getting in the way of buying and deploying just about any additional security product. "We've already got our antivirus program, now why would we want to buy an antispyware program.?" "We're already using Firefox, now why do we need a firewall?" Slightly embellished, but in the broad strokes that's what took place. I am not making this up.
Intel Core Duo bsd.mp kernel problem on current 10-22-2006
I just bought a Lenovo 3000 N100 Model 768-DKU Notebook PC it has a Intel Core Duo it appears to work fine on bsd kernel but networking does not work on bsd.mp the devices time out dhcp won't work here is a dmesg for bsd OpenBSD 4.0-current (GENERIC) #1172: Sun Oct 22 20:45:57 MDT 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz ("GenuineIntel" 686-class) 1.67 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CX16 cpu0: unknown Enhanced SpeedStep CPU, msr 0x06130a2506000613 cpu0: using only highest and lowest power states cpu0: Enhanced SpeedStep 1000 MHz (1004 mV): speeds: 1667, 1000 MHz real mem = 526544896 (514204K) avail mem = 472330240 (461260K) using 4256 buffers containing 26451968 bytes (25832K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(e5) BIOS, date 02/17/09, BIOS32 rev. 0 @ 0xfd610, SMBIOS rev. 2.4 @ 0xdc010 (42 entries) bios0: LENOVO CAPELL VALLEY(NAPA) CRB pcibios0 at bios0: rev 2.1 @ 0xfd610/0x9f0 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdee0/256 (14 entries) pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00) pcibios0: PCI bus #4 is the last bus bios0: ROM list: 0xc/0xe600! 0xce800/0x1000 0xdc000/0x4000! 0xe/0x1800! cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel 82945GM MCH" rev 0x03 vga1 at pci0 dev 2 function 0 "Intel 82945GM Video" rev 0x03: aperture at 0xd020, size 0x1000 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) "Intel 82945GM Video" rev 0x03 at pci0 dev 2 function 1 not configured azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: irq 11 azalia0: host: High Definition Audio rev. 1.0 azalia0: codec: 0x04x/0x11d4 (rev. 
5.0), HDA version 1.0 azalia0: RIRB time out audio0 at azalia0 ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02 pci2 at ppb1 bus 2 wpi0 at pci2 dev 0 function 0 "Intel PRO/Wireless 3945ABG" rev 0x02: irq 7, address 00:18:de:2c:a8:a3 uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: irq 5 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: irq 10 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: irq 11 usb2 at uhci2: USB revision 1.0 uhub2 at usb2 uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x02: irq 10 usb3 at uhci3: USB revision 1.0 uhub3 at usb3 uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub3: 2 ports with 2 removable, self powered ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x02: irq 5 ehci0: timed out waiting for BIOS usb4 at ehci0: USB revision 2.0 uhub4 at usb4 uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1 uhub4: 8 ports with 8 removable, self powered ppb2 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xe2 pci3 at ppb2 bus 3 rl0 at pci3 dev 1 function 0 "Realtek 8139" rev 0x10: irq 10, address 00:0f:b0:cc:44:41 rlphy0 at rl0 phy 0: RTL internal PHY cbb0 at pci3 dev 4 function 0 "ENE CB-1410 CardBus" rev 0x01pci_intr_map: no mapping for pin A : couldn't map interrupt "Ricoh 5C832 Firewire" rev 0x00 at pci3 dev 6 function 0 not configured sdhc0 at pci3 dev 6 function 1 "Ricoh 5C822 SD/MMC" rev 0x19: irq 5 sdmmc0 at sdhc0 "Ricoh 5C843" rev 0x01 at pci3 dev 6 function 2 not configured "Ricoh 5C592 Memory Stick" rev 0x0a 
at pci3 dev 6 function 3 not configured "Ricoh 5C852 xD" rev 0x05 at pci3 dev 6 function 4 not configured ichpcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02: PM disabled pciide0 at pci0 dev 31 function 2 "Intel 82801GBM SATA" rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x02: irq 10 iic0 at ichiic0 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 npx0 a
OpenBSD Wiki
Dudes,

Many months ago I started a website called OpenBSD-Wiki (located at http://www.openbsd-wiki.org). The original goal was pretty selfish: Document what it took to get my systems going so I wouldn't forget. I'm not a complete moron (eek! I hope!), but I'm nowhere near as skilled as many on this list -- so I needed some documentation for myself. Wiki seemed to make the most sense, especially considering that many articles on the web are out of date and could use some minor (and sometimes major) adjustments.

As I lurked the misc@ list, I found some pretty helpful things, emailed the offer off-list asking if their works can be placed on that site released under the BSD license and so far everyone I've asked has been kind enough to say yes. Anyone is welcome to create articles or create content they think is useful for other people to know (so long as either you or the original author will release it under the BSD license).

As far as how things should be organized and all that, I haven't entirely thought that through and am open to suggestions. My original thoughts were to make it close to the Gentoo-Wiki project (located at: http://www.gentoo-wiki.org). I've been pretty busy lately and haven't had time to produce as many articles as I'd like but I'm also waiting for the 4.0 CD to arrive (it's already shipped and I have a tracking number! yay! I'm excited!) and I will update as many articles to that as possible.

I lack design abilities, so any criticism is welcome. Well _any_ criticism is welcome. I'm trying to figure out a sane method to extract the articles into being a plain-text dump, so everyone can take copies if they need, once I get that figured out I'll post on the site.

Those that have already contributed or allowed me to take their articles and place them there, I thank you very much and would like to say: You rock!

One final thing, this is hosted off of my SBC DSL Business Elite line. This means I have 3-6mb down and 384-618 up (static IP's), so if the lines start getting clogged too hard then I'm willing to pay for some real hosting -- so no worries.

--Kenny
Re: trouble setting up a freebsd program
On Thursday 26 October 2006 20:14, Andrew Daugherity wrote:
> First, read through the compat_freebsd (8) man page.
>
> Some points to note:
> -The 'ldd' command being run in your excerpts is most likely the
> OpenBSD /usr/bin/ldd, which is not going to work properly with
> binaries compiled for other OSes. You need a FreeBSD 'ldd' binary;
> preferably as /emul/freebsd/usr/bin/ldd. (Note that the ldd examples
> in the compat_freebsd(8) man page refer to running ldd on a FreeBSD
> system.) Symlinking that to something like
> /usr/local/bin/ldd-freebsd, so you can then invoke it as
> 'ldd-freebsd', avoiding any confusion, is also a good idea.
>
> -I assume you have the emulators/freebsd_lib port/pkg already
> installed. I don't see usr/bin/ldd in the PLIST, so you may want to
> grab that from a FreeBSD 4.11 machine or FTP archive (since that is
> the version of libraries in the freebsd_lib pkg).
>
> -FreeBSD programs and files don't have to live under /emul/freebsd,
> but it's a good idea. If they include files also in the OpenBSD
> system, they must go there so they don't clobber the OpenBSD files.
>
> Most of the same concepts also apply to Linux emulation.
>
>
> -Andrew

hi andrew,

thank you for your reply. after about 48 hours of pondering, researching, and testing how to get this working, i changed gears earlier today and tried the linux version of the netbackup client (with compat_linux). as i did with compat_freebsd, i followed the man page closely, and much to my surprise, the linux version of the client worked on the first shot.

i left off on the freebsd libraries where ldd /usr/openv/netbackup/bin/bpcd would specify that it could not find its 4 libraries, then ldconfig-freebsd -r|grep libkvm would that that /usr/lib/libkvm.so.2 (the exact version bpcd was specifying actually, and found under /emul/freebsd/) was successfully loaded into the library cache. this setting held thru a reboot after a ldconfig-freebsd -m /usr/lib. i ended up throwing my arms in the air on that one, which i hated doing (yuck... a linux binary! ewww! *wink*)

cheers,
jonathan
it has arrived!
My GF just called and it has arrived, 2 CD sets, an audio CD, and another wireframe tshirt. Can't wait to see the wireframe Puffy sticker from the audio CD! Unfortunately I'll be here at work for another couple of hours working on our web parsing of the local county websites in prep for the elections. Greg
Re: trouble setting up a freebsd program
First, read through the compat_freebsd (8) man page.

Some points to note:

-The 'ldd' command being run in your excerpts is most likely the OpenBSD /usr/bin/ldd, which is not going to work properly with binaries compiled for other OSes. You need a FreeBSD 'ldd' binary; preferably as /emul/freebsd/usr/bin/ldd. (Note that the ldd examples in the compat_freebsd(8) man page refer to running ldd on a FreeBSD system.) Symlinking that to something like /usr/local/bin/ldd-freebsd, so you can then invoke it as 'ldd-freebsd', avoiding any confusion, is also a good idea.

-I assume you have the emulators/freebsd_lib port/pkg already installed. I don't see usr/bin/ldd in the PLIST, so you may want to grab that from a FreeBSD 4.11 machine or FTP archive (since that is the version of libraries in the freebsd_lib pkg).

-FreeBSD programs and files don't have to live under /emul/freebsd, but it's a good idea. If they include files also in the OpenBSD system, they must go there so they don't clobber the OpenBSD files.

Most of the same concepts also apply to Linux emulation.

-Andrew
Re: IP-IP with ipsecctl problem
I had the same problem! I've not tried it much but I have almost the same configuration. I couldn't find much information about setting ipip on the new ipsec.conf either.

Alejandro.

Martín Coco wrote:

Hi,

I am trying to build IP-IP flows with the new ipsecctl tool. I have two OpenBSD 4.0 snapshots running in different vmware virtual machines, attached to the same network.

Box 1 has the following configuration:

    fw_1 = "10.0.0.1/32"
    fw_2 = "10.0.0.2/32"
    flow ipip from $fw_1 to $fw_2
    ipip from $fw_1 to $fw_2 spi 0x:0x1110

And Box 2:

    fw_1 = "10.0.0.1/32"
    fw_2 = "10.0.0.2/32"
    flow ipip from $fw_2 to $fw_1
    ipip from $fw_2 to $fw_1 spi 0x1110:0x

When I ping from either machine to the other having these flows/associations in place, I can see the following on the receiving end (using tcpdump):

In Box 1

    # ping 10.0.0.2

In Box 2

    # tcpdump -ni pcn0
    tcpdump: listening on pcn0, link-type EN10MB
    17:44:01.570028 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
    17:44:02.610017 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
    17:44:03.590016 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
    17:44:04.590479 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)
    17:44:05.610017 10.0.0.1 > 10.0.0.2: icmp: echo request (encap)

And the reply is never sent from box 2. I've tried to set net.inet.ipip.allow to 1, but it's the same story. pf is disabled. I've also tried tcpdump on the enc0 interface (after bringing it up), but I don't see anything there either.

I was successful in setting up ipsecctl to use esp flows though. The thing is that I didn't find any examples using ipip with ipsecctl.

Any clues?

Thanks,
Martín.

__ NOD32 1.1831 (20061024) Information __
This message was checked by NOD32 antivirus system.
http://www.eset.com
Re: NOD32 Antivirus and OpenBSD?
> Some people like to run antivirus software on UNIX boxes to ensure
> they're not carriers for Windows viruses, etc. Personally, I
> think it should be the responsibility of the Windows users to secure
> their own machines rather than relying on the kindness of others.
>
> -Damian

I second that. Why waste server resources and decrease server security, when all Windows machines should be running their own antivirus software to begin with.
Re: auditing when permissions are changed
Hi,

On Thursday, 26. October 2006 23:07, ropers wrote:
> Hi,
>
> This is a sorta n00bish question, but I've just discovered that unlike
> what I've always assumed to be the case, changing a file's permissions
> doesn't touch its last modified time/date stamp.
>
> Is there any way to find out when a file's permissions were last modified?

I'm using AIDE, it's in ports and there is a package. The newest version is 0.11, which I think is not yet in ports.

kind regards,
Tobias W.
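Added example (not part of the thread and not AIDE's code): on Unix, chmod updates the inode change time (st_ctime) and leaves the modification time alone, and ctime only holds the most recent inode change of any kind, so a recorded baseline is needed to say what changed. The Python sketch below records such a baseline for a constructed temporary file and reports which attributes differ after a chmod and after a rewrite; all function names are illustrative.

```python
import hashlib
import os
import stat
import tempfile
import time


def snapshot(path):
    """Record the attributes a file-integrity baseline would keep for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,        # last content modification
        "ctime_ns": st.st_ctime_ns,        # last inode change (Unix semantics)
        "sha256": digest,
    }


def changed_fields(old, new):
    """Names of the recorded attributes that differ between two snapshots."""
    return sorted(k for k in old if old[k] != new[k])


def classify(changed):
    """Coarse verdict for a baseline comparison."""
    fields = set(changed)
    if fields & {"sha256", "size"}:
        return "content"
    if fields & {"mode", "uid", "gid"}:
        return "permissions"
    if fields & {"ctime_ns", "mtime_ns"}:
        return "inode-only"   # e.g. rename, link-count change or touch
    return "none"


def demo(settle=1.1):
    """chmod, then rewrite, a constructed sample file and compare each time.

    settle is the pause in seconds between steps so that filesystems with
    coarse (up to one second) timestamps still record distinct times.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.conf")   # constructed sample file
        with open(path, "w") as fh:
            fh.write("listen_on=127.0.0.1\n")
        os.chmod(path, 0o644)
        baseline = snapshot(path)

        time.sleep(settle)
        os.chmod(path, 0o600)                     # permissions change only
        after_chmod = snapshot(path)
        perm_changes = changed_fields(baseline, after_chmod)

        time.sleep(settle)
        with open(path, "w") as fh:               # content change
            fh.write("listen_on=0.0.0.0\n")
        after_write = snapshot(path)
        content_changes = changed_fields(after_chmod, after_write)

    return ((perm_changes, classify(perm_changes)),
            (content_changes, classify(content_changes)))


if __name__ == "__main__":
    for changes, verdict in demo():
        print(verdict, changes)
```

The comparison shows what changed between two runs, not when; the time resolution is the interval between baseline runs.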
Re: I need help in interpreting some Docs
Joachim Schipper wrote:

I also posted this to the snort users list, [EMAIL PROTECTED], but (sigh) my postings are not making it to the list. Have they changed their list mailing address? I suppose I shouldn't ask that in this forum, but if anyone knows the snort mailing list address, and if it's different, then I need to know that.

I really wouldn't know what snort mailing lists are there, but are you *really* certain that is not just one random guy? a quick google does suggest so, and does suggest that https://lists.sourceforge.net/lists/listinfo/snort-users might be a good place to start (note the [EMAIL PROTECTED]).

I just learned they changed the name of the mailing list, which I joined more than 3 years ago. I'm still getting mail from [EMAIL PROTECTED] but for some reason, sending mail there no longer works, but I did get a different Email, and have since sent this posting to them as well, and confirmed it is working now. I think I've decided to download and test SnortSam and see if it meets my needs. It seems to only support OpenBSD 3.6 (I have 3.8), and have joined the SnortSam mailing list so I can direct my questions to this list as I start learning it.

Ok, thanx for the info when I was playing with Snort, they didn't have this mode.

It's been around for a while, I believe, but has only recently been integrated with the main development branch.

Yea - I'm learning all about these new (and very cool) features. I wasn't expecting to see so many cool enhancements. I'm hoping some future effort might be done to both Snort and OpenBSD to integrate them together in new and interesting ways. I would participate but I don't know these systems well yet.

If they can be answered in the documentation, then please point me to it... the snort docs have more than 150 files, most are not related with what I want to do, some are not titled with names indicative of what they talk about, because I scanned each entry, and read 80% of them, and NO, I didn't find the answers to my questions by reading the docs.

You won't hear me say that the Snort docs are easy to read, but the questions you asked are, in fact, not that difficult to find an answer to.

Q does OpenBSD have IPTables?

man -k iptables; ls -d /usr/ports/*/*iptables* (equivalent web-based systems exist; the openbsd.org page links to the man pages, and ports.openbsd.nu allows you to search the ports system) Alternately, http://www.google.com/search?q=openbsd+iptables; read the synopsis of the first hit, http://www.openbsd.org/faq/faq9.html. As to answering the question whether there is another solution, http://www.google.com/search?q=snort+inline+pf

Q make devel for Snort or IPTables?

this is in the Snort docs, although not terribly clear

yes - this was my perception as well - but I looked at a lot of these docs as well, but I'm just not quite understanding it all yet. It DOES take time to learn new systems, especially if you are over 63. Now if I were a 15 yr old kid, that would most certainly be different, and age discrimination is alive and well

Q can log_tcpdump be read while Snort is running?

The manual also says it's in standard tcpdump format: http://www.snort.org/docs/snort_htmanuals/htmanual_260/node13.html#SECTION003350 However, I'll admit that it might not be obvious that this can be read while Snort is running.

No - there was nothing in the Snort manual that hints if this will work and display the contents of this file, and I sure as heck wasn't going to try it on the only system I have access to, which is a production system. I haven't got everything installed yet, as this is taking me a little longer than I was expecting. I think in few days, I'll have an experimental system I can try things with, without shutting down a production server.

A simple test would give you an affirmative answer; the other solution is to note that tcpdump's files can be read while tcpdump is running, and extrapolate from there.

Q Switching modes?

granted, it might be hard to find a place where it is explicitly said that this doesn't work

I didn't see any.

Questions are, of course, welcome; that's what this list is for, to a certain extent. However, I can't believe you actually tried to find the answer to the IPTables question before posting. (I could see how one would have trouble finding the answer to the other questions.)

I might have been looking in the wrong place - sorry! These things happen.

Also, if you had actually taken a look at the port, /usr/ports/net/snort, you'd have noticed the flexresp option (and the lack of inline option,

I didn't notice it, because how would I know to look for it? I don't even know what a "flexresp" option is and yes, I agree with you that I should use the ports tree, but I WILL need to build snort from source, especially if I intend to use SnortSam, beca
problems installing mysql-python
Hi all, I've been unable to successfully install mysql-python. Here are the details: ## # versions: ## OpenBSD 3.9 stable Python 2.5 MySQL 3.23.58 MySQL-python-1.2.1_p2 ## # build results: ## % python setup.py build running build running build_py creating build creating build/lib.openbsd-3.9-i386-2.5 copying _mysql_exceptions.py -> build/lib.openbsd-3.9-i386-2.5 creating build/lib.openbsd-3.9-i386-2.5/MySQLdb copying MySQLdb/__init__.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb copying MySQLdb/converters.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb copying MySQLdb/connections.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb copying MySQLdb/cursors.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb copying MySQLdb/release.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb copying MySQLdb/times.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb creating build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants copying MySQLdb/constants/__init__.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants copying MySQLdb/constants/CR.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants copying MySQLdb/constants/FIELD_TYPE.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants copying MySQLdb/constants/ER.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants copying MySQLdb/constants/FLAG.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants copying MySQLdb/constants/REFRESH.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants copying MySQLdb/constants/CLIENT.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants running build_ext building '_mysql' extension creating build/temp.openbsd-3.9-i386-2.5 gcc -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -I/usr/local/include/mysql -I/usr/local/include/python2.5 -c _mysql.c -o build/temp.openbsd-3.9-i386-2.5/_mysql.o -Dversion_info="(1,2,1,'final',2)" -D__version__="1.2.1_p2" _mysql.c: In function `_mysql_server_init': _mysql.c:222: warning: unused variable `s' _mysql.c:223: warning: unused variable `cmd_argc' _mysql.c:223: warning: 
unused variable `i' _mysql.c:223: warning: unused variable `groupc' _mysql.c:224: warning: unused variable `item' _mysql.c:298: warning: label `finish' defined but not used _mysql.c: In function `_mysql_escape_dict': _mysql.c:1132: warning: passing arg 2 of `PyDict_Next' from incompatible pointer type gcc -shared -fPIC build/temp.openbsd-3.9-i386-2.5/_mysql.o -L/usr/local/lib/mysql -lmysqlclient -lz -lm -o build/lib.openbsd-3.9-i386-2.5/_mysql.so ## # install results: ## [root]# python setup.py install running install running build running build_py copying MySQLdb/release.py -> build/lib.openbsd-3.9-i386-2.5/MySQLdb running build_ext running install_lib copying build/lib.openbsd-3.9-i386-2.5/_mysql_exceptions.py -> /usr/local/lib/python2.5/site-packages creating /usr/local/lib/python2.5/site-packages/MySQLdb copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/__init__.py -> /usr/local/lib/python2.5/site-packages/MySQLdb copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/converters.py -> /usr/local/lib/python2.5/site-packages/MySQLdb copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/connections.py -> /usr/local/lib/python2.5/site-packages/MySQLdb copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/cursors.py -> /usr/local/lib/python2.5/site-packages/MySQLdb copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/release.py -> /usr/local/lib/python2.5/site-packages/MySQLdb copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/times.py -> /usr/local/lib/python2.5/site-packages/MySQLdb creating /usr/local/lib/python2.5/site-packages/MySQLdb/constants copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants/__init__.py -> /usr/local/lib/python2.5/site-packages/MySQLdb/constants copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants/CR.py -> /usr/local/lib/python2.5/site-packages/MySQLdb/constants copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants/FIELD_TYPE.py -> /usr/local/lib/python2.5/site-packages/MySQLdb/constants copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants/ER.py -> 
/usr/local/lib/python2.5/site-packages/MySQLdb/constants copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants/FLAG.py -> /usr/local/lib/python2.5/site-packages/MySQLdb/constants copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants/REFRESH.py -> /usr/local/lib/python2.5/site-packages/MySQLdb/constants copying build/lib.openbsd-3.9-i386-2.5/MySQLdb/constants/CLIENT.py -> /usr/local/lib/python2.5/site-packages/MySQLdb/constants copying build/lib.openbsd-3.9-i386-2.5/_mysql.so -> /usr/local/lib/python2.5/site-packages byte-compiling /usr/local/lib/python2.5/site-packages/_mysql_exceptions.py to _mysql_exceptions.pyc byte-compiling /usr/local/lib/python2.5/site-packages/MySQLdb/__init__.py to __init__.pyc byte-compiling /usr/local/lib/python2.5/site-packages/MySQLdb/converters.py to converters.pyc byte-compiling /usr/local/lib/python2.5/site-packages/MySQLdb/connections.py to connections.pyc byte-compiling /usr/local/lib/python2.5/site-pa
Re: pf load balancing and failover
Hi Per-Olav, If you are dealing with http based services, rather than generic tcp, then you could take a look at 'pound'. I did a port of it a while back, and use it in pretty large scale environment here, it supports sticky backend etc. Works well for me, YMMV. http://marc.theaimsgroup.com/?l=openbsd-ports&m=115513682623098 /Pete On 26. okt. 2006, at 23.26, Per-Olov Sjöholm wrote: On Thursday 26 October 2006 22:28, Kevin Reay wrote: Hey, On 10/26/06, Pete Vickers <[EMAIL PROTECTED]> wrote: If I recall correctly, You don't. :o) slbd adds new rules to pf for each incoming tcp session. Since I couldn't get it to work (old version) I do not know what the session and Sources tables will look like, but I suspect there will be no problems with them in slbd. Client-server association is maintained by slbd and implemented with separate rules for each tcp session. slbd doesn't maintain separate rules for each tcp session. Client-server association is NOT maintained by slbd. This seems a bit ineffective and rather pointless since pf has the load balancing functionality built in. Which slbd relies on. Slbd just inserts the load balancing rules into pf based on its own config. Then it does the job of health-checking the servers listed in its config file, and removing them from the server list if they go down. The problems with using pf and a health checking script is related to removal of failed backends. There are two separate issues: 1) When using sticky-address in the rdr rules client-server associations are added to the internal Sources table. It is impossible to remove entries for a single backend from this table. If a backend fails and is removed from the rdr destination table this table will have to be flushed, making all clients end up on new backends, which is unacceptable in many configurations. If this table is not cleared then the rdr destination table is not inspected for client IP's found in the Sources table. 
These clients will still be sent to the failed and removed backend. Preferably entries could be removed from this table based on source-IP and backend-IP:backend-port, and maybe even the virtual service IP:port or a pf rule number. Which is what slbd avoids. slbd doesn't use sticky-address for this reason. slbd seems mostly geared for web servers where the web application is written well enough to not need each request to go back to the same server. Kevin Hi Kevin I can come up with 100 reasons for using the same web target server over a whole session and very few for not doing it. Can't see we can use slbd for the ordering system as intended if requests go to just any server in the pool. Or did I miss anything? Regards /Per-Olov
Re: auditing when permissions are changed
On Thu, 26 Oct 2006, ropers wrote: > Hi, > > This is a sorta n00bish question, but I've just discovered that unlike > what I've always assumed to be the case, changing a file's permissions > doesn't touch its last modified time/date stamp. > > Is there any way to find out when a file's permissions were last modified? Inode changes change the ctimestamp. You can look at it using ls -lc or stat(1). stat(2) lists when ctime is updated. -Otto
Re: auditing when permissions are changed
On 26/10/06, Paul de Weerd <[EMAIL PROTECTED]> wrote: On Thu, Oct 26, 2006 at 11:07:49PM +0200, ropers wrote: | Hi, | | This is a sorta n00bish question, but I've just discovered that unlike | what I've always assumed to be the case, changing a file's permissions | doesn't touch its last modified time/date stamp. | | Is there any way to find out when a file's permissions were last modified? Each file on a unix-like filesystem has three different timestamps. Use stat(1) to find out what these are. Cheers, Paul 'WEiRD' de Weerd -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/ Thanks all! :)
Re: auditing when permissions are changed
On Thu, Oct 26, 2006 at 11:07:49PM +0200, ropers wrote: | Hi, | | This is a sorta n00bish question, but I've just discovered that unlike | what I've always assumed to be the case, changing a file's permissions | doesn't touch its last modified time/date stamp. | | Is there any way to find out when a file's permissions were last modified? Each file on a unix-like filesystem has three different timestamps. Use stat(1) to find out what these are. Cheers, Paul 'WEiRD' de Weerd -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: pf load balancing and failover
On Thursday 26 October 2006 22:28, Kevin Reay wrote: > Hey, > > On 10/26/06, Pete Vickers <[EMAIL PROTECTED]> wrote: > > If I recall correctly, > > You don't. :o) > > > slbd adds new rules to pf for each incoming > > tcp session. Since I couldn't get it to work (old version) I do not > > know what the session and Sources tables will look like, but I > > suspect there will be no problems with them in slbd. Client-server > > association is maintained by slbd and implemented with separate rules > > for each tcp session. > > slbd doesn't maintain separate rules for each tcp session. Client-server > association is NOT maintained by slbd. > > > This seems a bit ineffective and rather pointless since pf has the > > load balancing functionality built in. > > Which slbd relies on. Slbd just inserts the load balancing rules into > pf based on its own config. Then it does the job of health-checking > the servers listed in its config file, and removing them from the > server list if they go down. > > > The problems with using pf and a health checking script is related to > > removal of failed backends. There are two separate issues: > > > > 1) When using sticky-address in the rdr rules client-server > > associations are added to the internal Sources table. > > It is impossible to remove entries for a single backend from this > > table. If a backend fails and is removed from the rdr destination > > table this table will have to be flushed, making all clients end > > up on > > new backends, which is unacceptable in many configurations. > > If this table is not cleared then the rdr destination table is not > > inspected for client IP's found in the Sources table. These clients > > will still be sent to the failed and removed backend. > > Preferably entries could be removed from this table based on > > source-IP and backend-IP:backend-port, and maybe even the virtual > > service IP:port or a pf rule number. > > Which is what slbd avoids. 
slbd doesn't use sticky-address for this reason. > slbd seems mostly geared for web servers where the web application > is written well enough to not need each request to go back to the same > server. > > Kevin Hi Kevin I can come up with 100 reasons for using the same web target server over a whole session and very few for not doing it. Can't see we can use slbd for the ordering system as intended if requests go to just any server in the pool. Or did I miss anything? Regards /Per-Olov
Re: Unknown "." dir in a daily insecurity report
On Oct 26, 2006, at 4:04 AM, Otto Moerbeek wrote:

On Thu, 26 Oct 2006, Patrick Rutkowski wrote:

I don't know what I'm supposed to make of this:

=== Start Message ===
Subject: daily insecurity output
Checking special files and directories.
Output format is:
filename: criteria (shouldbe, reallyis)
.: permissions (0755, 0777)
=== End Message ===

Normally I don't get daily insecurity reports, which I take to mean that everything is OK. But for the past two nights I have gotten this one; and I can't figure out what it's trying to tell me. sudo find / -perm 777 will show no output other than when I deliberately create a single chmod 777 file, at which point it will show only that one file. This proves that that find is working properly and that there are, as far as I can tell, no chmod 777 files on my system. The only thing worth mentioning about my system is that it's still running 3.8.

It looks like your / dir has the wrong permissions. -Otto

Yup, that was it; ty :-D
Re: auditing when permissions are changed
On Thu, Oct 26, 2006 at 11:07:49PM +0200, ropers wrote: > Hi, > > This is a sorta n00bish question, but I've just discovered that unlike > what I've always assumed to be the case, changing a file's permissions > doesn't touch its last modified time/date stamp. > > Is there any way to find out when a file's permissions were last modified? Yes, it does modify ctime. Of course, that only helps if your box isn't completely rooted, which might or might not be relevant in this case. Joachim
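An added example (not part of any post in this thread) of the ctime behaviour the replies describe: it keeps a baseline of mode, owner, mtime and ctime, then reports files whose permissions changed while mtime stayed the same. The function names and the sample file are assumptions made for the illustration; it expects a Unix-like system, where `st_ctime` is the inode change time.

```python
import os
import stat
import tempfile
import time


def snapshot(paths):
    """Record mode, owner, mtime and ctime per path (store the result off-host)."""
    base = {}
    for path in paths:
        st = os.lstat(path)
        base[path] = {
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns,
        }
    return base


def audit(baseline):
    """Compare current inode metadata against the baseline and list differences."""
    findings = []
    for path, old in sorted(baseline.items()):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append({"path": path, "kind": "missing"})
            continue
        mode = stat.S_IMODE(st.st_mode)
        mtime_changed = st.st_mtime_ns != old["mtime_ns"]
        ctime_changed = st.st_ctime_ns != old["ctime_ns"]
        if (mode, st.st_uid, st.st_gid) != (old["mode"], old["uid"], old["gid"]):
            kind = "metadata-changed"      # chmod/chown: ctime moves, mtime does not
        elif mtime_changed:
            kind = "content-modified"      # a write: mtime and ctime both move
        elif ctime_changed:
            kind = "inode-touched"         # e.g. chmod away and back again
        else:
            continue
        findings.append({
            "path": path,
            "kind": kind,
            "old_mode": format(old["mode"], "04o"),
            "new_mode": format(mode, "04o"),
            "mtime_changed": mtime_changed,
            "ctime_changed": ctime_changed,
            # ctime holds only the most recent inode change, and only as
            # reported by this host's own kernel and clock.
            "last_inode_change": time.strftime(
                "%Y-%m-%d %H:%M:%S", time.localtime(st.st_ctime)),
        })
    return findings


def demo():
    """Constructed sample: create a file, baseline it, then chmod it to 0777."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed-sample.conf")
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, 0o644)
        base = snapshot([path])
        time.sleep(1.1)  # outlast filesystems with one-second timestamps
        os.chmod(path, 0o777)
        return audit(base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
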
auditing when permissions are changed
Hi, This is a sorta n00bish question, but I've just discovered that unlike what I've always assumed to be the case, changing a file's permissions doesn't touch its last modified time/date stamp. Is there any way to find out when a file's permissions were last modified? regards, --ropers -- www.ropersonline.com
Soundblaster Audigy LS (SE, PCI subsys id = 0x100a1102)
Hi, Any poor soul living in Frankfurt and running Linux or Windows needing a Soundblaster (PCI) card? I have a Soundblaster Audigy LE card to give away as there is no BSD support for this one (checked FreeBSD project as well). I tried "fool"ing around with it, putting support into it, after pretty well copying the Linux driver but it didn't seem to work. This card doesn't seem to be ac97 compatible so no ac97 driver could attach to it. I'm giving it away as it's completely worthless to me. Let me know where to deliver it to, I'll drop it off at your door. Please reply individually as I'm not subscribed to this list. -peter -- Here my ticker tape .signature My name is Peter Philipp lynx -dump "http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394" | sed -n 131,137p http://centroid.eu So long and thanks for all the fish!!!
Re: Lenovo notebooks
On 26/10/06, stuartv <[EMAIL PROTECTED]> wrote: >On 10/26/06, Johan P. Lindström <[EMAIL PROTECTED]> wrote: >> >> You should really get yours too, not buying the CD's will not improve >> the hardware support now will it? > > >The way it works here is "boss, I need to buy an openbsd license for each >openbsd box we run. It's $50 each, + shipping. Sign here please". > >Speaking of that, I need to get off my ass and buy my 4.0 licenses already. > Awww... Too late for that for me, I had to use the whole "Look Boss, it's free" line along with plenty of documentation that OpenBSD is as secure as it gets for them to let me put in the first OpenBSD box. They are pretty happy with them so far. I'm going to try to hit them up with the whole "Wouldn't it be nice to support such a great project that we use so much" argument as soon as things slow down here a bit and there is time to chat. That should work. stuart That's what I'm planning to do as well... but it may be a pipe dream -- the single small department that I sysadmin for on a part time basis took a lot of convincing to even let me put in that one OpenBSD firewall... OTOH, if I wait half a year and we haven't gotten the Windows 2003 server rootkitted again by that time, I may have a much stronger case. "Look guys, this seems to be doing us some good right here..." It prolly works in OpenBSD's advantage that the software can be paid for after the fact. You wouldn't believe the politics and red tape that's getting in the way of buying and deploying just about any additional security product. "We've already got our antivirus program, now why would we want to buy an antispyware program.?" "We're already using Firefox, now why do we need a firewall?" Slightly embellished, but in the broad strokes that's what took place. I am not making this up.
pf load balancing and failover
Hey, On 10/26/06, Pete Vickers <[EMAIL PROTECTED]> wrote: If I recall correctly, You don't. :o) slbd adds new rules to pf for each incoming tcp session. Since I couldn't get it to work (old version) I do not know what the session and Sources tables will look like, but I suspect there will be no problems with them in slbd. Client-server association is maintained by slbd and implemented with separate rules for each tcp session. slbd doesn't maintain separate rules for each tcp session. Client-server association is NOT maintained by slbd. This seems a bit ineffective and rather pointless since pf has the load balancing functionality built in. Which slbd relies on. Slbd just inserts the load balancing rules into pf based on its own config. Then it does the job of health-checking the servers listed in its config file, and removing them from the server list if they go down. The problems with using pf and a health checking script is related to removal of failed backends. There are two separate issues: 1) When using sticky-address in the rdr rules client-server associations are added to the internal Sources table. It is impossible to remove entries for a single backend from this table. If a backend fails and is removed from the rdr destination table this table will have to be flushed, making all clients end up on new backends, which is unacceptable in many configurations. If this table is not cleared then the rdr destination table is not inspected for client IP's found in the Sources table. These clients will still be sent to the failed and removed backend. Preferably entries could be removed from this table based on source-IP and backend-IP:backend-port, and maybe even the virtual service IP:port or a pf rule number. Which is what slbd avoids. slbd doesn't use sticky-address for this reason. slbd seems mostly geared for web servers where the web application is written well enough to not need each request to go back to the same server. Kevin
Re: pf load balancing and failover
Pete Vickers wrote:

1) When using sticky-address in the rdr rules client-server associations are added to the internal Sources table. It is impossible to remove entries for a single backend from this table. If a backend fails and is removed from the rdr destination table this table will have to be flushed, making all clients end up on new backends, which is unacceptable in many configurations. If this table is not cleared then the rdr destination table is not inspected for client IP's found in the Sources table. These clients will still be sent to the failed and removed backend. Preferably entries could be removed from this table based on source-IP and backend-IP:backend-port, and maybe even the virtual service IP:port or a pf rule number.

2) TCP sessions to a failed backend will continue to exist after the backend is removed from the rdr destination table. As of today these sessions can be removed with pfctl by specifying the source and destination IP addresses. Since different services can run on different port numbers on the same machines it should be possible to specify a destination port number as well. I guess that if a backend dies then the client is notified about this just as if it had been speaking directly to the backend, so it might not be necessary to clean out these sessions at all, and maybe even the tcpdrop tool will do the trick?

Anyway, main issue is with removing single sessions from the internal Sources table (as it is called in pfctl(8)).

I've submitted a patch, adding a new ioctl to pf and an implementation to clear src-track entries likewise states (-k 1.1.1.1 -k 2.3.5.0/23). A patched build (smt. between 4.0 and -current) is running in many DCs in my county right now. pfctl.c changed after my submission. I have to fix the patches and post here in case it helps. It needs to get OKs from developers to get into the tree. Last touch with a developer about this patch was with dhartmei on Jul 25. (I'll post it tomorrow)
Re: Lenovo notebooks
>On 10/26/06, Johan P. Lindström <[EMAIL PROTECTED]> wrote: >> >> You should really get yours too, not buying the CD's will not improve >> the hardware support now will it? > > >The way it works here is "boss, I need to buy an openbsd license for each >openbsd box we run. It's $50 each, + shipping. Sign here please". > >Speaking of that, I need to get off my ass and buy my 4.0 licenses already. > Awww... Too late for that for me, I had to use the whole "Look Boss, it's free" line along with plenty of documentation that OpenBSD is as secure as it gets for them to let me put in the first OpenBSD box. They are pretty happy with them so far. I'm going to try to hit them up with the whole "Wouldn't it be nice to support such a great project that we use so much" argument as soon as things slow down here a bit and there is time to chat. That should work. stuart
Re: pf load balancing and failover
Hi, If I recall correctly, slbd adds new rules to pf for each incoming tcp session. Since I couldn't get it to work (old version) I do not know what the session and Sources tables will look like, but I suspect there will be no problems with them in slbd. Client-server association is maintained by slbd and implemented with separate rules for each tcp session. This seems a bit ineffective and rather pointless since pf has the load balancing functionality built in. The problems with using pf and a health checking script is related to removal of failed backends. There are two separate issues: 1) When using sticky-address in the rdr rules client-server associations are added to the internal Sources table. It is impossible to remove entries for a single backend from this table. If a backend fails and is removed from the rdr destination table this table will have to be flushed, making all clients end up on new backends, which is unacceptable in many configurations. If this table is not cleared then the rdr destination table is not inspected for client IP's found in the Sources table. These clients will still be sent to the failed and removed backend. Preferably entries could be removed from this table based on source-IP and backend-IP:backend-port, and maybe even the virtual service IP:port or a pf rule number. 2) TCP sessions to a failed backend will continue to exist after the backend is removed from the rdr destination table. As of today these sessions can be removed with pfctl by specifying the source and destination IP addresses. Since different services can run on different port numbers on the same machines it should be possible to specify a destination port number as well. I guess that if a backend dies then the client is notified about this just as if it had been speaking directly to the backend, so it might not be necessary to clean out these sessions at all, and maybe even the tcpdrop tool will do the trick? 
Anyway, main issue is with removing single sessions from the internal Sources table (as it is called in pfctl(8)). /Pete On 22. okt. 2006, at 21.13, Kevin Reay wrote: On 10/22/06, Per-Olov Sjöholm <[EMAIL PROTECTED]> wrote: Hi again I am looking at the CVS. I can't see it's possible to out of the box remove addresses from a round robin scheme in PF against a faulty web server. Am I missing something? But I maybe misunderstood Kevin Reay that in this thread said: "and it would automatically remove the address from a pf poll (and optionally run a command) when a host failed.". Maybe I have to do some scripting after all... It can be a little confusing at first, but it makes a lot of sense once you understand it. The way I remember it, a person creates a config file for slbd that defines the various pools and their polling methods, and slbd creates the load balancing pools in pf at start-up automatically (in an anchored ruleset). Then it removes entries from those pools when a server goes down. So... no scripting required. Of course, Bill Marquette will probably have more knowledge/details about this than me... Kevin
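An added example, not from any poster and not pf code: a toy model of issue 1 as the message above describes it, comparing what happens to clients when a failed backend is only removed from the pool, when the whole Sources table is flushed, and when only the failed backend's entries are removed (the per-backend removal the message asks for). The class, the method names and all addresses are constructed for the illustration.

```python
CLIENTS = ["198.51.100.%d" % n for n in range(1, 7)]    # constructed client IPs
BACKENDS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]   # constructed backend IPs


class StickyRdr:
    """Model of a round-robin rdr pool with sticky source tracking."""

    def __init__(self, backends):
        self.pool = list(backends)   # the rdr destination table
        self.sources = {}            # the Sources table: client -> backend
        self._next = 0               # round-robin position

    def route(self, client):
        # Behaviour described in the thread: an existing Sources entry wins
        # and the destination pool is not inspected at all.
        if client in self.sources:
            return self.sources[client]
        backend = self.pool[self._next % len(self.pool)]
        self._next += 1
        self.sources[client] = backend
        return backend

    def remove_backend(self, backend):
        """What a health checker does when it sees a backend fail."""
        self.pool.remove(backend)

    def flush_sources(self):
        """Clear every association, healthy ones included."""
        self.sources.clear()

    def kill_sources_for(self, backend):
        """Hypothetical per-backend removal: drop only the dead backend's entries."""
        dead = [c for c, b in self.sources.items() if b == backend]
        for client in dead:
            del self.sources[client]
        return dead


def compare_failover(clients, backends, failed):
    """Run the three clean-up strategies from identical starting states."""
    results = {}
    for strategy in ("remove_only", "flush_all", "per_backend"):
        rdr = StickyRdr(backends)
        before = {c: rdr.route(c) for c in clients}
        rdr.remove_backend(failed)
        if strategy == "flush_all":
            rdr.flush_sources()
        elif strategy == "per_backend":
            rdr.kill_sources_for(failed)
        after = {c: rdr.route(c) for c in clients}
        results[strategy] = {
            # clients still sent to the failed, removed backend
            "stranded": sorted(c for c in clients if after[c] == failed),
            # clients that were on a healthy backend and lost their association
            "healthy_moved": sorted(
                c for c in clients
                if before[c] != failed and after[c] != before[c]),
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare_failover(CLIENTS, BACKENDS, "192.0.2.11").items():
        print(name, outcome)
```
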
Re: Lenovo notebooks
On 10/26/06, Johan P. Lindström <[EMAIL PROTECTED]> wrote: > > You should really get yours too, not buying the CD's will not improve > the hardware support now will it? The way it works here is "boss, I need to buy an openbsd license for each openbsd box we run. It's $50 each, + shipping. Sign here please". Speaking of that, I need to get off my ass and buy my 4.0 licenses already.
Re: Lenovo notebooks
Lenovo has been building the ThinkPads for some 5 odd years, they just bought the brand from IBM. I have the following hardware running 4.0 or earlier from the pre-order CD's. You should really get yours too, not buying the CD's will not improve the hardware support now will it? Shame on everyone who don't buy their CD's. Try it out from a local FTP and when the time comes, twice a year so far, get your release on CD, plenty of nice stickers and the artwork is always amazing.

* ThinkPad T30
* ThinkPad T40
* ThinkPad T41
* ThinkPad T42
* ThinkPad T43
* ThinkPad T60
* ThinkPad Z60
* ThinkPad R50
* Dell D600

Ethernet works on all (most often it's a fxp0 on ThinkPads), wifi on some, pcmcia card with wifi works great. -- Johan

On 10/26/06, martin g <[EMAIL PROTECTED]> wrote: Hello all Has anyone got experience with Lenovo notebooks running OpenBSD. If you are so kind to share your experience. tnx. -- // Johan
Re: Automating updates question
On Wednesday 25 October 2006 22:39, [EMAIL PROTECTED] wrote:
> > You mean /usr/ports/infrastructure/out-of-date? ;-)
[--snip--]
> > Thanks! This type of info was what I was looking for.

I've written a script the other day that deals with this and updates your current apps based on out-of-date:

#!/usr/bin/env ruby
class PBuild
  attr_accessor :uplist
  attr_reader :flavor, :package
  def initialize(uplist = '/tmp/uplist')
    @uplist = uplist
  end
  def parse
    File.open(@uplist) do |file|
      file.each {|line| pkgadd(line)}
    end
  end
  def list
    `/usr/ports/infrastructure/build/out-of-date > [EMAIL PROTECTED]
  end
  def pkgadd(line)
    line =~ /((\S+)(\/)*)+/
    #port = $&
    flav = $&.split(',')
    @package = flav.first
    flav.delete(flav.first)
    @flavor = "env FLAVOR=\""
    if not flav.empty?
      flav.each do |opt|
        @flavor = @flavor + opt.to_s + ' '
      end
      p "Building package [EMAIL PROTECTED] with [EMAIL PROTECTED]"
      @flavor = @flavor + "\" make update clean"
    else
      p "Building package [EMAIL PROTECTED]"
      @flavor = "make update clean"
    end
    `cd /usr/ports/#{package} && [EMAIL PROTECTED]
  end
end
latest = PBuild.new
latest.list
latest.parse
Re: OpenBSD 4.0 - Where is it?
> I am new to the list and I do not fully understand the process either. > However, I believe that the project gets a large portion of its funding > from the sale of CDs. So to give added incentive to buy CDs, those who > pre-order get the release early. I think this is how it works but I could > be wrong.. You are correct and don't forget the cool T-shirts!! Mr D
Re: Intel Core Duo - should I go for bsd.mp?
On 10/26/06, Peter N. M. Hansteen wrote: Most likely some time tomorrow I'll have a Thinkpad R60 with an Intel Core Duo processor land in my lap. I wonder, would it be at all useful to try running it with a bsd.mp kernel? Unless you just want to use one of the two cores, bsd.mp would seem to be the way to go... -Eliah
Re: dhclient does not get lease after reboot
On 10/26/06, Riley McIntire <[EMAIL PROTECTED]> wrote: On 10/25/06, Matt Bettinger <[EMAIL PROTECTED]> wrote: > I added a pause as suggested by Jason Dixon, and still cannot pick up > a lease unless I do it manually. I'm really at a loss as what can be > causing this and running out of places where I can check for the > problem. Does anyone else have any suggestions? Another wildass guess. I've seen this behavior with /var mount'd mfs (with a modified /etc/rc), and think nfs mount'ing var would do the same. You doing anything like this? Riley No. Nothing crazy, just your typical bsd router with 4 nics and some vlan stuff. Thanks for the suggestions though. I fixed the issue temporarily with a small script. Maybe on a rainy Sunday afternoon I'll swap in a new NIC and see if that solves the problem but we're good for now. Thanks. -mb
Re: OpenBSD Audio series other than bsdtalk ?
On 10/25/06 23:16, Jon Simola wrote: I'm really hoping someone recorded Theo's talk at the CUUG last night. I've seen the slides from a few presentations floating around, but audio to accompany them would be icing on the cake. http://video.google.com/videosearch?q=CUUG Last year seems to be there. http://video.google.com/videosearch?q=OpenBSD Henning!!! +++chefren
Re: dhclient does not get lease after reboot
On 10/25/06, Matt Bettinger <[EMAIL PROTECTED]> wrote: I added a pause as suggested by Jason Dixon, and still cannot pick up a lease unless I do it manually. I'm really at a loss as what can be causing this and running out of places where I can check for the problem. Does anyone else have any suggestions? Another wildass guess. I've seen this behavior with /var mount'd mfs (with a modified /etc/rc), and think nfs mount'ing var would do the same. You doing anything like this? Riley -- "Education: The ability to listen to almost anything without losing your temper or self confidence." - -- Robert Frost
Re: OpenBSD 4.0 - Where is it?
2006/10/26, Dylan Hall <[EMAIL PROTECTED]>: I am new to the list and I do not fully understand the process either. Then RTFAQ!
Re: OpenBSD 4.0 - Where is it?
On Thu, Oct 26, 2006 at 09:16:07AM -0400, ICMan wrote: > I admit that I am not the most up to date on the release process, but > why is 4.0 not out on the FTP server yet if people are receiving it in > their homes on CD? And how do I get on that list of people who get the > pre-release? You have to pre-order it off the website, see http://www.openbsd.org/orders.html It's a good idea; CD sales help the project, you get automatic male enhancement without having to pop pills and your breath will be minty fresh until the next release.
Re: OpenBSD 4.0 - Where is it?
>PS pre-orders do not guarantee early delivery... I'm still waiting >for mine here in ny but it's ok because my 3.9 systems are running >just fine and they can wait :) > AFAICT, you cannot update packages to 4.0 versions until November 1st since they're not available on the FTP mirrors. if this is true, there's as great an advantage to getting the CDs early as one would think.
Re: Uptime and pf stats difference.
RCF wrote: > The server had been in testing for almost a month with rdate > configured to run every 6 hours before I rebooted. So I don't really > think the clock was off. I don't have this issue, but if you're running rdate every six hours, you might want to 'man ntpd' instead.
Re: OpenBSD 4.0 - Where is it?
On Thu, 26 Oct 2006, ICMan wrote: > I admit that I am not the most up to date on the release process, but > why is 4.0 not out on the FTP server yet if people are receiving it in > their homes on CD? And how do I get on that list of people who get the > pre-release? > > ICMan > If you want it early, you have to pre-order when it is available. We received our CDs early this week. Lee Leland V. Lammert [EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: Uptime and pf stats difference.
On Thu, Oct 26, 2006 at 12:44:25PM +0100, RCF wrote: > The server had been in testing for almost a month with rdate > configured to run every 6 hours before I rebooted. So I don't really > think the clock was off. Clocks naturally drift over time. Four minutes over about 1.5 years seems reasonable.
Re: OpenBSD 4.0 - Where is it?
ICMan wrote: I admit that I am not the most up to date on the release process, but why is 4.0 not out on the FTP server yet if people are receiving it in their homes on CD? And how do I get on that list of people who get the pre-release? Folks who pre-order get an advantage. The rest of us have to wait 4 more days for the FTP to release it.
Re: OpenBSD 4.0 - Where is it?
On Oct 26, 2006, at 9:16 AM, ICMan wrote: I admit that I am not the most up to date on the release process, but why is 4.0 not out on the FTP server yet if people are receiving it in their homes on CD? And how do I get on that list of people who get the pre-release? ICMan Pre-orders have been accepted for weeks. People who pre-order get cd's early if the cd's are done being made and are sitting around. It's all in the archives... Mike PS pre-orders do not guarantee early delivery... I'm still waiting for mine here in ny but it's ok because my 3.9 systems are running just fine and they can wait :)
Re: OpenBSD 4.0 - Where is it?
Hi ICMan, I am new to the list and I do not fully understand the process either. However, I believe that the project gets a large portion of its funding from the sale of CDs. So to give added incentive to buy CDs, those who pre-order get the release early. I think this is how it works but I could be wrong.. Dylan On 10/26/06, ICMan <[EMAIL PROTECTED]> wrote: > > I admit that I am not the most up to date on the release process, but > why is 4.0 not out on the FTP server yet if people are receiving it in > their homes on CD? And how do I get on that list of people who get the > pre-release? > > ICMan
Re: OpenBSD 4.0 - Where is it?
ICMan wrote on Thu, Oct 26, 2006 at 09:16:07AM -0400: > I admit that I am not the most up to date on the release process, > but why is 4.0 not out on the FTP server yet if people are receiving > it in their homes on CD? It is not yet released, in particular, any required errata may not yet be complete. Search the archives, I recently explained this in more detail. > And how do I get on that list of people who get the pre-release? Pre-order as soon as pre-orders are possible, and make sure you always pay as soon as you are asked to pay.
Re: OpenBSD 4.0 - Where is it?
On Thu, Oct 26, 2006 at 09:16:07AM -0400, ICMan wrote: > I admit that I am not the most up to date on the release process, but > why is 4.0 not out on the FTP server yet if people are receiving it in > their homes on CD? And how do I get on that list of people who get the > pre-release? It'll be on the FTP servers on the release date. A while back Theo announced that they were taking pre-orders. That's the time to make your order if you want your CDs early. :) -- Darrin Chandler | Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/
Re: OpenBSD 4.0 - Where is it?
On Thursday 26 October 2006 08:16, you wrote: >I admit that I am not the most up to date on the release process, but >why is 4.0 not out on the FTP server yet if people are receiving it in >their homes on CD? From https://https.openbsd.org/cgi-bin/order: "Will release and ship November 1 2006" If you order early you get it shipped early as a bonus. >And how do I get on that list of people who get > the pre-release? http://www.openbsd.org/orders.html Dan Ramaley Dial Center 118, Drake University Network Programmer/Analyst 2407 Carpenter Ave +1 515 271-4540 Des Moines IA 50311 USA
Re: OpenBSD 4.0 - Where is it?
* ICMan <[EMAIL PROTECTED]> [2006-10-26 15:21]: > I admit that I am not the most up to date on the release process, but > why is 4.0 not out on the FTP server yet if people are receiving it in > their homes on CD? because it is not released yet? > And how do I get on that list of people who get the > pre-release? you just order very early, and most of the time you'll have your CDs before release date. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: OpenBSD 4.0 - Where is it?
Hi ICMan, > I admit that I am not the most up to date on the release process, but > why is 4.0 not out on the FTP server yet if people are receiving it in > their homes on CD? 4.0 is due Nov 1st. People who pre-order, get their stuff beforehand. > And how do I get on that list of people who get > the pre-release? You pre-order. Just take a good look at http://www.openbsd.org/ and you'll see what I mean. 'We' do not get a pre-release (which might be -current at any given time, if you like to think like that), but the final and only release. 'We' just get it early, because -in Europe- Wim just really, really loves us and wants to make us happy. HTH... Nico
Re: OpenBSD 4.0 - Where is it?
On Thu, 2006-10-26 at 09:16 -0400, ICMan wrote: > I admit that I am not the most up to date on the release process, but > why is 4.0 not out on the FTP server yet if people are receiving it in It is not uploaded on the FTP until Nov, 1st, which is the official release date. > their homes on CD? And how do I get on that list of people who get the > pre-release? By ordering the CD set. ciao Luca
Re: Lenovo notebooks
martin g writes: Hello all Has anyone got experience with Lenovo notebooks running OpenBSD. If you are so kind to share your experience. I recently got my hands on a Z61T which is pretty nice. The functionality that I require works, though it is lacking the power management functions (this work is currently in progress if I understand correctly). One thing to note is that the disk driver works, which is not the case with NetBSD (at least, the last time I checked). I've put the dmesg.boot up here: http://bender.cl.msu.edu/~muk/nibbler-dmesg.boot The bge interface works great docked or undocked, and the wpi interface also works (make sure you read the man page), though I have had some performance degradation with it in some situations -- I rarely use the wireless for big sustained transfers or the like, so I have not made time to test it properly. I did note that booting GENERIC.MP really hurt my performance (I just gave it a whirl without understanding the implications on a dual-core machine). Regardless, I think it works pretty well. This is the first time I've had a ThinkPad, and it seems pretty nice so far. I've only booted OpenBSD and SUSE Linux on it to date, and both seem to do well (I'm sticking with OpenBSD). ./matt
OpenBSD 4.0 - Where is it?
I admit that I am not the most up to date on the release process, but why is 4.0 not out on the FTP server yet if people are receiving it in their homes on CD? And how do I get on that list of people who get the pre-release? ICMan
kernel panic (bsd.rd) with latest snapshot (Oct 22) on Thinkpad X40
Hello misc@, I just wanted to do my unfrequent updates to -current (using snapshots), but for some reason bsd.rd panics (I transcribed messages by hand, see below), but bsd does not panic (just copied it to / using my installed snapshot). Here is the last couple of lines: ath0 at pci1 dev 2 function 0 "Atheros AR5212 (IBM MiniPCI)" rev 0x01: irq11 uvm_fault(0xd06800a0, 0x0, 0, 3) -> e fatal page fault (6) in supervisor mode trap type 6 code 2 eip d0276166 cs 8 eflags 10202 cr2 34 cpl 0 panic: trap type 6, code=2, pc=d0276166 uvm_fault(0xd06800a0, 0x0, 0, 1) -> e fatal page fault (6) in supervisor mode trap type 6 code 0 eip d0276cbd cs 8 eflags 10286 cr2 bc0 cpl 0 panic: trap type 6, code=0, pc=d0276cbd The operating system has halted. Please press any key to reboot. An older bsd.rd (from Sep 1st) doesn't panic: OpenBSD 4.0 (RAMDISK_CD) #37: Fri Sep 1 12:13:09 MDT 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD cpu0: Intel(R) Pentium(R) M processor 1.40GHz ("GenuineIntel" 686-class) 1.40 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2 real mem = 1063743488 (1038812K) avail mem = 963801088 (941212K) using 4256 buffers containing 53288960 bytes (52040K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(49) BIOS, date 01/07/05, BIOS32 rev. 0 @ 0xfd740, SMBIOS rev. 2.33 @ 0xe0010 (56 entries) bios0: IBM 2371H9G apm0 at bios0: Power Management spec V1.2 apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xfd6d0/0x930 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdeb0/256 (14 entries) pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00) pcibios0: PCI bus #3 is the last bus bios0: ROM list: 0xc/0xc800! 0xcc800/0x1000 0xcd800/0x1000 0xdc000/0x4000! 
0xe/0x1 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel 82852GM Hub-PCI" rev 0x02 "Intel 82852GM Memory" rev 0x02 at pci0 dev 0 function 1 not configured "Intel 82852GM Configuration" rev 0x02 at pci0 dev 0 function 3 not configured vga1 at pci0 dev 2 function 0 "Intel 82852GM AGP" rev 0x02 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) "Intel 82852GM AGP" rev 0x02 at pci0 dev 2 function 1 not configured uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: irq 11 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: irq 11 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: irq 11 usb2 at uhci2: USB revision 1.0 uhub2 at usb2 uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: irq 11 usb3 at ehci0: USB revision 2.0 uhub3 at usb3 uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1 uhub3: 6 ports with 6 removable, self powered ppb0 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x81 pci1 at ppb0 bus 2 cbb0 at pci1 dev 0 function 0 "Ricoh 5C476 CardBus" rev 0x8d: irq 11 "Ricoh 5C822 SD/MMC" rev 0x13 at pci1 dev 0 function 1 not configured em0 at pci1 dev 1 function 0 "Intel PRO/1000MT Mobile (82541GI)" rev 0x00: irq 11, address 00:0a:e4:2f:30:7e ath0 at pci1 dev 2 function 0 "Atheros AR5212 (IBM MiniPCI)" rev 0x01: irq 11 ath0: AR5213 5.9 phy 4.3 rf5112a 3.6, WOR2W, address 00:0e:9b:a2:97:07 cardslot0 at cbb0 slot 0 flags 0 cardbus0 at cardslot0: bus 3 device 0 cacheline 0x0, lattimer 0xb0 pcmcia0 at cardslot0 ichpcib0 at pci0 dev 31 function 0 "Intel 82801DBM LPC" rev 0x01 
pciide0 at pci0 dev 31 function 1 "Intel 82801DBM IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide0: channel 1 disabled (no drives) "Intel 82801DB SMBus" rev 0x01 at pci0 dev 31 function 3 not configured "Intel 82801DB AC97" rev 0x01 at pci0 dev 31 function 5 not configured "Intel 82801DB Modem" rev 0x01 at pci0 dev 31 function 6 not configured isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 npx0 at isa0 port 0xf0/16: using exception 16 biomask fffd netmask fffd ttymask rd0: fixed, 3800 blocks umass0 at uhub3 port 3 configuration 1 interface 0 umass0: Cypress Semiconductor USB2.0 Storage Device, rev 2.00/0.01, addr 2 umass0: using SCSI over Bulk-Only scsibus0 at umass0: 2 targets cd0 at scsibus0 targ 1 lun 0: SCSI0 5/cdrom removable dkcsum: wd0 matches BIOS drive 0x80 root on rd0a rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02 And full d
Re: OpenBGP & carp interface
* ClaudeBrassel <[EMAIL PROTECTED]> [2006-10-26 14:03]: > Some add-on : > If I start the session with the carp device I have following in the > /var/log/daemon : > > Oct 26 13:48:12 bgp1 bgpd[31321]: nexthop 212.x.x.253 now valid: via > 212.x.x.254 yes, as I said, this is because the ifindex is not set on the routing message, and thus we do not detect that this is a "directly connected" route. I am pretty certain this was fixed after 3.9. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: OpenBGPD & tcpmd5 password change bug ?
* Henning Brauer <[EMAIL PROTECTED]> [2006-10-26 14:06]: > I found it. ugh. storing the dynamically aquired SPIs in a struct the > gets overwritten was no good idea - of course we fail to reove the old > SPIs then on reconfig. let me retry this sentence in english. Storing the dynamically acquired SPIs in a struct that gets overwritten on config reload was no good idea - of course we fail to remove the old SAs on reconfig then, since we lost the SPIs.
Re: OpenBGP & carp interface
ok, I am pretty certain this is fixed in 4.0 -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: OpenBGPD & tcpmd5 password change bug ?
I found it. ugh. storing the dynamically aquired SPIs in a struct the gets overwritten was no good idea - of course we fail to reove the old SPIs then on reconfig. to get your box going again, reconfig bgpd with new passwords, flush the SAs using ipsecctl (will kill existing md5'd sessions), and clear the session then. that means, you need to delete the old SAs before re-establishing the session, that is the bug. the diff below fixes the issue in bgpd. Index: pfkey.c === RCS file: /cvs/src/usr.sbin/bgpd/pfkey.c,v retrieving revision 1.32 diff -u -p -r1.32 pfkey.c --- pfkey.c 30 Aug 2006 17:58:40 - 1.32 +++ pfkey.c 26 Oct 2006 11:42:36 - @@ -497,34 +497,34 @@ pfkey_sa_remove(struct bgpd_addr *src, s int pfkey_md5sig_establish(struct peer *p) { - if (!p->conf.auth.spi_out) + if (!p->auth.spi_out) if (pfkey_sa_add(&p->conf.local_addr, &p->conf.remote_addr, p->conf.auth.md5key_len, p->conf.auth.md5key, - &p->conf.auth.spi_out) == -1) + &p->auth.spi_out) == -1) return (-1); - if (!p->conf.auth.spi_in) + if (!p->auth.spi_in) if (pfkey_sa_add(&p->conf.remote_addr, &p->conf.local_addr, p->conf.auth.md5key_len, p->conf.auth.md5key, - &p->conf.auth.spi_in) == -1) + &p->auth.spi_in) == -1) return (-1); - p->auth_established = 1; + p->auth.established = 1; return (0); } int pfkey_md5sig_remove(struct peer *p) { - if (p->conf.auth.spi_out) + if (p->auth.spi_out) if (pfkey_sa_remove(&p->conf.local_addr, &p->conf.remote_addr, - &p->conf.auth.spi_out) == -1) + &p->auth.spi_out) == -1) return (-1); - if (p->conf.auth.spi_in) + if (p->auth.spi_in) if (pfkey_sa_remove(&p->conf.remote_addr, &p->conf.local_addr, - &p->conf.auth.spi_in) == -1) + &p->auth.spi_in) == -1) return (-1); - p->auth_established = 0; + p->auth.established = 0; return (0); } @@ -597,7 +597,7 @@ pfkey_ipsec_establish(struct peer *p) if (pfkey_reply(fd, NULL) < 0) return (-1); - p->auth_established = 1; + p->auth.established = 1; return (0); } 
@@ -662,7 +662,7 @@ pfkey_ipsec_remove(struct peer *p) if (pfkey_reply(fd, NULL) < 0) return (-1); - p->auth_established = 0; + p->auth.established = 0; return (0); } @@ -680,7 +680,7 @@ pfkey_establish(struct peer *p) int pfkey_remove(struct peer *p) { - if (!p->auth_established) + if (!p->auth.established) return (0); else if (p->conf.auth.method == AUTH_MD5SIG) return (pfkey_md5sig_remove(p)); Index: session.h === RCS file: /cvs/src/usr.sbin/bgpd/session.h,v retrieving revision 1.86 diff -u -p -r1.86 session.h --- session.h 27 Aug 2006 16:11:05 - 1.86 +++ session.h 26 Oct 2006 11:42:36 - @@ -166,6 +166,11 @@ struct peer { struct capabilities ann; struct capabilities peer; }capa; + struct { + u_int32_t spi_in; + u_int32_t spi_out; + u_int8_testablished; + } auth; struct sockaddr_storage sa_local; struct sockaddr_storage sa_remote; struct msgbufwbuf; @@ -184,7 +189,6 @@ struct peer { enum session_state state; enum session_state prev_state; u_int16_tholdtime; - u_int8_t auth_established; u_int8_t depend_ok; u_int8_t demoted; u_int8_t passive;
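Review bot: in pfkey_md5sig_remove() the early "return (-1)" after a failed removal of the outbound SA skips the inbound SA and leaves p->auth.established at 1, so a partial failure keeps spi_in installed with no retry visible in this hunk; consider attempting both removals and returning the error afterwards. Separately, pfkey_md5sig_establish() only calls pfkey_sa_add() when p->auth.spi_out or p->auth.spi_in is zero, so the fix relies on pfkey_sa_remove() clearing the SPI through the pointer it is handed. That is not visible here and is worth confirming, or making explicit by zeroing the fields next to "p->auth.established = 0;".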
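Review bot: the new auth block added to struct peer in session.h carries no comment saying it is runtime state that must survive a config reload, which is the reason it moved out of p->conf.auth; a one-line comment above "struct {" would keep someone from folding it back into the config struct. The diff touches only pfkey.c and session.h, so the spi_in and spi_out members of conf.auth remain defined but are no longer written by pfkey.c; removing them in the same commit would stop later code from reading the stale copies.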
Re: OpenBGP & carp interface
Some add-on : If I start the session with the carp device I have following in the /var/log/daemon : Oct 26 13:48:12 bgp1 bgpd[31321]: nexthop 212.x.x.253 now valid: via 212.x.x.254 And this one with the em0 interface : Oct 26 13:53:21 bgp1 bgpd[31321]: nexthop 212.x.x.253 now valid: directly connected Regards Claude Henning Brauer wrote: > > * ClaudeBrassel <[EMAIL PROTECTED]> [2006-10-26 12:44]: >> carp0: flags=8843 mtu 1500 >> carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100 >> groups: carp >> inet 212.xxx.xxx.254 netmask 0xfffc broadcast 212.xxx.xxx.255 > >> ip_interroute="212.xx.xx.253" >> neighbor $ip_interroute { >> remote-as 8928 >> descr "peering interroute" >> local-address 212.xxx.xxx.254 >> holdtime180 >> holdtime min3 >> announceself >> } > > you'll likely want a "depend on carp0" within the neighbor definition > for interroute, but taht is related to your issue. > >> bgp1 # bgpctl sh next >> Nexthop State >> 212.xxx.xxx.253valid > > so .253 is the interroute router right? > > [ show rib ] >> *>195.68.0.0/17 212.xxx.xxx.254 100 0 8928 8220 i > > please show "route -n get 212.xxx.xxx.253" > also, what release are you on? we fixed some cases where the interface > pointer was missing in messages on the routing socked, and I think that > was post-3.9 > >> If I delete the carp and bring the em0 with the ip up everything works >> great > > yeah. carp plays fast with routes. and screws up. it fiddles with the > interface route, and that is broken for at least unnumbered interfaces. > ryan and I need to find some time to sit over this together. > > nontheless. I have a similar setup with a carp interface to an exchange > point network, and that works just fine - with something close to 4.0. 
> > -- > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] > BS Web Services, http://bsws.de > Full-Service ISP - Secure Hosting, Mail and DNS Services > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam > > > -- View this message in context: http://www.nabble.com/OpenBGP---carp-interface-tf2513187.html#a7009726 Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: OpenBGP & carp interface
Some add-on : in the /var/log/daemon I have following entrys if I start the bgp session with the carp : Oct 26 13:48:12 bgp1 bgpd[31321]: nexthop 212.23.37.253 now valid: via 212.23.37.254 And this one with the em0 interface : Oct 26 13:53:21 bgp1 bgpd[31321]: nexthop 212.23.37.253 now valid: directly connected Thanks Claude Henning Brauer wrote: > > * ClaudeBrassel <[EMAIL PROTECTED]> [2006-10-26 12:44]: >> carp0: flags=8843 mtu 1500 >> carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100 >> groups: carp >> inet 212.xxx.xxx.254 netmask 0xfffc broadcast 212.xxx.xxx.255 > >> ip_interroute="212.xx.xx.253" >> neighbor $ip_interroute { >> remote-as 8928 >> descr "peering interroute" >> local-address 212.xxx.xxx.254 >> holdtime180 >> holdtime min3 >> announceself >> } > > you'll likely want a "depend on carp0" within the neighbor definition > for interroute, but taht is related to your issue. > >> bgp1 # bgpctl sh next >> Nexthop State >> 212.xxx.xxx.253valid > > so .253 is the interroute router right? > > [ show rib ] >> *>195.68.0.0/17 212.xxx.xxx.254 100 0 8928 8220 i > > please show "route -n get 212.xxx.xxx.253" > also, what release are you on? we fixed some cases where the interface > pointer was missing in messages on the routing socked, and I think that > was post-3.9 > >> If I delete the carp and bring the em0 with the ip up everything works >> great > > yeah. carp plays fast with routes. and screws up. it fiddles with the > interface route, and that is broken for at least unnumbered interfaces. > ryan and I need to find some time to sit over this together. > > nontheless. I have a similar setup with a carp interface to an exchange > point network, and that works just fine - with something close to 4.0. 
> > -- > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] > BS Web Services, http://bsws.de > Full-Service ISP - Secure Hosting, Mail and DNS Services > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam > > > -- View this message in context: http://www.nabble.com/OpenBGP---carp-interface-tf2513187.html#a7009690 Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: Lenovo notebooks
- Original Message - From: martin g Date: Thursday, October 26, 2006 9:10 Subject: Lenovo notebooks To: misc@openbsd.org > Hello all > > Has anyone got experience with Lenovo notebooks running OpenBSD. > If you are so kind to share your experience. > > tnx. Hello, I'm using a thinkpad x60s. From not being able to boot +/- 1 year ago, almost everything is working now, even acpi :-) starts to work. PCMCIA is not working, when inserting a card, the kernel panics immediately (see bug report PR 5239 for details). Kind regards Didier
Re: OpenBGP & carp interface
Hello, The release is : bgp1 # uname -rsv OpenBSD 3.9 GENERIC#617 and yes 212.x.x.253 is my neigbhor. bgp1 # ifconfig carp0 carp0: flags=8843 mtu 1500 carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100 groups: carp inet 212.x.x.254 netmask 0xfffc broadcast 212.xxx.xxx.255 bgp1 # ifconfig em0 em0: flags=8943 mtu 1500 lladdr 00:07:e9:24:aa:38 media: Ethernet autoselect (100baseTX full-duplex) status: active inet6 fe80::207:e9ff:fe24:aa38%em0 prefixlen 64 scopeid 0x1 bgp1 # bgpctl neighbor 212.x.x.253 up request processed bgp1 # route -n get 212.x.x.253 route to: 212.x.x.253 destination: 212.x.x.253 interface: carp0 if address: 212.x.x.254 flags: recvpipe sendpipe ssthresh rtt,msecrttvar hopcount mtu expire 0 0 0 0 0 0 0 1169 bgp1 # bgpctl sh next Nexthop State 212.x.x.253valid 64.x.x.148 valid em1 UP, Ethernet, active, 100 MBit/s bgp1 # bgpctl sh interfaces Interface Nexthop state Flags Link state carp5 ok UP CARP, master carp6 ok UP CARP, master carp0 ok UP CARP, master lo0ok UP unknown enc0 invalid unknown pfsync0ok UP unknown pflog0 invalid unknown hme7 ok UP Ethernet, active, 100 MBit/s hme6 ok UP Ethernet, active, 100 MBit/s hme5 invalidUP Ethernet, no carrier hme4 ok UP Ethernet, active, 100 MBit/s hme3 ok UP Ethernet, active, 100 MBit/s hme2 invalid Ethernet, unknown hme1 invalid Ethernet, unknown hme0 invalid Ethernet, unknown em1ok UP Ethernet, active, 100 MBit/s em0ok UP Ethernet, active, 100 MBit/s Henning Brauer wrote: > > * ClaudeBrassel <[EMAIL PROTECTED]> [2006-10-26 12:44]: >> carp0: flags=8843 mtu 1500 >> carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100 >> groups: carp >> inet 212.xxx.xxx.254 netmask 0xfffc broadcast 212.xxx.xxx.255 > >> ip_interroute="212.xx.xx.253" >> neighbor $ip_interroute { >> remote-as 8928 >> descr "peering interroute" >> local-address 212.xxx.xxx.254 >> holdtime180 >> holdtime min3 >> announceself >> } > > you'll likely want a "depend on carp0" within the neighbor definition > for interroute, but taht is related to 
your issue. > >> bgp1 # bgpctl sh next >> Nexthop State >> 212.xxx.xxx.253valid > > so .253 is the interroute router right? > > [ show rib ] >> *>195.68.0.0/17 212.xxx.xxx.254 100 0 8928 8220 i > > please show "route -n get 212.xxx.xxx.253" > also, what release are you on? we fixed some cases where the interface > pointer was missing in messages on the routing socked, and I think that > was post-3.9 > >> If I delete the carp and bring the em0 with the ip up everything works >> great > > yeah. carp plays fast with routes. and screws up. it fiddles with the > interface route, and that is broken for at least unnumbered interfaces. > ryan and I need to find some time to sit over this together. > > nontheless. I have a similar setup with a carp interface to an exchange > point network, and that works just fine - with something close to 4.0. > > -- > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] > BS Web Services, http://bsws.de > Full-Service ISP - Secure Hosting, Mail and DNS Services > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam > > > -- View this message in context: http://www.nabble.com/OpenBGP---carp-interface-tf2513187.html#a7009644 Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: Uptime and pf stats difference.
The server had been in testing for almost a month with rdate configured to run every 6 hours before I rebooted. So I don't really think the clock was off. On 26/10/06, Alexander Hall <[EMAIL PROTECTED]> wrote: RCF wrote: > [11:16:[EMAIL PROTECTED]:~$ uptime > 11:16AM up 440 days, 22:15, 1 user, load averages: 0.39, 0.26, 0.19 > [11:16:[EMAIL PROTECTED]:~$ sudo pfctl -s info > Status: Enabled for 440 days 22:20:03 Debug: Urgent I guess your time was off by a few minutes when you started your computer. Uptime seems unaffected by changing the clock, while I guess pfctl just calculates the time difference between now and the time it was started. $ sudo date 02; sudo pfctl -d; sudo pfctl -e; sudo pfctl -si | head -n1 Thu Oct 26 13:02:00 CEST 2006 pf disabled pf enabled Status: Enabled for 0 days 00:00:00 Debug: Urgent ^^^ All is well $ sudo date 03; sudo pfctl -si | head -n1 Thu Oct 26 13:03:00 CEST 2006 Status: Enabled for 0 days 00:01:00 Debug: Urgent ^^^ Oops $ sudo date 01; sudo pfctl -si | head -n1 Thu Oct 26 13:01:00 CEST 2006 Status: Enabled for 49710 days 06:27:16 Debug: Urgent ^^^ D'oh! Don't know if there is much to do about it. Maybe a sanity check a la time = (start < stop ? stop - start : 0) or so, if someone should care enough. /Alexander
Re: Uptime and pf stats difference.
RCF wrote: [11:16:[EMAIL PROTECTED]:~$ uptime 11:16AM up 440 days, 22:15, 1 user, load averages: 0.39, 0.26, 0.19 [11:16:[EMAIL PROTECTED]:~$ sudo pfctl -s info Status: Enabled for 440 days 22:20:03 Debug: Urgent I guess your time was off by a few minutes when you started your computer. Uptime seems unaffected by changing the clock, while I guess pfctl just calculates the time difference between now and the time it was started. $ sudo date 02; sudo pfctl -d; sudo pfctl -e; sudo pfctl -si | head -n1 Thu Oct 26 13:02:00 CEST 2006 pf disabled pf enabled Status: Enabled for 0 days 00:00:00 Debug: Urgent ^^^ All is well $ sudo date 03; sudo pfctl -si | head -n1 Thu Oct 26 13:03:00 CEST 2006 Status: Enabled for 0 days 00:01:00 Debug: Urgent ^^^ Oops $ sudo date 01; sudo pfctl -si | head -n1 Thu Oct 26 13:01:00 CEST 2006 Status: Enabled for 49710 days 06:27:16 Debug: Urgent ^^^ D'oh! Don't know if there is much to do about it. Maybe a sanity check a la time = (start < stop ? stop - start : 0) or so, if someone should care enough. /Alexander
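The "49710 days 06:27:16" figure in the transcript above is exactly 2^32 - 60 seconds, which is what an unsigned 32-bit subtraction yields when the clock is set 60 seconds before the start time. This added example (not pf or pfctl code, and not from the original posts) reproduces the three readings and applies the guard suggested in the message; the 32-bit arithmetic, the function names and the timestamp are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed timestamp standing in for the moment pf was enabled. */
#define PF_ENABLED_AT 1161860520u

/*
 * Naive elapsed time: plain unsigned 32-bit subtraction (an assumption
 * about how the displayed figure arises). If the wall clock is set back
 * past 'since', the result wraps modulo 2^32 instead of going negative.
 */
static uint32_t
running_naive(uint32_t now, uint32_t since)
{
	return now - since;
}

/*
 * Guarded elapsed time: the sanity check proposed in the message,
 * time = (start < stop ? stop - start : 0).
 */
static uint32_t
running_guarded(uint32_t now, uint32_t since)
{
	return since < now ? now - since : 0;
}

/* Format seconds the way the status line in the transcript shows them. */
static const char *
fmt_running(uint32_t secs)
{
	static char buf[64];
	unsigned days = secs / 86400;
	unsigned hours = (secs % 86400) / 3600;
	unsigned minutes = (secs % 3600) / 60;
	unsigned seconds = secs % 60;

	snprintf(buf, sizeof(buf), "%u days %02u:%02u:%02u",
	    days, hours, minutes, seconds);
	return buf;
}

int
main(void)
{
	/* Clock offsets relative to the enable time, as in the transcript:
	 * same minute, one minute later, one minute earlier. */
	const int offsets[] = { 0, 60, -60 };
	size_t i;

	for (i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
		uint32_t now = PF_ENABLED_AT + (uint32_t)offsets[i];

		printf("offset %+4d s  naive:   %s\n", offsets[i],
		    fmt_running(running_naive(now, PF_ENABLED_AT)));
		printf("               guarded: %s\n",
		    fmt_running(running_guarded(now, PF_ENABLED_AT)));
	}
	return 0;
}
```

A counter derived from a monotonic source would avoid the problem entirely; the guard only hides the wrap and reports zero while the clock is behind the start time.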
Re: Unknown "." dir in a daily insecurity report
On 26/10/06, Patrick Rutkowski <[EMAIL PROTECTED]> wrote: I don't know what I'm supposed to make of this: === Start Message === Subject: daily insecurity output Checking special files and directories. Output format is: filename: criteria (shouldbe, reallyis) .: permissions (0755, 0777) === End Message === Normally I don't get daily insecurity reports, which I take to mean that everything is OK. But for the past two nights I have gotten this one; and I can't figure out what it's trying to tell me. sudo find / -perm 777 will show no output other than when I deliberately create a single chmod 777 file, at which point it will show only that one file. This proves that that find is working properly and that there are, as far as I can tell, no chmod 777 files on my system. The only thing worth mentioning about my system is that it's still running 3.8. sudo chmod 755 /.
Re: OpenBGP & carp interface
* Henning Brauer <[EMAIL PROTECTED]> [2006-10-26 12:59]: > * ClaudeBrassel <[EMAIL PROTECTED]> [2006-10-26 12:44]: > > carp0: flags=8843 mtu 1500 > > carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100 > > groups: carp > > inet 212.xxx.xxx.254 netmask 0xfffc broadcast 212.xxx.xxx.255 > > > ip_interroute="212.xx.xx.253" > > neighbor $ip_interroute { > > remote-as 8928 > > descr "peering interroute" > > local-address 212.xxx.xxx.254 > > holdtime180 > > holdtime min3 > > announceself > > } > > you'll likely want a "depend on carp0" within the neighbor definition > for interroute, but taht is related to your issue. e NOT related
Re: OpenBGP & carp interface
* ClaudeBrassel <[EMAIL PROTECTED]> [2006-10-26 12:44]: > carp0: flags=8843 mtu 1500 > carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100 > groups: carp > inet 212.xxx.xxx.254 netmask 0xfffc broadcast 212.xxx.xxx.255 > ip_interroute="212.xx.xx.253" > neighbor $ip_interroute { > remote-as 8928 > descr "peering interroute" > local-address 212.xxx.xxx.254 > holdtime180 > holdtime min3 > announceself > } you'll likely want a "depend on carp0" within the neighbor definition for interroute, but taht is related to your issue. > bgp1 # bgpctl sh next > Nexthop State > 212.xxx.xxx.253valid so .253 is the interroute router right? [ show rib ] > *>195.68.0.0/17 212.xxx.xxx.254 100 0 8928 8220 i please show "route -n get 212.xxx.xxx.253" also, what release are you on? we fixed some cases where the interface pointer was missing in messages on the routing socked, and I think that was post-3.9 > If I delete the carp and bring the em0 with the ip up everything works great yeah. carp plays fast with routes. and screws up. it fiddles with the interface route, and that is broken for at least unnumbered interfaces. ryan and I need to find some time to sit over this together. nontheless. I have a similar setup with a carp interface to an exchange point network, and that works just fine - with something close to 4.0. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
OpenBGP & carp interface
Hello, I new to bgp and I try to use it but i have some trouble with carp devices I Have 2 peering, one work great one not My interfaces : carp0 => interface with interroute : 212.xxx.xxx.254 carp0: flags=8843 mtu 1500 carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100 groups: carp inet 212.xxx.xxx.254 netmask 0xfffc broadcast 212.xxx.xxx.255 em0: flags=8943 mtu 1500 lladdr 00:07:e9:24:aa:38 media: Ethernet autoselect (100baseTX full-duplex) status: active inet6 fe80::207:e9ff:fe24:aa38%em0 prefixlen 64 scopeid 0x1 I use carp device because I have only 2 ip's in the subnet (my ip and the peering router) em1 => interface with neo : 83.xxx.xxx.109 My bgpd.conf : ip_interroute="212.xx.xx.253" ip_neotelecom="64.xx.xx.148" neighbor $ip_interroute { remote-as 8928 descr "peering interroute" local-address 212.xxx.xxx.254 holdtime180 holdtime min3 announceself } neighbor $ip_neotelecom { remote-as 6461 descr "peering NeoTelecom" local-address 83.xxx.xxx.109 holdtime180 holdtime min3 announceself multihop3 } bgp1 # bgpctl sh Neighbor ASMsgRcvdMsgSentOutQ Up/Down State/PrefixRcvd peering NeoTelecom6461 95342 1027 0 17:04:38 197977 peering interroute8928 300179882 0 00:09:41 200898 When I use the carp device the bgp session works, he acquire the complete routing table. But .. bgp1 # bgpctl sh next Nexthop State 212.xxx.xxx.253valid 64.xxx.xxx.148 valid em1 UP, Ethernet, active, 100 MBit/s bgp1 # bgpctl sh interface Interface Nexthop state Flags Link stater carp0 ok UP CARP, master em1ok UP Ethernet, active, 100 MBit/s em0ok UP Ethernet, active, 100 MBit/s bgp1 # bgpctl show rib 195.68.0.1 flags: * = Valid, > = Selected, I = via IBGP, A = Announced origin: i = IGP, e = EGP, ? 
= Incomplete flags destination gateway lpref med aspath origin *>195.68.0.0/17 212.xxx.xxx.254 100 0 8928 8220 i * 195.68.0.0/17 83.xxx.xxx.106 100 174 6461 8220 i Now the problem is that the gateway is my self, 212.xxx.xxx.254 is the carp0 IP If I delete the carp and bring the em0 with the ip up everything works great : bgp1 # bgpctl sh next Nexthop State 212.xxx.xxx.253valid em0 UP, Ethernet, active, 100 MBit/s 64.xxx.xxx.148 valid em1 UP, Ethernet, active, 100 MBit/s bgp1 # bgpctl show rib 195.68.0.1 flags: * = Valid, > = Selected, I = via IBGP, A = Announced origin: i = IGP, e = EGP, ? = Incomplete flags destination gateway lpref med aspath origin *>195.68.0.0/17 212.xxx.xxx.253 100 0 8928 8220 i * 195.68.0.0/17 83.xxx.xxx.106 100 174 6461 8220 i Some Idea ? Regards Claude -- View this message in context: http://www.nabble.com/OpenBGP---carp-interface-tf2513187.html#a7008786 Sent from the openbsd user - misc mailing list archive at Nabble.com.
Uptime and pf stats difference.
Hi all, I came across this curiosity, it looks like the firewall was running ~4 minutes before the computer booted. Wouldn't be a bad idea I guess. I have checked 3.8 and 3.9 and such difference is not there, although those machines have only weeks of uptime. [11:15:[EMAIL PROTECTED]:~$ uname -a OpenBSD ns4.com 3.7 ASROCK_15Jul05#0 i386 [11:16:[EMAIL PROTECTED]:~$ uptime 11:16AM up 440 days, 22:15, 1 user, load averages: 0.39, 0.26, 0.19 [11:16:[EMAIL PROTECTED]:~$ ls -al /var/run/dmesg.boot -rw-r--r-- 1 root wheel 16027 Aug 11 2005 /var/run/dmesg.boot [11:16:[EMAIL PROTECTED]:~$ sudo pfctl -s info Status: Enabled for 440 days 22:20:03 Debug: Urgent Hostid: 0xcda0de08 . Regards, Myself..
Re: OpenBSD AJAX
On Wed, Oct 25, 2006 at 05:54:37PM -0500, Damian Wiest wrote: > On Wed, Oct 25, 2006 at 03:06:36PM +0200, Joachim Schipper wrote: > > Just a half-baked thought, but escaping any non-constant expression > > (i.e., actual variable, not fixed string) passed to the browser or a > > database would go a long way toward solving most problems. > > > > That is, > > > > $hello = ""; > > echo " ", $hello; > > > > could produce > >> > > > And > > > > do_query('select var1, var2 from mydb where id = ' . $my_id); > > > > would not be as dangerous as it is now. > > > > Of course, this is an ugly hack [1]. But a hack that would make my life > > quite a bit easier. > > > > Joachim > > > > [1] The first example is not that bad, treating constants and variables > > differently is just one sin; the interesting part is figuring out a sane > > way to do the latter. > > > > Or you could use DBI's bind parameters and not have to worry about the > issue. Yes, but that solves only the second problem and doesn't work on sloppy (non-)programmers. > My main problem with PHP is that it allows programmers to be extremely > sloppy and embed application logic into what would otherwise be an HTML > page. Using code to iterate through a list and display the values > contained within is fine, but I see a lot of people doing transactional > processing in PHP pages. This isn't unique to PHP, as JSPs tend to have > the same problems. When you have a hammer, ... Joachim
Re: I need help in interpreting some Docs
On Wed, Oct 25, 2006 at 11:32:00AM -0700, John Draper wrote:
> Joachim Schipper wrote:
> >On Tue, Oct 24, 2006 at 03:17:05PM -0700, John Draper wrote:
> >> or would I (...) write [Snort-inline] off as something OpenBSD is
> >> not setup to do, or is there an alternative [to IPTables] I can
> >> use with Snort?
> >>
> >Snort-inline is written to work with IPTables. It might be possible to
> >implement something similar for pf, although it would most likely
> >require some patches; however, to the best of my knowledge, this has not
> >been done yet.
> >
> >It would be possible to use Snort's response mechanism to put someone in
> >a table, say . pf can be configured to handle tables in many
> >interesting ways. This is not real-time blocking, but might be close
> >enough.
>
> I also posted this to the snort users list, [EMAIL PROTECTED], but
> (sigh) my postings are not making it to the list. Have they changed
> their list mailing address? I suppose I shouldn't ask that in this
> forum, but if anyone knows the snort mailing list address, and if
> it's different, then I need to know that.

I really wouldn't know what snort mailing lists are there, but are you *really* certain that is not just one random guy? a quick google does suggest so, and does suggest that https://lists.sourceforge.net/lists/listinfo/snort-users might be a good place to start (note the [EMAIL PROTECTED]).

> >>I'm basically setting up snort that if it sees a Priority one attack
> >>it executes a script or Binary file, well, actually it will instantiate
> >>a thread that does this in whatever scripting language I choose (Python)
> >>in my case.
> >
> >Easy DoS.
> >
> I simplified this... of course it is... but was just giving an example.
>
> >>I Haven't read ALL the new stuff yet, but am ready to install any
> >>additional utilities, like Barnyard. Which I already have running.
> >
> >Barnyard doesn't have a lot to do with Snort-inline, really.
> >
> I know, I'm still trying to figure it all out. Wish I could reach the snort
> community Can't seem to mail to their list after signing up.
>
> >>Is it possible to use Snort in normal NIDS mode, then when I get a
> >>higher priority attack, to switch to Inline mode? How fast
> >>can Snort switch from one mode to another? Also, is it possible
> >>to use Snort to "look at" a binary file and display contents via
> >>the ./snort -dvr option while snort is running?
> >
> >You cannot switch modes, that's just silly. Inline mode most likely does
> >allow you to warn only, so that would take care of any need for running
> >Snort in two modes.
> >
> Ok, thanx for the info when I was playing with Snort, they didn't
> have this mode.

It's been around for a while, I believe, but has only recently been integrated with the main development branch.

> >Do you mean the log_tcpdump output module when you say 'binary file'? If
> >so, use tcpdump. And yes, this can be done while Snort is running,
> >although the file is most likely not complete, so you will be unable to
> >see the last (couple of) packet(s).
> >
> >
> OK, right.
>
> >Those questions are all answered in the documentation, really. Not worth
> >bothering two lists with.
>
> If they can be answered in the documentation, then please point me
> to it... the snort docs have more than 150 files, most are not
> related with what I want to do, some are not titled with names indicative
> of what they talk about, because I scanned each entry, and read 80% of
> them, and NO, I didn't find the answers to my questions by reading the docs.

You won't hear me say that the Snort docs are easy to read, but the questions you asked are, in fact, not that difficult to find an answer to.

Q does OpenBSD have IPTables?
man -k iptables; ls -d /usr/ports/*/*iptables* (equivalent web-based systems exist; the openbsd.org page links to the man pages, and ports.openbsd.nu allows you to search the ports system)
Alternately, http://www.google.com/search?q=openbsd+iptables; read the synopsis of the first hit, http://www.openbsd.org/faq/faq9.html.
As to answering the question whether there is another solution, http://www.google.com/search?q=snort+inline+pf

Q make devel for Snort or IPTables?
this is in the Snort docs, although not terribly clear

Q can log_tcpdump be read while Snort is running?
The manual also says it's in standard tcpdump format: http://www.snort.org/docs/snort_htmanuals/htmanual_260/node13.html#SECTION003350
However, I'll admit that it might not be obvious that this can be read while Snort is running. A simple test would give you an affirmative answer; the other solution is to note that tcpdump's files can be read while tcpdump is running, and extrapolate from there.

Q Switching modes?
granted, it might be hard to find a place where it is explicitly said that this doesn't work

Questions are, of course, welcome; that's what this list is for, to a certain ex
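The thread's idea of feeding Snort alerts into a pf table, together with the "Easy DoS" objection, as an added example that is not part of the original messages or of Snort or pf themselves. It assumes Snort's "fast" alert line layout and a hypothetical table name `snort_block` (the name on the page is missing); it only plans `pfctl -t <table> -T add <addr>` invocations and never runs them.

```python
import ipaddress
import re

# Snort "fast" alert tail: [Priority: N] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[Priority:\s*(?P<prio>\d+)\]\s*\{\w+\}\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*->"
)
TABLE = "snort_block"  # hypothetical pf table name (assumption)
# Sources that must never be blocked, whatever an alert claims (constructed).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "127.0.0.0/8")]
MAX_NEW_PER_BATCH = 2  # an alert flood cannot add more than this per run


def plan_blocks(alert_lines, already_blocked=()):
    """Return one pfctl argv list per new priority-1 source address."""
    seen = set(already_blocked)
    plan = []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m or int(m.group("prio")) != 1:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # matched the pattern but is not a valid address
        if str(src) in seen or any(src in net for net in ALLOWLIST):
            continue
        if len(plan) >= MAX_NEW_PER_BATCH:
            break  # leave the rest for a later batch or an operator
        seen.add(str(src))
        plan.append(["pfctl", "-t", TABLE, "-T", "add", str(src)])
    return plan


# Constructed sample alerts, not captured from a real sensor.
_A = "10/25-11:32:00.000001 [**] [1:1000001:1] constructed rule [**] "
SAMPLE = [
    _A + "[Priority: 1] {TCP} 203.0.113.7:4431 -> 198.51.100.5:80",
    _A + "[Priority: 2] {TCP} 203.0.113.8:4432 -> 198.51.100.5:80",
    _A + "[Priority: 1] {TCP} 203.0.113.7:4433 -> 198.51.100.5:80",
    _A + "[Priority: 1] {UDP} 192.0.2.1:53 -> 198.51.100.5:53",
    _A + "[Priority: 1] {ICMP} 203.0.113.9 -> 198.51.100.5",
    _A + "[Priority: 1] {TCP} 203.0.113.10:4434 -> 198.51.100.5:80",
]

if __name__ == "__main__":
    for argv in plan_blocks(SAMPLE):
        print(" ".join(argv))
```

Working in batches with de-duplication, an allowlist and a cap keeps a burst of alerts, or alerts naming a spoofed source, from spawning unbounded work or blocking hosts you depend on.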
Re: OpenBGPD & tcpmd5 password change bug ?
* Marcel Prisi <[EMAIL PROTECTED]> [2006-10-26 11:34]:
> We seem to have hit a bug in OpenBGPD regarding tcpmd5.
>
> We are running OpenBGPD 3.9 on OpenBSD 3.9 on i386 with two full peers.
>
> We had a running session with tcpmd5 working.
>
> For some reason, we had to change its password.
>
> I edited bgpd.conf, bgpctl reload, bgpctl neighbor clear
>
> But the sessions stayed active.

"active" as in bgp state active?

> I had a look at the output of "ipsecadm show" which gave me something
> that was obviously wrong (I was in a hurry and did not copy it, sorry)

GNARF! that would have been what we needed to figure out what was going on...

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Lenovo notebooks
On 10/26/06, Andreas Kahari <[EMAIL PROTECTED]> wrote: > > On 26/10/06, martin g <[EMAIL PROTECTED]> wrote: > > Hello all > > > > Has anyone got experience with Lenovo notebooks running OpenBSD. > > If you are so kind to share your experience. > > > I have a Thinkpad T43 running an OpenBSD snapshot at the moment. I dual boot FreeBSD and OpenBSD on it. I haven't run into any problems with basic functionality but I haven't tried out much in the way of power management. -- Kian Mohageri
OpenBGPD & tcpmd5 password change bug ?
We seem to have hit a bug in OpenBGPD regarding tcpmd5.

We are running OpenBGPD 3.9 on OpenBSD 3.9 on i386 with two full peers.

We had a running session with tcpmd5 working.

For some reason, we had to change its password.

I edited bgpd.conf, bgpctl reload, bgpctl neighbor clear

But the sessions stayed active.

I had a look at the output of "ipsecadm show" which gave me something that was obviously wrong (I was in a hurry and did not copy it, sorry)

We tried changing the password again but we could not get the session back.

We finally deactivated tcpmd5 and the session was back in a few seconds.

Did I do sth wrong or is there some issue here ??

Thanks
Re: Lenovo notebooks
On 26/10/06, martin g <[EMAIL PROTECTED]> wrote: Hello all Has anyone got experience with Lenovo notebooks running OpenBSD. If you are so kind to share your experience. http://marc.theaimsgroup.com/?l=openbsd-misc&s=lenovo -- Andreas Kahari Somewhere in the general Cambridge area, UK
Re: Unknown "." dir in a daily insecurity report
On Thu, 26 Oct 2006, Patrick Rutkowski wrote:
> I don't know what I'm supposed to make of this:
>
> === Start Message ===
>
> Subject: daily insecurity output
>
> Checking special files and directories.
> Output format is:
> filename:
> criteria (shouldbe, reallyis)
> .: permissions (0755, 0777)
>
> === End Message ===
>
> Normally I don't get daily insecurity reports, which I take to mean that
> everything is OK. But for the past two nights I have gotten this one; and I
> can't figure out what it's trying to tell me.
>
> sudo find / -perm 777 will show no output other than when I
> deliberately create a single chmod 777 file, at which point it will show only
> that one file. This proves that that find is working properly and that there
> are, as far as I can tell, no chmod 777 files on my system.
>
> The only thing worth mentioning about my system is that it's still running
> 3.8.

It looks like your / dir has the wrong permissions.

-Otto
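The report line `.: permissions (0755, 0777)` pairs an expected mode with the mode actually found, for a path named relative to the checked root, which is why `.` points at the top directory itself. An added sketch of that comparison (not OpenBSD's own check; the spec and the throwaway tree are constructed for the example):

```python
import os
import stat
import tempfile

# Constructed spec: path relative to the checked root -> expected mode.
SPEC = {".": 0o755, "etc": 0o755, "tmp": 0o1777}


def check_tree(root, spec):
    """Compare every spec entry with the filesystem; return report lines."""
    report = []
    for rel, expected in spec.items():
        path = os.path.normpath(os.path.join(root, rel))  # "." is root itself
        try:
            actual = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            report.append(f"{rel}: missing")
            continue
        if actual != expected:
            report.append(f"{rel}: permissions ({expected:04o}, {actual:04o})")
    return report


def demo():
    """Check a throwaway tree whose top directory is world-writable."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("etc", "tmp"):
            path = os.path.join(root, rel)
            os.mkdir(path)
            os.chmod(path, SPEC[rel])  # chmod is not affected by the umask
        os.chmod(root, 0o777)          # the condition from the report
        before = check_tree(root, SPEC)
        os.chmod(root, 0o755)          # corrected mode
        after = check_tree(root, SPEC)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("\n".join(before) or "no findings")
    print("\n".join(after) or "no findings")
```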
Intel Core Duo - should I go for bsd.mp?
Most likely some time tomorrow I'll have a Thinkpad R60 with an Intel Core Duo processor land in my lap. I wonder, would it be at all useful to try running it with a bsd.mp kernel? -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/ "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales" 20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
Unknown "." dir in a daily insecurity report
I don't know what I'm supposed to make of this:

=== Start Message ===

Subject: daily insecurity output

Checking special files and directories.
Output format is:
filename:
criteria (shouldbe, reallyis)
.: permissions (0755, 0777)

=== End Message ===

Normally I don't get daily insecurity reports, which I take to mean that everything is OK. But for the past two nights I have gotten this one; and I can't figure out what it's trying to tell me.

sudo find / -perm 777 will show no output other than when I deliberately create a single chmod 777 file, at which point it will show only that one file. This proves that that find is working properly and that there are, as far as I can tell, no chmod 777 files on my system.

The only thing worth mentioning about my system is that it's still running 3.8.

-Patrick
IBM T40 mouse freezes after resume from zzz
If I run zzz from an xterm and resume the mouse is frozen. If I switch to another terminal or if I ssh into my laptop, run zzz, resume, and switch back to X, then the mouse works fine.
Lenovo notebooks
Hello all Has anyone got experience with Lenovo notebooks running OpenBSD. If you are so kind to share your experience. tnx.
Re: macppc booting: G3 w/ SCSI disk
On Wed, Oct 25, 2006 at 01:07:37PM -0500, Jacob Yocom-Piatt wrote: > /dev/[EMAIL PROTECTED]/ADPT,[EMAIL PROTECTED]:9,ofwboot, which makes sense > from the try /dev/[EMAIL PROTECTED]/ADPT,[EMAIL PROTECTED]:0,ofwboot