Which crypto card for Soekris 4801?

2007-01-15 Thread Heinrich Rebehn

Hi all,

which crypto cards actually work in a soekris 4801 under OpenBSD?

I thought about buying a vpn1411, but have read about problems with
corrupted mac, which don't seem to be resolved so far. This is a bit 
confusing: http://www.openbsd.org/i386.html states that the board is 
supported, so does the soekris website. However:
http://archives.neohapsis.com/archives/openbsd/2006-06/0825.html 
suggests that it's not.


So my question: Which PCI/MiniPCI card does actually work? I want to use 
it to accelerate IPSec.


Thank you very much for any info. Without hardware encryption this box 
is too slow for my use and i will have to return it to my dealer.


Regards,

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341





Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Christopher Snell

On 1/15/07, Heinrich Rebehn <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> which crypto cards actually work in a soekris 4801 under OpenBSD?


You're going to have a hard time finding supported Mini-PCI cards,
other than the HiFn stuff.

Instead, check out the Commell motherboards:

http://www.commell-sys.com/Product/SBC/ITX-662.HTM

This one has the C3 chip which is listed as supported here:

http://www.openbsd.org/crypto.html#hardware

If it's performance that you're after, you're going to have a struggle
with that Soekris.

Chris



MD5 sum of /bsd on freshly installed system/?

2007-01-15 Thread Gregory Edigarov

Hello,

It would be greatly appreciated if somebody can make an md5 checksum of 
the generic kernel.
Need to check that as my OpenBSD 4.0 install hangs while booting at the
very early stage.


I was trying to install my openbsd on a relatively old pc, all went just
fine. I.e. I've booted from cd, made partitions, etc...
Then on the first boot from HDD it hung after it recognized the
second USB controller.
I suspect something is wrong with memory/HDD but I can't investigate it 
right now. Could it be a kernel bug also?

--
With best regards,
   Gregory Edigarov



Re: MD5 sum of /bsd on freshly installed system/?

2007-01-15 Thread Clint Pachl

Gregory Edigarov wrote:
> It would be greatly appreciated if somebody can make an md5 checksum
> of the generic kernel.
> Need to check that as my OpenBSD 4.0 install hangs while booting at
> the very early stage.


# this is for i386 because you said old PC
MD5 (bsd) = e8f67a2fd90f98d5b4edee9fe837c2fd
MD5 (bsd.mp) = 63906960ed483599175af5c21bbcffe7

You can always find the checksums on the FTP server:
ftp://ftp.openbsd.org/pub/OpenBSD/4.0/i386/MD5

-pachl



Re: MD5 sum of /bsd on freshly installed system/?

2007-01-15 Thread Stas Myasnikov
> Hello,
> 
> It would be greatly appreciated if somebody can make an md5 checksum of 
> the generic kernel.

MD5 (/bsd) = e8f67a2fd90f98d5b4edee9fe837c2fd
MD5 (/bsd.mp) = 63906960ed483599175af5c21bbcffe7
MD5 (/bsd.rd) = 9b39a3f3d938fb906f2bf59bcface97f



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Christian Ney
Hi Heinrich,

> I thought about buying a vpn1411, but have read about problems with
> corrupted mac, which don't seem to be resolved so far. This is a bit
> confusing: http://www.openbsd.org/i386.html states that the board is
> supported, so does the soekris website. However:
> http://archives.neohapsis.com/archives/openbsd/2006-06/0825.html suggests
> that it's not.
Although I can't tell you which card actually works, I can (partly)
confirm the "corrupted mac"-thingie:
My WRAP-firewall is running 4.0-stable and a VPN1411. From time to time,
running ssh-sessions will simply die and spit out "Disconnecting:
Corrupted MAC on input."

Everything else works, but it's rather confusing editing pf.conf and seeing
your connection dying. If you don't have to configure your device every 5
minutes or so, this shouldn't be a showstopper.

Hope that helps...
Chris



Re: MD5 sum of /bsd on freshly installed system/?

2007-01-15 Thread Woodchuck
On Mon, 15 Jan 2007, Gregory Edigarov wrote:

> Hello,
> 
> It would be greatly appreciated if somebody can make an md5 checksum of the
> generic kernel.
> Need to check that  as my OpenBSD 4.0 install hangs while booting at the very
> early stage.

The kernel embeds information that is different each time it is compiled.
If you are using the kernel from the official release, the MD5 sum
should be available at the official ftp site.

The file would be ftp://ftp.openbsd.org/pub/OpenBSD/4.0/i386/MD5
(assuming i386 is your architecture).

For the generic kernel
MD5 (bsd) = e8f67a2fd90f98d5b4edee9fe837c2fd

> I was trying to install my openbsd on a relatively old pc, all went just fine.
> I.e. I've booted from cd, made partitions, etc...
> Then on the first boot from HDD it hung after it recognized the second USB
> controller.
> I suspect something is wrong with memory/HDD but I can't investigate it right
> now. Could it be a kernel bug also?

Can't tell.  Repost as a separate request, and include the dmesg if possible.
(This can be tricky if the machine won't boot.  Note that using the
installation CD, you can establish a working networked system
and copy the dmesg to another machine, maybe using ftp.  (I don't
remember if scp is available on the install media).)

Really -- whoever can help you with this has to know all the details.

Dave
-- 
  [In] all human groups at all times there are the few who rule
   and the many who are ruled.
-- A. Livingston
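
Checking an installed kernel against the published MD5 list, as the replies above suggest, can be scripted. This is an added example, not code from the thread; the function names, exit codes and the file name verify_md5.sh are this example's own. A match shows the file on disk is the release file, so a corrupted install shows up as a mismatch.

```shell
#!/bin/sh
# Check a file against a BSD-style checksum list, whose lines look like
#   MD5 (bsd) = e8f67a2fd90f98d5b4edee9fe837c2fd
# The list names files as they appear in the release directory ("bsd"),
# while the installed kernel lives at /bsd, so name and path are separate.

# md5_of FILE: print the hex MD5 of FILE using md5sum (GNU) or md5(1) (BSD).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        # BSD md5 prints "MD5 (file) = hash"; keep only the hash.
        md5 "$1" | sed 's/^.* = //'
    fi
}

# expected_md5 LIST NAME: print the hash recorded for NAME, fail if absent.
expected_md5() {
    awk -v n="$2" '
        $1 == "MD5" && $2 == "(" n ")" && $3 == "=" &&
        length($4) == 32 && $4 ~ /^[0-9a-f]+$/ { print $4; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# verify_file LIST NAME PATH
# Returns 0 on match, 1 on mismatch, 2 if NAME is not listed or PATH unreadable.
verify_file() {
    want=$(expected_md5 "$1" "$2") || {
        echo "$2: not listed in $1" >&2
        return 2
    }
    [ -r "$3" ] || {
        echo "$3: cannot read" >&2
        return 2
    }
    got=$(md5_of "$3")
    if [ "$got" = "$want" ]; then
        echo "$2: OK"
        return 0
    fi
    echo "$2: MISMATCH (expected $want, got $got)" >&2
    return 1
}

# Command-line use (hypothetical file name): sh verify_md5.sh MD5 bsd /bsd
if [ "$#" -eq 3 ]; then
    verify_file "$@"
    exit $?
fi
```
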



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Stuart Henderson
On 2007/01/15 09:39, Heinrich Rebehn wrote:
> I thought about buying a vpn1411, but have read about problems with
> corrupted mac, which don't seem to be resolved so far.

I only remember seeing posts about problems with encryption in
user processes, not the kernel. If it is indeed reliable with kernel
use, then you can set sysctl kern.usercrypto=0 and restrict use of
the card to the kernel.

However the Geode hardware platform has a weak PCI system relying
in part on emulation in the CPU; this is the main cause of limited
throughput on this hardware; depending on what sort of speeds
you're trying to achieve, the accelerator may not be enough.

If you disable IPsec and pass the amount of bandwidth you need
to support through the system, you can watch top(1) and examine
the cpu% spent handling interrupts; if there is not a reasonable
amount free to handle the interrupts from the accelerator card,
it won't help you.

The systems using VIA processors are very much faster even
without hardware AES support since they have a better PCI system;
the models with accelerated encryption do so by using new CPU
instructions, rather than a device which must be accessed over
the PCI bus. There's far less overhead because of this.

AMD Geode LX processors also have AES instructions on-CPU
(for 128-bit, anyway) but they're not yet supported (-current
has support for the random number generator, "AES to be added
later").

Other hardware - Commell has been mentioned, Liantec are another
option (some of their hardware is listed here:
http://kd85.com/liantec.html), and of course there are others.



Debugging an OpenBSD/vax-only resource leak

2007-01-15 Thread Moritz Grimm

Hi,


a strange issue is affecting the system monitor I wrote. It's working 
fine everywhere (i386, sparc*, amd64, other OSes on various archs), 
except on OpenBSD/vax (-current snapshot as of Jan 5th, same with 
4.0-release) running inside simh-vax. It leaks huge amounts of memory 
there, and CPU usage is rising over time as well. I have no idea how to 
debug this, and whether this is even related to my code or not (AFAICT 
the problem could be anywhere, my bug, g++ bug, libstdc++ bug, libxml2 
bug, simh-vax bug, ... probably specific to the combination VAX + a.out 
+ static libs.)


Is there a way to investigate this? I fear that practical ways are slim; 
the VAX simulation is also incredibly slow, making almost everything 
seem to take forever.


Any hints would be highly appreciated.


Moritz



Need: dmesg from Intel D850GB Motherboard

2007-01-15 Thread Gregory Edigarov

Hi List,

I know it is a very old motherboard, but... Maybe somebody has it under
OpenBSD. dmesg from 4.0 GENERIC /bsd would be highly appreciated.


Thanks a lot.

--
With best regards,
   Gregory Edigarov



pkg_add, ftp and external ftp proxy connection problem

2007-01-15 Thread Didier Wiroth

Hello,
(I'm using 4.0-stable)

We have a ftp proxy which I can't bypass with the standard openbsd ftp 
command.
Every pkg_add command, or any fetch command in the ports system, fails
when it tries to fetch some file via ftp:// sites.


I tried every possible combination of the ftp_proxy variable but it 
doesn't work.


I'm able to use the openbsd ftp command and connect like this:
1) connect to our ftp proxy "without" authentication.
ftp -n ourproxy
Connected to ourproxy.
220 FTP Service (36)
ftp>

2) and now manually connect to the desired ftp server:
ftp> user [EMAIL PROTECTED]
331 Anonymous login ok, send your complete email address as your password.
Password:
230 Anonymous access granted, restrictions apply.
ftp>

The NCFTP client works with the following 2 options:
#type 1:  Connect to firewall host, but send "USER [EMAIL PROTECTED]"
firewall-type=1
firewall-host=a.b.c.d

Unfortunately NCFTP is of no use with pkg_add or the ports system as it 
does not support the required "-o -" option.


Could someone tell me which other program I could use to resolve this 
problem?


Thank you very much!
Kind regards
Didier



Re: Friendly registrar

2007-01-15 Thread Marcos Laufer
Check www.ipv4domains.com out, donates to OpenBSD monthly, small company
but big expectations!

Bye!

- Original Message - 
From: "Jean-Daniel Beaubien" <[EMAIL PROTECTED]>
To: 
Sent: Sunday, January 14, 2007 5:41 PM
Subject: Friendly registrar


Hi everyone,

I'm about to purchase a domain name and I was wondering if there are
any registrars out there that are friendly to OpenBSD (donations,
contributions, etc...).

Thanks,

JD



Re: pkg_add, ftp and external ftp proxy connection problem

2007-01-15 Thread Stuart Henderson
On 2007/01/15 13:57, Didier Wiroth wrote:
> The NCFTP client works with the following 2 options:
> #type 1:  Connect to firewall host, but send "USER [EMAIL PROTECTED]"
> firewall-type=1
> firewall-host=a.b.c.d
> 
> Unfortunately NCFTP is of no use with pkg_add or the ports system as it 
> does not support the required "-o -" option.

Point FETCH_CMD to a script which runs ncftpget -c $3.
Works fine (at least directly, I haven't tried through a proxy).



Re: Merchandise idea: OpenBSD mug

2007-01-15 Thread Samurai Chef

On 1/14/07, Constantine A. Murenin <[EMAIL PROTECTED]> wrote:
> Read the archives. Theo explained here the copyright law many times,
> specifically to your situation about the use of artwork -- unless you
> are explicitly given the right to sell you don't have such a right
> [1]. Period, this is misc@ and not legal@, so this is not even worth
> any further discussion here. Therefore, unless he specifically gives
> you an OK to sell, you can expect to have legal problems. :)
>
> [1] http://archives.neohapsis.com/archives/openbsd/2005-03/2490.html

Thanks for the information.  I failed to search the archives for this.

I will wait on anything until after I have an opportunity to discuss
this with Theo.

To everyone else interested in this project - it's going to be at
least 6 weeks, and then maybe never after reading the thread
referenced above.



Re: pkg_add, ftp and external ftp proxy connection problem

2007-01-15 Thread Didier Wiroth

Stuart Henderson wrote:
> On 2007/01/15 13:57, Didier Wiroth wrote:
>> The NCFTP client works with the following 2 options:
>> #type 1:  Connect to firewall host, but send "USER [EMAIL PROTECTED]"
>> firewall-type=1
>> firewall-host=a.b.c.d
>>
>> Unfortunately NCFTP is of no use with pkg_add or the ports system as it
>> does not support the required "-o -" option.
>
> Point FETCH_CMD to a script which runs ncftpget -c $3.
> Works fine (at least directly, I haven't tried through a proxy).

Thank you but it does not work.
Using this:
#!/bin/sh
/usr/local/bin/ncftpget -c $3

and this
FETCH_CMD=/home/didier/bin/proxyftp

Returns an error and shows the available options of ncftpget.
Here is a short snip of the error:

Examples:
  ncftpget ftp.freebsd.org . /pub/FreeBSD/README.TXT /pub/FreeBSD/index.html
  ncftpget ftp.gnu.org /tmp '/pub/gnu/README.*'
  ncftpget ftp://ftp.freebsd.org/pub/FreeBSD/README.TXT
  ncftpget -R ftp.ncftp.com /tmp /ncftp  (ncftp is a directory)
  ncftpget -u gleason -p my.password Bozo.probe.net . '/home/mjg/.*rc'
  ncftpget -u gleason Bozo.probe.net . /home/mjg/foo.txt  (prompt for password)

  ncftpget -f Bozo.cfg '/home/mjg/.*rc'
  ncftpget -c ftp.freebsd.org /pub/FreeBSD/README.TXT | /usr/bin/more
  ncftpget -c ftp://ftp.freebsd.org/pub/FreeBSD/README.TXT | /usr/bin/more
  ncftpget -a -d /tmp/debug.log -t 60 ftp.wustl.edu . '/pub/README*'

Library version: LibNcFTP 3.1.9 (March 19, 2005).

This is a freeware program by Mike Gleason (http://www.ncftp.com).
This was built using LibNcFTP (http://www.ncftp.com/libncftp/).
*** Error code 1

Stop in /usr/ports/net/no-ip (line 2124 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/net/no-ip (line 1578 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/net/no-ip (line 1767 of /usr/ports/infrastructure/mk/bsd.port.mk).




Kind regards
Didier



Re: pkg_add, ftp and external ftp proxy connection problem

2007-01-15 Thread Stuart Henderson
On 2007/01/15 15:21, Didier Wiroth wrote:
> Thank you but it does not work.

> *** Error code 1
> 
> Stop in /usr/ports/net/no-ip (line 2124 of 
> /usr/ports/infrastructure/mk/bsd.port.mk).

You did say pkg_add not ports... Ports don't use -o - (you can
probably just use FETCH_CMD=ncftpget for them).

You can automate things (including using something other than
ncftpget for http:// URLs), but you get to write it, it's all just
basic scripting that you should learn anyway if you're using a
unix-like os (hey, it gives you an incentive to learn :-)

Most people don't need this, they either have no proxy required, a
transparent proxy or "nat helper" for FTP, or an http proxy without
authentication (in which case set ftp_proxy and http_proxy and ftp(1)
will cope).

The rarer side-cases not supported by ftp(1) are your example with a non-
transparent FTP proxy, and an HTTP proxy requiring authentication (as came
up recently). Or a socks proxy, but that's easy anyway (dsocks).
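
A FETCH_CMD wrapper of the kind discussed in this thread, covering both the pkg_add and the ports calling style, could look like the following. This is an added example, not code posted by anyone in the thread; the two calling conventions are taken from the messages above and not checked against the pkg_add or bsd.port.mk sources, and the NCFTPGET, FTP and DRY_RUN variables are this example's own.

```shell
#!/bin/sh
# FETCH_CMD wrapper: send ftp:// URLs through ncftpget (which can use the
# firewall-type/firewall-host proxy settings), http:// URLs through ftp(1).
#
# Assumed calling conventions, taken from the thread and not checked against
# the pkg_add or bsd.port.mk sources:
#   pkg_add:  $FETCH_CMD -o - URL   -> file contents expected on stdout
#   ports:    $FETCH_CMD URL        -> file expected in the current directory

NCFTPGET=${NCFTPGET:-/usr/local/bin/ncftpget}
FTP=${FTP:-/usr/bin/ftp}

# Run a command, or only print it when DRY_RUN is set (used for testing).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

fetch() {
    to_stdout=no
    if [ "${1:-}" = "-o" ] && [ "${2:-}" = "-" ]; then
        to_stdout=yes
        shift 2
    fi
    # Exactly one URL must remain; handing ncftpget an empty argument
    # only makes it print its usage text.
    if [ "$#" -ne 1 ]; then
        echo "usage: $0 [-o -] URL" >&2
        return 64
    fi
    url=$1
    case "$url" in
    ftp://*)
        if [ "$to_stdout" = yes ]; then
            run "$NCFTPGET" -c "$url"
        else
            run "$NCFTPGET" "$url"
        fi
        ;;
    http://*)
        # ftp(1) honours http_proxy for these, as noted in the thread.
        if [ "$to_stdout" = yes ]; then
            run "$FTP" -o - "$url"
        else
            run "$FTP" "$url"
        fi
        ;;
    *)
        echo "unsupported URL: $url" >&2
        return 65
        ;;
    esac
}

# Act as FETCH_CMD when called with arguments.
if [ "$#" -gt 0 ]; then
    fetch "$@"
    exit $?
fi
```
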



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Heinrich Rebehn

Christian Ney wrote:
> Hi Heinrich,
>
>> I thought about buying a vpn1411, but have read about problems with
>> corrupted mac, which don't seem to be resolved so far. This is a bit
>> confusing: http://www.openbsd.org/i386.html states that the board is
>> supported, so does the soekris website. However:
>> http://archives.neohapsis.com/archives/openbsd/2006-06/0825.html suggests
>> that it's not.
>
> Although I can't tell you which card actually works, I can (partly)
> confirm the "corrupted mac"-thingie:
> My WRAP-firewall is running 4.0-stable and a VPN1411. From time to time,
> running ssh-sessions will simply die and spit out "Disconnecting:
> Corrupted MAC on input."
>
> Everything else works, but it's rather confusing editing pf.conf and seeing
> your connection dying. If you don't have to configure your device every 5
> minutes or so, this shouldn't be a showstopper.

No, i don't. I want to use the box as a fileserver at home and have the
WLAN traffic encrypted with IPsec or OpenVPN. I do not know how robust
both of them are w.r.t to intermittent "corrupted mac" errors.
Unrecoverable hangs during file transfers would of course be quite
annoying. Maybe i will simply give it a try..

> Hope that helps...

Yes, thanks very much.

> Chris

Heinrich



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Heinrich Rebehn

Christopher Snell wrote:
> On 1/15/07, Heinrich Rebehn <[EMAIL PROTECTED]> wrote:
>> Hi all,
>>
>> which crypto cards actually work in a soekris 4801 under OpenBSD?
>
> You're going to have a hard time finding supported Mini-PCI cards,
> other than the HiFn stuff.
>
> Instead, check out the Commell motherboards:
>
> http://www.commell-sys.com/Product/SBC/ITX-662.HTM
>
> This one has the C3 chip which is listed as supported here:
>
> http://www.openbsd.org/crypto.html#hardware
>
> If it's performance that you're after, you're going to have a struggle
> with that Soekris.
>
> Chris

Thanks for your reply. Performance is of course relative. ATM i am 
getting 7 Mbit/s via OpenVPN measured with iperf. This is somewhat less 
than my WLAN can handle (54 Mbit/s) and also less than the speed of the 
HDD (~70 Mbit/s). So a working VPN1411 would really help.


I will see if i can get more from IPsec.

> This one has the C3 chip which is listed as supported here:
The Hi/fn 7955 is also listed as supported.. ;-)

Cheers,

Heinrich



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Stuart Henderson
On 2007/01/15 17:25, Heinrich Rebehn wrote:
> Thanks for your reply. Performance is of course relative. ATM i am 
> getting 7 Mbit/s via OpenVPN measured with iperf. This is somewhat less 
> than my WLAN can handle (54 Mbit/s)

54 Mbit/s is before protocol overhead; actual throughput is a bit
less than half that (assuming signal strength is strong, no packet
loss etc, however unlikely that is). This is around the limit of
what you can handle on the current Soekris boards _without_ encryption.

Crypto h/w helps a bit, but not a lot. NPtcp seems to fill the
network better than iperf, so might be a better test. But if you're
really interested in fileserver performance, it's better to look
at that directly under real conditions and decide whether the
performance is acceptable.

> and also less than the speed of the HDD (~70 Mbit/s).

I don't run HDs in Soekris boxes any more; without extra cooling
or extended-temperature-range drives they don't seem to last very
long.



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Martin Schröder

2007/1/15, Heinrich Rebehn <[EMAIL PROTECTED]>:
> getting 7 Mbit/s via OpenVPN measured with iperf. This is somewhat less
> than my WLAN can handle (54 Mbit/s) and also less than the speed of the
> HDD (~70 Mbit/s). So a working VPN1411 would really help.


If your HDD does only 70 M_bit_/s, you should buy a new one that does
70 M_Byte_/s. :-)

Good NASes have fast CPUs and GEs for a reason.

Best
  Martin



Problems with IPsec NAT-T

2007-01-15 Thread johannes
Hi,

I've set up an OpenBSD 4.0 (release) server to accept incoming IPsec
connections (using isakmpd). As long as the clients are not behind a NAT
things work great. However, as soon as NAT-T comes into play, things
stop working.

In order to diagnose the problem I tried to perform a controlled test:

Initially I did a pfctl -d, just to make sure it's not in the way.

Logging was performed using:
  tcpdump -ni enc0 -w ..
  tcpdump -ni rl0 -w ..
  isakmpd -d -D A=99 > ..
  ipsecctl -s all > .. (periodically)

and wireshark was running on the client. These logs are NOT included in
this mail just to save some space, in case they are wanted/needed, I'll
be happy to include them (obviously I'll happily send dmesg and
isakmpd.conf as well).

The client (Microsoft Windows Vista) and the server negotiate SAs and
setup flows without any problems and the client system starts sending ESP
packets. First I tried some TCP traffic (HTTP), then I tried some ICMP
(ping) ... nothing.  The server is not responding at all. When examining
the enc0 logs you can see the packets sent by the client. The TCP
packets seem to get a bad checksum, don't know if that is "supposed" to
happen. The ICMP packets seem to get through correctly. But the server
doesn't respond with a single packet. As soon as I'm not using IPsec
everything works fine.

Thank you for your help

/john



Re: 202 days Uptime in OpenBSD 3.6

2007-01-15 Thread Alexander Bochmann
...on Thu, Jan 11, 2007 at 08:42:35AM +0100, Marc Balmer wrote:

 > hmm, why are people so proud of their uptimes when it only show they
 > don't care for their systems?

Bah, uptimes (is it that time of the year again?)...

Last login: Sun Jan  7 19:22:19 2007 from xxx
OpenBSD 2.3 (LOCAL) #0: Wed Jul 31 12:51:38 CEST 2002

Welcome to OpenBSD: The proactively secure Unix-like operating system.

{104} ls -al /etc/localtime
lrwxr-xr-x  1 root  wheel  33 Jun 12  1998 /etc/localtime -> 
/usr/share/zoneinfo/Europe/Berlin

That's an Internet-connected system, running mail, web, DNS. 

It gets increasingly difficult to talk current software into 
compiling on that platform, though.

Alex.



Re: ThinkPad z61p: ar5_register_timeout

2007-01-15 Thread Karsten McMinn
On 1/11/07, Allan Wind <[EMAIL PROTECTED]> wrote:
>
> Dear List,
>
> I am getting the following with OpenBSD 4.0 (amd64) on a ThinkPad z61p
> (core 2 duo) when booting either the default bsd or bsd.mp kernel:
>
> ...
> ath0 at pc3 dev 0 function 0 "Atheros AR5212 (IBM MiniPCI)" rev 0x01: irq
> 11
> NMI ... going to debugger
> stopped at ar5k_register_timeout+0x8e: jmp ar5k_register_timeout+0x3e
> ddb>


this atheros chipset and others are still being worked on. see the archives
for more details.



pf.conf(5) and "on "

2007-01-15 Thread Maxim Bourmistrov
Hi!
I see from the pf-code it is possible to use interfacegroup with "on" option, 
like:

pass on egress all keep state

but it is not documented.

Maxim.



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Christian Ney
> No, i don't. I want to use the box as a fileserver at home and have the
> WLAN traffic encrypted with IPsec or OpenVPN. I do not know how robust
> both of them are w.r.t to intermittent "corrupted mac" errors.
> Unrecoverable hangs during file transfers would of course be quite
> annoying. Maybe i will simply give it a try..
in this case you shouldn't run into any problems: I'm also using the WRAP
as tunnel endpoint (OpenVPN mostly, but also IPSec) and the only thing
affected until now has been SSH.

Otoh: as others already mentioned, the performance benefit won't be
knocking you off your feet as long as there are only one or two users.
Well, at least the VPN1411 isn't _that_ expensive. ;)

Hopefully, you'll have much fun with your Soekris box.



Re: 202 days Uptime in OpenBSD 3.6

2007-01-15 Thread Darren Spruell

On 1/15/07, Alexander Bochmann <[EMAIL PROTECTED]> wrote:
> ...on Thu, Jan 11, 2007 at 08:42:35AM +0100, Marc Balmer wrote:
>
>> hmm, why are people so proud of their uptimes when it only show they
>> don't care for their systems?
>
> Bah, uptimes (is it that time of the year again?)...
>
> Last login: Sun Jan  7 19:22:19 2007 from xxx
> OpenBSD 2.3 (LOCAL) #0: Wed Jul 31 12:51:38 CEST 2002
>
> Welcome to OpenBSD: The proactively secure Unix-like operating system.
>
> {104} ls -al /etc/localtime
> lrwxr-xr-x  1 root  wheel  33 Jun 12  1998 /etc/localtime ->
> /usr/share/zoneinfo/Europe/Berlin
>
> That's an Internet-connected system, running mail, web, DNS.


Do you sleep well at night exposing that system to the Internet? One
would question the amount of effort to ensure patch application (if at
all possible) on a system so far out of date...

DS



Re: Merchandise idea: OpenBSD mug

2007-01-15 Thread Greg Thomas

On 1/15/07, Samurai Chef <[EMAIL PROTECTED]> wrote:
> On 1/14/07, Constantine A. Murenin <[EMAIL PROTECTED]> wrote:
>>
>> Read the archives. Theo explained here the copyright law many times,
>> specifically to your situation about the use of artwork -- unless you
>> are explicitly given the right to sell you don't have such a right
>> [1]. Period, this is misc@ and not legal@, so this is not even worth
>> any further discussion here. Therefore, unless he specifically gives
>> you an OK to sell, you can expect to have legal problems. :)
>>
>> [1] http://archives.neohapsis.com/archives/openbsd/2005-03/2490.html
>
> Thanks for the information.  I failed to search the archives for this.
>
> I will wait on anything until after I have an opportunity to discuss
> this with Theo.
>
> To everyone else interested in this project - it's going to be at
> least 6 weeks, and then maybe never after reading the thread
> referenced above.



Well, we'll wait and see.  Hopefully Theo will be interested in this,
I think the other two people mentioned in the email above didn't
bother getting permission.  Maybe this time he'll see a reason to have
someone else sell some cups and glasses.

Greg



Re: pf.conf(5) and "on "

2007-01-15 Thread Maxim Bourmistrov
discard :)

On Monday 15 January 2007 18:55, Maxim Bourmistrov wrote:
> Hi!
> I see from the pf-code it is possible to use interfacegroup with "on" option, 
> like:
> 
> pass on egress all keep state
> 
> but it is not documented.
> 
> Maxim.



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Joe

Stuart Henderson wrote:
> The systems using VIA processors are very much faster even
> without hardware AES support since they have a better PCI system;
> the models with accelerated encryption do so by using new CPU
> instructions, rather than a device which must be accessed over
> the PCI bus. There's far less overhead because of this.



I'll second this. My VIA EN15000 is quite fast when it comes to IPSEC 
and the motherboard+cpu utilizes ~20W...if that.


I had trouble finding a good crypto implementation that was fully supported
and worked well. This statement by Theo helped my decision though:


~~~snip~~~

Theo de Raadt is quoted as saying, "There's just no way to describe how 
happy we were to find such an inexpensive, blazingly fast, and correctly 
operating device as the VIA Eden-N processor's Padlock ACE ..." OpenBSD 
3.4 has support for this processor and its integrated cryptographic engine.


~~~snip~~~

This gave me some confidence that the VIA was the right choice.



mixed (compile from source, binary update) approach

2007-01-15 Thread Patrick Useldinger

Hi,

I expected that this question had come up many times before but I didn't 
find anything in the archives, so here I go.


My understanding is that OpenBSD version updates can only be done with 
binaries. Likewise, for additional application installation, packages 
i.e. binaries are favored over ports i.e. compiling from source.


Why then, otoh, does following -stable involve compiling from source?

I thought that the rationale for using binaries was security: everybody 
is guaranteed to use exactly the same binaries so there's no risk that 
for some reason, on one machine, the compile process would yield a
different result. Yet the same argument would be true for following
-stable, especially as using the GENERIC kernel is the only supported 
configuration.


So I guess I am missing something decisive here. Can anybody shed some 
light on _why_ there are 2 different ways to update?



Regards,
-pu



Re: Is this possible or not ?

2007-01-15 Thread S t i n g r a y
Hello Stuart

Well, during the past few days i was busy trying to make it work. I upgraded to
version 4.0 and also changed all the Ethernet cards, as according to some mailing
lists this error comes because of some Ethernet NICs. Only changing the CPU is
left, now gonna try to make it work on a SEP cpu.
Do you think it would work?
If it doesn't bother you much, can you look at my pf.conf and check whether there
are any logical mistakes that are causing this?

Thanks once again


lan_net = "10.0.0.0/16"
int_if  = "xl1"
ext_if1 = "xl0"
ext_if2 = "xl2"
ext_gw1 = "192.168.0.1"
ext_gw2 = "203.81.235.1"
chadd = "10.0.0.1"
ports = "22 25 53 80 110 119 123 143 443 465 554 900 995 1755 1863 1999 2090 
2091 2095 3000 3020 2020 3389 5000 5001 5050 5100 5190 6667 

11999 14360"
table  persist file "/etc/allowedclients"

#  nat outgoing connections on each internet interface
nat on $ext_if1 from $lan_net to  -> ($ext_if1) 
nat on $ext_if2 from $lan_net to  -> ($ext_if2)

rdr on $int_if proto tcp from  to any port 80 -> $chadd port 
8080

#  pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

#  pass in quick any packets destined for the gateway itself

pass in quick on $int_if from $lan_net to $int_if
pass in on $int_if route-to { ($ext_if1 $ext_gw1) } inet proto tcp from \
$lan_net to any port {$ports} keep state

pass in on $int_if route-to { ($ext_if2 $ext_gw2) } from \
$lan_net flags S/SA keep state

#  general "pass out" rules for external interfaces

pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any 
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any 




*:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$
  



- Original Message 
From: Stuart Henderson <[EMAIL PROTECTED]>
To: S t i n g r a y <[EMAIL PROTECTED]>
Cc: openbsd 
Sent: Monday, January 8, 2007 4:52:11 PM
Subject: Re: Is this possible or not ?

On 2007/01/08 01:39, S t i n g r a y wrote:
> but now i have another problem which is whenever i load this file my server 
> crashes with a "kernel:  page fault" the whole error is
> epic0: lost carrier
> kernel:  page fault trap, code=0
> stopped at  pf_route +0x248 : movl
> 
> do you know why is this ?
> 
> i am using OpenBSD 3.9

I don't know why, but my suggestions are:

- first, try 4.0 or a -current snapshot (-current is best)
in case it's already fixed;

- if it still crashes, try and get the information from "trace"
and "ps" - if you're lucky, it will still be in "dmesg" after
you reboot (type "boot r" at the ddb prompt, don't power-cycle).
Otherwise, copy it by hand or better, if you have a null modem
cable, capture the whole lot: openbsd.org/faq/faq7.html#SerCon
has instructions.






 




Re: Is this possible or not ?

2007-01-15 Thread Stuart Henderson
On 2007/01/15 11:04, S t i n g r a y wrote:
> Well during the past few days i was busy trying to make it work
> , i upgraded to version 4.0

try a -current snapshot (or, if you know how, apply the diff
mentioned here 
and rebuild).



Re: mixed (compile from source, binary update) approach

2007-01-15 Thread Emilio Perea
On Mon, Jan 15, 2007 at 08:58:58PM +0100, Patrick Useldinger wrote:
> So I guess I am missing something decisive here. Can anybody shed some 
> light on _why_ there are 2 different ways to update?

It might help to think about it as the process for keeping up with
-stable being identical to the process for keeping up with -current.  In
both cases, you start with the latest relevant release and update it by
building from source.  The only difference is that in one case the
starting points change only twice a year, while in the other they may
change twice a day.

Ideally, there would be stable as well as current snapshots.  But that
would require a lot more hardware and time for the developers to keep up
with the last two stable releases plus the version they are actually
working on now.  For each platform.  That doesn't seem very practical.

If you have more than one machine (with the same architecture) it makes
sense to build a release in one and use it for a binary upgrade on the
others.

Emilio (NOT a developer.)



Re: mixed (compile from source, binary update) approach

2007-01-15 Thread Darren Spruell

On 1/15/07, Patrick Useldinger <[EMAIL PROTECTED]> wrote:

> My understanding is that OpenBSD version updates can only be done with
> binaries. Likewise, for additional application installation, packages
> i.e. binaries are favored over ports i.e. compiling from source.


Version up_grades_  (one release/version to another) are supported via
binary upgrade. People attempting to upgrade via source end up
breaking things.

You're right about packages vs. ports being preferred, where possible.
Why waste time and introduce potential for failure if you don't have
to? A port build just results in a package anyway.


> Why then, otoh, does following -stable involve compiling from source?


Because it works and happens sometimes too frequently to justify
binary releases so often.

Note that you can follow the directions in release(8) to produce your
own distribution set for binary "updates" if you want; it's
essentially treated as an upgrade although you can apply updates the
same way (you just aren't moving from one version to another.)


> I thought that the rationale for using binaries was security: everybody
> is guaranteed to use exactly the same binaries so there's no risk that
> for some reason, on one machine, the compile process would yield in a
> different result. Yet the same argument would be true for following
> -stable, especially as using the GENERIC kernel is the only supported
> configuration.


Statistically, the process doesn't yield different results. This is
one benefit of a known, stable development environment shipping with
the OS. Security is probably a weak argument there. One might argue
that binary distribution updates mask security problems; when you
apply updates and build from using source patches, you see what is
going into your system. (OK, it could be a weak argument. Whatever.)


> So I guess I am missing something decisive here. Can anybody shed some
> light on _why_ there are 2 different ways to update?


Other than one is really an upgrade and the other is an update, so
it's apples to oranges in that regard?

(Note that there are 3rd-party binary update/patch programs for
OpenBSD on the Internet. I'm not advocating them; note also that
you're on your own if you choose to use them.)

DS



Re: 202 days Uptime in OpenBSD 3.6

2007-01-15 Thread Joachim Schipper
On Mon, Jan 15, 2007 at 11:20:27AM -0700, Darren Spruell wrote:
> On 1/15/07, Alexander Bochmann <[EMAIL PROTECTED]> wrote:
> >...on Thu, Jan 11, 2007 at 08:42:35AM +0100, Marc Balmer wrote:
> >
> > > hmm, why are people so proud of their uptimes when it only show they
> > > don't care for their systems?
> >
> >Bah, uptimes (is it that time of the year again?)...
> >
> >Last login: Sun Jan  7 19:22:19 2007 from xxx
> >OpenBSD 2.3 (LOCAL) #0: Wed Jul 31 12:51:38 CEST 2002
> >
> >Welcome to OpenBSD: The proactively secure Unix-like operating system.
> >
> >{104} ls -al /etc/localtime
> >lrwxr-xr-x  1 root  wheel  33 Jun 12  1998 /etc/localtime -> 
> >/usr/share/zoneinfo/Europe/Berlin
> >
> >That's an Internet-connected system, running mail, web, DNS.
> 
> Do you sleep well at night exposing that system to the Internet? One
> would question the amount of effort to ensure patch application (if at
> all possible) on a system so far out of date...

If you are careful, and know what you do, and know what software to run,
you can get away with a very small number of patches.

Still, I do try to upgrade at least once a year.

Joachim



Re: Merchandise idea: OpenBSD mug

2007-01-15 Thread L. V. Lammert
On Mon, 15 Jan 2007, Greg Thomas wrote:

> On 1/15/07, Samurai Chef <[EMAIL PROTECTED]> wrote:
> > On 1/14/07, Constantine A. Murenin <[EMAIL PROTECTED]> wrote:
> > >
> > > Read the archives. Theo explained here the copyright law many times,
> >
> > Thanks for the information.  I failed to search the archives for this.
> >
> > I will wait on anything until after I have an opportunity to discuss
> > this with Theo.
> >
>
> Well, we'll wait and see.  Hopefully Theo will be interested in this,
>
There's always the obvious solution - donate a few cases of mugs to the
project & see what sells? That completely bypasses any copyright issues,
and also maximizes the return.

Lee



Re: Merchandise idea: OpenBSD mug

2007-01-15 Thread Clint Pachl
Tom Beard wrote:
> Samurai Chef wrote:
> > I'll do it.  I'll order some and announce here.  I'll set up a ebay
> > store for the merchandise.  contact me with requests.
>
> I'd take a few if you got them done.

Me too. Is that eBay store setup?

Like someone already mentioned, it would be really cool if one side of
the mug read "RTFM".

-pachl



Re: Friendly registrar

2007-01-15 Thread Karl R. Balsmeier
I have been using domainpeople.com mainly because they are canadian, 
(e.g. not greedy and impossible to get in touch with like many 
registrars in my own country, and home of the coolest open source OS 
project on the planet). 

they are easy to get in touch with (they have a phone number maintained 
by actual verified humans), have great pricing, and have always helped 
me out as well as my customers.  If you get a reseller account with them 
(free) you can buy domains for $12USD instead of $35 USD.  In speaking 
with their technical staff they are well aware of openbsd and may even 
be running a few chrooted dns servers even though they couldn't answer 
in that detail.


-karlski


Paulo Rodriguez wrote:

Not sure if they are specifically OpenBSD friendly, but gandi.net is 
alternative-friendly and opensource friendly (see 
http://www.gandi.net/soutient/ ) . And they are french, which might be 
a plus on your book ;)


I think Henning's company also did registrar services ( 
http://www.bsws.de/ ), in which case you know what's being used 
infrastructure-wise, and where the bling bling goes.

Kind regards,

P

Jean-Daniel Beaubien wrote:


Hi everyone,

I'm about to purchase a domain name and I was wondering if there are
any registrar out there that are friendly to OpenBSD (donations,
contributions, etc...).

Thanks,

JD




Re: Thinkpad Fingerprint Sensors

2007-01-15 Thread Christopher Snell

Sorry for the thread revival but this looks interesting.  These guys
claim to have a GPL'ed driver for the fingerprint reader:

http://sourceforge.net/projects/thinkfinger

Chris

On 12/13/06, Chris Kuethe <[EMAIL PROTECTED]> wrote:

On 12/13/06, Marc Balmer <[EMAIL PROTECTED]> wrote:
> * Michael wrote:
> > Hi,
> >
> > will there be any support for the fingerprint sensor on the newer
> > Thinkpads (anytime soon)?
> >
> > Linux:
> > http://toe.ch/~tsa/ibm-fingerprint/
> > http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader
> > http://www.qrivy.net/~michael/blua/
> >
> > Vendor SDKs:
> > Linux: http://www.upek.com/support/dl_linux_bsp.asp
> > FreeBSD: http://www.upek.com/support/dl_freeBSD_bsp.asp
>
> These are binary only (BLOB) drivers w/o source code.  If you can find
> source code that would be better.  With the current state of affairs (no
> source code, only BLOB) you will never get support for this device in
> OpenBSD .

If you're still curious though, there is a fairly stagnant project at
sourceforge that might offer some insight into what you're asking for
- fvs.sourceforge.net. Sometimes you can find the sensor docs - like
for authentec - but many times there are very significant errors (like
with authentec). I started hacking on an authentec driver some years
ago. I was getting data back from the sensor but then I stopped
caring.

UPEK and DigitalPersona seemed quite unwilling to release enough
register documentation to make an open, multiplatform driver a
worthwhile pursuit - even if you did buy the SDK. They're free to
build closed, windows-only software, and you're free to ignore them.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?




Re: 202 days Uptime in OpenBSD 3.6

2007-01-15 Thread Karl R. Balsmeier

Joachim Schipper wrote:

> On Mon, Jan 15, 2007 at 11:20:27AM -0700, Darren Spruell wrote:
> > On 1/15/07, Alexander Bochmann <[EMAIL PROTECTED]> wrote:
> > > ...on Thu, Jan 11, 2007 at 08:42:35AM +0100, Marc Balmer wrote:
> > >
> > > > hmm, why are people so proud of their uptimes when it only show they
> > > > don't care for their systems?
> > >
> > > Bah, uptimes (is it that time of the year again?)...
> > >
> > > Last login: Sun Jan  7 19:22:19 2007 from xxx
> > > OpenBSD 2.3 (LOCAL) #0: Wed Jul 31 12:51:38 CEST 2002
> > >
> > > Welcome to OpenBSD: The proactively secure Unix-like operating system.
> > >
> > > {104} ls -al /etc/localtime
> > > lrwxr-xr-x  1 root  wheel  33 Jun 12  1998 /etc/localtime ->
> > > /usr/share/zoneinfo/Europe/Berlin
> > >
> > > That's an Internet-connected system, running mail, web, DNS.
> >
> > Do you sleep well at night exposing that system to the Internet? One
> > would question the amount of effort to ensure patch application (if at
> > all possible) on a system so far out of date...
>
> If you are careful, and know what you do, and know what software to run,
> you can get away with a very small number of patches.
>
> Still, I do try to upgrade at least once a year.
>
> Joachim

and behind a good firewall, even old systems like RH6 with a million 
holes are never going to get exploited as long as you take proper care.  
in a high volume, public facing infrastructure.  there are too many 
cpanel and IIS servers around to hack, trying to bust into an OBSD box 
would mean you have to be a real hacker, like U4EA or DFENS or Radikahl 
or Sidewinder or Tkiller or Datarape or  One's looking for a car 
with the doors unlocked, engine running, keys in the ignition, owner 
nowhere in sight.


Can you show me some 3.6 exploits Alexander?  It's hard to doubt someone 
cares about their system when they hang out on the list.  Perhaps 
really, they actually know what they are doing eh?


Where would I get an exploit for 3.6?, which exploit would I choose?  
Remote?  How many hundreds of those are lying about for ready download? 
  Can you or anyone else we know on the list give a nice howto on this? 

Just how easy is it compared to the old days when you could run nuke.c 
on IRC chats and literally shut down someone's Mac Plus on them 
mid-sentence?  Now that was fun.  Wasn't even a web back then, just 
BITNET, majordomo, FTPlists, BB's, archie, WAIS, even encrypted chat 
/dcc_chat /dcc_send (where'd that go?)


I have a 3.6 system right here, unpatched behind a firewall, and one not 
behind a firewall.  -i'd like to see some skills from the 
fear-uncertainty-doubt 5th column since everyone's so absolutely sure 
you'll get hacked if you turn on a computer at all and try to make it do 
anything useful whatsoever.


uptime 412 days on #drgori  he's running an ancient os because informix 
hasn't altogether disappeared from the base of code run by our v1 app 
made what, 6 years ago?  boy if that one customer who needs it would 
just scram.  -practical need vs. non-useful-perfectionism.  the ugly 
flower never gets picked.  I hate informix, but #drgori never goes 
down, does its job, and even though people try, -they just can't get
through the defenses in front of him.


Just curious Alexander.  Just curious.

booya.  biff y

-krb



Re: 202 days Uptime in OpenBSD 3.6

2007-01-15 Thread Olivier Meyer

What really matters is the security of the applications you are
running (httpd, sshd, sendmail,...). If you keep those up to date, the
kernel really does not matter. If you look at
http://openbsd.org/security.html, most of the "openbsd" bugs really
are in openssh, the c library, or are a local privilege escalation
attack that cannot be exploited remotely.

On 1/15/07, Karl R. Balsmeier <[EMAIL PROTECTED]> wrote:

Joachim Schipper wrote:

>On Mon, Jan 15, 2007 at 11:20:27AM -0700, Darren Spruell wrote:
>
>
>>On 1/15/07, Alexander Bochmann <[EMAIL PROTECTED]> wrote:
>>
>>
>>>...on Thu, Jan 11, 2007 at 08:42:35AM +0100, Marc Balmer wrote:
>>>
>>>
>>>
>>>>hmm, why are people so proud of their uptimes when it only show they
>>>>don't care for their systems?


>>>Bah, uptimes (is it that time of the year again?)...
>>>
>>>Last login: Sun Jan  7 19:22:19 2007 from xxx
>>>OpenBSD 2.3 (LOCAL) #0: Wed Jul 31 12:51:38 CEST 2002
>>>
>>>Welcome to OpenBSD: The proactively secure Unix-like operating system.
>>>
>>>{104} ls -al /etc/localtime
>>>lrwxr-xr-x  1 root  wheel  33 Jun 12  1998 /etc/localtime ->
>>>/usr/share/zoneinfo/Europe/Berlin
>>>
>>>That's an Internet-connected system, running mail, web, DNS.
>>>
>>>
>>Do you sleep well at night exposing that system to the Internet? One
>>would question the amount of effort to ensure patch application (if at
>>all possible) on a system so far out of date...
>>
>>
>
>If you are careful, and know what you do, and know what software to run,
>you can get away with a very small number of patches.
>
>Still, I do try to upgrade at least once a year.
>
>   Joachim
>
>
>
and behind a good firewall, even old systems like RH6 with a million
holes are never going to get exploited as long as you take proper care.
in a high volume, public facing infrastructure.  there are too many
cpanel and IIS servers around to hack, trying to bust into an OBSD box
would mean you have to be a real hacker, like U4EA or DFENS or Radikahl
or Sidewinder or Tkiller or Datarape or  One's looking for a car
with the doors unlocked, engine running, keys in the ignition, owner
nowhere in sight.

Can you show me some 3.6 exploits Alexander?  It's hard to doubt someone
cares about their system when they hang out on the list.  Perhaps
really, they actually know what they are doing eh?

Where would I get an exploit for 3.6?, which exploit would I choose?
Remote?  How many hundreds of those are lying about for ready download?
   Can you or anyone else we know on the list give a nice howto on this?

Just how easy is it compared to the old days when you could run nuke.c
on IRC chats and literally shut down someone's Mac Plus on them
mid-sentence?  Now that was fun.  Wasn't even a web back then, just
BITNET, majordomo, FTPlists, BB's, archie, WAIS, even encrypted chat
/dcc_chat /dcc_send (where'd that go?)

I have a 3.6 system right here, unpatched behind a firewall, and one not
behind a firewall.  -i'd like to see some skills from the
fear-uncertainty-doubt 5th column since everyone's so absolutely sure
you'll get hacked if you turn on a computer at all and try to make it do
anything useful whatsoever.

uptime 412 days on #drgori  he's running an ancient os because informix
hasn't altogether disappeared from the base of code run by our v1 app
made what, 6 years ago?  boy if that one customer who needs it would
just scram.  -practical need vs. non-useful-perfectionism.  the ugly
flower never gets picked.  I hate informix, but #drgori never goes
down, does its job, and even though people try, -they just can't get
through the defenses in front of him.

Just curious Alexander.  Just curious.

booya.  biff y

-krb





--
--
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: openbsd 4.0 installation: kernel hangup

2007-01-15 Thread Michel Hubert

Hi,

trying to install or upgrade OpenBSD 4.0 release does not seem to work
on Fujitsu Siemens Primergy P200 machines with an
Adaptec 2100S RAID controller.

While booting up, the kernel hangs at:
--- screen copy ---
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifi
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask f7c5 netmask ffe5 ttymask ffe7
rd0: fixed, 3800 blocks
iop0: configuring...
ioprbs0 at iop0 tid 518:  direct access, fixed
scsibus 2 at ioprb0: 1 targets
sd0 at scsibus2 targ 0 lun 0:  SCSI2 0/direct
fixed
sd0: 17300MB, 17300 cyl, 64 head, 32 sec, 512 bytes/sec, 35430400 sec
total
iopsp0 at iop0 tid 8: SCSI port 
scsibus3 at iopsp0: 16 targets



I already tried out several combinations of BIOS and Adaptec RAID
controller flash versions with no luck for OpenBSD 4.0.


Get stuck on the same place on IBM x335 using Adaptec 2100S RAID
controller when installing 4.0.

Worked well on OpenBSD 3.7

Is that controller still supported?

--
Michel Hubert



Re: Merchandise idea: OpenBSD mug

2007-01-15 Thread Samurai Chef

On 1/14/07, Clint Pachl <[EMAIL PROTECTED]> wrote:
> Tom Beard wrote:
> > Samurai Chef wrote:
> > > I'll do it.  I'll order some and announce here.  I'll set up a ebay
> > > store for the merchandise.  contact me with requests.
> >
> > I'd take a few if you got them done.
>
> Me too. Is that eBay store setup?
>
> Like someone already mentioned, it would be really cool if one side of
> the mug read "RTFM".
>
> -pachl




No.  the store is not setup yet.  for details, read the entire thread please.



State table not recovering on CARP backup machine

2007-01-15 Thread Christopher Snell

Hi All,

We saw a strange issue today with two of our CARP'ed firewalls.  At
two different points in the afternoon, the state table suddenly jumped
from its normal level of around 30,000 entries to the limit of
200,000 entries.  As expected, no new states could be created.  We
drove to our datacenter, logged in to the primary machine and
flushed the state table.  Strangely, the output from pfctl was
something like "Cleared 26 state entries" or some similarly small
number.  At this point, the state count crept back up to its normal
level of around 30k entries.  Our network went back to normal and we
drove back to the office.  I bumped the state limit up on our CARP
master to 60 and then attempted to copy the pf.conf to the CARP
backup server.  The scp timed out.  I haven't yet made it back to the
datacenter but my guess is that the state table is still full on that
machine.  This is really strange.  Wouldn't pfsync clear out the state
tables on the backup host when the primary host was cleared with
'pfctl -F state'?  Has anybody experienced sudden surges of state
entries like this?  Denial of service attack perhaps?

Also, I just noticed some strange entries in /var/log/messages:

Jan 15 15:57:15 fw-01 /bsd: carp666: ip_output failed: 65
Jan 15 15:57:15 fw-01 /bsd: carp667: ip_output failed: 65
Jan 15 15:57:15 fw-01 /bsd: carp668: ip_output failed: 65
Jan 15 15:57:15 fw-01 /bsd: carp669: ip_output failed: 65

Googling didn't yield anything interesting (beyond CARP source code)
for this error.  Does anybody have any ideas?

Chris

OpenBSD 4.0-current (GENERIC) #744: Fri Nov 10 16:16:08 MST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3757633536 (3669564K)
avail mem = 3223883776 (3148324K)
using 22937 buffers containing 375971840 bytes (367160K) of memory
mainbus0 (root)
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfcfe0 (52 entries)
bios0: Sun Microsystems Sun Fire X2200 M2
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca2/2 spacing 1
cpu0 at mainbus0: (uniprocessor)
cpu0: Dual-Core AMD Opteron(tm) Processor 2214, 2211.65 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
"NVIDIA MCP55 Memory" rev 0xa2 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 "NVIDIA MCP55 ISA" rev 0xa3
nviic0 at pci0 dev 1 function 1 "NVIDIA MCP55 SMBus" rev 0xa3
iic0 at nviic0: disabled to avoid ipmi0 interactions
iic1 at nviic0: disabled to avoid ipmi0 interactions
ohci0 at pci0 dev 2 function 0 "NVIDIA MCP55 USB" rev 0xa1: irq 15,
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
ehci0 at pci0 dev 2 function 1 "NVIDIA MCP55 USB" rev 0xa2: irq 7
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 10 ports with 10 removable, self powered
pciide0 at pci0 dev 4 function 0 "NVIDIA MCP55 IDE" rev 0xa1: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 5 function 0 "NVIDIA MCP55 SATA" rev 0xa3: DMA
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: 
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
ppb0 at pci0 dev 6 function 0 "NVIDIA MCP55 PCI-PCI" rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ASPEED Technology AST2000" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
nfe0 at pci0 dev 8 function 0 "NVIDIA MCP55 LAN" rev 0xa3: irq 11,
address 00:16:36:76:43:f7
eephy0 at nfe0 phy 2: Marvell 88E1149 Gigabit PHY, rev. 1
nfe1 at pci0 dev 9 function 0 "NVIDIA MCP55 LAN" rev 0xa3: irq 5,
address 00:16:36:76:43:f8
eephy1 at nfe1 phy 3: Marvell 88E1149 Gigabit PHY, rev. 1
ppb1 at pci0 dev 10 function 0 "NVIDIA MCP55 PCIE" rev 0xa3
pci2 at ppb1 bus 2
ppb2 at pci0 dev 11 function 0 "NVIDIA MCP55 PCIE" rev 0xa3
pci3 at ppb2 bus 3
ppb3 at pci0 dev 12 function 0 "NVIDIA MCP55 PCIE" rev 0xa3
pci4 at ppb3 bus 4
ppb4 at pci0 dev 13 function 0 "NVIDIA MCP55 PCIE" rev 0xa3
pci5 at ppb4 bus 5
ppb5 at pci5 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xb5
pci6 at ppb5 bus 6
bge0 at pci6 dev 4 function 0 "Broadcom BCM5715" rev 0xa3, BCM5715 A3
(0x9003): irq 15, address 00:16:36:76:43:f5
brgphy0 at 

Groklaw artical about the BSD license

2007-01-15 Thread Jean-Daniel Beaubien

Groklaw has an article about some misconceptions of the BSD license

http://www.groklaw.net/article.php?story=20070114093427179

I am curious what people on this list (with the proper knowledge)
think about the correctness of the article.

Jd



Re: Groklaw artical about the BSD license

2007-01-15 Thread Adriaan

On 1/16/07, Jean-Daniel Beaubien <[EMAIL PROTECTED]> wrote:

> Groklaw has an article about some misconceptions of the BSD license
>
> http://www.groklaw.net/article.php?story=20070114093427179
>
> I am curious what people on this list (with the proper knowledge)
> think about the correctness of the article.


I think most people will disagree with the article and agree with this
slashdot post http://bsd.slashdot.org/comments.pl?sid=216988&cid=17617988

Adriaan



database/postgresql, update to PostgreSQL 8.2.x series

2007-01-15 Thread Marc Balmer

some time in the (near?) future I will update our port
of the PostgreSQL database to version 8.2.x.  We currently
have version 8.1.x in the tree, so the update will require
you to do a database dump prior to the update and a restore
after it.

please make sure to read the release notes at
http://www.postgresql.org/docs/current/static/release-8-2.html
_before_ you update, it contains important information on the
changes and also on how to proceed with the update.

we will try to make the update as easy as possible using the
pkg_tools, but this information beforehand should already
help to make you aware that this is an update that we can
not completely automate.  our pkg_tools are designed to
flawlessly replace software, but can of course not cope with
all data produced by third party software.  your manual
intervention is required to safeguard all your data before
the update and make it available again after it.

if you are unsure and your database works well for you,
please consider if you need the update at all.

- mb



Re: State table not recovering on CARP backup machine

2007-01-15 Thread Kian Mohageri
On 1/15/07, Christopher Snell <[EMAIL PROTECTED]> wrote:

> Has anybody experienced sudden surges of state
> entries like this?  Denial of service attack perhaps?
There has been a surge of SYN scanning from machines on our network that
were affected by the Symantec hole.  That created a few thousand states and
I ended up putting in some rules to deal with it.  Check your state table
for patterns...e.g. recurring ports, addresses with unreasonable numbers of
states, a lot of connections to port 2967 outside of your network, etc.

-- 
Kian Mohageri
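
Added example, not part of the original post: one way to run the state-table check suggested above, counting states per source address, half-open TCP states, and destination ports of connections leaving the local network. The line format (modelled on `pfctl -ss` output), the sample states, the 10.1.1.0/24 local network and the threshold of 3 are all assumptions.

```python
"""Summarise a pf state dump to find scanning hosts (added example)."""
from collections import Counter, namedtuple
import ipaddress

State = namedtuple("State", "proto src sport dst dport state")

# Constructed sample, NOT real traffic. Assumed line shape, modelled on
# `pfctl -ss` output: "iface proto addr:port <arrow> addr:port STATE:STATE".
# The fifth line uses the three-address form seen for NATed connections.
SAMPLE = """\
all tcp 10.1.1.23:40111 -> 198.51.100.7:2967       SYN_SENT:CLOSED
all tcp 10.1.1.23:40112 -> 198.51.100.8:2967       SYN_SENT:CLOSED
all tcp 10.1.1.23:40113 -> 198.51.100.9:2967       SYN_SENT:CLOSED
all tcp 10.1.1.23:40114 -> 203.0.113.40:2967       SYN_SENT:CLOSED
all tcp 10.1.1.50:51500 -> 192.0.2.1:60001 -> 203.0.113.80:443   ESTABLISHED:ESTABLISHED
all tcp 10.1.1.9:25 <- 192.0.2.77:33012       ESTABLISHED:ESTABLISHED
all udp 10.1.1.50:123 -> 192.0.2.123:123       MULTIPLE:SINGLE
all carp 224.0.0.18 <- 10.1.1.2       NO_TRAFFIC:SINGLE
"""


def split_endpoint(token):
    """Split 'a.b.c.d:port' or 'v6addr[port]' into (host, port or None)."""
    if token.endswith("]") and "[" in token:
        host, port = token[:-1].split("[", 1)
    elif token.count(":") == 1:
        host, port = token.split(":")
    else:  # no port (e.g. carp) or a bare IPv6 address
        return token, None
    return host, int(port) if port.isdigit() else None


def parse_state(line):
    """Return a State for one dump line, or None if the line does not fit."""
    tokens = line.split()
    arrows = [t for t in tokens if t in ("->", "<-")]
    if len(tokens) < 6 or not arrows:
        return None
    # Drop arrows and parenthesised NAT addresses; keep the outer endpoints.
    ends = [t for t in tokens[2:-1]
            if t not in ("->", "<-") and not t.startswith("(")]
    if len(ends) < 2:
        return None
    first, last = split_endpoint(ends[0]), split_endpoint(ends[-1])
    # "a -> b": a opened the connection; "a <- b": b did.
    src, dst = (first, last) if arrows[0] == "->" else (last, first)
    return State(tokens[1], src[0], src[1], dst[0], dst[1], tokens[-1])


def in_net(host, net):
    """True if host is an IP literal inside net (mixed v4/v6 is False)."""
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        return False


def summarise(lines, local_net, per_source_limit):
    """Count states per source, half-open TCP states, and outbound ports."""
    net = ipaddress.ip_network(local_net)
    by_source, half_open, outbound_ports = Counter(), Counter(), Counter()
    for line in lines:
        st = parse_state(line)
        if st is None:
            continue
        by_source[st.src] += 1
        if st.proto == "tcp" and "SYN_SENT" in st.state.split(":"):
            half_open[st.src] += 1
        if (st.dport is not None and in_net(st.src, net)
                and not in_net(st.dst, net)):
            outbound_ports[st.dport] += 1
    noisy = [(h, n) for h, n in by_source.most_common()
             if n >= per_source_limit]
    return {"noisy_sources": noisy, "half_open": half_open,
            "outbound_ports": outbound_ports}


if __name__ == "__main__":
    report = summarise(SAMPLE.splitlines(), "10.1.1.0/24", per_source_limit=3)
    print("sources at or over limit:", report["noisy_sources"])
    print("half-open TCP by source: ", report["half_open"].most_common(5))
    print("top outbound dst ports:  ", report["outbound_ports"].most_common(5))
```

On a forwarding firewall one connection can appear as a state on each interface, so compare counts between hosts rather than reading them as connection totals.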



APCUPSD on 4.0

2007-01-15 Thread Steve B
I recently acquired an old APC Smart1400 with a real serial port from a
defunct ISP. I've run APCUPSD before with a simple BackUPS but would now
like to take advantage of the ncurses powerflute tool and the cgi components
for the web tools. Has anyone compiled these options successfully on 4.0? My
Google reading is not coming up with successful hits on whether this has
been done.

Steve



Re: openbsd 4.0 installation: kernel hangup

2007-01-15 Thread Mike Erdely

Michel Hubert wrote:

> Get stuck on the same place on IBM x335 using Adaptec 2100S RAID
> controller when installing 4.0.
>
> Worked well on OpenBSD 3.7
>
> Is that controller still supported?


Working for me...

OpenBSD 4.0 (GENERIC.MP) #1: Thu Nov 16 18:35:23 EST 2006
[EMAIL 
PROTECTED]:/home/binpatch/work-binpatch-4.0/src/sys/arch/i386/compile/GENERIC.MP
cpu0: AMD Athlon(tm) MP 2400+ ("AuthenticAMD" 686-class, 256KB L2 cache) 2.01 
GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

real mem  = 1073246208 (1048092K)
avail mem = 970956800 (948200K)
using 4256 buffers containing 53764096 bytes (52504K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(03) BIOS, date 08/01/03, BIOS32 rev. 0 @ 0xfb100, 
SMBIOS rev. 2.2 @ 0xf0800 (44 entries)

bios0: MICRO-STAR INTERNATIONAL CO., LTD MS-6501
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf94
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdec0/208 (11 entries)
pcibios0: PCI Exclusive IRQs: 5 11
pcibios0: PCI Interrupt Router at 000:07:0 ("AMD 768 Power" rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0xf400 0xd/0x6000! 0xd6000/0x1800
mainbus0: Intel MP Specification (Version 1.4) (OEM0 PROD)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 266 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) MP 2400+ ("AuthenticAMD" 686-class, 256KB L2 cache) 2.01 
GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "AMD 762 PCI" rev 0x20
ppb0 at pci0 dev 1 function 0 "AMD 762 PCI-PCI" rev 0x00
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "AMD 768 ISA" rev 0x05
pciide0 at pci0 dev 7 function 1 "AMD 768 IDE" rev 0x04: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
amdpm0 at pci0 dev 7 function 3 "AMD 768 Power" rev 0x03: rng active
iic0 at amdpm0
auich0 at pci0 dev 7 function 5 "AMD 768 AC97" rev 0x03: apic 2 int 17 (irq 11), 
AMD768 AC97

ac97: codec id 0x414c4710 (Avance Logic ALC200)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, Realtek 3D
audio0 at auich0
vga1 at pci0 dev 8 function 0 "NVIDIA GeForce FX 5200" rev 0xa1
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 9 function 0 "DPT PCI-PCI" rev 0x02
pci2 at ppb1 bus 2
iop0 at pci0 dev 9 function 1 "DPT SmartRAID (I2O)" rev 0x02: I2O adapter 


iop0: interrupting at apic 2 int 17 (irq 11)
ppb2 at pci0 dev 16 function 0 "AMD 768 PCI-PCI" rev 0x05
pci3 at ppb2 bus 3
ohci0 at pci3 dev 0 function 0 "AMD 768 USB" rev 0x07: apic 2 int 19 (irq 11), 
version 1.0, legacy support

usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: AMD OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
fxp0 at pci3 dev 9 function 0 "Intel 8255x" rev 0x10, i82551: apic 2 int 17 (irq 
11), address 00:0c:76:7f:78:46

inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 0 netmask 0 ttymask 0
ioapic0: pin 17 shares different IPL interrupts (40..90), degraded performance
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
apm0: disconnected
iop0: configuring...
ioprbs0 at iop0 tid 525:  direct access, fixed
scsibus1 at ioprbs0: 1 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 35003MB, 35003 cyl, 64 head, 32 sec, 512 bytes/sec, 71686144 sec total
ioprbs1 at iop0 tid 526:  direct access, fixed
scsibus2 at ioprbs1: 1 targets
sd1 at scsibus2 targ 0 lun 0:  SCSI2 0/direct fixed
sd1: 858306MB, 858306 cyl, 64 head, 32 sec, 512 bytes/sec, 1757810688 sec total
iopsp0 at iop0 tid 8: SCSI port 
scsibus3 at iopsp0: 16 targets
dkcsum: sd0 matches BIOS drive 0x80
dkcsum: sd1 matches BIOS drive 0x81
r

seeking hardware for hackathon

2007-01-15 Thread Nikolay Sturm
Hi there,

the next OpenBSD Mini Hackathon will be the Filesystem Hackathon, taking
place in April in Vienna. For this event we are looking for some fast
build machines and lots of harddisks as a loan (donations welcome, of
course :).

We need
- several fast build machines with at least two harddisks, amd64
  preferred
- at least one machine with more than 4GB of memory, amd64 preferred
- hardware to build a raid with 2 or more TB
- USB sticks and the like with misbehaving MSDOS filesystems

If you are willing to provide us with any of the above mentioned
hardware, please contact [EMAIL PROTECTED]

thanks,

Nikolay

-- 
"It's all part of my Can't-Do approach to life." Wally



Re: Groklaw artical about the BSD license

2007-01-15 Thread Travers Buda
On Mon, 15 Jan 2007 23:21:52 -0500
"Jean-Daniel Beaubien" <[EMAIL PROTECTED]> wrote:

> Groklaw has an article about some misconceptions of the BSD license
> 
> http://www.groklaw.net/article.php?story=20070114093427179
> 
> I am curious what people on this list (with the proper knowledge)
> think about the correctness of the article.
> 
> Jd
> 

The Groklaw article is complete bullshit. The BSD (and ISC) licenses
are terse... I don't know how someone could misinterpret them... except
unless they wanted to just write yellow journalism, which is what
slashdot is all about!

See /usr/share/misc/license.template
You'll notice that the ONLY RESTRICTIONS amount to this:

*Permission to use, copy, modify, and distribute this software for any
*purpose with or without fee is hereby granted, provided that the
*above copyright notice and this permission notice appear in all copies.

As long as you retain the copyright notice, you're acting in the spirit
of the license (give credit where it is due) and are not violating
copyright law. The only difference in the 3 clause BSD license is that
you can't use the name of organization XXX to promote your product.

The BSD and ISC licenses are VERY short, and do not contain confusing
or _ambiguous_ terms like other licenses. Anyone who does not
understand them is a moron.

Keep it simple, stupid.

Travers Buda



Re: Groklaw artical about the BSD license

2007-01-15 Thread Greg Thomas

On 1/15/07, Travers Buda <[EMAIL PROTECTED]> wrote:

> On Mon, 15 Jan 2007 23:21:52 -0500
> "Jean-Daniel Beaubien" <[EMAIL PROTECTED]> wrote:
>
> > Groklaw has an article about some misconceptions of the BSD license
> >
> > http://www.groklaw.net/article.php?story=20070114093427179
> >
> > I am curious what people on this list (with the proper knowledge)
> > think about the correctness of the article.
> >
> > Jd
> >
>
> The Groklaw article is complete bullshit. The BSD (and ISC) licenses
> are terse... I don't know how someone could misinterpret them... except
> unless they wanted to just write yellow journalism, which is what
> slashdot is all about!



Yeah, the article comes up with the most absurd conclusions I've ever
seen. Talk about your bogus assumptions and leaps of logic.

Greg