Mono project support
Is Mono Project (http://www.mono-project.com/Main_Page) supported by the OpenBSD OS? In other words, am I able to compile and run C# files under the OpenBSD OS? Thanks.
Re: Problem with MTU & IPSec VPN
On 2/19/07, Tim Pushor <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I'm getting to the point where I don't really know where to turn. I am having a weird problem with an OpenBSD server/firewall that has a permanent IPSec tunnel to a checkpoint embedded security device. The problem is, that half the time large packets can't get through. I've trial and error'ed (via windows ping -l) that ping packets 1306 bytes get through all the time, while packets > 1306 (even 1307) only get through half the time. Not half the time like 50% loss, but like it works for hours, then doesn't for 10 minutes.

If that Check Point device has SmartDefense enabled, it has rules that futz with ICMP packets larger than some threshold. See if you have any of that mojo going on.

DS
spamd unnecessarily abrasive?
I was testing a new DNSBL, and got the test results shown below:

I was under the impression that spamd was supposed to "politely" defer connections from unknown/greylisted hosts. The dialogue below suggests that the assumption is that the unknown host is a spammer (which is true 99% of the time, but still...)

Isn't this a bit "over the top"?

Rgds, Jay

--- TEST RESULTS ---

Date: 20 Feb 2007 03:34:43
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Your SBL test report

Testing your SBL block. See http://www.crynwr.com/spam/ for more info. Please note that this test will not tell you if your server is open for relaying. Instead, it tests to see if your server blocks email from IP addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com. Note that some sites don't apply the SBL block to postmaster, so I use your envelope sender as the To: address.

I connected to 67.33.XX.YYY and here's the conversation I had:

220 kingcull.cullmail.com ESMTP spamd IP-based SPAM blocker; Mon Feb 19 21:34:43 2007
helo sbl.crynwr.com
250 Hello, spam sender. Pleased to be wasting your time.
mail from:<>
250 You are about to try to deliver spam. Your time will be spent, for nothing.
rcpt to:<[EMAIL PROTECTED]>
451 Temporary failure, please try again later.
Terminating conversation
Re: 100 brave souls needed
Jacek,

I did not purchase your first edition book, but I would sincerely love to partake in your beta program, if you have room. I am VERY interested in OpenBSD and pf, carp firewalls and wireless devices. Please, if you have any room left, contact me.

Sam Fourman Jr.

On 2/19/07, Jacek Artymiak <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'd like to ask those of you who bought the first 100 (numbered) copies of the first edition of Building Firewalls with OpenBSD and PF to get in touch with me privately. I've got some beta invites for you and free copies of my new books that will go to the printers end of February.
>
> PS (1). Those of you already on the RadioBSD beta just wait for more information.
>
> PS (2). I don't want to clutter this list with my emails. If you want to know more about what's happening in my neck of the woods, visit and subscribe to this feed: http://feeds.artymiak.com/jacek-artymiak
>
> --
> Jacek Artymiak
> devGuide.net :: RadioBSD
Problem with MTU & IPSec VPN
Hi all,

I'm getting to the point where I don't really know where to turn. I am having a weird problem with an OpenBSD server/firewall that has a permanent IPSec tunnel to a checkpoint embedded security device. The problem is, that half the time large packets can't get through. I've trial and error'ed (via windows ping -l) that ping packets 1306 bytes get through all the time, while packets > 1306 (even 1307) only get through half the time. Not half the time like 50% loss, but like it works for hours, then doesn't for 10 minutes.

I only have control of one half of the connection (unfortunately), and am kind of lost. I have a rudimentary understanding of IP, so do understand things like MTUs & fragmentation, and things like VPN adding packet overhead that reduces the effective MTU. I just don't really know where to start tracking this down. I guess I don't understand enough (any?) about how this part of the tunnel works under the covers.

Can anyone help maybe point me in a direction?

My ruleset is default deny with log, and nothing is being dropped. pfctl -x loud doesn't reveal anything. I pass everything to/from the VPN.

My network configuration is unfortunately kind of complex. I have vlans and carps on those vlans so I'll refrain from trying to describe the setup unless it's necessary.

Hopefully thanks in advance :)

Tim
Re: HP ML110 failed install
Thanks Ron,

I have gone through these options but no luck. Even my serial console locks up when the main machine becomes unresponsive at the ukc prompt. I have applied the latest firmware and tried the latest snapshot. The symptoms don't change. The long waits seem to improve if I disable USB in the BIOS.

Is there an easy way to create a modified bsd.rd that has axe already disabled and maybe even USB disabled for use in a pxe install?

Steve

-----Original Message-----
From: Ron Oliver [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 20 February 2007 9:52 AM
To: Administrator; misc@openbsd.org
Subject: Re: HP ML110 failed install

On 2/19/07, Administrator <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I am having an issue trying to install to a HP ML110 G4.
>
> There was an identical thread a week or so ago that doesn't seem to have
> a solution. I was hoping someone may have some further suggestions.
>
> I keep getting flooded with these messages during the install
>
> axe0: read PHY failed
> axe0: read PHY failed
> axe0: read PHY failed
>
> The machine finally gets to the install prompt but becomes
> unresponsive.
>
> It was suggested to boot -c and disable axe but the machine is also
> unresponsive at the ukc prompt.
>
> This is supposed to be on-site tomorrow so any thoughts would be
> greatly appreciated.

I got around this by boot -c from a serial console. UKC> prompt works from there. You can then "disable axe" and boot. Then once you're up,

# cp -p /bsd /bsd.orig
# config -e -o /bsd /bsd
UKC> disable axe
UKC> quit

and it'll boot.

As per previous thread, your null modem cable must provide DCD; otherwise, you'll see the boot> prompt, but it won't accept your input.

It will still take several minutes to boot; haven't heard any reasons for that yet. It stalls after "entry point at " for a few minutes, then stalls again a couple of times. But it will finally come up and appears to run ok after that.

--
Ron Oliver
100 brave souls needed
Hi,

I'd like to ask those of you who bought the first 100 (numbered) copies of the first edition of Building Firewalls with OpenBSD and PF to get in touch with me privately. I've got some beta invites for you and free copies of my new books that will go to the printers end of February.

PS (1). Those of you already on the RadioBSD beta just wait for more information.

PS (2). I don't want to clutter this list with my emails. If you want to know more about what's happening in my neck of the woods, visit and subscribe to this feed: http://feeds.artymiak.com/jacek-artymiak

--
Jacek Artymiak
devGuide.net :: RadioBSD
Re: HP ML110 failed install
On 2/19/07, Administrator <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I am having an issue trying to install to a HP ML110 G4.
>
> There was an identical thread a week or so ago that doesn't seem to have a solution. I was hoping someone may have some further suggestions.
>
> I keep getting flooded with these messages during the install
>
> axe0: read PHY failed
> axe0: read PHY failed
> axe0: read PHY failed
>
> The machine finally gets to the install prompt but becomes unresponsive.
>
> It was suggested to boot -c and disable axe but the machine is also unresponsive at the ukc prompt.
>
> This is supposed to be on-site tomorrow so any thoughts would be greatly appreciated.

I got around this by boot -c from a serial console. UKC> prompt works from there. You can then "disable axe" and boot. Then once you're up,

# cp -p /bsd /bsd.orig
# config -e -o /bsd /bsd
UKC> disable axe
UKC> quit

and it'll boot.

As per previous thread, your null modem cable must provide DCD; otherwise, you'll see the boot> prompt, but it won't accept your input.

It will still take several minutes to boot; haven't heard any reasons for that yet. It stalls after "entry point at " for a few minutes, then stalls again a couple of times. But it will finally come up and appears to run ok after that.

--
Ron Oliver
Re: Pf - Private address blocking
On Mon, 19 Feb 2007, martin g wrote:

> Hey all
>
> I have a question about blocking private addr. with pf.
>
> I have defined the reserved addresses according to RFC 1918 in a table
>
> My default rule is :
>
> block in on $ext_if
> block out on $ext_if
>
> pass in on $int_if
> pass out on $int_if
>
> 1. With these 2 rules defined is it still recommended to block private addr.

Yes. RFC1918 source/destination packets should be kept from the public internet. Any coming to you are bogus. Any leaving your router are bogus; they should both be dropped. Such packets are "non-routable".

> If it is then:
>
> Computers on my network have IP's from block 192.168.0.0/16 let's say
> 192.168.1.100 to 192.168.1.105
> I make another table called
>
> What is the correct rule? Do I negate table lan in a rule
>
> block in on $ext_if from any to { , ! }
> block out on $ext_if from { , ! } to any
>
> or do I negate ip's in a table like so
>
> table { !192.168.1.100 , ...}
>
> tnx for reply

Neither. You want to block them all at the ext_if. You want to use nat to map your LAN addresses to something routable. If you forward packets from an RFC1918 address, those packets will soon be dropped, probably by the next host to forward them.

Dave
Re: serial console on macbook?
On Feb 19, 2007, at 11:13 AM, Otto Moerbeek wrote:

On Mon, 19 Feb 2007, Pierre Riteau wrote:

The MacBook is different from the MacBook Pro.

The first sign of trouble is that the UKC prompt doesn't work. It won't accept input. When booting without going to UKC, it shows various USB related error messages and then after a very long time comes to the install prompt, which doesn't accept input either.

This happens both with an acpi-enabled bsd.rd and the default bsd.rd.

I didn't have a chance yet to diagnose this further.

-Otto

One easy method to install OpenBSD on a Macbook is to plug an external usb keyboard before booting on the CD. Booting takes a while but then you can use the external keyboard to install OpenBSD. Be sure not to use the network, msk0 will hang the machine without some acpi features IIRC.
Then reboot, you will get errors about ehci, ignore them and still use the external keyboard.
Compile a GENERIC.MP kernel with all acpi option enabled on another machine and copy it to the macbook with a CD, or grab -current sources on CD from another machine and copy them to the macbook. Reboot and enjoy, built-in keyboard works, ethernet (msk0) works, usb sticks work. But wireless device (ath0) doesn't.
I haven't tried X11 for a while but I think it works too.

Ah, I did try that before but it didn't work. But now it turns out that I have to use the frontmost USB port. The other one is not working.

Installing as I write this...

Trying now... this is all i386, I assume?

-Otto
DNSBL ratings
I'm reviewing the DNSBLs I have in my sendmail configuration:

* dnsbl.sorbs.net
* bl.spamcop.net
* sbl.spamhaus.org
* cbl.abuseat.org
* ipwhois.rfc-ignorant.org

Is there a "rating service" that anybody's aware of that rates the quality of these services?

Thnx, Jay
Re: serial console on macbook?
On Mon, 19 Feb 2007, Pierre Riteau wrote:

> > The MacBook is different from the MacBook Pro.
> >
> > The first sign of trouble is that the UKC prompt doesn't work. It
> > won't accept input. When booting without going to UKC, it shows
> > various USB related error messages and then after a very long time
> > comes to the install prompt, which doesn't accept input either.
> >
> > This happens both with an acpi-enabled bsd.rd and the default bsd.rd.
> >
> > I didn't have a chance yet to diagnose this further.
> >
> > -Otto
>
> One easy method to install OpenBSD on a Macbook is to plug an external
> usb keyboard before booting on the CD. Booting takes a while but then
> you can use the external keyboard to install OpenBSD. Be sure not to
> use the network, msk0 will hang the machine without some acpi features
> IIRC.
> Then reboot, you will get errors about ehci, ignore them and still use
> the external keyboard.
> Compile a GENERIC.MP kernel with all acpi option enabled on another
> machine and copy it to the macbook with a CD, or grab -current sources
> on CD from another machine and copy them to the macbook. Reboot and
> enjoy, built-in keyboard works, ethernet (msk0) works, usb sticks
> work. But wireless device (ath0) doesn't.
> I haven't tried X11 for a while but I think it works too.

Ah, I did try that before but it didn't work. But now it turns out that I have to use the frontmost USB port. The other one is not working.

Installing as I write this...

-Otto
Re: Ral drivers are they in bsd.rd>
On 2007/02/20 02:18, Sunnz wrote:
> Ohh, got AMD64 here... so how could I connect to the wireless network
> from boot CD? Is there a way to load the ral driver or something?

You could run i386 on it. Otherwise you'll need to install from a source other than the PCI ralink.
Re: VPN manpage missing in 4.0?
On Mon, Feb 19, 2007 at 11:28:25AM -0600, [EMAIL PROTECTED] wrote:
> Noticed that 4.0 release (fresh install) seems to be missing a couple
> of man pages that exist in both 3.9 and 'current'.
>
> $ uname -a
> OpenBSD hostname.domainname.com 4.0 GENERIC#1107 i386
>
> $ man vpn
> man: no entry for vpn in the manual.
>
> $ man ipsecadm
> man: no entry for ipsecadm in the manual.
>

these pages have been removed from -current. man -k ipsec and man -k isakmpd contain all the relevant ipsec stuff.

jmc
Re: VPN manpage missing in 4.0?
> Noticed that 4.0 release (fresh install) seems to be missing a couple
> of man pages that exist in both 3.9 and 'current'.
>
> $ uname -a
> OpenBSD hostname.domainname.com 4.0 GENERIC#1107 i386
>
> $ man vpn
> man: no entry for vpn in the manual.
>
> Went thru the list of the "See Also" man pages listed under both 3.9
> and 'current', and found another that also doesn't exist for some
> reason.
>
> $ man ipsecadm
> man: no entry for ipsecadm in the manual.
>
> Hadn't seen anything referencing this on the web site or on [EMAIL PROTECTED]
>
> No big deal, just curious why these are missing on the 4.0 release.
> Was this simply an oversight, or is there "we left this out for a
> reason; we don't think you should use these items under 4.0" logic
> behind this?

ipsecadm has been replaced with a whole new mechanism for ipsec management

man ipsecctl

Try it. You will see that it is way better.
VPN manpage missing in 4.0?
Noticed that 4.0 release (fresh install) seems to be missing a couple of man pages that exist in both 3.9 and 'current'.

$ uname -a
OpenBSD hostname.domainname.com 4.0 GENERIC#1107 i386

$ man vpn
man: no entry for vpn in the manual.

Went thru the list of the "See Also" man pages listed under both 3.9 and 'current', and found another that also doesn't exist for some reason.

$ man ipsecadm
man: no entry for ipsecadm in the manual.

Hadn't seen anything referencing this on the web site or on [EMAIL PROTECTED]

No big deal, just curious why these are missing on the 4.0 release. Was this simply an oversight, or is there "we left this out for a reason; we don't think you should use these items under 4.0" logic behind this?
Re: SSL Certs on Carp'd web servers
Bill Chmura wrote:
> Hello,
>
> I have two web servers carp'd that I am getting ssl certs for. I have it all running with my own self signed ones, but need to get a verisign or Thawte cert.
>
> Are there any issues that are gonna bite me with doing this? Since they all appear the same, the cert info will be very similar and I don't want to buy them without making sure it's gonna be okay if I just apply for them using the info generated on each box?
>
> The servers are a master / backup - so the traffic should mostly be going to one server (unless something bad happens).
>
> Any info would be great.
>
> Thanks
>
> Bill

This should basically work the same as it does here -- we have one DNS entry pointing to multiple machines, and we just make sure our certificate is based on the shared domain (i.e. server.foo.bar rather than server1.foo.bar). If you want to make this /extra/ easy, buy a *.foo.bar certificate and just copy it to both places.

--
Jason Faulkner
Systems Manager
Broadwick Corporation
(919) 459-2509
Re: _SC_GETGR_R_SIZE_MAX ?
On Mon, Feb 19, 2007 at 12:33:43AM, Nick Holmes wrote:
> Dear all,
>
> I have been trying to compile PHP 5.2.1 with the Suhosin Patch on an
> OpenBSD-STABLE 3.9 i386 machine. /configure finishes fine, but each time I
> try to make, it stops with:
>
> /var/build/php-5.2.1/ext/posix/posix.c: In function `zif_posix_getgrgid':
> /var/build/php-5.2.1/ext/posix/posix.c:889: error: `_SC_GETGR_R_SIZE_MAX'
> undeclared (first use in this function)
> /var/build/php-5.2.1/ext/posix/posix.c:889: error: (Each undeclared
> identifier is reported only once
> /var/build/php-5.2.1/ext/posix/posix.c:889: error: for each function it
> appears in.)
>
> Someone with a similar problem posted at the Hardened-PHP.net forums and
> was told that it was not a Suhosin issue. After searching for the (sysconf
> definition??) _SC_GETGR_R_SIZE_MAX on my own machine I found it in
> /usr/include/sys/unistd.h but it is in a section under #ifdef notyet /*
> P1003.1c */ - Does that mean those items in that section are "not yet"
> implemented in OpenBSD? (I read the getgr* man pages but am still none the
> wiser). Apologies for my ignorance of these nuts & bolts issues which I am
> having great difficulty understanding.
>
> Does anyone have a workaround for this problem?
> Many thanks in advance...

I presume you are aware that a) -current has this patch in its PHP port, and b) 4.0 (at least) has a -hardened flavour which, while it uses another patch, is pretty comparable? This suggests that there's an easier solution...

Joachim
Re: serial console on macbook?
On 2/19/07, Otto Moerbeek <[EMAIL PROTECTED]> wrote:

On Mon, 19 Feb 2007, Paul de Weerd wrote:

> On Sun, Feb 18, 2007 at 08:27:54PM -0800, Ben Calvert wrote:
> | can't install 4.0 or snapshots on my macbook due to what appear to be
> | issues with the usb controller. ( lots of errors about the usb
> | controller, and the keyboard is nonresponsive... no capslock light,
> | no input )
> |
> | does anyone have any ideas about how to capture the dmesg so i can
> | submit?
>
> I'm reading MacBook, so I think you're not talking about the MacBook
> Pro (just to make sure). I had similar issues with the MacBook Pro, so
> maybe this helps.
>
> I got things working on the MacBook Pro. See [1]. This required the
> latest snapshot (where you can type at the bootprompt, some changes
> went in to support this) and enabling acpi in UKC. What I did
> initially (burn a CD with a bsd.rd kernel that I had config'd on
> another machine to enable acpi) should not be necessary anymore.
>
> On a side note, audio *does* work albeit *extremely* low volume. If I
> crank everything up in mixerctl I can barely hear something. You may
> experience similar issues on your MacBook.
>
> And X looks like it'll be a while. There's no new Radeon support in
> xorg yet and I've found no one working on a driver. It works with
> vesa(4) for now, but that doesn't support the 1440x900 resolution of
> the machine.
>
> Ben, let us know how you proceed with the MacBook.

The MacBook is different from the MacBook Pro.

The first sign of trouble is that the UKC prompt doesn't work. It won't accept input. When booting without going to UKC, it shows various USB related error messages and then after a very long time comes to the install prompt, which doesn't accept input either.

This happens both with an acpi-enabled bsd.rd and the default bsd.rd.

I didn't have a chance yet to diagnose this further.

-Otto

One easy method to install OpenBSD on a Macbook is to plug an external usb keyboard before booting on the CD. Booting takes a while but then you can use the external keyboard to install OpenBSD. Be sure not to use the network, msk0 will hang the machine without some acpi features IIRC.
Then reboot, you will get errors about ehci, ignore them and still use the external keyboard.
Compile a GENERIC.MP kernel with all acpi option enabled on another machine and copy it to the macbook with a CD, or grab -current sources on CD from another machine and copy them to the macbook. Reboot and enjoy, built-in keyboard works, ethernet (msk0) works, usb sticks work. But wireless device (ath0) doesn't.
I haven't tried X11 for a while but I think it works too.

Pierre Riteau
Re: SSL Certs on Carp'd web servers
Hey Bill,

> I noticed that Verisign has an option to secure more than one server
> with a single cert, but it basically doubles the price.

You don't need this per se. FWIW, I have my certs via GoDaddy at this point in time. Works for me.

> The only reason I could think of that would require a single cert for
> two is if I was load balanced and you never knew what you were going to
> get on your next request... In fact, I am probably at this point going
> to self sign the backup, and do a normal cert on the primary.

Well, since any of my masters has yet to fail me in more than 3 years, I've never had to deal with *anything*, basically. (Yes, I tried just about everything in my 'lab setup')

I don't use a load-balancing, but a failover setup. AFAIAC, one set of carp hosts is one server, therefore I need one cert, which I configure on each individual carp host. For me, that's end of story.

I am a really, really cheap bastard... Nico ;-)
Re: SSL Certs on Carp'd web servers
On Monday 19 February 2007 09:13, Bill Chmura wrote:
> Hello,
>
> I have two web servers carp'd that I am getting ssl certs for. I have it
> all running with my own self signed ones, but need to get a verisign or
> Thawte cert.

I am not sure about Thawte but Verisign has a clause in their license agreement that does not allow one certificate to be used on more than one physical server. I encountered this problem once, and they said that this rule applies in all cases including active/passive configurations.

> Are there any issues that are gonna bite me with doing this? Since they all
> appear the same, the cert info will be very similar and I don't want to buy
> them without making sure it's gonna be okay if I just apply for them using
> the info generated on each box?
>
> The servers are a master / backup - so the traffic should mostly be
> going to one server (unless something bad happens).
>
> Any info would be great.
>
> Thanks
>
> Bill

--
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]
_SC_GETGR_R_SIZE_MAX ?
Dear all,

I have been trying to compile PHP 5.2.1 with the Suhosin Patch on an OpenBSD-STABLE 3.9 i386 machine. /configure finishes fine, but each time I try to make, it stops with:

/var/build/php-5.2.1/ext/posix/posix.c: In function `zif_posix_getgrgid':
/var/build/php-5.2.1/ext/posix/posix.c:889: error: `_SC_GETGR_R_SIZE_MAX' undeclared (first use in this function)
/var/build/php-5.2.1/ext/posix/posix.c:889: error: (Each undeclared identifier is reported only once
/var/build/php-5.2.1/ext/posix/posix.c:889: error: for each function it appears in.)

Someone with a similar problem posted at the Hardened-PHP.net forums and was told that it was not a Suhosin issue. After searching for the (sysconf definition??) _SC_GETGR_R_SIZE_MAX on my own machine I found it in /usr/include/sys/unistd.h but it is in a section under #ifdef notyet /* P1003.1c */ - Does that mean those items in that section are "not yet" implemented in OpenBSD? (I read the getgr* man pages but am still none the wiser). Apologies for my ignorance of these nuts & bolts issues which I am having great difficulty understanding.

Does anyone have a workaround for this problem?

Many thanks in advance...

Nick
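An added example (not code from the thread, from PHP or from OpenBSD) of the portable pattern that avoids the build error above: size the getgrgid_r(3) buffer from sysconf() only when `_SC_GETGR_R_SIZE_MAX` is defined, fall back to a fixed size otherwise, and grow on ERANGE. GRP_BUF_FALLBACK, GRP_BUF_MAX and the two function names are my own choices.

```c
/*
 * Portable buffer sizing for getgrgid_r(3).
 *
 * PHP's ext/posix/posix.c called sysconf(_SC_GETGR_R_SIZE_MAX)
 * unconditionally, which fails to compile where <unistd.h> does not
 * define the constant (OpenBSD 3.9 kept it under "#ifdef notyet").
 * The pattern below compiles either way: use sysconf() when the
 * constant exists and returns a usable value, otherwise start from a
 * fixed guess, and retry with a larger buffer while getgrgid_r()
 * reports ERANGE (buffer too small).
 */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallback when sysconf() cannot tell us (constant missing or -1). */
#define GRP_BUF_FALLBACK 1024
/* Hard ceiling so a broken or hostile group database cannot make the
 * retry loop allocate without bound. */
#define GRP_BUF_MAX (1024 * 1024)

/* Initial buffer size: sysconf() if the constant exists, else fallback. */
size_t initial_grp_bufsize(void)
{
#ifdef _SC_GETGR_R_SIZE_MAX
    long n = sysconf(_SC_GETGR_R_SIZE_MAX);
    if (n > 0)
        return (size_t)n;
#endif
    return GRP_BUF_FALLBACK;
}

/*
 * Look up a group by gid and copy its name into 'name' ('namelen' bytes).
 * Returns 0 on success, -1 if the gid is unknown, the lookup fails, or
 * the name does not fit, and -2 on allocation failure or if the buffer
 * would have to grow past GRP_BUF_MAX.
 */
int lookup_group_name(gid_t gid, char *name, size_t namelen)
{
    size_t bufsize = initial_grp_bufsize();
    char *buf = NULL;
    struct group grp, *result = NULL;
    int rc;

    for (;;) {
        char *nbuf = realloc(buf, bufsize);
        if (nbuf == NULL) {
            free(buf);
            return -2;
        }
        buf = nbuf;

        rc = getgrgid_r(gid, &grp, buf, bufsize, &result);
        if (rc != ERANGE)
            break;              /* success, not found, or a real error */

        /* Buffer too small: double it, but refuse to grow forever. */
        if (bufsize >= GRP_BUF_MAX) {
            free(buf);
            return -2;
        }
        bufsize *= 2;
    }

    /* rc != 0 is an error; rc == 0 with a NULL result means "no such gid". */
    if (rc != 0 || result == NULL || strlen(grp.gr_name) >= namelen) {
        free(buf);
        return -1;
    }
    strcpy(name, grp.gr_name);  /* length checked above */
    free(buf);
    return 0;
}

int main(void)
{
    char name[256];

    printf("initial buffer: %zu bytes\n", initial_grp_bufsize());
    if (lookup_group_name(0, name, sizeof name) == 0)
        printf("gid 0 -> %s\n", name);
    else
        printf("gid 0 not found\n");
    return 0;
}
```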
Re: SSL Certs on Carp'd web servers
On Mon, 19 Feb 2007 16:22:59 +0100, Nico Meijer <[EMAIL PROTECTED]> wrote:

> Hey Bill,
>
> > Are there any issues that are gonna bite me with doing this?
>
> No, not that I know of.
>
> I do this with a bunch of boxes. I only use the carp'ed IP address on
> either box when configuring apache.
>
> HTH... Nico

Hmm, I'm not sure, but what about SSL session data? When the SSL handshake happens, client and server negotiate session keys. That information will be lost when the master system goes down, because carp only works on the IP layer. You have to ensure you sync this info. I don't know how. Perhaps rsync is your friend. But of course this only concerns already initiated connections.

Regards
Joerg

--
Dipl.-Ing. (FH) Joerg Streckfuss, Phone: +49 40 808077-631
PGP RSA/2048, E0D4BD3F, 90 C3 FB 4A CB D3 20 70 6B 04 47 84 B5 3C 28 8C
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: SSL Certs on Carp'd web servers
On Mon, 19 Feb 2007 16:22:59 +0100 Nico Meijer <[EMAIL PROTECTED]> wrote:

> Hey Bill,
>
> > Are there any issues that are gonna bite me with doing this?
>
> No, not that I know of.
>
> I do this with a bunch of boxes. I only use the carp'ed IP address on
> either box when configuring apache.
>
> HTH... Nico

Thanks Nico,

I noticed that Verisign has an option to secure more than one server with a single cert, but it basically doubles the price.

The only reason I could think of that would require a single cert for two is if I was load balanced and you never knew what you were going to get on your next request... In fact, I am probably at this point going to self sign the backup, and do a normal cert on the primary.

Thanks for the sanity check!
Re: Ral drivers are they in bsd.rd>
Ohh, got AMD64 here... so how could I connect to the wireless network from boot CD? Is there a way to load the ral driver or something?

2007/2/20, Stuart Henderson <[EMAIL PROTECTED]>:
> On 2007/02/19 22:35, Sunnz wrote:
> > Just wondering if the ral WiFi drivers are in bsd.rd kernel?
>
> Depends which architecture. i386, yes for PCI and cardbus. amd64, cardbus only.
>
> You can check all these for yourself, either in the architecture pages (openbsd.org/i386.html etc) or looking at the kernel configuration files via cvsweb (in src/sys/arch/ZZZ/conf).
>
> > I just installed a Ralink WiFi card today and attempted to install 4.0
> > on the computer from cd40.iso. It didn't pick up the WiFi card PCI.
> >
> > Mean while I will check if I have installed it correctly.
>
> If it's installed correctly but isn't picked up by a driver, it would show as a "not configured" device in dmesg.

--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Re: SSL Certs on Carp'd web servers
Hey Bill,

> Are there any issues that are gonna bite me with doing this?

No, not that I know of.

I do this with a bunch of boxes. I only use the carp'ed IP address on either box when configuring apache.

HTH... Nico
Re: cisco vpn gateway
Hi there,

atstake atstake wrote:
> I've been given this Cisco VPN Client software version 4.8 where a "vpnclient.ini" file needs to be imported and authentication is done via username and password to a Cisco VPN gateway which (after authentication) drops me off to the internal network.

ugh. That's Cisco's way of extended authentication.

> Does anyone know if it is at all possible to use OpenBSD's isakmpd or anything else to authenticate to the Cisco VPN gateway instead of using Cisco VPN Client software version 4.8 on Windows XP?

To my knowledge, the extended authentication (username & password in Cisco's VPN Client) is some proprietary extension, therefore it won't work with isakmpd. If I'm wrong, I'd like to be corrected :-)

Regards,
./Marian
SSL Certs on Carp'd web servers
Hello,

I have two web servers carp'd that I am getting ssl certs for. I have it all running with my own self signed ones, but need to get a verisign or Thawte cert.

Are there any issues that are gonna bite me with doing this? Since they all appear the same, the cert info will be very similar and I don't want to buy them without making sure it's gonna be okay if I just apply for them using the info generated on each box?

The servers are a master / backup - so the traffic should mostly be going to one server (unless something bad happens).

Any info would be great.

Thanks

Bill
Pf - Private address blocking
Hey all

I have a question about blocking private addr. with pf.

I have defined the reserved addresses according to RFC 1918 in a table

My default rule is :

block in on $ext_if
block out on $ext_if

pass in on $int_if
pass out on $int_if

1. With these 2 rules defined is it still recommended to block private addr.

If it is then:

Computers on my network have IP's from block 192.168.0.0/16 let's say 192.168.1.100 to 192.168.1.105
I make another table called

What is the correct rule? Do I negate table lan in a rule

block in on $ext_if from any to { , ! }
block out on $ext_if from { , ! } to any

or do I negate ip's in a table like so

table { !192.168.1.100 , ...}

tnx for reply
HP ML110 failed install
Hi all,

I am having an issue trying to install to a HP ML110 G4.

There was an identical thread a week or so ago that doesn't seem to have a solution. I was hoping someone may have some further suggestions.

I keep getting flooded with these messages during the install

axe0: read PHY failed
axe0: read PHY failed
axe0: read PHY failed

The machine finally gets to the install prompt but becomes unresponsive.

It was suggested to boot -c and disable axe but the machine is also unresponsive at the ukc prompt.

This is supposed to be on-site tomorrow so any thoughts would be greatly appreciated.

Steve
cisco vpn gateway
I've been given this Cisco VPN Client software version 4.8 where a "vpnclient.ini" file needs to be imported and authentication is done via username and password to a Cisco VPN gateway which (after authentication) drops me off to the internal network.

Does anyone know if it is at all possible to use OpenBSD's isakmpd or anything else to authenticate to the Cisco VPN gateway instead of using Cisco VPN Client software version 4.8 on Windows XP?

Thanks.
Re: Ral drivers are they in bsd.rd>
On 2007/02/19 22:35, Sunnz wrote:
> Just wondering if the ral WiFi drivers are in bsd.rd kernel?

Depends which architecture. i386, yes for PCI and cardbus. amd64, cardbus only.

You can check all these for yourself, either in the architecture pages (openbsd.org/i386.html etc) or looking at the kernel configuration files via cvsweb (in src/sys/arch/ZZZ/conf).

> I just installed a Ralink WiFi card today and attempted to install 4.0
> on the computer from cd40.iso. It didn't pick up the WiFi card PCI.
>
> Mean while I will check if I have installed it correctly.

If it's installed correctly but isn't picked up by a driver, it would show as a "not configured" device in dmesg.
NIS uid/gid range
Hi. This diff makes it possible to only include a range of uid/gid for NIS password maps. I'm no regex guru but it seems to do the job (inspired from NetBSD). Maybe some people can make use of this... Index: Makefile.yp === RCS file: /cvs/src/usr.sbin/ypserv/ypinit/Makefile.yp,v retrieving revision 1.13 diff -u -r1.13 Makefile.yp --- Makefile.yp 1 Nov 2002 23:54:18 - 1.13 +++ Makefile.yp 19 Feb 2007 12:22:29 - @@ -14,6 +14,7 @@ MAKEDBM=/usr/sbin/makedbm SED=/usr/bin/sed SENDMAIL=/usr/sbin/sendmail +SORT=/usr/bin/sort STDHOSTS=/usr/sbin/stdhosts STDETHERS=/usr/sbin/stdethers MKALIAS=/usr/sbin/mkalias 
@@ -34,33 +35,53 @@ # If you want ypserv to ask DNS for unknown hosts set USEDNS to -b USEDNS= +# Only include UID/GID between MIN/MAX range in the maps. +MINUID=1000 +MAXUID=32765 +MINGID=1000 +MAXGID=32765 + all: passwd group hosts ethers networks rpc services protocols netid netgroup amd.home aliases passwd.time: $(DIR)/master.passwd [EMAIL PROTECTED] [ -f $(>) ]; then \ if [ ! $(UNSECURE) ]; then \ $(CAT) $(>) | $(CUT) -d: -f1-4,8-10 | \ - $(AWK) 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ - { print $$1, $$1":*:"$$3":"$$4":"$$5":"$$6":"$$7 }' -|\ - $(MAKEDBM) - passwd.byname; \ + $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \ + 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ + { if (minuid <= $$3 && maxuid >= $$3) \ + print $$1, $$1":*:"$$3":"$$4":"$$5":"$$6":"$$7 }' -|\ + ${SORT} | $(MAKEDBM) - passwd.byname; \ $(CAT) $(>) | $(CUT) -d: -f1-4,8-10 |\ - $(AWK) 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ - { print $$3, $$1":*:"$$3":"$$4":"$$5":"$$6":"$$7 }' -|\ - $(MAKEDBM) - passwd.byuid; \ + $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \ + 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ + { if (minuid <= $$3 && maxuid >= $$3) \ + print $$3, $$1":*:"$$3":"$$4":"$$5":"$$6":"$$7 }' -|\ + ${SORT} | $(MAKEDBM) - passwd.byuid; \ else \ $(CAT) $(>) | $(CUT) -d: -f1-4,8-10 | \ - $(AWK) 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ - { print $$1, $$0 }' - | $(MAKEDBM) - passwd.byname; \ + $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \ + 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ + { if (minuid <= $$3 && maxuid >= $$3) \ + print $$1, $$0 }' - | ${SORT} | \ + $(MAKEDBM) - passwd.byname; \ $(CAT) $(>) | $(CUT) -d: -f1-4,8-10 |\ - $(AWK) 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ - { print $$3, $$0 }' - | $(MAKEDBM) - passwd.byuid; \ + $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \ + 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ + { if (minuid <= $$3 && maxuid >= $$3) \ + print $$3, $$0 }' - | ${SORT} | \ + $(MAKEDBM) - passwd.byuid; \ fi; \ $(CAT) 
$(>) | \ - $(AWK) 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ - { print $$1, $$0 }' - | $(MAKEDBM-S) - master.passwd.byname; \ + $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \ + 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ + { if (minuid <= $$3 && maxuid >= $$3) \ + print $$1, $$0 }' - | $(MAKEDBM-S) - master.passwd.byname; \ $(CAT) $(>) | \ - $(AWK) 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ - { print $$3, $$0 }' - | $(MAKEDBM-S) - master.passwd.byuid; \ + $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \ + 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ + { if (minuid <= $$3 && maxuid >= $$3) \ + print $$3, $$0 }' - | $(MAKEDBM-S) - master.passwd.byuid; \ $(TOUCH) $(@); \ $(ECHO) "updated passwd"; \ if [ ! $(NOPUSH) ]; then \ @@ -79,12 +100,14 @@ group.time: $(DIR)/group [EMAIL PROTECTED] [ -f $(>) ]; then \ - $(AWK) 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ - { print $$1, $$0 }' $(>) | \ - $(MAKEDBM) - group.byname; \ - $(AWK) 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ \ - { print $$3, $$0 }' $(>) | \ - $(MAKEDBM) - group.bygid; \ + $(AWK) -v mingid=${MINGID} -v maxgid=${MAXGID} \ +
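Review bot: the `+# Only include UID/GID between MIN/MAX range in the maps.` comment in the second hunk should state that with the defaults (MINUID=1000, MINGID=1000) root and every other system account disappear not only from passwd.byname/passwd.byuid but also from master.passwd.byname/master.passwd.byuid, since the same `if (minuid <= $$3 && maxuid >= $$3)` test is applied in all six pipelines. Keeping uid 0 and its hash out of the NIS maps is a sound default, but a client that resolves system accounts through NIS will silently stop finding them, so the behaviour change and the settings that restore the old full maps (bounds spanning the whole uid/gid space) belong in that comment. Two consistency points in the same hunk: the passwd.byname/passwd.byuid pipelines gain a `${SORT} |` stage before $(MAKEDBM) while the master.passwd.byname/byuid pipelines get the filter without it, and the new lines write `${SORT}`/`${MINUID}` where the rest of the file uses the `$(MAKEDBM)`/`$(AWK)` form. Finally, because the bounds reach awk via -v, a site that leaves MAXUID empty gets a string comparison and an empty map rather than an error; checking that the four values are numeric before the awk runs would be safer.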
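Review bot: the third hunk (group.time) breaks off on the page right after `+ $(AWK) -v mingid=${MINGID} -v maxgid=${MAXGID} \`, so the replacement pipelines for group.byname and group.bygid cannot be reviewed here. From the removed lines, those maps are keyed on `$$1` and `$$3` of $(DIR)/group with no sort stage, so whatever is decided about sorting in the passwd hunk should be mirrored, and the MINGID=1000 default will drop wheel and the other low gids from the group maps in the same way, which should be documented next to the MIN/MAX variables.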
Ral drivers are they in bsd.rd>
Just wondering if the ral WiFi drivers are in bsd.rd kernel? I just installed a Ralink WiFi card today and attempted to install 4.0 on the computer from cd40.iso. It didn't pick up the WiFi card PCI. Meanwhile I will check if I have installed it correctly. Thanks.

--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Re: Serial console not working for IBM Aptiva
Damon McMahon wrote:
> Thanks for the response, Nick, I'm almost there and just one further query:
>
> On 18/02/07, Nick Holland <[EMAIL PROTECTED]> wrote:
...
> The Aptiva has an anaemic BIOS program, but by disabling one of the
> two serial interfaces I now appear to have eliminated IRQ conflicts
> and acquired a working serial console - BUT I lose nearly all of the
> dmesg(8) and init(8) output at boot, with it being directed to the
> screen instead. I also note that boot(8) tells me I have com0 and no
> com1 (which is expected since I disabled it in the BIOS) whereas
> dmesg(8) tells me I have pccom1 but no pccom0 and this seems a little
> strange to me.

boot(8) tells you what the BIOS tells it. boot(8) uses the BIOS to communicate. dmesg(8) tells you what hardware OpenBSD actually found. The BIOS can define ports as it wishes. OpenBSD defines ports as spec'd in /usr/src/sys/arch/i386/conf/GENERIC

From your dmesg,
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo

That's not the standard definition for com0 (DOS COM1), but rather, com1 (DOS COM2:)

From pccom(4):
pccom0 at isa? port 0x3f8 irq 4
pccom1 at isa? port 0x2f8 irq 3

> To clarify, boot(8) tells me I have com0 available at boot. So in
> /etc/boot.conf I tell it:
>
> set tty com0
>
> and it switches to the console but all that is output to the console is:
>
>>> OpenBSD/i386 BOOT 2.10
> boot>
> booting hd0a:/bsd: 4966344+867848 [52+255872+237161]=0x608d64
> entry point at 0x100120

so once the kernel is loaded, your redirection is screwed up...

> That's it for the output seen on the terminal, at this point the
> dmesg(8) and init(8) output is directed to the screen. Then when
> getty(8) is executed interactivity for _both_ the keyboard and the
> serial console are restored.

I haven't played with this kind of config, but my guess is you are sending the output to a non-existent com0, so the system falls back to using the screen.

You get the serial IO again after boot because of your ttys setting which has tty01 turned on; you would get the login prompt on the serial port even if you didn't do the "set tty com0".

> Any further thoughts will be appreciated; dmesg(8) and ttys(5) are
> included below:

...thanks, snipped for size

> # head -n 20 /etc/ttys
> #
> # $OpenBSD: ttys,v 1.17 2002/06/09 06:15:14 todd Exp $
> #
> # name getty type status comments
> #
> console "/usr/libexec/getty Pc" vt220 off secure
> ttyC0 "/usr/libexec/getty Pc" vt220 on secure
> ttyC1 "/usr/libexec/getty Pc" vt220 on secure
> ttyC2 "/usr/libexec/getty Pc" vt220 on secure
> ttyC3 "/usr/libexec/getty Pc" vt220 on secure
> ttyC4 "/usr/libexec/getty Pc" vt220 off secure
> ttyC5 "/usr/libexec/getty Pc" vt220 on secure
> ttyC6 "/usr/libexec/getty Pc" vt220 off secure
> ttyC7 "/usr/libexec/getty Pc" vt220 off secure
> ttyC8 "/usr/libexec/getty Pc" vt220 off secure
> ttyC9 "/usr/libexec/getty Pc" vt220 off secure
> ttyCa "/usr/libexec/getty Pc" vt220 off secure
> ttyCb "/usr/libexec/getty Pc" vt220 off secure
> tty00 "/usr/libexec/getty std.9600" vt220 on secure
> tty01 "/usr/libexec/getty std.9600" vt220 on secure

What's hurting you is that non-standard first com port. Take another look at your BIOS setup, see if there is anything that allows you to change how it is defined. Also check to make sure you don't have any BIOS-based redirection going..that can cause various problems that might be similar to this on some machines. (BIOS redirection is great, but unfortunately, not at all standardized, so results are sometimes unpredictable.)

Nick.
Re: openbsd 4.0 on vmware server
From the VMware website: "This paper describes how timekeeping hardware works in physical machines, how typical guest operating systems use this hardware to keep time, and how VMware products virtualize the hardware."
http://www.vmware.com/pdf/vmware_timekeeping.pdf

On 2/19/07, Úlfar M. E. Johnson <[EMAIL PROTECTED]> wrote:
> I was wondering if anyone else experienced clock trouble with openbsd 4.0 as a host on vmware server 1.01? My setup was vmware server 1.01 on centos 4.4 using a dell c600 laptop. I had openbsd 4.0 installed as a host, but after many attempts to fix the time synch issue between openbsd and centos I gave up and just installed openbsd 4.0 on the laptop. I tried to resolve the issue using ntp, but to no avail. Would anyone recommend using openbsd 4.0 as a server on vmware server? Or is openbsd as a virtual host not really a feasible option?

--
Jan Mason
Registered Linux User #156002
[EMAIL PROTECTED]
Re: serial console on macbook?
On Mon, 19 Feb 2007, Paul de Weerd wrote:
> On Sun, Feb 18, 2007 at 08:27:54PM -0800, Ben Calvert wrote:
> | can't install 4.0 or snapshots on my macbook due to what appear to be
> | issues with the usb controller. ( lots of errors about the usb
> | controller, and the keyboard is nonresponsive... no capslock light,
> | no input )
> |
> | does anyone have any ideas about how to capture the dmesg so i can
> | submit?
>
> I'm reading MacBook, so I think you're not talking about the MacBook
> Pro (just to make sure). I had similar issues with the MacBook Pro, so
> maybe this helps.
>
> I got things working on the MacBook Pro. See [1]. This required the
> latest snapshot (where you can type at the bootprompt, some changes
> went in to support this) and enabling acpi in UKC. What I did
> initially (burn a CD with a bsd.rd kernel that I had config'd on
> another machine to enable acpi) should not be necessary anymore.
>
> On a side note, audio *does* work albeit *extremely* low volume. If I
> crank everything up in mixerctl I can barely hear something. You may
> experience similar issues on your MacBook.
>
> And X looks like it'll be a while. There's no new Radeon support in
> xorg yet and I've found no one working on a driver. It works with
> vesa(4) for now, but that doesn't support the 1440x900 resolution of
> the machine.
>
> Ben, let us know how you proceed with the MacBook.

The MacBook is different from the MacBook Pro. The first sign of trouble is that the UKC prompt doesn't work. It won't accept input. When booting without going to UKC, it shows various USB related error messages and then after a very long time comes to the install prompt, which doesn't accept input either. This happens both with an acpi-enabled bsd.rd and the default bsd.rd. I didn't have a chance yet to diagnose this further.

-Otto
Re: OpenOSPFd and kernel routing table
Claudio Jeker wrote:
> Hmm. For some reason the carp route is not cleared correctly. I'll have a look at it.

Thanks, I would be happy if this works.

> Btw. I think your simple setup with two bgpd routers and one carped LAN network behind them does not need ospfd. Try to keep it simple until you know that you need ospf.

I'm thinking about alternatives for this setup. But as the routes are dynamic in dependence of the state of the carp-interfaces such an IGP fits all the needs, doesn't it?

Falk
Re: openbsd 4.0 on vmware server
Hi, this is not an OpenBSD problem. Check the VMware documentation about your time problem. You need to change something in your vmx file! OpenBSD also works fine as a virtual machine!

Frank

Úlfar M. E. Johnson wrote:
> I was wondering if anyone else experienced clock trouble with openbsd 4.0 as a host on vmware server 1.01? My setup was vmware server 1.01 on centos 4.4 using a dell c600 laptop. I had openbsd 4.0 installed as a host, but after many attempts to fix the time synch issue between openbsd and centos I gave up and just installed openbsd 4.0 on the laptop. I tried to resolve the issue using ntp, but to no avail. Would anyone recommend using openbsd 4.0 as a server on vmware server? Or is openbsd as a virtual host not really a feasible option?
openbsd 4.0 on vmware server
I was wondering if anyone else experienced clock trouble with openbsd 4.0 as a host on vmware server 1.01? My setup was vmware server 1.01 on centos 4.4 using a dell c600 laptop. I had openbsd 4.0 installed as a host, but after many attempts to fix the time synch issue between openbsd and centos I gave up and just installed openbsd 4.0 on the laptop. I tried to resolve the issue using ntp, but to no avail. Would anyone recommend using openbsd 4.0 as a server on vmware server? Or is openbsd as a virtual host not really a feasible option?
Re: OpenBGPd won't receive prefix
On Sat, Feb 17, 2007 at 11:22:48PM +, Stuart Henderson wrote:
> On 2007/02/17 23:41, Falk Brockerhoff wrote:
> > I will play with localpref later, but before I want to ask if my planned
> > setup is the right solution for my needs. I want to run two bgp-routers
> > and connect several eBGP sessions to the two routers.
> > To the inside I want to provide a failover-tolerant default gateway for
> > my vlans, that's why I'm using carp.
>
> If you run PF on the same routers as well, take care with stateful rules,
> stateless is the easy way, or arrange so that the CARP master is a better
> route (maybe prepend on the backup). you are unlikely to get states sync'd
> quickly enough to avoid problems if you have things too asymmetric.
>
> > want to do this for the "internal" networks, too.
>
> I would normally use OSPF for this, using iBGP to carry internal routes
> is possible but I think mostly something done on larger networks.

iBGP and an IGP like OSPF are used for different tasks. iBGP brings routing information from the edges to the core of your network and is used to find the best path out of your network. OSPF on the other hand is mostly used for internal and incoming traffic. If your network is simple enough that a few static routes suffice to describe your network there is no need for OSPF. Huge networks (ab)use iBGP to also cover the topology information for the network. Setting up such a network needs a lot of knowledge and a very good documentation process.

> ospfd has a nice feature; when you use "interface carpXX { passive }",
> the network is only announced via OSPF when CARP is master. This works
> really well.

Yes, but if you just have two routers with one carp interface on them you don't need OSPF. In such simple cases "depend on carp" and "demote carp" may suffice.

--
:wq Claudio
Re: OpenOSPFd and kernel routing table
On Sun, Feb 18, 2007 at 02:46:09PM +0100, Falk Brockerhoff wrote:
> > And the output of the forwarding database with the unexpected nexthop of
> > the local interface instead of the ospf-neighbor:
> >
> > # ospfctl sh fib
> > flags: * = valid, O = OSPF, C = Connected, S = Static
> > Flags Destination Nexthop
> > C 195.140.212.0/24 link#22
>
> I killed the ospfd-process and started it again, and the fib looks better:
>
> # ospfctl sh fib
> flags: * = valid, O = OSPF, C = Connected, S = Static
> Flags Destination Nexthop
> *O 195.140.212.0/24 10.0.0.2
>
> Hm, killing and restarting ospfd isn't the way I want to do it every time
> the state of the carp-interface changes :-)

Hmm. For some reason the carp route is not cleared correctly. I'll have a look at it.

Btw. I think your simple setup with two bgpd routers and one carped LAN network behind them does not need ospfd. Try to keep it simple until you know that you need ospf.

--
:wq Claudio
Re: serial console on macbook?
On Sun, Feb 18, 2007 at 08:27:54PM -0800, Ben Calvert wrote:
| can't install 4.0 or snapshots on my macbook due to what appear to be
| issues with the usb controller. ( lots of errors about the usb
| controller, and the keyboard is nonresponsive... no capslock light,
| no input )
|
| does anyone have any ideas about how to capture the dmesg so i can
| submit?

I'm reading MacBook, so I think you're not talking about the MacBook Pro (just to make sure). I had similar issues with the MacBook Pro, so maybe this helps.

I got things working on the MacBook Pro. See [1]. This required the latest snapshot (where you can type at the bootprompt, some changes went in to support this) and enabling acpi in UKC. What I did initially (burn a CD with a bsd.rd kernel that I had config'd on another machine to enable acpi) should not be necessary anymore.

On a side note, audio *does* work albeit *extremely* low volume. If I crank everything up in mixerctl I can barely hear something. You may experience similar issues on your MacBook.

And X looks like it'll be a while. There's no new Radeon support in xorg yet and I've found no one working on a driver. It works with vesa(4) for now, but that doesn't support the 1440x900 resolution of the machine.

Ben, let us know how you proceed with the MacBook.

Cheers,

Paul 'WEiRD' de Weerd

[1] http://marc.theaimsgroup.com/?l=openbsd-misc&m=117002194202234&w=2

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: Supported GPS receivers
Phusion wrote:
> What are the best supported GPS receivers under 4.0 release and stable code-base? I would like to find a GPS receiver (serial or USB) that is supported under OpenBSD that will work for OpenNTPD or NTP.

You should go for a GPS receiver that provides a PPS signal, like e.g. the Garmin GPS 18 LVC. Without a PPS signal, the nmea(4) line discipline can only guess when the received time information was valid. With a PPS signal, you can turn on TTY timestamping and you get precise time information. Most PPS capable GPS receivers need the PPS signal to be specifically turned on by sending them some command bytes. NB, if you turn on TTY timestamping without having the GPS provide a PPS signal, the time information will be invalid.
Re: serial console on macbook?
Ben Calvert wrote:
> can't install 4.0 or snapshots on my macbook due to what appear to be issues with the usb controller. ( lots of errors about the usb controller, and the keyboard is nonresponsive... no capslock light, no input )
>
> does anyone have any ideas about how to capture the dmesg so i can submit?
>
> thanks, ben

sounds like a similar pb i had on an hp omnibook - you can't get the installer to complete to get a dmesg, & maybe you don't have a suitable serial cable or port to capture it otherwise. i'm not sure about the lights & loss of input, maybe that's a different problem. but you can try the following in either case:

make a new boot cd with an additional file, as follows, based on 4.0 release or a -current:

file:///etc/boot.conf
set timeout 5
boot -c

this will drop you into the ukc before the device probing starts, so you can try & try again disabling various things, such as:

verbose
disable uhci*
disable ehci*
disable ohci*
disable usb*

this got me to a working state & then i could fine-tune adding them back in until things were usable again.

info on making the CD, ymmv:
http://www.webengr.com/development/tools/openbsd/tips/cdrom/
http://undeadly.org/cgi?action=article&sid=20031105030127

a+
scorch