Re: Installing Skype

2007-03-25 Thread Rafael Morales
Yes, you are right, I need it for my work, so I have
no choice, and I do not want to use Linux nor
Windows.
I have not solved my trouble although the lib needed I
have it in /usr/local/emul/redhat/lib/, however when I
try to run ./skype I have the same error.
I don't know what to do.

Regards

--- Tobias Weisserth [EMAIL PROTECTED]
wrote:

 Hi,
 
 On Mar 23, 2007, at 8:03 PM, J.C. Roberts wrote:
 
  On Friday 23 March 2007 11:35, Tobias Weisserth
 wrote:
  On Mar 23, 2007, at 6:24 PM, Rafael Morales
 wrote:
  I need the shared library libasound.so.2,
 anybody
  could send to me ???, I don't have a linux box
 here.
 
  I need my box rooted, can anybody please send me
 a trojaned binary
  library I have to trust blindly?
 
  Tobias,
 
  You telling the above good advice to someone,
 Rafael, who is *already*
  trying to install a trojaned binary (skype) on
 their OpenBSD system.
 
  Skype is dangerous. Period. End of discussion.
 
 You're preaching to the converted. My parents
 Mandrake box got rooted  
 through Skype last year, because they didn't upgrade
 Skype to a newer  
 version.
 
  From the emails in this thread we know he needs it
 for work, so he  
 hasn't really got a choice. There's no other client
 to the Skype  
 network. Maybe there's a way to lock Skype in
 systrace. On openSUSE  
 I locked Skype in with AppArmor for my parents. If
 you need to talk  
 to people on Skype you don't really have a choice.
 
 regards,
 Tobias W.



Re: OpenBGPD MIB

2007-03-25 Thread Sylwester S. Biernacki
On Saturday, March 24, 2007, at 23:49:12, misc@openbsd.org wrote:

 sophisticated monitoring system with snmp,that is kind of an oxymoron, 
 isn't it...

 there's no such thing as far as I am aware of.


Hello Henning,

  it's not exactly what you think :P
  I've to configure such system and typed ip of one extreme box into
  it. After a while I saw few things which surprised me a lot:
  1. cpu/mem - nothing special
  2. interface status - nothing special
  3. bgp peers configuration - oh... what a clever system, I thought
  :P

  I clicked into it and saw that it looks after prefix count, session
  up/downs and reachability of neighbor.
  It's very very nice, isn't it? And I've managed to do that by few
  clicks. When I saw that I just wanted to do the same on my bgp boxes
  :-)

  So I've installed that clumsy net-snmp packages, configured it out,
  clicked into mon system and typed ip addr of openbsd box, and
  nothing happened - just cpu/mem and interfaces status...

  I googled around and found PF mibs and not only
  (http://www.packetmischief.ca/openbsd/snmp/)

  Any chances to add that to the wishlist for next releases?

-- 
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/



Re: [EMAIL PROTECTED] list archives in file format?

2007-03-25 Thread Joachim Schipper
On Sat, Mar 24, 2007 at 07:40:18PM -0400, Brian A. Seklecki wrote:
 Does anyone have a personal archive that they can export via MUA and 
 share?  Is there a way to ask Majordomo for it (playing with the 'get' 
 command now)
 
 I'm doing some number crunching and analysis and I'd like a few year-long 
 data samples.

No, but...

If you want to take a look at CVS statistics, see
http://www.oxide.org/cvs/.

If you want to get an archive, I'd suggest starting at
http://gmane.org/export.php. I never tried it, but it should work.

Joachim



Re: Convergence time with carp(4)

2007-03-25 Thread Marco Pfatschbacher
On Fri, Mar 23, 2007 at 04:35:31PM +0100, Jeremie Le Hen wrote:
[...]
 - We are using stock OpenBSD 4.0 for our test.
[...]
 Without running ifconfig(8) too often, the convergence time is a
 few seconds but we managed to increase the delay up to 2 minutes
 with this trick.
 
This is fixed in 4.0-stable, which you really should be using.
 (see http://www.openbsd.org/errata40.html#m_dup1).

Either update via CVS or apply this patch:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6.c.diff?r1=1.68&r2=1.68.2.1

Btw, you might consider using ifstated(8)
instead of scripting sth w/ ifconfig(8).
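
As an added example of the ifstated(8) approach suggested above (this is not from the thread or from the OpenBSD sample config), a minimal /etc/ifstated.conf that reacts to carp(4) master/backup transitions instead of polling ifconfig(8) from a script. The interface name carp0, the log messages, the upstream address 192.0.2.1 and the demotion via advskew are assumptions; check ifstated.conf(5) on the release you run.

```conf
# /etc/ifstated.conf -- added example, see lead-in
init-state auto

# carp0.link.up is true while this host is MASTER for carp0
state auto {
	if carp0.link.up
		set-state master
	if ! carp0.link.up
		set-state backup
}

state master {
	init {
		run "logger -t ifstated carp0: became master"
	}
	# demote ourselves if the upstream gateway stops answering (assumed
	# address); the peer then takes over without anyone touching ifconfig
	if ! "ping -q -c 1 -w 1 192.0.2.1 > /dev/null" every 10
		run "ifconfig carp0 advskew 254"
	if ! carp0.link.up
		set-state backup
}

state backup {
	init {
		run "logger -t ifstated carp0: became backup"
	}
	if carp0.link.up
		set-state master
}
```

Test it with `ifstated -dvv` in the foreground before enabling it in rc.conf.local, and keep the actions idempotent: ifstated re-enters a state's init block on every transition, so a script that is not safe to run twice will bite during a flap.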



Re: CARP flip flop problems

2007-03-25 Thread Marco Pfatschbacher
On Fri, Mar 23, 2007 at 12:38:44PM +1200, Nigel Roberts wrote:
[...]
 You can see when the state change happens. The backup host advertises
 with advskew of 100, advbase of 2 and promptly decides it's the master
 until the next advertisement arrives from the machine that really
 should be the master. The backup also issues a CARP IPv6 announcement,
 which is strange because we don't have IPv6 configured.

That is not supposed to happen.
carp should not send IPv6 advertisements.
Mind sharing your configuration?



Re: OpenBGPD MIB

2007-03-25 Thread Henning Brauer
* Sylwester S. Biernacki [EMAIL PROTECTED] [2007-03-25 10:52]:
   Any chances to add that to the wishlist for next releases?

I won't stop you from putting sth on a wishlist, but I can guarantee 
you I won't be working on anything snmp-mib related for openbgpd (well, 
unless somebody pays me so massively for it that I consider that a 
sufficient solatium)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Routing on one NIC?

2007-03-25 Thread Lachlan Gunn

Hi,

What would be the recommended way to route traffic between two subnets
with only one NIC?

I currently have one NIC plugged into a switch that contains two
subnets.  I would like the NIC to have two IP addresses, one on each
subnet, that it will route traffic between.  I have tried creating an
alias, but pf didn't like that.

Any help would be greatly appreciated.
--
Thanks,
Lachlan



[OpenBSD/i386 BOOT 2.10] diskinfo command on net4801

2007-03-25 Thread Igor Sobrado
Hello.

I have a soekris net4801 embedded computer.  This computer currently
runs OpenBSD 4.0.  There are two internal drives on it: an enhanced
availability Hitachi Travelstar E7K100 (ready for 24/7 use) and a
SanDisk SDCFB-1024 CF card that is being used as installation media
and net4801 documentation and firmware releases repository:


comBIOS ver. 1.29  20070204  Copyright (C) 2000-2007 Soekris Engineering.

net4801

0256 Mbyte Memory                        CPU Geode 266 Mhz 

Pri Mas  HTE721080G9AT00 LBA 16383-16-63  78 Gbyte
Pri Sla  SanDisk SDCFB-1024  LBA 1986-16-63  1001 Mbyte

Slot   Vend Dev  ClassRev Cmd  Stat CL LT HT  Base1Base2   Int 
---
0:00:0 1078 0001 0600 0107 0280 00 00 00   
0:06:0 100B 0020 0200 0107 0290 00 3F 00 E101 A000 10
0:07:0 100B 0020 0200 0107 0290 00 3F 00 E201 A0001000 10
0:08:0 100B 0020 0200 0107 0290 00 3F 00 E301 A0002000 10
0:10:0 104C AC23 06040002 0107 0210 08 3F 01   
0:18:2 100B 0502 01018001 0005 0280 00 00 00   
0:19:0 0E11 A0F8 0C031008 0117 0280 08 38 00 A0003000  11
1:00:0 100B 0020 0200 0107 0290 00 3F 00 D001 A400 05
1:01:0 100B 0020 0200 0107 0290 00 3F 00 D101 A4001000 11

 5 Seconds to automatic boot.   Press Ctrl-P for entering Monitor.


I would like to ask if this output for the machine diskinfo command
on the OpenBSD/i386 BOOT release 2.10 is expected:


Using drive 0, partition 3.
Loading...
probing: pc0 com0 com1 mem[639K 255M a20=on] 
disk: hd0+ hd1+
 OpenBSD/i386 BOOT 2.10
-
com0: 9600 baud
switching console to com0
 OpenBSD/i386 BOOT 2.10
boot machine diskinfo
Disk  BIOS#  Type   Cyls  Heads  Secs  Flags  Checksum
hd0   0x80   label  1     16     63    0x2    0xd8299676
hd1   0x81   label  1     16     63    0x2    0xc99b9503
boot 


Drives on the soekris embedded computer are set as cable select.

On another computer, an old Pentium 166 MHz, there is a different
but annoying output too:

MBR on floppy or old BIOS
Using drive 0, partition 3.
Loading...
probing: pc0 com0 com1 mem[639K 127M a20=on] 
disk: fd0 hd0+ hd1+
 OpenBSD/i386 BOOT 2.10
boot machine diskinfo
Disk  BIOS#  Type    Cyls  Heads  Secs  Flags  Checksum
fd0   0x0    *none*  80    2      18    0x4    0x0
hd0   0x80   label   15    15     63    0x2    0xcbea9586
hd1   0x81   label   1019  16     63    0x2    0xc8d994f7
boot 


The first drive is a 6 GB Western Digital Caviar drive, the second
one is a 2 GB Western Digital Caviar drive.

The geometry for these internal HDDs is wrong too.  Perhaps I am
misreading the output of this command as a consequence of how the
firmware on these computers sees the drives... (I know, a PC BIOS
and OpenBSD do not need to agree about HDD geometry) but... a single
cylinder on the net4801 (and 15 cylinders for the first internal HDD
on the pentium computer) cannot be right.  These machines are running
OpenBSD only, no other operating systems are installed on them.

I have not found any useful reference to this problem on the operating
system documentation.  Only the output of some machine diskinfo
commands that look right (on Google, most of them with an obvious
BIOS translation of the disk geometry) and a reference to diskinfo
on boot(8):

   diskinfo  Prints a list of hard disks installed on your system
 including: BIOS device number, and the BIOS geometry.


Am I doing something wrong?  It is not an important matter, OpenBSD
is working fine on these computers, but I would like to understand the
output of the diskinfo command on these machines.  As both machines
return an incorrect disk geometry I start suspecting that I did
something wrong with relation to the disk drives.

Best regards,
Igor.



Re: Routing on one NIC?

2007-03-25 Thread Jason Dixon

On Mar 25, 2007, at 7:48 AM, Lachlan Gunn wrote:


Hi,

What would be the recommended way to route traffic between two subnets
with only one NIC?

I currently have one NIC plugged into a switch that contains two
subnets.  I would like the NIC to have two IP addresses, one on each
subnet, that it will route traffic between.  I have tried creating an
alias, but pf didn't like that.


vlan(4)

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
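
As an added example of the vlan(4) answer above (not configuration from the thread or from OpenBSD's own docs), here is a router-on-a-stick layout in OpenBSD 4.0-era syntax. The NIC name sis0, the VLAN IDs 10 and 20, the addresses and the web server on 192.168.20.10 are assumptions; on current releases hostname.vlan takes `vnetid 10 parent sis0` instead of `vlan 10 vlandev sis0`, and `keep state` is the default.

```conf
# /etc/hostname.sis0 -- the trunk carries only tagged frames, no address
up

# /etc/hostname.vlan10
inet 192.168.10.1 255.255.255.0 NONE vlan 10 vlandev sis0

# /etc/hostname.vlan20
inet 192.168.20.1 255.255.255.0 NONE vlan 20 vlandev sis0

# /etc/sysctl.conf -- nothing is routed until forwarding is on
net.inet.ip.forwarding=1

# /etc/pf.conf -- filter on the vlan interfaces, not on the parent,
# so the rule set says which subnet may talk to which
lan10 = "vlan10"
lan20 = "vlan20"
set skip on lo
block log all
antispoof quick for { $lan10 $lan20 }
pass out keep state
# hosts on vlan10 may reach the web server on vlan20; vlan20 may not
# initiate anything towards vlan10
pass in on $lan10 proto tcp from $lan10:network to 192.168.20.10 port 80 keep state

# Switch port facing sis0 (assumed Cisco IOS, matches the DTP advice in
# this thread): a static 802.1Q trunk, DTP off, only the two VLANs allowed,
# and an otherwise unused VLAN as native so untagged frames land nowhere
#   switchport mode trunk
#   switchport nonegotiate
#   switchport trunk allowed vlan 10,20
#   switchport trunk native vlan 999
```

Check with `pfctl -nf /etc/pf.conf` and `ifconfig vlan10` before rebooting; a typo in the vlandev keyword leaves the interface without a parent and the box reachable on neither subnet.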



Re: Routing on one NIC?

2007-03-25 Thread Igor Sobrado
Hi Lachlan.

What you are looking for is usually called router on a stick.
Perhaps you can use some binat rules to specify bidirectional
mappings between external netblocks and the internal aliases.

Don't know why you are doing it, however.  The only time I made
a router on a stick was on my Cisco 2501.  Honestly, this set up
is an ugly workaround.

Cheers,
Igor.



Re: OpenBGPD MIB

2007-03-25 Thread Claudio Jeker
On Sun, Mar 25, 2007 at 10:41:06AM +0200, Sylwester S. Biernacki wrote:
 On Saturday, March 24, 2007, at 23:49:12, misc@openbsd.org wrote:
 
  sophisticated monitoring system with snmp,that is kind of an oxymoron, 
  isn't it...
 
  there's no such thing as far as I am aware of.
 
 
 Hello Henning,
 
   it's not exactly what you think :P
   I've to configure such system and typed ip of one extreme box into
   it. After a while I saw few things which surprised me a lot:
   1. cpu/mem - nothing special
   2. interface status - nothing special
   3. bgp peers configuration - oh... what a clever system, I thought
   :P
 
   I clicked into it and saw that it looks after prefix count, session
   up/downs and reachability of neighbor.
   It's very very nice, isn't it? And I've managed to do that by few
   clicks. When I saw that I just wanted to do the same on my bgp boxes
   :-)
 
   So I've installed that clumsy net-snmp packages, configured it out,
   clicked into mon system and typed ip addr of openbsd box, and
   nothing happened - just cpu/mem and interfaces status...
 
   I googled around and found PF mibs and not only
   (http://www.packetmischief.ca/openbsd/snmp/)
 
   Any chances to add that to the wishlist for next releases?
 

You should create a port or net-snmp flavor of these changes. I even have
some dirty diffs to have a terse bgpctl output usable to feed into
rrdtool. I should clean them up a bit and commit it.

-- 
:wq Claudio
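
The terse bgpctl output Claudio mentions, and the net-snmp glue Sylwester is after, can be approximated from the outside. The following is an added example, not code from the thread, from OpenBGPD or from net-snmp: it parses `bgpctl show summary` into per-peer values that a net-snmp `extend` script or an rrdtool updater can emit. SAMPLE_SUMMARY is constructed to resemble bgpctl(8) output of the era; its column layout is an assumption, so the parser keys on field count rather than on fixed offsets.

```python
"""Turn 'bgpctl show summary' into terse per-peer monitoring values.
Added example; SAMPLE_SUMMARY below is CONSTRUCTED, not real router output."""
import subprocess
import sys

SAMPLE_SUMMARY = """\
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
upstream1               65001      12345      12340     0 03d02h15m     120
upstream2               65002        201        198     0 00:05:12      Idle
ixp-rs                  65003      99887      99001     0 12w3d         4520
"""


def parse_summary(text):
    """Return one dict per peer.  In the summary the last column is a prefix
    count when the session is Established and a state name (Idle, Active,
    OpenSent, ...) otherwise; that is how 'up' is derived."""
    peers = []
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) != 7:                    # blank or unexpected line
            continue
        name, asn, rcvd, sent, outq, updown, last = fields
        established = last.isdigit()
        peers.append({
            "peer": name, "as": int(asn),
            "msg_rcvd": int(rcvd), "msg_sent": int(sent), "outq": int(outq),
            "up_down": updown,
            "established": established,
            "prefixes": int(last) if established else 0,
            "state": "Established" if established else last,
        })
    return peers


def terse_lines(peers):
    """'<peer> <as> <established 0|1> <prefixes>', one line per peer; a
    stable, whitespace-separated shape for snmp extend or rrdtool update."""
    return [f"{p['peer']} {p['as']} {int(p['established'])} {p['prefixes']}"
            for p in peers]


def peers_down(peers):
    return [p["peer"] for p in peers if not p["established"]]


def total_prefixes(peers):
    return sum(p["prefixes"] for p in peers)


def live_summary():
    """Run bgpctl on the router itself (needs access to the bgpd socket)."""
    return subprocess.run(["bgpctl", "show", "summary"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = live_summary() if "--live" in sys.argv else SAMPLE_SUMMARY
    peers = parse_summary(text)
    print("\n".join(terse_lines(peers)))
    print("down:", ",".join(peers_down(peers)) or "none",
          "prefixes:", total_prefixes(peers))
```

Hooked up as `extend bgp /usr/local/bin/bgpsummary.py --live` in snmpd.conf, the lines show up under NET-SNMP-EXTEND-MIB (nsExtendOutLine), which is enough for prefix-count graphs and a "peer down" alarm without a real OpenBGPD MIB. Bind snmpd to the management address only and prefer SNMPv3 over a v2c community: the peer list and prefix counts are exactly what someone mapping your network wants.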



Re: Routing on one NIC?

2007-03-25 Thread Jason Dixon

On Mar 25, 2007, at 9:27 AM, Igor Sobrado wrote:


Hi Lachlan.

What you are looking for is usually called router on a stick.
Perhaps you can use some binat rules to specify bidirectional
mappings between external netblocks and the internal aliases.

Don't know why you are doing it, however.  The only time I made
a router on a stick was on my Cisco 2501.  Honestly, this set up
is an ugly workaround.


It works fine if you're using secure VLANs.  But if you have the  
money for a VLAN-capable switch, you might as well use dedicated  
interfaces.  But it *can* be done easily and securely.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Routing on one NIC?

2007-03-25 Thread bofh

On 3/25/07, Jason Dixon [EMAIL PROTECTED] wrote:

It works fine if you're using secure VLANs.  But if you have the
money for a VLAN-capable switch, you might as well use dedicated
interfaces.  But it *can* be done easily and securely.


But isn't the hope then that there's no leakage and that you can't
easily do something like that arp-based thing used to sniff a switch?
I know, I know, my design at my last company included using vlans this
way too, but I kept the internal vlans on internal switches, and
external vlans on external, physically separate, switches[1].

-me
[1]  I inherited a situation where the *entire* inside network was
reachable via this external, outside the firewall, switch, via the
vlan.  Being that we did not require the services of the network
fuckup fairy because we had our very own personal NotWork
Engineer[TM], I had to move quickly to make sure he did not suddenly
turn on routing on that 3550, for example.
[TM]  I have a CCNP, but, like, Cisco, um, lost my certificate.
Yeah, that's it  Of course, it's been a *LONG* time since I saw any
ccnp who could not set a default route on cisco equipment.  Who likes
to build single channel etherchannels.  Who likes to build routing
loops.  Who actually built a 10/8 network - and we had 40+ remote/wan
locations!!  Yes, you read it right - no subnets!  Where the
design was so bad that the recent external audit of the network had
the consultants snickering every few minutes, and when he couldn't
stand it anymore, he'll call me over, hey, psst, you've gotta come
see this...



Re: Does anyone know a good file manager for OpenBSD?

2007-03-25 Thread Nick !

On 3/24/07, Ted Unangst [EMAIL PROTECTED] wrote:

On 3/21/07, Paul Irofti [EMAIL PROTECTED] wrote:
   - the fact that ftp can handle http makes me ponder what happened to
   the KISS principle?

ftp is very simple.  there are files on the internet.  i want them on
my computer.  ftp puts them there.  how much simpler can it be? :)


But that's what wget is for.



Re: Routing on one NIC?

2007-03-25 Thread Jason Dixon

On Mar 25, 2007, at 10:38 AM, bofh wrote:


On 3/25/07, Jason Dixon [EMAIL PROTECTED] wrote:

It works fine if you're using secure VLANs.  But if you have the
money for a VLAN-capable switch, you might as well use dedicated
interfaces.  But it *can* be done easily and securely.


But isn't the hope then that there's no leakage and that you can't
easily do something like that arp-based thing used to sniff a switch?
I know, I know, my design at my last company included using vlans this
way too, but I kept the internal vlans on internal switches, and
external vlans on external, physically separate, switches[1].


Disabling DTP, which should be done anyways, will prevent VLAN  
hopping.  I'm not sure what arp-based thing you're referring to  
that wasn't fixed 5-6 years ago.  Perhaps you're referring to arp  
spoofing, which has nothing to do with VLANs.  Please clarify.


Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Routing on one NIC?

2007-03-25 Thread bofh

On 3/25/07, Jason Dixon [EMAIL PROTECTED] wrote:

Disabling DTP, which should be done anyways, will prevent VLAN
hopping.  I'm not sure what arp-based thing you're referring to
that wasn't fixed 5-6 years ago.  Perhaps you're referring to arp
spoofing, which has nothing to do with VLANs.  Please clarify.


My point was that there may be future vulnerabilities, and it may be a
good idea to keep that in mind for the original poster's designs.



Re: OpenBGPD MIB

2007-03-25 Thread Ronnie Garcia

Henning Brauer wrote:

* Sylwester S. Biernacki [EMAIL PROTECTED] [2007-03-25 10:52]:

  Any chances to add that to the wishlist for next releases?


I won't stop you from putting sth on a wishlist, but I can guarantee 
you I won't be working on anything snmp-mib related for openbgpd (well, 
unless somebody pays me so massively for it that I consider that a 
sufficient solatium)


How much is massive ? ;)

--
Ronnie Garcia r.garcia at ovea dot com



Re: Does anyone know a good file manager for OpenBSD?

2007-03-25 Thread Paul de Weerd
On Sun, Mar 25, 2007 at 10:33:25AM -0400, Nick ! wrote:
| On 3/24/07, Ted Unangst [EMAIL PROTECTED] wrote:
| On 3/21/07, Paul Irofti [EMAIL PROTECTED] wrote:
|- the fact that ftp can handle http makes me ponder what happened to
|the KISS principle?
| 
| ftp is very simple.  there are files on the internet.  i want them on
| my computer.  ftp puts them there.  how much simpler can it be? :)
| 
| But that's what wget is for.

$ which ftp wget
/usr/bin/ftp
wget: Command not found.

wget has its uses (recursion comes to mind), but for simply
transferring files ftp(1) is all i need.

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Re: Routing on one NIC?

2007-03-25 Thread Jason Dixon

On Mar 25, 2007, at 11:24 AM, bofh wrote:


On 3/25/07, Jason Dixon [EMAIL PROTECTED] wrote:

Disabling DTP, which should be done anyways, will prevent VLAN
hopping.  I'm not sure what arp-based thing you're referring to
that wasn't fixed 5-6 years ago.  Perhaps you're referring to arp
spoofing, which has nothing to do with VLANs.  Please clarify.


My point was that there may be future vulnerabilities, and it may be a
good idea to keep that in mind for the original poster's designs.


There may also be future vulnerabilities in physical ethernet.  Guess  
you'd better unplug now!  ;-)


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Is OpenBSD good/best for my 486?

2007-03-25 Thread Shawn K. Quinn
On Fri, 2007-03-23 at 10:49 -0400, Douglas Allan Tutty wrote:
 On Fri, Mar 23, 2007 at 06:56:32AM -0500, Shawn K. Quinn wrote:
  On Wed, 2007-03-21 at 22:37 -0400, Douglas Allan Tutty wrote:
   Hello,
   
   I've got a 486DX4-100 with 32 MB ram, ISA bus, with two drives: 840 MB
   and 1280 MB IDE.  Currently running Debian GNU/Linux Sarge.
  
  Assuming you don't try to do more with it than you have CPU and RAM for,
  you should be fine. However, once you've tested that all your hardware
  works with the GENERIC kernel, I would strongly recommend you compile a
  custom kernel and run that (do a Web search for a Perl program called
  dmassage which will help immensely), but keep a copy of GENERIC around
  in case problems do creep in. The reason for compiling a custom kernel
  in this case is to save memory; I saved about 2.5M on a similar system,
  which is a lot when you only have 32M to begin with (with any system
  much newer it's usually not worth it).
  
 
 I thought compiling a custom kernel was _discouraged_?

Officially it's discouraged; from my point of view, you have one of the
rare situations where a case could be made for it. Note that you should
*always* keep a copy of GENERIC around for troubleshooting.

 I just loaded the 486 to the most I ever do:
   ssh to the big box (titan) to pon courer (the modem) and run bwm
   ssh to titan for mutt
   run aptitude, update the package list
   run top to watch everything
   run X with icewm:
   rxvt  ssh titan, to run conquorer
   go to theweathernetwork.com
 
 I'm using 6 MB swap, but the system is not spending any time waiting for
 I/O.  Aptitude is taking 75% of the CPU, top on a 2 second delay is
 taking 10%.  I can still browse the net; the wait is a slow dial-up
 connection.
 
 I don't know how to tell how big the kernel in memory is since its
 modular.

Linux, the kernel, as distributed in Debian GNU/Linux, the full
operating system, is modular. The OpenBSD kernel is not, it's
monolithic. An apples-to-apples comparison would be a Linux kernel
configured with no module support and most possible device drivers
compiled into the kernel directly (and, IMHO, that falls squarely into
the category of kids, don't try this at home for a box with only 32M
of RAM).

-- 
Shawn K. Quinn [EMAIL PROTECTED]



Re: Routing on one NIC?

2007-03-25 Thread J.C. Roberts
On Sunday 25 March 2007 08:41, Jason Dixon wrote:
 On Mar 25, 2007, at 11:24 AM, bofh wrote:
  On 3/25/07, Jason Dixon [EMAIL PROTECTED] wrote:
  Disabling DTP, which should be done anyways, will prevent VLAN
  hopping.  I'm not sure what arp-based thing you're referring to
  that wasn't fixed 5-6 years ago.  Perhaps you're referring to arp
  spoofing, which has nothing to do with VLANs.  Please clarify.
 
  My point was that there may be future vulnerabilities, and it may
  be a good idea to keep that in mind for the original poster's
  designs.

 There may also be future vulnerabilities in physical ethernet.  Guess
 you'd better unplug now!  ;-)


Future? -Nope. It's been already done.

http://www.wired.com/news/technology/0,70619-0.html
http://www.wired.com/news/technology/1,70908-0.html

Though the example is not formally ethernet, physical access to the 
tubes still means you should consider yourself 0wnd.

But bofh is kinda right, arp-cache poisoning (possibly the thing he 
was talking about?) is really very interesting.

kind regards,
JCR



Re: Routing on one NIC?

2007-03-25 Thread Jason Dixon

On Mar 25, 2007, at 12:21 PM, J.C. Roberts wrote:


On Sunday 25 March 2007 08:41, Jason Dixon wrote:

On Mar 25, 2007, at 11:24 AM, bofh wrote:

On 3/25/07, Jason Dixon [EMAIL PROTECTED] wrote:

Disabling DTP, which should be done anyways, will prevent VLAN
hopping.  I'm not sure what arp-based thing you're referring to
that wasn't fixed 5-6 years ago.  Perhaps you're referring to arp
spoofing, which has nothing to do with VLANs.  Please clarify.


My point was that there may be future vulnerabilities, and it may
be a good idea to keep that in mind for the original poster's
designs.


There may also be future vulnerabilities in physical ethernet.  Guess
you'd better unplug now!  ;-)


Future? -Nope. It's been already done.

http://www.wired.com/news/technology/0,70619-0.html
http://www.wired.com/news/technology/1,70908-0.html

Though the example is not formally ethernet, physical access to the
tubes still means you should consider yourself 0wnd.

But bofh is kinda right, arp-cache poisoning (possibly the thing he
was talking about?) is really very interesting.


The topic was in regards to VLAN security.  Arp-cache poisoning, or  
spoofing (as I already mentioned) has nothing to do with VLANs.   
Unless either of you have anything relevant to add with regards to  
the OP's question about single-homed routing, I suggest we move on.


Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Is OpenBSD good/best for my 486?

2007-03-25 Thread Nick Holland
Shawn K. Quinn wrote:
 On Fri, 2007-03-23 at 10:49 -0400, Douglas Allan Tutty wrote:
 On Fri, Mar 23, 2007 at 06:56:32AM -0500, Shawn K. Quinn wrote:
  On Wed, 2007-03-21 at 22:37 -0400, Douglas Allan Tutty wrote:
   Hello,
   
   I've got a 486DX4-100 with 32 MB ram, ISA bus, with two drives: 840 MB
   and 1280 MB IDE.  Currently running Debian GNU/Linux Sarge.
  
  Assuming you don't try to do more with it than you have CPU and RAM for,
  you should be fine. However, once you've tested that all your hardware
  works with the GENERIC kernel, I would strongly recommend you compile a
  custom kernel and run that (do a Web search for a Perl program called
  dmassage which will help immensely), but keep a copy of GENERIC around
  in case problems do creep in. The reason for compiling a custom kernel
  in this case is to save memory; I saved about 2.5M on a similar system,
  which is a lot when you only have 32M to begin with (with any system
  much newer it's usually not worth it).
  
 
 I thought compiling a custom kernel was _discouraged_?
 
 Officially it's discouraged; from my point of view, you have one of the
 rare situations where a case could be made for it. 

no.
If you want to run OpenBSD on a 16M or 12M machine, yes, you probably have
to make a custom kernel.  But then, you have a pretty far-out app, so you
would know that already.

32M is at a point where if it isn't enough, you need a better machine.
Tweaking the kernel to make it run better in 32M is just perfume on the
pig.  If that's what you need to do, get a less smelly pig.

Note that you should
 *always* keep a copy of GENERIC around for troubleshooting.
 
 I just loaded the 486 to the most I ever do:
  ssh to the big box (titan) to pon courer (the modem) and run bwm
  ssh to titan for mutt
  run aptitude, update the package list
  run top to watch everything
  run X with icewm:
  rxvt  ssh titan, to run conquorer
  go to theweathernetwork.com

As I indicated recently, probably on this thread, ssh on a 486 is painful.
Works fine, but painfully slow.  (key length was cranked a few releases
ago with the assumption that most people with slower machines can crank
it back down if they so desire).

X?  oh, ick.  It will work, but you may need the XF3 support, as a lot of
old, 486-vintage video chips haven't been ported to X.org.  If you need to
use the XF3 servers, you will be out of luck starting with OpenBSD v4.2,
as (hopefully) we will have switched to Xenocara, and probably drop XF3
support.

I believe at some point, it was indicated that this 486 is or may be the
OP's first OpenBSD experience.  If that is true, I'd highly recommend a
better machine to get your feet wet with.  OpenBSD will run better on a
486 than just about any other popular OS now, but the 486 will take a
long time to install, and you shouldn't make the assumption that your
first install will actually be your final install.  Installing on a 486
is for someone with enough experience that the first install ends up
being the final install; you don't want to learn too many lessons the
hard way on a 486.

MY recommendation for minimum HW for OpenBSD for a first-timer would be
a Pentium, 100MHz or better, 32M RAM or better.  If you want X, I'd bump
that up to a P200, 64M RAM or better.  Again, it isn't that it won't run
on slower machines, it is just that you will skip important steps in the
learning process if your machine is too slow.

Keep in mind, some wickedly fast (for OpenBSD) machines are probably
sitting out at your neighbor's curb on trash day (my best find so far was
a 733MHz PIII w/256M RAM and a 30G HD).  I'm suspecting Vista upgrades
are gonna be putting a lot of otherwise fine machines out on curbs soon.

Nick.



GRE over IPsec

2007-03-25 Thread Chris Jones
Hey all,

I know that it's possible to run GRE over an IPsec tunnel but I am
wondering if anyone here has seen some good documentation (besides the man
pages) or a howto on setting this up. I'm trying to config my OpenBSD
4.0 firewall to interop with a route-based VPN network with a mix of
Fortigate and Netscreen firewalls. Fortigates and Netscreens both use GRE
interfaces as tunnel interfaces when creating route-based VPN tunnels. Right
now all endpoints are using un-numbered (0.0.0.0/0) GRE interfaces and so I
would like to use a similar configuration on the OpenBSD side but I am just
wondering how to accomplish this as I am uncertain how to bind the GRE
interface to a tunnel.

Right now I have a hub-and-spoke VPN network using static routes to route
traffic across the VPN. Each spoke endpoint has a static destination route
of 10.1.0.0/16 which is sent over GRE interface. The only exception to the
hub-and-spoke VPN is my OpenBSD firewall which I have to create VPN tunnels
to every spoke network I need access to (quite painful). On my OpenBSD box
I would like to be able to use a single static destination route of
10.1.0.0/16 to send this traffic over a GRE interface to get to the rest of
the VPN network. Here's a snippet of the hub-and-spoke VPN network:

1.1.1.1

OpenBSD
10.1.1.0/24

|
|
|
|
2.2.2.2

Fortigate (Hub)
10.1.2.0/24

|
|
|
|
3.3.3.3

Juniper
10.1.3.0/24


Thanks in advance for your help.

Cheers,
-Chris



Re: GRE over IPsec

2007-03-25 Thread Brian A. Seklecki
I ran into some kernel panics (watchdog reset) with GRE + ESP/Transport
(or ESP+GRE) back in the day.  It was related to MTU assumptions etc.
There was a sendbug(8) related to it.   Google seklecki gre ipsec
openbsd

http://archives.neohapsis.com/archives/openbsd/2006-01/0623.html

etc...


On Sun, 2007-03-25 at 09:55 -0700, Chris Jones wrote:
 Hey all,
 
 I know that it's possible to run GRE over an IPsec tunnel but I am
 wondering if anyone here has seen some good documentation (besides the man
 pages) or a howto on setting this up. I'm trying to config my OpenBSD
 4.0 firewall to interop with a route-based VPN network with a mix of
 Fortigate and Netscreen firewalls. Fortigates and Netscreens both use GRE
 interfaces as tunnel interfaces when creating route-based VPN tunnels. Right
 now all endpoints are using un-numbered (0.0.0.0/0) GRE interfaces and so I
 would like to use a similar configuration on the OpenBSD side but I am just
 wondering how to accomplish this as I am uncertain how to bind the GRE
 interface to a tunnel.
 
 Right now I have a hub-and-spoke VPN network using static routes to route
 traffic across the VPN. Each spoke endpoint has a static destination route
 of 10.1.0.0/16 which is sent over GRE interface. The only exception to the
 hub-and-spoke VPN is my OpenBSD firewall which I have to create VPN tunnels
 to every spoke network I need access to (quite painful). On my OpenBSD box
 I would like to be able to use a single static destination route of
 10.1.0.0/16 to send this traffic over a GRE interface to get to the rest of
 the VPN network. Here's a snippet of the hub-and-spoke VPN network:
 
 1.1.1.1
 
 OpenBSD
 10.1.1.0/24
 
 |
 |
 |
 |
 2.2.2.2
 
 Fortigate (Hub)
 10.1.2.0/24
 
 |
 |
 |
 |
 3.3.3.3
 
 Juniper
 10.1.3.0/24
 
 
 Thanks in advance for your help.
 
 Cheers,
 -Chris
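
Putting Chris's question and Brian's MTU warning together, here is an added example (not configuration from the thread, from OpenBSD's manuals or from the Fortigate side) of GRE over ESP between the OpenBSD box at 1.1.1.1 and the hub at 2.2.2.2 from the diagram above. The /30 tunnel addresses, the NIC name sis0, the MTU and the pre-shared key are assumptions, and so is the exact ipsec.conf keyword order; the example uses a numbered /30 on gre0 rather than trying to mirror the un-numbered interfaces on the other vendors. Check gre(4), hostname.if(5) and ipsec.conf(5) for the release you run, since keywords moved between releases.

```conf
# /etc/sysctl.conf -- GRE is off by default; enable only what is needed
net.inet.gre.allow=1
net.inet.ip.forwarding=1

# /etc/hostname.gre0 -- tunnel endpoints are the public addresses; the
# inside /30 is what the static route points at.  MTU is lowered so
# GRE+ESP overhead does not force fragmentation (Brian's panic above
# was in this area), 1400 is an assumed safe value for a 1500 path
inet 10.255.0.1 255.255.255.252 10.255.0.2
tunnel 1.1.1.1 2.2.2.2
mtu 1400
up
# the hub-and-spoke summary route goes over the tunnel
!route add -net 10.1.0.0/16 10.255.0.2

# /etc/ipsec.conf -- protect only GRE (IP proto 47) between the two
# endpoints, in transport mode; assumed syntax, verify against ipsec.conf(5)
ike esp transport proto gre from 1.1.1.1 to 2.2.2.2 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk "replace-with-a-long-random-secret"

# /etc/pf.conf fragment -- let IKE and ESP in from the hub, accept GRE
# only after it has been decapsulated (it then appears on enc0), and never
# accept plaintext GRE on the outside interface
ext_if = "sis0"
pass in on $ext_if proto esp from 2.2.2.2 to 1.1.1.1
pass in on $ext_if proto udp from 2.2.2.2 to 1.1.1.1 port { 500, 4500 }
block in on $ext_if proto gre
pass in on enc0 proto gre from 2.2.2.2 to 1.1.1.1
# traffic from the rest of the VPN arrives on gre0; filter it like any LAN
pass in on gre0 from 10.1.0.0/16 to 10.1.1.0/24 keep state
```

After `ipsecctl -f /etc/ipsec.conf` and `sh /etc/netstart gre0`, `ipsecctl -sa` should show the GRE flows and `tcpdump -ni sis0 proto gre` on the outside should stay silent: if GRE shows up there in the clear, the flows did not match and the block rule is the only thing saving you.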



Re: Routing on one NIC?

2007-03-25 Thread J.C. Roberts
On Sunday 25 March 2007 09:27, Jason Dixon wrote:
 On Mar 25, 2007, at 12:21 PM, J.C. Roberts wrote:
  On Sunday 25 March 2007 08:41, Jason Dixon wrote:
  On Mar 25, 2007, at 11:24 AM, bofh wrote:
  On 3/25/07, Jason Dixon [EMAIL PROTECTED] wrote:
  Disabling DTP, which should be done anyways, will prevent VLAN
  hopping.  I'm not sure what arp-based thing you're referring
  to that wasn't fixed 5-6 years ago.  Perhaps you're referring to
  arp spoofing, which has nothing to do with VLANs.  Please
  clarify.
 
  My point was that there may be future vulnerabilities, and it may
  be a good idea to keep that in mind for the original poster's
  designs.
 
  There may also be future vulnerabilities in physical ethernet. 
  Guess you'd better unplug now!  ;-)
 
  Future? -Nope. It's been already done.
 
  http://www.wired.com/news/technology/0,70619-0.html
  http://www.wired.com/news/technology/1,70908-0.html
 
  Though the example is not formally ethernet, physical access to
  the tubes still means you should consider yourself 0wnd.
 
  But bofh is kinda right, arp-cache poisoning (possibly the thing
  he was talking about?) is really very interesting.

 The topic was in regards to VLAN security.  Arp-cache poisoning, or
 spoofing (as I already mentioned) has nothing to do with VLANs.
 Unless either of you have anything relevant to add with regards to
 the OP's question about single-homed routing, I suggest we move on.

 Thanks,


Strange... ? -As far as I know, arp-cache poisoning and spoofing are 
still relevant even in VLANs (see below), and single homed routing 
might compound the known problems, so the OP should do a bit of reading 
before accepting VLANs as an answer.

Title: VLAN Security Guidelines
http://www.corecom.com/external/livesecurity/vlansec.htm
[QUOTE]
VLAN switch configurations and deployments have been vulnerable to a 
number of spoofing and man-in-the-middle attacks. The most well known 
exploits include the following. (Links at the end of this article lead 
to detailed descriptions.)

* MAC address spoofing
* VLAN tag spoofing (where the attack computer falsely identifies  
  itself as a member of a VLAN by spoofing the IEEE 802.1q tag )
* ARP cache poisoning
* Connection hijacking following a successful ARP attack (see HUNT)
[/QUOTE]

The sad part is even if all such issues have been addressed in OpenBSD, 
the attacker would go just after the switch which is probably not 
running the latest and greatest firmware (assuming the vendor has 
bothered to fix the issues and is still offering support for the 
device and the admin has bothered to install it). There are probably 
other ways to attack it...

Can we use OpenBSD to get around the vulnerable switch problem? How?

(Hark! -I think I hear the infamous wooshing sound of a quickly 
approaching clue stick)

Since you know real world usage of VLANs far better than most (and 
certainly better than me), your insights on using OpenBSD to properly 
secure VLANs seem totally MetaBUGable!

kind regards,
jcr



Re: Routing on one NIC?

2007-03-25 Thread Jason Dixon

On Mar 25, 2007, at 1:44 PM, J.C. Roberts wrote:


On Sunday 25 March 2007 09:27, Jason Dixon wrote:


The topic was in regards to VLAN security.  Arp-cache poisoning, or
spoofing (as I already mentioned) has nothing to do with VLANs.
Unless either of you have anything relevant to add with regards to
the OP's question about single-homed routing, I suggest we move on.


Strange... ? -As far as I know, arp-cache poisoning and spoofing are
still relevant even in VLANs (see below), and single homed routing
might compound the known problems, so the OP should do a bit of
reading before accepting VLANs as an answer.

Title: VLAN Security Guidelines
http://www.corecom.com/external/livesecurity/vlansec.htm
[QUOTE]
VLAN switch configurations and deployments have been vulnerable to a
number of spoofing and man-in-the-middle attacks. The most well known
exploits include the following. (Links at the end of this article lead
to detailed descriptions.)

* MAC address spoofing


A LAN-only attack where the hijacker impersonates the victim and  
gateway by poisoning the switch and victim arp caches.  This requires  
the target to exist on the same logical/physical segment, since we  
all know arp is non-routable.  This can be mitigated, at least on the  
switch, through ARP inspection.



* VLAN tag spoofing (where the attack computer falsely identifies
  itself as a member of a VLAN by spoofing the IEEE 802.1q tag )


This is the VLAN hopping I referred to earlier.  It is an old attack  
used to force a misconfigured switch into trunk mode, and easily  
thwarted by disabling DTP.



* ARP cache poisoning


See above.

* Connection hijacking following a successful ARP attack (see HUNT)
[/QUOTE]


See above.

The sad part is even if all such issues have been addressed in OpenBSD,

the attacker would go just after the switch which is probably not
running the latest and greatest firmware (assuming the vendor has
bothered to fix the issues and is still offering support for the
device and the admin has bothered to install it). There are probably
other ways to attack it...

Can we use OpenBSD to get around the vulnerable switch problem? How?


None of these issues have anything to do with OpenBSD.  I'm not an  
expert on non-Cisco switch features (and hardly an expert at that),  
but these are all old attacks that should be manageable with modern  
switches (i.e. anything newer than 2002).  Check your switch  
documentation to be certain.



(Hark! -I think I hear the infamous wooshing sound of a quickly
approaching clue stick)


I'm not sure of the date of this article, but it seems to cover all  
of your questions.


http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml



Since you know real world usage of VLANs far better than most (and
certainly better than me), your insights on using OpenBSD to properly
secure VLANs seem totally MetaBUGable!


VLANs really aren't the black magic most folks seem to think.  Even  
Gillian Anderson has mastered the art of packet switching.


http://www.routergod.com/gilliananderson/
http://www.routergod.com/gilliananderson/part2.html

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
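As an added illustration of the switch-side ARP inspection Jason mentions (this is example code written for this archive, not anything from the thread or from OpenBSD): the inspector below checks constructed ARP replies against a trusted IP-to-MAC binding table, the way a switch with DHCP snooping does, drops replies that contradict it, and separately flags one MAC answering for both the gateway and another host, which is the victim-plus-gateway poisoning pattern described above. All addresses, MACs and port names are constructed sample values.

```python
"""Added example, not code from the thread: a small ARP-reply inspector in the
spirit of switch-side dynamic ARP inspection (and of arpwatch).

Replies are validated against a trusted ip -> mac binding table; a mismatch is
dropped and logged. A second, binding-independent heuristic reports a MAC that
answers for the gateway address and for some other host, i.e. the pattern of a
host poisoning both ends of a conversation. All values are constructed.
"""
from collections import defaultdict

# Constructed trusted bindings for the sample segment (gateway assumed to be .1).
GATEWAY_IP = "10.1.1.1"
TRUSTED_BINDINGS = {
    "10.1.1.1":  "00:11:22:33:44:01",
    "10.1.1.20": "00:11:22:33:44:20",
    "10.1.1.30": "00:11:22:33:44:30",
}

# Constructed ARP replies as (sender_ip, sender_mac, ingress_port).
SAMPLE_REPLIES = [
    ("10.1.1.1",  "00:11:22:33:44:01", "port1"),
    ("10.1.1.20", "00:11:22:33:44:20", "port5"),
    ("10.1.1.1",  "00:11:22:33:44:30", "port7"),   # .30's MAC answers for the gateway
    ("10.1.1.20", "00:11:22:33:44:30", "port7"),   # ...and for .20: both ends poisoned
    ("10.1.1.30", "00:11:22:33:44:30", "port7"),   # .30's own, legitimate binding
]


class ArpInspector:
    def __init__(self, trusted, gateway_ip):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.gateway_ip = gateway_ip
        self.claims = defaultdict(set)   # mac -> set of IPs it has answered for
        self.flagged = set()             # MACs already reported as gateway impersonators
        self.alerts = []

    def inspect(self, sender_ip, sender_mac, port):
        """Return 'accept' or 'drop' for one ARP reply and record any alerts."""
        mac = sender_mac.lower()
        verdict = "accept"

        # Dynamic ARP inspection: the (ip, mac) pair must match the binding table.
        # An IP with no binding at all is accepted here; a stricter policy would
        # drop it on untrusted ports.
        expected = self.trusted.get(sender_ip)
        if expected is not None and expected != mac:
            verdict = "drop"
            self.alerts.append(
                f"binding mismatch: {sender_ip} claimed by {mac} on {port}, "
                f"expected {expected}")

        # Heuristic for a host poisoning both victim and gateway entries:
        # one MAC answering for the gateway *and* for another address.
        self.claims[mac].add(sender_ip)
        claimed = self.claims[mac]
        if (self.gateway_ip in claimed and len(claimed) > 1
                and mac not in self.flagged):
            self.flagged.add(mac)
            self.alerts.append(
                f"gateway impersonation: {mac} on {port} answers for "
                f"{sorted(claimed)}")
        return verdict

    def run(self, replies):
        return [self.inspect(ip, mac, port) for ip, mac, port in replies]


def inspect_sample():
    """Run the constructed replies; returns (verdicts, alerts)."""
    insp = ArpInspector(TRUSTED_BINDINGS, GATEWAY_IP)
    verdicts = insp.run(SAMPLE_REPLIES)
    return verdicts, insp.alerts


if __name__ == "__main__":
    verdicts, alerts = inspect_sample()
    for reply, verdict in zip(SAMPLE_REPLIES, verdicts):
        print(verdict, reply)
    for alert in alerts:
        print("ALERT:", alert)
```

The binding-table check is what a switch's ARP inspection does and needs a trustworthy source of bindings (DHCP snooping or static entries); the second heuristic is what a passive monitor such as arpwatch can do on a mirror port without any binding table, which is the only option when the switch itself is the old, unpatched device J.C. worries about.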



Re: Convergence time with carp(4)

2007-03-25 Thread Jeremie Le Hen
Marco,

Thank you for your reply.

On Sun, Mar 25, 2007 at 12:52:18PM +0200, Marco Pfatschbacher wrote:
 On Fri, Mar 23, 2007 at 04:35:31PM +0100, Jeremie Le Hen wrote:
 [...]
  - We are using stock OpenBSD 4.0 for our test.
 [...]
  Without running ifconfig(8) too often, the convergence time is a
  few seconds but we managed to increase the delay up to 2 minutes
  with this trick.
  
 This is fixed in 4.0-stable, which you really should be using.
  (see http://www.openbsd.org/errata40.html#m_dup1).
 
 Either update via CVS or apply this patch:
 http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6.c.diff?r1=1.68&r2=1.68.2.1

Thank you for this information.  I'm using stock 4.0 release for
testing purpose and I don't intend to use it in production.

 Btw, you might consider using ifstated(8)
 instead of scripting sth w/ ifconfig(8).

I don't understand what you are saying here.  I explicitly showed
the commands which can lead to my setup.  They are usually handled
by netstart(8) and hostname.if(5).

Moreover, I don't really see the point in using ifstated(8).  As far
as I understand, net.inet.carp.preempt matches the problem by
raising advskew to 240 on all carp(4) interfaces whenever there is a
failure.  ifstated(8) would be useful if I had to run something
upon state change.  Am I wrong?

Best regards,
-- 
Jeremie Le Hen
 jeremie at le-hen dot org  ttz at chchile dot org 



Interesting tangent to Routing on one NIC?

2007-03-25 Thread Jason Dixon
On Thursday and Friday I participated as part of the Firewall/IPS  
team for Shmoocon Labs (https://www.shmoocon.org/labs.html).  The  
organizers brought in a Cisco ASA to handle the firewalling duties;   
needless to say, I was disappointed although not entirely surprised.   
While they struggled for a couple hours to get the most recent  
patches installed for IOS and the IPS module, I spent all of 15  
minutes configuring OpenBSD/macppc -current on my PowerBook G4 to act  
as a single-homed routing gateway for 10 conference VLAN networks.


It never got to see production, but it was a fun exercise  
nonetheless.  Thanks OpenBSD. :)


P.S.  We really need more *BSD attendees at Shmoocon.  If you're  
remotely interested in security, and I would assume most folks using  
OpenBSD are, you should really come out next year.  Besides myself  
and Mike Erdely, I ran into Ray Lai (OpenBSD dev), Dan Langille  
(FreeBSD user), and Bruce Potter (OpenBSD user).  I also met a  
handful of members from kaos.theory, some of whom are BSD advocates.   
Needless to say, we were far outnumbered by Windows and Linux fanbois.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: No Blob without Puffy

2007-03-25 Thread Karel Kulhavy
On Mon, Mar 19, 2007 at 07:52:35PM -0600, Tony Abernethy wrote:
 Lars D. Nooden wrote:
 
  On Mon, 19 Mar 2007, Dave Anderson wrote:
   You've left out the extremely important fact that many vendors
   interpret acceptance of blobs by any free OS as validating their
   position of not releasing adequate documentation -- so accepting blobs
   (even when there's no other choice) actively harms the anti-blob
   campaign.
 
  It harms more than just the campaign, it harms anyone wanting to maintain
  a modicum of options further down the road in regards to hardware
  lifecycles, operating system and kernel lifecycles, and last but not least
  security.
 
  One anecdote regarding insecurity of mysterious binaries / BLOBs:
  A local privilege escalation has been known to exist, unfixed, for several
  years in nvidia's binary drivers:
  http://lwn.net/Articles/204541/
 
  However, if you can't audit (and subsequently compile) all the code,
  including the applications, libraries, compilers and OS, then you've got
  nothing secure and nothing that can be made secure - regardless of
  anecdotes, no amount of assurances, claims, hand waving, shouting, smoke,
  noise etc. from vendors.  Don't take my word for it, read what the ACM had
  to say about it:
  http://www.acm.org/classics/sep95/
 
  But it's not just 'security' that is at risk.  The lifecycle of both the
  operating system/kernel and the hardware that rely on the continued
  availability of the BLOBs become dependent on the BLOBs producers.  Those
  are groups which may or may not continue to have interests and motivations
  which overlap yours.  If your hardware or system needs a BLOB to run, then
  the BLOB-maker has you on a leash.
 
  Endorsing BLOBs puts *all* hardware, systems, and security at risk through
  active effort, which is reprehensible.  To have one system accepting them,
  makes it all that much harder to keep them off.  Think digital scab.
 
  Tolerating BLOBs or failing to eliminate BLOBs, are simply balless passive
  means of putting the above at risk.  To put it another way, it's possible
  to gain control (political, economical, technical) of systems that get
  locked into BLOBs either passively or actively and encroachment into one
  system/distro can be used to marginalize the others.
 
 I lurk on this list and occasionally kibbitz.
 Various effects make OpenBSD a very efficient leading indicator.
 It works essentially thus. If the hardware gives OpenBSD trouble, it will
 tend to give everybody else trouble sooner or later.
 OpenBSD just finds out earlier.

The same goes for software. Compiling and running on OpenBSD seems to be one
method of finding bugs in programs, along with Electric Fence etc.

CL



Re: Routing on one NIC?

2007-03-25 Thread J.C. Roberts
On Sunday 25 March 2007 11:09, Jason Dixon wrote:
  (Hark! -I think I hear the infamous wooshing sound of a quickly
  approaching clue stick)

 I'm not sure of the date of this article, but it seems to cover all  
 of your questions.

 http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml


Excellent! Thanks Jason.

  Since you know real world usage of VLANs far better than most (and
  certainly better than me), your insights on using OpenBSD to
  properly secure VLANs seem totally MetaBUGable!

 VLANs really aren't the black magic most folks seem to think.  Even  
 Gillian Anderson has mastered the art of packet switching.

 http://www.routergod.com/gilliananderson/
 http://www.routergod.com/gilliananderson/part2.html

Now that was *really* unfair -you know I'm a sucker for redheads. :-)

jcr



Re: No Blob without Puffy

2007-03-25 Thread Karel Kulhavy
On Tue, Mar 20, 2007 at 12:43:06AM -0400, Daniel Ouellet wrote:

 
 Tell me, would you let Microsoft for example, access your servers to see 
 if they work well? I don't think so. But again, you might already do 
 that via BLOB. You just don't know.

Interesting story about a security breach.

Did this ever happen with a firmware for a wireless chipset? Or directly in the
wireless chip? Or, even funnier, in the CPU or the northbridge? Technically
it's definitely possible.

CL



Re: Interesting tangent to Routing on one NIC?

2007-03-25 Thread Jason Dixon

On Mar 25, 2007, at 2:28 PM, Jason Dixon wrote:

P.S.  We really need more *BSD attendees at Shmoocon.  If you're  
remotely interested in security, and I would assume most folks  
using OpenBSD are, you should really come out next year.  Besides  
myself and Mike Erdely, I ran into Ray Lai (OpenBSD dev), Dan  
Langille (FreeBSD user), and Bruce Potter (OpenBSD user).  I also  
met a handful of members from kaos.theory, some of whom are BSD  
advocates.  Needless to say, we were far outnumbered by Windows and  
Linux fanbois.


Oops, I almost forgot about Todd C. Miller.  Sorry [EMAIL PROTECTED]  :)

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: No Blob without Puffy

2007-03-25 Thread Karel Kulhavy
On Tue, Mar 20, 2007 at 10:03:14AM -0400, Dan Farrell wrote:
 I second that.
 
 danno
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
 Of chefren
 Sent: Monday, March 19, 2007 7:34 PM
 To: misc@openbsd.org
 Subject: Re: No Blob without Puffy
 
 On 3/19/07 4:48 PM, Marco Peereboom wrote:
  You are so uninformed that it isn't even funny to pick on you.
 
 Karel clocks on the wrong edge and is by far the worst educated
 asocial asshole I have met on this list.

Easy man, you need to get laid.

CL
 
 +++chefren



Re: Is OpenBSD good/best for my 486?

2007-03-25 Thread Shawn K. Quinn
On Sun, 2007-03-25 at 12:44 -0400, Nick Holland wrote:
 32M is at a point where if it isn't enough, you need a better
 machine. Tweaking the kernel to make it run better in 32M
 is just perfume on the pig.  If that's what you need to do,
 get a less smelly pig.

Wow, I guess back in the day, I had one great smelling pig, then (at
least my mom didn't complain that it stunk up the place). Replacing the
box wasn't really an option at the time, and the 100 MHz Pentium with a
mere 32M of RAM worked admirably right up until the hard disk finally
gave up the ghost. (The same role is now filled by a 600 MHz Athlon with
128M of RAM, which of course is way overkill for a basic firewall/router
with Squid, but the only box I have not otherwise occupied.)

-- 
Shawn K. Quinn [EMAIL PROTECTED]



Re: Installing Skype

2007-03-25 Thread Karel Kulhavy
On Fri, Mar 23, 2007 at 12:03:54PM -0700, J.C. Roberts wrote:
 On Friday 23 March 2007 11:35, Tobias Weisserth wrote:
  On Mar 23, 2007, at 6:24 PM, Rafael Morales wrote:
   I need the shared library libasound.so.2, anybody
   could send to me ???, I don't have a linux box here.
 
  I need my box rooted, can anybody please send me a trojaned binary  
  library I have to trust blindly?
 
 Tobias,
 
 You telling the above good advice to someone, Rafael, who is *already*
 trying to install a trojaned binary (skype) on their OpenBSD system.
 
 Skype is dangerous. Periord. End of discussion.

Fortunately, when someone writes end of discussion, the discussion actually
doesn't have to end, as you are seeing right now. Here is a bibliography that
supports the claim better than a proclamation Periord.

http://blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
See page 104 which seems to claim that there is an arithmetic overflow in
skype. Even a screenshot of cracked system is supplied. Though, it's not
difficult to fabricate such a screenshot with GIMP ;-)

CL

 
 If anyone doesn't believe the above statement of fact, they have only
 two possible ways to prove or disprove it:
 
 1.) Have the many months of time and highly advanced reverse engineering
 skills necessary to fully audit the skype binaries including getting
 around their executable packing, morphing, validation, anti-debugging
 and other nasty ways of preventing much needed auditing and analysis.
 
 __OR__
 
 2.) Just read the damn skype license which requires you to agree to let
 your system and bandwidth be used for any known or unknown purposes
 that eBay/Skype wants.
 
 jcr



Re: Installing Skype

2007-03-25 Thread Karel Kulhavy
On Fri, Mar 23, 2007 at 03:26:25PM -0700, J.C. Roberts wrote:
 On Friday 23 March 2007 12:13, Tobias Weisserth wrote:
   From the emails in this thread we know he needs it for work, so he  
  hasn't really got a choice. There's no other client to the Skype  
  network. Maybe there's a way to lockin Skype in systrace. On openSUSE
I locked Skype in with AppArmor for my parents. If you need to talk
  to people on Skype you don't really have a choice.
 
 Well, it might not work for everyone but I took a different approach to
 solving the skype problem. I decided to be a prick and require people
 using Skype to have a standard phone number via SkypeIn. Being locked
 into the insecure, proprietary skype world is really their problem and
 I refuse to join them.
 
 Once you have a standard way to contact the skype user via a normal
 phone number, then you are free to deploy and use whatever you want on
 your end to reduce your costs...
 
 -http://www.asterisk.org/
Tried on OpenBSD, doesn't work.
 -http://www.openwengo.com/
Tried on OpenBSD, doesn't work.
 -http://www.gizmoproject.com/
Tried on OpenBSD, doesn't work.

The guy wants it on OpenBSD.

CL
 -http://www.google.com/talk/  (supposedly SIP soon -see link below)
 -http://code.google.com/apis/talk/open_communications.html
 -whatever
 -long distance plan on your cell phone
 -and surprisingly enough, even your PTSN land line
 
 The above should be enough to make anyone wonder if they actually *need*
 skype at all but if someone decides to use and pay for skype, then it's
 their responsibility to become compatible with the rest of the world.
 
 jcr



Re: Postfix flavour for PostgreSQL ?

2007-03-25 Thread Peter Matulis

From: Bryan Irvine [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Peter [EMAIL PROTECTED]
CC: misc@openbsd.org
Subject: Re: Postfix flavour for PostgreSQL ?
Date: Sat, 24 Mar 2007 00:56:26 -0700

On 3/23/07, Peter [EMAIL PROTECTED] wrote:
I see there is a postfix flavour for mysql but not for postgresql.  Is this
combination used much?  I already have a PGSQL server and I want to plug
postfix into it for virtual mailbox domains.


You get 2 minutes in the penalty box. ;)

There is a pgsql flavor.  I don't see a binary package, so you will
need to compile it from the ports tree.


I guess I should have mentioned I was looking for a package.

Will do (compile).

And thanks to Ted for his explicit answer.

Pedro



Re: Installing Skype

2007-03-25 Thread Joachim Schipper
On Sun, Mar 25, 2007 at 09:48:35PM +0200, Karel Kulhavy wrote:
 On Fri, Mar 23, 2007 at 03:26:25PM -0700, J.C. Roberts wrote:
  On Friday 23 March 2007 12:13, Tobias Weisserth wrote:
From the emails in this thread we know he needs it for work, so he  
   hasn't really got a choice. There's no other client to the Skype  
   network. Maybe there's a way to lockin Skype in systrace. On openSUSE
 I locked Skype in with AppArmor for my parents. If you need to talk
   to people on Skype you don't really have a choice.
  
  Well, it might not work for everyone but I took a different approach to
  solving the skype problem. I decided to be a prick and require people
  using Skype to have a standard phone number via SkypeIn. Being locked
  into the insecure, proprietary skype world is really their problem and
  I refuse to join them.
  
  Once you have a standard way to contact the skype user via a normal
  phone number, then you are free to deploy and use whatever you want on
  your end to reduce your costs...
  
  -http://www.asterisk.org/
 Tried on OpenBSD, doesn't work.

Then you did something wrong, as there's a port.

  -http://www.openwengo.com/
 Tried on OpenBSD, doesn't work.
  -http://www.gizmoproject.com/
 Tried on OpenBSD, doesn't work.

No idea whether or not those work.

Joachim



Re: OpenNTPD reliability

2007-03-25 Thread Luca Corti
On Fri, 2007-03-23 at 15:14 -0600, Shane Harbour wrote:
 Look at the -S option and see if that's what you want.

I think you mean -s. Yes I use it but still the clients report they
won't sync because of the server not being synced.

ciao

Luca



Re: OpenNTPD reliability

2007-03-25 Thread Shane Harbour
My apologies...you are right.  Wasn't paying attention.  I use -s on 
all of my servers to keep them updated.  I hate having them off by a lot 
and am too impatient to wait for them to slowly sync themselves.


Regards,
Shane

Luca Corti wrote:

On Fri, 2007-03-23 at 15:14 -0600, Shane Harbour wrote:
  

Look at the -S option and see if that's what you want.



I think you mean -s. Yes I use it but still the clients report they
won't sync because of the server not being synced.

ciao

Luca




Re: OpenNTPD reliability

2007-03-25 Thread Darrin Chandler
On Sun, Mar 25, 2007 at 10:54:55PM +0200, Luca Corti wrote:
 On Fri, 2007-03-23 at 15:14 -0600, Shane Harbour wrote:
  Look at the -S option and see if that's what you want.
 
 I think you mean -s. Yes I use it but still the clients report they
 won't sync because of the server not being synced.

Have you measured the time from ntpd startup until it logs `clock is now
synced' in the log? On the same machine, I see anywhere from 10 minutes
to about 1 hour. In normal cases, machines acting as time servers are
always on. If it takes less than an hour for ntpd to sync, and then it's
up for months at a time then there's little problem.

If you want to turn on a computer and have it fetch some times from the
network and report that it's synced... well, that's not accurate. A big,
full-blown, complex thing like xntpd won't do it, either.

If you don't really care what time it is, but want all your local
computers to have the same time (or very, very close) there are other
ways such as timed(8). Then you can have a computer using ntpd, and
synced or not it can be a timed master for your network.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: Does anyone know a good file manager for OpenBSD?

2007-03-25 Thread L. V. Lammert
On Sun, 25 Mar 2007, Nick ! wrote:

 On 3/24/07, Ted Unangst [EMAIL PROTECTED] wrote:
  On 3/21/07, Paul Irofti [EMAIL PROTECTED] wrote:
 - the fact that ftp can handle http makes me ponder what happened to
 the KISS principle?
 
  ftp is very simple.  there are files on the internet.  i want them on
  my computer.  ftp puts them there.  how much simpler can it be? :)


If' you're running on a command line, Midnight Commander (in packages) is
also a good choice.

Lee


  Leland V. Lammert[EMAIL PROTECTED]
Chief Scientist Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net




Re: Installing Skype

2007-03-25 Thread Adam Hawes
After all this talk about blob-only software... Skype is absolute
proof of why we shouldn't have blob-only software.  The recent
hoo-ha about it grabbing BIOS dumps and sending them back to the
servers on X86 machines really shows that software can do nasty
things.  Nobody even noticed because they do it very discreetly.

  -http://www.asterisk.org/
 Tried on OpenBSD, doesn't work.

Not only is there a port, but there was some banter on this list
from people who have it working on OpenBSD just last week!

  -http://www.openwengo.com/
 Tried on OpenBSD, doesn't work.

The secret sauce is available for browsing so it wouldn't be that
hard to port.  I am gathering it's mostly the audio interface
that differs between Linux and BSD.

  -http://www.gizmoproject.com/
 Tried on OpenBSD, doesn't work.

I see not the sauce for Gizmo anywhere.

http://www.freeworlddialup.com is free, and standards compliant
so you can use any SIP-compatible soft or hard-phone.  The only
thing they're really missing is callout/in, and even then they
have a project in the works for that.

Regards,
A



Re: No Blob without Puffy

2007-03-25 Thread Nick !

On 3/25/07, Karel Kulhavy [EMAIL PROTECTED] wrote:

On Tue, Mar 20, 2007 at 10:03:14AM -0400, Dan Farrell wrote:
 On 3/19/07 4:48 PM, Marco Peereboom wrote:
  You are so uninformed that it isn't even funny to pick on you.

 Karel clocks on the wrong edge and is by far the worst educated
 asocial asshole I have met on this list.

Easy man, you need to get laid.



Easy man, you were chastised, you ran away for a week, now you're
back. There's no need to make stupid (and this really is stupid, and
inane, and couldn't-you-do-any-better) insults. Just go back to asking
and helping people like everyone else and you'll be fine.

-Nick



dovecot SASL + sendmail

2007-03-25 Thread Jacob Yocom-Piatt
i'm to understand there are some folks here who use dovecot. i've got 
dovecot's SASL authentication socket working fine with postfix so that 
there's no need to maintain a separate set of SASL passwords for the 
users on one of the mailservers i maintain. a new setup i'm working on 
uses sendmail in place of postfix and it would be nice if the same 
dovecot SASL authentication worked for sendmail so there is only 1 place 
i need to change passwords.


does anybody have this working? clues appreciated, else i have to 
maintain 2 databases for logins (dovecot and usual SASL for relaying).


cheers,
jake

--



Re: OpenBGPD MIB

2007-03-25 Thread Sylwester S. Biernacki
On Sunday, March 25, 2007, at 15:40:18, Claudio Jeker wrote:

 You should create a port or net-snmp flavor of these changes. I even have
 some dirty diffs to have a terse bgpctl output usable to feed into
 rrdtool. I should clean them up a bit and commit it.

Hello Claudio,

  I've talked about your response with my friends, and I've almost
  won (my bet was that you were working on that :P).

  If you have anything we can test and write/modify/add to your tools
  we are ready to work on it :-)

-- 
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/



Re: GRE over IPsec

2007-03-25 Thread Sylwester S. Biernacki
On Sunday, March 25, 2007, at 18:55:31, Chris Jones wrote:

 Hey all,

 I know that it's possible to run GRE over and IPsec tunnel but I am
 wondering if anyone here has seen some good documentation (besides the man
 pages) or a howto on setting this up. I'm trying to config my OpenBSD
 4.0 firewall to interop with a route-based VPN network with a mix of
 Fortigate and Netscreen firewalls. Fortigates and Netscreens both use
 GRE interfaces as
 tunnel interfaces when creating route-based VPN tunnels. Right now all
 endpoints are using un-numbered (0.0.0.0/0) GRE interfaces and so I would
 like to use a similar configuration on the OpenBSD side but I am just
 wondering how to accomplish this as I am uncertain how to bind the GRE
 interface to a tunnel.

Hello Chris,

  GRE is standard and works in OpenBSD as RFC says ;-)

  When I was running a gre over ipsec tunnel between two openbsd boxes
  (OpenBSD 3.8 or sth like that) it worked without any problems,
  and it still works now, so here is an example from the config of that
  machine (ip changed):
  
vpn1# cat /etc/hostname.gre0
1.1.1.1 2.2.2.2 netmask 0x carp0
!ifconfig gre0 tunnel 1.1.1.1 2.2.2.2
!route add -inet 192.168.1.0/24 2.2.2.2

  few things you should be aware of:
  a) sysctl.conf (net.inet.gre.allow=1, net.inet.ip.mtudisc=1)
  b) MTU - gre is taking 24 bytes from frame (i.e. 1476 from 1500
 bytes)
  c) IPSec uses DF bit - if you forget about that you can get
     into windowing problem (ethernet uses 1500 bytes and can't be
     split into fragments because of don't fragment bit)
  d) use different ip address space for your vpn-routers/concentrators
 and for your local networks. If you get blank paper and try to draw
 that (with OSI model in mind) you will make it in a few minutes :-)

  Good luck :)
  
-- 
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/
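The MTU arithmetic behind points b) and c), worked through as an added example (this is example code written for this archive, not Sylwester's configuration or anything from OpenBSD). GRE costs 24 bytes per packet, which is where 1476 on a 1500-byte link comes from; when the GRE packet then rides inside ESP, the ESP header, IV, padding and ICV eat more, and a DF-marked packet that no longer fits cannot be fragmented. The ESP figures assume AES-128-CBC with HMAC-SHA1-96; that cipher choice is an assumption of this example, not something the post states.

```python
"""Added example, not from the post: GRE and ESP overhead on the tunnel MTU,
plus what happens to an oversized packet with and without the DF bit.

GRE overhead (24 bytes) is the figure given in the post. ESP tunnel-mode
figures assume AES-128-CBC (16-byte block and IV) with HMAC-SHA1-96 (12-byte
ICV); change the keyword arguments for other transforms.
"""

GRE_OVERHEAD = 24        # 20-byte outer IPv4 header + 4-byte GRE header (no options)


def gre_inner_mtu(link_mtu):
    """Largest packet that fits inside GRE on a link with the given MTU."""
    return link_mtu - GRE_OVERHEAD


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12, outer_ip=20):
    """On-the-wire size of an inner IP packet of inner_len bytes in ESP tunnel mode.

    Layout: [outer IP][SPI + seq 8][IV][inner packet][pad][pad len 1][next hdr 1][ICV]
    The inner packet plus the two trailer bytes is padded up to the cipher block size.
    """
    trailer = inner_len + 2
    pad = (-trailer) % block
    return outer_ip + 8 + iv_len + trailer + pad + icv_len


def max_inner_for_esp(link_mtu, **esp):
    """Largest inner packet whose ESP encapsulation still fits in link_mtu."""
    inner = link_mtu
    while inner > 0 and esp_tunnel_size(inner, **esp) > link_mtu:
        inner -= 1
    return inner


def gre_over_esp_mtu(link_mtu, **esp):
    """MTU to set on gre0 when its packets ride inside ESP over link_mtu."""
    return gre_inner_mtu(max_inner_for_esp(link_mtu, **esp))


def forward_decision(packet_len, df_set, tunnel_mtu):
    """What happens to a packet arriving at the tunnel interface.

    With net.inet.ip.mtudisc=1 the gateway answers an oversized DF packet with
    ICMP 'fragmentation needed' so the sender can shrink its packets; a packet
    without DF is simply fragmented.
    """
    if packet_len <= tunnel_mtu:
        return "forward"
    return "icmp-frag-needed" if df_set else "fragment"


if __name__ == "__main__":
    print("gre0 MTU on a 1500-byte link:", gre_inner_mtu(1500))
    print("gre0 MTU when GRE rides inside ESP:", gre_over_esp_mtu(1500))
    print("1500-byte DF packet into gre0:",
          forward_decision(1500, True, gre_inner_mtu(1500)))
```

On a 1500-byte link this gives 1476 for plain GRE and 1414 once the GRE packets are inside ESP with the assumed transform, which is why the two sysctls in point a) matter: without mtudisc the sender never learns that its 1500-byte DF packets are being dropped at the tunnel.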



Re: OpenBGPD MIB

2007-03-25 Thread Lars Hansson

Sylwester S. Biernacki wrote:


  Any chances to add that to the wishlist for next releases?


You'll have to extend net-snmp in some way for this. The easiest may be 
to just write a shell script that parses bgpctl output into a MIB. The 
more complicated way would be to write a proper extension/plugin (or 
whatever the heck net-snmp call it).


---
Lars Hansson
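Lars's "parse bgpctl output into a MIB" suggestion, sketched as an added example (written for this archive; not OpenBGPD's, net-snmp's or anyone in the thread's code). net-snmp's `pass` directive hands a subtree to an external program, which it calls as `program -g OID` for a GET and which must answer with three lines: OID, type, value. The sample text is constructed in the shape of `bgpctl show summary`, the column layout is an assumption of this example (check it against the bgpctl you run), and the base OID is a placeholder, not a registered enterprise number.

```python
"""Added example, not from the thread: serve bgpctl summary figures through
net-snmp's `pass` extension protocol.

snmpd.conf would carry something like
    pass .1.3.6.1.4.1.99999.1 /usr/local/bin/bgp-pass
and snmpd calls the program as `bgp-pass -g OID`; the reply is OID, type and
value on three lines. Column layout of the sample is assumed; the OID is a
placeholder.
"""
import sys

BASE_OID = ".1.3.6.1.4.1.99999.1"   # placeholder enterprise subtree, not a registered OID

# Constructed sample in the shape of `bgpctl show summary` output.
SAMPLE_SUMMARY = """\
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
upstream-a              65001     123456     123400     0 12w3d04h          201
upstream-b              65002       9876       9870     0 00:14:22            0
customer-c              65003          0          0     0 Never            Idle
"""


def parse_summary(text):
    """Turn summary lines into dicts. The last column is a prefix count when the
    session is established and a state name (Idle, Active, ...) otherwise."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "Neighbor":
            continue   # header, blank or unexpected line
        name, asn, rcvd, sent, outq, updown, last = fields
        established = last.isdigit()
        peers.append({
            "neighbor": name, "as": int(asn), "rcvd": int(rcvd), "sent": int(sent),
            "outq": int(outq), "updown": updown,
            "established": established,
            "prefixes": int(last) if established else 0,
            "state": "Established" if established else last,
        })
    return peers


def snmp_get(oid, peers, base=BASE_OID):
    """Answer a pass-style GET. Returns [oid, type, value] or None if unknown.

    base.1      gauge   number of established sessions
    base.2.<i>  gauge   prefixes received from peer i (1-based, bgpctl order)
    base.3.<i>  string  peer name
    base.4.<i>  integer 1 if established, 0 otherwise
    """
    if not oid.startswith(base + "."):
        return None
    parts = oid[len(base) + 1:].split(".")
    if parts == ["1"]:
        return [oid, "gauge", str(sum(p["established"] for p in peers))]
    if len(parts) == 2 and parts[1].isdigit() and 1 <= int(parts[1]) <= len(peers):
        column, peer = parts[0], peers[int(parts[1]) - 1]
        if column == "2":
            return [oid, "gauge", str(peer["prefixes"])]
        if column == "3":
            return [oid, "string", peer["neighbor"]]
        if column == "4":
            return [oid, "integer", "1" if peer["established"] else "0"]
    return None


if __name__ == "__main__":
    # Real use: replace SAMPLE_SUMMARY with the captured output of `bgpctl show summary`.
    if len(sys.argv) == 3 and sys.argv[1] == "-g":
        reply = snmp_get(sys.argv[2], parse_summary(SAMPLE_SUMMARY))
        if reply:
            print("\n".join(reply))
    else:
        for peer in parse_summary(SAMPLE_SUMMARY):
            print(peer)
```

A GETNEXT handler (`-n OID`) is needed before `snmpwalk` works on the subtree; the `pass_persist` variant avoids forking bgpctl on every poll. Whatever runs here executes as snmpd's user, so it should be a dedicated script with no shell expansion of the OID argument.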



Re: Interesting tangent to Routing on one NIC?

2007-03-25 Thread bofh

On 3/25/07, Jason Dixon [EMAIL PROTECTED] wrote:

 P.S.  We really need more *BSD attendees at Shmoocon.  If you're
 remotely interested in security, and I would assume most folks
 using OpenBSD are, you should really come out next year.  Besides
 myself and Mike Erdely, I ran into Ray Lai (OpenBSD dev), Dan
 Langille (FreeBSD user), and Bruce Potter (OpenBSD user).  I also
 met a handful of members from kaos.theory, some of whom are BSD
 advocates.  Needless to say, we were far outnumbered by Windows and
 Linux fanbois.


Hmm, I know some of the guys from kaos.theory, where was shmoocon this
year?  I should try to keep up with them.



Re: Interesting tangent to Routing on one NIC?

2007-03-25 Thread Jason Dixon

On Mar 25, 2007, at 11:34 PM, bofh wrote:


On 3/25/07, Jason Dixon [EMAIL PROTECTED] wrote:

 P.S.  We really need more *BSD attendees at Shmoocon.  If you're
 remotely interested in security, and I would assume most folks
 using OpenBSD are, you should really come out next year.  Besides
 myself and Mike Erdely, I ran into Ray Lai (OpenBSD dev), Dan
 Langille (FreeBSD user), and Bruce Potter (OpenBSD user).  I also
 met a handful of members from kaos.theory, some of whom are BSD
 advocates.  Needless to say, we were far outnumbered by Windows and
 Linux fanbois.


Hmm, I know some of the guys from kaos.theory, where was shmoocon this
year?  I should try to keep up with them.


It was at the Wardman Park Marriott in Washington, DC.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



micro atx motherboard recommendations?

2007-03-25 Thread bofh

Just looking for a recommendation on a good/cheap (but not necessarily
fast) microatx motherboard.  Or possibly, one of those via
motherboards, but needs to fit in an atx case.

Thanx in advance.



usb networking

2007-03-25 Thread chuckr
I have a Zaurus here (and arm architecture), and I use a device aue0 for
my networking.  My problem is, the usb refuses to recognize the little
bugger, about 75% of the time.  The only thing that seems to do any good
at all is to perform endless reboot cycles until the aue device is
finally recognized.  Performing endless unplug/replug cycles on the usb
cable seems to do no good at all.

Does anyone know of any way SHORT of those endless reboots to get the
usb aue device to wake up and get itself recognized?

Once it's started, it always seems to work very reliably.

Help!



Re: usb networking

2007-03-25 Thread chuckr
Theo de Raadt wrote:
 I have a Zaurus here (and arm architecture), and I use a device aue0 for
 my networking.  My problem is, the usb refuses to recognize the little
 bugger, about 75% of the time.  The only thing that seems to do any good
 at all is to perform endless reboot cycles until the aue device is
 finally recognized.  Performing endless unplug/replug cycles on the usb
 cable seems to do no good at all.

 Does anyone know of any way SHORT of those endless reboots to get the
 usb aue device to wake up and get itself recognized?
 

 If this works with a powered USB hub, then it is a result of
 insufficient USB power from the Zaurus, during the early startup time.

   
I put the usb hub out there for the single purpose of powering it.  Only
the one piece of gear on the hub, too, so need another idea.



Re: usb networking

2007-03-25 Thread Adam Hawes
  If this works with a powered USB hub, then it is a result of
  insufficient USB power from the Zaurus, during the early
 startup time.
 
 
 I put the usb hub out there for the single purpose of
 powering it.  Only
 the one piece of gear on the hub, too, so need another idea.


Are you using a powered hub or a non-powered one?  Your reply
seems a bit vague.

Hint:  If you don't plug an AC-adaptor or battery pack into
the hub then it's not powered.

A



Re: usb networking

2007-03-25 Thread Nick !

On 3/26/07, Adam Hawes [EMAIL PROTECTED] wrote:

  If this works with a powered USB hub, then it is a result of
  insufficient USB power from the Zaurus, during the early
 startup time.
 
 
 I put the usb hub out there for the single purpose of
 powering it.  Only
 the one piece of gear on the hub, too, so need another idea.


Are you using a powered hub or a non-powered one?  Your reply
seems a bit vague.

Hint:  If you don't plug an AC-adaptor or battery pack into
the hub then it's not powered.


I read it as Yes it is powered, the whole reason I have a USB hub is
for the power. This device is the only thing plugged in to it to, so
it's definitely got enough power.

-Nick



Re: micro atx motherboard recommendations?

2007-03-25 Thread Todd Alan Smith

On 3/25/07, bofh [EMAIL PROTECTED] wrote:

Just looking for a recommendation on a good/cheap (but not necessarily
fast) microatx motherboard.  Or possibly, one of those via
motherboards, but needs to fit in an atx case.

Thanx in advance.


I recently built two Windows machines for a client
using the BIOSTAR TForce 6100:

http://www.newegg.com/Product/Product.aspx?Item=N82E16813138027

I've been quite happy with the machines thus far.
However, beware that the chipsets are all NVIDIA.



Re: micro atx motherboard recommendations?

2007-03-25 Thread bofh

On 3/26/07, Todd Alan Smith [EMAIL PROTECTED] wrote:

http://www.newegg.com/Product/Product.aspx?Item=N82E16813138027

I've been quite happy with the machines thus far.
However, beware that the chipsets are all NVIDIA.


Thanx!



ftpd/ftp help

2007-03-25 Thread James Turner
In the process of setting up ftpd I seem to have hit a snag.  When I try to ftp
to my server from home (OpenBSD -current) all goes well until I issue the ls
command.  I get this error: "435 Can't build data connection: No such file or
directory."  I am able to ls when I connect from the server itself and from a
linux box outside my home network.  I figured it might be my nat rules but I am
able to connect to other ftp sites just fine (like rt.fm).  My inetd.conf looks
like this:

ftp   stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -AUS

and I opened up port 21 on my firewall.  Does anyone have any ideas?  Thanks.



Re: Installing Skype

2007-03-25 Thread Karel Kulhavy
On Sun, Mar 25, 2007 at 10:36:37PM +0200, Joachim Schipper wrote:
 On Sun, Mar 25, 2007 at 09:48:35PM +0200, Karel Kulhavy wrote:
  On Fri, Mar 23, 2007 at 03:26:25PM -0700, J.C. Roberts wrote:
   On Friday 23 March 2007 12:13, Tobias Weisserth wrote:
 From the emails in this thread we know he needs it for work, so he  
hasn't really got a choice. There's no other client to the Skype  
network. Maybe there's a way to lockin Skype in systrace. On openSUSE
  I locked Skype in with AppArmor for my parents. If you need to talk
to people on Skype you don't really have a choice.
   
   Well, it might not work for everyone but I took a different approach to
   solving the skype problem. I decided to be a prick and require people
   using Skype to have a standard phone number via SkypeIn. Being locked
   into the insecure, proprietary skype world is really their problem and
   I refuse to join them.
   
   Once you have a standard way to contact the skype user via a normal
   phone number, then you are free to deploy and use whatever you want on
   your end to reduce your costs...
   
   -http://www.asterisk.org/
  Tried on OpenBSD, doesn't work.
 
 Then you did something wrong, as there's a port.

No, in the port Asterisk cannot work as a SIP client.

Asterisk works as a SIP server - I had it running under OpenBSD and it worked
just fine, clients could register and could be called, etc. 

But the guy wants a SIP client. Asterisk can do this, but needs some extra
modules for this - audio output, dial etc. And the audio module is disabled in
the OpenBSD port because it doesn't compile.

CL
 
   -http://www.openwengo.com/
  Tried on OpenBSD, doesn't work.
   -http://www.gizmoproject.com/
  Tried on OpenBSD, doesn't work.
 
 No idea whether or not those work.
 
   Joachim



Re: micro atx motherboard recommendations?

2007-03-25 Thread John Danks

On 3/25/07, bofh [EMAIL PROTECTED] wrote:

Just looking for a recommendation on a good/cheap (but not necessarily
fast) microatx motherboard.  Or possibly, one of those via
motherboards, but needs to fit in an atx case.


I just put together a server with this cheap $70 PCChips V21G board:
http://www.newegg.com/Product/Product.aspx?Item=N82E16813185094

The specs don't mention it, but it uses the 1.5 GHz VIA Esther CPU. It
seems to work well enough so far. The only problem I had is that it
didn't want to boot off of a CF-IDE adapter. Also, the onboard
network is only 10/100 so you'll have to give up one of the two PCI
slots for gigabit.

Here's a dmesg:

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Esther processor 1500MHz (CentaurHauls 686-class) 1.50 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3
cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
real mem  = 468217856 (457244K)
avail mem = 419348480 (409520K)
using 4278 buffers containing 23535616 bytes (22984K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 05/29/06, BIOS32 rev. 0 @
0xf9ee0, SMBIOS rev. 2.3 @ 0xf (33 entries)
bios0: PCCHIPS V21G
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xd1a4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd110/144 (7 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8237 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xfe00 0xd/0x8000! 0xd8000/0x4800
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA CN700 Host rev 0x00
pchb1 at pci0 dev 0 function 1 VIA CN700 Host rev 0x00
pchb2 at pci0 dev 0 function 2 VIA CN700 Host rev 0x00
pchb3 at pci0 dev 0 function 3 VIA PT890 Host rev 0x00
pchb4 at pci0 dev 0 function 4 VIA CN700 Host rev 0x00
pchb5 at pci0 dev 0 function 7 VIA CN700 Host rev 0x00
ppb0 at pci0 dev 1 function 0 VIA VT8377 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 VIA S3 Unichrome PRO IGP rev 0x01:
aperture at 0xf400, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
skc0 at pci0 dev 8 function 0 Marvell Yukon 88E8001/8003/8010 rev
0x12, Yukon (0x1): irq 10
sk0 at skc0 port A, address 00:04:e2:ec:ba:0d
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
pciide0 at pci0 dev 9 function 0 CMD Technology SiI3114 SATA rev 0x02: DMA
pciide0: using irq 11 for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: ST3250823AS
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 6
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: ST3250823AS
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1(pciide0:1:0): using BIOS timings, Ultra-DMA mode 6
pciide0: port 2: device present, speed: 1.5Gb/s
wd2 at pciide0 channel 2 drive 0: ST3250620AS
wd2: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd2(pciide0:2:0): using BIOS timings, Ultra-DMA mode 6
pciide0: port 3: device present, speed: 1.5Gb/s
wd3 at pciide0 channel 3 drive 0: ST3250823AS
wd3: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd3(pciide0:3:0): using BIOS timings, Ultra-DMA mode 6
pciide1 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA
pciide1: using irq 11 for native-PCI interrupt
wd4 at pciide1 channel 0 drive 0: ST3250823AS
wd4: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd4(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd5 at pciide1 channel 1 drive 0: ST3250823AS
wd5: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd5(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide2 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: ATA133,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd6 at pciide2 channel 0 drive 0: WDC WD800JB-00CRA1
wd6: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd6(pciide2:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide2: channel 1 disabled (no drives)
uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 

Re: ftpd/ftp help

2007-03-25 Thread James Turner
Once again, I solved my own problem 10 seconds after I emailed the list.  You'd
think the official FAQ would always be the first place one would look when they
encounter a problem.

http://www.openbsd.org/faq/pf/ftp.html#server

On Mon, Mar 26, 2007 at 01:30:52AM -0400, James Turner wrote:
 In the process of setting up ftpd I seem to have hit a snag.  When I try to
 ftp to my server from home (OpenBSD -current) all goes well until I issue the
 ls command.  I get this error: "435 Can't build data connection: No such file
 or directory."  I am able to ls when I connect from the server itself and from
 a linux box outside my home network.  I figured it might be my nat rules but I
 am able to connect to other ftp sites just fine (like rt.fm).  My inetd.conf
 looks like this:

 ftp   stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -AUS

 and I opened up port 21 on my firewall.  Does anyone have any ideas?  Thanks.
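
The FAQ section linked above covers the situation in the post: opening port 21 is not enough, because ftpd(8) also needs its passive-mode data ports let through PF. The pf.conf fragment below is an added example, not text from the post or the FAQ; it assumes ftpd runs on the PF box itself, that the external interface is $ext_if, and that ftpd uses OpenBSD's default high port range (net.inet.ip.porthifirst to net.inet.ip.porthilast, 49152 to 65535 unless those sysctls were changed).

```pf
# Added example (not from the post): PF rules for an OpenBSD ftpd(8)
# running on the firewall host itself.  Interface name is an assumption.
ext_if = "fxp0"

# Control connection on port 21 (this is the part the post already had).
pass in on $ext_if proto tcp from any to $ext_if port 21 \
    flags S/SA keep state

# Passive-mode data connections: the client opens a second TCP connection
# back to the server on a port from ftpd's high range.  Without this rule
# the client hangs or fails as soon as it sends LIST/ls.  If you narrow
# net.inet.ip.porthifirst / net.inet.ip.porthilast, narrow this range too.
pass in on $ext_if proto tcp from any to $ext_if port 49152:65535 \
    flags S/SA keep state

# If ftpd instead lives on an internal host ($ftp_srv, assumed), redirect
# both the control port and the passive range to it and pass the
# redirected traffic:
#   rdr on $ext_if proto tcp from any to $ext_if port 21 -> $ftp_srv port 21
#   rdr on $ext_if proto tcp from any to $ext_if port 49152:65535 -> $ftp_srv
#   pass in on $ext_if proto tcp from any to $ftp_srv port 21 keep state
#   pass in on $ext_if proto tcp from any to $ftp_srv port 49152:65535 keep state
```

Keeping the passive range as small as the sysctls allow limits how much of the host PF exposes for ftpd's sake.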



VPN

2007-03-25 Thread Appie
Hi,

Been using OpenBSD 4.0 w/ PF for quite a while now, everything is running
perfectly smooth, our setup is to block all incoming packets while allowing all
outbound packets as long as connections are initiated from within our
local lan. The only problem we encountered was that we can't connect
simultaneous VPN connections via Windows XP VPN connectivity to our
branch server. We can connect one at a time. Is there something I need to
configure? We tested it with another firewall setup (ipcop firewall) and it
works. Hoping for your help. Thanks much.
-- 
View this message in context: http://www.nabble.com/VPN-tf3465334.html#a9668331
Sent from the openbsd user - misc mailing list archive at Nabble.com.



any site or doc about openbsd kernel configuration, info or tweak?

2007-03-25 Thread Jay Jesus Amorin

Any site or doc about OpenBSD kernel configuration, info or tweaks
aside from the man pages?

thanks