Re: pciide: ATI IXP 600 SATA

2007-04-14 Thread Jonathan Gray
On Fri, Apr 13, 2007 at 06:27:52PM +0100, Stuart Henderson wrote:
 On 2007/04/13 13:57, alemao wrote:
  Is there any progress to support DMA on this chipset?
 
 ahci(4) is probably your best bet, but only JMicron and VT8251
 are handled so far.

Well only Intel and JMicron devices are known to work so far.

But any device that advertises the AHCI PCI class should
at least try to attach.

But the SB600 along with recent chips from NVIDIA(MCP65+), SiS(966+) etc
should work.  Try the following diff:

Index: sys/dev/pci/ahci.c
===
RCS file: /cvs/src/sys/dev/pci/ahci.c,v
retrieving revision 1.112
diff -u -p -r1.112 ahci.c
--- sys/dev/pci/ahci.c  8 Apr 2007 09:13:31 -   1.112
+++ sys/dev/pci/ahci.c  14 Apr 2007 05:57:52 -
@@ -417,6 +417,10 @@ intahci_vt8251_attach(struct 
ahci_sof
struct pci_attach_args *);
 
 static const struct ahci_device ahci_devices[] = {
+   { PCI_VENDOR_ATI,   PCI_PRODUCT_ATI_IXP_SATA_600_1,
+   NULL,   NULL },
+   { PCI_VENDOR_ATI,   PCI_PRODUCT_ATI_IXP_SATA_600_2,
+   NULL,   NULL },
{ PCI_VENDOR_JMICRON,   PCI_PRODUCT_JMICRON_JMB360,
ahci_jmicron_match, ahci_jmicron_attach },
{ PCI_VENDOR_JMICRON,   PCI_PRODUCT_JMICRON_JMB361,
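Review bot: the two new ATI entries in ahci_devices[] pass NULL for both the match and attach hooks, unlike the JMicron entries right below them, and nothing in the visible hunk shows how the code that walks this table treats a NULL hook. Please confirm the lookup path checks for NULL before calling either pointer and falls back to the generic attach. Since the covering message says any device advertising the AHCI PCI class should already try to attach, a short comment above these entries saying why the SB600 IDs need to be listed explicitly would also help.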



Re: Mail Server (seeking recommendations)

2007-04-14 Thread Bob Beck
 We have settled on
 what software to use for everything but the mail server.
 
 I'm reasonably happy using the Courier-MTA suite on OpenBSD.  It's had 
 four reported vulnerabilities 
 (http://secunia.com/product/2557/?task=advisories), three DOS and one 
 remote-code-execution in a corner case (debug logging enabled).
 

This is a stupid measure. Here's my new MTA - it's super secure
trust me. It has had no reported vulnerabilities - so it must be
better than everything else. Use it.

Of course I haven't yet decided if I'm going to replace
sendmail with it. Of course sendmail had so many vulnerabilities
back when I was thin and had a mullet that this must be more
secure.

--8- Super secure MTA 8-
#!/bin/sh

echo stmp stream tcp nowait root /bin/sh supersecuremail  /etc/inetd.conf 
pkill -HUP inetd

--8



Re: Mail Server (seeking recommendations)

2007-04-14 Thread Joachim Schipper
On Fri, Apr 13, 2007 at 09:33:00PM -0400, Steven Presser wrote:
 Hello,
 I'm working for a small company which has settled on OpenBSD as its
 server software (because the security is excellent).  We have settled on
 what software to use for everything but the mail server.  I'd like to
 request recommendations from the knowledgeable people of this
 list.  The priorities for the mail server are:
 1. Security
 2. Usability (for the end user - not everyone is technically skilled,
 although the setup can be done for anyone who needs help)
 3. Ease of setup
 4. Scaleability
 Obviously the first is by far the most important.  The other three
 are more perks than anything else.

I'm going to go with the Postfix/Dovecot chorus here, which has worked
very well for me, with one caveat: Dovecot doesn't like concurrent
access to mailboxes. There were plans to fix this a while ago, but the
sole batch of users who often use concurrent mailboxes are still unhappy
about this. (Dovecot doesn't eat data or anything; it just drops the
connection.)

As to spam control, greylisting works very well; spamd or postgrey will
be extremely helpful.

Joachim

-- 
TFMotD: dump (8) - filesystem backup



Re: using spamd to block outbound spam

2007-04-14 Thread Joachim Schipper
On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:
 Hi Bob
 
   The webapp does talk to a real mail server: on localhost (IIS6 SMTP 
 service). When a spammer abuses the webapp the email is actually sent 
 via the local mail server and not directly from the webapp to all the 
 mail servers on the Internet. Rate limiting isn't an option because 
 emails must be out the door within a very short time frame from the 
 moment a set of events is triggered in the webapp.
   Right now the only way I can think of is limit the SMTP service to 
 connect only to authorized remote SMTP servers that I will manage 
 manually (I'm in the process of checking how often I would have to 
 change the list to see if it's feasible). You wrote that I can do it 
 with spamd, how?
 Another option I thought of is setting up a sendmail relay on another 
 computer and let that sendmail only relay specific emails according to a 
 set of criteria (that fit only valid emails).

You are going about this all wrong. First step is finding a suitable
blunt instrument and getting the developers to fix it. The second step
is configuring rate limiting, along the lines of '1000 mails/hour';
this will allow a large batch of e-mail to get through immediately, but
stop spammers. What you're planning now is both less effective and way
more work.

Joachim



Re: using spamd to block outbound spam

2007-04-14 Thread Bob Beck
 You are going about this all wrong. First step is finding a suitable
 blunt instrument and getting the developers to fix it. The second step
 is configuring rate limiting, along the lines of '1000 mails/hour';
 this will allow a large batch of e-mail to get through immediately, but
 stop spammers. What you're planning now is both less effective and way
 more work.
 

exactly. spamd is not useful for this.
just rate limit it. or better yet, rate limit the source connections
into the web script, so one source can only make X many connections
in 10 minutes or something - also easily doable with pf.

-Bob



uxterm problem

2007-04-14 Thread Onat IŞIK
I'm using a recent snapshot. I used to be able to type in
unicode characters using vim-no_x11 or even using
ed(1) under uxterm. It is no longer possible. The
characters I was able to type were Turkish characters
dotless i, g breve and s cedilla. I have the line
XkbLayout tr in xorg.conf. I think the problem is
related to uxterm.




Re: Mail Server (seeking recommendations)

2007-04-14 Thread Åke Nordin

On 4/14/07, Joachim Schipper [EMAIL PROTECTED] wrote:

On Fri, Apr 13, 2007 at 09:33:00PM -0400, Steven Presser wrote:
 Hello,
 I'm working for a small company which has settled on OpenBSD as its
 server software (because the security is excellent).  We have settled on
 what software to use for everything but the mail server.  I'd like to
 request recommendations from the knowledgeable people of this
 list.  The priorities for the mail server are:
 1. Security
 2. Usability (for the end user - not everyone is technically skilled,
 although the setup can be done for anyone who needs help)
 3. Ease of setup
 4. Scaleability
 Obviously the first is by far the most important.  The other three
 are more perks than anything else.

I'm going to go with the Postfix/Dovecot chorus here, which has worked
very well for me, with one caveat: Dovecot doesn't like concurrent
access to mailboxes. There were plans to fix this a while ago, but the
sole batch of users who often use concurrent mailboxes are still unhappy
about this. (Dovecot doesn't eat data or anything; it just drops the
connection.)

As to spam control, greylisting works very well; spamd or postgrey will
be extremely helpful.


My operation has just the most superficial resemblance of a company
(it's years since I earned any money out of it), but the setup I have is
sendfail+spamd on one box and dovecot on another, that works far better
than I've ever dreamt of.

Security: at least not much worse than the alternatives
- Only stuff in base + dovecot (which hasn't been laughed at
  too much security-wise, and it's got a security stance)
Ease of setup: Quite.
- Dovecot is in ports (v1.0.0 checked in yesterday)
- The version I believe is in 4.1 (1.0.rc22) is the one I run
  (from a late february snapshot) hasn't failed me at all
  (but see the errata at http://dovecot.org/oldnews.html)
- sendfail setup has never been easier than with the
  exquisite OpenBSD documentation
- ditto spamd
Scalability: I think so, but I might have fallen prey to a
certain level of hype. Especially Dovecot seems to have
a good track record.

I don't know much about ease of use by end users. I
find it easy but I don't think I'm typical. My few users
(mainly in the family) asked me to set their mail up,
but I do have the users I deserve...

--
Åke Nordin, moose (a) {stacken.kth|enting|netia} (o) se



Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Kyle

1. Fixing the code is impossible :-( I already tried it, the developers 
keep saying that their code is sound and safe. I've shown logs and 
statistics to the bosses of the company that owns the webapp, but the 
only response I got was: fix it (they aren't making the connection 
between the webapp and the spam emails). The only thing I can do to 
prove my point is exploit the webapp in front of them, but I don't know 
how to do that.


2. I currently don't have any suitable SMTP server that I can do 2 and 
see 1 above about changing the code.


3. Once the OpenBSD firewall will be in place I'll probably go with 
setting up rate limiting via sendmail, though I'd rather not run any 
servers on the firewall.

TIA
Paolo

Kyle George wrote:


On Fri, 13 Apr 2007, Paolo Supino wrote:

 The webapp does talk to a real mail server: on localhost (IIS6 SMTP 
service). When a spammer abuses the webapp the email is actually sent 
via the local mail server and not directly from the webapp to all the 
mail servers on the Internet. Rate limiting isn't an option because 
emails must be out the door within a very short time frame from the 
moment a set of events is triggered in the webapp.



You could:

1) Make them fix the code

2) Uninstall the IIS SMTP service and make them change the code to send 
through a trusted host that can rate limit, filter, etc.


3) http://support.microsoft.com/kb/308161, see smart host

(2) and (3) would let you configure an MTA to filter this mess.  The 
best option is for them to fix their code AND use (2) or (3).  It makes 
sense to have untrusted applications send through the network's MTA(s) 
and to put the machine behind pf blocking outgoing port 25.  You don't 
want to get blacklisted.  Also, code that's letting this happen likely 
has many other problems.  I'd isolate it.




Re: using spamd to block outbound spam

2007-04-14 Thread Bob Beck
* Paolo Supino [EMAIL PROTECTED] [2007-04-14 08:43]:
 Hi Kyle
 
 1. Fixing the code is impossible :-( I already tried it, the developers 
 keep saying that their code is sound and safe. I've shown logs and 
 statistics to the bosses of the company that owns the webapp, but the 
 only response I got was: fix it (they aren't making the connection 
 between the webapp and the spam emails). The only thing I can do to 
 prove my point is exploit the webapp in front of them, but I don't know 
 how to do that.

Sounds like a problem best fixed by printing resumes.

Problems with stupid people are not best solved by technical means.

-Bob



Re: using spamd to block outbound spam

2007-04-14 Thread Henning Brauer
* Paolo Supino [EMAIL PROTECTED] [2007-04-14 16:43]:
 1. Fixing the code is impossible :-( I already tried it, the developers 
 keep saying that their code is sound and safe. I've shown logs and 
 statistics to the bosses of the company that owns the webapp, but the 
 only response I got was: fix it (they aren't making the connection 
 between the webapp and the spam emails). The only thing I can do to 
 prove my point is exploit the webapp in front of them, but I don't know 
 how to do that.

then you should obviously find out how to do the latter.

you cannot fix this problem without fixing the buggy application.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



azalia0 sound

2007-04-14 Thread openbsd fan
I am running 4.1-current on a Thinkpad X60S.  I have searched the @misc
archives and read the FAQ, but I have yet to come across the method by which to
increase the system's volume when using azalia0.

The Volume buttons on my Thinkpad X60S work. If I try to advance beyond the
end of a man page, for example, it emits a VERY loud beep.  After I do that,
I can then hear very faint sound when playing multimedia.  However, if I
reboot OpenBSD, startx, and xmms filename.mp3, I will hear nothing.

When I try to use the volume buttons, I can increase the volume of the
beeping noise that occurs when you try to advance beyond the end of a man
page; I can also mute the warning beep.  However, I cannot increase the
sound when any multimedia files are being played by xmms or mplayer.

Here is the output of mixerctl -a:

outputs.dac02.source=hdaudio
outputs.lineout.source=dac03
outputs.lineout.mute=off
outputs.lineout=125,125
outputs.lineout=85,85
outputs.lineout.dir=output
outputs.lineout.boost=off
outputs.hp.source=dac03
outputs.hp.mute=off
outputs.hp=125,125
outputs.hp.boost=off
outputs.mono.mute=off
outputs.mono=125
outputs.mic=85,85
outputs.linein.source=dac03
outputs.linein.mute=off
outputs.linein=125,125
outputs.linein=85,85
outputs.linein.dir=output
inputs.sel0b.source=dac03
inputs.beep.source=beep10
outputs.beep.mute=off
outputs.beep=119
outputs.sel11.mute=off
outputs.sel11=123,123
outputs.sel12.mute=off
outputs.sel12=123,123
outputs.sel13.mute=off
outputs.sel13=123,123
outputs.pow14.source=beep
inputs.sel15.source=mix0c
outputs.sel15.mute=off
outputs.sel15=119,119
outputs.mic2.source=dac03
outputs.mic2.mute=off
outputs.mic2=125,125
outputs.mic2=85,85
outputs.mic2.dir=input
outputs.sel1a.mute=off
outputs.sel1a=123,123
outputs.sel1b.mute=off
outputs.sel1b=123,123
outputs.sel1c.mute=off
outputs.sel1c=123,123
outputs.speaker.mute=off
outputs.speaker=123,123
outputs.sel1e.mute=off
outputs.sel1f.mute=off
inputs.usingdac=03

Because there is no outputs.master is this why I cannot adjust the volume?

Thanks for looking...

Openbsdfan.



Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Joachim

  I know that right now I'm mostly going at it in the wrong way but I 
have to fix it quickly and without changing the infrastructure. I'm not 
a windows or layer 7 person but rather a layer 1 to layer 4 in my 
background, so I'm trying to find a solution in those layers. I work in 
an environment where I'm told: Fix it without spending money ...
  The webapp development was outsourced thus the developers aren't 
local. Blunt objects aren't an option :-(
  The legitimate email structure (subject and content) is pretty 
limited and steady. Will sendmail + procmail to filter emails be a 
solution?

  I will try to implement rate limiting.


TIA
Paolo

Joachim Schipper wrote:


On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:


Hi Bob

 The webapp does talk to a real mail server: on localhost (IIS6 SMTP 
service). When a spammer abuses the webapp the email is actually sent 
via the local mail server and not directly from the webapp to all the 
mail servers on the Internet. Rate limiting isn't an option because 
emails must be out the door within a very short time frame from the 
moment a set of events is triggered in the webapp.
 Right now the only way I can think of is limit the SMTP service to 
connect only to authorized remote SMTP servers that I will manage 
manually (I'm in the process of checking how often I would have to 
change the list to see if it's feasible). You wrote that I can do it 
with spamd, how?
Another option I thought of is setting up a sendmail relay on another 
computer and let that sendmail only relay specific emails according to a 
set of criteria (that fit only valid emails).



You are going about this all wrong. First step is finding a suitable
blunt instrument and getting the developers to fix it. The second step
is configuring rate limiting, along the lines of '1000 mails/hour';
this will allow a large batch of e-mail to get through immediately, but
stop spammers. What you're planning now is both less effective and way
more work.

Joachim




Re: using spamd to block outbound spam

2007-04-14 Thread Henning Brauer
* Paolo Supino [EMAIL PROTECTED] [2007-04-14 17:16]:
   I know that right now I'm mostly going at it in the wrong way but I 
 have to fix it quickly and without changing the infrastructure. I'm not 
 a windows or layer 7 person but rather a layer 1 to layer 4 in my 
 background, so I'm trying to find a solution in those layers. I work in 
 an environment where I'm told: Fix it without spending money ...

I have a layer 1 solution for you: cut the cable. quick!

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: using spamd to block outbound spam

2007-04-14 Thread Joachim Schipper
On Sat, Apr 14, 2007 at 11:06:43AM -0400, Paolo Supino wrote:
 Hi Joachim
 
   I know that right now I'm mostly going at it in the wrong way but I 
 have to fix it quickly and without changing the infrastructure. I'm not 
 a windows or layer 7 person but rather a layer 1 to layer 4 in my 
 background, so I'm trying to find a solution in those layers. I work in 
 an environment where I'm told: Fix it without spending money ...
   The webapp development was outsourced thus the developers aren't 
 local. Blunt objects aren't an option :-(
   The legitimate email structure (subject and content) is pretty 
 limited and steady. Will sendmail + procmail to filter emails be a 
 solution?
   I will try to implement rate limiting.

I don't do sendmail, but I'm certain it can be made to run outgoing mail
through a filter of some sort. milter_regex or something similar might
be a better fit than procmail, though.

Joachim

-- 
PotD: x11/915resolution - change resolution on available vbios modes for
i8x5/9x5



Re: azalia0 sound

2007-04-14 Thread Ted Unangst

On 4/14/07, openbsd fan [EMAIL PROTECTED] wrote:

outputs.speaker=123,123

Because there is no outputs.master is this why I cannot adjust the volume?


did you try adjusting the speaker volume?



Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Henning

  From the technical aspect, I agree with you. But non technical people 
don't see (or understand) that :-( I wish I had time to sit down and 
find out how to exploit the webapp. I tried to bring in a company to do 
penetration testing, but I was refused the budget for it.
  I can't fix the problem completely, but I can put measures in place 
that will reduce the problem to an acceptable level.

TIA
Paolo


Henning Brauer wrote:


* Paolo Supino [EMAIL PROTECTED] [2007-04-14 16:43]:

1. Fixing the code is impossible :-( I already tried it, the developers 
keep saying that their code is sound and safe. I've shown logs and 
statistics to the bosses of the company that owns the webapp, but the 
only response I got was: fix it (they aren't making the connection 
between the webapp and the spam emails). The only thing I can do to 
prove my point is exploit the webapp in front of them, but I don't know 
how to do that.



then you should obviously find out how to do the latter.

you cannot fix this problem without fixing the buggy application.




Re: using spamd to block outbound spam

2007-04-14 Thread Henning Brauer
* Paolo Supino [EMAIL PROTECTED] [2007-04-14 17:53]:
   From the technical aspect, I agree with you. But non technical people 
 don't see (or understand) that :-( I wish I had time to sit down and 
 find out how to exploit the webapp. I tried to bring in a company to do 
 penetration testing, but I was refused the budget for it.
   I can't fix the problem completely, but I can put measures in place 
 that will reduce the problem to an acceptable level.

yeah, cut the cable.

otherwise at least tell us the IP address (range) so we can all 
blacklist it.

really, there is no solution (or even half reasonable band-aid) that is 
not fix the application

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: using spamd to block outbound spam

2007-04-14 Thread Vijay Sankar
On Saturday 14 April 2007 10:06, Paolo Supino wrote:
 Hi Joachim

I know that right now I'm mostly going at it in the wrong way but
 I have to fix it quickly and without changing the infrastructure. I'm
 not a windows or layer 7 person but rather a layer 1 to layer 4 in my
 background, so I'm trying to find a solution in those layers. I work
 in an environment where I'm told: Fix it without spending money ...
 The webapp development was outsourced thus the developers aren't
 local. Blunt objects aren't an option :-(
The legitimate email structure (subject and content) is pretty
 limited and steady. Will sendmail + procmail to filter emails be a
 solution?
I will try to implement rate limiting.

Just a thought -- is it practical for you to have a white list? For 
example, I am wondering whether you could have a white-list table in pf 
and configure your openbsd firewall to allow email to go only to 
addresses in that white list from your app server. That may be  easier 
and more elegant to do with OpenBSD than limiting the smtp service to 
connect to authorized remote servers using TCPIP settings on Windows.

 TIA
 Paolo

 Joachim Schipper wrote:
  On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:
 Hi Bob
 
   The webapp does talk to a real mail server: on localhost (IIS6
  SMTP service). When a spammer abuses the webapp the email is
  actually sent via the local mail server and not directly from the
  webapp to all the mail servers on the Internet. Rate limiting
  isn't an option because emails must be out the door within a very
  short time frame from the moment a set of events is triggered in
  the webapp.
   Right now the only way I can think of is limit the SMTP service
  to connect only to authorized remote SMTP servers that I will
  manage manually (I'm in the process of checking how often I would
  have to change the list to see if it's feasible). You wrote that I
  can do it with spamd, how?
 Another option I thought of is setting up a sendmail relay on
  another computer and let that sendmail only relay specific emails
  according to a set of criteria (that fit only valid emails).
 
  You are going about this all wrong. First step is finding a
  suitable blunt instrument and getting the developers to fix it. The
  second step is configuring rate limiting, along the lines of '1000
  mails/hour'; this will allow a large batch of e-mail to get through
  immediately, but stop spammers. What you're planning now is both
  less effective and way more work.
 
  Joachim


-- 
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]
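
The pf measures suggested in this thread (the per-source connection limit on the web script and the white-list table for outgoing SMTP), written out as an added pf.conf fragment; it is not from any poster, and the interface names, addresses and the limit of 30 connections per 600 seconds are assumptions.

```conf
# pf.conf fragment (added example; interface names, addresses and limits
# are assumptions, not values from the thread)
ext_if  = "em0"            # hypothetical external interface
int_if  = "em1"            # hypothetical interface facing the app server
app_srv = "192.0.2.10"     # constructed address of the webapp/IIS SMTP host

# Remote MTAs (or a single smart host) the app server may reach on port 25.
# Constructed documentation addresses.
table <mail_allow> persist { 198.51.100.25, 198.51.100.26 }

# Sources that exceeded the connection rate; filled by the overload rule.
table <web_abusers> persist

# pf applies the last matching rule unless "quick" is given, so the
# abuser block is made final here.
block in quick on $ext_if from <web_abusers>

# At most 30 new connections per source address in 600 seconds to the
# web script. Offenders are added to <web_abusers> and their existing
# states are flushed.
pass in on $ext_if proto tcp from any to $app_srv port www \
    flags S/SA keep state \
    (max-src-conn-rate 30/600, overload <web_abusers> flush global)

# Outgoing SMTP from the app server, filtered where it enters the
# firewall so the rule sees the untranslated source address:
# deny and log by default, then allow only the listed MTAs.
block in log on $int_if proto tcp from $app_srv to any port smtp
pass  in     on $int_if proto tcp from $app_srv to <mail_allow> port smtp \
    flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and the logged blocks on pflog0 show how much mail the app server tries to send outside the list.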



Re: using spamd to block outbound spam

2007-04-14 Thread Åke Nordin

On 4/14/07, Henning Brauer [EMAIL PROTECTED] wrote:

* Paolo Supino [EMAIL PROTECTED] [2007-04-14 16:43]:
 1. Fixing the code is impossible :-( I already tried it, the developers
 keep saying that their code is sound and safe. I've shown logs and
 statistics to the bosses of the company that owns the webapp, but the
 only response I got was: fix it (they aren't making the connection
 between the webapp and the spam emails). The only thing I can do to
 prove my point is exploit the webapp in front of them, but I don't know
 how to do that.

then you should obviously find out how to do the latter.

you cannot fix this problem without fixing the buggy application.


A word of caution: Don't get yourself fired in the process.
Be very certain that you have written approval to break in
when you demonstrate how the webapp can be misused
by spammers.

--
Åke Nordin, moose (a) {stacken.kth|enting|netia} (o) se



Re: azalia0 sound

2007-04-14 Thread Simon Effenberg
On Sat, Apr 14, 2007 at 10:51:24AM -0400, openbsd fan wrote:
 outputs.lineout=125,125

I have the same Card..

you have to do:

mixerctl outputs.lineout=255,255

but it won't be very loud ;-)

\s

-- 
GnuPG: 5755FB64

Per aspera ad astra.



Re: Routerboards (was: Re: Routerboard 532 Bounty)

2007-04-14 Thread Jonathan Towne
On Thu, Apr 12, 2007 at 10:44:10AM -0400, Bret Lambert scribbled:
# So, a question to the list: besides soekris and WRAP boards (and the
# specific board that began the thread), what tiny, non-PC machines are
# out there and useful?

I've been in contact for some time with the folks at AR Infotek in
Taiwan.  They're exceedingly nice people and offer some very cool
products.  I'm trying to get ahold of a small pile of their 3258-245
model to use as OpenBSD+carp firewalls and routers.

The main issue with them is that they aren't a distributor of their
product; they mainly sell to system integrators and the like.  They do
sell in small quantities for evaluation purposes, and OpenBSD has
been ported to run on them.

I was (just today) sent a press release from a while back about
OpenBSD on their 3xxx series machines:

http://www.arinfotek.com/news/news_d.asp?sty=2pid=29


-- Jonathan Towne



Re: azalia0 sound

2007-04-14 Thread openbsd fan
That did it!  YOU ROCK!!!

On 4/14/07, Simon Effenberg [EMAIL PROTECTED] wrote:

 On Sat, Apr 14, 2007 at 10:51:24AM -0400, openbsd fan wrote:
  outputs.lineout=125,125

 I have the same Card..

 you have to do:

 mixerctl outputs.lineout=255,255

 but it won't be very loud ;-)

 \s

 --
 GnuPG: 5755FB64

 Per aspera ad astra.



Re: Finding a ral(4) cardbus card

2007-04-14 Thread Tom McLaughlin
On Thu, 2007-04-12 at 19:33 -0700, Luke Eckley wrote:
 I am having a hard time finding a ral(4) cardbus card for my laptop. I
 recently bought a Hawking Tech HWC54G - which happens to be acx(4) -
 thinking I was buying a Hawking Tech HWC54GR (which is listed as
 supported by ral(4)).
 
 Searching ebay.com and pricewatch.com I am only turning up the Belkin
 card. I am a little reluctant to purchase that one since ral(4)
 states that it supports version 2 only - and dealers never seem to
 know what version they are selling and I don't want to take another
 gamble.
 

I used this site to find a vendor and chipset:

http://ralink.rapla.net

I thought it used to have more specific revision information but maybe
my mind is playing tricks on me a year later.  It should at least help
expand your available card search.

 Does anyone know of any place that sells a ral(4) supported card?
 Where did everyone get theirs?


I use www.newegg.com for anything whenever possible.  It's still going
to be a minor gamble though.

tom

-- 
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD   http://www.FreeBSD.org |
| BSD#http://www.mono-project.com/Mono:FreeBSD |



Re: Dynamic DNS (first setup, couple troubles)

2007-04-14 Thread Tim Judd
--- Tim Judd [EMAIL PROTECTED] wrote:

 Thanks for ANY help from all of you excellent people out there.  If you
 want a configuration file, they are available at:
 http://usemy.homeunix.org:88/dhcpd.txt
 http://usemy.homeunix.org:88/named.txt

I was seeing if anybody was checking my problem out by viewing the
access log on my server, and I found named.txt to be getting error 403
-- which I should have fixed by now.  If you still want to address this
and want to look at my files, please try again.

thank you all!

If opportunity doesn't knock, build a door.
I can is a way of life.
More and Bigger is not always Better.
The road to success is always uphill.



Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Henning

  I appreciate your straight and forward replies :-) but the world 
isn't black and white and sometimes you have to create workarounds to 
overcome other people's crap (well most of the time). Unfortunately 
cutting the cable isn't an acceptable solution (I'll get fired and 
someone else will come and reconnect it). The IP range 0.0.0.0/0 to 
255.255.255.255/32  should cover it ;-)

TIA
Paolo

Henning Brauer wrote:


* Paolo Supino [EMAIL PROTECTED] [2007-04-14 17:53]:

 From the technical aspect, I agree with you. But non technical people 
don't see (or understand) that :-( I wish I had time to sit down and 
find out how to exploit the webapp. I tried to bring in a company to do 
penetration testing, but I was refused the budget for it.
 I can't fix the problem completely, but I can put measures in place 
that will reduce the problem to an acceptable level.



yeah, cut the cable.

otherwise at least tell us the IP address (range) so we can all 
blacklist it.


really, there is no solution (or even half reasonable band-aid) that is 
not fix the application




Re: Finding a ral(4) cardbus card

2007-04-14 Thread Andy Hayward

On 4/13/07, Luke Eckley [EMAIL PROTECTED] wrote:

I am having a hard time finding a ral(4) cardbus card for my laptop. I
recently bought a Hawking Tech HWC54G - which happens to be acx(4) -
thinking I was buying a Hawking Tech HWC54GR (which is listed as
supported by ral(4)).


Try the Edimax EW-7108PCg (Ralink Rt2500 chipset).

Scan (www.scan.co.uk) and Newegg are selling them.

-- ach



Re: using spamd to block outbound spam

2007-04-14 Thread Paolo Supino

Hi Vijay


  In one of my replies I did write that I was checking what it means to 
manage a white list (I didn't use the term white list though) to block 
outgoing spam but since the new firewall isn't in place yet (and it will 
be a couple of weeks before I can install it) I thought of doing it in 
the IIS6 SMTP service (this isn't the place to discuss IIS6 SMTP 
configurations).

TIA
Paolo


Vijay Sankar wrote:


On Saturday 14 April 2007 10:06, Paolo Supino wrote:


Hi Joachim

  I know that right now I'm mostly going at it in the wrong way but
I have to fix it quickly and without changing the infrastructure. I'm
not a windows or layer 7 person but rather a layer 1 to layer 4 in my
background, so I'm trying to find a solution in those layers. I work
in an environment where I'm told: Fix it without spending money ...
The webapp development was outsourced thus the developers aren't
local. Blunt objects aren't an option :-(
  The legitimate email structure (subject and content) is pretty
limited and steady. Will sendmail + procmail to filter emails be a
solution?
  I will try to implement rate limiting.



Just a thought -- is it practical for you to have a white list? For 
example, I am wondering whether you could have a white-list table in pf 
and configure your openbsd firewall to allow email to go only to 
addresses in that white list from your app server. That may be  easier 
and more elegant to do with OpenBSD than limiting the smtp service to 
connect to authorized remote servers using TCPIP settings on Windows.

TIA
Paolo

Joachim Schipper wrote:


On Fri, Apr 13, 2007 at 10:17:51PM -0400, Paolo Supino wrote:


Hi Bob

The webapp does talk to a real mail server: on localhost (IIS6
SMTP service). When a spammer abuses the webapp the email is
actually sent via the local mail server and not directly from the
webapp to all the mail servers on the Internet. Rate limiting
isn't an option because emails must be out the door within a very
short time frame from the moment a set of events is triggered in
the webapp.
Right now the only way I can think of is limit the SMTP service
to connect only to authorized remote SMTP servers that I will
manage manually (I'm in the process of checking how often I would
have to change the list to see if it's feasible). You wrote that I
can do it with spamd, how?
Another option I thought of is setting up a sendmail relay on
another computer and let that sendmail only relay specific emails
according to a set of criteria (that fit only valid emails).


You are going about this all wrong. First step is finding a
suitable blunt instrument and getting the developers to fix it. The
second step is configuring rate limiting, along the lines of '1000
mails/hour'; this will allow a large batch of e-mail to get through
immediately, but stop spammers. What you're planning now is both
less effective and way more work.

Joachim






Re: Dynamic DNS (first setup, couple troubles)

2007-04-14 Thread viq

On 14/04/07, Tim Judd [EMAIL PROTECTED] wrote:

--- Tim Judd [EMAIL PROTECTED] wrote:

 Thanks for ANY help from all of you excellent people out there.  If you
 want a configuration file, they are available at:
 http://usemy.homeunix.org:88/dhcpd.txt
 http://usemy.homeunix.org:88/named.txt

I was seeing if anybody was checking my problem out by viewing the
access log on my server, and I found named.txt to be getting error 403
-- which I should have fixed by now.  If you still want to address this
and want to look at my files, please try again.

thank you all!


As previous posters already noted, you need to have static leases
outside of the dynamic range. Another thing is that for the dynamic
updates you need to use the net/isc-dhcp port, the dhcpd in base
doesn't have the required functionality. Other than that, I think
it looks ok. Mind you, for LANBOX and FATMAN I think you will need to
define addresses by yourself in your zone.

--
viq



Re: using spamd to block outbound spam

2007-04-14 Thread Joachim Schipper
On Sat, Apr 14, 2007 at 05:58:52PM +0200, Henning Brauer wrote:
 * Paolo Supino [EMAIL PROTECTED] [2007-04-14 17:53]:
From the technical aspect, I agree with you. But non technical people 
  don't see (or understand) that :-( I wish I had time to sit down and 
  find out how to exploit the webapp. I tried to bring in a company to do 
  penetration testing, but I was refused the budget for it.
I can't fix the problem completely, but I can put measures in place 
  that will reduce the problem to an acceptable level.
 
 yeah, cut the cable.
 
 otherwise at least tell us the IP address (range) so we can all 
 blacklist it.
 
 really, there is no solution (or even half reasonable band-aid) that is 
 not fix the application

Henning brings up a good point: can't you explain to management the cost
of fixing the application vs the effort of getting yourself off all
blacklists that you soon will be on?

Otherwise, try mod_security.

Joachim

-- 
TFMotD: top (1) - display and update information about the top CPU
processes



Re: SSH/SFTP question

2007-04-14 Thread jared r r spiegel
On Fri, Apr 13, 2007 at 09:37:14AM -0400, stuart van Zee wrote:
 
 I was under the impression that when using SFTP to transfer files they 
 were automatically treated as Binary files.

  i might totally be wrong, but i had the impression that sftp doesn't
  incorporate the 'legacy ftp' concept of 'binary' vs. 'ascii', but rather
  just transferred files without any regard to what they have in them.

 CRLF to terminate lines, the downloaded file would have CRLF terminating
 its lines.  So I have a vendor that has replaced his FTP with SSH/SFTP.
 my code is written to expect CRLF because that is the way the files
 were when using the old FTP system to download.

  have you tried scp instead of sftp?  (if that is an option).  sftp
  seems to be a bit of the bastard child of the openssh software family.

 Now, when I use SFTP
 the files just have the LF.

  that seems strange.  i haven't used sftp nearly as much as scp,
  but i don't recall either ever having modified a file on me.

  i tried the following test:

- made a test file (5 lines) using windows notepad, saved it to the openbsd box
  via a samba share.
- opened up in vi and saw that it had '^M's at the end of it, quit out.
- scp'd that file to another host on the network here
- went to the other host, verified MD5s same
- back on original host, sftp'd the file off of the remote host down
  to a new filename on the local host, verified MD5s the same.

  so in my case, sftp'ing a file from a remote host down locally didn't
  incur any CRLF-LF translation.

  maybe you are seeing a behaviour from something else and it just seems
  to be because of sftp(1) ?

  do you know for certain that the files, as they exist on the vendor's
  end, do indeed still have the CRLFs in them?

 What I really need is an explanation or a pointer to where I can get an
 explanation so that I really know what I am talking about when I talk
 to this vendor (and KNOW that I know what I am talking about).

  might not need to go that far.  if you know/trust that they have CRLFs
  on their end, but when you get the files from them, they have only LFs
  now, just test stuff on your end with your own remote sftp/ssh server
  like i did above.  if you have a file that you know has CRLFs, and on
  this one problem host you can pull the file down over sftp from your
  remote test host, and it still has the CRLFs, that would seem to
  imply that your local system is not responsible for the translation.

-- 

  jared



Re: SSH/SFTP question

2007-04-14 Thread Frank Bax

At 09:37 AM 4/13/07, stuart van Zee wrote:


Sorry if this belongs elsewhere but I was sure someone here would know.

I was under the impression that when using SFTP to transfer files they
were automatically treated as Binary files.  So if the remote file uses
CRLF to terminate lines, the downloaded file would have CRLF terminating
its lines.  So I have a vendor that has replaced his FTP with SSH/SFTP.
my code is written to expect CRLF because that is the way the files
were when using the old FTP system to download.  Now, when I use SFTP
the files just have the LF.  The vendor's answer is that we need to use
ASCII mode to transfer the files to get the CRLF.  I didn't know that
there WAS an ASCII mode in SFTP let alone that using ASCII as opposed to
Binary would change the line terminators.  The files in question are
technically ASCII text files but shouldn't I be getting an EXACT copy of
the file when I use Binary mode (assuming that I am right and that is
indeed the default with SFTP)?

What I really need is an explanation or a pointer to where I can get an
explanation so that I really know what I am talking about when I talk
to this vendor (and KNOW that I know what I am talking about).



FTP and SFTP clients will often have an option to send files as 
ASCII/BINARY/AUTO.  This option controls how CRLF is handled when 
encountered in the source file.  This option has nothing at all to do with 
the FTP/SFTP protocol itself; but is an option often included in client 
software.


When transfer option is ASCII (or sometimes TEXT); a translation 
occurs.  When copying from Windows to *BSD, CRLF changes to LF.  When 
copying from *BSD to Windows, LF changes to CRLF.


When transfer option is BINARY; no translation ever occurs.

When transfer is AUTO; behaviour is either ASCII or BINARY depending on 
file extension.  TXT, HTM, PHP, CGI, PL might all be considered text files; 
client software often allows this list to be configured.


PSCP and WinSCP are two examples of windows software that support 
SFTP.  PSCP does not convert CRLF to LF; WinSCP has a user option 
controlling this translation.


Based on what your vendor says; it looks like the file originally contains 
only LF and not CRLF; so enabling ASCII transfer should convert LF to 
CRLF.  If your transfer software doesn't have this option find another that 
does. 
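
The check described in the two replies above (hash the file on both ends, then see whether any difference is only a line-ending translation) can be scripted. This is an added example, not code from either poster; the function names are hypothetical and the five-line sample stands in for the Notepad test file.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def count_endings(data: bytes) -> dict:
    """Count CRLF pairs and bare LFs so the two ends can be compared."""
    crlf = data.count(b"\r\n")
    return {"crlf": crlf, "lf_only": data.count(b"\n") - crlf}


def to_lf(data: bytes) -> bytes:
    """What a text-mode client does when copying towards a Unix host."""
    return data.replace(b"\r\n", b"\n")


def to_crlf(data: bytes) -> bytes:
    """What a text-mode client does when copying towards Windows.
    Normalise first so existing CRLF pairs are not doubled."""
    return to_lf(data).replace(b"\n", b"\r\n")


def diagnose(source: bytes, received: bytes) -> str:
    """Explain how the received copy relates to the source file."""
    if md5_hex(source) == md5_hex(received):
        return "identical"            # exact copy, no translation happened
    if received == to_lf(source):
        return "CRLF->LF"             # translated somewhere along the way
    if received == to_crlf(source):
        return "LF->CRLF"
    return "content differs"          # not explained by line endings alone


# Constructed sample: five lines with CRLF endings.
SAMPLE_CRLF = b"".join(b"line %d\r\n" % i for i in range(1, 6))

if __name__ == "__main__":
    print(count_endings(SAMPLE_CRLF))
    print(diagnose(SAMPLE_CRLF, SAMPLE_CRLF))
    print(diagnose(SAMPLE_CRLF, to_lf(SAMPLE_CRLF)))
    print(diagnose(to_lf(SAMPLE_CRLF), SAMPLE_CRLF))
```

Run `count_endings` on the vendor's copy and on the downloaded copy; if the source already shows only LFs, nothing was translated in transit.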



Re: using spamd to block outbound spam

2007-04-14 Thread Stuart Henderson
On 2007/04/14 11:37, Paolo Supino wrote:
   From the technical aspect, I agree with you. But non technical people 
 don't see (or understand) that :-( I wish I had time to sit down and 
 find out how to exploit the webapp.

if you don't have time to work this out, you don't have time to get
yourself off all the public and in-house blacklists. reliably getting mail
into places like aol and hotmail can be challenging at the best of times,
even without known vulnerabilities in your mail-sending setup.

 I tried to bring in a company to do penetration testing, but I was
 refused the budget for it.

you can probably just read logs/tcpdump.



ccdconfig -g no more

2007-04-14 Thread Ted Unangst

as of a few days ago, ccdconfig -g doesn't work.  it required the use
of kvm, which is a bad thing, so this functionality was disabled (as
part of some larger work).  it is possible to re-add this
functionality, but there are no present plans to do so.



Re: bio not working on dl380 g4 with newer ciss fw

2007-04-14 Thread Joel Knight
--- Quoting Boris Golberg on 2007/04/13 at 08:07 -0500:

 Hello Kalle,
 
 BM Two logical drives.  Not sure about the firmware version, but the
 BM more than one logical drive issue is in the caveats section of
 BM ciss(4).
 
   I've asked about that caveat in ciss recently, but no one really had
 answered. Tried even to e-mail directly to [EMAIL PROTECTED] - no reply.
 
   I'm planning to get an HP server myself. Could you give me some additional
 information about your configuration and problem? What model of Smart Array
 are you using? Do you have any problem with these two logical drives
 besides bioctl not working properly? Is the lack of bio support causing
 any real problem in your case?
   Sorry for trying to kind of benefit from your problem, but answers will
 be really appreciated.


I recently installed an HP DL360g5 running OpenBSD 4.1. The hardware
works great (man, it's a fast machine) but there is an issue with bio
and ciss. The server has a HP E200i controller card in it that does
not attach to bio(4). I gave mickey@ access to the box and he supposedly
figured out the issue, but then some shit happened and now he's not
around.

Anyways, hope that's useful to you and maybe others. My dmesg is here:
http://www.armorlogic.com/openbsd_information_server_compatibility_list.html




.joel