Re: pf - drop or return - is stealth mode overrated?

2007-04-25 Thread Joachim Schipper
On Tue, Apr 24, 2007 at 06:36:17PM -0400, Chris Smith wrote:
 Hello,
 
 Using openbsd as a firewall in several cases - a few small businesses, and 
 also for home use. Some websites, such as grc.com, stress that stealth mode 
 (which openbsd handles with ease) is the safest. But I've also read that 
 using 'return' instead of 'drop' is good netizenship. So I'm wondering how 
 others are handling this and what recommendations you might have.

I find 'return' to be easier to work with. The LAN I am primarily
thinking about is both infested with Windows and accessible via VPN -
and the VPN has some Windows clients. Considering the people on said
LAN, who are both sweet and smart but not in general computer-savvy, I'd
be highly surprised if an attacker spent much time on the firewall.

Joachim

-- 
TFMotD: tftp (1) - trivial file transfer program



Re: vnconfig question...

2007-04-25 Thread Joachim Schipper
On Tue, Apr 24, 2007 at 11:47:00PM +0100, poncenby wrote:
 List,
 
 Are there plans to change vnconfig so it will accept a file for the key when 
 -K
 is specified?
 I notice there was a patch put up to misc in 2004, does anyone know if there 
 is a
 patch for 4.0?

vnconfig in -current, at least, already accepts a -S option to specify
the salt file. Changing vnconfig to read the password on stdin is easy,
but you should really ask yourself if that is a good idea.

Joachim

-- 
TFMotD: ssh-keyscan (1) - gather ssh public keys



CARP

2007-04-25 Thread Tang Tse
Hi,

I'm playing around with carp and routers. My scenario is the following:

One ISP address (for example: 10.2.2.1)
Two openbsd 4.0 machines with 3 NICs
Lan switch

On the LAN side, I set one NIC on every machine with a private IP:
Machine#1: 192.168.0.20
Machine#2: 192.168.0.21
And they share a virtual address: 192.168.0.30

The carp nics between both machines with 10.0.0.1 and 10.0.0.2

And my question is for ISP side:
I got only one IP address, 10.2.2.1, how do I share it? I mean, I can't set up
another 2 new IPs like 10.2.2.2 and .3. Any suggestions?

Thanks



Re: CARP

2007-04-25 Thread Stuart Henderson
On 2007/04/25 12:43, Tang Tse wrote:
 I got only one IP address, 10.2.2.1, how do share it? I mean, i can't set up
 other 2 new IPs like 10.2.2.2 and .3.. any suggestion?

just configure the carp interface as 10.2.2.1, you don't need a
'real' address as well. use carpdev to specify the parent interface.



Re: CARP

2007-04-25 Thread Tang Tse
Thanks!!!

2007/4/25, Stuart Henderson [EMAIL PROTECTED]:

 On 2007/04/25 12:43, Tang Tse wrote:
  I got only one IP address, 10.2.2.1, how do share it? I mean, i can't
 set up
  other 2 new IPs like 10.2.2.2 and .3.. any suggestion?

 just configure the carp interface as 10.2.2.1, you don't need a
 'real' address as well. use carpdev to specify the parent interface.



pf - 1 firewall 2 wans

2007-04-25 Thread Johan L

Hi,

We have two internet connections with 2 different firewalls that we want 
to merge into a new single pf based firewall.
Connection 1 (wan1) will be used for NAT-ing the internal network (lan) 
to the outside world and for access to a few internal servers.

Connection 2 (wan2) will be used for the dmz (dmz), public servers.

wan1 212.105.x.37/32 gw: 212.105.x.2 -||
  |openbsd 4.1/pf  |
  |default gateway:|
  |213.106.x.2 |
wan2 213.115.x.x/25 gw: 213.249.x.33 -||
  | |
  | |
 lan   dmz
   172.16.90.1/24  192.168.78.1/25


I guess we have to use route-to and reply-to, not sure how to do it, or 
if there's a more simple solution by using route.

Anyone out there running a similar solution who can share your experience?

Thanks,
Johan Linner

pf.conf so far:

lan=em0
dmz=em1
wan1=em2
wan2=em3
tcpp="{ 21 22 80 443 3306 }"
udpp="{ 53 123 }"

table <www> const { 213.115.x.5 213.115.x.6 213.115.x.7 213.115.x.11 213.115.x.126 }

table <authpf_users> persist
table <blacklist> persist file "/var/log/blacklist"

set skip on lo
set loginterface $wan2
set limit { states 256000, frags 64000 }
scrub in

nat on $wan1 from $lan:network to any -> $wan1:0
nat on $wan2 from 192.168.78.5 to any -> 213.115.x.5
binat on $wan2 from 192.168.78.2 to any -> 213.115.x.1
rdr on $wan2 proto tcp from any to <www> port 80 -> 192.168.78.5
rdr on $wan1 proto tcp to port 80 -> 172.16.90.2
rdr on $wan1 proto tcp to port 22 -> 127.0.0.1

block in log
pass out quick
antispoof log quick for { $lan lo } inet

# public servers
pass in quick on $wan2 proto tcp from any to 192.168.78.5 port 80
pass in quick on $wan2 proto tcp from any to 192.168.78.2 port { 25, 26, 110, 143, 443, 993 }

pass in quick on $dmz proto { tcp udp } from $dmz:network to ! $lan:network
# access to internal servers
pass in quick on $wan1 inet proto tcp from <authpf_users> to 172.16.90.2 port 80
pass in log on $wan1 inet proto tcp from any to 127.0.0.1 port 22 flags S/SA modulate state (max-src-conn-rate 4/40, overload <blacklist> flush)


#lan
pass in quick on $lan inet proto tcp from $lan:network to any port $tcpp
pass in quick on $lan inet proto udp from $lan:network to any port $udpp
pass in quick on $lan inet proto { tcp udp } from $lan:network to $dmz

# ping ping
pass in inet proto icmp all icmp-type echoreq code 0 keep state

# no logging:
block return in quick on { $wan1 $wan2 } proto tcp from any to any port 113
block in on { $wan1 $wan2 } proto { udp tcp } from any to any port { 135:139 445 1434 }
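Pinning each connection to the uplink it belongs to with route-to and reply-to, as an added example that is not part of Johan's post: the two gateway macros and the placement of the route-to "pass out" rules ahead of his generic "pass out quick" are assumptions; the interface macros, addresses and the rules being replaced are taken from his pf.conf.

```pf
# Added example, not from the original post.  The gateway macros are
# assumed; everything else reuses the names and addresses from the post.
wan1_gw=212.105.x.2
wan2_gw=213.249.x.33

# Place these before the generic "pass out quick": a packet sourced from
# one uplink's address must never leave through the other uplink.
pass out quick on $wan1 route-to ($wan2 $wan2_gw) from $wan2:network to any
pass out quick on $wan2 route-to ($wan1 $wan1_gw) from $wan1 to any

# Public servers behind wan2 (replaces the two "pass in quick on $wan2"
# rules): reply-to sends the return half of every state back out through
# wan2 and its gateway instead of following the default route on wan1.
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) inet proto tcp \
    from any to 192.168.78.5 port 80 flags S/SA keep state
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) inet proto tcp \
    from any to 192.168.78.2 port { 25, 26, 110, 143, 443, 993 } \
    flags S/SA keep state

# Connections the DMZ hosts open themselves (replaces the "pass in quick
# on $dmz" rule): route-to forces them out wan2 so that the nat/binat on
# $wan2 applies.  Traffic to the firewall's own DMZ address is matched
# first, without route-to; traffic to the LAN stays blocked as before.
pass in quick on $dmz proto { tcp udp } from $dmz:network to $dmz keep state
pass in quick on $dmz route-to ($wan2 $wan2_gw) inet proto { tcp udp } \
    from $dmz:network to ! $lan:network keep state
```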




Re: [landisk] power-off button panic

2007-04-25 Thread Diana Eichert

On Wed, 25 Apr 2007, Miod Vallat wrote:


There was an unconditional Debugger() call in this codepath, which got
committed by mistake. Snapshots after March 23rd have this corrected.

Miod


thanks for the quick reply.  I'll try a newer kernel when I get to the 
office


diana



Re: CARP

2007-04-25 Thread Todd Alan Smith

On 4/25/07, Tang Tse [EMAIL PROTECTED] wrote:

Hi,

I'm playing around with carp and routers. My scenario is the next:

One ISP address ( for exemple: 10.2.2.1 )
Two openbsd 4.0 machines with 3 NICs
Lan switch

On LAN side, i set one NIC on every machine with private ip:
Machine#1: 192.168.0.20
Machine#2: 192.168.0.21
And they share a virtual address: 192.168.0.30

The carp nics between both machines with 10.0.0.1 and 10.0.0.2

And my question is for ISP side:
I got only one IP address, 10.2.2.1, how do share it? I mean, i can't set up
other 2 new IPs like 10.2.2.2 and .3.. any suggestion?


Tang, this is covered in the FAQ:

http://www.openbsd.org/faq/pf/carp.html

The section titled 'Combining CARP and pfsync For Failover' addresses
your question.

-Todd



4.0 Installation problems

2007-04-25 Thread chayashida
I was redirected here from the tech group. 

I am trying to install OpenBSD 4.0 on a Dell OptiPlex 745. The computer has
a SATA CD-ROM and a SATA hard drive.

After the install/upgrade/shell part, I see a lot of kernel messages.
Everything looks normal, and it looks like all of my hardware is detected.
The install appears to go okay, but then it hangs after the file sets are
copied. It doesn't matter if I select all, some, or the minimal file sets:
the installation always hangs after the copy is finished. I tried a separate
set of CDs, just to see if that was the issue, but I get the same result. I
also tried reducing the size of the root partition to see if that was an
issue.

Another member suggested that I try Ctrl-Z after the hang. If it stops the
job, then the installation program has hung. I tried it. ^Z displays on the
screen, but I do not get a shell. Apparently this means that the kernel has
hung.

I'm trying to get a dmesg, but there's no floppy drive and the network card
isn't working yet.

I have no idea what's going wrong. Can someone point me in the right
direction?

Thanks in advance,

Chris



Re: authpf: real world uses of $user_id ?

2007-04-25 Thread Matthias Bertschy

Well, in fact, I was wondering:

  1. What is the purpose of the $user_id macro in authpf rules?
  2. Is anybody using it successfully?
  3. Is it possible to use it to track per user traffic?

Thanks if you read this and help me :-)

Matthias Bertschy

Matthias Bertschy wrote:

Hello list !

I have been using authpf for years now, and it has worked flawlessly 
so far.
Reading the latest man page (to stay up to date), I saw that authpf 
can fill the $user_id macro with the user's ID.
Wow, it sounds cool, but I cannot see any real world example of this 
feature...


I would say, this could be a good way to account each user for its 
usage, as stated in the man page:


This, combined with properly set up filter rules and secure
switches, can be used to ensure users are held accountable
for their network traffic.

But I cannot find any example or documentation for that...

Hmm, I would really like to have this wonderful tool with pfflowd on 
my network routers :-)


Matthias Bertschy




Re: authpf: real world uses of $user_id ?

2007-04-25 Thread Sebastien SOULIER
Do you mean what is the purpose of user_id compared to user_ip?
I think it is interesting if several users use the same computer.


On 4/25/07, Matthias Bertschy [EMAIL PROTECTED] wrote:

 Well, in fact, I was wondering:

   1. What is the purpose of the $user_id macro in authpf rules?
   2. Is anybody using it successfully?
   3. Is it possible to use it to track per user traffic?

 Thanks if you read this and help me :-)

 Matthias Bertschy

 Matthias Bertschy wrote:
  Hello list !
 
  I have been using authpf for years now, and it has worked flawlessly
  so far.
  Reading the latest man page (to stay up to date), I saw that authpf
  can fill the $user_id macro with the user's ID.
  Wow, it sounds cool, but I cannot see any real world example of this
  feature...
 
  I would say, this could be a good way to account each user for its
  usage, as stated in the man page:
  
  This, combined with properly set up filter rules and secure
  switches, can be used to ensure users are held accountable
  for their network traffic.
  
  But I cannot find any example or documentation for that...
 
  Hmm, I would really like to have this wonderful tool with pfflowd on
  my network routers :-)
 
  Matthias Bertschy



Prevent circumventing dansguardian with pf

2007-04-25 Thread Allen Theobald
Greetings!  Included below is my pf.conf set up to use 
dansguardian (proxyport 3128, filterport 8080)
and tinyproxy (listen port 3128) as a transparent 
proxy.

What changes do I need to make to keep someone on 
int_if/int_net from circumventing dansguardian
by changing their browser to point to 3128?

Thanks and take care,

Allen

--8--cut here--8--

ext_if=rl0
int_if=xl0
int_net=192.168.0.0/24
proxy_server  =  127.0.0.1

tcp_services="{ 113 }"
icmp_types=echoreq

set block-policy return
set skip on lo
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $int_if inet proto tcp \
   from $int_net \
   to any port www -> $proxy_server port 8080

block in

antispoof quick for { lo $int_if }

pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $ext_if inet proto tcp \
   from any \
   to ($ext_if) port $tcp_services flags S/SA keep state
pass on $int_if
pass out keep state



Clue-by-four needed: trunk(4) and an(4)

2007-04-25 Thread Josh Grosse
I have an i386 laptop with two NICs: xl(4) and an(4). 

For me, trunk(4) does not seem to be able to send any packets over the an(4)
NIC.  The xl(4) NIC works just fine.  The an0 NIC never shows active as
a child of the trunk.  Viz.:

When I set a single NIC in the trunk, just for testing as shown below, I see:

trunkport xl0 master,active

or

trunkport an0 master

I can watch packets flowing across the an0 NIC via tcpdump, but none originate
from the laptop.

Could someone please whack me with a clue-stick to get an(4) working?  Thanks.

   -Josh Grosse-

-- example showing no master,active for trunkport status: 

an0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:40:96:32:2d:02
trunk: trunkdev trunk0
groups: wlan
media: IEEE802.11 autoselect (DS11)
status: active
ieee80211: nwid Grosse chan 9 bssid 00:06:25:25:70:1d
inet6 fe80::240:96ff:fe32:2d02%an0 prefixlen 64 scopeid 0x4
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:40:96:32:2d:02
trunk: trunkproto roundrobin
trunkport an0 master
groups: trunk
media: Ethernet autoselect
status: active
inet 192.168.2.50 netmask 0xff00 broadcast 255.255.0.0
inet6 fe80::240:96ff:fe32:2d02%trunk0 prefixlen 64 scopeid 0x5

-- dmesg --

OpenBSD 4.1-current (GENERIC) #15: Mon Apr 23 07:22:11 EDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) III Mobile CPU 1000MHz (GenuineIntel 686-class) 731 
MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 267821056 (261544K)
avail mem = 236433408 (230892K)
using 3299 buffers containing 13512704 bytes (13196K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 05/16/03, BIOS32 rev. 0 @ 0xffe90, SMBIOS 
rev. 2.3 @ 0xf76b0 (61 entries)
bios0: Dell Computer Corporation Inspiron 4100
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 90%
apm0: AC off, battery charge high, estimated 1:42 hours
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbb90/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371 ISA and IDE rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x1
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82830MP CPU-I/O-1 rev 0x04
ppb0 at pci0 dev 1 function 0 Intel 82830MP CPU-AGP rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon Mobility M6 LY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801CA/CAM USB rev 0x02: irq 11
ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x42
pci2 at ppb1 bus 2
xl0 at pci2 dev 0 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 11, address 
00:08:74:95:af:f2
exphy0 at xl0 phy 24: 3Com internal media interface
cbb0 at pci2 dev 1 function 0 TI PCI1420 CardBus rev 0x00: irq 11
cbb1 at pci2 dev 1 function 1 TI PCI1420 CardBus rev 0x00: irq 11
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 Intel 82801CAM LPC rev 0x02: 24-bit timer 
at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801CAM IDE rev 0x02: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: IC25N020ATCS04-0
wd0: 16-sector PIO, LBA, 19077MB, 39070080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TOSHIBA, CD-ROM XM-7002B, 1005 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
auich0 at pci0 dev 31 function 5 Intel 82801CA/CAM AC97 rev 0x02: irq 11, 
ICH3 AC97
ac97: codec id 0x4352595b (Cirrus Logic CS4205 rev 3)
ac97: codec features mic channel, tone, simulated stereo, bass boost, 20 bit 
DAC, 18 bit ADC, SRS 3D
audio0 at auich0
Intel 82801CA/CAM Modem rev 0x02 at pci0 dev 31 function 6 not configured
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by 

Re: authpf: real world uses of $user_id ?

2007-04-25 Thread Ted Unangst

On 4/25/07, Matthias Bertschy [EMAIL PROTECTED] wrote:

Well, in fact, I was wondering:

  1. What is the purpose of the $user_id macro in authpf rules?


well, whatever you want it do. :)


  2. Is anybody using it successfully?


honestly, about the only thing i can think of is that instead of
having per user authpf rules, you could create tables named by user,
and reference them by $user_id.  i don't know if this works.


  3. Is it possible to use it to track per user traffic?


you can only log by userid if the traffic is local, so i don't think so.



Re: heads up for current followers: fsck_ffs

2007-04-25 Thread chefren

On 04/23/07 17:06, Marco Peereboom wrote:


When will you be fixed?


ROFL...

+++chefren



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Chad M Stewart

On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:



pass in inet proto icmp all icmp-type $icmp_types keep state


This can be used as a covert communication channel.  Allowing
internal IPs to send/receive ping is bad.


As for your question, only allow internal devices to do what you want
and deny the rest.  rdr requests to external web servers on port 80
to your transparent/filtering proxy.


-Chad
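A tightened version of Allen's rule set along the lines Chad describes, as an added example that is not from the original post nor from the dansguardian or tinyproxy projects: the "pass on $int_if" catch-all becomes an allow-list, direct connections from the LAN to the proxy port are logged and refused, and the lan_tcp/lan_udp port lists are assumed placeholders.

```pf
# Added example, not from the original post.  Macros and the 3128/8080
# ports come from Allen's setup; the lan_tcp/lan_udp lists are assumed.
ext_if=rl0
int_if=xl0
int_net=192.168.0.0/24
proxy_server=127.0.0.1
filter_port=8080           # dansguardian listens here
proxy_port=3128            # tinyproxy listens here
lan_tcp="{ 22 443 }"       # assumed: ports clients may reach without the filter
lan_udp="{ 53 123 }"       # assumed
tcp_services="{ 113 }"
icmp_types=echoreq

set block-policy return
set skip on lo
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
# Every outbound HTTP connection from the LAN is handed to dansguardian.
rdr on $int_if inet proto tcp from $int_net to any port www \
    -> $proxy_server port $filter_port

block in
antispoof quick for { lo $int_if }

# A browser pointed straight at port 3128 is bypassing the filter:
# refuse it and log it so the attempt shows up in pflog.
block in log quick on $int_if inet proto tcp from $int_net \
    to any port $proxy_port

# Redirected HTTP arrives with 127.0.0.1:8080 as its destination, so
# that is what the filter rule has to match.
pass in quick on $int_if inet proto tcp from $int_net \
    to $proxy_server port $filter_port flags S/SA keep state
# Direct access only to the allow-list; everything else meets "block in".
pass in on $int_if inet proto tcp from $int_net to any port $lan_tcp \
    flags S/SA keep state
pass in on $int_if inet proto udp from $int_net to any port $lan_udp \
    keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $ext_if inet proto tcp from any \
    to ($ext_if) port $tcp_services flags S/SA keep state
pass out keep state
```

Binding tinyproxy to 127.0.0.1 rather than all interfaces gives the same protection a second time, independently of the pf rules.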



Thanks Was: [landisk] power-off button panic

2007-04-25 Thread Diana Eichert

On Wed, 25 Apr 2007, Diana Eichert wrote:


On Wed, 25 Apr 2007, Miod Vallat wrote:


There was an unconditional Debugger() call in this codepath, which got
committed by mistake. Snapshots after March 23rd have this corrected.

Miod


thanks for the quick reply.  I'll try a newer kernel when I get to the office

diana


thanks, all working now though I have another question that I'll pose in a 
new thread


diana



[landisk] poweroff on shutdown -r/reboot

2007-04-25 Thread Diana Eichert
The power button problem I reported in an earlier thread was resolved with 
a newer kernel.


Now I have another question.  In order to get power down to work, you have 
to set powerdown=YES to power down the unit.  Now that's pretty obvious, 
but why when you run shutdown -r/reboot does the system power down? 
Doesn't that obviate the reboot command?  I would think powerdown=YES 
would be ignored on shutdown -r/reboot.


diana



Re: CARP

2007-04-25 Thread Tang Tse
Hi,

I read the FAQ before. I know the carp device needs to be the one I want to
share. My question is not about the carp device, just about the network
interfaces (in my case rl0 on both machines). Which address should I give
them? One in the ISP's IP/mask range?



2007/4/25, Todd Alan Smith [EMAIL PROTECTED]:

 On 4/25/07, Tang Tse [EMAIL PROTECTED] wrote:
  Hi,
 
  I'm playing around with carp and routers. My scenario is the next:
 
  One ISP address ( for exemple: 10.2.2.1 )
  Two openbsd 4.0 machines with 3 NICs
  Lan switch
 
  On LAN side, i set one NIC on every machine with private ip:
  Machine#1: 192.168.0.20
  Machine#2: 192.168.0.21
  And they share a virtual address: 192.168.0.30
 
  The carp nics between both machines with 10.0.0.1 and 10.0.0.2
 
  And my question is for ISP side:
  I got only one IP address, 10.2.2.1, how do share it? I mean, i can't
 set up
  other 2 new IPs like 10.2.2.2 and .3.. any suggestion?

 Tang, this is covered in the FAQ:

 http://www.openbsd.org/faq/pf/carp.html

 The section titled 'Combining CARP and pfsync For Failover' addresses
 your question.

 -Todd



Re: CARP

2007-04-25 Thread Stuart Henderson
On 2007/04/25 21:38, Tang Tse wrote:
 I readed the faq before. I know carp device needs to be the one i want to
 share. My question is not for the carp device, is just for the network
 interfaces ( in my case rl0 on both machines ). Which address should i gave
 them? anyone into the isp ip-mask rank?

They don't need any address, miss out the whole 'inet' line in
hostname.rl0 and include 'up' instead.



nfs data corruption

2007-04-25 Thread Nick Nauwelaerts
Heya,
It seems I'm experiencing some data corruption on nfs when -w or -r
aren't powers of 2.

I have a local file with these settings:
% md5 sunclock.diff
MD5 (sunclock.diff) = 9f002849da08cd6ab76032a8cf2726e1

now, if I export the filesystem (nfsd -tu -n 4) it's on I get data
corruption when I try to use a readsize or writesize that's not a power
of 2:

% mount_nfs -3 -T spectre:/home /mnt
% md5 /mnt/inphobia/sunclock.diff
MD5 (/mnt/inphobia/sunclock.diff) = 9f002849da08cd6ab76032a8cf2726e1
% umount /mnt
 
% mount_nfs -3 -T -r 32768 -w 32768 spectre:/home /mnt
% md5 /mnt/inphobia/sunclock.diff
MD5 (/mnt/inphobia/sunclock.diff) = 9f002849da08cd6ab76032a8cf2726e1
% umount /mnt
 
% mount_nfs -3 -T -r 32000 -w 32000 spectre:/home /mnt
% md5 /mnt/inphobia/sunclock.diff
MD5 (/mnt/inphobia/sunclock.diff) = d9bfc86665d9619e19c2a317f12b0c09
% umount /mnt
 
% mount_nfs -3 -U -r 32000 -w 32000 spectre:/home /mnt
% md5 /mnt/inphobia/sunclock.diff
MD5 (/mnt/inphobia/sunclock.diff) = d9bfc86665d9619e19c2a317f12b0c09
% umount /mnt

The nfs client is i386 -current, the server is i386 4.0 stable.

Yes, the manual page says I should use a power of 2 greater than
or equal to 1024, but perhaps it could warn that if I don't my data
will get corrupted? Or perhaps have mount_nfs refuse mounts with an
incorrect read/writesize - sane defaults?

And the background of this:
I was lazy and just wanted to do a mount -r 32k -w 32k, but since that
is refused I was lazy again and just mounted with -r 32000 -w 32000,
which makes the actual mount show up as:
spectre:/home on /mnt type nfs (v3, udp, wsize=31744, rsize=31744,
rdirsize=31744, timeo=100)

Oh, and it's not just md5 that fails. While the contents of text files
look sane, I actually stumbled upon this while trying to recode a flac
file to an mp3. Mounting with wrong readsizes caused flac to spew out
errors, after remounting with correct sizes it worked fine.

// nick



Re: CARP

2007-04-25 Thread Tang Tse
thanks!!

2007/4/25, Stuart Henderson [EMAIL PROTECTED]:

 On 2007/04/25 21:38, Tang Tse wrote:
  I readed the faq before. I know carp device needs to be the one i want
 to
  share. My question is not for the carp device, is just for the network
  interfaces ( in my case rl0 on both machines ). Which address should i
 gave
  them? anyone into the isp ip-mask rank?

 They don't need any address, miss out the whole 'inet' line in
 hostname.rl0 and include 'up' instead.



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Tobias Weingartner
Chad M Stewart wrote:
  On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
 
  pass in inet proto icmp all icmp-type $icmp_types keep state
 
  This can be used as a covert communication channel.  Allowing  
  internal IPs to send/receive ping is bad.

Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
are violating RFCs.  Quit spreading this FUD.

-- 
 [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax



Re: dmesg output Sun Fire 4200

2007-04-25 Thread Daniel Ouellet

Paul de Weerd wrote:

Hi all,

For those interested here's a copy of the dmesg output on a Sun Fire
4200 system. More info (`sysctl hw; openssl speed; sysctl hw` output
for the temperature difference is also included for example ;) is
available at http://www.weirdnet.nl/openbsd/hardware/sunfire4200/

NB: The SAS controller (Symbios Logic SAS1064) isn't supported yet,
so I installed on an IDE disk in a USB enclosure.

Cheers,

Paul 'WEiRD' de Weerd


Are there any changes in the support of the X4200, especially the X4100 
M2 and X2100 M2 with the SAS version, not the SATA one? There still 
haven't been many updates in the archive on the subject.


Any luck with maybe a new dmesg to look at for these?

The one below is pretty old.

Best.

Daniel


--
OpenBSD 3.9-beta (GENERIC.MP) #714: Sun Feb 12 22:10:43 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2147012608 (2096692K)
avail mem = 1835753472 (1792728K)
using 22937 buffers containing 214908928 bytes (209872K) of memory
mainbus0 (root)
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
mainbus0: Intel MP Specification (Version 1.4) (SUN  X4200   )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 252, 2593.00 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Opteron(tm) Processor 252, 2592.62 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 
16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
mpbios: bus 0 is type PCI   
mpbios: bus 1 is type PCI   
mpbios: bus 2 is type PCI   
mpbios: bus 3 is type PCI   
mpbios: bus 4 is type PCI   
mpbios: bus 5 is type PCI   
mpbios: bus 6 is type PCI   
mpbios: bus 7 is type ISA   
ioapic0 at mainbus0 apid 2: pa 0x8373ee24, version 11, 24 pins

ioapic1 at mainbus0 apid 3: pa 0x8373ed24, version 11, 4 pins
ioapic2 at mainbus0 apid 4: pa 0x8373ec24, version 11, 4 pins
ioapic3 at mainbus0 apid 5: pa 0x8373eb24, version 11, 4 pins
ioapic4 at mainbus0 apid 6: pa 0x8373ea24, version 11, 4 pins
pci0 at mainbus0 bus 0: configuration mode 1
ppb0 at pci0 dev 1 function 0 AMD 8131 PCIX rev 0x13
pci1 at ppb0 bus 1
em0 at pci1 dev 1 function 0 Intel PRO/1000MT (82546EB) rev 0x03: apic 3 int 
2 (irq 10), address 00:03:ba:f1:36:b2
em1 at pci1 dev 1 function 1 Intel PRO/1000MT (82546EB) rev 0x03: apic 3 int 
3 (irq 11), address 00:03:ba:f1:36:b3
em2 at pci1 dev 2 function 0 Intel PRO/1000MT (82546EB) rev 0x03: apic 3 int 
0 (irq 11), address 00:03:ba:f1:36:b8
em3 at pci1 dev 2 function 1 Intel PRO/1000MT (82546EB) rev 0x03: apic 3 int 
1 (irq 9), address 00:03:ba:f1:36:b9
aapic0 at pci0 dev 1 function 1 AMD 8131 PCIX IOAPIC rev 0x01
ppb1 at pci0 dev 2 function 0 AMD 8131 PCIX rev 0x13
pci2 at ppb1 bus 2
Symbios Logic SAS1064 rev 0x02 at pci2 dev 3 function 0 not configured
aapic1 at pci0 dev 2 function 1 AMD 8131 PCIX IOAPIC rev 0x01
ppb2 at pci0 dev 6 function 0 AMD 8111 PCI-PCI rev 0x07
pci3 at ppb2 bus 3
ohci0 at pci3 dev 0 function 0 AMD 8111 USB rev 0x0b: apic 2 int 19 (irq 11), 
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: AMD OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci3 dev 0 function 1 AMD 8111 USB rev 0x0b: apic 2 int 19 (irq 11), 
version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: AMD OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
vga1 at pci3 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 AMD AMD8111 LPC rev 0x05
pciide0 at pci0 dev 7 function 1 AMD 8111 IDE rev 0x03: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, DV-28SL, 1.0A SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
amdiic0 at pci0 dev 7 function 2 AMD 8111 SMBus rev 0x02: SCI
iic at amdiic0 not configured
amdpm0 at pci0 dev 7 function 3 AMD 8111 Power rev 0x05: rng active

Re: vnconfig question...

2007-04-25 Thread Ted Unangst

On 4/25/07, poncenby [EMAIL PROTECTED] wrote:

i'm obviously missing something here.
could you explain why it is a bad idea to have two files, the key and salt,
which would be used to initially mount the regular file, then securely
deleted from the host and only re-introduced to the host when
decryption/remounting is required.


the whole point of requiring you to type in the password is to require
you to type in the password.  if that's not possible, just use expect.
it is a bad idea to put the password on disk.  i mean, come on.  in
what scenario are you capable of securely installing and deleting a
file, but not capable of typing a password?


and also, for us luddites, how do you read the password on stdin.


vi vnconfig.c and go from there.



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Timo Schoeler
On Wed, 25 Apr 2007 20:19:42 + (UTC)
Tobias Weingartner [EMAIL PROTECTED] wrote:

 Chad M Stewart wrote:
   On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
  
   pass in inet proto icmp all icmp-type $icmp_types keep state
  
   This can be used as a covert communication channel.  Allowing  
   internal IPs to send/receive ping is bad.
 
 Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
 are violating RFCs.  Quit spreading this FUD.

hi,

actually, me thinks the same about allowing/denying ICMP as you,
tobias. however, we recently had a CCIE/NSA certified blahblah guy in
our company, tuning our, err, Cizcoooeee equipment.

guess what he did -- he violated 'the RFCs'.

unfortunately, i wasn't able to find them on the net. do you have them
handy? i'm very curious about that :)

tia,

-- 
Timo Schoeler | http://riscworks.net/~tis | [EMAIL PROTECTED]
RISCworks -- Perfection is a powerful message
Ex-ISP | RISC aficionados | Networking, Security, BSD services
GPG Key fingerprint = 76E0 BEAF 762A BD1B 383C  F88C EBCF 6DDF D87F CDF0

You can fly away to the end of the world
But where does it get you to? (Tennant/Lowe)



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Chad M Stewart

On Apr 25, 2007, at 4:19 PM, Tobias Weingartner wrote:


Chad M Stewart wrote:

 On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:


pass in inet proto icmp all icmp-type $icmp_types keep state


 This can be used as a covert communication channel.  Allowing
 internal IPs to send/receive ping is bad.


Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
are violating RFCs.  Quit spreading this FUD.



I did NOT suggest blocking ALL ICMP, just echo-request and echo-replies
from internal hosts to untrusted IPs.  Trojans have used echo-request and
echo-reply as a method of covert communication.  If you had read the
original post you'd see that $icmp_types was defined to be echoreq.


I don't think this is FUD.

-Chad



Re: dmesg output Sun Fire 4200

2007-04-25 Thread Marco Peereboom
I am running an X4100 with -current and I see no issues at all.

On Wed, Apr 25, 2007 at 04:23:54PM -0400, Daniel Ouellet wrote:
 Paul de Weerd wrote:
 Hi all,
 
 For those interested here's a copy of the dmesg output on a Sun Fire
 4200 system. More info (`sysctl hw; openssl speed; sysctl hw` output
 for the temperature difference is also included for example ;) is
 available at http://www.weirdnet.nl/openbsd/hardware/sunfire4200/
 
 NB: The SAS controller (Symbios Logic SAS1064) isn't supported yet,
 so I installed on an IDE disk in a USB enclosure.
 
 Cheers,
 
 Paul 'WEiRD' de Weerd
 
 Are there any changes in the support of the X4200, especially the X4100 
 M2 and X2100 M2 with the SAS version, not the SATA one? There still 
 haven't been many updates in the archive on the subject.
 
 Any luck with maybe a new dmesg to look at for these?
 
 The one below is pretty old.
 
 Best.
 
 Daniel
 
 --
 OpenBSD 3.9-beta (GENERIC.MP) #714: Sun Feb 12 22:10:43 MST 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 real mem = 2147012608 (2096692K)
 avail mem = 1835753472 (1792728K)
 using 22937 buffers containing 214908928 bytes (209872K) of memory
 mainbus0 (root)
 ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
 mainbus0: Intel MP Specification (Version 1.4) (SUN  X4200   )
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: AMD Opteron(tm) Processor 252, 2593.00 MHz
 cpu0: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
 cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
 64b/line 16-way L2 cache
 cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully 
 associative
 cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully 
 associative
 cpu0: apic clock running at 199MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: AMD Opteron(tm) Processor 252, 2592.62 MHz
 cpu1: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
 cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
 64b/line 16-way L2 cache
 cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully 
 associative
 cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully 
 associative
 mpbios: bus 0 is type PCI   
 mpbios: bus 1 is type PCI   
 mpbios: bus 2 is type PCI   
 mpbios: bus 3 is type PCI   
 mpbios: bus 4 is type PCI   
 mpbios: bus 5 is type PCI   
 mpbios: bus 6 is type PCI   
 mpbios: bus 7 is type ISA   
 ioapic0 at mainbus0 apid 2: pa 0x8373ee24, version 11, 24 pins
 ioapic1 at mainbus0 apid 3: pa 0x8373ed24, version 11, 4 pins
 ioapic2 at mainbus0 apid 4: pa 0x8373ec24, version 11, 4 pins
 ioapic3 at mainbus0 apid 5: pa 0x8373eb24, version 11, 4 pins
 ioapic4 at mainbus0 apid 6: pa 0x8373ea24, version 11, 4 pins
 pci0 at mainbus0 bus 0: configuration mode 1
 ppb0 at pci0 dev 1 function 0 AMD 8131 PCIX rev 0x13
 pci1 at ppb0 bus 1
 em0 at pci1 dev 1 function 0 Intel PRO/1000MT (82546EB) rev 0x03: apic 
 3 int 2 (irq 10), address 00:03:ba:f1:36:b2
 em1 at pci1 dev 1 function 1 Intel PRO/1000MT (82546EB) rev 0x03: apic 
 3 int 3 (irq 11), address 00:03:ba:f1:36:b3
 em2 at pci1 dev 2 function 0 Intel PRO/1000MT (82546EB) rev 0x03: apic 
 3 int 0 (irq 11), address 00:03:ba:f1:36:b8
 em3 at pci1 dev 2 function 1 Intel PRO/1000MT (82546EB) rev 0x03: apic 
 3 int 1 (irq 9), address 00:03:ba:f1:36:b9
 aapic0 at pci0 dev 1 function 1 AMD 8131 PCIX IOAPIC rev 0x01
 ppb1 at pci0 dev 2 function 0 AMD 8131 PCIX rev 0x13
 pci2 at ppb1 bus 2
 Symbios Logic SAS1064 rev 0x02 at pci2 dev 3 function 0 not configured
 aapic1 at pci0 dev 2 function 1 AMD 8131 PCIX IOAPIC rev 0x01
 ppb2 at pci0 dev 6 function 0 AMD 8111 PCI-PCI rev 0x07
 pci3 at ppb2 bus 3
 ohci0 at pci3 dev 0 function 0 AMD 8111 USB rev 0x0b: apic 2 int 19 
 (irq 11), version 1.0, legacy support
 usb0 at ohci0: USB revision 1.0
 uhub0 at usb0
 uhub0: AMD OHCI root hub, rev 1.00/1.00, addr 1
 uhub0: 3 ports with 3 removable, self powered
 ohci1 at pci3 dev 0 function 1 AMD 8111 USB rev 0x0b: apic 2 int 19 
 (irq 11), version 1.0, legacy support
 usb1 at ohci1: USB revision 1.0
 uhub1 at usb1
 uhub1: AMD OHCI root hub, rev 1.00/1.00, addr 1
 uhub1: 3 ports with 3 removable, self powered
 vga1 at pci3 dev 3 function 0 ATI Rage XL rev 0x27
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 pcib0 at pci0 dev 7 function 0 AMD AMD8111 LPC rev 0x05
 pciide0 at pci0 dev 7 function 1 AMD 8111 IDE rev 0x03: DMA, channel 0 
 configured to compatibility, channel 1 configured to compatibility
 atapiscsi0 at pciide0 channel 0 drive 0
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: TEAC, DV-28SL, 1.0A SCSI0 5/cdrom 
 removable
 

Re: dmesg output Sun Fire 4200

2007-04-25 Thread Daniel Ouellet

Marco Peereboom wrote:

I am running an X4100 with -current and I see no issues at all.


Thank you!

I will order some then and will see the results.

I appreciate your time.

Best

Daniel



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Timo Schoeler
On Wed, 25 Apr 2007 23:56:50 +0200
Joachim Schipper [EMAIL PROTECTED] wrote:

 On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
  On Wed, 25 Apr 2007 20:19:42 + (UTC)
  Tobias Weingartner [EMAIL PROTECTED] wrote:
  
   Chad M Stewart wrote:
 On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:

 pass in inet proto icmp all icmp-type $icmp_types keep state

 This can be used as a covert communication channel.  Allowing  
 internal IPs to send/receive ping is bad.
   
   Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
   are violating RFCs.  Quit spreading this FUD.
  
  hi,
  
  actually, me thinks the same about allowing/denying ICMP as you,
  tobias. however, we recently had a CCIE/NSA certified blahblah guy
  in our company, tuning our, err, Cizcoooeee equipment.
  
  guess what he did -- he violated 'the RFCs'.
  
  unfortunately, i wasn't able to find them on the net. do you have
  them handy? i'm very curious about that :)
 
 In general, though, it will almost always be possible to get data
 in/out of the network. IP-over-DNS comes to mind. If this particular
 vector is used by a widely deployed worm, it might be worth it; but
 otherwise, just ignore it.

yeah, i know -- that's why i watched him doing in my typical skeptical
way...

 Do you intend to ask where 'the RFCs' are? (If so, www.ietf.org is a
 good choice.) Or in what RFC this particular requirement is? (No real
 idea...)

the latter one...

   Joachim
 
 -- 
 TFMotD: kadmin (8) - Kerberos administration utility

timo



Re: dmesg output Sun Fire 4200

2007-04-25 Thread Stuart Henderson
On 2007/04/25 16:23, Daniel Ouellet wrote:
 Are there any changes in the support of the X4200, especially the X4100 
 M2 and X2100 M2 with SAS version, not the SATA one? There weren't many 
 updates in the archive on the subject still.

X4100 are AMD8131, 4 em(4) nics

X4200 are nvidia nforce systems, 2 em(4) nics and on solaris 2 nge
- presumably nfe(4) here.

I know what my choice would be...



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread viq

On 25/04/07, Joachim Schipper [EMAIL PROTECTED] wrote:

On Wed, Apr 25, 2007 at 10:40:45PM +0200, Timo Schoeler wrote:
 On Wed, 25 Apr 2007 20:19:42 + (UTC)
 Tobias Weingartner [EMAIL PROTECTED] wrote:

  Chad M Stewart wrote:
On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
   
pass in inet proto icmp all icmp-type $icmp_types keep state
  
This can be used as a covert communication channel.  Allowing
internal IPs to send/receive ping is bad.
 
  Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
  are violating RFCs.  Quit spreading this FUD.

 hi,

 actually, me thinks the same about allowing/denying ICMP as you,
 tobias. however, we recently had a CCIE/NSA certified blahblah guy in
 our company, tuning our, err, Cizcoooeee equipment.

 guess what he did -- he violated 'the RFCs'.

 unfortunately, i wasn't able to find them on the net. do you have them
 handy? i'm very curious about that :)

In general, though, it will almost always be possible to get data in/out
of the network. IP-over-DNS comes to mind. If this particular vector is
used by a widely deployed worm, it might be worth it; but otherwise,
just ignore it.

Do you intend to ask where 'the RFCs' are? (If so, www.ietf.org is a
good choice.) Or in what RFC this particular requirement is? (No real
idea...)


I didn't expect it to come that easily, but google was helpful here:
RFC2979 has this:

3.1.1.  Path MTU Discovery and ICMP

  ICMP messages are commonly blocked at firewalls because of a
  perception that they are a source of security vulnerabilities.  This
  often creates "black holes" for Path MTU Discovery [3], causing
  legitimate application traffic to be delayed or completely blocked
  when talking to systems connected via links with small MTUs.

  By the transparency rule, a packet-filtering router acting as a
  firewall which permits outgoing IP packets with the Don't Fragment
  (DF) bit set MUST NOT block incoming ICMP Destination Unreachable /
  Fragmentation Needed errors sent in response to the outbound packets
  from reaching hosts inside the firewall, as this would break the
  standards-compliant usage of Path MTU discovery by hosts generating
  legitimate traffic.

  On the other hand, it's proper (albeit unfriendly) to block ICMP Echo
  and Echo Reply messages, since these form a different use of the
  network, or to block ICMP Redirect messages entirely, or to block
  ICMP DU/FN messages which were not sent in response to legitimate
  outbound traffic.

  [3]  Mogul, J. and S. Deering, Path MTU discovery, RFC 1191,
   November 1990.



Joachim

--
TFMotD: kadmin (8) - Kerberos administration utility





--
viq



Re: dmesg output Sun Fire 4200

2007-04-25 Thread Daniel Ouellet

Stuart Henderson wrote:

X4100 are AMD8131, 4 em(4) nics

X4200 are nvidia nforce systems, 2 em(4) nics and on solaris 2 nge
- presumably nfe(4) here.

I know what my choice would be...


Thanks! (; I know too!



Re: Clue-by-four needed: trunk(4) and an(4)

2007-04-25 Thread Markus Bergkvist
I don't know if it is related, but you could perhaps try the patch at the 
end of this report 
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5420


/Markus

Josh Grosse wrote:
I have an i386 laptop with two NICs: xl(4) and an(4). 


For me, trunk(4) does not seem to be able to send any packets over the an(4)
NIC.  The xl(4) NIC works just fine.  The an0 NIC never shows active as
a child of the trunk.  Viz.:

When I set a single NIC in the trunk, just for testing as shown below, I see:

trunkport xl0 master,active

or

trunkport an0 master

I can watch packets flowing across the an0 NIC via tcpdump, but none originate
from the laptop.

Could someone please whack me with a clue-stick to get an(4) working?  Thanks.

   -Josh Grosse-

-- example showing no master,active for trunkport status: 


an0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:40:96:32:2d:02
trunk: trunkdev trunk0
groups: wlan
media: IEEE802.11 autoselect (DS11)
status: active
ieee80211: nwid Grosse chan 9 bssid 00:06:25:25:70:1d
inet6 fe80::240:96ff:fe32:2d02%an0 prefixlen 64 scopeid 0x4
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:40:96:32:2d:02
trunk: trunkproto roundrobin
trunkport an0 master
groups: trunk
media: Ethernet autoselect
status: active
inet 192.168.2.50 netmask 0xff00 broadcast 255.255.0.0
inet6 fe80::240:96ff:fe32:2d02%trunk0 prefixlen 64 scopeid 0x5

-- dmesg --

OpenBSD 4.1-current (GENERIC) #15: Mon Apr 23 07:22:11 EDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) III Mobile CPU 1000MHz (GenuineIntel 686-class) 731 
MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 267821056 (261544K)
avail mem = 236433408 (230892K)
using 3299 buffers containing 13512704 bytes (13196K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 05/16/03, BIOS32 rev. 0 @ 0xffe90, SMBIOS 
rev. 2.3 @ 0xf76b0 (61 entries)
bios0: Dell Computer Corporation Inspiron 4100
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 90%
apm0: AC off, battery charge high, estimated 1:42 hours
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbb90/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371 ISA and IDE rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x1
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82830MP CPU-I/O-1 rev 0x04
ppb0 at pci0 dev 1 function 0 Intel 82830MP CPU-AGP rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon Mobility M6 LY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801CA/CAM USB rev 0x02: irq 11
ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x42
pci2 at ppb1 bus 2
xl0 at pci2 dev 0 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 11, address 
00:08:74:95:af:f2
exphy0 at xl0 phy 24: 3Com internal media interface
cbb0 at pci2 dev 1 function 0 TI PCI1420 CardBus rev 0x00: irq 11
cbb1 at pci2 dev 1 function 1 TI PCI1420 CardBus rev 0x00: irq 11
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 Intel 82801CAM LPC rev 0x02: 24-bit timer 
at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801CAM IDE rev 0x02: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: IC25N020ATCS04-0
wd0: 16-sector PIO, LBA, 19077MB, 39070080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TOSHIBA, CD-ROM XM-7002B, 1005 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
auich0 at pci0 dev 31 function 5 Intel 82801CA/CAM AC97 rev 0x02: irq 11, 
ICH3 AC97
ac97: codec id 0x4352595b (Cirrus Logic CS4205 rev 3)
ac97: codec features mic channel, tone, simulated stereo, bass boost, 20 bit 
DAC, 18 bit ADC, SRS 3D
audio0 at auich0
Intel 82801CA/CAM Modem rev 0x02 at pci0 dev 31 function 6 not configured
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)

Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Mathieu Sauve-Frankel
 I did NOT suggest blocking ALL ICMP, just echo-request and echo- 
 replies from internal hosts to untrusted IPs.   Trojans have used  
 echo-request and echo-reply as a method of covert communication.  If  
 you had read the original post you'd see that $icmp_types was defined  
 to be echoreq.
 
 I don't think this is FUD.

Don't forget to also configure your firewalls to block traffic with the
evil bit set. :-)

-- 
Mathieu Sauve-Frankel



OT: Blocking of ICMP type 3 code 4 packets [Was: Prevent circumventing dansguardian with pf]

2007-04-25 Thread chefren
Although it's not well known, TCP seriously depends on ICMP packets of 
type 3 code 4 for Path MTU Discovery (PMTUD). Blocking these 
packets leads to congested IP connections, broken transmissions and thus 
to frustrated users.


Some documentation:

http://en.wikipedia.org/wiki/Pmtud

http://www.usenix.org/events/lisa02/tech/full_papers/vanderberg/vanderberg_html/

http://www.ietf.org/rfc/rfc2923.txt


Various serious solutions:


BSD:
  pass quick proto icmp from any to any icmp-type 3 code 4

Linux:
  iptables -I CHAIN-NAME -p ICMP --icmp-type 3/4 -j ACCEPT


Check Point firewalls:
Explicitly allow ICMP type 3 code 4 packets to the servers that use Path 
MTU Discovery




A firewall that allows TCP and disallows ICMP type 3 code 4 is a broken 
firewall that should be repaired or replaced immediately since it's not 
usable for serious TCP traffic.



+++chefren



Re: OT: Blocking of ICMP type 3 code 4 packets [Was: Prevent circumventing dansguardian with pf]

2007-04-25 Thread Stuart Henderson
On 2007/04/26 01:01, chefren wrote:
 Although it's not well known, TCP seriously depends on ICMP packets of 
 type 3 code 4 for Path MTU Discovery (PMTUD). Blocking these 
 packets leads to congested IP connections, broken transmissions and thus 
 to frustrated users.

for PF, 'keep state' on the TCP rule (default in 4.1) does the right thing
and matches the appropriate ICMP messages as well.
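
Two points in this thread lend themselves to a worked example: Chad's
warning that echo-request/echo-reply payloads can carry a covert channel,
and chefren's and Stuart's point that a Fragmentation Needed error (type 3,
code 4) must reach the host that sent the too-large packet, which a
stateful filter achieves by matching the quoted inner header back to an
existing TCP state. The script below is an added example, not code from
the thread or from pf: it builds ICMP packets inline (all constructed
here), matches type 3 / code 4 errors against a hand-made state table the
way a stateful filter does, and flags echo payloads that do not look like
a stock ping. The state table, the addresses, the "stock ping" heuristic
(the incrementing byte pattern of BSD/Linux ping and the fixed alphabet of
Windows ping) and the verdict labels are all assumptions of this example.

```python
"""Added example (not from the thread or pf): classify ICMP packets the way
the discussion argues about.  A Fragmentation Needed error (type 3, code 4)
is matched back to the TCP flow it reports on by parsing the quoted inner
IP+TCP header, as a stateful filter does; Echo Request/Reply payloads are
compared against what a stock ping sends.  Every packet is constructed here."""
import struct

# Constructed state table: (src, sport, dst, dport) of outbound TCP
# connections a stateful filter would hold state for.  Assumed values.
STATES = {("192.168.1.10", 40000, "203.0.113.5", 443)}
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # default Windows payload


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; ICMP covers header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header: IHL 5, DF set, TTL 64, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def icmp(typ: int, code: int, rest: int, data: bytes) -> bytes:
    """ICMP header (type, code, checksum, 4-byte rest-of-header) + data."""
    hdr = struct.pack("!BBHI", typ, code, 0, rest)
    csum = struct.pack("!H", checksum(hdr + data))
    return hdr[:2] + csum + hdr[4:] + data


def parse_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]


def looks_like_stock_ping(payload: bytes) -> bool:
    """Assumed heuristic: BSD/Linux ping fills the bytes after its timestamp
    so that byte i == i, Windows ping sends a fixed alphabet.  Verify against
    your own hosts before relying on it."""
    if payload == WINDOWS_PING:
        return True
    return len(payload) >= 24 and all(payload[i] == i & 0xFF
                                      for i in range(16, len(payload)))


def classify(icmp_pkt: bytes, states=STATES):
    """Return (verdict, detail) for one ICMP packet."""
    if checksum(icmp_pkt) != 0:          # a valid packet sums to zero
        return ("bad-checksum", None)
    typ, code = icmp_pkt[0], icmp_pkt[1]
    if typ == 3 and code == 4:
        mtu = struct.unpack("!H", icmp_pkt[6:8])[0]   # next-hop MTU
        # The error quotes the offending packet's IP header plus at least
        # 8 bytes of its payload: enough to recover the TCP ports.
        src, dst, proto, inner = parse_ipv4(icmp_pkt[8:])
        if proto != 6 or len(inner) < 8:
            return ("needfrag-drop", "quoted packet is not TCP")
        sport, dport = struct.unpack("!HH", inner[:4])
        if (src, sport, dst, dport) in states:
            return ("needfrag-pass", mtu)
        return ("needfrag-drop", "no matching state")
    if typ in (8, 0):
        if looks_like_stock_ping(icmp_pkt[8:]):
            return ("echo-normal", None)
        return ("echo-suspicious", len(icmp_pkt) - 8)   # payload length
    return ("other", typ)


# Constructed sample packets.
def sample_needfrag(sport=40000, mtu=1400):
    tcp8 = struct.pack("!HHI", sport, 443, 1)          # ports + seq number
    quoted = ipv4("192.168.1.10", "203.0.113.5", 6, tcp8)
    return icmp(3, 4, mtu, quoted)                      # as a router would send


def sample_echo(payload: bytes):
    return icmp(8, 0, 0x12340001, payload)              # id 0x1234, seq 1


STOCK_PAYLOAD = bytes(8) + bytes(range(8, 56))           # timestamp + pattern
TUNNEL_PAYLOAD = b"GET /secret HTTP/1.0\r\n" + bytes(34)  # data riding in a ping

if __name__ == "__main__":
    for name, pkt in [("needfrag, known flow", sample_needfrag()),
                      ("needfrag, unknown flow", sample_needfrag(sport=5555)),
                      ("stock ping", sample_echo(STOCK_PAYLOAD)),
                      ("tunnelled ping", sample_echo(TUNNEL_PAYLOAD))]:
        print(f"{name:24s} -> {classify(pkt)}")
```

Run as a script, the four constructed packets come out as needfrag-pass
(next-hop MTU 1400), needfrag-drop, echo-normal and echo-suspicious. The
state matching is what pf does for you on a keep state TCP rule; the
numeric rule chefren quotes is spelled icmp-type unreach code needfrag in
pf's symbolic form. The payload check is a whitelist and only catches
tunnels that do not bother to mimic a normal ping: a channel hidden in the
identifier/sequence fields, in timing, or behind a copied stock payload
passes it, which is why it is a mitigation and not a substitute for
cleaning the compromised host.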



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Stuart Henderson
On 2007/04/26 08:02, Mathieu Sauve-Frankel wrote:
  I did NOT suggest blocking ALL ICMP, just echo-request and echo- 
  replies from internal hosts to untrusted IPs.   Trojans have used  
  echo-request and echo-reply as a method of covert communication.  If  
  you had read the original post you'd see that $icmp_types was defined  
  to be echoreq.
  
  I don't think this is FUD.
 
 Don't forget to also configure your firewalls to block traffic with the
 evil bit set. :-)

watch out, this causes problems for clients behind rfc3514-compliant NAT...



The OpenBSD Command-Line Companion Book delayed (or MIA?)

2007-04-25 Thread Austin Hook
Shipments of the OpenBSD Command-Line Companion Book have been delayed and
ETA is unknown at this time.  According to the author's blog:

http://devguide.net

there was a problem with the UPS shipment, but we are unable to contact
Jacek Artymiak directly, and we have no tracking number for the shipment.

This book was to have been printed in the USA and shipped to the Belgian
and Sweet Grass, MT, USA depots in early April.

We know from past events that Jacek is subject to a certain chronic
illness that can sometimes suddenly put him in the hospital for a few
months at a time.  If such is the case, we wish him all the best.

In the meantime we have removed the book from the order pages, and will
ship existing orders without the book, showing it as a backorder.

If anyone knows which US printer Jacek had the books made at we would
try to trace them from that end.  Let us know.

OpenBSD Distribution
Milk River, Alberta, Canada



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Tobias Weingartner
On Wednesday, April 25, Chad M Stewart wrote:
 
 I did NOT suggest blocking ALL ICMP, just echo-request and echo- 
 replies from internal hosts to untrusted IPs.

And how is this not violating RFCs?

 Trojans have used echo-request and echo-reply as a method of covert
 communication.

If you've been compromised, it's already too late.

 If you had read the original post you'd see that $icmp_types was
 defined to be echoreq.

Irrelevant.

 I don't think this is FUD.

Telling people to worry about the door to the barn after the horse
has left is not FUD?  It's not misdirection?  Tell them to solve the
root of their problems instead.

--Toby.



Re: The OpenBSD Command-Line Companion Book delayed (or MIA?)

2007-04-25 Thread James Turner
On Wed, Apr 25, 2007 at 04:38:32PM -0700, Austin Hook wrote:
 Shipments of the OpenBSD Command-Line Companion Book have been delayed and
 ETA is unknown at this time.  According to the author's blog:
 
 http://devguide.net
 
 there was a problem with the UPS shipment, but we are unable to contact
 Jacek Artymiak directly, and we have no tracking number for the shipment.
 
 This book was to have been printed in the USA and shipped to the Belgian
 and Sweet Grass, MT, USA depots in early April.
 
 We know from past events that Jacek is subject to a certain chronic
 illness that can sometimes suddenly put him in the hospital for a few
 months at a time.  If such is the case, we wish him all the best.
 
 In the meantime we have removed the book from the order pages, and will
 ship existing orders without the book, showing it as a backorder.
 
 If anyone knows which US printer Jacek had the books made at we would
 try to trace them from that end.  Let us know.
 
 OpenBSD Distribution
 Milk River, Alberta, Canada


This is sad news, I've been anxiously awaiting my copy.  I hope Jacek is
doing well and the books will eventually arrive at their final
destinations.

--
James Turner 



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Jason Dixon

Tobias Weingartner wrote:


Telling people to worry about the door to the barn after the horse
has left is not FUD?  It's not misdirection?  Tell them to solve the
root of their problems instead.


Don't poo-poo his effort to mitigate information leaks.

Did you realize that even LAMP can be used to transmit hidden messages? 
 The Lightbulb Amplification and Modulation Protocol is often used to 
transmit sequences of boolean information using unfiltered windows and 
an untrusted light source.  The only truly secure countermeasure is to 
unplug all potential sources of LAMP.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: [landisk] poweroff on shutdown -r/reboot

2007-04-25 Thread Diana Eichert

On Wed, 25 Apr 2007, Diana Eichert wrote:

Now I have another question.  In order to get power down to work, you have to 
set powerdown=YES to power down the unit.  Now that's pretty obvious, but 
why when you run shutdown -r/reboot does the system power down? Doesn't 
that obviate the reboot command?  I would think powerdown=YES would be 
ignored on shutdown -r/reboot.


diana


on further perusal through reboot.c I see where the -p switch only works 
if the program is called as halt.


		case 'p':
			/* Only works if we're called as halt. */
			if (dohalt) {
				pflag = 1;
				howto |= RB_POWERDOWN;
			}
			break;

Shouldn't the check for powerdown=YES in rc.shutdown also be wrapped 
by something similar?


			execl(_PATH_BSHELL, "sh", _PATH_RC, "shutdown", (char *)NULL);
			_exit(1);
		default:
			/* rc exits 2 if powerdown=YES in rc.shutdown */
			waitpid(pid, &status, 0);
			if (WIFEXITED(status) && WEXITSTATUS(status) == 2)
				howto |= RB_POWERDOWN;

I'm downloading -current source to one of my landisks so I can make the 
change to reboot.c .


diana



Resolved Re: [landisk] poweroff on shutdown -r/reboot

2007-04-25 Thread Diana Eichert

On Wed, 25 Apr 2007, Diana Eichert wrote:

on further perusal through reboot.c I see where the -p switch only works if 
program is called as halt.


		case 'p':
			/* Only works if we're called as halt. */
			if (dohalt) {
				pflag = 1;
				howto |= RB_POWERDOWN;
			}
			break;

Shouldn't the check for powerdown=YES in rc.shutdown also be wrapped by 
something similar?


			execl(_PATH_BSHELL, "sh", _PATH_RC, "shutdown", (char *)NULL);
			_exit(1);
		default:
			/* rc exits 2 if powerdown=YES in rc.shutdown */
			waitpid(pid, &status, 0);
			if (WIFEXITED(status) && WEXITSTATUS(status) == 2)
				howto |= RB_POWERDOWN;


my quick hack

# diff -u sbin/reboot/reboot.c.orig sbin/reboot/reboot.c
--- sbin/reboot/reboot.c.orig   Wed Apr 25 18:45:23 2007
+++ sbin/reboot/reboot.cWed Apr 25 18:47:50 2007
@@ -201,8 +201,10 @@
default:
/* rc exits 2 if powerdown=YES in rc.shutdown */
waitpid(pid, status, 0);
-   if (WIFEXITED(status)  WEXITSTATUS(status) == 2)
-   howto |= RB_POWERDOWN;
+   if (dohalt) {
+   if (WIFEXITED(status)  WEXITSTATUS(status) == 
2)
+   howto |= RB_POWERDOWN;
+   }
}
}
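Review bot: nesting a second if inside the default: case is harder to read
than folding the new condition into the existing test, and the wrapped
"== 2" line shows why; "if (dohalt && WIFEXITED(status) &&
WEXITSTATUS(status) == 2)" says the same thing in one line (note that the
"&&" between WIFEXITED(status) and WEXITSTATUS(status) has been lost in
this archived copy of the hunk, so anyone applying it by hand must put it
back). The comment above the test, "/* rc exits 2 if powerdown=YES in
rc.shutdown */", should also say that the exit status is only honoured
when the program was invoked as halt, otherwise the next reader will
wonder why reboot ignores it; and since this changes documented behaviour,
if the rc.shutdown(8) or reboot(8) text describes powerdown=YES without
that halt-only qualifier it needs a matching update in the same commit.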

#

shutdown -r now and reboot now run rc.shutdown, sync disks and reboot 
as expected


diana



Re: The OpenBSD Command-Line Companion Book delayed (or MIA?)

2007-04-25 Thread Todd Alan Smith

On 4/25/07, Austin Hook [EMAIL PROTECTED] wrote:

Shipments of the OpenBSD Command-Line Companion Book have been delayed and
ETA is unknown at this time.  According to the author's blog:

http://devguide.net

there was a problem with the UPS shipment, but we are unable to contact
Jacek Artymiak directly, and we have no tracking number for the shipment.

This book was to have been printed in the USA and shipped to the Belgian
and Sweet Grass, MT, USA depots in early April.

We know from past events that Jacek is subject to a certain chronic
illness that can sometimes suddenly put him in the hospital for a few
months at a time.  If such is the case, we wish him all the best.

In the meantime we have removed the book from the order pages, and will
ship existing orders without the book, showing it as a backorder.

If anyone knows which US printer Jacek had the books made at we would
try to trace them from that end.  Let us know.

OpenBSD Distribution
Milk River, Alberta, Canada


Thanks for the update, Austin. I was just wondering about this last
night. I placed my order for the book on the same day that I placed my
pre-order for OpenBSD 4.1 (two separate orders). Since I hadn't yet
received the book, I just figured that it wasn't printed yet. Jacek
writes great books. I can wait a while longer for this one, if need
be. I have plenty other material to read in the meantime. If Jacek is
ill, I wish him a speedy recovery. If he's not ill, I hope he doesn't
get a migraine from the shipping problems.

-Todd



Re: 4.0 Installation problems

2007-04-25 Thread chayashida
chayashida wrote:
 
 I am trying to install OpenBSD 4.0 on a Dell OptiPlex 745. The computer
 has a SATA CD-ROM and a SATA hard drive.
 
 After the install/upgrade/shell part, I see a lot of kernel messages.
 Everything looks normal, and it looks like all of my hardware is detected.
 The install appears to go okay, but then it hangs after the file sets are
 copied. It doesn't matter if I select all, some, or the minimal file sets:
 the installation always hangs after the copy is finished. I tried a
 separate set of CDs, just to see if that was the issue, but I get the same
 result. I also tried reducing the size of the root partition to see if
 that was an issue.
 
 Another member suggested that I try Ctrl-Z after the hang. If it stops the
 job, then the installation program has hung. I tried it. ^Z displays on
 the screen, but I do not get a shell. Apparently this means that the
 kernel has hung.
 

The OptiPlex 745 has the following hardware:

SATA CD-ROM
SATA hard drive
3.4 GHz Pentium D
Broadcom BCM5754 network card
Intel 82801H

All of the above are listed as supported under OpenBSD 4.0. I noticed
that there were kernel errors when I tried to set up the network to
use DHCP with the on-board NIC, so I installed a new NIC.

I disabled the on-board NIC and installed an Encore Electronics
ENL832-TX-ICNT 10/100 Ethernet PCI card. I had also disabled the
on-board audio as well. I ran the install, but this time chose to
install over ftp instead of from the CD-ROM. It worked. (Previously, I
had tried from another disc, so I was able to rule out the CD.) The
only other difference was that the files on the CD were in the root of
the disc, instead of 4.0/i386. I made another CD with the files in the
correct directory and tried to install, and I still had problems. I
also tested that CD by copying all the files off the CD without
errors.

I ran the install again, this time with the same configuration, but
from the CD-ROM. It failed again. My best guess is that accessing
the SATA CD-ROM and the SATA hard drive at the same time is somehow
hanging the system.

I am installing a second system overnight (we have a slow Internet
connection) but I expect it to work.

I hope this helps someone else.

Chris
-- 
View this message in context: 
http://www.nabble.com/4.0-Installation-problems-tf3645668.html#a10193201
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread J.C. Roberts
On Wednesday 25 April 2007 17:48, Jason Dixon wrote:
 Tobias Weingartner wrote:
  Telling people to worry about the door to the barn after the horse
  has left is not FUD?  It's not misdirection?  Tell them to solve
  the root of their problems instead.

 Don't poo-poo his effort to mitigate information leaks.

 Did you realize that even LAMP can be used to transmit hidden
 messages? The Lightbulb Amplification and Modulation Protocol is
 often used to transmit sequences of boolean information using
 unfiltered windows and an untrusted light source.  The only truly
 secure countermeasure is to unplug all potential sources of LAMP.

Yes, but all of us already know that windows are insecure.

-jcr



Re: 4.0 Installation problems

2007-04-25 Thread Jeffrey 'jf' Lim

On 4/26/07, chayashida [EMAIL PROTECTED] wrote:

chayashida wrote:
 The install appears to go okay, but then it hangs after the file sets are
 copied. It doesn't matter if I select all, some, or the minimal file sets:
 the installation always hangs after the copy is finished. I tried a
 separate set of CDs, just to see if that was the issue,




(Previously, I
had tried from another disc, so I was able to rule out the CD.) The
only other difference was that the files on the CD were in the root of
the disc, instead of 4.0/i386. I made another CD with the files in the
correct directory and tried to install, and I still had problems. I
also tested that CD by copying all the files off the CD without
errors.



uh... so many CDs... which CDs are u using? And why should u be
modifying them in the first place?

-jf

--
It's so hard to write a graphics driver that open-sourcing it would not help.
   -- Andrew Fear, Software Product Manager, NVIDIA Corporation

http://kerneltrap.org/node/7228



Re: 4.0 Installation problems

2007-04-25 Thread chayashida
Jeffrey  wrote:
 
 uh... so many CDs... which CDs are u using? And why should u be
 modifying them in the first place?
 

I was installing the servers in at a low-bandwidth site, so I downloaded the
4.0/i386 directory from the ftp site and burnt it to a CD at a site with a
better connection. It was basically a way to speed up the installation
process.

I probably should have been more clear. 

-- 
View this message in context: 
http://www.nabble.com/4.0-Installation-problems-tf3645668.html#a10193493
Sent from the openbsd user - misc mailing list archive at Nabble.com.



NFS mount by non-root

2007-04-25 Thread Douglas Maus
Is it possible for users (non-root) to mount NFS exports?
I seem to be able to mount_nfs using sudo, but not as a regular user.
I actually want to allow regular users to mount the NFS share from
another machine/OS (MacOSX), but since I couldn't get a regular user
to do the mount just on the local machine, I thought I'd start with
this problem first.

With these settings on OpenBSD 4.0, (generic+autoraid)
/etc/rc.conf.local
 lockd=YES
 portmap=YES
 nfs_server=YES
/etc/exports
 /home -alldirs -ro -network=10.0.1 -mask=255.255.255.0
/etc/sysctl.conf
 kern.usermount=1

For example
logged in as usera, on machine 10.0.1.201 (the server)
 uid=1000(usera) gid=1000(usera) groups=1000(usera), 0(wheel), 10(users), 
20(staff)

$ mount_nfs 10.0.1.201:/home/usera/dir2share /home/usera/private/mnt
fails with
mount_nfs: bad MNT RPC: RPC: Authentication error; why = Client credential too 
weak

but
$ sudo mount_nfs 10.0.1.201:/home/usera/dir2share /home/usera/private/mnt
works fine


Any help would be appreciated.

More details:
I've tried to adhere to:
man mount
A mount point node must be an existing directory for a mount to succeed
 (except in the special case of /, of course).  Only the superuser may
 mount file systems unless kern.usermount is nonzero (see sysctl(8)), the
 special device is readable and writeable by the user attempting the
 mount, and the mount point node is owned by the user attempting the
 mount.

by setting:
drwxr-xr-x  root   wheel  /home
drwxr-xr-x  usera  usera  /home/usera
drwxr-xr-x  usera  usera  /home/usera/dir2share
drwxr-xr-x  usera  usera  /home/usera/private
drwxr-xr-x  usera  usera  /home/usera/private/mnt


Thanks



Re: NFS mount by non-root

2007-04-25 Thread Mike Erdely
On Thu, Apr 26, 2007 at 03:33:47AM +, Douglas Maus wrote:
 Is it possible for users (non-root) to mount NFS exports?

From mount_nfs(8):
HISTORY
 The -P flag historically informed the kernel to use a reserved port
 when communicating with clients.  In OpenBSD, a reserved port is
 always used.

This means to me that you will always have to be root to use mount_nfs.
Unless I'm missing something.

-ME



Re: Prevent circumventing dansguardian with pf

2007-04-25 Thread Andreas Kaeser

Tobias Weingartner wrote:

Chad M Stewart wrote:

 On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:

pass in inet proto icmp all icmp-type $icmp_types keep state
 This can be used as a covert communication channel.  Allowing  
 internal IPs to send/receive ping is bad.


Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
are violating RFCs.  Quit spreading this FUD.



As very often in this world, none of these points of view is absolutely
perfect in all situations.

Regarding violation of RFCs, I found RFC 1812, which states that routers
have to implement echo replies, but one should be able to switch them off:


RFC 1812 Requirements for IP Version 4 Routers, page 57/58:

4.3.3.6 Echo Request/Reply

   A router MUST implement an ICMP Echo server function that receives
   Echo Requests sent to the router, and sends corresponding Echo
   Replies.  A router MUST be prepared to receive, reassemble and echo
   an ICMP Echo Request datagram at least as the maximum of 576 and the
   MTUs of all the connected networks.

   The Echo server function MAY choose not to respond to ICMP echo
   requests addressed to IP broadcast or IP multicast addresses.

   A router SHOULD have a configuration option that, if enabled, causes
   the router to silently ignore all ICMP echo requests; if provided,
   this option MUST default to allowing responses.


Andreas