Re: RDR rule on PF
Is IP forwarding enabled?

# sysctl net.inet.ip.forwarding=1

/Johan
Re: RDR rule on PF
I checked tcpdump on the internal if, and it's not working. I enabled IP forwarding in sysctl.conf, yes. It's so weird. I'm sure it's a very stupid mistake but I can't find it...

On 5/13/07, Johan Linner [EMAIL PROTECTED] wrote:
> Is IP forwarding enabled?
>
> # sysctl net.inet.ip.forwarding=1
>
> /Johan
Re: Failing to get [EMAIL PROTECTED] in X
Quoting Ted Unangst ([EMAIL PROTECTED]):
> from the end of your x log. seems the x40 simply can't handle a monitor that big.

Indeed, the specs for the X40 seem to indicate it can't, but booting the other (disgusting) OS installed on the same hard drive outputs [EMAIL PROTECTED] perfectly. Also, see Xorg.log below:

(II) I810(0): Monitor0: Using hsync range of 30.00-83.00 kHz
(II) I810(0): Monitor0: Using vrefresh range of 56.00-75.00 Hz
(II) I810(0): Estimated virtual size for aspect ratio 1.5667 is 1680x1050
(WW) I810(0): Shrinking virtual size estimate from 1680x1200 to 1600x1200
(1600x1200,Monitor0) mode clock 162MHz exceeds DDC maximum 150MHz
(--) I810(0): Virtual size is 1600x1200 (pitch 1600)
(**) I810(0): *Built-in mode 1280x1024
(**) I810(0): *Built-in mode 1024x768

Seems the xorg.conf I used to generate that log is wrong. This is the same part of my current Xorg.log:

(II) I810(0): External Monitor: Using hsync range of 30.00-83.00 kHz
(II) I810(0): External Monitor: Using vrefresh range of 56.00-75.00 Hz
(II) I810(0): Not using built-in mode 1600x1200 (height too large for virtual size)
(--) I810(0): Virtual size is 1680x1050 (pitch 1680)
(**) I810(0): *Built-in mode 1680x1050
              ^ Any idea what this * means?
(**) I810(0): Built-in mode 1280x1024
(**) I810(0): Built-in mode 1024x768
(**) I810(0): Built-in mode 800x600
(**) I810(0): Built-in mode 640x480
(II) I810(0): Attempting to use 75.00Hz refresh for mode 1680x1050 (85c)
[..]

Any idea why the i810 driver attempts to use 75Hz? Maybe if I could get it to try 60Hz at that point it would make it work.. I appreciate the suggestions. Any other hints?

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                    http://a.mongers.org
Re: Failing to get [EMAIL PROTECTED] in X
Quoting Jimmy Mitchener ([EMAIL PROTECTED]):
> Have you tried starting X several times in a row? I have this issue when I connect my external display to my laptop. Sometimes X comes up at [EMAIL PROTECTED] and sometimes it is at 56Hz and looks awful. The only solution seems to be to restart X several times, and eventually it gets it right. Sometimes it's not required, other times I have to restart X nearly 20 times. It seems pretty hit and miss. Hopefully this will improve with the new 965GM drivers =)

I have noticed the same randomized variation in output res and Hz when restarting X several times, but I have never seen it correctly start at the resolution I want.. I haven't tried 20 times in a row, however.

I'm more or less at the point where I've ruled out that I'm doing something obviously wrong.. sendbug is probably the only way to go from here.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                    http://a.mongers.org
Re: RDR rule on PF
On 5/13/07, Alberich de megres [EMAIL PROTECTED] wrote:
> On 5/13/07, Johan Linner [EMAIL PROTECTED] wrote:
> > Is IP forwarding enabled?
> >
> > # sysctl net.inet.ip.forwarding=1
> >
> > /Johan
>
> I checked tcpdump on the internal if, and it's not working. I enabled IP forwarding in sysctl.conf, yes. It's so weird. I'm sure it's a very stupid mistake but I can't find it...

Stupid question: did you also reboot?

-Nick
cannot make squidclamav -- issues with libcurl not found
Apologies if this mail is a bit long, but I included most of the output of some commands as I think they might help you help me work out how to proceed.

I'm trying to make/install squidclamav on a newly configured OBSD 4.1 firewall / squid proxy on an i386 AMD/K6 450MHz 200MB pc for use at home. I guess I'm missing a library or a correct path to one somewhere but I am not expert enough to find what I need to do.

squidclamav is not in the obsd packages/ports and I downloaded squidclamav-3.0.tar.gz from http://www.samse.fr/GPL/squidclamav/

I found instructions on how to make/install on http://www.kernel-panic.it/openbsd/proxy/proxy6.html where it is said that one needs the curl package. This appeared to be already installed: curl-7.16.0.

So, I unpacked squidclamav-3.0.tar.gz, cd-ed and ./configure: all seems ok (I think, or at least there are no warnings at this stage):

$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for a BSD-compatible install... /usr/bin/install -c
checking for main in -lcurl... no
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/timeb.h usability... yes
checking sys/timeb.h presence... yes
checking for sys/timeb.h... yes
checking for unistd.h... (cached) yes
checking for size_t... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for function prototypes... yes
checking whether setvbuf arguments are reversed... no
checking return type of signal handlers... void
checking for ftime... no
checking for gethostbyname... yes
checking for memset... yes
checking for regcomp... yes
checking for socket... yes
checking for strdup... yes
checking for strspn... yes
checking for strstr... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands

However make does run into problems because it cannot find curl/curl.h in main.c:

$ make
make all-am
if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -MT config.o -MD -MP -MF .deps/config.Tpo -c -o config.o config.c; then mv -f .deps/config.Tpo .deps/config.Po; else rm -f .deps/config.Tpo; exit 1; fi
if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -MT lists.o -MD -MP -MF .deps/lists.Tpo -c -o lists.o lists.c; then mv -f .deps/lists.Tpo .deps/lists.Po; else rm -f .deps/lists.Tpo; exit 1; fi
if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -MT log.o -MD -MP -MF .deps/log.Tpo -c -o log.o log.c; then mv -f .deps/log.Tpo .deps/log.Po; else rm -f .deps/log.Tpo; exit 1; fi
if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -MT main.o -MD -MP -MF .deps/main.Tpo -c -o main.o main.c; then mv -f .deps/main.Tpo .deps/main.Po; else rm -f .deps/main.Tpo; exit 1; fi
main.c:67:23: curl/curl.h: No such file or directory
main.c: In function `main':
main.c:163: error: `CURL' undeclared (first use in this function)
main.c:163: error: (Each undeclared identifier is reported only once
main.c:163: error: for each function it appears in.)
main.c:163: error: `eh' undeclared (first use in this function)
main.c:166: error: `CURL_ERROR_SIZE' undeclared (first use in this function)
main.c:243: error: `CURL_GLOBAL_ALL' undeclared (first use in this function)
main.c:255: error: `CURLOPT_WRITEFUNCTION' undeclared (first use in this function)
main.c:257: error: `CURLOPT_ERRORBUFFER' undeclared (first use in this function)
main.c:259: error:
Re: cannot make squidclamav -- issues with libcurl not found
On Sun, May 13, 2007 at 11:20:14AM +0200, Frederic Durodie wrote:
> Apologies if this mail is a bit long, but I included most of the output of some commands as I think they might help you help me work out how to proceed.
>
> I'm trying to make/install squidclamav on a newly configured OBSD 4.1 firewall / squid proxy on an i386 AMD/K6 450MHz 200MB pc for use at home. I guess I'm missing a library or a correct path to one somewhere but I am not expert enough to find what I need to do.
>
> squidclamav is not in the obsd packages/ports and I downloaded squidclamav-3.0.tar.gz from http://www.samse.fr/GPL/squidclamav/
>
> I found instructions on how to make/install on http://www.kernel-panic.it/openbsd/proxy/proxy6.html where it is said that one needs the curl package. This appeared to be already installed: curl-7.16.0.

The wonders of autohell. Something to try:

env CFLAGS=/usr/local/include LDFLAGS=/usr/local/lib ./configure

same as above, but with make

check ./configure --help if you can specify the curl location

Tobias
Re: cannot make squidclamav -- issues with libcurl not found [solved]
Hi Tobias,

Thanks a lot for the help. However I had to slightly correct your recipe below. So, for future reference for poor souls such as myself:

$ env CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure
$ vi Makefile

to change the line with

LIBS = -lcurl

to:

LIBS = -lcurl -lcompat

as was indicated at www.kernel-panic.it/openbsd/...

$ env CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib make

Thanks again.

Frederic

On Sun, 2007-05-13 at 13:17 +0200, Tobias Ulmer wrote:
> On Sun, May 13, 2007 at 11:20:14AM +0200, Frederic Durodie wrote:
> > Apologies if this mail is a bit long, but I included most of the output of some commands as I think they might help you help me work out how to proceed.
> >
> > I'm trying to make/install squidclamav on a newly configured OBSD 4.1 firewall / squid proxy on an i386 AMD/K6 450MHz 200MB pc for use at home. I guess I'm missing a library or a correct path to one somewhere but I am not expert enough to find what I need to do.
> >
> > squidclamav is not in the obsd packages/ports and I downloaded squidclamav-3.0.tar.gz from http://www.samse.fr/GPL/squidclamav/
> >
> > I found instructions on how to make/install on http://www.kernel-panic.it/openbsd/proxy/proxy6.html where it is said that one needs the curl package. This appeared to be already installed: curl-7.16.0.
>
> The wonders of autohell. Something to try:
>
> env CFLAGS=/usr/local/include LDFLAGS=/usr/local/lib ./configure
>
> same as above, but with make
>
> check ./configure --help if you can specify the curl location
>
> Tobias
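The configure run quoted in this thread answered "checking for main in -lcurl... no" and carried on, so the missing library only surfaced when make hit main.c. As an added example, not from the thread, from squidclamav or from autoconf, the Python helper below scans configure output for library probes that answered "no", proposes the -I/-L form of CFLAGS/LDFLAGS that worked for Frederic (the /usr/local prefix is an assumption, stated in the code), and appends a library to a Makefile's LIBS line the way the thread did by hand with vi. The sample configure output and Makefile fragment are constructed, in the shape of what the thread quotes.

```python
import re
import sys

# Constructed sample in the shape of the ./configure output quoted in the
# thread (not the full transcript); the -lcurl probe is the one that matters.
SAMPLE_CONFIGURE_OUTPUT = """\
checking for gawk... no
checking for nawk... nawk
checking for a BSD-compatible install... /usr/bin/install -c
checking for main in -lcurl... no
checking for ANSI C header files... yes
checking for ftime... no
checking for socket... yes
configure: creating ./config.status
"""

# Constructed Makefile fragment containing the line the thread edited by hand.
SAMPLE_MAKEFILE = "CC = gcc\nLIBS = -lcurl\nCFLAGS = -g -O2\n"

CHECK_RE = re.compile(r"^checking (?:for )?(?P<what>.+?)\.\.\. (?P<result>.+)$")
LIB_RE = re.compile(r"-l(?P<lib>[A-Za-z0-9_+.-]+)")
LIBS_LINE_RE = re.compile(r"^(LIBS\s*=)(.*)$", re.MULTILINE)


def parse_checks(output):
    """Yield (probe, result) pairs for every 'checking ... ' line."""
    for line in output.splitlines():
        m = CHECK_RE.match(line.strip())
        if m:
            yield m.group("what"), m.group("result").strip()


def failed_library_checks(output):
    """Names of libraries whose '-lFOO' probe answered 'no'.

    autoconf only aborts on checks the script author marked fatal; a silent
    'no' here is exactly the case that later failed while compiling main.c."""
    return [
        LIB_RE.search(what).group("lib")
        for what, result in parse_checks(output)
        if result == "no" and LIB_RE.search(what)
    ]


def suggested_flags(failed_libs, prefix="/usr/local"):
    """CFLAGS/LDFLAGS to retry ./configure with.

    The prefix is an assumption: /usr/local is where OpenBSD packages put
    their headers and libraries, which the thread's fixed recipe relied on."""
    if not failed_libs:
        return {}
    return {"CFLAGS": f"-I{prefix}/include", "LDFLAGS": f"-L{prefix}/lib"}


def add_libs(makefile_text, *libs):
    """Append each -lLIB to the Makefile's LIBS line, idempotently."""
    def patch(m):
        present = m.group(2).split()
        for lib in libs:
            flag = f"-l{lib}"
            if flag not in present:
                present.append(flag)
        return f"{m.group(1)} {' '.join(present)}"
    return LIBS_LINE_RE.sub(patch, makefile_text, count=1)


if __name__ == "__main__":
    # Usage: python check_configure.py [configure-output-file]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIGURE_OUTPUT
    missing = failed_library_checks(text)
    if missing:
        flags = suggested_flags(missing)
        print("library probes that failed:", ", ".join(missing))
        print("retry with: env " + " ".join(f"{k}={v}" for k, v in flags.items())
              + " ./configure")
        sys.exit(1)
    print("all library probes passed")
```

Run against a saved `./configure 2>&1 | tee configure.out`, the script exits non-zero before any make is attempted, which is the point: the "no" answer is visible in the transcript above but easy to miss in sixty lines of "yes".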
s3virge pci card on xenocara/sparc64 ?
Hello,

I'm trying to make an old Ultra 10 work in dual-screen/xinerama, with onboard ati (works fine at [EMAIL PROTECTED]) and an additional old s3 pci (detected by kernel). I've seen in xenocara/driver/Makefile that the s3virge driver, which this card normally uses on other archs/OSes, is not enabled on sparc64. Is there a particular reason, is there a known problem with this hardware, or is it only because sparc64 machines are normally only bundled/tested with ati's (as stated on http://www.openbsd.org/sparc64.html)? May I try building the driver, or is it not worth trying? Is it possible to build _only_ the driver/ part of xenocara, taking the rest of xenocara from a snapshot? I've tried with wsfb(4), but the primary card is always taken, even when specifying BusID.. If I make the card work, do I have a chance to get Xinerama?

Mandatory dmesg: http://gcu.info/~gaston/sparc64/dmesg.boot
Xorg.0.log, when trying with wsfb and BusID 2:1:0 and using onboard ati as default: http://gcu.info/~gaston/sparc64/Xorg.0.log

Thanks,
Landry
ADVERT: Secure communications software
C12-GAMMA: free/open-source FreeBSD/Linux software; http://www.caesarion.org.uk Sincerely, R Carey.
ppp dial on demand server
I have unfortunately been stuck with having to use a 56k dialup connection at home, at least until the phone company runs DSL out here (6 months, but I won't hold my breath). Anyway there are a few computers here that need to have access, so since I had used OpenBSD as a firewall when I had cable before I moved, I decided to look into that.

I have ppp dialing correctly and providing service to everyone if I ssh into the machine, launch ppp with `ppp -at isp` and at the ppp prompt type dial. If I launch ppp with `ppp -nat -auto isp` ppp never dials out.

I have pppd dialing correctly and with the demand setting in /etc/ppp/options it will background and dial out when I open a web browser on another machine, but I can not browse the web from either lynx on the firewall or any browser on a client machine. It does seem to give ppp0 the correct addresses and set ppp0 as the gateway.

I feel that I almost got it right, but since this is the first time setting up a modem connection and a dial on demand server, and having worked on it yesterday for too long, I've missed a setting somewhere or misconfigured either the ppp settings or pf. If anyone has any suggestions as to where I've goofed it would be appreciated. I would prefer to use pppd as I can set what can trigger it to dial out, but if I can get either ppp or pppd working I'd be happy. I'm sure I have a lot of unneeded stuff in these config files by now.

Firewall is OpenBSD 4.1 RELEASE

/etc/ppp/ppp.conf:

!include ~/.ppp.conf

default:
 set device /dev/tty00
 set speed 115200
 set authname username
 set authkey password
 set server +3000 showmeisp
 set redial random 100
 set mtu max 1500
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR

isp:
 set device /dev/tty00
 set speed 115200
 set authname username
 set authkey password
 set server +3000 showmeisp
 set redial random 100
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 set phone 5574061
 set dial ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\ ATZ OK-ATZ-OK ATDT\\T TIMEOUT 120 CONNECT \r\r
 set login TIMEOUT 30 login:-\\r-login: username ssword: password 1524
 add! default HISADDR
 set log local Chat
 enable dns

/etc/ppp/options:

demand
nopersist
/dev/tty00
lock
crtscts
115200
modem
defaultroute
noipdefault
idle 600
mru 1500
ipcp-accept-remote
ipcp-accept-local
10.0.0.2:10.0.0.3
netmask 255.255.255.255
active-filter 'dst port 80'
active-filter 'dst port 53'
call elink

/etc/ppp/peers/elink:

tty00
115200
crtscts
connect '/usr/sbin/chat -V -f /etc/ppp/peers/elink.chat'
noauth

/etc/ppp/peers/elink.chat:

ECHO ON
ABORT BUSY
ABORT 'NO CARRIER'
'' ATZ
OK ATDT5574061
TIMEOUT 120
CONNECT \r\r
SAY \nLogging in ... \n
ogin:--ogin: username
ssword: password

/etc/pf.conf:

Currently set to use tun0 as the ext_if; when trying with pppd ext_if is set to ppp0.

#PF CONF
#Lists
#Macros
ext_if = tun0
int_if = fxp0

#TABLES
table <mynetwork> { 192.168.0.0/24 }

#OPTIONS
set block-policy return
set loginterface $ext_if
set skip on lo0
scrub in all

#QoS
altq on $ext_if priq bandwidth 50Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

#NAT
nat on $ext_if from $int_if to any -> ($ext_if:peer)
nat-anchor ftp-proxy/*

#RDR
rdr-anchor ftp-proxy/*
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr inet proto tcp from any to any port = www -> 127.0.0.1 port 3128

#RULES
antispoof quick for $int_if inet
block in all
anchor ftp-proxy/*
pass in on $int_if from <mynetwork> to $int_if keep state
pass out on $int_if from 192.168.0.1 to <mynetwork> keep state
pass in on $int_if from <mynetwork> to any keep state
pass out on $ext_if proto { tcp } from $int_if to ($ext_if) flags S/SA keep state queue (q_def, q_pri)

-Thank you.
Re: Failing to get [EMAIL PROTECTED] in X
On 5/13/07, Alex Holst [EMAIL PROTECTED] wrote:
> (II) I810(0): External Monitor: Using hsync range of 30.00-83.00 kHz
> (II) I810(0): External Monitor: Using vrefresh range of 56.00-75.00 Hz
> (II) I810(0): Not using built-in mode 1600x1200 (height too large for virtual size)
> (--) I810(0): Virtual size is 1680x1050 (pitch 1680)
> (**) I810(0): *Built-in mode 1680x1050
>               ^ Any idea what this * means?

that's fine.

> (**) I810(0): Built-in mode 1280x1024
> (**) I810(0): Built-in mode 1024x768
> (**) I810(0): Built-in mode 800x600
> (**) I810(0): Built-in mode 640x480
> (II) I810(0): Attempting to use 75.00Hz refresh for mode 1680x1050 (85c)
> [..]
>
> Any idea why the i810 driver attempts to use 75Hz? Maybe if I could get it to try 60Hz at that point it would make it work.. I appreciate the suggestions. Any other hints?

change the modeline to only support 60hz refresh.
Re: Failing to get [EMAIL PROTECTED] in X
Quoting Ted Unangst ([EMAIL PROTECTED]):
> > Any idea why the i810 driver attempts to use 75Hz? Maybe if I could get it to try 60Hz at that point it would make it work.. I appreciate the suggestions. Any other hints?
>
> change the modeline to only support 60hz refresh.

I set VertRefresh to 60-60, included a modeline generated by gtf and disabled DDC, resulting in X being a smartarse (Sure, I can do 60Hz):

(II) I810(0): External Monitor: Using hsync range of 30.00-83.00 kHz
(II) I810(0): External Monitor: Using vrefresh value of 60.00 Hz
(--) I810(0): Virtual size is 1680x1050 (pitch 1680)
(**) I810(0): *Built-in mode 1680x1050
(**) I810(0): Built-in mode 1680x1050
(**) I810(0): Built-in mode 1280x1024
(**) I810(0): Built-in mode 1024x768
(**) I810(0): Built-in mode 800x600
(**) I810(0): Built-in mode 640x480
(II) I810(0): Attempting to use 60.00Hz refresh for mode 1680x1050 (85a)
(II) I810(0): Attempting to use 60.00Hz refresh for mode 1680x1050 (85c)
(II) I810(0): Attempting to use 60.02Hz refresh for mode 1280x1024 (858)
(II) I810(0): Attempting to use 60.00Hz refresh for mode 1024x768 (854)
(II) I810(0): Attempting to use 60.32Hz refresh for mode 800x600 (852)
(II) I810(0): Attempting to use 59.94Hz refresh for mode 640x480 (850)

VGA output is [EMAIL PROTECTED], desktop geometry being 1680x1050. What do you reckon: persistent user error or bug?

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                    http://a.mongers.org
Re: s3virge pci card on xenocara/sparc64 ?
Hi,

On 13/05/07, Landry Breuil [EMAIL PROTECTED] wrote:
> Hello, I'm trying to make an old Ultra 10 work in dual-screen/xinerama, with onboard ati (works fine at [EMAIL PROTECTED]) and an additional old s3 pci (detected by kernel).

As far as I am aware sparc64 requires OpenBoot aware graphics cards. I'm not sure how it works in the case of a secondary graphics card for X only, however. Just an idea. If it doesn't work then try a creator3d / elite3d?

-- 
Best Regards
Edd

PS. Would you mind if I grab that xorg.conf? I have a U10 that I never got X working on.

---
http://students.dec.bournemouth.ac.uk/ebarrett/
Re: dual g4 needed for hackathon
How about a dual G5? PowerMac Dual G5 7,3 2.2 Open Firmware 4. I don't follow Apple hardware, so I don't know what the difference between a G4 and a G5 is architecture wise; but I do know that OS/X has to come off of this thing with a quickness.

~BAS

On Fri, 2007-05-11 at 20:31 +0200, Mark Kettenis wrote:
> the Calgary or Edmonton area that can loan us a dual g4 machine end

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.

IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
spamd synchronization
I have two mail servers running 4.1-stable and am trying to get spamd synchronization working between them. During testing using a basic set of options

/usr/libexec/spamd -y nfe0 -Y nfe0 -d

in the resulting debug I see

using multicast spam sync mode (ttl 1, group 224.0.1.240, port 8025)

On the other system, running 'tcpdump -nn net 224.0/8', I see the following when starting up spamd:

20:11:24.546651 192.168.1.50 > 224.0.1.240: igmp nreport 224.0.1.240 [ttl 1]

In the debug output I see spamd reporting that it is sending out a sync message:

sync grey update helo chad.here ip x.x.x.x from a to b
sending multicast sync message

But I never see the resulting message in the tcpdump capture, nor does spamd on the other system see the resulting message, as I was also running it with -d. I did have them working once when I used their IPs directly instead of the default multicast.

Am I doing something wrong?

Thanks,
Chad
Chrooting users the right way
Hi

I am setting up a new OpenBSD machine in which I want to chroot users. I don't want to use any of the patching solutions to OpenSSH but want to implement a real system chroot solution so any user who is chrooted is jailed even if he logs in manually.

I have tried to find articles on this, but haven't been successful. Does anyone know of a good tutorial on how to do this on OpenBSD?

Best and kind regards.

Rico Secada.
rdate issue
Dear gentleman/madam,

I have a home network composed of 1 gateway and two boxes. All of them running OpenBSD 4.1 of course. I decided to get time synchronization for all those boxes. In the gateway machine, I managed to get the following in crontab:

*/5 * * * * /usr/sbin/rdate -4ncva ptbtime1.ptb.de | /usr/bin/logger -t NTP

In the other two boxes (lion and etosha) I have:

*/5 * * * * /usr/sbin/rdate -4cva gw | /usr/bin/logger -t NTP

Everything is working ok except that those two boxes always have a time about 20/22 seconds after my gateway time, like in the output of the date command:

[EMAIL PROTECTED] date
Sun May 13 23:04:35 BRT 2007
[EMAIL PROTECTED] date
Sun May 13 23:04:59 BRT 2007
[EMAIL PROTECTED] date
Sun May 13 23:04:59 BRT 2007

Does anybody have any idea about why it is happening?

Thanks in advance. Best regards.
Re: rdate issue
John Nietzsche wrote:
> ...
> Everything is working ok except that those two boxes always have a time about 20/22 seconds after my gateway time, like in the output of the date command:
>
> [EMAIL PROTECTED] date
> Sun May 13 23:04:35 BRT 2007
> [EMAIL PROTECTED] date
> Sun May 13 23:04:59 BRT 2007
> [EMAIL PROTECTED] date
> Sun May 13 23:04:59 BRT 2007
>
> Does anybody have any idea about why it is happening?

yep.

http://www.openbsd.org/faq/faq8.html#NTPerror

ls -l /etc/localtime

on all three boxes will probably make it clear what is going on. (look for the presence or absence of the word right in each...)

Nick.
Re: rdate issue
> I decided to get time synchronization for all those boxes. In the gateway machine, I managed to get the following in crontab:
>
> */5 * * * * /usr/sbin/rdate -4ncva ptbtime1.ptb.de | /usr/bin/logger -t NTP

snip

> Everything is working ok except that those two boxes always have a time about 20/22 seconds after my gateway time, like in the output of the date command:

Have you considered running ntpd instead of rdate? If nothing more, the daemon removes the need to have crontabs updating the clock. I have no explanation for why the times are about 20 seconds out, other than that the gateway might be taking its time to wake up the rdate daemon.

Cheers,
A
Re: NEW: education/stardict
It's really a good application. i like it. Thanks ^_^
Re: Chrooting users the right way
On Mon, 14 May 2007 02:43:59 +0200 [EMAIL PROTECTED] wrote:

Follow-up: I found some posts in the archive about this being a very bad idea; would someone mind explaining why?

On this particular system some users are trusted, but others are less trusted. The system contains some different specific files, which only the trusted user may look at. Is it a better way to simply create a group, put trusted users into that group and make that group the group of the files (chmod 750)? Also a few setups in etc are unwanted reading for less trusted users; how should one deal with that then?

Forgive my ignorance on this issue!

> Hi
>
> I am setting up a new OpenBSD machine in which I want to chroot users. I don't want to use any of the patching solutions to OpenSSH but want to implement a real system chroot solution so any user who is chrooted is jailed even if he logs in manually.
>
> I have tried to find articles on this, but haven't been successful. Does anyone know of a good tutorial on how to do this on OpenBSD?
>
> Best and kind regards.
>
> Rico Secada.
Troubleshooting NFS/SFU
I've tried to configure NFS and am nearly all the way there, but it seems like I've hit a pretty big stumbling block. I've got OpenBSD 4.1-stable (10.0.0.1) with an NFS export of my home directory. I also have a Windows XP machine (10.0.0.2) and installed the SFU 3.5 NFS client.

[/etc/exports]
/home/david -mapall=david:guest -network=10.0.0.0 -mask=255.255.255.0

I can successfully mount this share locally and perform both reads and writes.

Without any of SFU's User Name Mapping configured, I can mount the share with uid/gid of -2/-2 as advertised. Appropriately, I cannot access any files or directories that are not world-readable. However, inside a chmod-777 directory, I cannot create files or directories (which might be as expected).

After configuring User Name Mapping to map my Windows account to the UNIX account, I can mount the share with the expected uid/gid. Although I can read user-only files and directories, I still cannot create any files or directories. Windows keeps reporting that the drive has write-protection enabled.

I know this isn't a SFU help forum, but any ideas to try or tips on troubleshooting the NFS side are more than welcome. Thanks in advance.

--david

P.S. On an unrelated sidenote, does mountd always bind to the same ports by default? If not, is there a way to fix them at certain values, so that PF rules can be written to match? Linux rpc.mountd(8) supposedly has a -p option that can be used for this purpose.
startx problem
I have configured X and my /etc/X11/xorg.conf file is the same as I have used on DragonFlyBSD and Gentoo, Arch Linux etc. When I do startx on OpenBSD amd64 4.1 it 1st turns OFF and then after 2 seconds turns ON my monitor *automatically*. I had the same problem in OpenBSD 3.9 i386. Any solution?

-- 
http://arnuld.blogspot.com/
Re: rdate issue
On 5/13/07, John Nietzsche [EMAIL PROTECTED] wrote:
> In the other two boxes (lion and etosha) I have:
>
> */5 * * * * /usr/sbin/rdate -4cva gw |
>
> Everything is working ok except that those two boxes always have a time about 20/22 seconds after my gateway time, like in the output of the date command:

don't use -c.
Re: Failing to get [EMAIL PROTECTED] in X
On 5/13/07, Alex Holst [EMAIL PROTECTED] wrote:
> I set VertRefresh to 60-60, included a modeline generated by gtf and disabled DDC, resulting in X being a smartarse (Sure, I can do 60Hz):

can you post the full log somewhere? if you can wait to tuesday, i'll also try to get it working myself.
IPsec related issue.
Greetings all,

I'm trying to implement an IPsec tunnel from my LAN to a dedicated box. I've met with a common issue where some TCP packets cannot be fragmented because the DF flag is set, and the packet is unable to pass through the tunnel. In that case an informing ICMP packet is sent to the destination; the problem is that some sites block such packets. As a result, the TCP session stalls.

Some details about my setup: OpenBSD 4.1 WRAP box with a kernel PPPoE connection doing NAT. The remote box is an OpenBSD 4.0 machine with a vr(4) nic in some datacenter. My ipsec.conf is very simple and uses sane, secure defaults:

local ipsec.conf:

ike dynamic esp from { 10.10.10.0/29, pppoe } to any peer xx.xx.xx.xx srcid fw.xx.com
flow esp from { 10.10.10.0/29, 10.10.11.0/28 } to { 10.10.10.0/29, 10.10.11.0/28 } type bypass

remote ipsec.conf:

ike passive esp from any to any srcid vpngw.x96.org

So, some TCP sessions still stall. I've tried multiple combinations of the scrub directive; had to decrease max-mss and such, and still would see stalling TCP sessions. So I came up with a test that would check the maximum size of a packet that can pass through the tunnel, using ping's -s to set the size of the payload of the ICMP echo request packet. The test has shown that the maximum payload is 1330 bytes (-s 1331 would not go through). Add the 8B ICMP header and 20B IP header to make it 1358B total. Since a regular TCP header is 12 bytes larger than an ICMP header, it looks like I'd have to set max-mss to 1318 for most TCP sessions to work fine.

Then I tried the same test without the tunnel and got a result of 1464B ICMP payload. The conclusion is that there is a 134 byte overhead for the IPsec tunnel, which includes a 20B new IP header, 8B ESP header and who knows how large an optional ESP trailer. The only assumption I make for this test to work is that the ICMP echo request packet is not fragmented. Correct me if I'm wrong please.

I should probably try out scapy to create a DF TCP packet using similar logic to test the max size, to get more assuring results.

Anyway, it seems that this overhead is quite large, ~10% of the largest packet. Could anyone comment on this? I would appreciate any comments or suggestions on how to improve this setup.

My current scrub directive on the remote box is:

scrub on $ext_if no-df max-mss 1318

Like I said, some TCP sessions still stall; could that be caused by a rare enlarged TCP packet with the Options field being set? ;-)
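The post derives its max-mss from the largest ping -s payload that crossed the tunnel. As an added example, not from the post, the Python below carries that arithmetic through with the post's own numbers (1330 and 1464 byte payloads) and sets the measured overhead beside the theoretical ESP tunnel-mode overhead for comparison. The cipher block size, IV length and ICV length are assumptions (AES-CBC with HMAC-SHA1-96), since the post does not say which transforms isakmpd negotiated; the header sizes are the fixed IPv4/ICMP/TCP/ESP values.

```python
IP_HDR = 20       # IPv4 header without options
ICMP_HDR = 8      # ICMP echo header
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


def max_packet_from_ping(max_icmp_payload):
    """Largest IP datagram that fit, from the largest ping -s payload that did."""
    return max_icmp_payload + ICMP_HDR + IP_HDR


def max_mss_from_ping(max_icmp_payload, tcp_options=0):
    """TCP MSS that fits in that same datagram.

    The TCP header is 12 bytes larger than the ICMP echo header, so the
    payload budget shrinks by 12; tcp_options shrinks it further for segments
    that carry options (e.g. 12 bytes for timestamps padded with two NOPs)."""
    return max_icmp_payload + ICMP_HDR - TCP_HDR - tcp_options


def measured_tunnel_overhead(payload_without_tunnel, payload_with_tunnel):
    """Overhead the tunnel costs, from two ping sweeps with the same headers."""
    return payload_without_tunnel - payload_with_tunnel


def esp_tunnel_overhead(inner_len, iv_len=16, block_len=16, icv_len=12):
    """Theoretical ESP tunnel-mode overhead for one inner packet of inner_len:
    outer IP + ESP header + IV + padding to the cipher block + trailer + ICV.

    Assumption: AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV).
    Padding covers the inner packet plus the 2-byte trailer, so the figure
    varies with inner_len; call it for the worst case when sizing a clamp."""
    padded = inner_len + ESP_TRAILER
    pad = (-padded) % block_len
    return IP_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def worst_case_esp_overhead(iv_len=16, block_len=16, icv_len=12):
    """Largest esp_tunnel_overhead over one full cipher block of inner lengths."""
    return max(esp_tunnel_overhead(n, iv_len, block_len, icv_len)
               for n in range(block_len))


if __name__ == "__main__":
    # The post's measurements: 1330 through the tunnel, 1464 without it.
    print("largest datagram through tunnel:", max_packet_from_ping(1330))
    print("max-mss for option-free TCP:    ", max_mss_from_ping(1330))
    print("max-mss with 12B of TCP options:", max_mss_from_ping(1330, 12))
    print("measured tunnel overhead:       ", measured_tunnel_overhead(1464, 1330))
    print("theoretical ESP overhead (range): %d..%d" % (
        esp_tunnel_overhead(1358), worst_case_esp_overhead()))
```

For the post's figures this gives 1358 bytes on the wire, max-mss 1318 and a measured overhead of 134 bytes, against a theoretical 58 to 73 bytes for the assumed transforms; a gap that large is worth a second measurement with a DF-marked TCP segment, as the post itself proposes, before tuning the clamp further. The tcp_options argument speaks to the closing question: a segment carrying the 12-byte timestamp option needs 12 bytes more than an option-free one of the same MSS, so a clamp computed from the bare header leaves no margin for it.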