Re: RDR rule on PF

2007-05-13 Thread Johan Linner

Is IP forwarding enabled?

# sysctl net.inet.ip.forwarding=1

/Johan



Re: RDR rule on PF

2007-05-13 Thread Alberich de megres
I checked tcpdump on internal if, and it's not working. I enabled ip
forwarding on sysctl.conf, yes.

It's so weird. I'm sure it's a very stupid mistake but I can't find it...


On 5/13/07, Johan Linner [EMAIL PROTECTED] wrote:

 Is IP forwarding enabled?

 # sysctl net.inet.ip.forwarding=1

 /Johan



Re: Failing to get [EMAIL PROTECTED] in X

2007-05-13 Thread Alex Holst
Quoting Ted Unangst ([EMAIL PROTECTED]):
 from the end of your x log.  seems the x40 simply can't handle a
 monitor that big.

Indeed, the specs for the X40 seem to indicate it can't, but booting
the other (disgusting) OS installed on the same harddrive outputs
[EMAIL PROTECTED] perfectly. Also, see Xorg.log below:

 (II) I810(0): Monitor0: Using hsync range of 30.00-83.00 kHz
 (II) I810(0): Monitor0: Using vrefresh range of 56.00-75.00 Hz
 (II) I810(0): Estimated virtual size for aspect ratio 1.5667 is 1680x1050
 (WW) I810(0): Shrinking virtual size estimate from 1680x1200 to 1600x1200
 (1600x1200,Monitor0) mode clock 162MHz exceeds DDC maximum 150MHz
 (--) I810(0): Virtual size is 1600x1200 (pitch 1600)
 (**) I810(0): *Built-in mode 1280x1024
 (**) I810(0): *Built-in mode 1024x768

Seems the xorg.conf I used to generate that log is wrong. This is the
same part of my current Xorg.log:

(II) I810(0): External Monitor: Using hsync range of 30.00-83.00 kHz
(II) I810(0): External Monitor: Using vrefresh range of 56.00-75.00 Hz
(II) I810(0): Not using built-in mode 1600x1200 (height too large for virtual size)
(--) I810(0): Virtual size is 1680x1050 (pitch 1680)
(**) I810(0): *Built-in mode 1680x1050
  ^
Any idea what this * means?
(**) I810(0):  Built-in mode 1280x1024
(**) I810(0):  Built-in mode 1024x768
(**) I810(0):  Built-in mode 800x600
(**) I810(0):  Built-in mode 640x480
(II) I810(0): Attempting to use 75.00Hz refresh for mode 1680x1050 (85c)
[..]

Any idea why the i810 driver attempts to use 75Hz? Maybe getting it to
try 60Hz at that point would make it work..

I appreciate the suggestions. Any other hints?

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.http://a.mongers.org 



Re: Failing to get [EMAIL PROTECTED] in X

2007-05-13 Thread Alex Holst
Quoting Jimmy Mitchener ([EMAIL PROTECTED]):
 Have you tried starting X several times in a row? I have this issue
 when I connect my external display to my laptop. Sometimes X comes up
 at [EMAIL PROTECTED] and sometimes it is at 56Hz and looks awful. The
 only solution seems to be to restart X several times, and eventually
 it gets it right. Sometimes it's not required, other times I have to
 restart X nearly 20 times. It seems pretty hit and miss. Hopefully
 this will improve with the new 965GM drivers =)

I have noticed the same randomized variation in output res and Hz when
restarting X several times but I have never seen it correctly start at
the resolution I want.. I haven't tried 20 times in a row, however.

I'm more or less at the point where I've ruled out that I'm doing
something obvious wrong.. sendbug is probably the only way to go from
here.


-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.http://a.mongers.org 



Re: RDR rule on PF

2007-05-13 Thread Nick Guenther

On 5/13/07, Alberich de megres [EMAIL PROTECTED] wrote:


On 5/13/07, Johan Linner [EMAIL PROTECTED] wrote:

 Is IP forwarding enabled?

 # sysctl net.inet.ip.forwarding=1

 /Johan
I checked tcpdump on internal if, and it's not working. I enabled ip
forwarding on sysctl.conf, yes.

It's so weird. I'm sure it's a very stupid mistake but I can't find it...


Stupid question: did you also reboot?

-Nick



cannot make squidclamav -- issues with libcurl not found

2007-05-13 Thread Frederic Durodie
Apologies if this mail is a bit long, but I included most of the output
of some commands as I think they might help you tell me how to proceed.

I'm trying to make/install squidclamav on a newly configured OBSD 4.1
firewall / squid proxy on an i386 AMD/K6 450MHz 200MB pc for use at
home.

I guess I'm missing a library or a correct path to one somewhere but I
am not expert enough to find what I need to do.

squidclamav is not in the obsd packages/ports and I downloaded:
squidclamav-3.0.tar.gz from http://www.samse.fr/GPL/squidclamav/

I found instructions on how to make/install on:
http://www.kernel-panic.it/openbsd/proxy/proxy6.html
where it is said that one needs the curl package. This appeared to be
already installed: curl-7.16.0.

So, I unpacked squidclamav-3.0.tar.gz, cd-ed and ran ./configure: all seems
ok (I think, or at least there are no warnings at this stage):
$./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for a BSD-compatible install... /usr/bin/install -c
checking for main in -lcurl... no
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/timeb.h usability... yes
checking sys/timeb.h presence... yes
checking for sys/timeb.h... yes
checking for unistd.h... (cached) yes
checking for size_t... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for function prototypes... yes
checking whether setvbuf arguments are reversed... no
checking return type of signal handlers... void
checking for ftime... no
checking for gethostbyname... yes
checking for memset... yes
checking for regcomp... yes
checking for socket... yes
checking for strdup... yes
checking for strspn... yes
checking for strstr... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands


However make does run into problems because it cannot find curl/curl.h
in main.c :

$make
make  all-am
if gcc -DHAVE_CONFIG_H -I. -I. -I.  -g -O2 -MT config.o -MD -MP -MF
.deps/config.Tpo -c -o config.o config.c;  then mv -f
.deps/config.Tpo .deps/config.Po; else rm -f .deps/config.Tpo;
exit 1; fi
if gcc -DHAVE_CONFIG_H -I. -I. -I.  -g -O2 -MT lists.o -MD -MP -MF
.deps/lists.Tpo -c -o lists.o lists.c;  then mv -f .deps/lists.Tpo
.deps/lists.Po; else rm -f .deps/lists.Tpo; exit 1; fi
if gcc -DHAVE_CONFIG_H -I. -I. -I.  -g -O2 -MT log.o -MD -MP -MF
.deps/log.Tpo -c -o log.o log.c;  then mv -f .deps/log.Tpo
.deps/log.Po; else rm -f .deps/log.Tpo; exit 1; fi
if gcc -DHAVE_CONFIG_H -I. -I. -I.  -g -O2 -MT main.o -MD -MP -MF
.deps/main.Tpo -c -o main.o main.c;  then mv -f .deps/main.Tpo
.deps/main.Po; else rm -f .deps/main.Tpo; exit 1; fi
main.c:67:23: curl/curl.h: No such file or directory
main.c: In function `main':
main.c:163: error: `CURL' undeclared (first use in this function)
main.c:163: error: (Each undeclared identifier is reported only once
main.c:163: error: for each function it appears in.)
main.c:163: error: `eh' undeclared (first use in this function)
main.c:166: error: `CURL_ERROR_SIZE' undeclared (first use in this
function)
main.c:243: error: `CURL_GLOBAL_ALL' undeclared (first use in this
function)
main.c:255: error: `CURLOPT_WRITEFUNCTION' undeclared (first use in this
function)
main.c:257: error: `CURLOPT_ERRORBUFFER' undeclared (first use in this
function)main.c:259: error: 

Re: cannot make squidclamav -- issues with libcurl not found

2007-05-13 Thread Tobias Ulmer
On Sun, May 13, 2007 at 11:20:14AM +0200, Frederic Durodie wrote:
 Apologies if this mail is a bit long, but I included most of the output
 of some commands as I think they might help you tell me how to proceed.
 
 I'm trying to make/install squidclamav on a newly configured OBSD 4.1
 firewall / squid proxy on an i386 AMD/K6 450MHz 200MB pc for use at
 home.
 
 I guess I'm missing a library or a correct path to one somewhere but I
 am not expert enough to find what I need to do.
 
 squidclamav is not in the obsd packages/ports and I downloaded:
 squidclamav-3.0.tar.gz from http://www.samse.fr/GPL/squidclamav/
 
 I found instructions on how to make/install on:
 http://www.kernel-panic.it/openbsd/proxy/proxy6.html
 where it is said that one needs the curl package. This appeared to be
 already installed: curl-7.16.0.



The wonders of autohell. Some things to try:

env CFLAGS=/usr/local/include LDFLAGS=/usr/local/lib ./configure
same as above, but with make
check ./configure --help if you can specify the curl location

Tobias



Re: cannot make squidclamav -- issues with libcurl not found [solved]

2007-05-13 Thread Frederic Durodie
Hi Tobias,

Thanks a lot for the help. However I had to slightly correct your recipe
below. So, for future reference for poor souls such as myself :

$ env CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib ./configure
$ vi Makefile
to change the line with LIBS = -lcurl to :
LIBS = -lcurl -lcompat
as was indicated at www.kernel-panic.it/openbsd/...
$ env CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib make

Thanks again.
Frederic

On Sun, 2007-05-13 at 13:17 +0200, Tobias Ulmer wrote:
 On Sun, May 13, 2007 at 11:20:14AM +0200, Frederic Durodie wrote:
  Apologies if this mail is a bit long, but I included most of the output
  of some commands as I think they might help you tell me how to proceed.
  
  I'm trying to make/install squidclamav on a newly configured OBSD 4.1
  firewall / squid proxy on an i386 AMD/K6 450MHz 200MB pc for use at
  home.
  
  I guess I'm missing a library or a correct path to one somewhere but I
  am not expert enough to find what I need to do.
  
  squidclamav is not in the obsd packages/ports and I downloaded:
  squidclamav-3.0.tar.gz from http://www.samse.fr/GPL/squidclamav/
  
  I found instructions on how to make/install on:
  http://www.kernel-panic.it/openbsd/proxy/proxy6.html
  where it is said that one needs the curl package. This appeared to be
  already installed: curl-7.16.0.
 
 
 
 The wonders of autohell. Some things to try:
 
 env CFLAGS=/usr/local/include LDFLAGS=/usr/local/lib ./configure
 same as above, but with make
 check ./configure --help if you can specify the curl location
 
 Tobias



s3virge pci card on xenocara/sparc64 ?

2007-05-13 Thread Landry Breuil
Hello,

I'm trying to make an old Ultra 10 work in dual-screen/xinerama, with
the onboard ati (works fine at [EMAIL PROTECTED]) and an additional old s3 pci
card (detected by the kernel).
I've seen in xenocara/driver/Makefile that the s3virge driver, which this card
normally uses on other archs/OSes, is not enabled on sparc64. Is there a
particular reason, is there a known problem with this hardware, or is it
only because sparc64 machines are normally only bundled/tested with ati's (as stated
on http://www.openbsd.org/sparc64.html)? May I try building the driver, or
is it not worth trying? Is it possible to build _only_ the driver/ part of
xenocara, taking the rest of xenocara from a snapshot?
I've tried with wsfb(4), but the primary card is always taken, even when
specifying the BusID..
If I make the card work, do I have a chance to get Xinerama?

Mandatory dmesg : http://gcu.info/~gaston/sparc64/dmesg.boot
Xorg.0.log, when trying with wsfb and BusID 2:1:0 and using onboard ati as
default : http://gcu.info/~gaston/sparc64/Xorg.0.log

Thanks,
Landry



ADVERT: Secure communications software

2007-05-13 Thread Robin Carey
C12-GAMMA: free/open-source FreeBSD/Linux software;

http://www.caesarion.org.uk

Sincerely,
R Carey.



ppp dial on demand server

2007-05-13 Thread Sean Brown
I have unfortunately been stuck with having to use a 56k dialup
connection at home, at least until the phone company runs DSL out
here (6 months, but I won't hold my breath). Anyway there are a few
computers here that need to have access, so since I had used OpenBSD as
a firewall when I had cable before I moved, I decided to look into that.

I have ppp dialing correctly and providing service to everyone if I
ssh into the machine, launch ppp with `ppp -at isp` and at the ppp
prompt type dial. If I launch ppp with `ppp -nat -auto isp`, ppp never
dials out.

I have pppd dialing correctly, and with the demand setting in /etc/ppp/options
it will background and dial out when I open a web browser on
another machine, but I can not browse the web from either lynx on the
firewall or any browser on a client machine. It does seem to give
ppp0 the correct addresses and set ppp0 as the gateway.

I feel that I almost got it right, but since this is the first time
setting up a modem connection and a dial on demand server, and having worked
on it yesterday for too long, I've missed a setting somewhere or
misconfigured either the ppp settings or pf. If anyone has any
suggestions as to where I've goofed it would be appreciated.

I would prefer to use pppd as I can set what can trigger it to dial
out, but if I can get either ppp or pppd working I'd be happy.

I'm sure I have a lot of unneeded stuff in these config files by now.

Firewall is OpenBSD 4.1 RELEASE

/etc/ppp/ppp.conf
!include ~/.ppp.conf

default:
set device /dev/tty00
set speed 115200
set authname username
set authkey password
set server +3000 showmeisp
set redial random 100
set mtu max 1500
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR

isp:
set device /dev/tty00
set speed 115200
set authname username
set authkey password
set server +3000 showmeisp
set redial random 100
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
set phone 5574061
set dial ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\ ATZ OK-ATZ-OK ATDT\\T TIMEOUT 120 CONNECT \r\r
set login TIMEOUT 30 login:-\\r-login: username ssword: password 1524

add! default HISADDR
set log local Chat
enable dns

/etc/ppp/options:
demand
nopersist
/dev/tty00
lock
crtscts
115200
modem
defaultroute
noipdefault
idle 600
mru 1500
ipcp-accept-remote
ipcp-accept-local

10.0.0.2:10.0.0.3
netmask 255.255.255.255
active-filter 'dst port 80'
active-filter 'dst port 53'
call elink

/etc/ppp/peers/elink:
tty00 115200 crtscts
connect '/usr/sbin/chat -V -f /etc/ppp/peers/elink.chat'
noauth

/etc/ppp/peers/elink.chat:
ECHO ON
ABORT BUSY
ABORT 'NO CARRIER'
'' ATZ
OK ATDT5574061
TIMEOUT 120
CONNECT \r\r
SAY \nLogging in ... \n
ogin:--ogin: username
ssword: password

/etc/pf.conf: Currently set to use tun0 as the ext_if, when trying
with pppd ext_if is set to ppp0

#PF CONF

#Lists

#Macros
ext_if = tun0
int_if = fxp0

#TABLES
table <mynetwork> { 192.168.0.0/24 }

#OPTIONS
set block-policy return
set loginterface $ext_if

set skip on lo0
scrub in all

#QoS
altq on $ext_if priq bandwidth 50Kb queue { q_pri, q_def }

queue q_pri priority 7
queue q_def priority 1 priq(default)

#NAT
nat on $ext_if from $int_if to any -> ($ext_if:peer)
nat-anchor "ftp-proxy/*"

#RDR
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr inet proto tcp from any to any port = www -> 127.0.0.1 port 3128

#RULES
antispoof quick for $int_if inet
block in all
anchor "ftp-proxy/*"

pass in on $int_if from <mynetwork> to $int_if keep state
pass out on $int_if from 192.168.0.1 to <mynetwork> keep state

pass in on $int_if from <mynetwork> to any keep state
pass out on $ext_if proto { tcp } from $int_if to ($ext_if) flags S/SA keep state queue (q_def, q_pri)



-Thank you.



Re: Failing to get [EMAIL PROTECTED] in X

2007-05-13 Thread Ted Unangst

On 5/13/07, Alex Holst [EMAIL PROTECTED] wrote:

(II) I810(0): External Monitor: Using hsync range of 30.00-83.00 kHz
(II) I810(0): External Monitor: Using vrefresh range of 56.00-75.00 Hz
(II) I810(0): Not using built-in mode 1600x1200 (height too large for virtual size)
(--) I810(0): Virtual size is 1680x1050 (pitch 1680)
(**) I810(0): *Built-in mode 1680x1050
  ^
Any idea what this * means?


that's fine.


(**) I810(0):  Built-in mode 1280x1024
(**) I810(0):  Built-in mode 1024x768
(**) I810(0):  Built-in mode 800x600
(**) I810(0):  Built-in mode 640x480
(II) I810(0): Attempting to use 75.00Hz refresh for mode 1680x1050 (85c)
[..]

Any idea why the i810 driver attempts to use 75Hz? Maybe getting it to
try 60Hz at that point would make it work..

I appreciate the suggestions. Any other hints?


change the modeline to only support 60hz refresh.



Re: Failing to get [EMAIL PROTECTED] in X

2007-05-13 Thread Alex Holst
Quoting Ted Unangst ([EMAIL PROTECTED]):
 Any idea why the i810 driver attempts to use 75Hz? Maybe getting it to
 try 60Hz at that point would make it work..
 
 I appreciate the suggestions. Any other hints?
 
 change the modeline to only support 60hz refresh.

I set VertRefresh to 60-60, included a modeline generated by gtf and
disabled DDC, resulting in X being a smartarse ("Sure, I can do 60Hz"):

(II) I810(0): External Monitor: Using hsync range of 30.00-83.00 kHz
(II) I810(0): External Monitor: Using vrefresh value of 60.00 Hz
(--) I810(0): Virtual size is 1680x1050 (pitch 1680)
(**) I810(0): *Built-in mode 1680x1050
(**) I810(0):  Built-in mode 1680x1050
(**) I810(0):  Built-in mode 1280x1024
(**) I810(0):  Built-in mode 1024x768
(**) I810(0):  Built-in mode 800x600
(**) I810(0):  Built-in mode 640x480
(II) I810(0): Attempting to use 60.00Hz refresh for mode 1680x1050 (85a)
(II) I810(0): Attempting to use 60.00Hz refresh for mode 1680x1050 (85c)
(II) I810(0): Attempting to use 60.02Hz refresh for mode 1280x1024 (858)
(II) I810(0): Attempting to use 60.00Hz refresh for mode 1024x768 (854)
(II) I810(0): Attempting to use 60.32Hz refresh for mode 800x600 (852)
(II) I810(0): Attempting to use 59.94Hz refresh for mode 640x480 (850)

VGA output is [EMAIL PROTECTED], desktop geometry being 1680x1050.
What do you reckon: Persistent user error or bug?

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.http://a.mongers.org 



Re: s3virge pci card on xenocara/sparc64 ?

2007-05-13 Thread Edd Barrett

Hi,


On 13/05/07, Landry Breuil [EMAIL PROTECTED] wrote:

Hello,

I'm trying to make an old Ultra 10 work in dual-screen/xinerama, with
the onboard ati (works fine at [EMAIL PROTECTED]) and an additional old s3 pci
card (detected by the kernel).


As far as I am aware sparc64 requires OpenBoot aware graphics cards.
I'm not sure how it works in the case of a secondary graphics card for
X only however.

Just an idea.

If it doesn't work then try a creator3d / elite3d?

--
Best Regards

Edd

PS. Would you mind if I grab that xorg.conf? I have a U10 that I never
got X working on.

---
http://students.dec.bournemouth.ac.uk/ebarrett/



Re: dual g4 needed for hackathon

2007-05-13 Thread Brian A. Seklecki
How about a dual G5?  PowerMac Dual G5 7,3 2.2 Open Firmware 4.

I don't follow Apple hardware, so I don't know what the difference
between a G4 and a G5 is architecture wise; but I do know that OS/X has
to come off of this thing with a quickness. ~BAS

On Fri, 2007-05-11 at 20:31 +0200, Mark Kettenis wrote:
 the Calgary or Edmonton area that can loan us a dual g4 machine end
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.




IMPORTANT: This message contains confidential information and is intended only 
for the individual named. If the reader of this message is not an intended 
recipient (or the individual responsible for the delivery of this message to an 
intended recipient), please be advised that any re-use, dissemination, 
distribution or copying of this message is prohibited.  Please notify the 
sender immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system.



spamd synchronization

2007-05-13 Thread Chad M Stewart
I have two mail servers running 4.1-stable and am trying to get spamd
synchronization working between them.

During testing using a basic set of options

/usr/libexec/spamd -y nfe0 -Y nfe0 -d

in the resulting debug I see

using multicast spam sync mode (ttl 1, group 224.0.1.240, port 8025)

on the other system running 'tcpdump -nn net 224.0/8' I see the
following when starting up spamd

20:11:24.546651 192.168.1.50 > 224.0.1.240: igmp nreport 224.0.1.240 [ttl 1]

In the debug output I see spamd reporting that it is sending out a
sync message

sync grey update helo chad.here ip x.x.x.x from a to b
sending multicast sync message

But I never see the resulting message in the tcpdump capture, nor does
spamd on the other system see the resulting message, as I was also
running it with -d.

I did have them working once when I used their IPs directly instead
of the default multicast.

Am I doing something wrong?


Thanks,
Chad



Chrooting users the right way

2007-05-13 Thread coolzone
Hi

I am setting up a new OpenBSD machine in which I want to chroot users. I don't
want to use any of the patching solutions to OpenSSH but want to implement a
real system chroot solution so any user, who is chrooted, is jailed even if he
logs in manually.

I have tried to find articles on this, but haven't been successful.

Does anyone know of a good tutorial on how to do this on OpenBSD?

Best and kind regards.

Rico Secada.



rdate issue

2007-05-13 Thread John Nietzsche

Dear gentleman/madam,

I have a home network composed of 1 gateway and two boxes, all of them
running OpenBSD 4.1 of course.

I decided to set up time synchronization for all those boxes. On the
gateway machine, I managed to get the following in crontab:

*/5 *   *   *   *   /usr/sbin/rdate -4ncva ptbtime1.ptb.de | /usr/bin/logger -t NTP

On the other two boxes (lion and etosha) I have:

*/5 *   *   *   *   /usr/sbin/rdate -4cva gw | /usr/bin/logger -t NTP

Everything is working OK except that those two boxes always have a
time about 20/22 seconds after my gateway's time, as in the output
of the date command:

[EMAIL PROTECTED] date
Sun May 13 23:04:35 BRT 2007
[EMAIL PROTECTED] date
Sun May 13 23:04:59 BRT 2007
[EMAIL PROTECTED] date
Sun May 13 23:04:59 BRT 2007

Does anybody have any idea about why it is happening?

Thanks in advance.

best regards.



Re: rdate issue

2007-05-13 Thread Nick Holland
John Nietzsche wrote:
...
 Everything is working OK except that those two boxes always have a
 time about 20/22 seconds after my gateway's time, as in the output
 of the date command:
 
 [EMAIL PROTECTED] date
 Sun May 13 23:04:35 BRT 2007
 [EMAIL PROTECTED] date
 Sun May 13 23:04:59 BRT 2007
 [EMAIL PROTECTED] date
 Sun May 13 23:04:59 BRT 2007
 
 Does anybody have any idea about why it is happening?

yep.

http://www.openbsd.org/faq/faq8.html#NTPerror

ls -l /etc/localtime
on all three boxes will probably make it clear what is going on.
(look for the presence or absence of the word right in each...)

Nick.



Re: rdate issue

2007-05-13 Thread Adam Hawes
 I decided to set up time synchronization for all those boxes. On the
 gateway machine, I managed to get the following in crontab:

 */5 *   *   *   *   /usr/sbin/rdate -4ncva ptbtime1.ptb.de | /usr/bin/logger -t NTP

snip

 Everything is working OK except that those two boxes always have a
 time about 20/22 seconds after my gateway's time, as in the output
 of the date command:

Have you considered running ntpd instead of rdate?  If nothing more, the
daemon removes the need to have crontabs updating the clock.

I have no explanation for why the times are about 20 seconds out other
than the gateway might be taking its time to wake up the rdate
daemon.

Cheers,
A



Re: NEW: education/stardict

2007-05-13 Thread Bibby
It's really a good application. i like it.

Thanks ^_^



Re: Chrooting users the right way

2007-05-13 Thread Rico Secada
On Mon, 14 May 2007 02:43:59 +0200
[EMAIL PROTECTED] wrote:

Follow-up: I found some posts in the archive about this being a very bad idea;
would someone mind explaining why?

On this particular system some users are trusted, but others are less
trusted. The system contains some specific files which only
the trusted users may look at. Is it better to simply create a group,
put the trusted users into that group and make that group the group of the
files (chmod 750)? Also, a few setups in etc are unwanted reading for the less
trusted users; how should one deal with that?

Forgive my ignorance on this issue!

 Hi
 
 I am setting up a new OpenBSD machine in which I want to chroot users. I don't
 want to use any of the patching solutions to OpenSSH but want to implement a
 real system chroot solution so any user, who is chrooted, is jailed even if he
 logs in manually.
 
 I have tried to find articles on this, but haven't been successful.
 
 Does anyone know of a good tutorial on how to do this on OpenBSD?
 
 Best and kind regards.
 
 Rico Secada.



Troubleshooting NFS/SFU

2007-05-13 Thread David Higgs

I've tried to configure NFS and am nearly all the way there, but it
seems like I've hit a pretty big stumbling block.  I've got OpenBSD
4.1-stable (10.0.0.1) with an NFS export of my home directory.  I also
have a Windows XP machine (10.0.0.2) and installed the SFU 3.5 NFS
client.

[/etc/exports]
/home/david -mapall=david:guest -network=10.0.0.0 -mask=255.255.255.0

I can successfully mount this share locally and perform both reads and writes.

Without any of SFU's User Name Mapping configured, I can mount the
share with uid/gid of -2/-2 as advertised.  Appropriately, I cannot
access any files or directories that are not world-readable.  However,
inside a chmod-777 directory, I cannot create files or directories
(which might be as expected).

After configuring User Name Mapping to map my Windows account to the
UNIX account, I can mount the share with the expected uid/gid.
Although I can read user-only files and directories, I still cannot
create any files or directories.  Windows keeps reporting that the
drive has write-protection enabled.

I know this isn't a SFU help forum, but any ideas to try or tips on
troubleshooting the NFS side are more than welcome. Thanks in advance.

--david

P.S. On an unrelated sidenote, does mountd always bind to the same
ports by default?  If not, is there a way to fix them at certain
values, so that PF rules can be written to match?  Linux rpc.mountd(8)
supposedly has a -p option that can be used for this purpose.



startx problem

2007-05-13 Thread arnuld

I have configured X and my /etc/X11/xorg.conf file is the same as I have
used on DragonFlyBSD, Gentoo, Arch Linux etc. When I do startx on
OpenBSD amd64 4.1 it first turns OFF and then after 2 seconds turns ON
my monitor *automatically*. I had the same problem in OpenBSD 3.9
i386.

Any solution?

--
http://arnuld.blogspot.com/



Re: rdate issue

2007-05-13 Thread Ted Unangst

On 5/13/07, John Nietzsche [EMAIL PROTECTED] wrote:


In the other two boxes (lion and etosha) i have:

*/5 *   *   *   *   /usr/sbin/rdate -4cva gw |
Everything is working OK except that those two boxes always have a
time about 20/22 seconds after my gateway's time, as in the output
of the date command:


don't use -c.



Re: Failing to get [EMAIL PROTECTED] in X

2007-05-13 Thread Ted Unangst

On 5/13/07, Alex Holst [EMAIL PROTECTED] wrote:

I set VertRefresh to 60-60, included a modeline generated by gtf and
disabled DDC, resulting in X being a smartarse (Sure, I can do 60Hz):


can you post the full log somewhere?  if you can wait to tuesday, i'll
also try to get it working myself.



IPsec related issue.

2007-05-13 Thread zion
Greetings all,
I'm trying to implement an IPsec tunnel from my LAN to a dedicated box.
I've met with a common issue where some TCP packets cannot be fragmented
because the DF flag is set, and the packet is unable to pass through the
tunnel. In that case an informing ICMP packet is sent to the
destination; the problem is that some sites block such packets. As a
result, the TCP session stalls. Some details about my setup: an OpenBSD 4.1
WRAP box with a kernel PPPoE connection doing NAT. The remote box is an
OpenBSD 4.0 machine with a vr(4) nic in some datacenter. My ipsec.conf
is very simple and uses sane, secure defaults:

local ipsec.conf:
ike dynamic esp from { 10.10.10.0/29, pppoe } to any peer xx.xx.xx.xx srcid fw.xx.com
flow esp from { 10.10.10.0/29, 10.10.11.0/28 } to { 10.10.10.0/29, 10.10.11.0/28 } type bypass

remote ipsec.conf:
ike passive esp from any to any srcid vpngw.x96.org

So, some TCP sessions still stall. I've tried multiple combinations of
the scrub directive; had to decrease max-mss and such, and still would see
stalling TCP sessions. So I came up with a test that would check the
maximum size of a packet that can pass through the tunnel, using ping's -s
to set the size of the payload of the ICMP echo request packet. The test has
shown that the maximum payload is 1330 bytes (-s 1331 would not go
through). Adding the 8B ICMP header and 20B IP header makes it 1358B total. Since
a regular TCP header is 12 bytes larger than an ICMP header, it looks
like I'd have to set max-mss to 1318 for most TCP sessions to work
fine. Then I tried the same test without the tunnel and got a result of
a 1464B ICMP payload. The conclusion is that there is a 134 byte overhead
for the IPsec tunnel, which includes a 20B new IP header, an 8B ESP header and
who knows how large an optional ESP trailer. The only assumption I make
for this test to work is that the ICMP echo request packet is not
fragmented. Correct me if I'm wrong please. I should probably try out
scapy to create a DF TCP packet using similar logic to test the max size
to get more assuring results. Anyway, it seems that this overhead is
quite large, ~10% of the largest packet. Could anyone comment on this?
I would appreciate any comments or suggestions on how to improve this
setup. My current scrub directive on the remote box is:
scrub on $ext_if no-df max-mss 1318

Like I said, some TCP sessions still stall; could that be caused by a
rare enlarged TCP packet with the Options field being set? ;-)
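An added example, not from the post or from OpenBSD: Python that redoes the post's ping-based MSS arithmetic as functions and, beside it, computes the ESP tunnel-mode size budget from the RFC 4303 packet layout, so the measured max-mss of 1318 can be compared with what the encapsulation alone should allow. The AES-CBC parameters (16-byte IV and block, 96-bit ICV) are an assumption, since the post does not name its transforms.

```python
# Added example, not from the original post: redo the post's MSS arithmetic as
# functions and compare it with the ESP tunnel-mode size budget (RFC 4303).

IP_HDR = 20       # IPv4 header without options
ICMP_HDR = 8      # ICMP echo request header
TCP_HDR = 20      # TCP header without options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def path_mtu_from_ping(max_icmp_payload):
    """Largest unfragmented IP packet that crossed the path: the biggest
    `ping -s` payload that got through, plus ICMP and IP headers."""
    return max_icmp_payload + ICMP_HDR + IP_HDR


def mss_from_ping(max_icmp_payload):
    """MSS clamp the way the post derives it: the largest IP packet that
    crossed the tunnel minus IP and TCP headers (a TCP header is 12 bytes
    larger than an ICMP echo header). Assumes the echo was not fragmented."""
    return path_mtu_from_ping(max_icmp_payload) - IP_HDR - TCP_HDR


def measured_overhead(max_payload_plain, max_payload_tunnel):
    """Tunnel overhead as the post measures it: the difference between the
    largest payload without the tunnel and with it (headers cancel out)."""
    return max_payload_plain - max_payload_tunnel


def esp_tunnel_packet_size(inner_len, iv_len, block_size, icv_len):
    """Bytes on the wire for one ESP tunnel-mode packet carrying an inner IP
    packet of inner_len bytes: outer IP, SPI+seq, IV, inner packet, padding,
    pad-length/next-header trailer, ICV.  CBC padding brings
    inner + pad + trailer up to a multiple of the cipher block size."""
    pad = (-(inner_len + ESP_TRAILER)) % block_size
    return IP_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def max_inner_packet(mtu, iv_len, block_size, icv_len):
    """Largest inner IP packet whose ESP encapsulation still fits in mtu."""
    inner = mtu
    while esp_tunnel_packet_size(inner, iv_len, block_size, icv_len) > mtu:
        inner -= 1
    return inner


def expected_mss(mtu, iv_len=16, block_size=16, icv_len=12):
    """MSS clamp that ESP alone should allow over a path of the given MTU.
    The defaults (16-byte IV and block, 96-bit ICV) describe AES-CBC with a
    truncated HMAC; they are an assumption, the post does not name its
    transforms."""
    return max_inner_packet(mtu, iv_len, block_size, icv_len) - IP_HDR - TCP_HDR


if __name__ == "__main__":
    # Figures measured in the post: 1464 bytes of ping payload without the
    # tunnel, 1330 bytes through it.
    plain, tunnel = 1464, 1330
    print("path MTU without tunnel:", path_mtu_from_ping(plain))        # 1492 (PPPoE MTU)
    print("largest packet through tunnel:", path_mtu_from_ping(tunnel)) # 1358
    print("max-mss from measurement:", mss_from_ping(tunnel))           # 1318
    print("measured overhead:", measured_overhead(plain, tunnel))       # 134
    print("max-mss ESP (AES-CBC) should allow:", expected_mss(1492))    # 1382
    print("max-mss ESP (3DES-CBC) should allow:",
          expected_mss(1492, iv_len=8, block_size=8))                   # 1398
```

If the measured max-mss sits well below expected_mss for the transforms actually negotiated, ESP encapsulation is not the only thing shrinking the path, and the clamp is a workaround rather than the explanation.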