Re: Volume Management

2007-05-18 Thread Sébastien Colmant
 
I'm not tied in any way to OpenBSD; what I'm trying to avoid is
multiplying the number of different OSes I'm using, hence the question
about OpenBSD.
I think I will indeed take a look at GEOM for the time being.
The point is I now have 2 servers running OpenBSD for FTP and HTTP, 1
running as a filtering bridge, plus a management station, and I'm looking
at replacing some more Linux systems which I'm growing to dislike.
LVM/EVMS gives flexibility in managing storage, hence the question to
know if something similar was/is available.

Lyndon Nerenberg wrote:
 OpenBSD doesn't have any volume management tools ala lvm and friends.

 If you don't have other requirements that tie you to OpenBSD specifically,
 you might want to look at some of the GEOM-based providers in FreeBSD.  If
 you give a more detailed description of what you want to do you'll likely
 get better answers.

 --lyndon



Re: Volume Management

2007-05-18 Thread Lyndon Nerenberg
 I'm not tied in any way to OpenBSD; what I'm trying to avoid is
 multiplying the number of different OSes I'm using, hence the question
 about OpenBSD.

Okay, but it helps to know this info up front.

 i think i will indeed take a look at GEOM for time being.

Also, the Express releases of Solaris are shipping ZFS in addition to
the traditional Solaris volume management tools.  As a SAN storage engine,
that's one of your better places to start.

Use the right tool for the right job. OpenBSD isn't what you want for the
SAN.  But it is what you want to use to secure access to that SAN.

--lyndon



Re: flowcharts

2007-05-18 Thread mvdeventer
Thanks to those that responded. I have a few ideas.
Once I figure out how to add arrowheads, QCad may be just the thing. I got the
idea from Douglas' xfig idea. Thanks man.

Cheers


-Original Message-
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 2007/05/15 12:01
To: misc@openbsd.org
Subject: OT: flowcharts

Hi all
I have an OT question for you guys.
Do any of you use flowcharting software, and if so what do you use?
I am just beginning to explore the world of programming and have so far
used Microsoft (spit) Visio. I tried both Kivio and Dia but they fall
short for me.
My code choices are (due to the course I am attending) limited to
JavaScript and pseudocode.
Any recommendations?
Marius.



Re: a cd key

2007-05-18 Thread Timothy Wilson

Had you thought about mounting certain areas as read only?
For example, /etc, /local can be mounted as read only. When you want
to make changes, such as installing a new package or whatever, just
remount the file systems read/write.
You can also use jails.

Timothy



Re: pf state limits

2007-05-18 Thread Henning Brauer
* Brian A. Seklecki [EMAIL PROTECTED] [2007-05-17 23:52]:
 Given a i386 kernel, assume I can toss as much RAM at the box as
 needed (I know this isn't the limitation, it's a kernel memory issue),
 what's the maximum I can set the state table size to?  I have a couple
 Wild guess: The limitation is the max value that the variable size of
 the counter can contain, followed secondly by physical memory.

no, it is much much more complicated than that. If there was an easy, 
reliable way to calculate the max, we would have the kernel do the math 
and not export a user-settable limit.

there is no better answer than to try it out. increase, fill the state table.
repeat until the box panics. then choose a limit smaller than that.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam






Re: Sun Netra X1 Firewall Throughput?

2007-05-18 Thread Edd Barrett

Hi,

On 18/05/07, Bryan Vyhmeister [EMAIL PROTECTED] wrote:

Can anyone give any information about the Sun Netra X1 being used as
a pf firewall. I am specifically looking for throughput information.
I am considering using a pair for a theoretical maximum throughput of
about 45 Mbps. Can the Netra X1 comfortably handle this with carp(4)
and some pf firewalling. I know this is pretty generic but any
comments? (In case you are wondering, I would run pfsync on a VLAN on
the less used interface.) Thank you.


I have one of these as a buildbox, but I have only used it as a
personal server. Is there some kind of benchmarking tool I can run on
it to give you an idea? I have little knowledge on pf and I have never
used carp.

--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Tracking stable procedure

2007-05-18 Thread stuart van Zee
As I am still fairly new to OpenBSD in a production
environment, I have written a few procedures for myself
to follow so that I can do some of the day to day tasks
without screwing them up.  This is my procedure for
tracking stable.  If any of you see any errors, please
call me an idiot and point them out.  Note, I have read
the FAQ (again and again) as well as a couple of books
and a number of articles.  Unfortunately, it seems
like there are as many variations on tracking stable as
there are articles etc. about tracking stable, and my poor
mind has some trouble figuring out which is best.

So here is mine:

Get the Source Code:

# export [EMAIL PROTECTED]:/cvs
# cd /usr
# cvs checkout -P -rOPENBSD_#_# src
# cvs checkout -P -rOPENBSD_#_# ports

Compile and Install the Stable Kernel:

# cd /usr/src/sys/arch/i386/conf
# config GENERIC
# cd ../compile/GENERIC
# make depend && make
(this will take a while)
# cp /bsd /bsd.old
# cp bsd /
# shutdown -r now

Compile New System Binaries:

# cd /usr/src
# rm -r /usr/obj/*
# make obj && make build
(again, this will take a while)


Stuart van Zee
[EMAIL PROTECTED]



pf default queue inspection

2007-05-18 Thread Matt Hamilton

Hi All,
  I've got a firewall with several dozen pf queues on, and all has
been working fine for the past few years; however I've managed to somehow
at some point end up with a bunch of traffic ending up in the 'default
queue'.  My intention is that every packet should end up in a defined
queue (as we use this for accounting etc).  Can anyone think of any ways
I can work out what packets are ending up in the default queue?  As
the default queue is where packets which don't match a rule end up, I
can't add a log statement or anything.  I've tried putting in:


# Default outputs -- these should probably go at some point
pass out log on $ext_if proto tcp all keep state flags S/SA queue d3
pass out log on $ext_if inet all flags S/SA keep state queue d3
pass out log on $ext_if proto { gre, egp } all keep state queue d3

before any of my real queues to hopefully get everything that doesn't  
match into the queue d3 and then I can view what is going on with  
tcpdump and pflog, but I still seem to be missing something.


Any ideas?

-Matt

--
Matt Hamilton   [EMAIL PROTECTED]
Netsight Internet Solutions, Ltd.Business Vision on the Internet
http://www.netsight.co.uk +44 (0)117 9090901
Web Design | Zope/Plone Development  Consulting | Co-location | Hosting



Media Proxy In OpenBSD

2007-05-18 Thread demuel
Hi,

Just a thought. If there is proxying of FTP, is there anything in existence for what they
call MEDIA proxying in OpenBSD?


Regards,
Demuel



Re: Tracking stable procedure

2007-05-18 Thread Martin Schröder

2007/5/18, stuart van Zee [EMAIL PROTECTED]:

# make depend && make
(this will take a while)
# cp /bsd /bsd.old
# cp bsd /


Why do you deviate from the FAQ?
http://www.openbsd.org/faq/faq5.html#BldKernel

Best
  Martin



Re: Media Proxy In OpenBSD

2007-05-18 Thread Brian A. Seklecki
Do you mean this:

http://en.wikipedia.org/wiki/Media_Transfer_Protocol  ?

~BAS

On Fri, 2007-05-18 at 14:16 +0100, [EMAIL PROTECTED] wrote:
 Hi,
 
 Just a thought. If there is proxying of FTP, is there anything in existence for what
 they call MEDIA proxying in OpenBSD?
 
 
 Regards,
 Demuel
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.







Re: Tracking stable procedure

2007-05-18 Thread stuart van Zee
Mostly just because if I copy the kernel file over myself
instead of using make install I have a copy of the old
kernel in case I screwed something up (and know where it
is).  I am under the impression that copying the kernel to
the root is what make install does.  Is there a problem
with this logic?

Other than that, the faq also uses:
# make clean && make depend && make

I guess the fact that my procedure doesn't use make clean
is mostly due to a simple error... oops, I must have been
tired when I was writing the damn thing.  Thanks for
pointing that out.  I will be adding that.

s

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
 Martin Schröder
 Sent: Friday, May 18, 2007 9:19 AM
 To: Misc OpenBSD
 Subject: Re: Tracking stable procedure


 2007/5/18, stuart van Zee [EMAIL PROTECTED]:
  # make depend  make
  (this will take a while)
  # cp /bsd /bsd.old
  # cp bsd /

 Why do you deviate from the FAQ?
 http://www.openbsd.org/faq/faq5.html#BldKernel

 Best
Martin



Re: Tracking stable procedure

2007-05-18 Thread Joachim Schipper
On Fri, May 18, 2007 at 10:35:32AM -0400, stuart van Zee wrote:
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
  Martin Schröder
  2007/5/18, stuart van Zee [EMAIL PROTECTED]:
   # make depend && make
   (this will take a while)
   # cp /bsd /bsd.old
   # cp bsd /
 
  Why do you deviate from the FAQ?
  http://www.openbsd.org/faq/faq5.html#BldKernel
 
 Mostly just because if I copy the kernel file over myself
 instead of using make install I have a copy of the old
 kernel in case I screwed something up (and know where it
 is).  I am under the impression that copying the kernel to
 the root is what make install does.  Is there a problem
 with this logic?
 
 Other than that, the faq also uses:
   # make clean && make depend && make
 
 I guess the fact that my procedure doesn't use make clean
 is mostly due to a simple error... oops, I must have been
 tired when I was writing the damn thing.  Thanks for
 pointing that out.  I will be adding that.

'make install' does, in fact, back up the old kernel. Again, just follow
the FAQ.

Joachim

-- 
TFMotD: hotplugd (8) - devices hot plugging monitor daemon



Re: Volume Management

2007-05-18 Thread Sébastien Colmant
 
First of all, thanks for this enlightening answer. I'm really trying to
reduce the number of different OSes I have to support at the moment;
OpenBSD has been a wonderful replacement for web serving and FTP
services, plus of course network management. ZFS looks indeed quite
interesting and I will take a close look at it, plus the Solaris volume
management tools are quite adequate for the job I have in mind, namely
replacing a crappy Dell PowerVault running some crappy Win2000 storage
(don't ask, I wasn't in the company when this was bought and it has been
causing a lot of trouble).
Down the line the ideal solution would be to standardize on one OS, but
a stopgap solution that allows me to get away from the aforementioned
Dell box is already a nice step.
btw, is there any plan to include volume management in a future release?

Lyndon Nerenberg wrote:
 I'm not tied in any way to OpenBSD; what I'm trying to avoid is
 multiplying the number of different OSes I'm using, hence the question
 about OpenBSD.

 Okay, but it helps to know this info up front.

 i think i will indeed take a look at GEOM for time being.

 Also, the Express releases of Solaris are shipping ZFS in addition to
 the traditional Solaris volume management tools.  As a SAN storage
 engine, that's one of your better places to start.

 Use the right tool for the right job. OpenBSD isn't what you want for the
 SAN.  But it is what you want to use to secure access to that SAN.

 --lyndon



Re: Sun Netra X1 Firewall Throughput?

2007-05-18 Thread Bryan Vyhmeister

On May 18, 2007, at 4:56 AM, Edd Barrett wrote:


On 18/05/07, Bryan Vyhmeister [EMAIL PROTECTED] wrote:

Can anyone give any information about the Sun Netra X1 being used as
a pf firewall. I am specifically looking for throughput information.
I am considering using a pair for a theoretical maximum throughput of
about 45 Mbps. Can the Netra X1 comfortably handle this with carp(4)
and some pf firewalling. I know this is pretty generic but any
comments? (In case you are wondering, I would run pfsync on a VLAN on
the less used interface.) Thank you.


I have one of these as a buildbox, but I have only used it as a
personal server. Is there some kind of benchmarking tool I can run on
it to give you an idea? I have little knowledge on pf and I have never
used carp.


Thank you for the response. There isn't really an easy way to  
benchmark this type of thing except for putting it in production. I  
have one machine on the way and I can just test with that. I was just  
hoping that someone else might already be using that setup.


One thing I was wondering about the X1. Does it support hard drives  
larger than 137 GB or whatever that old limit was? I don't know if  
Sun systems are affected by those same kind of issues as older PC  
stuff but I don't want to get bitten by that one if they are.


Bryan



Re: flowcharts

2007-05-18 Thread Anthony Howe

[EMAIL PROTECTED] wrote:

Thanks to those that responded. I have a few ideas.
Once I figure out how to add arrowheads, QCad may be just the thing. I got the
idea from Douglas' xfig idea. Thanks man.


OpenOffice's Draw program can do Visio like flowcharts.

--
Anthony C Howe            Skype: SirWumpus    SnertSoft
+33 6 11 89 73 78         AIM: SirWumpus      Sendmail Milter Solutions
http://www.snert.com/     ICQ: 7116561        http://www.snertsoft.com/



Re: Volume Management

2007-05-18 Thread Ted Unangst

On 5/18/07, Sébastien Colmant [EMAIL PROTECTED] wrote:

btw, is there any plan to include volume management in a future release?


what can volume management do that you cannot do with ccdconfig and
disklabel?



Re: Sun Netra X1 Firewall Throughput?

2007-05-18 Thread Paul D. Ouderkirk

On 5/18/07, Edd Barrett [EMAIL PROTECTED] wrote:

I must say that the LOM (Lights Out Management) on this machine is
absolutely superb. The bad thing with it is that it has no CD drive,
so you have to open it up and balance one on top for the initial
install. From there on I recommend bsd.rd upgrades :P


I recommend bsd.rd installs :)

I'm actually running an X1 off compact flash on a CF-IDE adapter.

Paul.

--
Paul D. Ouderkirk
Senior UNIX System Administrator
JadedPixel Technologies
[EMAIL PROTECTED]
--
laughing,
in the mechanism
-- William Gibson



Re: Sun Netra X1 Firewall Throughput?

2007-05-18 Thread Edd Barrett

Hi,

On 18/05/07, Bryan Vyhmeister [EMAIL PROTECTED] wrote:

Thank you for the response. There isn't really an easy way to
benchmark this type of thing except for putting it in production. I
have one machine on the way and I can just test with that. I was just
hoping that someone else might already be using that setup.



Sorry I can't be of more help regarding that.


One thing I was wondering about the X1. Does it support hard drives
larger than 137 GB or whatever that old limit was? I don't know if
Sun systems are affected by those same kind of issues as older PC
stuff but I don't want to get bitten by that one if they are.


I have never tried it, to be honest. I'd like to guess it does, as it
seems a very modern (but basic) Sun machine. As in it at least has a
133MHz disk interface. Well after the time that flaw was noticed in
the mainstream?

I must say that the LOM (Lights Out Management) on this machine is
absolutely superb. The bad thing with it is that it has no CD drive,
so you have to open it up and balance one on top for the initial
install. From there on I recommend bsd.rd upgrades :P


--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: Volume Management

2007-05-18 Thread Sébastien Colmant
 
Snapshots, online resize and shrink, the ability to move the data blocks
from one storage medium to another without having to unmount or
otherwise make copies of the data;
most importantly to me is the flexibility it allows in managing a
resource that has a tendency to get overabused by users.



Ted Unangst wrote:
 On 5/18/07, Sébastien Colmant [EMAIL PROTECTED] wrote:
 btw, is there any plan to include volume management in a future
 release?

 what can volume management do that you cannot do with ccdconfig and
  disklabel?



Re: Volume Management

2007-05-18 Thread Ted Unangst

On 5/18/07, Sébastien Colmant [EMAIL PROTECTED] wrote:


After reading some more on ccdconfig, just off the top of my head it
doesn't seem to allow moving data blocks from one physical or logical
volume to another, for example.
When I'm saying volume management I'm encompassing more than
concatenating disks or partitions; I need to be able to move data
around, resize dynamically, add and/or remove disks and/or partitions
without the user having to endure downtime.
Note that I'm not saying that ccd is not a valid package, I'm just
saying that it seems to be a bit limited.


for instance, i'm looking at
http://tldp.org/HOWTO/LVM-HOWTO/reducelv.html to shrink a volume.
it's not done online.  other sections that talk about an online
operation like pvmove all say it either can cause data loss or is
unstable.  it's also highly filesystem dependent.  ffs cannot be
resized online, so it hardly matters what a volume manager would be
capable of.



Remote Syslogd

2007-05-18 Thread djgoku

I am trying to filter remote syslog information that is coming from
Motherboard Monitor on Windows. If all I do is change syslogd startup
options in /etc/rc.conf from syslogd=-u all information is logged to
/var/log/daemon. But I would really like the information be routed to
something like /var/log/hostname.

Here is some sample data in /var/log/daemon:

May 18 12:06:24 hostname hostname MBM[Case]: C=95 LA=41 HA=158 L=95 H=95 A=95
May 18 12:06:24 hostname hostname MBM[CPU]: C=87 LA=41 HA=158 L=87 H=87 A=87
May 18 12:06:24 hostname hostname MBM[Core 0]: C=1.51 LA=1.90 HA=2.10 L=1.51 H=1.51 A=1.51
May 18 12:06:24 hostname hostname MBM[+3.3]: C=3.32 LA=3.13 HA=3.46 L=3.32 H=3.32 A=3.32
May 18 12:06:24 hostname hostname MBM[+5.00]: C=5.15 LA=4.75 HA=5.25 L=5.15 H=5.15 A=5.15
May 18 12:06:24 hostname hostname MBM[+12.00]: C=12.03 LA=11.40 HA=12.60 L=12.03 H=12.03 A=12.03

syslogd.conf (I added):

+hostname
*.*   /var/log/hostname

But all the data is logged to daemon/message/hostname in /var/log/.
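A small parser for lines of the shape shown above, added here as an example (it is not code from the post or from syslogd): it splits each line into the timestamp, the host syslogd recorded and the message, groups messages per host the way the +hostname block in syslog.conf does, and then picks the MBM readings apart into key/value fields. The sample log is constructed from the six lines above plus one unrelated line from a second host (gw1, a made-up name) so the routing has something to separate; reading LA/HA as low/high alarm thresholds is an assumption about MBM's output, not something the post states.

```python
import re
from collections import defaultdict

# Constructed sample: the six MBM lines quoted in the post (wrapped lines
# rejoined, "hostname" left as the poster's placeholder) plus one unrelated
# line from a second, made-up host so the routing has something to separate.
SAMPLE_LOG = """\
May 18 12:06:24 hostname hostname MBM[Case]: C=95 LA=41 HA=158 L=95 H=95 A=95
May 18 12:06:24 hostname hostname MBM[CPU]: C=87 LA=41 HA=158 L=87 H=87 A=87
May 18 12:06:24 hostname hostname MBM[Core 0]: C=1.51 LA=1.90 HA=2.10 L=1.51 H=1.51 A=1.51
May 18 12:06:24 hostname hostname MBM[+3.3]: C=3.32 LA=3.13 HA=3.46 L=3.32 H=3.32 A=3.32
May 18 12:06:24 hostname hostname MBM[+5.00]: C=5.15 LA=4.75 HA=5.25 L=5.15 H=5.15 A=5.15
May 18 12:06:24 hostname hostname MBM[+12.00]: C=12.03 LA=11.40 HA=12.60 L=12.03 H=12.03 A=12.03
May 18 12:06:25 gw1 sshd[1234]: Accepted publickey for ops from 192.0.2.10 port 51234 ssh2
"""

# Classic BSD syslog line as written by syslogd: "Mmm dd hh:mm:ss host message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# MBM message body. The sender prefixes its own hostname, which is why the
# quoted lines show the host twice; that prefix is treated as optional here.
MBM_RE = re.compile(r"^(?:(?P<sender>\S+) )?MBM\[(?P<sensor>[^\]]+)\]: (?P<fields>.*)$")


def parse_line(line):
    """Split one syslog line into timestamp, host and message, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def route_by_host(text):
    """Group messages by the host syslogd recorded, the same split that a
    '+hostname' block in syslog.conf performs."""
    routes = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            routes[rec["host"]].append(rec["msg"])
    return dict(routes)


def parse_mbm(msg):
    """Return (sensor, {field: value}) for an MBM message, or None."""
    m = MBM_RE.match(msg)
    if m is None:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, _, val = tok.partition("=")
        try:
            fields[key] = float(val)
        except ValueError:
            return None  # malformed token: treat the whole line as non-MBM
    return m.group("sensor"), fields


def out_of_range(text):
    """Readings whose current value C lies outside [LA, HA]. Treating LA/HA
    as the low/high alarm thresholds is an assumption about MBM's format."""
    hits = []
    for host, msgs in route_by_host(text).items():
        for msg in msgs:
            parsed = parse_mbm(msg)
            if parsed is None:
                continue
            sensor, f = parsed
            if all(k in f for k in ("C", "LA", "HA")) and not f["LA"] <= f["C"] <= f["HA"]:
                hits.append((host, sensor, f["C"]))
    return hits


if __name__ == "__main__":
    for host, msgs in route_by_host(SAMPLE_LOG).items():
        print(f"{host}: {len(msgs)} message(s)")
    for host, sensor, value in out_of_range(SAMPLE_LOG):
        print(f"ALARM {host} {sensor}: C={value}")
```

Run against the sample, the routing puts all six MBM lines under the placeholder host and the sshd line under gw1, and the range check flags only the Core 0 reading, whose C=1.51 sits below its LA=1.90. The same split is what you would expect syslogd's +hostname section to produce, so comparing this parser's per-host counts with the line counts in /var/log/hostname is a quick way to see whether the selector is matching the host name syslogd actually records.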



Re: Volume Management

2007-05-18 Thread Ted Unangst

On 5/18/07, Sébastien Colmant [EMAIL PROTECTED] wrote:

ps: this is in no way an attack on one of the OpenBSD developers, who is
most certainly someone better qualified than I am to know and
understand the finer points of a system like lvm (the concept, not the
package); I merely miss some of the ease of use I have become accustomed
to while working on other systems.


hey, no problem.  i just think many people overlook the tools that are
available because they don't have the right names.



Re: Volume Management

2007-05-18 Thread Sébastien Colmant
 
After reading some more on ccdconfig, just off the top of my head it
doesn't seem to allow moving data blocks from one physical or logical
volume to another, for example.
When I'm saying volume management I'm encompassing more than
concatenating disks or partitions; I need to be able to move data
around, resize dynamically, add and/or remove disks and/or partitions
without the user having to endure downtime.
Note that I'm not saying that ccd is not a valid package, I'm just
saying that it seems to be a bit limited.

Ted Unangst wrote:
 On 5/18/07, Sébastien Colmant [EMAIL PROTECTED] wrote:
 btw, is there any plan to include volume management in a future
 release?

 what can volume management do that you cannot do with ccdconfig and
 disklabel?



https file transfer

2007-05-18 Thread stuart van Zee
I have just been handed a new project and would like to 
know if anyone has any software suggestions that would 
fit the requirements or at least a point in the right
direction.

We need to have an https server running that users can 
upload un-encrypted files to and have those files encrypted
on the fly and safely stored away until they are needed.

This is to help us interface with brain-dead people that
are unable to encrypt a file (or unable to remember to).

Those same people will need to be able to download their
files as they need them and have them decrypted for them
and sent over https so that they can use their web browser
to retrieve the files.  The fact that these files aren't 
encrypted on the users system is not our problem, we just 
need to be absolutely sure that they aren't sitting on our
system without being encrypted.  

Needless to say, I would like to run said https server on
an OpenBSD box so that I can have a hope of sleeping at 
night.   

Stuart van Zee
[EMAIL PROTECTED]



a bit OT question

2007-05-18 Thread Maxim Belooussov

Hi,

Maybe I should ask this in ports@, so it is a bit OT.

Is there a port of 'varnish' for OpenBSD?

Varnish is a BSD-licensed reverse proxy:

http://www.slideshare.net/vishnu/varnish-reverse-proxy/

Maxim



Re: https file transfer

2007-05-18 Thread L. V. Lammert

At 03:31 PM 5/18/2007 -0400, stuart van Zee wrote:

I have just been handed a new project and would like to
know if anyone has any software suggestions that would
fit the requirements or at least a point in the right
direction.

We need to have an https server running that users can
upload un-encrypted files to and have those files encrypted
on the fly and safely stored away until they are needed.


Sounds like a simple Ruby/Python/Perl script to handle the upload,
saving as a temporary file until the upload is complete, then encrypting.
Might be a tad tricky to ensure the upload is complete first, but should
not be a big problem.



Those same people will need to be able to download their
files as they need them and have them decrypted for them
and sent over https so that they can use their web browser
to retrieve the files.


Just the opposite for retrieval?

HTH,

Lee



Re: flowcharts

2007-05-18 Thread Steve Fairhead
[EMAIL PROTECTED] asked:


Do any of you use flowcharting software, and if so what do you use?
I am just beginning to explore the world of programming and have so far used
Microsoft (spit) Visio. I tried both Kivio and Dia but they fall short for
me.
My code choices are (due to the course I am attending) limited to JavaScript
and pseudocode.


By all means experiment with flowcharts, but be prepared to move on: I
haven't used flowcharts in nearly 30 years, and there are good reasons.
First, they teach you nothing about good structure - it's too easy to draw
spaghetti. Second, they're never maintained - code gets tweaked, but the
(graphical) flowcharts don't - so they become misleading documentation.
Lastly, if your code is so complex that it needs a flowchart to be
comprehensible, you're doing something wrong - or, at least, there are
better ways.

My suggestion would be to flowchart in pseudocode (avoiding the infamous
goto, of course - haven't used those in 30 years, either - there's always a
better, cleaner way). If you have large, complex indents, consider
decomposing further: turn the indented section into a function (with a
simple, clean name and interface - think generality). Think in terms of
vertical complexity rather than horizontal. Aim to make your code as
readable as you can. Similarly, make the code self-documenting: if
maintenance relies on separate documents, it'll become harder when the docs
fall behind - as they invariably will.

All IMHO, of course, but learned the hard way ;). And it is entirely
possible that this is something you *have* to learn the hard way, hence my
opening words.

Steve
[Oh - and while I'm at it: avoid global variables. They are evil. But that's
maybe for later, in the OO chapter... ;)]

http://www.sfdesign.co.uk
http://www.fivetrees.com



Re: https file transfer

2007-05-18 Thread Tobias Ulmer
On Fri, May 18, 2007 at 03:31:50PM -0400, stuart van Zee wrote:
 I have just been handed a new project and would like to 
 know if anyone has any software suggestions that would 
 fit the requirements or at least a point in the right
 direction.
 
 We need to have an https server running that users can 
 upload un-encrypted files to and have those files encrypted
 on the fly and safely stored away until they are needed.
 
 This is to help us interface with brain-dead people that
 are unable to encrypt a file (or unable to remember to).
 
 Those same people will need to be able to download their
 files as they need them and have them decrypted for them
 and sent over https so that they can use their web browser
 to retrieve the files.  The fact that these files aren't 
 encrypted on the users system is not our problem, we just 
 need to be absolutely sure that they aren't sitting on our
 system without being encrypted.  
 
 Needless to say, I would like to run said https server on
 an OpenBSD box so that I can have a hope of sleeping at 
 night.   
 
 Stuart van Zee
 [EMAIL PROTECTED]
 


vnconfig(8), unless you want to encrypt on a per-file basis, which would
need some custom stuff; it can probably be done nicely in $PROG_LANG_OF_CHOICE
and openssl(1)/crypto(3).

Tobias



Re: Volume Management

2007-05-18 Thread Sébastien Colmant
 
Dear Ted,

I'm not after a fight here, I'm simply asking if a tool similar to
lvm, evms or vvm is available under OpenBSD.
Also yes, it is true that it is highly dependent on the filesystem.
Lastly, I'm mentioning lvm because it is a well-known package, nothing more.
pvmove in lvm1 could be a bit tricky and the preferred solution was to
do it offline; it is now much better in lvm2, and still, even the ability
to do it offline is better than no ability in my opinion.

So while we could discuss the finer points of one solution over
another for a while, I'm just happy to have an answer to my initial
question.

ps: this is in no way an attack on one of the OpenBSD developers, who is
most certainly someone better qualified than I am to know and
understand the finer points of a system like lvm (the concept, not the
package); I merely miss some of the ease of use I have become accustomed
to while working on other systems.



Ted Unangst wrote:
 On 5/18/07, Sébastien Colmant [EMAIL PROTECTED] wrote:

 After reading some more on ccdconfig, just off the top of my head
 it doesn't seem to allow moving data blocks from one physical or
 logical volume to another, for example. When I'm saying volume
 management I'm encompassing more than concatenating disks or
 partitions; I need to be able to move data around, resize
 dynamically, add and/or remove disks and/or partitions without
 the user having to endure downtime. Note that I'm not saying that
 ccd is not a valid package, I'm just saying that it seems to be a
 bit limited.

 for instance, i'm looking at
 http://tldp.org/HOWTO/LVM-HOWTO/reducelv.html to shrink a volume.
 it's not done online.  other sections that talk about an online
 operation like pvmove all say it either can cause data loss or is
 unstable.  it's also highly filesystem dependent.  ffs cannot be
 resized online, so it hardly matters what a volume manager would be
  capable of.



Re: https file transfer

2007-05-18 Thread Stuart Henderson
On 2007/05/18 14:49, L. V. Lammert wrote:
 saving as a temporary file until the upload is complete, then encrypting. 

temporary file? that depends on the exact definition of absolutely
sure that they aren't sitting on our system without being encrypted

decryption will need to involve some user-supplied component to be
worth much; there's not a lot of point encrypting if the means to
decrypt are stored on the same system as the encrypted files...
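One way to meet both objections raised in this thread, as an added example (it is not code from the thread or from any OpenBSD tool): the upload is encrypted chunk by chunk as it streams in, so no plaintext temporary file is ever written, and the keys are derived from a passphrase the user supplies at upload and again at download time, so nothing stored on the server can decrypt the files. It uses only the Python standard library: scrypt for key stretching (assumes hashlib.scrypt is available, i.e. Python built against OpenSSL 1.1 or later) and HMAC-SHA256 both as a counter-mode keystream and as an encrypt-then-MAC tag. That stdlib-only construction stands in for a vetted AEAD such as AES-GCM from a real crypto library, which is what the openssl(1)/crypto(3) route Tobias mentions would give you.

```python
import hashlib
import hmac
import io
import os

CHUNK = 64 * 1024            # the upload is processed in pieces of this size
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32                 # HMAC-SHA256 tag


def derive_keys(passphrase, salt):
    """Stretch the user's passphrase into an encryption key and a MAC key.
    Assumes hashlib.scrypt exists (Python built against OpenSSL 1.1+)."""
    km = hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _ctr_xor(enc_key, nonce, block, data):
    """XOR data with a keystream of HMAC-SHA256(enc_key, nonce || counter)
    blocks, starting at block number `block`; returns (output, next block)."""
    out = bytearray()
    pos = 0
    while pos < len(data):
        ks = hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        piece = data[pos:pos + len(ks)]
        out += bytes(a ^ b for a, b in zip(piece, ks))
        pos += len(piece)
        block += 1
    return bytes(out), block


def encrypt_stream(src, dst, passphrase):
    """Read plaintext from src in chunks and write salt || nonce || ciphertext
    || tag to dst. Plaintext is never buffered to disk. Returns bytes read."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    tag = hmac.new(mac_key, salt + nonce, hashlib.sha256)   # encrypt-then-MAC
    dst.write(salt + nonce)
    block, total = 0, 0
    while True:
        chunk = src.read(CHUNK)
        if not chunk:
            break
        ct, block = _ctr_xor(enc_key, nonce, block, chunk)
        tag.update(ct)
        dst.write(ct)
        total += len(chunk)
    dst.write(tag.digest())
    return total


def decrypt_stream(src, dst, passphrase):
    """Verify the tag first, then decrypt into dst. Raises ValueError on a
    wrong passphrase, truncation or tampering and writes nothing in that case.
    Buffers the ciphertext in memory so the check precedes any output."""
    header = src.read(SALT_LEN + NONCE_LEN)
    body = src.read()
    if len(header) != SALT_LEN + NONCE_LEN or len(body) < TAG_LEN:
        raise ValueError("truncated blob")
    salt, nonce = header[:SALT_LEN], header[SALT_LEN:]
    ct, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    pt, _ = _ctr_xor(enc_key, nonce, 0, ct)
    dst.write(pt)
    return len(pt)


def roundtrip(data, passphrase):
    """Encrypt an in-memory 'upload' and decrypt it again (test helper)."""
    blob = io.BytesIO()
    encrypt_stream(io.BytesIO(data), blob, passphrase)
    out = io.BytesIO()
    decrypt_stream(io.BytesIO(blob.getvalue()), out, passphrase)
    return out.getvalue()


def rejects(data, passphrase, decrypt_with, flip_byte=None):
    """True if decryption is refused, e.g. wrong passphrase or a flipped bit."""
    blob = io.BytesIO()
    encrypt_stream(io.BytesIO(data), blob, passphrase)
    raw = bytearray(blob.getvalue())
    if flip_byte is not None:
        raw[flip_byte] ^= 0x01
    try:
        decrypt_stream(io.BytesIO(bytes(raw)), io.BytesIO(), decrypt_with)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed stand-in for an uploaded file body.
    print(roundtrip(b"quarterly figures, unencrypted by the sender", b"correct horse"))
```

Decryption verifies the tag before writing a single byte, so a wrong passphrase, a truncated blob or a flipped ciphertext bit all fail closed with ValueError; the cost is that decrypt_stream holds the ciphertext in memory, which for large files you would replace with a verification pass followed by a decryption pass. In a web handler, src would be the request body stream and dst the storage file, so the only plaintext copy lives in the 64 KiB chunk buffer. The operational caveat is the flip side of the design: a forgotten passphrase makes the file unrecoverable, which is exactly what not keeping the key on the server buys you.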



Re: https file transfer

2007-05-18 Thread viq

On 18/05/07, stuart van Zee [EMAIL PROTECTED] wrote:

I have just been handed a new project and would like to
know if anyone has any software suggestions that would
fit the requirements or at least a point in the right
direction.

We need to have an https server running that users can
upload un-encrypted files to and have those files encrypted
on the fly and safely stored away until they are needed.

This is to help us interface with brain-dead people that
are unable to encrypt a file (or unable to remember to).

Those same people will need to be able to download their
files as they need them and have them decrypted for them
and sent over https so that they can use their web browser
to retrieve the files.  The fact that these files aren't
encrypted on the users system is not our problem, we just
need to be absolutely sure that they aren't sitting on our
system without being encrypted.

Needless to say, I would like to run said https server on
an OpenBSD box so that I can have a hope of sleeping at
night.

Stuart van Zee
[EMAIL PROTECTED]


Maybe doesn't quite answer your question, but here's something that
does pretty much what you're asking for:
http://www.vmware.com/vmtn/appliances/directory/138
And if you don't like it, you can always figure out how they did that
and do that yourself on a platform of your choosing ;)


--
viq



Re: a bit OT question

2007-05-18 Thread Maxim Belooussov

Thanks for all the off-list answers. Looks like varnish uses some
features that OpenBSD doesn't have yet.

For those interested, the correct link is here:

http://varnish.projects.linpro.no/

Max



Re: Sun Netra X1 Firewall Throughput?

2007-05-18 Thread Daniel Ouellet

Bryan Vyhmeister wrote:
One thing I was wondering about the X1. Does it support hard drives 
larger than 137 GB or whatever that old limit was? I don't know if Sun 
systems are affected by those same kind of issues as older PC stuff but 
I don't want to get bitten by that one if they are.


No it doesn't. I have about 30 of them and putting in any drive bigger
than that will simply not work. Well, actually it works, but you can't
use anything above that. If you even try to partition it like that, the
system will crash and not start, period. I tried a good Seagate 180MB
for a test and couldn't use it all.




Re: Sun Netra X1 Firewall Throughput?

2007-05-18 Thread Daniel Ouellet

On 18/05/07, Bryan Vyhmeister [EMAIL PROTECTED] wrote:

Can anyone give any information about the Sun Netra X1 being used as
a pf firewall. I am specifically looking for throughput information.
I am considering using a pair for a theoretical maximum throughput of
about 45 Mbps. Can the Netra X1 comfortably handle this with carp(4)
and some pf firewalling. I know this is pretty generic but any
comments? (In case you are wondering, I would run pfsync on a VLAN on
the less used interface.) Thank you.


The X1 is great for a firewall. The limit to consider is not the
transfer in Mbps, but always the PPS. That's where you will hit the wall
if it's too high, and that's not only with the X1, but with any server.
PPS is really the biggest problem here, unless you start talking
multiples of 100Mb/sec.




Mysql Ports installation

2007-05-18 Thread John Nietzsche

Dear gentlemen,

I am trying to install mysql on my openbsd 4.1 server. But I would
like to change the user and group names from _mysql, _mysql to mysql,
dba.

I have changed a set of files:

pkg/PLIST-server:@newgroup dba:1002
pkg/PLIST-server:@newuser mysql:1001:dba:daemon:MySQL Account:/nonexistent:/sbin/nologin
patches/patch-scripts_mysql_install_db_sh:+user=mysql
patches/patch-scripts_mysqld_safe_sh:+user=mysql
patches/patch-scripts_mysql_install_db_sh:+group=dba
patches/patch-scripts_mysqld_safe_sh:+group=dba
./Makefile:  --with-mysqld-user=mysql \

But it does not seem to be enough. Is there anything I forgot?

Thank you a lot for your time and cooperation.

Best regards.



Re: Remote Syslogd

2007-05-18 Thread Darren Spruell

On 5/18/07, djgoku [EMAIL PROTECTED] wrote:

I am trying to filter remote syslog information that is coming from
Motherboard Monitor on Windows. If all I do is change syslogd startup
options in /etc/rc.conf from syslogd=-u all information is logged to
/var/log/daemon. But I would really like the information be routed to
something like /var/log/hostname.

Here is some sample data in /var/log/daemon:

May 18 12:06:24 hostname hostname MBM[Case]: C=95 LA=41 HA=158 L=95 H=95 A=95
May 18 12:06:24 hostname hostname MBM[CPU]: C=87 LA=41 HA=158 L=87 H=87 A=87
May 18 12:06:24 hostname hostname MBM[Core 0]: C=1.51 LA=1.90 HA=2.10 L=1.51 H=1.51 A=1.51
May 18 12:06:24 hostname hostname MBM[+3.3]: C=3.32 LA=3.13 HA=3.46 L=3.32 H=3.32 A=3.32
May 18 12:06:24 hostname hostname MBM[+5.00]: C=5.15 LA=4.75 HA=5.25 L=5.15 H=5.15 A=5.15
May 18 12:06:24 hostname hostname MBM[+12.00]: C=12.03 LA=11.40 HA=12.60 L=12.03 H=12.03 A=12.03

syslogd.conf (I added):

+hostname
*.*   /var/log/hostname


syslog.conf(5) doesn't make any mention of + prepending that I can find.

Can you specify which syslog facility your app should log to? If so,
you could instruct it to log to one of the local* levels and direct
that to a separate log file, e.g.

local1.* /var/log/hostname

DS



Re: Remote Syslogd

2007-05-18 Thread K K

On 5/18/07, djgoku [EMAIL PROTECTED] wrote:

I am trying to filter remote syslog information that is coming from
Motherboard Monitor on Windows. If all I do is change syslogd startup
options in /etc/rc.conf from syslogd=-u all information is logged to
/var/log/daemon. But I would really like the information be routed to
something like /var/log/hostname.


The stock syslogd doesn't directly support this type of handling.
Logging by originating host, and much more, is available in syslog-ng,
available from the ports tree (/usr/ports/sysutils/syslog-ng).

It can be a little tricky to get syslog-ng to co-exist with the stock
syslogd, or to entirely replace it with syslog-ng.

Kevin



Re: a cd key

2007-05-18 Thread Clint M. Sand
On Fri, May 18, 2007 at 08:47:21PM +1000, Timothy Wilson wrote:
 Had you thought about mounting certain areas as read only?
 For example, /etc, /local can be mounted as read only. When you want
 to make changes, such as installing a new package or whatever, just
 remount the file systems read/write.
 You can also use jails.
 
 Timothy


I think the point is that if someone roots your machine because you are
running a vulnerable service, they can't really install rootkits and
things if your binaries are on a filesystem that CAN'T be remounted r/w.

If you just mount your harddisks (or portions like /etc) ro and someone
roots your box, they just re-mount it, install rootkit, then re-mount
back ro. Does nothing really. 



Re: Bridge over gif on 4.1

2007-05-18 Thread Renaud Allard
Renaud Allard wrote:
 Markus Friedl wrote:
 On Fri, Apr 13, 2007 at 12:03:18PM +0200, Renaud Allard wrote:
 It's just quite annoying that the man page for brconfig says that the
 bridge over gif should work and it does not.
 well, it did work before and should work in 4.1


 
 I know. But with 4.1, it doesn't work with the config I posted and it
 doesn't work either with 4.1-current of april 6th.
 
 

It works great with the following patch from Markus on a -stable branch:

Index: sys/net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.158
diff -u -p -u -r1.158 if_bridge.c
--- sys/net/if_bridge.c 10 Apr 2007 17:47:55 -  1.158
+++ sys/net/if_bridge.c 16 May 2007 09:03:44 -
@@ -2705,6 +2705,11 @@ bridge_ifenqueue(struct bridge_softc *sc
int error, len;
short mflags;

+#if NGIF  0
+   /* Packet needs etherip encapsulation. */
+   if (ifp-if_type == IFT_GIF)
+   m-m_flags |= M_PROTO1;
+#endif
len = m-m_pkthdr.len;
mflags = m-m_flags;
IFQ_ENQUEUE(ifp-if_snd, m, NULL, error);
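Review bot: the new `#if NGIF` block in bridge_ifenqueue() references NGIF and IFT_GIF, but the hunk adds no `#include "gif.h"` (or net/if_types.h) to if_bridge.c; if those are not already included higher up in the file, NGIF is undefined, the preprocessor treats it as 0 and the fix is compiled out silently with no error. Worth confirming the includes in the full file and saying so in the commit message. M_PROTO1 is also a protocol-private flag whose meaning depends on the consumer, so a short comment here naming gif_start() as the side that consumes and clears it would make the pairing visible to the next reader.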
Index: sys/net/if_gif.c
===
RCS file: /cvs/src/sys/net/if_gif.c,v
retrieving revision 1.43
diff -u -p -u -r1.43 if_gif.c
--- sys/net/if_gif.c19 Apr 2007 09:28:40 -  1.43
+++ sys/net/if_gif.c16 May 2007 09:03:44 -
@@ -217,6 +217,7 @@ gif_start(ifp)
m-m_flags = ~(M_BCAST|M_MCAST);

/* extract address family */
+   family = AF_UNSPEC;
tp = *mtod(m, u_int8_t *);
tp = (tp  4)  0xff;  /* Get the IP version number. */
 #ifdef INET
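Review bot: initialising `family = AF_UNSPEC` before the `#ifdef INET` checks is the right defensive default, but the hunk does not show what gif_start() does when family is still AF_UNSPEC after them (an unrecognised IP version and no bridge flag); make sure the later dispatch on `family` frees the mbuf and counts an error rather than falling through to an encapsulation path. A one-line comment on the new line stating that AF_UNSPEC means "drop" would document the intent.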
@@ -233,16 +234,10 @@ gif_start(ifp)
 * Check if the packet is comming via bridge and needs
 * etherip encapsulation or not.
 */
-   if (ifp-if_bridge)
-   for (mtag = m_tag_find(m, PACKET_TAG_BRIDGE, NULL);
-   mtag;
-   mtag = m_tag_find(m, PACKET_TAG_BRIDGE, mtag)) {
-   if (!bcmp(ifp-if_bridge, mtag + 1,
-   sizeof(caddr_t))) {
-   family = AF_LINK;
-   break;
-   }
-   }
+   if (ifp-if_bridge  (m-m_flags  M_PROTO1)) {
+   m-m_flags = ~M_PROTO1;
+   family = AF_LINK;
+   }
 #endif

 #if NBPFILTER  0
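Review bot: replacing the PACKET_TAG_BRIDGE lookup loop with the `M_PROTO1` test removes every remaining use of `mtag` in this region, but its declaration is not in the hunk; check the top of gif_start() for a now-unused variable so the build stays warning-clean. The old loop also verified that the tag's bridge pointer matched `ifp->if_bridge`, whereas the new test accepts any mbuf carrying M_PROTO1 that arrives on a bridged gif, so the comment above ("Check if the packet is comming via bridge", also a typo for "coming") should be updated to say that bridge_ifenqueue() is the only setter of the flag, since that is now the invariant this code relies on.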



Re: Remote Syslogd

2007-05-18 Thread Stuart Henderson
On 2007/05/18 14:39, Darren Spruell wrote:
 syslog.conf(5) doesn't make any mention of + prepending that I can find.

+ in syslog.conf is a FreeBSD extension, NetBSD picked it up with some
other changes (including poll and signals - kqueue/kevent)

Neither OpenBSD nor the Linux version I just checked support +; all the
non-OpenBSD versions support the "allow spaces instead of tabs" extension,
presumably for the benefit of people who can't read manuals (though how
they'll deal with things like differing use of ! if they can't handle
tabs, who knows...)



Re: a cd key

2007-05-18 Thread Sean Malloy

On 5/17/07, BradenM - Sonoma Computer [EMAIL PROTECTED] wrote:

Hi;

In the past, I read an article which told me of a process in which a cd houses
the important system binaries and software and even some settings and is left
outside of the machine so that unauthorized users, and even root, cannot
access the programs unless the disc is within the system's cdrom drive.
Does anyone have any resources which explain and show the process for doing
something similar to that which is stated above?

Thank you;
Bray.



I think this article explains it.
http://geodsoft.com/howto/harden/OpenBSD/remove_files.htm

--
Sean Malloy
Registered GNU/Linux User #417855
www.catgrepsort.com



Re: https file transfer

2007-05-18 Thread bofh

And if he encrypts using the http server's ssl cert, he doesn't even
have to worry about decryption issues - the https server can decrypt
and toss it to the downloading user.

Security?  What's that?  His looks more like a business/audit issue.
Am I jaded that I can now see giving the users what they want, instead
of what I think is correct? Then again, who am I to determine what is
correct?


On 5/18/07, L. V. Lammert [EMAIL PROTECTED] wrote:

At 03:31 PM 5/18/2007 -0400, stuart van Zee wrote:
I have just been handed a new project and would like to
know if anyone has any software suggestions that would
fit the requirements or at least a point in the right
direction.

We need to have an https server running that users can
upload un-encrypted files to and have those files encrypted
on the fly and safely stored away until they are needed.

Sounds like a simple Ruby/Python/Perl script to handle the upload,
saving as a temporary file until the upload is complete, then encrypting.
Might be a tad tricky to ensure the upload is complete first, but should
not be a big problem.

Those same people will need to be able to download their
files as they need them and have them decrypted for them
and sent over https so that they can use their web browser
to retrieve the files.

Just the opposite for retrieval?

 HTH,

 Lee





--
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.



spamd-setup in blacklisting mode run from rc

2007-05-18 Thread Nick Templeton
Since when running spamd(8) in blacklisting mode requires
that spamd-setup(8) also be run with the -b option, should
/etc/rc (the system startup script) be modified with something
like I provide below?

Index: rc
===
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.304
diff -u -r1.304 rc
--- rc  25 Apr 2007 14:12:05 -  1.304
+++ rc  18 May 2007 22:10:31 -
@@ -668,9 +668,10 @@
 if [ X${spamd_flags} != XNO ]; then
if [ X${spamd_black} != XNO ]; then
spamd_flags=${spamd_flags} -b
+   spamd_setup_flags=-b
fi
echo -n ' spamd';   eval /usr/libexec/spamd ${spamd_flags}
-   /usr/libexec/spamd-setup
+   /usr/libexec/spamd-setup ${spamd_setup_flags}
if [ X${spamd_black} = XNO ]; then
echo -n ' spamlogd'
/usr/libexec/spamlogd ${spamlogd_flags}
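Review bot: `spamd_setup_flags` is assigned only inside the `spamd_black` branch and never given a default, so in the non-blacklist case the `/usr/libexec/spamd-setup ${spamd_setup_flags}` line relies on an unset variable expanding to nothing. Either initialise it (`spamd_setup_flags=` before the `if`) or, for consistency with the other `*_flags` knobs in this block, define it in rc.conf so administrators can pass further spamd-setup options, and have the blacklist branch append `-b` to it rather than overwrite it.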


Also maybe a mention that the cron job needs the -b flag added
in the BLACKLISTING section of spamd(8)'s man page.

-Nick Templeton



xenocara

2007-05-18 Thread Brian
I am updating my system, and I have just read about xenocara in -current.  Do I
just build this over my pre-existing X.org?  I wasn't quite sure from the
README.

And is there anything special I need to do with ports and packages?

Thanks.



Re: isakmpd not deleting old SAD

2007-05-18 Thread Steven Surdock
Steven Surdock wrote:
 Greetings,

 I have an isakmpd process that's not letting go of old SADs.  While it
 doesn't seem to be causing issues with the tunnels, it is
 causing higher
 than normal system utilization.  It seems to be occurring on
 the tunnels
 which have multiple subnets defined (e.g. VPNA and VPNB, but
 not VPNC).
 Any insight would be appreciated.

 fw1$ sudo ipsecctl -sa |grep tunnel |wc
   24 3122184
 fw1$ sudo ipsecctl -sa |grep tunnel |wc
   32 4162890
 fw1$ sudo ipsecctl -sa |grep tunnel |wc
   36 4683258
 fw1$ sudo ipsecctl -sa |grep tunnel |wc
   58 7545212

It's getting out of control.  I should only have about 18 SAD entries...

[EMAIL PROTECTED] ipsecctl -sa |grep tunn|wc
1214   15782  107964

Any insight would be appreciated.

-Steve S.



US Export of Cryptography

2007-05-18 Thread Mark Reitblatt

After reviewing OpenBSD's current policies on US contributions of
cryptography, and current US law, I'd like a clarification. Current US
law (c.f. the short guide
http://www.bis.doc.gov/encryption/lechart1.htm) allows the unlicensed
export/reexport of open source encryption source code. The only
restriction prevents knowledgeably exporting to one of the restricted
countries. BUT, there is this gem stuck in the section:

Note to paragraph (e).  Posting encryption
source code and corresponding object code on the
Internet (e.g., FTP or World Wide Web site)
where it may be downloaded by anyone neither
establishes knowledge of a prohibited export or
reexport for purposes of this paragraph, nor
triggers any red flags necessitating the
affirmative duty to inquire under the Know Your
Customer guidance provided in Supplement No.
3 to part 732 of the EAR.

Is this not an acceptable restriction? Basically, this means that no
primary CVS servers used by US crypto devs can be located in one of
the restricted countries, nor can a US server push to such a
country. As long as access is completely open, and the source code is
pulled, this section makes it quite clear that everything is peachy.

The only gotcha here is the notification requirement each time the
encryption SW is updated. However, the requirement is just
notification, not permission, and is submitted by email. It is not
100% clear, but a CVS commit email from the appropriate sections of
the source tree would appear to satisfy this requirement. This would
also only be required for contributions from US cryptographers.

This was the result of a short look into the US laws, and obviously
this isn't something that will just change overnight. But, I think it
would be useful to start up a conversation about changing OpenBSD
policies to allow US contributions. I'd be willing to conduct further,
comprehensive, and more conclusive research if I were to receive
reassurances that the restrictions above (or similar) are acceptable.

Sources:
http://www.access.gpo.gov/bis/ear/txt/740.txt
Section 740.13 (e)

P.S.
Sorry if this isn't the right list. It's the most appropriate as far
as I can tell.

--
Mark Reitblatt