OT: requesting updates to OpenBSD Server Compatibility List

2007-05-21 Thread Srebrenko Sehic

As some of you know, there is a hardware compatibility list at
http://www.armorlogic.com/oscl which provides information about
major/stock hardware and OpenBSD compatibility.

Some of the previously tested configurations are badly out-of-date or
are misinformative, especially the configurations that didn't work a
couple of releases ago. They probably work just fine now, but it
would be nice if I could get confirmation.

So please, have a look at the list and send updates directly to me or to
[EMAIL PROTECTED], especially for the configurations listed with
partial support. New configurations and updates to the already
working ones are also very welcome.

Thanks.



Re: OpenLDAP question

2007-05-21 Thread Dave Harrison
Henning Brauer wrote:
 * Uv Pzaf [EMAIL PROTECTED] [2007-05-20 23:12]:
 I wonder why OpenBSD packages (i.e. openldap-server-2.3.24.tgz) still
 use ldbm as the database backend, especially since the OpenLDAP folks
 state that this is no good any more
 (http://www.openldap.org/faq/data/cache/756.htm), and not bdb or hdb.
 
 because ldbm works fine, very much opposed to the other two you mention. 

My personal experiences with ldbm were equally fine. I recommend you use it
unless you are performing frequent writes or are in need of high-performance
lookups.  Once I started making regular writes, ldbm started to pack it in
rather frequently (db corruption), so I went to bdb; however, bdb takes careful
tuning to get right.

There also seems to be lots of noise about ldbm support becoming deprecated in
the 2.4+ releases of OpenLDAP.  You should review the OpenLDAP lists to research
this more if that's of concern.



Re: flowcharts

2007-05-21 Thread mvdeventer
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony Howe
 Sent: 18 May 2007 07:00 PM
 Cc: misc@openbsd.org
 Subject: Re: flowcharts

 [EMAIL PROTECTED] wrote:
  Thanks to those that responded. I have a few ideas.
  Once i figure out how to add arrowheads, QCad may be just the thing. I got the
  idea from Douglas' xfig idea. Thanks man.

 OpenOffice's Draw program can do Visio like flowcharts.

 --
 Anthony C Howe  Skype: SirWumpusSnertSoft
 +33 6 11 89 73 78 AIM: SirWumpusSendmail Milter Solutions
 http://www.snert.com/ ICQ: 7116561  http://www.snertsoft.com/

Yes it can, and very well too. But OpenOffice is not on the CD, and such
a large download is quite simply out of the question for an ordinary
citizen in an African country.



Re: flowcharts

2007-05-21 Thread mvdeventer
 By all means experiment with flowcharts, but be prepared to move on: I

Like I said to someone else off list. Maybe flowcharts are not needed,
but I have a lecturer who believes in them and wants me to use them in my
assignments. So for a while I am simply forced to use them.

 if your code is so complex that it needs a flowchart to be
comprehensible, you're doing something wrong

For a total beginner (like me) even basic code is not clear, so maybe I
will drop flowcharts as I become better at this.



Re: OpenLDAP question

2007-05-21 Thread Bryan Irvine

On 5/20/07, Dave Harrison [EMAIL PROTECTED] wrote:

Henning Brauer wrote:
 * Uv Pzaf [EMAIL PROTECTED] [2007-05-20 23:12]:
 I wonder why OpenBSD packages (i.e. openldap-server-2.3.24.tgz) still
 use ldbm as the database backend, especially since the OpenLDAP folks
 state that this is no good any more
 (http://www.openldap.org/faq/data/cache/756.htm), and not bdb or hdb.

 because ldbm works fine, very much opposed to the other two you mention.

My personal experiences with ldbm were equally fine. I recommend you use it
unless you are performing frequent writes or are in need of high-performance
lookups.  Once I started making regular writes, ldbm started to pack it in
rather frequently (db corruption), so I went to bdb; however, bdb takes careful
tuning to get right.


Older versions of bdb went bad on a fairly regular basis. I had DBs go
corrupt as often as once a day under older versions of OL using bdb.
This hasn't been a problem for a while though.  I haven't had a db go
bad in 2 years, even after power failures.

I forget specifically what versions of openldap and bdb had this
problem but it went away with the versions from ports on 3.7.

--Bryan



Re: flowcharts

2007-05-21 Thread Edd Barrett

Hi,

On 21/05/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Like I said to someone else off list. Maybe flowcharts are not needed,
but I have a lecturer who believes in them and wants me to use them in my
assignments. So for a while I am simply forced to use them.


Have you looked into UML state charts/ sequence charts instead?

This is the sort of thing I use for my assignments.

--
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: a cd key

2007-05-21 Thread Eric Johnson
On Fri, 18 May 2007 18:16:03 -0400
Clint M. Sand [EMAIL PROTECTED] wrote:

 On Fri, May 18, 2007 at 08:47:21PM +1000, Timothy Wilson wrote:
  Had you thought about mounting certain areas as read only?
  For example, /etc, /local can be mounted as read only. When you want
  to make changes, such as installing a new package or whatever, just
  remount the file systems read/write.
  You can also use jails.
  
  Timothy
 
 
 I think the point is that if someone roots your machine because you are
 running a vulnerable service, they can't really install rootkits and
 things if your binaries are on a filesystem that CAN'T be remounted r/w.
 
 If you just mount your harddisks (or portions like /etc) ro and someone
 roots your box, they just re-mount it, install rootkit, then re-mount
 back ro. Does nothing really. 

Of course, they could just chflags schg *.  That way, an attacker
couldn't just remove the schg flags from the files he wants to modify.

The big advantage to using a CD or DVD is that one could create the
CD/DVD from a more secure site while leaving the live site running.
When ready to upgrade, just change the CD or DVD and reboot.

Eric Johnson



pckbc, pmsi_* errors, mouse not working on 4.1

2007-05-21 Thread Markus Wernig

Hi all

I've upgraded OBSD on my notebook (hp-compaq nc7xxx series) from 3.8 to 
4.1. All went well, except that when I start X, neither mouse nor 
keyboard are responding any more. Instead I get repeating error messages 
in syslog and on console:

pmsi_enable: command error
pckbc: command timeout
pmsi_disable: command error

Google suggested that I try to enable ACPI, which I did via UKC. But as 
soon as I quit UKC, the machine hard resets and starts over. The same 
happens when I edit a kernel with config and boot from it: immediate 
reset and reboot.


Is there any other approach to solving the mouse problem? If no: is 
there any way to find out what is killing the kernel with acpi enabled?


thx /markus



Re: Problem with cvs update

2007-05-21 Thread Artur Grabowski
Mikolaj Kucharski [EMAIL PROTECTED] writes:

 Hi,
 
 For some time I have had a problem updating sources from cvs. Below is an
 example cvs session. The `No space left on device' problem happened very
 often for me during the last few months, but from today I cannot update
 the src and ports modules at all. On the target partition there is currently 1GB of
 free space. Does anyone else have this issue?

Use some other server. anoncvs.ca gets used too hard and runs out of
/tmp.

//art



Re: Problem with cvs update

2007-05-21 Thread Mikolaj Kucharski
On Mon, May 21, 2007 at 10:52:13AM +0200, Artur Grabowski wrote:
 Mikolaj Kucharski [EMAIL PROTECTED] writes:
 
  Hi,
  
  For some time I have had a problem updating sources from cvs. Below is an
  example cvs session. The `No space left on device' problem happened very
  often for me during the last few months, but from today I cannot update
  the src and ports modules at all. On the target partition there is currently 1GB of
  free space. Does anyone else have this issue?
 
 Use some other server. anoncvs.ca gets used too hard and runs out of
 /tmp.

Yes, just for the record, other servers don't have this problem and they
are working without any issues.

-- 
best regards
q#



Re: flowcharts

2007-05-21 Thread mvdeventer
 -Original Message-
 From: Edd Barrett [mailto:[EMAIL PROTECTED]
 Sent: 21 May 2007 09:03 AM
 To: Marius Van Deventer - Umzimkulu; OpenBSD general usage list
 Subject: Re: flowcharts

 Hi,

 On 21/05/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  Like I said to someone else off list. Maybe flowcharts are not needed,
  but I have a lecturer who believes in them and wants me to use them in my
  assignments. So for a while I am simply forced to use them.

 Have you looked into UML state charts/ sequence charts instead?

 This is the sort of thing I use for my assignments.

 --
 Best Regards

 Edd

 ---
 http://students.dec.bournemouth.ac.uk/ebarrett

We will be doing those in the course later I believe.



Re: VESA modes

2007-05-21 Thread Jan Stary
Thanks Mats,

 The VESA lines tell us which modes the graphics card's BIOS thinks it can
 handle. It has nothing to do with what your monitor can handle.
 In your case it seems like it is the monitor that is setting the limit.
 But if you had an external 1280x1024 monitor it would be the graphics
 card that was setting the limit.

this makes sense.

 I have a couple of laptops with 1280x800 LCD panels but the VESA
 BIOS doesn't have a mode for it. This is only a problem if you have to use
 a vesa driver.

My X works fine with the native neomagic Driver, but only does 800x600;
that's why I was trying VESA, in the false hope that mentioning 1024x768
during boot somehow implies I could have that resolution.

Thanks again

Jan



Re: new openbsd 4.0 server, panic on ufsdirhash

2007-05-21 Thread Arnaud Bergeron

[snip]


OK, now I'm clueless why this happens.  I didn't see in your verbose
dmesg at all any obvious PCI busses or devices.  Yet the normal dmesg
lists your PCI devices.  I could be reading the devices wrong, but I
read in your verbose dmesg that it found:
1: Audio
2: Realtek Ethernet (probably a PCI device??)
3: isa0 bus
4: Keyboard/mouse ports (which I really think they are attached on the
ISA bus, internally on the motherboard)
5: speaker (again, same as #4, on the ISA bus in the motherboard)
6: parallel (ditto)
7: npx0 (I think this is your coprocessor, and I don't know what bus it
is on)
8: COM/Serial ports (ditto as #4)
9: Floppy drive (I would think this is on the ISA bus, but I am not
sure)

Aside from #2, the realtek ethernet, I am not seeing any signs of PCI
detection.  But how can it boot off the drive, which is on pciide0
(from original, normal dmesg in digest #783).  That device sure looks
like it's on the PCI bus.  I'm lost on this one, I totally expected to
see anything, SOMETHING about the pci bus (wouldn't it be pci0?).


I think we are missing the top of the dmesg (notice how you don't see
the copyright notice).  This must be because all the verbosity overflows
the 4k buffer for the dmesg.

Aside from that, I'm sorry I can't help much.


John did state he has another version, and if *THIS* thing fails
horribly bad on trying to get more information, I would try the other
version.  I'm not sure if the 4.1-RELEASE (at least the sparc32 one)
was done correctly, I have a simple 64MB sparcstation5 that after I
came home from work one day, the box was at the 4th prompt (for ya i386
folks, that's similar to the BIOS/SETUP program).  A day or two later
the same box, same config, same everything was waiting on a ddb prompt
with what seemed to be a runaway application (smbd, ddb's ps command
just kept endlessly returning smbd as processes running on the box).
The only change to this box was an addon SBUS 4-port ethernet board.
Anyway, I got sidetracked in the basic statement that there may be
something wrong with the comp41.tgz set?  bad press?  bad release
process on OpenBSD?  I can't pin it down, but I didn't have *ANY*
problem with 4.0, in any of its platforms.

The above paragraph may start flaming, and I want to defuse it right
now.  The problem I have above may not at all be related to John's
original problem, but I've also seen other people having trouble
installing 4.1 on this mailing list and wonder if it has something
related/linked that we can use.  Heck, my 4.1 i386 CD I burned locks up
my keyboard/kvm so bad that I have to push the buttons on the front to
reboot.  It gets to the install, upgrade, shell and then locks up.

John, please try 4.0 and then doing a source upgrade to 4.1, if this
verbose dmesg doesn't help anybody.  Sorry for bringing it up :(

Good luck.

If opportunity doesn't knock, build a door.
I can is a way of life.
More and Bigger is not always Better.
The road to success is always uphill.




CARP question

2007-05-21 Thread Alberich de megres
Hi Again!

I got my firewall running, after some headaches..

But i got a question: carp0 for example, uses em0 to listen on my shared IP,
and sends advskew on this nic ( em0 ). The same thing with the internal lan carp
device. But i don't want carp advskew to travel over the whole net. I got a third
NIC used by pfsync ( rl0 ); is there some way to send carp advskew through
rl0?

Thanks once again,
Alberich



Re: CARP question

2007-05-21 Thread Luca Corti
On Mon, 2007-05-21 at 14:01 +0200, Alberich de megres wrote:
 But i got a question: carp0 for example, uses em0 to listen on my shared IP,
 and sends advskew on this nic ( em0 ). The same thing with the internal lan carp
 device. But i don't want carp advskew to travel over the whole net. I got a third
 NIC used by pfsync ( rl0 ); is there some way to send carp advskew through
 rl0?

This makes no sense. You need to exchange CARP heartbeats through the
link on which you are sharing the IP address or you won't be monitoring
availability of all network segments connected to the firewall.

Also CARP uses authentication when exchanging messages.

ciao

Luca



Re: hackathon

2007-05-21 Thread Theo de Raadt
 On Sat, May 19, 2007 at 01:15:58PM -0600, Jack Woehr wrote:
  Theo de Raadt wrote:
  A HP XFP SR-optic 10GE module for a HP 3500yl switch which already has
  the 10Gb card installed. If anyone can help us with getting this to
  us, we'd love it.
  
  Yes, we know they are very expensive. Brutal, in fact.
  Hmm, $2,822.97 at http://keenzo.com/showproduct.asp?id=741395 (if Google
  has indeed found me the correct product :-))
 
 Yes, that would be very good to know. I found quite a mixed bag trying
 to Google for it.

The actual unit is the J8436A.  It looks like someone has in fact
bought one for us, and now HP Procurve is going through the procedures
of trying to donate one as well.  We hope that these units arrive in
time for the hackathon.  In the meantime, we will try to work with our
CX4 units (that is copper 10GE, really weird stuff).

We'll try to use the money that people did donate towards this well.

At some point we will also need one of the LR optic units as well ;)



Re: US Export of Cryptography

2007-05-21 Thread Woodchuck
On Sun, 20 May 2007, dreamwvr wrote:

  -- 
  Mark Reitblatt
 
 The entire world is not the US. The entire world AND the US is addressed
 by OpenBSD. 

Mr Reitblatt should be advised that there are some of us in the USA
that are quite pleased with and in fact grateful for a reliable,
free and open source of crypto software from *outside* the USA.
The thicket of law, regulation, executive decree and discretionary
interpretation by bureaucrats, administrative law judges and others
in this country is legendary, and growing more tangled with every
sea change in politics. The idea that democracy can remedy this
situation is charmingly naive and dangerously unrealistic.  Democracy
brought this situation about.

Mr Reitblatt seems to believe that to be arrested, sued or otherwise
harassed, drained of one's resources, and then finally, after years
of litigation and other forms of immiseration (crypto export is a
*crime*, involving prison), vindicated, is the same as having been
left in peace initially.  In the technical sense only, this is
correct.  This is the sort of Pyrrhic victory that only lawyers on
retainer celebrate.

My initial reaction to Mr Reitblatt was to wonder if he was a
provocateur from a US government department intending to plug a
security loophole.  This view is not justified, but the fact that
I had it is itself indicative of the climate here concerning such
issues -- this is now a country in which bank transactions less
than about a month's wages (anything over 5000 USD!) are reported
to authorities.  Everywhere one looks, one is being looked at by
some security entity.

OpenBSD might find itself vindicated if it began distribution
from the US.  It might find itself bankrupted, too. It might find
its hardware vanished into the black hole of an evidence locker
or impound lot.   There is very little satisfaction in being
ruined and right.  The risk/reward ratio is absolutely stunning.

Executive summary: There is no *need* for OpenBSD to enter this
meat grinder, so there is no *reason* to do it!

Stay Canadian, gents, and stay out of the US.  Others would do well
to follow OpenBSD's example!

Dave
-- 
 Resistance is futile.  You've already been assimilated.



Re: APC UPSD

2007-05-21 Thread Jean-Daniel Beaubien
If you want to use an APC UPS you might need to compile nut from ports (or
download and compile the latest version).

For some reason, the newhidups/hidups drivers are not in the 4.1 package and
are not compiled when using vanilla ports (those are the drivers needed by
most usb APC UPS, look it up to be sure).

There seems to be a problem in the hidups driver (somewhere it requires
/usr/linux/something) so it never gets compiled...and for some reason the
newhidups driver doesn't get compiled either.

I had to run ./configure --with-drivers=newhidups to compile the
newhidups driver.

My two cents,

Jd

On 5/20/07, John Nietzsche [EMAIL PROTECTED] wrote:

 I would like to try nut! Does anybody have it working with APC USB UPS ?
 Could you send me you configuration file?

 Thanks in advance.

 On 5/20/07, Patrick Cummings [EMAIL PROTECTED] wrote:

   Date: Sat, 19 May 2007 13:11:39 -0300
   From: [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Subject: Re: APC UPSD

   What about USB support?
   Is there any in ports collection supporting USB?

   Thanks in advance.

   On 5/19/07, Patrick Cummings [EMAIL PROTECTED] wrote:

     Date: Sat, 19 May 2007 03:48:49 -0300
     From: [EMAIL PROTECTED]
     To: misc@openbsd.org
     Subject: APC UPSD

     Dear gentleman,

     i realized apc-upsd port in 4.1 does not support USB UPS devices. Is
     anyone here aware of a patch for it?

     Thanks in advance.

     Best regards.

    Hi, the apcupsd port is very old, so it should not be used. You can try
    the latest source from their website, which seems to work well for most
    people, if you follow their instructions carefully. I personally use it
    with a USB SmartUPS 1500.

  Not for apc-upsd. You can try nut, available as a package. It will work
  with usb since the port is up-to-date. However, as I said, apc-upsd works
  perfectly for me with usb, using the version from their official website
  that I compiled from source. There is also upsd that you can try, also not
  available as a package, you must compile from source.



Re: spamd-setup in blacklisting mode run from rc

2007-05-21 Thread Nick Templeton
On Sun, May 20, 2007 at 12:55:58PM +0200, Maurice Janssen wrote:
 On Saturday, May 19, 2007 at 22:46:29 +0100, Jason McIntyre wrote:
 On Fri, May 18, 2007 at 05:25:32PM -0500, Nick Templeton wrote:
   Since running spamd(8) in blacklisting mode requires
   that spamd-setup(8) also be run with the -b option, should
   /etc/rc (the system startup script) be modified with something
   like what I provide below?
  
  Index: rc
  ===
  RCS file: /cvs/src/etc/rc,v
  retrieving revision 1.304
  diff -u -r1.304 rc
  --- rc  25 Apr 2007 14:12:05 -  1.304
  +++ rc  18 May 2007 22:10:31 -
  @@ -668,9 +668,10 @@
   if [ X${spamd_flags} != XNO ]; then
  if [ X${spamd_black} != XNO ]; then
  spamd_flags=${spamd_flags} -b
  +   spamd_setup_flags=-b
  fi
  echo -n ' spamd';   eval /usr/libexec/spamd 
  ${spamd_flags}
  -   /usr/libexec/spamd-setup
  +   /usr/libexec/spamd-setup ${spamd_setup_flags}
  if [ X${spamd_black} = XNO ]; then
  echo -n ' spamlogd'
  /usr/libexec/spamlogd ${spamlogd_flags}
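Review bot: spamd_setup_flags is assigned only inside the `if [ X${spamd_black} != XNO ]` branch, so on the non-blacklist path the new `/usr/libexec/spamd-setup ${spamd_setup_flags}` line depends on the variable being unset and expanding to nothing; initialise it to an empty string before the `if` (next to the other spamd defaults) so the expansion is well-defined whatever rc.conf.local or the environment has put in that name. A smaller change with no new variable would derive the flag at the call site from the same `${spamd_black}` test the hunk already performs for `spamd_flags`. Either way, note that spamd-setup fetches the lists named in spamd.conf over the network, so running it with -b this early in rc only helps when external connectivity is already up at that point in the boot.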
  
 
 why do you want to do this? spamd(8) says to use crontab.
 
 Yes, but the default is once per hour.  So without the -b flag to
 spamd-setup in /etc/rc, the blacklisted hosts are not sent to the
 spamd table in pf for quite some time.
 I think the proposed patch makes sense.
 
 Maurice
 

Right.  spamd-setup was already being executed via /etc/rc, I
simply added the -b flag.

Nick



Re: hackathon

2007-05-21 Thread Diana Eichert

On Mon, 21 May 2007, Theo de Raadt wrote:
SNIP

time for the hackathon.  In the meantime, we will try to work with our
CX4 units (that is copper 10GE, really weird stuff).

SNIP

At some point we will also need one of the LR optic units as well ;)


now that's an extreme, from CX4 Cu to LR optics. :-)

How many klicks you going to shoot between OBSD boxes?



Re: hackathon

2007-05-21 Thread Theo de Raadt
 On Mon, 21 May 2007, Theo de Raadt wrote:
 SNIP
  time for the hackathon.  In the meantime, we will try to work with our
  CX4 units (that is copper 10GE, really weird stuff).
 SNIP
  At some point we will also need one of the LR optic units as well ;)
 
 now that's an extreme, from CX4 Cu to LR optics. :-)
 
 How many klicks you going to shoot between OBSD boxes?

We are not trying to use this equipment.  We're simply trying to test
and make sure the drivers work correctly once they are written.  And
sometimes the vendors don't give us the best cards, so we have to test
what they give us.



Re: setting up ssh tunnel/vpn

2007-05-21 Thread Steffen Schütz
On Sunday 20 May 2007 22:23, Martin Toft wrote:
 On Sun, May 20, 2007 at 07:19:50PM +0200, Steffen Schütz wrote:
  You can try man ssh and then search
  for the section SSH-BASED VIRTUAL PRIVATE NETWORKS
 
  Steffen

 Nice section actually -- I just used the trial and error way of getting
 it right, as I hadn't discovered that section of the manual.

 As the OP has now got some useful answers, I'll diverge a bit from the
 original subject. Darren, Jason, and Steffen: Do any of you use
 ssh-based virtual private networks, and, if yes, what are your
 experiences? I ask, as I have a problem with mine (ssh occasionally
 stops forwarding tunnel traffic). I posted to misc@ about it yesterday:

No, I've never tried the ssh-based VPN.

 http://marc.info/?l=openbsd-miscm=117962544826309w=2

In your case I would install openswan on the 'WRT box and use IPsec
for the VPN between OpenBSD and the OpenWRT.



OpenBSD 4.1: pf is not blocking anything

2007-05-21 Thread Marcos Laufer
Hello,

I am testing pf on OpenBSD 4.1. This same configuration works fine on
OpenBSD 3.9, but in 4.1 it is not filtering anything; everything is passing
through, just as if there was no 'block all'. What worries me most is that
anyone on the outside can see my ssh service.
Is there anything wrong with the state of my rules? If I didn't
misunderstand, these rules should work just fine.

Any ideas?
Thanks in advance,

Marcos


---
#
set skip on lo
scrub in
icmp_nets={ 10.10.10.0/24 }

block all

# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state

# blackhole
table <badhosts> persist
block in quick log on egress from <badhosts> to any

# no ipv6
block in quick inet6 all


##
# outgoing

# dns
pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state

# smtp, http, https
pass out on egress proto tcp from (self)/32 to any port { smtp, www, https } flags S/SA keep state

# ntp
ntp_servers={ 10.10.10.4 }
pass out on egress proto udp from (self)/32 to $ntp_servers port ntp keep state

# ssh
ssh_friends={ 10.10.10.0/24 }
pass out on egress proto tcp from (self)/32 to $ssh_friends port ssh flags S/SA keep state


# mysql
pass out on egress proto tcp from (self)/32 to any port 3306 flags S/SA keep state

##
# incoming

# private
friends={ 10.10.10.0/24 }
friends_srvs={ ftp, ftp-data, ssh }
pass in on egress proto tcp from $friends to (self)/32 port $friends_srvs flags S/SA keep state

# MySQL and PgSQL
sql_www_apps_srv={ 10.10.10.0/24 }
pass in quick proto tcp from $sql_www_apps_srv to self/32 port { 3306, 5432 } flags S/SA keep state

# icmp
pass in quick proto icmp from $icmp_nets to self/32 keep state




Re: hackathon

2007-05-21 Thread Bryan

I will donate 100 bucks to the cause.

You call it network testing, I call it making sure the Internet is up

Same thing...  Counterstrike tournament...  ;^)

Glad to see you guys got in on the ground floor WRT 10G.  Betcha M$
don't have the ear of the hardware guys like you do...

Keep up the good work...

Bryan

On 5/21/07, Theo de Raadt [EMAIL PROTECTED] wrote:

 On Mon, 21 May 2007, Theo de Raadt wrote:
 SNIP
  time for the hackathon.  In the meantime, we will try to work with our
  CX4 units (that is copper 10GE, really weird stuff).
 SNIP
  At some point we will also need one of the LR optic units as well ;)

 now that's an extreme, from CX4 Cu to LR optics. :-)

 How many klicks you going to shoot between OBSD boxes?

We are not trying to use this equipment.  We're simply trying to test
and make sure the drivers work correctly once they are written.  And
sometimes the vendors don't give us the best cards, so we have to test
what they give us.




Re: OpenBSD 4.1: pf is not blocking anything

2007-05-21 Thread Todd Alan Smith

On 5/21/07, Marcos Laufer [EMAIL PROTECTED] wrote:

Hello,

I am testing pf on OpenBSD 4.1. This same configuration works fine on
OpenBSD 3.9, but in 4.1 it is not filtering anything; everything is passing
through, just as if there was no 'block all'. What worries me most is that
anyone on the outside can see my ssh service.
Is there anything wrong with the state of my rules? If I didn't
misunderstand, these rules should work just fine.

Any ideas?
Thanks in advance,

Marcos


---
#
set skip on lo
scrub in
icmp_nets={ 10.10.10.0/24 }

block all

# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state

# blackhole
table <badhosts> persist
block in quick log on egress from <badhosts> to any

# no ipv6
block in quick inet6 all


##
# outgoing

# dns
pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state


Marcos, 'keep state' and 'flags S/SA' are now default settings. Did
you read about what's new in 4.1[0], as well as the updated FAQ[1],
before upgrading your firewall?

-Todd

[0] http://openbsd.org/41.html#new
[1] http://openbsd.org/faq/pf/index.html



Re: OpenBSD 4.1: pf is not blocking anything

2007-05-21 Thread Mariusz Makowski

check pfctl -sr -vv
use log and pflog
check pflog via tcpdump and you will find the answer
On 2007-05-21, at 20:36, Marcos Laufer wrote:


Hello,

I am testing pf on OpenBSD 4.1. This same configuration works fine on
OpenBSD 3.9, but in 4.1 it is not filtering anything; everything is passing
through, just as if there was no 'block all'. What worries me most is that
anyone on the outside can see my ssh service.
Is there anything wrong with the state of my rules? If I didn't
misunderstand, these rules should work just fine.

Any ideas?
Thanks in advance,

Marcos


---
#
set skip on lo
scrub in
icmp_nets={ 10.10.10.0/24 }

block all

# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state

# blackhole
table <badhosts> persist
block in quick log on egress from <badhosts> to any

# no ipv6
block in quick inet6 all


##
# outgoing

# dns
pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state

# smtp, http, https
pass out on egress proto tcp from (self)/32 to any port { smtp, www, https } flags S/SA keep state

# ntp
ntp_servers={ 10.10.10.4 }
pass out on egress proto udp from (self)/32 to $ntp_servers port ntp keep state

# ssh
ssh_friends={ 10.10.10.0/24 }
pass out on egress proto tcp from (self)/32 to $ssh_friends port ssh flags S/SA keep state


# mysql
pass out on egress proto tcp from (self)/32 to any port 3306 flags S/SA keep state

##
# incoming

# private
friends={ 10.10.10.0/24 }
friends_srvs={ ftp, ftp-data, ssh }
pass in on egress proto tcp from $friends to (self)/32 port $friends_srvs flags S/SA keep state

# MySQL and PgSQL
sql_www_apps_srv={ 10.10.10.0/24 }
pass in quick proto tcp from $sql_www_apps_srv to self/32 port { 3306, 5432 } flags S/SA keep state

# icmp
pass in quick proto icmp from $icmp_nets to self/32 keep state
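Mariusz's first step, reading the per-rule counters that `pfctl -sr -vv` prints, is what tells you which rule a "nothing is blocked" packet actually ended up on. The script below is an added example, not code from the thread; it assumes the rule line followed by a bracketed Evaluations/Packets/Bytes/States line that pfctl prints, works on a constructed sample modelled on Marcos's ruleset, and reports which rules never became the matching rule and which pass rules account for the traffic that got through.

```python
import re

# Constructed sample of `pfctl -sr -vv` output (not captured from the
# thread): a numbered rule line, then the bracketed counter line pfctl
# prints for it. Rule texts mirror the ruleset posted by Marcos.
SAMPLE_PFCTL_OUTPUT = """\
@0 block drop all
  [ Evaluations: 5318      Packets: 0         Bytes: 0           States: 0     ]
@1 pass in quick on egress inet from <goodhosts> to any flags S/SA keep state
  [ Evaluations: 5318      Packets: 0         Bytes: 0           States: 0     ]
@2 block drop in log quick on egress inet from <badhosts> to any
  [ Evaluations: 5318      Packets: 0         Bytes: 0           States: 0     ]
@3 block drop in quick inet6 all
  [ Evaluations: 5318      Packets: 0         Bytes: 0           States: 0     ]
@4 pass in on egress inet proto tcp from 10.10.10.0/24 to (self) port = ssh flags S/SA keep state
  [ Evaluations: 2104      Packets: 912       Bytes: 88320       States: 1     ]
@5 pass in quick inet proto icmp from 10.10.10.0/24 to self keep state
  [ Evaluations: 40        Packets: 40        Bytes: 3360        States: 0     ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*\S)\s*$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")


def parse_pfctl_rules(text):
    """Pair each '@N rule' line with the counter line that follows it.

    Returns a list of dicts in rule order. Bracketed lines that carry no
    counters (newer pfctl versions print an extra '[ Inserted: ... ]' line)
    are ignored, so the parser tolerates both layouts.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule_text = m.group(2)
            rules.append({"num": int(m.group(1)), "rule": rule_text,
                          "action": rule_text.split()[0],
                          "evaluations": 0, "packets": 0, "bytes": 0, "states": 0})
            continue
        c = COUNTER_RE.search(line)
        if c and rules:
            ev, pk, by, st = (int(x) for x in c.groups())
            rules[-1].update(evaluations=ev, packets=pk, bytes=by, states=st)
    return rules


def rules_never_hit(rules):
    """Rule numbers pf evaluated but that never ended up applying to a packet.

    A 'block' rule in this list with a large Evaluations count means the
    safety net was consulted constantly and caught nothing: the traffic was
    claimed by some later pass rule instead.
    """
    return [r["num"] for r in rules if r["evaluations"] > 0 and r["packets"] == 0]


def traffic_by_action(rules):
    """Packets attributed to pass rules versus block rules overall."""
    totals = {"pass": 0, "block": 0}
    for r in rules:
        if r["action"] in totals:
            totals[r["action"]] += r["packets"]
    return totals


def rules_passing_traffic(rules):
    """(number, rule text, packets) for every pass rule that let traffic
    through, so the one admitting unexpected connections can be found."""
    return [(r["num"], r["rule"], r["packets"])
            for r in rules if r["action"] == "pass" and r["packets"] > 0]


if __name__ == "__main__":
    parsed = parse_pfctl_rules(SAMPLE_PFCTL_OUTPUT)
    print("never matched:", rules_never_hit(parsed))
    print("totals:", traffic_by_action(parsed))
    for num, text, pkts in rules_passing_traffic(parsed):
        print(f"@{num} let {pkts} packets through: {text}")
```

On a live box, pipe the real output in (`pfctl -sr -vv | python3 thisfile.py` with a small stdin read added) and compare against what `pfctl -nvf /etc/pf.conf` says the loaded rules should be.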






Re: APC UPSD

2007-05-21 Thread Marco S Hyman
Jean-Daniel Beaubien writes:
  If you want to use an APC UPS you might need to compile nut from ports (or
  download and compile the latest version).

Or use apcupsd.  Last time I got the source from sourceforge it just worked.

  ./configure --enable-usb
  make
  sudo make install

neko[marc]# /etc/rc.apcupsd restart
Stopping apcupsd power management  Done.
waiting for apcupsd to exit 

Starting apcupsd power management  Done.
neko[marc]# /etc/rc.apcupsd status
APC  : 001,037,0911
DATE : Mon May 21 13:40:56 PDT 2007
HOSTNAME : neko.snafu.org
RELEASE  : 3.14.0
VERSION  : 3.14.0 (9 February 2007) openbsd
UPSNAME  : neko.snafu.org
CABLE: USB Cable
MODEL: Back-UPS RS 1500 
UPSMODE  : Stand Alone
STARTTIME: Mon May 21 13:40:53 PDT 2007
STATUS   : ONLINE 
LINEV: 118.0 Volts
LOADPCT  :  36.0 Percent Load Capacity
BCHARGE  : 100.0 Percent
TIMELEFT :  91.5 Minutes
MBATTCHG : 30 Percent
MINTIMEL : 10 Minutes
MAXTIME  : 0 Seconds
SENSE: Low
LOTRANS  : 097.0 Volts
HITRANS  : 132.0 Volts
ALARMDEL : Always
BATTV: 26.9 Volts
LASTXFER : Low line voltage
NUMXFERS : 0
TONBATT  : 0 seconds
CUMONBATT: 0 seconds
XOFFBATT : N/A
SELFTEST : NO
STATFLAG : 0x0708 Status Flag
MANDATE  : 2004-09-25
SERIALNO : JB0439032522  
BATTDATE : 2001-09-25
NOMINV   : 120
NOMBATTV :  24.0
FIRMWARE : 8.g8 .D USB FW:g8 
APCMODEL : Back-UPS RS 1500 
END APC  : Mon May 21 13:40:57 PDT 2007


// marc



Thanks for the great os and xenocara

2007-05-21 Thread Sven Wolf

Hi,

I say thank you to all developers for the great operating system. With 
xorg 7.2 (xenocara) now I can use my nvidia 7600 gs on my 1680x1050 
widescreen without any problems.


Best regards,
Sven



Re: 4.1 PXEboot fails to load via etherboot

2007-05-21 Thread John Lloyd
Solved it.  Etherboot cannot process files whose size is an integer multiple of 1432
bytes.  pxeboot V4.1 is 36 * 1432 = 51552 bytes long.


Added two bytes to V4.1 pxeboot and it (Etherboot) works fine.

--John
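The boundary John describes is a general property of TFTP: a transfer ends with the first DATA block shorter than the block size, so a file whose length is an exact multiple of the block size ends with a zero-byte block. The following added example (not code from the thread) models that split with the 1432-byte block size and the 36 * 1432-byte pxeboot length from his message, shows the padding workaround he used, and contrasts a client that accepts an empty final block with one that does not; that the empty final block is exactly what tripped Etherboot is an assumption.

```python
BLKSIZE = 1432            # TFTP block size from the thread (the blksize option value)
PXEBOOT_LEN = 36 * 1432   # 51552 bytes, the 4.1 pxeboot length from the thread


def tftp_data_blocks(data, blksize=BLKSIZE):
    """Split a file into the DATA payloads a TFTP server sends (RFC 1350).

    The transfer terminates with the first block shorter than blksize, so a
    file whose length is an exact multiple of blksize produces one final
    block that carries zero bytes.
    """
    blocks = []
    offset = 0
    while True:
        chunk = data[offset:offset + blksize]
        blocks.append(chunk)
        offset += blksize
        if len(chunk) < blksize:
            return blocks


def ends_with_empty_block(size, blksize=BLKSIZE):
    """True when a file of this size would terminate with a 0-byte block."""
    return size % blksize == 0


def pad_off_block_boundary(data, blksize=BLKSIZE, pad=b"\x00\x00"):
    """Append pad bytes (the post added two) only when the length sits on a
    block boundary, so the last block becomes short but non-empty."""
    if ends_with_empty_block(len(data), blksize):
        return data + pad
    return data


def receive_strict(blocks, blksize=BLKSIZE):
    """Client that follows RFC 1350: any short block, empty included, ends
    the transfer. Returns the reassembled file."""
    out = bytearray()
    for chunk in blocks:
        out += chunk
        if len(chunk) < blksize:
            break
    return bytes(out)


def receive_needs_data(blocks, blksize=BLKSIZE):
    """Client that only recognises end-of-transfer on a short block carrying
    at least one byte (the assumed Etherboot behaviour). Returns the file if
    the transfer completes, or None if the client would wait forever."""
    out = bytearray()
    for chunk in blocks:
        out += chunk
        if 0 < len(chunk) < blksize:
            return bytes(out)
    return None


if __name__ == "__main__":
    # Constructed stand-in for pxeboot: only the length matters here.
    image = b"\x90" * PXEBOOT_LEN
    blocks = tftp_data_blocks(image)
    print(len(blocks), "blocks, last one carries", len(blocks[-1]), "bytes")
    print("strict client ok:", receive_strict(blocks) == image)
    print("data-only client ok:", receive_needs_data(blocks) is not None)
    padded = tftp_data_blocks(pad_off_block_boundary(image))
    print("after padding, last block carries", len(padded[-1]), "bytes")
```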





Re: APC UPSD

2007-05-21 Thread David Higgs

I've also had good luck with the latest sourceforge release of
apcupsd, especially since the APC USB is now usefully detected as a
ugen.  Thanks again to the kind soul who provided the USB quirks patch
back in the 3.8 or 3.9 days.

Their configure script doesn't handle --prefix too well, though; it
still insisted on installing things into /sbin.  I ended up having to
do something like this:
./configure --sbindir=/usr/local/sbin --mandir=/usr/local/man
--enable-usb [your options]

--david

On 5/21/07, Marco S Hyman [EMAIL PROTECTED] wrote:

Jean-Daniel Beaubien writes:
  If you want to use an APC UPS you might need to compile nut from ports (or
  download and compile the latest version).

Or use apcupsd.  Last time I got the source from sourceforge it just worked.

  ./configure --enable-usb
  make
  sudo make install

neko[marc]# /etc/rc.apcupsd restart
Stopping apcupsd power management  Done.
waiting for apcupsd to exit

Starting apcupsd power management  Done.
neko[marc]# /etc/rc.apcupsd status
APC  : 001,037,0911
DATE : Mon May 21 13:40:56 PDT 2007
HOSTNAME : neko.snafu.org
RELEASE  : 3.14.0
VERSION  : 3.14.0 (9 February 2007) openbsd
UPSNAME  : neko.snafu.org
CABLE: USB Cable
MODEL: Back-UPS RS 1500
UPSMODE  : Stand Alone
STARTTIME: Mon May 21 13:40:53 PDT 2007
STATUS   : ONLINE
LINEV: 118.0 Volts
LOADPCT  :  36.0 Percent Load Capacity
BCHARGE  : 100.0 Percent
TIMELEFT :  91.5 Minutes
MBATTCHG : 30 Percent
MINTIMEL : 10 Minutes
MAXTIME  : 0 Seconds
SENSE: Low
LOTRANS  : 097.0 Volts
HITRANS  : 132.0 Volts
ALARMDEL : Always
BATTV: 26.9 Volts
LASTXFER : Low line voltage
NUMXFERS : 0
TONBATT  : 0 seconds
CUMONBATT: 0 seconds
XOFFBATT : N/A
SELFTEST : NO
STATFLAG : 0x0708 Status Flag
MANDATE  : 2004-09-25
SERIALNO : JB0439032522
BATTDATE : 2001-09-25
NOMINV   : 120
NOMBATTV :  24.0
FIRMWARE : 8.g8 .D USB FW:g8
APCMODEL : Back-UPS RS 1500
END APC  : Mon May 21 13:40:57 PDT 2007


// marc




4.1 upgrade and squid

2007-05-21 Thread Bryan Irvine

I've upgraded my firewall to 4.1 and all of the packages.  Now squid
fails to start with the new version.

I get the following errors:

2007/05/21 16:22:32| aclParseAclLine: WARNING: empty ACL: acl
BlockSites url_regex /etc/squid/blocksites.txt
2007/05/21 16:22:32| parseConfigFile: line 2191 unrecognized:
'httpd_accel_host virtual'
2007/05/21 16:22:32| parseConfigFile: line 2192 unrecognized:
'httpd_accel_port 80'
2007/05/21 16:22:32| parseConfigFile: line 2223 unrecognized:
'httpd_accel_with_proxy on'
2007/05/21 16:22:32| parseConfigFile: line 2245 unrecognized:
'httpd_accel_uses_host_header on'

Any ideas what I need to change on the new version of squid?

--Bryan



Re: 4.1 upgrade and squid

2007-05-21 Thread Steven Surdock
Bryan Irvine wrote:
 I've upgraded my firewall to 4.1 and all of the packages.  Now squid
..

 Any ideas what I need to change on the new version of squid?

I ended up using /usr/local/share/examples/squid/squid.conf with a few
minor modifications.