Re: How to track port updates in stable?

2007-08-03 Thread Siju George
On 8/4/07, Todd Pytel <[EMAIL PROTECTED]> wrote:
> I don't spend as much time following OpenBSD as I used to, so perhaps
> I'm missing something. But there used to be a ports-security mailing
> list used for announcing updated ports. That list doesn't exist any
> more, or at least doesn't appear to have had anything posted to it in a
> very long time. Is there some other official way to track changes to
> ports? Absent that, has anyone come up with a simple hack to feed to
> cron to accomplish the same thing?
>

I use

http://flirble.disruptiveproactivity.com/rss/openbsd_stable_ports.rss

and Google Reader

It was given by a kind individual on this list :-)

Related feeds are

http://flirble.disruptiveproactivity.com/rss/openbsd_stable_XF4.rss


http://flirble.disruptiveproactivity.com/rss/openbsd_stable_src.rss

http://undeadly.org/cgi?action=errata

hope this helps :-)

Kind Regards

Siju



Re: How to track port updates in stable?

2007-08-03 Thread Clint M. Sand
On Fri, Aug 03, 2007 at 06:35:51PM -0500, Todd Pytel wrote:
> I don't spend as much time following OpenBSD as I used to, so perhaps
> I'm missing something. But there used to be a ports-security mailing
> list used for announcing updated ports. That list doesn't exist any
> more, or at least doesn't appear to have had anything posted to it in a
> very long time. Is there some other official way to track changes to
> ports? Absent that, has anyone come up with a simple hack to feed to
> cron to accomplish the same thing? 
> 
> --Todd


I think the easiest is:

If you must use ports: regularly cvs update or cvs up your local ports
tree and run the /usr/ports/infrastructure/build/out-of-date script to
find things to update.

If you use packages (recommended), just make sure $PKG_PATH is set and
run pkg_add -ui. It will prompt you to install any updated versions.



Re: How to track port updates in stable?

2007-08-03 Thread Lawrence Teo

Todd Pytel wrote:

> On Fri, 2007-08-03 at 18:35 -0500, Todd Pytel wrote:
> > Is there some other official way to track changes to
> > ports? 
> 
> Thanks for all the responses. I went with the tracking system on
> ports.openbsd.nu. While I understand and admire the whole "follow the
> source" approach of watching cvs, my servers are hobby machines and
> family commitments mean that I can't geek out as much as I used to.
> While I don't run any high-profile ports that I would expect to be
> attacked, it's still nice to get a notification about a security update
> in case I haven't had time to check the lists in a while.


If you're only interested in updated packages for the stable branch,
and you have limited geek-out time (don't we all), there's always
http://www.openbsd.org/pkg-stable.html

You can see the changes to it in reverse chronological order at:
http://www.openbsd.org/cgi-bin/cvsweb/www/build/packages-4.1
(assuming you're tracking 4.1-stable)

Hope it helps,
Lawrence

--
Lawrence Teo
Calyptix Security
http://www.calyptix.com/



Re: How to track port updates in stable?

2007-08-03 Thread Todd Pytel
On Fri, 2007-08-03 at 18:35 -0500, Todd Pytel wrote:
> Is there some other official way to track changes to
> ports? 

Thanks for all the responses. I went with the tracking system on
ports.openbsd.nu. While I understand and admire the whole "follow the
source" approach of watching cvs, my servers are hobby machines and
family commitments mean that I can't geek out as much as I used to.
While I don't run any high-profile ports that I would expect to be
attacked, it's still nice to get a notification about a security update
in case I haven't had time to check the lists in a while.

Thanks again.

--Todd



Proposed secure network using pre-existing infrastructure

2007-08-03 Thread Gadi Evron
[Body not reproduced: the message was an off-topic spoof "Internet-Draft"
containing racist content, with no OpenBSD or security substance.]

Re: How to track port updates in stable?

2007-08-03 Thread James Turner
On Sat, Aug 04, 2007 at 01:10:24AM +0100, Stuart Henderson wrote:
> On 2007/08/03 18:54, Will Maier wrote:
> > On Fri, Aug 03, 2007 at 06:35:51PM -0500, Todd Pytel wrote:
> > > I don't spend as much time following OpenBSD as I used to, so
> > > perhaps I'm missing something. But there used to be a
> > > ports-security mailing list used for announcing updated ports.
> > > That list doesn't exist any more, or at least doesn't appear to
> > > have had anything posted to it in a very long time.
> > 
> > It exists, but is inactive.
> > 
> > > Is there some other official way to track changes to ports? 
> > 
> > By looking at the output of `cvs up`? By watching commits via
> > [EMAIL PROTECTED] I do both, and find it sufficient.
> > 
> > > Absent that, has anyone come up with a simple hack to feed to cron
> > > to accomplish the same thing? 
> > 
> > I pull updated ports and src daily via cron, and read
> > (ports|source)-changes@ for commit messages, etc. Does that not
> > achieve what you need?
> 
> Or there's odc/owc if you prefer summaries:
> http://www.squish.net/mailman/listinfo
> 
> Even looking at output of a cron-scripted 'cvs up' or cvsync
> is useful.
> 
If you want some sort of web interface you could also subscribe to
http://ports.openbsd.nu/rss.php.

-- 
James Turner
BSD Group Consulting
http://www.bsdgroup.org



Re: Seeking info for RAID 1 on OpenBSD

2007-08-03 Thread Joel Knight
--- Quoting HDC on 2007/08/02 at 20:26 -0300:

> Read this...
> http://www.packetmischief.ca/openbsd/doc/raidadmin/
> 

I used to use raidframe and followed the procedures in that doc for
doing so, but now there's no point. If the system requires any type of
raid, go hardware. Long live bio(4).





.joel



Re: spamd - 250 return text

2007-08-03 Thread Tom Bombadil
> Editing the binary? (Is recompiling really so hard?)

Not hard, just changed it right now... But sometimes it pays to ask
around to see if there is a simpler way that doesn't involve messing
around with the original source code.

> Ah, you'll be looking for the OpenBSD Corporate Edition - with sudo
> defaulting to !insults, apologies from spamd, and available on exclusive
> gold CDs, it's yours for a bargain donation to the project of only
> $5k... (-:

I was in no way complaining about the outstanding work all the
developers are doing, but since being called a spammer is a very bad
insult these days, surely an innocuous '250 OK' would make fewer people
mad.. hehehe

Thanks for all the responses,
g.



Re: How to track port updates in stable?

2007-08-03 Thread Stuart Henderson
On 2007/08/03 18:54, Will Maier wrote:
> On Fri, Aug 03, 2007 at 06:35:51PM -0500, Todd Pytel wrote:
> > I don't spend as much time following OpenBSD as I used to, so
> > perhaps I'm missing something. But there used to be a
> > ports-security mailing list used for announcing updated ports.
> > That list doesn't exist any more, or at least doesn't appear to
> > have had anything posted to it in a very long time.
> 
> It exists, but is inactive.
> 
> > Is there some other official way to track changes to ports? 
> 
> By looking at the output of `cvs up`? By watching commits via
> [EMAIL PROTECTED] I do both, and find it sufficient.
> 
> > Absent that, has anyone come up with a simple hack to feed to cron
> > to accomplish the same thing? 
> 
> I pull updated ports and src daily via cron, and read
> (ports|source)-changes@ for commit messages, etc. Does that not
> achieve what you need?

Or there's odc/owc if you prefer summaries:
http://www.squish.net/mailman/listinfo

Even looking at output of a cron-scripted 'cvs up' or cvsync
is useful.



Re: How to track port updates in stable?

2007-08-03 Thread Will Maier
On Fri, Aug 03, 2007 at 06:35:51PM -0500, Todd Pytel wrote:
> I don't spend as much time following OpenBSD as I used to, so
> perhaps I'm missing something. But there used to be a
> ports-security mailing list used for announcing updated ports.
> That list doesn't exist any more, or at least doesn't appear to
> have had anything posted to it in a very long time.

It exists, but is inactive.

> Is there some other official way to track changes to ports? 

By looking at the output of `cvs up`? By watching commits via
[EMAIL PROTECTED] I do both, and find it sufficient.

> Absent that, has anyone come up with a simple hack to feed to cron
> to accomplish the same thing? 

I pull updated ports and src daily via cron, and read
(ports|source)-changes@ for commit messages, etc. Does that not
achieve what you need?

-- 

o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*
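
Clint's recipe (cvs up the ports tree, then run the out-of-date script) and Will's (pull ports and src daily via cron and read the commit lists) both leave one gap for someone with little time: raw cvs output is long and hard to scan in a nightly mail. The script below is an added example, not code from this thread or from the OpenBSD project. It reduces cvs update output to the list of port directories that changed, calls out conflicts separately, and shows how a cron wrapper would stitch that together with the out-of-date script Clint mentions. The PORTS path, the run_nightly wrapper and the mail recipient are assumptions; the cvs status lines described in the comments are the standard ones, but any sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): cron helper that reports which ports
# changed after a "cvs up" of /usr/ports. The PORTS path and the
# run_nightly wrapper are assumptions; adjust them for your host.

PORTS=${PORTS:-/usr/ports}

# changed_ports [FILE...]
# Reduce cvs update output to a sorted, unique list of the port directories
# (category/port) that were touched. cvs prefixes each changed file with a
# one-letter status: U updated, P patched, M locally modified, C conflict.
# "?" (unknown file) and "cvs update: ..." chatter carry no port name and
# are skipped. Reads the files given, or stdin when none are given.
changed_ports() {
    awk '$1 ~ /^[UPMC]$/ && $2 ~ /\// {
            split($2, path, "/")
            print path[1] "/" path[2]
         }' "$@" | sort -u
}

# conflicts [FILE...]
# Status C means a locally edited file collided with the update; those
# ports need a human before they can be built, so list the files by name.
conflicts() {
    awk '$1 == "C" { print $2 }' "$@"
}

# What cron would run, e.g. "0 4 * * * /usr/local/sbin/ports-nightly.sh":
# update the tree, keep the raw log, then mail a short summary. Output of
# the out-of-date script (Clint's suggestion) is appended so the same mail
# says what actually needs rebuilding on this host.
run_nightly() {
    log=$(mktemp) || return 1
    (cd "$PORTS" && cvs -q up -Pd) > "$log" 2>&1
    {
        echo "Ports touched since last run:"
        changed_ports "$log"
        c=$(conflicts "$log")
        [ -n "$c" ] && printf '\nCONFLICTS (fix by hand):\n%s\n' "$c"
        echo
        echo "Installed packages with a newer port:"
        "$PORTS"/infrastructure/build/out-of-date 2>/dev/null
    } | mail -s "ports update $(hostname)" root
    rm -f "$log"
}
```

Drop it in /usr/local/sbin, point a root crontab entry at run_nightly, and read only the summary; the raw log is there if a port needs a closer look. changed_ports tells you what moved in the tree, not whether the move was a security fix; for that you still need the commit message or the pkg-stable page Lawrence points to.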



Re: Problem with VLANs

2007-08-03 Thread Stuart Henderson
On 2007/08/03 16:18, Chris Cappuccio wrote:
> Stuart Henderson [EMAIL PROTECTED] wrote:
> >  
> > case SIOCSIFMTU:
> > -   if (ifr->ifr_mtu > ETHERMTU || ifr->ifr_mtu < ETHERMIN)
> > +   if (ifr->ifr_mtu > ETHERMTU + ETHER_VLAN_ENCAP_LEN || 
> > +   ifr->ifr_mtu < ETHERMIN)
> > error = EINVAL;
> > else if (ifp->if_mtu != ifr->ifr_mtu)
> > ifp->if_mtu = ifr->ifr_mtu;
> 
> This isn't the idea.  The MTU is not supposed to be set to 1504, it stays
> at 1500 and if_vlan sees IFCAP_VLAN_MTU and knows that the chip actually
> supports MTU + EVL_ENCAPLEN.

damn, yes you're right. Scrub this bit of the diff then.

> With this change, then on several chips, if the
> user expected to set 1504 and then use if_vlan on top of that (say, to pass
> packets that are alreay tagged by another device) then it would fail.

btw, you can stack tags (e.g. vlanYYY vlandev vlanXXX), at least on some
nics.



How to track port updates in stable?

2007-08-03 Thread Todd Pytel
I don't spend as much time following OpenBSD as I used to, so perhaps
I'm missing something. But there used to be a ports-security mailing
list used for announcing updated ports. That list doesn't exist any
more, or at least doesn't appear to have had anything posted to it in a
very long time. Is there some other official way to track changes to
ports? Absent that, has anyone come up with a simple hack to feed to
cron to accomplish the same thing? 

--Todd



Re: Problem with VLANs

2007-08-03 Thread Chris Cappuccio
Stuart Henderson [EMAIL PROTECTED] wrote:
>  
>   case SIOCSIFMTU:
> - if (ifr->ifr_mtu > ETHERMTU || ifr->ifr_mtu < ETHERMIN)
> + if (ifr->ifr_mtu > ETHERMTU + ETHER_VLAN_ENCAP_LEN || 
> + ifr->ifr_mtu < ETHERMIN)
>   error = EINVAL;
>   else if (ifp->if_mtu != ifr->ifr_mtu)
>   ifp->if_mtu = ifr->ifr_mtu;
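Review bot: the new upper bound in the SIOCSIFMTU case accepts ifr_mtu up to ETHERMTU + ETHER_VLAN_ENCAP_LEN for every caller, with no check that the driver actually set IFCAP_VLAN_MTU, so on a chip that can only frame 1500 bytes a 1504 MTU is stored in if_mtu and then fails on the wire; and, as the reply that follows points out, the existing model never raises if_mtu at all: if_vlan reads IFCAP_VLAN_MTU and adds EVL_ENCAPLEN itself. Suggest dropping this hunk rather than gating it on the capability flag.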

This isn't the idea.  The MTU is not supposed to be set to 1504, it stays
at 1500 and if_vlan sees IFCAP_VLAN_MTU and knows that the chip actually
supports MTU + EVL_ENCAPLEN.  With this change, then on several chips, if the
user expected to set 1504 and then use if_vlan on top of that (say, to pass
packets that are alreay tagged by another device) then it would fail.



Re: fsck Segmentation fault on 4.1

2007-08-03 Thread Marcos Laufer
So the patch works, and this problem seems serious and easy to encounter; I
vote for moving it to stable.

- Original Message - 
From: "Tobias Ulmer" <[EMAIL PROTECTED]>
To: "Otto Moerbeek" <[EMAIL PROTECTED]>
Cc: 
Sent: Friday, August 03, 2007 3:37 PM
Subject: Re: fsck Segmentation fault on 4.1


On Thu, Jul 19, 2007 at 08:09:58PM +0200, Otto Moerbeek wrote:
> [...]
>
> I misdiagnosed the problem. In the meantime I got another report with
> a dd of the partition which enabled me to diagnose the problem and
> make a fix for 4.1. Please test and report back. I'll be on vacation
> from Saturday, so it would be nice if you can answer before that.
>
> Anobody else seeing INCONSISTENT CGSIZE messages should try this as well.
>
> NOTE: this diff only applies to 4.1. Current does not have the
> problem, due to a corrected CGSIZE macro.
>
> -Otto
>
> Index: setup.c
> ===
> RCS file: /cvs/src/sbin/fsck_ffs/setup.c,v
> retrieving revision 1.29
> diff -u -p -r1.29 setup.c
> --- setup.c 16 Feb 2007 08:34:29 - 1.29
> +++ setup.c 19 Jul 2007 18:02:36 -
> @@ -336,6 +336,7 @@ setup(char *dev)
>  sbdirty();
>  dirty(&asblk);
>  }
> +#if 0
>  if (sblock.fs_cgsize != fragroundup(&sblock, CGSIZE(&sblock))) {
>  pwarn("INCONSISTENT CGSIZE=%d\n", sblock.fs_cgsize);
>  sblock.fs_cgsize = fragroundup(&sblock, CGSIZE(&sblock));
> @@ -346,6 +347,7 @@ setup(char *dev)
>  dirty(&asblk);
>  }
>  }
> +#endif
>  if (INOPB(&sblock) != sblock.fs_bsize / sizeof(struct ufs1_dinode)) {
>  pwarn("INCONSISTENT INOPB=%d\n", INOPB(&sblock));
>  sblock.fs_inopb = sblock.fs_bsize / sizeof(struct ufs1_dinode);
>
>

I had a power failure here (power company was doing maintenance and
repeatedly switched power off and on...)

Both my 4.1 boxen ran into this. The patch fixed the BLK 64 issues, but
I have a partition made with a larger blocksize (defaults * 2) that
couldn't be fixed (BLK 128). bsd.rd from snapshots did the trick... Just FYI

Tobias



Re: spamd - 250 return text

2007-08-03 Thread Lawrence Teo

Tom Bombadil wrote:

> Hi all,
> 
> Short of recompiling spamd, is there any undocumented way of changing
> the 250 responses from spamd?
> 
> - 250 Hello, spam sender. Pleased to be wasting your time.
> - 250 You are about to try to deliver spam. Your time will be spent, for
> nothing.
> 
> "man spamd" and a quick search in the ML archives weren't very successful.


If you check the spamd.c source, you'll see that those responses are
hardcoded into spamd:

snprintf(cp->obuf, cp->osize,
"250 Hello, spam sender. "
"Pleased to be wasting your time.\r\n");

So no, there is no way to change those responses apart from modifying
the code and recompiling.

Lawrence

--
Lawrence Teo
Calyptix Security
http://www.calyptix.com/



Re: spamd - 250 return text

2007-08-03 Thread Stuart Henderson
On 2007/08/03 13:59, Tom Bombadil wrote:
> Short of recompiling spamd, is there any undocumented way of changing
> the 250 responses from spamd?

Editing the binary? (Is recompiling really so hard?)

> Sorry to bug you guys with this lame "problem" but in the financial
> world, people can be very touchy :D

Ah, you'll be looking for the OpenBSD Corporate Edition - with sudo
defaulting to !insults, apologies from spamd, and available on exclusive
gold CDs, it's yours for a bargain donation to the project of only
$5k... (-:



Re: spamd - 250 return text

2007-08-03 Thread Darren Spruell
On 8/3/07, Tom Bombadil <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Short of recompiling spamd, is there any undocumented way of changing
> the 250 responses from spamd?
>
> - 250 Hello, spam sender. Pleased to be wasting your time.
> - 250 You are about to try to deliver spam. Your time will be spent, for
> nothing.
>
> "man spamd" and a quick search in the ML archives weren't very successful.
>
> We've had a pretty hard time from a client saying how "rude" this
> default message is. Even though their tech people didn't care, the
> people higher up got really offended... Quite understandably I'd say,
> since these "greetings" aren't really what we can call friendly... hehe
>
> Sorry to bug you guys with this lame "problem" but in the financial
> world, people can be very touchy :D

This *has* been discussed in the past, and should be in the archives,
and ultimately was dropped as a pointless subject. No, there's no
magic "hugs and rainbows" knob.

Why are people in positions of financial impact seeing this SMTP
dialog in the first place? Give them a software client with a wysiwyg
interface and a send button and this is all moot.

DS



Re: spamd - 250 return text

2007-08-03 Thread Marcus Watts
writes Tom Bombadil <[EMAIL PROTECTED]>
> Subject: spamd - 250 return text
...
> Short of recompiling spamd, is there any undocumented way of changing
> the 250 responses from spamd?
...

Sure.  It's called "bvi".

-Marcus Watts
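
Stuart's "editing the binary" and Marcus's bvi are the same idea: overwrite the literal inside /usr/libexec/spamd without rebuilding. The script below is an added example, not from this thread and not from the OpenBSD source. It does the overwrite non-interactively and enforces the one constraint bvi leaves to the operator: the replacement must not be longer than the original. The compiler joins the two adjacent literals Lawrence quotes into a single string, so the "\r\n" and the terminating NUL sit directly after the text; a shorter message is padded with spaces to the original length so every byte after it stays where it was and the reply is still one well-formed 250 line. The target file in the usage comment is an assumption about where spamd lives; nothing below is specific to spamd, and the sample file exercised in testing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): overwrite a string literal inside a
# binary in place, the way "edit the binary"/bvi would, but with a length
# check. The file, the old text and the new text are parameters.

# patch_string FILE OLD NEW
# Replace the first occurrence of OLD in FILE with NEW, padding NEW with
# spaces to exactly the length of OLD so every byte that follows the
# literal (the "\r\n" and the NUL terminator) stays where it is.
# Fails without touching FILE if NEW is longer or OLD is absent.
patch_string() {
    file=$1 old=$2 new=$3
    oldlen=${#old} newlen=${#new}
    if [ "$newlen" -gt "$oldlen" ]; then
        echo "patch_string: replacement is $newlen bytes, original only $oldlen" >&2
        return 1
    fi
    # -a: treat the binary as text; -b -o: print the byte offset of the match itself
    off=$(grep -aboF -- "$old" "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$off" ]; then
        echo "patch_string: '$old' not found in $file" >&2
        return 1
    fi
    pad=$(dd if=/dev/zero bs=1 count=$((oldlen - newlen)) 2>/dev/null | tr '\0' ' ')
    printf '%s%s' "$new" "$pad" |
        dd of="$file" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# verify_patch FILE OLD SIZE_BEFORE
# After patching, the file must be exactly as large as before and must no
# longer contain the old text. Returns 0 when both hold.
verify_patch() {
    file=$1 old=$2 size_before=$3
    [ "$(wc -c < "$file" | tr -d ' ')" -eq "$size_before" ] &&
        ! grep -aqF -- "$old" "$file"
}

# Usage (as root, on a copy first; the edit is lost at the next upgrade):
#   cp /usr/libexec/spamd /usr/libexec/spamd.orig
#   patch_string /usr/libexec/spamd \
#       "Hello, spam sender. Pleased to be wasting your time." "OK"
```

Keep the copy: base upgrades replace the binary, and a patched spamd is something the next admin will want to be able to diff against the original.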



spamd - 250 return text

2007-08-03 Thread Tom Bombadil
Hi all,

Short of recompiling spamd, is there any undocumented way of changing
the 250 responses from spamd?

- 250 Hello, spam sender. Pleased to be wasting your time.
- 250 You are about to try to deliver spam. Your time will be spent, for
nothing.

"man spamd" and a quick search in the ML archives weren't very successful.

We've had a pretty hard time from a client saying how "rude" this
default message is. Even though their tech people didn't care, the
people higher up got really offended... Quite understandably I'd say,
since these "greetings" aren't really what we can call friendly... hehe

Sorry to bug you guys with this lame "problem" but in the financial
world, people can be very touchy :D

Thanks,
g.



Re: OpenBSD Berlin?

2007-08-03 Thread Vim Visual
for more info

http://www.kneipen-suche.com/berlin-tuffstein-5160.html

2007/7/31, Gabriel Kihlman <[EMAIL PROTECTED]>:
> "Dirk Fohrenkamm" <[EMAIL PROTECTED]> writes:
> >
> > ok, to write something not that "OT": time? date? location? (as you know I
> > have quite a lot bars and restaurants around)
>
> I think we already (in a private discussion) agreed on the following:
>
> 16th of august, 18.00, in Tuffstein:
>
> http://maps.google.de/maps?f=q&hl=ca&geocode=&q=leberstrasse+2,+berlin&sll=52.485276,13.358967&sspn=0.008363,0.018797&ie=UTF8&ll=52.485838,13.361499&spn=0.008363,0.018797&t=h&z=16&iwloc=addr&om=1
>
> So, see you there
>
> /gabriel (living in kreuzberg)



Re: iBGP: losing routes after eBGP flap

2007-08-03 Thread Claudio Jeker
On Fri, Aug 03, 2007 at 07:56:02PM +0200, Toni Mueller wrote:
> Hi,
> 
> I've got a setup on two i386 family PCs with 4.1-stable which includes
> the following:
> 
>  Internet 1 - p1 - r1 -- r2 - p2 - Internet 2
> 
> r1 and r2 have an iBGP session running, and the Internet connections go
> to different ISPs, running eBGP on each (r1-p1, r2-p2). I receive full
> routes from both ISPs mentioned, and have "announce all" in my iBGP
> configuration (this is the default, too, but anyway...). Today, I had
> to take one line down for testing, thus ending the corresponding eBGP
> session (r1-p1). When the line came back up, it started collecting
> routes from p1 again, as one would expect, but at the same time
> dropped routes from r2, leaving only some 300 routes from the iBGP
> peer (r2). On r2, everything looks normal, it receives a full
> table from both r1 and p2. So, on r1, I tried to "bgpctl nei r2
> refresh", but to no avail.
> 
> What gives?
> 

This is more or less expected. iBGP sessions only transmit eBGP paths that
are valid and best for the router. So on r2 you have all the iBGP routes
from r1, and r2 has no reason to send something back to r1 because its
routes are not better than the ones from r1.

-- 
:wq Claudio



Re: fsck Segmentation fault on 4.1

2007-08-03 Thread Tobias Ulmer
On Thu, Jul 19, 2007 at 08:09:58PM +0200, Otto Moerbeek wrote:
> [...]
>
> I misdiagnosed the problem. In the meantime I got another report with
> a dd of the partition which enabled me to diagnose the problem and
> make a fix for 4.1. Please test and report back. I'll be on vacation
> from Saturday, so it would be nice if you can answer before that. 
> 
> Anobody else seeing INCONSISTENT CGSIZE messages should try this as well.
> 
> NOTE: this diff only applies to 4.1. Current does not have the
> problem, due to a corrected CGSIZE macro.
> 
>   -Otto
> 
> Index: setup.c
> ===
> RCS file: /cvs/src/sbin/fsck_ffs/setup.c,v
> retrieving revision 1.29
> diff -u -p -r1.29 setup.c
> --- setup.c   16 Feb 2007 08:34:29 -  1.29
> +++ setup.c   19 Jul 2007 18:02:36 -
> @@ -336,6 +336,7 @@ setup(char *dev)
>   sbdirty();
>   dirty(&asblk);
>   }
> +#if 0
>   if (sblock.fs_cgsize != fragroundup(&sblock, CGSIZE(&sblock))) {
>   pwarn("INCONSISTENT CGSIZE=%d\n", sblock.fs_cgsize);
>   sblock.fs_cgsize = fragroundup(&sblock, CGSIZE(&sblock));
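Review bot: wrapping the fs_cgsize comparison in `#if 0` makes fsck_ffs skip the INCONSISTENT CGSIZE check altogether on 4.1, so a superblock whose fs_cgsize really is wrong is no longer reported or repaired, not just one mis-flagged by the broken 4.1 CGSIZE macro the cover note mentions. If the macro cannot be corrected on the branch, a comment on the `#if 0` saying why the block is disabled and that -current carries the fixed macro would keep the next reader from re-enabling it.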
> @@ -346,6 +347,7 @@ setup(char *dev)
>   dirty(&asblk);
>   }
>   }
> +#endif
>   if (INOPB(&sblock) != sblock.fs_bsize / sizeof(struct ufs1_dinode)) {
>   pwarn("INCONSISTENT INOPB=%d\n", INOPB(&sblock));
>   sblock.fs_inopb = sblock.fs_bsize / sizeof(struct ufs1_dinode);
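Review bot: the `#endif` lands right before the INOPB check, so the compiled-out region also takes the `sblock.fs_cgsize = fragroundup(...)` rewrite and its `dirty(&asblk)` with it; that is the intent (leave fs_cgsize untouched), but it means the only path that ever fixed up fs_cgsize is gone on 4.1, so the commit message should say that the value is now trusted as found rather than validated.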
> 
> 

I had a power failure here (power company was doing maintenance and
repeatedly switched power off and on...)

Both my 4.1 boxen ran into this. The patch fixed the BLK 64 issues, but
I have a partition made with a larger blocksize (defaults * 2) that
couldn't be fixed (BLK 128). bsd.rd from snapshots did the trick... Just FYI

Tobias



Source port allocation and named(8)

2007-08-03 Thread Darren Spruell
Has named(8) on OpenBSD ever used randomized source ports for DNS
queries? I thought for some reason it had and noticed today that this
probably was not right:

10.0.1.2.34140 > 192.35.51.30.53: 64395% [1au] ? sec1.apnic.net. (43)
10.0.1.2.34140 > 192.0.34.126.53: 50119% [1au] ? blackhole-1.iana.org. (49)
10.0.1.2.34140 > 192.0.34.126.53: 42816% [1au] A? blackhole-2.iana.org. (49)
10.0.1.2.34140 > 192.0.34.126.53: 50486% [1au] ? blackhole-2.iana.org. (49)
10.0.1.2.34140 > 139.91.1.10.53: 51546% [1au] ? a.iana-servers.net. (47)
10.0.1.2.34140 > 139.91.1.10.53: 59001% [1au] ? c.iana-servers.net. (47)
10.0.1.2.34140 > 202.12.29.59.53: 58965% [1au] ? sec1.apnic.net. (43)
10.0.1.2.34140 > 192.0.34.126.53: 51376 A? blackhole-1.iana.org. (38)
10.0.1.2.34140 > 192.0.34.126.53: 44588 ? blackhole-1.iana.org. (38)
10.0.1.2.34140 > 192.0.34.126.53: 57558 A? blackhole-2.iana.org. (38)
10.0.1.2.34140 > 192.0.34.126.53: 48825 ? blackhole-2.iana.org. (38)
10.0.1.2.34140 > 192.175.48.42.53: 48486 [1au] PTR? 6.2.0.10.in-addr.arpa. (50)
10.0.1.2.34140 > 192.5.6.30.53: 44602 [1au] A? www.tacobell.com. (45)
10.0.1.2.34140 > 144.135.8.182.53: 58126 [1au] A? www.tacobell.com. (45)
10.0.1.2.34140 > 144.135.8.182.53: 37108% [1au] A? usc1.akam.net. (42)
10.0.1.2.34140 > 144.135.8.182.53: 36869% [1au] ? usc1.akam.net. (42)
10.0.1.2.34140 > 144.135.8.182.53: 41857% [1au] A? ns1-95.akam.net. (44)

Given the recent buzz around predictable query IDs in BIND 9
(exempting the in-tree implementation), I started wondering why
ephemeral ports wouldn't also be randomized for DNS queries as they
are for many other services. I assume this is somehow related to named
simply choosing the port at startup and may have some (small, if any)
performance implications, but why not simply allow the OS to provide
the source port for  you?

DS
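
Darren's capture above is already a one-line test for the property he is asking about: every query leaves from port 34140. The functions below are an added example, not from this thread and not part of named(8); they run that check over tcpdump-style lines so a resolver with a fixed source port stands out next to one that lets the OS pick ephemeral ports. The input format is assumed to match the quoted lines (SRCIP.SRCPORT > DSTIP.53: ...), with or without a leading timestamp; the sample lines used to exercise it are constructed, a few copied from the capture above and a second, port-randomising resolver made up for contrast. The security point is the one his question implies: with the port fixed, an off-path spoofer who can guess the 16-bit query ID has everything they need, while a random source port adds up to another 16 bits to the guess.

```shell
#!/bin/sh
# Added example, not from the thread and not part of named(8): count the
# distinct UDP source ports each client uses for queries to port 53 in
# tcpdump-style output, so a resolver that never varies its port stands out.
# Lines are assumed to contain "SRCIP.SRCPORT > DSTIP.53:" somewhere, as in
# the capture quoted above; anything before the source address (a timestamp,
# an "IP" tag) is ignored.

# dns_source_ports [FILE...]
# Print "srcip queries distinct_ports", one line per client address, for
# every line whose destination is port 53. Reads stdin if no file is given.
dns_source_ports() {
    awk '{
            src = ""
            for (i = 2; i < NF; i++)              # find "SRC > DST.53:"
                if ($i == ">" && $(i + 1) ~ /\.53:$/) { src = $(i - 1); break }
            if (src == "") next                   # not a query to port 53
            n = split(src, f, ".")                # a.b.c.d.port -> 5 fields
            ip = f[1] "." f[2] "." f[3] "." f[4]
            port = f[n]
            queries[ip]++
            if (!((ip, port) in seen)) {          # first time this ip/port pair
                seen[ip, port] = 1
                ports[ip]++
            }
        }
        END { for (ip in queries) print ip, queries[ip], ports[ip] }' "$@" | sort
}

# fixed_port_resolvers [FILE...]
# Print the addresses that sent more than one query but always from the same
# source port: on those hosts an off-path attacker only has to guess the
# 16-bit query ID, not the ID plus the port.
fixed_port_resolvers() {
    dns_source_ports "$@" | awk '$2 > 1 && $3 == 1 { print $1 }'
}

# Usage on a live capture, e.g. on the resolver's uplink:
#   tcpdump -n -l udp and dst port 53 | fixed_port_resolvers
```

A single query per host is not evidence either way, which is why fixed_port_resolvers ignores addresses with only one query; give it a few minutes of traffic before reading anything into the result.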



iBGP: losing routes after eBGP flap

2007-08-03 Thread Toni Mueller
Hi,

I've got a setup on two i386 family PCs with 4.1-stable which includes
the following:

 Internet 1 - p1 - r1 -- r2 - p2 - Internet 2

r1 and r2 have an iBGP session running, and the Internet connections go
to different ISPs, running eBGP on each (r1-p1, r2-p2). I receive full
routes from both ISPs mentioned, and have "announce all" in my iBGP
configuration (this is the default, too, but anyway...). Today, I had
to take one line down for testing, thus ending the corresponding eBGP
session (r1-p1). When the line came back up, it started collecting
routes from p1 again, as one would expect, but at the same time
dropped routes from r2, leaving only some 300 routes from the iBGP
peer (r2). On r2, everything looks normal, it receives a full
table from both r1 and p2. So, on r1, I tried to "bgpctl nei r2
refresh", but to no avail.

What gives?


Best,
--Toni++



Re: OpenBSD client to Microsoft ISA Server

2007-08-03 Thread Dmitrij Czarkoff
Well, looks like I was doing something wrong, 'cause now I'm
connecting OK with http_proxy set to ISA Server (as well as to local
ntlmaps).

Still no connection avaliable on ICQ (the same configuration
-- 
.0.
..0
000



Re: isakmpd active mode and phase 1 build-up

2007-08-03 Thread Sven Ulland

Hans-Joerg Hoexer wrote:

> On Thu, Aug 02, 2007 at 10:23:59PM +0200, Sven Ulland wrote:
> 
> > I'm very (that's putting it mildly) interested in the issues with 4.0
> > that you mention. Would you be able to shed some more light on which
> > issues they were, or point me to references? It would be most
> > interesting.
> 
> I'm not sure, but I think there was an issue caused by that [1] commit
> which we backed out some time later [2].  This means it should be fixed in
> 4.0, however, it is obviously not.  I'll try to reproduce this.
> 
> [1] http://www.openbsd.org/cgi-bin/cvsweb/src/sbin//isakmpd/sa.c?rev=1.104&content-type=text/x-cvsweb-markup
> [2] http://www.openbsd.org/cgi-bin/cvsweb/src/sbin//isakmpd/sa.c?rev=1.109&content-type=text/x-cvsweb-markup


Thanks. Yes, seems to be fixed in 4.0.

I have enabled isakmpd clear-text packet capture, and I can see that our end
tries to establish a new phase 1 tunnel exactly every 30 seconds. The tunnel is
established correctly, with key exchange and all.

Below I have the isakmpd packet exchange [1] and the /var/log/daemon
output for that packet exchange with debug levels all set to 99 [2]. I'm not
sure if it's any help, but I included it just in case. The output is for
a single phase 1 connection establishment, as shown by the cookies.

[1: isakmpd clear-text packet capture for one tunnel-establishment]
12:49:56.952681 129.240.64.2.500 > 213.98.7.53.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
  cookie: 1aa459c4ff9d83dc-> msgid:  len: 180
  payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
  payload: TRANSFORM len: 32
  transform: 0 ID: ISAKMP
  attribute ENCRYPTION_ALGORITHM = 3DES_CBC
  attribute HASH_ALGORITHM = SHA
  attribute AUTHENTICATION_METHOD = PRE_SHARED
  attribute GROUP_DESCRIPTION = MODP_1024
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 28800
  payload: VENDOR len: 20 (supports OpenBSD-4.0)
  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
  payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
  payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
  payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)
12:49:57.617188 213.98.7.53.500 > 129.240.64.2.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
  cookie: 1aa459c4ff9d83dc->dd04fc2fbc38c9eb msgid:  len: 100
  payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
  payload: TRANSFORM len: 32
  transform: 1 ID: ISAKMP
  attribute ENCRYPTION_ALGORITHM = 3DES_CBC
  attribute HASH_ALGORITHM = SHA
  attribute GROUP_DESCRIPTION = MODP_1024
  attribute AUTHENTICATION_METHOD = PRE_SHARED
  attribute LIFE_TYPE = SECONDS
  attribute LIFE_DURATION = 28800
  payload: VENDOR len: 20 (supports v3 NAT-T, 
draft-ietf-ipsec-nat-t-ike-03) [ttl 0] (id 1, len 128)
12:49:57.629442 129.240.64.2.500 > 213.98.7.53.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
  cookie: 1aa459c4ff9d83dc->dd04fc2fbc38c9eb msgid:  len: 228
  payload: KEY_EXCH len: 132
  payload: NONCE len: 20
  payload: NAT-D-DRAFT len: 24
  payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 256)
12:49:59.131134 213.98.7.53.500 > 129.240.64.2.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
  cookie: 1aa459c4ff9d83dc->dd04fc2fbc38c9eb msgid:  len: 304
  payload: KEY_EXCH len: 132
  payload: NONCE len: 24
  payload: VENDOR len: 20
  payload: VENDOR len: 20 (supports DPD v1.0)
  payload: VENDOR len: 20
  payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
  payload: NAT-D-DRAFT len: 24
  payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 332)
12:49:59.176547 129.240.64.2.500 > 213.98.7.53.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
  cookie: 1aa459c4ff9d83dc->dd04fc2fbc38c9eb msgid:  len: 64
  payload: ID len: 12 type: IPV4_ADDR = 129.240.64.2
  payload: HASH len: 24 [ttl 0] (id 1, len 92)
12:50:00.906697 213.98.7.53.500 > 129.240.64.2.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
  cookie: 1aa459c4ff9d83dc->dd04fc2fbc38c9eb msgid:  len: 68
  payload: ID len: 12 proto: 17 port: 500 type: IPV4_ADDR = 213.98.7.53
  payload: HASH len: 24 [ttl 0] (id 1, len 96)
[end of isakmpd packet capture]


[2: /var/log/daemon excerpt with full debugging for all classes]
[lots of transport_release messages]
12:49:56 transport_release: transport 0x47531a00 had 2 references
12:49:56 transport_release: transport 0x47b91180 had 3 references
12:49:56 transport_release:

Re: Support multiple pptp (GRE) Channels ?

2007-08-03 Thread Stuart Henderson
On 2007/08/03 15:45, Stuart Henderson wrote:
> On 2007/08/03 08:11, Michael Gale wrote:
> > We are currently testing out OpenBSD 4.1 and have a requirement where
> > we need to support multiple PPTP connections to a single server where the
> > clients are behind a single NAT device.
> 
> http://sourceforge.net/projects/frickin/

...and you get a cookie if you can make it build :-)



Re: Support multiple pptp (GRE) Channels ?

2007-08-03 Thread Peter N. M. Hansteen
Michael Gale <[EMAIL PROTECTED]> writes:

>   We are currently testing out OpenBSD 4.1 and have a
> requirement where we need to support multiple PPTP connections to a
> single server where the clients are behind a single NAT device. It
> does not look like OpenBSD can support this requirement, are my
> assumptions correct ?

there is a solution, although not one in the base system, called "The
Frickin PPTP proxy", which claims to work well with PPTP through PF.
Never tried it much myself -- the several times I got a request for
PPTP support the requirement went away before I had a complete setup
and testing was not possible anymore for some reason -- but it's
available from  or thereabouts.

> It seems that iptables and the Linux kernel can support this, would
> this ever be added to OpenBSD ?

I do *not* speak for the developers, but I think it rather unlikely
that PPTP support will be added to the base system.  The main reason
is that you can get useful VPN solutions which the core developers
consider superior with other tools which are available already in the
base system.

Hope this helps,
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Support multiple pptp (GRE) Channels ?

2007-08-03 Thread Stuart Henderson
On 2007/08/03 08:11, Michael Gale wrote:
>   We are currently testing out OpenBSD 4.1 and have a requirement where
> we need to support multiple PPTP connections to a single server where the
> clients are behind a single NAT device.

http://sourceforge.net/projects/frickin/



Support multiple pptp (GRE) Channels ?

2007-08-03 Thread Michael Gale

Hey,

	We are currently testing out OpenBSD 4.1 and have a requirement where we
need to support multiple PPTP connections to a single server where the
clients are behind a single NAT device. It does not look like OpenBSD can
support this requirement, are my assumptions correct ?


I came across this mailing list entry:

OpenBSD Security:
Subject: Re: Will 3.5 pf support multiple pptp (GRE) Channels ?

--snip--
On the other hand, multiple PPTP connections to the same server
are not allowed when there is NAT between clients and server. It is
a problem with PPTP, not OpenBSD or NAT.
--snip--

It seems that iptables and the Linux kernel can support this, would this ever
be added to OpenBSD ?


--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.



Re: Calling all isakmpd(8) users

2007-08-03 Thread Stuart Henderson
On 2007/07/31 22:01, Tom Cosgrove wrote:
> This diff fixes a long-standing interoperability issue between OpenBSD
> isakmpd and Cisco IOS (and possibly others).

"possibly others" includes zyxel 662, and this fixes it.



Re: ftp-proxy vs "FTP over SSL"

2007-08-03 Thread Adriaan
On 8/3/07, Die Gestalt <[EMAIL PROTECTED]> wrote:
> You mean with or without ftp-proxy?
>
> On 8/3/07, soulshepard <[EMAIL PROTECTED]> wrote:
> > is there any other way of getting ftp+ssl to pass normally on a bsd box?
> >
[snip]

A way to pass sslized ftp has been suggested in
http://www.bsdforums.org/forums/showthread.php?t=51153

=Adriaan=



Re: ftp-proxy vs "FTP over SSL"

2007-08-03 Thread Die Gestalt
You mean with or without ftp-proxy?

On 8/3/07, soulshepard <[EMAIL PROTECTED]> wrote:
> is there any other way of getting ftp+ssl to pass normally on a bsd box?
>
> soul.
>
>
> Die Gestalt wrote:
> >
> > All I can tell you is I had for a while a ftp + ssl server running
> > (and yes ftp + ssl is useful in some scenarios) behind a pf machine and
> > it all worked perfectly well.
> >
> > The problem is that you get first a SSL handshake and then all the
> > rest is ciphered, preventing ftp-proxy from doing its work.
> >
> > You may need  to do the following:
> >
> > - restrict the data ports of the ftp server to a certain range (for
> > example 4 to 45000)
> > - open these ports on the pf machine (bypassing the ftp proxy behaviour)
> > - have the ftp server listen on a port other than 21
> >
> > If you wanted ftp-proxy to work transparently with SSL it would have
> > to proxy the SSL handshake as well which might be a problem in terms
> > of security since the data flow would exist in clear (somewhere in
> > memory) on the proxy.
> >
> > On 7/31/07, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
> >> A client of ours (don't ask) has been sold by somebody else on the
> >> idea that FTP over SSL (afaik implemented with some Microsoft system
> >> or other) is the way to go.
> >>
> >> Now FTP over SSL seems to be a variant which isn't obviously well
> >> supported other than a few experimental clients, and with a fairly
> >> straightforward 4.1 pf + ftp-proxy setup (close enough to the one in
> >> the tutorial[1]) near the client end, what I get is that the client
> >> and server happily clear authentication, but do not manage to set up
> >> their SSL connection.
> >>
> >> What I get from ftp-proxy is a sequence of
> >>
> >> Jul 31 10:49:27 delilah ftp-proxy[15797]: #1 client command too long or
> >> not clean
> >>
> >> with incrementing # numbers, until the partners give up.
> >>
> >> The 'techies' at the other end seem to have problems with concepts
> >> such as server tunables, so the question is, is there some obvious
> >> ftp-proxy workaround I've missed (other than the even more obvious
> >> 'use something else')?
> >>
> >> - P
> >>
> >> [1] http://home.nuug.no/~/peter/pf/, specifically
> >>http://home.nuug.no/~peter/pf/en/newftpproxy.html
> >>
> >> --
> >> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> >> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
> >> http://www.nuug.no/
> >> "Remember to set the evil bit on all malicious network traffic"
> >> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> >
> >
> >
>
> --
> View this message in context: 
> http://www.nabble.com/ftp-proxy-vs-%22FTP-over-SSL%22-tf4191916.html#a11980071
> Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Problem with VLANs

2007-08-03 Thread Stuart Henderson
On 2007/08/03 15:27, Hugo van Niekerk wrote:
[...]

pcn(4) can be persuaded to send frames large enough to hold vlan tags
and a 1500-byte packet with the diff below, but on the vmware I just
tried, I can't get it to receive frames that size. Then again, neither
does em(4) with Ethernet0.virtualDev = "e1000", or vic(4) with
Ethernet0.virtualDev = "vmxnet", so it's likely to be a problem
with the NIC on the vmware I just tried it on (nfe on a junk
windows box).

If anyone wants to try their luck with a real pcn (rare beast that
it is ..) or a better vmware installation here's the diff (against
-current) to test.

A test is only successful if you can send *and receive* large
packets over a vlan interface over the wire (e.g. ping -s1472
some.other.host.on.the.vlan).

Features table for the AMD chip says 'software vlan support' and there's
nothing specific to enable large frame reception mentioned in the data
sheet that I could find, but there could be some reason (other than
"they didn't think of it") why it seems not to be done in other OS.

Index: if_pcn.c
===
RCS file: /cvs/src/sys/dev/pci/if_pcn.c,v
retrieving revision 1.15
diff -u -p -r1.15 if_pcn.c
--- if_pcn.c9 Nov 2006 14:25:23 -   1.15
+++ if_pcn.c3 Aug 2007 10:40:49 -
@@ -805,6 +805,8 @@ pcn_attach(struct device *parent, struct
IFQ_SET_MAXLEN(&ifp->if_snd, PCN_NTXDESC -1);
IFQ_SET_READY(&ifp->if_snd);
 
+   ifp->if_capabilities = IFCAP_VLAN_MTU;
+
/* Attach the interface. */
if_attach(ifp);
ether_ifattach(ifp);
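Review bot: `ifp->if_capabilities = IFCAP_VLAN_MTU;` is a plain assignment rather than `ifp->if_capabilities |= IFCAP_VLAN_MTU;`; nothing else in the visible lines sets a capability bit, so it works today, but the or-ed form is what other drivers use and will not silently clear a checksum-offload bit that someone adds to pcn_attach later. Also note that this hunk only tells vlan(4) the parent accepts a 1500-byte payload plus tag; it changes nothing on the receive side, which is consistent with the "can send but not receive" result reported above, so a test that only checks transmit proves nothing.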
@@ -1128,7 +1130,8 @@ pcn_ioctl(struct ifnet *ifp, u_long cmd,
break;
 
case SIOCSIFMTU:
-   if (ifr->ifr_mtu > ETHERMTU || ifr->ifr_mtu < ETHERMIN)
+   if (ifr->ifr_mtu > ETHERMTU + ETHER_VLAN_ENCAP_LEN || 
+   ifr->ifr_mtu < ETHERMIN)
error = EINVAL;
else if (ifp->if_mtu != ifr->ifr_mtu)
ifp->if_mtu = ifr->ifr_mtu;
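Review bot: the SIOCSIFMTU bound now admits ETHERMTU + ETHER_VLAN_ENCAP_LEN unconditionally, but the hunk does not tie that to any receive-side change: on a chip or buffer setup that still drops frames longer than 1518 bytes (the case described in the message) an admin gets a silently accepted MTU of 1504 and dropped replies instead of EINVAL. Either keep the old bound until the receive path is sorted out, or state in the commit message that oversized frames are transmit-only for now. The ETHERMIN lower bound is preserved, and the check is otherwise a straight widening of the existing range test.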



Re: pppoe getting limited to 150k/sec?

2007-08-03 Thread M. Parsons
On 8/3/07, Daniel Melameth <[EMAIL PROTECTED]> wrote:
>
>
> This is likely a BPD issue--see
> http://marc.info/?l=openbsd-misc&m=111910098716125&w=2 for details.
>
>

Yep, that fixes it.

Always someone better out there at searching than yourself. :-)

Thank you.  (and wow at the quickness!) :-)

Mark



Re: pppoe getting limited to 150k/sec?

2007-08-03 Thread M. Parsons
On 8/3/07, JD Bronson <[EMAIL PROTECTED]> wrote:
>
> just out of curiosity...
> did you try kernel pppoe?



My fault for not saying I already am using kernel pppoe (and yes, I find it
to be very low on CPU usage)

Clearing out pf doesn't seem to help either.

Mark



Re: pppoe getting limited to 150k/sec?

2007-08-03 Thread JD Bronson

just out of curiosity...
did you try kernel pppoe?

man 4 pppoe

I found that to be much faster and more robust than userland
pppoe, but still doesn't explain your issue...

CPU usage dramatically dropped when using kernelmode pppoe.

-JD

At 08:42 AM 8/3/2007 -0400, M. Parsons wrote:

Hello,

Running Openbsd 4.1 i386 as a firewall/nat box.  I have connected to it a 6
mbps DSL pppoe connection.

The pppoe works fine, as do all machines behind the openbsd box, they all
can max out the 6mbps.

But transfers directly on the OpenBSD box (wget, ftp, whatever) are all
limited to 150k/sec.  I can run 4 of them at a time to max out the 6 mbps,
but individually they never go above 150k/sec.

I notice that it's been discussed before at
http://groups.google.ca/group/lucky.openbsd.misc/browse_thread/thread/6b23da898f218983/973782972742230e?lnk=st&q=openbsd+150k&rnum=3&hl=en#973782972742230e

(I apologize for the long link)

But I can't seem to find a solution.

It's not the end of the world that transfers directly on the OpenBSD box max at
150k/sec, but when updating the system or something I would like to get
600k. :-)

Thank you

Mark




Re: pppoe getting limited to 150k/sec?

2007-08-03 Thread Daniel Melameth
On 8/3/07, M. Parsons <[EMAIL PROTECTED]> wrote:
> Running Openbsd 4.1 i386 as a firewall/nat box.  I have connected to it a 6
> mbps DSL pppoe connection.
>
> The pppoe works fine, as do all machines behind the openbsd box, they all
> can max out the 6mbps.
>
> But, transfers directly on the openbsd box (wget, ftp, whatever) all are
> limited to 150k/sec.  I can run 4 of them at a time to max out the 6 mbps,
> but individually, they never go above 150k/sec.

This is likely a BPD issue--see
http://marc.info/?l=openbsd-misc&m=111910098716125&w=2 for details.



pppoe getting limited to 150k/sec?

2007-08-03 Thread M. Parsons
Hello,

Running Openbsd 4.1 i386 as a firewall/nat box.  I have connected to it a 6
mbps DSL pppoe connection.

The pppoe works fine, as do all machines behind the openbsd box, they all
can max out the 6mbps.

But transfers directly on the OpenBSD box (wget, ftp, whatever) are all
limited to 150k/sec.  I can run 4 of them at a time to max out the 6 mbps,
but individually they never go above 150k/sec.

I notice that it's been discussed before at
http://groups.google.ca/group/lucky.openbsd.misc/browse_thread/thread/6b23da898f218983/973782972742230e?lnk=st&q=openbsd+150k&rnum=3&hl=en#973782972742230e

(I apologize for the long link)

But I can't seem to find a solution.

It's not the end of the world that transfers directly on the OpenBSD box max at
150k/sec, but when updating the system or something I would like to get
600k. :-)

Thank you

Mark



Re: OpenBSD client to Microsoft ISA Server

2007-08-03 Thread Huzeyfe ONAL
Hi,
try Ntlmaps from http://ntlmaps.sourceforge.net/

Dmitrij Czarkoff wrote:
> Is there any solution for connecting to the web via Microsoft ISA Server?
> I've got one at my office, and the only app successfully coming
> through is Firefox, while all the rest can't.
> Setting HTTP_PROXY="http://username:[EMAIL PROTECTED]:8080" doesn't help.



Re: 4.1-release packages with 4.1-stable system ?

2007-08-03 Thread Nico Meijer
Hi Ronnie,

> Now I wonder if I can still use 4.1-release packages from any mirror.

Set up $PKG_PATH to point at your favo(u)rite mirror. Depending on your
architecture, you get updated packages with `pkg_add -ui`.

The answer, in short, is 'yes, but check for updates'.

HTH... Nico



4.1-release packages with 4.1-stable system ?

2007-08-03 Thread Ronnie Garcia

Hello,

I used to run only -release systems until yesterday. I updated to
4.1-stable, built a release, and installed other fresh 4.1-stable systems.


Now I wonder if I can still use 4.1-release packages from any mirror.
Reading http://www.openbsd.org/faq/faq5.html#Flavors makes me feel that
it is not recommended, but it's not clear.


Then maybe I should switch to using ports?

Best,

--
Ronnie Garcia 



Re: OpenBSD client to Microsoft ISA Server

2007-08-03 Thread Mathias Reitinger
hi,

On 03:22 03 Aug 07, Dmitrij Czarkoff wrote:
> Is there any solution for connecting to the web via Microsoft ISA Server?
> I've got one at my office, and the only app successfully coming
> through is Firefox, while all the rest can't.
> Setting HTTP_PROXY="http://username:[EMAIL PROTECTED]:8080" doesn't help.

maybe the ISA server is using NTLM auth? Firefox seems to support
NTLM, most applications do not.

there is a proxy (written in python) that can perform the NTLM auth
and forward your requests. you can use that as a 'normal' proxy then.


-- 
Mathias Reitinger



OpenBSD client to Microsoft ISA Server

2007-08-03 Thread Dmitrij Czarkoff
Is there any solution for connecting to the web via Microsoft ISA Server?
I've got one at my office, and the only app successfully coming
through is Firefox, while all the rest can't.
Setting HTTP_PROXY="http://username:[EMAIL PROTECTED]:8080" doesn't help.

-- 
.0.
..0
000



Re: ftp-proxy vs "FTP over SSL"

2007-08-03 Thread soulshepard
is there any other way of getting ftp+ssl to pass normally on a bsd box? 

soul.


Die Gestalt wrote:
> 
> All I can tell you is I had for a while a ftp + ssl server running
> (and yes ftp + ssl is useful in some scenarios) behind a pf machine and
> it all worked perfectly well.
> 
> The problem is that you get first a SSL handshake and then all the
> rest is ciphered, preventing ftp-proxy from doing its work.
> 
> You may need  to do the following:
> 
> - restrict the data ports of the ftp server to a certain range (for
> example 4 to 45000)
> - open these ports on the pf machine (bypassing the ftp proxy behaviour)
> - have the ftp server listen on a port other than 21
> 
> If you wanted ftp-proxy to work transparently with SSL it would have
> to proxy the SSL handshake as well which might be a problem in terms
> of security since the data flow would exist in clear (somewhere in
> memory) on the proxy.
> 
> On 7/31/07, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
>> A client of ours (don't ask) has been sold by somebody else on the
>> idea that FTP over SSL (afaik implemented with some Microsoft system
>> or other) is the way to go.
>>
>> Now FTP over SSL seems to be a variant which isn't obviously well
>> supported other than a few experimental clients, and with a fairly
>> straightforward 4.1 pf + ftp-proxy setup (close enough to the one in
>> the tutorial[1]) near the client end, what I get is that the client
>> and server happily clear authentication, but do not manage to set up
>> their SSL connection.
>>
>> What I get from ftp-proxy is a sequence of
>>
>> Jul 31 10:49:27 delilah ftp-proxy[15797]: #1 client command too long or
>> not clean
>>
>> with incrementing # numbers, until the partners give up.
>>
>> The 'techies' at the other end seem to have problems with concepts
>> such as server tunables, so the question is, is there some obvious
>> ftp-proxy workaround I've missed (other than the even more obvious
>> 'use something else')?
>>
>> - P
>>
>> [1] http://home.nuug.no/~/peter/pf/, specifically
>>http://home.nuug.no/~peter/pf/en/newftpproxy.html
>>
>> --
>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
>> http://www.nuug.no/
>> "Remember to set the evil bit on all malicious network traffic"
>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/ftp-proxy-vs-%22FTP-over-SSL%22-tf4191916.html#a11980071
Sent from the openbsd user - misc mailing list archive at Nabble.com.
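The three steps quoted above (a fixed passive data range on the server, that range passed through pf without ftp-proxy, and the control channel moved off port 21 so the ftp-proxy redirect never touches it) as a pf.conf fragment in OpenBSD 4.1 syntax. This is an added example and not configuration from anyone in the thread: the interface names, the 192.0.2.10 server address, control port 2121 and passive range 40000:45000 are assumptions, and the range must match what the FTPS server is actually configured to advertise in its PASV replies.

```pf
# Added example, not from the thread. Interfaces, the server address
# 192.0.2.10, control port 2121 and data range 40000:45000 are assumed;
# the FTPS server must be configured to use exactly that passive range.
ext_if    = "em0"
int_if    = "em1"
ftps_srv  = "192.0.2.10"
ftps_ctl  = "2121"          # not 21, so the ftp-proxy rdr below never matches it
ftps_data = "40000:45000"   # fixed passive range configured on the server

set skip on lo

# Plain FTP from inside clients keeps going through ftp-proxy(8) as before.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 \
    -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# FTPS server: pf cannot read the encrypted PORT/PASV exchange, so the
# control port and the whole passive range are forwarded statically
# instead of being opened per connection by the proxy.
rdr on $ext_if proto tcp from any to ($ext_if) port $ftps_ctl \
    -> $ftps_srv port $ftps_ctl
rdr on $ext_if proto tcp from any to ($ext_if) port $ftps_data -> $ftps_srv

block in log on $ext_if
pass in on $ext_if proto tcp from any to $ftps_srv \
    port { $ftps_ctl, $ftps_data } flags S/SA keep state
pass out on $int_if proto tcp from any to $ftps_srv \
    port { $ftps_ctl, $ftps_data } flags S/SA keep state
```

Check it with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`. The trade-off is the one named in the thread: a static 5000-port allow to the server replaces the per-connection holes ftp-proxy would punch, but the TLS session terminates on the server rather than in the proxy's memory, and `block in log` keeps the rest of the external interface closed.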



Re: kernel pppoe issues

2007-08-03 Thread Chris Cohen
On Friday 03 August 2007 10:38, you wrote:
> Hi Chris,
>
> * Chris Cohen wrote/schrieb:
> > Would really like to provide a dmesg but the pppoe messages flooded away
> > the boot messages.
>
> I can't really answer your question, but you can find the boot dmesg
> in /var/run/dmesg.boot

Nope, it's also full of pppoe errors and "uid 0 on /dev: out of inodes" (which
happened because I did something wrong with my CF card and mfs, but that is
fixed now...).

>
> Good luck,

Thanks



Re: kernel pppoe issues

2007-08-03 Thread Chris Cohen
Sorry, I'm running 4.1 (-STABLE from 1 March) on i386.

On Friday 03 August 2007 10:10, Chris Cohen wrote:
> Hi,
>
> I've got some trouble with in-kernel pppoe and adsl.
>
> >From time to time the connection just "hangs up":
>
> # grep pppoe /var/log/messages
> [...]
> Jul 26 09:41:21 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 26 10:34:51 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 26 10:34:57 dslgw /bsd: pppoe0: pap failure
> Jul 26 10:35:07 dslgw /bsd: pppoe0: pap failure
> Jul 26 10:35:17 dslgw /bsd: pppoe0: pap failure
> Jul 26 10:35:28 dslgw /bsd: pppoe0: pap failure
> Jul 27 11:05:27 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 28 03:09:01 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 29 14:35:39 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 29 15:01:20 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 07:33:53 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 07:43:23 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 07:46:33 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 08:01:34 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 30 18:23:16 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 31 10:34:30 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 31 11:04:20 dslgw /bsd: pppoe0: LCP keepalive timeout
> Jul 31 14:31:21 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug  1 10:31:56 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug  1 11:09:36 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug  2 09:45:42 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug  2 10:13:02 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug  2 10:13:07 dslgw /bsd: pppoe0: pap failure
> Aug  3 07:31:15 dslgw /bsd: pppoe0: pap failure
> Aug  3 07:31:25 dslgw /bsd: pppoe0: pap failure
> Aug  3 07:31:35 dslgw /bsd: pppoe0: pap failure
> Aug  3 09:34:08 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug  3 09:34:13 dslgw /bsd: pppoe0: pap failure
> Aug  3 09:50:08 dslgw /bsd: pppoe0: LCP keepalive timeout
> Aug  3 09:50:28 dslgw /bsd: pppoe0: pap failure
> Aug  3 09:50:38 dslgw /bsd: pppoe0: pap failure
>
> /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev fxp0 authproto pap
> authname "@t-online.de" authkey  up
> !/sbin/route add default 0.0.0.1
>
> /etc/hostname.fxp0
> up
>
> fxp0 is connected to my provider's stupid (no web interface) DSL modem. The
> modem's diode shows that there is still a connection to my provider's DSLAM.
> Would really like to provide a dmesg but the pppoe messages flooded away
> the boot messages.
>
> So the question is, is this a provider issue or is it hardware/openbsd
> related?
>
> --
> thanks
> Chris



Server Compatability List

2007-08-03 Thread Stefan Hoffmann

hello,

I'm looking for a server compatibility list. Does an official one exist?


I only found

http://www.armorlogic.com/openbsd_information_server_compatibility_list.html

which only covers a few servers.



mfG
--> stefan <--



OpenBSD 4.1 and 4.2-beta on Hp Proliant DL585 G2

2007-08-03 Thread patrik . bergamasco
Hi all, I have this problem: on an HP ProLiant DL585 G2 (a server with 4 AMD
Opteron dual-core CPUs and 8GB ECC RAM; the BIOS recognizes all the RAM) I try
to run OpenBSD 4.1 and OpenBSD 4.2-beta but only 2GB RAM is recognized.
I tried running OpenBSD without MP but the problem doesn't change, so I tried the
command "machine mem +" without success; I also tried installing only 4GB RAM
but it is the same, and I have tried disabling pcibios in the UKC console, also
without success.

Any suggestions are welcome... thanks

Sorry for my English.

this is a kernel dmesg of 4.2:

OpenBSD 4.2-beta (GENERIC.MP) #1347: Tue Jul 31 13:28:30 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2145316864 (2045MB)
avail mem = 2072072192 (1976MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xee000 (149 entries)
bios0: HP ProLiant DL585 G2
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Dual-Core AMD Opteron(tm) Processor 8212, 2009.48 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Dual-Core AMD Opteron(tm) Processor 8212, 2009.26 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Dual-Core AMD Opteron(tm) Processor 8212, 2009.26 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu2: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu2: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Dual-Core AMD Opteron(tm) Processor 8212, 2009.26 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu3: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu3: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu3: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu4 at mainbus0: apid 4 (application processor)
cpu4: Dual-Core AMD Opteron(tm) Processor 8212, 2009.26 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu4: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu4: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu4: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu5 at mainbus0: apid 5 (application processor)
cpu5: Dual-Core AMD Opteron(tm) Processor 8212, 2009.26 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu5: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu5: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu5: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu6 at mainbus0: apid 6 (application processor)
cpu6: Dual-Core AMD Opteron(tm) Processor 8212, 2009.26 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu6: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu6: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu6: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Dual-Core AMD Opteron(tm) Processor 8212, 2009.26 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu7: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu7: ITLB 32 4KB entries fully associative

kernel pppoe issues

2007-08-03 Thread Chris Cohen
Hi,

I've got some trouble with in-kernel pppoe and adsl.
>From time to time the connection just "hangs up":
# grep pppoe /var/log/messages
[...]
Jul 26 09:41:21 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 26 10:34:51 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 26 10:34:57 dslgw /bsd: pppoe0: pap failure
Jul 26 10:35:07 dslgw /bsd: pppoe0: pap failure
Jul 26 10:35:17 dslgw /bsd: pppoe0: pap failure
Jul 26 10:35:28 dslgw /bsd: pppoe0: pap failure
Jul 27 11:05:27 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 28 03:09:01 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 29 14:35:39 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 29 15:01:20 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 07:33:53 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 07:43:23 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 07:46:33 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 08:01:34 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 30 18:23:16 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 31 10:34:30 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 31 11:04:20 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 31 14:31:21 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug  1 10:31:56 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug  1 11:09:36 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug  2 09:45:42 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug  2 10:13:02 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug  2 10:13:07 dslgw /bsd: pppoe0: pap failure
Aug  3 07:31:15 dslgw /bsd: pppoe0: pap failure
Aug  3 07:31:25 dslgw /bsd: pppoe0: pap failure
Aug  3 07:31:35 dslgw /bsd: pppoe0: pap failure
Aug  3 09:34:08 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug  3 09:34:13 dslgw /bsd: pppoe0: pap failure
Aug  3 09:50:08 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug  3 09:50:28 dslgw /bsd: pppoe0: pap failure
Aug  3 09:50:38 dslgw /bsd: pppoe0: pap failure

/etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 0.0.0.1 pppoedev fxp0 authproto pap
authname "@t-online.de" authkey  up
!/sbin/route add default 0.0.0.1

/etc/hostname.fxp0
up

fxp0 is connected to my provider's stupid (no web interface) DSL modem. The
modem's diode shows that there is still a connection to my provider's DSLAM.
Would really like to provide a dmesg but the pppoe messages flooded away the
boot messages.

So the question is, is this a provider issue or is it hardware/openbsd
related?

--
thanks
Chris
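The pattern in the log above (an "LCP keepalive timeout", then a burst of "pap failure" lines roughly ten seconds apart) is easier to reason about per day than by eye, and a per-day count separates "the link drops and comes straight back" from "the link drops and the access concentrator then refuses the redial". The script below does that summarisation. It is an added example, not something posted in the thread or shipped with pppoe(4): the embedded log lines are constructed from the ones quoted above so it runs offline, and the 60-second window used to pair a PAP failure with the preceding keepalive timeout is an assumed threshold. On a real gateway, pipe `grep pppoe0 /var/log/messages` into the function instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread or pppoe(4)): summarise pppoe0 link
# events from /var/log/messages-style lines, one line per day. The sample
# below is constructed from the lines in the message above.
SAMPLE_LOG='Jul 26 09:41:21 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 26 10:34:51 dslgw /bsd: pppoe0: LCP keepalive timeout
Jul 26 10:34:57 dslgw /bsd: pppoe0: pap failure
Jul 26 10:35:07 dslgw /bsd: pppoe0: pap failure
Jul 26 10:35:17 dslgw /bsd: pppoe0: pap failure
Jul 27 11:05:27 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug  3 09:34:08 dslgw /bsd: pppoe0: LCP keepalive timeout
Aug  3 09:34:13 dslgw /bsd: pppoe0: pap failure'

# Reads syslog lines on stdin and prints, per day: the number of keepalive
# timeouts, the number of PAP failures, and how many PAP failures came within
# 60 seconds (assumed threshold) of a keepalive timeout, i.e. the redial after
# a dropped session was rejected rather than the session merely going idle.
summarise_pppoe() {
    awk '
    # Convert "Mon DD HH:MM:SS" to a rough second count; only differences
    # between nearby events matter, so month length is approximated as 31.
    function tosec(mon, day, hms,   t, m) {
        split(hms, t, ":")
        m = index("JanFebMarAprMayJunJulAugSepOctNovDec", mon)
        m = (m + 2) / 3
        return ((m * 31 + day) * 86400) + t[1] * 3600 + t[2] * 60 + t[3]
    }
    /pppoe0: LCP keepalive timeout/ {
        day = $1 " " $2; ka[day]++; seen[day] = 1
        last_ka = tosec($1, $2, $3)
    }
    /pppoe0: pap failure/ {
        day = $1 " " $2; pap[day]++; seen[day] = 1
        now = tosec($1, $2, $3)
        # Pair at most one PAP failure with each keepalive timeout.
        if (last_ka && now - last_ka <= 60) { linked[day]++; last_ka = 0 }
    }
    END {
        for (d in seen)
            printf "%s keepalive=%d pap=%d pap_within_60s_of_keepalive=%d\n",
                d, ka[d] + 0, pap[d] + 0, linked[d] + 0
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarise_pppoe
```

A day with many keepalive timeouts but no paired PAP failure looks like a flapping line (the redial succeeds immediately), while a day where every timeout is followed by PAP rejections points at the far end dropping and then refusing the session; the script only makes that distinction countable, it does not decide the provider-versus-hardware question on its own.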



Re: pagedaemon: deadlock detected

2007-08-03 Thread Timo Schoeler

thus Chris Kuethe spake:

On 8/2/07, Timo Schoeler <[EMAIL PROTECTED]> wrote:

hi,

i have an amd64 system running for about six months now flawlessly
(however, due to following -current, not with uptimes >10 days).

today it crashed twice when i had two torrents active (not very big
ones, one 900MByte and one 1300MByte in size -- i did use this machine
for far bigger ones, with rtorrent running several instances in
parallel, without problems).


check out PRs 5517 and 5496 - they include a diff which may help you.

CK


hi,

i applied the patch to a -current system checked out and built about 
twelve hours ago; since then the machine runs happily with both rtorrent 
instances.


if i can provide more information on this issue especially with regards 
to why it did *not* fix the problem on Frank Denis' Net4801, please let 
me know.


thanks again & best,

timo