Re: OpenBSD firewalls as virtual machine ?
On 9/20/07, Nick Holland [EMAIL PROTECTED] wrote: Can someone please inform me if this is a really bad idea or not, ideally with some nice reasoning? Cheers, Josh Read this: http://advosys.ca/viewpoints/2007/04/fuzzing-virtual-machines/ Read the paper linked there as well. Always good to go back to original source material. Anyone who told you VM technology and security had anything to do with each other was full of doo-doo. I'll echo Nick's statements here. Virtualization does not provide reliable enough segmentation to rely on for security assurance. Do not buy into the market smack the vendors are putting out about it. As far as that goes, the more time goes on, the weaker the assumption of virtualized segmentation becomes. Research from IntelGuardians and other groups appears to be coming closer to completely unraveling virtualization security, at least in terms of how it's implemented in VMware for example. See also CVE-2007-0061, CVE-2007-0062, CVE-2007-0063, and CVE-2007-4496. DS
Re: Shutdown script (derived from Simple startup daemon's on boot question?)
On 9/21/07, Siju George [EMAIL PROTECTED] wrote: I have a similar doubt. What happens when I have a lot of windows open in my fvwm2 and I click on my desktop and click Exit Fvwm2? Will all the X11 applications be shut down decently? Or is it better to type halt in an xterm? What is the right way to shut down a desktop?

There are some mechanisms to tell applications to shut down when you quit X (either by exiting the window manager, or more brutally with Ctl+Alt+Backspace). They are a bit complex, and not all applications handle the events they get (and not all window managers implement the same protocol). For instance, in my experience, firefox manages to remove its lock (in ~/.mozilla/firefox/hexstuff/) most of the time when I exit from X (using Ctl+Alt+Backspace) without quitting it first. But the safest way is to quit each application first, then exit the window manager. Of course this is mainly important for applications with pending changes like text editors, e-mail clients, or such. xclock or xload don't care if they are terminated badly.
Re: Error while trying to build xenocara
Gregory Edigarov wrote: Just an update: I've made /usr/xobj directory, then run the same command again, with same result. read the README file, under the hopeless case section... that helped me (I am a hopeless case, too, but not hopless ;) OK, thanks, guys. It worked. And sorry for being a bit impolite. Just not hopeless but desperate. That's what led me the wrong way. -- With best regards, Gregory Edigarov
Re: operator permissions: a wish-list
Matthew Szudzik wrote: I don't know the history of the operator group, but it almost seems as if it dates back to the days when BSD ran on mainframes whose only form of removable media was a tape drive. Of course, computers are being used much differently nowadays, so it makes sense to update the operator group.

It comes from the job description of Computer Operator. You know what a Systems Administrator is; an operator is a much lower-profile junior job. In large companies, operators often work the graveyard shift and operate the backup routines. Been there, done that.

Or, alternatively, maybe the operator group has become obsolete with the advent of sudo? In that case, perhaps the operator group should be abolished, because I get the feeling that the operator group, in its current form, isn't serving any real purpose.

It is used by backup apps, such as amanda (in ports). It can also be used by your local backup scripts to dump slices. Maybe there is a need for an additional group for other functions that are now more common? So you could be added to operator and desktop (or whatever name is better).
Re: FW: Microsoft gets the Most Secure Operating Systems award
The One. The one gonad. Get a proper email account you cowardly faggot.
Re: OpenBSD firewalls as virtual machine ?
Darren Spruell wrote: On 9/20/07, Nick Holland [EMAIL PROTECTED] wrote: Can someone please inform me if this is a really bad idea or not, ideally with some nice reasoning? Anyone who told you VM technology and security had anything to do with each other was full of doo-doo. I'll echo Nick's statements here. Virtualization does not provide reliable enough segmentation to rely on for security assurance. Do not buy into the market smack the vendors are putting out about it. Virtual equals complex. Network devices are supposed to be reliable. Complex does not equal reliable - just ask anyone that has served in the military!
Re: operator permissions: a wish-list
* Craig Skinner [EMAIL PROTECTED] [2007-09-21 10:02]: Maybe there is need for an additional group for other functions that are now more common? halter? :) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Forward traffic on incoming port help
Jake Conk [EMAIL PROTECTED] writes: I added this rdr rule to my pf.conf:

rdr on $ext_if proto tcp from any to any port ftp -> 192.168.10.9 port ftp

FTP is a special case. Like Jason pointed out, you most likely need to hook ftp-proxy into your configuration. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Question on interface enumeration
Hello Everybody, Supposing I have several identical NICs in my server, can I predict which becomes int0, which becomes int1, etc? A link to a document explaining it (or man something) would absolutely suffice. Thank you. -- With best regards, Gregory Edigarov
Re: operator permissions: a wish-list
Henning Brauer wrote: * Craig Skinner [EMAIL PROTECTED] [2007-09-21 10:02]: Maybe there is need for an additional group for other functions that are now more common? halter? :) For a while I supported Sun's Netconnect service, which is a fancy Nagios for Solaris. It watches the logs for patterns and reports on system availability. But when German-speaking customers took it on they reported terrible uptime stats; it was grepping for the word halt!
Re: 2 internet connections on 1 router
Marian Hettwer wrote: Hi All, Question is: How do I fiddle around with my routing table, that basically the wget running on my router is using sis2 (with the pppoe uplink), while the rest (my existing working lan) is still using sis0 with my good-guys cable modem uplink? just do: route add som.eth.in.g your pppoe server ip and you're set -- With best regards, Gregory Edigarov
Re: 2 internet connections on 1 router
Gregory Edigarov wrote: Marian Hettwer wrote: Hi All, Question is: How do I fiddle around with my routing table, that basically the wget running on my router is using sis2 (with the pppoe uplink), while the rest (my existing working lan) is still using sis0 with my good-guys cable modem uplink? just do: route add som.eth.in.g your pppoe server ip and you're set

This would basically mean, if som.eth.in.g is let's say 123.123.123.123, that every connection to that destination goes through my pppoe uplink. Right? Isn't there a way to say something like: if source is 127.0.0.1, then go via the pppoe uplink? I bet there's a way to do that via route. On the other hand, it may interfere with my existing setup. Thinking of the ftp proxy which connects from localhost to somewhere. hhmm... well, the host route setup is good enough for the moment. I'll write a small shellscript which does the downloading from different servers anyway, and well, I'll just set up the route before starting. thanks so far! ./Marian
Re: 1440x900 resolution problem
Like Darrin suggested, try matching Modelines and Modes. In xorg.conf enable only this (comment out the rest of the modelines):

Modeline "1680x1050_60.00" 147.14 1680 1784 1968 2256 1050 1051 1054 1087 -HSync +Vsync

Modify the Screen section:

Section "Screen"
    Identifier "Screen0"
    Device "Card0"
    Monitor "Monitor0"
    DefaultDepth 24
    SubSection "Display"
        Depth 24
        Modes "1680x1050_60.00"
    EndSubSection
EndSection

Marius

On 9/21/07, Genadijus Paleckis [EMAIL PROTECTED] wrote: I have a similar problem and it is still unresolved. My video card is an Intel i810 and the monitor is a Samsung SyncMaster 226CW; I'm trying to use 1680x1050 with no success. What I found is that I cannot force it to use a 60Hz VertRefresh and the card uses 75Hz instead.

gtf's suggestion:

boo$ gtf 1680 1050 60
# 1680x1050 @ 60.00 Hz (GTF) hsync: 65.22 kHz; pclk: 147.14 MHz
Modeline "1680x1050_60.00" 147.14 1680 1784 1968 2256 1050 1051 1054 1087 -HSync +Vsync

xorg.conf's Monitor and Screen sections:

Section "Monitor"
    Identifier "Monitor0"
    Option "DPMS"
    # from Xorg.0.log
    HorizSync 30-81
    VertRefresh 56-75
    # GTF suggestion
    Modeline "1680x1050_1" 147.14 1680 1784 1968 2256 1050 1051 1054 1087 -HSync +Vsync
    # numbers from Xorg.0.log
    ModeLine "1680x1050_2" 119.0 1680 1728 1760 1840 1050 1053 1059 1080
EndSection

Section "Screen"
    Identifier "Screen0"
    Device "Card0"
    Monitor "Monitor0"
    DefaultDepth 24
    SubSection "Display"
        Depth 24
        Modes "1680x1050_1" "1680x1050_2"
    EndSubSection
EndSection
Re: 2 internet connections on 1 router
On 2007/09/21 11:12, Marian Hettwer wrote: route add som.eth.in.g your pppoe server ip and you're set This would basically mean, if som.eth.in.g is let's say 123.123.123.123, that every connection to that destination goes through my pppoe uplink. Right? Yes. Isn't there a way to say something like: if source is 127.0.0.1, then go via the pppoe uplink? route-to + nat in pf.conf.
2007-09-20 from sweden to south africa by bike
I've now reached the French Alps by bike. I will soon cycle beside the Mediterranean Sea near the coast. I have taken some pictures and written a bit about my expedition. If you're interested you can point your browser to the following address: http://www.narfstrom.se Friendly regards from Grenoble, Rhône-Alpes - France Andreas
Re: Forward traffic on incoming port help
Well, to answer my question: apparently I could use inetd to also do port forwarding, which is included in base and really easy to do. After figuring that out I was suddenly able to figure out my pf problems and got pf to port forward correctly also. Thanks guys, - Jake

On 9/21/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote: Jake Conk [EMAIL PROTECTED] writes: I added this rdr rule to my pf.conf:

rdr on $ext_if proto tcp from any to any port ftp -> 192.168.10.9 port ftp

FTP is a special case. Like Jason pointed out, you most likely need to hook ftp-proxy into your configuration. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: 1440x900 resolution problem
Tried, and as before it stuck at 75Hz, resulting in 1280x1024. Some time ago I read somewhere that on Linux with Xorg 7.2 someone also had this problem (I don't know if I can call it the same problem; it has a widescreen LCD, i810 driver) and solved it by updating the i810 driver, xrandr to 1.2 and some other libs from Xorg's git tree. Because 7.3 is already released and Matthieu Herrb is doing his hard work to move xenocara to 7.3, I guess that in the near future I also will be pleased with 1680x1050 :)
Re: isakmp phase 2 negotiation failed
On 20.09-19:17, Daniel Ouellet wrote: [ ... ] Do as you see fit, but my advice to you wouldn't be to help trying to get it up as is now, but first run 4.1, then try the new way of doing it. I think that would be a much better use of time.

Thanks for the advice. Unfortunately both systems are off-site production machines and cannot be easily upgraded. I will try manually keying the tunnel in the short term. Thanks again -- t t w
Re: Question on interface enumeration
Gregory Edigarov wrote: Hello Everybody, Supposing I have several identical NICs in my server, can I predict which becomes int0, which becomes int1, etc? A link to a document explaining it (or man something) would absolutely suffice. Thank you.

Not easily, at least if you are referring to a machine you know nothing about and haven't powered up yet. However, it is easy to make simple tests to find out.

Assuming PCI, they go by order of the slots in the bus, which isn't something OpenBSD controls. Many machines have curious orders. For example, I have a Dell GX1 which has five PCI slots; the order is something like: 2 3 4 0 1. (To add insult to injury, I had four-port NICs in every slot, took a while to find dc0! :)

Now, once I know (er.. knew. The above sequence is from non-ECC and proven faulty memory!) the pattern of slots in a GX1, I can know which NIC will get which identifier. If I put int(4) NICs in slots 3 and 1, the one in slot 1 will be int0, the one in slot 3 will be int1. Now, if I move the NIC from slot 1 into slot 4, they will switch IDs. If I replace the NIC in slot 3 with a NIC of the same type (driver-wise, that is), nothing will change. If I remove int0 and replace it with a different driver, int1 will become int0.

How did I identify the slot order in the machine? Stuck identical NICs in all slots. Why did I do that? Because I stuck three NICs in the thing and the ordering was not obvious, so I figured I had better get to know this machine better.

In all cases, the dmesg will link your MACs to physical IDs, so stick the MAC addr on the spine of the card. In most cases, ifconfig will show you which NICs have link in real time, so an easy way to identify things is to drop to shell, plug in one cable, run ifconfig and see which has link. Label. Move cable, repeat until done.

None of this is applicable to ISA or USB NICs. It may be applicable to other buses and platforms.

Moral:
1) Know your HW
2) Label the MAC address on your NICs
3) Have identical replacement HW in case a non-OpenBSD expert has to do a swap
4) Know how to reconfig your system if you have to change your NICs
5) Practice, practice, practice
6) Drop to shell before install, look around.
Nick.
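The "label the MAC on the card, then find link with ifconfig" procedure Nick describes, as an added shell example that is not code from the original thread. It parses dmesg(8)-style autoconf lines into a PCI device / driver instance / MAC table ordered the way the kernel attaches the cards, and picks out of ifconfig(8) output the interface that currently has link. Only awk(1) and sort(1) are assumed; the dmesg and ifconfig text embedded below is constructed to resemble the lines quoted elsewhere on this page (the fxp0 line and its "Intel 8255x" name are made up for the example).

```shell
#!/bin/sh
# Added example for the interface-enumeration thread above; not code from
# the original posts. It reads dmesg(8)-style autoconf lines and ifconfig(8)
# output and turns them into the label table Nick recommends keeping:
# PCI bus/device -> driver instance -> MAC address, plus "which port has link".
# Only awk(1) and sort(1) are assumed. The sample text below is constructed
# to resemble the lines quoted on this page; it is not real output.

SAMPLE_DMESG='rl0 at pci0 dev 12 function 0 "Realtek 8139" rev 0x10: irq 11, address 00:50:fc:e2:cf:20
vr0 at pci0 dev 13 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:0c:e1:40
fxp0 at pci0 dev 9 function 0 "Intel 8255x" rev 0x08: irq 5, address 00:02:b3:00:11:22
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31'

SAMPLE_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:fc:e2:cf:20
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
vr0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:0c:e1:40
        media: Ethernet autoselect (none)
        status: no carrier'

# nic_table: dmesg text on stdin -> "bus dev ifname mac", one NIC per line,
# ordered by PCI device number (the order the kernel attaches them in).
# Lines without an "address" token (bridges, video, crypto) are skipped.
nic_table() {
    awk '/ at pci[0-9]+ dev [0-9]+ / && / address [0-9a-f:]+/ {
        for (i = 1; i <= NF; i++)
            if ($i == "address") mac = $(i + 1)
        printf "%s %s %s %s\n", $3, $5, $1, mac
    }' | sort -k1,1 -k2,2n
}

# mac_of IFNAME: the MAC for one driver instance, to write on the card spine.
mac_of() {
    nic_table | awk -v n="$1" '$3 == n { print $4 }'
}

# linked_ifaces: ifconfig text on stdin -> names of interfaces whose media
# status is "active", i.e. the port you just plugged a cable into.
linked_ifaces() {
    awk '/^[a-z]+[0-9]+:/ { name = $1; sub(/:$/, "", name) }
         /status: active/ { print name }'
}

# On a real box:   dmesg | nic_table      and      ifconfig | linked_ifaces
printf '%s\n' "$SAMPLE_DMESG" | nic_table
printf '%s\n' "$SAMPLE_IFCONFIG" | linked_ifaces
```

On the constructed input the table comes out as fxp0 (dev 9), rl0 (dev 12), vr0 (dev 13), and rl0 is the only interface with link. Swapping a card for one with a different driver changes the instance numbers but never the MAC, which is why the MAC and not the ifname belongs on the label.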
4.1 on ALIX.1C - recommendations?
Hi all, last night, I installed 4.1 on the new ALIX.1C: http://www.pcengines.ch/alix1c.htm (see dmesg at bottom). The intended use of the box is a home router/firewall/NAT/DNS/DHCP for my home network of about four computers (heterogeneous). Everything works fine (as usual with OpenBSD), but there are a few fine points I need some advice with.

Firstly, swap (I don't really mind reinstalling). The install guide says: On the root disk, the two partitions 'a' and 'b' must be created. The installation process will not proceed until these two partitions are available. 'a' will be used for the root filesystem (/) and 'b' will be used as swap space. It also says: The 'b' partition of your first drive automatically becomes your system swap partition -- we recommend a minimum of 32MB but if you have disk to spare make it at least 64MB. If you have lots of disk space to spare, make this 256MB, or even 512MB. On the other hand, if you are using a flash device for disk, you probably want no swap partition at all. Many people follow an old rule of thumb that your swap partition should be twice the size of your main system RAM. This rule is nonsense. The machine has 256M of RAM, and the storage is a 2G CF card (seen as wd0). The machine is mostly idle (basically just routes). How much swap do you think I should set for such operation? For regular operation, I don't think I need a swap partition at all (how would I do that? A 'b' partition of zero size, as it has to exist?), but to be able to save possible core dumps, I am thinking of 300M swap and 300M /var (to hold /var/crash). Is this reasonable?

Secondly, the network interfaces. The box comes with an on-board vr0 at pci0 dev 13 function 0 VIA VT6105M RhineIII rev 0x96: irq 10 which I currently use as the external iface, and the PCI slot holds rl0 at pci0 dev 12 function 0 Realtek 8139 rev 0x10: irq 11 which is used as the internal iface.
I also have the following cards in my hands, and I would like to figure out which combination of external/internal would give me the best performance (if it makes any difference at all): Intel PRO/100 S Desktop adapter, 3C905C-TX-M Etherlink 10/100 PCI. I don't have any idea about what amount of e.g. fragment reassembly the external/internal iface needs to do, and which card (or which card's driver) is best for that. The machine only has one PCI slot, so one of these has to be the on-board VIA. Which of the others is best supported in obsd (and which vendor is most open)?

Thirdly, the CF storage. Having read http://www.kaschwig.net/projects/openbsd/wrap/#mfs http://blog.innerewut.de/2005/05/14/openbsd-3-7-on-wrap http://blog.innerewut.de/2005/05/19/openbsd-3-7-on-wrap-revised http://blog.innerewut.de/2005/06/03/small-update-on-openbsd-3-7-on-wrap (which apply to 3.7 on WRAP, the predecessor of ALIX), I am concerned about the CF wearing out. As these articles are from 2005 - do these things still apply to newer CF cards, and should I therefore set up an mfs? What else should I do to make the CF card live longer (noatime comes to mind of course). Thanks for any suggestions Jan

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 499 MHz cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX real mem = 259284992 (253208K) avail mem = 228904960 (223540K) using 3195 buffers containing 13086720 bytes (12780K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+ BIOS, date 08/21/07, BIOS32 rev.
0 @ 0xfa960 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 70102 dobusy 1 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0xdfb4 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/112 (5 entries) pcibios0: bad IRQ table checksum pcibios0: PCI BIOS has 5 Interrupt Routing table entries pcibios0: PCI Exclusive IRQs: 5 10 11 pcibios0: no compatible PCI ICU found pcibios0: Warning, unable to fix up PCI interrupt routing pcibios0: PCI bus #0 is the last bus bios0: ROM list: 0xc/0x8000 0xef000/0x1000! acpi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x31 vga1 at pci0 dev 1 function 1 AMD Geode LX Video rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES rl0 at pci0 dev 12 function 0 Realtek 8139 rev 0x10: irq 11, address 00:50:fc:e2:cf:20 rlphy0 at rl0 phy 0: RTL internal PHY vr0 at pci0 dev 13 function 0 VIA VT6105M RhineIII rev 0x96: irq 10, address 00:0d:b9:0c:e1:40 ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034 pcib0 at pci0 dev 15 function 0 AMD
FW: isakmp phase 2 negotiation failed
-----Original Message-----
From: Christoph Leser
Sent: Friday, 21 September 2007 12:58
To: 'n0g0013'
Subject: Re: isakmp phase 2 negotiation failed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of n0g0013
Sent: Thursday, 20 September 2007 23:52
To: misc@openbsd.org
Subject: isakmp phase 2 negotiation failed

having a nightmare getting two openbsd (one 3.8, one 4.0) boxes to set up a tunnel. finally got the phase 1 negotiation going (or so i believe from reviewing the logs) but it appears that the phase two starts and is just abandoned. my best guess is that the default definitions for QM-ESP-DES-MD5-SUITE are incompatible but i can't seem to get by it. the -DA=99 output and configuration files are attached in the hope that someone can make sense of this. i also have the -L dump if anyone needs it. thanks for any assistance. -- t t w

# isakmpd configuration
[General]
Listen-on= 83.104.36.71

[X509-Certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key

[Phase 1]
#84.203.180.117= gw.vpn.cobbled.net

[caley01.vpn.cobbled.net]
ID-Type= FQDN
Name= caley01.vpn.cobbled.net

[gw.vpn.cobbled.net]
ID-Type= FQDN
Name= gw.vpn.cobbled.net

[Phase 2]
Connections= cobbled-caley

[cobbled_net-gw]
Phase= 1
Configuration= low-crypto
Address= 84.203.180.117
ID= caley01.vpn.cobbled.net
Remote-ID= gw.vpn.cobbled.net

[cobbled-caley]
Phase= 2
ISAKMP-peer= cobbled_net-gw
Configuration= low-crypto-quick
Local-ID= cobbled_net-caley
Remote-ID= cobbled_net-all

[cobbled_net-all]
ID-Type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.0.0.0

[cobbled_net-caley]
ID-Type= IPV4_ADDR_SUBNET
Network= 10.192.0.0
Netmask= 255.255.0.0

[min-crypto-quick]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Transforms= QM-ESP-DES-MD5-SUITE

[low-crypto]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG

[low-crypto-quick]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Transforms= QM-ESP-3DES-SHA-PFS-SUITE

Enable logging to /var/run/isakmpd.pcap by either starting isakmpd with the -L switch or sending the 'p on' command to the isakmpd command pipe (echo 'p on' > /var/run/isakmpd.fifo). Then do a

tcpdump -r /var/run/isakmpd.pcap -nvv

This will clearly show what parameters are negotiated and with what result the phase 2 negotiation fails. That's my 5 cents.

regards
Re: OpenBSD firewalls as virtual machine ?
Some commercial firewalls (i.e. Juniper/NetScreen ScreenOS-based gear) have been offering virtual systems for years now. I think the negative comments received here may be appropriate when sharing the system with non-secure guest OSs, but it seems that it might be alright if it's nothing but firewalls. Cheers, Kent

Josh wrote: Hello there. We have a bunch of obsd firewalls, 8 at the moment, all working nice and so forth. But we need to add about another 4 in there for new connections and networks, which means more machines to find room for. So basically I have been asked to investigate running all these firewalls in two big boxes, with lots of NICs, with a bunch of openbsd virtual machines on them. One main box for the primary firewalls, one for the secondary. Each virtual machine getting its own physical NIC. Personally I don't really like the idea, I can see things going wrong, lots of stuff balancing on a guest os and box. Can someone please inform me if this is a really bad idea or not, ideally with some nice reasoning? Cheers, Josh
spamdb never shows any entries ?!?
Hi, I tried to set up spamd on OpenBSD 4.1 but after preloading the database at /var/db/spamd using:

isabsd # /usr/libexec/spamd-setup -d
Getting http://www.openbsd.org/spamd/nixspam.gz
blacklist nixspam 39960 entries
whitelist override 40138 entries
Getting http://www.openbsd.org/spamd/chinacidr.txt.gz
blacklist china 431 entries
whitelist override 609 entries
Getting http://www.openbsd.org/spamd/koreacidr.txt.gz
blacklist korea 270 entries
whitelist override 448 entries

spamdb does not show any entries ...

isabsd # spamdb
isabsd #

I also tried to gather more information on what spamd is doing by adding daemon.debug for logging and calling spamd using -v -G1:1:864 to be somewhat more verbose, but I can't detect anything helpful. By connecting to port 25 on the spamd machine I always get the answer from spamd, but tailing what spamd does never shows that it adds (greylists) something to the database. I changed the owner of /var/db/spamd to _spamd:_spamd, but I'm executing spamd and spamdb as root. Any ideas? Stefan
Re: spamdb never shows any entries ?!?
On Fri, 21 Sep 2007, Stefan Sczekalla-Waldschmidt wrote: isabsd # /usr/libexec/spamd-setup -d See your pf(4) table spamd pfctl -t spamd -T show | wc -l pfctl -t spamd -T show | tail spamdb does not show any entries ... isabsd # spamdb That is unrelated. spamdb only touches the hash database on the filesystem. Also spamd itself doesn't use the pf spamd table -- it uses the pf spamd-white table. Jeremy C. Reed
Re: OpenBSD firewalls as virtual machine ?
It sounds to me like the comments here are largely appropriate; virtualizing firewalls in the limited context that has been explained probably isn't a real good idea, at least due to perceived load. Additionally, if there are that many firewalls being run, instead of numerous interfaces in a fewer number of machines, you're going to continue to have problems being able to virtualize enough hardware network interfaces. However, I don't fully agree with the sentiment that running a firewall in a virtual machine (let's be specific, VMWare ESX) guest environment. I'm running my firewall on an ESX 3.0.2 guest, and it works perfectly fine. That being said, you have to be aware of the VM configuration. The majority of vulnerabilities in VMWare are patchable (so yes, someone needs to do maintenance), but are also issues that affect the VMKernel or service console, and with careful planning, the vulnerabilities can largely be prevented from being used as exploits on external interfaces. And one final note... although I am a fan of virtualization (I work for the company that owns VMWare), I really, really wish they did not have so many freaking patches...
Re: OpenBSD firewalls as virtual machine ?
On 9/21/07, Kent Watsen [EMAIL PROTECTED] wrote: Some commercial firewalls (i.e. Juniper/NetScreen ScreenOS-based gear) have been offering virtual-systems for years now. I think the negative comments received here may be appropriate when sharing the system with non-secure guest OSs, but it seems that it might be alright if its nothing but firewalls I have no detailed knowledge of those devices, but I'm pretty sure their virtual firewalls are not accomplished by virtualizing the OS, but by supporting multiple routing tables and rules-sets. Virtual and virtual may be different in reality. /Tony
Re: spamdb never shows any entries ?!?
On 2007/09/21 08:01, Jeremy C. Reed wrote: On Fri, 21 Sep 2007, Stefan Sczekalla-Waldschmidt wrote: isabsd # /usr/libexec/spamd-setup -d See your pf(4) table spamd This changed in 4.1; unless you use -b, it's no longer necessary to keep the blacklist in a PF table.
Re: 4.1 on ALIX.1C - recommendations?
Jan Stary wrote: Hi all, last night, I installed 4.1 on the new ALIX.1C: http://www.pcengines.ch/alix1c.htm (see dmesg at bottom). The intended use of the box is a home router/firewall/NAT/DNS/DHCP for my home network of about four computers (heterogeneous). Everything works fine (as usual with OpenBSD), but there are a few fine points I need some advice with. Firstly, swap (i don't really mind reinstalling). Install guide says On the root disk, the two partitions 'a' and 'b' must be created. The installation process will not proceed until these two partitions are available. 'a' will be used for the root filesystem (/) and 'b' will be used as swap space. oops. That's no longer true, you can now install Just Fine with no swap partition. It was true some time back, but that was fixed long ago. It also says The 'b' partition of your first drive automatically becomes your system swap partition -- we recommend a minimum of 32MB but if you have disk to spare make it at least 64MB. If you have lots of disk space to spare, make this 256MB, or even 512MB. On the other hand, if you are using a flash device for disk, you probably want no swap partition at all. Many people follow an old rule of thumb that your swap partition should be twice the size of your main system RAM. This rule is nonsense. The machine has 256M of RAM, and the storage is a 2G CF card (seen as wd0). The machine is mostly idle (basically just routes). How much swap do you think I should set for such operation? none. If swapping is a concern, you don't want flash. For regular operation, I don't think I need a swap partition at all (how would I do that? A 'b' partition of zero size, as it has to exist?), but to be able to save possible core dumps, I am thinking of 300M swap and 300M /var (to hold /var/crash). Is this reasonable? naw. Unless you know what to do with a core dump, just skip the swap. Secondly, the network interfaces. 
The box comes with an on-board vr0 at pci0 dev 13 function 0 VIA VT6105M RhineIII rev 0x96: irq 10 which I currently use as the external iface, and the PCI slot holds rl0 at pci0 dev 12 function 0 Realtek 8139 rev 0x10: irq 11 which is used as the internal iface. I also have the following cards in my hands, and I would like to figure out which combination of external/internal would give me the best performance (if it makes any difference at all): Intel PRO/100 S Desktop adapter, 3C905C-TX-M Etherlink 10/100 PCI. I don't have any idea about what amount of e.g. fragment reassembly the external/internal iface needs to do, and which card (or which card's driver) is best for that. The machine only has one PCI slot, so one of these has to be the on-board VIA. Which of the others is best supported in obsd (and which vendor is most open)?

If you gotta ask, it won't matter. You have three bad NICs (vr, rl, xl) and one good one (fxp). But it just won't matter for your use. You got yourself a little economy car of a computer system. You got it because it is small and cheap to operate, and you will be operating it in rush-hour. Don't worry about which tail fin will give you the best performance. (no idea how well that analogy travels around the world. Around here, people like buying tiny cars, then putting a loud muffler and a huge fin (on the back of a front-wheel drive car. That so helps) on 'em and think themselves cool, rather than the dumb-as-a-rock that the rest of us think of them as. I really hope the rest of the world isn't this dumb, but I fear it may be) Philosophically, I'd probably rather put the Intel card facing the Internet, but to fight that urge, I ran my primary mail/web server with an rl(4) card facing the 'net for many years with zero problems. Anything you are going to run through this box will not hit the NICs as a bottleneck.

Thirdly, the CF storage.
> Having read
>   http://www.kaschwig.net/projects/openbsd/wrap/#mfs
>   http://blog.innerewut.de/2005/05/14/openbsd-3-7-on-wrap
>   http://blog.innerewut.de/2005/05/19/openbsd-3-7-on-wrap-revised
>   http://blog.innerewut.de/2005/06/03/small-update-on-openbsd-3-7-on-wrap
> (which apply to 3.7 on WRAP, the predecessor of ALIX), I am concerned about the CF wearing off. As these articles are from 2005 - do these things still apply to newer CF cards, and should I therefore set up a mfs? What else should I do to make the CF card live longer (noatime comes to mind of course).

biggest reason to avoid writing to flash is it is painfully slow. General experience (inc. mine) seems to indicate that the finite write cycle problems of flash is not going to bite you. It's a blooming computer system, how long do you even want it to last? :) In two years, you will be buying 32G flash devices at the drugstore closeout pile. The (then big) 256M CF that I had running OpenBSD for many years on is now useless to me for almost
Re: spamdb never shows any entries ?!?
--- Stefan Sczekalla-Waldschmidt [EMAIL PROTECTED] wrote:
> Hi,
> I tried to set up spamd on OpenBSD 4.1, but after preloading the database at /var/db/spamd using:
>
>   isabsd # /usr/libexec/spamd-setup -d
>   Getting http://www.openbsd.org/spamd/nixspam.gz
>   blacklist nixspam 39960 entries
>   whitelist override 40138 entries
>   Getting http://www.openbsd.org/spamd/chinacidr.txt.gz
>   blacklist china 431 entries
>   whitelist override 609 entries
>   Getting http://www.openbsd.org/spamd/koreacidr.txt.gz
>   blacklist korea 270 entries
>   whitelist override 448 entries
>
> spamdb does not show any entries ...
>
>   isabsd # spamdb

spamd-setup does not populate the spamdb database.

> I also tried to gather more information on what spamd is doing by adding daemon.debug for logging and calling spamd using -v -G1:1:864 to be somewhat more verbose. I can't detect something helpful.
>
> By connecting to port 25 on the spamd machine I always get the answer from spamd, but tailing what spamd does never shows that it adds (greylist) something to the database.
>
> I changed the owner of /var/db/spamd to _spamd:_spamd, but I'm executing spamd and spamdb as root.
>
> Any ideas?
>
> Stefan
Re: Skype on OpenBSD 4.1 using Fedora RPM
www.aei.mpg.de/~pau/skype.png (BIG png, watch out, I don't want to kill your modem connection) was working fine. I installed it as an exercise and then deleted it... because I don't use it.

Cheers,
Pau

2007/9/21, Siju George [EMAIL PROTECTED]:
> On 9/20/07, Siju George [EMAIL PROTECTED] wrote:
> > Hi,
> > Is there anybody successfully using skype on OpenBSD 4.1 using Linux emulation? If so which RPM are you using?
>
> O.K with the help of Martynas Venckus I got Skype running on 4.1. Had to copy
>   libasound.so.2 => /usr/lib/libasound.so.2
>   libsigc-2.0.so.0 => /usr/lib/libsigc-2.0.so.0
> to the openbsd system as told in http://www.openbsd.org/cgi-bin/man.cgi?query=compat_linuxsektion=8
>
> Had problems with running skype. Martynas helped me there too :-) Thanks a million friend.
>
> When you restart skype you cannot login as it would give the error "Another skype instance may exist", so the workaround followed now is to wipe out the whole ~/.Skype directory and it works again.
>
> I can chat but cannot make phone calls. It gives the error "Call Failed : Problem with audio playback".
>
> Thank you so much :-)
>
> Kind Regards
> Siju
Re: FW: Microsoft gets the Most Secure Operating Systems award
On Fri, Sep 21, 2007 at 08:53:02AM +0100, Craig Skinner wrote:
> The One. The one gonad. Get a proper email account you cowardly faggot.

Let's not get into WW II morale-boosting songs :)

Doug.
Re: OpenBSD firewalls as virtual machine ?
On 9/21/07, Scott Wells [EMAIL PROTECTED] wrote:
> However, I don't fully agree with the sentiment that running a firewall in a virtual machine (let's be specific, VMWare ESX) guest environment. I'm running my firewall on a ESX 3.0.2 guest, and it works perfectly fine. That being said, you have to be aware of the VM configuration. The majority of vulnerabilities in VMWare are patchable (so yes, someone needs to do maintenance), but are also issues that affect the VMKernel or service console, and with careful planning, the vulnerabilities can largely be prevented from being used as exploits on external interfaces.

(I'd hoped you would have prefaced that with a statement like "these are my stock options talking", but...)

This is the kind of bad advice that virtualization companies (and naive users of those technologies) need to stop spreading. This security model is flawed, and people should not rely on these virtual machine environments to provide firewall services. Here's an entirely realistic scenario at this point:

- Administrator pays loads of money for VMware ESX; for better ROI, he intends to replace several systems on the network with one big system running a number of VMs. Maybe there is a full DMZ (say, 10 hosts) on this box. One virtual machine is configured as a firewall, intended to provide packet filtering and other network security services for the other DMZ VMs.

- A vulnerability is discovered that allows an attacker who has presence in one VM to execute arbitrary code on the host OS, or transfer files between guest and host. (Both of these have happened already. In fact, VMware Tools seems to be the perfect bit of flawed gateway software to make this even easier.) Virtualized segmentation is compromised at this point.

- Attacker now has presence on host OS and can fully control all 10 of the VMs running on the host. VM segmentation was supposed to prevent this, remember?
This includes the firewall, which he can now play fun games with, such as overwriting the ruleset. He can sniff network traffic for all the VM hosts since he has direct access to the host interface. In one short subversion, 10 (11) systems have been compromised through one flawed security model. A weakness in one VM becomes the thing that makes compromising all the others dramatically easier. Why subject your firewall to that?

At least in a traditional non-virtualized firewall model, the attacker would have to pull out real exploits and attack real (secured) services to compromise the firewall, and it wouldn't fall at the same time as the other hosts.

Yes, these kinds of flaws have (so far) been able to be patched, but

a. They're becoming more frequent as more research goes into breaking out of VMs
b. The impact of these flaws can be so high it doesn't justify risking the integrity of an entire network of machines at the same time when you get bit by it.

Feel free to lump all of your IIS webservers onto a VM environment and let that get owned up and down. At least have the good sense to physically separate your firewall (and other network security devices) out of that.

DS
Re: OpenBSD firewalls as virtual machine ?
Josh wrote:
> Hello there. We have a bunch of obsd firewalls, 8 at the moment, all working nice and so forth. But we need to add about another 4 in there for new connections and networks, which means more machines to find room for. So basically I have been asked to investigate running all these firewalls in two big boxes, with lots of NICs, with a bunch of openbsd virtual machines on them. One main box for the primary firewalls, one for the secondary. Each virtual machine getting its own physical NIC. Personally I don't really like the idea, I can see things going wrong, lots of stuff balancing on a guest os and box.

I don't understand the logic of having multiple firewalls on one box. If one box can handle the throughput requirements of all the NICs, why not just one big firewall?

Doug.
Re: 4.1 on ALIX.1C - recommendations?
Jan Stary [EMAIL PROTECTED] wrote:
> last night, I installed 4.1 on the new ALIX.1C: http://www.pcengines.ch/alix1c.htm (see dmesg at bottom). The intended use of the box is a home router/firewall/NAT/DNS/DHCP for my home network of about four computers (heterogeneous).

I recently got a Soekris net5501, which is uncannily similar (I guess they're both based on the same reference design), and moved the same kind of infrastructure functions to that box, so I had to look at similar decisions.

> Firstly, swap (i don't really mind reinstalling). The machine has 256M of RAM, and the storage is a 2G CF card (seen as wd0). The machine is mostly idle (basically just routes). How much swap do you think I should set for such operation? For regular operation, I don't think I need a swap partition at all

Indeed. Just run without swap.

> (how would I do that? A 'b' partition of zero size, as it has to exist?),

Actually, it does not have to exist.

> but to be able to save possible core dumps, I am thinking of 300M swap and 300M /var (to hold /var/crash). Is this reasonable?

Do you want to do kernel development and debugging on that box?

It depends on how you view the machine. I decided to forgo the usual multiuser system approach and treat the box as an appliance. The whole point is that it will just sit there, perform its job, and I won't have to touch it. I didn't twiddle with settings unless required for functionality. No need for a pretty shell prompt. I didn't even bother to create a user account. What for? I'd have to prefix nearly all commands with sudo anyway. Partitions? There's only a single partition 'a'.

> Secondly, the network interfaces. The box comes with an on-board
>   vr0 at pci0 dev 13 function 0 VIA VT6105M RhineIII rev 0x96: irq 10
> which I currently use as the external iface, and the PCI slot holds
>   rl0 at pci0 dev 12 function 0 Realtek 8139 rev 0x10: irq 11
> which is used as the internal iface.
> I also have the following cards in my hands, and I would like to figure out which combination of external/internal would give me the best performance (if it makes any difference at all):
>   Intel PRO/100 S Desktop adapter
>   3C905C-TX-M Etherlink 10/100 PCI 3

Well, near the top of /sys/dev/ic/rtl81x9.c you can find Bill Paul's famous rant on just how crappy the rl(4) hardware is. He concludes:

  It's impossible given this rotten design to really achieve decent performance at 100Mbps, unless you happen to have a 400MHz PII or some equally overmuscled CPU to drive it.

That was written quite a few years ago, and as wimpy as a Geode LX800 may seem today, it qualifies as an overmuscled CPU. Any of your cards above will be fine. I doubt you're going to notice any difference.

> I don't have any idea about what amount of e.g. fragment reassembly the external/internal iface needs to do, and which card (or which card's driver) is best for that.

Fragment reassembly doesn't happen in the driver.

> Thirdly, the CF storage. Having read
>   http://www.kaschwig.net/projects/openbsd/wrap/#mfs
>   http://blog.innerewut.de/2005/05/14/openbsd-3-7-on-wrap
>   http://blog.innerewut.de/2005/05/19/openbsd-3-7-on-wrap-revised
>   http://blog.innerewut.de/2005/06/03/small-update-on-openbsd-3-7-on-wrap
> (which apply to 3.7 on WRAP, the predecessor of ALIX), I am concerned about the CF wearing off.

I'm not.

> As these articles are from 2005 - do these things still apply to newer CF cards, and should I therefore set up a mfs?

I don't think these things still applied back then either. At EuroBSDCon 2005, Poul-Henning Kamp, who has a lot of experience with this, broached the topic in one of his talks and basically said that it wasn't a concern in practice and that he wanted to try out a flash drive as his laptop disk.

> What else should I do to make the CF card live longer (noatime comes to mind of course).

Buy a bigger flash so wear-leveling can spread the writes around.
But with CFs now starting at 1 GB, this isn't an issue either. -- Christian naddy Weisgerber [EMAIL PROTECTED]
Re: 4.1 on ALIX.1C - recommendations?
Jan Stary wrote:
> I am concerned about the CF wearing off. As these articles are from 2005 - do these things still apply to newer CF cards, and should I therefore set up a mfs? What else should I do to make the CF card live longer (noatime comes to mind of course).

Remote syslogging
Re: 4.1 on ALIX.1C - recommendations?
On Sep 21 09:49:20, Nick Holland wrote:
> > http://www.pcengines.ch/alix1c.htm (see dmesg at bottom). The intended use of the box is a home router/firewall/NAT/DNS/DHCP for my home network of about four computers (heterogeneous).
> >
> > Firstly, swap (i don't really mind reinstalling). Install guide says
> >
> >   On the root disk, the two partitions 'a' and 'b' must be created. The installation process will not proceed until these two partitions are available. 'a' will be used for the root filesystem (/) and 'b' will be used as swap space.
>
> oops. That's no longer true, you can now install Just Fine with no swap partition. It was true some time back, but that was fixed long ago.

OK, would someone delete this from /faq/faq4.html#Disks then, please?

> > The machine has 256M of RAM, and the storage is a 2G CF card (seen as wd0). The machine is mostly idle (basically just routes). How much swap do you think I should set for such operation?
>
> none. If swapping is a concern, you don't want flash.
>
> > For regular operation, I don't think I need a swap partition at all (how would I do that? A 'b' partition of zero size, as it has to exist?), but to be able to save possible core dumps, I am thinking of 300M swap and 300M /var (to hold /var/crash). Is this reasonable?
>
> naw. Unless you know what to do with a core dump, just skip the swap.

Will do, just wanted someone to assure me :-)

> > Secondly, the network interfaces. The box comes with an on-board
> >   vr0 at pci0 dev 13 function 0 VIA VT6105M RhineIII rev 0x96: irq 10
> > which I currently use as the external iface, and the PCI slot holds
> >   rl0 at pci0 dev 12 function 0 Realtek 8139 rev 0x10: irq 11
> > which is used as the internal iface. I also have the following cards in my hands, and I would like to figure out which combination of external/internal would give me the best performance (if it makes any difference at all):
> >   Intel PRO/100 S Desktop adapter
> >   3C905C-TX-M Etherlink 10/100 PCI 3
>
> If you gotta ask, it won't matter.
> You have three bad NICs (vr, rl, xl) and one good one (fxp). But it just won't matter for your use.
> [...]
> Philosophically, I'd probably rather put Intel card showing to the Internet, but to fight that urge, I ran my primary mail/web server with an rl(4) card facing the 'net for many years with zero problem. Anything you are going to run through this box will not hit the NICs as a bottleneck.

OK, ext_if=fxp0 int_if=vr0 for me then. (Made me read your post at bottom of http://archive.openbsd.nu/?ml=openbsd-misca=2004-01t=18114 and the BUGS section of rl(4) and vr(4).)

> > Thirdly, the CF storage. Having read
> >   http://www.kaschwig.net/projects/openbsd/wrap/#mfs
> >   http://blog.innerewut.de/2005/05/14/openbsd-3-7-on-wrap
> >   http://blog.innerewut.de/2005/05/19/openbsd-3-7-on-wrap-revised
> >   http://blog.innerewut.de/2005/06/03/small-update-on-openbsd-3-7-on-wrap
> > (which apply to 3.7 on WRAP, the predecessor of ALIX), I am concerned about the CF wearing off. As these articles are from 2005 - do these things still apply to newer CF cards, and should I therefore set up a mfs? What else should I do to make the CF card live longer (noatime comes to mind of course).
>
> biggest reason to avoid writing to flash is it is painfully slow.

This isn't really a concern in my situation - about the only thing the box will ever write is syslog messages (to an internal @loghost, probably).

> General experience (inc. mine) seems to indicate that the finite write cycle problems of flash is not going to bite you.

There is a lifelong warranty for the CF card anyway, so I will just replace it once it dies.

> It's a blooming computer system, how long do you even want it to last? :) In two years, you will be buying 32G flash devices at the drugstore closeout pile.

True :-) That being said, I'm not sold on the idea of flash as the fail-proof storage media, I've seen and heard too many "my flash card died!" stories to believe that.
The only other storage option on the ALIX board is a 44pin IDE; the CF card is quieter and eats less yticirtcele, which is more important for me, as it is a router and is gonna be running 24/7 on my desk.

> Back up at least your config, the critical files you need to rebuild it will take only a tiny amount of space.

All that really matters on this system is a few files in /etc (seriously), and these are backed up of course.

> (thanks for the dmesg!)

Aaah, I forgot to mail it to dmesg@ !

Thanks a lot, Nick!

Jan
WG: Re: isakmp phase 2 negotiation failed
-----Original Message-----
From: Christoph Leser
Sent: Friday, 21 September 2007 16:44
To: '[EMAIL PROTECTED]'
Subject: Re: isakmp phase 2 negotiation failed

> #	$OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
> #
> # See ipsec.conf(5) for syntax and examples.
>
> ike esp from 10.192.0.0/16 to 10.0.0.0/8 \
>     peer gw.vpn.cobbled.net \
>     main auth hmac-sha enc 3des-cbc \
>     quick auth hmac-md5 enc des-cbc \
>     srcid caley01.vpn.cobbled.net dstid gw.vpn.cobbled.net
>
> # isakmpd configuration
>
> [General]
> Listen-on= 83.104.36.71
>
> [X509-Certificates]
> CA-directory=/etc/isakmpd/ca/
> Cert-directory= /etc/isakmpd/certs/
> Private-key= /etc/isakmpd/private/local.key
>
> [Phase 1]
> #84.203.180.117= gw.vpn.cobbled.net
>
> [caley01.vpn.cobbled.net]
> ID-Type= FQDN
> Name=caley01.vpn.cobbled.net
>
> [gw.vpn.cobbled.net]
> ID-Type= FQDN
> Name=gw.vpn.cobbled.net
>
> [Phase 2]
> Connections= cobbled-caley
>
> [cobbled_net-gw]
> Phase= 1
> Configuration= low-crypto
> Address= 84.203.180.117
> ID= caley01.vpn.cobbled.net
> Remote-ID= gw.vpn.cobbled.net
>
> [cobbled-caley]
> Phase= 2
> ISAKMP-peer=cobbled_net-gw
> Configuration= low-crypto-quick
> Local-ID= cobbled_net-caley
> Remote-ID= cobbled_net-all
>
> [cobbled_net-all]
> ID-Type=IPV4_ADDR_SUBNET
> Network=10.0.0.0
> Netmask=255.0.0.0
>
> [cobbled_net-caley]
> ID-Type=IPV4_ADDR_SUBNET
> Network=10.192.0.0
> Netmask=255.255.0.0
>
> [low-crypto]
> DOI=IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA-RSA_SIG
>
> [low-crypto-quick]
> DOI=IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Transforms= QM-ESP-DES-MD5-SUITE

Maybe there is a problem with your isakmpd.conf: the hierarchy should be as follows (that's at least what I read from man isakmpd.conf):

  Connections lists ipsec-connections:           cobbled-caley
  ipsec-connections names IPsec-configuration:   low-crypto-quick
  IPsec-configuration names Suites:              QM-ESP-DES-MD5-SUITE  !!

so maybe it should be

  [low-crypto-quick]
  DOI=IPSEC
  EXCHANGE_TYPE= QUICK_MODE
  Suites= QM-ESP-DES-MD5-SUITE

i.e. Transforms is not a valid parameter in the IPsec-configuration section.

let me know ...

regards
christoph
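As an added check, not from Christoph's post or from isakmpd itself, the script below walks the Phase 2 chain he describes (Connections list, connection section, IPsec-configuration section) and flags a QUICK_MODE configuration that carries Transforms= instead of Suites=. The sample configuration is constructed from the posted snippet; the section and tag names are those of isakmpd.conf(5).

```python
"""Walk the Phase 2 hierarchy of an isakmpd.conf-style file.

Added example, not from the original post or from isakmpd itself.
Per isakmpd.conf(5): the [Phase 2] Connections list names connection
sections; a connection names an ISAKMP-peer (Phase 1) and a
Configuration; a Phase 2 (QUICK_MODE) configuration lists Suites=,
while only a Phase 1 configuration lists Transforms=.
"""
import configparser

# Constructed sample: the Phase 1/Phase 2 part of the configuration posted
# in the thread, with the suspected mistake left in place.
SAMPLE_CONF = """\
[Phase 2]
Connections= cobbled-caley

[cobbled_net-gw]
Phase= 1
Configuration= low-crypto
Address= 84.203.180.117
ID= caley01.vpn.cobbled.net
Remote-ID= gw.vpn.cobbled.net

[cobbled-caley]
Phase= 2
ISAKMP-peer=cobbled_net-gw
Configuration= low-crypto-quick
Local-ID= cobbled_net-caley
Remote-ID= cobbled_net-all

[low-crypto]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG

[low-crypto-quick]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Transforms= QM-ESP-DES-MD5-SUITE
"""


def parse_conf(text):
    """isakmpd.conf is "Tag= Value" lines under [Section] headers, '#' comments."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",))
    cp.optionxform = str          # isakmpd tags are case-sensitive, keep them
    cp.read_string(text)
    return cp


def check_phase2(cp):
    """Return a list of problem strings; empty means the Phase 2 chain is consistent."""
    problems = []
    if not cp.has_option("Phase 2", "Connections"):
        return ["[Phase 2] has no Connections= list"]
    for conn in cp.get("Phase 2", "Connections").replace(",", " ").split():
        if not cp.has_section(conn):
            problems.append(f"connection section [{conn}] is missing")
            continue
        if cp.get(conn, "Phase", fallback="") != "2":
            problems.append(f"[{conn}] is listed under [Phase 2] but is not Phase= 2")
        # The connection must hang off a Phase 1 (ISAKMP) peer section.
        peer = cp.get(conn, "ISAKMP-peer", fallback=None)
        if peer is None or not cp.has_section(peer):
            problems.append(f"[{conn}] ISAKMP-peer {peer!r} has no section")
        elif cp.get(peer, "Phase", fallback="") != "1":
            problems.append(f"ISAKMP-peer [{peer}] is not Phase= 1")
        # The IPsec-configuration it names must be QUICK_MODE and list Suites.
        cfg = cp.get(conn, "Configuration", fallback=None)
        if cfg is None or not cp.has_section(cfg):
            problems.append(f"[{conn}] Configuration {cfg!r} has no section")
            continue
        if cp.get(cfg, "EXCHANGE_TYPE", fallback="") != "QUICK_MODE":
            problems.append(f"[{cfg}] EXCHANGE_TYPE must be QUICK_MODE for a Phase 2 connection")
        if cp.has_option(cfg, "Transforms") and not cp.has_option(cfg, "Suites"):
            problems.append(f"[{cfg}] uses Transforms=, but an IPsec-configuration takes Suites=")
        elif not cp.has_option(cfg, "Suites"):
            problems.append(f"[{cfg}] has no Suites= list")
    return problems


if __name__ == "__main__":
    for p in check_phase2(parse_conf(SAMPLE_CONF)):
        print("isakmpd.conf:", p)
```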
Re: OpenBSD firewalls as virtual machine ?
Darren Spruell wrote:
> At least in a traditional non-virtualized firewall model, the attacker would have to pull out real exploits and attack real (secured) services to compromise the firewall, and it wouldn't fall at the same time as the other hosts. Yes, these kinds of flaws have (so far) been able to be patched, but

When I provided patch support for Solaris 10, the number of times that a patch would not add to the global zone, thus affecting all local zones on the host, was fairly common. This affected airlines, banks and oil companies that you have heard of..

I know an OS is different to a VM platform, but you are still relying on someone else to do their bit. And just because you have a lottery ticket worth of support contract does not mean that it will actually get patched in a timely manner, from experience.
Re: Question on interface enumeration
Nick Holland wrote:
> Gregory Edigarov wrote:
> > Hello Everybody,
> > Supposing I have several identical NICs in my server, can I predict which become int0, which become int1, etc? A link to a document explaining (or man something) would absolutely suffice. Thank you.
>
> Not Easily, at least if you are referring to a machine you know nothing about and haven't powered up yet. However, it is easy to make simple tests to find out.
>
> Assuming PCI, they go by order of the slots in the bus, which isn't something OpenBSD controls. Many machines have curious orders. For example, I have a Dell GX1 which has five PCI slots; the order is something like: 2 3 4 0 1. (To add insult to injury, I had four port NICs in every slot, took a while to find dc0! :)
>
> Now, once I know (er.. knew. The above sequence is from non-ECC and proven faulty memory!) the pattern of slots in a GX1, I can know which NIC will get which identifier. If I put int(4) NICs in slots 3 and 1, the one in slot 1 will be int0, the one in slot 3 will be int1. Now, if I move the NIC from slot 1 into slot 4, they will switch IDs. If I replace the NIC in slot 3 with a NIC of the same type (driver-wise, that is), nothing will change. If I remove int0 and replace it with a different driver, int1 will become int0.
>
> How did I identify the slot order in the machine? Stuck identical NICs in all slots. Why did I do that? Because I stuck three NICs in the thing and the ordering was not obvious, so I figured I better get to know this machine better.
>
> In all cases, the dmesg will link your MACs to physical IDs, so stick the MAC addr on the spine of the card. In most cases, ifconfig will show you which NICs have link in real time, so an easy way to identify things is drop to shell, plug in one cable, run ifconfig and see which has link. Label. Move cable, repeat until done.
>
> None of this is applicable to ISA or USB NICs. It may be applicable to other buses and platforms.
> Moral:
> 1) Know your HW
> 2) Label the MAC address on your NICs
> 3) Have identical replacement HW in case a non-OpenBSD expert has to do a swap,
> 4) Know how to reconfig your system if you have to change your NICs.
> 5) Practice, Practice, Practice
> 6) Drop to shell before install, look around.
>
> Nick.

I.e. they depend on the PCI slot they are inserted in, if I get you correctly. Well, thank you for such an in-depth explanation, but what I meant really was: is it guaranteed that if one takes a card from the server and then installs another card of the same make in the same slot, it will have the same id? I will do more research about it, however :-)

The best thing however would be to have the ability to set the name of an interface based on its MAC address, perhaps somebody is working on it/having it on the todo list?

--
With best regards,
Gregory Edigarov
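As an added example, not part of Nick's or Gregory's messages, the script below does the MAC-to-slot bookkeeping Nick recommends: it pulls the NIC attach lines out of dmesg text, emits a label table for the card spines, and compares a saved name-to-MAC map against the current boot so that a renumbering after a card swap is caught before a firewall's int_if/ext_if rules end up on the wrong interface. The dmesg samples are constructed; the four NIC lines copy the bge/em attach lines posted elsewhere in this digest.

```python
import re

# Constructed dmesg excerpt: the NIC attach lines copy those posted later in
# this digest for an HP ProLiant DL320 G5, the bus lines are filler.
SAMPLE_DMESG = """\
pci3 at ppb2 bus 3
bge0 at pci3 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 11, address 00:1b:78:07:c9:9a
brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 10, address 00:1b:78:07:c9:9b
pci5 at ppb4 bus 5
em0 at pci5 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: irq 11, address 00:1b:78:57:58:e0
em1 at pci5 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: irq 10, address 00:1b:78:57:58:e1
"""

# Constructed "next boot" after the port at pci3 dev 4 function 0 is gone:
# the remaining Broadcom port now attaches as bge0, so a pf.conf macro that
# names bge0 silently points at a different card.
AFTER_REMOVAL_DMESG = """\
pci3 at ppb2 bus 3
bge0 at pci3 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 10, address 00:1b:78:07:c9:9b
pci5 at ppb4 bus 5
em0 at pci5 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: irq 11, address 00:1b:78:57:58:e0
em1 at pci5 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: irq 10, address 00:1b:78:57:58:e1
"""

# "<driver><unit> at pci<bus> dev <dev> function <fn> ... address <mac>"
NIC_LINE = re.compile(
    r"^(?P<name>[a-z]+\d+) at (?P<bus>pci\d+) dev (?P<dev>\d+) function (?P<fn>\d+)"
    r".*\baddress (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_nics(dmesg):
    """Map interface name -> ((bus, dev, fn), mac) from the NIC attach lines."""
    nics = {}
    for m in NIC_LINE.finditer(dmesg):
        slot = (m.group("bus"), int(m.group("dev")), int(m.group("fn")))
        nics[m.group("name")] = (slot, m.group("mac").lower())
    return nics


def macs_by_name(nics):
    """Reduce parse_nics() output to the name -> MAC map worth saving to a file."""
    return {name: mac for name, (_slot, mac) in nics.items()}


def label_table(nics):
    """One line per card for the label on its spine: name, PCI location, MAC."""
    return [f"{name}\t{bus} dev {dev} fn {fn}\t{mac}"
            for name, ((bus, dev, fn), mac) in sorted(nics.items())]


def renumbering_changes(saved, current):
    """Compare a saved name->MAC map with this boot's map.

    Returns (name, saved_mac, current_mac) triples for every name whose MAC
    differs; None on either side means the name vanished or is new.
    """
    changes = []
    for name in sorted(set(saved) | set(current)):
        old, new = saved.get(name), current.get(name)
        if old != new:
            changes.append((name, old, new))
    return changes


if __name__ == "__main__":
    first = parse_nics(SAMPLE_DMESG)
    print("\n".join(label_table(first)))
    now = macs_by_name(parse_nics(AFTER_REMOVAL_DMESG))
    for name, old, new in renumbering_changes(macs_by_name(first), now):
        print(f"WARNING: {name}: was {old}, now {new}")
```

On a real box the input would be the output of dmesg, and the saved map a file written at install time and checked from rc before pf rules are loaded.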
Problems with ftp-proxy - Solution
Hi all, I finally found a solution to my ftp-proxy problem. The machine is a Dell 2950 with broadcom gigabit NICs, so I'm using the bnx driver included in the generic kernel. It seems that the TCP checksum offloading causes problems in certain cases. I found a reference to this on another message board first, but look also at bug report 5437. http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yesnumbers=5437 This report is closed, but the behavior I saw matched this report. In any case, I changed the bnx driver as described in the temporary fix and recompiled the kernel. FTP clients behind the proxy now function as expected. To respond to the previous post from Mr. Spruell: You were definitely on to something when you mentioned checksum offloading features. I had already tried multiple client applications and machines, but of course the problem was the firewall system itself. Incidentally, the client's ACK to complete the initial handshake did show an incorrect checksum, but I noticed that was the case whether I was using the proxy or not, and didn't seem to cause any problems by itself. I suspect that is yet another windows oddity. I appreciate everyone's help. Thank you, Jason
Re: Question on interface enumeration
Something like iftab on debian.

On 9/21/07, Gregory Edigarov [EMAIL PROTECTED] wrote:
> The best thing however would be to have the ability to set the name of an interface based on its MAC address, perhaps somebody is working on it/having it on the todo list?
>
> --
> With best regards,
> Gregory Edigarov
Re: Skype on OpenBSD 4.1 using Fedora RPM
On 9/21/07, Pau Amaro-Seoane [EMAIL PROTECTED] wrote: www.aei.mpg.de/~pau/skype.png (BIG png, watch out, I don't want to kill your modem connection) was working fine. I installed it as an exercise and then deleted it... because I don't use it Thanks a lot pau for the reply :-) What version was it? Were you able to make calls? Which rpm did you use? Kind Regards Siju
Re: Skype on OpenBSD 4.1 using Fedora RPM
On 9/21/07, Adam PAPAI [EMAIL PROTECTED] wrote:
> Could you please write me the procedure a little bit detailed? You downloaded the skype binary, installed the redhat-* stuff, enabled linux_compat and you had to copy some files from where?

OK :-) I did this on a 4.1/i386. For other versions it would be similar, however since we are going to use the Skype Linux Binary we will need an x86 system. Linux emulation is available only for x86 systems.

1) Enable Linux Emulation option in kernel

You will have a line

  #kern.emul.linux=1             # enable running Linux binaries

in your /etc/sysctl.conf file. You need to uncomment it (remove the # in the beginning) and make it look like

  kern.emul.linux=1              # enable running Linux binaries

In the next step when you install the fedora_base-4.0p2.tgz package it will automatically enable this option temporarily in the running kernel, but if the change has to last after a reboot you need to edit this file :-)

2) Install fedora_base-4.0p2.tgz package.

  #export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/
  #pkg_add fedora_base-4.0p2.tgz

We do this to get most of the required Linux library files that the Skype Linux Binary will need. Though their website says it is statically linked we will soon find out that it is not the case :-(

At this point if you are more interested in details you can read http://www.openbsd.org/cgi-bin/man.cgi?query=compat_linuxsektion=8 or

  $man 8 compat_linux

3) Download the Skype Linux Binary.

  #cd /tmp
  #ftp http://www.skype.com/go/getskype-linux-static
  Trying 204.9.163.136...
  Requesting http://www.skype.com/go/getskype-linux-static
  Redirected to http://download.skype.com/linux/skype_static-1.4.0.99.tar.bz2
  Trying 130.117.72.89...
  Requesting http://download.skype.com/linux/skype_static-1.4.0.99.tar.bz2
    0% |                                     |     0       --:-- ETA
  #pwd
  /tmp
  #bunzip2 skype_static-1.4.0.99.tar.bz2
  #tar -xvf skype_static-1.4.0.99.tar
  #mv skype_static-1.4.0.99 skype

If you want there is a README file inside the skype directory now. It explains some things, other things have to be guessed :-) So continuing our setup

  #pwd
  /tmp
  #mv skype /emul/linux/usr/share
  #cd /emul/linux/usr/share/skype
  #mv skype /emul/linux/usr/bin
  #mkdir /emul/linux/etc/skype
  #mv skype.conf /emul/linux/etc/skype

Now at this point if you start skype it will give an error.

  $ /emul/linux/usr/bin/skype
  /emul/linux/usr/bin/skype: error while loading shared libraries: libasound.so.2: cannot open shared object file: No such file or directory

So now investigating this problem we will find that
1) Skype Linux Binary is not fully statically linked as their website says
2) Even the fedora_base-4.0p2.tgz package we installed earlier does not provide all the library files required to run skype.

  $ ldd /emul/linux/usr/bin/skype
  /emul/linux/usr/bin/skype:
          libasound.so.2 => not found
          librt.so.1 => /lib/librt.so.1 (0x48874000)
          libSM.so.6 => /usr/X11R6/lib/libSM.so.6 (0x5635f000)
          libICE.so.6 => /usr/X11R6/lib/libICE.so.6 (0x4ef0a000)
          libXi.so.6 => /usr/X11R6/lib/libXi.so.6 (0x4f70)
          libXrender.so.1 => /usr/X11R6/lib/libXrender.so.1 (0x4960d000)
          libXrandr.so.2 => /usr/X11R6/lib/libXrandr.so.2 (0x4b7ad000)
          libXfixes.so.3 => /usr/X11R6/lib/libXfixes.so.3 (0x4f1c4000)
          libXcursor.so.1 => /usr/X11R6/lib/libXcursor.so.1 (0x4cd49000)
          libXinerama.so.1 => /usr/X11R6/lib/libXinerama.so.1 (0x4c147000)
          libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x4b546000)
          libfontconfig.so.1 => /usr/lib/libfontconfig.so.1 (0x4b22b000)
          libXext.so.6 => /usr/X11R6/lib/libXext.so.6 (0x4dee6000)
          libX11.so.6 => /usr/X11R6/lib/libX11.so.6 (0x53161000)
          libdl.so.2 => /lib/libdl.so.2 (0x4f1b9000)
          libpthread.so.0 => /lib/libpthread.so.0 (0x514e9000)
          libsigc-2.0.so.0 => not found
          libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x56a43000)
          libm.so.6 => /lib/libm.so.6 (0x5171b000)
          libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x5084)
          libc.so.6 => /lib/libc.so.6 (0x55057000)
          /lib/ld-linux.so.2 (0x53a9e000)
          libz.so.1 => /usr/lib/libz.so.1 (0x51f77000)
          libexpat.so.0 => /usr/lib/libexpat.so.0 (0x52c4d000)
  $ ldd /emul/linux/usr/bin/skype |grep not
          libasound.so.2 => not found
          libsigc-2.0.so.0 => not found
  $

So libasound.so.2 and libsigc-2.0.so.0 are not in the OpenBSD system. We can get it from any recent Linux
Re: Skype on OpenBSD 4.1 using Fedora RPM
Siju George wrote: Call Failed : Problem with audio playback It is unlikely that Skype will ever work on OpenBSD for more than chatting, as it uses ALSA for audio output (same as Flash 9.) That's not something compat_linux(8) can handle, only OSS audio output is emulated. Moritz
lock(1) to lock all virtual terminals?
I don't use X much and instead use lots of Virtual Terminals. Since I'm on dialup, sometimes I need to leave multiple VTs open to do things, perhaps downloading something, or it's just that I'm in the middle of things. How can I lock the whole virtual terminal setup? lock(1) only lets me lock the one VT without blocking the ability to switch to others. On Debian, there's vlock -a that does this. I don't see anything similar in the available packages for OBSD.

I can't read code so I don't know how lock(1) works internally. To get it to lock everything, I guess it would have to capture the Alt-Fn key combo. However, the OS (wscons(4)?) likely captures that before the keys get passed on to the application. So I'm sorry, I can't provide a patch.

Any suggestions?

Doug.
Re: OpenBSD firewalls as virtual machine ?
On Fri, 2007-09-21 at 10:52 -0400, Douglas A. Tutty wrote: I don't understand the logic of having multiple firewalls on one box. If one box can handle the throughput requirements of all the NICs, why not just one big firewall? Overlapping IP address space. ciao Luca
Re: OT Strange Punishment
The kid's an idiot. Set up qemu on the mandatory windows machine and run your Ubuntu. The sentence said nothing about running an emulated OS on your monitored OS.

The kid is just a whiner: "First they give me two felonies, then they throw me in prison, and now this." As if using Windows is more damaging to your reputation than felonies...

On 8/29/07, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:
> On Wed, Aug 29, 2007 at 08:32:25PM -0300, Rafael Almeida wrote:
> > The main problem I see here is the government incentivizing the purchase of Microsoft product. It's kinda dumb paying the guy pay to a company that has nothing to do with the whole thing as a punishment for your crimes. It would make sense if the government charged him for using some government OS.
>
> Besides the point that I consider restricting someone from accessing a computer to be tantamount to gagging, it is perverse that a convicted monopolist be benefited in such a way.
>
> Rui
>
> --
> Keep the Lasagna flying!
> Today is Boomtime, the 23rd day of Bureaucracy in the YOLD 3173
> + No matter how much you do, you never do enough -- unknown
> + Whatever you do will be insignificant,
> | but it is very important that you do it -- Gandhi
> + So let's do it...?
Re: Is AMD64 page out of date about W^X?
I sent a message and it looks like it got rejected... basically I found out that ia32e is EM64T (Intel's marketing name for it). I was thinking it was the itanium arch which is actually ia64. But either way... EM64T is supposed to run on AMD64... and it appears that the Intel chips do support the NXE bit since around 2005.

Can anyone confirm that the newer ia32e chips (made after early 2005) are actually supporting W^X? It seems that just because NXE is shown in the dmesg wouldn't necessarily mean that OpenBSD would then use it.

If it is indeed supported.. could someone change the message on the AMD64 page? http://www.openbsd.org/amd64.html It does seem useful to know this information for this platform and I have veered away from AMD64 for the last year because of it.
Re: SMP Support?
Hello Daniel,

Just want to make sure that we are on the same page: I'm talking about i386. It seems from below that your concern is more about amd64, but I didn't really try it, because my CPU isn't even a Xeon.

Wednesday, September 19, 2007, 6:00:16 PM, you wrote:
> I have pretty much the same picture with HP ProLiant 320 G5 (Dual Core Pentium-D 925). The server is new and passes all tests from the HP maintenance CD.

DO I couldn't make what BIOS version you were actually running there, but
DO you did check to make sure you have the latest one right?
DO http://h18023.www1.hp.com/support/files/server/us/revision/9753.html

Yes, my BIOS is from 2007.04.06 that mentioned there.

DO Let me know how it goes with current...

We've done boot testing with 4.2 -current generic.mp (with the patch from http://marc.info/?l=openbsd-techm=118975639013313w=2) turning on/off APIC in the BIOS (default on) and acpi in the kernel (default off).

APIC off, acpi off - boots with one CPU:

OpenBSD 4.2-current (GENERIC.BUILD.MP) #2: Wed Sep 19 17:11:01 CDT 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.BUILD.MP
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 1071640576 (1021MB)
avail mem = 1028599808 (980MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xee000 (47 entries)
bios0: vendor HP version W04 date 04/06/2007
bios0: HP ProLiant DL320 G5
pcibios0 at bios0: rev 3.0 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc400/0x1000 0xcd400/0x1000 0xce400/0x3400! 0xe6000/0x2000!
acpi at mainbus0 not configured ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1 cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0xc0 ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0xc0 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01 pci2 at ppb1 bus 2 ppb2 at pci2 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5 pci3 at ppb2 bus 3 bge0 at pci3 dev 4 function 0 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 11, address 00:1b:78:07:c9:9a brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0 bge1 at pci3 dev 4 function 1 Broadcom BCM5714 rev 0xa3, BCM5715 A3 (0x9003): irq 10, address 00:1b:78:07:c9:9b brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT PHY, rev. 0 ppb3 at pci3 dev 8 function 0 ServerWorks HT-1000 PCIX rev 0xb4 pci4 at ppb3 bus 4 ppb4 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01 pci5 at ppb4 bus 5 em0 at pci5 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: irq 11, address 00:1b:78:57:58:e0 em1 at pci5 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: irq 10, address 00:1b:78:57:58:e1 ppb5 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01 pci6 at ppb5 bus 6 Intel 82801GB USB rev 0x01 at pci0 dev 29 function 0 not configured Intel 82801GB USB rev 0x01 at pci0 dev 29 function 1 not configured Intel 82801GB USB rev 0x01 at pci0 dev 29 function 2 not configured Intel 82801GB USB rev 0x01 at pci0 dev 29 function 3 not configured ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 5 usb0 at ehci0: USB revision 2.0 uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1 ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1 pci7 at ppb6 bus 7 vga1 at pci7 dev 3 function 0 ATI ES1000 rev 0x02 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) Compaq iLO rev 0x03 at pci7 dev 4 function 0 not configured Compaq 
iLO rev 0x03 at pci7 dev 4 function 2 not configured Hewlett-Packard USB rev 0x00 at pci7 dev 4 function 4 not configured Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 disabled (no drives) pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to na tive-PCI pciide1: using irq 7 for native-PCI interrupt wd0 at pciide1 channel 0 drive 0: FB160C4081 wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pmsi0 at pckbc0
Re: OpenBSD firewalls as virtual machine ?
That's why god created competent network admins and NAT. On 9/21/07, Luca Corti [EMAIL PROTECTED] wrote: On Fri, 2007-09-21 at 10:52 -0400, Douglas A. Tutty wrote: I don't understand the logic of having multiple firewalls on one box. If one box can handle the throughput requirements of all the NICs, why not just one big firewall? Overlapping IP address space. ciao Luca -- This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation.
Re: Is AMD64 page out of date about W^X?
On 9/21/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: [snip] EM64T is supposed to run on AMD64... and it appears that the Intel chips do support the NXE bit since around 2005. Can anyone confirm that the newer ia32e chips (made after early 2005) are actually supporting W^X? It seems that just because NXE is shown in the dmesg wouldn't necessarily mean that OpenBSD would then use it. [snip] You can look up support for the Execute Disable Bit for your processor at http://processorfinder.intel.com/Default.aspx For example http://processorfinder.intel.com/details.aspx?sSpec=SL99W =Adriaan=
Transfer of 8mm and Super8 film, video editing, CD/DVD duplication, USB keys
You need, for your business and also personally, to preserve your old films (8, Super8, VHS, Hi8, Video8, DV and others) and give them a new lease of life by putting them on DVD, at low cost. Look no further, we are here. We have been on the market for 10 years with professional equipment; we will give you a result comparable to the original and often even better. This applies to magnetic tape but also to Super8, 8mm and 16mm film. We invite you to click on the link below to learn more and to contact us: http://www.cdmultimedia.fr/TransfertVideo/Video%20page/IndexVideo.php We can also: - Customise your blank CDs/DVDs with your logo or brand, - Carry out duplication and copying of these media in small quantities or in very large runs if you need to communicate with prospects, customers or others - Offer you duplication systems for USB keys, FlashRam cards, CDs and DVDs. We remain at your disposal; do not hesitate to get in touch with us. Regards, The sales department Centre Direct du Multimedia BP32 5 rue du 8 mai 1945 91470 Limours website: http://www.cdmultimedia.fr Tel: 01 64 91 46 24 Fax: 01 64 91 46 87 email: [EMAIL PROTECTED] File declared to the CNIL under number 785523. Article 27 of law no. 78-17 of 6 January 1978 on data processing, files and liberties applies to personal data. It guarantees a right of access and rectification for this data from the company Centre Direct du Multimedia by simply replying to this e-mail: mailto:[EMAIL PROTECTED] If you no longer wish to receive our mailings at your e-mail address, simply reply to this message stating in the subject: Ne plus utiliser. mailto:[EMAIL PROTECTED] plus utiliser
Re: OpenBSD firewalls as virtual machine ?
On 2007/09/21 14:29, bofh wrote: That's why god created competent network admins and NAT. And VRF.
Re: Is AMD64 page out of date about W^X?
Isn't one of the core2 bugs that nx is only honored for one of the cores but not the other? On 9/20/07, Ted Unangst [EMAIL PROTECTED] wrote: On 9/20/07, Darren Spruell [EMAIL PROTECTED] wrote: On 9/20/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: According to: http://www.openbsd.org/amd64.html W^X will not work on Intel's 64 bit chips. I for one chose to go with i386 on my Core 2 because of this fact alone. the early chips didn't have it, the new ones do. the web page is old. Intel produces 2 families of 64-bit processors; the EM64T and an AMD64 family chip. i cannot find any mention of the intel amd64 family on their website. -- This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation.
Re: OpenBSD firewalls as virtual machine ?
On 9/21/07, Darren Spruell [EMAIL PROTECTED] wrote: Here's an entirely realistic scenario at this point: - Administrator pays loads of money for VMware ESX; for better ROI, he intends to replace several systems on the network with one big system running a number of VMs. Maybe there is a full DMZ (say, 10 hosts) on this box. One virtual machine is configured as a firewall, intended to provide packet filtering and other network security services for the other DMZ VMs. - A vulnerability is discovered that allows an attacker who has presence in one VM to execute arbitrary code on the host OS, or transfer files between guest and host. (Both of these have happened already. In fact, VMware Tools seems to be the perfect bit of flawed gateway software to make this even easier.) Virtualized segmentation is compromised at this point. so what do you recommend? running all 10 services on the same non-virtualized machine?
Re: Is AMD64 page out of date about W^X?
On 9/21/07, bofh [EMAIL PROTECTED] wrote: Isn't one of the core2 bugs that nx is only honored for one of the cores but not the other? do you have an errata number?
Re: Is AMD64 page out of date about W^X?
Sorry, iirc it was in that link that Theo posted on core 2 errata. Hopefully I didn't read it incorrectly. But I disclaim everything... On 9/21/07, Ted Unangst [EMAIL PROTECTED] wrote: On 9/21/07, bofh [EMAIL PROTECTED] wrote: Isn't one of the core2 bugs that nx is only honored for one of the cores but not the other? do you have an errata number? -- This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation.
Re: libc: missing POSIX functions
On Fri, Sep 21, 2007 at 04:39:49PM +0200, Christoph Egger wrote:

Which form is better, (a) or (b)?

a)
char slave[80];
...
if (openpty(&masterfd, &slavefd, slave, NULL, NULL) < 0)

char slave[PATH_MAX]? I think it's a reasonable assumption that no library function will return (on any system out there) a path longer than PATH_MAX.

b)
if (openpty(&masterfd, &slavefd, NULL, NULL, NULL) < 0)
...
slave = ptsname(masterfd);

'ttyname(slavefd)' will do.
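The variant suggested in the reply, as an added example that is not code from this thread: pass NULL to openpty(3) for the name and fetch it afterwards with ttyname_r(3) into a caller-sized buffer, so neither an 80-byte guess nor a truncated path can slip through. The function name pty_slave_name and the header selection are assumptions for this example.

```c
/*
 * Added example (not from the thread): obtain the slave pty path without a
 * fixed 80-byte buffer.  openpty(3) gets NULL for the name argument and
 * ttyname_r(3) fills a buffer whose size the caller controls.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <pty.h>        /* openpty(3) lives here on glibc */
#else
#include <util.h>       /* and here on OpenBSD and the other BSDs */
#endif

#ifndef PATH_MAX
#define PATH_MAX 1024
#endif

/*
 * Open a pty pair, copy the slave's path into buf and close both ends.
 * Returns 0 on success, -1 (errno set) on failure.  A buffer too small for
 * the path yields -1 with errno == ERANGE rather than a truncated string,
 * which is the failure mode a fixed char slave[80] cannot report.
 */
int pty_slave_name(char *buf, size_t len)
{
    int master, slave, rc;

    if (openpty(&master, &slave, NULL, NULL, NULL) < 0)
        return -1;
    rc = ttyname_r(slave, buf, len);    /* 0 on success, else an errno value */
    close(slave);
    close(master);
    if (rc != 0) {
        errno = rc;
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[PATH_MAX];

    if (pty_slave_name(name, sizeof name) < 0) {
        perror("pty_slave_name");
        return 1;
    }
    printf("slave pty: %s (%zu bytes)\n", name, strlen(name));
    return 0;
}
```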
Re: OpenBSD firewalls as virtual machine ?
On Fri, 2007-09-21 at 20:51 +0100, Stuart Henderson wrote: On 2007/09/21 14:29, bofh wrote: That's why god created competent network admins and NAT. And VRF. We are talking about OpenBSD here, and support for VRF is not there. ciao Luca
Re: OpenBSD firewalls as virtual machine ?
On Fri, 2007-09-21 at 14:29 -0500, bofh wrote: That's why god created competent network admins and NAT. You are not always in control of all things. Powerful technology is about choice, not about one absolute right way. BTW, NAT sucks. ciao Luca
Re: Is AMD64 page out of date about W^X?
On 9/21/07, bofh [EMAIL PROTECTED] wrote: Sorry, iirc it was in that link that Theo posted on core 2 errata. Hopefully I didn't read it incorrectly. But I disclaim everything... there is an errata that disabling the NX bit causes it to be disabled on both cores, but this is hardly relevant. openbsd doesn't disable the NX bit. the utility of disabling it for one core but leaving it enabled on another is also rather dubious.
ccd interleave 0 does not work
Hi,

I'm trying to concatenate 2 disks using ccd. With an interleave factor of 0, as described by the man page of ccd(4), it doesn't work. An interleave factor of 1 works, though. Also, the fstype is 4.2BSD in my example, but there's no difference if I set it to CCD. This resembles a bug that was fixed March 30th, 2007: http://archive.openbsd.nu/?ml=openbsd-bugsa=2007-03t=3406566. User error or system error?

# cat /etc/ccd.conf
# $OpenBSD: ccd.conf,v 1.1 1996/08/24 20:52:22 deraadt Exp $
# Configuration file for concatenated disk devices
#
# ccd   ileave  flags   component devices
ccd0    0       none    /dev/wd1a /dev/wd2a

# ccdconfig -C
ccdconfig: ioctl (CCDIOCSET): /dev/ccd0c: Invalid argument

# uname -a
OpenBSD obsdv.lan 4.1 GENERIC#1435 i386

# mount
/dev/wd0a on / type ffs (local)

# fdisk wd1
Disk: wd1       geometry: 520/64/63 [2096640 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
 0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
*3: A6    0   1  1 -  519  63 63 [          63:     2096577 ] OpenBSD

# disklabel wd1
# Inside MBR partition 3: type A6 start 63 size 2096577
# /dev/rwd1c:
type: ESDI
disk: ESDI/IDE disk
label: VMware Virtual I
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 2080
total sectors: 2097152
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:          2096577               63  4.2BSD   2048 16384  328 # Cyl     0*-  2079
  c:          2097152                0  unused      0     0      # Cyl     0 -  2080*

# fdisk wd2
Disk: wd2       geometry: 520/64/63 [2096640 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
 0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
*3: A6    0   1  1 -  519  63 63 [          63:     2096577 ] OpenBSD

# disklabel wd2
# Inside MBR partition 3: type A6 start 63 size 2096577
# /dev/rwd2c:
type: ESDI
disk: ESDI/IDE disk
label: VMware Virtual I
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 2080
total sectors: 2097152
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:          2096577               63  4.2BSD      0     0    0 # Cyl     0*-  2079
  c:          2097152                0  unused      0     0      # Cyl     0 -  2080*
Getting sendto no buffer space available errors... irq problem?
I'm seeing some sendto: No buffer space available errors along with some ssh session hangs. The symptoms are intermittent and look a lot like this thread. http://monkey.org/openbsd/archive/misc/0309/msg00827.html

The system is 4.1 stable generic with the sangoma wanpipe driver. Most traffic is moving between the t1 card and em0. Is this probably an irq issue? If so, is there any reason not to put the nics and the wic on the same irq? (is the context switching advantage still valid?) Does it make any real difference what the other controllers are on as long as they avoid each other and em*, bge0, and sdla1? If it's more complicated than that, can anyone point me to some docs?

thanks in advance -- Joe

$ dmesg
OpenBSD 4.1 (GENERIC) #1: Sat Sep 8 20:23:34 CDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz (GenuineIntel 686-class) 2.81 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem = 267747328 (261472K)
avail mem = 236670976 (231124K)
using 3299 buffers containing 13512704 bytes (13196K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 03/24/06, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xfa3d0 (48 entries)
bios0: Dell Computer Corporation PowerEdge 830
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb900/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #6 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1600 0xec000/0x4000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0x00
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 3
em0 at pci3 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 3, address 00:04:23:cb:75:f2
em1 at pci3 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 11, address 00:04:23:cb:75:f3
ppb3 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci4 at ppb3 bus 4
bge0 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): irq 10, address 00:15:c5:5e:65:aa
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb4 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci5 at ppb4 bus 5
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 11
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb5 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci6 at ppb5 bus 6
sdla1 at pci6 dev 0 function 0 Sangoma A10x rev 0x01 irq 11
sdla1: Sangoma AFT-A101 T1/E1 adapter
vga1 at pci6 dev 5 function 0 XGI Technology Volari Z7 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, CD-ROM GCR-8485B, 1.06 SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 11 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: Maxtor 6L080M0
wd0: 16-sector PIO, LBA48, 76293MB, 15625 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x01: irq 11
iic0 at ichiic0: disabled to avoid ipmi0 interactions
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard,
Re: OpenBSD firewalls as virtual machine ?
On Fri, Sep 21, 2007 at 11:16:37PM +0200, Luca Corti wrote: On Fri, 2007-09-21 at 20:51 +0100, Stuart Henderson wrote: On 2007/09/21 14:29, bofh wrote: That's why god created competent network admins and NAT. And VRF. We are talking about OpenBSD here, and support for VRF is not there. That may change faster than you expect -- :wq Claudio
OT: embedded single board recommendation
List, Does anyone know of an embedded single board computer, much like a WRAP/ALIX.C, which has at least one miniPCIe slot? Having no luck on the intertubes. Am I right in thinking that these boards just are not suitable for 802.11n networking, considering power requirements, bus bandwidth etc etc? Any thoughts welcome poncenby
Re: OpenBSD firewalls as virtual machine ?
On 9/21/07, Claudio Jeker [EMAIL PROTECTED] wrote: On Fri, Sep 21, 2007 at 11:16:37PM +0200, Luca Corti wrote: On Fri, 2007-09-21 at 20:51 +0100, Stuart Henderson wrote: On 2007/09/21 14:29, bofh wrote: That's why god created competent network admins and NAT. And VRF. We are talking about OpenBSD here, and support for VRF is not there. That may change faster than you expect Now we're talking =) That's why god created competent network admins and NAT. Oh, please /Tony
Re: OpenBSD firewalls as virtual machine ?
On 9/20/07, Josh [EMAIL PROTECTED] wrote: Hello there. We have a bunch of obsd firewalls, 8 at the moment, all working nice and so forth. But we need to add about another 4 in there for new connections and networks, which means more machines to find room for. So basically I have been asked to investigate running all these firewalls in two big boxes, with lots of NICs, with a bunch of openbsd virtual machines on them. One main box for the primary firewalls, one for the secondary. Each virtual machine getting its own physical NIC. Personally I don't really like the idea, I can see things going wrong, lots of stuff balancing on a guest os and box. Can someone please inform me if this is a really bad idea or not, ideally with some nice reasoning? I don't like the idea of virtualizing the firewalls either. It's just asking for trouble. What happens when the host OS gets hacked? Better I think to get some of these: http://www.netgate.com/product_info.php?cPath=67products_id=369 and some soekris boards. You'll be able to fit 2 firewalls per 'u'. Then either use VLANs, or put a nic on each segment. -Bryan
Re: OpenBSD firewalls as virtual machine ?
On Sat, 2007-09-22 at 00:34 +0200, Claudio Jeker wrote: We are talking about OpenBSD here, and support for VRF is not there. That may change faster than you expect This is great news. If the implementation allows assigning interfaces to different VRFs, it would solve the virtual router/firewall setup without the need for OS virtualization. ciao Luca
Re: Slow ral(4) 802.11b in hostap mode?
Thanks for the responses from Peter and others. The CAVEAT seems only to apply to the USB variant - mine is a PCI: # dmesg | grep ral0 ral0 at pci0 dev 15 function 0 Ralink RT2560 rev 0x01: irq 5, address 00:13:d3:6a:bb:9d ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525 I've tried setting specific media types rather than autoselect but if anything this reduces throughput. I also have an aftermarket high-gain antenna fitted. Are there any other suggestions readers can offer? Thanks in advance, Damon On 20/09/2007, at 1:09 AM, Peter N. M. Hansteen wrote: Damon McMahon [EMAIL PROTECTED] writes: Also, while top(1) shows that the CPU is 95% idle the ssh terminal seems very sluggish when the ral(4) connection is maxed out, even when it's another host that's maxing it out (i.e. not the host on which the ssh client is operating). It's sort of a known problem I'm afraid. It sounds like you're stuck on a suboptimal mode, and ral doesn't really know how to fix that. It's under CAVEATS at the end of the ral(4) man page. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OpenBSD firewalls as virtual machine ?
Douglas A. Tutty wrote: ... I don't understand the logic of having multiple firewalls on one box. If one box can handle the throughput requirements of all the NICs, why not just one big firewall? There are lots of places where multiple firewalls are better than a single firewall. If one believed in the idea of a perfect VM environment, it could make sense to do that. 1) Unrelated projects: If Project A and Project B are not related, keeping them on separate firewalls can simplify the rule sets and administration. 2) Separate administration: If you run a data center with lots of different people managing different systems, They can administer their systems without having access to (or messing with) My systems' firewall. When they screw up their rules, they don't break my systems (and I guess it works the other way, too. :) Note this has some cross-training benefit, too. I can be the Firewall Deity, but I do want to go on vacation. Fred may be a Firewall Jester, but with a bit of practice, he could possibly back me up very effectively. So, Fred manages a firewall for his projects, when he screws up, he learns lessons on a simple system, and when I am not there, he can babysit the big firewall, and if I get run over by a bus, he knows how to keep all the systems running. 3) Isolation: I had set up a firewall for a web app some time back. I had ZERO trust in the skills of the web developers, and even less for their security programming skills (and similar trust in my skills to audit their code). So, I stuck their app on its own firewall, completely isolated from our production environment. I also made sure that the various machines in the thing were each attached to their own leg of the firewall, so that we really had several layers of security between the Internet (bad guys) and the database (the valuable stuff). You would have to knock over Apache, then the app, then the DB to get to the data. 
Even then, they get to a DB Server which had ONLY THE BARE MINIMUM data required to accomplish the task at hand. If it wasn't for this design, you can be sure that database server would end up serving a lot of things as, $18k Oracle licenses don't grow on trees. :) (I'm actually rather amazed they went for this. If you look at all the money they spent on the non-free parts of this system, it ended up costing probably $10/hit this site has received). If this firewall ended up getting knocked over, they would still have no access to the real company jewels, just a few shiny pebbles. This entire system could also be picked up and moved to some other location without much difficulty, if we wanted to co-locate the system. If you spend too much money on a commercial firewall product, you might wish to convince yourself that centralized administration is best, and all that and want to run everything through one monster firewall, but for real-life, there are places where it makes more logical sense to split things up. Nick.
Re: SMP Support?
Boris Goldberg wrote: Hello Daniel, Just want to make sure that we are on the same page: I'm talking about i386. It seems from below that your concern is more about amd64, but I didn't really try it, because my CPU isn't even a Xeon. You are 100% right. An oversight on my part here. Yes, my concerns are definitely more with the AMD64. In your case, you should now be good to go.
Re: OpenBSD firewalls as virtual machine ?
On Fri, Sep 21, 2007 at 11:12:10PM -0400, [EMAIL PROTECTED] wrote: Douglas A. Tutty wrote: ... I don't understand the logic of having multiple firewalls on one box. If one box can handle the throughput requirements of all the NICs, why not just one big firewall? There are lots of places where multiple firewalls are better than a single firewall. If one believed in the idea of a perfect VM environment, it could make sense to do that. 1) Unrelated projects: If Project A and Project B are not related, keeping them on separate firewalls can simplify the rule sets and administration. 2) Separate administration: If you run a data center with lots of different people managing different systems, They can administer their systems without having access to (or messing with) My systems' firewall. When they screw up their rules, they don't break my systems (and I guess it works the other way, too. :) Note this has some cross-training benefit, too. I can be the Firewall Deity, but I do want to go on vacation. Fred may be a Firewall Jester, but with a bit of practice, he could possibly back me up very effectively. So, Fred manages a firewall for his projects, when he screws up, he learns lessons on a simple system, and when I am not there, he can babysit the big firewall, and if I get run over by a bus, he knows how to keep all the systems running. 3) Isolation: I had set up a firewall for a web app some time back. I had ZERO trust in the skills of the web developers, and even less for their security programming skills (and similar trust in my skills to audit their code). So, I stuck their app on its own firewall, completely isolated from our production environment. I also made sure that the various machines in the thing were each attached to their own leg of the firewall, so that we really had several layers of security between the Internet (bad guys) and the database (the valuable stuff). You would have to knock over Apache, then the app, then the DB to get to the data. 
Even then, they get to a DB Server which had ONLY THE BARE MINIMUM data required to accomplish the task at hand. If it wasn't for this design, you can be sure that database server would end up serving a lot of things as, $18k Oracle licenses don't grow on trees. :) (I'm actually rather amazed they went for this. If you look at all the money they spent on the non-free parts of this system, it ended up costing probably $10/hit this site has received). If this firewall ended up getting knocked over, they would still have no access to the real company jewels, just a few shiny pebbles. This entire system could also be picked up and moved to some other location without much difficulty, if we wanted to co-locate the system. If you spend too much money on a commercial firewall product, you might wish to convince yourself that centralized administration is best, and all that and want to run everything through one monster firewall, but for real-life, there are places where it makes more logical sense to split things up. Hi Nick. I understand your reasons. To me they look like reasons for separate firewalls on separate boxes. In the scenarios you mention, would you put separate firewalls on one machine? If I was going to put them all on one machine, I'd separate the administration of the box itself (me) from the people responsible for rule sub-sets. E.g. if one sub-firewall is dealing with traffic between NICs 1 and 2 (call it channel A), another between NICs 3 and 4 (call it channel B), I'd have the channel A and B admins submit rule sub-sets via rsync to the box. My script would then sanity check (ensure that they only dealt with the interfaces they were assigned) then incorporate all of them into a master rule-set that would then get tested and then put on-line. I would think that this, being only one firewall, would be simpler than several firewalls in VMs on one box; possibly more secure given the comments in this thread about the porous isolation between VMs. 
That's just how I would think of it. OTOH, I've never done any virtualization and never been into a proper data center. Doug.
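One way to write the sanity check Doug sketches above, as an added example that is not code from this thread: each channel's rule sub-set is checked against the interfaces that channel was assigned before it is spliced into the master rule set. The interface names, channel assignments and rule snippets are constructed for the example; the master file would still be run through pfctl -nf on the box before loading.

```python
"""Sanity-check per-channel pf rule sub-sets and assemble a master pf.conf.

Constructed example: interface names, channel assignments and rule text are
made up; on a real box the interface list would come from the box admin.
"""
import re
from typing import Dict, List, Set

# Every interface that exists on the firewall box (constructed).
KNOWN_IFACES: Set[str] = {"em0", "em1", "em2", "em3", "bge0"}

# Which interfaces each channel admin may reference (constructed).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "channelA": {"em0", "em1"},
    "channelB": {"em2", "em3"},
}

# Rules that apply to *every* interface unless they carry an `on` clause.
FILTER_KEYWORDS = ("pass", "block", "match", "antispoof", "scrub", "nat", "rdr", "binat")
# Directives that change firewall-wide behaviour; never accepted from a channel.
GLOBAL_KEYWORDS = ("set", "include", "load")

_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_ON_CLAUSE = re.compile(r"\bon\s+(\{[^}]*\}|!?\S+)")


def logical_lines(rules: str) -> List[str]:
    """Strip comments and join backslash-continued lines."""
    out: List[str] = []
    buf = ""
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            out.append(line)
    return out


def check_subset(channel: str, rules: str) -> List[str]:
    """Return the violations found in one channel's sub-set (empty = clean)."""
    allowed = ASSIGNMENTS[channel]
    problems: List[str] = []
    for line in logical_lines(rules):
        keyword = line.split()[0]
        if keyword in GLOBAL_KEYWORDS:
            problems.append(f"{channel}: global directive not permitted: {line!r}")
            continue
        # Scan every token, not only the `on` clause: this also catches an
        # interface smuggled in through a macro (ext_if = "em3"), an address
        # form (em3:network) or an interface list ({ em2 em3 }).
        for tok in sorted(set(_TOKEN.findall(line))):
            if tok in KNOWN_IFACES and tok not in allowed:
                problems.append(f"{channel}: references foreign interface {tok}: {line!r}")
        # A filter rule without `on` matches traffic on every interface,
        # including the other channels' ones, so it is rejected outright.
        if keyword in FILTER_KEYWORDS and _ON_CLAUSE.search(line) is None:
            problems.append(f"{channel}: rule has no 'on' clause, would apply to all interfaces: {line!r}")
    return problems


def assemble(subsets: Dict[str, str], baseline: str = "block log all") -> str:
    """Build the master rule set; raise ValueError if any sub-set fails."""
    problems = [p for ch, rules in subsets.items() for p in check_subset(ch, rules)]
    if problems:
        raise ValueError("\n".join(problems))
    # The box admin's default-deny comes first; pf's last-match-wins lets the
    # channels' own `pass ... on <their iface>` rules open what they need.
    parts = ["# master pf.conf assembled from channel sub-sets", baseline]
    for channel, rules in subsets.items():
        parts.append(f"# --- {channel} ---")
        parts.extend(logical_lines(rules))
    return "\n".join(parts) + "\n"


CHANNEL_A = """\
# channel A admin: outside em0, inside em1 (constructed)
ext_if = "em0"
int_if = "em1"
pass in on $ext_if proto tcp from any to em1:network port { 80 443 } keep state
pass out on $int_if proto tcp from any to em1:network port { 80 443 } keep state
"""

CHANNEL_B_BAD = """\
# channel B admin: one rule without 'on', one touching channel A's em1,
# one firewall-wide directive (constructed)
pass in proto tcp from any to any port 22 keep state
block in on em1
set skip on em3
"""

if __name__ == "__main__":
    for channel, rules in (("channelA", CHANNEL_A), ("channelB", CHANNEL_B_BAD)):
        for problem in check_subset(channel, rules) or [f"{channel}: ok"]:
            print(problem)
    # Only the clean sub-set reaches the master file; on the firewall the
    # result would then be checked with `pfctl -nf` before being loaded.
    print(assemble({"channelA": CHANNEL_A}))
```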
Re: 4.1 on ALIX.1C - recommendations?
Jan Stary wrote: Hi all, last night, I installed 4.1 on the new ALIX.1C: http://www.pcengines.ch/alix1c.htm (see dmesg at bottom). The intended use of the box is a home router/firewall/NAT/DNS/DHCP for my home network of about four computers (heterogeneous). Everything works fine (as usual with OpenBSD), but there are a few fine points I need some advice with. Firstly, swap (I don't really mind reinstalling). Install guide says On the root disk, the two partitions 'a' and 'b' must be created. The installation process will not proceed until these two partitions are available. 'a' will be used for the root filesystem (/) and 'b' will be used as swap space. It also says The 'b' partition of your first drive automatically becomes your system swap partition -- we recommend a minimum of 32MB but if you have disk to spare make it at least 64MB. If you have lots of disk space to spare, make this 256MB, or even 512MB. On the other hand, if you are using a flash device for disk, you probably want no swap partition at all. Many people follow an old rule of thumb that your swap partition should be twice the size of your main system RAM. This rule is nonsense. The machine has 256M of RAM, and the storage is a 2G CF card (seen as wd0). The machine is mostly idle (basically just routes). How much swap do you think I should set for such operation? For regular operation, I don't think I need a swap partition at all (how would I do that? A 'b' partition of zero size, as it has to exist?), but to be able to save possible core dumps, I am thinking of 300M swap and 300M /var (to hold /var/crash). Is this reasonable? ... SNIP Is anyone using solid state drives yet?