Re: digitally signed distribution (was: OBSD's perspective on SELinux)
On 9/24/07, Martin Schröder [EMAIL PROTECTED] wrote: 2007/9/24, Joachim Schipper [EMAIL PROTECTED]: Sure it does, just pull from CVS over SSH and compile your own. Only Where do I get the ssh fingerprints of the CVS servers? Where do you get the public keys for the digitally signed distributions? --- Lars Hansson
Re: digitally signed distribution (was: OBSD's perspective on SELinux)
Sure it does, just pull from CVS over SSH and compile your own. Only Where do I get the ssh fingerprints of the CVS servers? http://www.openbsd.org/anoncvs.html#CVSROOT, of course. Not all are listed, but one can either use one that needs verified or contact the maintainer for a correct fingerprint. DS
RAID1 powerloss - can parity rewrite be safely backgrounded?
I'm running a RAID1 mirror on OpenBSD 4.1 (webserver) On a power failure the parity becomes dirty and needs rewriting, which results in 1.5 hours 'downtime'. Is it safe to background this in /etc/rc or is that a no-no? I found a reference this was possible/safe on-list but it was a) 2003 and b) dealt with RAID5. I'd like to make sure I am not doing something dangerous. Thanks, Matt
Re: OpenCON 2007 // Call for Papers
Eric Johnson wrote: On Mon, 24 Sep 2007 22:55:16 +0200 Ed [EMAIL PROTECTED] wrote: http://2006.opencon.org/ Just out of curiosity (since I can't make it), is there a newer page on this? That is the webpage of last year's conference, please visit http://www.opencon.org/ for the current conference information. - mb
Re: SMTP flood + spamdb
On 9/23/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:

patrick keshishian [EMAIL PROTECTED] writes: I'm running spamdb in greylist mode, but these servers were getting white-listed very quickly.

Then it sounds almost like you were running with a too short passtime, but then that's easy to adjust.

The default (which I believe is 25 minutes).

At around 1:40 PM (PDT) my SMTP server started getting flooded by an enormous number of connections. The connections were for seemingly random users @my-domain-name.

We've been seeing a lot of that here, too. Mostly it's a few (maybe 20) a day to the most widely known domain here, then occasionally somebody pushes the generate button for too long and one domain almost nobody actually uses gets the bounces for 700+ fake addresses[1]. Bob Beck's greyscanner is rather effective, as are the more manual methods. I've blogged about the observations quite a bit, starting with [2].

I have just re-opened my SMTP port which I had shut since 1440 Sunday. Not 1 hour has passed yet and my GREY list is almost at 300. I've added about 250 (count at the time) bogus emails to the greytrap list but since they are unique I don't think it will help the situation much. I'm very certain right now, this flood is due to a spammer using these fake addresses @my-domain-name to spam these mail servers (all around the world -- Japan, South America, US, Germany, Ireland, etc...) and I'm getting the brunt of it in the form of these bounced messages. At this point I think I have no other choice but to wait out the storm.

Short summary for those who are not too interested in blog posts: I started seeing more than the usual amount of bounce activity in my mail server log summaries, close enough to what you describe. So after a bit of thinking and log browsing I decided this was generated mainly by misconfigured mail servers bouncing spam.
Then I decided I wanted to do an experiment, to see if I could poison the well and at the same time get a feel for the data I was collecting. When you speak of misconfigured mail servers bouncing spam, what exactly is a proper configured mail server supposed to do with spam directed at non-existing user @their-host-name? Just curious. FYI, as of now my: - GREY list count is 342 (and growing) - unique bogus email count is 341 - ESTABLISHED spamd connection count is 63 (and growing) This is not fun :-\ I started publishing the fake addresses on a web page[3] as well as entering them into the list of trap addresses. I've been seeing evidence that the addresses are actually being harvested and used as to-be-spammed addresses too: addresses which are all uppercase on the web page turning up in the spamd logs and greylist dumps in all lowercase, addresses which have been on my flypaper list for months turn up all the time, and we see a steadily growing number of hosts in TRAPPED state. My users here are not getting any more spam than they used to (as close as does not matter to none), false positives are pretty much an unknown, and it looks like we're succeeding in making the spammers work harder. [1] http://bsdly.blogspot.com/2007/08/lady-in-distress-or-then-again-maybe.html [2] http://bsdly.blogspot.com/2007/07/hey-spammer-heres-list-for-you.html [3] http://www.bsdly.net/~peter/traplist.html
Re: SMTP flood + spamdb
patrick keshishian [EMAIL PROTECTED] writes: When you speak of misconfigured mail servers bouncing spam, what exactly is a proper configured mail server supposed to do with spam directed at non-existing user @their-host-name?

The real question in there is, what does a properly configured mail server do with spam? My answer is, if it gets as far as content filtering, drop it as soon as it's classified as spam, don't bounce it. Bouncing spam is never useful, the purported return address is extremely unlikely to be deliverable. A bounce is only useful for valid messages (which happen to be sent to a mistyped address), which in our context means that the message has passed greylisting and most likely some content filtering or other. In all likelihood you will still bounce to a few bogus ones, but taking this approach makes you a lot less noisy. The noise you are seeing is from sites which either don't bother much with filtering, or if they do, belong to that little cult of "bouncing spam is good" believers.

- GREY list count is 342 (and growing)
- unique bogus email count is 341
- ESTABLISHED spamd connection count is 63 (and growing)

Unless your spamd box is extremely skinny, none of these figures are particularly worrying. spamd allocates IIRC about 12 kilobytes of buffers per tarpitted host, for greylist entries just another tuple in the database. My list of trap addresses, all harvested from stuff from out there, is just over 2700. Right now there are 273 hosts in the greylist at the gateway closest to where I'm sitting (my home net, actually), with 533 in TRAPPED state.

This is not fun :-\

Well, it should not be a huge problem. IMO people who fake addresses in other people's domains should be prosecuted for some variety of fraud, but with the current level of digital competence in law enforcement that is just not going to happen. In the meantime we have reasonable countermeasures. See what greyscanner can do for you.

- P

-- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Debugging ral
I'd like to thank in public Damien Bergamini, he helped me a lot in debugging my ral setup: it was very very slow and unreliable. With Damien's tips now I have a better understanding of my ral device and, above all, it works flawlessly. I wrote a small doc reporting this experience and Damien's tips: I hope it could be useful. http://sekureshell.altervista.org/docs/trouble_ral.html f. Soekris docs resources - http://sekureshell.altervista.org
hoststated, using the same tables for more than one service
Hello there. I am using hoststated to fail over to a backup server. No dramas in that department. However, I have more than one internet connection for which hoststated is doing rdr's for. Each incoming internet connection goes to a specific carp ip, and I tag it. Then I use a reply-to later on to tell it which gateway to reply back to (instead of going out the default route).

so the network looks like this:

  conn1 - conn1_firewall - hoststated_firewall(carp1) - server
  conn2 - conn2_firewall - hoststated_firewall(carp2) - server
  conn3 - conn3_firewall - hoststated_firewall(carp3) - server

Anyway, my question is, can I use the same tables in multiple service entries? ( one for each connection ) Example:

  # for internet connection one
  service connection_one {
      virtual host 192.168.0.1 port 25
      tag route_one
      table main_server
      backup table backup_server
  }

  # for internet connection two
  service connection_two {
      virtual host 192.168.0.2 port 25
      tag route_two
      table main_server
      backup table backup_server
  }

and so on. Can I do that without any weird side effects? It will save me duplicating the table entries for each different internet connection I get connections on. Thanks, Josh
Re: hoststated, using the same tables for more than one service
Anyway, my question is, can I use the same tables in multiple service entries? ( one for each connection ) no problem there.
Re: SMTP flood + spamdb
patrick keshishian wrote: I'm very certain right now, this flood is due to a spammer using these fake addresses @my-domain-name to spam these mail servers (all around the world -- Japan, South America, US, Germany, Ireland, etc...) and I'm getting the brunt of it in the form of these bounced messages. At this point I think I have no other choice but to wait out the storm.

Read up on backscatter spam. This is a deliberate attack on your domain.

How it works: A spammer uses infected home user boxes to send random mail to various domains, with fake random addresses in your domain as the from or reply-to address. When the target domain of the initial domain does not do recipient validation at the smtp connection stage (as it should do), but spools and then rejects the mail - to you, hence you are the real target. Greylisting is of no use whatsoever because the servers sending the bounces to you are actual smtp boxes (sendmail, extrange, ), not malware, so they will quickly bypass spamd. Spamd greytraps will help a great deal, but you say that the addresses are random.

How to cope with it: All you can do is make sure that you reject mail for unknown users at the smtp connection stage. You can rate limit most mail daemons so they don't overwhelm your box. Don't worry about it, I sometimes have up to 1300 messages a minute hitting my PII 350 box on a 500M ADSL and can not tell the difference when surfing about.

How to run a mailserver: Reject mail for unknown users at the initial smtp connection stage. For valid users; either reject spam at the smtp connection stage, or spool it, process it later, tag it as spam and deliver it to the user's spam box - do not bounce it later as you will then be generating backscatter for some other poor soul.

Note: some versions of exchange can not do recipient validation at the smtp connection stage, so this will always be a problem, and is yet another reason never to have exchange as an internet facing mail server.
Re: SMTP flood + spamdb
Craig Skinner [EMAIL PROTECTED] writes: malware, so they will quickly bypass spamd. Spamd greytraps will help a great deal, but you say that the addresses are random. I think what happened here is that somebody let the random address generator run for longer than intended. One or more spammer groups has been doing similar things to some of the domains I admin for some months now, and the typical rate of new, essentially random, addresses found per day is about 20, sometimes as high as 50, and in one case more than 700. That last one was probably a case of asleep at the wheel too. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Proper way to install library from source
Hello I would like to have the AoTuV Vorbis encoder. There is no package for that. Is this supported on OpenBSD and if yes what is the proper way to do it? I downloaded the AoTuV libvorbis (it's just a different version of libvorbis), compiled, installed, then oggenc didn't recognize -q 2. So I removed oggenc and compiled oggenc from sources, that recognized -q -2 but segfaulted. I thought there is some mechanism to prevent loading a library with different version and segfault. When I remove all traces from libvorbis and install aotuv and vorbistools (oggenc) from sources, then it works like charm. But I don't have mplayer, audacity, mpd then which I want. CL
Re: SMTP flood + spamdb
On 2007/09/25 00:08, patrick keshishian wrote: I'm very certain right now, this flood is due to a spammer using these fake addresses @my-domain-name to spam these mail server (all around the world -- Japan, South America, US, Germany, Ireland, etc...) and I'm getting the brunt of it in the form of these bounced messages. At this point I think I have no other choice but to wait out the storm. If it's compatible with how you use the domain, it might help to publish SPF records. When you speak of misconfigured mail servers bouncing spam, what exactly is a proper configured mail server supposed to do with spam directed at non-existing user @their-host-name? The correct behaviour is to reject it at the SMTP port, rather than issue a bounce. Also: all hosts listed in MX records should be aware of the list of valid users and do the same. For sendmail, this is easy to do with the access map. For Postfix, relay_recipient_maps. FYI, as of now my: - GREY list count is 342 (and growing) - unique bogus email count is 341 - ESTABLISHED spamd connection count is 63 (and growing) This is not fun :-\ These are bounces, so they'll be coming from MTAs with retry queues, so they generally will make it through to the real MTA after (a minimum of) 3 retry attempts. Depending on how many normal spams that spamd saves you from, it may be a hindrance to use greylisting here. It might be better just to get these mails handled quickly and out of the sender's queues (depends on your bandwidth situation). On 2007/09/24 20:01, patrick keshishian wrote: Btw, your reply-to field contains my e-mail address. Is that intended? Mail-Followup-To, actually - yes. It wouldn't totally surprise me if gmail is doing something unexpected with it, though (-:
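The point made in the last few messages (reject an unknown recipient during the SMTP dialogue instead of accepting the message and bouncing it later) can be seen in a small simulation. This is an added example, not code from anyone in the thread; the domain example.org, the user list, the forged senders at victim.example and the reply strings are all constructed, and the SMTP exchange is modelled in memory rather than spoken to a real MTA.

```python
"""Added example: where an MX rejects an unknown recipient decides
whether it generates backscatter.

Two policies are replayed over the same batch of spam with forged
envelope senders:
  * reject at RCPT TO (what the thread recommends), and
  * accept everything, then bounce when local delivery fails.
Domain, users and envelopes below are constructed for the example.
"""

from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.org"            # assumed local domain
VALID_USERS = {"alice", "bob"}          # constructed valid-user list


@dataclass
class Envelope:
    mail_from: str      # envelope sender; "" stands for the null sender <>
    rcpt_to: str


@dataclass
class Result:
    transcript: list = field(default_factory=list)   # client/server lines
    bounces: list = field(default_factory=list)      # DSNs we would emit


def rcpt_reply(rcpt: str, validate_at_rcpt: bool) -> str:
    """Server reply to RCPT TO under the chosen policy."""
    local, _, domain = rcpt.lower().partition("@")
    if domain != LOCAL_DOMAIN:
        return "554 5.7.1 Relay access denied"
    if validate_at_rcpt and local not in VALID_USERS:
        return "550 5.1.1 No such user"
    return "250 2.1.5 Ok"


def run_session(envelopes, validate_at_rcpt: bool) -> Result:
    """Replay a batch of envelopes through one simulated SMTP session."""
    res = Result()
    for env in envelopes:
        res.transcript += [f"C: MAIL FROM:<{env.mail_from}>", "S: 250 2.1.0 Ok",
                           f"C: RCPT TO:<{env.rcpt_to}>"]
        reply = rcpt_reply(env.rcpt_to, validate_at_rcpt)
        res.transcript.append(f"S: {reply}")
        if not reply.startswith("250"):
            continue        # never queued; the sending host owns the failure
        res.transcript += ["C: DATA ...", "S: 250 2.0.0 Ok: queued"]
        local = env.rcpt_to.lower().split("@")[0]
        if local not in VALID_USERS and env.mail_from:
            # Accepted, then local delivery fails: the MTA sends a DSN to
            # the forged sender.  That DSN is the backscatter the thread
            # complains about.  (A null sender is never bounced.)
            res.bounces.append((env.mail_from, env.rcpt_to))
    return res


# Constructed spam run: forged senders in the victim's domain, random
# local parts at our MX, one hit on a real user, one null-sender bounce.
SAMPLE_SPAM = [
    Envelope("kxq93z@victim.example", "qwe8f7@example.org"),
    Envelope("pl2qqw@victim.example", "alice@example.org"),
    Envelope("ab77cd@victim.example", "zz19kk@example.org"),
    Envelope("mm01nn@victim.example", "noone@example.org"),
    Envelope("", "r4nd0m@example.org"),
]


def backscatter_count(envelopes, validate_at_rcpt: bool) -> int:
    """Number of DSNs the policy would send to third parties."""
    return len(run_session(envelopes, validate_at_rcpt).bounces)


if __name__ == "__main__":
    for policy in (True, False):
        res = run_session(SAMPLE_SPAM, policy)
        print(f"validate at RCPT = {policy}: {len(res.bounces)} bounce(s)")
        print("\n".join(res.transcript))
```

With validation at RCPT the forged senders at victim.example never receive anything; with accept-then-bounce every unknown local part turns into a DSN aimed at them, which is exactly the traffic Patrick is seeing from the other side.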
Re: OBSD's perspective on SELinux
In all my experience, every single complex security policy I've seen has very serious issues. Complexity kills it. There's always a scenario somewhere that someone has forgotten about that breaks stuff. Heck, this even happens with access control systems like PAM. About every 3 months, we hear of a security hole where some distro has managed to ship an ssh policy that makes it possible for root to login remotely without entering a password, provided he does not have a DSA key (don't believe my word, read bugtraq!). There is no model of complex security authentication systems. There is no tool that allows people to configure this kind of stuff properly, *and check the results*. Not just write documents, but actually verify that *every case* makes sense. Consider the combinatorial complexity of that. Consider real information systems, where people either have ten passwords to remember, or they use some account that's not there, or there is some temporal incongruity between what should be and what is. (Tivoli is probably the closest there is to that in the proprietary world). In the end, you want simple security. If you need ACLs, then you probably fucked up your design, and decided to add an architectural band-aid to cater over the holes of the broken design. That said, ACLs and mandatory access control make for great security theater (see Bruce Schneier's website if you don't get the reference). It's the kind of expertise that allows consulting business to make a living in security IT. Not much actual security, though.
non-x86-based hardware for OBSD?
I'm looking at the recent article on Soekris and very favorably impressed. Setting up a Soekris 5501 with OpenBSD 4.2 24 Sep 2007 http://undeadly.org/cgi?action=article&sid=20070924004901 The setup seems almost perfect, except that the AMD Geode seems to be x86-based. What corresponding non-x86 hardware options are common, recommended, or even available ? Regards, -Lars
Re: SMTP flood + spamdb
Stuart Henderson [EMAIL PROTECTED] writes: If it's compatible with how you use the domain, it might help to publish SPF records. I suppose I'll never know how many receivers of spam claiming to be from [EMAIL PROTECTED] (yes, fresh from the source) and friends actually acted on the SPF info for the domain and skipped sending a bounce, but the ones that don't use SPF in any meaningful way still generate significant backscatter. Once [EMAIL PROTECTED] is a spamtrap it won't matter much of course, except for any valid mail which might happen to venture out from the same IP address to somebody at datadok.no. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: non-x86-based hardware for OBSD?
VIA, Intel low-consumption, are X86-based. You should go into the ARM world to get something like that, and you will be disappointed, as it is much much harder to find something with 4 network connectors, serial, flash, pci, mini-pci connector, due to the lack of products manufacturers. You may want to check the website of the manufacturers mentioned on epiacenter website (http://www.epiacenter.com/modules.php?name=Content&pa=showpage&pid=39), some of them have a very broad range of product, more than you can easily find on the net. Regards,

On 9/25/07, Lars Noodin [EMAIL PROTECTED] wrote: I'm looking at the recent article on Soekris and very favorably impressed. Setting up a Soekris 5501 with OpenBSD 4.2 24 Sep 2007 http://undeadly.org/cgi?action=article&sid=20070924004901 The setup seems almost perfect, except that the AMD Geode seems to be x86-based. What corresponding non-x86 hardware options are common, recommended, or even available ? Regards, -Lars
Re: non-x86-based hardware for OBSD?
On 9/25/07, Lars Noodén [EMAIL PROTECTED] wrote: I'm looking at the recent article on Soekris and very favorably impressed. Setting up a Soekris 5501 with OpenBSD 4.2 24 Sep 2007 http://undeadly.org/cgi?action=article&sid=20070924004901 The setup seems almost perfect, except that the AMD Geode seems to be x86-based. What corresponding non-x86 hardware options are common, recommended, or even available ? Regards, -Lars

Do you have any special reasons for not using x86-based hardware? BR dunceor
Re: SMTP flood + spamdb
On 2007/09/25 10:29, Stuart Henderson wrote: Also: all hosts listed in MX records should be aware of the list of valid users and do the same. For sendmail, this is easy to do with the access map.

I had a question off-list about how to do this, so I guess some other people will benefit from an example of how to set this up.

  To:domain.com           error:550 5.1.1 No such user
  To:[EMAIL PROTECTED]    OK
  To:[EMAIL PROTECTED]    OK
  To:[EMAIL PROTECTED]    OK

then

  (cd /etc/mail; sudo makemap hash access  access)
Re: SMTP flood + spamdb
On Tue, 25 Sep 2007 09:38:10 +0100, Craig Skinner wrote: Greylisting is of no use whatsoever because the servers sending the bounces to you are actual smtp boxes (sendmail, extrange, ), not malware, so they will quickly bypass spamd. Spamd greytraps will help a great deal, but you say that the addresses are random.

I've snipped all the content (which I largely agree with) above and below this paragraph to recount my experience which started about a fortnight ago and ran for about a week.

Log analysis showed that there were two classes of incoming unwanted crap. One was bounced mail that should have been rejected as invalid recipient mail at the original target. That included an mx at aph.gov.au, the Australian Federal Parliament House. Yep, the pollies who want ISPs to block websites on request and who spent $84mil on a kiddie-filter that some 10-year old bypassed in ten minutes. The others were from bots as far as I could tell but they were not being sent by MTAs which had received them.

My defence was to write a couple of scripts. One parsed the output of spamdb looking for GREY with sender and then tested the intended recipient against the postfix valid mailbox database. If it failed then the sender IP was added to a pf table that was outright blacklisted for 24 hours. The other script did housekeeping and added sender IPs to the TRAPPED category in case they retried later. The blacklist grew rapidly to over 1200 unique addresses but then petered out after a few days and I turned off the cron jobs running the scripts at day nine.

So greylisting/spamd did a hell of a good job for me. I would not have been able to block traffic from all those crappily configured boxes (MTAs mostly qmail or windows) unless I had a greylist database to scan every few minutes. Peter H and Beck@ know what they are doing alright and do good papers on it. Thanks. R/ Me...a skeptic? I trust you have proof.
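The scanner RW describes (walk the GREY entries in spamdb output, test each intended recipient against the list of valid mailboxes, collect the sending IPs for a pf table) is the kind of thing that is worth seeing written out. The following is an added example, not RW's script or any OpenBSD code; the spamdb lines are constructed to follow the GREY record layout documented in spamdb(8), the domain example.org and the mailbox set are assumptions, and the pfctl/spamdb commands are generated as strings rather than run.

```python
"""Added example: scan spamdb(8) GREY entries for backscatter sources.

For every GREY entry, check whether the intended recipient is a valid
local mailbox; if it is not, the sending IP becomes a candidate for a
pf blacklist table and a spamd TRAPPED entry.  The spamdb output,
domain and mailbox list below are constructed for the example.
"""

import ipaddress
from collections import defaultdict

# Constructed `spamdb` output.  Field order follows spamdb(8):
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
SAMPLE_SPAMDB = """\
GREY|203.0.113.7|mx.bounce.example|<>|<kxq93z@example.org>|1190700000|1190714400|1190714400|1|0
GREY|203.0.113.7|mx.bounce.example|<>|<pl2qqw@example.org>|1190700010|1190714410|1190714410|1|0
GREY|198.51.100.23|mail.partner.example|<carol@partner.example>|<alice@example.org>|1190700020|1190714420|1190714420|1|0
GREY|192.0.2.99|dyn.isp.example|<sales@shop.example>|<bob@example.org>|1190700030|1190714430|1190714430|1|0
GREY|192.0.2.150|host.somewhere.example|<news@list.example>|<nosuchuser@example.org>|1190700040|1190714440|1190714440|1|0
WHITE|198.51.100.5||||1190600000|1190700000|1193292000|1|4
TRAPPED|192.0.2.200|1190786400
"""

LOCAL_DOMAIN = "example.org"                                   # assumed
VALID_MAILBOXES = {"alice@example.org", "bob@example.org"}     # constructed


def _addr(field: str) -> str:
    """Normalise '<User@Example.org>' to 'user@example.org' ('<>' -> '')."""
    return field.strip().strip("<>").lower()


def parse_grey(text: str):
    """Yield (ip, sender, recipient) for each well-formed GREY line."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 5 or fields[0] != "GREY":
            continue
        ip, _helo, sender, rcpt = fields[1:5]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed line; skip it
        yield ip, _addr(sender), _addr(rcpt)


def find_backscatter_sources(text, valid=VALID_MAILBOXES, domain=LOCAL_DOMAIN):
    """Map sending IP -> recipients in our domain that do not exist."""
    bad = defaultdict(list)
    for ip, _sender, rcpt in parse_grey(text):
        if rcpt.endswith("@" + domain) and rcpt not in valid:
            bad[ip].append(rcpt)
    return dict(bad)


def null_sender_ips(text):
    """IPs sending with the null envelope sender, i.e. bounces/DSNs.

    A cross-check on the recipient test: backscatter arrives as <> mail."""
    return {ip for ip, sender, _ in parse_grey(text) if sender == ""}


def pf_commands(sources, table="backscatter"):
    """Commands an admin would run per offending IP.  Generated only."""
    cmds = []
    for ip in sorted(sources):
        cmds.append(f"pfctl -t {table} -T add {ip}")   # block outright
        cmds.append(f"spamdb -T -a {ip}")              # tarpit any retry
    return cmds


if __name__ == "__main__":
    found = find_backscatter_sources(SAMPLE_SPAMDB)
    for ip, rcpts in sorted(found.items()):
        print(f"{ip}: {len(rcpts)} bad recipient(s): {', '.join(rcpts)}")
    print("\n".join(pf_commands(found)))
```

To use it on a live box, replace SAMPLE_SPAMDB with the output of `spamdb` and run from cron; the pf side assumes a `table <backscatter> persist` with a block rule in pf.conf, and the 24-hour expiry RW mentions is the usual `pfctl -t backscatter -T expire 86400` housekeeping job. The null-sender check is there because a genuine bounce always carries `<>`; an entry with a real sender and a bogus recipient is more likely a bot than a misconfigured MX, which matters if you want to treat the two classes differently.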
Re: SMTP flood + spamdb
RW [EMAIL PROTECTED] writes: One was bounced mail that should have been rejected as invalid recipient mail at the original target. That included an mx at aph.gov.au, the Australian Federal Parliamnet House. Yep, the pollies who want ISPs to block websites on request and who spent $84mil on a kiddie-filter that some 10-year old bypassed in ten minutes, You did buy a nice frame to put that in, I hope? ;) I've been noticing that the generated junk addresses which were originally used as from addresses on spam sent to elsewhere (generating the bounces we see here) tend to resurface pretty soon in my greylists as to addresses on attempted incoming spam. I also see quite a few attempts at reaching actually deliverable addresses in our domains with a fake from address. So I think it may be just a matter of time before I see spam where both to and from are already in my spamtraps. (and thanks, RW) - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: hoststated, using the same tables for more than one service
Well after trying it, it appears there _IS_ a problem there. One of the services was not working. As soon as I gave it its own separate tables, it worked. Pierre-Yves Ritschard wrote: Anyway, my question is, can I use the same tables in multiple service entries? ( one for each connection ) no problem there.
Re: SMTP flood + spamdb
Stuart Henderson wrote: I had a question off-list about how to do this, so I guess some other people will benefit from an example of how to set this up.

If you are using postfix:

/etc/postfix/main.cf:
  ..
  ..
  smtpd_recipient_restrictions =
      reject_non_fqdn_hostname
      reject_invalid_hostname
      reject_non_fqdn_sender
      reject_non_fqdn_recipient
      reject_unlisted_recipient      -- this one
      reject_unlisted_sender
      reject_unknown_reverse_client_hostname
      warn_if_reject reject_unknown_client_hostname
      reject_unknown_helo_hostname
      reject_unknown_sender_domain
      reject_unknown_recipient_domain
      permit_mynetworks
      reject_unauth_destination
  ...
  ...
  ...
  unknown_address_reject_code = 554
  alias_maps = btree:$config_directory/aliases

/etc/postfix/aliases:
  ..
  ..
  joe.bloggs  jb123456
  joe         jb123456
  bloggs      jb123456

$ sudo postfix reload
Re: SMTP flood + spamdb
RW wrote: The others were from bots as far as I could tell but they were not being sent by MTAs which had received them.

Yes, but the OP's problem is back scatter, and that does not come from bots, they don't retry.

$ man spamd:

  DESCRIPTION
    spamd is a fake sendmail(8)-like daemon which rejects false mail. It is designed to be very efficient so that it does not slow down the receiving machine.
    ..
    ..
    greylisted hosts are redirected to spamd, but spamd has not yet decided if they are likely spammers. They are given a temporary failure message by spamd when they try to deliver mail.

Greylisting works brilliantly for bots, but won't help with hosts that retry, as is the case in back scatter. If the OP was repeatedly getting mail to a few addresses from different hosts, he could use grey trapping. But he said that they are all random.
what if hoststated dies?
Gidday, How can I have a rdr rule which redirects to the same main servers that hoststated does ( using a different table/macro in pf.conf than the hoststated rdr statement does ), which only matches when hoststated is not running? What happens if hoststated crashes? Do its latest table entries and rdr rules still remain? Thanks, Josh
Re: hoststated, using the same tables for more than one service
On Tue, 25 Sep 2007 23:25:44 +1200 Josh [EMAIL PROTECTED] wrote: Well after trying it, it appears there _IS_ a problem there. One of the services was not working. As soon as I gave it its own separate tables, it worked. Pierre-Yves Ritschard wrote: Anyway, my question is, can I use the same tables in multiple service entries? ( one for each connection ) no problem there.

the following works:

  webhost1=a.b.c.d
  webhost2=e.f.g.h
  public1=w.x.y.z
  public2=w.x.y.z

  table web1 { real port http check http / code 200 host $webhost1 }
  table web2 { real port http check http / code 200 host $webhost2 }
  table sorry { check icmp real port http host 127.0.0.1 }

  service www1 { virtual host $public1 port 80 table web1 backup table sorry }
  service www2 { virtual host $public2 port 80 table web2 backup table sorry }
Re: non-x86-based hardware for OBSD?
nicodache wrote: ... You should go into the ARM world to get something like that, and you will be disapointed, as it is much much harder to find something with 4 network connectors, serial, flash, pci, mini-pci connector, due to the lack of products manufacturers. Yes. I know. Hence my query to the list. ... on epiacenter website ... I find only x86-based units there: celeron, amd geode, pentium, c3, eden, TM8600, etc. One ARM on the list, though. But isn't ARM now under Intel, maker of AMT? There has got to be non-x86 units out there, SBC or other, running Cell or Freescale or anything else. Regards, -Lars
Re: SMTP flood + spamdb
On 25 September 2007, RW [EMAIL PROTECTED] wrote: [...] My defence was to write a couple of scripts. One parsed the output of spamdb looking for GREY with sender and then tested the intended recipient against the postfix valid mailbox database. [...] With Postfix you can use anvil(8) to control concurrency. Regards, Liviu Daia -- Dr. Liviu Daia http://www.imar.ro/~daia
Re: what if hoststated dies?
On Wed, 2007-09-26 at 00:01 +1200, Josh wrote: What happens if hoststated crashes? Does its latest table entry's and rdr rules still remain? Maybe you can try a kill -9 and see what happens. ciao Luca
Re: non-x86-based hardware for OBSD?
On 9/25/07, Lars Noodén [EMAIL PROTECTED] wrote: nicodache wrote: ... You should go into the ARM world to get something like that, and you will be disapointed, as it is much much harder to find something with 4 network connectors, serial, flash, pci, mini-pci connector, due to the lack of products manufacturers. Yes. I know. Hence my query to the list. ... on epiacenter website ... I find only x86-based units there: celeron, amd geode, pentium, c3, eden, TM8600, etc. One ARM on the list, though. But isn't ARM now under Intel, maker of AMT? There has got to be non-x86 units out there, SBC or other, running Cell or Freescale or anything else. Regards, -Lars

What is AMT? Well ARM is not under Intel, Intel does ARM-processors just like several others do (Atmel, TI, Philips etc). ARM only licenses their technology and their designs and lets others produce it. The question is what is your goal with the system? Router, small file server, entertainment box? Please explain your demands and purpose with the system and people can help and identify what hw that could suit. Br Dunceor
Re: non-x86-based hardware for OBSD?
I think AxiomTek has what you're looking for. And if it doesn't, then either there is no such thing as you search, or it's well hidden. regards, On 9/25/07, Lars Noodin [EMAIL PROTECTED] wrote: nicodache wrote: ... You should go into the ARM world to get something like that, and you will be disapointed, as it is much much harder to find something with 4 network connectors, serial, flash, pci, mini-pci connector, due to the lack of products manufacturers. Yes. I know. Hence my query to the list. ... on epiacenter website ... I find only x86-based units there: celeron, amd geode, pentium, c3, eden, TM8600, etc. One ARM on the list, though. But isn't ARM now under Intel, maker of AMT? There has got to be non-x86 units out there, SBC or other, running Cell or Freescale or anything else. Regards, -Lars
Re: hoststated, using the same tables for more than one service
On Tue, 25 Sep 2007 14:08:50 +0200 Pierre-Yves Ritschard [EMAIL PROTECTED] wrote: On Tue, 25 Sep 2007 23:25:44 +1200 Josh [EMAIL PROTECTED] wrote: Well after trying it, it appears there _IS_ a problem there. One of the services was not working. As soon as I gave it its own separate tables, it worked. Pierre-Yves Ritschard wrote: Anyway, my question is, can I use the same tables in multiple service entries? ( one for each connection ) no problem there. the following works: After checking again, there seems to be a problem here indeed. I'll get working on a solution.
Re: non-x86-based hardware for OBSD?
Karl Sjödahl - dunceor wrote: What is AMT? http://www.intel.com/technology/platform-technology/intel-amt/index.htm aka rootkit for everybody http://strombergson.com/kryptoblog/?p=311 Well ARM is not under Intel, Intel does ARM-processors just like several others do (Atmel, TI, Phillips etc). ARM only licence their technology and their designs and let others produce it. Ok. However, the devil is in the details. The question is what are your goal with the system? ... Route / filter as the Soekris boxes are often used. -Lars
Re: OBSD's perspective on SELinux
Just for the fun of it, some people subscribe to misc@ from politically correct accounts. So, I got a bounce on my last email, because I was saying that complex security ACLs were fucked up by design. This email is probably going to get blocked too, which is all that they deserve. Fucking retards.
Re: non-x86-based hardware for OBSD?
On 2007/09/25 15:19, Lars Noodin wrote: nicodache wrote: ... You should go into the ARM world to get something like that, and you will be disapointed, as it is much much harder to find something with 4 network connectors, serial, flash, pci, mini-pci connector, due to the lack of products manufacturers. Yes. I know. Hence my query to the list.

Thecus N2100 has two ethernet, minipci, USB, serial. But although it's low power, it's quite noisy (most of my fast arch boxes are *far* quieter). Maybe it would be ok with a SATA-CF bridge and the fan removed...but then it really could use another ethernet port or two. And it would be nice if it had something like the +++ reset / +++ power feature that the net5501 has.

... on epiacenter website ... I find only x86-based units there: celeron, amd geode, pentium, c3, eden, TM8600, etc.

I just noticed Commell LV-681 (socket S1 amd64; ati chipset)... it looks quite expensive, though, and at least where I live, only a limited part of their product range seems to be available (VIA/Intel CPU mini-itx boards mostly - BVM list some of the others but weren't capable of answering email last time I tried).

One ARM on the list, though. But isn't ARM now under Intel, maker of AMT?

Not all Intel CPUs are i386-compatible, of course...

There has got to be non-x86 units out there, SBC or other, running Cell or Freescale or anything else.

Freescale is a company, not a CPU architecture - looks like they have designs using powerpc, arm, etc.
altroot is not mentioned in FAQ
Hi all, afterboot(8) mentions /altroot, which is a nice feature. But you only learn about /altroot when you read afterboot(8). By that time, you already have a system installed, in particular your disk is already partitioned, and typically you don't have the spare partition (of size at least that of /) to use for /altroot. So my suggestion is: /altroot should be mentioned in the install faq, probably in the 'setting up disks' paragraph: http://openbsd.org/faq/faq4.html#Disks Thanks Jan
kde automounting
Is there a way to get kde's automounting functionality working under obsd? On Linux I think it uses hal-daemon plus something like pmount. Some way to make /etc/hotplug/attach call some kde application with DISPLAY=:0.0 that lets the gui-logged user mount (or not) its usb drive ?
Re: Debugging ral
I wrote a small doc reporting this experience and Damien's tips: I hope it could be useful. http://sekureshell.altervista.org/docs/trouble_ral.html I have a question. You list channel 112 as having the greatest power (power=57), and claim that you chose the channel with the greatest power. But later, when clients associate with your network they connect with channel 6 ral0: sending auth to 00:19:5b:xx:xx:xx on channel 6 mode 11b Why did you choose channel 6 instead of channel 112 (or channels 161 or 165, which have power=16)? Channels 1 through 6 all have power=14.
Re: kde automounting
On Tue, 25 Sep 2007, Rodrigo V. Raimundo wrote: Is there a way to get kde's automounting functionality working under obsd? On Linux I think it uses hal-daemon plus something like pmount. Some way to make /etc/hotplug/attach call some kde application with DISPLAY=:0.0 that lets the gui-logged user mount (or not) its usb drive ? Why not just mount the stick (with hotplug) in all cases when it's plugged in? -- Antti Harri
Re: Debugging ral
A few lines above I wrote supported channel: i meant supported by your clients. Yes, this should be corrected, thank you. I don't know if some device supports those high channels: another ral adapter I tested does, my laptop doesn't. For example my iBook supports channels from 1 to 11 (don't know if it is a hardware limitation or it's just Apple) while another Toshiba laptop equipped with XP associates on chan 13 without any problem, not channel 112 however. After some playing with my clients I found the most powerful supported channel for me is chan 6. f. I'm not lazy... I just don't feel like it :D :D On 25 Sep 2007, at 16:15, Matthew Szudzik wrote: Why did you choose channel 6 instead of channel 112 (or channels 161 or 165, which have power=16)? Channels 1 through 6 all have power=14.
Re: kde automounting
Antti Harri wrote: On Tue, 25 Sep 2007, Rodrigo V. Raimundo wrote: Is there a way to get kde's automounting functionality working under obsd? On Linux I think it uses hal-daemon plus something like pmount. Some way to make /etc/hotplug/attach call some kde application with DISPLAY=:0.0 that lets the gui-logged user mount (or not) its usb drive ? Why not just mount the stick (with hotplug) in all cases when it's plugged in? Just automounting works well when you own the machine. I'm planning further installing obsd on public (shared) environments. I think p(u)mount can be a good solution to let an unprivileged user mount/umount removable media at will. Sudo access to mount/umount is dangerous.
Re: SMTP flood + spamdb
On Tuesday 25 September 2007, Craig Skinner wrote: If you are using postfix: /etc/postfix/main.cf: .. .. smtpd_recipient_restrictions = reject_non_fqdn_hostname reject_invalid_hostname reject_non_fqdn_sender reject_non_fqdn_recipient reject_unlisted_recipient -- this one Isn't this actually a postfix default? As smtpd_reject_unlisted_recipient defaults to yes. -- Chris
Re: what if hoststated dies?
On Tue, 25 Sep 2007 14:22:19 +0200 Luca Corti [EMAIL PROTECTED] wrote: On Wed, 2007-09-26 at 00:01 +1200, Josh wrote: What happens if hoststated crashes? Does its latest table entry's and rdr rules still remain? Maybe you can try a kill -9 and see what happens. ciao Luca better try pkill -SEGV hoststated ;) in either case, the pfe process catches the fact that the hce process dies and cleans up the tables and rules before completely dying.
Re: kde automounting
On 9/25/07, Rodrigo V. Raimundo [EMAIL PROTECTED] wrote: Antti Harri wrote: On Tue, 25 Sep 2007, Rodrigo V. Raimundo wrote: Is there a way to get kde's automounting functionality working under obsd? On Linux I think it uses hal-daemon plus something like pmount. Some way to make /etc/hotplug/attach call some kde application with DISPLAY=:0.0 that lets the gui-logged user mount (or not) its usb drive ? Why not just mount the stick (with hotplug) in all cases when it's plugged in? Just automounting works well when you own the machine. I'm planning further installing obsd on public (shared) environments. I think p(u)mount can be a good solution to let an unprivileged user mount/umount removable media at will. Sudo access to mount/umount is dangerous. Well, there is an unofficial freebsd port of pmount, it seems (judging from the list at the bottom of http://packages.debian.org/unstable/utils/pmount), so you could probably adapt that. But would http://www.openbsd.org/cgi-bin/man.cgi?query=hotplugd work for you? Just make sure only root can write the hotplugd scripts and set it up to automount and you're good, no? -Nick
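Nick's suggestion, a root-owned hotplugd(8) attach script that mounts the stick with fixed, safe options instead of handing the user sudo access to mount(8), written out as an added example. This is not code from the thread or from OpenBSD; it assumes hotplugd's calling convention ($1 = device class, 2 for disks; $2 = device name such as sd0), that the stick's FAT filesystem sits on the 'i' partition, and that mount points live under /media. Both of the last two are my assumptions, not anything the thread states.

```sh
#!/bin/sh
# Added example, not code from the thread: an /etc/hotplug/attach script for
# OpenBSD's hotplugd(8), which runs it as root with $1 = device class
# (2 = disk) and $2 = device name, e.g. sd0.
# Assumptions not stated on the page: the stick's filesystem is on the 'i'
# partition (the usual MBR FAT slice), mount points live under /media, and
# the stick is mounted read-only. Change those to taste.

MOUNT_BASE=/media

# Build the mount command line for a disk attach event and print it; print
# nothing and return 1 for anything else. The device name is validated
# against a fixed pattern before it goes anywhere near a root-run command,
# so a malformed or hostile name can never turn into extra shell words.
attach_cmd() {
    class=$1
    dev=$2
    [ "$class" = 2 ] || return 1
    case $dev in
        sd[0-9]|sd[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # nodev,nosuid,noexec: a removable stick must not bring in device nodes,
    # setuid binaries or runnable code; rdonly is mount(8)'s read-only flag.
    printf 'mount -t msdos -o nodev,nosuid,noexec,rdonly /dev/%si %s/%s\n' \
        "$dev" "$MOUNT_BASE" "$dev"
}

# Only act when invoked by hotplugd with the two expected arguments; the
# function above can be sourced and tested without touching any device.
if [ $# -eq 2 ]; then
    if cmd=$(attach_cmd "$1" "$2"); then
        mkdir -p "$MOUNT_BASE/$2"
        $cmd    # unquoted on purpose: a validated, space-separated command line
    fi
fi
```

The script never consults the logged-in user, which is the point: nothing a user can do changes the options the stick is mounted with. If the files need to be owned by the desktop user, mount_msdos(8)'s -u and -g options do that without giving the user any mount privilege. A matching /etc/hotplug/detach that runs umount on "$MOUNT_BASE/$2" completes the setup.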
Re: carp ip balancing (-current)
I went to colo, and checked what happened, as soon as I type: ifconfig carp0 10.10.10.110 netmask 255.255.248.0 vhid 7 advskew 100 I get: ifconfig carp0 10.10.10.110 netmask 255.255.248.0 vhid 7 advskew 100 uvm_fault(0xd6a07524, 0x0, 0, 3) - e kernel: page fault trap, code=0 Stopped at carp_join_multicast+0x32:movl %eax, 0(%edx) ddb (I can't type anything after that). Version is: OpenBSD 4.2-current as of Wed Sep 19, 2007 I tried it on two (identical IBM netvista desktops) (actually it's 4 netvistas, but 2 work perfectly well, but as soon as you try to add the 3rd one...)
dmesg: OpenBSD 4.2-current (GENERIC) #0: Wed Sep 19 08:48:10 PDT 2007 [EMAIL PROTECTED] :/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) 4 CPU 2.26GHz (GenuineIntel 686-class) 2.26 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM real mem = 534802432 (510MB) avail mem = 509419520 (485MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/02/02, BIOS32 rev. 0 @ 0xfd844, SMBIOS rev. 2.31 @ 0xf01e0 (51 entries) bios0: vendor IBM version 24KT33AUS date 12/02/2002 bios0: IBM 830531U pcibios0 at bios0: rev 2.1 @ 0xfd700/0x900 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/224 (12 entries) pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #2 is the last bus bios0: ROM list: 0xc/0xb200! 0xcb800/0x1000 0xcc800/0x1000 0xe/0x1! 
acpi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82845G/GL rev 0x01 vga1 at pci0 dev 2 function 0 Intel 82845G/GL Video rev 0x01: aperture at 0x8800, size 0x800 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x01: irq 11 uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x01: irq 10 uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x01: irq 5 ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x01: irq 9 usb0 at ehci0: USB revision 2.0 uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1 ppb0 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x81 pci1 at ppb0 bus 2 fxp0 at pci1 dev 8 function 0 Intel PRO/100 VE rev 0x81, i82562: irq 9, address 00:09:6b:e1:d1:17 inphy0 at fxp0 phy 1: i82562EM 10/100 PHY, rev. 0 ichpcib0 at pci0 dev 31 function 0 Intel 82801DB LPC rev 0x01: 24-bit timer at 3579545Hz pciide0 at pci0 dev 31 function 1 Intel 82801DB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: IC35L040AVVN07-0 wd0: 16-sector PIO, LBA, 38162MB, 78156288 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, CD-ROM GCR-8480B, 1.02 SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 ichiic0 at pci0 dev 31 function 3 Intel 82801DB SMBus rev 0x01: irq 9 iic0 at ichiic0 admtemp0 at iic0 addr 0x4c: adm1032 auich0 at pci0 dev 31 function 5 Intel 82801DB AC97 rev 0x01: irq 9, ICH4 AC97 ac97: codec id 0x41445374 (Analog Devices AD1981B) ac97: codec features headphone, 20 bit DAC, No 3D Stereo audio0 at auich0 usb1 at uhci0: USB revision 1.0 uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1 usb2 at uhci1: USB revision 1.0 
uhub2 at usb2: Intel UHCI root hub, rev 1.00 /1.00, addr 1 usb3 at uhci2: USB revision 1.0 uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec biomask ff65 netmask ff65 ttymask ffe7 pctr: user-level cycle counter enabled mtrr: Pentium Pro MTRR support uhidev0 at uhub1 port 2 configuration 1 interface 0 uhidev0: DELL DELL USB Keyboard, rev 1.10/1.05, addr 2, iclass 3/1 ukbd0 at uhidev0: 8 modifier keys, 6 key codes wskbd1 at ukbd0 mux 1 wskbd1: connecting to wsdisplay0 dkcsum: wd0 matches BIOS drive 0x80 root on wd0a swap on wd0b dump on wd0b WARNING: / was not properly unmounted
On 9/20/07, Chad M Stewart [EMAIL PROTECTED] wrote: just a thought... so you don't lose connectivity to the boxes, give each box its own IP. Then use additional IPs for the carp interfaces. Then you can lose connectivity to the carp IP but hopefully continue with the box IP. On my production pair I have assigned 172.16.0.0/16 to the physical
Re: carp ip balancing (-current)
On Tue, Sep 25, 2007 at 08:57:19AM -0700, dane johansen wrote: I went to colo, and checked what happened, as soon as a type: ifconfig carp0 10.10.10.110 netmask 255.255.248.0 vhid 7 advskew 100 I get: ifconfig carp0 10.10.10.110 netmask 255.255.248.0 vhid 7 advskew 100 uvm_fault(0xd6a07524, 0x0, 0, 3) - e kernel: page fault trap, code=0 Stopped at carp_join_multicast+0x32:movl %eax, 0(%edx) ddb You were unlucky and stepped on a bug in -current. Claudio fixed that already: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?f=h#rev1.151
wi maximal power
Dear all, First, let me say a big hello to everyone here. I've been out of this list for almost three years... Just came back less than a week ago and Chuck Yerkes is sorely missed... I don't know if this question will be better answered here or on [EMAIL PROTECTED] After reading an email about power management on ral devices, I took a look at the following piece of code, from if_wi.c. It seems to suggest that power output, using wi devices, is limited. Anything greater than 20dBm will be treated as 20dBm. I'm waiting for the arrival of some senao cards, capable of 200mW (23dBm) output. Is the wi driver capable of handling this amount of power?

    STATIC int
    wi_set_txpower(struct wi_softc *sc, struct ieee80211_txpower *txpower)
    {
            u_int16_t cmd;
            u_int16_t power;
            int8_t tmp;
            int error;
            int alc;

            if (txpower == NULL) {
                    if (!(sc->wi_flags & WI_FLAGS_TXPOWER))
                            return (EINVAL);
                    alc = 0;        /* disable ALC */
            } else {
                    if (txpower->i_mode == IEEE80211_TXPOWER_MODE_AUTO) {
                            alc = 1;        /* enable ALC */
                            sc->wi_flags &= ~WI_FLAGS_TXPOWER;
                    } else {
                            alc = 0;        /* disable ALC */
                            sc->wi_flags |= WI_FLAGS_TXPOWER;
                            sc->wi_txpower = txpower->i_val;
                    }
            }

            /* Set ALC */
            cmd = WI_CMD_DEBUG | (WI_DEBUG_CONFBITS << 8);
            if ((error = wi_cmd(sc, cmd, alc, 0x8, 0)) != 0)
                    return (error);

            /* No need to set the TX power value if ALC is enabled */
            if (alc)
                    return (0);

            /* Convert dBM to internal TX power value */
            if (sc->wi_txpower > 20)
                    power = 128;
            else if (sc->wi_txpower < -43)
                    power = 127;
            else {
                    tmp = sc->wi_txpower;
                    tmp = -12 - tmp;
                    tmp <<= 2;
                    power = (u_int16_t)tmp;
            }

            /* Set manual TX power */
            cmd = WI_CMD_WRITE_MIF;
            if ((error = wi_cmd(sc, cmd, WI_HFA384X_CR_MANUAL_TX_POWER,
                power, 0)) != 0)
                    return (error);

            if (sc->sc_ic.ic_if.if_flags & IFF_DEBUG)
                    printf("%s: %u (%d dBm)\n", sc->sc_dev.dv_xname, power,
                        sc->wi_txpower);

            return (0);
    }
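To put numbers on the clamp in wi_set_txpower(), here is the same dBm-to-register conversion redone in shell arithmetic. This is an added example, not code from if_wi.c or from the poster. The driver's "tmp <<= 2" on an int8_t becomes multiply-by-4 with the result masked to 8 bits; the u_int16_t sign extension in the else branch is dropped on purpose, on my reading that only the low byte matters (the driver itself stores the bare value 128 for the >20 dBm case). A second function inverts the encoding so each register value can be read back as dBm.

```sh
#!/bin/sh
# Added example, not from if_wi.c: the driver's dBm -> register conversion in
# shell arithmetic so the clamp can be checked with real numbers.
# Assumption (mine): only the low 8 bits of the value the driver writes are
# meaningful, so "tmp <<= 2" on an int8_t is modelled as (x * 4) & 255.

# Print the 8-bit register value the driver would write for a power in dBm.
wi_txpower_reg() {
    dbm=$1
    if [ "$dbm" -gt 20 ]; then
        echo 128                     # explicit clamp in the driver
    elif [ "$dbm" -lt -43 ]; then
        echo 127                     # explicit clamp in the driver
    else
        echo $(( ((-12 - dbm) * 4) & 255 ))
    fi
}

# Invert the encoding: register low byte back to dBm. Values >= 128 are
# negative int8 values, which is where 0 dBm and above live.
wi_reg_dbm() {
    reg=$1
    if [ "$reg" -ge 128 ]; then
        signed=$(( reg - 256 ))
    else
        signed=$reg
    fi
    echo $(( -12 - signed / 4 ))
}

# Table for a few requests, including the 23 dBm the poster is asking about.
for dbm in 23 20 15 0 -43 -50; do
    reg=$(wi_txpower_reg "$dbm")
    printf '%4s dBm -> reg %3s (reads back as %s dBm)\n' \
        "$dbm" "$reg" "$(wi_reg_dbm "$reg")"
done
```

Running it shows that a 23 dBm request and a 20 dBm request both produce 128 (0x80), which is the reading in the post: in manual mode the wi driver hands the card the same register value for anything at or above 20 dBm. Whether the card's own ALC mode drives a 200 mW radio any harder is a firmware question this code does not answer.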
Re: carp ip balancing (-current)
Thanks. On 9/25/07, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Tue, Sep 25, 2007 at 08:57:19AM -0700, dane johansen wrote: I went to colo, and checked what happened, as soon as a type: ifconfig carp0 10.10.10.110 netmask 255.255.248.0 vhid 7 advskew 100 I get: ifconfig carp0 10.10.10.110 netmask 255.255.248.0 vhid 7 advskew 100 uvm_fault(0xd6a07524, 0x0, 0, 3) - e kernel: page fault trap, code=0 Stopped at carp_join_multicast+0x32:movl %eax, 0(%edx) ddb You were unlucky and stepped on a bug in -current. Claudio fixed that already: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?f=h#rev1.151
Re: touch screens
On Mon, 24 Sep 2007 16:15:08 -0700 Chris Cappuccio [EMAIL PROTECTED] wrote: Does anyone have any recommendations on 7" or smaller touch screens that have a USB input ? I want something preferably under or around $100... I want to mount it on a car dash. from: http://www.openbsd.org/cgi-bin/man.cgi?query=uts The uts driver works with the following touchscreens and panels: - Gunze USB Touch Panel - Hantouch - LG L1510SF LCD Monitor - Origin AE X15e HTPC case with 7" LCD
Re: non-x86-based hardware for OBSD?
Lars Noodin [EMAIL PROTECTED] wrote: There has got to be non-x86 units out there, SBC or other, running Cell or Freescale or anything else. If you look hard enough, I think you can find ARM/MIPS/PowerPC based single-board computers vaguely comparable to the Soekris range. Heck, just look at what NetBSD and Wasabi support. However, OpenBSD won't run there out of the box, it'll each time require a new port to this platform. -- Christian naddy Weisgerber [EMAIL PROTECTED]
Re: touch screens
Well, I don't need scaling support out of the box, I just want something cheap. If it takes a little bit of work to make it happen, that's no problem. I had a hard time finding the listed LG monitor, and the Hantouch stuff is not cheap. Joerg Zinke [EMAIL PROTECTED] wrote: from: http://www.openbsd.org/cgi-bin/man.cgi?query=uts The uts driver works with the following touchscreens and panels: - Gunze USB Touch Panel - Hantouch - LG L1510SF LCD Monitor - Origin AE X15e HTPC case with 7" LCD -- By way of deception, thou shall do war
Re: non-x86-based hardware for OBSD?
On 9/25/07, Lars Noodin [EMAIL PROTECTED] wrote: I'm looking at the recent article on Soekris and very favorably impressed. Setting up a Soekris 5501 with OpenBSD 4.2 24 Sep 2007 http://undeadly.org/cgi?action=articlesid=20070924004901 The setup seems almost perfect, except that the AMD Geode seems to be x86-based. indeed. meaning it uses the same compiler and kernel as the most widely tested port of openbsd. What corresponding non-x86 hardware options are common, recommended, or even available ? why would you want such a thing?
spamd shows up as an open relay
Hey guys, We just ran across an odd intermittent problem with email that we traced back to spamd showing up as an open relay. I double-checked the documentation and mailing list archives and didn't find anything relevant. Our mail server is bara.nccn.net, 12.165.58.50. There is a bump-in-the-wire firewall sitting in front of bara, running OpenBSD + spamd and a few other goodies. spamd is configured to intercept incoming smtp connections in the usual way in pf. Some sample results from http://www.checkor.com/: RSET 250 Hello, spam sender. Pleased to be wasting your time. MAIL FROM: [EMAIL PROTECTED] 250 Ok to start over. RCPT TO: [EMAIL PROTECTED] Test Failed, 250 You are about to try to deliver spam. Your time will be spent, for nothing. and RSET 250 This is hurting you more than it is hurting me. MAIL FROM: [EMAIL PROTECTED] 250 Ok to start over. RCPT TO: @12.165.58.50:[EMAIL PROTECTED] Test Failed, 250 You are about to try to deliver spam. Your time will be spent, for nothing. and RSET 250 This is hurting you more than it is hurting me. MAIL FROM: [EMAIL PROTECTED] 250 Ok to start over. RCPT TO: [EMAIL PROTECTED]@12.165.58.50 Test Failed, 250 You are about to try to deliver spam. Your time will be spent, for nothing. and RSET 250 This is hurting you more than it is hurting me. MAIL FROM: [EMAIL PROTECTED] 250 Ok to start over. RCPT TO: [EMAIL PROTECTED] Test Failed, 250 You are about to try to deliver spam. Your time will be spent, for nothing. This is causing some of our outbound email to end up in other peoples' junk boxes by default by large service providers (oops). Is there some configuration for spamd that I've missed, or is it going to require a patch to fix the way it handles mail from/rcpt to, or is there another workaround? Thanks, - R.
Re: spamd shows up as an open relay
On Tue, 25 Sep 2007, Rob wrote: We just ran across an odd intermittent problem with email that we traced back to spamd showing up as an open relay. I double-checked the documentation and mailing list archives and didn't find anything relevant. Please let us know what service (if different than No-IP/CheckOR.com) had you listed. Was it a dnsbl service? Some sample results from http://www.checkor.com/: They assume it is an open relay even though nothing was relayed. More accurate relay checks attempt to relay to themselves to verify. Jeremy C. Reed
Re: spamd shows up as an open relay
Hi Jeremy, On 9/25/07, Jeremy C. Reed [EMAIL PROTECTED] wrote: On Tue, 25 Sep 2007, Rob wrote: We just ran across an odd intermittent problem with email that we traced back to spamd showing up as an open relay. I double-checked the documentation and mailing list archives and didn't find anything relevant. Please let us know what service (if different than No-IP/CheckOR.com) had you listed. Was it a dnsbl service? We haven't been listed by any DNSBLs. It looks like it's just some -- a few? big? small? -- service providers that are doing some kind of check against our mail server, finding it behaving like an open relay, and routing mail from our mail server to their users' junk folders. I'll reply back shortly with the name of a specific provider. Some sample results from http://www.checkor.com/: They assume it is an open relay even though nothing was relayed. More accurate relay checks attempt to relay to themselves to verify. Yeah, I agree. It's the wrong way for them to check for an open relay, but it is still causing a bit of a problem. - R.
Re: what if hoststated dies?
So any suggestions on how to have a rdr rule in pf.conf take over when this happens? better try pkill -SEGV hoststated ;) in either case, the pfe process catches the fact that the hce process dies and cleans up the tables and rules before completely dying
PF out of sync errors?
Hello, I have two machines running OpenBSD 4.1 which are acting as firewalls and I have pfsync setup between the two. One of my machines had a power loss and when we turned it back on we got a lot of pf errors claiming bad state and what not. Here are the messages from the first machine, which didn't have a power loss: pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: :0:0:0:0:0:0:0 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::1:ff4e:9848 gwy: ff02::1:ff4e:9848 ext: :0:0:0:0:0:0:0 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: :0:0:0:0:0:0:0 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::1:ff4e:9848 gwy: ff02::1:ff4e:9848 ext: :0:0:0:0:0:0:0 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync) arp info overwritten for 192.168.10.30 by 00:0e:0c:4e:98:49 on bge1 pf: BAD state: TCP 192.168.10.2:45426 192.168.10.2:45426 192.168.10.40:80 [lo=4000259044 high=4000259046 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=2603308934 (2603308934) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd pf: State failure on: 2 | 6 pf: BAD state: TCP 192.168.10.2:30196 192.168.10.2:30196 192.168.10.20:80 [lo=4011403077 high=4011408965 win=16384 modulator=0 wscale=0] [lo=2087131504 high=2087147888 win=46 modulator=0 wscale=7] 9:9 S seq=2689487490 (2689487490) ack=2087131504 len=0 ackskew=0 pkts=5:5 dir=out,fwd pf: 
State failure on: 2 | 6 pf: BAD state: TCP 192.168.10.2:31750 192.168.10.2:31750 192.168.10.10:80 [lo=2288467466 high=2288467468 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3908591135 (3908591135) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd pf: State failure on: 1 | 5 pf: BAD state: TCP 192.168.10.2:28186 192.168.10.2:28186 192.168.10.10:80 [lo=3798010498 high=3798010500 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3506580854 (3506580854) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd pf: State failure on: 2 | 6 pf: BAD state: TCP 192.168.10.2:49031 192.168.10.2:49031 192.168.10.40:80 [lo=4161674212 high=4161674214 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3805884514 (3805884514) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd pf: State failure on: 2 | 6 And here is the second machines messages: pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: :0:0:0:0:0:0:0 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::1:ff4e:9848 gwy: ff02::1:ff4e:9848 ext: :0:0:0:0:0:0:0 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: :0:0:0:0:0:0:0 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::1:ff4e:9848 gwy: ff02::1:ff4e:9848 ext: :0:0:0:0:0:0:0 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: fe80::20e:cff:fe4e:9848 (from sync) pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync) arp: attempt to overwrite entry for 192.168.10.30 on fxp1 by 
00:0e:0c:4e:98:49 on carp1 arp: attempt to overwrite entry for 192.168.10.30 on fxp1 by 00:0e:0c:4e:98:49 on carp1 arp info overwritten for 192.168.10.30 by 00:0e:0c:4e:98:49 on fxp1 pf: dropping packet with ip options pf: dropping packet with ip options pf: dropping packet with ip options pf: dropping packet with ip options pf: dropping packet with ip options pf: dropping packet with ip options pf: BAD state: TCP 192.168.10.3:43927 192.168.10.3:43927 192.168.10.30:80 [lo=4160576830 high=4160582718 win=16384 modulator=0 wscale=0] [lo=1799910885 high=1799927269 win=46 modulator=0 wscale=7] 9:9 S seq=2750310474 (2750310474) ack=1799910885 len=0 ackskew=0 pkts=5:5 dir=out,fwd pf: State failure on: 2 | 6 pf: BAD state: TCP 192.168.10.3:34685 192.168.10.3:34685 192.168.10.30:80 [lo=3444997510 high=3445003398 win=16384 modulator=0 wscale=0] [lo=2612549088 high=2612565472 win=46 modulator=0 wscale=7] 9:9 S seq=3610146868 (3610146868) ack=2612549088 len=0
Re: SMTP flood + spamdb
On Tue, 25 Sep 2007 12:40:50 +0100, Craig Skinner wrote: RW wrote: The others were from bots as far as I could tell but they were not being sent by MTAs which had received them. Yes, but the OP's problem is backscatter, and that does not come from bots, they don't retry. What I was getting looked like backscatter and smelled like backscatter; it is just that some of the IPs sending it didn't check out as MTAs. i.e. they were not listed MXs for the domain they came from AND the domain was not likely someone with separate outbound senders. They all retried too and when I had them as TRAPPED entries the logged data included typical failed-to-deliver messages. If the OP was repeatedly getting mail to a few addresses from different hosts, he could use grey trapping. But he said that they are all random. My experience entirely. I trapped them by looking for <> as sender, parsing the recipient as invalid (using a postfix lookup) and then inserting the IP into spamdb as TRAPPED. Later I firewalled them out for 24 hours. It cut the log clutter. The scripts are still there but the crontab lines are commented out until needed again. R/ A consultant is someone who's called in when someone has painted himself into a corner. He's expected to levitate his client out of that corner. -The Sayings of Chairman Morrow. 1984.
Re: what if hoststated dies?
On Wed, 2007-09-26 at 10:54 +1200, Josh wrote: So any suggestions on how to have a rdr rule in pf.conf take over when this happens? Why? If hoststated crashes, then it's a bug. If it doesn't crash, what are you trying to achieve? ciao Luca
Re: SMTP flood + spamdb
On Tue, 25 Sep 2007 14:14:46 +0300, Liviu Daia wrote: On 25 September 2007, RW [EMAIL PROTECTED] wrote: [...] My defence was to write a couple of scripts. One parsed the output of spamdb looking for GREY with <> sender and then tested the intended recipient against the postfix valid mailbox database. [...] With Postfix you can use anvil(8) to control concurrency. Yep, you could. BUT 1- why let it get to postfix? This is crap that spamd can deal with, with a bit of scripting help for extra functionality. 2- What concurrency? We had a mailstorm of backscatter from hundreds of IPs each trying to send one or two messages. We had over a thousand IPs marked TRAPPED in spamdb at one time. Postfix would just be rejecting them and filling its logs. As far as I'm concerned filling the logs of mailservers that are backscatter generators is A Good Thing. In the beginning was The Word and The Word was Content-type: text/plain The Word of Rod.
Re: what if hoststated dies?
On 2007/09/26 10:54, Josh wrote: So any suggestions on how to have a rdr rule in pf.conf take over when this happens? Yes, just list it below the hoststated rdr anchor.
Re: spamd shows up as an open relay
On 2007/09/25 14:50, Rob wrote: Is there some configuration for spamd that I've missed You could run inbound and outbound email on different IP addresses, and don't accept incoming port 25 connections on the address used as a source for outgoing mail.
Re: SMTP flood + spamdb
On 26 September 2007, RW [EMAIL PROTECTED] wrote:
> On Tue, 25 Sep 2007 14:14:46 +0300, Liviu Daia wrote:
>> On 25 September 2007, RW [EMAIL PROTECTED] wrote:
>>> [...] My defence was to write a couple of scripts. One parsed the output of spamdb looking for GREY with sender and then tested the intended recipient against the postfix valid mailbox database. [...]
>>
>> With Postfix you can use anvil(8) to control concurrency.
>
> Yep, you could. BUT
> 1- why let it get to postfix? This is crap that spamd can deal with, with a bit of scripting help for extra functionality.
> 2- What concurrency? We had a mailstorm of backscatter from hundreds of IPs each trying to send one or two messages. We had over a thousand IPs marked TRAPPED in spamdb at one time.

What I've been seeing here the last few weeks is somewhat different: robots trying to determine how many connections I'll accept concurrently. Left alone they can get to 100+ connection attempts per second from the same IP, they go on until I'm running out of resources and start delaying the accept(2). When that happens, only one or two of these connections are subsequently used to try to send the crap, the rest are closed immediately. Limiting concurrency at SMTP level seems to actually reduce the number of bots that try that (presumably the information that my site is way too uninteresting is propagated across the bot net).

This has nothing to do with backscatter, but FWIW, backscatter alone has never been a real problem with Postfix until recently. Resource exhaustion because of insane concurrency as I described can be, and anvil(8) is a first attempt at a solution (it's not THE solution because it also hurts legitimate sites like Yahoo).

> Postfix would just be rejecting them and filling its logs.

Oh come on, these days you're probably rejecting 95% of messages anyway. :)

> As far as I'm concerned filling the logs of mailservers that are backscatter generators is A Good Thing.

Unfortunately the people in charge of these servers either don't have a clue, or don't care.

Regards,

Liviu Daia

--
Dr. Liviu Daia http://www.imar.ro/~daia
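The greytrap script RW describes in the quoted part of the message above (parse spamdb output for GREY entries carrying a bounce, check the intended recipient against the list of mailboxes that really exist, and trap the source address) can be sketched as follows. This is an added example, not RW's script and not part of OpenBSD or spamd; the record layout is the one documented in spamdb(8), the spamdb output and mailbox list are constructed sample data, the Postfix mailbox lookup is replaced by a plain set of addresses, and the reading of "GREY with sender" as the null envelope sender <> (what backscatter bounces carry) is an assumption.

```python
"""Pick backscatter sources out of spamdb(8) output for greytrapping.

Added example, not the poster's script. Assumptions:
  * GREY records have the layout documented in spamdb(8):
      GREY|src-ip|helo|from|to|first|pass|expire|block|pass
  * the bounces of interest carry the null envelope sender "<>"
  * a host is only trapped when its bounces target addresses that
    do not exist locally (a bounce to a real user is left alone)
"""
import subprocess
from typing import Dict, Iterator, List, Set

# Constructed sample of `spamdb` output (documentation addresses, not real data).
SAMPLE_SPAMDB = """\
WHITE|192.0.2.10|||1190700000|1190700100|1193292000|0|3
GREY|198.51.100.7|mx1.example.net|<>|<jqzxw@example.com>|1190710000|1190711500|1190724400|2|0
GREY|198.51.100.7|mx1.example.net|<>|<pklmt@example.com>|1190710030|1190711530|1190724430|1|0
GREY|198.51.100.9|mail.example.org|<>|<alice@example.com>|1190710100|1190711600|1190724500|1|0
GREY|203.0.113.5|smtp.example.edu|<bob@example.edu>|<ghost@example.com>|1190710200|1190711700|1190724600|1|0
TRAPPED|203.0.113.77|1190796600
"""

# Constructed stand-in for the Postfix valid-mailbox database.
VALID_MAILBOXES: Set[str] = {"alice@example.com", "bob@example.com", "postmaster@example.com"}


def parse_spamdb(text: str) -> Iterator[Dict[str, str]]:
    """Yield the GREY records of spamdb output as dicts; WHITE/TRAPPED lines are skipped."""
    for line in text.splitlines():
        fields = line.strip().split("|")
        if fields[0] != "GREY" or len(fields) < 5:
            continue
        yield {
            "ip": fields[1],
            "helo": fields[2],
            # envelope addresses are stored in angle brackets; "<>" is the null sender
            "from": fields[3].strip("<>").lower(),
            "to": fields[4].strip("<>").lower(),
        }


def greytrap_candidates(spamdb_output: str, valid_mailboxes: Set[str], min_bogus: int = 1) -> List[str]:
    """Return source IPs whose null-sender bounces hit at least min_bogus nonexistent mailboxes."""
    bogus_per_ip: Dict[str, Set[str]] = {}
    for rec in parse_spamdb(spamdb_output):
        if rec["from"] != "":
            continue  # ordinary (non-bounce) mail: leave it to normal greylisting
        if rec["to"] in valid_mailboxes:
            continue  # a bounce for a real user may be legitimate
        bogus_per_ip.setdefault(rec["ip"], set()).add(rec["to"])
    # min_bogus > 1 avoids trapping a host that bounced a single mistyped address
    return sorted(ip for ip, tos in bogus_per_ip.items() if len(tos) >= min_bogus)


def trap_commands(ips: List[str]) -> List[List[str]]:
    """spamdb -T -a <ip> adds (or refreshes) a TRAPPED entry for the address."""
    return [["spamdb", "-T", "-a", ip] for ip in ips]


def trap_sources(ips: List[str], dry_run: bool = True) -> int:
    """Run the spamdb commands; with dry_run only count them (the default, for safety)."""
    cmds = trap_commands(ips)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return len(cmds)


def live_spamdb_output() -> str:
    """Read the real database (needs spamdb in PATH and access to /var/db/spamd)."""
    return subprocess.run(["spamdb"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    ips = greytrap_candidates(SAMPLE_SPAMDB, VALID_MAILBOXES)
    for cmd in trap_commands(ips):
        print(" ".join(cmd))
    trap_sources(ips, dry_run=True)
```

On the sample data only 198.51.100.7 qualifies: it bounced to two addresses that do not exist, while 198.51.100.9 bounced to a real user and 203.0.113.5 sent ordinary mail with a sender, which is the greylist's job rather than the trap's. Swap `SAMPLE_SPAMDB` for `live_spamdb_output()` and `VALID_MAILBOXES` for a lookup against the real mailbox map to run it for real.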
Re: spamd shows up as an open relay
I'm not 100% certain I'm getting your idea here ... we do currently run inbound/outbound mail on different IPs, but the problem isn't with the connections themselves. From the example session transcript with spamd that I posted earlier:

  250 Hello, spam sender. Pleased to be wasting your time.
  MAIL FROM: [EMAIL PROTECTED]
  250 Ok to start over.
  RCPT TO: [EMAIL PROTECTED]
  250 You are about to try to deliver spam. Your time will be spent, for nothing.

For an actual MTA, the 250 code here indicates an open relay, because we are not the MX for checkor.com. spamd of course doesn't know this (and I'm aware that fixing it might not be easy), but it is still triggering a false positive as an open relay. Since this is happening during the conversation with our inbound mail server, I don't see how filtering connections between our inbound and outbound mail servers would fix it.

Thanks,
- R.

On 9/25/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/09/25 14:50, Rob wrote:
>> Is there some configuration for spamd that I've missed
>
> You could run inbound and outbound email on different IP addresses, and don't accept incoming port 25 connections on the address used as a source for outgoing mail.
Re: spamd shows up as an open relay
On 2007/09/25 17:35, Rob wrote:
> Since this is happening during the conversation with our inbound mail server, I don't see how filtering connections between our inbound and outbound mail servers would fix it.

From what you say, it sounds like your outbound mail server sends mail to some host which carries out an on-the-fly relay test, is that right? If so, surely they only test the host *sending* the mail to them?
Re: spamd shows up as an open relay
On 9/25/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/09/25 17:35, Rob wrote:
>> Since this is happening during the conversation with our inbound mail server, I don't see how filtering connections between our inbound and outbound mail servers would fix it.
>
> From what you say, it sounds like your outbound mail server sends mail to some host which carries out an on-the-fly relay test, is that right?

Ah, gotcha. That's basically correct. Our user sends email to the outbound mail server, which connects to the recipient's mail server. The problem is, if the recipient's mail server is performing an on-the-fly check, then its connection back to our outbound mail server would automatically be redirected to our inbound mail server, which gets intercepted by spamd, which appears to be the open relay.

You're right, then. If I explicitly block inbound connections to the outbound mail server (instead of redirecting them), that might fix the problem ... depending on just what kind of check the recipient's mail server is doing.

> If so, surely they only test the host *sending* the mail to them?

I don't know yet exactly what they do. I'm crawling my way up their support ladder to try to figure it out. They could be doing some kind of open relay greylisting, or who-knows-what.

I'm a little concerned about just blocking those connections per your suggestion, though. It might end up just changing the affected recipients; if someone's dumb enough not to correctly check for an open relay, someone else is certainly dumb enough to reject mail if they can't connect back to the inbound IP.

- R.
Re: spamd shows up as an open relay
On 9/26/07, Rob [EMAIL PROTECTED] wrote:
> Yeah, I agree. It's the wrong way for them to check for an open relay, but it is still causing a bit of a problem.

Well if it is actually caused by spamd you have 2 options:
a) not run spamd.
b) ask them to get their shit together and hope they actually do.

It's amazing that in 2007 there are still so many mail operators and relay-check sites that don't have a clue.

---
Lars Hansson
Re: SMTP flood + spamdb
On Wed, 26 Sep 2007 03:16:35 +0300, Liviu Daia wrote:
>> Postfix would just be rejecting them and filling its logs.
>
> Oh come on, these days you're probably rejecting 95% of messages anyway. :)

Nope. Every day at log reading time I do grep reject maillog and very rarely do I see a result. spamd is the genius.

>> As far as I'm concerned filling the logs of mailservers that are backscatter generators is A Good Thing.
>
> Unfortunately the people in charge of these servers either don't have a clue, or don't care.

If even one sees a lot of greytrap try-again messages followed by an entry when it gives up, then it will be worth it if it causes a config to be fixed.

R/
Me...a skeptic? I trust you have proof.
Speed Problems
I've been having problems with throughput on a box I'm using as an edge gateway. I can't seem to get it to push out more than 150Mb/sec at about 20k pps. It's a Tyan Thunder K8SR (S2881) board that has two gig broadcom interfaces on a shared pci-x bus. It's on the bcm5704c chipset and I'm running OpenBSD 4.0. The machine has two dual core amd opteron chips and two gigs of ram. Barely any resources are being used when we are peaking during the day. When we hit around 140+Mb/sec I start seeing packet loss, and when I copy a file from this machine via scp to another host over the gig lan I can see that it directly affects throughput. I've spent all day trying to find the problem but I've had no luck. Any ideas? Any info I can provide?