Dell PowerEdge 1950 Xeon Quad-Core
Dell PowerEdge 1950, Intel Xeon Quad-Core * 2: it works fine.

- kernel compile

# time make -j16
   text    data     bss     dec     hex
6382651  149620  883904 7416175  71296f
    1m52.57s real     5m20.07s user     8m51.52s system

- dmesg

OpenBSD 4.2-current (GENERIC.MP) #1555: Mon Feb 11 19:29:59 MST 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3488907264 (3327MB)
avail mem = 3373596672 (3217MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xcffbc000 (62 entries)
bios0: vendor Dell Inc. version "1.3.7" date 03/26/2007
bios0: Dell Inc. PowerEdge 1950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1596.15 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 265MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu1: 4MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu2: 4MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu3: 4MB 64b/line 16-way L2 cache
cpu4 at mainbus0: apid 2 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu4: 4MB 64b/line 16-way L2 cache
cpu5 at mainbus0: apid 6 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu5: 4MB 64b/line 16-way L2 cache
cpu6 at mainbus0: apid 3 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu6: 4MB 64b/line 16-way L2 cache
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu7: 4MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 8 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
ioapic1 at mainbus0 apid 9 pa 0xfec81000, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (PEX2)
acpiprt2 at acpi0: bus 6 (UPST)
acpiprt3 at acpi0: bus 7 (DWN1)
acpiprt4 at acpi0: bus 9 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 2 (PE2P)
acpiprt7 at acpi0: bus 11 (PEX4)
acpiprt8 at acpi0: bus 13 (PEX6)
acpiprt9 at acpi0: bus 3 (SBEX)
acpiprt10 at acpi0: bus 15 (COMP)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpicpu4 at acpi0
acpicpu5 at acpi0
acpicpu6 at acpi0
acpicpu7 at acpi0
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
pci1 at ppb0 bus 5
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 7
ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci4 at ppb3 bus 8
bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: apic 8 int 16 (irq 5)
ppb4 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci5 at ppb4 bus 9
ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 10
ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x12
pci7 at ppb6 bus 1
ppb7 at pci7 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci8 at ppb7 bus 2
mpi0 at pci8 dev 8 function 0 "Symbios Logic SAS1068" rev 0x01: apic 9 int 0 (irq 5)
scsibus0 at mpi0:
Re: [ami] Unable to set Hot Spare from bioctl on a Dell PERC 4/Di
On Wed, 20 Feb 2008, Marco Peereboom wrote:
> My natural answer is that this is a firmware issue.

I will upgrade the firmware and rerun my test case.

> But since you provided such good steps I will try to recreate this.
> Thank you for this outstanding report.

No problem :).

Matthew

> On Wed, Feb 20, 2008 at 01:42:59AM -0700, Matthew Mulrooney wrote:

Hi there,

I'm back with another LSI controller, and I'm experiencing problems with creating hot spares from bioctl. This seems to be the same problem that I posted to misc@ on Oct 16, 2006 with the subject line of: "[ami] Unable to set Hot Spare on MegaRAID SATA 300-8x". I've got the same symptoms, but now with a PERC 4/Di controller. [And this time I've found a better work around than just avoiding bioctl -H with this LSI controller :).]

Problem summary
===============

When I use bioctl to mark an Unused drive as a Hot Spare, that drive will fail to be integrated when another disk fails. The only way that I've found to make that drive properly act as a Hot Spare is to only set it as such from the LSI boot menu. If you have already marked it as a Hot Spare from bioctl, pull the Hot Spare-marked drive and replace it (it can be the same physical disk). At that point your disk should be showing up as an 'Unused' disk, from where you can go do the thing in the LSI boot menu. This is an improvement over my 2006 analysis of the situation, where I couldn't find a way to reset the drive back to Unused (after Hot Sparing it from bioctl). The LSI boot menu requires a drive to be in an Unused state before it will allow me to correctly mark it as a Hot Spare.

If you're interested, please let me know what I can do to be of assistance in troubleshooting this. I have a limited window before this box will have to be pushed into production, and I can live with the current situation (an after hours reboot in the case of a drive failure is perfectly fine).
Matthew

Test case
=========

s = step succeeded
F = step failed

Normal case (RAID 1 + one hot spare)
---
s Configure array from the LSI boot menu
s   Clear configuration
s   New configuration
s   Disks 0, 1: RAID 1 array
s   Disk 2: Hot spare
s Install OpenBSD-4.2
s Single disk failure
s   Disk 0: Fails (I pulled it from the hot swap cage)
s   Disk 2: Automatically replaces it
s   Observe the RAID 1 array get fully rebuilt
s Replace failed disk
s   Replace Disk 0 with a new disk
s   Observe that Disk 0 is marked as Unused through bioctl
s   Set Disk 0 to be a hot spare (through bioctl)
s Single disk failure
s   Disk 1: Fails (I pulled it)
F   Disk 0: FAILS TO GET INTEGRATED, DESPITE STILL BEING MARKED AS A HOT SPARE
    - Array is still degraded.
s Reboot, enter into the LSI boot menu
s   Configure -> View/Add Configuration
s   Highlight disk 0
s   F4 (hot spare)
s     "This Physical Drive is already a HOTSPARE\nPress any key to continue"
s   F10 (Configure), Esc, Esc
s   Exit? = YES
s   "Please REBOOT YOUR SYSTEM, CTRL-ALT-DEL"
s Recheck array
F   Disk 0: Still failing to integrate. Array still degraded.
s Attempt to shake loose the 'Hot Spare' bit from disk 0
s   Remove disk 0
s   Replace disk 0 (with the same physical disk)
s   Disk 0 is *no longer* marked as a 'Hot Spare' (either through bioctl or through the LSI boot menu). Yeah! :)
    [I don't think I tested this method with my SATA 300-8x.]
Log file
========

# The output is generated by:
# date; bioctl ami0

##
# Created a new RAID 1 array from the LSI boot menu and installed OpenBSD 4.2
Tue Feb 19 04:01:42 MST 2008
Volume  Status      Size           Device
 ami0 0 Scrubbing   146695782400   sd0     RAID1 3% done
      0 Online      146811125760   0:0.0   safte0 MAXTOR ATLAS10K5_146SCAJNZM
      1 Online      146811125760   0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare   146811125760   0:2.0   safte0 IBM IC35L146UCDY10-0S27F

Tue Feb 19 10:02:15 MST 2008
Volume  Status      Size           Device
 ami0 0 Scrubbing   146695782400   sd0     RAID1 94% done
      0 Online      146811125760   0:0.0   safte0 MAXTOR ATLAS10K5_146SCAJNZM
      1 Online      146811125760   0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare   146811125760   0:2.0   safte0 IBM IC35L146UCDY10-0S27F

Tue Feb 19 10:12:15 MST 2008
Volume  Status      Size           Device
 ami0 0 Scrubbing   146695782400   sd0     RAID1 97% done
      0 Online      146811125760   0:0.0   safte0 MAXTOR ATLAS10K5_146SCAJNZM
      1 Online      146811125760   0:1.0   safte0 SEAGATE ST3146807LC DS09
 ami0 1 Hot spare   146811125760   0:2.0   safte0 IBM IC35L146UCDY10-0S27F

##
# Mirroring complete
Tue Feb 19 10:22:16 MST 2008
Volume  Status      Size           Device
 ami0 0 Online      146695782400   sd0     RAID1
      0 Online      146811125760
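The failure mode in this report (a volume that stays degraded while the controller still lists a hot spare) is exactly the state an operator wants to be paged about, since the whole point of a hot spare is that nobody has to notice. The script below is an added example, not part of Matthew's report or of OpenBSD: it parses `bioctl <controller>` output in the column layout shown in the log above and distinguishes "degraded, no spare" from "degraded, spare present but idle". The sample output embedded in it is constructed for the demonstration, not a real capture; the status words it keys on (Online, Offline, Degraded, Hot spare, the "% done" progress field) are the ones that appear in the log.

```shell
#!/bin/sh
# Added example, not part of the thread or of OpenBSD: scan "bioctl ami0"
# output for a volume left Degraded while an idle Hot spare is still listed.
# Layout parsed is the one in the log above ("Volume Status Size Device"):
#    ami0 0 Degraded  146695782400 sd0   RAID1
#         0 Online    146811125760 0:0.0 safte0 ...
#    ami0 1 Hot spare 146811125760 0:2.0 safte0 ...
#
# Reads bioctl output on stdin.
#   exit 0: nothing to report
#   exit 1: a volume is Degraded/Offline and no hot spare exists
#   exit 2: a hot spare exists but has not been pulled into the degraded
#           volume, i.e. the spare is not integrating (the bug reported here)
check_bioctl() {
    awk '
        BEGIN { spares = 0 }
        # Volume lines start with the controller name ("ami0"); member disk
        # lines start with a bare disk number and are skipped.
        $1 ~ /^[a-z]+[0-9]+$/ {
            vol = $1 " " $2
            if ($3 == "Hot" && $4 == "spare") { spares++; next }
            if ($3 == "Degraded" || $3 == "Offline") bad[vol] = $3
            # a rebuild or scrub in progress shows a "N% done" field
            if ($0 ~ /[0-9]+% done/ || $3 == "Building") busy[vol] = 1
            next
        }
        END {
            rc = 0
            for (v in bad) {
                if (v in busy) continue
                if (spares > 0) {
                    printf("%s is %s but %d hot spare(s) sit idle: spare not integrating\n", v, bad[v], spares)
                    rc = 2
                } else {
                    printf("%s is %s and no hot spare is available\n", v, bad[v])
                    if (rc == 0) rc = 1
                }
            }
            exit rc
        }
    '
}

# Constructed sample in the log format (not a real capture): the state after
# disk 1 was pulled and the bioctl-created hot spare on 0:2.0 did not step in.
SAMPLE='Volume  Status      Size           Device
 ami0 0 Degraded    146695782400   sd0     RAID1
      0 Online      146811125760   0:0.0   safte0
      1 Offline     146811125760   0:1.0   safte0
 ami0 1 Hot spare   146811125760   0:2.0   safte0
'

# Stand-alone run: print the finding and the exit status.
printf '%s' "$SAMPLE" | check_bioctl || echo "exit status: $?"
```

Run it from cron as `bioctl ami0 | check_bioctl` and alert on any non-zero status; a status of 2 is the case in this thread, where the fix is the boot-menu procedure Matthew describes rather than waiting for the controller.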
Re: What is our ultimate goal??
On Thu, 21 Feb 2008 13:15:41 +0530, Mayuresh Kathe wrote:
> On Thu, Feb 21, 2008 at 1:05 PM, ropers [EMAIL PROTECTED] wrote:
> > On 20/02/2008, Mayuresh Kathe [EMAIL PROTECTED] wrote:
> > > On Feb 20, 2008 4:58 PM, Henning Brauer [EMAIL PROTECTED] wrote:
> > > > * Mayuresh Kathe [EMAIL PROTECTED] [2008-02-17 13:38]:
> > > > > Wouldn't it be nice to have a high performance networking stack?
> > > >
> > > > yeah. guess what we have? exactly that. (which doesn't mean it could be even faster)
> > >
> > > Pardon if I sound ignorant, but isn't our networking stack based on the 24 year old technology from Berkeley?
> >
> > Pardon if I sound ignorant, but isn't our Bugatti Veyron based on the millennia old wheel technology?
>
> The wheel isn't the technology, it is a concept. An implementation of the wheel concept would be the technology. The concept is the same, but the technology is certainly different. Are you saying your Bugatti Veyron is running on wooden wheels?
>
> ~Mayuresh

Yawnn...

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device
Re: Dell PowerEdge 1950 Xeon Quad-Core
It works fine with 4.3-beta.

- kernel compile

# time make -j8
   text    data     bss     dec     hex
6139672  181824  439328 6760824  672978
    1m27.80s real     4m15.21s user     6m45.58s system

- dmesg

OpenBSD 4.3-beta (GENERIC.MP) #1: Fri Feb 22 02:11:55 KST 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3488907264 (3327MB)
avail mem = 3373576192 (3217MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xcffbc000 (62 entries)
bios0: vendor Dell Inc. version "1.3.7" date 03/26/2007
bios0: Dell Inc. PowerEdge 1950
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1596.16 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 265MHz
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu1: 4MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu2: 4MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 5 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu3: 4MB 64b/line 16-way L2 cache
cpu4 at mainbus0: apid 2 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu4: 4MB 64b/line 16-way L2 cache
cpu5 at mainbus0: apid 6 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu5: 4MB 64b/line 16-way L2 cache
cpu6 at mainbus0: apid 3 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu6: 4MB 64b/line 16-way L2 cache
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz, 1595.93 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu7: 4MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 8 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
ioapic1 at mainbus0 apid 9 pa 0xfec81000, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (PEX2)
acpiprt2 at acpi0: bus 6 (UPST)
acpiprt3 at acpi0: bus 7 (DWN1)
acpiprt4 at acpi0: bus 9 (DWN2)
acpiprt5 at acpi0: bus 1 (PEX3)
acpiprt6 at acpi0: bus 2 (PE2P)
acpiprt7 at acpi0: bus 11 (PEX4)
acpiprt8 at acpi0: bus 13 (PEX6)
acpiprt9 at acpi0: bus 3 (SBEX)
acpiprt10 at acpi0: bus 15 (COMP)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpicpu4 at acpi0
acpicpu5 at acpi0
acpicpu6 at acpi0
acpicpu7 at acpi0
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
pci1 at ppb0 bus 5
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 7
ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
pci4 at ppb3 bus 8
bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: apic 8 int 16 (irq 5)
ppb4 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
pci5 at ppb4 bus 9
ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci6 at ppb5 bus 10
ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x12
pci7 at ppb6 bus 1
ppb7 at pci7 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci8 at ppb7 bus 2
mpi0 at pci8 dev 8 function 0 "Symbios Logic SAS1068" rev 0x01: apic 9 int 0 (irq 5)
scsibus0 at mpi0: 173 targets
sd0 at scsibus0 targ 0 lun 0:
Projector/external monitor not working on OpenBSD 4.2-current on Thinkpad X60
I am unable to move the display to a projector or an external monitor on my Thinkpad X60, which is running OpenBSD 4.2-current. Fn-F7 is the key combination to be used to switch displays, but it does not work. Now, I am not too sure if this is a function of the OS or of the Thinkpad's firmware. Search engines turned up nothing. Can someone suggest a way by which I can make use of an external monitor? Any software package to control this? Thanks.

-Amarendra
Re: make release errors
Chris Smith wrote:
> On Wednesday 20 February 2008, Alexander Hall wrote:
> > The ignored part in the error output. Those error messages are typical (dare I guess you're on i386?) and not critical.
>
> Yes, i386.
>
> > If these are the only errors you get, then you can go on with the rest of the release.
>
> I get this as well:
> =
> # cd /usr/src/distrib/sets
> sh checkflist
> 6455a6456
> > ./usr/sbin/authpf-noip
> 13115a13117
> > ./usr/share/man/cat4/wbsio.0
> 13442a13445
> > ./usr/share/man/cat8/authpf-noip.0
> =

Ah, I got those too, yesterday. I guess it's new stuff that has not yet made it to the correct file lists or so. As release(8) says:

    Check that the contents of ${DESTDIR} pretty much match the contents of the release `tarballs'

Thanks to the "pretty much" part, I assumed that it was ok, but anyone more educated may be of another opinion.

> If I don't want X, am I basically done except for any third party packages desired?

Yep.

/Alexander
security alert
RBC Financial Group
Contact Information | Online Services | Security | Help

Sign-In Protection Alert - Protection de l'ouverture de session - Alerte

An attempt to access Online Banking was denied on:
Thursday, 18 Feb 2008 at 5:24:08 EST

(French text, translated: An attempt to access Online Banking was refused on: Thursday, 18 Feb 2008 at 5:24:08 EDT)

Access was denied for one of two reasons:
* Incorrect attempts to access and Login failures.
* Signing on from a different location or device different from your location and your IP address.

(French text, translated: Access was refused for one of the following two reasons:
* The answer to your personal identification question did not match our records.
* Your personal identification question was asked but no answer was provided.)

If you remember trying to access Online Banking on the above date and time, please select "That was me". If you do not remember trying to access Online Banking on the above date and time, please select "That was NOT me". You will then be prompted to safeguard your account.

(French text, translated: If you remember having tried to access Online Banking on the date and time above, click on "That was me". If you do not remember having tried to access Online Banking on the date and time above, click on "That was NOT me". The system will then ask you to change your password.)

[That was me] [That was not me]
[C'était moi] [Ce n'était PAS moi]

(c) Royal Bank of Canada 1996, 2002, 2003-2008.
Re: OpenBSD 4.1 Stable Strange Problem
On 2/21/08, Wong Peter [EMAIL PROTECTED] wrote:

Before this, it was not normal to me because it was very fast. Now it has become like this, and also the wireless problem. My wireless card is a Linksys WMP54G. No, I do not do anything to rc.conf or rc.local.

/etc/hostname.rl1:
    inet 172.16.10.1 255.240.0.0

/etc/hostname.ral0:
    inet 192.168.5.1 255.255.0.0 NONE media autoselect \
        mediaopt hostap mode 11g nwid myname nwkey xxx

/etc/hostname.rl0 (external interface):
    dhcp NONE NONE NONE

/etc/dhcpd.interfaces:
    ral0 rl1

/etc/dhcpd.conf:
    # Wired
    subnet 172.16.0.0 netmask 255.240.0.0 {
        option subnet-mask 255.240.0.0;
        option routers 172.16.10.1;
        range 172.16.10.12 ... and some fixed addresses;
    }
    # wireless
    subnet 192.168.0.0 netmask 255.255.0.0 {
        option routers 192.168.5.1;
    }

After boot, the wireless interface is not up and I need to manually bring it up with "ifconfig ral0 192.168.5.1". After issuing this command, the status of the wireless interface is "no network". Below is the output of ifconfig -a | less:

rl1 (wired internal interface) is not connected:
    rl1: status: no carrier
        inet 172.16.10.1 netmask 0xfff0 broadcast 172.31.255.255
    ral0: UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST
        groups: wlan
        media: IEEE802.11 autoselect (DS1)
        status: no network
        ieee80211: nwid myname (100dBm)
        inet 192.168.5.1 netmask 0xff00 broadcast 192.168.5.255

Routing tables:

Internet:
Destination        Gateway            Flags    Refs  Use   Mtu    Interface
default            219.93.218.177     UGS      13    2142         tun0
127/8              127.0.0.1          UGRS     0     0     33224  lo0
127.0.0.1          127.0.0.1          UH       2     0     33224  lo0
155.207.113.207    219.93.218.177     UGHD     0     1682  -  L   tun0
172.116/12         link#2             UC       0     0     -      rl1
192.168.1/24       link#1             UC       1     0            rl0
192.168.1.1        H.A                UHLc     0     0            lo0
192.168.1.2        127.0.0.1          UGHS     0     0            lo0
219.93.218.177     60.48.180.172      UH       2     0     1492   tun0
224/4              127.0.0.1          URS      0     0     33224  lo0

Dmesg is as follows:
    ral0 at pci0 dev 15 function 0 "Ralink RT2561S" rev 0x00: irq 10, address H.A
    ral0: MAC/BBP RT2561C, RF RT2527

Why is function 0?

NAT rules:
    priv_add=192.168.0.0/16
    priv_adds=172.16.0.0/12
    nat on {ext_if} inet from $priv_add or $priv_adds to any -> {$ext_if}

rl0 is in promiscuous mode when I do a rootkit hunter scan.

sysctl settings:
    etherip.allow=1
    ip.redirect=0
    ip forward = 1
    esp.enable = 1
    ah.enable=1

Cannot ping from OpenBSD to rl1 (wired internal interface).

If you need any more information, please let me know. I'm one of the developers of rootkit hunter. A billion thanks for your help.

-- Linux
Re: ssh_config, chroot, or user rights to restrict user access?
LeRoy, Ted wrote:
> ... I'd like to limit the user account access for the other groups, permitting them a shell and a few commands, but no ability to browse the box or do things like cat or cp /etc/passwd. ...

In addition to chroot, you'll want to make sure that their login shell is rksh and that you've fiddled with the path. Any programs they should be able to run should be in a special path and the regular paths not even listed.

http://www.openbsd.org/cgi-bin/man.cgi?query=rksh

Regards,
-Lars

PS. If you get a good job later as a result of the course or the degree, then we on the list expect kickbacks for having helped you get it. ;)
http://www.openbsd.org/donations.html
Re: ssh_config, chroot, or user rights to restrict user access?
Josh Grosse wrote:
> A new sftp chroot restriction environment is now available in -current; you may find the discussion at the OpenBSD Journal helpful:
> http://undeadly.org/cgi?action=article&sid=20080220110039

1) What is the timeline for completely dropping scp?

2) ChrootDirectory and similar features in sshd_config are great. DenyGroups and AllowGroups were ones that I had really wanted. Along those lines, the example given in the undeadly article above applies access controls at the user level. Applying them at the group level is often considered more maintainable and scalable. The example from the article would look like this instead:

    Match group uploaders
        ForceCommand internal-sftp
        ChrootDirectory /chroot

where user djm is a member of the group uploaders.

Regards,
-Lars
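The Match block above only decides who gets the restricted session; what makes ChrootDirectory safe is sshd's rule that every component of the chroot path must be owned by root and not writable by group or others (sshd closes the session with a "bad ownership or modes for chroot directory component" error otherwise, because a user who can write the chroot's root can plant a fake /etc or /lib inside it). The script below is an added example, not from the OpenBSD Journal article, the thread, or OpenSSH itself: it walks a ChrootDirectory path and checks each component with `find`. The owner is a parameter only so the check can be exercised by an unprivileged user; in production pass root (the default). The directory name /chroot is the one from Lars's example.

```shell
#!/bin/sh
# Added example, not part of the thread or of OpenSSH: verify that every
# component of a ChrootDirectory path is owned by the expected user (root in
# production) and has neither the group nor the other write bit set, which
# is what sshd checks before it will chroot an sftp session.
#
# Usage: check_chroot_path /chroot [owner]

# One path component: must exist, be owned by $owner, no group/other write.
check_chroot_component() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || return 1
    # -prune stops find from descending, so only $dir itself is examined;
    # -user and the two negated -perm tests encode sshd's ownership/mode rule.
    found=$(find "$dir" -prune -user "$owner" ! -perm -020 ! -perm -002 -print 2>/dev/null)
    [ -n "$found" ]
}

# Walk from the first component below / down to the chroot itself.  A
# writable parent is as bad as a writable chroot: the user could rename the
# chroot out from under sshd and substitute their own tree.
check_chroot_path() {
    path=$1
    owner=${2:-root}
    case $path in
        /*) ;;
        *)  echo "ChrootDirectory must be an absolute path: $path" >&2; return 1 ;;
    esac
    rc=0
    cur=
    oldifs=$IFS
    set -f                      # no globbing while we split on '/'
    IFS=/
    set -- $path
    IFS=$oldifs
    set +f
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        cur="$cur/$comp"
        if ! check_chroot_component "$cur" "$owner"; then
            echo "unsafe chroot component: $cur (must be owned by $owner and not group/world writable)" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the directory from Lars's example.
if check_chroot_path /chroot; then
    echo "/chroot is acceptable as a ChrootDirectory"
else
    echo "/chroot would be rejected by sshd"
fi
```

Run it as `check_chroot_path /chroot` on the server before enabling the Match block; a common layout that passes is a root-owned, mode 755 /chroot with a user-owned, writable subdirectory such as /chroot/upload underneath it for the actual uploads.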
Why does pf work with last matching rule wins
Hi,

I wonder why pf works from top to bottom in filtering with "last matching rule wins" but in address translation from top to bottom with "first matching rule wins". Sure, I can use quick on every rule in filtering to have "first matching rule wins". Me thinks it would be better if both filtering and address translation worked the same (like first rule wins), but I think there are reasons to do it the pf way, but I don't see them.

Any enlightenment for me?

thanks
guido
Re: OpenBSD 4.2 with ftp-proxy, named, spamd on Alix2c1 board (+dmesg)
On Feb 20 19:13:04, Klaus Botschen wrote:
> The Alix2c1 board is from PC Engines, 3 LAN, 1 miniPCI, a 433 MHz AMD Geode LX700 with 128 MB DDR DRAM, CompactFlash socket (see http://pcengines.ch/alix2c1.htm).

I currently use ALIX.1C as my main router/fw/named/dhcpd (soon to be replaced by ALIX.2C1 which you use), and have the following comments to make:

> We need /tmp, /var and /dev writeable, but this would destroy the CompactFlash card. We move those three directories to a memory based file system that will be populated during startup.

Writing into /dev, /tmp and /var would definitely NOT destroy the CF card. Before installing, I too considered some filesystems to be mfs, to make the card live longer; but I was told on this list by knowledgeable people that this is not a concern any more. My ALIX has been running for about half a year now, with all filesystems being regular ffs, with zero problems, while 'block log'-ing everything with 'pflogd -s 512 -f /var/log/pflog'. I think it only is a concern if you write into /var/log heavily on this kind of machine; and how often do you write into /dev and /tmp after all? Don't bother setting up an mfs and populating it on boot - just using noatime is fine; should the card die one day, new CF cards will be cheaper than a fart by then (and eight times as big, too).

Jan
Re: ssh_config, chroot, or user rights to restrict user access?
Hi!

On Thu, Feb 21, 2008 at 01:49:02PM +0200, Lars Noodin wrote:
> 1) What is the timeline for completely dropping scp?

I hope never.

[...]

Kind regards,
Hannah.
Re: What is our ultimate goal??
On 2/19/08, Mayuresh Kathe [EMAIL PROTECTED] wrote:
> something as good as FireEngine,

I'm following this thread with quite some amusement, but one thing is not in the least clear to me: why do you think you want something as good as FireEngine? Heck, even under the assumption FireEngine is Really Good (TM), you should compare it to the *new* stack of FreeBSD, whose marketing blurb has at least a bit more meat than Sun's.

http://www.meetbsd.org/storage/kris.kennaway_meetbsd2007.pdf

SO now do you want FireEngine? Or rather SMPng networking? Or would you like ReallyHyperFastZoomStreamCyberWoosh? You can't decide? You have not even shown a corner case, much less in general why it would be desirable to completely throw away the current architecture. I have used OpenBSD since 3.0 on very small CPUs and also on rather big ones (all i386 and amd64, though), and I don't remember a single case in which network stack performance wouldn't at least have met my expectations. What performance difference are you expecting? Do you know the implications which the different approaches impose on the kernel architecture? Even if there were a developer who would in principle be open to the idea, you have to show her that it is worth the hassle. But you don't even know what you're talking about. If *I* were a developer, I would be offended by the notion that AnotherSolution is *that* *much* *better* (as you imply) _without_ showing any evidence.

--knitti
Re: What is our ultimate goal??
On Thu, Feb 21, 2008 at 8:52 AM, knitti [EMAIL PROTECTED] wrote:
> SO now do you want FireEngine? Or rather SMPng networking? Or would you like ReallyHyperFastZoomStreamCyberWoosh?

Now that you've brought it up, I would really like a ReallyHyperFastZoomStreamCyberWoosh TCP stack. Just make sure it doesn't require 1.2 Jigawatts of power and have interesting side effects when it gets to 88mph.

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk

"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.

"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford

learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related
Dubai Balanced Score Center
Dubai Balanced Score Training Center
Upcoming Programs, Mar 2008

- http://www.bsdubai.org/programs_details.php?type=course&cat=510
  Strategies Of Modern Public Relations
  Dubai - City Seasons Hotel - Mar 02 to 06 / 2008

- http://www.bsdubai.org/programs_details.php?type=course&cat=918
  Modern Strategies To Supervise Security
  Cairo - Grand Hayat Hotel - Mar 09 to 13 / 2008

- http://www.bsdubai.net/programs_details.php?type=course&cat=CI%20422
  Effective Communication Interpersonal Skills
  Cairo - Grand Hayat Hotel - Mar 09 to 13 / 2008

- http://www.bsdubai.net/programs_details.php?type=course&cat=SM%20720
  Introduction To Sales and Marketing
  Cairo - Grand Hayat Hotel - Mar 09 to 13 / 2008

- http://www.bsdubai.net/programs_details.php?type=course&cat=HR%20234
  Train The Trainer Best Practices
  Paris - Le Meridiem Etoile - Mar 23 to 27 / 2008

- http://www.bsdubai.net/programs_details.php?type=course&cat=PI%20542
  Advanced Contracts Management
  Geneva - Prestol Hotel - Mar 23 to 27 / 2008

- http://www.bsdubai.net/programs_details.php?type=course&cat=ML%20140
  Building High Performance Teams
  Geneva - Prestol Hotel - Mar 23 to 27 / 2008

Heba Munier
B.S. Center
[EMAIL PROTECTED]
http://www.bsdubai.org
Tel: 00971509228381
Fax: 0097142638827

This message was sent by: Heba Munier, Al-Qusaif T-Dubai, +965-9449251, Kuwait 56970, Kuwait
Powered by iContact: http://freetrial.icontact.com
Manage your subscription: http://app.icontact.com/icp/mmail-mprofile.pl?r=7726955&l=17117&s=HAQK&m=100739&c=218332
Re: Why does pf work with last matching rule wins
On Thu, Feb 21, 2008 at 12:19:54PM +0100, Guido Tschakert wrote:
> I wonder why pf works from top to bottom in filtering with "last matching rule wins" but in address translation from top to bottom with "first matching rule wins".

I've wondered about the difference between NAT and filter rules myself. I have no answer.

> Sure, I can use quick on every rule in filtering to have "first matching rule wins". Me thinks it would be better if both filtering and address translation worked the same (like first rule wins), but I think there are reasons to do it the pf way, but I don't see them.
>
> Any enlightenment for me?

Don't use quick that way. If you can't stand the way PF works it would be better to use something else. Using PF as intended will let you have normal conversations, look at example rules, &c., &c.

One good reason for "last match wins" is that the rules proceed from most general to most specific. This is a normal way for humans to think, and once you get used to it I bet you like it better. For me it makes it easier to read, write, and maintain rules than using the first-match way of listing all exceptions without knowing the general (or default) case.

--
Darrin Chandler            | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED]          | http://phxbug.org/     | http://metabug.org/
http://www.stilyagin.com/  | Daemons in the Desert  | Global BUG Federation
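Darrin's general-to-specific point is easiest to see by walking a ruleset through the two evaluation orders Guido asks about. What follows is an added example, not code from the thread or from pf itself: a toy evaluator in POSIX sh that implements just the semantics under discussion. `pf_filter` walks top to bottom, keeps the last match and stops early at a matching rule marked `quick`, as the filter rules do; `pf_first_match` stops at the first match, as the translation rules do. The rule grammar (`action [quick] proto port`, with `any` as a wildcard) and the sample ruleset are constructed for the demonstration and are not pf.conf syntax.

```shell
#!/bin/sh
# Added example, not code from the thread or from pf: a toy evaluator for
# the filter semantics being discussed.  Rules are lines of the form
#     action [quick] proto port        (proto and port may be "any")
# and a packet is "proto port".  Both walks read the ruleset on stdin.

# true when the rule patterns $1/$2 cover packet $3/$4
match_rule() {
    { [ "$1" = any ] || [ "$1" = "$3" ]; } &&
    { [ "$2" = any ] || [ "$2" = "$4" ]; }
}

# filter semantics: walk every rule, the LAST match wins, "quick" stops the walk
pf_filter() {
    pkt_proto=$1; pkt_port=$2
    verdict=pass            # pf's implicit default when no rule matches
    while read -r action a b c; do
        case $action in ''|'#'*) continue ;; esac
        if [ "$a" = quick ]; then
            quick=1; proto=$b; port=$c
        else
            quick=0; proto=$a; port=$b
        fi
        if match_rule "$proto" "$port" "$pkt_proto" "$pkt_port"; then
            verdict=$action     # a later match overwrites an earlier one
            [ "$quick" = 1 ] && break
        fi
    done
    echo "$verdict"
}

# translation semantics: the FIRST match wins, so every rule behaves as quick
pf_first_match() {
    pkt_proto=$1; pkt_port=$2
    while read -r action a b c; do
        case $action in ''|'#'*) continue ;; esac
        [ "$a" = quick ] && { a=$b; b=$c; }
        if match_rule "$a" "$b" "$pkt_proto" "$pkt_port"; then
            echo "$action"
            return 0
        fi
    done
    echo pass
}

# Constructed ruleset in the general-to-specific order Darrin describes:
# a blanket block first, then the exceptions, then one late override.
SAMPLE_RULES='block any any
pass tcp 22
pass tcp 80
block tcp 22
'

# Same packets, both walks.  tcp/80 is passed under last-match (the "pass
# tcp 80" exception is the last match) but blocked under first-match (the
# blanket rule is hit first); tcp/22 ends up blocked under last-match because
# the final "block tcp 22" overrides the earlier pass.
for pkt in "tcp 22" "tcp 80" "udp 53"; do
    set -- $pkt
    printf '%-7s last-match=%-5s first-match=%s\n' "$pkt" \
        "$(printf '%s' "$SAMPLE_RULES" | pf_filter "$1" "$2")" \
        "$(printf '%s' "$SAMPLE_RULES" | pf_first_match "$1" "$2")"
done
```

The practical reading of the output: under last-match a ruleset is "block everything, except ...", and each exception can itself be narrowed by a later, more specific rule; under first-match the blanket rule would have to come last or every exception would be dead, which is why a first-match ruleset reads as a list of exceptions with the default buried at the bottom.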
Re: OpenBSD 4.2 with ftp-proxy, named, spamd on Alix2c1 board (+dmesg)
Hi,

> Writing into /dev, /tmp and /var would definitely NOT destroy the CF card.

Might be. I used non-industrial-grade CF cards, so the chance is of course higher.

> running for about half a year now, with all filesystems being regular

That's fine. The machines that got replaced by the Alix board have been running for almost 5 years, and I hope that I don't need to touch the boards for several years.

> - just using noatime is fine; should the card die one day, new CF cards will be cheaper than a fart by then (and eight times as big, too).

That might depend... I have the theory that if you are a sysadmin, the machines feel when you are far away, and die exactly when you can't just drop in and repair them :)

Cheers,
Klaus
Re: inspircd + libunwind?
Is this the library you're looking for http://www.nongnu.org/libunwind/ ? I found it via Google and it wasn't exactly very hard. -Nix Fan.
Re: What is our ultimate goal??
> > SO now do you want FireEngine? Or rather SMPng networking? Or would you like ReallyHyperFastZoomStreamCyberWoosh?
>
> Now that you've brought it up, I would really like a ReallyHyperFastZoomStreamCyberWoosh TCP stack. Just make sure it doesn't require 1.2Jigawatts of power and have interesting side effects when it gets to 88mph.

But ReallyHyperFastZoomStreamCyberWoosh is designed for processors with the HyperVirtualFuzzboxVoodooDoubleStream extension. Porting it to OpenBSD would seriously impact performance of OpenBSD on mundane processors.

Miod
Re: make release errors
On Thursday 21 February 2008, Alexander Hall wrote:
> Thanks to the "pretty much" part, I assumed that it was ok, but anyone more educated may be of another opinion.

Thanks.

It's been announced that OpenBSD turned 4.3-beta, does that mean -current is now 4.3-beta? If so, is there anything special that needs to be done to stay -current through this version change?

--
Chris
Re: Why does pf work with last matching rule wins
Darrin Chandler wrote:
> One good reason for "last match wins" is that the rules proceed from most general to most specific. ...

I'm fairly comfortable with PF, but that way of looking at it really helps.

Regards,
-Lars
Re: Projector/external monitor not working on OpenBSD 4.2-current on Thinkpad X60
On Thu, Feb 21, 2008 at 03:41:30PM +0530, Amarendra Godbole wrote: I am unable to move the display to a projector or an external monitor on my Thinkpad X60, which is running OpenBSD 4.2-current. Fn-F7 is the key combination to be used to switch displays, but it does not work. Now, I am not too sure if this is a function of the OS, or Thinkpad's firmware. Search engines turned up nothing. Can someone suggest a way by which I can make use of an external monitor? Any software package to control this? Thanks. When you boot the laptop, go into the bios (just to prevent booting). Have the external monitor attached. Hit your key combo and you should get the bios screen on the external monitor. If this works, then you're on the right track. If it doesn't, then you know that it's not the OS's fault. Doug.
Re: Why does pf work with last matching rule wins
On February 21, 2008 05:19:54 am Guido Tschakert wrote: Hi, I wonder why pf works from top to bottom in filtering with last matching rule wins but in address translation from top to bottom with first matching rule wins. Sure, I can use quick on every rule in filtering to have first matching rule wins. Me thinks it would be better if both filtering and address translation works the same (like first rule wins), but I think there are reasons to do it the pf way, but I don't see them. Any enlightenment for me? thanks guido To me (from a layman's perspective), it seems like first match wins is more logical for NAT and last match wins seems more correct for filtering. While writing NAT rules I have not had a situation where one NAT rule negates the previous rules. Whereas with filtering rules, you could conceivably have that issue. Also, since you have to use a filter to allow NAT (assuming you are not using rdr pass) to me, the current approach makes reading a pf.conf file easier. Anyways. FWIW, that is what I thought was the reasoning behind this approach. -- Vijay Sankar, M.Eng., P.Eng. President CEO ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6 Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]
Re: make release errors
On 2008/02/21 10:12, Chris Smith wrote: On Thursday 21 February 2008, Alexander Hall wrote: Thanks to the pretty much part, I assumed that it was ok, but anyone more educated may be of another opinion. Thanks. It's been announced that OpenBSD turned 4.3-beta, does that mean -current is now 4.3-beta? If so, is there anything special that needs to be done to stay -current through this version change? not really, just use *43.tgz rather than *42. this is a good time to be testing *snapshots* in particular (especially when new ones with 43 in the filenames turn up).
Re: Why does pf work with last matching rule wins
On Thursday, February 21, 2008, 09:22:25, Darrin Chandler wrote: ... One good reason for last match wins is that the rules proceed from most general to most specific. This is a normal way for humans to think, and once you get used to it I bet you like it better. For me it makes it easier to read, write, and maintain rules than using the first-match way of listing all exceptions without knowing the general (or default) case. But that's dependent on how you look at it and approach it. Isn't the general rule of thumb to allow only what you explicitly need and reject everything else? When I'm working with a Cisco IOS access-list I find it's much easier to state each specific allow routing to this port on this host and let the final deny any to catch and reject the remainder. -- Rod Dorman [EMAIL PROTECTED] The avalanche has already started, it is too late for the pebbles to vote. - Ambassador Kosh
Re: There's something about OpenBSD...
On Thu, 21 Feb 2008 21:53:43 +0530 Mayuresh Kathe [EMAIL PROTECTED] wrote: What is it about OpenBSD that I can't resist it? After the past long exchange about our ultimate goal and a lot of people advising me to go over to Solaris 10, I did, I removed OpenBSD from one of my machines and installed Solaris Express Developers Edition. It was slick looking, very graphical with most of things you want to do, had Java SE 5/6 preinstalled, and had everything that I was expecting from OpenBSD. But yet, after 2 hours of fooling around, I came back to OpenBSD. For one thing, it took me almost 1.5 hours to install Solaris, compare that to 30 minutes with OpenBSD, including 'packages', 'src' and 'ports'. The second thing was probably the knowledge that things are simple with OpenBSD, none of the complicated layouts thing as with Solaris. You could follow instructions from ancient books like Practical Unix and Internet Security - Second Edition to the T. Given all that, in spite of all the hammering I've taken over my comments, I'd prefer to stick with OpenBSD. Thanks to Theo and the core gang for delivering such a good, clean operating environment. Best, ~Mayuresh Mind your heads fellow hackers. It can cause addiction. -- Henri Salo fgeek at hack.fi +358407705733 GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
Re: ssh_config, chroot, or user rights to restrict user access?
On Thu, 21 Feb 2008 14:03:40 +0100 Hannah Schroeter [EMAIL PROTECTED] wrote: Hi! On Thu, Feb 21, 2008 at 01:49:02PM +0200, Lars Noodin wrote: 1) What is the timeline for completely dropping scp? I hope never. [...] Kind regards, Hannah. Where did you get this information? I'm using scp every day and in few scripts. I hope it's not going to be dropped -- ever! -- Henri Salo fgeek at hack.fi +358407705733 GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
There's something about OpenBSD...
What is it about OpenBSD that I can't resist it? After the past long exchange about our ultimate goal and a lot of people advising me to go over to Solaris 10, I did, I removed OpenBSD from one of my machines and installed Solaris Express Developers Edition. It was slick looking, very graphical with most of things you want to do, had Java SE 5/6 preinstalled, and had everything that I was expecting from OpenBSD. But yet, after 2 hours of fooling around, I came back to OpenBSD. For one thing, it took me almost 1.5 hours to install Solaris, compare that to 30 minutes with OpenBSD, including 'packages', 'src' and 'ports'. The second thing was probably the knowledge that things are simple with OpenBSD, none of the complicated layouts thing as with Solaris. You could follow instructions from ancient books like Practical Unix and Internet Security - Second Edition to the T. Given all that, in spite of all the hammering I've taken over my comments, I'd prefer to stick with OpenBSD. Thanks to Theo and the core gang for delivering such a good, clean operating environment. Best, ~Mayuresh
Re: There's something about OpenBSD...
And...you forgot to say: Sorry for my dumbness to all developers that give you an answer. Now, you have to kiss all their ass. Francesco Mayuresh Kathe ha scritto: What is it about OpenBSD that I can't resist it? After the past long exchange about our ultimate goal and a lot of people advising me to go over to Solaris 10, I did, I removed OpenBSD from one of my machines and installed Solaris Express Developers Edition. It was slick looking, very graphical with most of things you want to do, had Java SE 5/6 preinstalled, and had everything that I was expecting from OpenBSD. But yet, after 2 hours of fooling around, I came back to OpenBSD. For one thing, it took me almost 1.5 hours to install Solaris, compare that to 30 minutes with OpenBSD, including 'packages', 'src' and 'ports'. The second thing was probably the knowledge that things are simple with OpenBSD, none of the complicated layouts thing as with Solaris. You could follow instructions from ancient books like Practical Unix and Internet Security - Second Edition to the T. Given all that, in spite of all the hammering I've taken over my comments, I'd prefer to stick with OpenBSD. Thanks to Theo and the core gang for delivering such a good, clean operating environment. Best, ~Mayuresh
HFSC rules not working/parsing as supposed to
Hello all. A while back (several months ago), I had a dialogue with Henning regarding hfsc in pf not working as it was supposed to. To be more specific, according to previous posts and discussions, the following bare-bones ruleset should parse OK:

    ext_if = hme0
    int_if = fxp0
    altq on $ext_if hfsc bandwidth 384Kb queue { rtq defq }
    queue rtq hfsc(realtime 10Kb linkshare 11Kb upperlimit 21Kb)
    queue defq hfsc(default realtime 0Kb linkshare 200Kb upperlimit 300Kb)

However, running pfctl -nv -f pf.conf on this produces the following error right after the first queue rule:

    pfctl: the sum of the child bandwidth higher than parent root_hme0

According to previous posts by Henning, if the service curves are specified in full, the bandwidth keyword should be unnecessary. I agree with the people who have posted to the lists before regarding the bandwidth keyword in hfsc as being confusing and redundant. So the question is: why do I get this error in the first place? Henning didn't have time to debug this, so it didn't go any further, but I'd appreciate any assistance in trying to figure this out now. I don't want to have to use the hack of bandwidth when the service curves should fully determine the queueing configuration. Thanks for any assistance.
Re: Why does pf work with last matching rule wins
On Thu, Feb 21, 2008 at 10:50:50AM -0500, Rod Dorman wrote: On Thursday, February 21, 2008, 09:22:25, Darrin Chandler wrote: ... One good reason for last match wins is that the rules proceed from most general to most specific. This is a normal way for humans to think, and once you get used to it I bet you like it better. For me it makes it easier to read, write, and maintain rules than using the first-match way of listing all exceptions without knowing the general (or default) case. But that's dependent on how you look at it and approach it. Isn't the general rule of thumb to allow only what you explicitly need and reject everything else? When I'm working with a Cisco IOS access-list I find it's much easier to state each specific allow routing to this port on this host and let the final deny any to catch and reject the remainder. Yes, but you have to read the entire Cisco rule set to know that. In PF...

    deny all
    allow this
    allow that

Right away you know that the default policy is deny. Explicitly, and right up front. When looking at PF rules if the first thing isn't deny then I immediately know that (and I am also very suspicious at that point). I prefer this, personally. I also think it's a good practice, generally. I realize that other popular schemes do it the other way around and that many people are more familiar and comfortable that way. But I am glad that PF works as it does. -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
IPSEC + Performance
How much OpenBSD performance is lost with IPSEC enabled?
Re: There's something about OpenBSD...
Sorry for my dumbness, to all developers :) On Thu, Feb 21, 2008 at 10:56 PM, raven [EMAIL PROTECTED] wrote: And...you forgot to say: Sorry for my dumbness to all developers that give you an answer. Now, you have to kiss all their ass. Francesco Mayuresh Kathe ha scritto: What is it about OpenBSD that I can't resist it? After the past long exchange about our ultimate goal and a lot of people advising me to go over to Solaris 10, I did, I removed OpenBSD from one of my machines and installed Solaris Express Developers Edition. It was slick looking, very graphical with most of things you want to do, had Java SE 5/6 preinstalled, and had everything that I was expecting from OpenBSD. But yet, after 2 hours of fooling around, I came back to OpenBSD. For one thing, it took me almost 1.5 hours to install Solaris, compare that to 30 minutes with OpenBSD, including 'packages', 'src' and 'ports'. The second thing was probably the knowledge that things are simple with OpenBSD, none of the complicated layouts thing as with Solaris. You could follow instructions from ancient books like Practical Unix and Internet Security - Second Edition to the T. Given all that, in spite of all the hammering I've taken over my comments, I'd prefer to stick with OpenBSD. Thanks to Theo and the core gang for delivering such a good, clean operating environment. Best, ~Mayuresh
ssh complaining about bad file descriptor on 4.3beta.
I'm getting bad file descriptor errors on every ssh connection on a box that I built from source on 4.3 beta last night. Anyone else seeing this as well ? Feb 21 09:54:43 crusty sshd[21741]: error: getsockname failed: Bad file descriptor Wanted to see if anyone else is seeing it as well before I send a bug report.
Remote Admin Card - Dell DRAC or HP ILO2 ?
Who wins in the OpenBSD world? DRAC (Dell Remote Admin Card) or iLo (HP's Integrated Lights Out) (or better ilo2) ? We're looking at new servers and are wondering if these are worth the cash, or which is the one to go for ? I see some problem with ILO2 on HP DL320 G5 (/G5p ?). We need to be able to do 'quite' everything remotely (from installing (virtual floppy / cd / dvd) to exploitation). Regards.
Re: Why does pf work with last matching rule wins
On 2/21/08, Rod Dorman [EMAIL PROTECTED] wrote: Isn't the general rule of thumb to allow only what you explicitly need and reject everything else? When I'm working with a Cisco IOS access-list I find its much easier to state each specific allow routing to this port on this host and let the final deny any to catch and reject the remainder. so put the deny all rule first.
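The ordering semantics argued over in this thread can be checked mechanically. The following is an added example, not pf's own code and not from any poster: a small evaluator for simplified pf-style filter rules that models only the behaviour under discussion (the last matching rule decides, unless a matching rule carries `quick`, which ends evaluation at once, and nothing matching means pass). The rule sets, protocols and ports are constructed sample values. It shows the pf idiom Darrin describes ("block all" first, specific passes after), the Cisco-style ordering transplanted into pf without `quick` (where the trailing block silently overrides every pass), and the same ordering made to work with `quick`.

```python
"""Last-match-wins versus first-match-wins, modelled on the pf thread above.

Added example, not pf's own code: a small evaluator for simplified
pf-style filter rules.  It models only the ordering semantics under
discussion: the last matching rule decides, unless a matching rule carries
``quick``, which ends evaluation at once.  Rules, protocols and ports below
are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False           # stop evaluating once this rule matches

    def matches(self, proto: str, dport: int) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], proto: str, dport: int) -> str:
    """Return the verdict for one packet.

    pf's implicit policy when no rule matches is to pass, which is why the
    thread's "block all" rule at the top of the file matters.
    """
    verdict = "pass"
    for rule in rules:
        if rule.matches(proto, dport):
            verdict = rule.action
            if rule.quick:
                break          # first matching quick rule wins
    return verdict


# pf idiom from the thread: general "block all" first, specific passes after.
PF_STYLE = [
    Rule("block"),
    Rule("pass", "tcp", 22),
    Rule("pass", "tcp", 80),
]

# Cisco-style ordering transplanted into pf without quick: the trailing
# "block all" matches every packet and, being last, overrides the passes.
BLOCK_LAST_NO_QUICK = [
    Rule("pass", "tcp", 22),
    Rule("pass", "tcp", 80),
    Rule("block"),
]

# Same ordering made to work by marking the passes quick.
BLOCK_LAST_QUICK = [
    Rule("pass", "tcp", 22, quick=True),
    Rule("pass", "tcp", 80, quick=True),
    Rule("block"),
]

SAMPLE_PACKETS = [("tcp", 22), ("tcp", 80), ("tcp", 23), ("udp", 53)]


def verdicts(rules: List[Rule]) -> dict:
    """Evaluate every sample packet against one rule set."""
    return {pkt: evaluate(rules, *pkt) for pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, rules in (("pf style", PF_STYLE),
                        ("block last, no quick", BLOCK_LAST_NO_QUICK),
                        ("block last, quick", BLOCK_LAST_QUICK)):
        print(name, verdicts(rules))
```

The second rule set is the one to watch for in review: it reads like a deny-by-default policy to someone used to IOS access lists, yet under pf's evaluation order it blocks the SSH and HTTP traffic it appears to allow. The evaluator also makes the implicit pass visible: a ruleset with no matching rule passes the packet, so a file without an explicit "block all" is not deny-by-default at all.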
Re: There's something about OpenBSD...
* raven [EMAIL PROTECTED] [2008-02-21 18:50]: Now, you have to kiss all their ass. err, I'll pass... -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Remote Admin Card - Dell DRAC or HP ILO2 ?
On Thu, Feb 21, 2008 at 07:01:21PM +0100, Xavier Millihs-Lacroix wrote: We need to be able to do 'quite' everything remotely (from installing (virtual floppy / cd / dvd) to exploitation). I prefer PXE booted bsd.rd and a serial console, with BIOS serial redirection it is quite close to a LOM module and does the things it can do extremely reliably.
Re: IPSEC + Performance
That depends what kind of hardware you have and what type of setting it will be used in. For example, have used a 100Mhz net4511 on a home-based connection without much trouble, but it would be inappropriate for much above that. -Will On Thu, Feb 21, 2008 at 12:37 PM, Gustavo Polillo [EMAIL PROTECTED] wrote: How much OpenBSD performance is lost with IPSEC enabled?
Re: IPSec transport mode and traceroute
The short answer is no, not over IPSec. You could change your IPSec filter to only match for TCP traffic, but that's not a feasible solution if you need to IPSec protect ALL traffic. Without IPSec in the picture, traceroute works by sending a UDP packet from 128.164.144.144 to 128.164.159.159 with an ephemeral port for source and dest. It sets the TTL to 1 and sends the packet out. The first hop (your gateway) gets the packet and responds with the ICMP time exceeded message. The ICMP message contains the original UDP packet. Your source gets the packet and passes it to traceroute. Traceroute finds the original src and dest ports and makes sure that they match the packet he sent out before he posts the gateway IP and round trip time to the screen. With IPSec in the picture, things change. When traceroute sends the UDP packet out, the ESP header is inserted after the IP header, and the protocol is changed from 17 (UDP) to 50 (ESP). When the gateway gets the packet, it responds with the ICMP message. But this time when your source gets it, traceroute tries to compare the original src/dest ports with the incoming src/dest ports and they don't match (because it's not accounting for this ESP header... and the UDP packet is likely encrypted anyway). He tosses the packet and continues to wait until the timeout is hit. Every hop between your src and dest will fail this way. You will finally receive good data when we get to your destination because his stack undoes the IPSec stuff and the stack processes the original UDP packet. This time when the stack sends back the ICMP message Port Unreachable, the src/dest ports will match with what traceroute expects and you get the expected output.
Hope that helps, Grant

Jason Mader-3 wrote: I've got really simple transport mode IPSec setup between two hosts:

    [ipsec.conf]
    ike ah transport from 128.164.144.144 to 128.164.159.159 main auth hmac-sha2-256 group modp1536 quick group modp1536

Though traceroute from one host to the other fails at the gateway, despite the gateway responding,

    128.164.144.189 dns1: icmp: time exceeded in-transit [tos 0xc0] (ttl 255, id 12234, len 56)
    traceroute to dns2 (128.164.159.159), 64 hops max, 40 byte packets
     1 * * *
     2 dns2 (128.164.159.159) 0.752 ms 0.648 ms 0.604 ms

Is there anything I could be doing differently so that the traceroute works?
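Grant's explanation can be reproduced byte for byte. The following is an added example, not from the thread: it builds a 40-byte traceroute-style UDP probe, the same probe after a transport-mode ESP header is inserted (and, going one step beyond Grant's ESP description, after an AH header, which is what Jason's ipsec.conf actually negotiates), and the ICMP "time exceeded" reply a gateway sends back, then performs the port comparison traceroute does on the datagram quoted in that reply. The addresses are the ones from the thread; the ports, SPI, sequence number and the toy "encryption" are constructed.

```python
"""Why traceroute's probe matching breaks across IPsec transport mode.

Added example, not from the thread: it builds a traceroute-style UDP probe,
the same probe after a transport-mode ESP or AH header is inserted, and the
ICMP "time exceeded" reply a gateway sends back, then performs the port
comparison traceroute does on the quoted datagram.  Addresses come from the
thread; ports, SPI, sequence number and the toy "encryption" are constructed.
"""
import socket
import struct

IPPROTO_ICMP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 1, 17, 50, 51


def ipv4_header(src, dst, proto, payload_len, ttl=1):
    """Minimal 20-byte IPv4 header (checksum left zero; nothing verifies it here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_probe(src, dst, sport, dport, ttl=1):
    """A 40-byte traceroute probe: IP + UDP + 12 bytes of payload, TTL 1."""
    payload = b"\x00" * 12
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp), ttl) + udp


def ipsec_transport(packet, proto, spi=0x1001, seq=1):
    """Insert an ESP (50) or AH (51) header between the IP header and the UDP datagram.

    The UDP header moves behind the IPsec header (and under ESP is encrypted),
    so the bytes traceroute expects right after the IP header change.
    """
    ip, udp = packet[:20], packet[20:]
    if proto == IPPROTO_ESP:
        body = struct.pack("!II", spi, seq) + bytes(b ^ 0x5A for b in udp)  # toy cipher
    else:
        # AH: next header, length (32-bit words minus 2), reserved, SPI, seq, 12-byte ICV
        body = struct.pack("!BBHII", IPPROTO_UDP, 4, 0, spi, seq) + b"\x00" * 12 + udp
    src, dst, ttl = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[8]
    return ipv4_header(src, dst, proto, len(body), ttl) + body


def icmp_time_exceeded(gateway, dst, offending):
    """ICMP type 11: quotes the offending IP header plus 8 bytes of its payload (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + offending[:ihl + 8]
    return ipv4_header(gateway, dst, IPPROTO_ICMP, len(icmp), ttl=255) + icmp


def quoted_ports(reply):
    """Protocol and the two 16-bit fields traceroute reads as ports from the quoted datagram."""
    ihl = (reply[0] & 0x0F) * 4
    quoted = reply[ihl + 8:]                # skip the 8-byte ICMP header
    q_ihl = (quoted[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return quoted[9], sport, dport


def traceroute_matches(reply, sport, dport):
    """traceroute's check: do the quoted 'ports' equal the ones it sent?"""
    _, q_sport, q_dport = quoted_ports(reply)
    return (q_sport, q_dport) == (sport, dport)


if __name__ == "__main__":
    src, dst, gw = "128.164.144.144", "128.164.159.159", "128.164.144.189"
    probe = udp_probe(src, dst, 40000, 33435)
    for name, pkt in (("plain UDP", probe),
                      ("ESP transport", ipsec_transport(probe, IPPROTO_ESP)),
                      ("AH transport", ipsec_transport(probe, IPPROTO_AH))):
        reply = icmp_time_exceeded(gw, src, pkt)
        print(name, quoted_ports(reply), traceroute_matches(reply, 40000, 33435))
```

The reply the gateway sends is 56 bytes long, the same length tcpdump reports in Jason's capture: 20 bytes of IP, 8 of ICMP and 28 of quoted datagram. Those 28 quoted bytes are the crux. For the plain probe they end in the UDP source and destination ports; under ESP the same offsets hold the SPI and sequence number, and under AH the next-header, length and reserved fields, so the comparison fails and traceroute prints `*` until the destination host itself strips the IPsec header and answers with port unreachable.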
Re: There's something about OpenBSD...
Mayuresh Kathe wrote: What is it about OpenBSD that I can't resist it? After the past long exchange about our ultimate goal and a lot of people advising me to go over to Solaris 10, I did, I removed OpenBSD from one of my machines and installed Solaris Express Developers Edition. It was slick looking, very graphical with most of things you want to do, had Java SE 5/6 preinstalled, and had everything that I was expecting from OpenBSD. But yet, after 2 hours of fooling around, I came back to OpenBSD. For one thing, it took me almost 1.5 hours to install Solaris, compare that to 30 minutes with OpenBSD, including 'packages', 'src' and 'ports'. The second thing was probably the knowledge that things are simple with OpenBSD, none of the complicated layouts thing as with Solaris. You could follow instructions from ancient books like Practical Unix and Internet Security - Second Edition to the T. Given all that, in spite of all the hammering I've taken over my comments, I'd prefer to stick with OpenBSD. Thanks to Theo and the core gang for delivering such a good, clean operating environment. Best, ~Mayuresh yeah, I've been doing some things with Solaris for work, it's stunned me that an OS can take most of DVD...and still be missing what I would call absolute basics that OpenBSD has on an install that fits in half of a CD. I know, deep down, Solaris is a very good OS, and inspires a lot of the work OpenBSD developers do, but man, it's got user interface features that were fixed in MS-DOS and CP/M decades ago, and What The Heck do you put on an entire DVD when it doesn't even have a C compiler or some very basic management tools... I think the conflict you saw is very much the CAUSE of the simplicity and usability of OpenBSD. Community or committee designed OSs are filled with compromise and bloat to keep all parties happy. You can feel it in most systems -- five different ways to do one task, three different applications for the same goal, etc.
You can just imagine people sitting around a room arguing over things, and eventually, a compromise is reached, and things get bigger, slower, and more bloated. If a better way of doing something comes up, there is fear of alienating users and developers if the old way is removed, so things get bigger and bigger. OpenBSD is the vision of one person. He's surrounded himself with a bunch of like-minded people, and they produce an OS the way they want it. Is it for everyone? Of course not. Usually, you will know pretty quickly if you agree with the design and philosophy or not. If not, there are plenty of alternatives out there. Funny thing is, I suspect most users of OpenBSD are happier with the results of having that small group of people make decisions about the direction of the project than they would be if the entire community had input on the direction of the project. Yes, every individual person would like it better if THEIR input (and only their input) steered the project, but I suspect few would be happier if EVERYONE'S input was blindly accepted and acted upon. Compromise is an interesting word. It sometimes seems to have widely different definitions -- there's what we are taught when young is the good sense, everyone giving-in a little for the better common good, and of course, the security compromise which is a very bad thing. However, I sometimes wonder about that good sense of the word...how often do we compromise on things we know are just plain wrong, just to avoid conflict or to make progress even when you know the progress is in the wrong direction. I guess you could call OpenBSD a no compromise OS for a number of definitions. :) So, when they say OpenBSD is written by the developers for the developers, my response is, Thank goodness.
:) I still love this quote: Some of the people working on OpenBSD are nit-picking, anal-retentive, pedantic, intolerant, fanatical, insistent, demanding and relentless: in other words, the perfect people to be crafting an operating system. (possibly from Rich Kulawiec, but I've not had much luck confirming that... and he's wrong: not some, ALL...) Nick.
Re: Remote Admin Card - Dell DRAC or HP ILO2 ?
Xavier Millihs-Lacroix wrote: Who wins in the OpenBSD world? DRAC (Dell Remote Admin Card) or iLo (HP's Integrated Lights Out) (or better ilo2) ? I prefer HP ILO. Both do more or less the same thing, but Dell seems to change their card interface every other week, and HP builds them into the system board on G3 and above. I see some problem with ILO2 on HP DL320 G5 (/G5p ?). You do? We need to be able to do 'quite' everything remotely (from installing (virtual floppy / cd / dvd) to exploitation). For the HP you'll need an ILO license. For the Dell you'll need a card. They both cost about the same thing. The HPs can share one of the gigabit NICs if you're short on ports and use VLANs.
Re: ssh_config, chroot, or user rights to restrict user access?
Henri Salo wrote: ... Where did you get this information? ... It's a question, hence the question mark. Not a statement of fact, hence the absence of a period. Serves me right for having two topics in the same message. The topic that is more interesting to me is getting group level access control into the examples. Applying acls at the group level makes it easier to manage larger userbases. AllowGroups is particularly great and I was psyched when it showed up last year. Match is more complex and may turn out to be more useful. It means extra privileges, such as TcpForwarding or X11Forwarding, can be granted for specific groups. Same for fine-tuning like in the example using ForceCommand. Regards, -Lars
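As an added illustration of the group-level controls Lars mentions (this is example configuration, not the thread's own and not from the OpenSSH examples): an sshd_config fragment that admits only the named groups with AllowGroups, locks down forwarding for everyone, and then uses Match blocks to widen privileges for one group and pin another to a single forced command. The group names and the forced command path are assumed.

```sshd_config
# sshd_config fragment (added example). Group names "shellusers", "devs"
# and "backup" and the path /usr/local/bin/backup-pull are assumptions.

# Only members of these groups may authenticate at all; anyone else is
# refused before per-group settings are even considered.  AllowGroups is a
# global directive and cannot be placed inside a Match block.
AllowGroups shellusers devs backup

# Conservative defaults for every account AllowGroups lets through.
AllowTcpForwarding no
X11Forwarding no

# Match blocks must follow all global directives.  Developers get the extra
# privileges; nobody else does.
Match Group devs
    AllowTcpForwarding yes
    X11Forwarding yes

# Backup accounts run one fixed command no matter what the client requests,
# so a leaked backup key cannot be turned into an interactive shell.
Match Group backup
    ForceCommand /usr/local/bin/backup-pull
```

Test a change with `sshd -t` before restarting, and keep in mind that each Match block applies only to the directives listed under it; anything not overridden there keeps the global value set above.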
Re: Remote Admin Card - Dell DRAC or HP ILO2 ?
On Thu, 21 Feb 2008 19:01:21 +0100 Xavier Millihs-Lacroix [EMAIL PROTECTED] wrote: Who wins in the OpenBSD world? DRAC (Dell Remote Admin Card) or iLo (HP's Integrated Lights Out) (or better ilo2) ? We're looking at new servers and are wondering if these are worth the cash, or which is the one to go for ? I see some problem with ILO2 on HP DL320 G5 (/G5p ?). We need to be able to do 'quite' everything remotely (from installing (virtual floppy / cd / dvd) to exploitation). I don't really see how this is related to openbsd, but ilo2 wins hands down to drac, but has a costly advanced license. Installing openbsd through ilo2 virtual cd works just fine btw. // nick
Re: There's something about OpenBSD...
On Feb 21, 2008, at 1:40 PM, Nick Holland wrote: Mayuresh Kathe wrote: What is it about OpenBSD that I can't resist it? yeah, I've been doing some things with Solaris for work, it's stunned me that an OS can take most of DVD...and still be missing what I would call absolute basics that OpenBSD has on an install that fits in half of a CD. I know, deep down, Solaris is a very good OS, and inspires a lot of the work OpenBSD developers do, but man, it's got user interface features that were fixed in MS-DOS and CP/M decades ago, and What The Heck do you put on an entire DVD when it doesn't even have a C compiler or some very basic management tools...

    Sun Microsystems Inc. SunOS 5.10 Generic January 2005
    -bash-3.00$ grep -r foo *
    grep: illegal option -- r
    Usage: grep -hblcnsviw pattern file . . .

Enough said. --- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: Remote Admin Card - Dell DRAC or HP ILO2 ?
On 2008/02/21 14:21, Steve Shockley wrote: Xavier Millihs-Lacroix wrote: Who wins in the OpenBSD world? DRAC (Dell Remote Admin Card) or iLo (HP's Integrated Lights Out) (or better ilo2) ? I prefer HP ILO. Both do more or less the same thing, but Dell seems to change their card interface every other week, and HP builds them into the system board on G3 and above. Whichever you choose, try and get something that doesn't share a NIC with the OS. I normally go for the time-honoured serial console to a box running conserver and a masterswitch though (on a separate lan: you don't really want this sort of thing, ILO/DRAC or masterswitch or IP KVM or whatever else, on your main lan unprotected).
Question about ports-stable
Are there any plans underway to resume ports-stable maintenance? I'm aware that maintaining ports-stable is not a project goal or high on the todo list. I'd like to volunteer to assist, but I'm not sure what is needed. Thanks.
Re: Remote Admin Card - Dell DRAC or HP ILO2 ?
I really like PXE too. But the servers to be administered remotely would be the firewalls (two in carp association). Xavier 2008/2/21, Jussi Peltola [EMAIL PROTECTED]: On Thu, Feb 21, 2008 at 07:01:21PM +0100, Xavier Millihs-Lacroix wrote: We need to be able to do 'quite' everything remotely (from installing (virtual floppy / cd / dvd) to exploitation). I prefer PXE booted bsd.rd and a serial console, with BIOS serial redirection it is quite close to a LOM module and does the things it can do extremely reliably.
Re: There's something about OpenBSD...
On Thu, Feb 21, 2008 at 2:30 PM, Jason Dixon [EMAIL PROTECTED] wrote: On Feb 21, 2008, at 1:40 PM, Nick Holland wrote: Mayuresh Kathe wrote: What is it about OpenBSD that I can't resist it? yeah, I've been doing some things with Solaris for work, it's stunned me that an OS can take most of DVD...and still be missing what I would call absolute basics that OpenBSD has on an install that fits in half of a CD. I know, deep down, Solaris is a very good OS, and inspires a lot of the work OpenBSD developers do, but man, it's got user interface features that were fixed in MS-DOS and CP/M decades ago, and What The Heck do you put on an entire DVD when it doesn't even have a C compiler or some very basic management tools... Sun Microsystems Inc. SunOS 5.10 Generic January 2005 -bash-3.00$ grep -r foo * grep: illegal option -- r Usage: grep -hblcnsviw pattern file . . . Enough said. --- Jason Dixon DixonGroup Consulting http://www.dixongroup.net Did you mean -R?
Re: Remote Admin Card - Dell DRAC or HP ILO2 ?
On Thu, Feb 21, 2008 at 07:50:52PM +, Stuart Henderson wrote: I normally go for the time-honoured serial console to a box running conserver and a masterswitch though (on a separate lan: you don't really want this sort of thing, ILO/DRAC or masterswitch or IP KVM or whatever else, on your main lan unprotected). And it's supposed to be out of band and not shared with the main network to be really useful when you need it. Serial consoles are easily accessed with a telephone modem connected to the console server, redundant networking is much more complex (and I'd say less foolproof). -- Jussi Peltola
Re: pkill.c warn when no such process
$ pkill bob; echo $? 1 $ Just live with it.. ;) Breaking compatibility just to convenience you... is not an option. -Nix Fan.
Re: Why does pf work with last matching rule wins
Vijay Sankar wrote: On February 21, 2008 05:19:54 am Guido Tschakert wrote: Hi, I wonder why pf works from top to bottom in filtering with last matching rule wins but in address translation from top to bottom with first matching rule wins. Sure, I can use quick on every rule in filtering to have first matching rule wins. Me thinks it would be better if both filtering and address translation worked the same (like first rule wins), but I think there are reasons to do it the pf way, but I don't see them. Any enlightenment for me? thanks guido To me (from a layman's perspective), it seems like first match wins is more logical for NAT and last match wins seems more correct for filtering. While writing NAT rules I have not had a situation where one NAT rule negates the previous rules. Whereas with filtering rules, you could conceivably have that issue. Also, since you have to use a filter to allow NAT (assuming you are not using rdr pass) to me, the current approach makes reading a pf.conf file easier. Anyways. FWIW, that is what I thought was the reasoning behind this approach. From the performance section of the openbsd.org PF FAQ: # Complexity and design of your rule set. The more complex your rule set, the slower it is. The more packets that are filtered by keep state and quick rules, the better the performance. The more lines that have to be evaluated for each packet, the lower the performance. I do use quick for all of my rule set. I come from Linux iptables, and for me it was hard to change my way of thinking. I couldn't change it entirely, and do use quick every time. I do this also because more people, who also come from iptables, also maintain the rule sets. Does anyone know of a tutorial or howto that focuses on this difference of first match wins vs. last match wins? I would happily start using the latter for writing my rule sets. This is a very interesting discussion, as the pf faq recommends using quick for better performance.
My 2 cents, -- Giancarlo Razzolini Linux User 172199 Red Hat Certified Engineer no:804006389722501 Moleque Sem Conteudo Numero #002 Slackware Current OpenBSD Stable Ubuntu 7.04 Feisty Fawn Snike Tecnologia em Informatica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: Remote Admin Card - Dell DRAC or HP ILO2 ?
You are right. I think I'll put a box like soekris in front of ILO ports to prevent hacks on the ILO. By this way I'll be able to push CD / floppy images to the HP's servers. During upgrade of the soekris box, I'll use the firewall server COM port and PXE if I should do a full reinstall. Xavier. 2008/2/21, Jussi Peltola [EMAIL PROTECTED]: On Thu, Feb 21, 2008 at 07:50:52PM +, Stuart Henderson wrote: I normally go for the time-honoured serial console to a box running conserver and a masterswitch though (on a separate lan: you don't really want this sort of thing, ILO/DRAC or masterswitch or IP KVM or whatever else, on your main lan unprotected). And it's supposed to be out of band and not shared with the main network to be really useful when you need it. Serial consoles are easily accessed with a telephone modem connected to the console server, redundant networking is much more complex (and I'd say less foolproof). -- Jussi Peltola
Re: There's something about OpenBSD...
Jason Dixon wrote: Sun Microsystems Inc. SunOS 5.10 Generic January 2005 -bash-3.00$ grep -r foo * grep: illegal option -- r Usage: grep -hblcnsviw pattern file . . . You are not using the default shell. :-) The ksh implementation that comes with solaris is horrible indeed. # Han
Re: ham,Re: ham,Re: Monitoring Bandwidth Usage, based on ports, service, client, etc.
On Sat, Feb 16, 2008 at 1:59 PM, Simon Slaytor [EMAIL PROTECTED] wrote: Sorry Richard, should have mentioned the RRD voodoo, hopefully Peter has set you on the right track. I never really liked the 'rough' graphs produced by the version of RRD Graph available from the packages collection. I've downloaded the latest 1.2.6 port version from openports.se and compiled and built this. I then tweak nfsen adding the RRD 'slope' and anti alias features, not exactly accurate but very pretty! What tweaks did you do as a tweak or is 1.2.6 worth the change alone? TIA!
Re: There's something about OpenBSD...
real men use find On Thu, Feb 21, 2008 at 02:30:30PM -0500, Jason Dixon wrote: On Feb 21, 2008, at 1:40 PM, Nick Holland wrote: Mayuresh Kathe wrote: What is it about OpenBSD that I can't resist it? yeah, I've been doing some things with Solaris for work, it's stunned me that an OS can take most of DVD...and still be missing what I would call absolute basics that OpenBSD has on an install that fits in half of a CD. I know, deep down, Solaris is a very good OS, and inspires a lot of the work OpenBSD developers do, but man, it's got user interface features that were fixed in MS-DOS and CP/M decades ago, and What The Heck do you put on an entire DVD when it doesn't even have a C compiler or some very basic management tools... Sun Microsystems Inc. SunOS 5.10 Generic January 2005 -bash-3.00$ grep -r foo * grep: illegal option -- r Usage: grep -hblcnsviw pattern file . . . Enough said. --- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: OpenBSD 4.2 with ftp-proxy, named, spamd on Alix2c1 board (+dmesg)
On Thu, 21 Feb 2008, Klaus Botschen wrote: Writing into /dev, /tmp and /var would definitely NOT destroy the CF card. Might be. I used non-industrial-grade CF cards, so the chance is of course higher. Yes, I did it. Just let /var run full and try to log a lot of stuff and you will write the same sector many times in a short period. Led to an unusable /var partition on a consumer SanDisk CF card. The card was pretty old, but I guess that there are a lot of low price CF cards out there that have no real wear level algorithm implemented. running for about half a year now, with all filesystems being regular That's fine. The machines that got replaced by the Alix board have been running for almost 5 years, and I hope that I don't need to touch the boards for several years. Putting /var on mfs is not such a bad idea if you got RAM to spare. Using rsync to write the changed files back on the CF card in fixed intervals and on shutdown should be ok. - just using noatime is fine; should the card die one day, new CF cards will be cheaper than a fart by then (and eight times as big, too). That might depend... I have the theory that if you are sysadmin, the machines feel when you are far away, and die exactly when you can't just drop in and repair them :) Nice theory, would explain some hardware faults I witnessed in the past :) Kind regards, Markus
Re: There's something about OpenBSD...
On Thu, Feb 21, 2008 at 01:40:28PM -0500, Nick Holland wrote: Mayuresh Kathe wrote: What is it about OpenBSD that I can't resist it? After the past long exchange about our ultimate goal and a lot of people advising me to go over to Solaris 10, I did, I removed OpenBSD from one of my machines and installed Solaris Express Developers Edition. It was slick looking, very graphical with most of things you want to do, had Java SE 5/6 preinstalled, and had everything that I was expecting from OpenBSD. But yet, after 2 hours of fooling around, I came back to OpenBSD. For one thing, it took me almost 1.5 hours to install Solaris, compare that to 30 minutes with OpenBSD, including 'packages', 'src' and 'ports'. The second thing was probably the knowledge that things are simple with OpenBSD, none of the complicated layouts thing as with Solaris. You could follow instructions from ancient books like Practical Unix and Internet Security - Second Edition to the T. Given all that, in spite of all the hammering I've taken over my comments, I'd prefer to stick with OpenBSD. Thanks to Theo and the core gang for delivering such a good, clean operating environment. Best, ~Mayuresh yeah, I've been doing some things with Solaris for work, it's stunned me that an OS can take most of DVD...and still be missing what I would call absolute basics that OpenBSD has on an install that fits in half of a CD. I know, deep down, Solaris is a very good OS, and inspires a lot of the work OpenBSD developers do, but man, it's got user interface features that were fixed in MS-DOS and CP/M decades ago, and What The Heck do you put on an entire DVD when it doesn't even have a C compiler or some very basic management tools... Solaris does have gcc and all the gnu stuff in the default install, you just have to add /usr/sfw/bin to your path ... and sometimes prefix some commands with 'g'. For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively with gnu grep (a worthless feature imho).
Re: There's something about OpenBSD...
Marco Peereboom wrote: real men use find or locate(1) Francesco
Re: There's something about OpenBSD...
On Thu, Feb 21, 2008 at 11:22:25PM +0200, [EMAIL PROTECTED] wrote: For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively with gnu grep (a worthless feature imho). Displaying the name of the file and the matched line nicely like grep -r does is not elegant with find + grep without using a script or a long and inelegant alias - or if it is, I'd be interested in how it can be done in case I need to work on some ancient unix. -- Jussi Peltola
Re: Why does pf work with last matching rule wins
On Thursday, February 21, 2008, 12:11:27, Darrin Chandler wrote: On Thu, Feb 21, 2008 at 10:50:50AM -0500, Rod Dorman wrote: ... When I'm working with a Cisco IOS access-list I find it's much easier to state each specific allow routing to this port on this host and let the final deny any catch and reject the remainder. Yes, but you have to read the entire Cisco rule set to know that. Well not really, there's an implied deny any at the end (although most people put one there anyway as a reminder) -- Rod Dorman [EMAIL PROTECTED] "The avalanche has already started, it is too late for the pebbles to vote." - Ambassador Kosh
Re: Why does pf work with last matching rule wins
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrin Chandler Sent: Friday, 22 February 2008 12:52 AM To: Guido Tschakert Cc: OpenBSD Misc Subject: Re: Why does pf work with last matching rule wins [snip] Don't use quick that way. If you can't stand the way PF works it would be better to use something else. Using PF as intended will let you have normal conversations, look at example rules, &c., &c. One good reason for last match wins is that the rules proceed from most general to most specific. This is a normal way for humans to think, and once you get used to it I bet you like it better. For me it makes it easier to read, write, and maintain rules than using the first-match way of listing all exceptions without knowing the general (or default) case. To be honest, I think the opposite is the case. From my point of view, reading through a rule set having to keep in mind all previous matching rules to decide the fate of a particular packet is a headache. And you have to read all of the rules not just up to the first match. But I would never ask to change the default behaviour, because I can do it my way with the quick keyword. Everyone is happy! OpenBSD pf rocks!
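The two evaluation orders argued over in this thread, as an added example that is not part of the list discussion and not pf(4) code: a toy model of pf's filter rule walk ("last matching rule wins", cut short only by quick), run over three constructed rulesets, including the iptables-style ordering that silently blocks everything when quick is omitted. Rule fields, hostnames and ports are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum action { PASS = 0, BLOCK = 1 };

/* A constructed packet: only the fields the toy rules look at. */
struct packet {
    const char *proto;   /* "tcp" or "udp" */
    const char *dst;     /* destination host label */
    int dport;           /* destination port */
};

/* A toy pf filter rule; NULL or 0 means "any". */
struct rule {
    enum action act;
    bool quick;          /* pf's quick: stop evaluating on match */
    const char *proto;
    const char *dst;
    int dport;
};

static bool rule_matches(const struct rule *r, const struct packet *p)
{
    if (r->proto && strcmp(r->proto, p->proto) != 0) return false;
    if (r->dst && strcmp(r->dst, p->dst) != 0) return false;
    if (r->dport && r->dport != p->dport) return false;
    return true;
}

/* pf filter semantics: walk top to bottom, the last matching rule decides,
 * unless a matching rule carries quick, which ends evaluation right there.
 * Returns the index of the deciding rule, or -1 if nothing matched
 * (pf's implicit default for an unmatched packet is pass). */
int pf_evaluate(const struct rule *rules, size_t n, const struct packet *p,
                enum action *decision)
{
    int last = -1;
    for (size_t i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], p)) continue;
        last = (int)i;
        if (rules[i].quick) break;
    }
    *decision = (last < 0) ? PASS : rules[last].act;
    return last;
}

enum action decide(const struct rule *rules, size_t n,
                   const char *proto, const char *dst, int dport)
{
    struct packet p = { proto, dst, dport };
    enum action a;
    pf_evaluate(rules, n, &p, &a);
    return a;
}

/* Ruleset 1, the pf idiom: general rule first, exceptions after it.
 *     block all
 *     pass proto tcp to www port 80                                   */
const struct rule general_first[] = {
    { BLOCK, false, NULL,  NULL,  0  },
    { PASS,  false, "tcp", "www", 80 },
};
const size_t general_first_n = 2;

/* Ruleset 2, the iptables habit transplanted without quick:
 *     pass proto tcp to www port 80
 *     block all
 * "block all" also matches the web packet and, being last, wins.     */
const struct rule specific_first[] = {
    { PASS,  false, "tcp", "www", 80 },
    { BLOCK, false, NULL,  NULL,  0  },
};
const size_t specific_first_n = 2;

/* Ruleset 3, the same order made first-match with quick:
 *     pass quick proto tcp to www port 80
 *     block quick all                                                 */
const struct rule specific_first_quick[] = {
    { PASS,  true, "tcp", "www", 80 },
    { BLOCK, true, NULL,  NULL,  0  },
};
const size_t specific_first_quick_n = 2;

int main(void)
{
    const char *name[] = { "pass", "block" };
    printf("general first, tcp www:80  -> %s\n",
           name[decide(general_first, general_first_n, "tcp", "www", 80)]);
    printf("specific first, no quick   -> %s\n",
           name[decide(specific_first, specific_first_n, "tcp", "www", 80)]);
    printf("specific first, with quick -> %s\n",
           name[decide(specific_first_quick, specific_first_quick_n,
                       "tcp", "www", 80)]);
    return 0;
}
```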
Cold Boot Attacks on Encryption Keys
Little blog: http://citp.princeton.edu/memory/ Paper: http://citp.princeton.edu.nyud.net/pub/coldboot.pdf Well some months ago I asked (not here.. more directly) if it would be possible to overwrite memory several times in case the box has nothing to do. Back then there was like no interest because it was no risk not to do it. It's no bashing thread. I just wanna bring this to the broad attention that simply turning OFF the PC won't magically kill all your PWs which lay around in the RAM. :-) My suggestion is to overwrite memory like 3 times if a program frees the memory or if a reboot is commanded via the shell. Of course this harms old boxes but it's still better than losing your SSH-Key or whatever resides in your ram. Furthermore OpenBSD could overwrite periodically unused ram to ensure such data gets removed. The only place where this could happen is in the Kernel. Also a modified lib* may help (f.e. modified free()?)? I'm no developer but I would be happy to read about solutions, concepts or ideas even if none gets implemented. :-) Kind regards, Sebastian
Re: Cold Boot Attacks on Encryption Keys
Someone please send me some coffee; I can't stay awake. Somehow I knew some moron would send it to the list. I honestly guessed the person right. Let me give you an engineering opinion: bwahahahahahaha this is retarded. On Feb 21, 2008, at 4:55 PM, [EMAIL PROTECTED] wrote: Little blog: http://citp.princeton.edu/memory/ Paper: http://citp.princeton.edu.nyud.net/pub/coldboot.pdf Well some months ago I asked (not here.. more directly) if it would be possible to overwrite memory several times in case the box has nothing to do. Back then there was like no interest because it was no risk not to do it. It's no bashing thread. I just wanna bring this to the broad attention that simply turning OFF the PC won't magically kill all your PWs which lay around in the RAM. :-) My suggestion is to overwrite memory like 3 times if a program frees the memory or if a reboot is commanded via the shell. Of course this harms old boxes but it's still better than losing your SSH-Key or whatever resides in your ram. Furthermore OpenBSD could overwrite periodically unused ram to ensure such data gets removed. The only place where this could happen is in the Kernel. Also a modified lib* may help (f.e. modified free()?)? I'm no developer but I would be happy to read about solutions, concepts or ideas even if none gets implemented. :-) Kind regards, Sebastian
Re: Cold Boot Attacks on Encryption Keys
On Thu, Feb 21, 2008 at 11:55:39PM +0100, [EMAIL PROTECTED] wrote: My suggestion is to overwrite memory like 3 times if a program frees the memory or if a reboot is commanded via the shell. Of course this harms old boxes but it's still better than losing your SSH-Key or whatever resides in your ram. How about a sysctl to turn that on. It will be terribly slow for users who do not require that level of security. -- Best Regards Edd http://students.dec.bmth.ac.uk/ebarrett
Re: There's something about OpenBSD...
On Thu, Feb 21, 2008 at 11:22:25PM +0200, [EMAIL PROTECTED] wrote: Yes quite, it's all there but in odd places. Also note that make is in /usr/ccs/bin The thing that put me off sx developer edition is that it requires a whopping 760MB of RAM for install. Solaris 10 and Solaris Express and Indiana and all the other confusing marketing names do not use as much ram thank lord. -- Best Regards Edd http://students.dec.bmth.ac.uk/ebarrett
Re: Cold Boot Attacks on Encryption Keys
The paper you mentioned has some info on possible countermeasures. The best (IMO) is physically securing your RAM. This seems to fit in best with OpenBSD's philosophy, which has never been to put much time into thwarting attacks that require physical access to the box -- if you have that, there are MANY avenues of attack, most of which don't benefit much from immersing components in liquid N_2. Marti On Thu, Feb 21, 2008 at 3:55 PM, [EMAIL PROTECTED] wrote: Little blog: http://citp.princeton.edu/memory/ Paper: http://citp.princeton.edu.nyud.net/pub/coldboot.pdf Well some months ago I asked (not here.. more directly) if it would be possible to overwrite memory several times in case the box has nothing to do. Back then there was like no interest because it was no risk not to do it. It's no bashing thread. I just wanna bring this to the broad attention that simply turning OFF the PC won't magically kill all your PWs which lay around in the RAM. :-) My suggestion is to overwrite memory like 3 times if a program frees the memory or if a reboot is commanded via the shell. Of course this harms old boxes but it's still better than losing your SSH-Key or whatever resides in your ram. Furthermore OpenBSD could overwrite periodically unused ram to ensure such data gets removed. The only place where this could happen is in the Kernel. Also a modified lib* may help (f.e. modified free()?)? I'm no developer but I would be happy to read about solutions, concepts or ideas even if none gets implemented. :-) Kind regards, Sebastian -- Systems Programmer, Principal Electrical Computer Engineering The University of Arizona [EMAIL PROTECTED]
Re: There's something about OpenBSD...
On Thu, Feb 21, 2008 at 5:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote: Displaying the name of the file and the matched line nicely like grep -r does is not elegant with find + grep without using a script or a long and inelegant alias - or if it is, I'd be interested in how it can be done in case I need to work on some ancient unix. Never used -r so I'm not sure what the output looks like but how about: find . -type f -exec grep something {} /dev/null \; -N
Re: There's something about OpenBSD...
What's wrong with: find . -name *.[ch] -exec grep blah {} \; -print On Feb 21, 2008, at 4:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote: On Thu, Feb 21, 2008 at 11:22:25PM +0200, [EMAIL PROTECTED] wrote: For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively with gnu grep (a worthless feature imho). Displaying the name of the file and the matched line nicely like grep -r does is not elegant with find + grep without using a script or a long and inelegant alias - or if it is, I'd be interested in how it can be done in case I need to work on some ancient unix. -- Jussi Peltola
Re: There's something about OpenBSD...
On Thu, Feb 21, 2008 at 06:15:32PM -0500, Nick Bender wrote: On Thu, Feb 21, 2008 at 5:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote: Displaying the name of the file and the matched line nicely like grep -r does is not elegant with find + grep without using a script or a long and inelegant alias - or if it is, I'd be interested in how it can be done in case I need to work on some ancient unix. Never used -r so I'm not sure what the output looks like but how about: find . -type f -exec grep something {} /dev/null \; Holy crap people, it was just an example. Believe it or not, I know alternatives to recursive grep on Solaris. -J.
Re: Cold Boot Attacks on Encryption Keys
On 2/21/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: My suggestion is to overwrite memory like 3 times if a program frees the memory or if a reboot is commanded via the shell. Of course this harms old boxes but it's still better than losing your SSH-Key or whatever resides in your ram. 1. what happens when the bad people pull the plug on a running computer? 2. how long do the bad people have to read your memory after you turn it off?
Re: Cold Boot Attacks on Encryption Keys
On Thu, Feb 21, 2008 at 05:19:28PM -0600, Marco Peereboom wrote: Let me give you an engineering opinion: bwahahahahahaha this is retarded. Well, let me give you another engineering opinion based on actual experience working on a machine with a custom graphics system - it is not 100% reliable but DRAM can show a surprising amount of remanence even without power/refresh. We used to see parts of the display come up even after the machine had been down for hours. -- Brett Lymn Warning: The information contained in this email and any attached files is confidential to BAE Systems Australia. If you are not the intended recipient, any use, disclosure or copying of this email or any attachments is expressly prohibited. If you have received this email in error, please notify us immediately. VIRUS: Every care has been taken to ensure this email and its attachments are virus free, however, any loss or damage incurred in using this email is not the sender's responsibility. It is your responsibility to ensure virus checks are completed before installing any data sent in this email to your computer.
Re: There's something about OpenBSD...
On Fri, Feb 22, 2008 at 12:08:54AM +0200, Jussi Peltola wrote: On Thu, Feb 21, 2008 at 11:22:25PM +0200, [EMAIL PROTECTED] wrote: For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively with gnu grep (a worthless feature imho). Displaying the name of the file and the matched line nicely like grep -r does is not elegant with find + grep without using a script or a long and inelegant alias - or if it is, I'd be interested in how it can be done in case I need to work on some ancient unix. $ find DIR -type f -print0 | xargs -0 grep PATTERN which, unlike 'find ... -exec' is just as fast as 'grep -r', and unlike 'grep -r', will skip special devices, symlinks, etc.
Re: There's something about OpenBSD...
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jussi Peltola Sent: Friday, 22 February 2008 8:39 AM To: misc@openbsd.org Subject: Re: There's something about OpenBSD... On Thu, Feb 21, 2008 at 11:22:25PM +0200, [EMAIL PROTECTED] wrote: For instance 'ggrep -r ...' instead of 'grep -r ...' to search recursively with gnu grep (a worthless feature imho). Displaying the name of the file and the matched line nicely like grep -r does is not elegant with find + grep without using a script or a long and inelegant alias - or if it is, I'd be interested in how it can be done in case I need to work on some ancient unix. % find / -name '*.txt' -exec grep foo {} /dev/null \;
Re: Cold Boot Attacks on Encryption Keys
On 2/21/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: My suggestion is to overwrite memory like 3 times if a program frees the memory or if a reboot is commanded via the shell. Of course this harms old boxes but it's still better than losing your SSH-Key or whatever resides in your ram. 1. what happens when the bad people pull the plug on a running computer? Well that's why I personally mentioned a modified library or the kernel which could overwrite the RAM 3 times or so in case it has nothing to do. Maybe there won't be a solution which solves everything but it's a fact that most applications are written in a lazy way... so there's more information stored into the ram than needed. At least this could get reduced I think.. 2. how long do the bad people have to read your memory after you turn it off? How long do you need to search the memory? Not every OS blocks root from reading the memory so a simple grep or so may would just take 1 second? *hopefully I got your question correctly..* Kind regards, Sebastian
Re: Cold Boot Attacks on Encryption Keys
And the power plug wasn't plugged in right? On Fri, Feb 22, 2008 at 10:45:56AM +1030, Brett Lymn wrote: On Thu, Feb 21, 2008 at 05:19:28PM -0600, Marco Peereboom wrote: Let me give you an engineering opinion: bwahahahahahaha this is retarded. Well, let me give you another engineering opinion based on actual experience working on a machine with a custom graphics system - it is not 100% reliable but DRAM can show a surprising amount of remanence even without power/refresh. We used to see parts of the display come up even after the machine had been down for hours. -- Brett Lymn
Re: Cold Boot Attacks on Encryption Keys
On Thu, Feb 21, 2008 at 07:12:58PM -0600, Marco Peereboom wrote: And the power plug wasn't plugged in right? Correct. We are not talking PC DRAM here - this was custom hardware with a circuit breaker that really cut power to everything. Often when you powered it up before the firmware got around to forcing a clear on the display ram (yes, the display ram was DRAM) you could clearly see parts of the display. To be honest it surprised the hell out of me the first time I saw it too. -- Brett Lymn
Re: Cold Boot Attacks on Encryption Keys
On Thursday 21 February 2008 19:15:56 Brett Lymn wrote: On Thu, Feb 21, 2008 at 05:19:28PM -0600, Marco Peereboom wrote: Let me give you an engineering opinion: bwahahahahahaha this is retarded. Well, let me give you another engineering opinion based on actual experience working on a machine with a custom graphics system - it is not 100% reliable but DRAM can show a surprising amount of remanence even without power/refresh. We used to see parts of the display come up even after the machine had been down for hours. Please let's not pummel Theo with this directly. As far as this goes, I'll point out once that you have to have physical ownership of the laptop to do this, and if so, all bets are off. If one has really really critical data on a laptop that goes into the outside world, they should be shot. Truly sensitive data should only go out into the world encrypted as a backup, NOT on some random laptop! The research is very interesting, but it doesn't apply to OpenBSD. --STeve Andre'
Re: Cold Boot Attacks on Encryption Keys
On Thursday 21 February 2008, Marti Martinez wrote: The paper you mentioned has some info on possible countermeasures. The best (IMO) is physically securing your RAM. This seems to fit in best with OpenBSD's philosophy, which has never been to put much time into thwarting attacks that require physical access to the box -- if you have that, there are MANY avenues of attack, most of which don't benefit much from immersing components in liquid N_2. Certainly someone with physical access can do just about anything which is very possible to succeed. If you have a laptop physical protection is pretty key. It all comes back to Schneier's balance. Security vs ease of use/practicality. Stealing a server or desktop that has very valuable information should not be an easy option. It would NEVER go into a laptop. In the end it's good to know they can recover data from your RAM but in reality it will not affect many of us. Unless they could recover it hours later it's only going to be a problem in an organized attack. At which point it falls right back to physical security. -- Steve Szmidt They that would give up essential liberty for temporary safety deserve neither liberty nor safety. Benjamin Franklin
Re: Cold Boot Attacks on Encryption Keys
I really have a hard time buying this. I can see how you ended up with some crap in that memory upon reboot but I fail to see how that memory could retain its contents. Not knowing the situation you might have had some huge caps on that machine; or even battery backed up ram. This combined with low power mode content can be stored for days (we do that on RAID cards). But that is also ram that does not require a clock to retain its contents. On Fri, Feb 22, 2008 at 11:50:06AM +1030, Brett Lymn wrote: On Thu, Feb 21, 2008 at 07:12:58PM -0600, Marco Peereboom wrote: And the power plug wasn't plugged in right? Correct. We are not talking PC DRAM here - this was custom hardware with a circuit breaker that really cut power to everything. Often when you powered it up before the firmware got around to forcing a clear on the display ram (yes, the display ram was DRAM) you could clearly see parts of the display. To be honest it surprised the hell out of me the first time I saw it too. -- Brett Lymn
Re: Cold Boot Attacks on Encryption Keys
[EMAIL PROTECTED] writes: My suggestion is to overwrite memory like 3 times if a program frees the memory or if a reboot is commanded via the shell. Of course this harms old boxes but it's still better than losing your SSH-Key or whatever resides in your ram. If someone has physical control of your machine while it is active you have zero security. Doing a memory overwrite in the background is not going to help. Accept that. If I can remove the case to get access to the memory to freeze it before chopping power I can also attach bus analyzers that watch and log every memory access. If I've a log of what was written to memory wiping the actual memory later does NOT help. Not at all! RAM keeps the information partly for MINUTES! It's not a real race condition or so... it's about physics and electricity. And you're right about the bus analyzer but that's a pretty uncommon device. I think it's a lot easier to get the RAM and analyze it than to use a bus analyzer. Not everybody owns a bus analyzer but mostly anybody owns a MB compatible to your memory modules... Think about bigger networks! Do you know ANY device which has NO RAM? Even a simple client-PC which boots via network has RAM. And in universities or so with about 129k users you just can't ensure that NOBODY turns off the PC, gets the RAM, reads your SSH key and turns the PC on again (just in case you might have used it before this brave student..)... You could do this in like 10 minutes (max!). If you keep in mind that if you break into a bank the cops have a time window of about 15 minutes what do you seriously expect in universities? A swat-team in every pc pool? :-/ And a university is just one example. Another is a centrally managed global operating company where you just can't watch the VPN router or whatever 24/7 and where it's common that at least one provider has any issues a month. Of course the problem can't get solved with a 2-line patch or so.
But it could be a good start if critical applications like ssh-agent or so would overwrite the memory they used (if no lib* change is planned). As I said already from my point of view a modified free() would solve the issue (and it would be transparent to ANY software) or a change in the kernel. Kind regards, Sebastian
Re: Cold Boot Attacks on Encryption Keys
Well Marco just fuck you and piss off...ok? If you don't care stfu and do something else and let people talk who may care about physical things. And physical in the meaning of something related to physics... (just in case you don't know it's the thing you may have missed in school...) Or why don't you just fix pcre or some other issues which are still present in OpenBSD instead of nerving me with pretty unproductive comments? And it's no shame to know nothing about physics! That's why universities exist.. even in your city.. I'm sure. So seriously: if you've any productive or critical comment feel free to post it, just stop bitching 'cause it does not help/solve anything except wasting YOUR bandwidth.. right? Right... :)

Kind regards, Sebastian

p.s. And you'll be the last who can claim that there are trolls on the oBSD mailing list... you're a pretty nice example so I recommend that every zoo should have one or two of your kind. So did we exchange enough greetings now? Then we might go back to the roots... thanks.
Re: Cold Boot Attacks on Encryption Keys
> The paper you mentioned has some info on possible countermeasures. The best (IMO) is physically securing your RAM. This seems to fit in best with OpenBSD's philosophy, which has never been to put much time into thwarting attacks that require physical access to the box -- if you have that, there are MANY avenues of attack, most of which don't benefit much from immersing components in liquid N_2.
> Marti

Then we could drop the whole encryption framework, or? Why encrypt PWs? Nobody could crack the PWs if they don't have physical access.. why encrypt the HDDs or use IPSec? It's all about physical security so why does OpenBSD care? I don't think it's that easy and I don't really agree with your point of view. From my point of view OpenBSD does a lot to help keep things secure even if the physical security was broken (a thief, a bad admin or whatever..). Of course there are many kinds of attack but if somebody shuts down your box and reads the info from your memory there's something we can do about it: overwriting.

Tell me how to ensure physical security in bigger networks?! Should I simply shoot each user or just torture 'em? :-) I don't talk about a 50+ company where you know everybody but more about 1k+ up to 130k users and more. For privacy it would be great to overwrite everything! But this slows down the whole stuff too...

Well my opinion is still: if you modify the libs so that a call of free() involves overwriting the memory, all applications would transparently use it. This would mean there's no need for a kernel patch which overwrites free memory. But what if an application does not use free() before it gets terminated? In this case the information would still lie around in the memory.. if I'm wrong please correct me.. it's just that a slowdown is needed to solve this (even partly).

Kind regards, Sebastian
Re: Cold Boot Attacks on Encryption Keys
STeve Andre' wrote:
> The research is very interesting, but it doesn't apply to OpenBSD.
> --STeve Andre'

Why doesn't it apply to OpenBSD? And secondly, would vnd devices be affected by this kind of attack? I particularly believe that this could be done; I also saw those kinds of display dumps with some video cards that have DRAM memory. Better never leave my crypt disk open any more. But there is a feature in truecrypt that I believe can defeat this. It can use a file in conjunction with the password. The attacker can successfully guess the password, but without knowing the file used, it would be pointless. The only problem is if tc keeps the filename also in memory :(. Will investigate this matter.

My regards,
-- Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current, OpenBSD Stable, Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: Cold Boot Attacks on Encryption Keys
[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] writes:
> > > My suggestion is to overwrite memory like 3 times if a program frees the memory or if a reboot is commanded via the shell. Of course this harms old boxes but it's still better than losing your SSH key or whatever resides in your RAM.
> > If someone has physical control of your machine while it is active you have zero security. Doing a memory overwrite in the background is not going to help. Accept that. If I can remove the case to get access to the memory to freeze it before chopping power I can also attach bus analyzers that watch and log every memory access. If I've a log of what was written to memory wiping the actual memory later does NOT help.
> Not at all! RAM keeps the information partly for MINUTES! It's not a real race condition or so... it's about physics and electricity. And you're right about the bus analyzer but that's a pretty uncommon device. I think it's a lot easier to get the RAM and analyze it than to use a bus analyzer. Not everybody owns a bus analyzer but mostly anybody owns a MB compatible to your memory modules...
> Think about bigger networks! Do you know ANY device which has NO RAM? Even a simple client PC which boots via network has RAM. And in universities or so with about 129k users you just can't ensure that NOBODY turns off the PC, gets the RAM, reads ya SSH key and turns the PC on again (just in case you might have used it before this brave student..)... You could do this in like 10 minutes (max!). If you keep in mind that if you break into a bank the cops have a time window of about 15 minutes what do you seriously expect in universities? A SWAT team in every PC pool? :-/ And a university is just one example. Another is a centrally managed global operating company where you just can't watch the VPN router or whatever 24/7 and where it's common that at least one provider has some issues a month.
> Of course the problem can't get solved with a 2-line patch or so. But it could be a good start if critical applications like ssh-agent or so would overwrite the memory they used (if no lib* change is planned). As I said already, from my point of view a modified free() may solve the issue (and it would be transparent to ANY software) or a change in the kernel.
> Kind regards, Sebastian

I believe this isn't as good as it sounds. Because the thief won't steal the laptop while you are using it, or give it the chance to nicely power down and overwrite the memory. He/she will simply turn the computer directly off and read the memory. This feature on OpenBSD would be nice from the paranoid point of view. But it will be a waste of code in my opinion. Even if it's simple (which I guess isn't very simple).

My 2 cents,
-- Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current, OpenBSD Stable, Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: Cold Boot Attacks on Encryption Keys
On Fri, Feb 22, 2008 at 02:22:45AM +0100, [EMAIL PROTECTED] wrote:
> Well Marco just fuck you and piss off...ok?

I would love to but you make me reply every single time you post this type of uninteresting shit.

> If you don't care stfu and do something else and let people talk who may care about physical things. And physical in the meaning of something related to physics... (just in case you don't know it's the thing you may have missed in school...) Or why don't you just fix pcre or some other issues which are still present in OpenBSD instead of nerving me with pretty unproductive comments?

I would leave anything broken just to piss you off. Really.

> And it's no shame to know nothing about physics! That's why universities exist.. even in your city.. I'm sure.

Right, you totally know my credentials so you totally can assert my scholastic achievements.

> So seriously: if you've any productive or critical comment feel free to post it, just stop bitching 'cause it does not help/solve anything except wasting YOUR bandwidth.. right? Right... :)

I have all kinds of productive comments, you just don't listen. This is not interesting. It is a neat trick and it ends right there.

> Kind regards, Sebastian
> p.s. And you'll be the last who can claim that there are trolls on the oBSD mailing list... you're a pretty nice example so I recommend that every zoo should have one or two of your kind.

You are a living trolling legend on misc and undeadly. Quite frankly most people are sick and tired of your antics. You were quiet for a while and we liked that. Maybe you should try that again.

> So did we exchange enough greetings now? Then we might go back to the roots... thanks.

The roots of trolling?
Re: Remote syslog
Terrific! Thanks to all who responded.
Re: There's something about OpenBSD...
On Thu, Feb 21, 2008 at 07:26:29PM -0500, Jason Dixon wrote:
> On Thu, Feb 21, 2008 at 06:15:32PM -0500, Nick Bender wrote:
> > On Thu, Feb 21, 2008 at 5:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote:
> > Never used -r so I'm not sure what the output looks like but how about: find . -type f -exec grep something {} /dev/null \;
> Holy crap people, it was just an example. Believe it or not, I know alternatives to recursive grep on Solaris.

I've heard of something having everything but the kitchen sink, but a Heavenly version of backup software? :)

Doug.
Re: Cold Boot Attacks on Encryption Keys
On Thu, Feb 21, 2008 at 6:41 PM, [EMAIL PROTECTED] wrote:
> > The paper you mentioned has some info on possible countermeasures. The best (IMO) is physically securing your RAM. This seems to fit in best with OpenBSD's philosophy, which has never been to put much time into thwarting attacks that require physical access to the box -- if you have that, there are MANY avenues of attack, most of which don't benefit much from immersing components in liquid N_2.
> > Marti
> Then we could drop the whole encryption framework, or? Why encrypt PWs? Nobody could crack the PWs if they don't have physical access.. why encrypt the HDDs or use IPSec? It's all about physical security so why does OpenBSD care?

Sebastian,

First off, I was not trying to be combative. I was trying to be realistic, however, which you clearly are not; IPSec and the encryption framework are all about physical protection? I think not.

I am not against the other countermeasures described by these researchers; however, the performance hit of three extra load instructions on every memory location free()'d (as you suggested) would not be trivial, and would mostly be a waste of time; most memory on the 1000's of desktops you have in an enterprise is not storing hyper-sensitive data. I think that applications which are storing crypto keys should take responsibility to overwrite them as soon as practical, though even this wouldn't completely solve this problem. As you noted, a modification to free() wouldn't either. However, my point here is that applications can do this FAR more effectively than the OS can, with no drawbacks whatsoever (other than the possibility that something will be overlooked; however, a fault in the kernel would be far more dangerous, and if you can't trust your security developers to take basic precautions, why would you be using their software anyhow?)

Security is part of a balancing act, with usability, performance and cost as counterweights. If your organization has 1000's of desktops with sensitive data floating around, you might want to look at taking a more holistic approach to security, and yes, users who let people take ram out of a system seconds after shutting it down should indeed be shot and/or tortured.

Cheers, Marti

> I don't think it's that easy and I don't really agree with your point of view. From my point of view OpenBSD does a lot to help keep things secure even if the physical security was broken (a thief, a bad admin or whatever..). Of course there are many kinds of attack but if somebody shuts down your box and reads the info from your memory there's something we can do about it: overwriting.
> Tell me how to ensure physical security in bigger networks?! Should I simply shoot each user or just torture 'em? :-) I don't talk about a 50+ company where you know everybody but more about 1k+ up to 130k users and more. For privacy it would be great to overwrite everything! But this slows down the whole stuff too...
> Well my opinion is still: if you modify the libs so that a call of free() involves overwriting the memory, all applications would transparently use it. This would mean there's no need for a kernel patch which overwrites free memory. But what if an application does not use free() before it gets terminated? In this case the information would still lie around in the memory.. if I'm wrong please correct me.. it's just that a slowdown is needed to solve this (even partly).
> Kind regards, Sebastian

-- Systems Programmer, Principal
Electrical Computer Engineering
The University of Arizona
[EMAIL PROTECTED]
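As an added illustration of the application-side wipe Marti argues for (and of Sebastian's worry about memory that is never passed to free()), here is example C that is not from the thread or from OpenBSD: key material is zeroed before free() and before a stack frame is popped, using a volatile store so the compiler cannot drop the wipe as a dead store. OpenBSD's explicit_bzero(3) does the same job; the portable secure_wipe() helper, the constructed key bytes and the toy use_key() checksum are assumptions of this example.

```c
/* Added example, not code from the list thread or from OpenBSD. Shows a
 * key whose lifetime is bounded by the application: allocate, use, wipe,
 * release. Wiping happens in the application, as Marti suggests, instead
 * of relying on free() to do it. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32

/* Portable stand-in for explicit_bzero(3): a plain memset() before free()
 * or return is a dead store the optimizer may remove; volatile writes are
 * not removable, so the zeros really reach RAM. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte of buf is zero, so a caller can confirm a wipe. */
int buffer_is_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Constructed key bytes standing in for a real secret (e.g. what an agent
 * would hold); deterministic so the result is checkable. */
static void load_constructed_key(unsigned char key[KEY_LEN])
{
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(0xA5 ^ (i * 7));
}

/* Toy use of the key (rotate-and-xor fold), NOT a real MAC: it only makes
 * the key live so the compiler cannot discard it as unused. */
static uint32_t use_key(const unsigned char key[KEY_LEN],
                        const unsigned char *msg, size_t len)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc = ((acc << 5) | (acc >> 27)) ^ key[i % KEY_LEN] ^ msg[i];
    return acc;
}

/* Heap case: wipe before free(), not instead of it. The wiped bytes are
 * copied to out_wiped so a caller can see what free() was handed. */
uint32_t sign_and_wipe(const unsigned char *msg, size_t len,
                       unsigned char out_wiped[KEY_LEN])
{
    unsigned char *key = malloc(KEY_LEN);
    if (key == NULL)
        return 0;
    load_constructed_key(key);
    uint32_t tag = use_key(key, msg, len);
    secure_wipe(key, KEY_LEN);
    memcpy(out_wiped, key, KEY_LEN);
    free(key);
    return tag;
}

/* Stack case: a frame is never free()d, so a free()-based overwrite could
 * never reach it; the bytes persist in RAM until something overwrites
 * them. Wiping before return closes that gap. */
uint32_t sign_stack_and_wipe(const unsigned char *msg, size_t len,
                             unsigned char out_wiped[KEY_LEN])
{
    unsigned char key[KEY_LEN];
    load_constructed_key(key);
    uint32_t tag = use_key(key, msg, len);
    secure_wipe(key, KEY_LEN);
    memcpy(out_wiped, key, KEY_LEN);
    return tag;
}
```

Neither function helps with a key that is in use at the instant power is cut, which is the case Doug and Giancarlo raise; bounding key lifetime only shrinks that window.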
Re: Cold Boot Attacks on Encryption Keys
On Fri, Feb 22, 2008 at 9:22 AM, [EMAIL PROTECTED] wrote:
> So seriously: if you've any productive or critical comment feel free to post it, just stop bitching 'cause it does not help/solve anything except wasting YOUR bandwidth.. right? Right... :)

I guess he's just too busy actually writing code. You know, contributing to the project in a constructive and meaningful way.

--- Lars Hansson
Re: Cold Boot Attacks on Encryption Keys
On Fri, Feb 22, 2008 at 02:41:40AM +0100, [EMAIL PROTECTED] wrote:
> Of course there are many kinds of attack but if somebody shuts down your box and reads the info from your memory there's something we can do about it: overwriting.
> Well my opinion is still: if you modify the libs so that a call of free() involves overwriting the memory, all applications would transparently use it. This would mean there's no need for a kernel patch which overwrites free memory. But what if an application does not use free() before it gets terminated? In this case the information would still lie around in the memory.. if I'm wrong please correct me.. it's just that a slowdown is needed to solve this (even partly).

Perhaps the ideal solution would be a hardware solution for people paranoid enough to need it. A SIMM that goes between the MB and the memory that, when MB power is lost, has its own backup battery and will immediately overwrite the memory on main power failure.

If the threat is that someone will come along and pull the power on a box and grab the memory, then having the OS overwrite memory whenever it is freed doesn't address the memory in use at the time the power is pulled. I suppose you could have a daemon going along wiping unused memory when the system is idle without slowing down the system much (make it very nice?), but it doesn't deal with in-use memory just before power down.

I don't suppose the hardware memory controller either on the CPU or the chipset is at all programmable? It sounds like the ideal place to put this.

Doug.
Re: Cold Boot Attacks on Encryption Keys
On Fri, Feb 22, 2008 at 9:33 AM, [EMAIL PROTECTED] wrote:
> Not at all! RAM keeps the information partly for MINUTES! It's not a real race condition or so... it's about physics and electricity.

Wow! For minutes! While the research is interesting the chances of actually being a victim to this are pretty damn slim in practice.

> Think about bigger networks! Do you know ANY device which has NO RAM? Even a simple client PC which boots via network has RAM. And in universities or so with about 129k users you just can't ensure that NOBODY turns off the PC, gets the RAM, reads ya SSH key and turns the PC on again (just in case you might have used it before this brave student..)... You could do this in like 10 minutes (max!).

10 minutes is a lot longer than seconds or even minutes.

--- Lars Hansson
Re: Cold Boot Attacks on Encryption Keys
On Thu, Feb 21, 2008 at 08:04:07PM -0600, Marco Peereboom wrote:
> I really have a hard time buying this.

Yes, I can understand that - I was the same until I saw the remnants of the display come up on the screen.

> I can see how you ended up with some crap in that memory upon reboot but I fail to see how that memory could retain its contents. Not knowing the situation you might have had some huge caps on that machine; or even battery backed up ram.

Nup - no real power storage devices in the machine at all, seriously. Technically DRAM is really a capacitor connected to a transistor - the charge in the capacitor in the DRAM cell determines the 1 or 0. How long the cell can retain that charge depends a lot on the particular cell - some hold the charge better than others.

-- Brett Lymn
Re: Cold Boot Attacks on Encryption Keys
Marco Peereboom wrote:
> I really have a hard time buying this. I can see how you ended up with some crap in that memory upon reboot but I fail to see how that memory could retain its contents. Not knowing the situation you might have had some huge caps on that machine; or even battery backed up ram. This combined with low power mode content can be stored for days (we do that on RAID cards). But that is also ram that does not require a clock to retain its contents.

Buy it, really. Twenty+ years ago, I'd noticed this, having completely powered down my computer, decided I had something more to do, flipped the power switch right back on, and I was sitting at a command prompt. I marveled, I did it again, it worked again. I called my roommate over, he and I marveled over this...every few times we tried it, it would end up rebooting (or hung). We knew that the rated refresh time was 2ms for the RAM, and yet, here we were with the machine CLEARLY OFF (the DC fan on this thing was deafening, no question when it had power and when it didn't) for over a second, and coming back up right where we had powered it down. Keep in mind, it was most likely the reset circuit that was causing the reboot, not fading of data in the DRAM chips.

And yes, the flash of old screens on video cards was also a give-away that this was happening.

And yes, these were all DRAM machines. I was VERY familiar with the circuits and designs of this machine, being this machine was documented like none are today (I'm glancing up at the boot ROM source code for the machine -- it came in printed form with the system!), and I had rebuilt the RAM system on these machines a few dozen times (I worked out an upgrade for the things to go from 64k chips to 256k chips, allowing the maximum of 768k on-board; it was a popular upgrade at our store).

Is the effect real? ZERO question in my mind. I'm amazed that it goes as long as people are saying, but in thinking about it, I'm not so surprised.

Keep in mind, the difference in basic design between an EPROM and a dynamic RAM chip is just one of retention time and how the state is changed. EPROMs are rated for ten year retention and routinely hold for twice that, so I'm not too surprised that the gate of a CMOS transistor can hold a charge for a few seconds...and if that, why not tens of seconds.

Heck, almost 30 years ago, people were popping the cap off 4k and 16k DRAM chips, using an 8mm movie camera lens to focus an image on the chip, charging all the cells, waiting a while and then reading all the data...the light would cause the cells to discharge faster, and you could get a crude, 1 bit, digital picture. It took a while even then for the charge to drain off the gates enough to see the image.

The effect is hidden by RC circuits that fire off hardware resets and energy saving monitors that don't have a picture on the screen until the machine has started booting (and now, LCDs which have to sync to the image) and ROMs that clear screens and start the boot process before we notice that the data isn't gone yet.

It's also a matter of numbers -- if you say a DRAM has one second refresh times, but every few months one bit may fade too fast someplace, that would be completely unacceptable for a good system. HOWEVER, if 99% of your data is still intact after ten seconds...you can probably get SOME interesting data off the thing. So, you design for the worst possible environment, and refresh your data every 2ms or more often...but that most certainly doesn't mean ALL the data is gone after 20ms..or 20 seconds.

Based on what I've seen, the only part I'm having trouble with is someone probably just got their doctorate on something that I considered a pointless curiosity twenty years ago. It's still a mostly pointless curiosity, and I'm still lame at working the system.

But yes, if someone has access to your system enough to flood your system with liquid hydrocarbons and liquid nitrogen...you got bigger security problems than your memory not forgetting.

Nick.
Re: There's something about OpenBSD...
On Thu, Feb 21, 2008 at 6:26 PM, Jason Dixon [EMAIL PROTECTED] wrote:
> On Thu, Feb 21, 2008 at 06:15:32PM -0500, Nick Bender wrote:
> > On Thu, Feb 21, 2008 at 5:08 PM, Jussi Peltola [EMAIL PROTECTED] wrote:
> > > Displaying the name of the file and the matched line nicely like grep -r does is not elegant with find + grep without using a script or a long and inelegant alias - or if it is, I'd be interested in how it can be done in case I need to work on some ancient unix.
> > Never used -r so I'm not sure what the output looks like but how about: find . -type f -exec grep something {} /dev/null \;
> Holy crap people, it was just an example. Believe it or not, I know alternatives to recursive grep on Solaris.

Don't know why, but through all these posts the last few days, this one really made me laugh out loud.