Re: Thinkpad T61, cpu0: EST: strange msr value 0x06170d2806008811

2008-03-23 Thread Alexander Hall

Arthur Mesh wrote:

Hello,
Found an interesting behavior on a Thinkpad T61 running a week old 
4.3-current i386 GENERIC. Whenever it boots plugged in to AC, dmesg 
recognizes SpeedStep and hw.setperf becomes available through sysctl(8). 
On the other hand, whenever it boots while it's on battery, dmesg 
doesn't recognize SpeedStep. acpidump is attached. There is even a 
subtle difference in dmesgs


http://marc.info/?l=openbsd-misc&m=120286785403754

/Alexander



Re: Setting up a HA server with limited resources

2008-03-23 Thread Ryan McBride
On Sat, Mar 22, 2008 at 10:49:26AM -0700, johan beisser wrote:
 I would like to reach a state, if possible, in which load balancing is
 performed, but at the same time, if one machine fails, the other will
 automatically take over. I believe this setup is also very useful when
 deploying updates.

 You're screwed on the load balancing without a 3rd system in the mix. 
 Preferably 4 systems, so you've got failover between the firewalls.

That's not the case anymore - see the IP BALANCING section in the
carp(4) manpage. (There are a few caveats, first and foremost being that
your layer 2 network will have to cooperate.)



PC Camera?

2008-03-23 Thread Sunnz
Well well, I am basically interested in setting up a home monitoring
system with a PC, OpenBSD, and a webcam... PC and OpenBSD I have
going, but what about the webcam? Is there much webcam support for
it?

I have plugged in my old webcam in to the USB port just to see what
gives... it reports the ugen0 device, Vimicro Corp. PC Camera, rev
1.10/1.00, addr 10... if it got this far instead of being not
configured, does it mean it has some support for it?

What should I do next?

Thanks.



Re: PC Camera?

2008-03-23 Thread Girish Venkatachalam

On 22:59:31 Mar 23, Sunnz wrote:
 Well well, I am basically interested to set up a home monitoring
 system with a PC, OpenBSD, and a Webcam... PC and OpenBSD I had it
 going, but what about the webcam? Are there much webcam support for
 it?
 
 I have plugged in my old webcam in to the USB port just to see what
 gives... it reports the ugen0 device, Vimicro Corp. PC Camera, rev
 1.10/1.00, addr 10... if it got this far instead of being not
 configured, does it mean it has some support for it?
 
 What should I do next?
 
What should you do next?

Wait for webcam support to be added. Short of that I have no other
advice.

Perhaps one of these days someone will do it. 

I too want this. If it comes to it I might do it but don't count on it.

- -Girish

- -- 
unix soi qui mal y pense

UNIX to him who evil thinks

+--+
| GnuPG key  : 0x48E0DA0A  |  http://wwwkeys.nl.pgp.net|
| Fingerprint:  B9AF 854C 154F DB3D BF33  2C2D 0FDF 3BAD 48E0 DA0A |
+--+



minimac on openbsd

2008-03-23 Thread sonjaya
Dear all,
Does anyone have an implementation of OpenBSD 4.2 on a minimac (Intel proc)? I
plan to install it as an internet server (web, mail, simple firewall
and database), because of electricity problems in my place I need to
install a server with low power.
Also the default minimac has only 1 ethernet; how can I add another ethernet
that is supported on the minimac and OpenBSD?


-- 
sonjaya
http://sicute.blogspot.com



Re: minimac on openbsd

2008-03-23 Thread Jussi Peltola
On Sun, Mar 23, 2008 at 08:15:34PM +0700, sonjaya wrote:
 Also default minimac is only 1 ethernet  how to add another ethernet
 can support in minimac and openbsd.
 
USB? Slow, but works pretty well if there's a driver (see the lists on
the man pages).



Re: BDB simple program compile problem

2008-03-23 Thread mike
 # cc t2.c


To compile use cc -I/usr/local/include/db -o t2 t2.c -L/usr/local/lib/db -ldb
-Mike



Re: minimac on openbsd

2008-03-23 Thread Peter N. M. Hansteen
sonjaya [EMAIL PROTECTED] writes:

 Also default minimac is only 1 ethernet  how to add another ethernet
 can support in minimac and openbsd.

A typical mac mini comes with 4 USB 2.0 ports, so the first thing that
springs to mind is to use USB ethernet devices (eg go to
http://www.openbsd.org/i386.html and search for USB ether)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: minimac on openbsd

2008-03-23 Thread sonjaya
any other device suggestion?


On Sun, Mar 23, 2008 at 8:34 PM, Jussi Peltola [EMAIL PROTECTED] wrote:
 On Sun, Mar 23, 2008 at 08:15:34PM +0700, sonjaya wrote:
   Also default minimac is only 1 ethernet  how to add another ethernet
   can support in minimac and openbsd.

  USB? Slow, but works pretty well if there's a driver (see the lists on
  the man pages).





-- 
sonjaya
http://sicute.blogspot.com



Re: wrong files on ftp://ftp.openbsd.org/pub/OpenBSD/4.2/ ?

2008-03-23 Thread Jacob Meuser
On Sat, Mar 22, 2008 at 03:55:20PM -0400, Juan Miscaro wrote:

 Seems like something a lot of people get bitten by.  How does one stay
 informed on this snapshot libc/packages synchronization issue?

subscribe to [EMAIL PROTECTED] to see when libc bumps
happen, then check the dates of the snapshots and packages.

not 100% perfect, but will give you a pretty good clue.

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: trouble configuring snmpd

2008-03-23 Thread Fratiman Vladut

Ok, thanks!
I can now make graphics for network traffic. It is very easy; the problem was
the confusion between snmpd from OpenBSD and
snmpd from net-snmp. Now I use snmpd from OpenBSD, which is very simple and
works well.
Thanks again!

Stuart Henderson wrote:

On 2008-03-22, Fratiman Vladut [EMAIL PROTECTED] wrote:
  

Can you post an simple snmpd.conf file?



What for? net-snmp or OpenBSD snmpd? the latter is a 30-second job
to look at snmpd.conf(5) and make something that works.

  

I overwrote the original with one created by snmpconf, but it does not work.
Is it possible to make net-snmpd work?



I don't have any net-snmp configs any more, I removed them when 
I changed those boxes that want SNMP over to snmpd. For basic

monitoring, snmpd does more (e.g. it picks up iface descriptions
automatically), needs less configuring, and doesn't crash all
the time. Might even use it rather than symon in some places...




Re: minimac on openbsd

2008-03-23 Thread Lars Noodén
sonjaya wrote:
 any other device suggestion?

If you do not need the wireless card (see item 'J' in the diagram),
*maybe* that could be replaced with an ethernet card:
  http://www.macworld.com/article/49653/2006/03/minicsi.html

But then there would be the problem of the cable moving around or coming
loose inside, and where the cable should come out of the case.

regards,
-Lars



soekris/pcenginges and RO mounting

2008-03-23 Thread Martin Marcher
Hello,

being relatively new to obsd I have the problem of finding the right doc parts.

What I'm looking for are starting points to read about what to do when
RO mounting the root fs (and all other parts) especially on CF-media.

So my ultimate target would be to:

 * mount as much as possible RO
 * still have system logging available (nfs mounting, logserver,
whatever suits best - any pointers welcome)
 * main concern is exhaustion of write cycles on CF media

usage of the box will be a home router in the first place and probably
expanding to a file server and pxe boot server with usb drives
attached to it for storage.

I am familiar with the general (Linux) process of RO mounting partitions
but I don't have any experience with CF cards and read that it's
probably best to RO mount CF media. Forgive me the missing/wrong
terminology, but I found just too much info/howtos with differing tips
on whether to care about write cycles or not, or special needs to take
care of with CF media.

Hope what I am asking for makes sense.

thanks
martin

-- 
http://tumblr.marcher.name
https://twitter.com/MartinMarcher
http://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher

You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.



Re: minimac on openbsd

2008-03-23 Thread Jussi Peltola
On Sun, Mar 23, 2008 at 04:13:45PM +0200, Lars Noodin wrote:
 sonjaya wrote:
  any other device suggestion?
 
 If you do not need the wireless card (see item 'J' in the diagram),
 *maybe* that could be replaced with an ethernet card:
   http://www.macworld.com/article/49653/2006/03/minicsi.html
 
 But then there would be the problem of the cable moving around or coming
 loose inside, and where the cable should come out of the case.
 
 
Old-ish (I'm thinking ThinkPad A2*) laptops usually have a suitable
miniPCI network card and a ribbon cable to connect to it, which will
surely fit through some hole in the case. The RJ45 connector will
sometimes be easily removable from the laptop case so it might not be
too hard to use, in other cases the ribbon connects to the mainboard and
you'd need to solder. At least my A21p seems to be of the former type,
and those failed pretty often so you might be able to find one.

I'd just go with USB ethernet, a soekris / mini-itx board or a cheap,
nasty manageable switch with vlans (they are surprisingly common -
even a series of ADSL modems common in Finland have VLAN capable
integrated switches, neatly allowing you to have the internal wireless
LAN in a separate VLAN firewalled with an OpenBSD router.)

-- 
Jussi Peltola



Re: soekris/pcenginges and RO mounting

2008-03-23 Thread Jussi Peltola
On Sun, Mar 23, 2008 at 03:18:20PM +0100, Martin Marcher wrote:
 Hello,
 
 being relatively new to obsd I have the problem of finding the right doc 
 parts.
 
 What I'm looking for are starting points to read about what to do when
 RO mounting the root fs (and all other parts) especially on CF-media.
 
 So my ultimate target would be to:
 
  * mount as much as possible RO
  * still have system logging available (nfs mounting, logserver,
 whatever suits best - any pointers welcome)
  * main concern is exhaustion of write cycles on CF media
 
 usage of the box will be a home router in the first place and probably
 expanding to a file server and pxe boot server with usb drives
 attached to it for storage.
 
 I am familiar with general (linux) process of RO mounting partitions
 but I don't have any experience with CF cards and read that it's
 probably best to RO mount CF-media. Forgive me the missing/wrong
 terminology but I found just too much info/howtos with differing tips
 on whether to care about write cycles or not, or special needs to take
 care of with CF media.

I did not bother. I just installed openbsd to a CF normally, set syslog
to log to memory buffers (not really because of write cycles but to
avoid filling my 256M CF card) and it's been working just fine for a few
years. Your experience may vary, but since you need to have backups
anyway, is it so bad to possibly have to replace a CF card after many
years?

-- 
Jussi Peltola



Re: Would OpenBSD and Squid be considered a Proxy Firewall?

2008-03-23 Thread Ed Flecko
The book is called Counter Hack Reloaded: A Step-by-Step Guide to
Computer Attacks and Effective Defenses (2nd Edition) -
http://www.amazon.com/Counter-Hack-Reloaded-Step-Step/dp/0131481045/ref=pd_bbs_1?ie=UTF8&s=books&qid=1206284032&sr=8-1

The author makes several references to proxy firewalls and implies
they are more secure than traditional firewalls because they ignore
typical reconnaissance, probing attempts like nmap, etc. because they
function at the application layer.

Ed

On Sat, Mar 22, 2008 at 7:38 AM, Lars Noodin [EMAIL PROTECTED]
wrote:
 Ed Flecko wrote:
   I'm reading a book on network security and it mentions proxy
   firewalls ... are there other proxy firewalls the
   author is referring to?

  Which book?  Title, author, ISBN would help.  Or send a link to a review.


   As a matter of curiosity, has anyone run an nmap scan against an
   OpenBSD box with Squid? What did the scan results indicate?

  The results depend entirely on how you have Squid set up and how PF is
  configured.

  Regards,
  -Lars



Re: soekris/pcenginges and RO mounting

2008-03-23 Thread Lars Noodén
Martin Marcher wrote:
...
 What I'm looking for are starting points to read about what to do when
 RO mounting the root fs (and all other parts) especially on CF-media.

I did this recently, in December and January, and can point out what I
found.  More experienced or expert users will be able to say what the
better options are.

Since the smallest CF I could get was 1GB, I split it into two, to have
one for the root tree and another partition for reserve copies in case
experiments don't work.  The whole system, including extras, is about
202 MB.  I chose to do any compilation on another machine and therefore
left out comp; the man pages (for me) are as essential as the kernel, so
I've kept them.  I can't remember why I kept misc.

  [X] bsd
  [X] bsd.rd
  [ ] bsd.mp
  [X] base42.tgz
  [X] etc42.tgz
  [X] misc42.tgz
  [ ] comp42.tgz
  [X] man42.tgz
  [ ] game42.tgz
  [ ] xbase42.tgz
  [ ] xetc42.tgz
  [ ] xshare42.tgz
  [ ] xfont42.tgz
  [ ] xserv42.tgz

I chose to have /tmp, /var, and /dev in memory and put the rest of the
normal system into one partition. /home is a symlink to /var/home/,
/root is a symlink to /var/root, /data is a separate partition for spare
material and short term backup.  No swap partition was used.

Templates for /dev and /var are kept in /dev.base and /var.base,
respectively.  There are probably better naming conventions.
mfs loads into RAM and then mounts the RAM versions.

Here is what I have in /etc/fstab (wrapped text) to do that:

  /dev/wd0a / ffs ro 1 1
  /dev/wd0d /data ffs rw,nodev,nosuid 1 2

  # populate /var with data from CF, then mount in RAM
  swap /var mfs -P/var.base,-s16,noexec,async,nosuid, \
  nodev,noatime,rw 0 0

  # mount /tmp in memory
  swap /tmp mfs noexec,async,nosuid,nodev,noatime,rw, \
  -b4096,-i1024,-s15000,-m0 0 0

  # mount /dev in memory
  swap /dev mfs rw,-P=/dev.base,-s=3000,-i=1024 0 0

When you make changes, mount -o rw /, then make the changes then sync.

I have also used config(8) to tune the GENERIC kernel somewhat.  Just
what I chose, I cannot recall, but when it is time to look at that
again, I will try removing unneeded devices.

Here is what I chose to have in /etc/boot.conf, the re-configured kernel
is called /nbsd:

  stty com0 19200
  set tty com0
  #set image /bsd
  set image /nbsd

To use cu, kermit or tip for serial console, you must be a member of the
group dialer.

I'm going to assume you have already set up a way to do the
installation.  I chose to use PXE boot.  Now that I seem to be swimming
in USB devices and media, I will probably try using those next time
instead.  Having PXE boot available is an advantage later if you want to
run live CDs or thin clients.

For the logging, I've chosen not to worry about it yet.  When the
machine powers down, the logs are lost.  Maybe you could set up
something in /etc/rc.shutdown to rsync to a non-volatile partition.
An external log server is another option.  I've had log servers in the
past, but will postpone that till I can experiment more with IPv6.
There was a good IPv4 summary of logging on BSDTalk in January:

 http://bsdtalk.blogspot.com/2008/01/bsdtalk138-central-syslog.html
 http://cisx1.uma.maine.edu/~wbackman/bsdtalk/bsdtalk138.ogg

There is apparently a risk that the log partition on the log server can
get filled by anyone who wants to do so.

YMMV,
-Lars



Sendmail timeouts

2008-03-23 Thread Steve Shockley
I've got an OpenBSD 4.2 mail server behind an OpenBSD 4.2 firewall. 
Over the past day, I've noticed a lot of hung Sendmail processes in 
the process list:


sendmail: m2NF4TFL003726 tnf-mta01-75.ebusiness.householdaccount.pgs01.com [137.236.172.75]: DATA (sendmail)
sendmail: m2NF4whi024039 host4.FrameNetworkz.com [69.64.39.61]: DATA (sendmail)
sendmail: m2NF50EF028088 host5.FrameNetworkz.com [69.64.39.62]: DATA (sendmail)
sendmail: m2NF62uq032198 lists-outbound.sourceforge.net [66.35.250.225]: DATA (sendmail)
sendmail: m2NF620o013768 lists-outbound.sourceforge.net [66.35.250.225]: DATA (sendmail)
sendmail: m2NF62MF009167 lists-outbound.sourceforge.net [66.35.250.225]: DATA (sendmail)
sendmail: m2NF63sx013705 lists-outbound.sourceforge.net [66.35.250.225]: DATA (sendmail)
sendmail: m2NF63fT020736 lists-outbound.sourceforge.net [66.35.250.225]: DATA (sendmail)
sendmail: m2NF63JS030535 lists-outbound.sourceforge.net [66.35.250.225]: DATA (sendmail)
sendmail: m2NF63dc012684 lists-outbound.sourceforge.net [66.35.250.225]: DATA (sendmail)
sendmail: m2NF6oC8001475 mxphxpool58.ebay.com [66.211.161.58]: DATA (sendmail)
sendmail: m2NF6rZ6020650 123topsender.net [206.191.129.93]: DATA (sendmail)
sendmail: m2NF76gR032529 mxphxpool98.ebay.com [66.211.161.98]: DATA (sendmail)


I currently have 144 of these, a mix of spam and non-spam.  The 
confusing part is that most messages still seem to come through fine, 
even from the same systems (i.e. SecurityFocus).


There's not much in the logs, all I can see so far is the eventual 
disconnect.  The IDs listed in the process list (i.e. m2NF76gR032529) 
don't show up in the logs.




Re: Sendmail timeouts

2008-03-23 Thread Steve Shockley

On a related note, on my firewall I'm seeing:



Re: Sendmail timeouts

2008-03-23 Thread Steve Shockley

On a related note, I'm seeing:

11:48:55.034320 66.35.250.225 > 71.126.119.199: icmp: host 66.35.250.225 unreachable - admin prohibited [tos 0xc0]


(that's SourceForge)

Does that mean they're blocking my return traffic, when they initiate 
the connection to me?




Re: soekris/pcenginges and RO mounting

2008-03-23 Thread Richard Daemon
On Sun, Mar 23, 2008 at 11:23 AM, Lars Noodén [EMAIL PROTECTED] wrote:
 Martin Marcher wrote:
  ...

  What I'm looking for are starting points to read about what to do when
   RO mounting the root fs (and all other parts) especially on CF-media.

  I did this recently, in December and January, and can point out what I
  found.  More experienced or expert users will be able to say what the
  better options are.

  Since the smallest CF I could get was 1GB, I split it into two, to have
  one for the root tree and another partition for reserve copies in case
  experiments don't work.  The whole system, including extras, is about
  202 MB.  I chose to do any compilation on another machine and therefore
  left out comp, the man pages (for me) are as essential as the kernel so
  I've kept them.  I can't remember why I kept misc.

   [X] bsd
   [X] bsd.rd
   [ ] bsd.mp
   [X] base42.tgz
   [X] etc42.tgz
   [X] misc42.tgz
   [ ] comp42.tgz
   [X] man42.tgz
   [ ] game42.tgz
   [ ] xbase42.tgz
   [ ] xetc42.tgz
   [ ] xshare42.tgz
   [ ] xfont42.tgz
   [ ] xserv42.tgz

  I chose to have /tmp, /var, and /dev in memory and put the rest of the
  normal system into one partition. /home is a symlink to /var/home/,
  /root is a symlink to /var/root, /data is a separate partition for spare
  material and short term backup.  No swap partition was used.

  Templates for /dev and /var are kept in /dev.base and /var.base,
  respectively.  There are probably better naming conventions.
  mfs loads into RAM and then mounts the RAM versions.

  Here is what I have in /etc/fstab (wrapped text) to do that:

   /dev/wd0a / ffs ro 1 1
   /dev/wd0d /data ffs rw,nodev,nosuid 1 2

   # populate /var with data from CF, then mount in RAM
   swap /var mfs -P/var.base,-s16,noexec,async,nosuid, \
   nodev,noatime,rw 0 0

   # mount /tmp in memory
   swap /tmp mfs noexec,async,nosuid,nodev,noatime,rw, \
   -b4096,-i1024,-s15000,-m0 0 0

   # mount /dev in memory
   swap /dev mfs rw,-P=/dev.base,-s=3000,-i=1024 0 0

  When you make changes, mount -o rw /, then make the changes then sync.

  I have also used config(8) to tune the GENERIC kernel somewhat.  Just
  what I chose, I cannot recall, but when it is time to look at that
  again, I will try removing unneeded devices.

  Here is what I chose to have in /etc/boot.conf, the re-configured kernel
  is called /nbsd:

   stty com0 19200
   set tty com0
   #set image /bsd
   set image /nbsd

  To use cu, kermit or tip for serial console, you must be a member of the
  group dialer.

  I'm going to assume you have already set up a way to do the
  installation.  I chose to use PXE boot.  Now that I seem to be swimming
  in USB devices and media, I will probably try using those next time
  instead.  Having PXE boot available is an advantage later if you want to
  set run live CDs or thin clients.

  For the logging, I've chosen not to worry about it yet.  When the
  machine powers down, the logs are lost.  Maybe you could set up
  something in /etc/rc.shutdown to rsync to a non-volatile partition.
  An external log server is another option.  I've had log servers in the
  past, but will postpone that till I can experiment more with IPv6.
  There was a good IPv4 summary of logging on BSDTalk in January:

   http://bsdtalk.blogspot.com/2008/01/bsdtalk138-central-syslog.html
   http://cisx1.uma.maine.edu/~wbackman/bsdtalk/bsdtalk138.ogg

  There is apparently a risk that the log partition on the log server can
  get filled by anyone who wants to do so.

  YMMV,
  -Lars

I do pretty much the same as this, for years now on WRAP, Soekris and
now ALIX too (with BIOS 0.99b) but my fstab is a little different.
I install them via PXEbooting OpenBSD and they all run 4.2-stable
built on another, fast system, make via release(8) basically.

I also have the MFS contents such as /var/logs, /var/. sync to CF
on graceful shutdown via /etc/rc.shutdown and a crontab that
periodically syncs the MFS back to CF.
Never had a problem with any of these systems or the CF cards.

The systems do some really wonderful things, thanks to OpenBSD! =)

Regards.
Some contents on my CF card (config files, etc.) are remotely backed
up via rsync over SSH and/or tar over SSH to a remote system (and a
local backup too).
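Lars's fstab above keeps /var in an mfs seeded from /var.base, and Richard syncs that mfs back to the CF at shutdown and from cron; the sh script below is an added example, not either poster's code, of one way to do that flush. It assumes Lars's layout (/ mounted read-only on the CF, /var an mfs seeded from /var.base); the function names, the tar-based copy and the free-space check are my own choices.

```shell
#!/bin/sh
# Added example (not from either post): flush an mfs-backed /var to the
# read-only CF root, for /etc/rc.shutdown or a root cron job. Assumes
# Lars's layout: / mounted ro on the CF and /var an mfs populated from
# the template /var.base. Paths, function names and the tar copy are
# my own choices, not anything from the thread.

# Copy the live tree $1 into the template tree $2, keeping owners and modes.
# Only base-system tar(1) is used, so it works without rsync. Files deleted
# from the live tree are left behind in the template; for logs that is fine.
sync_tree() {
    src=$1 dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || return 1
    (cd "$src" && tar cf - .) | (cd "$dst" && tar xpf -)
}

# Refuse to write if the live tree would not fit on the filesystem holding
# the template (a 256M CF fills quickly). Both figures are in 1K blocks.
fits() {
    need=$(du -sk "$1" | cut -f1)
    have=$(df -Pk "$2" | tail -n 1 | tr -s ' ' | cut -d' ' -f4)
    [ -n "$need" ] && [ -n "$have" ] && [ "$need" -le "$have" ]
}

# Remount the CF root writable, copy, flush buffers, and go back to
# read-only. Returns non-zero, with / read-only again, if any step failed.
# In /etc/rc.shutdown:  flush_var_to_cf || logger -p daemon.err "var sync failed"
flush_var_to_cf() {
    live=${1:-/var} tmpl=${2:-/var.base}
    if ! fits "$live" "$tmpl"; then
        echo "flush_var_to_cf: $live does not fit on the CF" >&2
        return 1
    fi
    mount -u -o rw / || return 1
    rc=0
    sync_tree "$live" "$tmpl" || rc=1
    sync                          # push the writes out before going ro
    mount -u -o ro / || rc=1
    return $rc
}

# Dry run on throwaway directories with one constructed log line, so the
# copy logic can be exercised without a real CF:  sh flush_var.sh --demo
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/var/log" "$d/var.base"
    echo "Mar 23 12:37:18 gw isakmpd[21074]: constructed sample line" \
        > "$d/var/log/messages"
    sync_tree "$d/var" "$d/var.base" && fits "$d/var" "$d/var.base" \
        && [ -f "$d/var.base/log/messages" ]
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then
    demo && echo "demo: ok" || echo "demo: failed"
fi
```

On the real box only flush_var_to_cf touches the root mount; a cron entry calling it every few hours gives the periodic sync Richard describes, at the cost of one CF write cycle per run.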



Re: OpenBSD Artwork BSD Licensed?

2008-03-23 Thread Richard Daemon
On Sat, Mar 22, 2008 at 10:46 PM, Theo de Raadt [EMAIL PROTECTED] wrote:

  I'm not sure how else to ask this, but are we allowed to take some of
   the OpenBSD artwork such as the blowfish wireframe pictures and specs,
   get some stickers, t-shirts or other custom media developed and
   perhaps even sell them?
   Of course, any profits would get funneled back - and at the same time,
   it is a form of advocacy and support in a positive light for a
   preferred project.
  
   I'm just curious to know if something like this is allowed or
   acceptable? Is it something that would be frowned upon? Is the artwork
   under a BSD license or such, or is it considered to be copyright the
   owner(s) and not allowed?
  
   According to
   http://www.openbsd.org/art4.html
  
   Most images provided here are copyright by OpenBSD, by Theo de Raadt,
   or by other members or developers of the OpenBSD group. However, it is
   our intent that anyone be able to use these images to represent
   OpenBSD in a positive light. So enjoy them and let the world see them,
   if that is your wish.
  
   I know it says this on openbsd.org, but not specifically the questions
   above. This seems to imply using existing images from the image files
   on the website, but not the artwork itself - hence this email as I'm
   only wondering how this works.
  
   I appreciate any clarification on these questions.

  Permission for resale is not granted.  The project sells some products
  which use the artwork, and the project in part survives on the sale of
  those items.

  This has been asked numerous times before.  And yeah, quite a few
  people have said they would funnel profits back to the project, yet
  I've never not seen that happen even once.  Even when some big tshirt
  printing places were doing it so, and their customers had said they
  were doing so.  Not a dime.  Not saying you would be the same as those
  people, but you had better prepare for me to be extremely sceptical
  about such promises.

You're absolutely right and I can only agree with you in every aspect.

I appreciate the reply and feedback from you and the others who replied.
It was just a question, not an intention to actually take any sales
away from OpenBSD or to even go through with it.

I wouldn't doubt it either that people make promises like that and
don't actually go through with their promises once the money starts
coming in to them...

On a side note, is there somewhere we can purchase some translucent
wireframe blowfish stickers?
I for one would love to have some of these and I'm sure others would too.



Re: PC Camera?

2008-03-23 Thread Sunnz
2008/3/23, Girish Venkatachalam [EMAIL PROTECTED]:


  On 22:59:31 Mar 23, Sunnz wrote:
   Well well, I am basically interested to set up a home monitoring
   system with a PC, OpenBSD, and a Webcam... PC and OpenBSD I had it
   going, but what about the webcam? Are there much webcam support for
   it?
  
   I have plugged in my old webcam in to the USB port just to see what
   gives... it reports the ugen0 device, Vimicro Corp. PC Camera, rev
   1.10/1.00, addr 10... if it got this far instead of being not
   configured, does it mean it has some support for it?
  
   What should I do next?


 What should you do next?

  Wait for webcam support to be added. Short of that I have no other
  advice.

  Perhaps one of these days someone will do it.

  I too want this. If it comes to it I might do it but don't count on it.

  - -Girish

  - --
  unix soi qui mal y pense

  UNIX to him who evil thinks

  +--+
  | GnuPG key  : 0x48E0DA0A  |  http://wwwkeys.nl.pgp.net|
  | Fingerprint:  B9AF 854C 154F DB3D BF33  2C2D 0FDF 3BAD 48E0 DA0A |
  +--+



Ah, I guess my question is, what is the missing link here... like... do we
need a driver for this to function? Do we need documentation for webcams
so devs can write a driver for it... or is a port missing that can
actually take videos?

-- 
This e-mail may be confidential. It may also be legally privileged.
You may not copy, forward, distribute, disclose, or, use any part of
it. If you have received this message in error, please delete it and
all copies from your system and notify the sender immediately by
return e-mail. Internet communications cannot be guaranteed to be
timely, secure, error, or, virus-free. The sender do not accept
liability for any errors, or, omissions. Nevertheless, this text has
no effective legal binding on your part. There is no obligation to
abide any or all parts of this, just as any texts appended to e-mail
on rest of the Internet.



Re: Setting up a HA server with limited resources

2008-03-23 Thread johan beisser

Hmm. Gotta review CARP again, it seems. When did this go in?

On Mar 23, 2008, at 2:29 AM, Ryan McBride wrote:


On Sat, Mar 22, 2008 at 10:49:26AM -0700, johan beisser wrote:
I would like to reach a state, if possible, in which load balancing is
performed, but at the same time, if one machine fails, the other will
automatically take over. I believe this setup is also very useful when
deploying updates.

You're screwed on the load balancing without a 3rd system in the mix.
Preferably 4 systems, so you've got failover between the firewalls.

That's not the case anymore - see the IP BALANCING section in the
carp(4) manpage. (There are a few caveats, first and foremost being that
your layer 2 network will have to cooperate.)




Re: OpenBSD Artwork BSD Licensed?

2008-03-23 Thread Amarendra Godbole
On Sun, Mar 23, 2008 at 10:54 PM, Richard Daemon
[EMAIL PROTECTED] wrote:
[...]
  On a side note, is there somewhere we can purchase some translucent
  wireframe blowfish stickers?
  I for one would love to have some of these and I'm sure others would too.
[...]

This may have what you want: https://kd85.com/notforsale.html

-Amarendra



Re: PC Camera?

2008-03-23 Thread Mike
did you try lsusb ?

is anything reported through lsusb?

also look in your syslog while you're attaching the usb cam.

hope this helps.

peace,


On Sun, Mar 23, 2008 at 5:59 PM, Sunnz [EMAIL PROTECTED] wrote:

 2008/3/23, Girish Venkatachalam [EMAIL PROTECTED]:
 
 
   On 22:59:31 Mar 23, Sunnz wrote:
Well well, I am basically interested to set up a home monitoring
system with a PC, OpenBSD, and a Webcam... PC and OpenBSD I had it
going, but what about the webcam? Are there much webcam support for
it?
   
I have plugged in my old webcam in to the USB port just to see what
gives... it reports the ugen0 device, Vimicro Corp. PC Camera, rev
1.10/1.00, addr 10... if it got this far instead of being not
configured, does it mean it has some support for it?
   
What should I do next?
 
 
  What should you do next?
 
   Wait for webcam support to be added. Short of that I have no other
   advice.
 
   Perhaps one of these days someone will do it.
 
   I too want this. If it comes to it I might do it but don't count on it.
 
   - -Girish
 
   - --
   unix soi qui mal y pense
 
   UNIX to him who evil thinks
 
   +--+
   | GnuPG key  : 0x48E0DA0A  |  http://wwwkeys.nl.pgp.net|
   | Fingerprint:  B9AF 854C 154F DB3D BF33  2C2D 0FDF 3BAD 48E0 DA0A |
   +--+
 
 

 Ah, I guess my question is, what is missing link here... like... do we
 need driver for this to function? Do we need documentation to webcams
 so dev can write driver for it... or is a port missing that can
 actually take videos?

 --
 This e-mail may be confidential. It may also be legally privileged.
 You may not copy, forward, distribute, disclose, or, use any part of
 it. If you have received this message in error, please delete it and
 all copies from your system and notify the sender immediately by
 return e-mail. Internet communications cannot be guaranteed to be
 timely, secure, error, or, virus-free. The sender do not accept
 liability for any errors, or, omissions. Nevertheless, this text has
 no effective legal binding on your part. There is no obligation to
 abide any or all parts of this, just as any texts appended to e-mail
 on rest of the Internet.



Problems setting up ipsec...

2008-03-23 Thread Jeff Ross
I'm trying to set up an IPSEC vpn between two fresh OpenBSD -current 
firewalls, using a combination of Zero to IPSEC and this message from 
Reyk Floeter (http://marc.info/?l=openbsd-misc&m=114200467101649&w=2).


One side has a static IP, the other is ADSL.

I've copied the keys from each machine to the other, and isakmpd is 
started with the -K flag on each.


Here's a brief network layout:

Static Side

External IP: 168.103.246.149
Internal LAN: 10.1.1.0/24

Dynamic Side

External IP: dynamic, but DNS resolvable using a homebrew script
Internal LAN: 172.16.1.0/24


On the ADSL side I have the following in my ipsec.conf file:

flow from 172.16.1.0/24 to 168.103.246.149 type bypass

ike dynamic esp from 172.16.1.0/24 to 10.1.1.0/24 peer 168.103.246.149 \
srcid home.homeinstead.com \
dstid   168.103.246.149

ike dynamic esp from 172.16.1.0/24 to 10.1.1.0/24 peer 168.103.246.149

ike dynamic esp from 172.16.1.0/24 to 168.103.246.149


On the static side I have:

ike passive esp from 172.16.1.0/24 to 168.103.246.149 dstid \
    home.homeinstead.openvistas.net



It appears that the ADSL side is trying to start the tunnel, but I'm
getting this in the static side's logs:


2008-03-23 12:37:18.290800500 daemon.notice: Mar 23 12:37:18 isakmpd[21074]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
2008-03-23 12:37:18.291792500 daemon.notice: Mar 23 12:37:18 isakmpd[21074]: message_negotiate_sa: no compatible proposal found
2008-03-23 12:37:18.291803500 daemon.notice: Mar 23 12:37:18 isakmpd[21074]: dropped message from 70.57.209.37 port 500 due to notification type NO_PROPOSAL_CHOSEN



Google doesn't provide much help for this error, so any help would be 
greatly appreciated.


Thanks,

Jeff Ross



Re: OpenBSD Artwork BSD Licensed?

2008-03-23 Thread Leonardo Rodrigues
There's also a nice one that comes with the OpenBSD Audio CD. (great
songs by the way!)


  On a side note, is there somewhere we can purchase some translucent
  wireframe blowfish stickers?
  I for one would love to have some of these and I'm sure others would too.





-- 
An OpenBSD user... and that's all you need to know =)

Please, send private emails to [EMAIL PROTECTED]



Re: PC Camera?

2008-03-23 Thread Predrag Punosevac

Sunnz wrote:

2008/3/23, Girish Venkatachalam [EMAIL PROTECTED]:
  



 On 22:59:31 Mar 23, Sunnz wrote:
  Well well, I am basically interested to set up a home monitoring
  system with a PC, OpenBSD, and a Webcam... PC and OpenBSD I had it
  going, but what about the webcam? Are there much webcam support for
  it?
 
  I have plugged in my old webcam in to the USB port just to see what
  gives... it reports the ugen0 device, Vimicro Corp. PC Camera, rev
  1.10/1.00, addr 10... if it got this far instead of being not
  configured, does it mean it has some support for it?
 
  What should I do next?


What should you do next?

 Wait for webcam support to be added. Short of that I have no other
 advice.

 Perhaps one of these days someone will do it.

 I too want this. If it comes to it I might do it but don't count on it.

 - -Girish

 - --
 unix soi qui mal y pense

 UNIX to him who evil thinks






Ah, I guess my question is, what is missing link here... like... do we
need driver for this to function? Do we need documentation to webcams
so dev can write driver for it... or is a port missing that can
actually take videos?

  
OpenBSD has support for cameras. There are two kinds of devices
supported at the moment. The bktr(4) driver is ported to OpenBSD (look
at the hardware notes for i386) and you can use the FFmpeg package to
record, convert, and edit the video. OpenBSD also has support for USB
cameras based on the OV511 chipset; look at
http://openports.se/graphics/vid. Currently it is not possible to use
USB cameras to capture a video stream on OpenBSD. You can just take a
single shot.

Now from your question I gather that you are interested in cheap USB
cameras, along the lines of Video4Linux. For something like that you
need drivers. There are two approaches to such cameras. One is the
userland and another is the kernel approach. You may Google and see
what the state of the art of both approaches is, as well as their
drawbacks. In my understanding it seems that the kernel approach would
be the only approach which would lead to real usable USB cameras (for,
let's say, video conferencing or video authoring).

Given the goals and objectives of the OpenBSD project as well as the
fact that USB devices are a real mess, I seriously doubt that OpenBSD
will ever get support for USB cameras. Moreover, it is also hard to
justify time spent hacking those things if there is a relatively
inexpensive hardware solution (video input devices supported by bktr
can be bought for about $150 now vs. a good USB camera is probably at
least $50).

In my understanding USB cameras are extremely poorly documented, so
adding the kernel support would be very, very difficult. It would also
unnecessarily complicate the kernel.

Having drivers is one thing. Getting applications to recognize that
you have a USB camera and making them usable in applications is
another thing. A good example is FreeBSD, which has the spcaview driver
ported (essentially part of video4linux) and also another driver for
the Philips chipset based cameras. Only the second are really usable
(let's say in Ekiga or MPlayer). Some people who use FreeBSD are trying
to develop a utility similar to ndis which will enable you to use Linux
drivers not only for USB cameras but for other USB devices (project
Evil or something like that).

Again, given the objectives, goals, and standards of the OpenBSD
project, the above is a no-no in the OpenBSD world.

I hope somebody who knows more about this issue puts an end to this
pointless discussion.


Best,

Predrag



Re: IPsec with a Linux road-warrior

2008-03-23 Thread Andreas Vögele
Tom Menari writes:

 Can anyone recommend a client configuration for IPsec from a roaming
 Linux machine that works with OpenBSD's ipsecctl?
 
 I have tried Openswan and racoon and both have their problems.
 Currently using X509 certificates but if anyone has public keys
 working that would be good too.

I've got an OpenBSD road warrior that connects to a Debian server
running racoon.  So far I haven't connected a Linux road warrior to an
OpenBSD machine but the following setup might work.

If you decide to use public keys you've got to convert the keys
between the file format used by OpenBSD and the format used by Racoon
and Openswan.  I've put a Perl script that converts public keys
between both formats at the end of this message.  The script requires
the Perl modules Parse::RecDescent and Crypt::OpenSSL::RSA, which are
both available as packages under OpenBSD and Debian.

Run the script on your OpenBSD machine to convert your machine's
public key into the file format that is accepted by racoon.  Example:

./plainrsa-convert < /etc/isakmpd/local.pub

Copy the output into the file /etc/racoon/certs/pubkeys.rsa on the
Linux machine.  You can put the OpenBSD machine's IP address in front
of the key.  Example:

192.168.0.1 : PUB 0sAgUAF2T29ovO...

Run the command plainrsa-gen, which comes with the racoon package, to
create a key on the Linux machine.  Example:

plainrsa-gen -f /etc/racoon/certs/privatekey.rsa

Extract the public key from the key file and convert the key to the
format accepted by OpenBSD.  Example:

grep ': PUB' privatekey.rsa | sed 's/^#//' | ./plainrsa-convert

Assuming that your client's host name is roadwarrior.example.org, put
the output of the above command into the file
/etc/isakmpd/pubkeys/fqdn/roadwarrior.example.org on your OpenBSD
machine.

I'm not sure what to put into /etc/ipsec.conf on the OpenBSD machine.
I think that something like this should work:

ike passive from any to 192.168.0.1 \
srcid server.example.org \
dstid roadwarrior.example.org

Put the following directives into the file /etc/racoon/racoon.conf on
the Linux machine.  Don't forget to modify the IP address and the
identifiers.

--8<--8<--8<--8<--8<--8<--8<--8<--

# /etc/racoon/racoon.conf

path certificate "/etc/racoon/certs";

## phase 1 proposals (for IKE SA)

# connection to server.example.org
remote 192.168.0.1 {
    exchange_mode main;
    certificate_type plain_rsa "privatekey.rsa";
    peers_certfile plain_rsa "pubkeys.rsa";
    my_identifier fqdn "roadwarrior.example.org";
    peers_identifier fqdn "server.example.org";
    dpd_delay 30;
    lifetime time 1 hour;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

## phase 2 proposal (for IPsec SA).

# quick mode description for all connections
sainfo anonymous {
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
    compression_algorithm deflate;
    lifetime time 20 minutes;
}

--8<--8<--8<--8<--8<--8<--8<--8<--

#!/usr/bin/perl -w
# Convert public keys from and to the format used by Racoon.
# Written and placed in the public domain by Andreas Voegele.

use strict;

use Parse::RecDescent;
use Crypt::OpenSSL::RSA;
use Crypt::OpenSSL::Bignum;
use MIME::Base64;

# PEM (X.509 SubjectPublicKeyInfo, as in /etc/isakmpd/local.pub) to the
# RFC 2537 encoding Racoon uses: one length octet, the public exponent,
# the modulus, all base64 encoded.
sub pem2rfc {
    my $key = shift;
    my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($key);
    my ($n, $e) = $rsa_pub->get_key_parameters();
    my $eb = $e->to_bin();
    return encode_base64(pack("C", length($eb)) . $eb . $n->to_bin(), '');
}

# RFC 2537 encoding back to PEM, the format isakmpd reads from
# /etc/isakmpd/pubkeys/.
sub rfc2pem {
    my $key = shift;
    my $decoded = decode_base64($key);
    my $len = unpack("C", substr($decoded, 0, 1));
    my $e = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1, $len));
    my $n = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1 + $len));
    my $rsa_pub = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e);
    return $rsa_pub->get_public_key_x509_string();
}

# A PEM block on the input is printed as a Racoon ": PUB 0s..." line; a
# Racoon key line (optionally prefixed by one or two addresses) is
# printed as a PEM block; anything else is skipped.
my $grammar = q {
input: item(s)
item: pempubkey | rfcpubkey | other
pempubkey: m{-----BEGIN PUBLIC KEY-----.*?-----END PUBLIC KEY-----}s
   { print ": PUB 0s" . main::pem2rfc($item[1]), "\n"; }
rfcpubkey: addr(0..2) ':' 'PUB' m{0s[A-Za-z0-9+/=]+}
   { print main::rfc2pem(substr($item[4], 2)); }
addr: ( ipv4addr | ipv6addr ) <skip: ''> prefix(?) | 'any'
ipv4addr: /(?:\\d{1,3}\\.){3}\\d{1,3}/
ipv6addr: /[[:xdigit:]:]*:[[:xdigit:]:]*:[[:xdigit:]:]*/
prefix: m{/\d{1,3}}
other: /.*/
};

my $parser = new Parse::RecDescent($grammar);
undef $/;                # slurp the whole input at once
my $input = <>;
$parser->input($input);
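As an added example (not code from the original message or from Racoon/isakmpd), the same conversion the Perl script above performs, in pure Python with no third-party modules: the PEM SubjectPublicKeyInfo is built and parsed by hand, the long exponent-length form that RFC 2537 allows (and the script does not handle) is covered, and one pubkeys.rsa line is turned into a PEM block for /etc/isakmpd/pubkeys/. The key material and the function names are constructed for the example; the modulus is not a real key.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

# Constructed sample key (not a real RSA modulus; for the demonstration only).
SAMPLE_N = 0xC5A3D9F12E7B4C08A16F3D5E9B2C7A41D3E8F06B5A4C9D2E7F1A3B5C8D9E0F21
SAMPLE_E = 65537


def _int_to_bytes(v):
    # Minimal big-endian encoding of a non-negative integer (at least one byte).
    return v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")


def rsa_to_racoon(n, e):
    # RFC 2537 blob: exponent length (one octet, or 0x00 plus two octets when
    # the exponent exceeds 255 bytes), exponent, modulus; base64 with a "0s" prefix.
    eb = _int_to_bytes(e)
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + eb + _int_to_bytes(n)).decode()


def racoon_to_rsa(key):
    # Inverse of rsa_to_racoon; accepts both exponent-length forms.
    if not key.startswith("0s"):
        raise ValueError("racoon RSA keys start with '0s'")
    blob = base64.b64decode(key[2:])
    elen, pos = (blob[0], 1) if blob[0] else (int.from_bytes(blob[1:3], "big"), 3)
    e = int.from_bytes(blob[pos:pos + elen], "big")
    n = int.from_bytes(blob[pos + elen:], "big")
    return n, e


def _der_len(length):
    if length < 128:
        return bytes([length])
    lb = _int_to_bytes(length)
    return bytes([0x80 | len(lb)]) + lb


def _der_int(v):
    b = _int_to_bytes(v)
    if b[0] & 0x80:  # a leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def rsa_to_pem(n, e):
    # SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }
    rsa_key = _der_seq(_der_int(n), _der_int(e))
    alg_id = _der_seq(RSA_OID, b"\x05\x00")  # rsaEncryption with NULL parameters
    bit_string = b"\x03" + _der_len(len(rsa_key) + 1) + b"\x00" + rsa_key
    b64 = base64.b64encode(_der_seq(alg_id, bit_string)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body


def _tlv(buf, pos):
    # Read one DER tag/length/value starting at pos -> (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def pem_to_rsa(pem):
    # Inverse of rsa_to_pem; rejects anything that is not an RSA SubjectPublicKeyInfo.
    b64 = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    tag, spki, _ = _tlv(base64.b64decode(b64), 0)
    tag_a, alg_id, pos = _tlv(spki, 0)
    tag_b, bit_string, _ = _tlv(spki, pos)
    if (tag, tag_a, tag_b) != (0x30, 0x30, 0x03) or alg_id != RSA_OID + b"\x05\x00":
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    if bit_string[0] != 0:
        raise ValueError("unexpected unused-bits octet in BIT STRING")
    _, rsa_key, _ = _tlv(bit_string, 1)
    _, nb, pos = _tlv(rsa_key, 0)
    _, eb, _ = _tlv(rsa_key, pos)
    return int.from_bytes(nb, "big"), int.from_bytes(eb, "big")


def pubkeys_line_to_pem(line):
    # One pubkeys.rsa line, "[addr] : PUB 0s..." (plainrsa-gen writes the public
    # line commented out with "#"), -> (addr or None, PEM for /etc/isakmpd/pubkeys/).
    addr, _, rest = line.lstrip("# ").strip().partition(":")
    words = rest.split()
    if len(words) != 2 or words[0] != "PUB":
        raise ValueError("not a public-key line: %r" % line)
    return (addr.strip() or None), rsa_to_pem(*racoon_to_rsa(words[1]))


if __name__ == "__main__":
    racoon = rsa_to_racoon(SAMPLE_N, SAMPLE_E)
    print("192.168.0.1 : PUB " + racoon)
    print(pubkeys_line_to_pem("# : PUB " + racoon)[1])
```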






Re: IPsec with a Linux road-warrior

2008-03-23 Thread scott
I have been using www.shrew.net ipsec (gui) client on my road warrior
ubuntu 7.10 (linux) machines very successfully with our openBSD 4.2
vpn/pf gateways.  I did have to use an openBSD-side isakmpd.conf method
vs. an ipsec.conf/ipsecctl method as I couldn't author an ipsec.conf
that worked.

shrew.net has a dependency on ipsec-tools 0.6.n or 0.7.0 (on the linux
machine), but it shields you from the grottiness of it while giving the
road warrior end-user a click and go vpn session.

The shrew.net client is about to version to 2.1.  While 2.0.x works for
me, if it doesn't for you, then 2.1 has many fixes and enhancements.

good luck.

-Original Message-
From: Tom Menari [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: IPsec with a Linux road-warrior
Date: Sat, 22 Mar 2008 23:23:42 +
Delivered-To: [EMAIL PROTECTED]

Can anyone recommend a client configuration for IPsec from a roaming
Linux machine that works with OpenBSD's ipsecctl?

I have tried Openswan and racoon and both have their problems.
Currently using X509 certificates but if anyone has public keys
working that would be good too.

Thanks,
Tom



Re: Would OpenBSD and Squid be considered a Proxy Firewall?

2008-03-23 Thread System Administrator
On 23 Mar 2008 at 7:58, Ed Flecko wrote:

 The book is called Counter Hack Reloaded: A Step-by-Step Guide to
 Computer Attacks and Effective Defenses (2nd Edition) -
 http://www.amazon.com/Counter-Hack-Reloaded-Step-Step/dp/0131481045/ref=pd_bbs_1?ie=UTF8&s=books&qid=1206284032&sr=8-1
 
 The author makes several references to proxy firewalls and implies
 they are more secure than traditional firewalls because they ignore
 typical reconnaissance, probing attempts like nmap, etc. because they
 function at the application layer.

Assuming you have correctly understood the author's intent, then he is 
completely wrong. There is no difference in the abilities of either 
proxy or packet-filtering firewalls to block probing (reconnaissance) 
attempts. In fact, it is much much easier to configure a stealthy (or 
invisible) firewall with a powerful packet filtering engine like 
OpenBSD's pf.

The main argument about proxy firewalls being more secure focuses on 
the ease of configuration, or more specifically on the fact that it is 
fairly easy for a novice to mis-configure a packet-filter wide open, 
whereas a well designed application gateway will preclude such a faux-
pas.

The second half of the same argument has to do with content analysis -- 
application gateways (proxies) by definition operate at the application 
layer and have an inherent ability to analyze the application specific 
data content and react accordingly, including extensive data re-writing 
and manipulation. A properly designed packet filter operates only on 
TCP/IP headers and is oblivious of the payload (data content). This is 
the reason OpenBSD's pf(4) requires the support of ftp-proxy(8) to 
allow FTP data transfers across the firewall. For a thorough discussion 
of this issue (payload manipulation on the firewall) please check the 
list archives -- there have been a number of excellent threads recently.

If you've come from the Linux world or have looked at some Linux-based 
commercial firewalls, you have probably seen the term deep packet 
inspection. That is an ugly hack whereby the packet filter uses 
various special cases to examine the payload of the packets passing the 
firewall. While at first glance this approach seems to provide more 
control than generic packet header filtering, it still falls way short 
of the capabilities and reliability of a true proxy -- after all, it 
still operates on individual packets and will miss many things due to 
normal or malicious fragmentation.

So, to bring it back to your original question, a typical SOHO OpenBSD 
firewall is a packet filtering firewall even with a Squid Cache 
running. After all, which part of the firewall actually implements the 
security policy and handles the traffic control?

BTW, even if you were to add some application gateways to your OpenBSD 
firewall, you would only have a hybrid firewall, i.e. one that 
combines the features and functionality of both packet filtering and 
proxying. The classic, or true proxy firewall turns IP forwarding off 
and requires that any traffic crossing the firewall use a dedicated 
proxy. Such firewalls are never transparent -- the client computers 
always make their connections to the firewall itself regardless of what 
the ultimate destination may be. Moreover, because they require a 
specialized application (the proxy) for every type of communication 
that is to be supported across the firewall, they are typically very 
expensive -- too many development hours for a share of a relatively 
small market of deep-pocketed customers ;-)

 
 Ed
 
 On Sat, Mar 22, 2008 at 7:38 AM, Lars Noodin [EMAIL PROTECTED] wrote:
  Ed Flecko wrote:
   I'm reading a book on network security and it mentions proxy
   firewalls ... are there other proxy firewalls the
   author is referring to?
 
   Which book?  Title, author, ISBN would help.  Or send a link to a
   review.
 
   As a matter of curiosity, has anyone run an nmap scan against an
   OpenBSD box with Squid? What did the scan results indicate?
 
   The results depend entirely on how you have Squid set up and how PF
   is configured.
 
   Regards,
   -Lars
 

-
System Administrator[EMAIL PROTECTED]
Bitwise Internet Technologies, Inc.
22 Drydock Avenue tel: (617) 737-1837
Boston, MA 02210  fax: (617) 439-4941



Re: PC Camera?

2008-03-23 Thread Jacob Meuser
On Sun, Mar 23, 2008 at 12:31:31PM -0700, Predrag Punosevac wrote:

 Moreover it is also hard to justify time
 spend in hacking those things if there is relatively inexpensive 
 hardware solution (video input devices supported by
 bktr can be bought for about $150 now vs a good USB camera is probably 
 at least $50).

heh.  check the second-hand store for bktr/bktr compatible hardware.

of course, a camcorder is much more bulky than a USB camera ...

 I hope somebody who knows more about this issue put the end to this 
 pointless discussion.

I think you've covered the bases pretty well.  although, if someone
does come up with a good, clean driver, who knows ...

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: soekris/pcenginges and RO mounting

2008-03-23 Thread Vincent Barus
On Sun, Mar 23, 2008 at 3:18 PM, Martin Marcher [EMAIL PROTECTED] wrote:
 Hello,

  being relatively new to obsd I have the problem of finding the right doc 
 parts.

  What I'm looking for are starting points to read about what to do when
  RO mounting the root fs (and all other parts) especially on CF-media.

  So my ultimate target would be to:

   * mount as much as possible RO
   * still have system logging available (nfs mounting, logserver,
  whatever suits best - any pointers welcome)
   * main concern is exhaustion of write cycles on CF media

  usage of the box will be a home router in the first place and probably
  expanding to a file server and pxe boot server with usb drives
  attached to it for storage.

  I am familiar with general (linux) process of RO mounting partitions
  but I don't have any experience with CF cards and read that it's
  probably best to RO mount CF-media. Forgive me the missing/wrong
  terminology but I found just too much infos/howtos with differing tips
  on wether to care about write cycles or not, or special needs to take
  care of with CF media.

  Hope it makes sense what I ask for

  thanks
  martin

  --
  http://tumblr.marcher.name
  https://twitter.com/MartinMarcher
  http://www.xing.com/profile/Martin_Marcher
  http://www.linkedin.com/in/martinmarcher

  You are not free to read this message,
  by doing so, you have violated my licence
  and are required to urinate publicly. Thank you.



Jonathan Weiss did a great job writing down his solution on this topic:

http://blog.innerewut.de/2005/05/14/openbsd-3-7-on-wrap
http://blog.innerewut.de/2005/05/19/openbsd-3-7-on-wrap-revised
http://blog.innerewut.de/2005/06/03/small-update-on-openbsd-3-7-on-wrap

Even though he used 3.7, his tutorial is still up to date. I use the method
on my pc-engines wrap.
If you want your system to just route your traffic and you don't need
the logs you can just mount everything ro, and you are able to pull the
plug if you want your system to shut down :)
That's what I do; I don't use rsync (mentioned in the tutorial) because
I don't need logs, mail etc.

But that's only useful if you don't use the router as file server.


~ vb



Re: minimac on openbsd

2008-03-23 Thread Marco S Hyman
sonjaya writes:
  Also default minimac is only 1 ethernet  how to add another ethernet
  can support in minimac and openbsd.

Yes.  My web/mail server is a mac mini.   The only problem was finding
a usb ethernet that worked.   I had to try three of them before I found
one supported.  This one works fine:

  axe0 at uhub0 port 6 configuration 1 interface 0 \
Cisco-Linksys USB200M v2 rev 2.00/0.01 addr 2
  axe0: AX88772, address 00:16:b6:ef:6e:83
  ukphy0 at axe0 phy 16: Generic IEEE 802.3u media interface, rev. 1: \
OUI 0x000ec6, model 0x0001

sonjaya also writes:
  any other device sugesstion?

Take a look at the back of the mini.   What openings in the case do you
see?  For a second wired ethernet your only choice is USB as OpenBSD
doesn't support firewire.  I don't know if the built in wireless works
as I've never tried it.  It is recognized by the kernel:

  ath0 at pci2 dev 0 function 0 Atheros AR5424 rev 0x01: apic 2 int 17 (irq 11)
  ath0: AR5424 10.3 phy 6.1 rf 10.2, WOR5_ETSIC, address 00:17:f2:4f:3f:75

Warning: the mini won't boot without a console attached.   I believe
you can make a dummy plug to fool it into thinking there is a console.
Also, you need this in your rc.local or someplace similar:

# Magic tweak to put a Mac mini in server mode meaning it will
# reboot after a power failure.  Requires machdep.allowaperture=1
# (or better)
#
if [ -x /usr/X11R6/bin/pcitweak ]; then
    /usr/X11R6/bin/pcitweak -w 00:1f:0 -b 0xa4 0x00
    if [ $(/usr/X11R6/bin/pcitweak -r 0:1f:0 -b 0xa4) = 0x00 ]; then
        echo -n ' server-mode'
    fi
fi

// marc



Re: Would OpenBSD and Squid be considered a Proxy Firewall?

2008-03-23 Thread Ed Flecko
In one section of the book (Page 301) the author contrasts nmap to
Firewalk. He says, "nmap cannot differentiate between what is open
on an end machine and what is being firewalled. Firewalk, on the other
hand, can determine if a given port is allowed through a
packet-filtering device. With this information, Firewalk allows an
attacker to determine your firewall rule set." I get the impression he
thinks Firewalk is superior to nmap (although he doesn't come right
out and SAY that).

He then shortly thereafter says, "Firewalk even works against
traditional and stateful packet filters, which both just decrement the
TTL by one. However, Firewalk does not work against proxy based
firewalls, because proxies do not forward packets. Instead, a proxy
application absorbs packets on one side of the gateway and creates a
new connection on the other side, destroying all TTL information in
the process. Packet filters actually forward the same packets, after
applying filtering rules, keeping the TTL relatively intact (albeit
decremented by one). So, although Firewalk is a highly effective
technique against packet filter firewalls, it does not work at all
against proxy firewalls. For services that the firewall is proxying,
Firewalk reports that the associated ports are closed."

Statements like this are what started me thinking I'd ask some of you
(who probably know a whole lot more about this than I do :-)) your
opinion about an OpenBSD with Squid.

It sounds like a powerful combination to me! :-)

Ed


Re: minimac on openbsd

2008-03-23 Thread Matthew Szudzik
 doesn't support firewire.  I don't know if the built in wireless works
 as I've never tried it.  It is recognized by the kernel:
 
    ath0 at pci2 dev 0 function 0 Atheros AR5424 rev 0x01: apic 2 int 17 (irq 11)

Atheros AR5424 wireless devices are not supported in OpenBSD.  See
 http://marc.info/?l=openbsd-miscm=118896011519883



Re: minimac on openbsd

2008-03-23 Thread Marco S Hyman
Matthew Szudzik writes:
   doesn't support firewire.  I don't know if the built in wireless works
   as I've never tried it.  It is recognized by the kernel:
   
  ath0 at pci2 dev 0 function 0 Atheros AR5424 rev 0x01: apic 2 int 17 (irq 11)
  
  Atheros AR5424 wireless devices are not supported in OpenBSD.  See
   http://marc.info/?l=openbsd-miscm=118896011519883

It may not work, don't know... but it is at least recognized by the
kernel.

$ ifconfig ath0
ath0: flags=8822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:17:f2:4f:3f:75
        groups: wlan
        media: IEEE802.11 autoselect
        status: no network
        ieee80211: nwid ""

// marc



Re: minimac on openbsd

2008-03-23 Thread Tasmanian Devil
  I don't know if the built in wireless works
  as I've never tried it.  It is recognized by the kernel:

    ath0 at pci2 dev 0 function 0 Atheros AR5424 rev 0x01: apic 2 int 17 (irq 11)
   ath0: AR5424 10.3 phy 6.1 rf 10.2, WOR5_ETSIC, address 00:17:f2:4f:3f:75


I didn't try to connect either, but an ifconfig -M ath0 works fine.

  Warning: the mini won't boot without a console attached.   I believe
  you can make a dummy plug to fool it into thinking there is a console.

Not console but monitor, that's what the EFI wants to see
hardware-wise. More details here:
http://marc.info/?l=openbsd-miscm=116493012410994

My mini which is in a datacenter has a resistor (a very, very tiny one
I got from an old harddisk PCB) soldered onto the monitor connector
internally.

  Also, you need this in your rc.local or someplace similar:

  # Magic tweak to put a Mac mini in server mode meaning it will
  # reboot after a power failure.  Requires machdep.allowaperture=1
  # (or better)
  #
  if [ -x /usr/X11R6/bin/pcitweak ]; then
      /usr/X11R6/bin/pcitweak -w 00:1f:0 -b 0xa4 0x00
      if [ $(/usr/X11R6/bin/pcitweak -r 0:1f:0 -b 0xa4) = 0x00 ]; then
          echo -n ' server-mode'
      fi
  fi

As I found out recently, there's fortunately no need for
machdep.allowaperture=1 if you don't need X and run that script early
enough, in /etc/rc.securelevel (or in /etc/rc, if you want to patch
that file, which is not recommended, but works fine for me).

You might need machdep.allowaperture=1 temporarily to check if
everything works though.

pcitweak is in the xserv archive, but if you don't need anything else
from that, it's sufficient to extract just that file with something
like this:

tar -C / -xzphf ${RELEASEPATH}/xserv43.tgz ./usr/X11R6/bin/pcitweak

Tas.



can your 82c686 auvia(4) record properly?

2008-03-23 Thread Jacob Meuser
hi

if anyone has an 82c686 auvia(4) and can confirm whether recording
does or does not work, I'd like to know.

I know the 8233 auvia(4) devices do not record properly.

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



Upcoming PostgreSQL Update to version 8.3.1

2008-03-23 Thread Marc Balmer

(This is a crosspost from [EMAIL PROTECTED]; I want to make
sure this reaches all OpenBSD/PostgreSQL users)


PostgreSQL users,

shortly the PostgreSQL port in OpenBSD will be updated from version
8.2.6 to 8.3.1.  This is a major update and you have to dump your
databases before update and restore them afterwards.

** DUMP AND RESTORE IS NEEDED **

But there is more to look after:  Versions of PostgreSQL prior to
8.3.x had a feature (or bug...) called "implicit typecast".  Functions
that expect an argument to be of a certain type would cast a variable
of any other type to the expected type, if possible.

E.g.  the function now() returns a date and time, but not a 'text'
variable.  But an expression like substr(now(), 1, 5) was valid,
because the result of now() was implicitly cast to ::text.

With PostgreSQL 8.3.x, this is no longer the case.  Implicit typecasts
are gone.  You have to explicitly cast to the right type; the above
example would have to be written as substr(now()::text, 1, 5).

If you make use of functions or use PL/PGSQL, watch for such
constructs.

It is, however, unlikely that you run into trouble, from the
applications simon@ and I looked at, we found only one that was
affected by this and the problem was fixed in about ten minutes.

NB: the update is not yet committed.  This is an _advance_ information
so that you don't forget to dump/restore your databases.  I included
a few people in BCC that mailed me after the last PostgreSQL update;
people who forgot to dump their databases before they updated the
port (and got into trouble)  See this as a gentle reminder ;P

(The update to 8.3.1 was mostly prepared by simon@ and tested by
him and me.)



Re: Would OpenBSD and Squid be considered a Proxy Firewall?

2008-03-23 Thread Stuart Henderson
On 2008-03-23, Ed Flecko [EMAIL PROTECTED] wrote:

 He then shortly thereafter says, Firewalk even works against
 traditional and stateful packet filters, which both just decrement the
 TTL by one. However, Firewalk does not work against proxy based
 firewalls, because proxies do not forward packets. Instead, a proxy
 application absorbs packets on one side of the gateway and creates a
 new connection on the other side, destroying all TTL information in
 the process. Packet filters actually forward the same packets, after
 applying filtering rules,

PF's scrub option can help. Or if you want an actual proxy, relayd can
do interesting things.

Packet filters don't have to decrement TTL, btw.

 Statements like this are what started me thinking I'd ask some of you
 (who probably know a whole lot more about this than I do :-)) your
 opinion about an OpenBSD with Squid.

 It sounds like a powerful combination to me! :-)

It adds a lot of complexity. Squid is not a small simple piece of software...



Re: PC Camera?

2008-03-23 Thread Unix Fan
There is a USB standard for USB Cameras among other video devices... It's 
called USB Video Device Class.



The specification is available to download... if anyone feels brave enough to write 
a driver for UVC class devices... ;)



@Sunnz, Unsupported USB devices always attach to ugen, read the manual 
page then you'll realize how silly you are.. ;)



http://en.wikipedia.org/wiki/USB_video_device_class



This seems to be a driver for:

OpenSolaris: 
http://www.opensolaris.org/os/community/device_drivers/projects/usb/uvc/ 

Linux: http://linux-uvc.berlios.de/

Mac OSX..

Microsoft's Vista - Which seems to require all vendors implement the standard..

...And Sony's Playstation 3.



So who's working on OpenBSD's implementation? get busy!! :D :D :D







-Nix Fan.




Re: minimac on openbsd

2008-03-23 Thread Ted Unangst
On 3/23/08, sonjaya [EMAIL PROTECTED] wrote:
 any other device sugesstion?

Trade the Mac to somebody for another computer that's more expandable.



Re: soekris/pcenginges and RO mounting

2008-03-23 Thread Martin Marcher
wow, lots of stuff to read and extract from your mails
 
I hope I can at least bring myself to write a summary about all the
setup process once it's done.

thanks
martin

On Sun, Mar 23, 2008 at 11:09 PM, Vincent Barus [EMAIL PROTECTED] wrote:

 On Sun, Mar 23, 2008 at 3:18 PM, Martin Marcher [EMAIL PROTECTED] wrote:
   Hello,
  
being relatively new to obsd I have the problem of finding the right doc 
 parts.
  
What I'm looking for are starting points to read about what to do when
RO mounting the root fs (and all other parts) especially on CF-media.
  
So my ultimate target would be to:
  
 * mount as much as possible RO
 * still have system logging available (nfs mounting, logserver,
whatever suits best - any pointers welcome)
 * main concern is exhaustion of write cycles on CF media
  
usage of the box will be a home router in the first place and probably
expanding to a file server and pxe boot server with usb drives
attached to it for storage.
  
I am familiar with general (linux) process of RO mounting partitions
but I don't have any experience with CF cards and read that it's
probably best to RO mount CF-media. Forgive me the missing/wrong
terminology but I found just too much info/howtos with differing tips
on whether to care about write cycles or not, or special needs to take
care of with CF media.
  
Hope it makes sense what I ask for
  
thanks
martin
  
--
http://tumblr.marcher.name
https://twitter.com/MartinMarcher
http://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher
  
You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.
  
  

  Jonathan Weiss did a great job writing down his solution on this topic:

  http://blog.innerewut.de/2005/05/14/openbsd-3-7-on-wrap
  http://blog.innerewut.de/2005/05/19/openbsd-3-7-on-wrap-revised
  http://blog.innerewut.de/2005/06/03/small-update-on-openbsd-3-7-on-wrap

  Even if he used 3.7 his tutorial is still up to date. I use the method
  on my pc-engines wrap.
  If you want your system to just route your traffic and you don't need
  the logs you can just mount everything ro and you are able to pull the
  plug if you want your system to shut down :)
  That's what I do, I don't use rsync (mentioned in the tutorial) because
  I don't need logs, mail etc.

  But that's only useful if you don't use the router as file server.


  ~ vb





-- 
http://tumblr.marcher.name
https://twitter.com/MartinMarcher
http://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher

You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.
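One way to lay out the mounts Martin asks about, as an added example that is not from this thread or from the linked tutorial: /etc/fstab with root and /usr read-only, a memory file system for /tmp, /var on its own small partition, and syslog forwarding to a log host so nothing important has to be written to the CF card. The device names (wd0a/d/e), the mfs size and the host name loghost are assumptions.

```conf
# /etc/fstab (added example; device names and sizes are assumptions)
# Root and /usr are never written to in normal operation, so they are
# mounted read-only: no write cycles on the CF card, and a power cut
# cannot leave them in an inconsistent state.
/dev/wd0a /     ffs ro 1 1
/dev/wd0d /usr  ffs ro,nodev 1 2
# /tmp lives in RAM. mfs is created empty on every boot, so its
# contents are lost on power loss, which is fine for scratch space.
# -s is the size in 512-byte sectors: 32768 sectors = 16 MB.
swap      /tmp  mfs rw,nodev,nosuid,-s=32768 0 0
# /var is the one part that still needs writes (logs, package db,
# spool). Keeping it on its own partition confines any write failure
# to that file system. If you do not need local logs or mail it can
# also be an mfs that is repopulated from a skeleton at boot time.
/dev/wd0e /var  ffs rw,nodev,nosuid 1 2

# /etc/syslog.conf (excerpt): send every message to a log host so
# nothing has to be kept on the flash card. "loghost" is an assumed
# name that must resolve via /etc/hosts or DNS.
*.*   @loghost
```

With root read-only, tools that expect to write under /etc (passwd, adding users) need a temporary `mount -uw /` and a `mount -ur /` afterwards.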



mediawiki setup

2008-03-23 Thread David Newman

Two questions about mediawiki that I didn't find in the misc archives:

1. On a 4.2 i386 box, installing mediawiki from ports died during tk 
install with the header error pasted below. This box has xbase installed 
but none of the rest of the X stuff.


How to remedy?

2. The package and port are version 1.9 while current stable source is 
at version 1.12. The release notes for 1.10-1.12 mention fixes for some 
cross-site scripting and other vulnerabilities.


For OBSD boxes I understand that packages are preferred and often 
improve on security, protocol and code correctness, and documentation 
compared with similar releases for other OSs.


Purely from a security standpoint, which is preferable: installing the 
1.9 version from packages or ports, or building the current release from 
sources?


thanks

dn




===  Building for tk-8.4.7p1
cc -pipe -c -O2 -pipe  -Wall -Wno-implicit-int -fno-strict-aliasing 
-fPIC  -I/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/unix 
-I/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/unix/../generic 
-I/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/unix/../bitmaps 
-I/usr/local/include/tcl8.4/generic   -DHAVE_UNISTD_H=1 
-DHAVE_LIMITS_H=1 -DTCL_WIDE_INT_TYPE=long\ long -DSTDC_HEADERS=1 
-DHAVE_SYS_TIME_H=1 -DTIME_WITH_SYS_TIME=1 -DHAVE_PW_GECOS=1 
-DTCL_NO_DEPRECATED 
/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/unix/../generic/tk3d.c
In file included from 
/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/generic/tkInt.h:21,
 from 
/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/generic/tk3d.h:18,
 from 
/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/generic/tk3d.c:16:
/usr/ports/x11/tk/8.4/w-tk-8.4.7p1/tk8.4.7/generic/tk.h:96:29: 
X11/Xlib.h: No such file or directory


many more screens of errors deleted






dn



OpenBSD support of EFI?

2008-03-23 Thread Fred Snurd
Please excuse my ignorance.


In reading through the recent Intel Mac Mini thread, I'm confused by what 
appears to be OpenBSD's support?  OpenBSD now supports EFI?  Or does EFI have some 
compatibility mode with the older BIOS standard?


Any information would be greatly appreciated.







Re: OpenBSD support of EFI?

2008-03-23 Thread Tasmanian Devil
  In reading through the recent Intel Mac Mini thread, I'm confused by what 
 appears to be OpenBSD's support?  OpenBSD now supports EFI?  Or does EFI have some 
 compatibility mode with the older BIOS standard?

It emulates a standard BIOS if it can't find Apple specific info on
any of the boot devices, as far as I know. So for OpenBSD it looks
like a usual PC.

Tas.



Re: OpenBSD support of EFI?

2008-03-23 Thread Unix Fan
Fred Snurd wrote:

 In reading through the recent Intel Mac Mini thread, I'm confused by what 
 appears to be OpenBSD's support?  OpenBSD now supports EFI?   Or does EFI have 
 some compatibility mode with the older BIOS standard?



No.



In the case of modern Intel Macs, they have something called Boot Camp that 
emulates the classic PC BIOS interrupts and services..



There is no EFI boot loader for OpenBSD. ;)







-Nix Fan.




Re: OpenBSD support of EFI?

2008-03-23 Thread Tasmanian Devil
  In the case of modern Intel Macs, they have something called Boot Camp 
 that emulates the classic PC BIOS interrupts and services..

Um, no. EFI does that on its own, also with an empty or without a
hard disk. Boot Camp is a software which runs on OS X, which contains
Windows drivers and which can prepare a partition for the installation
of a second, additional OS like Windows on the hard disk. It has nothing to
do with EFI, except that it uses the BIOS emulation of the EFI to be
able to boot from that prepared non-OS X partition.

You could install a second, additional OS also completely without Boot
Camp, with just the tools which come with OS X (to resize the OS X
system partition etc.).

  There is no EFI boot loader for OpenBSD. ;)

That's right.

Tas.