Re: Debian libssl security (Cause???)
On Fri, May 16, 2008 at 04:02:48PM -0400, Ted Unangst wrote:

  On 5/16/08, Ross Cameron [EMAIL PROTECTED] wrote:

    Mmm this isn't the first time I've heard of bogus reports from Valgrind. How does one politely inform the Debian project to not trust it explicitly and to human audit anything it flags?

  I think people are placing too much blame on valgrind. valgrind doesn't tell you "Delete this line of code." It says "You are using uninitialized memory here." The correct fix is to initialize the memory, not delete the line of code. It's not about trusting or not trusting the tool; it's about responding correctly. I've seen innocuous valgrind reports, but never wrong ones. I also saw a valgrind report ignored as innocuous because it didn't seem to cause trouble, only to be the root cause of a problem that cost a minimum of $50,000 to resolve later.

Yeah, using tools such as valgrind can help a lot, but the danger side is that it will cause actions to be taken by people who do not understand the code, just to silence valgrind. Since valgrind flags the location of the use of uninitialized mem, and--of course--not the root cause, developers can easily be misled and apply the wrong fix. I think we have a clear demonstration of the danger of using a tool without proper understanding of the code here. In addition, the vague posts from both sides on openssl-dev mailing lists did not help either.

-Otto
Re: Debian libssl security (Cause???)
On Sat, 2008-05-17 at 08:36 +0200, Otto Moerbeek wrote:

  Yeah, using tools such as valgrind can help a lot, but the danger side is that it will cause actions to be taken by people who do not understand the code, just to silence valgrind. Since valgrind flags the location of the use of uninitialized mem, and--of course--not the root cause, developers can easily be misled and apply the wrong fix. I think we have a clear demonstration of the danger of using a tool without proper understanding of the code here. In addition, the vague posts from both sides on openssl-dev mailing lists did not help either.

  -Otto

This might be a good example. I'm working on a CLI which is rapidly turning into a mini-shell. I'm not using readline, or other commonly used things to gather input; for the purposes of my own learning and keeping code portable I've elected to write my own functions. Every time I make major changes, I run the program through valgrind. Example results:

  ==10858==
  ==10858== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 1)
  ==10858== malloc/free: in use at exit: 48 bytes in 5 blocks.
  ==10858== malloc/free: 12 allocs, 7 frees, 4,182 bytes allocated.
  ==10858== For counts of detected errors, rerun with: -v
  ==10858== searching for pointers to 5 not-freed blocks.
  ==10858== checked 63,724 bytes.
  ==10858==
  ==10858== LEAK SUMMARY:
  ==10858==    definitely lost: 37 bytes in 3 blocks.
  ==10858==      possibly lost: 0 bytes in 0 blocks.
  ==10858==    still reachable: 11 bytes in 2 blocks.
  ==10858==         suppressed: 0 bytes in 0 blocks.
  ==10858== Use --leak-check=full to see details of leaked memory.

As you can see, my program is in its infancy and not much is allocated. I have a leak due to some input stuff not freeing things that are strdup()'ed (I know about this) and I have done a pretty good job of being defensive so far. If something I inherit from libc leaks or throws errors, I quickly know and can explain it. It's not my program, it's stuff I used from xxx function.

Valgrind is something that is (ideally) used as you go. If you screw up, it will tell you. It should not be dismissed like trivial compiler warnings, but it should also not invoke some kind of knee-jerk reaction. It's not exactly the world's best auditing tool for someone who is not used to using it every step of the way. Taking something you are unfamiliar with and trying to correct whatever valgrind complains about is asking for trouble beyond trivial warnings.

What amazes me about this whole mess is that at least 1/3 of the GNU core utilities issue many complaints but they are ignored. When you package software, the only reason for squelching the valgrind results of other people's work is to keep those who install your package from asking about those warnings.

Like I said in previous posts, shit happens. Nobody needs to be nailed to a cross for this. The lesson to be learned is:

Q. Why does your x-y-z package throw so many warnings?
A. I am not quite sure, I'm going to ask the developers who wrote it. Well, I know why it's happening, but I can't quite be sure why the code that causes it is in there.

Cheers,
--Tim
--
Monkey + Typewriter = Echoreply ( http://echoreply.us )
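The point Otto and Tim are both making (valgrind reports the place where uninitialized memory is used, and the fix is to initialize it, not to delete the code that uses it) can be shown in a few lines of C. The following is an added example, not code from this thread or from OpenSSL: `pool_t`, `add_entropy`, `seed_after_wrong_fix` and `seed_after_right_fix` are made-up names, and the mixing function is a toy FNV-style hash, not a real CSPRNG. It contrasts the two possible responses to the same report and includes a check a reviewer can run to tell them apart.

```c
/* Added example (not from the thread): the two ways to react to a valgrind
 * "use of uninitialised value" report, side by side.  All names are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t state; } pool_t;   /* toy entropy pool, illustration only */

/* Mix len bytes of buf into the pool (FNV-1a style hash; not a real CSPRNG). */
static void add_entropy(pool_t *p, const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        p->state ^= buf[i];
        p->state *= 16777619u;
    }
}

/* The "wrong fix": the mixing statement valgrind pointed at was deleted.
 * valgrind is now silent, but the pool no longer absorbs ANY input. */
static void add_entropy_wrong_fix(pool_t *p, const unsigned char *buf, size_t len)
{
    (void)p; (void)buf; (void)len;   /* nothing is mixed in any more */
}

#define SCRATCH_LEN 8   /* size of the buffer that was never initialized */

/* Seeding as left behind by the wrong fix.  Before the "fix" the scratch
 * buffer below was passed to add_entropy() without ever being written, which
 * is exactly what valgrind reported.  Now the result ignores real_entropy. */
uint32_t seed_after_wrong_fix(const unsigned char *real_entropy, size_t n)
{
    pool_t p = { 2166136261u };          /* FNV offset basis as starting state */
    unsigned char scratch[SCRATCH_LEN];  /* still uninitialized, but never read now */
    add_entropy_wrong_fix(&p, real_entropy, n);
    add_entropy_wrong_fix(&p, scratch, sizeof scratch);
    return p.state;
}

/* The right fix: initialize the memory valgrind complained about and keep the
 * mixing code.  Every byte handed to the pool is now defined, and the real
 * entropy input still drives the result. */
uint32_t seed_after_right_fix(const unsigned char *real_entropy, size_t n)
{
    pool_t p = { 2166136261u };
    unsigned char scratch[SCRATCH_LEN];
    memset(scratch, 0, sizeof scratch);  /* the one-line fix the report asked for */
    add_entropy(&p, real_entropy, n);
    add_entropy(&p, scratch, sizeof scratch);
    return p.state;
}

/* Reviewer's check: 1 if two different inputs give different seeds,
 * 0 if the seeding routine ignores its input (the symptom of the wrong fix). */
int seeding_depends_on_input(uint32_t (*seed)(const unsigned char *, size_t))
{
    const unsigned char a[] = "constructed-input-A";   /* constructed sample input */
    const unsigned char b[] = "constructed-input-B";
    return seed(a, sizeof a - 1) != seed(b, sizeof b - 1);
}

int main(void)
{
    printf("wrong fix: seed depends on input? %s\n",
           seeding_depends_on_input(seed_after_wrong_fix) ? "yes" : "no");
    printf("right fix: seed depends on input? %s\n",
           seeding_depends_on_input(seed_after_right_fix) ? "yes" : "no");
    return 0;
}
```

Run under `valgrind ./a.out` both variants are clean, which is the trap: silence from the tool says nothing about whether the output still carries entropy. The `seeding_depends_on_input` check is the kind of test that distinguishes the two, and it is the check a packager who does not know the code should ask for before touching a line a memory checker flagged.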
Re: geom network driver times out on sparc 4.2?
Hi,

I was unable to get the obp upgrade to boot when put on an openbsd disk. I guess, but don't know for sure, that the sequence is:

- obp starts
- obp reads something
- something starts
- something reads the rest of the command line and reads the kernel.

This something doesn't read the obp upgrade. If you compare the upgrade OBP with netboot to the diskless man page, the thing loaded across the network via tftp when openbsd boots is ofwboot.net. The thing loaded with tftp is the actual upgrade program of obp in that case.

cheers
bruce

On Fri, May 16, 2008 at 09:03:40PM +, Jay wrote:

  well, of course OB can read the file system. It loads the kernel after all. The instructions are encouraging: OB boot disk /flash-update. Cool, like, the flash-update is a kernel? Well, not that, but a program runnable as if it is a kernel? But it looks like the OS, er, the OS installer, is between OB and the kernel; specifically there are some boot blocks installed by the OS, and the OpenBSD ones don't recognize the file format of the flash-update. Darn. Maybe there is a way?

  - Jay

  From: [EMAIL PROTECTED]: [EMAIL PROTECTED]; [EMAIL PROTECTED]: [EMAIL PROTECTED]: RE: geom network driver times out on sparc 4.2?
  Date: Fri, 16 May 2008 20:17:26 +

    Awesome, thanks! Normally I would have said I have never netbooted; it seems too hard to set up but those look like great instructions. And I was almost right in my paranoia about needing Solaris. I still wonder though -- if OpenBSD's UFS is the same format as Solaris's, or if OpenBSD can create a Solaris format of file system, then I think OpenBoot can read the files. And if not, not. I think. Mitigating factors: I got 4.3 in the mail that supposedly fixes this. The wireless networking is working fine. The OBP isn't even known to fix this, but hopefully. But yeah, running old OBP/BIOS not great.

    - Jay

    Date: Fri, 16 May 2008 21:21:46 +0200
    From: [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    CC: [EMAIL PROTECTED]; misc@openbsd.org
    Subject: Re: geom network driver times out on sparc 4.2?

      So, just as I say this, the page is at: http://www.SMTPS.net/netboot_flash_obp.html
      I did an Ultra 10 this way with no problems. I may have done an Ultra2 as well.

      cheers
      bruce

      On Thu, May 15, 2008 at 07:59:48AM +0100, Sevan / Venture37 wrote:

        And dumb me, I didn't consider OBP as helping the install too. So the questions remain if I can install OBP without Solaris, and if I'll have to crack open the case. I'll see...

        From the OBP update page:
        Note 1: This utility is *not* OS-dependent. The list of releases shown under the Solaris Release and SunOS Release sections may not be complete: The absence of a valid Solaris Release or SunOS Release from the lists above does not preclude the installation of this patch against the hardware.
wpi-firmware upgrade on 4.3
As a part of upgrading from 4.2 to 4.3 I needed to upgrade wpi-firmware to v2.14.1.5, as this package is not available from the package list. I needed to set PKG_PATH to http://damien.bergamini.free.fr/packages/openbsd/ and then run

  pkg_add -ui -F update -F updatedepends wpi-firmware

and then choose the latest version from the options list. I was wondering if there's any easier way to upgrade this package? Thanks.
Re: geom network driver times out on sparc 4.2?
Agreed. "something" is boot blocks and they are installed by the OS. The flash-update is a 32-bit ELF file and I imagine the OpenBSD/sparc64 boot blocks only like 64-bit ELF. (Per my other unrelated question -- I was wrong, OpenBSD/sparc64 is pure 64 bit, gcc -m32 doesn't work (from a certain point of view, yes I realize it does exactly what it is meant to do, and it is arguably superior this way, rather than open a can of worms as to just what is the architecture of the OS, some hard to pin down hybrid, or simply only SPARC64.)

It is probably possible and not difficult to temporarily install the Solaris boot blocks (such as from the environment booting the Solaris install CD gives you), boot the flash-update, and then put back the OpenBSD boot blocks. I haven't really tried yet.

It might even be possible, like, to say boot cdrom /blahblah/ or boot floppy /blahblahblah where /blahblahblah is, you know, normally just like bsd or /update-flash, the kernel or the program to run, relative to the device, but maybe you can use a device path there at the start and have the boot blocks on one device read the kernel (or rather update-flash) from another device.

The flash-update is also 1.4something meg in size, which I thought therefore might fit on a floppy and be bootable completely from there, but I didn't have luck with that. The floppy drive wasn't working from OpenBSD and the floppy I produced on NT doesn't work. The size is maybe just a coincidence, and heck maybe I misread the number of digits, it was 14something. I was too lazy to determine the actual value of 1.44meg -- LAZY of me, so easy to have done... I'll experiment later.

I blew away my Linux/macppc and started OpenBSD/macppc install so I can try the netboot (which is something I want to try anyway). I know those directions aren't specific to macppc, or even OpenBSD, but I have no other OpenBSD machines currently, the Mac was a good candidate, and I might as well not risk Linux or MacOSX varying in an area I'm not confident in. btw, those instructions were good, but the man page looks quite good as well, maybe identical.

Thanks again, I'll report back later (in case anyone cares.. hey the mailing list is misc, not dev-important.. :) )

- Jay

Date: Sat, 17 May 2008 09:42:20 +0200
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]; misc@openbsd.org
Subject: Re: geom network driver times out on sparc 4.2?

  Hi,

  I was unable to get the obp upgrade to boot when put on an openbsd disk. I guess, but don't know for sure, that the sequence is:

  - obp starts
  - obp reads something
  - something starts
  - something reads the rest of the command line and reads the kernel.

  This something doesn't read the obp upgrade. If you compare the upgrade OBP with netboot to the diskless man page, the thing loaded across the network via tftp when openbsd boots is ofwboot.net. The thing loaded with tftp is the actual upgrade program of obp in that case.

  cheers
  bruce

  On Fri, May 16, 2008 at 09:03:40PM +, Jay wrote:

    well, of course OB can read the file system. It loads the kernel after all. The instructions are encouraging: OB boot disk /flash-update. Cool, like, the flash-update is a kernel? Well, not that, but a program runnable as if it is a kernel? But it looks like the OS, er, the OS installer, is between OB and the kernel; specifically there are some boot blocks installed by the OS, and the OpenBSD ones don't recognize the file format of the flash-update. Darn. Maybe there is a way?
OpenBSD as MS RIS-Server alternative?
Hello everybody,

I would like to know if it's possible to use OpenBSD as RIS-Server to install Windows via Network. I played around with this for 2 weeks now but I can't figure out how it gets done. Something is missing (maybe a dhcp-option?! :( )

I use OpenBSD to provide kinda anything to connected PCs (remote install, diagnostics, secure hdd formatting (0,1,0 and other standards)). Also I face problems to provide VistaPE (it won't really boot, bootloader comes up but then the bcd seems to be corrupted in some way).

So if somebody here also administrates Windows-Servers (I don't know that much about 'em :/) and knows how to emulate a RIS please tell me. I would love to replace the Windows Box (the Imaging-Server was already replaced). The only things I've found with google were people using MS RIS to install OpenBSD (scary, or? :p) but not vice versa.

Kind regards,
Sebastian
Re: Time for OBSD everywhere?
Paul de Weerd wrote:

  [snip] Depending on the origin and contents of the presentation you can:
  1) Tell the originator to stop sending you MS docs

In the long run, this is the most advantageous. PDF/A is an option for read-only. For those stuck on legacy applications and a need for editable documents, there is a plug-in from Sun to allow use of standard formats: http://www.sun.com/software/star/odf_plugin/get.jsp

There is also a viewer which works, but could use improvement: http://opendocumentfellowship.com/odfviewer

If the viewer is something someone here would like to get paid to take further, let me know off list.

Regards,
-Lars
Re: Latest supported jdk on OpenBSD
On Fri, 16 May 2008 21:03:17 -0300 John Nietzsche [EMAIL PROTECTED] wrote:

  Dear users, i would like to add support for java on my 4.3 openbsd desktop. Has anybody already done so? May you point a url where i could download the package(s) from?

As others have pointed out, instructions are in FAQ 8 13. Type 'make' in the appropriate ports directory and you will get an error message telling you exactly what to download manually. It took about 10 hours to build on a PIII 800MHz Thinkpad and you need a few GB diskspace - works perfectly!
Re: OLPC inks agreement with Microsoft
Josh Grosse wrote:

  ... 1. The decision to push for WXP to replace Linux was due to pressure from prospective buyers of the XO laptop, which was slowing sales. 'The people who buy the machines are not the children who use them, but government officials in most cases,' said Nicholas Negroponte, founder of the nonprofit group. 'And those people are much more comfortable with {expletive deleted}.' ...

My contact with directors and high level managers, the occasional CxO, etc. suggests that they are usually just more familiar with the brand name rather than any specific interface. Or, perhaps more commonly, they have signed onto some kind of ideology or myth which is flagged to the outside world by continued use of that brand. Most common seems to be a bit of that last combined with a heavy dose of personal financial investments and/or close relatives with personal financial investments in that brand.

As far as the technology goes, most are unlikely to (as a user) notice much of a difference between a nicely configured and painted OpenBSD setup with Xfce or an even leaner, but decorative, DE. In the case of OLPC it is Sugar on Linux. Either way, they probably would not notice without someone telling them to notice, except that over time they might notice the better performance and excellent uptime.

It's hard to say about Negroponte just now, without having met him, but from a distance it seems he's knuckling under and compromising the learning advantages in exchange for marginally increased acceptance in a technopolitical ideology that's rapidly waning. YMMV.

Regards,
-Lars
Re: Latest supported jdk on OpenBSD
On Sat, May 17, 2008 at 11:34 AM, Matthew Szudzik [EMAIL PROTECTED] wrote:

  On Fri, May 16, 2008 at 09:03:17PM -0300, John Nietzsche wrote:

    i would like to add support for java on my 4.3 openbsd desktop. Has anybody already done so? May you point a url where i could download the package(s) from?

  As the previous posters have pointed out, there are no JDK binary packages available for OpenBSD 4.3--you have to fetch and build the JDK from source yourself. But in OpenBSD 4.4 (which will be released in November), that situation will change, and binary packages for Java will be available. See http://www.undeadly.org/cgi?action=articlesid=20080321023803

Installing JDK manually is a royal pain at the moment. Clicking all those websites, accepting license agreements, downloading and then compiling the whole thing _does_ take hours. It would be really awesome to have Java available as a package as of 4.4!
Re: wpi-firmware upgrade on 4.3
On 2008-05-17, Chris [EMAIL PROTECTED] wrote:

  As a part of upgrading from 4.2 to 4.3 I needed to upgrade wpi-firmware to v2.14.1.5, as this package is not available from the package list. I needed to set PKG_PATH to http://damien.bergamini.free.fr/packages/openbsd/ and then run pkg_add -ui -F update -F updatedepends wpi-firmware and then choose the latest version from the options list. I was wondering if there's any easier way to upgrade this package?

according to the man page, the person to contact about this is [EMAIL PROTECTED]

  This firmware file is not free because Intel refuses to grant distribution rights without contractual obligations. As a result, even though OpenBSD includes the driver, the firmware file cannot be included and users have to download this file on their own. The official person to state your views to about this issue is [EMAIL PROTECTED]
Re: OLPC inks agreement with Microsoft
On 2008-05-16, Josh Grosse [EMAIL PROTECTED] wrote: This slashdot posting: http://tech.slashdot.org/article.pl?sid=08/05/15/2320243 references a New York Times article published today by Steve Lohr describing a new agreement with Microsoft It also references a pretty interesting article from Krstic..
wpi-firmware upgrade on 4.3
***YOUR EMAIL HAS NOT BEEN RECEIVED BY INTEL***
Intel is no longer monitoring this email address. Please visit http://support.intel.com for technical support information or use http://www.intel.com/feedback.htm to locate an option to resubmit your question.
==
(c) 2007 Intel Corporation * Legal Information (http://www.intel.com/sites/corporate/tradmarx.htm) Privacy Policy (http://www.intel.com/sites/corporate/privacy.htm)
==

The manpage needs an update! I mailed this person too today because I hate Intel's attitude! Is there any real chance all major BSDs+Linux may unite to get the rights of distribution? Maybe we could get Dell aboard, or Lenovo. Also the enhanced speedstep is biting me because I got responses that the devs can't support it correctly because Intel does not provide docs! :(

I wrote a mail to the person mentioned in the manpage + [EMAIL PROTECTED]. I doubt I will get a response and I start to hate Intel right now for even forcing me to write an e-Mail just to get a fucking piece of firmware distributed for free. Using RaLink is an option of course (are there any compatible mini PCI cards comparable to the 4965AGN? (signal quality (receiving/sending))

It would be great if OpenBSD may kick off another "call the vendor and tell them about it and do it NOW" project like it was done with some other vendors. Intel claims to support Open Source but the lack of firmware + enhanced speedstep pisses me off. :(

Kind regards,
Sebastian
Re: relayd and src track
Hi, Looking into pf_ioctl.c and pfvar.h I've found that there is an undocumented (for some unknown reason) IOCTL - DIOCKILLSRCNODES. Further investigation revealed that it's purpose is to remove single node from source tracking tree. So the simplest way is find out what connections should be removed and kill them. But in sync_table we have only the final table, so connections to remove are in the pf table but not in the final table. To find them it is simplest to get previous table from pf, and subtract from it the final table. And then to remove found items from source tracking tree. That's exactly what is done in the diff below. best regards MichaE Koc Index: pfe_filter.c === RCS file: /cvs/src/usr.sbin/relayd/pfe_filter.c,v retrieving revision 1.27 diff -u -r1.27 pfe_filter.c --- pfe_filter.c16 May 2008 14:47:58 -1.27 +++ pfe_filter.c17 May 2008 13:46:43 - @@ -157,8 +157,12 @@ sync_table(struct relayd *env, struct rdr *rdr, struct table *table) { int i; +int j; +int cs; struct pfioc_table io; +struct pfioc_src_node_kill iok; struct pfr_addr*addlist; +struct pfr_addr*curlist; struct sockaddr_in*sain; struct sockaddr_in6*sain6; struct host*host; @@ -179,9 +183,7 @@ memset(io, 0, sizeof(io)); io.pfrio_esize = sizeof(struct pfr_addr); -io.pfrio_size = table-up; io.pfrio_size2 = 0; -io.pfrio_buffer = addlist; if (strlcpy(io.pfrio_table.pfrt_anchor, RELAYD_ANCHOR /, sizeof(io.pfrio_table.pfrt_anchor)) = PF_ANCHOR_NAME_SIZE) goto toolong; 
@@ -193,6 +195,28 @@ sizeof(io.pfrio_table.pfrt_name)) goto toolong; +cs = 0; +curlist = 0; + +if (rdr-conf.flags F_STICKY) { +io.pfrio_size = 0; +io.pfrio_buffer = 0; +if (ioctl(env-sc_pf-dev, DIOCRGETADDRS, io) == -1) +fatal(sync_table: cannot get number of address); + +if ((cs = io.pfrio_size)) { +if ((curlist = calloc(cs, sizeof(*curlist))) == NULL) +fatal(calloc); + +io.pfrio_buffer = curlist; +if (ioctl(env-sc_pf-dev, DIOCRGETADDRS, io) == -1) +fatal(sync_table: cannot get address list); +} +} + +io.pfrio_size = table-up; +io.pfrio_buffer = addlist; + i = 0; TAILQ_FOREACH(host, table-hosts, entry) { if (host-up != HOST_UP) @@ -205,6 +229,11 @@ memcpy((addlist[i].pfra_ip4addr), sain-sin_addr, sizeof(sain-sin_addr)); addlist[i].pfra_net = 32; +for (j = 0; j cs; ++j) +if (!memcmp(sain-sin_addr, +(curlist[j].pfra_ip4addr), +sizeof(sain-sin_addr))) +break; break; case AF_INET6: sain6 = (struct sockaddr_in6 *)host-conf.ss; @@ -212,11 +241,17 @@ memcpy((addlist[i].pfra_ip6addr), sain6-sin6_addr, sizeof(sain6-sin6_addr)); addlist[i].pfra_net = 128; +for (j = 0; j cs; ++j) +if (!memcmp(sain6-sin6_addr, +(curlist[j].pfra_ip6addr), +sizeof(sain6-sin6_addr))) +break; break; default: fatalx(sync_table: unknown address family); break; } +if (j != cs) curlist[j].pfra_fback = 1; i++; } if (i != table-up) 
@@ -224,16 +259,48 @@ if (ioctl(env-sc_pf-dev, DIOCRSETADDRS, io) == -1) fatal(sync_table: cannot set address list); -if (rdr-conf.flags F_STICKY) { -if (ioctl(env-sc_pf-dev, DIOCCLRSRCNODES, 0) == -1) -fatal(sync_table: cannot clear the tree of -source tracking nodes); -} free(addlist); log_debug(sync_table: table %s: %d added, %d deleted, %d changed, io.pfrio_table.pfrt_name, io.pfrio_nadd, io.pfrio_ndel, io.pfrio_nchange); + +if (cs (rdr-conf.flags F_STICKY)) { + +memset(iok.psnk_src, 0, sizeof(iok.psnk_src)); +memset(iok.psnk_dst, 0xff, sizeof(iok.psnk_dst)); +iok.psnk_src.port_op = PF_OP_NONE; +iok.psnk_dst.port[0] = rdr-conf.port; +iok.psnk_dst.neg = 0; +iok.psnk_dst.port_op = PF_OP_EQ; + +for (i = 0; i cs; ++i) +if (!curlist[i].pfra_fback) { +iok.psnk_af = curlist[i].pfra_af; +switch (iok.psnk_af) { +case AF_INET: +memcpy(iok.psnk_dst.addr.v.a.addr.v4, +curlist[i].pfra_ip4addr, +sizeof(curlist[i].pfra_ip4addr)); +break; +case AF_INET6: +memcpy(iok.psnk_dst.addr.v.a.addr.v6, +curlist[i].pfra_ip6addr, +
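Review bot: in the hunk that fills curlist (the two DIOCRGETADDRS calls), the count from the first call (`cs = io.pfrio_size`) is trusted for the second call and for every loop that follows, but `io.pfrio_size` is never re-read after the second ioctl; if the table changed between the two calls the loops over `cs` would either walk zeroed entries left by `calloc()` or miss addresses, with no error. Suggest `cs = io.pfrio_size;` after the second ioctl (or a check that it still equals the allocated count). Minor: `curlist = 0;` is a pointer assignment, so `curlist = NULL;` would match the `== NULL` test a few lines below.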
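Review bot: the lookup loops added in the AF_INET and AF_INET6 cases (`for (j = 0; j cs; ++j) if (!memcmp(...))`) compare address bytes only and never look at `curlist[j].pfra_af`, although the kill loop in the last hunk relies on that field (`iok.psnk_af = curlist[i].pfra_af`); a v4 host can therefore be matched against a v6 entry (or vice versa) whose leading bytes happen to coincide, which would leave that entry flagged with `pfra_fback = 1` and its source nodes alive. Suggest adding the family to the condition, e.g. `curlist[j].pfra_af == AF_INET && !memcmp(...)` in the v4 case and AF_INET6 in the v6 case. Also, `pfra_fback` is reused here as a "still present" marker; a one-line comment saying so would save the next reader from looking up what pf normally stores there.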
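Review bot: the last hunk is truncated on this page after the AF_INET6 `memcpy`, so the DIOCKILLSRCNODES ioctl itself and the matching `free(curlist)` are not visible and cannot be checked here (the complete diff is at the http://www.prime.pl/relayd.diff link posted later in the thread). In the visible part, `iok` is never zeroed as a whole: only `psnk_src` and `psnk_dst` are memset and `psnk_af` is assigned per stale entry, so any other member of `struct pfioc_src_node_kill` reaches the kernel uninitialized. A `memset(&iok, 0, sizeof(iok));` before filling the fields, mirroring the `memset(io, 0, sizeof(io))` already used for `io` earlier in the function, would make that explicit and is cheaper to read than reasoning about which members the ioctl ignores. A `log_debug()` line per prepared kill, next to the existing `sync_table: table %s: %d added, ...` message, would also help when debugging sticky sessions.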
Re: OpenBSD as MS RIS-Server alternative?
On Sat, May 17, 2008 at 4:52 AM, [EMAIL PROTECTED] wrote:

  Hello everybody, I would like to know if it's possible to use OpenBSD as RIS-Server to install Windows via Network. I played around with this for 2 weeks now but I can't figure out how it gets done. Something is missing (maybe a dhcp-option?! :( ) I use OpenBSD to provide kinda anything to connected PCs (remote install, diagnostics, secure hdd formatting (0,1,0 and other standards)). Also I face problems to provide VistaPE (it won't really boot, bootloader comes up but then the bcd seems to be corrupted in some way). So if somebody here also administrates Windows-Servers (I don't know that much about 'em :/) and knows how to emulate a RIS please tell me. I would love to replace the Windows Box (the Imaging-Server was already replaced). The only things I've found with google were people using MS RIS to install OpenBSD (scary, or? :p) but not vice versa. Kind regards, Sebastian

I'm very curious to know myself, if you get it working or find out how, please post here or undeadly.org. Something like this would be very handy for the work I do too.
Re: relayd and src track
Due to some problems with patch formatting in the mail agent it is also available at http://www.prime.pl/relayd.diff

regards
MichaE Koc

Pierre-Yves Ritschard writes:
+ if (rdr-conf.flags F_STICKY) + if (ioctl(env-sc_pf-dev, DIOCCLRSRCNODES, 0) == -1) + fatal(sync_table: cannot clear the tree of source tracking nodes); + free(addlist); log_debug(sync_table: table %s: %d added, %d deleted, %d changed,
Good enough for now, it's in. We'll look for a way of clearing individual nodes later on.
Re: OpenBSD as MS RIS-Server alternative?
On Sat, May 17, 2008 at 10:52:49AM +0200, [EMAIL PROTECTED] wrote:

  Hello everybody, I would like to know if it's possible to use OpenBSD as RIS-Server to install Windows via Network. I played around with this for 2 weeks now but I can't figure out how it gets done. Something is missing (maybe a dhcp-option?! :( ) I use OpenBSD to provide kinda anything to connected PCs (remote install, diagnostics, secure hdd formatting (0,1,0 and other standards)). Also I face problems to provide VistaPE (it won't really boot, bootloader comes up but then the bcd seems to be corrupted in some way). So if somebody here also administrates Windows-Servers (I don't know that much about 'em :/) and knows how to emulate a RIS please tell me. I would love to replace the Windows Box (the Imaging-Server was already replaced). The only things I've found with google were people using MS RIS to install OpenBSD (scary, or? :p) but not vice versa.

This isn't RIS, so if you're tied to that technology, ignore me, but I think this solution is a superior way to accomplish the same goal: I install all my Windows systems using http://unattended.sourceforge.net/. Not only does it let me script my Windows install, but also all my application installs as well, and I can have different application sets for different machines. There's no need to keep it on similar hardware like with ghost/sysprep.

All this requires is the stock dhcpd and tftpd along with samba (from ports) from the OpenBSD system serving it. While it's not trivial to set up, the instructions are very clear and you shouldn't have any major trouble.

-Dan
--
Burnished gallows set with red
Caress the fevered, empty mind
Of man who hangs bloodied and blind
To reach for wisdom, not for bread.
-- Deoridhe Grimsdaughter
Re: This seems like a good idea
2008/5/17 Curt Micol [EMAIL PROTECTED]: http://leaf.dragonflybsd.org/mailarchive/kernel/2008-05/msg00038.html Here is some more information including a list of keys: http://metasploit.com/users/hdm/tools/debian-openssl/ Thought I'd share. It's possible I am wrong and this isn't a good idea, but I can't think of any reason why it isn't. I can actually think of an entirely theoretical reason why the exclusion of the affected keys could conceivably, hypothetically be considered to be disadvantageous: It reduces the key space; i.e. future attackers of systems that have blacklisted these keys might know that they have a few less combinations to try. In the real world however, the affected keys will probably be the first ones attackers will try, and the above is just an entirely theoretical disadvantage -- and it's a much smaller disadvantage than that constituted by continuing to allow the affected keys. Kind regards, --ropers
Re: OpenBSD as MS RIS-Server alternative?
On Sat, May 17, 2008 at 9:15 AM, Dan Brosemer [EMAIL PROTECTED] wrote:

  On Sat, May 17, 2008 at 10:52:49AM +0200, [EMAIL PROTECTED] wrote:

    Hello everybody, I would like to know if it's possible to use OpenBSD as RIS-Server to install Windows via Network. I played around with this for 2 weeks now but I can't figure out how it gets done. Something is missing (maybe a dhcp-option?! :( ) I use OpenBSD to provide kinda anything to connected PCs (remote install, diagnostics, secure hdd formatting (0,1,0 and other standards)). Also I face problems to provide VistaPE (it won't really boot, bootloader comes up but then the bcd seems to be corrupted in some way). So if somebody here also administrates Windows-Servers (I don't know that much about 'em :/) and knows how to emulate a RIS please tell me. I would love to replace the Windows Box (the Imaging-Server was already replaced). The only things I've found with google were people using MS RIS to install OpenBSD (scary, or? :p) but not vice versa.

  This isn't RIS, so if you're tied to that technology, ignore me, but I think this solution is a superior way to accomplish the same goal: I install all my Windows systems using http://unattended.sourceforge.net/. Not only does it let me script my Windows install, but also all my application installs as well, and I can have different application sets for different machines. There's no need to keep it on similar hardware like with ghost/sysprep. All this requires is the stock dhcpd and tftpd along with samba (from ports) from the OpenBSD system serving it. While it's not trivial to set up, the instructions are very clear and you shouldn't have any major trouble.

I didn't know about this, looks great. Were you able to do it via PXE booting?
Re: OpenBSD as MS RIS-Server alternative?
[EMAIL PROTECTED] wrote:

  I would like to know if it's possible to use OpenBSD as RIS-Server to install Windows via Network. I played around with this for 2 weeks now but I can't figure out how it gets done. Something is missing (maybe a dhcp-option?! :( )

Are you able to boot to your PXE server? That's the first step. Make sure your PXE server can get DHCP requests, even if it's not the DHCP server. If nothing else, you should (in theory) be able to copy over the REMOTEINSTALL tree from your RIS server and share it via tftp and Samba and make something work.

  Also I face problems to provide VistaPE (it won't really boot, bootloader comes up but then the bcd seems to be corrupted in some way).

Vista is a different animal to install. I haven't worked on remote installing Vista (I'm working with Server 2008, relatively the same) booting from a Server 2003 SP2 with MS RIS/WDS hybrid-mode installed. RIS installing 2000/XP formats the disk and copies files over from the file system and starts setup. WDS installing Vista/2008 formats the disk and unpacks the WIM file onto the disk and starts setup. You won't be able to just copy the Vista DVD to your server and do a remote install; you'll need to download the BDD2007 and/or WAIK kit to make network-installable WIM files. My biggest hurdles moving from RIS to WDS were adding network drivers to the boot image for DL360 G5 servers (the normal drivers won't work) and moving my skill set from winnt.sif (2003) to unattend.xml (2008).

  So if somebody here also administrates Windows-Servers (I don't know that much about 'em :/) and knows how to emulate a RIS please tell me. I would love to replace the Windows Box (the Imaging-Server was already replaced).

The unattended project mentioned earlier looks good, I haven't used it. I don't know if it'll do Vista installs, if that's a requirement. I guess my question is, if you have a working RIS solution, why not continue using it? You seem to already be a Windows shop on the desktops; it doesn't seem like having a Windows server around would be that terrible.
Re: How do I set up personal web sites for users?
Marten Rizwan [EMAIL PROTECTED] writes:

If your users are in /home and you're not willing to modify your filesystem layout much, you could simply export your /home as a read-only NFS share and mount it to /var/www/users. Something like that should work in /etc/exports:

/home -alldirs,ro 127.0.0.1

$ mount_nfs -o rw 127.0.0.1:/home /var/www/users

Now you can ignore the fact that apache is chrooted. Don't expect read performance to be the same though.

I may be about to say something totally wrong, but I believe I read some time ago (I don't remember when) that re-mounting a local fs via NFS locally is problematic and unstable, especially when mounting a subdirectory of the original filesystem. I think I also read that the reason was that, once a file is opened and referenced through its specific inode, the underlying VFS code could never later know, when using its inode, whether it was opened via the non-NFS-mounted path or via the NFS-mounted path. I then came up with some theory of my own to try to understand why it was/could be problematic (which I never took the time to investigate further). What I thought about is that once you have, for example, opendir()'ed the directory /var/www/users and do a listing on it, how does the VFS code layer send you back the correct inode value for the special .. directory (which could, for example, make getcwd() misbehave in a weird way), and how could it correctly handle it if you want to chdir() to it? Consider the following operations:

- open /var/www/users
- fchdir to it
- open ..
- fchdir to it

Would you expect the system to bring you to /var/www or to /, the parent directory of /home? What will it do in reality? Can the chrooted process in /var/www escape the chroot using /var/www/users/.. in a special way?

I originally googled a bit on words like "mount nfs local" after having some weird instabilities on an OpenBSD 3.9 box running the same setup as above (on a remote box which didn't respond to ping, maybe crashing...). I then stopped remounting the filesystem locally and stopped chrooting it, and the problems never happened again since I no longer used weird combinations of local filesystem + remount it via NFS elsewhere + chroot. Think of it if you discover some problems. For the purpose of skipping insulting stuff, I'm writing my first sentence again, which was a disclaimer: "I may be about to say something totally wrong [...]".

-- folays
Re: geom network driver times out on sparc 4.2?
whining Ugh, this is not so easy. First of all, I am able to write the Solaris and OpenBSD bootblocks. I could not find any documentation on saving/restoring them, but I could find how to set them to a specified set. It's not difficult. You boot the Solaris CD and do something like:

/blah/installboot /blah/`uname -i`/blah/bootblk blah

And when you are done, to get OpenBSD back, boot the OpenBSD CD and do something like:

mount /dev/wd0 /mnt
/mnt/mdec/blah/installboot /mnt/mdec/bootblk /dev/rwd0

Actually I got an error, so out of paranoia I did more like:

mount /dev/wd0 /mnt
cp /mnt/mdec/blah/* /tmp
umount /mnt
/tmp/installboot /tmp/bootblk /dev/rwd0

It took me a little while to find the OpenBSD installboot, buried in mdec instead of any of /usr/bin, /usr/sbin, /bin, /sbin... I even thought to check /stand. (Damn, there are too many of these directories! I know people like to fragment their hard drives into multiple partitions in order to make it harder to decide how large to make the partitions, and so then there is /bin and /usr/bin, but must we have sbin too? And on a single-partition system, can't they all just be in /bin with /usr/bin a symlink to /bin, and on a multi-partition system, put them where they are needed and then fill the others with symlinks? I realize that's wasteful of storage and $path search... I know these are not great suggestions, but I do often wish it was all just in /bin.) find is not present in the shell when you boot the OpenBSD CD, and the one in /mnt/blah crashes. All that, and the Solaris boot blocks won't boot the flash updater either. They say something like "file just loaded does not appear to be an executable" or some such. This is surprising to me. I really thought this would work.

OK, so let's try the net boot approach. Well, there's a step "edit /etc/hosts in the usual way". The usual way? I always use DHCP. The usual way is not at all. So I tried my usual way... At first I forgot to switch the Sun back from wireless to wired. After some timeout, it sort of proceeded to the next level of receiving nothing. OK, switch it to wired. Remember the MAC address changes (since I had gotten it from my router/dhcpd instead of .enet-addr, it was that of the wireless). It is timing out indefinitely. At least that gives me a chance to fix the tftp server. Over on the tftp server I get "warning: cannot find jay-sun1 on 192.168.2.0", or maybe the other way around. I don't know where this .0 came from. I relented then and edited /etc/hosts. First I used a 192.168 range. But then I wondered, hm, maybe that conflicts with the DHCP on the router? Maybe I should use a 10.* or such number. So I tried that. I still get the warning about 192.168.2.0, and the Sun is still just sitting there timing out. I don't know where this address is coming from. Maybe it is a reference to a group or mask of addresses -- 192.168.2.*? I have run pkill -1 inetd after every edit. So maybe I should reboot. Well, it's a newly installed slow machine; I had tar xfz of ports, src and xenocara.tgz running. Kill those before rebooting. mv away /usr/src and /usr/ports to /usr/delete so I will delete them after the reboot. This triggers the not-as-dead-as-I-meant tar to spew warning after warning after warning ("unable to set file times") to a slow console (MacPPC G3 iBook). There seems to be no way for me to stop it. My router shows no IP address -- I'd ssh in. Can't control-c or fg/control-c, it's detached, stupid me. It's still going. I'll leave it go and then try again later. OK, I finally finished. Ugh. Flashing the BIOS is a big pain. On Windows, you just run the app, it runs within Windows, and then it reboots.

..Jay

From: [EMAIL PROTECTED]: [EMAIL PROTECTED]: [EMAIL PROTECTED]; [EMAIL PROTECTED]: RE: geom network driver times out on sparc 4.2? Date: Sat, 17 May 2008 08:44:53 +

Agreed. Something is boot blocks and they are installed by the OS. The flash-update is a 32-bit ELF file and I imagine the OpenBSD/sparc64 boot blocks only like 64-bit ELF. (Per my other unrelated question -- I was wrong, OpenBSD/sparc64 is pure 64-bit; gcc -m32 doesn't work (from a certain point of view; yes, I realize it does exactly what it is meant to do, and it is arguably superior this way, rather than open a can of worms as to just what the architecture of the OS is, some hard-to-pin-down hybrid, or simply only SPARC64).) It is probably possible and not difficult to temporarily install the Solaris boot blocks (such as from the environment booting the Solaris install CD gives you), boot the flash-update, and then put back the OpenBSD boot blocks. I haven't really tried yet. It might even be possible, like, to say boot cdrom /blahblah/ or boot floppy /blahblahblah where /blahblahblah is, you know, normally just like bsd or /update-flash, the kernel or the program to run, relative to the device, but maybe you can use a device path there at the start and have the
Re: geom network driver times out on sparc 4.2?
Ok, much progress. I got to the point where it boots the flash update and I believe I have to fix the jumper now. Here are some tricks. If you read the footnote of the instructions, you realize that RARPD and DHCP are apples and apples. You must pick just one. And it isn't up to you. It is how the Sun boots. So, extreme measure: take both machines off the main network. No more DHCP, temporarily. Run one cable between them. No more wireless, temporarily. Edit /etc/hostname.if (hostname.gem0 for me) on the rarpd/tftpd server to give it a static address; I used 10.0.0.1 -- right from the start of man hostname.if. Edit /etc/hosts as instructed; I used 10.0.0.2. I'm not sure how you really set up network booting. This can't be it. I know more modern systems have DHCP in the boot environment. That should help completely. This got me to the point of rarpd sending a reply and then the Sun waiting and telling me to double check the tftpd server. Now, I varied a few things flailing around, but I think the main one was that the files in /tftpboot should be named in all caps. I also killed and restarted inetd, not just -1 (SIGHUP), but that's probably not needed. I also ran inetd -d and it reported starting tftpd and then shortly after reaping it. If I ran tftpd under gdb, it exited with 1 after a short run. I was considering building it from source and debugging, but I haven't built OpenBSD yet. I THINK it was the CAPS in the file names, but not sure. AHA, the instructions say to use a capital X. I mistyped that. Now to open the machine and deal with the jumper... - Jay
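The naming step that cost Jay the most time, as an added sh example (not code from Jay's post or from OpenBSD): a Sun PROM that netboots via RARP asks tftpd for a file named after its own IP address as eight uppercase hexadecimal digits, so the helper below derives that name and links the boot program under it. The ".SUN4U" suffix and the "ofwboot.net" file name are assumptions taken from the sparc64 diskless convention; pass whatever your boot program needs.

```shell
# Added example: derive the uppercase hex file name a Sun PROM requests
# from tftpd after RARP. tftp_name 10.0.0.2 .SUN4U -> 0A000002.SUN4U
# (the .SUN4U suffix is an assumed convention, not something the thread states).
tftp_name() {
    ip=$1
    suffix=${2:-}
    oldifs=$IFS
    IFS=.
    # shellcheck disable=SC2086
    set -- $ip
    IFS=$oldifs
    # exactly four decimal octets, each 0..255; anything else is rejected
    [ $# -eq 4 ] || { echo "tftp_name: bad address: $ip" >&2; return 1; }
    for octet in "$1" "$2" "$3" "$4"; do
        case $octet in
            ''|*[!0-9]*) echo "tftp_name: bad octet: $octet" >&2; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "tftp_name: bad octet: $octet" >&2; return 1; }
    done
    printf '%02X%02X%02X%02X%s\n' "$1" "$2" "$3" "$4" "$suffix"
}

# Link the boot program under that name inside the tftpd root. tftpd -s
# chroots into the root, so the link target is kept relative to it.
# Usage: link_boot_file <client-ip> <boot-program-name> [tftproot] [suffix]
link_boot_file() {
    root=${3:-/tftpboot}
    name=$(tftp_name "$1" "${4:-}") || return 1
    [ -e "$root/$2" ] || { echo "link_boot_file: $root/$2 missing" >&2; return 1; }
    ln -sf "$2" "$root/$name" && printf '%s\n' "$root/$name"
}
```

Afterwards `ls -l /tftpboot` shows the uppercase link the PROM will ask for, which is the quickest check that the file name, not tftpd itself, was the problem.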
Re: OpenBSD as MS RIS-Server alternative?
On Sat, May 17, 2008 at 10:17:17AM -0400, Richard Daemon wrote:
On Sat, May 17, 2008 at 9:15 AM, Dan Brosemer [EMAIL PROTECTED] wrote:

I didn't know about this, looks great. Were you able to do it via PXE booting?

Absolutely. It's nothing-but-net. I can even get it to read the hostname from DHCP and select an unattended configuration based on that. My installs go something like this:

pxelinux boot prompt: win
It asks me for a username to mount the share with.
It asks me for a password to mount the share with.
It asks me for a password to join the domain.

Now, the machine just goes and installs itself including all applications and patches, including as many reboots as needed. I really can't rave about it enough, and it works beautifully with an OpenBSD server.

-Dan

--
Burnished gallows set with red
Caress the fevered, empty mind
Of man who hangs bloodied and blind
To reach for wisdom, not for bread.
-- Deoridhe Grimsdaughter
Re: geom network driver times out on sparc 4.2?
Ok! It is done. I think there might be a reasonable bug or feature request here to enable the OpenBSD/sparc64 bootblk to boot the flash updates, like if it is just a matter of supporting ELF32 or something. But I don't know. Solaris still won't install. It actually got worse: before the OBP update, Solaris setup had brought up X; now it fails to. The machine came with Solaris, but when it booted and went graphical, the LCD couldn't keep up.. Oh well. - Jay
Re: OpenBSD as MS RIS-Server alternative?
On Sat, May 17, 2008 at 4:06 PM, Dan Brosemer [EMAIL PROTECTED] wrote:

I really can't rave about it enough, and it works beautifully with an OpenBSD server.

Sweet! I'm going to give this a try; this is something I've been looking for for a while. pxelinux boot prompt? Should it work with OpenBSD's pxeboot the same way?
Re: geom network driver times out on sparc 4.2?
Boot the machine whilst holding the STOP-N key on your keyboard; that will reset your OBP to defaults. Then hook up a null modem cable between the Sun and another box, run a terminal emulator on the other box, and power cycle the Sun holding STOP-D; this will cause the Sun to do a full hardware diag.
PHP gd library isn't loading...
It seems that I've somehow lost the ability to load the php5-gd library into apache on my more or less -current box, even though I've installed the package and made the link as instructed when I installed the package. A page that pulls phpinfo() doesn't show gd at all, and if I tack a call to gd_info() onto that script the whole thing fails with a "function not found" error. When I start or re-start apache I do not get any errors, but when I run a script from the CLI I get this:

PHP Warning:  PHP Startup: Unable to load dynamic library '/var/www/lib/php/modules/gd.so' - Cannot load specified object in Unknown on line 0

even though that file lives at that specific location:

[EMAIL PROTECTED]:/var/www/openvistas $ ls -al /var/www/lib/php/modules/
total 10096
drwxrwxr-x  2 www   cvs        512 May 17 14:27 .
drwxrwxr-x  3 www   daemon     512 Sep 28  2005 ..
-rwxr-xr-x  1 root  cvs    4321568 Mar  1  2006 dpsearch.so
-r--r--r--  1 root  bin     468882 May 13 20:20 gd.so
-r--r--r--  1 root  bin     206391 Oct  9  2007 pgsql.so
-rwxr-xr-x  1 root  daemon  100446 Nov  2  2007 xcache.so

Here is what I have installed php-wise:

[EMAIL PROTECTED]:/var/www/conf $ pkg_info -a | grep php
php5-core-5.2.5p3     server-side HTML-embedded scripting language
php5-extensions-5.2.5 informational package about PHP5 extensions
php5-gd-5.2.5         image manipulation extensions for php5
php5-pgsql-5.2.4      pgsql database access extensions for php5

I have not yet updated php5-pgsql because I have not yet updated postgres to 8.3.1, but it still works just fine. Any cluesticks would be greatly appreciated!

Thanks, Jeff Ross
Re: ipsec home network to colo server
2008/5/15 Claer [EMAIL PROTECTED]:
On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:
2008/5/14 Lord Sporkton [EMAIL PROTECTED]:
2008/5/14 scott learmonth [EMAIL PROTECTED]:
On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED] wrote:

I am trying to set up an IPsec link between my home network (private IP network behind a dynamic public IP) and my colo server (single public static IP). I was a bit unclear on how to set up a tunnel between a static and a dynamic IP.

interesting traffic: 208.70.72.13 - 10.0.0.0/16

My SAD seems to set up OK, however afterward I get no flows and can not pass data. I've checked out logs and ipsecctl -m, but see nothing of use. Below is the data I believe relevant; if anything else is requested I will do my best to post it back in a timely fashion. Thank you.

colo server:

# uname -a
OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386

# cat /etc/ipsec.conf
ike passive from 208.70.72.13 to 10.0.0.0/16 \
        aggressive auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        srcid angie.sporkton.com dstid fire.sporkton.com \
        psk password

# ipsecctl -sa
FLOWS:
No flows

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc

# ipsecctl -m output:
sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
        spirange: min 0x0100 max 0x
sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
        sa: spi 0x581ea1f0 auth none enc none state mature replay 0 flags 0
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
        sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 208.70.72.13
        address_dst: 67.159.171.204
        key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
        key_encrypt: bits 192: 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
        identity_src: type fqdn id 0: angie.sporkton.com
        identity_dst: type fqdn id 0: fire.sporkton.com
        src_mask: 255.255.255.255
        dst_mask: 255.255.0.0
        protocol: proto 0 flags 0
        flow_type: type unknown direction out
        src_flow: 208.70.72.13
        dst_flow: 10.0.0.0
sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
        sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 208.70.72.13
        address_dst: 67.159.171.204
        identity_src: type fqdn id 0: angie.sporkton.com
        identity_dst: type fqdn id 0: fire.sporkton.com
        src_mask: 255.255.255.255
        dst_mask: 255.255.0.0
        protocol: proto 0 flags 0
        flow_type: type unknown direction out
        src_flow: 208.70.72.13
        dst_flow: 10.0.0.0
sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
        sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
        key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
        key_encrypt: bits 192: 496cd320b35638d36dd8f899b8ce76c150840092db466715
        identity_src: type fqdn id 0: fire.sporkton.com
        identity_dst: type fqdn id 0: angie.sporkton.com
        src_mask: 255.255.0.0
        dst_mask: 255.255.255.255
        protocol: proto 0 flags 0
        flow_type: type unknown direction in
        src_flow: 10.0.0.0
        dst_flow: 208.70.72.13
sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
        sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
        identity_src: type fqdn id 0: fire.sporkton.com
        identity_dst: type fqdn id 0: angie.sporkton.com
        src_mask: 255.255.0.0
        dst_mask: 255.255.255.255
        protocol: proto 0 flags 0
        flow_type: type unknown direction in
        src_flow: 10.0.0.0
        dst_flow: 208.70.72.13

Home firewall:

# uname -a
OpenBSD fire.sporkton.com 4.3
Re: ipsec home network to colo server
http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

Try ipsec.conf on fire:

angie = 208.70.72.13
fire = 10.0.0.0/24
ike esp from $fire to $angie local egress \
        srcid fire.sporkton.com dstid angie.sporkton.com

ipsec.conf on angie:

angie = 208.70.72.13
fire = 10.0.0.0/24
ike passive esp from $angie to $fire \
        srcid angie.sporkton.com dstid fire.sporkton.com

HTH,
Jose.
DNS Question.
Hi all, is it possible to perform a DNS query that gives me all A records for one IP (without using reverse DNS)? Thanks a lot
Re: ipsec home network to colo server
So egress being something very much like any then?

2008/5/17 Jose Quinteiro [EMAIL PROTECTED]:
Re: OpenBSD as MS RIS-Server alternative?
On Sat, May 17, 2008 at 04:33:23PM -0400, Richard Daemon wrote:

Sweet! I'm going to give this a try; this is something I've been looking for for a while. pxelinux boot prompt? Should it work with OpenBSD's pxeboot the same way?

Actually, no. OpenBSD's pxeboot is what you want to boot OpenBSD's kernel. With unattended, you boot a Linux environment off the network to begin your install (it mounts the samba share, copies files, etc.), so you use pxelinux. There are ways, if you google for it, to chain pxeboot off pxelinux so you can keep one environment for installing OpenBSD and Windows over the network.

-Dan
Re: DNS Question.
2008/5/17 Dark Nebula [EMAIL PROTECTED]:

Hi all, is it possible to perform a DNS query that gives me all A records for one IP (without using reverse DNS)? Thanks a lot

Are you asking to find all the forward A records for a given IP? If so, there is no way to do that, not even with rDNS.

--
-Lawrence
Multicasting on OpenBSD
Hi Misc@, just wondering, is there any multicasting technology (PIM-SM, PIM-SSM etc.) currently developed or implemented in OpenBSD? Since working with this unbelievable OS (especially with routing/filtering/forwarding) I wish to know more about it. Right now I managed to use OBSD 4.3-current for BGP routing (redundant/load-balanced with carp), storing the prefixes in a pf table, setting the rtlabel, labeling rules with pf, multiple routing tables, tagging rules, just unbelievably awesome. Best of luck to the guys working on such a nice OS. Thanks, -- insandotpraja(at)gmaildotcom
Re: ipsec home network to colo server
No, egress is an interface group. Man ifconfig. You have to use that 'cause your outgoing (egress) IP address changes. The pf-style (eth0) syntax, where eth0 is your outside interface, may work too. Try it and see.

Saludos,
Jose.

Lord Sporkton wrote:

So egress being something very much like any then?
pf-altq-bandwith_problem
Hi, I'm using OpenBSD 4.2.

Here is my network, to explain later:

[Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]

I have a little problem when trying to set up an altq bandwidth shaper with pf. My intention is to give Joe only 100Kbs (bits) of the Internet total bandwidth, and I have also set up some local servers on my OpenBSD box to give some services to Joe, but I also want to give them at the 100Kbs speed mentioned before, even being on the local network (up to 100Mbs).

The thing is that I have set the PF rules as the manpages say, and everything works as expected when Joe goes out of my box to the Internet: the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp from my OpenBSD box, the speed goes up by a factor of 40x. I mean, if Joe takes a file from my box, or my box from Joe, the speed is very, very much higher. I have tried several things but I don't find the key to this. One thing: the speed factor when Joe connects to my OpenBSD box is always 40x relative to the bandwidth value I give to the altq.

my pf.conf (very simple, very unsafe, just to try this)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ext_if=rl0
int_if=sk0

scrub in all

altq on $int_if cbq bandwidth 100Kb queue main
queue main bandwidth 100% cbq(default)

nat on $ext_if from $int_if:network -> $ext_if

block all
pass queue main
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thanks for your time
-Jesus
Re: Multicasting on OpenBSD
On Sat, May 17, 2008 at 6:27 PM, Insan Praja SW [EMAIL PROTECTED] wrote:
> Just wondering, is there any multicasting technology (PIM-SM, PIM-SSM etc.) currently developed or implemented in OpenBSD?

There's dvmrpd and mrouted.
Re: pf-altq-bandwith_problem
2008/5/17 Jesus Sanchez [EMAIL PROTECTED]:
> Hi, I'm using OpenBSD 4.2.
>
> Here is my network, to explain later:
>
> [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]
>
> I have a little problem when trying to set up an altq bandwidth shaper with pf. My intention is to give Joe only 100Kbs (bits) of the Internet total bandwidth, and I have also set up some local servers on my OpenBSD box to give some services to Joe, but I also want to give them at the 100Kbs speed mentioned before, even being on the local network (up to 100Mbs).
>
> The thing is that I have set the PF rules as the manpages say, and everything works as expected when Joe goes out of my box to the Internet: the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp from my OpenBSD box, the speed goes up by a factor of 40x. I mean, if Joe takes a file from my box, or my box from Joe, the speed is very, very much higher. I have tried several things but I don't find the key to this. One thing: the speed factor when Joe connects to my OpenBSD box is always 40x relative to the bandwidth value I give to the altq.
>
> my pf.conf (very simple, very unsafe, just to try this)
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> ext_if=rl0
> int_if=sk0
>
> scrub in all
>
> altq on $int_if cbq bandwidth 100Kb queue main
> queue main bandwidth 100% cbq(default)
>
> nat on $ext_if from $int_if:network -> $ext_if
>
> block all
> pass queue main
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Thanks for your time
> -Jesus

If Joe is accessing things on his local LAN, that is, in his subnet, you will not be able to police this traffic as it never even hits the gateway (the altq OpenBSD box), so the only limit will be the layer 2 hardware (your switch(es)). Might I suggest putting your servers on a DMZ as a solution; then Joe will be forced through the gateway for any server access. If your layer 2 hardware is high-end enough, you may be able to do bandwidth control in the layer 2 hardware itself.

As a side note, I don't believe OpenBSD can do altq on anything other than a physical interface, so if you put the servers on a DMZ, make sure to use a physical interface, not a vlan.

--
-Lawrence
Re: pf-altq-bandwith_problem
Lord Sporkton wrote:
> 2008/5/17 Jesus Sanchez [EMAIL PROTECTED]:
>> Hi, I'm using OpenBSD 4.2.
>>
>> Here is my network, to explain later:
>>
>> [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]
>>
>> I have a little problem when trying to set up an altq bandwidth shaper with pf. My intention is to give Joe only 100Kbs (bits) of the Internet total bandwidth, and I have also set up some local servers on my OpenBSD box to give some services to Joe, but I also want to give them at the 100Kbs speed mentioned before, even being on the local network (up to 100Mbs).
>>
>> The thing is that I have set the PF rules as the manpages say, and everything works as expected when Joe goes out of my box to the Internet: the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp from my OpenBSD box, the speed goes up by a factor of 40x. I mean, if Joe takes a file from my box, or my box from Joe, the speed is very, very much higher. I have tried several things but I don't find the key to this. One thing: the speed factor when Joe connects to my OpenBSD box is always 40x relative to the bandwidth value I give to the altq.
>>
>> my pf.conf (very simple, very unsafe, just to try this)
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> ext_if=rl0
>> int_if=sk0
>>
>> scrub in all
>>
>> altq on $int_if cbq bandwidth 100Kb queue main
>> queue main bandwidth 100% cbq(default)
>>
>> nat on $ext_if from $int_if:network -> $ext_if
>>
>> block all
>> pass queue main
>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> Thanks for your time
>> -Jesus
>
> If Joe is accessing things on his local LAN, that is, in his subnet, you will not be able to police this traffic as it never even hits the gateway (the altq OpenBSD box), so the only limit will be the layer 2 hardware (your switch(es)). Might I suggest putting your servers on a DMZ as a solution; then Joe will be forced through the gateway for any server access. If your layer 2 hardware is high-end enough, you may be able to do bandwidth control in the layer 2 hardware itself.
>
> As a side note, I don't believe OpenBSD can do altq on anything other than a physical interface, so if you put the servers on a DMZ, make sure to use a physical interface, not a vlan.

I don't want to disturb, but I think you're not right. I want to shape the bandwidth of the full interface. I know that if Joe is in a LAN with other PCs, the speed limit is the hardware limit, but I just want to limit one of the interfaces on my OpenBSD box to a certain number of Kbs (100Kbs), so PF already made changes, but I saw this weird behaviour and want to make the 100Kbs limit universal to all the interface transfers. If Joe wants a file from the OpenBSD gateway running a limit of 100Kbs (pf+altq), even to get a file from the gateway box by FTP, the 100Kbs limit should apply, or not?

Please, I'm really a noob with this and I don't want to bother anyone with my words; I just talk about what I think. If I'm wrong, please let me know.

note: DMZ is not possible for this project, I only have the same PC to use as OpenBSD box and FTP server for the Joe users.

Thanks for your time.
-Jesus
Re: DNS Question.
On Sat, 2008-05-17 at 18:21 -0700, Lord Sporkton wrote:
> 2008/5/17 Dark Nebula [EMAIL PROTECTED]:
>> Hi all,
>>
>> Is it possible to perform a DNS query that gives me all A records for one IP (without using reverse DNS)?
>>
>> Thanks a lot
>
> Are you asking to find all the forward A records for a given IP? If so, there is no way to do that, not even with rDNS.

There are services that track IP usage and correlate them to domains. The tools allow you to find out (approximately) what A records point to any given IP. This one is relatively accurate: http://www.myipneighbors.com/

I would not treat its output as gospel. It gives a decent indicator of how many virtual hosts are pointed at any given IP and shows you who they are. Note, this only tracks A records, not MX records, and is easily confused by CNAMEs.

There is no way to query for this; you would have to get a list of all FQDNs in use on the Internet and continuously dig them to record their IP. I don't know of any service that does this and offers free automated queries via some kind of text client; most insist that you use their web interface. This makes them handy for manual lookups but useless in any kind of automated tool.

Cheers,
--Tim

--
Monkey + Typewriter = Echoreply ( http://echoreply.us )
Re: Old EmBSD docs
While researching a different problem I stumbled across something for later reading on this topic: http://www.kernel-panic.it/openbsd/embedded/

On Tue, May 13, 2008 at 2:09 AM, Michael Dexter [EMAIL PROTECTED] wrote:
> Nonsense. Many new embedded boards have limited flash memory soldered on.
>
> I think most of the developers are tired of seeing people shoot themselves in the foot and then show up on the list complaining about blood loss. Pointing out that some people might have a justification for inflicting pain upon themselves only encourages harmful behavior.
>
> I was incorrect about the example product. My error. However, the paradox remains: arguably the best routing OS available requires blood loss on the most cost-effective routing hardware available. Fortunately, it remains the best nonetheless and the blood loss is acceptable.
>
> Keep up the good work.
>
> Michael.