Re: Debian libssl security (Cause???)

2008-05-17 Thread Otto Moerbeek
On Fri, May 16, 2008 at 04:02:48PM -0400, Ted Unangst wrote:

 On 5/16/08, Ross Cameron [EMAIL PROTECTED] wrote:
  Mmm this isn't the first time I've heard of bogus reports from Valgrind.
   How does one politely inform the Debian project to not trust it explicitly
   and to human audit anything it flags?
 
 I think people are placing too much blame on valgrind.  valgrind
 doesn't tell you Delete this line of code.  It says You are using
 uninitialized memory here.  The correct fix is to initialize the
 memory, not delete the line of code.  It's not about trusting or not
 trusting the tool; it's about responding correctly.
 
 I've seen innocuous valgrind reports, but never wrong ones.  I also
 saw a valgrind report ignored as innocuous because it didn't seem to
 cause trouble, only to be the root cause of a problem that cost a
 minimum of $50,000 to resolve later.

Yeah, using tools such as valgrind can help a lot, but the danger side
is that it will cause actions to be taken by people who do not
understand the code, just to silence valgrind. Since valgrind flags
the location of the use of uninitialized mem, and--of course--not the
root cause, developers can easily be misled and apply the wrong fix.
I think we have a clear demonstration of the danger of using a tool
without proper understanding of the code here. In addition, the vague
posts from both sides on openssl-dev mailing lists did not help either.

-Otto



Re: Debian libssl security (Cause???)

2008-05-17 Thread Tim Post
On Sat, 2008-05-17 at 08:36 +0200, Otto Moerbeek wrote:
 Yeah, using tools such as valgrind can help a lot, but the danger side
 is that it will cause actions to be taken by people who do not
 understand the code, just to silence valgrind. Since valgrind flags
 the location of the use of uninitialized mem, and--of course--not the
 root cause, developers can easily be misled and apply the wrong fix.
 I think we have a clear demonstration of the danger of using a tool
 without proper understanding of the code here. In addition, the vague
 posts from both sides on openssl-dev mailing lists did not help either.
 
   -Otto
 

This might be a good example. I'm working on a CLI which is rapidly
turning into a mini-shell. I'm not using readline, or other commonly
used things to gather input, for the purposes of my own learning and
keeping code portable I've elected to write my own functions.

Every time I make major changes, I run the program through valgrind.
Example results:

==10858==
==10858== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 13 from 1)
==10858== malloc/free: in use at exit: 48 bytes in 5 blocks.
==10858== malloc/free: 12 allocs, 7 frees, 4,182 bytes allocated.
==10858== For counts of detected errors, rerun with: -v
==10858== searching for pointers to 5 not-freed blocks.
==10858== checked 63,724 bytes.
==10858==
==10858== LEAK SUMMARY:
==10858==    definitely lost: 37 bytes in 3 blocks.
==10858==      possibly lost: 0 bytes in 0 blocks.
==10858==    still reachable: 11 bytes in 2 blocks.
==10858==         suppressed: 0 bytes in 0 blocks.
==10858== Use --leak-check=full to see details of leaked memory.

As you can see, my program is in its infancy and not much is allocated.
I have a leak due to some input stuff not freeing things that are
strdup()'ed (I know about this) and I have done a pretty good job of
being defensive so far.

If something I inherit from libc leaks or throws errors, I quickly know
and can explain it. It's not my program, it's stuff I used from xxx
function.

Valgrind is something that is (ideally) used as you go. If you screw up,
it will tell you. It should not be dismissed like trivial compiler
warnings, but it should also not invoke some kind of knee-jerk
reaction.

It's not exactly the world's best auditing tool for someone who is not
used to using it every step of the way.

Taking something you are unfamiliar with and trying to correct whatever
valgrind complains about is asking for trouble beyond trivial warnings.

What amazes me about this whole mess is that at least 1/3 of the GNU
core utilities issue many complaints but they are ignored.

When you package software, the only reason for squelching the valgrind
results of other people's work is to keep those who install your package
from asking about those warnings.

Like I said in previous posts, shit happens. Nobody needs to be nailed
to a cross for this. The lesson to be learned is:

Q. Why does your x-y-z package throw so many warnings?

A. I am not quite sure, I'm going to ask the developers who wrote it.
Well, I know why it's happening, but I can't quite be sure why the code
that causes it is in there.

Cheers,
--Tim

-- 
Monkey + Typewriter = Echoreply ( http://echoreply.us )
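An added example in C (written for this archive page; it is not code from any of the posts above and not OpenSSL's code) that puts Ted's two responses to a Memcheck report side by side: deleting the flagged line versus initialising the memory. It also shows Otto's point that the report lands where the undefined value is used, not where it was created, and Tim's point that the tool is most useful when run as you go. The hash function, the buffer size and the sample input are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* FNV-1a over a byte range. It stands in for whatever consumed the bytes
 * Memcheck complained about: a checksum, a hash, an entropy mixer. */
uint32_t fnv1a(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Copy s into a fixed-size buffer (truncating if needed) and return the
 * number of bytes written, excluding the terminator. Shared by all variants. */
static size_t fill(unsigned char *buf, const char *s)
{
    size_t n = strlen(s);
    if (n >= BUF_SIZE)
        n = BUF_SIZE - 1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    return n;
}

/* ROOT CAUSE: malloc() returns undefined bytes and fnv1a() reads all
 * BUF_SIZE of them, not only the n+1 that fill() defined. Memcheck does
 * not report the malloc() or the xor/multiply arithmetic; it tracks the
 * taint and reports the first place the result steers a branch or reaches
 * a system call, which here is inside the printf() in main(), several
 * frames away from the cause. The returned value also varies between runs. */
uint32_t checksum_buggy(const char *s)
{
    unsigned char *buf = malloc(BUF_SIZE);
    if (buf == NULL)
        return 0;
    fill(buf, s);
    uint32_t h = fnv1a(buf, BUF_SIZE);
    free(buf);
    return h;
}

/* WRONG FIX: delete the flagged line. Memcheck goes quiet, and the function
 * no longer computes anything: every input now hashes to 0. */
uint32_t checksum_silenced(const char *s)
{
    unsigned char *buf = malloc(BUF_SIZE);
    if (buf == NULL)
        return 0;
    fill(buf, s);
    uint32_t h = 0;   /* the fnv1a() call was removed to silence the tool */
    free(buf);
    return h;
}

/* RIGHT FIX: define every byte the consumer reads. calloc() zeroes the
 * tail, the result is deterministic, and Memcheck has nothing to report.
 * Hashing only the n bytes fill() wrote would be the other correct fix. */
uint32_t checksum_fixed(const char *s)
{
    unsigned char *buf = calloc(1, BUF_SIZE);
    if (buf == NULL)
        return 0;
    fill(buf, s);
    uint32_t h = fnv1a(buf, BUF_SIZE);
    free(buf);
    return h;
}

/* Reference value over a zero-initialised stack array; checksum_fixed()
 * must agree with it for every input. */
uint32_t reference_checksum(const char *s)
{
    unsigned char buf[BUF_SIZE] = {0};
    fill(buf, s);
    return fnv1a(buf, BUF_SIZE);
}

int main(void)
{
    const char *input = "ls -la /tmp";   /* constructed sample input */
    printf("buggy    : %08x\n", checksum_buggy(input));   /* Memcheck reports here */
    printf("silenced : %08x\n", checksum_silenced(input));
    printf("fixed    : %08x\n", checksum_fixed(input));
    return 0;
}
```

Build with `cc -g` and run the binary under `valgrind --tool=memcheck`: the "Conditional jump or move depends on uninitialised value(s)" report carries a stack trace ending in `main` at the first `printf`, not in `checksum_buggy` at the `malloc`. That gap between use and cause is what invites the wrong fix; Memcheck's `--track-origins=yes` option narrows it by naming the allocation, and the `--leak-check=full` line in Tim's output above does the same for the strdup()-style leaks he mentions.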



Re: geom network driver times out on sparc 4.2?

2008-05-17 Thread Bruce O'Neel
Hi,

I was unable to get the obp upgrade to boot when put on an openbsd disk.  I
guess, but don't know for sure, that the sequence is:

- obp starts
- obp reads something
- something starts
- something reads the rest of the command line and reads the kernel.

This something doesn't read the obp upgrade.

If you compare the upgrade OBP with netboot to the diskless man page, the thing
loaded across the network via tftp when openbsd boots is ofwboot.net.  The thing
loaded with tftp is the actual upgrade program of obp in that case.


cheers

bruce

On Fri, May 16, 2008 at 09:03:40PM +, Jay wrote:
 well, of course OB can read the file system. It loads the kernel after all. The
 instructions are encouraging:
 OB boot disk /flash-update
 Cool, like, the flash-update is a kernel? Well, not that, but a program
 runnable as if it is a kernel?
 But it looks like the OS, er, the OS installer, is between OB and the
 kernel; Specifically there are some boot blocks installed by the OS, and the
 OpenBSD ones don't recognize the file format of the flash-update.
 Darn.
 Maybe there is a way?
  - Jay
 
 
 From: [EMAIL PROTECTED]: [EMAIL PROTECTED]; [EMAIL PROTECTED]:
 [EMAIL PROTECTED]: RE: geom network driver times out on sparc 4.2?Date:
 Fri, 16 May 2008 20:17:26 +
 
 
 Awesome, thanks! Normally I would have said I have never netbooted; it seems
 too hard to setup but those look like great instructions. And I was almost
 right in my paranoia about needing Solaris. I still wonder though -- if
 OpenBSD's UFS is the same format as Solaris's, or if OpenBSD can create a
 Solaris format of file system, then I think OpenBoot can read the files. And
 if not, not. I think. Mitigating factors:  I got 4.3 in the mail that
 supposedly fixes this.  The wireless networking is working fine.  The OBP
 isn't even known to fix this, but hopefully. But yeah, running old OBP/BIOS
 not great.  - Jay
 
  Date: Fri, 16 May 2008 21:21:46 +0200 From: [EMAIL PROTECTED] To:
  [EMAIL PROTECTED] CC: [EMAIL PROTECTED]; misc@openbsd.org Subject: Re:
  geom network driver times out on sparc 4.2?

  So, just as I say this, the page is at:
  http://www.SMTPS.net/netboot_flash_obp.html
  I did an Ultra 10 this way with no problems. I may have done an Ultra2 as well.

  cheers
  bruce

  On Thu, May 15, 2008 at 07:59:48AM +0100, Sevan / Venture37 wrote:
   And dumb me, I didn't consider OBP as helping the install too.
   So the questions remain if I can install OBP without Solaris, and if I'll
   have to crack open the case.
   I'll see...
   From the OBP update page:
   Note 1: This utility is *not* OS-dependent. The list of releases shown under
   the Solaris Release and SunOS Release sections may not be complete: The
   absence of a valid Solaris Release or SunOS Release from the lists above
   does not preclude the installation of this patch against the hardware.



wpi-firmware upgrade on 4.3

2008-05-17 Thread Chris
As a part of upgrading from 4.2 to 4.3 I needed to upgrade
wpi-firmware to v2.14.1.5. As this package is not available from the
package list, I needed to set PKG_PATH to
http://damien.bergamini.free.fr/packages/openbsd/ and then pkg_add -ui
-F update -F updatedepends wpi-firmware and then choose the latest
version from the options list.

I was wondering if there's any easier way to upgrade this package?

Thanks.



Re: geom network driver times out on sparc 4.2?

2008-05-17 Thread Jay
Agreed. something is boot blocks and they are installed by the OS.
The flash-update is a 32bit ELF file and I imagine the OpenBSD/sparc64 boot
blocks only like 64bit ELF.

(Per my other unrelated question -- I was wrong, OpenBSD/sparc64 is pure 64
bit, gcc -m32 doesn't work (from a certain point of view, yes I realize it
does exactly what it is meant to do, and it is arguably superior this way,
rather than open a can of worms as to just what is the architecture of the
OS, some hard to pin down hybrid, or simply only SPARC64.)

It is probably possible and not difficult to temporarily install the Solaris
boot blocks (such as from the environment booting the Solaris install CD gives
you), boot the flash-update, and then put back the OpenBSD boot blocks. I
haven't really tried yet.

It might even be possible, like, to say boot cdrom /blahblah/ or boot floppy
/blahblahblah where /blahblahblah is, you know, normally just like bsd or
/update-flash, the kernel or the program to run, relative to the device, but
maybe you can use a device path there at the start and have the boot blocks
on one device read the kernel (or rather update-flash) from another device.

The flash-update is also 1.4something meg in size, which I thought therefore
might fit on a floppy and be bootable completely from there, but I didn't have
luck with that. The floppy drive wasn't working from OpenBSD and the floppy I
produced on NT doesn't work. The size is maybe just a coincidence, and heck
maybe I misread the number of digits, it was 14something. I was too lazy to
determine the actual value of 1.44meg -- LAZY of me, so easy to have done...

I'll experiment later. I blew away my Linux/macppc and started OpenBSD/macppc
install so I can try the netboot (which is something I want to try anyway). I
know those directions aren't specific to macppc, or even OpenBSD, but I have
no other OpenBSD machines currently, the Mac was a good candidate, and I might
as well not risk Linux or MacOSX varying in an area I'm not confident in.

btw, those instructions were good, but the man page looks quite good as well,
maybe identical.

Thanks again, I'll report back later (in case anyone cares..hey the mailing
list is misc, not dev-important.. :) )
 - Jay



OpenBSD as MS RIS-Server alternative?

2008-05-17 Thread sebastian . rother
Hello everybody,

I would like to know if it's possible to use OpenBSD as RIS-Server to
install Windows via Network. I played around with this for 2 weeks now but
I can't figure out how it gets done. Something is missing (maybe a
dhcp-option?! :( )

I use OpenBSD to provide kinda anything to connected PCs (remote install,
diagnostics, secure hdd formatting (0,1,0 and other standards)).
Also I face problems to provide VistaPE (it won't really boot, bootloader
comes up but then the bcd seems to be corrupted in some way).

So if somebody here also administrates Windows-Servers (I don't know that
much about 'em :/) and knows how to emulate a RIS please tell me. I would
love to replace the Windows Box (the Imaging-Server was already replaced).


The only things I've found with google were people using MS RIS to
install OpenBSD (scary, or? :p) but not vice versa.


Kind regards,
Sebastian



Re: Time for OBSD everywhere?

2008-05-17 Thread Lars Noodén
Paul de Weerd wrote:
[snip]
 Depending on the origin and contents of the presentation you can :
 
   1) Tell the originator to stop sending you MS docs

In the long run, this is the most advantageous.  PDF/A is an option for
read-only.  For those stuck on legacy applications and a need document
editable, there is a plug-in from Sun to allow use of standard formats:
http://www.sun.com/software/star/odf_plugin/get.jsp

There is also a viewer which works, but could use improvement:
http://opendocumentfellowship.com/odfviewer

If the viewer is something someone here would like to get paid to take
further, let me know off list.

Regards,
-Lars



Re: Lastet supported jdk on OpenBSD

2008-05-17 Thread Ulf
On Fri, 16 May 2008 21:03:17 -0300
John Nietzsche [EMAIL PROTECTED] wrote:

 Dear users,
 
 i would like to add support for java on my 4.3 openbsd
 desktop. Has anybody already done so? May you point a url
 where i could download the package(s) from?

As others have pointed out, instructions are in FAQ 8 & 13. Type
'make' in the appropriate ports directory and you will get an error
message telling you exactly what to download manually. It took
about 10 hours to build on a PIII 800MHz Thinkpad and you need a
few GB diskspace - works perfectly!



Re: OLPC inks agreement with Microsoft

2008-05-17 Thread Lars Noodén
Josh Grosse wrote:
...
 1.The decision to push for WXP to replace Linux was due to pressure from
 prospective buyers of the XO laptop, which was slowing sales.  'The people
 who buy the machines are not the children who use them, but government
 officials in most cases,' said Nicholas Negroponte, founder of the nonprofit
 group. 'And those people are much more comfortable with {expletive deleted}.'
 ...

My contact with directors and high level managers, the occasional CxO,
etc. suggests that they are usually just more familiar with the brand
name rather than any specific interface.  Or, perhaps more commonly,
they have signed onto some kind of ideology or myth which is flagged to
the outside world by continued use of that brand.  Most common seems to
be bit of that last combined with a heavy dose of personal financial
investments and/or close relatives with personal financial investments
in that brand.

As far as the technology goes, most are unlikely to (as a user) notice
much of a difference between a nicely configured and painted OpenBSD
setup with Xfce or an even leaner, but decorative, DE.  In the case of
OLPC it is Sugar on Linux.

Either way, they probably would not notice without someone telling them
to notice, except that over time they might notice the better
performance and excellent uptime.

It's hard to say about Negroponte just now, without having met him, but
from a distance it seems he's knuckling under and compromising the
learning advantages in exchange for marginally increased acceptance in a
technopolitical ideology that's rapidly waning.

YMMV.

Regards,
-Lars



Re: Lastet supported jdk on OpenBSD

2008-05-17 Thread Chris
On Sat, May 17, 2008 at 11:34 AM, Matthew Szudzik
[EMAIL PROTECTED] wrote:
 On Fri, May 16, 2008 at 09:03:17PM -0300, John Nietzsche wrote:
 i would like to add support for java on my 4.3 openbsd desktop. Has
 anybody already done so? May you point a url where i could download
 the package(s) from?

 As the previous posters have pointed out, there are no JDK binary
 packages available for OpenBSD 4.3--you have to fetch and build the JDK
 from source yourself.  But in OpenBSD 4.4 (which will be released in
 November), that situation will change, and binary packages for Java will
 be available.  See
  http://www.undeadly.org/cgi?action=article&sid=20080321023803

Installing JDK manually is a royal pain at the moment. Clicking all
those websites, accepting license agreements, downloading and then
compiling the whole thing _does_ take hours. It would be really
awesome to have Java available as package as of 4.4!



Re: wpi-firmware upgrade on 4.3

2008-05-17 Thread Stuart Henderson
On 2008-05-17, Chris [EMAIL PROTECTED] wrote:
 As a part of upgrading from 4.2 to 4.3 I needed to upgrade
 wpi-firmware to v2.14.1.5. As this package is not available from the
 package list, I needed to set PKG_PATH to
 http://damien.bergamini.free.fr/packages/openbsd/ and then pkg_add -ui
 -F update -F updatedepends wpi-firmware and then choose the latest
 version from the options list.

 I was wondering if there's any easier way to upgrade this package?

according to the man page, the person to contact about this is
[EMAIL PROTECTED]

 This firmware file is not free because Intel refuses to grant distribu-
 tion rights without contractual obligations.  As a result, even though
 OpenBSD includes the driver, the firmware file cannot be included and
 users have to download this file on their own.  The official person to
 state your views to about this issue is [EMAIL PROTECTED]



Re: OLPC inks agreement with Microsoft

2008-05-17 Thread Stuart Henderson
On 2008-05-16, Josh Grosse [EMAIL PROTECTED] wrote:
 This slashdot posting:

 http://tech.slashdot.org/article.pl?sid=08/05/15/2320243

 references a New York Times article published today by Steve Lohr describing a
 new agreement with Microsoft

It also references a pretty interesting article from Krstic..



wpi-firmware upgrade on 4.3

2008-05-17 Thread sebastian . rother
***YOUR EMAIL HAS NOT BEEN RECEIVED BY INTEL***
Intel is no longer monitoring this email address. Please visit
http://support.intel.com for technical support information or use
http://www.intel.com/feedback.htm to locate an option to resubmit your
question.

==
(c) 2007 Intel Corporation
 *  Legal Information (http://www.intel.com/sites/corporate/tradmarx.htm)
Privacy Policy(http://www.intel.com/sites/corporate/privacy.htm)
==


The manpage needs an update!
I mailed this person too today because I hate Intel's attitude!

Are there any real chances all major BSDs+Linux may unite to get the rights
of distribution? Maybe we could get Dell aboard or Lenovo.

Also the enhanced speedstep is biting me because I got responses that the
devs can't support it correctly because Intel does not provide docs! :(

I wrote a mail to the person mentioned in the manpage + [EMAIL PROTECTED]

I doubt I won't get a response and I start to hate Intel right now for even
forcing me to write an e-mail just to get a fucking piece of firmware
distributed for free.
Using RALink is an option of course (are there any compatible mini pci
cards comparable to the 4965AGN? (signal quality (receiving/sending))

It would be great if OpenBSD may kick off another call the vendor and
tell them about it and do it NOW-project like it was done with some other
vendors.

Intel claims to support Open source but the lack of firmware + enhanced
speedstep pisses me off. :(


Kind regards,
Sebastian



Re: relayd and src track

2008-05-17 Thread Michał Koc

Hi,

Looking into pf_ioctl.c and pfvar.h I've found that there is an
undocumented (for some unknown reason) IOCTL - DIOCKILLSRCNODES.
Further investigation revealed that its purpose is to remove a single
node from the source tracking tree.
So the simplest way is to find out what connections should be removed and
kill them. But in sync_table we have only the final table, so
connections to remove are in the pf table but not in the final table. To
find them it is simplest to get the previous table from pf, and subtract
from it the final table.

And then to remove the found items from the source tracking tree.
That's exactly what is done in the diff below.

best regards
Michał Koc

Index: pfe_filter.c
===
RCS file: /cvs/src/usr.sbin/relayd/pfe_filter.c,v
retrieving revision 1.27
diff -u -r1.27 pfe_filter.c
--- pfe_filter.c16 May 2008 14:47:58 -1.27
+++ pfe_filter.c17 May 2008 13:46:43 -
@@ -157,8 +157,12 @@
sync_table(struct relayd *env, struct rdr *rdr, struct table *table)
{
int i;
+int j;
+int cs;
struct pfioc_table io;
+struct pfioc_src_node_kill iok;
struct pfr_addr*addlist;
+struct pfr_addr*curlist;
struct sockaddr_in*sain;
struct sockaddr_in6*sain6;
struct host*host;
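Review bot: `curlist` is declared here and allocated with calloc() further down, but no `free(curlist)` appears anywhere in the visible diff (the last hunk is cut off on the page before the function ends); the existing `free(addlist)` after DIOCRSETADDRS is the natural place to release it as well. Initialising the pointer with `NULL` rather than `0` would also match how it is later tested.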
@@ -179,9 +183,7 @@

memset(io, 0, sizeof(io));
io.pfrio_esize = sizeof(struct pfr_addr);
-io.pfrio_size = table-up;
io.pfrio_size2 = 0;
-io.pfrio_buffer = addlist;
if (strlcpy(io.pfrio_table.pfrt_anchor, RELAYD_ANCHOR /,
sizeof(io.pfrio_table.pfrt_anchor)) = PF_ANCHOR_NAME_SIZE)
goto toolong;
@@ -193,6 +195,28 @@
sizeof(io.pfrio_table.pfrt_name))
goto toolong;

+cs = 0;
+curlist = 0;
+
+if (rdr-conf.flags  F_STICKY) {
+io.pfrio_size = 0;
+io.pfrio_buffer = 0;
+if (ioctl(env-sc_pf-dev, DIOCRGETADDRS, io) == -1)
+fatal(sync_table: cannot get number of address);
+
+if ((cs = io.pfrio_size)) {
+if ((curlist = calloc(cs, sizeof(*curlist))) == NULL)
+fatal(calloc);
+   
+io.pfrio_buffer = curlist;

+if (ioctl(env-sc_pf-dev, DIOCRGETADDRS, io) == -1)
+fatal(sync_table: cannot get address list);
+}
+}
+
+io.pfrio_size = table-up;
+io.pfrio_buffer = addlist;
+
i = 0;
TAILQ_FOREACH(host, table-hosts, entry) {
if (host-up != HOST_UP)
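Review bot: after the second DIOCRGETADDRS call, `cs` should be refreshed from `io.pfrio_size`, because the kernel reports the table's current count and the table can change between the size query (`pfrio_size = 0`) and the real fetch. If the table shrank, the tail of the calloc()'d `curlist` stays zeroed and the later loops treat those entries as addresses, producing kill requests with `psnk_af` of 0; if it grew, pf reports the larger count without copying anything and the whole buffer is still zeros. A check such as `if (io.pfrio_size > cs) retry-or-fatal; cs = io.pfrio_size;` closes that gap. Style: `curlist = 0` and `io.pfrio_buffer = 0` are pointer assignments, so NULL reads better.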
@@ -205,6 +229,11 @@
memcpy((addlist[i].pfra_ip4addr), sain-sin_addr,
sizeof(sain-sin_addr));
addlist[i].pfra_net = 32;
+for (j = 0; j  cs; ++j)
+if (!memcmp(sain-sin_addr,
+(curlist[j].pfra_ip4addr),
+sizeof(sain-sin_addr)))
+break;
break;
case AF_INET6:
sain6 = (struct sockaddr_in6 *)host-conf.ss;
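Review bot: the lookup loop compares only the four address bytes, so a match should also require `curlist[j].pfra_af == AF_INET`; the v4 and v6 addresses share one union in `struct pfr_addr`, and a v4 host could otherwise match the leading bytes of a v6 entry. Comparing `pfra_net` too (32 here) keeps the match exact. The same v4/v6 lookup is written out twice in this function; a small `curlist_find(curlist, cs, af, addr, len)` helper would shorten both arms and keep the two checks in one place.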
@@ -212,11 +241,17 @@
memcpy((addlist[i].pfra_ip6addr), sain6-sin6_addr,
sizeof(sain6-sin6_addr));
addlist[i].pfra_net = 128;
+for (j = 0; j  cs; ++j)
+if (!memcmp(sain6-sin6_addr,
+(curlist[j].pfra_ip6addr),
+sizeof(sain6-sin6_addr)))
+break;
break;
default:
fatalx(sync_table: unknown address family);
break;
}
+if (j != cs) curlist[j].pfra_fback = 1;
i++;
}
if (i != table-up)
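Review bot: `curlist[j].pfra_fback = 1` borrows the kernel's feedback field (`pfra_fback`, which pf writes back with PFR_FB_* values on set/add operations) as a "still in the table" marker. That works because the buffer is only read locally afterwards, but it deserves a comment, or a separate `calloc(cs, 1)` byte array so the intent is visible. Also, `j` is only meaningful when the switch took the AF_INET or AF_INET6 arm; the default arm calls fatalx() today, but a future non-fatal default would reach this test with `j` left over from the previous host and mark the wrong entry.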
@@ -224,16 +259,48 @@

if (ioctl(env-sc_pf-dev, DIOCRSETADDRS, io) == -1)
fatal(sync_table: cannot set address list);
-if (rdr-conf.flags  F_STICKY) {
-if (ioctl(env-sc_pf-dev, DIOCCLRSRCNODES, 0) == -1)
-fatal(sync_table: cannot clear the tree of 
-source tracking nodes);
-}
free(addlist);

log_debug(sync_table: table %s: %d added, %d deleted, %d changed,
io.pfrio_table.pfrt_name,
io.pfrio_nadd, io.pfrio_ndel, io.pfrio_nchange);
+
+if (cs  (rdr-conf.flags  F_STICKY)) {
+
+memset(iok.psnk_src, 0, sizeof(iok.psnk_src));
+memset(iok.psnk_dst, 0xff, sizeof(iok.psnk_dst));
+iok.psnk_src.port_op = PF_OP_NONE;
+iok.psnk_dst.port[0] = rdr-conf.port;
+iok.psnk_dst.neg = 0;
+iok.psnk_dst.port_op = PF_OP_EQ;
+
+for (i = 0; i  cs; ++i)
+if (!curlist[i].pfra_fback) {
+iok.psnk_af = curlist[i].pfra_af;
+switch (iok.psnk_af) {
+case AF_INET:
+memcpy(iok.psnk_dst.addr.v.a.addr.v4,
+curlist[i].pfra_ip4addr,
+sizeof(curlist[i].pfra_ip4addr));
+break;
+case AF_INET6:
+memcpy(iok.psnk_dst.addr.v.a.addr.v6,
+curlist[i].pfra_ip6addr,
+
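Review bot: the hunk ends mid-switch on the page, so the DIOCKILLSRCNODES ioctl this request is being built for, and the release of `curlist`, cannot be reviewed here; whatever follows should free `curlist` after the loop and log `iok.psnk_killed` next to the existing add/delete/change counts so an operator can see sticky nodes being dropped. In the visible setup, zeroing `psnk_src` gives a 0/0 match on any client address and filling `psnk_dst` with 0xff before overwriting the address leaves an all-ones destination mask, which is what a per-host kill needs; `psnk_dst.port[1]` stays 0xffff from the memset, harmless with PF_OP_EQ (only `port[0]` is consulted) but worth setting explicitly. Note also that the kill runs only when `cs` is non-zero, whereas the removed DIOCCLRSRCNODES ran on every sticky sync; with an empty previous table there were no nodes to kill, so the behaviour is consistent.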

Re: OpenBSD as MS RIS-Server alternative?

2008-05-17 Thread Richard Daemon
On Sat, May 17, 2008 at 4:52 AM,  [EMAIL PROTECTED] wrote:
 Hello everybody,

 I would like to know if it's possible to use OpenBSD as RIS-Server to
 install Windows via Network. I played around with this for 2 weeks now but
 I can't figure out how it gets done. Something is missing (maybe a
 dhcp-option?! :( )

 I use OpenBSD to provide kinda anything to connected PCs (remote install,
 diagnostics, secure hdd formatting (0,1,0 and other standards)).
 Also I face problems to provide VistaPE (it won't really boot, bootloader
 comes up but then the bcd seems to be corrupted in some way).

 So if somebody here also administrates Windows-Servers (I don't know that
 much about 'em :/) and knows how to emulate a RIS please tell me. I would
 love to replace the Windows Box (the Imaging-Server was already replaced).


 The only things I've found with google were people using MS RIS to
 install OpenBSD (scary, or? :p) but not vice versa.


 Kind regards,
 Sebastian

I'm very curious to know myself, if you get it working or find out
how, please post here or undeadly.org. Something like this would be
very handy for the work I do too.



Re: relayd and src track

2008-05-17 Thread Michał Koc
Due to some problems with patch formatting in the mail agent
it is also available at http://www.prime.pl/relayd.diff

regards
Michał Koc

Pierre-Yves Ritschard writes:
 +   if (rdr-conf.flags  F_STICKY)
 +   if (ioctl(env-sc_pf-dev, DIOCCLRSRCNODES, 0) == -1)
 +   fatal(sync_table: cannot clear the tree of source 
 tracking nodes);
 +
free(addlist);

log_debug(sync_table: table %s: %d added, %d deleted, %d changed,
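Review bot: DIOCCLRSRCNODES here clears every source-tracking node pf holds, not only the nodes that pointed at hosts removed from this table, so a single host going down resets stickiness for every client of every sticky relay on the box. That is what the "good enough for now" remark accepts; the per-node DIOCKILLSRCNODES approach in Michał's diff above limits the reset to the removed hosts, which is the follow-up this comment asks for.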

 

 Good enough for now, it's in. We'll look for a way of clearing
 individual nodes later on.



Re: OpenBSD as MS RIS-Server alternative?

2008-05-17 Thread Dan Brosemer
On Sat, May 17, 2008 at 10:52:49AM +0200, [EMAIL PROTECTED] wrote:
 Hello everybody,
 
 I would like to know if it's possible to use OpenBSD as RIS-Server to
 install Windows via Network. I played around with this for 2 weeks now but
 I can't figure out how it gets done. Something is missing (maybe a
 dhcp-option?! :( )
 
 I use OpenBSD to provide kinda anything to connected PCs (remote install,
 diagnostics, secure hdd formatting (0,1,0 and other standards)).
 Also I face problems to provide VistaPE (it won't really boot, bootloader
 comes up but then the bcd seems to be corrupted in some way).
 
 So if somebody here also administrates Windows-Servers (I don't know that
 much about 'em :/) and knows how to emulate a RIS please tell me. I would
 love to replace the Windows Box (the Imaging-Server was already replaced).
 
 The only things I've found with google were people using MS RIS to
 install OpenBSD (scary, or? :p) but not vice versa.

This isn't RIS, so if you're tied to that technology, ignore me, but I think
this solution is a superior way to accomplish the same goal:

I install all my Windows systems using http://unattended.sourceforge.net/.
Not only does it let me script my Windows install, but also all my
application installs as well and I can have different application sets for
different machines.  There's no need to keep it on similar hardware like
with ghost/sysprep.

All this requires is the stock dhcpd and tftpd along with samba (from ports)
from the OpenBSD system serving it.  While it's not trivial to set up, the
instructions are very clear and you shouldn't have any major trouble.

-Dan

-- 
Burnished gallows set with red
 Caress the fevered, empty mind
 Of man who hangs bloodied and blind
 To reach for wisdom, not for bread.  -- Deoridhe Grimsdaughter



Re: This seems like a good idea

2008-05-17 Thread ropers
2008/5/17 Curt Micol [EMAIL PROTECTED]:
 http://leaf.dragonflybsd.org/mailarchive/kernel/2008-05/msg00038.html

 Here is some more information including a list of keys:
 http://metasploit.com/users/hdm/tools/debian-openssl/

 Thought I'd share.  It's possible I am wrong and this isn't a good
 idea, but I can't think of any reason why it isn't.

I can actually think of an entirely theoretical reason why the
exclusion of the affected keys could conceivably, hypothetically be
considered to be disadvantageous: It reduces the key space; i.e.
future attackers of systems that have blacklisted these keys might
know that they have a few less combinations to try.

In the real world however, the affected keys will probably be the
first ones attackers will try, and the above is just an entirely
theoretical disadvantage -- and it's a much smaller disadvantage than
that constituted by continuing to allow the affected keys.

Kind regards,
--ropers



Re: OpenBSD as MS RIS-Server alternative?

2008-05-17 Thread Richard Daemon
On Sat, May 17, 2008 at 9:15 AM, Dan Brosemer [EMAIL PROTECTED] wrote:
 On Sat, May 17, 2008 at 10:52:49AM +0200, [EMAIL PROTECTED] wrote:
 Hello everybody,

 I would like to know if it's possible to use OpenBSD as RIS-Server to
 install Windows via Network. I played around with this for 2 weeks now but
 I can't figure out how it gets done. Something is missing (maybe a
 dhcp-option?! :( )

 I use OpenBSD to provide kinda anything to connected PCs (remote install,
 diagnostics, secure hdd formatting (0,1,0 and other standards)).
 Also I face problems to provide VistaPE (it won't really boot, bootloader
 comes up but then the bcd seems to be corrupted in some way).

 So if somebody here also administrates Windows-Servers (I don't know that
 much about 'em :/) and knows how to emulate a RIS please tell me. I would
 love to replace the Windows Box (the Imaging-Server was already replaced).

 The only things I've found with google were people using MS RIS to
 install OpenBSD (scary, or? :p) but not vice versa.

 This isn't RIS, so if you're tied to that technology, ignore me, but I think
 this solution is a superior way to accomplish the same goal:

 I install all my Windows systems using http://unattended.sourceforge.net/.
 Not only does it let me script my Windows install, but also all my
 application installs as well and I can have different application sets for
 different machines.  There's no need to keep it on similar hardware like
 with ghost/sysprep.

 All this requires is the stock dhcpd and tftpd along with samba (from ports)
 from the OpenBSD system serving it.  While it's not trivial to set up, the
 instructions are very clear and you shouldn't have any major trouble.


I didn't know about this, looks great. Were you able to do it via PXE booting?



Re: OpenBSD as MS RIS-Server alternative?

2008-05-17 Thread Steve Shockley

[EMAIL PROTECTED] wrote:

I would like to know if it's possible to use OpenBSD as RIS-Server to
install Windows via Network. I played around with this for 2 weeks now but
I can't figure out how it gets done. Something is missing (maybe a
dhcp-option?! :( )


Are you able to boot to your PXE server?  That's the first step.  Make 
sure your PXE server can get DHCP requests, even if it's not the DHCP 
server.  If nothing else, you should (in theory) be able to copy over 
the REMOTEINSTALL tree from your RIS server and share it via tftp and 
Samba and make something work.



Also I face problems to provide VistaPE (it won't really boot, bootloader
comes up but then the bcd seems to be corrupted in some way).


Vista is a different animal to install.  I haven't worked on remote 
installing Vista (I'm working with Server 2008, relatively the same) 
booting from a Server 2003 SP2 with MS RIS/WDS hybrid-mode installed. 
RIS installing 2000/XP formats the disk and copies files over from the 
file system and starts setup.  WDS installing Vista/2008 formats the 
disk and unpacks the WIM file onto the disk and starts setup.  You won't 
be able to just copy the Vista DVD to your server and do a remote 
install, you'll need to download the BDD2007 and/or WAIK kit to make 
network-installable WIM files.


My biggest hurdles moving from RIS to WDS were adding network drivers to 
the boot image for DL360 G5 servers (the normal drivers won't work) and 
moving my skill set from winnt.sif (2003) to unattend.xml (2008).



So if somebody here also administrates Windows-Servers (I don't know that
much about 'em :/) and knows how to emulate a RIS please tell me. I would
love to replace the Windows Box (the Imaging-Server was already replaced).


The unattended project mentioned earlier looks good, I haven't used 
it.  I don't know if it'll do Vista installs, if that's a requirement. 
I guess my question is, if you have a working RIS solution, why not 
continue using it?  You seem to already be a Windows shop on the 
desktops, it doesn't seem like having a Windows server around would be 
that terrible.




Re: How do I set up personal web sites for users?

2008-05-17 Thread folays
Marten Rizwan [EMAIL PROTECTED] writes:

 If your users are in /home and you're not willing to modify your filesystem
 layout much, you could simply export your /home as readonly nfs share and
 mount it to /var/www/users.
 something like that should work in /etc/exports:
 /home  -alldirs,ro 127.0.0.1
 
 $ mount_nfs -o rw 127.0.0.1:/home /var/www/users
 now you can ignore the fact that apache is chrooted. Don't expect read
 performance to be the same though.

I may be about to say something totally wrong, but I believe I read
some time ago (I don't remember when) that re-mounting a local fs via
nfs locally is problematic and unstable, especially when mounting a
subdirectory of the original filesystem.

I think I've also read that the reason was, once a file is opened and
referenced through its specific inode, the underlying vfs code could
never later know, when using its inode, whether it was opened via the
non-nfs-mounted path or via the nfs-mounted path.

I then came up with a theory of my own to try to understand why it
was/could be problematic (which I never took the time to investigate further).
What I thought about is that once you have, for example, opendir()'ed the
directory /var/www/users and do a listing on it, how does the vfs code layer
send you back the correct inode value for the special .. directory (which
could, for example, make getcwd() misbehave in a weird way), and how could it
correctly handle it if you want to chdir() to it? Consider the
following operations:
- open /var/www/users
- fchdir to it
- open ..
- fchdir to it
Would you expect the system to bring you to /var/www or to /, the parent
directory of /home/? What will it do in reality? Can the chrooted process
in /var/www escape the chroot using /var/www/users/.. in a special way?

I originally googled a bit on words like "mount nfs local" after having
some weird instabilities on an OpenBSD 3.9 box running the same setup as above
(on a remote box which didn't respond to ping, maybe crashing...). I then
stopped remounting the filesystem locally and stopped chroot'ing it, and the
problems never happened again since I no longer used weird combinations
of local filesystem + remount via nfs elsewhere + chroot.

Keep it in mind if you discover some problems.

To avoid insulting replies, I'm writing my first sentence again, which
was a disclaimer: "I may be about to say something totally wrong [...]".

-- 
folays
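The open/fchdir/open ../fchdir walk folays describes, as an added check that is not part of this thread: it enters a directory and then its parent with `cd -P`, so the shell asks the kernel (chdir(2) and getcwd(3)) instead of rewriting $PWD, and reports where `..` really lands. The paths /var/www/users and /home are taken from the thread; running the same functions inside the chroot needs chroot(8) as root.

```sh
#!/bin/sh
# Added check: where does the kernel say ".." of a directory really is?
# Physical traversal (cd -P -> chdir(2), pwd -P -> getcwd(3)) is the same
# sequence as open/fchdir/open ../fchdir, unlike the shell's logical $PWD.
physical_parent() {
    dir=$1
    # Subshell, so the caller's working directory is left untouched.
    (
        cd -P -- "$dir" 2>/dev/null || exit 1
        cd -P .. 2>/dev/null || exit 1
        pwd -P
    )
}

# Compare the kernel's answer with the parent an administrator expects
# from the pathname alone. Returns 0 on match, 1 on mismatch, 2 if the
# directory cannot be entered at all.
check_parent() {
    dir=$1
    expected=$2
    actual=$(physical_parent "$dir") || {
        echo "$dir: cannot enter directory" >&2
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        echo "$dir/.. -> $actual (as expected)"
        return 0
    fi
    echo "$dir/.. -> $actual (expected $expected)"
    return 1
}

# Directories from the thread (constructed usage; only those that exist on
# this host are checked). A mismatch on a loopback NFS mount or under
# chroot(8) is exactly the oddity folays asks about.
for d in /var/www/users /home; do
    if [ -d "$d" ]; then
        check_parent "$d" "$(dirname "$d")" || :
    fi
done
```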



Re: geom network driver times out on sparc 4.2?

2008-05-17 Thread Jay
whining

  Ugh, this is not so easy.
  First of all, I am able to write the Solaris and OpenBSD bootblocks. I
could not find any documentation on saving/restoring them, but I could find
how to set them to a specified set. It's not difficult. You boot the Solaris
CD and like /blah/installboot /blah/`uname -i`/blah/bootblk blah
  And when you are done, to get OpenBSD back, boot the OpenBSD CD and like:
 mount /dev/wd0 /mnt && /mnt/mdec/blah/installboot /mnt/mdec/bootblk /dev/rwd0
 Actually I got an error so out of paranoia I did more like:
   mount /dev/wd0 /mnt && cp /mnt/mdec/blah/* /tmp
   umount /mnt
   /tmp/installboot /tmp/bootblk /dev/rwd0
   It took me a little while to find the OpenBSD installboot, buried in mdec
instead of any of /usr/bin, /usr/sbin, /bin, /sbin.. even thought to check
/stand. (Damn, there are too many of these directories! I know people like
to fragment up their hard drives into multiple partitions in order to make it
harder to decide how large to make the partitions, and so then there is /bin
and /usr/bin, but must we have sbin too? And on a single partition system,
can't they all just be in /bin and /usr/bin a symlink to /bin, and on a multi
partition system, put them where they are needed and then fill the others with
symlinks? I realize that's wasteful of storage and $path search... I know
these are not great suggestions, but I do often wish it was all just in /bin.)
   find is not present in the shell when you boot the OpenBSD CD, and the one
in /mnt/blah crashes.
   All that, and the Solaris boot blocks won't boot the flash updater either.
They say something like "file just loaded does not appear to be an executable"
or somesuch. This is surprising to me. I really thought this would work.
 Ok, so let's try the net boot approach.
 Well, there's a step "edit /etc/hosts in the usual way". The usual way? I
always use dhcp. The usual way is not at all. So I tried my usual way..
 At first I forgot to switch the Sun back from wireless to wired. After some
timeout, it sort of proceeded, to the next level of receiving nothing.
 Ok, switch it to wired. Remember the MAC address changes (since I had gotten
it from my router/dhcpd instead of .enet-addr, it was that of the wireless).
It is timing out indefinitely. At least that gives me a chance to fix the
tftp server.
 Over on the tftp server I get: "warning: cannot find jay-sun1 on
192.168.2.0", or maybe the other way around.
 I don't know where this .0 came from. I relented then and edited /etc/hosts.
First I used a 192.168 range. But then I wonder, hm, maybe that conflicts with
the dhcp on the router? Maybe I should use a 10.* or such number. So I tried
that.
   I still get the warning about 192.168.2.0, and the Sun is still just
sitting timing out.
   I don't know where this address is coming from. Maybe it is a reference to
a group or mask of addresses -- 192.168.2.*?
   I have run pkill -1 inetd after every edit.
   So maybe I should reboot. Well, it's a newly installed slow machine, I
had tar xfz ports,src,xenocara.tgz running. Kill those before rebooting.
mv away /usr/src, /usr/ports to /usr/delete so I will delete them after
the reboot. This triggers the "not as dead as I meant" tar to spew warning
after warning after warning "unable to set file times", to a slow console
(MacPPC G3 iBook). There seems to be no way for me to stop it. My
router shows no IP address -- I'd ssh in. Can't control-c or fg/control-c,
it's detached, stupid me. It's still going. I'll leave it go and then
try again later. OK, I finally finished.
   Ugh. Flashing the BIOS is a big pain. On Windows, you just run the app,
it runs within Windows, and then it reboots.
 ..Jay

From: [EMAIL PROTECTED]
RE: geom network driver times out on sparc 4.2?
Date: Sat, 17 May 2008 08:44:53 +


Agreed. Something is boot blocks and they are installed by the OS. The
flash-update is a 32bit ELF file and I imagine the OpenBSD/sparc64 boot blocks
only like 64bit ELF. (Per my other unrelated question -- I was wrong,
OpenBSD/sparc64 is pure 64 bit, gcc -m32 doesn't work (from a certain point
of view, yes I realize it does exactly what it is meant to do, and it is
arguably superior this way, rather than open a can of worms as to just what is
the architecture of the OS, some hard to pin down hybrid, or simply only
SPARC64.) It is probably possible and not difficult to temporarily install the
Solaris boot blocks (such as from the environment booting the Solaris install
CD gives you), boot the flash-update, and then put back the OpenBSD boot
blocks. I haven't really tried yet. It might even be possible, like, to say
boot cdrom /blahblah/ or boot floppy /blahblahblah where /blahblahblah is, you
know, normally just like bsd or /update-flash, the kernel or the program to
run, relative to the device, but maybe you can use a device path there at
the start and have the 

Financed Household Appliances, 16 May 2008

2008-05-17 Thread PRIMMIS
I sell new household appliances at the best price and fully financed. Fixed
installments in pesos for up to 48 months. Also available for people living
in the interior of the country. Delivery anywhere in the country by post within
24 hours. Ask and see for yourself. INCREDIBLE!!



EMAIL: [EMAIL PROTECTED]

MSN: [EMAIL PROTECTED]



Re: geom network driver times out on sparc 4.2?

2008-05-17 Thread Jay
Ok, much progress.
I got to the point where it boots the flash update and I believe I have to fix
the jumper now.

Here are some tricks. If you read the footnote of the instructions, you realize
that RARPD and DHCP are apples and apples. You must pick just one. And it isn't
up to you. It is how the Sun boots.
So, extreme measure: Take both machines off the main network. No more dhcp,
temporarily. Run one cable between them. No more wireless, temporarily. Edit
/etc/hostname.if (hostname.gem0 for me) on the rarpd/tftpd server to give it a
static address. I used 10.0.0.1 -- right from the start of man hostname.if.
Edit /etc/hosts as instructed, I used 10.0.0.2.
I'm not sure how you really set up network booting. This can't be it. I know
more modern systems to have dhcp in the boot environment. That should help
completely.
This got me to the point of rarpd sending a reply and then the Sun waiting and
telling me to double check the tftpd server.
Now, I varied a few things flailing around, but I think the main one was that
the files in /tftpboot should be named in all caps.
I also killed and restarted inetd, not just -1 (sighup), but that's probably
not needed.
I also ran inetd -d and it reported starting tftpd and then shortly after
reaping it. If I ran tftpd under gdb, it exited with 1 after a short run. I was
considering building it from source and debugging, but I haven't built OpenBSD
yet. I THINK it was the CAPS in the file names, but not sure.
AHA the instructions to use a capital X. I mistyped that.
Now to open the machine and deal with the jumper...
 - Jay
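The file name Jay's client is asking tftpd for, as an added helper that is not part of the thread: after rarpd answers, the Sun requests its own IPv4 address written as eight upper-case hexadecimal digits (10.0.0.2 becomes 0A000002), which is why printf's lower-case %x and a lower-case entry in /tftpboot both end in a failed transfer. The tftp root, loader name and optional architecture suffix are constructed placeholders; diskless(8) for your platform gives the exact name the firmware requests.

```sh
#!/bin/sh
# Added helper, not from the thread: turn a dotted quad into the name a Sun
# client requests over tftp (its address as eight UPPER-CASE hex digits,
# optionally followed by a suffix) so the /tftpboot entry matches exactly.
ip_to_tftp_name() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    # Exactly four numeric octets, each 0..255, no leading zeros (those
    # would be read as octal by printf), otherwise refuse.
    [ -n "$d" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    # %X, not %x: the request arrives in capitals (10.0.0.2 -> 0A000002).
    printf '%02X%02X%02X%02X%s\n' "$a" "$b" "$c" "$d" "${2:-}"
}

# Create the symlink a given client will hit under the tftp root.
# Usage: link_boot_loader /tftpboot 10.0.0.2 ofwboot.net [suffix]
# (paths are constructed; the loader must already be in the tftp root).
link_boot_loader() {
    tftproot=$1 client_ip=$2 loader=$3 suffix=${4:-}
    name=$(ip_to_tftp_name "$client_ip" "$suffix") || {
        echo "bad client address: $client_ip" >&2
        return 1
    }
    [ -e "$tftproot/$loader" ] || {
        echo "$tftproot/$loader: loader not present" >&2
        return 1
    }
    ln -sf "$loader" "$tftproot/$name" || return 1
    echo "$tftproot/$name -> $loader"
}

# Sample run with the client address from the thread (prints 0A000002).
ip_to_tftp_name 10.0.0.2
```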



Re: OpenBSD as MS RIS-Server alternative?

2008-05-17 Thread Dan Brosemer
On Sat, May 17, 2008 at 10:17:17AM -0400, Richard Daemon wrote:
 On Sat, May 17, 2008 at 9:15 AM, Dan Brosemer [EMAIL PROTECTED] wrote:

 I didn't know about this, looks great. Were you able to do it via PXE booting?

Absolutely.  It's nothing-but-net.  I can even get it to read the hostname
from DHCP and select an unattended configuration based on that.

My installs go something like this:

pxelinux boot prompt: win
It asks me for a username to mount the share with.
It asks me for a password to mount the share with.
It asks me for a password to join the domain.

Now, the machine just goes and installs itself including all applications
and patches including as many reboots as needed.

I really can't rave about it enough, and it works beautifully with an
OpenBSD server.

-Dan

-- 
Burnished gallows set with red
 Caress the fevered, empty mind
 Of man who hangs bloodied and blind
 To reach for wisdom, not for bread.  -- Deoridhe Grimsdaughter



Re: geom network driver times out on sparc 4.2?

2008-05-17 Thread Jay
Ok! It is done.

I think there might be a reasonable bug or feature request here to enable
the OpenBSD/sparc64 bootblk to be able to boot the flash updates, like if it
is just a matter of supporting ELF32 or something. But I don't know.

Solaris still won't install. It actually got worse, before the OBP update.
Solaris setup had brought up X, now it fails to.
The machine came with Solaris, but when it booted, and went graphical, the LCD
couldn't keep up.. Oh well.

 - Jay


From: [EMAIL PROTECTED]
RE: geom network driver times out on sparc 4.2?
Date: Sat, 17 May 2008 18:56:38 +


Ok, much progress. I got to the point where it boots the flash update and I
believe I have to fix the jumper now.



Re: OpenBSD as MS RIS-Server alternative?

2008-05-17 Thread Richard Daemon
On Sat, May 17, 2008 at 4:06 PM, Dan Brosemer [EMAIL PROTECTED] wrote:
 On Sat, May 17, 2008 at 10:17:17AM -0400, Richard Daemon wrote:
 On Sat, May 17, 2008 at 9:15 AM, Dan Brosemer [EMAIL PROTECTED] wrote:

 I didn't know about this, looks great. Were you able to do it via PXE 
 booting?

 Absolutely.  It's nothing-but-net.  I can even get it to read the hostname
 from DHCP and select an unattended configuration based on that.

 My installs go something like this:

 pxelinux boot prompt: win
 It asks me for a username to mount the share with.
 It asks me for a password to mount the share with.
 It asks me for a password to join the domain.

 Now, the machine just goes and installs itself including all applications
 and patches including as many reboots as needed.

 I really can't rave about it enough, and it works beautifully with an
 OpenBSD server.

Sweet! I'm going to give this a try, this is something I've been
looking for, for a while.

pxelinux boot prompt? Should work with OpenBSD's pxeboot the same way?



Re: geom network driver times out on sparc 4.2?

2008-05-17 Thread Sevan / Venture37
Boot the machine whilst holding the STOP & N key on your keyboard, that will
reset your obp to defaults, then hook up a null modem cable to the sun &
another box, run a terminal emulator on the other box, power cycle the sun &
hold STOP & D; this will cause the sun to do a full hardware diag.



PHP gd library isn't loading...

2008-05-17 Thread Jeff Ross
It seems that I've somehow lost the ability to load the php5-gd library 
into apache on my more or less -current box, even though I've installed 
the package and made the link as instructed when I installed the package.


A page that pulls php_info() doesn't show gd at all, and if I tack a 
call to gd_info() to that script the whole thing fails with a function 
not found error.


When I start or re-start apache I do not get any errors, but when I run 
a script from the cli I get this:


PHP Warning:  PHP Startup: Unable to load dynamic library 
'/var/www/lib/php/modules/gd.so' - Cannot load specified object in 
Unknown on line 0


even though that file lives at that specific location:

[EMAIL PROTECTED]:/var/www/openvistas $ ls -al /var/www/lib/php/modules/ 


total 10096
drwxrwxr-x  2 www   cvs 512 May 17 14:27 .
drwxrwxr-x  3 www   daemon  512 Sep 28  2005 ..
-rwxr-xr-x  1 root  cvs 4321568 Mar  1  2006 dpsearch.so
-r--r--r--  1 root  bin  468882 May 13 20:20 gd.so
-r--r--r--  1 root  bin  206391 Oct  9  2007 pgsql.so
-rwxr-xr-x  1 root  daemon   100446 Nov  2  2007 xcache.so

Here is what I have installed php-wise:

[EMAIL PROTECTED]:/var/www/conf $ pkg_info -a | grep php
php5-core-5.2.5p3   server-side HTML-embedded scripting language
php5-extensions-5.2.5 informational package about PHP5 extensions
php5-gd-5.2.5   image manipulation extensions for php5
php5-pgsql-5.2.4pgsql database access extensions for php5


I have not yet updated php5-pgsql because I have not yet updated 
postgres to 8.3.1 but it still works just fine.


Any cluesticks would be greatly appreciated!

Thanks,

Jeff Ross



Re: ipsec home network to colo server

2008-05-17 Thread Lord Sporkton
2008/5/15 Claer [EMAIL PROTECTED]:
 On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:

 2008/5/14 Lord Sporkton [EMAIL PROTECTED]:
  2008/5/14 scott learmonth [EMAIL PROTECTED]:
  On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED]
  wrote:
  I am trying to set up an ipsec link between my home network (private ip
   network behind dynamic public ip)
   and my colo server (single public static ip). I was a bit unclear on
   how to set up a tunnel between a static
   and dynamic ip
  
   interesting traffic:
   208.70.72.13 - 10.0.0.0/16
  
  
   My SAD seems to set up ok, however afterward I get no flows and cannot
  pass
   data, I've checked out logs, and ipsecctl -m, but see nothing of use.
  
   Below is data I believe relevant, if anything else is requested I will
   do my best to post it back in a timely fashion
   thank you
 
 
   colo server:
 
   # uname -a
   OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
   # cat /etc/ipsec.conf
 
   ike passive from 208.70.72.13 to 10.0.0.0/16 \
  aggressive auth hmac-sha1 enc 3des group modp1024   \
  quick auth hmac-sha1 enc 3des \
  srcid angie.sporkton.com dstid fire.sporkton.com \
  psk password
   # ipsecctl -sa
   FLOWS:
   No flows
 
   SAD:
   esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
   hmac-sha1 enc 3des-cbc
   esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
   hmac-sha1 enc 3des-cbc
   #
 
   ipsecctl -m output:
 
   sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
  address_src: 67.159.171.204
  address_dst: 208.70.72.13
  spirange: min 0x0100 max 0x
   sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
  sa: spi 0x581ea1f0 auth none enc none
  state mature replay 0 flags 0
  address_src: 67.159.171.204
  address_dst: 208.70.72.13
   sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
  sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
  state mature replay 16 flags 4
  lifetime_hard: alloc 0 bytes 0 add 1200 first 0
  lifetime_soft: alloc 0 bytes 0 add 1080 first 0
  address_src: 208.70.72.13
  address_dst: 67.159.171.204
  key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
  key_encrypt: bits 192:
  65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
  identity_src: type fqdn id 0: angie.sporkton.com
  identity_dst: type fqdn id 0: fire.sporkton.com
  src_mask: 255.255.255.255
  dst_mask: 255.255.0.0
  protocol: proto 0 flags 0
  flow_type: type unknown direction out
  src_flow: 208.70.72.13
  dst_flow: 10.0.0.0
   sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
  sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
  state mature replay 16 flags 4
  lifetime_hard: alloc 0 bytes 0 add 1200 first 0
  lifetime_soft: alloc 0 bytes 0 add 1080 first 0
  address_src: 208.70.72.13
  address_dst: 67.159.171.204
  identity_src: type fqdn id 0: angie.sporkton.com
  identity_dst: type fqdn id 0: fire.sporkton.com
  src_mask: 255.255.255.255
  dst_mask: 255.255.0.0
  protocol: proto 0 flags 0
  flow_type: type unknown direction out
  src_flow: 208.70.72.13
  dst_flow: 10.0.0.0
   sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
  sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
  state mature replay 16 flags 4
  lifetime_hard: alloc 0 bytes 0 add 1200 first 0
  lifetime_soft: alloc 0 bytes 0 add 1080 first 0
  address_src: 67.159.171.204
  address_dst: 208.70.72.13
  key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
  key_encrypt: bits 192:
  496cd320b35638d36dd8f899b8ce76c150840092db466715
  identity_src: type fqdn id 0: fire.sporkton.com
  identity_dst: type fqdn id 0: angie.sporkton.com
  src_mask: 255.255.0.0
  dst_mask: 255.255.255.255
  protocol: proto 0 flags 0
  flow_type: type unknown direction in
  src_flow: 10.0.0.0
  dst_flow: 208.70.72.13
   sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
  sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
  state mature replay 16 flags 4
  lifetime_hard: alloc 0 bytes 0 add 1200 first 0
  lifetime_soft: alloc 0 bytes 0 add 1080 first 0
  address_src: 67.159.171.204
  address_dst: 208.70.72.13
  identity_src: type fqdn id 0: fire.sporkton.com
  identity_dst: type fqdn id 0: angie.sporkton.com
  src_mask: 255.255.0.0
  dst_mask: 255.255.255.255
  protocol: proto 0 flags 0
  flow_type: type unknown direction in
  src_flow: 10.0.0.0
  dst_flow: 208.70.72.13
 
 
 
   Home firewall:
 
   # uname -a
   OpenBSD fire.sporkton.com 4.3 

Re: ipsec home network to colo server

2008-05-17 Thread Jose Quinteiro
http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

try

ipsec.conf on fire:
angie = 208.70.72.13
fire  = 10.0.0.0/24

ike esp from $fire to $angie local egress \
   srcid fire.sporkton.com dstid angie.sporkton.com



ipsec.conf on angie:
angie = 208.70.72.13
fire  = 10.0.0.0/24

ike passive esp from $angie to $fire \
   srcid angie.sporkton.com dstid fire.sporkton.com

HTH,
Jose.


DNS Question.

2008-05-17 Thread Dark Nebula

Hi all,

Is it possible to perform a DNS query that gives me all A records for one IP
(without using reverse DNS)?

Thanks a lot



Re: ipsec home network to colo server

2008-05-17 Thread Lord Sporkton
So egress being something very much like any then?

2008/5/17 Jose Quinteiro [EMAIL PROTECTED]:
 http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

 try

 ipsec.conf on fire:
 angie = 208.70.72.13
 fire  = 10.0.0.0/24

 ike esp from $fire to $angie local egress \
   srcid fire.sporkton.com dstid angie.sporkton.com



 ipsec.conf on angie:
 angie = 208.70.72.13
 fire  = 10.0.0.0/24

 ike passive esp from $angie to $fire \
   srcid angie.sporkton.com dstid fire.sporkton.com

 HTH,
 Jose.


Re: OpenBSD as MS RIS-Server alternative?

2008-05-17 Thread Dan Brosemer
On Sat, May 17, 2008 at 04:33:23PM -0400, Richard Daemon wrote:
 On Sat, May 17, 2008 at 4:06 PM, Dan Brosemer [EMAIL PROTECTED] wrote:
  On Sat, May 17, 2008 at 10:17:17AM -0400, Richard Daemon wrote:
  On Sat, May 17, 2008 at 9:15 AM, Dan Brosemer [EMAIL PROTECTED] wrote:
 
  I didn't know about this, looks great. Were you able to do it via PXE 
  booting?
 
  Absolutely.  It's nothing-but-net.  I can even get it to read the hostname
  from DHCP and select an unattended configuration based on that.
 
  My installs go something like this:
 
  pxelinux boot prompt: win
  It asks me for a username to mount the share with.
  It asks me for a password to mount the share with.
  It asks me for a password to join the domain.
 
  Now, the machine just goes and installs itself including all applications
  and patches including as many reboots as needed.
 
  I really can't rave about it enough, and it works beautifully with an
  OpenBSD server.
 
 Sweet! I'm going to give this a try, this is something I've been
 looking for, for a while.
 
 pxelinux boot prompt? Should work with OpenBSD's pxeboot the same way?

Actually, no.  OpenBSD's pxeboot is what you want to boot OpenBSD's kernel.
With unattended, you boot a linux environment off the network to begin your
install (it mounts the samba share, copies files, etc.) so you use pxelinux.
There are ways, if you google for it, to chain pxeboot off pxelinux so you can
keep one environment for installing both OpenBSD and Windows over the network.

-Dan

-- 
Burnished gallows set with red
 Caress the fevered, empty mind
 Of man who hangs bloodied and blind
 To reach for wisdom, not for bread.  -- Deoridhe Grimsdaughter



Re: DNS Question.

2008-05-17 Thread Lord Sporkton
2008/5/17 Dark Nebula [EMAIL PROTECTED]:
 Hi all,

 Is it possible to perform a DNS query that gives me all A records for one IP
 (without using reverse DNS)?

 Thanks a lot



Are you asking to find all the forward A records for a given IP?
If so, there is no way to do that, not even with rDNS.



-- 
-Lawrence



Multicasting on OpenBSD

2008-05-17 Thread Insan Praja SW

Hi Misc@,
Just wondering, is there any multicasting technology (PIM-SM,
PIM-SSM etc.) currently developed or implemented in OpenBSD? Since working
with this unbelievable OS (especially with routing/filtering/forwarding) I
wish to know more about it.
Right now I have managed to use OBSD4.3-current for BGP routing
(redundant/load balance with carp), storing the prefix in a pf table, setting the
rtlabel, labeling rules with pf, multiple routing tables, tagging rules,
just unbelievably awesome.

Best of luck to the guys working on such a nice OS.
Thanks,


--
insandotpraja(at)gmaildotcom



Re: ipsec home network to colo server

2008-05-17 Thread Jose Quinteiro
No, egress is an interface group.  Man ifconfig.  You have to use that
'cause your outgoing (egress) IP address changes.  The pf-style (eth0)
syntax where eth0 is your outside interface may work too.  Try it and see.


Saludos,
Jose.

Lord Sporkton wrote:

So egress being something very much like any then?

2008/5/17 Jose Quinteiro [EMAIL PROTECTED]:

http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

try

ipsec.conf on fire:
angie = 208.70.72.13
fire  = 10.0.0.0/24

ike esp from $fire to $angie local egress \
  srcid fire.sporkton.com dstid angie.sporkton.com



ipsec.conf on angie:
angie = 208.70.72.13
fire  = 10.0.0.0/24

ike passive esp from $angie to $fire \
  srcid angie.sporkton.com dstid fire.sporkton.com

HTH,
Jose.

Lord Sporkton wrote:

2008/5/15 Claer [EMAIL PROTECTED]:

On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:


2008/5/14 Lord Sporkton [EMAIL PROTECTED]:

2008/5/14 scott learmonth [EMAIL PROTECTED]:

On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton [EMAIL PROTECTED]
wrote:

I am trying to set up an ipsec link between my home network (private IP
 network behind a dynamic public IP)
 and my colo server (single public static IP). I was a bit unclear on
 how to set up a tunnel between a static
 and a dynamic IP

 interesting traffic:
 208.70.72.13 - 10.0.0.0/16


 My SAD seems to set up ok, however afterward I get no flows and can not
 pass data, I've checked out logs, and ipsecctl -m, but see nothing of use.

 Below is data I believe relevant, if anything else is requested I will
 do my best to post it back in a timely fashion
 thank you


 colo server:

 # uname -a
 OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
 # cat /etc/ipsec.conf

 ike passive from 208.70.72.13 to 10.0.0.0/16 \
aggressive auth hmac-sha1 enc 3des group modp1024   \
quick auth hmac-sha1 enc 3des \
srcid angie.sporkton.com dstid fire.sporkton.com \
psk password
 # ipsecctl -sa
 FLOWS:
 No flows

 SAD:
 esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
 hmac-sha1 enc 3des-cbc
 #

 ipsecctl -m output:

 sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
address_src: 67.159.171.204
address_dst: 208.70.72.13
spirange: min 0x0100 max 0x
 sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
sa: spi 0x581ea1f0 auth none enc none
state mature replay 0 flags 0
address_src: 67.159.171.204
address_dst: 208.70.72.13
 sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 208.70.72.13
address_dst: 67.159.171.204
key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
key_encrypt: bits 192:
65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
identity_src: type fqdn id 0: angie.sporkton.com
identity_dst: type fqdn id 0: fire.sporkton.com
src_mask: 255.255.255.255
dst_mask: 255.255.0.0
protocol: proto 0 flags 0
flow_type: type unknown direction out
src_flow: 208.70.72.13
dst_flow: 10.0.0.0
 sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 208.70.72.13
address_dst: 67.159.171.204
identity_src: type fqdn id 0: angie.sporkton.com
identity_dst: type fqdn id 0: fire.sporkton.com
src_mask: 255.255.255.255
dst_mask: 255.255.0.0
protocol: proto 0 flags 0
flow_type: type unknown direction out
src_flow: 208.70.72.13
dst_flow: 10.0.0.0
 sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: 67.159.171.204
address_dst: 208.70.72.13
key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
key_encrypt: bits 192:
496cd320b35638d36dd8f899b8ce76c150840092db466715
identity_src: type fqdn id 0: fire.sporkton.com
identity_dst: type fqdn id 0: angie.sporkton.com
src_mask: 255.255.0.0
dst_mask: 255.255.255.255
protocol: proto 0 flags 0
flow_type: type unknown direction in
src_flow: 10.0.0.0
dst_flow: 208.70.72.13
 sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
state mature replay 16 flags 4

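The symptom in this thread is a SAD with two negotiated SAs but "No flows", so nothing is ever sent through the tunnel. The following script is an added example, not code from the thread or from OpenBSD: it parses `ipsecctl -sa` output into its FLOWS and SAD sections and reports SAs that no flow refers to. The first sample is built from the output quoted above; the second is a hypothetical healthy output with the flows that ipsec.conf would install, constructed for illustration.

```python
"""Sanity check for `ipsecctl -sa` output on OpenBSD: list the SAs in the
SAD that no flow refers to (the "SAD ok, no flows, no data" picture in
the thread).  Added example, not part of the thread; both output samples
below are constructed, the first from the figures quoted in the thread,
the second with a hypothetical flow section."""
import re
from dataclasses import dataclass

# `esp tunnel from A to B spi 0x... auth ... enc ...` (one line per SA)
SA_RE = re.compile(r"^esp (?:tunnel|transport) from (\S+) to (\S+) spi (0x[0-9a-f]+)")
# `flow esp in|out from NET to NET peer ADDR srcid ... dstid ... type ...`
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")


@dataclass(frozen=True)
class Sa:
    src: str
    dst: str
    spi: str


@dataclass(frozen=True)
class Flow:
    direction: str
    src: str
    dst: str
    peer: str


def parse_ipsecctl_sa(text):
    """Split `ipsecctl -sa` output into (flows, sas)."""
    flows, sas = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "FLOWS:":
            section = "flows"
        elif line == "SAD:":
            section = "sad"
        elif section == "flows":
            m = FLOW_RE.match(line)
            if m:
                flows.append(Flow(*m.groups()))
        elif section == "sad":
            m = SA_RE.match(line)
            if m:
                sas.append(Sa(*m.groups()))
    return flows, sas


def orphan_sas(flows, sas):
    """SAs whose endpoints are not the peer of any flow.  Without a flow
    the kernel never steers packets into the SA, so no traffic passes."""
    peers = {f.peer for f in flows}
    return [sa for sa in sas if sa.src not in peers and sa.dst not in peers]


def diagnose(text):
    flows, sas = parse_ipsecctl_sa(text)
    if not sas:
        return "no SAs in the SAD"
    orphans = orphan_sas(flows, sas)
    if orphans:
        return "SAs without flows: " + ", ".join(sa.spi for sa in orphans)
    return "ok: every SA is covered by a flow"


# Constructed from the output quoted in the thread (two SAs, no flows).
SAMPLE_NO_FLOWS = """\
FLOWS:
No flows

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

# Hypothetical healthy output: the same SAs plus the flows that the
# ipsec.conf in the thread would install for 10.0.0.0/16 and 208.70.72.13.
SAMPLE_WITH_FLOWS = """\
FLOWS:
flow esp in from 10.0.0.0/16 to 208.70.72.13 peer 67.159.171.204 srcid fire.sporkton.com dstid angie.sporkton.com type use
flow esp out from 208.70.72.13 to 10.0.0.0/16 peer 67.159.171.204 srcid angie.sporkton.com dstid fire.sporkton.com type require

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_NO_FLOWS))
    print(diagnose(SAMPLE_WITH_FLOWS))
```

Feeding it live output (`ipsecctl -sa | python3 check.py`-style) is a one-line change; the point is that "SAs without flows" narrows the problem to the flow side of ipsec.conf (the `from`/`to` networks and `local`/`peer` selection) rather than to authentication or the ciphers, which the SAD shows already agreed.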
pf-altq-bandwith_problem

2008-05-17 Thread Jesus Sanchez

Hi, I'm using OpenBSD 4.2

Here is my network, to explain later:

[Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]

I have a little problem when trying to set up an altq bandwidth shaper with
pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
bandwidth, and also I have set some local servers on my OpenBSD to
give some services to Joe, but I also want to give it at the 100Kbs
speed mentioned before, even being local network (up to 100Mbs).

The thing is that I have set the PF rules as the manpages say, and
everything works as expected when Joe goes out of my box to the internet,
the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
takes a file from my box, or my box from Joe, the speed is very very
much higher.

I have tried several things but I don't find the key to this. One thing:
the speed factor when Joe connects to my OpenBSD is always 40x relative
to the bandwidth value I give to the altq.


my pf.conf (very simple, very unsafe, just to try this)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

ext_if=rl0
int_if=sk0

scrub in all

altq on $int_if cbq bandwidth 100Kb queue main
queue main bandwidth 100% cbq(default)

nat on $ext_if from $int_if:network -> $ext_if

block all
pass queue main

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thanks for your time
-Jesus



Re: Multicasting on OpenBSD

2008-05-17 Thread Matthew Dempsky
On Sat, May 17, 2008 at 6:27 PM, Insan Praja SW [EMAIL PROTECTED] wrote:
 Just wondering around, is there any multicasting technology (PIM-SM, PIM-SSM
 etc) currently developed or implemented in OpenBSD?

There's dvmrpd and mrouted.



Re: pf-altq-bandwith_problem

2008-05-17 Thread Lord Sporkton
2008/5/17 Jesus Sanchez [EMAIL PROTECTED]:
 Hi, I'm using OpenBSD 4.2

 Here is my network, to explain later:

 [Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]

 I have a little problem when trying to set up an altq bandwidth shaper with
 pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
 bandwidth, and also I have set some local servers on my OpenBSD to
 give some services to Joe, but I also want to give it at the 100Kbs
 speed mentioned before, even being local network (up to 100Mbs).

 The thing is that I have set the PF rules as the manpages say, and
 everything works as expected when Joe goes out of my box to the internet,
 the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
 from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
 takes a file from my box, or my box from Joe, the speed is very very
 much higher.

 I have tried several things but I don't find the key to this. One thing:
 the speed factor when Joe connects to my OpenBSD is always 40x relative
 to the bandwidth value I give to the altq.


 my pf.conf (very simple, very unsafe, just to try this)
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 ext_if=rl0
 int_if=sk0

 scrub in all

 altq on $int_if cbq bandwidth 100Kb queue main
 queue main bandwidth 100% cbq(default)

 nat on $ext_if from $int_if:network -> $ext_if

 block all
 pass queue main

 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

 Thanks for your time
 -Jesus




If Joe is accessing things on his local LAN, that is, in his subnet,
you will not be able to police this traffic as it never even hits the
gateway (altq OpenBSD box), so the only limit will be the layer 2
hardware (your switch(es)). Might I suggest putting your servers on a
DMZ as a solution, then Joe will be forced through the gateway for any
server access. If your layer 2 hardware is high end enough you may be
able to do bandwidth control in the layer 2 hardware itself.

As a side note, I don't believe OpenBSD can do altq on anything other
than a physical interface, so if you put the servers on a DMZ, make
sure to use a physical interface, not a vlan.


-- 
-Lawrence



Re: pf-altq-bandwith_problem

2008-05-17 Thread Jesus Sanchez

Lord Sporkton wrote:

2008/5/17 Jesus Sanchez [EMAIL PROTECTED]:
  

Hi, I'm using OpenBSD 4.2

Here is my network, to explain later:

[Joe PC] --- $int_if [MY_OPENBSD] $ext_if --- [INTERNET]

I have a little problem when trying to set up an altq bandwidth shaper with
pf. My intention is to give Joe only 100Kbs (bits) of the Internet total
bandwidth, and also I have set some local servers on my OpenBSD to
give some services to Joe, but I also want to give it at the 100Kbs
speed mentioned before, even being local network (up to 100Mbs).

The thing is that I have set the PF rules as the manpages say, and
everything works as expected when Joe goes out of my box to the internet,
the bandwidth is 100Kbs, all OK. But when Joe takes some files by ftp
from my OpenBSD box, the speed goes up by a factor of 40x, I mean, if Joe
takes a file from my box, or my box from Joe, the speed is very very
much higher.

I have tried several things but I don't find the key to this. One thing:
the speed factor when Joe connects to my OpenBSD is always 40x relative
to the bandwidth value I give to the altq.


my pf.conf (very simple, very unsafe, just to try this)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

ext_if=rl0
int_if=sk0

scrub in all

altq on $int_if cbq bandwidth 100Kb queue main
queue main bandwidth 100% cbq(default)

nat on $ext_if from $int_if:network -> $ext_if

block all
pass queue main

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thanks for your time
-Jesus






If Joe is accessing things on his local LAN, that is, in his subnet,
you will not be able to police this traffic as it never even hits the
gateway (altq OpenBSD box), so the only limit will be the layer 2
hardware (your switch(es)). Might I suggest putting your servers on a
DMZ as a solution, then Joe will be forced through the gateway for any
server access. If your layer 2 hardware is high end enough you may be
able to do bandwidth control in the layer 2 hardware itself.

As a side note, I don't believe OpenBSD can do altq on anything other
than a physical interface, so if you put the servers on a DMZ, make
sure to use a physical interface, not a vlan.

  

I don't want to disturb, but I think you're not right. I want to shape
the bandwidth of the full interface, I know that if Joe is in a LAN with
another PC, the speed limit is the hardware limit, but I just want to
limit one of the interfaces on my OpenBSD box to a certain number of Kbs
(100Kbs), so PF already made changes, but I saw this weird behaviour and
want to make the 100Kbs limit universal to all the interface transfers.

If Joe wants a file from the OpenBSD gateway running a limit of 100Kbs
(pf+altq), even to get a file from the gateway box by FTP, the 100Kbs
limit should apply, or not? Please, I'm really a noob with this and I
don't want to bother anyone with my words, I just talk about what I
think, if I'm wrong, please let me know.

note: a DMZ is not possible for this project, I only have the same
PC to act as both the OpenBSD box and the FTP server for the Joe users.

Thanks for your time.
-Jesus



Re: DNS Question.

2008-05-17 Thread Tim Post
On Sat, 2008-05-17 at 18:21 -0700, Lord Sporkton wrote:
 2008/5/17 Dark Nebula [EMAIL PROTECTED]:
  Hi all,
 
  Is possible perform a DNS query, that gives me all A records from one ip,
  (without using the reverse DNS) ?
 
  Thanks a lot
 
 
 
 Are you asking to find all the forward A records for a given IP?
 If so, there is no way to do that, not even with rDNS

There are services that track IP usage and correlate them to domains.
The tools allow you to find out (approximately) what A records point to
any given IP.

This one is relatively accurate:

http://www.myipneighbors.com/

I would not treat its output as gospel. It gives a decent indicator of
how many virtual hosts are pointed at any given IP and shows you who
they are. Note, this only tracks A records, not MX records and is easily
confused by CNAMEs.

There is no way to query for this, you would have to get a list of all
FQDNs in use on the Internet and continuously dig them to record their
IP.

I don't know of any service that does this and offers free automated
queries via some kind of text client, most insist that you use their web
interface. This makes them handy for manual lookups but useless in any
kind of automated tool.

Cheers,
--Tim


-- 
Monkey + Typewriter = Echoreply ( http://echoreply.us )

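Tim's point is that "which names point at this IP" is not a DNS query but an index you build yourself by resolving every name you know about and inverting the result, and that CNAMEs confuse naive attempts. The script below is an added example, not from the thread or from any of the services mentioned: it builds that inverse index over a constructed, hypothetical record set (example.test names, 192.0.2.0/24 addresses), following CNAME chains so aliases are credited to the address they finally resolve to, and refusing loops and dangling aliases. For a defender the same index answers the inventory question of which of your own names land on a given address.

```python
"""Address-to-names index built the way the thread describes: resolve
every known name, record its A addresses, then invert.  Added example;
the record set is constructed and every name in it is hypothetical.
Real input would be your own zone files or the answers collected by
periodically resolving a list of names."""
from collections import defaultdict

# Constructed record set: name -> list of (type, value).
RECORDS = {
    "www.example.test":    [("A", "192.0.2.10")],
    "mail.example.test":   [("A", "192.0.2.20")],
    "blog.example.test":   [("CNAME", "www.example.test")],
    "shop.example.test":   [("CNAME", "blog.example.test")],   # two-hop chain
    "loop-a.example.test": [("CNAME", "loop-b.example.test")],
    "loop-b.example.test": [("CNAME", "loop-a.example.test")], # CNAME loop
    "gone.example.test":   [("CNAME", "missing.example.test")], # dangling
    "dual.example.test":   [("A", "192.0.2.10"), ("A", "192.0.2.30")],
}

MAX_CNAME_HOPS = 8  # resolvers cap chain length; so do we


def resolve_a(name, records=RECORDS):
    """Return the set of A addresses for name, following CNAMEs.
    Unknown names, dangling aliases and CNAME loops yield an empty set."""
    seen = set()
    current = name
    for _ in range(MAX_CNAME_HOPS):
        if current in seen:
            return set()            # loop: give up rather than spin
        seen.add(current)
        rrs = records.get(current, [])
        addrs = {v for t, v in rrs if t == "A"}
        if addrs:
            return addrs
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames:
            return set()            # no A and no CNAME: nothing to follow
        current = cnames[0]         # a name may carry only one CNAME
    return set()                    # chain too long


def build_ip_index(records=RECORDS):
    """Invert the resolved data: address -> sorted names landing on it.
    Aliases are listed under the address of their canonical target."""
    index = defaultdict(set)
    for name in records:
        for addr in resolve_a(name, records):
            index[addr].add(name)
    return {addr: sorted(names) for addr, names in index.items()}


def names_for_ip(addr, records=RECORDS):
    """The question from the thread, answered from the local index."""
    return build_ip_index(records).get(addr, [])


if __name__ == "__main__":
    for addr, names in sorted(build_ip_index().items()):
        print(addr, ", ".join(names))
```

The index is only as complete as the list of names fed into it, which is exactly Tim's caveat about the web services: an address that no known name resolves to simply comes back empty, not as "no names".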


Re: Old EmBSD docs

2008-05-17 Thread Steve B
While researching a different problem I stumbled across something for later
reading on this topic:
http://www.kernel-panic.it/openbsd/embedded/

On Tue, May 13, 2008 at 2:09 AM, Michael Dexter [EMAIL PROTECTED]
wrote:

  Nonsense. Many new embedded boards have limited flash memory soldered
 on.
 
 I think most of the developers are tired of seeing people shoot
 themselves in the foot then show up on the list complaining about blood
 loss.  Pointing out that some people might have a justification for
 inflicting pain upon themselves only encourages harmful behavior.

 I was incorrect about the example product. My error. However, the paradox
 remains: arguably the best routing OS available requires blood loss on the
 most cost-effective routing hardware available. Fortunately, it remains the
 best nonetheless and the blood loss is acceptable. Keep up the good work.

 Michael.