Re: esd + mpd

2008-09-30 Thread Nick Guenther
On Tue, Sep 30, 2008 at 6:03 PM, Marius Hooge <[EMAIL PROTECTED]> wrote:
> Nick Guenther wrote:
>>
>> Aaah, I didn't realize how the user's homedir interacted with this
>> all. What must have been happening is that when I clicked 'play' in
>> soundtracker (which was running as myself) it looked for ~/.esd_auth,
>> didn't find it, so tried to spawn an esd, which promptly failed
>> because the other esd already had the soundcard.
>> All it took was:
>> ln -sf /var/empty/.esd_auth ~/.esd_auth
>> and now both mpd and soundtracker can play at once. There's some lag
>> when I first hit play but that's probably because right now it's
>> running with tcp and autospawning which probably are eating at it
>> quite a bit.
>>
>> I am going to play around some more and see if I can get esd running
>> as a system-wide daemon.
>>
>> Weird, I just tried to run esd with "-noterminate" but it said
>> "unrecognized option: -noterminate". The esd that packages installed
>> for me is "Esound version 0.2.34", what are you running?
>>
>
> I'm running 0.2.38v0, but I'm pretty sure that this worked before. Try
> 'man esd'


USAGE
   esd [options]

 -d DEVICE     force esd to use sound device DEVICE
 -b            run server in 8 bit sound mode
 -r RATE       run server at sample rate of RATE
 -as SECS      free audio device after SECS of inactivity
 -unix         use unix domain sockets instead of tcp/ip
 -tcp          use tcp/ip sockets instead of unix domain
 -public       make tcp/ip access public (other than localhost)
 -promiscuous  start unlocked and owned (disable authentication) NOT RECOMMENDED
 -terminate    terminate esd daemon after last client exits
 -nobeeps      disable startup beeps
 -trust        start esd even if use of /tmp/.esd can be insecure
 -port PORT    listen for connections at PORT (only for tcp/ip)
 -bind ADDRESS binds to ADDRESS (only for tcp/ip)

 -v --version  print version information

I can get -noterminate by omitting -terminate, it's not a big deal, I
was just curious.

>>
>>
>> If I don't tell mplayer "ao=esd" then it grabs /dev/audio directly
>> (and works fine).
>> Do you know how to debug this?
>>
>
> Well, if I leave 'ao=esd' out, mplayer / libao tries to open /dev/audio
> (which is busy) and falls back to esd.
> Esd should be listed if you type 'mplayer -ao help'.
> Did you link ~/.esd/socket to /var/empty/.esd/socket?

It turns out I hadn't actually installed mplayer-esd, I forgot
FLAVOR=esd when I did 'make install' (I
had it when I did `make`). Oops. Egg on face &c.


>> Thank you for all the help so far, I had given up on esd.
>> -Nick
>
> I was pretty lost at first, too. You can still try running everything as
> yourself, as a last resort.
>
> I wish installation of sound mixers would be a bit more straight forward,
> like replacing or redirecting /dev/audio,
> but I'm afraid we're out of luck with that..
>

I've figured it out!
I'd gotten as far as getting everything -except- mpd to play nicely.
First I moved mpd's homedir to /var/mpd instead of /var/empty.
I created /var/esd for esd to live in and decided that
/var/esd/esd_auth would hold the "real" auth file and everyone else
would get `ln -s /var/esd/esd_auth ~/.esd_auth`.
Then I made a .esd_auth created somehow (esdplay in any user's account
that doesn't have the symlink created will do it) and copy it in.
Testing with mplayer and soundtracker showed that they worked fine,
whether running as myself, another user, or _mpd, but mpd itself would
constantly complain "/var/mpd/.esd_auth: File exists" which is a
frustratingly-zen sort of message.

Just now though as I was googling I came across my first post to this
thread and noticed "it seems that mpd chroots itself" and the
lightbulb went off. When I log in as _mpd I can follow symlinks out
fine, but mpd can't.

So now I've just changed it around so that /var/mpd/.esd_auth is the
real file and everything else is a symlink to it, and it seems to be
working. It's a bit flakey though, for example I need to
chgrp _esd /var/mpd/.esd_auth && chmod g+r /var/mpd/.esd_auth
in order for non-mpd users to use esd.
Also, because of the chroot and how esd puts its socket in whatever
homedir it was run from it is more reliable to use -tcp ((if not -tcp,
then must not use -terminate and must make sure _mpd is the user to
spawn esd)).

This isn't a very nice solution. The other thing I was thinking was to
run a script that copies out .esd_auth files to a bunch of users.

I think a way better way would be to change esd itself to create its
auth files when it starts, instead of having the client do it. That
way if you start esd with the system you could handle fanning out, but
autospawning could still be made to work. esd is so old though, it's
probably not worth fighting that out. This whole "auth with a cookie"
scheme seems weird when it's the client supplying the server with the
cookie.

uvm fault panic

2008-09-30 Thread Dale Carstensen
I have two amd64 computers on OpenBSD 4.3.  Both had uvm fault problems
today.  There were panics with a message:

 kernel diagnostic assertion "anon->an_page == NULL" failed: file 
"/usr/src/sys/uvm/uvm_anon.c", line 169

I did trace and ps in ddb, but another crash before savecore could
capture the result of "boot dump" lost the crash dump, and the
results of those commands.  I changed the sysctl for ddb:panic, but
the expected automatic unattended reboot with dump and savecore did
not happen, hands-on attention was required at every crash.  I had
to do manual fsck of /usr each time.  I would think /usr is usually
read-only, so there should be filesystem inconsistencies requiring
a manual fsck.  Some file in ./src/usr.sbin had confusion, one
message said.  Not anywhere there should have been any activity.

So I searched google and openbsd mailing list archives.  It seems
netbsd and openbsd have had nebulous uvm fault problems for years.
A thread from June 2008 inferred that a series of almost reproducible
crashes seems to have been solved by some patch, on netbsd.

These computers have the 3-core AMD CPUs.  I had been running on the
uni-processor /bsd.  I switched everything but wd0 today after several
crashes on one (case, power supply, cables, NICs, display adapter, yes,
everything but wd0).  That alternate hardware crashed on every attempt
to boot until I booted single-user and did

 mv /bsd /bsd.up
 mv /bsd.mp /bsd

and rebooted.  And it has been running since, but that's only about
3 hours so far.  These are the amd64 4.3 GENERIC kernels, vintage
March 2008.

 bsd.up:
  OpenBSD 4.3 (GENERIC) #1368: Wed Mar 12 11:05:31 MDT 2008
 bsd.mp:
  OpenBSD 4.3 (GENERIC.MP) #1582: Wed Mar 12 11:16:45 MDT 2008

Does anybody have a handle on the uvm fault crashes?  The bug reports
indicate it is very difficult to get a dump through savecore on these,
and there don't seem to be any closing of the bug reports, though many
independent ones seem to have been filed.  Maybe it's several independent
problems and it's foolish of me to think they're related.



Re: Limit number of login sessions

2008-09-30 Thread Maximo Pech
> Please describe this situation some more.  What does 'sharing a ssh tunnel'
> mean?  Once a ssh tunnel is established, it just tunnels between two
> points,
> nobody needs to login anywhere then to 'use' it.


It means that I use my computer on a home adsl connection as a ssh tunnel
and that I let some friends use it as well but I don't want them to abuse.

What we are doing is connecting to the ssh server with some ssh client, it
creates a socks proxy on our local computers, we configure our programs to
connect to the local proxy and everything is forwarded through the ssh
tunnel.

I mean, I don't know if there's another way to do it without having to login
in the ssh server.


> This sounds like an obfuscated utmp(5)
>
>
Yeah, utmp sounds useful for this.



Re: Limit number of login sessions

2008-09-30 Thread Maximo Pech
> would you not be better to use ALTQ to limit the bandwidth available
> to each user?  then if they share their password their only sharing
> their own use?


Users are not in my local network. They will connect from the internet and
they have dynamic IPs so I guess that wouldn't work because altq can limit
bandwidth based on IP address, not on user names.


>
>
> if not then i'd suggest you create a BSD auth module for processing
> the login sessions and add a 'login-max' capability.
>

What kind of module? a kernel module?



Re: Limit number of login sessions

2008-09-30 Thread Maximo Pech
> Some friends you have...
>
> ps aux | grep sshd | grep priv | awk '{print $12}' | sort | uniq -c
>
> Tell your friends if their number ever gets bigger than 2, they're no
> longer your friends.  A few more minutes of scripting and you'll have
> something to run in cron that deletes their account.


That one sounds good.
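
The one-liner quoted above counts the privsep monitor processes, which is the right thing to count: on OpenBSD every authenticated session has one, with a ps(1) command column of "sshd: <user> [priv]". Here it is turned into a small script, as an added example that is not from any poster in this thread. It locates the "sshd:" token instead of hard-coding column 12 (ps column positions shift with long user names and wide PIDs), and reports users over a limit. The limit of 2 and the sample ps lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: count each user's authenticated
# sshd sessions and report who is over a limit. On OpenBSD every
# authenticated session has a privsep monitor process whose ps(1)
# command column reads "sshd: <user> [priv]", so counting those lines
# per user counts sessions. The unprivileged per-session children
# ("sshd: user@notty") and the listener must not be counted.

MAX_SESSIONS=2   # assumed policy: more than two concurrent logins is abuse

# count_sessions: reads ps-style lines on stdin and prints "count user"
# for every user that has at least one "[priv]" sshd process.
# The "sshd:" token is searched for, so column positions do not matter.
count_sessions() {
    awk 'index($0, "sshd: ") && index($0, "[priv]") {
             for (i = 1; i <= NF; i++)
                 if ($i == "sshd:") { n[$(i + 1)]++; break }
         }
         END { for (u in n) print n[u], u }' | sort -k2
}

# over_limit LIMIT: prints the users holding more sessions than LIMIT.
over_limit() {
    count_sessions | awk -v max="$1" '$1 > max { print $2 }'
}

# Constructed sample shaped like `ps aux` on OpenBSD (not real output):
# alice holds three sessions, bob one.
SAMPLE='root   8120  0.0  0.2   720  1792 ??  Is  9:00AM  0:00.01 /usr/sbin/sshd
root  18241  0.0  0.3   944  2240 ??  Is  9:05AM  0:00.03 sshd: alice [priv]
alice 18242  0.0  0.3   912  2168 ??  S   9:05AM  0:00.02 sshd: alice@notty
root  21877  0.0  0.3   944  2240 ??  Is  9:06AM  0:00.03 sshd: alice [priv]
alice 21878  0.0  0.3   912  2168 ??  S   9:06AM  0:00.02 sshd: alice@notty
root  30012  0.0  0.3   944  2240 ??  Is  9:07AM  0:00.03 sshd: alice [priv]
alice 30013  0.0  0.3   912  2168 ??  S   9:07AM  0:00.02 sshd: alice@notty
root  30500  0.0  0.3   944  2240 ??  Is  9:08AM  0:00.03 sshd: bob [priv]
bob   30501  0.0  0.3   912  2168 ??  S   9:08AM  0:00.02 sshd: bob@notty'

# Against the live system, run from cron:  ps aux | over_limit "$MAX_SESSIONS"
# The two helpers below run the same logic over the constructed sample.
sample_counts() {
    printf '%s\n' "$SAMPLE" | count_sessions
}

sample_over_limit() {
    printf '%s\n' "$SAMPLE" | over_limit "$MAX_SESSIONS"
}
```

What you do with the names it prints (kill the sessions, lock the account) is policy; the counting part is the piece that has to be right, and it is the same check whether it runs from cron or by hand.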



Re: Bad MD5 on snapshot i386 install.iso

2008-09-30 Thread Lawrence Teo

Joe Gidi wrote:

> I've downloaded the 9/24/08 i386 install.iso from both rt.fm and
> ftp3.usa.openbsd.org and got bad MD5s on both files.
>
> MD5 from both downloads was:
> 53238ca6a3212db65dadd9bef1ef1f3d
>
> while the ftp MD5 file says it should be:
> f87b839db833380f41f02bd7fffb2d27
>
> Haven't checked the master fanout site because I got repeated "too many
> users" errors.



Joe,

I think the MD5 file was out of sync in the past week.

I downloaded the i386 install44.iso a few days ago. I just checked the
file I downloaded, and it does have the "correct" MD5
(f87b839db833380f41f02bd7fffb2d27) according to what you posted.

*But* on the day I downloaded it, I was very sure the MD5 file
on the FTP site was advertising a different hash.

Like you, I thought I had a bad ISO, so I downloaded the ISO file
from a different mirror, but the second ISO file had the same hash as
the first.

So the MD5 file was either "ahead" or "behind." Since the install44.iso
file I downloaded was dated Sep 20, the MD5 file was probably behind.

Or maybe it's just one of those transient things that happen when
FTP sites are being mirrored.

Or maybe you and I are both crazy. :)

Lawrence



Re: Weird pkg_info behavior?

2008-09-30 Thread andrew fresh
On Tue, Sep 30, 2008 at 10:47:56PM -0400, Nick Guenther wrote:
> If you are looking for package descriptions, install the ports tree
> and read the Makefiles. Also, if you are lazy/not on an OpenBSD box,
> most of the descriptions are available at
> http://www.openbsd.org/4.3_packages/.

or even 
http://openports.se/search.php?so=vim

l8rZ,
-- 
andrew - ICQ# 253198 - Jabber: [EMAIL PROTECTED]

BOFH excuse of the day: internet is needed to catch the etherbunny



Re: Weird pkg_info behavior?

2008-09-30 Thread Nick Guenther
On Tue, Sep 30, 2008 at 8:14 PM, James Hartley <[EMAIL PROTECTED]> wrote:
> On Tue, Sep 30, 2008 at 11:16 AM, Slim Joe <[EMAIL PROTECTED]> wrote:
>> Is there a way to get package
>> info for a file not already downloaded or installed without
>> such heavy bandwidth (just the package info).
>
> Look at the -Q option on the pkg_info(1) manpage.
>

I think he's asking for how to read package descriptions without
downloading everything. But pkg_info has to download the entirety of
each package first because a package is a compressed archive file.

If you are looking for package descriptions, install the ports tree
and read the Makefiles. Also, if you are lazy/not on an OpenBSD box,
most of the descriptions are available at
http://www.openbsd.org/4.3_packages/.

-Nick



Re: Weird pkg_info behavior?

2008-09-30 Thread James Hartley
On Tue, Sep 30, 2008 at 11:16 AM, Slim Joe <[EMAIL PROTECTED]> wrote:
> Is there a way to get package
> info for a file not already downloaded or installed without
> such heavy bandwidth (just the package info).

Look at the -Q option on the pkg_info(1) manpage.



Novidades de www.superdivertido.pt ( 30/Setembro/2008 )

2008-09-30 Thread Super Divertido
What's new at www.superdivertido.pt (30 September 2008)

 What's new
Riddles
 iCondom: hi-tech condom promises to prevent fiascos in bed

Wallpapers
 Assorted cars

Images
 3D smileys

Wallpapers
 Famous women
 Lost
 Miscellaneous 09/2008
 Megan Fox: HQ photos

Images
 Animal hairstyles
 Translations
 Written tattoos
 Drinking day

Men's magazines
 Marina Rodrigues - FHM - 10/2008

Erotic
 Protective Rosinha
 Who wants a lollipop
 The most beautiful


www.superdivertido.pt
[EMAIL PROTECTED]

misc@openbsd.org

If you wish to remove your e-mail from our mailing list, click
here...

Re: Weird pkg_info behavior?

2008-09-30 Thread Bryan Irvine
On Tue, Sep 30, 2008 at 11:16 AM, Slim Joe <[EMAIL PROTECTED]> wrote:
> When I invoke something like "pkg_info vim*",
> pkg_info insists on downloading all the packages named
> "vim*". That is, I see a bunch of "vim*" packages on
> "." (present directory). Is there a way to get package
> info for a file not already downloaded or installed without
> such heavy bandwidth (just the package info).
>
> Note that my $PKG_PATH is set to ftp://[mirror site].
>
>

There's probably a better way but since nobody has responded maybe try

ftp $PKG_PATH

ftp> ls vim*
-r--r--r--  1 0  0  6253054 Mar 14  2008 vim-7.1.244p0-gtk2.tgz
-r--r--r--  1 0  0  6168107 Mar 11  2008 vim-7.1.244p0-no_x11.tgz
-r--r--r--  1 0  0  1216459 Mar 14  2008 vim-lang-7.1.244-gtk2.tgz

ftp> get vim-7.1.244p0-no_x11.tgz "| pkg_info -"

-B



Novidades de www.superdivertido.pt ( 29/Setembro/2008 )

2008-09-30 Thread Super Divertido


Re: esd + mpd

2008-09-30 Thread Marius Hooge

Nick Guenther wrote:

> Aaah, I didn't realize how the user's homedir interacted with this
> all. What must have been happening is that when I clicked 'play' in
> soundtracker (which was running as myself) it looked for ~/.esd_auth,
> didn't find it, so tried to spawn an esd, which promptly failed
> because the other esd already had the soundcard.
> All it took was:
> ln -sf /var/empty/.esd_auth ~/.esd_auth
> and now both mpd and soundtracker can play at once. There's some lag
> when I first hit play but that's probably because right now it's
> running with tcp and autospawning which probably are eating at it
> quite a bit.
>
> I am going to play around some more and see if I can get esd running
> as a system-wide daemon.
>
> Weird, I just tried to run esd with "-noterminate" but it said
> "unrecognized option: -noterminate". The esd that packages installed
> for me is "Esound version 0.2.34", what are you running?

I'm running 0.2.38v0, but I'm pretty sure that this worked before. Try
'man esd'

> I built and installed mplayer-esd and edited ~/.mplayer/config to add
> ao=esd like suggested but when that is in there mplayer just says
> "Could not open/initialize audio device -> no sound.
> Audio: no sound
> Video: no video
>
>
> Exiting... (End of file)"
>
> If I don't tell mplayer "ao=esd" then it grabs /dev/audio directly
> (and works fine).
> Do you know how to debug this?

Well, if I leave 'ao=esd' out, mplayer / libao tries to open /dev/audio
(which is busy) and falls back to esd.

Esd should be listed if you type 'mplayer -ao help'.
Did you link ~/.esd/socket to /var/empty/.esd/socket?

> ((I also have
> $ cat /etc/libao.conf
> default_driver=esd
> if that is relevant))

I have neither ~/.libao nor /etc/libao.conf, but it shouldn't matter.

> Thank you for all the help so far, I had given up on esd.
> -Nick

I was pretty lost at first, too. You can still try running everything as
yourself, as a last resort.


I wish installation of sound mixers would be a bit more straight
forward, like replacing or redirecting /dev/audio,

but I'm afraid we're out of luck with that..

- Marius



Re: Problem with binat and ftp-proxy

2008-09-30 Thread Comète

This was good advice, Stuart! Thanks!
I used a pair of nat and rdr rules to replace my binat rule and it works
as expected!

thanks again guys.

Stuart Henderson wrote:

> On 2008-09-30, Comète <[EMAIL PROTECTED]> wrote:
>
>> I use ftp-proxy to allow ftp client connections from my LAN and it works
>> well. On my DMZ, i have multiple servers (web,dns,smtp,etc...) and they
>> all have a different public IP. So, i use binat rules to nat them
>> easily and it works fine too.
>> But i need to allow these servers on DMZ to make FTP client connections
>> to external servers too. So I have put a rdr rule like the one i did for
>> my lan to make my DMZ servers use the ftp-proxy daemon. But this doesn't
>> work, i can only connect to external FTP servers from my DMZ servers if I
>> disable the binat rule associated with the server which tries to connect.
>>
>> My question is, is there a way to do what i want to do ? :)
>
> pf.conf(5)
>
>  Evaluation order of the translation rules is dependent on the type of the
>  translation rules and of the direction of a packet.  binat rules are
>  always evaluated first.  Then either the rdr rules are evaluated on an
>  inbound packet or the nat rules on an outbound packet.  Rules of the same
>  type are evaluated in the same order in which they appear in the ruleset.
>  The first matching rule decides what action is taken.
>
> So you need to disable the binat rule and use a pair of nat and
> rdr instead.



Re: pf - queue filter directive sticky?

2008-09-30 Thread (private) HKS
> from pf.conf man page:
>
> default Packets not matched by another queue are assigned to this
> one.  Exactly one default queue is *required.*


Thanks, I overlooked that a default queue was required. With that in
mind, then, does this section of pf.conf(5) imply that the queue
directive is sticky?
"During the filtering component of pf.conf, the last referenced queue
name is where any packets from pass rules will be queued..."


> Why you just not use "quick" in the first rule?
>
> pass in quick on $int_if from 10.0.0.1 queue tens
>
> pass in on $int_if

This question is for clarity's sake: is the "quick" required?

-HKS



Re: esd + mpd

2008-09-30 Thread Nick Guenther
On Tue, Sep 30, 2008 at 10:38 AM, Marius Hooge <[EMAIL PROTECTED]> wrote:
> Jacob Meuser wrote:
>>
>> first, autospawning does not work in esound-0.2.38.  I don't know if
>> that's the version you are using, but that could be part of the problem.
>> I'm pretty sure I had mpd playing through esd at one point.
>>
>> let's see.  add a group, _esd.  add myself and _mpd to that
>> group.  start esd as myself, chgrp _esd ~/.esd_auth, chmod g+rw
>> ~/.esd_auth.  echo "default_driver=esd" > /etc/libao.conf.
>> sudo mpd.  starts fine, but oh, no workie.
>>
>> ok, make /var/esd. make that _mpd's home, and link from there an
>> .esd_auth to my .esd_auth.  that seems to work.
>>
>
> I have mpd playing through libao-esd, but without running them under their
> own users.
> Since Nick asked for a configuration that worked, here's mine:
>
> I first start esd with -noterminate, then mpd.
> ~/.mpd.conf:
> [..]
> audio_output {
> type "ao"
> driver "esd"
> name "ESD"
> }
>
> I installed the mplayer-esd port.
> ~/.mplayer/config:
> ao=esd
>
> If this works you can try running esd and mpd under their own users.
> hth
> - Marius
>

Aaah, I didn't realize how the user's homedir interacted with this
all. What must have been happening is that when I clicked 'play' in
soundtracker (which was running as myself) it looked for ~/.esd_auth,
didn't find it, so tried to spawn an esd, which promptly failed
because the other esd already had the soundcard.
All it took was:
ln -sf /var/empty/.esd_auth ~/.esd_auth
and now both mpd and soundtracker can play at once. There's some lag
when I first hit play but that's probably because right now it's
running with tcp and autospawning which probably are eating at it
quite a bit.

I am going to play around some more and see if I can get esd running
as a system-wide daemon.

Weird, I just tried to run esd with "-noterminate" but it said
"unrecognized option: -noterminate". The esd that packages installed
for me is "Esound version 0.2.34", what are you running?


I built and installed mplayer-esd and edited ~/.mplayer/config to add
ao=esd like suggested but when that is in there mplayer just says
"Could not open/initialize audio device -> no sound.
Audio: no sound
Video: no video


Exiting... (End of file)"

If I don't tell mplayer "ao=esd" then it grabs /dev/audio directly
(and works fine).
Do you know how to debug this?


((I also have
$ cat /etc/libao.conf
default_driver=esd
if that is relevant))


Thank you for all the help so far, I had given up on esd.
-Nick



Re: pf - queue filter directive sticky?

2008-09-30 Thread Giancarlo Razzolini
(private) HKS escreveu:
>>> imho normally this packet wouldn't be queued because the last count
>>> matches the packet so the last rule applies:
>>>   
>
> This is what I assumed at first, but the stickiness of tags and the
> (seeming) logic of doing the same with queues made me second-guess
> myself.
>
>
>   
>> on the other hand:
>>
>> "During the filtering component of pf.conf, the last referenced
>> queue name is where any packets from pass rules will be queued..."
>>
>> that means because of the sequential order that the packet should be
>> queued imho.
>> 
>
> Is that the case, or does that mean that packets passed by a statement
> on an altq-enabled interface without an explicit "queue "
> directive are automatically assigned to the last defined queue?
>
> My initial tests suggest that the queue statements are not sticky (ie,
> my initial rules would not have queued it in the "tens" queue), but
> I'm still not sure.
>
> -HKS
>
>
>   
from pf.conf man page:

default Packets not matched by another queue are assigned to this
 one.  Exactly one default queue is *required.*


-- 
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



Re: pf - queue filter directive sticky?

2008-09-30 Thread Rosen Iliev

Why you just not use "quick" in the first rule?

pass in quick on $int_if from 10.0.0.1 queue tens
pass in on $int_if

Rosen

(private) HKS wrote, On 9/29/2008 1:29 PM:

> If the following two rules apply to a given packet in the order shown,
> will the packet be queued?
>
> pass in on $int_if from 10.0.0.1 queue tens
> pass in on $int_if
>
> I've not been able to find a clear answer in pf.conf(5) or the online
> PF documentation. If I overlooked it, please let me know. Thanks in
> advance for the help.
>
> -HKS

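The answer the thread converges on, written out as a complete ruleset fragment. This is an added example and not from any poster; $int_if and the 10 Mb/s link speed are assumptions. It adds the part the question leaves out, the altq and queue definitions, since without exactly one default queue pfctl rejects the ruleset, and shows why the packet from 10.0.0.1 is only queued in "tens" when the first rule carries "quick": pf evaluates every rule and the last matching one decides the action together with its options, and the queue is one of those options, so the second rule (no queue keyword) sends the packet to the default queue.

```pf
# Added example, not from the thread. $int_if and the link speed are assumed.
altq on $int_if cbq bandwidth 10Mb queue { std, tens }
queue std  bandwidth 9Mb cbq(default)   # exactly one default queue is required
queue tens bandwidth 1Mb

# Without "quick" pf keeps evaluating and the LAST matching rule decides
# the action and its options, including the queue. A packet from 10.0.0.1
# matches both rules below; the second one wins, names no queue, and so
# the packet is assigned to the default queue "std", not to "tens":
#   pass in on $int_if from 10.0.0.1 queue tens
#   pass in on $int_if

# With "quick" evaluation stops at the first matching rule, which queues
# the packet in "tens". Everything else falls through to the second rule
# and lands in the default queue.
pass in quick on $int_if from 10.0.0.1 queue tens
pass in on $int_if
```

Check the result with pfctl -vsq while traffic from 10.0.0.1 is flowing: the packet counters of "tens" only move with the quick form.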



Re: ? Recommended News Server

2008-09-30 Thread bofh
Unfortunately no.  But I think one of the ports maintainers was
looking at it for 4.4.



On 9/30/08, Matthias Kilian <[EMAIL PROTECTED]> wrote:
> On Tue, Sep 30, 2008 at 01:55:37PM -0400, bofh wrote:
>> I've been using the inn dev version without any issues.
>
> Yummy. Do you have something like a port of it?
>
> Ciao,
>   Kili
>


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: OpenSSH ChrootDirectory oddities

2008-09-30 Thread Cezary Morga
On Tuesday, 30 September 2008, Marian Hettwer wrote:
> What I wanted to achieve is pretty much the following: Have some
> users, all in the same group named sftp and if the log in via sftp
> they get chroot'ed to their home directory.
> However, I wind up after a login in /home not /home/$username

From the manpage:
 Specifies a path to chroot(2) to after authentication.  This
 path, and all its components, must be root-owned directories that
 are not writable by any other user or group.

So if you want to chroot user sftp1 in /home/sftp1 use:
 ChrootDirectory /home/%u

Still, /home/sftp1 MUST be root owned, thus user sftp1 won't be allowed
to write there anything.  You can create a directory under /home/sftp1
(like upload) owned by sftp1, where the chrooted user will be able to
write, delete and do whatever else he wishes.
--
Cezary Morga
"A fellow who is always declaring he's no fool usually has his
suspicions." (Wilson Mizner)



Weird pkg_info behavior?

2008-09-30 Thread Slim Joe
When I invoke something like "pkg_info vim*",
pkg_info insists on downloading all the packages named
"vim*". That is, I see a bunch of "vim*" packages on
"." (present directory). Is there a way to get package
info for a file not already downloaded or installed without
such heavy bandwidth (just the package info).

Note that my $PKG_PATH is set to ftp://[mirror site].



Re: ? Recommended News Server

2008-09-30 Thread Matthias Kilian
On Tue, Sep 30, 2008 at 01:55:37PM -0400, bofh wrote:
> I've been using the inn dev version without any issues.

Yummy. Do you have something like a port of it?

Ciao,
Kili



Re: ? Recommended News Server

2008-09-30 Thread bofh
I've been using the inn dev version without any issues.



On 9/30/08, Duncan Patton a Campbell <[EMAIL PROTECTED]> wrote:
> Howdy List?
>
> I'm going to set up a news server on an OpenBSD system
> and I would like to know if there is a recommended
> server that I should use.
>
> Thanks,
>
> Dhu
>
>


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: pf - queue filter directive sticky?

2008-09-30 Thread (private) HKS
>> imho normally this packet wouldn't be queued because the last count
>> matches the packet so the last rule applies:

This is what I assumed at first, but the stickiness of tags and the
(seeming) logic of doing the same with queues made me second-guess
myself.


> on the other hand:
>
> "During the filtering component of pf.conf, the last referenced
> queue name is where any packets from pass rules will be queued..."
>
> that means because of the sequential order that the packet should be
> queued imho.

Is that the case, or does that mean that packets passed by a statement
on an altq-enabled interface without an explicit "queue "
directive are automatically assigned to the last defined queue?

My initial tests suggest that the queue statements are not sticky (ie,
my initial rules would not have queued it in the "tens" queue), but
I'm still not sure.

-HKS



Re: Problem with binat and ftp-proxy

2008-09-30 Thread Comète
Indeed, this doesn't work either. I think I will try what Stuart
proposed, though I don't really see how to do it...


thanks

Calomel wrote:

> See if this works for you. Using the ftp proxy with binat probably
> will not work. Lets say 100.20.30.40 is the external ip.
>
>
> # cat /etc/rc.local
>  /usr/sbin/ftp-proxy -a 100.20.30.40 -p 8021 -q bulk
>
> # cat /etc/pf.conf
> ### Translation ###
> rdr on $DMZIf inet proto tcp from $DMZ to any port ftp -> lo0 port 8021
>
> ### Filtering ###
> pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState $FtpIntIf
>
>
>  Ftp-Proxy "how to" (forward and reverse proxy)
>  https://calomel.org/ftp_proxy.html
>
> --
>   Calomel @ https://calomel.org
>   Open Source Research and Reference
>
>
> On Tue, Sep 30, 2008 at 01:09:25PM +0200, Comète wrote:
>
>> Hi,
>>
>> i run an OpenBSD 4.3 firewall with 3 network interfaces : 1 LAN, 1 WAN
>> and 1 DMZ
>> I use ftp-proxy to allow ftp client connections from my LAN and it works
>> well. On my DMZ, i have multiple servers (web,dns,smtp,etc...) and they
>> all have a different public IP. So, i use binat rules to nat them
>> easily and it works fine too.
>> But i need to allow these servers on DMZ to make FTP client connections
>> to external servers too. So I have put a rdr rule like the one i did for
>> my lan to make my DMZ servers use the ftp-proxy daemon. But this doesn't
>> work, i can only connect to external FTP servers from my DMZ servers if I
>> disable the binat rule associated with the server which tries to connect.
>>
>> My question is, is there a way to do what i want to do ? :)
>>
>> Thanks a lot !
>>
>> below an extract of my pf rules:
>>
>> nat on $ext_if from !$ext_if to any -> $firewall_pub
>> nat-anchor "ftp-proxy/*"
>>
>> binat on $ext_if from $dns1_priv to any -> $dns1_pub
>> binat on $ext_if from $dns2_priv to any -> $dns2_pub
>> binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
>> binat on $int_if from $web_ville_priv to any -> $web_ville_pub
>>
>> rdr-anchor "ftp-proxy/*"
>> rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0
>> port 8021
>>
>> ...
>>
>> pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
>> pass in quick log on $int_if inet proto tcp from  to
>> lo0 port 8021
>> anchor "ftp-proxy/*"
>>
>> ...

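Stuart's fix (quoted in the "it works as expected" reply earlier in this thread), worked through for one DMZ host as an added example that is not from any poster. The binat rule is split into a nat rule and an rdr rule that together express the same static mapping, and the ftp-proxy anchors are placed ahead of the static rules: pf.conf(5) evaluates binat before everything else, so ftp-proxy's own translation rules, which live in the nat-anchor and rdr-anchor, were never consulted for this host, but within the nat and rdr types the first matching rule in ruleset order wins, so ordering the anchors first gives ftp-proxy's per-session rules precedence. The interface names, addresses and macro names are assumptions; the original poster's real values are not shown.

```pf
# Added example, not from the thread; interfaces, addresses and macro
# names are assumed.
ext_if   = "em0"            # WAN
dmz_if   = "em2"            # DMZ
dmz_net  = "10.0.2.0/24"
web_priv = "10.0.2.10"      # DMZ host's RFC 1918 address
web_pub  = "192.0.2.10"     # its public address

# Before: one bidirectional rule. binat is always evaluated first, so
# the ftp-proxy nat-anchor below never got a look at this host's
# outbound FTP data connections.
#   binat on $ext_if from $web_priv to any -> $web_pub

# After: the same mapping as one nat rule plus one rdr rule. Within a
# type the first match wins, so the ftp-proxy anchors go first.
nat-anchor "ftp-proxy/*"
nat on $ext_if from $web_priv to any -> $web_pub
nat on $ext_if from $dmz_net  to any -> ($ext_if)

rdr-anchor "ftp-proxy/*"
# outbound FTP control connections from the DMZ go through ftp-proxy
rdr on $dmz_if proto tcp from $dmz_net to any port ftp -> 127.0.0.1 port 8021
# inbound half of the former binat
rdr on $ext_if from any to $web_pub -> $web_priv

# filtering: let the DMZ reach the proxy, and load ftp-proxy's pass rules
pass in quick log on $dmz_if inet proto tcp from $dmz_net to 127.0.0.1 port 8021
anchor "ftp-proxy/*"
```

After loading it, pfctl -a "ftp-proxy/*" -sn while a DMZ host has an FTP transfer open shows the per-session nat and rdr rules ftp-proxy inserted; with the binat form those rules exist but lose to the binat on every packet.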



OpenSSH ChrootDirectory oddities

2008-09-30 Thread Marian Hettwer
Hi All,

first of all, thanks for the Feature to chroot sftp users. I've been
waiting for that one pretty long :)
Today I came back to that feature since I probably need it at work and
it'll be one more opportunity to not use a Linux system (Debian etch's
openssh is too old).

Anyway, back to the topic.

What I wanted to achieve is pretty much the following: have some users, all
in the same group named sftp, and if they log in via sftp they get chrooted
to their home directory.
However, after login I wind up in /home, not /home/$username

Now regarding my sshd_config:
Match Group sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /home

and somewhere above:
Subsystem sftp internal-sftp

The user is named sftp1, is in group sftp, has home dir set to /home/sftp1
and has nologin as shell.
When I login via sftp, I wind up being in /home not /home/sftp1:

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -l
drwxr-x---    4 1002  1001   512 Sep 12 15:46 jobauer
drwxr-x---  101 1001  1001  6656 Sep 30 16:05 mhettwer
drwxr-x---    2 1003  1001   512 Sep 15 19:57 mt
drwx------    3 1005  1003   512 Sep 30 16:06 sftp1
drwxr-xr-x    2 1006  1003   512 Sep 30 16:42 sftp2
sftp>

which really is:
[EMAIL PROTECTED] ~]# ls -l /home/
total 16
drwxrwxr-x    2 root      operator   512 Sep 12 11:39 .snap
drwxr-x---    4 jobauer   shellme    512 Sep 12 15:46 jobauer
drwxr-x---  101 mhettwer  shellme   6656 Sep 30 16:05 mhettwer
drwxr-x---    2 mt        shellme    512 Sep 15 19:57 mt
drwx------    3 sftp1     sftp       512 Sep 30 16:06 sftp1
drwx------    2 sftp2     sftp       512 Sep 30 16:42 sftp2
[EMAIL PROTECTED] ~]#

Of course I changed permissions so that the only option for the user sftp1
is a "cd sftp1". But I really don't want sftp1 to see all home dirs.

I did try using /chroot as it was shown in examples on undeadly.org.
However, that's the same situation. (sshd_config changed to /chroot instead
of /home)

[EMAIL PROTECTED] ~]# ls -l /chroot/
total 4
drwxr-xr-x  2 sftp1  sftp  512 Sep 30 11:30 sftp1
drwxr-xr-x  2 sftp2  sftp  512 Sep 30 16:09 sftp2

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
tPassword:
Password:
sftp> ls -la
Couldn't get handle: Permission denied
sftp> 

Woopsie. That's probably due to:
[EMAIL PROTECTED] ~]# ls -ld /chroot/
drwx--  4 root  wheel  512 Sep 30 16:09 /chroot/

Permissions more open results in:
[EMAIL PROTECTED] ~]# ls -ld /chroot/
drwxr-xr-x  4 root  wheel  512 Sep 30 16:09 /chroot/

and via sftp:
[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -la
drwxr-xr-x    4 0     0      512 Sep 30 16:09 .
drwxr-xr-x    4 0     0      512 Sep 30 16:09 ..
drwxr-xr-x    2 1005  1003   512 Sep 30 11:30 sftp1
drwxr-xr-x    2 1006  1003   512 Sep 30 16:09 sftp2


Again, I'm in /chroot not /chroot/sftp1 where I think I should be, right?

Okay... let's try "/chroot/%u" then in sshd_config...
No, I can't log in, 'cause sshd is complaining about the permissions of
/chroot/sftp1:
Sep 30 16:47:12 motor sshd[23190]: fatal: bad ownership or modes for chroot
directory "/chroot/sftp1"

Fair enough... the manpage states that it should belong to root. Okay then:
[EMAIL PROTECTED] ~]# ls -l /chroot/
total 4
drwxr-xr-x  2 root  wheel  512 Sep 30 11:30 sftp1
drwxr-xr-x  2 root  wheel  512 Sep 30 16:09 sftp2

[EMAIL PROTECTED] ~]# sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -la
drwxr-xr-x    2 0     0      512 Sep 30 11:30 .
drwxr-xr-x    2 0     0      512 Sep 30 11:30 ..

where am I now?
Am I in /chroot/sftp1 ?
Could be, but due to these permissions, I'm not able to do anything:
sftp> mkdir foo
Couldn't create directory: Permission denied

Okay, now it gets ugly. Maybe I can create a directory named incoming in
/chroot/sftp1. It would look like this:
[EMAIL PROTECTED] ~]# ls -l /chroot/sftp1/
total 2
drwxr-xr-x  2 sftp1  sftp  512 Sep 30 16:49 incoming

And then via sftp...
[EMAIL PROTECTED] ~]# !sftp
sftp [EMAIL PROTECTED]
Connecting to localhost...
Password:
sftp> ls -l
drwxr-xr-x    2 1005  1003   512 Sep 30 16:49 incoming
sftp> cd incoming
sftp> ls -l
sftp> mkdir foo
sftp> ls -l
drwxr-xr-x    2 1005  1003   512 Sep 30 16:50 foo
sftp> 


Okay, this works.
So back to my question... Is that really the way it's supposed to be?
No write access for the user when being chrooted in a directory, but
instead I have to create another sub directory where he has write
permissions?
Am I missing something obvious here or is this "works as designed"?

Last information bits: yes, that's a FreeBSD box, but that shouldn't make
much of a difference for my testing purposes. The production box will be an
OpenBSD one :)

[EMAIL PROTECTED] ~]# ssh -V
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 F

Re: macppc xv output pbm

2008-09-30 Thread Antoine Jacoutot
On Sat, 27 Sep 2008, Antoine Jacoutot wrote:

> <<< No Message Collected >>>

Hmm ok weird...
Anyway, original message is here:


---
Hi.

I've been having an issue with mplayer/vlc and xv on macppc for several
weeks now.
For some reason, when playing a video, all I get is a blue screen. The
only way to make it work is to use the slow X11 (Ximage/Shm) output :(
It used to work fine before and I did not change anything to my 
configuration lately.

It seems the xv module loads correctly and I don't see any obvious
errors. I tried changing AccelMethod to XAA but it doesn't make any
difference.
$ grep -i xv /var/log/Xorg.0.log
(II) Loading extension XVideo
(II) Loading extension XVideo-MotionCompensation

I'd appreciate any hint on solving this...

---
xorg.conf
---

Section "Module"
Load "dbe"
Load "type1"
Load "freetype"
Load "glx"
Load "extmod"
Load "record"
Load "xtrap"
EndSection

Section "Files"
RgbPath    "/usr/X11R6/lib/X11/rgb"
ModulePath "/usr/X11R6/lib/modules"
FontPath   "/usr/X11R6/lib/X11/fonts/misc/"
FontPath   "/usr/X11R6/lib/X11/fonts/TTF/"
FontPath   "/usr/X11R6/lib/X11/fonts/Type1/"
FontPath   "/usr/X11R6/lib/X11/fonts/75dpi/"
FontPath   "/usr/X11R6/lib/X11/fonts/100dpi/"
FontPath   "/usr/local/lib/X11/fonts/mscorefonts/"
FontPath   "/usr/local/lib/X11/fonts/ghostscript/"
EndSection

Section "InputDevice"
Identifier  "Keyboard1"
Driver  "kbd"
Option "XkbRules"   "xorg"
Option "XkbModel"   "macintosh"
Option "XkbLayout"  "fr"
EndSection

Section "InputDevice"
Identifier  "Mouse1"
Driver  "mouse"
Option "Protocol" "wsmouse"
Option "Device"  "/dev/wsmouse"
Option "ZAxisMapping" "4 5"
EndSection

Section "Monitor"
Identifier  "My Monitor"
HorizSync   30-100
VertRefresh 50-60
EndSection

Section "Device"
Identifier  "** ATI Radeon (generic)   [radeon]"
Driver  "radeon"
Option  "MonitorLayout" "LVDS"
Option  "iBookHacks" "on"
Option  "RenderAccel" "on"
Option  "AccelMethod" "EXA"
EndSection

Section "Screen"
Identifier  "Screen 1"
Device  "** ATI Radeon (generic)   [radeon]"
Monitor "My Monitor"
DefaultDepth 16

Subsection "Display"
Depth   8
Modes   "1280x1024" "1024x768" "800x600" "640x480"
ViewPort 0 0
EndSubsection
Subsection "Display"
Depth   16
Modes   "1440x900" "1280x1024" "1024x768" "800x600" "640x480"
ViewPort 0 0
EndSubsection
Subsection "Display"
Depth   24
Modes   "1280x1024" "1024x768" "800x600" "640x480"
ViewPort 0 0
EndSubsection
EndSection

Section "ServerLayout"
Identifier  "Simple Layout"
Screen "Screen 1"
InputDevice "Mouse1" "CorePointer"
InputDevice "Keyboard1" "CoreKeyboard"
EndSection


(WW) OS did not count PCI devices, guessing wildly
(--) Using wscons driver

X.Org X Server 1.4.2
Release Date: 11 June 2008
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 4.4 macppc 
Current Operating System: OpenBSD ilap.bsdfrog.org 4.4 GENERIC#1860 macppc
Build Date: 20 August 2008  03:23:08PM
 
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Sat Sep 27 12:16:28 2008
(==) Using config file: "/etc/X11/xorg.conf"
(==) ServerLayout "Simple Layout"
(**) |-->Screen "Screen 1" (0)
(**) |   |-->Monitor "My Monitor"
(**) |   |-->Device "** ATI Radeon (generic)   [radeon]"
(**) |-->Input Device "Mouse1"
(**) |-->Input Device "Keyboard1"
(==) Automatically adding devices
(==) Automatically enabling devices
(==) Including the default font path 
/usr/X11R6/lib/X11/fonts/misc/,/usr/X11R6/lib/X11/fonts/TTF/,/usr/X11R6/lib/X11/fonts/OTF,/usr/X11R6/lib/X11/fonts/Type1/,/usr/X11R6/lib/X11/fonts/100dpi/,/usr/X11R6/lib/X11/fonts/75dpi/.
(**) FontPath set to:
/usr/X11R6/lib/X11/fonts/misc/,
/usr/X11R6/lib/X11/fonts/TTF/,
/usr/X11R6/lib/X11/fonts/Type1/,
/usr/X11R6/lib/X11/fonts/75dpi/,
/usr/X11R6/lib/X11/fonts/100dpi/,
/usr/local/lib/X11/fonts/mscorefonts/,
/usr/local/lib/X11/fonts/ghostscript/,
/usr/X11R6/lib/X11/fonts/misc/,
/usr/X11R6/lib/X11/fonts/TTF/,
/usr/X11R6/lib/X11/fonts/OTF,
/usr/X11R6/lib/X11/fonts/Type1/,
/usr/X11R6/lib/X11/fonts/100dpi/,
/usr/X11R6/lib/X11/fonts/75dpi/
(**) RgbPath set to "/usr/X11R6/lib/X11/rgb"
(**) ModulePath set to "/usr/X11R6/lib/modules"
(II) Loader magic: 0x

? Recommended News Server

2008-09-30 Thread Duncan Patton a Campbell
Howdy List?

I'm going to set up a news server on an OpenBSD system
and I would like to know if there is a recommended 
server that I should use.

Thanks,

Dhu



Re: esd + mpd

2008-09-30 Thread Marius Hooge

Jacob Meuser wrote:

first, autospawning does not work in esound-0.2.38.  I don't know if
that's the version you are using, but that could be part of the problem.
I'm pretty sure I had mpd playing through esd at one point.

let's see.  add a group, _esd.  add myself and _mpd to that
group.  start esd as myself, chgrp _esd ~/.esd_auth, chmod g+rw
~/.esd_auth.  echo "default_driver=esd" > /etc/libao.conf.
sudo mpd.  starts fine, but oh, no workie.

ok, make /var/esd. make that _mpd's home, and link from there an
.esd_auth to my .esd_auth.  that seems to work.
  
I have mpd playing through libao-esd, but without running them under 
their own users.

Since Nick asked for a configuration that worked, here's mine:

I first start esd with -noterminate, then mpd.
~/.mpd.conf:
[..]
audio_output {
type "ao"
driver "esd"
name "ESD"
}

I installed the mplayer-esd port.
~/.mplayer/config:
ao=esd

If this works you can try running esd and mpd under their own users.
hth
- Marius



Re: Intel Atom and D945GCLF2

2008-09-30 Thread Theo de Raadt
> > Is anyone running OpenBSD on one of these boards? The supported platform
> > page does not list either the chipset or the CPU so I'm guessing it is not
> > supported at this time.
> 
> I have been running OpenBSD 4.3 for several weeks on an Atom D945GCLF
> and didn't encounter any problems.
> The dmesg shows a few messages that indicate that not everything is
> fully supported yet but the board still runs fine.

The situation is really really really simple.

If it is a PC, we run on it.



Re: openbsd 4.3 amd64 and d-link dfe-550tx (st201)

2008-09-30 Thread Theo de Raadt
> On Wed, Sep 24, 2008 at 5:52 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > On 2008-09-24, wolk <[EMAIL PROTECTED]> wrote:
> >> Support for d-link dfe-550tx(st201) in amd64 arch is broken or only 
> >> disable?
> >> i386 works fine in GENERIC 4.3 kernel.
> >
> > This gives a good clue:
> >
> > $ fgrep ste* /sys/arch/amd64/conf/GENERIC
> > #ste*   at pci? # Sundance ST201 ethernet BORKED
> >
> > And here's the commit log:
> >
> > revision 1.70
> > date: 2005/05/27 06:36:23;  author: jason;  state: Exp;  lines: +3 -3
> > remove support for sf and ste.  vtophys is NOT a working solution.
> > Do not re-enable these drivers until they are bus-dma'ified.
> 
> It should still work if you enable it and have less than 4GB ram.
> vtophys is not a solution, but it does work.

It would be better if someone did the work implied by the commit message.

The problem with having vtophys drivers activated on amd64 is that
eventually it fries someone, and then they submit some vague bug
report and a lot of people waste their time.



Re: DHCP failing to find interface after 20 Interfaces

2008-09-30 Thread Nick Gustas

Carl Horne wrote:

Hi,

Sorry but I ran into another block.  This time it's dhcpd that is having the
issue.  I hope Stuart can find an answer as fast as he did last time.  This is
the issue.  If I have 20 or fewer interfaces configured then dhcpd starts up as
expected.  Dhcpd listens on the carp interface carp1.  The startup command is
"/usr/sbin/dhcpd carp1".  If I have 20 interfaces then dhcpd finds the carp1
interface and it starts up.  If I add an interface so there are 21 interfaces
then dhcpd will not start up because it cannot find carp1.  If I do ifconfig -a
it lists the interfaces in some kind of order.  It seems that it uses this
order and it can only see the first 20 in the list.  The carp interfaces are
always at the bottom of the list.

Thanks,
  Carl

Dhcpd:
I built this from source because I needed USE_SOCKETS enabled.  It's version
3.0.7.  It is running using dhcp-failover between two servers.

# uname -a
OpenBSD xxx.xxx.xxx 4.1 GENERIC.MP#1152 amd64

# ifconfig -a
lo0: flags=8049 mtu 33192
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
bge0: flags=8943 mtu 1500
lladdr 00:09:3d:11:99:02
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 65.44.125.14 netmask 0xff00 broadcast 65.44.125.255
inet6 fe80::209:3dff:fe11:9902%bge0 prefixlen 64 scopeid 0x1
bge1: flags=8943 mtu 1500
lladdr 00:09:3d:11:99:03
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 159.212.73.14 netmask 0xff80 broadcast 159.212.73.127
inet6 fe80::209:3dff:fe11:9903%bge1 prefixlen 64 scopeid 0x2
em0: flags=8843 mtu 1500
lladdr 00:04:23:ae:1a:14
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.63.56 netmask 0xff00 broadcast 192.168.63.255
inet6 fe80::204:23ff:feae:1a14%em0 prefixlen 64 scopeid 0x3
em1: flags=8802 mtu 1500
lladdr 00:04:23:ae:1a:15
media: Ethernet autoselect (none)
status: no carrier
pflog0: flags=141 mtu 33192
enc0: flags=0<> mtu 1536
pfsync0: flags=0<> mtu 1460
pfsync: syncdev: em0 syncpeer: 192.168.63.57 maxupd: 128
groups: carp pfsync
gre1: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 159.212.48.152
inet6 fe80::209:3dff:fe11:9902%gre1 ->  prefixlen 64 scopeid 0xb
inet 192.168.0.1 --> 192.168.1.1 netmask 0x
gre126: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 159.212.48.111
inet6 fe80::209:3dff:fe11:9902%gre126 ->  prefixlen 64 scopeid 0xc
inet 192.168.0.126 --> 192.168.1.126 netmask 0x
gre132: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 10.140.253.251
inet6 fe80::209:3dff:fe11:9902%gre132 ->  prefixlen 64 scopeid 0xf
inet 192.168.0.132 --> 192.168.1.132 netmask 0x
gre146: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 159.212.187.7
inet6 fe80::209:3dff:fe11:9902%gre146 ->  prefixlen 64 scopeid 0x10
inet 192.168.0.146 --> 192.168.1.146 netmask 0x
gre112: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 10.192.15.15
inet6 fe80::209:3dff:fe11:9902%gre112 ->  prefixlen 64 scopeid 0x11
inet 192.168.0.112 --> 192.168.1.112 netmask 0x
gre110: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 10.108.8.7
inet6 fe80::209:3dff:fe11:9902%gre110 ->  prefixlen 64 scopeid 0x12
inet 192.168.0.110 --> 192.168.1.110 netmask 0x
gre114: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 10.108.16.60
inet6 fe80::209:3dff:fe11:9902%gre114 ->  prefixlen 64 scopeid 0x13
inet 192.168.0.114 --> 192.168.1.114 netmask 0x
gre118: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 10.108.24.45
inet6 fe80::209:3dff:fe11:9902%gre118 ->  prefixlen 64 scopeid 0x14
inet 192.168.0.118 --> 192.168.1.118 netmask 0x
gre140: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 10.108.32.61
inet6 fe80::209:3dff:fe11:9902%gre140 ->  prefixlen 64 scopeid 0x15
inet 192.168.0.140 --> 192.168.1.140 netmask 0x
gre142: flags=b011 mtu 1476
groups: gre
physical address inet 159.212.73.16 --> 10.108.40.10
inet6 fe80::209:3dff:fe11:9902%gre142 ->  prefixlen 64 scopeid 0x16
inet 192.168.0.142 --> 192.168.1.142 netmask 0x
carp1: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
carp: MASTER carpdev bge0 vhid 1 advbase 1 advskew 20
groups: carp
inet6 fe80::200:5eff:fe00:101%c

Re: Problem with binat and ftp-proxy

2008-09-30 Thread Calomel
See if this works for you. Using the ftp proxy with binat probably
will not work. Let's say 100.20.30.40 is the external IP.

# cat /etc/rc.local
 /usr/sbin/ftp-proxy -a 100.20.30.40 -p 8021 -q bulk

# cat /etc/pf.conf
 Translation ###
rdr on $DMZIf inet proto tcp from $DMZ to any port ftp -> lo0 port 8021

 Filtering #
pass in log on $DMZIf inet proto tcp from $DMZ to lo0 port 8021 $TcpState 
$FtpIntIf


 Ftp-Proxy "how to" (forward and reverse proxy)
 https://calomel.org/ftp_proxy.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Tue, Sep 30, 2008 at 01:09:25PM +0200, Comète wrote:
>Hi,
>
>I run an OpenBSD 4.3 firewall with 3 network interfaces: 1 LAN, 1 WAN
>and 1 DMZ.
>I use ftp-proxy to allow FTP client connections from my LAN and it works
>well. On my DMZ, I have multiple servers (web, dns, smtp, etc.) and they
>all have a different public IP. So I use binat rules to NAT them
>easily and it works fine too.
>But I need to allow these servers on the DMZ to make FTP client connections
>to external servers too. So I have put a rdr rule like the one I did for
>my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't
>work; I can only connect to external FTP servers from my DMZ servers if I
>disable the binat rule associated with the server which tries to connect.
>
>My question is, is there a way to do what I want to do? :)
>
>Thanks a lot!
>
>below an extract of my pf rules:
>
>nat on $ext_if from !$ext_if to any -> $firewall_pub
>nat-anchor "ftp-proxy/*"
>
>binat on $ext_if from $dns1_priv to any -> $dns1_pub
>binat on $ext_if from $dns2_priv to any -> $dns2_pub
>binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
>binat on $int_if from $web_ville_priv to any -> $web_ville_pub
>
>rdr-anchor "ftp-proxy/*"
>rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0
>port 8021
>
>...
>
>pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
>pass in quick log on $int_if inet proto tcp from  to
>lo0 port 8021
>anchor "ftp-proxy/*"
>
>...



Re: Intel Atom and D945GCLF2

2008-09-30 Thread Daniel Polak

 Original message from Steve B at 27-9-2008 4:24

Is anyone running OpenBSD on one of these boards? The supported platform
page does not list either the chipset or the CPU so I'm guessing it is not
supported at this time.


I have been running OpenBSD 4.3 for several weeks on an Atom D945GCLF
and didn't encounter any problems.
The dmesg shows a few messages that indicate that not everything is
fully supported yet but the board still runs fine.

Daniel

OpenBSD 4.3-stable (GENERIC) #8: Wed Jul 30 22:03:55 CEST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
RTC BIOS diagnostic error 80
cpu0: Intel(R) Atom(TM) CPU 230 @ 1.60GHz ("GenuineIntel" 686-class) 
1.60 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR

cpu0: unknown i686 model 12, can't get bus clock (0x4308)
real mem  = 526192640 (501MB)
avail mem = 500740096 (477MB)
RTC BIOS diagnostic error 80
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/27/08, SMBIOS rev. 2.4 @ 
0xe3590 (23 entries)
bios0: vendor Intel Corp. version "LF94510J.86A.0038.2008.0427.2223" 
date 04/27/2008

bios0: Intel Corporation D945GCLF
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown, estimated 0:00 hours
acpi at bios0 function 0x0 not configured
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xae00! 0xcb000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
agp0 at pchb0: aperture at 0x2000, size 0x1000
vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x01: irq 9
azalia0: codec[s]: Realtek/0x0662
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 "Realtek 8101E" rev 0x02: unknown ASIC 
(0x2480), irq 11, address 00:1c:c0:45:21:25

rlphy0 at re0 phy 7: RTL8201L 10/100 PHY, rev. 1
ppb1 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x01
pci3 at ppb2 bus 3
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 10
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 11
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 9
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 11
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: irq 10
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci4 at ppb3 bus 4
em0 at pci4 dev 0 function 0 "Intel PRO/1000MT (82546GB)" rev 0x03: irq 
10, address 00:1b:21:14:48:78
em1 at pci4 dev 0 function 1 "Intel PRO/1000MT (82546GB)" rev 0x03: irq 
9, address 00:1b:21:14:48:79

ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

wd0 at pciide0 channel 0 drive 0: 
wd0: 1-sector PIO, LBA, 244MB, 500400 sectors
wd0(pciide0:0:0): using PIO mode 4
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, 
channel 0 configured to native-PCI, channel 1 configured to native-PCI

pciide1: using irq 11 for native-PCI interrupt
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: irq 11
iic0 at ichiic0
admtm0 at iic0 addr 0x2d: 47m192
spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-4200CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
biomask ef6d netmask ef6d ttymask ffef
mtrr: Pentium Pro MTRR support
uftdi0 at uhub4 port 2 "Crystalfontz Crystalfontz CFA-634 USB LCD" rev 
1.10/2.00 addr 2

ucom0 at uftdi0 portno 1
softraid0 at root
root on wd0a swap on wd0b dump on wd0b



Re: Problem with binat and ftp-proxy

2008-09-30 Thread Stuart Henderson
On 2008-09-30, Comète <[EMAIL PROTECTED]> wrote:
> I use ftp-proxy to allow FTP client connections from my LAN and it works
> well. On my DMZ, I have multiple servers (web, dns, smtp, etc.) and they
> all have a different public IP. So I use binat rules to NAT them
> easily and it works fine too.
> But I need to allow these servers on the DMZ to make FTP client connections
> to external servers too. So I have put a rdr rule like the one I did for
> my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't
> work; I can only connect to external FTP servers from my DMZ servers if I
> disable the binat rule associated with the server which tries to connect.
>
> My question is, is there a way to do what I want to do? :)

pf.conf(5)

 Evaluation order of the translation rules is dependent on the type of the
 translation rules and of the direction of a packet.  binat rules are
 always evaluated first.  Then either the rdr rules are evaluated on an
 inbound packet or the nat rules on an outbound packet.  Rules of the same
 type are evaluated in the same order in which they appear in the ruleset.
 The first matching rule decides what action is taken.

So you need to disable the binat rule and use a pair of nat and
rdr instead.



Re: Bad MD5 on snapshot i386 install.iso

2008-09-30 Thread Giancarlo Razzolini
Steve Shockley escreveu:
> On 9/29/2008 12:36 PM, Giancarlo Razzolini wrote:
>> tcpdump on your if and see if you're getting bad tcp checksum's. Most
>> likely it's a problem with you network if, or switch, or router,
>> corrupting  packets.
>
> If you're used to seeing bad TCP checksums in tcpdump, you probably
> have a NIC that does TCP checksum offload.
>
>
In my case it was bad hardware. I've disabled offload on the driver. But
this was on Linux, using ethtool. Good question, how to do the same on
OpenBSD? Ah, and I didn't notice that the hashes were the same.

-- 
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85



OpenBSD on IBM Power System?

2008-09-30 Thread Rafal Bisingier
Hi,

Is there any chance to install OpenBSD on a "logical hardware partition"
created on an IBM p-Series machine? There is a macppc port, but as I
understand it, it's only for Apple hardware? Is there anyone with some
experience in this field?

-- 
Greetings
Rafal Bisingier



Problem with binat and ftp-proxy

2008-09-30 Thread Comète
Hi,

I run an OpenBSD 4.3 firewall with 3 network interfaces: 1 LAN, 1 WAN
and 1 DMZ.
I use ftp-proxy to allow FTP client connections from my LAN and it works
well. On my DMZ, I have multiple servers (web, dns, smtp, etc.) and they
all have a different public IP. So I use binat rules to NAT them
easily and it works fine too.
But I need to allow these servers on the DMZ to make FTP client connections
to external servers too. So I have put a rdr rule like the one I did for
my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't
work; I can only connect to external FTP servers from my DMZ servers if I
disable the binat rule associated with the server which tries to connect.

My question is, is there a way to do what I want to do? :)

Thanks a lot!

below an extract of my pf rules:

nat on $ext_if from !$ext_if to any -> $firewall_pub
nat-anchor "ftp-proxy/*"

binat on $ext_if from $dns1_priv to any -> $dns1_pub
binat on $ext_if from $dns2_priv to any -> $dns2_pub
binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
binat on $int_if from $web_ville_priv to any -> $web_ville_pub

rdr-anchor "ftp-proxy/*"
rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0
port 8021

...

pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
pass in quick log on $int_if inet proto tcp from  to
lo0 port 8021
anchor "ftp-proxy/*"

...
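
Stuart's answer in this thread (binat is always evaluated before nat and rdr, so the translation rules ftp-proxy installs in its anchors never get a chance for the DMZ host) and Calomel's rule layout translate into the following pf.conf fragment. It is an added example, not the poster's final ruleset and not text from ftp-proxy(8): the macro names are the ones from the post, and the rule order is the point. For translation rules the first match wins, so the ftp-proxy anchors come before the static rules and the port-21 redirect to the proxy comes before the static redirect for the server. The binat on $int_if for the same host would get the same treatment; running ftp-proxy with `-a` and the server's public address, as Calomel does, is optional here and with several DMZ hosts each on its own public IP would mean one proxy instance per address, which is this example's assumption rather than something the thread states.

```pf
# Added example: the poster's binat for one DMZ host rewritten as a nat/rdr
# pair so that ftp-proxy's anchors can take effect. Macro names are the ones
# from the post; nothing here is the poster's final ruleset or text from
# ftp-proxy(8).

# Translation rules: binat is always evaluated before nat and rdr, and within
# one type the first matching rule wins. So the original line below is matched
# before the nat rule ftp-proxy installs in its anchor for a passive-mode
# data connection, and the FTP server sees the data connection coming from
# $web_ville_pub instead of from the proxy's address, which is why it only
# worked once the binat was removed:
#
#   binat on $ext_if from $web_ville_priv to any -> $web_ville_pub
#
# Replacement: the same 1:1 mapping as an outbound nat plus an inbound rdr,
# with ftp-proxy's anchors ahead of them in both lists.

nat-anchor "ftp-proxy/*"
# specific host first, catch-all last: first match wins
nat on $ext_if from $web_ville_priv to any -> $web_ville_pub
nat on $ext_if from !$ext_if to any -> $firewall_pub

rdr-anchor "ftp-proxy/*"
# port 21 from the LAN and DMZ goes to the proxy before any other redirect
rdr on { $int_if $dmz1_if } proto tcp from any to any port ftp -> lo0 port 8021
# inbound half of the former binat
rdr on $ext_if from any to $web_ville_pub -> $web_ville_priv

# Filter side stays as posted: let the DMZ host reach the proxy on lo0 and
# keep ftp-proxy's filter anchor for the data connections it opens.
pass in quick log on $dmz1_if inet proto tcp from $DMZ1 to lo0 port 8021
anchor "ftp-proxy/*"
```

After loading, `pfctl -sn` should list the nat-anchor and rdr-anchor before the static translation rules, and `pfctl -a "ftp-proxy/*" -sn` shows the per-session rules the proxy adds while a DMZ host has an FTP data connection open.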



Re: pf - queue filter directive sticky?

2008-09-30 Thread Uwe Werler
Am Tue, 30 Sep 2008 10:53:05 +0200
schrieb [EMAIL PROTECTED]:

> Am Mon, 29 Sep 2008 15:29:08 -0400
> schrieb "(private) HKS" <[EMAIL PROTECTED]>:
> 
> > If the following two rules apply to a given packet in the order
> > shown, will the packet be queued?
> >
> > pass in on $int_if from 10.0.0.1 queue tens
> > pass in on $int_if
> >
> > I've not been able to find a clear answer in pf.conf(5) or the
> > online PF documentation. If I overlooked it, please let me know.
> > Thanks in advance for the help.
> >
> > -HKS
> 
> imho normally this packet wouldn't be queued because the last count
> matches the packet so the last rule applies:
> 
> from man pf.conf:
> 
> "For each packet processed by the packet filter, the filter rules
> are evaluated in sequential order, from first to last.  The last
> matching rule decides what action is taken.  If no rule matches the
> packet, the default action is to pass the packet."
> 
> uw
> 
> [demime 1.01d removed an attachment of type application/pgp-signature
> which had a name of signature.asc]
> 

on the other hand: 

"During the filtering component of pf.conf, the last referenced
queue name is where any packets from pass rules will be queued..."

that means because of the sequential order that the packet should be
queued imho.



III. Purchasing and Supply Chain Management Summit

2008-09-30 Thread Egitim ik
III. PURCHASING AND SUPPLY CHAIN MANAGEMENT SUMMIT

10 - 11 - 12 October 2008 / Sheraton Istanbul Hotel

w w w   b o s p h o r u s c o n f e r e n c e s . c o m

tel: 0216 486 3O  95pbx

Programme:

10 OCTOBER, FRIDAY

11 OCTOBER, SATURDAY

12 OCTOBER, SUNDAY

08:45-09:00 Opening Speech

10:00-10:30 Successful Supply Chain Management Practices
Metin YILMAZ - General Manager, Duzey Pazarlama

10:00-10:30 Factors in Make - Buy - Outsource Decisions
Assoc. Prof. Dr. Murat BASKAK - Istanbul Technical University

09:00-09:45 New Horizons in Purchasing
Mehmet Ali NEYZI - Vice President, Zorlu Enerji Group

10:30-10:45 Coffee Break

10:30-10:45 Coffee Break

09:45-10:00 Coffee Break

10:45-11:15 Dr. Murphy & Supply Chain Management
Bulent Cilingir - Purchasing Director, Zorlu Enerji Group

10:45-11:15 Pricing in Purchasing, Optimal Price Determination and Purchasing
Budget Management
Gurkan HURYILMAZ - Purchasing Management Specialist

10:00-10:30 Strategic Decision Processes in Purchasing
Yelda KABAKLARLI - Purchasing Manager, AstraZeneca

11:15-11:30 Coffee Break

11:15-11:30 Coffee Break

10:30-10:45 Coffee Break

11:30-12:15 Management of Outsourced Services in Purchasing
Huseyin CELIK - Purchasing and Logistics Director, Acibadem Saglik Group

11:30-12:00 The Legal Dimension of Purchasing Management, Contracts and
Disputes
Basak Ulkenli OZEL - Former Contracts Manager, Havelsan A.S.

10:45-11:15 Logistics for Purchasing Managers / Criteria for Selecting
Supplier Companies
Dr. Fatih SARACOGLU - Chairman of the Board, Frentek Otomotiv San. A.S.

12:15-13:15 Lunch

12:00-13:00 Lunch

11:15-11:30 Coffee Break

13:15-14:00 Distribution Centre and Warehouse Management
Atilla YILDIZTEKIN - Former General Manager, Arkas Lojistik; Board member of
UTIKAD, UND, LODER

13:00-13:30 Purchasing Communication - Effective Negotiation and Bargaining
Techniques for Purchasing Managers
Necdet UYGURER - Lecturer, ODTU / Yeditepe University

11:30-12:15 Definition and Development of Strategic Purchasing, New
Practices, Its Place and Importance in Management
Atilla FILIZ - Production Management Specialist, Author

14:00-14:30 Supply Chain Management and Auditing
Dilek OGAN - KESWICK

13:30-13:45 Coffee Break

12:15-13:15 Lunch

14:30-14:45 Coffee Break

13:45-14:30 Purchasing Finance: Interaction of the Purchasing Process with
the Finance Process
Assoc. Prof. Dr. Sevket SAYILGAN - Faculty member, Marmara University;
Corporate Finance Specialist

13:15-14:00 Product, Data and Lifecycle Management (PDM/PLM) in the
Purchasing Process
Metin KANSU - Industrial Purchasing Consultant, Former Purchasing Manager at
Otoyol Sanayi

14:45-15:30 Green Supply Chain Management

Feza OZALP - Member, Council of Supply Chain Management Professionals (USA);
MBA Lecturer, Bilgi University

14:30-14:45 Coffee Break

14:00-14:15 Coffee Break

15:30-16:00 Information Sharing in the Supply Chain
Asst. Prof. Dr. Berrin Agaran (Faculty member, Industrial Engineering,
Faculty of Engineering, Dogus University)

14:45-15:15 Outsourcing and New Developments
Baha SIPAHI - Consultant, Former Operations Leader at NORTEL NETAS

14:15-15:00 IT Applications in Logistics Management
Prof. Dr. Mehmet TANYAS - Head of the International Logistics Department,
Okan University

16:00-16:15 Coffee Break

15:15-15:30 Coffee Break

15:00-15:15 Coffee Break

16:15-17:00 Process Improvement Methods in Purchasing and Supply Chain
Management
Umut Hulusi INAN - Industrial Engineer (M.Sc.), Management Consultant

15:30-16:15 Emergency and Crisis Logistics
Dr. Dogan KARADOGAN - Transportation Major (ret.), Turkish Land Forces;
Logistics Systems Specialist

15:15-15:45 Innovative Solutions and Technology in Supply Chain Management
Murat BOG - Deputy General Manager, Ekol Lojistik

16:15-16:30 Review of the Day

16:15-16:30 Farewell Cocktail

15:45-16:30 Coordination with Suppliers in Production and Purchasing
Assoc. Prof. Dr. Gulcin BUYUKOZKAN - Faculty member, Industrial Engineering,
Faculty of Engineering and Technology, Galatasaray University

w w w   b o s p h o r u s c o n f e r e n c e s . c o m

BOSPHORUS

CONFERENCES

A Bogazici organisation.

w w w   b o g a z i c i e g i t i m . c o m . t r

tel: 0216 486 3O 95pbx

To participate, the Registration Form must be completed and sent to us.
The participation fee is 1500 YTL + VAT per person. The fee must be paid
before the summit date into the account no. 215148 of Bogazici Egitim ve
Danismanlik at the Isbankasi Beylerbeyi branch.
The fee includes all lunches, tea, coffee and cocktail refreshments for the
duration of the event, and all books, CDs, bags, folders and documents
belonging to the programme.
No refunds are given for cancellations made after 1 October 2008, but name
changes are accepted.
The summit organising committee reserves the right to change the venue or
the programme, or to cancel or postpone it, where force majeure requires.
In that case fees already paid are refunded.

If you would like us to redirect this bulletin, which was sent to you for
announcement purposes, to a different e-mail address, or to stop sending it,
you can let us know by e-mail.


Re: pf - queue filter directive sticky?

2008-09-30 Thread uw
Am Mon, 29 Sep 2008 15:29:08 -0400
schrieb "(private) HKS" <[EMAIL PROTECTED]>:

> If the following two rules apply to a given packet in the order shown,
> will the packet be queued?
>
> pass in on $int_if from 10.0.0.1 queue tens
> pass in on $int_if
>
> I've not been able to find a clear answer in pf.conf(5) or the online
> PF documentation. If I overlooked it, please let me know. Thanks in
> advance for the help.
>
> -HKS

imho normally this packet wouldn't be queued because the last count
matches the packet so the last rule applies:

from man pf.conf:

"For each packet processed by the packet filter, the filter rules
are evaluated in sequential order, from first to last.  The last
matching rule decides what action is taken.  If no rule matches the
packet, the default action is to pass the packet."

uw

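To check the question and the answer above against the pf.conf(5) text that uw quotes, here is a small model of pf's rule selection. It is an added example, not pf's own code: it parses only the handful of keywords that appear in the two rules from the question (pass/block, in/out, on, from, queue, quick), expands the `$int_if` macro to a constructed interface name `em0`, and applies the documented evaluation order (first to last, last match decides, `quick` ends evaluation). It ignores state creation and everything else pf does; its only purpose is to show which rule supplies the queue.

```python
"""Added example (not pf's own code): a model of how pf picks the rule that
decides a packet, written to check the queue question against pf.conf(5).

Per the manual page: rules are evaluated first to last, the last matching rule
decides, and a rule carrying `quick` ends evaluation at that rule.  Only the
keywords used in the thread are understood.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for both
    iface: Optional[str] = None       # interface after macro expansion, None = any
    src: Optional[str] = None         # source address, None = any
    queue: Optional[str] = None       # queue assigned by this rule, if any
    quick: bool = False


@dataclass
class Packet:
    direction: str
    iface: str
    src: str


def expand(token: str, macros: Dict[str, str]) -> str:
    """Substitute a $macro reference the way pf.conf macros are expanded."""
    if token.startswith("$"):
        return macros[token[1:]]
    return token


def parse_rule(line: str, macros: Dict[str, str]) -> Rule:
    """Parse the subset of pf.conf filter-rule syntax used in the question."""
    toks = line.split()
    if not toks or toks[0] not in ("pass", "block"):
        raise ValueError(f"unsupported rule: {line!r}")
    rule = Rule(action=toks[0])
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction = tok
            i += 1
        elif tok == "quick":
            rule.quick = True
            i += 1
        elif tok == "on":
            rule.iface = expand(toks[i + 1], macros)
            i += 2
        elif tok == "from":
            src = expand(toks[i + 1], macros)
            rule.src = None if src == "any" else src
            i += 2
        elif tok == "queue":
            rule.queue = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported keyword {tok!r} in {line!r}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.src is None or rule.src == pkt.src))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, queue): last matching rule wins, quick stops early, and a
    packet matching no rule is passed without a queue (pf's default action)."""
    decision: Tuple[str, Optional[str]] = ("pass", None)
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.queue)
            if rule.quick:
                break
    return decision


MACROS = {"int_if": "em0"}   # constructed: the thread never names the interface

# The two rules exactly as asked in the thread.
AS_ASKED = [
    "pass in on $int_if from 10.0.0.1 queue tens",
    "pass in on $int_if",
]
# Same rules with `quick` on the queueing rule, so it becomes the last match.
WITH_QUICK = [
    "pass in quick on $int_if from 10.0.0.1 queue tens",
    "pass in on $int_if",
]
# Same rules with the specific rule placed last, the usual pf ordering.
GENERAL_FIRST = [
    "pass in on $int_if",
    "pass in on $int_if from 10.0.0.1 queue tens",
]


def decide(lines: List[str], src: str) -> Tuple[str, Optional[str]]:
    rules = [parse_rule(line, MACROS) for line in lines]
    return evaluate(rules, Packet(direction="in", iface="em0", src=src))


if __name__ == "__main__":
    for name, lines in (("as asked", AS_ASKED), ("with quick", WITH_QUICK),
                        ("general first", GENERAL_FIRST)):
        print(f"{name:14s} 10.0.0.1 -> {decide(lines, '10.0.0.1')}")
        print(f"{name:14s} 10.0.0.2 -> {decide(lines, '10.0.0.2')}")
```

With the rules in the order asked, a packet from 10.0.0.1 matches both, the second rule is the last match, and it carries no queue, which is the outcome uw describes. Adding `quick` to the first rule, or placing the general rule first and the specific queueing rule last, makes the queue assignment the deciding one.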



The correct way to use bsd.rd

2008-09-30 Thread Jordi Beltran Creix
Okay, thank you. This is what I wanted to know.

2008/9/30 Nigel J. Taylor <[EMAIL PROTECTED]>:
> The RAMDISK_CD kernel bsd in
> /usr/src/sys/arch/`machine`/compile/RAMDISK_CD is not the same as bsd.rd;
> as you have found out it has an empty ramdisk, it is the initial stage. To
> get a bsd.rd you need to build a release after building the userland.
> Details for building a release are in the FAQ's and man pages.
>
> Building the release will use the RAMDISK_CD to build the kernel in bsd,
> reserving space for the ramdisk, and then the make release process adds
> the ramdisk (miniroot) into this creating the bsd.rd. You will find what
> the build release does under
>
> /usr/src/distrib/ramdisk
>
> The install / update shells are in
>
> /usr/src/distrib/miniroot
>
> The resulting bsd.rd created by the release is placed into
> $DESTDIR/snapshot, and then into the release directory $RELEASEDIR.
>
> The RAMDISK - is for the floppynn.fs, RAMDISKB, RAMDISKC for
> floppynnB.fs, and floppynnC.fs.
>
> It all works for building a release, but as pointed out never needed for
> following current. I build a release so I have an install with all the
> patches for stable, I can use on a number of machines which use stable,
> rather than applying the patches on each.
>
> If what you are asking is can you just build bsd.rd without building
> the full release - possibly, maybe setting DESTDIR, RELEASEDIR and a
> make in /usr/src/distrib/ramdisk might work, really you're on your own if
> you're trying to do that.
>
> Regards
>
> Nigel Taylor
>
>
> Jordi Beltran Creix wrote:
>> I am NOT trying to boot my root partition using bsd.rd. Although I see
>> that I can using the -a option. I was trying to get a bsd.rd image
>> like the one from the CDs, with the Install Upgrade and Shell options.
>> I followed the instructions from release(8) closely but the generated
>> binary is the same - it tells me it tries to boot from the ramdisk
>> device and that it has size 0 and reboots. I don't intend to use it as
>> a way to upgrade, it is easier to download the newer snapshots, I was
>> just testing the functionality. I am obviously missing something and
>> this is why I asked.
>> I've just downloaded the one from the snapshots and see it is
>> RAMDISK_CD. Do I need to build the RAMDISK_CD kernel instead of
>> RAMDISK and it will work?
>>
>> Thank you
>>
>> 2008/9/28 Stijn <[EMAIL PROTECTED]>:
>>> Jordi Beltran Creix wrote:
>>>> I am using a virtual machine to try and follow -CURRENT. I have
>>>> installed a snapshot, downloaded the cvs source, built it and run to
>>>> see if it worked, up to there everything is okay.
>>>> Reading the FAQ I found out that the "official" way to follow current
>>>> more or less closely is to build a ramdisk image (or download a bsd.rd
>>>> image from the servers) and boot from that. However, when I place my
>>>> newly generated image in / and boot from it, it tells me that it lacks
>>>> a root filesystem. Obviously it is lacking a ramdisk, but I don't know
>>>> where to get that from and I have been unable to find the appropriate
>>>> manpage or piece of documentation. Could you please point it out to
>>>> me?
>>>> Thank you
>>>>
>>>
>>> From the FAQ:
>>> http://openbsd.org/faq/faq4.html#bsd.rd
>>>
>>> bsd.rd is used to install, upgrade or doing system maintenance. It's not
>>> used to boot of your machine for normal usage.
>>>
>>> HTH,
>>> Stijn
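Since the thread's conclusion is that bsd.rd comes out of a full release build, and release(8) has you set DESTDIR and RELEASEDIR and clear DESTDIR with `rm -rf` before running `make release`, a preflight check on those two variables is worth having. The following is an added example, not code from release(8) or the OpenBSD source tree: it refuses an unset, relative or root-level DESTDIR (where the `rm -rf` step would be destructive), identical or nested directories, and a DESTDIR that still holds files from a previous build. The paths in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not from release(8) or the OpenBSD source tree: a preflight
# check for the DESTDIR/RELEASEDIR pair that "make release" relies on.
# release(8) has you clear DESTDIR with "rm -rf" and expects it to be empty
# when the build starts, so an unset, relative, shared or nested value is
# worth catching before anything destructive runs.

release_preflight() {
    pf_dest=$1
    pf_rel=$2

    # Both paths must be absolute and must not be "/" itself: an empty
    # DESTDIR would turn the usual "rm -rf $DESTDIR" into "rm -rf /".
    case $pf_dest in
        /?*) ;;
        *) echo "DESTDIR must be an absolute path other than /" >&2; return 1 ;;
    esac
    case $pf_rel in
        /?*) ;;
        *) echo "RELEASEDIR must be an absolute path other than /" >&2; return 1 ;;
    esac

    # They must be distinct and neither may live inside the other, since the
    # release build writes into both.
    if [ "$pf_dest" = "$pf_rel" ]; then
        echo "DESTDIR and RELEASEDIR must differ" >&2; return 1
    fi
    case $pf_rel/ in
        "$pf_dest"/*) echo "RELEASEDIR must not be inside DESTDIR" >&2; return 1 ;;
    esac
    case $pf_dest/ in
        "$pf_rel"/*) echo "DESTDIR must not be inside RELEASEDIR" >&2; return 1 ;;
    esac

    # DESTDIR may be absent (release(8) has you create it), but if it exists it
    # must be an empty directory so nothing from an earlier build leaks into
    # the new sets.
    if [ -e "$pf_dest" ]; then
        if [ ! -d "$pf_dest" ]; then
            echo "DESTDIR exists but is not a directory" >&2; return 1
        fi
        if [ -n "$(ls -A "$pf_dest")" ]; then
            echo "DESTDIR is not empty" >&2; return 1
        fi
    fi
    return 0
}

# Typical use, following release(8), after "make build" has completed as root
# (the two paths are constructed for this example):
#   export DESTDIR=/usr/dest RELEASEDIR=/usr/rel
#   release_preflight "${DESTDIR:-}" "${RELEASEDIR:-}" || exit 1
#   mkdir -p "$DESTDIR" "$RELEASEDIR"
#   cd /usr/src/etc && make release
#   cd /usr/src/distrib/sets && sh checkflist
```

The check runs before anything is created or removed, so a typo in either variable fails the script instead of wiping the wrong directory, and the resulting bsd.rd lands under $RELEASEDIR as Nigel describes.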