Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Marco Pfatschbacher
On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote:
[...]
 # macros
[...]
 carpdevs = { carp0 , carp1 }
[...]
 # pass rules
[...]
 pass in on $carpdevs inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state # Allow SSH Access from Outside


just from a quick glance:
pf(4) never filters on carp interfaces, but on carp's physical
interface (aka carpdev).



Re: pf.conf

2008-11-12 Thread FRLinux
On Wed, Nov 12, 2008 at 7:47 AM, disintx [EMAIL PROTECTED] wrote:
 For all the ports you are looking for, you need to check /etc/services and
 you should read the man pages for whatever daemons you want to know about.

May I also recommend the excellent Building Firewalls with OpenBSD and
PF (http://openbsd.org/books.html#book1), helped me loads at the time
I build a bridging firewall.

Cheers,
Steph



Re: 4.4: crash in uvm_aiodone_daemon

2008-11-12 Thread Stuart Henderson
On 2008-11-12, jul [EMAIL PROTECTED] wrote:
 Pedro Martelletto wrote on 11/11/08 18:56:
 What was the actual panic message?

 sorry but the serial console was connected after crash, so i don't have
 initial message.
 This information is not in trace ? is there a command to recover it ?

show panic



Re: Using a separate boot partition

2008-11-12 Thread dermiste
On Wed, Nov 12, 2008 at 5:31 AM, Joseph Alten [EMAIL PROTECTED] wrote:
 So there isn't really an option like I was describing? I was going to just
 create my / partition on my boot hard drive like you mentioned, but I seemed
 so close when I ran boot hd0a:/bsd -a at the boot prompt that I thought I
 was missing something in the documentation...

 Thanks anyway.

 On Tue, 11 Nov 2008 20:08:08 -0800, Ben Calvert [EMAIL PROTECTED]
 wrote:

 on Linux, too much crap tends to end up in /, so they created /boot so you
 could have a small separate partition.

 on more traditional unix systems, you dont' put much in / , instead you
 have a separate /usr /tmp /home /var , etc.

 why not put / where you wanted to put /boot and then mount the rest on the
 second disk


 On Nov 11, 2008, at 7:52 PM, Joseph Alten wrote:

 Due to technical constraints, my setup requires that I have a separate
 boot partition (basically the kernel and anything else critical for
 booting), and then of course my root partition other data partitions on a
 separate disk.

 I'm kind of new to OpenBSD, and so far what I've managed to do is copy
 /bsd to a separate partition, then at the boot prompt I run boot hd0a -a,
 then specify my root partition when prompted by the kernel. While this has
 the desired effect, I'd rather not run this every time I want to boot
 OpenBSD. Is there a kernel parameter I can pass that lets the kernel know
 ahead of time the root device I wish to mount?

 Basically I'm looking for the OpenBSD equivalent of root=/dev/xxx Linux
 kernel parameter. I think I managed to get FreeBSD working similarly with
 the vfs.root.mountfrom= parameter, but this doesn't appear to exist in
 OpenBSD.

 Thanks for looking into this.

I'm backing ben here : OpenBSD / should be small enough to fit it
entirely into a boot partition.


: 12:10 [EMAIL PROTECTED]; df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      130M   35.1M   88.4M    28%    /
/dev/wd0m      9.9G    3.6G    5.9G    38%    /home
/dev/wd0h      130M   10.0K    124M     0%    /tmp
/dev/wd0j     1014M    417M    547M    43%    /usr
/dev/wd0k      253M    143M   97.5M    59%    /usr/X11R6
/dev/wd0l      4.0G    746M    3.0G    19%    /usr/local
/dev/wd0d      2.0G    2.0K    1.9G     0%    /usr/obj
/dev/wd0g      4.0G    1.1G    2.7G    28%    /usr/ports
/dev/wd0e      1.5G    632M    817M    44%    /usr/src
/dev/wd0f     1014M    513M    451M    53%    /usr/xenocara
/dev/wd0i      130M   11.6M    112M     9%    /var

all but bsd.mp is installed on this rig.


-- 
Vincent Gross

So, the essence of XML is this: the problem it solves is not hard, and
it does not solve the problem well. -- Jerome Simeon & Phil Wadler



Re: symux/rrdtool problem on 4.4-snap

2008-11-12 Thread Stuart Henderson
On 2008-11-12, Ryan Flannery [EMAIL PROTECTED] wrote:
 I'm having some strange problems with the symon (mon+mux) and rrdtool
 packages after recently upgrading to a 4.4 snapshot (fresh install).

Seems like your Perl packages are not in-sync with the base perl.
Make sure they are all up-to-date and you fetch from a mirror which
isn't lagging.



Re: VLC/MPlayer/ffmpeg audio/video sync issues introduced in 4.4..

2008-11-12 Thread Jacob Meuser
On Mon, Nov 10, 2008 at 09:19:18PM -0800, J.C. Roberts wrote:
 On Tue, 11 Nov 2008 04:26:22 +
 Jacob Meuser [EMAIL PROTECTED] wrote:
 
  On Mon, Nov 10, 2008 at 08:08:59PM -0800, J.C. Roberts wrote:
  
   general mplayer configuration suggestions
  
  nah, it's probably an B-frame or trellis or quantization issue.
 
 Then again, it might be the flux capacitor. (:

heh :)  just keep it under 88.

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: IPSec to Checkpoint

2008-11-12 Thread Joe Warren-Meeks
On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote:

Hey there,
 
 I don't know if your isakmpd.conf is good or not. The general
 part seems good. But I'm wondering why you are not using the new
 configuration file (/etc/ipsec.conf) It's much easier to use and to
 maintain over time. For your part, you'll have to keep default lifetime
 in isakmpd.conf as it's not supported in ipsec.conf.

Aah, I somehow missed that change. I'll look into that. 

Thanks

 -- joe.

George Lucas was born a nerd and will die a nerd.



Applying patch 004 to OpenBSD 4.4 and Apache/OpenSSL (problem with PEM_F_DEF_CALLBACK)

2008-11-12 Thread Gilbert Fernandes
Hello

At work here I have a PC which was loaded with OpenBSD 4.3
I have updated it to OpenBSD 4.4

After having installed it I downloaded from OpenBSD's ftp the
files sys.tar.gz and src.tar.gz which i did tar zxpf in
/usr/src

I then downloaded the latest 4.4.tar.gz patch file and applied
every patch. Everything went fine except the 004 patch.

I was having this error when doing the make :

--start of copy

[root][153] # make -f Makefile.bsd-wrapper
[...]  
cc -c  -I../../os/unix -I../../include  -O2 -pipe -DINET6 
-Dss_family=__ss_family -Dss_len=__ss_len -DHAVE_SOCKADDR_LEN -DMOD_SSL=208116 
-DEAPI `../../apaci` -DSSL_COMPAT -DSSL_ENGINE -DMOD_SSL_VERSION=\"2.8.16\" 
ssl_engine_pphrase.c
ssl_engine_pphrase.c: In function `ssl_pphrase_Handle_CB':
ssl_engine_pphrase.c:492: error: `PEM_F_DEF_CALLBACK' undeclared (first use in 
this function)
ssl_engine_pphrase.c:492: error: (Each undeclared identifier is reported only 
once
ssl_engine_pphrase.c:492: error: for each function it appears in.)
*** Error code 1

--end of copy

So I did a rm -rf of the /usr/src and from the following CVSROOT :

[EMAIL PROTECTED]:/cvs/openbsd

I did a cvs up -dP of OPENBSD_44

But I must have done something wrong or so I guess since I could not
compile httpd

So I searched with Google and found that in OpenSSL 0.9.8 they did a
change, which is explained here :

https://issues.apache.org/bugzilla/show_bug.cgi?id=35889

So I did modify my own OpenBSD 4.4 
/usr/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c

I replaced the PEM_F_DEF_CALLBACK by PEM_F_PEM_DEF_CALLBACK

at :

[...]
    prompt = "Enter pass phrase:";
    for (;;) {
        if ((i = EVP_read_pw_string(buf, bufsize, prompt, FALSE)) != 0) {
            PEMerr(PEM_F_PEM_DEF_CALLBACK, PEM_R_PROBLEMS_GETTING_PASSWORD);
            memset(buf, 0, (unsigned int)bufsize);
            return (-1);
[...]

Now, the commands listed in the beginning of the 004 patch file do apply
properly :

--start of copy
cc -O2 -pipe -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len 
-DHAVE_SOCKADDR_LEN -DMOD_SSL=208116 -DEAPI -DHTTPD_USER=\"www\"  
-DUID_MIN=1000  -DGID_MIN=1000  -DUSERDIR_SUFFIX=\"public_html\"  
-DLOG_EXEC=\"/var/log/suexec_log\"  -DDOC_ROOT=\"/var/www/htdocs\"  
-DSAFE_PATH=\"/usr/bin:/bin:/usr/local/bin\" -DUSE_SETUSERCONTEXT -o suexec 
-L/usr/lib  -L../os/unix -L../ap suexec.o -lm -lap -los  -lkeynote -lm  -lssl 
-lcrypto
=== src/support
=== src
-- /usr/src/usr.sbin/httpd
[root][162] #

--end of copy

I guess that, at some time, I must have done or broken something on this machine
because the patch could not have broken this.

Can someone please confirm to me that there is nothing wrong in the 004 patch and
that for some reason I don't have a clean copy of the OPENBSD_44 sources?

Best regards,

-- 
_\(_)/_  Gilbert Fernandes   Laga
 /(O)\   Administrateur systemes/reseau



Re: IPSec to Checkpoint

2008-11-12 Thread Joe Warren-Meeks
On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote:

Hey there,

OK, so I've switched to ipsec.conf and it is a lot easier!

However, I'm still struggling to use aes 256.

I have the following:

ike esp from 195.24.xxx.x/25 to 62.232.yyy.y/27 \
local 195.24.aaa.aa peer 62.232.bbb.bbb \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes psk sudomakemeagoat

This uses aes128. Is there any way to get aes256 working? Note: I'm on
4.2, was 256 support added later? If not, is there any way I could
enable 256 on 4.2?

 -- joe.

I can't believe Alan Davies would do that. I absolutely love him!



useradd /etc/security

2008-11-12 Thread Frank Bax
After a few upgrades; I noticed that new users added with useradd(8) 
(using commands in upgradeXX.htm) are created with 13 asterisks in 
passwd field.  During a new install only one asterisk is placed in this 
field for system users.  I was curious about this difference and feeling 
a bit adventurous; so I changed them all from 13 to 1 (including some 
created for packages).


The next day; there is a message in daily insecurity output:

Checking the /etc/master.passwd file:
Login _pgsql is off but still has a valid shell and alternate access 
files in home directory are still readable.


When I need to login (rarely) as _pgsql; I use sudo su - _pgsql. 
Since I don't need to have a password on this user; I changed _pgsql 
back to 13 asterisks.


I looked at /etc/security - at about line 40 and following there is a 
statement that bypasses the test for shell and home directory if the 
password is 13 characters.


Finally, the point...

I was thinking that new users added in upgradeXX should have only one 
asterisk instead of 13; so that /etc/security will produce warning if 
these users somehow have shells in the future?


Frank
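As an added illustration (not OpenBSD's /etc/security script itself), here is a POSIX shell reimplementation of the check Frank describes: an account whose password field starts with '*' is treated as "off", and if it still has a login shell it is reported, while a 13-character password field bypasses the test entirely. The master.passwd lines and the list of valid shells are constructed for the example.

```shell
#!/bin/sh
# Added example: a reimplementation of the "Login X is off but still has a
# valid shell" check as described in the thread, not the real /etc/security.
# Assumptions: "off" means the password field starts with '*'; a 13-character
# password field is skipped (the bypass Frank found); a shell is "valid" when
# it appears in a shells(5)-style list.

# Constructed sample master.passwd (10 fields: name:pw:uid:gid:class:change:
# expire:gecos:home:shell).  Not taken from any real system.
SAMPLE_MASTER_PASSWD='root:$2b$10$abcdefghijklmnopqrstuv:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
_pgsql:*:503:503::0:0:PostgreSQL Manager:/var/postgresql:/bin/sh
_foo:*************:504:504::0:0:Foo package:/var/foo:/bin/sh
operator:*:2:5::0:0:System &:/operator:/sbin/nologin
bob:*:1001:1001::0:0:Bob:/home/bob:/bin/ksh'

# Constructed shells(5)-style list of login shells.
VALID_SHELLS='/bin/sh /bin/ksh /bin/csh'

# off_logins_with_shell reads master.passwd lines on stdin and prints the
# login name of every account that is off (password field starts with '*')
# but still has a valid login shell.  A 13-character password field is
# skipped entirely, mirroring the bypass described in the thread.
off_logins_with_shell() {
    awk -F: -v shells="$VALID_SHELLS" '
    BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) valid[s[i]] = 1 }
    /^$/ { next }
    {
        pw = $2; shell = $10
        if (length(pw) == 13) next          # the bypass: 13-character field
        if (substr(pw, 1, 1) != "*") next   # account is not "off"
        if (shell in valid) print $1
    }'
}

# Usage on a real system (as root):  off_logins_with_shell < /etc/master.passwd
# On the constructed sample this reports _pgsql and bob; _foo is skipped
# because of its 13-asterisk password field.
```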



Re: Experiences running named and rndc on 4.4 vs 4.3

2008-11-12 Thread Woodchuck
On Tue, 11 Nov 2008, Don Jackson wrote:

 Today I began testing named on a freshly installed OpenBSD 4.4 amd64
 machine, using my old named.conf file from 4.3 (which was still running
 named version 9.4.2)
 
 When the machine first boots after the install, /etc/rc determines there is
 no rndc.key, and generates one:
 
 rndc-confgen: generating new shared secret... done.
 starting named
 
 
 Here are the owner, group, and file modes of the two different copies of
 rndc.key that are generated:
 
 # ls -lAF /etc/rndc.key /var/named/etc/rndc.key
 -rw-------  1 root  wheel  77 Nov 11 12:24 /etc/rndc.key
 -rw-r-----  1 root  wheel  77 Nov 11 12:24 /var/named/etc/rndc.key
 
 
 named only cares about the rndc.key in /var/named/etc

Right.  But later, rndc will use the /etc version.  So you need
both, and the permissions you show are sane ones.

 Looking at the logs: /var/log/daemon, one can see:
 
 Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission
 denied
 Nov 11 12:24:10 svn01 named[142]: couldn't add command channel 127.0.0.1#953:
 permission denied
 
 Here is my workaround:
 
 # chown root:named /var/named/etc/rndc.key
 # ls -lAF /var/named/etc/rndc.key
 -rw-r-----  1 root  named  77 Nov 11 12:24 /var/named/etc/rndc.key
 
 
 Should /etc/rc set the group ownership of /var/named/etc/rndc.key?
 
 Comments?

I think rndc.key should pick up the named group from the ownerships
and permissions on /var/named/etc. 

/var/named/etc should be owned by root.named and have permissions 750.

I bet your /var/named/etc is owned by root.wheel.

Dave
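As an added example (not from the thread and not OpenBSD's rc script), a small POSIX shell check for the ownership and mode of rndc.key and of the directory holding it, matching what the thread settles on: root:named with mode 640 for the key and 750 for /var/named/etc. The expected owner and group are parameters so the check can be run on any system.

```shell
#!/bin/sh
# Added example: verify ownership and mode of a key file such as
# /var/named/etc/rndc.key.  ls -ld is used instead of stat(1) because its
# -f/-c options differ between BSD and Linux; only the first ten mode
# characters are considered, so a trailing '+' or '.' is ignored.

# perms_of PATH -> prints "mode owner group", e.g. "-rw-r----- root named"
perms_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# check_key_perms PATH EXPECTED_MODE EXPECTED_OWNER EXPECTED_GROUP
# Returns 0 when all three match, 1 otherwise, printing each mismatch.
check_key_perms() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4
    [ -e "$path" ] || { echo "$path: missing"; return 1; }
    set -- $(perms_of "$path")
    mode=$1 owner=$2 group=$3
    rc=0
    [ "$mode" = "$want_mode" ]   || { echo "$path: mode $mode, want $want_mode"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "$path: owner $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group $group, want $want_group"; rc=1; }
    return "$rc"
}

# Usage on a name server, as the thread recommends:
#   check_key_perms /var/named/etc           drwxr-x--- root named
#   check_key_perms /var/named/etc/rndc.key  -rw-r----- root named
# A key owned root:wheel with mode 640 fails the group check, which is
# exactly the "permission denied" case named hit in the thread.
```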



relayd: backups when using relay?

2008-11-12 Thread Johan Ström

Hi list

I'm looking at the relay  (not redirect) feature of relayd (4.4), but  
cannot figure out how to use backups/fallbacks when doing relaying?
With redirect I just add another forward directive, but this doesn't  
seem to work for relays? Cannot find anything in docs mentioning this  
(with regards to relays).


Any pointers?

Thanks
Johan



Re: relayd exits when disabling and enabling hosts

2008-11-12 Thread David Caro
Yes, sorry it is a typo, I used 4.4-snapshot (10/08), got the same error,
I'll try to test it on the release as soon as it gets out. If it keeps
crashing I'll file a bug report.

Thanks for the info.

2008/11/11 Stuart Henderson [EMAIL PROTECTED]

 On 2008-11-11, Johan Strvm [EMAIL PROTECTED] wrote:
  Note that he was using 4.3. I was about to reply and suggest this was
  fixed in 4.4 (I think this problem have disappeared since I changed to
  4.4), but I wasn't sure.

  On Mon, Nov 10, 2008 at 05:11:56PM +0100, David Caro wrote:
  Same behaviour using fresh 3.4-snapshot (10/08) installs

 presumably a typo since 3.4 didn't have hostated let alone relayd. :)



Re: How to NAT a site-site VPN tunnel

2008-11-12 Thread nuffnough
I found another thread in french (I think,  I am not good with french)
with a link that looks promising...
http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

I will check out that solution and let you know if I still have problems.



Re: IPSec to Checkpoint

2008-11-12 Thread Claer
On Wed, Nov 12 2008 at 18:13, Joe Warren-Meeks wrote:
 Hey guys,
Hi,

 I'm struggling to get isakpmd to talk to a checkpoint firewall
 
 I need the following parameters
 
 General IKE Properties = AES-256 with SHA1
 IKE Phase 1 SA = Group2 (1024 bit)
 IKE Phase 1 SA renegotiation = 1440
 IKE Phase 2 SA renegotiation = 3600
 
 The network layout looks as follows:
 
 OurNet  OurFirewall Internet  TheirFW TheirNet
 
 195.24.xxx.xxx/25 - 195.24.xxx.yyy -  62.232.xxx.xxx  62.232.xxx.yyy
 
 I currently have the following in my isakpmd.policy
 
 Keynote-version: 2
 Authorizer: "POLICY"
 Conditions: app_domain == "IPsec policy" &&
 esp_present == "yes" &&
 esp_enc_alg != "null" -> "true";
 
 And my isakmpd.conf is at the end. Any pointers guys?

I don't know if your isakmpd.conf is good or not. The general
part seems good. But I'm wondering why you are not using the new
configuration file (/etc/ipsec.conf) It's much easier to use and to
maintain over time. For your part, you'll have to keep default lifetime
in isakmpd.conf as it's not supported in ipsec.conf.

From experience I can assure you it works also with Check Point (R60 to
R65) you just have to carefully ensure that all ipsec variables are the
same (As always with ipsec). Please review the parameters with the other
end. If you can, also ask them for their error message when establishing
the tunnel. I found the CheckPoint messages more useful than the
isakmpd ones.



 [General]
 Retransmits=5
 Exchange-max-time=  120
 Listen-on=  195.24.xxx.yyy
 Default-phase-1-lifetime=   1440,60:86400
 Default-phase-2-lifetime=   3600,60:86400
 
 
 
 [Phase 1]
 62.232.xxx.xxx=   local-remote
 
 [local-remote]
 Phase=  1
 Transport=  udp
 Local-address=  195.24.xxx.yyy
 Address=62.232.xxx.xxx
 Configuration=  Default-main-mode
 Authentication= makemeagoatorsomething
 
 [Phase 2]
 Connections=VPN-local-remote-62.232.xx.yy/255.255.255.224
 
 
 [VPN-local-remote-62.232.xx.yy/255.255.255.224]
 Phase=  2
 ISAKMP-peer=local-remote
 Configuration=  Default-quick-mode
 Local-ID=   network-195.24.xxx.xxx/255.255.255.128
 Remote-ID=  network-62.232.xxx.yyy/255.255.255.224
 
 
 
 [network-195.24.xxx.xxx/255.255.255.128]
 ID-type=IPV4_ADDR_SUBNET
 Network=195.24.xxx.xx
 Netmask=255.255.255.128
 
 
 
 [network-62.232.xxx.yyy/255.255.255.0]
 ID-type=IPV4_ADDR_SUBNET
 Network=62.232.xxx.yyy
 Netmask=255.255.255.0
 
 
 [Default-main-mode]
 DOI=IPSEC
 EXCHANGE_TYPE=  ID_PROT
 Life=   ANY
 Transforms= AES-256-SHA
 
 [Default-quick-mode]
 DOI=IPSEC
 EXCHANGE_TYPE=  QUICK_MODE
 Suites= QM-ESP-AES-256-SHA-SUITE
 
 [AES-256-SHA]
 ENCRYPTION_ALGORITHM=   AES_CBC
 KEY_LENGTH= 256,256:256
 HASH_ALGORITHM= SHA
 AUTHENTICATION_METHOD=  PRE_SHARED
 GROUP_DESCRIPTION=  MODP_1024
 Life=   LIFE_MAIN_MODE
 
 [QM-ESP-AES-256-SHA-SUITE]
 Protocols=  QM-ESP-AES-256-SHA
 
  -- joe.



Re: 4.4 recently installed

2008-11-12 Thread Jacob Meuser
On Tue, Nov 11, 2008 at 01:21:09PM -0800, T D wrote:
 I'm not sure...I didn't think it had more than one, I will have to look into
 this.
 There are no extra cards on the system (only a rj45) - the motherboard
 wouldn't have more than one music built in would it?.

unlikely

 Think I better check what board it is and look up the specs.
 CDs play well.

then you can probably just 'disable clcs' in UKC without issue.
but depending how you played the CD, it could just be using the
mixer and the DAC is not working.

 
 
 --- On Mon, 10/11/08, Jacob Meuser [EMAIL PROTECTED] wrote:
 
  From: Jacob Meuser [EMAIL PROTECTED]
  Subject: Re: 4.4 recently installed
  To: misc@openbsd.org
  Received: Monday, 10 November, 2008, 4:27 PM
  On Sun, Nov 09, 2008 at 10:39:17PM -0500, Nick Holland
  wrote:
   T D wrote:
Hi all,
   
I have installed 4.4 on a machine (ibm aptiva)
  with the below dmesg output.
As I am somewhat new to this os, I would like
   some suggestions as to what I
 could/should do with this box and no I will not
   rm -rf /
 Any ideas/suggestions greatly appreciated.
  
   I presume, your question is, not what can I do
  with this now
   that I have it installed, but rather, how
  can I fix this
   problem:
   ...
clcs0 at pci0 dev 17 function 0 Cirrus
  Logic CS4610 SoundFusion rev 0x01:
irq 3
clear_fifo: fist timeout cnt=0
clear_fifo: fist timeout cnt=1
   ,,,
   (and so on annoyingly)
  
   Correct?
  
   If so, the easy way out is probably to use
  ukc to disable the
   clcs0 device (see faq5.html).  You will lose the
  ability to play
   audio on this thing.
 
  there is also a wss(4) attaching later.  this thing really
  has two
  audio devices?
 
  http://www.openbsd.org/faq/faq13.html#audioprob
 
  --
  [EMAIL PROTECTED]
  SDF Public Access UNIX System - http://sdf.lonestar.org
 
 

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



IPSec to Checkpoint

2008-11-12 Thread Joe Warren-Meeks
Hey guys,

I'm struggling to get isakpmd to talk to a checkpoint firewall

I need the following parameters

General IKE Properties = AES-256 with SHA1
IKE Phase 1 SA = Group2 (1024 bit)
IKE Phase 1 SA renegotiation = 1440
IKE Phase 2 SA renegotiation = 3600

The network layout looks as follows:

OurNet  OurFirewall Internet  TheirFW TheirNet

195.24.xxx.xxx/25 - 195.24.xxx.yyy -  62.232.xxx.xxx  62.232.xxx.yyy

I currently have the following in my isakpmd.policy

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";

And my isakmpd.conf is at the end. Any pointers guys?

[General]
Retransmits=5
Exchange-max-time=  120
Listen-on=  195.24.xxx.yyy
Default-phase-1-lifetime=   1440,60:86400
Default-phase-2-lifetime=   3600,60:86400



[Phase 1]
62.232.xxx.xxx=   local-remote

[local-remote]
Phase=  1
Transport=  udp
Local-address=  195.24.xxx.yyy
Address=62.232.xxx.xxx
Configuration=  Default-main-mode
Authentication= makemeagoatorsomething

[Phase 2]
Connections=VPN-local-remote-62.232.xx.yy/255.255.255.224


[VPN-local-remote-62.232.xx.yy/255.255.255.224]
Phase=  2
ISAKMP-peer=local-remote
Configuration=  Default-quick-mode
Local-ID=   network-195.24.xxx.xxx/255.255.255.128
Remote-ID=  network-62.232.xxx.yyy/255.255.255.224



[network-195.24.xxx.xxx/255.255.255.128]
ID-type=IPV4_ADDR_SUBNET
Network=195.24.xxx.xx
Netmask=255.255.255.128



[network-62.232.xxx.yyy/255.255.255.0]
ID-type=IPV4_ADDR_SUBNET
Network=62.232.xxx.yyy
Netmask=255.255.255.0


[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Life=   ANY
Transforms= AES-256-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-AES-256-SHA-SUITE

[AES-256-SHA]
ENCRYPTION_ALGORITHM=   AES_CBC
KEY_LENGTH= 256,256:256
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=  MODP_1024
Life=   LIFE_MAIN_MODE

[QM-ESP-AES-256-SHA-SUITE]
Protocols=  QM-ESP-AES-256-SHA

 -- joe.



How to reply read -s from bash (linux) in ksh (OpenBSD)

2008-11-12 Thread HDC
I need to migrate a script to an OpenBSD server. It works OK, but in the
script some input parameters must be entered without echo in the
terminal.

I have not found this in ksh.

Thanks in advance!

-- 
# /dev/hdc
- OpenBSDeros.org
hdc [at] openbsderos [dot] org



Re: How to reply read -s from bash (linux) in ksh (OpenBSD)

2008-11-12 Thread Andreas Kahari
Something like

stty -echo
read variable
stty echo

Regards,
Andreas

2008/11/12 HDC [EMAIL PROTECTED]:
 I need to migrate a script to an OpenBSD server. It works OK, but in the
 script some input parameters must be entered without echo in the
 terminal.

 I have not found this in ksh.

 Thanks in advance!

 --
 # /dev/hdc
 - OpenBSDeros.org
 hdc [at] openbsderos [dot] org





-- 
Andreas Kahari
Somewhere in the general Cambridge area, UK



Re: How to reply read -s from bash (linux) in ksh (OpenBSD)

2008-11-12 Thread Denis Doroshenko
On Wed, Nov 12, 2008 at 6:40 PM, HDC [EMAIL PROTECTED] wrote:
 I need to migrate a script to an OpenBSD server. It works OK, but in the
 script some input parameters must be entered without echo in the
 terminal.

 I have not found this in ksh.

a couple of ideas

1) do

stty -echo
read foo bar
stty echo

though in case you hit ^c in that read, that may lead to a tty with no
echo. perhaps may be solved with trap.

2) write a tiny program read-s, which will do that
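As an added example (not code posted by Andreas or Denis), here is the stty -echo / read / stty echo sequence both replies suggest, wrapped in a function that also handles the ^C case Denis raises: the tty state is saved with stty -g and restored by a trap on SIGINT, so an interrupted read does not leave the terminal with echo off. The function name read_secret is chosen for the example.

```shell
#!/bin/sh
# Added example: a stand-in for bash's "read -s" for OpenBSD ksh or any
# POSIX sh.  The prompt goes to stderr and the value to stdout, so callers
# capture it with command substitution:   pw=$(read_secret "Password: ")
# When stdin is not a terminal (a pipe), no stty calls are made at all.

read_secret() {
    prompt=$1
    saved=""
    if [ -t 0 ]; then
        # Save the complete tty state; "stty echo" alone would lose any
        # other settings the caller had changed.
        saved=$(stty -g)
        # On ^C restore the tty before leaving, then exit the way an
        # interrupted command does (128 + SIGINT).
        trap 'stty "$saved"; exit 130' INT
        stty -echo
    fi
    printf '%s' "$prompt" >&2
    read -r value
    status=$?
    if [ -n "$saved" ]; then
        stty "$saved"
        trap - INT
        printf '\n' >&2      # the user's Enter was swallowed with echo off
    fi
    printf '%s\n' "$value"
    return "$status"
}
```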



Re: NAT + IPsec problem

2008-11-12 Thread BARDOU Pierre
Hello,

I succeed to do what I wanted using this : 
http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

Many thanks for the help !


--
Regards,
Pierre BARDOU

-Original Message-
From: Claer [mailto:[EMAIL PROTECTED]
Sent: Sunday, 9 November 2008 12:39
To: BARDOU Pierre
Subject: Re: NAT + IPsec problem

On Thursday, 6 November 2008 at 15:30, BARDOU Pierre wrote:
 Hello,
Hello,

 I am trying to setup an IPsec connection.
 Here is the ipsec.conf :
 ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
main auth hmac-sha1 enc aes-256 \
quick auth hmac-sha1 enc aes-256 group modp1024 psk 
 
 Tunnels go up well :
 flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 
 srcid
 212.99.28.26/32 dstid 10.3.2.2/32 type use flow esp out from 
 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 
 212.99.28.26/32 dstid 10.3.2.2/32 type require esp tunnel from 
 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1 enc aes 
 esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth 
 hmac-sha1 enc aes
 
 As my LAN is adressed using 10.31.0.0/16, I need to nat to 
 10.63.61.xxx before the tunnel.
 So I put this in my pf.conf :
 nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2
 
 The problem is tha packets going from 10.31.30.1 to 193.164.151.1 
 don't go through the tunnel, they are going to the internet.
 
 Here is the pflog :
 Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 
 193.164.151.1: icmp: echo request
 Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 
 193.164.151.1: icmp: echo request
 
 -> Packets are going out through em0 (my inet interface) instead of
 enc0
 
 As pf doc says translation occurs before filtering, I don't understand 
 why pf can see my real adress (10.31.30.1).
 And the most important : why outgoing packets -with good adresses- 
 don't go through the tunnel ?
 Have I misconfigured something ?
Yes and no. This config cannot work.

The NAT action is done on the outgoing interface after filtering; the RDR action
is done on the incoming interface before filtering.

When a packet arrives on the OpenBSD box, roughly this is what happens:

- inspection of the packet by pf (in)
 - does the packet need to be NATed (rdr)
 - is the packet allowed (new session or existing session)
 - does the packet need to be redirected to a particular interface
   (route-to)

- routing handled by the kernel
 - does the packet need to be encapsulated in an ipsec flow?
 - the packet is matched against the corresponding routing table

- inspection of the packet on the outgoing interface (out)
 - is the packet allowed (new session or existing session)
 - does the packet need to be redirected to a particular interface
   (route-to)
 - does the packet need to be NATed (nat)

Since the packet is encapsulated before the NAT, the latter cannot apply.
As mentioned in a reply to this thread, the solution is to go through a
loopback so that the NAT is applied before routing. That way the packet
passes through the routing table twice.

Beyond that I can't allow myself to give more configs, it would be helping a
competitor ;-) (NextiraOne)

Good luck!

Regards,

Claer


Re: relayd exits when disabling and enabling hosts

2008-11-12 Thread Stuart Henderson
On 2008/11/12 10:56, David Caro wrote:
 Yes, sorry it is a typo, I used 4.4-snapshot (10/08), got the same error,
 I'll try to test it on the release as soon as it gets out. If it keeps
 crashing I'll file a bug report.

a snapshot from October '08 is way past 4.4 release, which was
built in August. (takes a little while to produce CDs, build packages
for the slower architectures, etc).



openvpn error PKI on obsd 4.4

2008-11-12 Thread sonjaya
Hi,

I followed the tutorial from this site:
http://blog.innerewut.de/2005/7/4/openvpn-2-0-on-openbsd
I tried to make the PKI following the automatic script from openvpn, but it is not working;
below is the detailed log.
# uname -a
OpenBSD log.mydomain.com 4.4 GENERIC#1021 i386
#
#mkdir /etc/openvpn
#cp -R /usr/local/share/examples/openvpn/easy-rsa /etc/openvpn/
# init-config
ksh: init-config: not found
# ./vars
/etc/openvpn/easy-rsa/2.0/openssl.cnf[10]: HOME: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[11]: RANDFILE: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[12]: openssl_conf: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[17]: oid_section: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[18]: engines: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[37]: default_ca: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[42]: dir: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[43]: certs: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[44]: crl_dir: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[45]: database: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[46]: new_certs_dir: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[48]: certificate: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[49]: serial: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[50]: crl: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[51]: private_key: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[52]: RANDFILE: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[54]: x509_extensions: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[60]: default_days: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[61]: 30: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[62]: default_md: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[63]: preserve: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[68]: policy: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[72]: countryName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[73]: stateOrProvinceName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[74]: organizationName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[75]: organizationalUnitName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[76]: commonName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[77]: emailAddress: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[83]: countryName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[84]: stateOrProvinceName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[85]: localityName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[86]: organizationName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[87]: organizationalUnitName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[88]: commonName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[89]: emailAddress: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[93]: default_bits: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[94]: default_keyfile: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[95]: distinguished_name: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[96]: attributes: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[97]: x509_extensions: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[111]: string_mask: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[116]: syntax error: `(' unexpected
NOTE: If you run ./clean-all, I will be doing a rm -rf on
/etc/openvpn/easy-rsa/2.0/keys
#
then I tried using the openssl.cnf in /etc/ssl/
#cp /etc/ssl/openssl.cnf  /etc/openvpn/easy-rsa/2.0/
# chmod 755 openssl.cnf
# ./vars
/etc/openvpn/easy-rsa/2.0/openssl.cnf[6]: RANDFILE: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[10]: default_bits: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[11]: default_keyfile: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[12]: distinguished_name: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[13]: attributes: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[16]: syntax error: `(' unexpected
NOTE: If you run ./clean-all, I will be doing a rm -rf on
/etc/openvpn/easy-rsa/2.0/keys
#
still an error, maybe openssl.cnf is misconfigured.
here is my openssl.cnf (from the example)

# For use with easy-rsa version 2.0

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME= .
RANDFILE= $ENV::HOME/.rnd
openssl_conf= openssl_init

[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file   = $ENV::HOME/.oid
oid_section = new_oids
engines = engine_section
 # To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6


Re: symux/rrdtool problem on 4.4-snap

2008-11-12 Thread Ryan Flannery
On Wed, Nov 12, 2008 at 6:54 AM, Stuart Henderson [EMAIL PROTECTED] wrote:
 In gmane.os.openbsd.misc, you wrote:
 On 2008-11-12, Ryan Flannery [EMAIL PROTECTED] wrote:
 I'm having some strange problems with the symon (mon+mux) and rrdtool
 packages after recently upgrading to a 4.4 snapshot (fresh install).

 Seems like your Perl packages are not in-sync with the base perl.
 Make sure they are all up-to-date and you fetch from a mirror which
 isn't lagging.



 s/are not/may not be/, but that is the first thing to check anyway..



Ah, I missed that.  Many thanks for the clue-stick.

After upgrading and re-building the rrd's, everything works fine.

Thanks again,
-ryan



Missing security announcements

2008-11-12 Thread Peer Janssen

Hi!

I subscribed to security-announce a long time ago and thought I would 
receive information about security announcements, but contrary to what is 
stated on http://openbsd.org/mail.html:


security-announce - Security announcements. This low volume list 
receives OpenBSD security advisories and pointers to security patches as 
they become available.,


as is easily verifiable here:

http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/

together with:

http://openbsd.org/errata44.html,

the patches are not announced.

If the stated annoucement process via mailing list is unreliable or 
untimely, I'd think it's useless, and with it that mailing list.


Regards
Peer



Re: How to reply read -s from bash (linux) in ksh (OpenBSD)

2008-11-12 Thread HDC
 1) do
 stty -echo
 read foo bar
 stty echo

 though in case you hit ^c in that read, that may lead to a tty with no
 echo. perhaps may be solved with trap.

This works fine with stty & traps!

Thanks!

-- 
# /dev/hdc
- OpenBSDeros.org
hdc [at] openbsderos [dot] org
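The stty/trap approach from the reply above, written out as an added example (this is not code from the thread): a "read -s" substitute for OpenBSD ksh and any POSIX sh. The function name, the prompt text and the READ_SECRET_DEMO switch are mine.

```sh
#!/bin/sh
# Added example (not from the thread): a "read -s" substitute for OpenBSD ksh
# (and any POSIX sh) built on stty(1), with a trap so that ^C during the
# read does not leave the terminal with echo switched off.

# read_secret VAR [PROMPT]
#   Reads one line from standard input into the variable named VAR. When
#   stdin is a terminal, echo is disabled for the duration of the read and
#   restored afterwards, including when the read is interrupted. Returns
#   read's exit status (non-zero on EOF or interrupt).
read_secret() {
    _rs_var=$1
    _rs_prompt=${2:-Password: }
    _rs_tty=0
    if [ -t 0 ]; then
        _rs_tty=1
        _rs_saved=$(stty -g)     # complete terminal state, restorable as-is
        # The trap runs before read returns on ^C/hangup/kill, so the
        # terminal is sane again by the time the caller sees the error
        # status. Only the tty state is touched; the caller decides
        # whether to abort.
        trap 'stty "$_rs_saved"' INT TERM HUP
        stty -echo
    fi
    printf '%s' "$_rs_prompt" >&2
    read -r "$_rs_var"
    _rs_rc=$?
    if [ "$_rs_tty" -eq 1 ]; then
        stty "$_rs_saved"
        trap - INT TERM HUP
        echo >&2                 # the user's Enter was not echoed
    fi
    return $_rs_rc
}

# Demo when run as a script with READ_SECRET_DEMO=1: the secret itself is
# never printed, only its length.
if [ "${READ_SECRET_DEMO:-0}" = 1 ]; then
    if read_secret pw "Secret: "; then
        printf 'read %d characters\n' "${#pw}"
    else
        echo "aborted" >&2
        exit 1
    fi
fi
```

Two things to keep in mind when sourcing this into an interactive shell: the function installs and then clears INT/TERM/HUP traps, so any trap the caller had on those signals is lost, and when stdin is not a terminal (pipe, here-document) it simply reads the line without touching stty.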



Re: dhcpd problem on OpenBSD 4.4 with release / renew

2008-11-12 Thread Administrator

Kenneth R Westerback wrote:

On Tue, Nov 11, 2008 at 03:03:19PM -0800, Brian Keefer wrote:

On Nov 11, 2008, at 2:01 PM, Administrator wrote:


Brian Keefer wrote:

On Nov 11, 2008, at 12:42 PM, Administrator wrote:
Nope, didn't help. There must be some other mistery. Now it stops  
at DHCPOFFER part.



DHCPDISCOVER from 00:50:18:48:cb:3d via vlan51
DHCPOFFER on 192.168.51.3 to 00:50:18:48:cb:3d via vlan51
DHCPDISCOVER from 00:50:18:48:cb:3d via vlan51
DHCPOFFER on 192.168.51.3 to 00:50:18:48:cb:3d via vlan51

Any ideas?
Do you have the ability to test on -current?  You might try that.   
Also definitely post a follow-up to Misc@ and Cc:  
[EMAIL PROTECTED] to see if he has any ideas.  I'm not a DHCP  
guru, unfortunately.
He's probably going to need some tcpdump samples to see what options 
are getting passed.  This is what was requested last time:

please include tcpdump -eni<interface> -Xvvs port 67 or port 68
Ok, I will try -current tomorrow. Do I have to recompile world or just 
dhcpd? Will this be enough?


# cd /usr/src/usr.sbin/dhcpd
# make obj && make && make install



For -current you should install a snapshot and go from there.  I believe 
you can't just update dhcpd because there have been library changes.


Hopefully you have a box you can test on.  I tend to use VMs for this  
kind of thing.


--
bk


You should be able to just get -current /usr/src/usr.sbin/dhcpd/options.c
and recompile on your system. The library problem was with my
compiling on a -current system and someone trying to run that executable
on a -release system.

 Ken



Recompiled /usr/src/usr.sbin/dhcpd with -current source tree, but this 
didn't solve my problem anyway.


# ls -la /usr/sbin/dhcpd
-r-xr-xr-x  1 root  bin  89956 Nov 12 15:48 /usr/sbin/dhcpd

# tcpdump -enivlan51 -Xvvs port 67 or port 68
tcpdump: listening on vlan51, link-type EN10MB
15:49:13.301041 00:50:18:48:cb:3d ff:ff:ff:ff:ff:ff 0800 342: 
192.168.51.3.68 > 255.255.255.255.67: [udp sum ok] xid:0x5e8ed704 
C:192.168.51.3 vend-rfc1048 DHCP:RELEASE SID:192.168.51.254 
CID:1.0.80.24.72.203.61 (ttl 64, id 57884, len 328)

  0000: 4500 0148 e21c 0000 4011 a3dd c0a8 3303
  0010: ffff ffff 0044 0043 0134 6d17 0101 0600
  0020: 5e8e d704 0000 0000 c0a8 3303 0000 0000
  0030: 0000 0000 0000 0000 0050 1848 cb3d 0000
  0040: 0000 0000 0000 0000 0000 0000 0000 0000
  0050: 0000 0000 0000 0000 0000 0000 0000 0000
  0060: 0000 0000 0000 0000 0000 0000 0000 0000
  0070: 0000 0000 0000 0000 0000 0000 0000 0000
  0080: 0000 0000 0000 0000 0000 0000 0000 0000
  0090: 0000 0000 0000 0000 0000 0000 0000 0000
  00a0: 0000 0000 0000 0000 0000 0000 0000 0000
  00b0: 0000 0000 0000 0000 0000 0000 0000 0000
  00c0: 0000 0000 0000 0000 0000 0000 0000 0000
  00d0: 0000 0000 0000 0000 0000 0000 0000 0000
  00e0: 0000 0000 0000 0000 0000 0000 0000 0000
  00f0: 0000 0000 0000 0000 0000 0000 0000 0000
  0100: 0000 0000 0000 0000 6382 5363 3501 0736
  0110: 04c0 a833 fe3d 0701 0050 1848 cb3d ff00
  0120: 0000 0000 0000 0000 0000 0000 0000 0000
  0130: 0000 0000 0000 0000 0000 0000 0000 0000
  0140: 0000 0000 0000 0000

15:49:17.371880 00:50:18:48:cb:3d ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 
> 255.255.255.255.67: [udp sum ok] xid:0x73d08ba secs:55475 
vend-rfc1048 DHCP:DISCOVER CID:1.0.80.24.72.203.61 RQ:192.168.51.3 
HN:Suezou^@ VC:77.83.70.84.32.57.56 PR:SM+DN+DG+NS+WNS+WNT+WSC+VO+77 
(ttl 64, id 64284, len 328)

  0000: 4500 0148 fb1c 0000 4011 7e89 0000 0000
  0010: ffff ffff 0044 0043 0134 2ac8 0101 0600
  0020: 073d 08ba d8b3 0000 0000 0000 0000 0000
  0030: 0000 0000 0000 0000 0050 1848 cb3d 0000
  0040: 0000 0000 0000 0000 0000 0000 0000 0000
  0050: 0000 0000 0000 0000 0000 0000 0000 0000
  0060: 0000 0000 0000 0000 0000 0000 0000 0000
  0070: 0000 0000 0000 0000 0000 0000 0000 0000
  0080: 0000 0000 0000 0000 0000 0000 0000 0000
  0090: 0000 0000 0000 0000 0000 0000 0000 0000
  00a0: 0000 0000 0000 0000 0000 0000 0000 0000
  00b0: 0000 0000 0000 0000 0000 0000 0000 0000
  00c0: 0000 0000 0000 0000 0000 0000 0000 0000
  00d0: 0000 0000 0000 0000 0000 0000 0000 0000
  00e0: 0000 0000 0000 0000 0000 0000 0000 0000
  00f0: 0000 0000 0000 0000 0000 0000 0000 0000
  0100: 0000 0000 0000 0000 6382 5363 3501 013d
  0110: 0701 0050 1848 cb3d 3204 c0a8 3303 0c07
 

Re: IPSec to Checkpoint

2008-11-12 Thread Hans-Joerg Hoexer
Support for specifying aes key sizes was added in February 2008, thus 4.2
does not provide this.

On Wed, Nov 12, 2008 at 03:17:17PM +, Joe Warren-Meeks wrote:
 On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote:
 
 Hey there,
 
 OK, so I've switched to ipsec.conf and it is alot easier!
 
 However, I'm still struggling to use aes 256.
 
 I have the following:
 
 ike esp from 195.24.xxx.x/25 to 62.232.yyy.y/27 \
 local 195.24.aaa.aa peer 62.232.bbb.bbb \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes psk sudomakemeagoat
 
 This uses aes128. Is there any way to get aes256 working? Note: I'm on
 4.2, was 256 support added later? If not, is there any way I could
 enable 256 on 4.2?
 
  -- joe.
 
 I can't believe Alan Davies would do that. I absolutely love him!
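An added example, not Joe's configuration or anything else from the thread: the same two rules with the key length spelled out, which ipsec.conf(5) accepts on releases built after the February 2008 change (4.3 onward). The network addresses are the masked ones from Joe's mail; the pre-shared key is a placeholder.

```conf
# /etc/ipsec.conf (added example; addresses masked as in the original mail)
# "enc aes" alone negotiates a 128-bit key. Name the key length explicitly
# to get AES-256 in both the IKE (main) and the IPsec (quick) proposals;
# the Checkpoint side has to offer the same algorithms and group.
ike esp from 195.24.xxx.x/25 to 62.232.yyy.y/27 \
        local 195.24.aaa.aa peer 62.232.bbb.bbb \
        main auth hmac-sha1 enc aes-256 group modp1024 \
        quick auth hmac-sha1 enc aes-256 \
        psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

Generate the PSK with something like "openssl rand -base64 32" rather than an English phrase, and keep /etc/ipsec.conf readable by root only, since the secret sits in it in cleartext. Adding "group modp1024" to the quick line as well turns on PFS for the IPsec SAs if the peer supports it.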



Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Vivek Ayer
I don't think I understand. Clarify. You mean carpdev is like your
physical interface..eth0, re0, etc.?

On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote:
 On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote:
 [...]
 # macros
 [...]
 carpdevs = { carp0 , carp1 }
 [...]
 # pass rules
 [...]
 pass in on $carpdevs inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state # Allow SSH Access from Outside


 just from a quick glance:
 pf(4) never filters on carp interfaces, but on carp's physical
 interface (aka carpdev).



PCC developer looking for funding through BSD Fund

2008-11-12 Thread Mark Carlson
I know there has been some interest on this list related to having a
BSD licensed C compiler used for OpenBSD.  Anders Magnusson (Ragge,)
is the maintainer of PCC and is looking for some funding through BSD
Fund (tax deductible in the US) to get a V1.0 release out.

This is also on Undeadly, if you have not seen it already:
http://undeadly.org/cgi?action=article&sid=20081108135831&mode=expanded

A post to pcc-list by Anders Magnusson:
http://marc.info/?l=pcc-list&m=122633955912667&w=2

BSD fund has decided to get into the business of trying to get
donations for further PCC development, so that there can be faster
progress in development.

I have been discussing pcc with BSD fund for a while, and I think they
are doing a great job!

More info on http://www.bsdfund.org/projects/pcc/ , if you want to
contribute to PCC development or have a company that might be
interested in giving money for PCC.


-Mark C.



Re: Experiences running named and rndc on 4.4 vs 4.3 - Solved/Explained

2008-11-12 Thread Don Jackson
Yes, you are exactly right.
My OS install script renames the existing /var/named/etc directory, and
creates a new one pulled from version control, and in so doing, does not
restore the correct ownership of the etc directory.

So later on, during the execution of /etc/rc, the rndc.key file gets created
with the wrong ownership, which led to the problem I reported.

Because the rndc.key was generated later in this process, I did not think I
had an ownership issue with it, but clearly the problem is the ownership of
the parent directory.

Thank you for your insight into my problem, I will make sure my install
scripts do a better job of maintaining the ownership/permissions...

Don

On Wed, Nov 12, 2008 at 6:17 AM, Woodchuck [EMAIL PROTECTED] wrote:

 On Tue, 11 Nov 2008, Don Jackson wrote:

  Today I began testing named on a freshly installed OpenBSD 4.4 amd64
  machine, using my old named.conf file from 4.3 (which was still running
  named version 9.4.2)
 
  When the machine first boots after the install, /etc/rc determines there
 is
  no rndc.key, and generates one:
 
  rndc-confgen: generating new shared secret... done.
  starting named
 
 
  Here are the owner, group, and file modes of the two different copies of
  rndc.key that are generated:
 
  # ls -lAF /etc/rndc.key /var/named/etc/rndc.key
  -rw---  1 root  wheel  77 Nov 11 12:24 /etc/rndc.key
  -rw-r-  1 root  wheel  77 Nov 11 12:24 /var/named/etc/rndc.key
 
 
  named only cares about the rndc.key in /var/named/etc

 Right.  But later, rndc will use the /etc version.  So you need
 both, and the permissions you show are sane ones.

  Looking at the logs: /var/log/daemon, one can see:
 
  Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission
  denied
  Nov 11 12:24:10 svn01 named[142]: couldn't add command channel
 127.0.0.1#953:
  permission denied
 
  Here is my workaround:
 
  # chown root:named /var/named/etc/rndc.key
  # ls -lAF /var/named/etc/rndc.key
  -rw-r-  1 root  named  77 Nov 11 12:24 /var/named/etc/rndc.key
 
 
  Should /etc/rc set the group ownership of /var/named/etc/rndc.key?
 
  Comments?

 I think rndc.key should pick up the named group from the ownerships
 and permissions on /var/named/etc.

 /var/named/etc should be owned by root.named and have permissions 750.

 I bet your /var/named/etc is owned by root.wheel.

 Dave
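A check that would have caught this, as an added example rather than anything from Don's or Dave's mails: the install script can verify the ownership and mode of /var/named/etc (and of the rndc.key that /etc/rc later creates in it) before named is started. The expected values are the ones Dave gives above (root:named, 750 on the directory, 640 on the key file); the numeric gid 70 for named is the stock OpenBSD value; the function names and the "check"/"fix" arguments are mine.

```sh
#!/bin/sh
# Added example (not from the thread): check, and optionally fix, the
# ownership and permissions of the named(8) chroot's etc directory.
# rndc.key takes its group from the directory /etc/rc creates it in, so
# a directory that came back from version control as root:wheel yields a
# key file named cannot read. Assumed values: OpenBSD 4.4 layout,
# root = uid 0, named = gid 70 (the stock OpenBSD ids).

NAMED_UID=0
NAMED_GID=70

# perms_ok PATH MODE UID GID
#   Succeeds if PATH has the symbolic mode printed by ls -l (e.g. drwxr-x---)
#   and the numeric owner and group given. Returns 2 if PATH is missing.
perms_ok() {
    _po_line=$(ls -ldn "$1" 2>/dev/null) || return 2
    set -- "$2" "$3" "$4" $_po_line
    _po_mode=${4%[+@.]}        # drop the ACL/xattr/SELinux marker some ls add
    [ "$_po_mode" = "$1" ] && [ "$6" = "$2" ] && [ "$7" = "$3" ]
}

# check_named_chroot [ROOT]
#   Verifies ROOT/var/named/etc and, if present, its rndc.key.
#   Reports each problem on stderr; returns 1 if anything needs fixing.
check_named_chroot() {
    _cn_etc=${1:-}/var/named/etc
    _cn_rc=0
    if ! perms_ok "$_cn_etc" drwxr-x--- "$NAMED_UID" "$NAMED_GID"; then
        echo "$_cn_etc: want uid $NAMED_UID gid $NAMED_GID mode 750" >&2
        _cn_rc=1
    fi
    if [ -e "$_cn_etc/rndc.key" ] &&
       ! perms_ok "$_cn_etc/rndc.key" -rw-r----- "$NAMED_UID" "$NAMED_GID"; then
        echo "$_cn_etc/rndc.key: want uid $NAMED_UID gid $NAMED_GID mode 640" >&2
        _cn_rc=1
    fi
    return $_cn_rc
}

# fix_named_chroot [ROOT]
#   Applies the expected ownership and modes; must run as root.
fix_named_chroot() {
    _fn_etc=${1:-}/var/named/etc
    chown "$NAMED_UID:$NAMED_GID" "$_fn_etc" &&
    chmod 750 "$_fn_etc" &&
    { [ ! -e "$_fn_etc/rndc.key" ] ||
      { chown "$NAMED_UID:$NAMED_GID" "$_fn_etc/rndc.key" &&
        chmod 640 "$_fn_etc/rndc.key"; }; }
}

# When run as a script: "sh named-perms.sh check [ROOT]" or "... fix [ROOT]".
case "${1:-}" in
    check) check_named_chroot "${2:-}" ;;
    fix)   fix_named_chroot "${2:-}" && check_named_chroot "${2:-}" ;;
esac
```

Running the "check" form from the install script right after the directory is replaced, and failing the install on a non-zero exit, keeps a wrongly owned chroot from reaching the first boot where /etc/rc would generate the key.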



Re: Problem with relayctl - OBSD 4.4

2008-11-12 Thread BARDOU Pierre
Hello,

Here is the log for relayd -dv.
When I try to relayctl reload I got a command failed and nothing in
relayd output.

# relayd -dv
warning: macro 'squid_adh' not used
warning: macro 'dns_adh' not used
warning: macro 'dns1_ext' not used
warning: macro 'dns2_ext' not used
warning: macro 'mx1_ext' not used
warning: macro 'mx2_ext' not used
warning: macro 'mx_int' not used
warning: macro 'mx_adh' not used
startup
relay_privinit: adding relay squid
protocol 1: name http_proxy
flags: 0x0004
type: http
relay_privinit: adding relay dns
protocol 2: name dnsfilter
flags: 0x0004
type: hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
host 10.60.0.102, check tcp (1ms), state unknown -> up, availability 100.00%
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
host 10.60.0.102, check tcp (1ms), state unknown -> up, availability 100.00%
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
host 10.60.0.101, check tcp (1ms), state unknown -> up, availability 100.00%
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
host 10.60.0.101, check tcp (1ms), state unknown -> up, availability 100.00%
dns
relay_init: max open files 1024
adding 2 hosts from table squid:3128
adding 2 hosts from table DNS:53
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
init_filter: filter init done
relay_launch: running relay squid
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
relay_init: max open files 1024
init_tables: created 0 tables
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table squid:3128
pfe_dispatch_imsg: state 1 for host 2 10.60.0.102
relay_launch: running relay squid
adding 2 hosts from table DNS:53
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay dns
relay_launch: running relay dns
pfe_dispatch_imsg: state 1 for host 4 10.60.0.102
relay_launch: running relay squid
relay_launch: running relay dns
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay dns
relay_launch: running relay dns
relay_launch: running relay dns
pfe_dispatch_imsg: state 1 for host 1 10.60.0.101
relay_launch: running relay dns
relay_launch: running relay dns
relay_launch: running relay dns
relay_launch: running relay squid
pfe_dispatch_imsg: state 1 for host 3 10.60.0.101
relay_launch: running relay dns
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)

 


--
Regards,
Pierre BARDOU

-----Original Message-----
From: Stuart Henderson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 11 November 2008 13:20
To: misc@openbsd.org
Subject: Re: Problem with relayctl - OBSD 4.4

On 2008-11-11, James Records [EMAIL PROTECTED] wrote:
 Pierre,

 I'm seeing the same exact thing, I'm not able to reload the config 
 without killing and restarting relayd.

 I haven't looked at the source yet, but I may get to that in the next 
 couple days, restarting is an ok work around for me at this point, but 
 won't be when it gets into production.

 Jim

Run relayd -dv, try and reload the config, check the output and paste it in
mail.



Re: relayd exits when disabling and enabling hosts

2008-11-12 Thread David Caro
In that case i'll make the bug report as soon as i get one machine idle
enough time to install openbsd 4.4 again.

2008/11/12 Stuart Henderson [EMAIL PROTECTED]

 On 2008/11/12 10:56, David Caro wrote:
  Yes, sorry it is a typo, I used 4.4-snapshot (10/08), got the same error,
  I'll try to test it on the release as soon as it gets out. If it keeps
  crashing I'll file a bug report.

 a snapshot from October '08 is way past 4.4 release, which was
 built in August. (takes a little while to produce CDs, build packages
 for the slower architectures, etc).



Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Stuart Henderson
On 2008-11-12, Vivek Ayer [EMAIL PROTECTED] wrote:
 i don't think I understand. Clarify. you mean carpdev is like your
 physical interface..eth0, re0, etc.?

yes


 On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher [EMAIL PROTECTED] 
 wrote:
 On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote:
 [...]
 # macros
 [...]
 carpdevs = { carp0 , carp1 }
 [...]
 # pass rules
 [...]
 pass in on $carpdevs inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state # Allow SSH Access from Outside


 just from a quick glance:
 pf(4) never filters on carp interfaces, but on carp's physical
 interface (aka carpdev).



symux/rrdtool problem on 4.4-snap

2008-11-12 Thread Ryan Flannery
Hello misc@,

I'm having some strange problems with the symon (mon+mux) and rrdtool
packages after recently upgrading to a 4.4 snapshot (fresh install).

Previously I was running 4.3 with symon & symux installed, and would
cron a script that created rrdtool graphs from some of the symux rrd
files, similar to what syweb does (only from cron).

After the upgrade, any attempt to fetch info from some of the rrd
files (e.g. via rrdtool fetch <rrdname> <CF>) created & updated by
symux results in either a segfault or the following error from
rrdtool:
 ERROR: fetching cdp from rra

Same if I try to graph any of those files.

The only rrds that I can fetch info from, and graph, are the mbuf,
mem, and pf rrds.

I've re-created the rrds a dozen times, always from the provided
c_smrrds.sh script.  Symux reports no errors while running, and seems
to be updating all of the rrds.  On all of them, I can run
   rrdtool last <rrdname>
without error, and see that it was updated within the last 5 seconds.

I've been trying to track down the error, but so far have had no luck.

Any ideas or a clue-stick-smacks would be greatly appreciated.

Many Thanks,
-ryan


OpenBSD 4.4-current (GENERIC.MP) #1959: Mon Nov  3 12:17:11 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2133671936 (2034MB)
avail mem = 2071810048 (1975MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0x7ffbc000 (62 entries)
bios0: vendor Dell Inc. version 1.2.0 date 10/18/2006
bios0: Dell Inc. PowerEdge 2900
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET MCFG
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU 5130 @ 2.00GHz, 1995.25 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 332MHz
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(R) CPU 5130 @ 2.00GHz, 1995.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu1: 4MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU 5130 @ 2.00GHz, 1995.00 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu2: 4MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 7 (application processor)
cpu3: Intel(R) Xeon(R) CPU 5130 @ 2.00GHz, 1995.00 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,TM2,CX16,xTPR,NXE,LONG
cpu3: 4MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 8 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
ioapic1 at mainbus0 apid 9 pa 0xfec80000, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
ioapic2 at mainbus0 apid 10 pa 0xfec83000, version 20, 24 pins
ioapic2: misconfigured as apic 0, remapped to apid 10
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 6 (PEX2)
acpiprt2 at acpi0: bus 7 (UPST)
acpiprt3 at acpi0: bus 8 (DWN1)
acpiprt4 at acpi0: bus 10 (DWN2)
acpiprt5 at acpi0: bus 11 (PE2X)
acpiprt6 at acpi0: bus 12 (PEX3)
acpiprt7 at acpi0: bus 13 (PEX4)
acpiprt8 at acpi0: bus 1 (PEX5)
acpiprt9 at acpi0: bus 2 (PE2P)
acpiprt10 at acpi0: bus 14 (PEX6)
acpiprt11 at acpi0: bus 4 (SBEX)
acpiprt12 at acpi0: bus 16 (COMP)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel 5000X Host rev 0x12
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0x12
pci1 at ppb0 bus 6
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 7
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 8
ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc2
pci4 at ppb3 bus 9
bnx0 at pci4 dev 0 function 0 Broadcom BCM5708 rev 0x11: apic 8 int 16 (irq 5)
ppb4 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01: apic 8
int 16 (irq 0)
pci5 at ppb4 bus 10
ppb5 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci6 at ppb5 bus 11
em0 at pci6 dev 1 function 0 Intel PRO/1000GT (82541GI) rev 0x05:
apic 9 int 0 (irq 5), address 00:1b:21:0a:06:41
ral0 at pci6 dev 2 function 0 Ralink RT2561S rev 0x00: apic 9 int 4
(irq 5), address 00:0e:2e:8d:26:66
ral0: MAC/BBP RT2561C, RF RT2527
ppb6 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0x12: apic 8 int 16 (irq 0)
pci7 at ppb6 bus 12
ppb7 at pci0 dev 4 function 0 Intel 5000 PCIE rev 0x12: apic 8 int 16 (irq 0)
pci8 at ppb7 

Re: Using a separate boot partition

2008-11-12 Thread Louis V. Lambrecht

Seems to me we are not looking in the right direction.
I seem to understand that the problem is multi-booting, with OSes 
possibly on multiple physical devices.
It also seems that the starting point is a Lunixish advocating of having 
a /boot partition handling *all* parameters for all OSes, which is 
presumptuous or a misplaced ego at least.
Each new installation of an OS needs the controlling /boot/grub/menu.lst 
to be mounted and sudo edited (or worse, GRUB re-installed) before being 
able to boot that new OS.


Very likely, GNU GRUB Legacy is used and installed in the /boot volume.
So why not use it?

With GRUB you can:
map drives (tell from which to really boot from)
hide/unhide partitions (i.e.: have two OpenBSD installs on the same drive)
make partitions active
chainload partitions
have many instances of grub, each in its own volume, handling all 
specific OSes automatically
write their specific kernel parameters

Key is to install the OSes to boot from their own partition and to never 
re-write the MBR.

Only one OS should be allowed to write one MBR, be it NTLDR, GAG, GRUB.
With Lilo and GRUB, you may choose to install the boot record in the 
(mis-named) partition boot record (PBR) which is more like a volume boot 
record.
grub setup (hd,x)
grub install (hd,x)
Then, chainload.
title whatever
root (hd,y)
chainloader +1
boot
And leave it to the OS specific boot processes to have it their specific 
way with their specific boot.conf or menu.lst or init.

More on GRUB, check this (Ubuntuish but extensive) 
http://users.bigpond.net.au/hermanzone/
Don't miss the MBR description 
http://users.bigpond.net.au/hermanzone/p6.htm which tells you
you should only rewrite the first 446 bytes of the MBR, leaving the 
rest (the four DOS/Intel partition table entries) unchanged unless you 
know what you are doing.

Douglas A. Tutty wrote:

On Wed, Nov 12, 2008 at 12:05:47AM -0500, Douglas A. Tutty wrote:
  

On Tue, Nov 11, 2008 at 08:31:42PM -0800, Joseph Alten wrote:

So there isn't really an option like I was describing? I was going to just  
create my / partition on my boot hard drive like you mentioned, but I  
seemed so close when I ran boot hd0a:/bsd -a at the boot prompt that I  
thought I was missing something in the documentation...
  

The boot prompt is the boot loader not the kernel.  With your command,
you're telling the boot loader to load the kernel on hd0a:/ called bsd.
That's not the same as booting a kernel on one drive and using a
different drive for the root partition, which is what you asked for.



Yes, I know the -a flag tells the kernel to ask for root device.  I just
don't see a way of telling the kernel up-front what root device to use.


  

In Linux parlance, this is having grub on /dev/hda but linux on
/dev/hdc1, which works without needing a separate /boot partition.




Re: relayd: does timeout-directive limits time for SSL-handshake?

2008-11-12 Thread Johan Ström

Hi!

(ok not really a Re: since I don't have the original message, but I 
copy-pasted somewhat from archives to get some context, hope no one 
minds :) http://www.nabble.com/relayd:-does-timeout-directive-limits-time-for-SSL-handshake--td19698613.html)


Just want to bring this back up, since I just had this problem as  
well. And I had to bring it up more than 2s (running at 15s now) due  
to slow (mobile among others) clients.

Didn't see anything in CVS, any chances of changes?

A SSL handshake could very well take a few seconds on slow clients (as  
shown), but if my service is taking 2-3s to respond, something is  
wrong and I'd want to throw it out of rotation earlier than that.


A separate connection_setup_timeout directive or something might be in 
order?


Btw, would there be any problems running CURRENT relayd/relayctl on a  
4.4 kernel/system?


Thanks
Johan


On Monday, September 29, 2008 - 5:49 pm, Reyk Floeter wrote:
 Hi!

 On Sat, Sep 27, 2008 at 02:01:09AM +0200, Till Neudecker wrote:
  I have a pretty normal loadbalancing setup (2 relayd-loadbalancer, 2 backend
  hosts). The loadbalancer accepts ssl-encrypted sessions and forwards them
  unencrypted to the backend-hosts.
  Because all the hosts are on the same LAN
  I set the global timeout-directive to 200ms.

 200ms is a really brave timeout even for host checks in a LAN.  I
 almost always increase it in my configurations, but I think pyr@ liked
 the really short timeout ;).  But we should probably bump up the
 default to prevent failures in common configurations.

  When now connecting from a slow internet-connection to my service, I often
  receive a SSL accept timeout. After changing the global timeout to 2000ms
  the problem disappears. The man page only says timeout limits the time for
  the checks of the backend-hosts but nothing about the SSL-handshake from
  clients.
  Can someone agree or disagree with my guess that timeout also limits the
  time for the SSL-handshake?

 Yes, this is right.  The global timeout is a connection timeout
 which is used by the health checks but also by the initial
 connect/accept of the relays in TCP and SSL mode.  This means that
 this timeout will be used for the time to establish the stateful TCP
 or SSL connection.  The established connection will switch to the
 per-relay session timeout which defaults to 600s (10min) for idle
 TCP/SSL sessions.

 Thanks for your hint, I will think about adding another timeout and/or
 improving the manpage here.

 Reyk
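The two timeouts Reyk describes, in an added relayd.conf fragment that is not from the thread: the global one covers health checks and the initial connect/SSL accept, the per-relay one only covers sessions that are already established. Addresses, the table name and the relay name are placeholders, and the syntax follows relayd.conf(5) of that era.

```conf
# Added example relayd.conf fragment (not from the thread).

# Global timeout, in milliseconds. relayd uses it both for host health
# checks and for the initial TCP connect / SSL accept of every relay, so it
# has to be long enough for a slow client's SSL handshake, not just for a
# LAN check. 200 ms is fine for the checks alone and far too short here.
timeout 5000

table <backends> { 10.0.0.11 10.0.0.12 }

relay https_frontend {
        listen on 192.0.2.1 port 443 ssl

        # Idle timeout for established sessions, in seconds (default 600).
        # This clock only starts once the connection is up; the handshake
        # itself stays under the global timeout above.
        session timeout 300

        forward to <backends> port 80 check tcp
}
```

Until a separate connection-setup timeout exists, the global value is the only knob for slow handshakes, so raising it also slows detection of a backend that stops answering its health check; see relayd.conf(5) for where relayd expects the certificate and key for the listen address.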



Re: Using a separate boot partition

2008-11-12 Thread Raimo Niskanen
On Tue, Nov 11, 2008 at 07:52:30PM -0800, Joseph Alten wrote:
 Due to technical constraints, my setup requires that I have a separate  
 boot partition (basically the kernel and anything else critical for  
 booting), and then of course my root partition & other data partitions on a  
 separate disk.

Can you say more about the technical constraints. If it is just
size constraints there should not be much of a problem since
the root partition is supposed to be small in OpenBSD.


 
 I'm kind of new to OpenBSD, and so far what I've managed to do is copy  
 /bsd to a separate partition, then at the boot prompt I run boot hd0a  
 -a, then specify my root partition when prompted by the kernel. While  
 this has the desired effect, I'd rather not run this every time I want to  
 boot OpenBSD. Is there a kernel parameter I can pass that lets the kernel  
 know ahead of time the root device I wish to mount?
 
 Basically I'm looking for the OpenBSD equivalent of root=/dev/xxx Linux  
 kernel parameter. I think I managed to get FreeBSD working similarly with  
 the vfs.root.mountfrom= parameter, but this doesn't appear to exist in  
 OpenBSD.
 
 Thanks for looking into this.
 
 -- 
 Joseph Alten

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: Using a separate boot partition

2008-11-12 Thread Stuart Henderson
On 2008-11-12, dermiste [EMAIL PROTECTED] wrote:
 I'm backing ben here : OpenBSD / should be small enough to fit it
 entirely into a boot partition.

/etc/{master.,}passwd and /etc/{s,}pwd.db can grow pretty large
on some systems...



Re: How to NAT a site-site VPN tunnel

2008-11-12 Thread nuffnough
2008/11/12 Mitja MuEeniD
 [EMAIL PROTECTED]:
 If you control the target box, the simplest solution by far is to assign a
 deconficting alias address to it and then establish the VPN tunnel between
 the 3rd party site and this alias address of yours. Everybody will be
 accessing through the original address except for the problematic site, they
 will use the alias.

 There are tricks with nat on ipsec but they are very hard to configure
 right.

I have full control over the local OBSD server and the internal
network, however the address assiged to the box in question is pretty
entrenched and so it isn't really possible to change its address.   :(

I am not completely without clue,  and am willing to get deeper into
the configs in question.

I should probably point out that I am still using the older style
isakmpd.[conf,policy] files at this time,  but I believe that my
problem lies within the pf.conf file.

I think I need to so something like

nat on rl2 from 172.20.20.123/32 to $client_network -> enc0

but that doesn't seem to work for me



Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Vivek Ayer
then, what about this: pass on $carpdev proto carp keep state

Looks like it's filtering on the $carpdev, which is carp0 and carp1 in
this case. It's just what I read in the pf book. I'd like to resolve
this soon so I can go ahead and launch my website. I feel like there's
a lot of carp in the pf files. I need to lean it down a little. That
might be causing all these problems.

Help appreciated,
Vivek

On Wed, Nov 12, 2008 at 2:19 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2008-11-12, Vivek Ayer [EMAIL PROTECTED] wrote:
 i don't think I understand. Clarify. you mean carpdev is like your
 physical interface..eth0, re0, etc.?

 yes


 On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher [EMAIL PROTECTED] 
 wrote:
 On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote:
 [...]
 # macros
 [...]
 carpdevs = { carp0 , carp1 }
 [...]
 # pass rules
 [...]
 pass in on $carpdevs inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state # Allow SSH Access from Outside


 just from a quick glance:
 pf(4) never filters on carp interfaces, but on carp's physical
 interface (aka carpdev).



Re: Can't SSH into CARP'd system from the outside

2008-11-12 Thread Stuart Henderson
On 2008/11/12 14:35, Vivek Ayer wrote:
 then, what about this: pass on $carpdev proto carp keep state

the proto carp packets are all strictly on the parent interfaces,
that is the only place you need to pass them.

 Looks like it's filtering on the $carpdev, which is carp0 and carp1 in
 this case.

$carpdev would be a pf.conf macro and could be anything, I don't
have a copy of the book and http://home.nuug.no/~peter/pf/en/
doesn't talk about carp in pf.conf so I can't check how it's used
there.

I think most people using the term carpdev would use it in the
sense it's described in carp(4), i.e. the interface the carp
device attaches to. 

 It's just what I read in the pf book. I'd like to resolve
 this soon so I can go ahead an launch my website. I feel like there's
 a lot of carp in the pf files. I need to lean it down a little. That
 might be causing all these problems.

the only time I use the carp interface in pf.conf is for address
specification, pass to (carp80) etc.
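Pulled together from Marco's and Stuart's replies above, as an added example that is not configuration from the thread: a minimal 4.4-style rule set in which the carpdev is the only interface the rules name and the carp interface appears only as an address. em0 as the carpdev, carp0 as the CARP interface and the service list are assumptions.

```conf
# Added example pf.conf (not from the thread).
# Assumed names: em0 is the physical interface (the carpdev) and carp0 is
# the CARP interface carrying the shared address.
ext_if       = "em0"
carp_if      = "carp0"
tcp_services = "{ ssh, http }"

set skip on lo0
block in log all

# CARP advertisements (IP protocol 112) are seen on the parent interface,
# never on carp0, so this is the only place they need to be passed.
pass on $ext_if proto carp

# SSH/HTTP to the shared address: filter on the carpdev. The carp interface
# appears only inside the address expression, which pf expands at runtime
# to whatever addresses carp0 currently has, so the rule keeps working
# across master/backup transitions.
pass in on $ext_if inet proto tcp from any to ($carp_if) port $tcp_services

pass out on $ext_if
```

A rule with "on carp0" never matches anything, so the original "pass in on $carpdevs ... to ($ext_if)" had both the interface and the address the wrong way round: the packet arrives on em0 addressed to the carp0 address, which is what the rule above says.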



Re: Missing security announcements

2008-11-12 Thread Simon Connah

On 12 Nov 2008, at 17:57, Peer Janssen wrote:


Hi!

I subscribed to security-announce a long time ago and thought I  
would receive information about security announcements, but contrary  
to what is stated on http://openbsd.org/mail.html:


"security-announce - Security announcements. This low volume list  
receives OpenBSD security advisories and pointers to security  
patches as they become available.",


as is easily verifiable here:

http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/

together with:

http://openbsd.org/errata44.html,

the patches are not announced.

If the stated annoucement process via mailing list is unreliable or  
untimely, I'd think it's useless, and with it that mailing list.


Regards
Peer



Four of those 4.4 patches are listed as reliability patches and not  
security patches. So I can see why they were not posted to the security  
list. There is only one security patch there and that is patch 001.


I'm sure one of the developers will correct me if I am wrong but that  
is my assumption.


Simon.



Re: PCC developer looking for funding through BSD Fund

2008-11-12 Thread Simon Connah

On 12 Nov 2008, at 20:25, Mark Carlson wrote:


I know there has been some interest on this list related to having a
BSD licensed C compiler used for OpenBSD.  Anders Magnusson (Ragge,)
is the maintainer of PCC and is looking for some funding through BSD
Fund (tax deductible in the US) to get a V1.0 release out.

This is also on Undeadly, if you have not seen it already:
http://undeadly.org/cgi?action=article&sid=20081108135831&mode=expanded


A post to pcc-list by Anders Magnusson:
http://marc.info/?l=pcc-list&m=122633955912667&w=2

BSD fund has decided to get into the business of trying to get
donations for further PCC development, so that there can be faster
progress in development.

I have been discussing pcc with BSD fund for a while, and I think they
are doing a great job!

More info on http://www.bsdfund.org/projects/pcc/ , if you want to
contribute to PCC development or have a company that might be
interested in giving money for PCC.


-Mark C.



Looks interesting. It would be great to have a 100% C99 compatible  
compiler and C standard library. Not sure if that is what is the  
eventual goal for the project or not but there seems a real lack on  
that front.


I should probably do some more reading into PCC.

Simon.



Re: Missing security announcements

2008-11-12 Thread Eugene Prodeguene

On Thu, 13 Nov 2008, Simon Connah wrote:


On 12 Nov 2008, at 17:57, Peer Janssen wrote:


Hi!

I subscribed to security-announce a long time ago and thought I would 
receive information about security announcements, but contrary to what is 
stated on http://openbsd.org/mail.html:


security-announce - Security announcements. This low volume list receives 
OpenBSD security advisories and pointers to security patches as they become 
available.,


as is easily verifiable here:

http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/

together with:

http://openbsd.org/errata44.html,

the patches are not announced.

If the stated announcement process via mailing list is unreliable or 
untimely, I'd think it's useless, and with it that mailing list.


Regards
Peer



Four of those 4.4 patches are listed as reliability patches and not security 
patches. So I can see why they were not posted to the security list. There is 
only one security patch there and that is patch 001.


I'm sure one of the developers will correct me if I am wrong but that is my 
assumption.


Simon.


For what its worth (probably not much), there is also the errata 
rss feed from undeadly, which clearly marks SECURITY vs RELIABILITY 
patches. I'm sure everyone knows about this by now, but it does make a 
nice addition to an rss reader of choice.


http://www.undeadly.org/cgi?action=errata



Re: Missing security announcements

2008-11-12 Thread Emilio Perea
On Wed, Nov 12, 2008 at 06:57:19PM +0100, Peer Janssen wrote:
 I subscribed to security-announce a long time ago and thought I would 
 receive information about security announcements, but contrary to what 
 is stated on http://openbsd.org/mail.html:

 security-announce - Security announcements. This low volume list 
 receives OpenBSD security advisories and pointers to security patches 
 as they become available.,


FWIW, I received the Welcome to the security-announce mailing list!
message on 9/4/2002 and nothing since.  I don't think it's a big deal
since there are other ways of getting the information.



Re: Missing security announcements

2008-11-12 Thread Aaron W. Hsu
On Wed, 12 Nov 2008 21:32:57 -0600
Emilio Perea [EMAIL PROTECTED] wrote:

 I don't think it's a big deal
 since there are other ways of getting the information.

Given that we usually sign up to a security-announce mailing list for 
good reason, if the list isn't working as intended, or there is some 
misunderstanding as to why the list exists, then I'd like to know 
explicitly, if only so that I do not rely on the list too much. 

-- 
Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us
Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else. -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Re: Missing security announcements

2008-11-12 Thread Theo de Raadt
  I don't think it's a big deal
  since there are other ways of getting the information.
 
 Given that we usually sign up to a security-announce mailing list for 
 good reason, if the list isn't working as intended, or there is some 
 misunderstanding as to why the list exists, then I'd like to know 
 explicitly, if only so that I do not rely on the list too much. 

It does not work because no one who works on OpenBSD runs -stable.
Then every few months some of you come and yell at us.

Honestly, I think we should get rid of the list.  But then, it was
created because people like you asked for it.  So, if we got
rid of it, people like you would yell at us.  So how about if we
leave the list in existence, and instead ignore your requests?

I think that would work better.  I am not here saying this because
I have answers.  I don't.  I think that people running old software
quite frankly cannot rely on a mailing list run by people who don't
run -stable.  So how can any of you hope we will solve your problems?
People who can't, won't.



Re: Missing security announcements

2008-11-12 Thread Rod Whitworth
On Wed, 12 Nov 2008 21:32:57 -0600, Emilio Perea wrote:

On Wed, Nov 12, 2008 at 06:57:19PM +0100, Peer Janssen wrote:
 I subscribed to security-announce a long time ago and thought I would 
 receive information about security announcements, but contrary to what 
 is stated on http://openbsd.org/mail.html:

 security-announce - Security announcements. This low volume list 
 receives OpenBSD security advisories and pointers to security patches 
 as they become available.,


FWIW, I received the Welcome to the security-announce mailing list!
message on 9/4/2002 and nothing since.  I don't think it's a big deal
since there are other ways of getting the information.


Maybe your email address got lost somewhere.
I have 75 entries from 12 April 2002 (in case your date format was not
the screwed up yank format) or a few less counting from Sep '02.

*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: Missing security announcements

2008-11-12 Thread Ted Unangst
On Wed, Nov 12, 2008 at 10:32 PM, Emilio Perea [EMAIL PROTECTED] wrote:

 FWIW, I received the Welcome to the security-announce mailing list!
 message on 9/4/2002 and nothing since.  I don't think it's a big deal
 since there are other ways of getting the information.

Maybe you mean 2008, because I personally sent several messages to the
list in the years since.

If there was an errata that wasn't announced, remind the developer to
send such notice.  That's the only way they'll start sending such
messages.  I certainly can't remind them because I'm not subscribed so
I don't even know what's missing.



Re: Missing security announcements

2008-11-12 Thread Emilio Perea
On Wed, Nov 12, 2008 at 11:36:10PM -0500, Ted Unangst wrote:
 On Wed, Nov 12, 2008 at 10:32 PM, Emilio Perea [EMAIL PROTECTED] wrote:
 
  FWIW, I received the Welcome to the security-announce mailing list!
  message on 9/4/2002 and nothing since.  I don't think it's a big deal
  since there are other ways of getting the information.
 
 Maybe you mean 2008, because I personally sent several messages to the
 list in the years since.

No, I meant 2002.  But as Rod suggested, it's quite possible I got
unsubscribed accidentally.  I see there are quite a few messages in the
mailing list archives...  In any case, I've seen announcements of all
errata on misc or source-changes, so it's no big deal.



Re: Missing security announcements

2008-11-12 Thread Aaron W. Hsu
On Wed, 12 Nov 2008 21:17:46 -0700
Theo de Raadt [EMAIL PROTECTED] wrote:

 It does not work because no one who works on OpenBSD runs -stable.
 Then every few months some of you come and yell at us.

Not yelling, honest; I was just curious. 

So, basically, no one has the time or motivation to send out updates?

-- 
Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us
Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else. -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++



Re: Missing security announcements

2008-11-12 Thread Theo de Raadt
  It does not work because no one who works on OpenBSD runs -stable.
  Then every few months some of you come and yell at us.
 
 Not yelling, honest; I was just curious. 
 
 So, basically, no one has the time or motivation to send out updates?

None of the developers are on the list.

Heck!  More than half the developers don't even read misc because
of who posts to it.



chaplIn...

2008-11-12 Thread T e z Z i A m . . .
.

.

.

out of all

the lies

said to mE

i love you

was my favouriTe

.

.

.

[EMAIL PROTECTED]

.

.

.



Re: Using a separate boot partition

2008-11-12 Thread Joseph Alten
On Wed, Nov 12, 2008 at 2:21 PM, Raimo Niskanen
[EMAIL PROTECTED] wrote:
 On Tue, Nov 11, 2008 at 07:52:30PM -0800, Joseph Alten wrote:
 Due to technical constraints, my setup requires that I have a separate
 boot partition (basically the kernel and anything else critical for
 booting), and then of course my root partition other data partitions on a
 separate disk.

 Can you say more about the technical constraints. If it is just
 size constraints there should not be much of a problem since
 the root partition is supposed to be small in OpenBSD.

Yes, it's just size constraints. Generally I prefer /usr, /var, /opt,
and so on, to be on the same partition because that allows for a more
flexible storage mechanism. However, most of my hard drive storage is
non-bootable, which means that I usually place kernels and ramdisks on
my bootable hard drive.


 I'm kind of new to OpenBSD, and so far what I've managed to do is copy
 /bsd to a separate partition, then at the boot prompt I run boot hd0a
 -a, then specify my root partition when prompted by the kernel. While
 this has the desired effect, I'd rather not run this every time I want to
 boot OpenBSD. Is there a kernel parameter I can pass that lets the kernel
 know ahead of time the root device I wish to mount?

 Basically I'm looking for the OpenBSD equivalent of root=/dev/xxx Linux
 kernel parameter. I think I managed to get FreeBSD working similarly with
 the vfs.root.mountfrom= parameter, but this doesn't appear to exist in
 OpenBSD.

 Thanks for looking into this.

 --
 Joseph Alten

 --

 / Raimo Niskanen, Erlang/OTP, Ericsson AB