Re: Yahoo! mail and OpenBSD greylisting
Hi Girish,

¿Have you tried to contact Yahoo! technical staff about it?

-- 
Thanks,
Jordi Espasa Clofent
Re: Yahoo! mail and OpenBSD greylisting
On 2008-12-22, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> However I can whitelist gmail, aol, hotmail, rediff and so on since they publish SPF records.
> Is there a way to determine the IP addresses yahoo! uses for sending mail?

dnswl.org; either use the whole list, or grep out yahoo's addresses.
Re: OpenBSD 4.4 amd64 bsd.mp can't detect 4GB memory
Owain Ainsworth wrote:
> > Enabling bigmem=1:
> > Also, from sys/arch/amd64/amd64/machdep.c:
> >     /* Tweakable by config(8) */
>
> How? That diff was never committed. Config needs to know about it before it can change it.

I did a similar config(8) patch for when PAE was in the same situation, so if someone desperately wants to make his/her config bigmem-aware and wants a hint on how to turn a random int on from config(8):

http://people.su.se/~jj/obsd/config-pae.diff
Re: 4.4 apachectl configtest segfaul
Also my error.log file is filled up with this:

[Mon Dec 22 08:56:24 2008] [notice] child pid 9102 exit signal Segmentation fault (11)
[Mon Dec 22 11:01:56 2008] [notice] child pid 28953 exit signal Segmentation fault (11)
[Mon Dec 22 11:02:14 2008] [notice] child pid 23240 exit signal Segmentation fault (11)
[Mon Dec 22 12:54:18 2008] [notice] child pid 2948 exit signal Segmentation fault (11)
[Mon Dec 22 12:56:11 2008] [notice] child pid 3545 exit signal Segmentation fault (11)
[Mon Dec 22 12:59:25 2008] [notice] child pid 21327 exit signal Segmentation fault (11)

I've attached my dmesg output.

2008/12/5 Gabri Mate <gabrim...@ippimail.com>:
> Dear List,
>
> I've upgraded 4.3 to 4.4 today. Apachectl configtest returns with "Syntax OK" but right after that it segfaults. I can't run gdb on the dump file because it says it can't recognize the file. Please give me some advice where to start because I'm a total noob on debugging.
>
> Thanks in advance!
>
> --
> Gabri Mate
> gabrim...@ippimail.com

[demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg]
Re: 4.4 apachectl configtest segfaul
After further testing it seems that the segmentation fault is caused by my php_value options in my virtualhost configuration blocks.

2008/12/5 Gabri Mate <gabrim...@ippimail.com>:
> Dear List,
>
> I've upgraded 4.3 to 4.4 today. Apachectl configtest returns with "Syntax OK" but right after that it segfaults. I can't run gdb on the dump file because it says it can't recognize the file. Please give me some advice where to start because I'm a total noob on debugging.
>
> Thanks in advance!
>
> --
> Gabri Mate
> gabrim...@ippimail.com
Re: Yahoo! mail and OpenBSD greylisting
On Sunday 21 December 2008 23:30:49 Girish Venkatachalam wrote:
> Hello folks,
>
> I am unable to manually whitelist yahoo! mail sender IP addresses since yahoo! does not play well with greylisting.
> However I can whitelist gmail, aol, hotmail, rediff and so on since they publish SPF records.
> Is there a way to determine the IP addresses yahoo! uses for sending mail?
> I can think of possibly modifying the greyscanner perl script to look for patterns and whitelist.
> Any ideas?
>
> Thanks.
> -Girish

66.94.237.0/24      # Yahoo Groups servers (common pool, no retry)
66.100.210.82       # Groupwise?
66.135.209.0/24     # Ebay (for time critical alerts)
66.135.197.0/24     # Ebay (common pool)
66.162.216.166      # Groupwise?
66.218.66.0/24      # Yahoo Groups servers (common pool, no retry)
66.218.67.0/24      # Yahoo Groups servers (common pool, no retry)
66.218.69.0/24      # Yahoo Groups servers (common pool, no retry)
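The posts above whitelist the providers that publish SPF records, and the list marrandy pastes is in spamd's "address # comment" table format. As an added example (not from the thread or from any OpenBSD tool), the Python below walks a domain's SPF record (ip4:, ip6:, include:, redirect=) and emits the networks it authorises in that same format, ready to load as a pf table for spamd. The DNS lookups are replaced by a constructed offline map; FAKE_TXT, example.net and every address in it are made up.

```python
"""Collect the sender networks a domain publishes in SPF and emit them as a
pf(4) table file for spamd's whitelist, e.g. /etc/mail/nospamd loaded with
    table <nospamd> persist file "/etc/mail/nospamd"
as in the spamd(8) examples. Added example; the resolver below is a constructed
offline stand-in and every name and address in FAKE_TXT is made up."""
import ipaddress

# Constructed DNS TXT data (not real records). Exercises include:, redirect=,
# an include loop, a non-pass qualifier and a malformed mechanism.
FAKE_TXT = {
    "example.net": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.5 ip6:2001:db8:10::/48 "
                         "-ip4:198.51.100.99 include:_spf2.example.net -all"],
    "_spf2.example.net": ["v=spf1 include:_spf.example.net redirect=_spf3.example.net"],
    "_spf3.example.net": ["v=spf1 ip4:192.0.2.0/28 ip4:not-an-ip -all"],
    "nospf.example": ["some unrelated TXT record"],
}


def fake_resolve_txt(name):
    """Stand-in for a DNS TXT lookup: returns the list of TXT strings for name."""
    return FAKE_TXT.get(name, [])


def spf_record(name, resolve_txt):
    """Return name's v=spf1 string, or None unless exactly one exists (RFC 7208 4.5)."""
    recs = [r for r in resolve_txt(name) if r.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def spf_networks(domain, resolve_txt=fake_resolve_txt, max_lookups=10, _seen=None):
    """Networks a domain's SPF record authorises with a pass (+) qualifier.

    Follows include: and redirect= recursively, refuses loops and stops after
    max_lookups referrals, the same limit SPF evaluators apply. A malformed
    mechanism is skipped rather than discarding the whole record.
    """
    seen = _seen if _seen is not None else set()
    nets = set()
    if domain in seen or len(seen) >= max_lookups:
        return nets
    seen.add(domain)
    rec = spf_record(domain, resolve_txt)
    if rec is None:
        return nets
    redirect, has_all = None, False
    for term in rec.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            has_all = True
        elif mech.startswith("redirect="):
            redirect = mech[len("redirect="):]
        elif qualifier != "+":
            continue  # -, ~ and ? hosts are not authorised senders: never whitelist them
        elif mech.startswith(("ip4:", "ip6:")):
            try:
                nets.add(ipaddress.ip_network(mech[4:], strict=False))
            except ValueError:
                continue  # malformed address, skip just this mechanism
        elif mech.startswith("include:"):
            nets |= spf_networks(mech[len("include:"):], resolve_txt, max_lookups, seen)
        # a, mx, ptr and exists need A/MX/PTR lookups and are not expanded here
    if redirect and not has_all:  # redirect= is only reached when no "all" matched
        nets |= spf_networks(redirect, resolve_txt, max_lookups, seen)
    return nets


def pf_table_lines(domains, resolve_txt=fake_resolve_txt):
    """One 'address # comment' line per network, IPv4 first, spamd whitelist style."""
    lines = []
    for domain in domains:
        for net in sorted(spf_networks(domain, resolve_txt), key=lambda n: (n.version, n)):
            lines.append(f"{net.with_prefixlen:<20}# spf:{domain}")
    return lines


if __name__ == "__main__":
    print("\n".join(pf_table_lines(["example.net", "nospf.example"])))
```

Point resolve_txt at a real TXT lookup to use it against live domains; a domain without a single valid SPF record (the yahoo! case in this thread) simply yields no lines.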
Re: Yahoo! mail and OpenBSD greylisting
On Monday 22 December 2008 04:45:34 you wrote:
> On 2008-12-22, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> > However I can whitelist gmail, aol, hotmail, rediff and so on since they publish SPF records.
> > Is there a way to determine the IP addresses yahoo! uses for sending mail?
>
> dnswl.org; either use the whole list, or grep out yahoo's addresses.

Yes, that's a really good one - thanks for the info
Re: Guide about update a port
2008/12/21 Fernando Quintero <fernando.a.quint...@gmail.com>:
> Hi list,
>
> I would like to know if there is any document or guide about how to update a port?

Check out the man page for bsd.port.mk(5):

    $ man 5 bsd.port.mk

and search for 'reinstall'. Obviously you need to get yourself an updated ports tree. Normally you update your entire system as well, with either the install media (a new release; binary upgrade), snapshots (binary upgrade), or building world (source code upgrade).

/juan
Etherchannel OpenBSD?
Hi all,

Does anyone know if trunk(4) supports Cisco Etherchannel? I have a 3500XL with the following port configuration:

interface FastEthernet0/22
 port group 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet0/24
 port group 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

Within OpenBSD 4.4 (-stable, generic), I have the following interface config:

trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:40:2b:dc
        trunk: trunkproto roundrobin
                trunkport vic2 active
                trunkport vic1 master,active
        groups: trunk
        media: Ethernet autoselect
        status: active
        inet6 fe80::20c:29ff:fe40:2bd2%trunk0 prefixlen 64 scopeid 0x9
vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:40:2b:dc
        vlan: 11 priority: 0 parent interface: trunk0
        groups: vlan

However running tcpdump on trunk0 does not give the L3 traffic I would expect. The manpage explicitly mentions 802.3ad but other sites on the Internet refer to Etherchannels as being supported (but I don't know if they are confusingly using 'etherchannel', 'port group' and 'LACP' interchangeably).

[r...@gw1-uk]# tcpdump -i vlan11 -vv
tcpdump: listening on vlan11, link-type EN10MB
15:51:09.269539 SSTP STP config root=8000.0:7:eb:93:bb:c7 rootcost=4 bridge=8000.0:d:ed:79:59:86 port=1 ifcost=128 age=1/0 max=20/0 hello=2/0 fwdelay=15/0 pvid=11
15:51:11.260602 SSTP STP config root=8000.0:7:eb:93:bb:c7 rootcost=4 bridge=8000.0:d:ed:79:59:86 port=1 ifcost=128 age=1/0 max=20/0 hello=2/0 fwdelay=15/0 pvid=11
15:51:13.260017 SSTP STP config root=8000.0:7:eb:93:bb:c7 rootcost=4 bridge=8000.0:d:ed:79:59:86 port=1 ifcost=128 age=1/0 max=20/0 hello=2/0 fwdelay=15/0 pvid=11

Any advice would be appreciated!

Stu
Re: IPv6 virtual hosts
* Simon Vallet <open...@castalie.org> [2008-12-06 22:14]:
> On Sat, 06 Dec 2008 21:59:08 +0100 Jeroen Massar <jer...@unfix.org> wrote:
> > My bad, mixing up between those two ;) Nevertheless note that the 1.3 docs might not apply to the special version of apache in openbsd, in part due to the IPv6 patch.
>
> Somewhere I hope the devs didn't modify the code that much.

if you'd actually look at the code you'd wish we modified it to the point where no original code is left.

if you plan to look at apache2 code, make sure you're close to a toilet. puke on the keyboard tends to be nasty.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: IPv6 virtual hosts
On 17:31:02 Dec 22, Henning Brauer wrote:
> if you plan to look at apache2 code, make sure you're close to a toilet. puke on the keyboard tends to be nasty.

He he. I believe there is a new e-mail archival project called lucene which is written in the greatest programming language on the planet...you guessed right, Java. Now that gives us enough hint about what the Apache project is all about. ;)

-Girish
Re: Yahoo! mail and OpenBSD greylisting
On 09:30:48 Dec 22, Jordi Espasa Clofent wrote:
> Hi Girish,
> ¿Have you tried to contact Yahoo! technical staff about it?

I know you are serious, so I don't want to kid.

I almost got talking to a relatively highly placed individual in yahoo! to take a look at OpenBSD greylisting. But guess what? The typical corporate response:

We do not care about open source. We will steal what we want from it without acknowledging any credit. And we are a big company with a lot of money. So we can continue the way we want.

I can forward you the mildly agitating e-mail response I got from the yahoo! top gun. ;)

Apropos of yahoo! breaking standards...well what can we do?

-Girish
Re: 4.4 apachectl configtest segfaul
On 2008-12-22, Gabri Mati <gabrim...@gmail.com> wrote:
> After further testing it seems that the segmentation fault is caused by my php_value options in my virtualhost configuration blocks.

oh c'mon, don't make people dig. *which* options?

did you follow the upgrade guide to the end? - http://www.openbsd.org/faq/upgrade44.html#Pkgup
Re: Yahoo! mail and OpenBSD greylisting
Girish Venkatachalam wrote:
> On 09:30:48 Dec 22, Jordi Espasa Clofent wrote:
> > Hi Girish,
> > ¿Have you tried to contact Yahoo! technical staff about it?
>
> I know you are serious, so I don't want to kid.
>
> I almost got talking to a relatively highly placed individual in yahoo! to take a look at OpenBSD greylisting. But guess what? The typical corporate response:
>
> We do not care about open source. We will steal what we want from it without acknowledging any credit. And we are a big company with a lot of money. So we can continue the way we want.
>
> I can forward you the mildly agitating e-mail response I got from the yahoo! top gun. ;)
>
> Apropos of yahoo! breaking standards...well what can we do?

*nobody* expects the spanish inquisition!

give them the comfy chair!
Re: possible bug in OpenNTPD code?
this analysis is as correct as the provided diff, which has been committed.

* Anirban Sinha <asi...@zeugmasystems.com> [2008-12-05 03:07]:
> Hi:
>
> I am sort of digging my way through the OpenNTPD codebase for my work. I think I found a bug in the code. Please help me to understand the reason if this is not a bug.
>
> In function ntp_main() (ntp.c), we poll() to check if there are any events of interest. We do this:
>
> 1. Check internal fds (PIPE_MAIN)
> 2. Then check PIPE_DNS fds
> 3. Then check PIPE_HOTPLUG fds
>
> Next, for the server, we check all the fds we are listening on. And then finally, for ntp clients, we check the fds for the remote servers.
>
> Now, there's the issue in this line;
>
> for (j = 1; nfds > 0 && j < idx_peers; j++) { ... }
>
> Shouldn't the index start with 3? That is, shouldn't we do this:
>
> for (j = 3; nfds > 0 && j < idx_peers; j++)
>
> since indices 0, 1 and 2 correspond to the three checks I have written above which are already done. In other words, can we apply the following patch to fix the issue?
>
> Index: ntpd/ntp.c === --- ntpd.orig/ntp.c +++ ntpd/ntp.c @@ -344,7 +344,7 @@ ntp_main(int pipe_prnt[2], struct ntpd_c sensor_hotplugevent(hotplugfd); } - for (j = 1; nfds 0 j idx_peers; j++) + for (j = PFD_MAX; nfds 0 j idx_peers; j++) if (pfd[j].revents (POLLIN|POLLERR)) { nfds--; if (server_dispatch(pfd[j].fd, conf) == -1)
>
> Thanks,
> Ani

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
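Review bot: the new start index in the hunk is the right fix, but the boundary deserves a comment at the loop: the description places the fixed pipe descriptors (PIPE_MAIN, PIPE_DNS, PIPE_HOTPLUG) at indices 0, 1 and 2, and the `+` line relies on `PFD_MAX` being exactly that count so that `pfd[PFD_MAX]` is the first listening socket; a one-liner such as `/* pfd[PFD_MAX..idx_peers) are the listening sockets */` would make that dependency visible to the next reader. Using the symbolic constant is preferable to the literal 3 proposed in the mail text, since the layout is defined once. The defect being fixed is that with `j = 1`, a readable DNS or hotplug pipe would be handed to `server_dispatch()` as though it were a listening socket and `nfds` decremented a second time for an event already handled above. Note also that the comparison operators in the loop condition (`nfds 0 j idx_peers`) and the bitwise test on `pfd[j].revents` have been lost in the archived copy of the hunk and must be read against the source.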
Re: CARP with a single public IP address
* Felipe Alfaro Solana <felipe.alf...@gmail.com> [2008-12-05 11:56]:
> While the machine whose CARP interface is in ACTIVE won't have problems sending and processing traffic, the OpenBSD machine whose CARP interface is in BACKUP will. The machine whose CARP interface is in BACKUP will be able to send traffic to the Internet from its public IP address, but will not be able to process any response, for example to contact a NTP server: the UDP response from the NTP server will arrive at both OpenBSD machines (since both are sharing the public IP address), but the machine whose CARP interface is BACKUP will likely ignore the NTP response. For TCP it is also very similar.

wrong. the machine which is in BACKUP will not be able to send traffic over that interface or see the replies.

in general, a machine which can only reach its default gateway via a carp interface which is in BACKUP is doomed as far as internet access goes (and before someone nitpicks too much: there might be ugly hacks with pf or tunnels or whatever to make my statement wrong; it is right for all the normal cases tho).

> I have no idea how to deploy a scenario like this, while allowing the machine whose CARP interface is in BACKUP to access the Internet.

as simple as it can be; use 3 public IPs. getting these might be a problem, but that is the only proper solution.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: CARP with a single public IP address
* Todd T. Fries <t...@fries.net> [2008-12-05 13:27]:
> Ironically, IPv6 cannot solve this scenario either, since by definition using ipv6 tends to require a tunnel

a few ISPs here (too many) are stupid enough to deal with v6 to the extent of handing out v6 to customers natively.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: pf: how to set per-rule options?
* Toni Mueller <openbsd-m...@oeko.net> [2008-12-12 12:18]:
> Hi,
>
> On Thu, 11.12.2008 at 21:12:43, Stuart Henderson <s...@spacehopper.org> wrote:
> > On 2008-12-11, Toni Mueller <openbsd-m...@oeko.net> wrote:
> > > On Thu, 11.12.2008 at 02:29:22, Stuart Henderson <s...@spacehopper.org> wrote:
> > > > On 2008-12-10, Toni Mueller <openbsd-m...@oeko.net> wrote:
> > > > > Example: pass on $ext_if all max-mss 1400
> > > >
> > > > you should use scrub on ... max-mss 1400
> > >
> > > I have seen, and verified, that that works, but I hoped to apply such a rule to only some of the packets (think different transport media etc.pp.).
> >
> > scrub supports that.
>
> I've recently run into problems which looked to me like PMTUD does not work across IPSEC.

you are missing the point.

scrub in $somewhere from $foo to $bar max-mss 1400

is perfectly valid.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Yahoo! mail and OpenBSD greylisting
On 2008-12-22, marrandy <marra...@chaossolutions.org> wrote:
> On Monday 22 December 2008 04:45:34 you wrote:
> > On 2008-12-22, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> > > However I can whitelist gmail, aol, hotmail, rediff and so on since they publish SPF records.

SPF has problems in some areas, some people dislike it, others don't use it in certain situations. There are other sender verification schemes, you might look into who is the big name behind domainkeys...

> > > Is there a way to determine the IP addresses yahoo! uses for sending mail?
> >
> > dnswl.org; either use the whole list, or grep out yahoo's addresses.
>
> Yes, that's a really good one - thanks for the info

Oh hmm. Just grepped my mail logs and pulled out a few addresses to check, it seems dnswl's coverage of yahoo isn't all that great (at least not for their UK-facing outbound servers). And pulling their prefixes out of a bgp feed is fiddly at best, they have at least three different AS.

On 2008-12-22, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> Apropos of yahoo! breaking standards...well what can we do?

do you care to expand on this, which standards are they breaking that are related to this?
Re: Etherchannel OpenBSD?
On 23/12/08 4:52 AM, Stuart Morgan wrote:
> Hi all,
>
> Does anyone know if trunk(4) supports Cisco Etherchannel? I have a 3500XL with the following port configuration:
>
> interface FastEthernet0/22
>  port group 1
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
> interface FastEthernet0/24
>  port group 1
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
> !
>
> [snip]
>
> Any advice would be appreciated!
>
> Stu

Hi

I'm not sure that Etherchannel is supported, however LACP works on a channel-group:

interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
 channel-protocol lacp
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
 channel-protocol lacp

N.
Re: Yahoo! mail and OpenBSD greylisting
This may be helpful: http://tech.groups.yahoo.com/group/ygmailadmin/

On Mon, Dec 22, 2008 at 08:22:18AM -0500, marrandy wrote:
> On Sunday 21 December 2008 23:30:49 Girish Venkatachalam wrote:
> > Hello folks,
> >
> > I am unable to manually whitelist yahoo! mail sender IP addresses since yahoo! does not play well with greylisting.
> > However I can whitelist gmail, aol, hotmail, rediff and so on since they publish SPF records.
> > Is there a way to determine the IP addresses yahoo! uses for sending mail?
> > I can think of possibly modifying the greyscanner perl script to look for patterns and whitelist.
> > Any ideas?
> >
> > Thanks.
> > -Girish
>
> 66.94.237.0/24      # Yahoo Groups servers (common pool, no retry)
> 66.100.210.82       # Groupwise?
> 66.135.209.0/24     # Ebay (for time critical alerts)
> 66.135.197.0/24     # Ebay (common pool)
> 66.162.216.166      # Groupwise?
> 66.218.66.0/24      # Yahoo Groups servers (common pool, no retry)
> 66.218.67.0/24      # Yahoo Groups servers (common pool, no retry)
> 66.218.69.0/24      # Yahoo Groups servers (common pool, no retry)
Re: 4.4 apachectl configtest segfaul
On 17:39 Mon 22 Dec, Stuart Henderson wrote:
> On 2008-12-22, Gabri Mati <gabrim...@gmail.com> wrote:
> > After further testing it seems that the segmentation fault is caused by my php_value options in my virtualhost configuration blocks.
>
> oh c'mon, don't make people dig. *which* options?
>
> did you follow the upgrade guide to the end? - http://www.openbsd.org/faq/upgrade44.html#Pkgup

I use these 3 options:

php_value memory_limit 38M
php_value upload_max_filesize 100M
php_value post_max_size 100M

Any one of them causes the configtest to segfault after it says that the syntax is ok.

Yep, I did everything exactly as the upgrade guide said. Even deleted the php5 packages and reinstalled them.

--
Gabri Mate
gabrim...@ippimail.com
Re: 4.4 apachectl configtest segfaul
On 23:27 Mon 22 Dec, Marc Balmer wrote:
> * Gabri Mate wrote:
> > On 17:39 Mon 22 Dec, Stuart Henderson wrote:
> > > On 2008-12-22, Gabri Mati <gabrim...@gmail.com> wrote:
> > > > After further testing it seems that the segmentation fault is caused by my php_value options in my virtualhost configuration blocks.
> > >
> > > oh c'mon, don't make people dig. *which* options?
> > >
> > > did you follow the upgrade guide to the end? - http://www.openbsd.org/faq/upgrade44.html#Pkgup
> >
> > I use these 3 options:
> >
> > php_value memory_limit 38M
> > php_value upload_max_filesize 100M
> > php_value post_max_size 100M
>
> uploading 100MB files or having 100MB post data is a bit theoretical, right?

It's a special community site and I'm having some presentations in quicktime format. But they aren't exactly 100mb large, so yes, you can say it's theoretical.

> > Any one of them causes the configtest to segfault after it says that the syntax is ok.
> >
> > Yep, I did everything exactly as the upgrade guide said. Even deleted the php5 packages and reinstalled them.
> >
> > --
> > Gabri Mate
> > gabrim...@ippimail.com
>
> --
> Marc Balmer, Micro Systems, Wiesendamm 2a, Postfach, CH-4019 Basel, Switzerland
> http://www.msys.ch/ http://www.vnode.ch/
> In God we trust, in C we code.

--
Gabri Mate
gabrim...@ippimail.com
Re: pppoe not reconnecting
Hi,

On Sat, 20.12.2008 at 14:13:34, Christian Weisgerber <na...@mips.inka.de> wrote:
> However, sometimes pppoe just seems to get wedged and stop retrying. Does anybody else see this too?

yes, across a number of versions of OpenBSD, and for the last few years. I have static IPs, too, but am disconnected every now and then. Connections actually seem to fail several times per day, more often at some locations than at others, so it may be a question of what's at the other end, or what the copper can do. When it happens, I can't see what's going on since by then I'm locked out. I have installed cron jobs, though, which detect the situation and try to speed up recovery by killing the (probably) wedged pppoe and ppp programs, and run this every one or two minutes. When things recover on their own, it sometimes takes about half an hour to do so, and sometimes fails (afair). And sometimes, I need several attempts to get a useful connection.

So far, I was writing this off as "you get what you pay for", although I have much less trouble with Linux connecting to the same ISP.

Kind regards,
--Toni++
Re: CARP with a single public IP address
On Dec 22, 2008, at 12:27 PM, Henning Brauer wrote:
> * Todd T. Fries <t...@fries.net> [2008-12-05 13:27]:
> > Ironically, IPv6 cannot solve this scenario either, since by definition using ipv6 tends to require a tunnel
>
> a few ISPs here (too many) are stupid enough to deal with v6 to the extent of handing out v6 to customers natively.

I don't know a single one in the US who gives out space to residential customers. Including in the Bay Area.
Re: Etherchannel OpenBSD?
Hi Nigel and all,

Thanks very much for the suggestion, unfortunately my 3500XL doesn't support LACP - perhaps I need a firmware upgrade?

sw1a#sh ver
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC16, RELEASE SOFTWARE (fc1)
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC16.bin"

Stu

Nigel Wohlers wrote:
> /* .. */
> interface FastEthernet0/22
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  channel-group 1 mode active
>  channel-protocol lacp
> interface FastEthernet0/24
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  channel-group 1 mode active
>  channel-protocol lacp
> /* .. */
OpenBSD CARP
Hi all,

I have an esxi server set up with 2 separate OpenBSD installations (4.4-stable generic) and am attempting to correctly configure carp so that I know it works before implementing this in proper hardware. My aim is to get them to 'share' 192.168.176.154. I think I have configured it correctly; the backup correctly changes status (according to ifconfig) immediately when I take the master down. I can't ping it, traceroute to it, no mention of it appears on pflog0 when I changed pf to log everything. Wireshark shows constant ARP requests and presumably no reply is given. Firewall rules accept carp traffic.

Can anyone see anything immediately amiss from this?

Thanks all :)

Stu

Configuration:

* On Master (192.168.176.152) *

vic0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:b5:0d:ff
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 192.168.176.152 netmask 0xffc0 broadcast 192.168.176.191
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev vic0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.168.176.154 netmask 0xffc0 broadcast 192.168.176.191

* On Backup (192.168.176.153) *

vic0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:40:2b:d2
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 192.168.176.153 netmask 0xffc0 broadcast 192.168.176.191
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev vic0 vhid 1 advbase 1 advskew 2
        groups: carp
        inet 192.168.176.154 netmask 0xffc0 broadcast 192.168.176.191
Re: CARP with a single public IP address
* johan beisser <j...@caustic.org> [2008-12-23 01:49]:
> On Dec 22, 2008, at 12:27 PM, Henning Brauer wrote:
> > * Todd T. Fries <t...@fries.net> [2008-12-05 13:27]:
> > > Ironically, IPv6 cannot solve this scenario either, since by definition using ipv6 tends to require a tunnel
> >
> > a few ISPs here (too many) are stupid enough to deal with v6 to the extent of handing out v6 to customers natively.
>
> I don't know a single one in the US who gives out space to residential customers. Including in the Bay Area.

yurop is different

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Running another OS under OpenBSD
* Jussi Peltola <pe...@pelzi.net> [2008-12-11 20:52]:
> On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote:
> > Dear All,
> >
> > Please can you indicate me how to run Windows or Linux under OpenBSD? Under Linux for example there is possibility to virtualize another OS. If the other OS is hacked from the web does it compromise the security of OpenBSD?
>
> Who cares; if your service gets hacked, it doesn't help to keep the underlying OS clean, your service is still compromised.

if you run $random_crap_third_party_service on openbsd which is vulnerable there is still a good chance the security measures openbsd applies prevent successful exploitation. it cannot be 100%, of course.

> This list seems to generally not recommend virtualization if security is important, and is especially critical of any claim that virtualization is going to improve (and not reduce) security, since it is a new, not-too-well-known and complex technology.

virtualization at its current state of the art (art? hah.) assuredly reduces security. actually, reduces is not a strong enough word, it is way worse.

> > Another question is if I run a server under OpenBSD is this impossible to hack it from the web?
>
> impossible is impossible.
>
> > The standard install of OpenBSD has no security holes anymore

the standard install of -current OpenBSD never had known exploitable holes for prolonged timeframes. the very few short timeframes can of course suffice for exploitation, and there might be issues we were or even are not aware of.

> > if I understand, does this mean no one can hack it from the web? what about an OpenBSD on which we have activated one or more services, like mail server / web server and file sharing for within network (if used as NAS / server as example?
>
> Nobody has claimed OpenBSD has no security holes; it is quite possible (almost certain) there are some that have not been found yet.

it is far from almost certain. nobody can give guarantees of course, and that is important to keep in mind.

> Enabling services will, of course, make you more vulnerable.

_potentially_ more vulnerable.

> The OpenBSD base services are well audited and should be secure, but nobody guarantees they have no holes, and certainly nobody will claim it is un-hackable. There may be holes in OpenBSD or the software you run on it, and if you use "kitty" for a root password there is nothing OpenBSD can do to help you.

yup.

> That said, OpenBSD base services are extremely secure, compared to the competition, when properly configured and patched. Note that no security audits are done to software in the ports tree; you're on your own with 3rd party software.

many things from ports are patched or otherwise modified for security reasons, and many things are deliberately NOT in ports due to security considerations. nonetheless there is truth in your above statement; averaged things from ports are not on the same level as openbsd.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: OpenBSD CARP
Hi everyone,

Please disregard the below, I seem to have found the reason (which is that with esxi, you have to give a VM permission to enter promisc mode (which it would have to to get the packets to the virtual MAC address presumably) so the card wasn't in promisc mode even though openbsd thought it was.

Good learning point though :)

Stu

Stuart Morgan wrote:
> Hi all,
>
> I have an esxi server set up with 2 separate OpenBSD installations (4.4-stable generic) and am attempting to correctly configure carp so that I know it works before implementing this in proper hardware. My aim is to get them to 'share' 192.168.176.154. I think I have configured it correctly; the backup correctly changes status (according to ifconfig) immediately when I take the master down. I can't ping it, traceroute to it, no mention of it appears on pflog0 when I changed pf to log everything. Wireshark shows constant ARP requests and presumably no reply is given. Firewall rules accept carp traffic.
>
> Can anyone see anything immediately amiss from this?
>
> Thanks all :)
>
> Stu
Re: CARP with a single public IP address
On Dec 22, 2008, at 5:25 PM, Henning Brauer wrote:
> yurop is different

And one day, the US might stop playing ketchup.
Re: CARP under heavy load
* ropers <rop...@gmail.com> [2008-12-12 14:17]:
> What link are you sending the CARP advertisements over? E.g. do you use a dedicated link (separate NICs and cable connection between the CARPed machines) or do you send the CARP advertisements over existing other links? (Which? Please illustrate.)

carp announcements never go over a dedicated link; that would defeat its purpose.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: CARP under heavy load
* ropers <rop...@gmail.com> [2008-12-12 15:01]:
> 2008/12/12 Stephan A. Rickauer <stephan.ricka...@ini.phys.ethz.ch>:
> > On Fri, 2008-12-12 at 14:11 +0100, ropers wrote:
> > > What link are you sending the CARP advertisements over? E.g. do you use a dedicated link (separate NICs and cable connection between the CARPed machines) or do you send the CARP advertisements over existing other links? (Which? Please illustrate.)
> >
> > I didn't know I had a choice what link to send the ads over. In other words, the CARP ads are sent over the corresponding underlying, physical interfaces, without a dedicated link. e.g.: em0.a/em0.b=carp0 = ads sent over em0's
> >
> > Can I use 'carppeer' to specify *one* dedicated link for all the other CARP interfaces? We do have a dedicated link for pfsync, though.
>
> Maybe --possibly-- my own understanding is sorely lacking. Let me try to explain. The following requires a non-proportional font:
>
> Is this what your CARP setup looks like?
>
>     external network
>            ||
>     OpenBSD#0    OpenBSD#1
>            ||
>     internal network
>
> If so, are the CARP advertisements being sent via the external or internal network?

the ones for the carp interfaces on the external network over the external network; the ones for the internal network over the internal network.

> OTOH, if you have a dedicated link, maybe your setup looks like this?
>
>     external network
>            ||
>     OpenBSD#0    OpenBSD#1
>            ||
>     internal network
>
> I was under the impression that it should be possible to exchange CARP advertisements via the dedicated link (), though I have to admit that I haven't actually built such a network yet -- I'm planning to do that shortly. Maybe others can weigh in?

that would defeat carp's purpose. if, in your scenario above, OpenBSD#0 loses link to the external network, wouldn't you want OpenBSD#1 to become master?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: problem with openbgd on 4.3
* Maciej Jan Broniarz <gau...@gausus.net> [2008-12-15 10:48]:
> I have been using openbgpd since 4.1 release. Few weeks ago I have set up an openbsd 4.3 clean install with openbgpd. Few days later my bgp sessions began to restart for no apparent reason. My /var/log/messages says:
>
> Dec 11 14:00:29 router bgpd[14353]: neighbor 148.81.224.5 (peer-rs2): received notification: HoldTimer expired, unknown subcode 0

the peer tells you that its HoldTimer expired, as in, it hasn't received keepalives within HoldTime (which is 3 times the KeepAlive timer). Actually, "received" is wrong - "processed" is more appropriate. Failure to process keepalives in time in a certain other implementation has been my #1 reason to start writing bgpd...

> What might be the problem?

my crystal ball is at the annual service (takes 365 days typically), sorry.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
no sound with aucat -l
Hi, I can't seem to get any sound when I run aucat -l. In /usr/lib I have libsndio.so.3.2 as my only libsndio.so. I've run make DO_AUTEST=1 and didn't get any errors. I have export SDL_AUDIODRIVER=libsndio in my .profile. I have env SDL_AUDIODRIVER=libnsdio prog statements for some of the applications in my window manager's (IceWM) menu. If I run the applications after killing aucat in server mode, then I get sound. Applications that call directly on aucat, i.e. Pidgin - aucat %s, have sound, but then again only when _not_ running aucat in server mode. I think I've missed something obvious, but I'm not too sure where at this point. I'd welcome any suggestions, thanks.

OpenBSD 4.4-current (GENERIC) #1627: Thu Dec 18 21:22:00 MST 2008
dera...@cvs.openbsd.org:/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) processor (AuthenticAMD 686-class, 256KB L2 cache) 1.20 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 804810752 (767MB)
avail mem = 769384448 (733MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/13/01, BIOS32 rev. 0 @ 0xfb5d0, SMBIOS rev. 2.2 @ 0xf0800 (38 entries)
bios0: vendor Award Software International, Inc. version 6.00 PG date 07/13/2001
bios0: Gigabyte Technology Co., LTD 7DXR
apm at bios0 function 0x15 not configured
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP
acpi0: wakeup devices SLPB(S5) PCI0(S5) USB0(S4) USB1(S4) UAR1(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
bios0: ROM list: 0xc/0x8000 0xcc000/0x4000! 0xd/0x4000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 AMD 761 PCI rev 0x13
amdagp0 at pchb0
agp0 at amdagp0: aperture at 0xd000, size 0x400
ppb0 at pci0 dev 1 function 0 AMD 761 PCI-PCI rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 ATI Mach64 rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 6Y080L0
wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, RW/DVD GCC-4120B, 2.03 ATAPI 5/cdrom removable
atapiscsi1 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi1: 2 targets, initiator 7
cd1 at scsibus1 targ 0 lun 0: BENQ, CDRW 5232X, KPBY ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
cd1(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x1a: irq 11
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x1a: irq 11
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40: failed to map PM I/O space
rl0 at pci0 dev 12 function 0 D-Link Systems 530TX+ rev 0x10: irq 10, address 00:50:ba:59:24:c3
rlphy0 at rl0 phy 0: RTL internal PHY
eap0 at pci0 dev 14 function 0 Ensoniq CT5880 rev 0x03: irq 5
ac97: codec id 0x83847608 (SigmaTel STAC9708/11)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at eap0
midi0 at eap0: AudioPCI MIDI UART
uhci2 at pci0 dev 15 function 0 VIA VT83C572 USB rev 0x50: irq 11
uhci3 at pci0 dev 15 function 1 VIA VT83C572 USB rev 0x50: irq 10
ehci0 at pci0 dev 15 function 2 VIA VT6202 USB rev 0x51: irq 7
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 VIA EHCI root hub rev 2.00/1.00 addr 1
pciide1 at pci0 dev 16 function 0 Promise PDC20265 rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 11 for native-PCI interrupt
pciide1: channel 0 disabled (no drives)
pciide1: channel 1 disabled (no drives)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 VIA UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 VIA UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 VIA UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 VIA UHCI root hub rev 1.00/1.00 addr 1
biomask fddd netmask fddd ttymask ffdf
mtrr: Pentium Pro MTRR support
uhidev0 at uhub1 port 2 configuration 1 interface 0 KYE USB MOUSE rev 1.10/0.00 addr 2
uhidev0: iclass 3/1
ums0 at uhidev0: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
softraid0 at root
Re: Running another OS under OpenBSD
On Tue, Dec 23, 2008 at 02:41:08AM +0100, Henning Brauer wrote: * Jussi Peltola pe...@pelzi.net [2008-12-11 20:52]: On Thu, Dec 11, 2008 at 10:30:50AM -0800, Jeff_1981 wrote: That said, OpenBSD base services are extremely secure, compared to the competition, when properly configured and patched. Note that no security audits are done to software in the ports tree; you're on your own with 3rd party software. many things from ports are patched or otherwise modified for security reasons, and many things are deliberately NOT in ports due to security considerations. nonetheless there is truth in your above statement; on average, things from ports are not on the same level as openbsd. Has anybody done any comparisons to see how things from ports (especially common things like firefox) compare to the competition's packages (rpms, debs, whatever)? I know that the ports don't get audited like base, but then I don't think anyone else's does either. In other words, if you need a box with multiple third-party apps (let's say that none of them are server apps; e.g. firefox, a window manager or DTE, mutt, LaTeX, gv, a pdf reader), which box would be more secure (with the same admin): OpenBSD with ports or a Linux (e.g. Debian)? Doug.
Urgent Notice
Dear Poste Italiane customer, We ask you to pay the utmost attention to the information contained in this e-mail. We are currently carrying out regular maintenance of our security measures. Your account has been chosen at random for this maintenance, and you will now be taken through a series of identity verification pages. To carry out the regular maintenance please click here. Protecting the security of your account is our main concern, and we apologise for any inconvenience this may cause. Important: If we do not receive the account verification within 24 hours we will assume that this account is fraudulent and it will be suspended. The purpose of this verification is to make sure that your account has not been compromised and to fight fraud in our community.
Re: Etherchannel OpenBSD?
On Tue, Dec 23, 2008 at 12:45:23AM +, Stuart Morgan wrote: Hi Nigel and all, Thanks very much for the suggestion, unfortunately my 3500XL doesn't support LACP - perhaps I need a firmware upgrade? *sw1a#sh ver IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC16, RELEASE SOFTWARE (fc1) System image file is flash:c3500xl-c3h2s-mz.120-5.WC16.bin The 3500XL are end of life for a good reason. Those switches are so limited they're not even fun for a lab. Even if you get a newer IOS image for them I doubt they will support LACP. -- :wq Claudio
Re: CARP under heavy load
On Fri, Dec 12, 2008 at 12:56:22PM +, Stephan A. Rickauer wrote: We have a simple two-node CARP cluster, each with three em(2)'s and one fxp0() interface. The setup has run fine since OpenBSD 3.7. Being part of University Zurich our firewall has a 1GBit uplink to the central Uni infrastructure. Recently we have seen that utilizing this link heavily (e.g. when our Tivoli Storage Manager Client behind our firewall starts backing up some Gigabytes to Uni) both CARP interfaces of both nodes would go into MASTER state. I could imagine that CARP advertisements are no longer sent and/or received 'in time' due to the heavy load so that the BACKUP believes it should become MASTER. Wouldn't this be a general CARP problem under heavy load? And if so, how do people here deal with it? I was thinking of adding a simple priq-based ALTQ rule only for CARP. Does this make sense? Or would it be possible (theoretically) to send carp ads over a dedicated link? (Almost) any comments welcome. ;) Welcome to the fine world of livelock and the problem that timeouts are not run on time. If your box enters livelock carp announcements from the master may come late on the backup box so the backup is getting master but the master does not notice that so you end up with two master systems. There is some initial code in -current that tries to avoid the system entering livelock for extended times. It needs a lot of testing so maybe you should try it out and report back. -- :wq Claudio
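Both CARP threads on this page end at the same failure mode: under livelock the backup stops seeing (processing) advertisements in time, promotes itself to MASTER, and the real master never notices, so two nodes hold MASTER at once. The following is an added example, not code from either thread or from OpenBSD, that detects that condition after the fact by correlating the state transitions both nodes log. It relies on the kernel's log format "carpN: state transition: OLD -> NEW" as it appears in /var/log/messages; the hostnames fw0 and fw1, the timestamps and the log lines themselves are constructed. It assumes both nodes' clocks are synchronised (for instance by ntpd); without that, overlap durations computed across two hosts are meaningless.

```python
import re
from datetime import datetime

# Added example; not code from the thread or from OpenBSD. Correlates CARP
# state transitions logged by both nodes to find the "two MASTERs" condition
# Claudio describes. OpenBSD's kernel logs transitions as
# "carpN: state transition: OLD -> NEW"; the lines below are constructed in
# /var/log/messages format with made-up hostnames (fw0, fw1) and times.
# Assumes both hosts keep their clocks in sync; otherwise overlap durations
# computed across hosts mean nothing.

LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /bsd: "
    r"(?P<iface>carp\d+): state transition: (?P<old>\w+) -> (?P<new>\w+)$"
)

# Constructed: the backup promotes itself while the master never demotes,
# then drops back to BACKUP 21 seconds later once advertisements are being
# processed again. That 21 s window had two masters on each carp interface.
DUAL_MASTER_LOG = """\
Dec 12 12:40:01 fw0 /bsd: carp0: state transition: INIT -> MASTER
Dec 12 12:40:01 fw0 /bsd: carp1: state transition: INIT -> MASTER
Dec 12 12:40:02 fw1 /bsd: carp0: state transition: INIT -> BACKUP
Dec 12 12:40:02 fw1 /bsd: carp1: state transition: INIT -> BACKUP
Dec 12 12:56:10 fw1 /bsd: carp0: state transition: BACKUP -> MASTER
Dec 12 12:56:10 fw1 /bsd: carp1: state transition: BACKUP -> MASTER
Dec 12 12:56:31 fw1 /bsd: carp0: state transition: MASTER -> BACKUP
Dec 12 12:56:31 fw1 /bsd: carp1: state transition: MASTER -> BACKUP
"""

# Constructed: a clean failover, the old master steps down before the backup takes over.
CLEAN_FAILOVER_LOG = """\
Dec 12 12:40:01 fw0 /bsd: carp0: state transition: INIT -> MASTER
Dec 12 12:40:02 fw1 /bsd: carp0: state transition: INIT -> BACKUP
Dec 12 13:02:00 fw0 /bsd: carp0: state transition: MASTER -> BACKUP
Dec 12 13:02:01 fw1 /bsd: carp0: state transition: BACKUP -> MASTER
"""


def parse_transitions(text, year=2008):
    """Parse syslog text into time-sorted (when, host, iface, old, new) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog traffic
        # syslog stamps carry no year; the caller supplies it
        when = datetime.strptime("%d %s" % (year, m.group("stamp")),
                                 "%Y %b %d %H:%M:%S")
        events.append((when, m.group("host"), m.group("iface"),
                       m.group("old"), m.group("new")))
    events.sort(key=lambda e: e[0])  # stable: same-second lines keep file order
    return events


def find_dual_master(events):
    """Replay transitions and return (iface, start, end, hosts) for every
    period in which two or more hosts held MASTER on the same carp interface.
    end is None when the overlap is still open at the end of the log."""
    masters = {}        # iface -> set of hosts currently MASTER
    open_overlap = {}   # iface -> (start, hosts)
    findings = []
    for when, host, iface, _old, new in events:
        held = masters.setdefault(iface, set())
        if new == "MASTER":
            held.add(host)
        else:
            held.discard(host)
        if len(held) >= 2 and iface not in open_overlap:
            open_overlap[iface] = (when, frozenset(held))
        elif len(held) < 2 and iface in open_overlap:
            start, hosts = open_overlap.pop(iface)
            findings.append((iface, start, when, hosts))
    for iface, (start, hosts) in open_overlap.items():
        findings.append((iface, start, None, hosts))
    return findings


if __name__ == "__main__":
    for iface, start, end, hosts in find_dual_master(parse_transitions(DUAL_MASTER_LOG)):
        dur = "still open" if end is None else "%ds" % (end - start).total_seconds()
        print("%s: %s held MASTER simultaneously from %s (%s)"
              % (iface, ", ".join(sorted(hosts)), start, dur))
```

Note what the master's own log does not contain: in the livelock case fw0 never logs a transition at all, because from its point of view nothing happened. That is why the check has to merge both nodes' logs rather than look at either one alone.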
Re: AuthPF removing all the states created from an IP
Hello, Seeing that nobody is answering the question below I'd add: Is there anybody who uses authpf in the same scenario? Does it behave like in my case? Any suggestion to keep the states for the user after he/she closes the session? Thank you. On Wed, Dec 17, 2008 at 1:46 PM, Derek derekmail...@gmail.com wrote: Hi list, I'm using authpf to allow external users to access certain restricted services within our network. This network hosts public services as well, that is, services which are open to all of the internet. The thing is that after some tests I realized that a client who has an authpf session open and uses both the authpf-protected service and the public service gets disconnected from all services when he/she closes the authpf session. Looking a little bit closer I can see that all the states created by an IP address are removed when the user from that IP closes the authpf session, so the states created by the authpf rules but also the ones created by the regular pf.conf rules disappear from the table. I guess that this is because there is only one state table and it could be difficult to know which states are generated by which rules. The question is, is there any plan to label or mark the states so it will be possible in the future for the non-authpf states to survive the authpf session? Thank you all. Derek.