Nepenthes on OBSD
Hi, I installed Nepenthes from ports on OBSD and when I run it, I get this message saying: [ crit mgr ] Compiled without support for capabilities, no way to run capabilities Even though I see its workings (sort of) but I don't think its working as expected. It has been running for couple of days and hasn't caught anything. I have Nepenthes on an ubuntu machine , it doesn't give me this message and has caught many binaries in the wild. Can anyone point me why I am getting this message? or the fix? I tried compiling it from scratch with --enable-capabilities but still I get the same message. I would appreciate any help. Thanks Parvinder Bhasin
Re: Nepenthes on OBSD
On Sun, Jan 25, 2009 at 01:58:01AM -0800, Parvinder Bhasin wrote: Hi, I installed Nepenthes from ports on OBSD and when I run it, I get this message saying: [ crit mgr ] Compiled without support for capabilities, no way to run capabilities Even though I see its workings (sort of) but I don't think its working as expected. It has been running for couple of days and hasn't caught anything. I have Nepenthes on an ubuntu machine , it doesn't give me this message and has caught many binaries in the wild. Can anyone point me why I am getting this message? or the fix? I tried compiling it from scratch with --enable-capabilities but still I get the same message. I would appreciate any help. Likely means it can (optionally) use libcap, a library to set POSIX 1e capabilities, an extension to the kernel which is not supported by OpenBSD but popular under Linux etc. Thanks Parvinder Bhasin
Find special hidden files (e.g. .#Makefile.1.31)
Makefile was modified in the source tree. After a CVS update the modified file is renamed to .#Makefile.1.31. I tried the cmd 'find' to find all files starting with '.#' in the source tree. Tried escape characters for '.' and '#' but did not succeed... Any advise/hints? BR /pat
Re: Find special hidden files (e.g. .#Makefile.1.31)
2009/1/25 Patrick Oeschger tbeoe...@armdev.swissptt.ch: I tried the cmd 'find' to find all files starting with '.#' in the source tree. Tried escape characters for '.' and '#' but did not succeed... find . -name .\\#*
getting random icmp host unreachable messages from firewall
Hallo again! When i access internet from behind nat'ting OpenBSD 4.4-current i386 platform firewall (20090121 snapshot, under Xen HVM quest if this test then qualifies) i get randomly icmp host unreachable messages. At the same time network traffic is low and this test firewall is not under any mentionable load. For example about five to ten icmp error messages appear from firewall to wget client when issuing 300 wgets i a raw, like this $ for i in `seq 1 300`; do wget http://172.16.0.12/README?count=$i; -O - 1dhs.$i.log; done # tcpdump -nttti ne3 icmp tcpdump: listening on ne3, link-type EN10MB Jan 25 15:21:04.986368 192.168.10.210 192.168.10.10: icmp: host x.x.x.x unreachable Jan 25 15:21:06.444112 192.168.10.210 192.168.10.10: icmp: host x.x.x.x unreachable ... And insterting one second delay between wgets reduces icmp errors a lot. I belive it has something to do with a firewall's natting because with plain routing it seems to work all right. I would be very greateful if somebody could comment on this. Imre Original Message Subject: getting random icmp host unreachable messages while accessing host from behind nat with 4.4 amd64 Date: Thu, 22 Jan 2009 22:10:32 +0200 From: Imre Oolberg i...@auul.pri.ee To: misc@openbsd.org Hi! I have following problem with my OpenBSD amd64 version firewall and would be very thankful if you can help me with it. Quite accidentally my collegue discovered that while he is accessing content over http from behind natting firewall he doest get it every time. And it happens seemengly randomly, say about ten times per 300 attempts (vise versa firewall is working all right and also with routing). I tested it on living firewall and confirmed it and after that i set up other computers dedicated to test this case more throughly. This is my test setup http server em1 firewall bge0 --- mgm computer server 10.0.5.2 -- 192.168.2.38 172.16.0.12| em0 | | | computer accessing http server (10.0.6.242) firewall has following addresses em0 - 10.0.6.248 em1 - 172.16.0.78 bge0 - 10.0.5.7 mgm computer actually is 192.168.2.38, a hop away. I used 4.4 amd64 system with latest kernel patches (and userspace patches between them) but i also tried original 4.4 kernel, results seem to be the same. dmesg and full pfctl -sa are included in the end of this letter. rules on the firewall are no more no less like this # pfctl -sn nat on em1 inet all tagged ICMP_TEST - 172.16.0.78 # pfctl -sr block drop log all pass in quick on bge0 inet from 192.168.2.0/24 to 10.0.5.7 flags S/SA keep state (tcp.established 1064000) pass in quick on bge0 inet from 10.0.5.0/24 to 10.0.5.7 flags S/SA keep state (tcp.established 1064000) pass in quick on em0 inet proto tcp from 10.0.6.242 to 172.16.0.12 port = www flags S/SA keep state tag ICMP_TEST pass out quick on em1 all flags S/SA keep state tagged ICMP_TEST Here is my testing. I access http in this manner (after fresh reboot) $ for i in `seq 1 300`; do wget http://172.16.0.12/README?count=$i; -O - 1dhs.$i.log; done and the results are like this, i.e. this time five responses are not succeeding $ find . -size 0 ./dhs.251.log ./dhs.171.log ./dhs.179.log ./dhs.188.log ./dhs.149.log while listening on firewall on em0 for icmp i get # tcpdump -nettti em0 icmp Jan 22 21:06:45.787661 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 10.0.6.242: icmp: host 172.16.0.12 unreachable Jan 22 21:06:45.995783 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 10.0.6.242: icmp: host 172.16.0.12 unreachable Jan 22 21:06:46.067863 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 10.0.6.242: icmp: host 172.16.0.12 unreachable Jan 22 21:06:46.150686 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 10.0.6.242: icmp: host 172.16.0.12 unreachable Jan 22 21:06:46.765440 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 10.0.6.242: icmp: host 172.16.0.12 unreachable It may also be essential to say that there does not appear anything relevant (on this network there are other traffic as well to be honest) in pflog. I also saved all traffic on both relevant firewall interfaces during test and followed it and tcpdump shows that during connection failure 1. http client sends syn packet which do not get to the other side of firewall 2. firewall answers this with icmp host unreachable message 3. wget saves zero result 4. client then sends out next syn which gets properly served In the end i tested removing nat and it worked well i.e. without errors (16k of queries). I also tested the same thing with OpenBSD 4.3 and i did work for 24k queries all right (didnt try longer). If someone could please confirm whether this holds true generally on amd64 and i386 (havent tried it yet) platform or it still is some kind of specific combination of my computer and networking
Problems with bwi0 - drops packets and stops responding
While using the bwi0 WiFi on a Dell 1501 laptop, a lot of packets are being dropped (no firewall, 4 yards away from AP, AP is fine as iPhone drops no packets). After a while, the device completely stops responding. I do: $ sudo ifconfig bwi0 down $ sudo ifconfig bwi0 up and within 10 secs, the device works again, but drops a lot of packets until it completely stops responding again, and repeat. I can not tell if the problem is in the kernel (default GENERIC 4.4-STABLE) or in the firmware. Any ideas on how I could figure out the source of the problem and a way to fix would be greatly appreciated. Unless I missed it, I do not see any recent patches for the bwi device. $ dmesg | grep bwi bwi0 at pci3 dev 0 function 0 Broadcom BCM4312 rev 0x01: apic 2 int 18 (irq 11), address 00:19:7d:5e:f5:1f $ uname -a OpenBSD jupiter32-bsd.rexregis.org 4.4 GENERIC.MP#844 i386 $ ifconfig bwi0 bwi0: flags=8843 mtu 1500 lladdr 00:19:7d:5e:f5:1f groups: wlan egress media: IEEE802.11 autoselect (OFDM36 mode 11g) status: active ieee80211: nwid DDWRT chan 11 bssid 00:40:10:10:00:03 51dB wpapsk wpaprotos wpa1,wpa2 wpaakms psk,802.1x wpaciphers tkip,ccmp wpagroupcipher tkip inet6 fe80::219:7dff:fe5e:f51f%bwi0 prefixlen 64 scopeid 0x1 inet 10.192.168.201 netmask 0xff00 broadcast 10.192.168.255 $ ls /var/db/pkg/ | grep bwi bwi-firmware-1.4 $ ping -c 1000 10.192.168.1 64 bytes from 10.192.168.1: icmp_seq=280 ttl=255 time=0.831 ms 64 bytes from 10.192.168.1: icmp_seq=281 ttl=255 time=0.879 ms 64 bytes from 10.192.168.1: icmp_seq=282 ttl=255 time=0.902 ms ping: sendto: Host is down ping: wrote 10.192.168.1 64 chars, ret=-1 ping: sendto: Host is down ping: wrote 10.192.168.1 64 chars, ret=-1 --- 10.192.168.1 ping statistics --- 390 packets transmitted, 162 packets received, 58.5% packet loss round-trip min/avg/max/std-dev = 0.728/1.011/7.031/0.782 ms As you can see, I only made it to 390 packets, but device quit responding at 282 packets. But with only 162 packets received, that's still a 42.5% packet loss. FYI: 10.192.168.1 is still up. Jason P.S: Yes, I know, Broadcom is a POS for OpenSource. I will do a better job next time when I shop for a laptop. Are the Apple MacBook Pros completely OpenBSD compatible?
Re: Find special hidden files (e.g. .#Makefile.1.31)
On Sun, Jan 25, 2009 at 01:19:28PM +0100, Patrick Oeschger wrote: Makefile was modified in the source tree. After a CVS update the modified file is renamed to .#Makefile.1.31. I tried the cmd 'find' to find all files starting with '.#' in the source tree. Tried escape characters for '.' and '#' but did not succeed... Any advise/hints? find . -name '.#*' BR /pat -- Alexander Yurchenko
OT: Hard Disk Problems (was: Re: Dealing with Seagate's problematic 7200.11 firmware.)
Hi, On Fri, 23.01.2009 at 21:28:34 +, Dieter open...@sopwith.solgatos.com wrote: Recovering from Seagate's problematic 7200.11 firmware. first off, several other product lines are affected, too. In particular, the popular ES and ES.2 server grade disks are also affected, to the best of my knowledge. Seagate only admits to problems with ES.2 drives, not ES drives, though. Seagate's response has been less than wonderful. We need a FLOSS solution. Right. We need for this to work with any flavor of Unix, We need to do this from within a running system. We need for this to work on one drive without affecting other drives. My first idea is that smartmontools probably provide much of the required framework alreaedy, and could possibly extended to work with this situation, too. If Maxtorman is correct, then once the drive has been operating awhile, Seagate sent me the following link http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=207931 which imho contributes to the impression of a less-than-stellar response by stating Based on the low risk as determined by an analysis of actual field return data, Seagate believes that the affected drives can be used as is. (current as of _now_). that works properly. Since Seagate's solution will require attaching the drive to an x86 system and booting a FreeDOS ISO from CD, if the log is at 320 that boot will brick the drive. As far as I understood, the firmware has a sort of a boot loader which reads the actual firmware from the drive, and also writes new firmware to the drive. This leads me to suspect that writing a modified boot loader firmware which does not contain such log entry reading or writing, could bypass the 'brickedness' caused by the broken firmware which is actually on the platters (ie, which is what the boot loader needs to load to begin with). So, if a modified boot loader would eg. abstain from loading the firmware on the drive, the corruption of said firmware on the drive would not occur, thus not blocking the remainder of the hardware. However, if, and how, such a new boot loader could be placed into the ???ROMs of the drive, I really don't know. Once Seagate releases working firmware, we want to be able to install it from Unix, on any CPU arch. Seagate's release can only install on x86 using FreeDOS. - smartmontools come to mind. Is Maxtorman correct about the 320 log entries? My dealer told me a similar story, but I don't know where he had it from. Kind regards, --Toni++
Mr.SAIDOU KEITA URGENT PARTNERSHIP/INVESTMENT
!Tengo nueva direccisn de correo!Ahora puedes escribirme a: saidoukeit...@yahoo.com.mx Mr Saidou Keita,staff of bank,i wan't to transfer $4.500 million to your account Saidou Keita - saidou keita
Re: KDE/DCOP vs pf
On 2009 January 24 03:09:57 pm Pereresus ne Vlezaet Buggy wrote: Add set skip on lo. Searching for the right place of this string will be your homework. Thanks much. My working pf.conf now contains: vvv=pf.conf===vvv ## MACROS tcp_services = { ssh, smtp, smtps, domain, www, auth, pop3s, ftp, sftp, https, imaps } udp_services = { domain, pop3, pop3s, imaps } # KDE uses loopback set skip on lo0 ## DEFAULT: DENY external access; OK going out block in all pass out proto tcp to any port $tcp_services pass proto udp to any port $udp_services pass out inet proto icmp all icmp-type 8 code 0 ^^^=E O F===^^^ Cheers, -KenD
Re: ipv6 neighbor discovery over a wpa wireless link
On Sat, Jan 24, 2009 at 3:46 PM, Mark Zimmerman markz...@frii.com wrote: Greetings: I am trying to get ipv6 neighbor discovery working over a wpa wireless link between two ral interfaces. I get nothing, and no error messages from rtadvd on the router. The router is 4.4-current and the laptop is a 4.3 snapshot that I really need to update. Ipv4 works fine. Hello, My setup is the following: router on OpenBSD 4.4-STABLE access point linksys running openwrt laptop devices with v6 support None of them have a single problem getting a router advertisement. So I am guessing you might have some filtering taking place or maybe radvd is not listening to the right interface. So, are you getting RA over wired connection? If so, are you using a separate network for the wireless net (although I have wired and wireless, i do not separate subnets). Last but not least, may I suggest that you run pftop (from ports) and look at it when you connect the laptop. Cheers, Steph
Re: ipv6 neighbor discovery over a wpa wireless link
On 2009-01-24, Mark Zimmerman markz...@frii.com wrote: Greetings: I am trying to get ipv6 neighbor discovery working over a wpa wireless link between two ral interfaces. I get nothing, and no error messages from rtadvd on the router. The router is 4.4-current and the laptop is a 4.3 snapshot that I really need to update. Ipv4 works fine. Before I spend too much time on this, I wanted to check if this might not be a supported capability. Should it be possible to do this? ral/wpa/ipv6 works ok here with -current from the last week on the laptop and Dec 13 snap on the hostap box... if you really need to update the laptop, why not do that before spending any time on it.
Re: ral0 hangs during sftp
On 2009-01-24, David Higgs hig...@gmail.com wrote: I recently installed 4.4-stable and started using wireless with WPA2. Basic web browsing had been working fine all week, but today I started moving some files around via sftp and suddenly the link stalled. Log messages indicate resource problems with named but not a total link failure, since dhcpd still worked. Running ifconfig up/down appeared to fix the problem temporarily; I lost patience and found a wired connection after the second hang. Is this somehow related to Fix HW crypto on ral(4) devices. in the list of -current changes? Is there any additional information I can provide? there are various fixes to ral(4) post-4.4. I definitely think you should be running -current from the last month or so if you have problems with earlier ral(4) code.
Re: KDE/DCOP vs pf
On Sun, Jan 25, 2009 at 03:45:25AM -0800, Ken Dickey wrote: On 2009 January 24 03:09:57 pm Pereresus ne Vlezaet Buggy wrote: Add set skip on lo. Searching for the right place of this string will be your homework. Thanks much. My working pf.conf now contains: i'll take the opportunity to offer my opinion that one stands to save a LOT of time by *logging blocks* during debugging. eg: 'block in log all' or whatever the grammar needs to be. then just watch pflog0 on tcpdump with a bunch of -v action and you can see what the traffic is and create allows based on that. -- jared
Re: isakmpd does not initiate quick mode after main mode is established
Christoph Leser le...@sup-logistik.de wrote: I'm still struggling to keep my ipsec vpns running smoothly. FWIW, I mostly use IPsec on my home WLAN and I observe a similar lack of reliability. My laptop sets up two IPsec associations, one IPv4 and one IPv6, and from time to time one of these or both fail inexplicably (no response, no proposal chosen) but eventually get established within ten minutes or so. Since this is WLAN, I have considered that packet loss may screw up the ISAKMP negotiation, but I haven't investigated. I wonder how people who run a large number of IPsec associations in production settings deal with this or if they are seeing it at all. -- Christian naddy Weisgerber na...@mips.inka.de
Re: Apache file upload
On 1/23/2009 11:37 PM, Nick Holland wrote: I found an application called file upload by Jeffery Carnahan. GNU license, and currently seems to be proof that GNU does NOT mean can't disappear. A quick search found http://www.freebsddiary.org/fileupload.php, which has a link to a mirror of the tar file.
Re: Altq doesn't works as I expect on OpenBSd 4.4
Hi, On Thu, 20.11.2008 at 17:08:31 +, Stuart Henderson s...@spacehopper.org wrote: also note you can queue the _inbound_ packets, which will associate a queue with the state table entry, then the queue of this name will be used when those packets are sent _out_. this sounds like it fills a gap in the man page, imho. many of the views from pftop are also available in systat (in the base OS) these days. see systat queues, systat rules, systat pf etc. systat queues does not work if you're not root, but otherwise, it fills a gap, too. Thank you! Kind regards, --Toni++
Re: Problems with bwi0 - drops packets and stops responding
I may have found my answer looking at the 4.4 to -current log. Make sure the bwi(4) driver does not try to attach rev 2 BCM431[1-2] chipsets, as they require v4 firmware and bwi(4) currently uses v3. However, this says rev 2 of the chipset, from dmesg: bwi0 at pci3 dev 0 function 0 Broadcom BCM4312 rev 0x01: apic 2 int 18 (irq 11), address 00:19:7d:5e:f5:1f it says I have rev 1 of the chipset. Is my problem related to this or are we sure the v4 firmware only affects rev 2 chipsets? If my problem is due to firmware versions, any work on getting bwi(4) to v4? Jason -- View this message in context: http://www.nabble.com/Problems-with-bwi0---drops-packets-and-stops-responding-tp21652920p21659111.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: ipv6 neighbor discovery over a wpa wireless link
On Sun, Jan 25, 2009 at 09:56:50PM +, Stuart Henderson wrote: On 2009-01-24, Mark Zimmerman markz...@frii.com wrote: Greetings: I am trying to get ipv6 neighbor discovery working over a wpa wireless link between two ral interfaces. I get nothing, and no error messages from rtadvd on the router. The router is 4.4-current and the laptop is a 4.3 snapshot that I really need to update. Ipv4 works fine. Before I spend too much time on this, I wanted to check if this might not be a supported capability. Should it be possible to do this? ral/wpa/ipv6 works ok here with -current from the last week on the laptop and Dec 13 snap on the hostap box... if you really need to update the laptop, why not do that before spending any time on it. I think I will do that now that I have confirmation that it ought to work. Thanks for the response.
Publique GRATIS no nosso portal
Se nco visualizar esta pagina correctamente , clique aqui * Conhega as diferentes formas de publicitar o seu produto ou negscio * Anzncios online de publicagco imediata. Faga a sua prspria gestco, e modificagco dos anzncios online. Publique GRATIS no portaldanet.com , com fotos e texto da sua empresa, negscio ou produtos nas categorias do site. Se quiser aderir ` nossa campanha de web marketing semanal, do seu negscio ou produto, para 350.000 contactos em Portugal, contacte-nos para aderir ao nosso sistema, ou entre na sua conta pessoal e adira ao pacote instantbneo Campanha publicitaria. O envio dessa campanha tera uma foto da sua empresa ou produto com o link directo para a sua pagina Web ou para a publicidade que tiver publicada no nosso portal de classificados. Veja a campanha de alguns negscios desta semana nos links abaixo: Nissan NAVARRA 2004 MORADIA T4 - NOVA - OPORTUNIDADE Ford Focus TCDI 1600 Sport CAHER 550F - BOM PREGO Mota Honda CBF 1000 Preta Sofa cama de 3 lug+1 +poltrona Pastelaria/Geladaria Mobiliario escritsrio Fiat Punto HGT 1.8 16v Esta mensagem esta de acordo com a legislagco Europeia sobre o envio de mensagens comerciais. Destina-se unicamente a clientes, potenciais clientes e parceiros e nco pode ser considerada SPAM porque tem inclumdo contacto e instrugues para remogco da nossa lista de emails. Qualquer mensagem devera estar claramente identificada com os dados do emissor e devera proporcionar ao receptor a hipstese de ser removida da lista (Directiva 2000/31/CE do Parlamento Europeu; Relatsrio A5-0270/2001 do Parlamento Europeu). Se desejar ser retirado desta mailing list Clique aqui. Obrigado!
Re: OT: Hard Disk Problems (was: Re: Dealing with Seagate's problematic 7200.11 firmware.)
Recovering from Seagate's problematic 7200.11 firmware. first off, several other product lines are affected, too. In particular, the popular ES and ES.2 server grade disks are also affected, to the best of my knowledge. Seagate only admits to problems with ES.2 drives, not ES drives, though. Word is the Maxtor Diamond Max 21 line is also affected. We need to do this from within a running system. Yes. My first idea is that smartmontools probably provide much of the required framework alreaedy, and could possibly extended to work with this situation, too. Thanks. I downloaded smartmontools, fixed a couple of ILP vs LP64 bugs, and it appears to provide the number of SMART log entries. Is Maxtorman correct about the 320 log entries? My dealer told me a similar story, but I don't know where he had it from. I guess the next step is to find out if Maxtorman is correct about this 320 log entries stuff, and if the SMART log entries as reported by smartmontools is the log to worry about, or if there is some other log. E.g. see the Read Log Ext and Write Log Extended commands I posted yesterday. I don't know if these use the same log as the SMART commands or if this is something different.
Re: ral0 hangs during sftp
On Sun, Jan 25, 2009 at 5:00 PM, Stuart Henderson s...@spacehopper.org wrote: there are various fixes to ral(4) post-4.4. I definitely think you should be running -current from the last month or so if you have problems with earlier ral(4) code. Can I take that ral code and stick it into 4.4? -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related