Re: acpithinkpad problems on thinkpad w500

2009-03-09 Thread Didier Wiroth
Hello,
Thanks for replying.

It is now the exact same behaviour as mentioned in the bug report and email 
"pending/6099" from Aaron W.Hsu.

The message starts when opening the cd. Disabling acpithinkpad stops the 
message flood but it is still impossible to close the cd.

Kind regards,
Didier

> -Original Message-
> From: joshua stein [mailto:j...@openbsd.org]
> Sent: 09 March 2009 01:43
> To: misc@openbsd.org
> Subject: Re: acpithinkpad problems on thinkpad w500
> 
> > I came across a strange problem today. I (accidentally) opened the
> cd/dvd
> > player of my thinkpad w500 laptop. Once the player is opened, it is
> > impossible to close it, as it is immediately reopened.
> >
> > Dmesg is flawed with the following messages:
> > acpithinkpad0: unknown type 3 event 0x006
> >
> > Any ideas on how I can solve the problem?
> 
> does the event log at the opening or closing of the drive?
> 
> if you disable the acpithinkpad device (boot -c) does the drive work
> properly?



Re: PF firewall system capable of handling a multi-gigabit link

2009-03-09 Thread Alface Voadora
2009/3/9 Ted Unangst 

> On Sun, Mar 8, 2009 at 2:14 PM, Alface Voadora 
> wrote:
> > Do you know about any installed firewall cluster that has pf+carp+pfsync
> > working along with ALTQ on a multi-gigabit configuration with an
> acceptable
> > performance?
>
> how many gigabits is multi-gigabit?  2, 10, 400?


2 Gbps


>  can't you just test
> openbsd and see if it works?


Yes I can, and obviously I will test it.



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread J.C. Roberts
On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
 wrote:

> I have pf running on my firewall box and I'm experiencing some strange
> behaviour. After several hours (this may even be 24 hours) of
> functioning normally, pf seems to reload its default rules which means
> that from that point on all traffic is blocked. A simple "pfctl -f
> /etc/pf.conf" fixes the problem but it is very annoying.

ummm... no. Think about it for a moment. The default rules *are* stored
in /etc/pf.conf --the very same file you are manually reloading, so
it's obviously not magically reloading the "default rules" as you claim.

What kind of connection are you running?
Is your public IP address static or dynamic?
More importantly, are you running some sort of
tunneling/authentication such as PPPoE or similar?

In short my first guess is your IP is changing every 24 hours or so due
to your service provider using dynamic addressing (and trying to
prevent you from having a particular IP for too long). If I'm right,
then your problem is that pf is holding on to the old rules for your
old IP address even though your IP had changed. In other words, you
have a configuration error.

-- 
J.C. Roberts



Re: pppoe server

2009-03-09 Thread ttw+bsd
On 08.03-11:13, Lo?=?VAI DC!niel wrote:
[ ... ]
> I wish to experiment setting up a PPPoE server (AC) on OpenBSD 4.4. 
> Although I've read the pppoe(8) man page and googled around, it is not 
> clear for me how to set up such configuration.

man sppp



x11 problems with lenovo w500

2009-03-09 Thread Didier Wiroth
Hello,

I have a strange problem which I never had in the past when using a lenovo
laptop with a somewhat identical configuration.

I'm using CURRENT with a lenovo w500 (model 4063-34G). This model has one of
these switchable dual graphics.
(ATI Mobility Radeon FireGL V5700 + Intel's integrated GMA 4500MHD)
(X11 identifies the ati card as an "ati mobility radeon HD 3650")

For now, I'm using the intel adapter, as the ati adapter is very, very slow
when watching a movie.
I'm using the following display bios settings:
a) Default Primary Video Device: Internal
b) Boot Display Device: ThinkPad LCD
c) Graphics Device: "Integrated Graphics"
d) OS Detection for Switchable Graphics: Disabled

Now, let me explain the problem in my simple words.

I'm dualbooting between windows xp and openbsd:
partition 1 - openbsd current
partition 2 - windows xp

Partition 2 is fully encrypted with truecrypt (http://www.truecrypt.org).

In non-technical terms, when I boot, the following happens:
the Truecrypt prompt/"boot loader" appears, and I have two choices:

a) Enter a passphrase to access the windows bootloader
If I choose this option and enter a passphrase the windows xp bootloader
appears and I can still choose to boot into windows xp or openbsd (I have
followed the guidelines at 
to add the openbsd partition boot record to the boot.ini of windows xp).
Here is the Xorg.0.log:

Here is the dmesg:


If I boot via a) into Openbsd, X11 _IS_ working, no problem here!

b) Now, if I bypass the authentication and boot directly into openbsd,
the openbsd kernel is loaded, but I'm _NOT_ able to start X11.
Here is the NON-working Xorg.0.log:

Here is the dmesg.boot:

(I don't think there is a difference between the two DMESG, but I included
them in case someone would like to have a look into it)

Here is a snip of the error message:
(II) Loading /usr/X11R6/lib/modules//libvgahw.so
(II) Module vgahw: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 0.1.0
ABI class: X.Org Video Driver, version 4.1
(II) intel(0): Creating default Display subsection in Screen section
"Builtin Default intel Screen 0" for depth/fbbpp 24/32
(==) intel(0): Depth 24, (--) framebuffer bpp 32
(==) intel(0): RGB weight 888
(==) intel(0): Default visual is TrueColor
(II) intel(0): Integrated Graphics Chipset: Intel(R) Mobile Intel® GM45
Express Chipset
(--) intel(0): Chipset: "Mobile Intel® GM45 Express Chipset"
(--) intel(0): Linear framebuffer at 0xD000
(--) intel(0): IO registers at addr 0xF440
(EE) intel(0): Unable to map mmio range. Invalid argument (22)

Fatal server error:
Caught signal 11.  Server aborting

Thanks a lot for your help!
Didier






Re: acpithinkpad problems on thinkpad w500

2009-03-09 Thread J.C. Roberts
On Mon, 09 Mar 2009 08:23:04 + Didier Wiroth
 wrote:

> Hello,
> Thanks for replying.
> 
> It is now the exact same behaviour as mentioned in the bug report and
> email "pending/6099" from Aaron W.Hsu.
> 
> The message starts when opening the cd. Disabling acpithinkpad stops
> the message flood but it is still impossible to close the cd.
> 
> Kind regards,
> Didier

Just a thought... on motorized cd/dvd drives you can use cdio

# cdio close

Seemed worth a shot.

-- 
J.C. Roberts



Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-03-09 Thread Arnoud Vermeer
We commented out the following lines, to test if it is indeed an 
End-of-RIB-marker that is acting up, and it turns out it isn't.

in rde.c line 2613 we commented out this:

   if (peer->capa_received.restart && peer->capa_announced.restart)
 peer_send_eor(peer, afi, safi);

This is the only place where the peer_send_eor function is called, and 
commented out, the bug remains. Hence we assume it is not an eor message 
that causes the issue... but an update generated somewhere else.

Because the empty update is sent out to all connected parties, I think 
it has something to do with the 'announce all' capability.

On 3/8/09 10:48 PM, Arnoud Vermeer wrote:
> No, this is not the only session. Here is the full config, I hope it helps:
>
> Things start going wrong when I add the following to a v6 session:
> tcp md5sig password hondjes
>
> --
>
> AS 6777
> router-id 195.69.145.245
> fib-update no
> log updates
> listen on 195.69.145.245
> listen on 2001:7F8:1::A500:6777:4
>
> nexthop qualify via bgp
> transparent-as yes
>
> dump all in "/tmp/all-in-dump-%H%M" 300
> dump all out "/tmp/all-out-dump-%H%M" 300
>
> group "peers-rs-v6" {
>   announce IPv6 unicast
>   announce IPv4 none
>   softreconfig in yes
>   enforce neighbor-as yes
>   set nexthop no-modify
>   local-address 2001:7F8:1::A500:6777:4
>
>   neighbor 2001:7f8:1::A500:1200:1 {
>   descr "AS1200-v6-01"
>   remote-as 1200
>   announce all
>   passive
>   tcp md5sig password hondjes
>   }
>
>   neighbor 2001:7f8:1::A500:1200:2 {
>   descr "AS1200-v6-02"
>   remote-as 1200
>   announce all
>   passive
>   }
>
>   neighbor 2001:7f8:1::a504:8345:1 {
>   descr "XSNEWS-v6-01"
>   remote-as 48345
>   announce all
>   passive
>   max-prefix 5
>   }
>
>   neighbor 2001:7f8:1::a504:8345:2 {
>   descr "XSNEWS-v6-02"
>   remote-as 48345
>   announce all
>   passive
>   max-prefix 5
>   }
>
>   neighbor 2001:7F8:1::A503:4763:1 {
>   descr "ABSOLUTE-v6-01"
>   remote-as 34763
>   announce all
>   passive
>   max-prefix 350
>   }
>
>   neighbor 2001:7F8:1::A501:6265:1 {
>   descr "LEASEWEB-v6-01"
>   remote-as 16265
>   announce all
>   passive
>   max-prefix 115
>   }
>
>   neighbor 2001:7F8:1::A501:6265:2 {
>   descr "LEASEWEB-v6-02"
>   remote-as 16265
>   announce all
>   passive
>   max-prefix 115
>   }
>
>   neighbor 2001:7F8:1::A504:1692:1 {
>   descr "OPENCARRIER-v6-01"
>   remote-as 41692
>   announce all
>   passive
>   max-prefix 5
>   }
>
>   neighbor 2001:7f8:1::a500:559:1 {
>   descr "SWITCH-v6-01"
>   remote-as 559
>   announce all
>   passive
>   max-prefix 252
>   }
>
> }
>
> group "peers-rs-v4" {
>   announce IPv6 none
>   announce IPv4 unicast
>   softreconfig in yes
>   enforce neighbor-as yes
>   set nexthop no-modify
>
>   neighbor 195.69.144.1 {
>   descr "AS1200-rtr-eun-01"
>   remote-as 1200
>   announce all
>   passive
>   max-prefix 5
>   tcp md5sig password hondjes
>   }
>
>   neighbor 195.69.145.1 {
>   descr "AS1200-rtr-glo-02"
>   remote-as 1200
>   announce all
>   passive
>   max-prefix 5
>   }
>
>   neighbor 195.69.144.229 {
>   descr "XSNEWS-01"
>   remote-as 48345
>   announce all
>   passive
>   max-prefix 5
>   }
>
>   neighbor 195.69.145.229 {
>   descr "XSNEWS-02"
>   remote-as 48345
>   announce all
>   passive
>   max-prefix 5
>   }
>
>   neighbor 195.69.144.168 {
>   descr "AKAMAI-01"
>   remote-as 20940
>   announce all
>   passive
>   max-prefix 152
>   }
>
>   neighbor 195.69.145.208 {
>   descr "AKAMAI-02"
>   remote-as 20940
>   announce all
>

arp MiTM

2009-03-09 Thread irix
Hello Misc,

 How to protect your server from such attacks without the use of static arp
entries?
 For FreeBSD 5.0 a patch, arp_antidote, was written
(http://freecap.ru/if_ether.c.patch);
 could somebody port it to OpenBSD?

Also, in FreeBSD it is possible to specify a flag through ifconfig
on the interface, "staticarp", while "If the Address Resolution Protocol is
enabled,
the host will only reply to requests for its addresses, and will never send
any requests."
Could you add this flag in OpenBSD?
-- 
Best regards,
 irix  mailto:i...@ukr.net



Re: pf does not log all block

2009-03-09 Thread Pierre Lamy
Without the "quick" keyword, pf evaluates all of your rules and if a 
more-permissive rule exists to match the traffic flow, it is used. This 
is different than some commercial firewalls such as Check Point which 
stop when the traffic matches a rule, and the rules are processed in order.


It's common in a pf setup to block all at the beginning of the security 
rules, without the quick keyword, and then add the pass rules 
afterwards. Anything not matching a pass rule would by default hit your 
first block all rule.


If you are very used to an in-order-stop-when-match firewall then using 
quick on every rule will be more familiar to you, and your block quick 
log all should be at the bottom of your rulebase after the pass rules.


Pierre

patrick keshishian wrote:
> On Sun, Mar 8, 2009 at 11:12 AM, Maxx Twayne  wrote:
>> Hi,
>>
>> I would like to see all blocked packets with pf. And i used this :
>>
>> block in log on $ext_if all
>> block out log all
>>
>> But when i read on pflog0 on the pflog file, i didn't got any blocked
>> packets.
>> Only the logged pass that i asked.
>>
>> Is there any kind of protection, or i did something wrong ?
>
> hard to tell with the small snippet of your pf.conf you included. It
> could be a problem with your rule-set that allows everything to pass.
> can't tell with the info you provided.
>
> --patrick
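
Pierre's point (last matching rule wins unless it carries quick) is easy to get wrong, and the stray non-logging block that Maxx reports finding later in the thread is exactly the case that bites. The following simulator is an added illustration, not pf itself and not code from anyone in the thread: it parses the small subset of pf.conf syntax used in the question (block/pass, in/out, log, quick, on, proto, port, all), evaluates sample packets the way pf orders rules, and shows how a trailing `block all` silences the logging rules and blocks the ssh traffic the pass rule was meant to allow. Interface name em0 and the rulesets are assumed for illustration.

```python
"""Toy model of pf rule evaluation: every matching rule is considered in
order, the LAST match decides, and a matching rule with 'quick' stops
evaluation on the spot.  When nothing matches, pf's default is pass.

Added illustration (constructed rulesets); not pf and not the thread's code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                          # "block" or "pass"
    direction: Optional[str] = None      # "in", "out" or None for both
    iface: Optional[str] = None
    proto: Optional[str] = None
    port: Optional[int] = None           # destination port
    log: bool = False
    quick: bool = False
    text: str = ""


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int


def parse_rule(line: str) -> Rule:
    """Parse the tiny pf.conf subset used in the thread into a Rule."""
    toks = line.split()
    rule = Rule(action=toks[0], text=line)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "log":
            rule.log = True
        elif t == "quick":
            rule.quick = True
        elif t == "on":
            i += 1
            rule.iface = toks[i]
        elif t == "proto":
            i += 1
            rule.proto = toks[i]
        elif t == "port":
            i += 1
            rule.port = int(toks[i])
        # "all", "from", "to", "any" add no constraint in this subset
        i += 1
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.port is None or rule.port == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, str]:
    """Return (action, logged, winning rule text) as pf would decide it."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:               # quick: stop at the first match
                break
    if winner is None:
        return ("pass", False, "<default pass>")
    return (winner.action, winner.log, winner.text)


EXT_IF = "em0"   # assumed external interface name

# The question's logging blocks, a pass rule, and a stray trailing block:
# with last-match-wins the final 'block all' overrides the logging rules
# AND the pass rule, so nothing is logged and ssh is blocked too.
BROKEN = [parse_rule(l) for l in [
    f"block in log on {EXT_IF} all",
    "block out log all",
    f"pass in on {EXT_IF} proto tcp to port 22",
    "block all",
]]
FIXED = BROKEN[:-1]                       # drop the stray block

# First-match style: quick on every rule, logging block at the bottom.
QUICK_STYLE = [parse_rule(l) for l in [
    f"pass in quick on {EXT_IF} proto tcp to port 22",
    "block quick log all",
]]


if __name__ == "__main__":
    telnet, ssh = Packet("in", EXT_IF, "tcp", 23), Packet("in", EXT_IF, "tcp", 22)
    for name, rs in (("broken", BROKEN), ("fixed", FIXED), ("quick", QUICK_STYLE)):
        print(name, "telnet ->", evaluate(rs, telnet))   # broken: ('block', False, 'block all')
        print(name, "ssh    ->", evaluate(rs, ssh))      # broken: blocked, fixed/quick: pass
```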




Re: arp MiTM

2009-03-09 Thread Paul de Weerd
From a quick glance over the patch, it seems pretty useless unless you
also prevent MAC spoofing. You may want to look into port security for
your switches or 802.1x if this is a big concern to you.

Cheers,

Paul 'WEiRD' de Weerd

On Mon, Mar 09, 2009 at 02:11:38PM +0200, irix wrote:
| Hello Misc,
|
|  How to protect your server from such attacks without the use of static arp
entries?
|  By freebsd 5.0 patch was written arp_antidote
(http://freecap.ru/if_ether.c.patch),
|  somebody could port it on openbsd?
|
| Also, in freebsd it is possible to specify a flag through the ifconfig
| on the interface "staticarp", while "If the Address Resolution Protocol is
enabled,
| the host will only reply to requests for its addresses, and will never send
any requests."
| May you made this flag in openbsd ?
| --
| Best regards,
|  irix  mailto:i...@ukr.net
|

--
 http://www.weirdnet.nl/
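
Whether or not the kernel is patched, the thing a host or its administrator can actually observe is an IP address whose advertised MAC suddenly changes. The monitor below is an added defensive example, not code from the thread or from the FreeBSD patch it discusses: it reads text lines in the shape that `tcpdump -n arp` prints, keeps the first IP-to-MAC binding it saw, and raises an alert when a later reply contradicts it, escalating for addresses marked as protected (the gateway is the usual one). The log lines are constructed for the example, not captured.

```python
"""Passive ARP-binding monitor: alert when an IP's advertised MAC changes,
the visible symptom of the ARP cache poisoning discussed in the thread.

Added defensive example; not the thread's code and not the FreeBSD patch.
Input is text in the form 'tcpdump -n arp' prints; the sample is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Matches "... Reply 192.0.2.1 is-at 00:00:5e:00:53:01, ..." (case-insensitive)
REPLY_RE = re.compile(r"\breply (\S+) is-at ([0-9a-f:]{17})", re.I)

# Constructed sample: a legitimate gateway reply, then a different MAC
# claiming the same gateway address, then an unrelated host.
SAMPLE_LOG = """\
10:00:01.000001 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
10:00:01.000201 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28
10:00:07.100000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28
10:00:09.300000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:aa, length 28
10:00:09.300400 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:aa, length 28
10:00:15.000000 ARP, Reply 192.0.2.20 is-at 00:00:5e:00:53:20, length 28
"""

Alert = Tuple[int, str, str, str, str]   # (line no, severity, ip, old mac, new mac)


def scan(lines: Iterable[str], protected: Iterable[str] = ()) -> List[Alert]:
    """Walk ARP reply lines and report every change of an IP's MAC binding.

    Addresses in `protected` (e.g. the default gateway) get CRITICAL, since
    a flapping gateway binding is the classic man-in-the-middle signature.
    """
    protected = set(protected)
    seen: Dict[str, str] = {}             # ip -> MAC currently believed
    alerts: List[Alert] = []
    for n, line in enumerate(lines, 1):
        m = REPLY_RE.search(line)
        if not m:
            continue                      # requests and non-ARP lines are ignored
        ip, mac = m.group(1), m.group(2).lower()
        if ip not in seen:
            seen[ip] = mac                # first sighting: trust and record
        elif seen[ip] != mac:
            sev = "CRITICAL" if ip in protected else "WARNING"
            alerts.append((n, sev, ip, seen[ip], mac))
            seen[ip] = mac                # follow the new binding so a repeat
                                          # of it does not alert again; a
                                          # flap back to the old MAC will
    return alerts


if __name__ == "__main__":
    for n, sev, ip, old, new in scan(SAMPLE_LOG.splitlines(), protected={"192.0.2.1"}):
        print(f"line {n}: {sev} {ip} changed {old} -> {new}")
```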



Re: acpithinkpad problems on thinkpad w500

2009-03-09 Thread Didier Wiroth
> Just a thought... on motorized cd/dvd drives you can use cdio
> 
>   # cdio close

Nope ... returns the following error:

cd0(ahci0:1:0): Check Condition (error 0x70) on opcode 0x1b
SENSE KEY: Illegal Request

Didier



Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-03-09 Thread Claudio Jeker
On Mon, Mar 09, 2009 at 12:25:12PM +0100, Arnoud Vermeer wrote:
> We commented out the following lines, to test if it is indeed an 
> End-of-RIB-marker that is acting up, and it turns out it isn't.
> 
> in rde.c line 2613 we commented out this:
> 
>if (peer->capa_received.restart && peer->capa_announced.restart)
>  peer_send_eor(peer, afi, safi);
> 
> This is the only place where the peer_send_eor function is called, and 
> commented out, the bug remains. Hence we assume it is not an eor message 
> that causes the issue... but an update generated somewhere else.
> 
> Because the empty update is sent out to all connected parties, I think 
> it has something to do with the 'announce all' capability.
> 

yes, I had a quick mail exchange with henning about that. There seems to
be a wild update that causes these bad updates. I'm currently in Japan
preparing everything for AsiaBSDCon plus some traveling. As soon as I can
get my head free of all the rest I will look into it.
I have a few ideas but nothing was obvious enough to be seen by glancing
over the code.

Btw. does this only happen with full IPv6 feeds or are a few announcements
already enough?

-- 
:wq Claudio



ichiic0 errors on 4.3

2009-03-09 Thread Srikant Tangirala
Hi 

I have been noticing these kernel messages once in 
a while on my i386 machine running 4.3 (+ all patches 
up to date). The drive is brand new 500GB SATA.

ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x0
ichiic0: abort failed, status 0x0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x0
ichiic0: abort failed, status 0x0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 
0x40
ichiic0: abort failed, status 0x0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 
0x40
ichiic0: abort failed, status 0x40

Is this the sign of an impending motherboard failure?
It is an intel D915GVWB. Can someone please shed some 
light on the meaning of these. I know 4.5 is about to
be released. I will definitely move on to it. If this
regards some issue which was fixed in 4.4 or later,
I apologize for bringing this up again.

The dmesg is as follows. Let me know if anything else 
is required for analysis.

OpenBSD 4.3 (GENERIC) #0: Thu Feb 12 22:22:54 IST 2009
root@:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.06GHz ("GenuineIntel" 686-class) 3.07 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CNXT-ID,CX16,xTPR
real mem  = 1599647744 (1525MB)
avail mem = 1537679360 (1466MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/12/05, SMBIOS rev. 2.3 @ 0xe5bf1 (32 
entries)
bios0: vendor Intel Corp. version "WB91X10J.86A.1319.2005.1012.0939" date 
10/12/2005
bios0: Intel Corporation D915GVWB
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 0%
apm0: AC off, battery charge unknown, estimated 0:00 hours
acpi at bios0 function 0x0 not configured
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xae00!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915G Host" rev 0x04
agp0 at pchb0: aperture at 0x6000, size 0x1000
vga1 at pci0 dev 2 function 0 "Intel 82915G Video" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 "Intel 82801FB HD Audio" rev 0x03: irq 11
azalia0: codec[s]: Realtek ALC880
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x03
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 2 "Intel 82801FB PCIE" rev 0x03
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 3 "Intel 82801FB PCIE" rev 0x03
pci4 at ppb3 bus 4
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: irq 9
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: irq 10
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: irq 11
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: irq 11
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: irq 9
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd3
pci5 at ppb4 bus 5
vr0 at pci5 dev 0 function 0 "VIA VT6105 RhineIII" rev 0x8b: irq 11, address 
00:21:91:8e:3f:4b
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 9: OUI 0x004063, 
model 0x0034
vr1 at pci5 dev 1 function 0 "VIA VT6105 RhineIII" rev 0x8b: irq 11, address 
00:21:91:8d:e8:be
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 9: OUI 0x004063, 
model 0x0034
fxp0 at pci5 dev 8 function 0 "Intel 82801FB LAN" rev 0x01, i82562: irq 11, 
address 00:16:76:63:2f:e3
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801FB LPC" rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801FB IDE" rev 0x03: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 "Intel 82801FB SATA" rev 0x03: DMA, channel 0 
configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 "Intel 82801FB SMBus" rev 0x03: irq 10
iic0 at ichiic0
adt0 at iic0 addr 0x2e: emc6d100 rev 0x68
spdmem0 at iic0 addr 0x50: 256MB DDR SDRAM non-parity PC3200CL2.5
spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC3200CL3.0
spdmem2 at iic0 addr 0x52: 256MB DDR SDRAM non-parity PC2700CL2.5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2

Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-03-09 Thread Henning Brauer
* Arnoud Vermeer  [2009-03-08 22:54]:
> No, this is not the only session. Here is the full config, I hope it helps:
> 
> Things start going wrong when I add the following to a v6 session:
> tcp md5sig password hondjes

wait. removing tcpmd5 fixes the problem? you gotta be kidding?
this is on OpenBSD right?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: arp MiTM

2009-03-09 Thread irix
Hello Misc,

  I am a customer and not the network administrator, and someone in
  the network makes a MiTM attack, a network of billet in the
  uncontrolled switches and the ISP will not translate everything on the managed.
  Therefore, software implementation of this patch for openbsd.
  OpenBSD is the most secure OS on the planet, but susceptible to a
  simple MiTM attack. How then can we talk about the "security by default"?
-- 
Best regards,
 irix  mailto:i...@ukr.net



Re: Upgrade on non-live disk

2009-03-09 Thread Hannah Schroeter
Hi!

On Thu, Mar 05, 2009 at 12:09:31PM +1030, Damon McMahon wrote:
>Tue, 03 Mar 2009 07:17:56 -0500  :

>>On 3/2/2009 7:31 PM, Damon McMahon wrote:

>>   Is it possible/wise to follow the upgrade instructions on a non-live
>>  OpenBSD disk mounted on /altroot? I have a second drive I use as a
>>   non-live mirror with dd(1); can I use the "Upgrading without install
>>   kernel" instructions to upgrade this disk by mounting its file systems
>>   in /altroot and then substituting /altroot for / in the "Upgrading
>>   without install kernel" instructions?

>>Why not just continue to use your existing mirror process, and update the 
>>mirror once your prod drive >is upgraded?

>To minimise down-time to a simple reboot - best not to rush these
>things, and there's nothing like a production system being down to
>cause me to rush!

>Thanks to Nick for the advice, it seemed to work fine. For the
>archives, just make REALLY sure you replace / with /altroot at every
>step in the upgrade instructions (I slipped a couple of times,
>thankfully both instances were recoverable) and I did find some minor
>steps e.g. running newaliases(8) that would seem to require the system
>being upgraded to be live and running.

chroot /mountpoint /usr/bin/newaliases

Kind regards,

Hannah.



Re: arp MiTM

2009-03-09 Thread Jacob Yocom-Piatt

irix wrote:
> Hello Misc,
>
> I am a customer and not the network administrator, and someone in
> the network makes a MiTM attack, a network of billet in the
> uncontrolled switches and the ISP will not translate everything on the managed.
> Therefore, software implementation of this patch for openbsd.
> OpenBSD is the most secure OS on the planet, but susceptible to a
> simple MiTM attack. How then can we talk about the "security by default"?



this sort of email will, even if you have a valid point, likely win you 
no points with the devs. i see no offer of funding or a demonstration of 
an attack vector so you are obviously a very serious player.


you are being unbelievably rude and are likely a troll so this is the 
last time i'll ever read your emails. wouldn't be surprised if a lot of 
other folks did the same.




Re: arp MiTM

2009-03-09 Thread michal

Jacob Yocom-Piatt wrote:
> irix wrote:
>> Hello Misc,
>>
>> I am a customer and not the network administrator, and someone in
>> the network makes a MiTM attack, a network of billet in the
>> uncontrolled switches and the ISP will not translate everything on the managed.
>> Therefore, software implementation of this patch for openbsd.
>> OpenBSD is the most secure OS on the planet, but susceptible to a
>> simple MiTM attack. How then can we talk about the "security by default"?
>
> this sort of email will, even if you have a valid point, likely win 
> you no points with the devs. i see no offer of funding or a 
> demonstration of an attack vector so you are obviously a very serious 
> player.
>
> you are being unbelievably rude and are likely a troll so this is the 
> last time i'll ever read your emails. wouldn't be surprised if a lot 
> of other folks did the same.



Funny, I would say you are being more rude than he is



Where is "Secure by default" ?

2009-03-09 Thread irix
Hello Misc,

  On www.openbsd.org it is written "Only two remote holes in the default
  install, in more than 10 years!", this is not true. I am using OpenBSD
  as a customer, not as an administrator. And my OpenBSD was attacked
  by a simple MiTM attack in the arp protocol. How then can we talk about the
  "security by default"?
  For example, FreeBSD decided this very simply, with this patch 
http://freecap.ru/if_ether.c.patch
  When this is introduced in OpenBSD, then you can say with confidence
  that the system really is "Secure by default"?

-- 
Best regards,
 irix  mailto:i...@ukr.net



Re: Where is "Secure by default" ?

2009-03-09 Thread Marco Peereboom
because it is.

On Mon, Mar 09, 2009 at 04:36:47PM +0200, irix wrote:
> Hello Misc,
> 
>   In  www.openbsd.org  wrote  "Only  two  remote  holes in the default
>   install,  in  more  than  10 years!", this not true. I using OpenBSD
>   like customer, not like administrator. And my OpenBSD were attacked,
>   by simple MiTM attack in arp protocol. How then can we talk about the " 
> security by default" 
>   For example, FreeBSD is decided very simply, with this patch 
> http://freecap.ru/if_ether.c.patch
>   When  this  is introduced in OpenBSD, so you can say with confidence
>   that the system really "Secure by default" ?
> 
> -- 
> Best regards,
>  irix  mailto:i...@ukr.net



Re: arp MiTM

2009-03-09 Thread Bret S. Lambert
On Mon, Mar 09, 2009 at 02:34:07PM +, michal wrote:
> Jacob Yocom-Piatt wrote:
>> irix wrote:
>>> Hello Misc,
>>>
>>>   I  am  a  customer and not the network administrator, and someone in
>>>   the   network  makes  MiTM  attack,  a  network  of  billet  in  the
>>>   uncontrolled swithes and ISP will not translate everything on the  
>>> managed.
>>>   Therefore, software implementation of this patch for openbsd.
>>>   OpenBSD  is  most  secure OS on the planet, but susceptible to a
>>>   simple MiTM attack. How then can we talk about the " security by  
>>> default" 
>>>   
>>
>>
>> this sort of email will, even if you have a valid point, likely win  
>> you no points with the devs. i see no offer of funding or a  
>> demonstration of an attack vector so you are obviously a very serious  
>> player.
>>
>> you are being unbelievably rude and are likely a troll so this is the  
>> last time i'll ever read your emails. wouldn't be surprised if a lot  
>> of other folks did the same.
>>
>>
> Funny, I would say you are being more rude then he is
>

Awesome, a rude-off on misc@

I can't think of a better use of everybody's time.



Re: Where is "Secure by default" ?

2009-03-09 Thread Paul Irofti
On Mon, Mar 09, 2009 at 04:36:47PM +0200, irix wrote:
> Hello Misc,
> 
>   In  www.openbsd.org  wrote  "Only  two  remote  holes in the default
>   install,  in  more  than  10 years!", this not true. I using OpenBSD
>   like customer, not like administrator. And my OpenBSD were attacked,
>   by simple MiTM attack in arp protocol. How then can we talk about the " 
> security by default" 
>   For example, FreeBSD is decided very simply, with this patch 
> http://freecap.ru/if_ether.c.patch
>   When  this  is introduced in OpenBSD, so you can say with confidence
>   that the system really "Secure by default" ?
> 

Hello Mr. Troll, thanks for flaming by. Have a good day!






Re: Where is "Secure by default" ?

2009-03-09 Thread Alexander Hall
How do you define remote holes? Which remotely accessible services were 
compromised by this?


"Hey, someone hijacked facebook and I entered my password and submitted 
it to them AND OPENBSD DID NOT SAVE ME OMG!!! OpenBSD is so 
insecure".


There may or may not be a reason for applying something similar to that patch 
but OpenBSD cannot save you from everything, you know.


Why the hell do I even bother replying to this? Sorry, list.

/Alexander

irix wrote:
> Hello Misc,
>
> On www.openbsd.org it is written "Only two remote holes in the default
> install, in more than 10 years!", this is not true. I am using OpenBSD
> as a customer, not as an administrator. And my OpenBSD was attacked
> by a simple MiTM attack in the arp protocol. How then can we talk about the
> "security by default"?
> For example, FreeBSD decided this very simply, with this patch
> http://freecap.ru/if_ether.c.patch
> When this is introduced in OpenBSD, then you can say with confidence
> that the system really is "Secure by default"?




Re: arp MiTM

2009-03-09 Thread bofh
On Mon, Mar 9, 2009 at 10:34 AM, michal  wrote:
> Funny, I would say you are being more rude than he is

Why?  Jacob was simply telling him why he was rude.


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: Where is "Secure by default" ?

2009-03-09 Thread bofh
On Mon, Mar 9, 2009 at 10:36 AM, irix  wrote:
>  When  this  is introduced in OpenBSD, so you can say with confidence
>  that the system really "Secure by default" ?

Then shouldn't  you be using freebsd, and go bug them?


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Dag Richards

On 3/9/09 2:05 AM, J.C. Roberts wrote:
> On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
>  wrote:
>
>> I have pf running on my firewall box and I'm experiencing some strange
>> behaviour. After several hours (this may even be 24 hours) of
>> functioning normally, pf seems to reload its default rules which means
>> that from that point on all traffic is blocked. A simple "pfctl -f
>> /etc/pf.conf" fixes the problem but it is very annoying.
>
> ummm... no. Think about it for a moment. The default rules *are* stored
> in /etc/pf.conf --the very same file you are manually reloading, so
> it's obviously not magically reloading the "default rules" as you claim.
>
> What kind of connection are you running?
> Is your public IP address static or dynamic?
> More importantly, are you running some sort of
> tunneling/authentication such as PPPoE or similar?
>
> In short my first guess is your IP is changing every 24 hours or so due
> to your service provider using dynamic addressing (and trying to
> prevent you from having a particular IP for too long). If I'm right,
> then your problem is that pf is holding on to the old rules for your
> old IP address even though your IP had changed. In other words, you
> have a configuration error.



Interesting, that brings up a question for me... what do we do in
this case?  My ISP seems to be content to give the same IP back over and
over again.  If they did not, is there something I can do besides monitoring
my $ext_if and reloading the rules on IP address change?


Just curious.



Re: pf does not log all block

2009-03-09 Thread Maxx Twayne
Thank you all.

Thanks to your indications, I've found my problem.
It was just a block line (when I really looked at it, I still ask myself why it
was there) which was at the end of my block group.

I removed it, and my logging worked fine.

Pierre, yes I know all these things. I have used pf since OpenBSD 3.4, and I've
spent more time on pf than on any other firewall.
But, as I just did, I can still do some stupid stuff.

2009/3/9 Pierre Lamy 

> Without the "quick" keyword, pf evaluates all of your rules and if a
> more-permissive rule exists to match the traffic flow, it is used. This is
> different than some commercial firewalls such as Check Point which stop when
> the traffic matches a rule, and the rules are processed in order.
>
> It's common in a pf setup, to block all at the beginning of the security
> rules, without the quick keyword, and then add the pass rules afterwards.
> Anything not matching a pass rule would by default hit your first block all
> rule.
>
> If you are very used to an in-order-stop-when-match firewall then using
> quick on every rule will be more familiar to you, and your block quick log
> all should be at the bottom of your rulebase after the pass rules.
>
> Pierre
>
> patrick keshishian wrote:
>
>> On Sun, Mar 8, 2009 at 11:12 AM, Maxx Twayne 
>> wrote:
>>
>>
>>> Hi,
>>>
>>> I would like to see all blocked packets with pf. And i used this :
>>>
>>> block in log on $ext_if all
>>> block out log all
>>>
>>> But when i read on pflog0 on the pflog file, i didn't got any blocked
>>> packets.
>>> Only the logged pass that i asked.
>>>
>>> Is there any kind of protection, or i did something wrong ?
>>>
>>>
>>
>> hard to tell with the small snippet of your pf.conf you included. It
>> could be a problem with your rule-set that allows everything to pass.
>> can't tell with the info you provided.
>>
>> --patrick



Re: NFS or SAMBA ?

2009-03-09 Thread Henning Brauer
* Guillermo Bernaldo de Quiros Maraver  [2009-02-13 21:06]:
> if you have a shared network between WINDOWS and OpenBSD i recommend
> Samba if not, NFS 
> 
> NFS => Insecure 
> SAMBA => Have a problems, but, it's more secure.

that is the most ridiculous bullshit I have ever read here in some time.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Where is "Secure by default" ?

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 3:36 PM, irix  wrote:

> Hello Misc,
>
>  On www.openbsd.org it is written "Only two remote holes in the default
>  install, in more than 10 years!"; this is not true. I use OpenBSD
>  as a customer, not as an administrator. And my OpenBSD was attacked
>  by a simple MiTM attack on the arp protocol. How then can we talk about
>  "security by default"?
>  For example, FreeBSD solved this very simply, with this patch
> http://freecap.ru/if_ether.c.patch
>  When will this be introduced in OpenBSD, so that you can say with confidence
>  that the system is really "Secure by default"?


ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.



Re: arp MiTM

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 1:11 PM, irix  wrote:

> Hello Misc,
>
>  How to protect your server from such attacks without the use of static arp
> entries?
>  For freebsd 5.0 a patch was written, arp_antidote (
> http://freecap.ru/if_ether.c.patch);
>  could somebody port it to openbsd?
>
> Also, in freebsd it is possible to specify a flag on the interface through
> ifconfig, "staticarp", with which "If the Address Resolution Protocol is
> enabled, the host will only reply to requests for its addresses, and will
> never send any requests."
> Could you add this flag in openbsd?


ARP is insecure, no matter how many patches you apply or how many hacks you
try. If you want something more secure, use 802.1X, use security on the
switch, use IPv6+IPSec/SeND, etc.



Re: Where is "Secure by default" ?

2009-03-09 Thread - Tethys
On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom  wrote:
> because it is.

And therein lies some of the problem with the OpenBSD community. Don't
get me wrong, I like OpenBSD, I use it, and have donated to the
project. But here we have a user that has security concerns, and
rather than either admit there's a problem or point out why there's no
security hole, the answer given is just that it's secure "because it
is". That wouldn't fill me with confidence if I was looking to deploy
an OpenBSD system. I'm worried that some are getting complacent about
OpenBSD's security here...

Maybe it's a troll. Maybe not. Can we afford to be turning away
potential users on the off chance?

Tet

-- 
The greatest shortcoming of the human race is our inability to
understand the exponential function -- Albert Bartlett



Re: Where is "Secure by default" ?

2009-03-09 Thread João Salvatti
If FreeBSD solves your problem, use it.

On Mon, Mar 9, 2009 at 12:10 PM, bofh  wrote:
> On Mon, Mar 9, 2009 at 10:36 AM, irix  wrote:
>>  When  this  is introduced in OpenBSD, so you can say with confidence
>>  that the system really "Secure by default" ?
>
> Then shouldn't  you be using freebsd, and go bug them?
>
>
> --
> http://www.glumbert.com/media/shift
> http://www.youtube.com/watch?v=tGvHNNOLnCk
> "This officer's men seem to follow him merely out of idle curiosity."
> -- Sandhurst officer cadet evaluation.
> "Securing an environment of Windows platforms from abuse - external or
> internal - is akin to trying to install sprinklers in a fireworks
> factory where smoking on the job is permitted."  -- Gene Spafford
> learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related
>
>



--
"If debugging is the art of removing bugs, programming is the art of inserting them."

Donald E. Knuth.

--
João Salvatti
Graduated in Computer Science
Federal University of Pará - UFPA - Brazil
E-Mail: salva...@gmail.com



Re: Where is "Secure by default" ?

2009-03-09 Thread Vincent Gross
On Mon, Mar 9, 2009 at 3:36 PM, irix  wrote:
>  On www.openbsd.org it is written "Only two remote holes in the default
>  install, in more than 10 years!"; this is not true. I use OpenBSD
>  as a customer, not as an administrator.

So it wasn't a default install anymore, was it?

>  And my OpenBSD was attacked
>  by a simple MiTM attack on the arp protocol.

That's why OpenBSD comes with IPSec and OpenSSH by default: to let
you create secure networks without having to install poorly-integrated
3rd party software.

>  How then can we talk about "security by default"?

Simply because it wasn't a default install anymore.

>  For example, FreeBSD solved this very simply, with this patch
> http://freecap.ru/if_ether.c.patch
>  When will this be introduced in OpenBSD, so that you can say with confidence
>  that the system is really "Secure by default"?

My guess is this will never be in the OpenBSD source tree. "Security is a
process, not a product", and blindly adding code inside the kernel to
cover a marginal use case for which there is already a solution is not
my idea of a good process, and I'm pretty sure this is not the OpenBSD
developers' either.

For authenticating remote hosts, have a look at ipsecctl, ssh and SSL.

Cheers,
--
Vincent Gross

"So, the essence of XML is this: the problem it solves is not hard, and
it does not solve the problem well." -- Jerome Simeon & Phil Wadler



Re: NFS or SAMBA ?

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 4:56 PM, Henning Brauer wrote:

> * Guillermo Bernaldo de Quiros Maraver  [2009-02-13
> 21:06]:
> > if you have a shared network between WINDOWS and OpenBSD i recommend
> > Samba if not, NFS 
> >
> > NFS => Insecure 
> > SAMBA => Have a problems, but, it's more secure.
>
> that is the most ridiculous bullshit I have ever read here in some time.


Why exactly do you think that is bullshit?



Re: arp MiTM

2009-03-09 Thread irix
Hello Misc,

  On Mon, Mar 9, 2009 at 1:11 PM, irix  wrote:


>ARP is insecure, no matter how many patches you apply or how many hacks you
>try. If you want something more secure, use 802.1X, use security on the
>switch, use IPv6+IPSec/SeND, etc.

Sorry if I have been rude. I am not the administrator of the network, I am a client.
And another client uses MiTM. This network uses unmanaged switches, and
the ISP spits on it. That's why I am trying to find out how to protect my
workstation from MiTM without a static arp entry, which would have been
easy and transparent. The variant with the patch is, I think, the simplest and
most effective. I am simply a customer, and I am trying to find the simplest
solution.


-- 
Best regards,
 irix  mailto:i...@ukr.net
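A defender-side check for the situation irix describes, added here as an example and not code from the thread or from OpenBSD: a workstation on an unmanaged switch cannot stop a neighbour from poisoning ARP, but it can snapshot its own ARP cache periodically and raise an alert when the gateway's MAC changes or when one MAC starts answering for several IPs. The `arp -an` lines, the interface `em0` and every address and MAC below are constructed; if your arp(8) prints a table instead of the "? (ip) at mac on ifname" form, adjust `ARP_LINE`.

```python
"""Spot ARP-cache changes between two snapshots of 'arp -an' output.

Added example, not code from the list thread or from OpenBSD. The sample
output is constructed in the style of a 2009-era OpenBSD arp(8)
("? (ip) at mac on ifname"). A host on an unmanaged switch cannot prevent
ARP spoofing, but it can notice a gateway MAC change or one MAC that
claims several IPs, both classic signs of an ARP man-in-the-middle.
"""
import re
from typing import Dict, List, Tuple

# One complete cache entry. "(incomplete)" entries carry no MAC and do
# not match, so they are skipped automatically.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<ifn>\S+)"
)

# Constructed snapshots: in the second one the gateway 192.168.1.1 has a new
# MAC, and that MAC already belongs to 192.168.1.23.
SNAPSHOT_BEFORE = """\
? (192.168.1.1) at 00:0c:29:11:22:33 on em0
? (192.168.1.23) at 00:16:3e:aa:bb:cc on em0
? (192.168.1.50) at 00:0d:b9:12:34:56 on em0 permanent
? (192.168.1.99) at (incomplete) on em0
"""
SNAPSHOT_AFTER = """\
? (192.168.1.1) at 00:16:3e:aa:bb:cc on em0
? (192.168.1.23) at 00:16:3e:aa:bb:cc on em0
? (192.168.1.50) at 00:0d:b9:12:34:56 on em0 permanent
"""


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC for every complete entry in arp -an output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def changed_macs(before: Dict[str, str], after: Dict[str, str],
                 watched: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, old_mac, new_mac) for watched IPs whose MAC differs."""
    alerts = []
    for ip in watched:
        old, new = before.get(ip), after.get(ip)
        if old and new and old != new:
            alerts.append((ip, old, new))
    return alerts


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {mac: [ip, ...]} for every MAC that answers for more than one IP."""
    owners: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        owners.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def audit(before_text: str, after_text: str, watched: List[str]) -> dict:
    """Run both checks; any non-empty result is something to investigate."""
    before, after = parse_arp(before_text), parse_arp(after_text)
    return {"changed": changed_macs(before, after, watched),
            "shared": shared_macs(after)}


if __name__ == "__main__":
    # Watching only the default gateway keeps the noise from DHCP churn down.
    print(audit(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, ["192.168.1.1"]))
```

On a live host the two snapshots would come from `arp -an` run from cron a few minutes apart; watching only the default gateway keeps ordinary DHCP churn out of the alerts, while the shared-MAC check catches the case where one station starts answering for everybody.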



"device not configured" in SSH chroot

2009-03-09 Thread Lars Noodén
I've set up a chroot account using ssh's ChrootDirectory[1] keyword on
OpenBSD 4.4 on a Soekris (i386) net4801.  It works nicely, except that I
get some device errors in the chroot, but not the regular accounts.

Upon connecting with SSH with the chrooted account, there is an error
about tty:

ksh: No controlling tty (open /dev/tty: Device not configured)

then in the chrooted account, other devices are not available:

$ gpioctl -d /dev/gpio1
gpioctl: /dev/gpio1: Device not configured

Outside the chroot, these are both available.  Inside the chroot, there
is a directory for these devices, /dev which was populated by getting
MAKEDEV from the real /dev and then running
./MAKEDEV all

What step am I missing?  I've had it working before but cannot figure
the difference.

regards
-Lars



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Mike Erdely
On Mon, Mar 09, 2009 at 08:10:00AM -0700, Dag Richards wrote:
> Interesting, that brings up a question for me... what do we do in
> this case?  My ISP seems to be content to give the same IP back over and
> over again.  If they did not, is there something I can do besides monitoring
> my $ext_if and reloading the rules on IP address change?

($ext_if)



Re: Where is "Secure by default" ?

2009-03-09 Thread michal

- Tethys wrote:

> On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom  wrote:
>> because it is.
>
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the
> project. But here we have a user that has security concerns, and
> rather than either admit there's a problem or point out why there's no
> security hole, the answer given is just that it's secure "because it
> is". That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...
>
> Maybe it's a troll. Maybe not. Can we afford to be turning away
> potential users on the off chance?
>
> Tet

I agree with your standpoint



Re: Kernel Panic on 6th March i386 build

2009-03-09 Thread Daniel Ouellet

Stefan Sperling wrote:

> On Sat, Mar 07, 2009 at 06:29:22PM -0500, Daniel Ouellet wrote:
>> Claudio Jeker wrote:
>>>> Feel free to disagree, that's fair.
>>>
>>> Sorry, I don't get it: a non-developer tries to educate a developer about
>>> how kernel crashes should be reported? Sorry, most of your standpoints are
>>> just wrong. Sure, people are encouraged to run snapshot kernels, but
>>> self-built kernels are fine as long as they're built from an unmodified
>>> GENERIC config. Let us developers take care of yelling at those people who
>>> send in bad bug reports, because we're actually the people who may fix it
>>> in the end.
>>
>> Hi All,
>>
>> I stand corrected on this one. I was biased in my reply, I must admit it
>> and come clean on it!
>>
>> No offense intended to anyone it may have offended. I was quick to reply
>> to Steph as I did react to the content of the email and the linux name
>> in the email address. My fault to react too quickly on this one. I should
>> have known better!
>
> Mmmmh... Did you happen to confuse Steph and me?
> We have similar names.

I did! My bad and I am very sorry for that.

Not only did I put my foot in my mouth, swallow my boot, now I even lost
my leg.

I sure owe you an apology!

Sorry and I am crawling back under the biggest rock I can find!

The clarifications on the kernel were well received nevertheless.

Thanks.

Daniel



Re: arp MiTM

2009-03-09 Thread Eric Furman
On Mon, 9 Mar 2009 16:54:27 +0100, "Felipe Alfaro Solana"
 said:
> On Mon, Mar 9, 2009 at 1:11 PM, irix  wrote:
> 
> > Hello Misc,
> >
> >  How to protect your server from such attacks without the use of static arp
> > entries?
> >  For freebsd 5.0 a patch was written, arp_antidote (
> > http://freecap.ru/if_ether.c.patch);
> >  could somebody port it to openbsd?
> >
> > Also, in freebsd it is possible to specify a flag on the interface through
> > ifconfig, "staticarp", with which "If the Address Resolution Protocol is
> > enabled, the host will only reply to requests for its addresses, and will
> > never send any requests."
> > Could you add this flag in openbsd?
> 
> 
> ARP is insecure, no matter how many patches you apply or how many hacks
> you
> try. If you want something more secure, use 802.1X, use security on the
> switch, use IPv6+IPSec/SeND, etc.

ARP was designed by Nazis.
So, die now thread. DIE DIE



Re: Where is "Secure by default" ?

2009-03-09 Thread Jason Dixon
On Mon, Mar 09, 2009 at 03:48:05PM +, - Tethys wrote:
> On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom  wrote:
> > because it is.
> 
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the
> project. But here we have a user that has security concerns, and
> rather than either admit there's a problem or point out why there's no
> security hole, the answer given is just that it's secure "because it
> is". That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...
> 
> Maybe it's a troll. Maybe not. Can we afford to be turning away
> potential users on the off chance?

As a community, we don't suffer fools well.  Take it or leave it, but
don't try to change us.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Where is "Secure by default" ?

2009-03-09 Thread Marco Peereboom
If this issue matters to you and you want the OS to fix it you are doing
it wrong.  ARP has some inherent "qualities" that are questionable.  You
can hack ARP all up but it won't ever fix it so instead one needs to
embrace the issues and fix them where it makes sense.

This is not about an issue with the community it is about a
misunderstanding that is blown way out of proportion with condescending
language to boot.  You are on the other hand suggesting that we are not
paying attention to security issues.

On Mon, Mar 09, 2009 at 03:48:05PM +, - Tethys wrote:
> On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom  wrote:
> > because it is.
> 
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the
> project. But here we have a user that has security concerns, and
> rather than either admit there's a problem or point out why there's no
> security hole, the answer given is just that it's secure "because it
> is". That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...
> 
> Maybe it's a troll. Maybe not. Can we afford to be turning away
> potential users on the off chance?
> 
> Tet
> 
> -- 
> The greatest shortcoming of the human race is our inability to
> understand the exponential function -- Albert Bartlett



Re: Where is "Secure by default" ?

2009-03-09 Thread L. V. Lammert

At 04:50 PM 3/9/2009 +0100, Felipe Alfaro Solana wrote:

> On Mon, Mar 9, 2009 at 3:36 PM, irix  wrote:
>
>> Hello Misc,
>>
>>  On www.openbsd.org it is written "Only two remote holes in the default
>>  install, in more than 10 years!"; this is not true. I use OpenBSD
>>  as a customer, not as an administrator. And my OpenBSD was attacked
>>  by a simple MiTM attack on the arp protocol. How then can we talk about
>>  "security by default"?
>>  For example, FreeBSD solved this very simply, with this patch
>> http://freecap.ru/if_ether.c.patch
>>  When will this be introduced in OpenBSD, so that you can say with confidence
>>  that the system is really "Secure by default"?
>
> ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.


PMFJI, but isn't the issue simpler than that? If he has a MiTM attack via 
arp, doesn't that mean the attacker has access to the local subnet? That 
would be a physical security issue FIRST?? Lock the doors before you point 
fingers at the OS?


In any case, facts are more useful than FUD & BS.

Lee



Canada immigration

2009-03-09 Thread Agence Casa ElFirdaous
WARNING: contains undecipherable part
Received: from unicornia896a8 (adsl-245-183-192-81.adsl2.iam.net.ma 
[81.192.183.245])
by mail.cashcom.ma (Postfix/TrioOS) with ESMTP id 37DBD1200A3AE
for ; Mon,  9 Mar 2009 16:12:59 + (WET)
From: "Agence Casa ElFirdaous" 
To: 
Subject: Canada immigration
Date: Mon, 9 Mar 2009 17:12:09 +0100
MIME-Version: 1.0
X-Security: message sanitized on shear.ucar.edu See 
http://www.impsec.org/email-tools/sanitizer-intro.html for details. $Revision: 
1.147 $Date: 2004-10-02 11:16:26-07 
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
X-MS-TNEF-Correlator: D67849FBE0A2614284D66D50471F1152842D2300
Message-Id: <20090309161259.37dbd1200a...@mail.cashcom.ma>
X-Converted-To-Plain-Text: from multipart/mixed by demime 1.01d
X-Converted-To-Plain-Text: Alternative section used was text/plain

The debate is no longer about whether Canada should remain open to
immigration. That debate became moot when Canadians realized that low birth
rates and an aging population would eventually lead to a shrinking populace.
Baby bonuses and other such incentives couldn't convince Canadians to have
more kids, and demographic experts have forecasted that a Canada without
immigration would pretty much disintegrate as a nation by 2050.
Download the attached file to know about the required forms.
The sender of this email got this article from our side and forwarded it to
you.




  The original file name is IMM_Forms_E01.rar and compressed by WinRAR no
virus found.
  Use WinRAR to decompress the file.

[demime 1.01d removed an attachment of type application/ms-tnef which had a 
name of winmail.dat]



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Hilco Wijbenga
2009/3/9 J.C. Roberts :
> On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
>  wrote:
>
>> I have pf running on my firewall box and I'm experiencing some strange
>> behaviour. After several hours (this may even be 24 hours) of
>> functioning normally, pf seems to reload its default rules which means
>> that from that point on all traffic is blocked. A simple "pfctl -f
>> /etc/pf.conf" fixes the problem but it is very annoying.
>
> ummm... no. Think about it for a moment. The default rules *are* stored
> in /etc/pf.conf --the very same file you are manually reloading, so
> it's obviously not magically reloading the "default rules" as you claim.

Ah, different semantics. :-) By "default rules" I mean whatever pf
does *without* an /etc/pf.conf. Probably something like "block all".

> What kind of connection are you running?
> Is your public IP address static or dynamic?
> More importantly, are you running some sort of
> tunneling/authentication such as PPPoE or similar?

I use DHCP so my IP can change. It's not particularly "public" though.
My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
I guess [no more running out of IPv4 addresses for them] but not very
useful to me.)

> In short, my first guess is your IP is changing every 24 hours or so due
> to your service provider using dynamic addressing (and trying to
> prevent you from having a particular IP for too long). If I'm right,
> then your problem is that pf is holding on to the old rules for your
> old IP address even though your IP had changed. In other words, you
> have a configuration error.

That definitely makes sense. However, I thought that by referring to
an interface instead of an IP I was protected from that? I mean, it's
fairly common to have a dynamic IP, is it not?

Cheers,
Hilco



Resolved - Re: "device not configured" in SSH chroot

2009-03-09 Thread Lars Noodén
Moving the chroot to a new CF card with a different partitioning scheme meant
that it ended up on a partition mounted 'nodev'; changing the mount options
fixed the problem.

-Lars
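The 'nodev' cause Lars found is easy to check for before trusting an sshd ChrootDirectory, since a nodev mount turns every node in the chroot's /dev into "Device not configured" with no other hint. The following is an added example, not the poster's or OpenBSD's code: it parses mount(8)-style output (the lines are constructed in OpenBSD's "device on mountpoint type fstype (opt, opt)" form) and reports which mount point hosts the chroot's /dev and whether that mount carries nodev.

```python
"""Check whether a chroot's /dev lives on a filesystem mounted nodev.

Added example, not code from the thread or from OpenBSD. sshd's
ChrootDirectory needs working device nodes inside the chroot, and a
"nodev" mount silently turns every node there into "Device not configured".
The mount lines below are constructed in OpenBSD mount(8) output style,
not captured from a real host.
"""
from typing import List, Optional, Tuple

SAMPLE_MOUNT_OUTPUT = """\
/dev/wd0a on / type ffs (local)
/dev/wd0d on /var type ffs (local, nodev, nosuid)
/dev/wd0e on /var/chroot type ffs (local, nodev)
/dev/wd0f on /home type ffs (local, nodev, nosuid)
"""

# (mount point, filesystem type, mount options)
Mount = Tuple[str, str, List[str]]


def parse_mounts(text: str) -> List[Mount]:
    """Parse 'device on mountpoint type fstype (opt, opt)' lines."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        if " on " not in line or " type " not in line:
            continue
        _device, _, rest = line.partition(" on ")
        mntpt, _, rest = rest.partition(" type ")
        fstype, _, opts = rest.partition(" (")
        options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
        mounts.append((mntpt, fstype, options))
    return mounts


def mount_for(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Longest mount point containing path, matched on whole path components
    so that /var does not claim /variable."""
    best: Optional[Mount] = None
    for m in mounts:
        mp = m[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = m
    return best


def check_chroot_dev(chroot: str, mounts: List[Mount]) -> dict:
    """Report the mount hosting <chroot>/dev and whether it is nodev."""
    dev_dir = chroot.rstrip("/") + "/dev"
    m = mount_for(dev_dir, mounts)
    if m is None:
        return {"path": dev_dir, "mount_point": None, "nodev": None}
    return {"path": dev_dir, "mount_point": m[0], "nodev": "nodev" in m[2]}


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNT_OUTPUT)
    for chroot in ("/var/chroot/lars", "/srv/jail"):
        print(check_chroot_dev(chroot, table))
```

On a real box, feed the output of `mount` to `parse_mounts`; a `nodev: True` result means the device nodes created with MAKEDEV inside the chroot will never open, however correct they look in `ls -l`.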



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Remco
Dag Richards wrote:

>> In short, my first guess is your IP is changing every 24 hours or so due
>> to your service provider using dynamic addressing (and trying to
>> prevent you from having a particular IP for too long). If I'm right,
>> then your problem is that pf is holding on to the old rules for your
>> old IP address even though your IP had changed. In other words, you
>> have a configuration error.
>>
> 
> Interesting, that brings up a question for me... what do we do in
> this case?  My ISP seems to be content to give the same IP back over and
> over again.  If they did not, is there something I can do besides monitoring
> my $ext_if and reloading the rules on IP address change?
> 
> Just curious.

To get an idea, you'd best take a look at the "Example Rulesets" in the PF
FAQ. And of course, grind through the PF documentation on how to use parentheses
on interface names: "($ext_if)".
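Two behaviours from these threads are easy to misread from the rule syntax alone: the last-match-wins evaluation that Pierre describes in "pf does not log all block" (and the way a stray bare `block` at the end of a block group cancels an earlier `block log`), and the `($ext_if)` form Mike and Remco point to for dynamic addresses. The toy evaluator below is an added example, not OpenBSD's pf code; it models a simplified pf rule set in Python, with a constructed interface table (`em0` and its addresses are made up) to show why a ruleset loaded with a bare interface name keeps the address it had at `pfctl -f` time while the parenthesised form follows the interface.

```python
"""Toy model of two pf(4) behaviours raised in the list threads.

Added example, not OpenBSD's pf code; rule syntax and addresses are
simplified and constructed. It models:
  1. Last-matching-rule-wins unless a matching rule says "quick", which is
     why a bare "block" after "block log" silently cancels the logging, and
     why "block" first plus "pass" rules afterwards works without quick.
  2. A bare interface name in an address position is expanded when the
     ruleset is loaded, while "($ext_if)" is looked up at evaluation time,
     so a DHCP lease change does not strand the rule on the old address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simulated interface table (constructed): interface name -> current address.
IFACES: Dict[str, str] = {"em0": "192.168.1.50"}


@dataclass
class Packet:
    direction: str   # "in" or "out"
    iface: str
    dst: str


@dataclass
class Rule:
    action: str                       # "block" or "pass"
    direction: Optional[str] = None   # None matches either direction
    iface: Optional[str] = None       # "on $ext_if"
    dst: Optional[str] = None         # literal address, "em0", or "(em0)"
    log: bool = False
    quick: bool = False


def load_ruleset(rules: List[Rule]) -> List[Rule]:
    """Mimic 'pfctl -f': a bare interface name used as an address becomes
    the address the interface has right now; "(em0)" is left for later."""
    loaded = []
    for r in rules:
        dst = IFACES.get(r.dst, r.dst) if r.dst else None
        loaded.append(Rule(r.action, r.direction, r.iface, dst, r.log, r.quick))
    return loaded


def resolve_dst(dst: Optional[str]) -> Optional[str]:
    """At evaluation time only the parenthesised form is looked up again."""
    if dst and dst.startswith("(") and dst.endswith(")"):
        return IFACES[dst[1:-1]]
    return dst


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    want = resolve_dst(rule.dst)
    return want is None or want == pkt.dst


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, bool]:
    """Return (action, logged). The last matching rule decides, unless a
    matching rule is quick, which ends evaluation on the spot. A packet that
    matches no rule at all is passed, as pf does with an empty ruleset."""
    winner = None
    for rule in ruleset:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return ("pass", False) if winner is None else (winner.action, winner.log)


def logging_demo() -> Tuple[bool, bool]:
    """The shadowing bug: a trailing bare 'block' after 'block log'.
    Returns (logged with the stray rule, logged without it)."""
    pkt = Packet("in", "em0", "192.168.1.50")
    broken = [Rule("block", "in", "em0", log=True), Rule("block")]
    fixed = [Rule("block", "in", "em0", log=True)]
    return (evaluate(broken, pkt)[1], evaluate(fixed, pkt)[1])


def quick_demo() -> Tuple[str, str]:
    """'block' first then 'pass' gives pass without quick; with quick on the
    block, the pass rule is never reached."""
    pkt = Packet("in", "em0", "192.168.1.50")
    last_match = [Rule("block", log=True), Rule("pass", "in", "em0")]
    first_match = [Rule("block", log=True, quick=True), Rule("pass", "in", "em0")]
    return (evaluate(last_match, pkt)[0], evaluate(first_match, pkt)[0])


def dynamic_iface_demo() -> Tuple[str, str]:
    """Load two rulesets, then simulate a DHCP renewal to a new address.
    Returns (action with 'to em0', action with 'to (em0)')."""
    plain = load_ruleset([Rule("block", "in", "em0", log=True),
                          Rule("pass", "in", "em0", dst="em0")])
    paren = load_ruleset([Rule("block", "in", "em0", log=True),
                          Rule("pass", "in", "em0", dst="(em0)")])
    old = IFACES["em0"]
    IFACES["em0"] = "192.168.1.77"          # lease renewed, address changed
    try:
        pkt = Packet("in", "em0", IFACES["em0"])
        return (evaluate(plain, pkt)[0], evaluate(paren, pkt)[0])
    finally:
        IFACES["em0"] = old


if __name__ == "__main__":
    print(logging_demo(), quick_demo(), dynamic_iface_demo())
```

The third demo is the failure Hilco reports: after the lease changes, the ruleset loaded with a bare interface name still passes traffic only to the old address, so everything to the new one falls through to the earlier block rule until `pfctl -f /etc/pf.conf` re-expands the macro; the `(em0)` form keeps working without a reload.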



Re: Kernel Panic on 6th March i386 build

2009-03-09 Thread Insan Praja SW

Hi All,
On Sun, 08 Mar 2009 18:01:50 +0700, FRLinux  wrote:

> On Sat, Mar 7, 2009 at 11:29 PM, Daniel Ouellet wrote:
>
>> I was clearly out of place.
>>
>> Same to you Steph, I shouldn't have reacted so quickly to your email address
>> and wrongly concluded it was another misplaced quick Linux question, or
>> reaction.
>
> What I've learned from this is fairly simple: sit still, watch and
> listen :)
>
> Cheers,
> Steph

Apology (if there's anything to apologize for) accepted. I love this
mailing list; big hearted people come here, discuss and make
funny-cruel-evil jokes, and we are all actually supporters of OpenBSD, the
OpenBSD way, and the developers. Big cheers, applause and salute to all of
you.

From Indonesia with Cheers and Beers,
Cag,

--
insandotpraja(at)gmaildotcom



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Theo de Raadt
>Ah, different semantics. :-) By "default rules" I mean whatever pf
>does *without* an /etc/pf.conf. Probably something like "block all".

Without any rules, pf does not block anything.

come on.. stop making assumptions.



rack mounted intro server lab

2009-03-09 Thread Lars Noodén
I've run an initial pilot of a Soekris net4801 with OpenBSD 4.4, using
gpioctl to turn other machines on and off and netboot them for console
installs.  The notes below are a mess and are there just to record things until
they can be arranged to make sense:

http://www-personal.umich.edu/~lars/DES/des.html

The other machines automatically boot via PXE when powered on and are
connected to the Soekris via serial and via ethernet.  The serial
connection allows console installations, the ethernet allows tricks with
PF.

The OpenSSH chroot environment has only a few tools, two of which are
scripts with permissions set so that each 'user' can only turn on / off
or connect via console to a single machine.

The long and the short is that it's possible to log in to the net4801,
turn on a machine and install a system.  Currently, I have the following
working choices: (all i386)

openbsd 4.3
openbsd 4.4
openbsd -current
centos 5.2
debian etch
debian lenny
fedora 10
(k)ubuntu 8.04.2
(k)ubuntu 9.04alpha

The subnet has another machine with squid available.

A next step is to connect via OpenSSH VPN or maybe full OpenVPN so
access to this can be taken outside the room.

I'll try some lab exercises with this soon so I can see what goes wrong
in a real environment.

Regards
-Lars



Re: arp MiTM

2009-03-09 Thread irix
Hello Paul,

  The problem is that I am not an administrator of the network.
 I am a client of the network. The network is built on unmanaged switches.
 The ISP does not care about the problem, so I am interested in this patch.
 Could you help with a patch for OpenBSD?

Monday, March 9, 2009, 3:02:23 PM, you wrote:

PdW> From a quick glance over the patch, it seems pretty useless unless you
PdW> also prevent MAC spoofing. You may want to look into port security for
PdW> your switches or 802.1x if this is a big concern to you.

PdW> Cheers,

PdW> Paul 'WEiRD' de Weerd

PdW> On Mon, Mar 09, 2009 at 02:11:38PM +0200, irix wrote:
PdW> | Hello Misc,
PdW> | 
PdW> |  How to protect your server from such attacks without the use of static
PdW> |  arp entries?
PdW> |  For freebsd 5.0 a patch was written, arp_antidote
PdW> | (http://freecap.ru/if_ether.c.patch);
PdW> |  could somebody port it to openbsd?
PdW> | 
PdW> | Also, in freebsd it is possible to specify a flag on the interface through
PdW> | ifconfig, "staticarp", with which "If the Address Resolution Protocol is
PdW> | enabled, the host will only reply to requests for its addresses, and will
PdW> | never send any requests."
PdW> | Could you add this flag in openbsd?
PdW> | -- 
PdW> | Best regards,
PdW> |  irix  mailto:i...@ukr.net
PdW> | 




-- 
Best regards,
 irixmailto:i...@ukr.net



Re: arp MiTM

2009-03-09 Thread Henry Sieff
On Mon, Mar 9, 2009 at 9:15 AM, Eric Furman  wrote:
> On Mon, 9 Mar 2009 16:54:27 +0100, "Felipe Alfaro Solana"
>  said:
>> On Mon, Mar 9, 2009 at 1:11 PM, irix  wrote:
>>
>> > Hello Misc,
>> >
>> >  How to protect your server from such attacks without the use of static
>> > arp entries?
>> >  For freebsd 5.0 a patch was written, arp_antidote (
>> > http://freecap.ru/if_ether.c.patch);
>> >  could somebody port it to openbsd?
>> >
>> > Also, in freebsd it is possible to specify a flag on the interface through
>> > ifconfig, "staticarp", with which "If the Address Resolution Protocol is
>> > enabled, the host will only reply to requests for its addresses, and will
>> > never send any requests."
>> > Could you add this flag in openbsd?
>>
>>
>> ARP is insecure, no matter how many patches you apply or how many hacks
>> you
>> try. If you want something more secure, use 802.1X, use security on the
>> switch, use IPv6+IPSec/SeND, etc.
>
> ARP was designed by Nazis.
> So, die now thread. DIE DIE


I believe that this qualifies as 'Quirk's exception'.




Re: Where is "Secure by default" ?

2009-03-09 Thread bofh
On Mon, Mar 9, 2009 at 11:48 AM, - Tethys  wrote:
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the

Depends on whether it is a valid concern.  I believe it was pointed
out in the other thread that the patch doesn't really help.  Think
about it - do you want an openssh that only half secures your session?
 OpenBSD is about complete security, but also, at the same time, about
the resources to do things.  If this is something that is a real
issue, a developer would have jumped on it.  Maybe they still would.
But coming in and flaming the developers for "you say you're so
secure, but this is proof that you're not" surely doesn't help.

> is". That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...
>
> Maybe it's a troll. Maybe not. Can we afford to be turning away
> potential users on the off chance?

OpenBSD exists solely for the developers...  [and yes, I'm a figment
of my imagination]






Re: Kernel Panic on 6th March i386 build

2009-03-09 Thread Insan Praja SW

Hi Daniel and Misc@,
On Sun, 08 Mar 2009 06:29:22 +0700, Daniel Ouellet wrote:

> Claudio Jeker wrote:
>>> Feel free to disagree, that's fair.
>>
>> Sorry, I don't get it: a non-developer tries to educate a developer about
>> how kernel crashes should be reported? Sorry, most of your standpoints are
>> just wrong. Sure, people are encouraged to run snapshot kernels, but
>> self-built kernels are fine as long as they're built from an unmodified
>> GENERIC config. Let us developers take care of yelling at those people who
>> send in bad bug reports, because we're actually the people who may fix it
>> in the end.
>
> Hi All,
>
> I stand corrected on this one. I was biased in my reply, I must admit it
> and come clean on it!
>
> No offense intended to anyone it may have offended. I was quick to reply
> to Steph as I did react to the content of the email and the linux name
> in the email address. My fault to react too quickly on this one. I should
> have known better!
>
> Not only did I put my foot in my mouth, but I swallowed the boot as well.
>
> I have followed cvs for years and I didn't see Insan as making changes to the
> tree, so I didn't know he actually was a developer or I would have
> known better and I missed a chance to just shut up! I didn't see his name
> on the list either. My bad!

I'm not a developer, if you mean I did something/contributed to the
source tree. But yeah, I periodically sync my testbed machine's source tree
and compile it, test it (the biggest part is the network subsystem) and I hope
in some ways it might be helping the developers to find bugs or
anything they might be interested in.

> Insan, please accept my apologies for a misplaced reply to you on my part!

Oh come on, we get our share supporting and enjoying this wonderful
system; yeah sure, apology accepted.

> I was clearly out of place.
>
> Same to you Steph, I shouldn't have reacted so quickly to your email
> address and wrongly concluded it was another misplaced quick Linux
> question, or reaction.
>
> I try to help when I can and over time stop reacting as much as I used
> to, but obviously I still have a ways to go as this thread has shown.
>
> My bad and I have no one else to blame than myself here.
>
> Please accept my deepest apology where I should have known better and
> obviously missed a chance to shut up!
>
> And Claudio and J.C., you are both right. Thanks for taking the time to
> straighten me up! I deserved that one fully.
>
> One only gets better by learning from their mistakes and that's not the
> first I did for sure and I am sure it will not be the last either.
>
> Best regards,
>
> Daniel Ouellet

Thanks,


--
insandotpraja(at)gmaildotcom



Re: arp MiTM

2009-03-09 Thread Theo de Raadt
>   The problem is that I am not an administrator of the network.
>  I am a client of the network. The network is built on unmanaged
> switches.
>  The ISP does not care about the problem, so I am interested in this patch.
>  Could you help with a patch for OpenBSD?

The network is built wrong.

No, we will not build a workaround for this problem.



Re: Where is "Secure by default" ?

2009-03-09 Thread Han Boetes
Paul Irofti wrote:
> Hello Mr. Troll, thanks for flaming by. Have a good day!

Never attribute to malice that which is adequately explained by
stupidity.



# Han



Re: Where is "Secure by default" ?

2009-03-09 Thread Stuart Henderson
On 2009-03-09, Felipe Alfaro Solana  wrote:
> On Mon, Mar 9, 2009 at 3:36 PM, irix  wrote:
>
>> Hello Misc,
>>
>>  www.openbsd.org says "Only two remote holes in the default
>>  install, in more than 10 years!"; this is not true. I use OpenBSD
>>  as a customer, not as an administrator. And my OpenBSD was attacked
>>  by a simple MiTM attack on the arp protocol. How then can we talk about
>>  "secure by default"?
>>  For example, FreeBSD solves this very simply, with this patch
>> http://freecap.ru/if_ether.c.patch
>>  When this is introduced in OpenBSD, can you say with confidence
>>  that the system is really "Secure by default"?
>
>
> ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.

Ah yes, SeND. That would be the one registered as US20080307516 with
the US Patent and Trademark Office wouldn't it.



Re: arp MiTM

2009-03-09 Thread Stuart Henderson
On 2009-03-09, irix  wrote:
> Hello Misc,
>
>   On Mon, Mar 9, 2009 at 1:11 PM, irix  wrote:
>
>
>>ARP is insecure, no matter how many patches you apply or how many hacks you
>>try. If you want something more secure, use 802.1X, use security on the
>>switch, use IPv6+IPSec/SeND, etc.
>
> Sorry if I have been rude. I am not the administrator of the network, I am a
> client. And another client uses MiTM. This network uses unmanaged switches,
> and the ISP spits on it. That's why I am trying to find a way to protect my
> workstation from MiTM without static arp entries, which would have been
> easy and transparent. I think the variant with the patch is the simplest
> and most effective. I am simply a customer, and I am trying to find the
> most simple solution.
>
>

You can set static entries in the ARP tables with arp(8), see the
-f option with the "permanent" option.

This is not security against spoofed MAC addresses. And I bet the
management firmware on some NICs can be made to do really nasty things
by an attacker with access to layer 2.

If the network admins are unwilling to clean up their network, you
should take your custom elsewhere.
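Both replies above land on the same practical point: on a shared Ethernet segment with unmanaged switches, a client cannot prevent ARP spoofing, and a static entry does not stop a neighbour from also forging the source MAC. What a client can still do is notice the attack, the way arpwatch does. The following is an added example (not code from the thread or from OpenBSD) that decodes raw Ethernet/ARP frames, learns IP to MAC bindings, and raises an alert when a binding changes or when the Ethernet source MAC disagrees with the ARP sender hardware address. All addresses and frames are constructed for the example; on a real host you would feed it frames read from bpf(4) or a pcap file.

```python
"""arpwatch-style ARP spoof detection over raw Ethernet frames (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class ArpPacket:
    oper: int
    eth_src: str      # MAC in the Ethernet header
    sender_mac: str   # hardware address claimed inside the ARP payload
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP fields, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(oper, mac_str(src), mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, eth_src: Optional[str] = None) -> bytes:
    """Build a frame for the constructed sample; eth_src lets us forge a header/payload mismatch."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if oper == OP_REQUEST else target_mac
    eth = ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src or sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, oper, mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


class ArpWatch:
    """Track IP -> MAC bindings learned from ARP traffic and record anomalies."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[ArpPacket]:
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        if pkt.eth_src != pkt.sender_mac:
            self.alerts.append(f"ethernet src {pkt.eth_src} != ARP sender {pkt.sender_mac} "
                               f"for {pkt.sender_ip}")
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            self.alerts.append(f"{pkt.sender_ip} moved from {known} to {pkt.sender_mac}")
            self.bindings[pkt.sender_ip] = pkt.sender_mac  # keep following so flapping shows up
        return pkt


# Constructed sample traffic: the gateway answers normally, then another
# host claims the gateway's IP (classic poison), then forges the sender field.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:aa:bb:cc:dd:ee"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    build_arp(OP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(OP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(OP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(OP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, eth_src=ATTACKER_MAC),
]


def run_sample() -> ArpWatch:
    watch = ArpWatch()
    for frame in SAMPLE_FRAMES:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    for line in run_sample().alerts:
        print("ALERT:", line)
```

The third frame triggers a "moved" alert; the fourth triggers both a header/payload mismatch and a second move. Alerting is all this can do for you: a switch with dynamic ARP inspection, or a VLAN of your own, is the fix, which is what the thread says.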



Re: Where is "Secure by default" ?

2009-03-09 Thread Juan Miscaro
2009/3/9 bofh :
> On Mon, Mar 9, 2009 at 11:48 AM, - Tethys  wrote:

>> Maybe it's a troll. Maybe not. Can we afford to be turning away
>> potential users on the off chance?

>
> OpenBSD exists solely for the developers

That's a silly thing to say.

--
jm




Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-03-09 Thread Elisa Jasinska
Hi Henning and Claudio,

Claudio Jeker wrote:
> Btw. does this only happen with full IPv6 feeds or are a few
> announcements already enough?

We have two test setups. One actually includes real peers, none sending
a full table though. The other one is a setup in our lab, with various
routers we could find, which only send a couple of routes to each other.

We have seen this happening if the peer we 'clear' announces at least
one prefix to the route server, so there is actually something to update.

The behavior is different in the two setups though.

With the real peers: multiple sessions go Idle upon 'clearing' one
session and the broken UPDATE that gets send out with that, but they all
come up again after a while.

In the lab: the Idle sessions never come up completely, because the
broken UPDATE seems to be send out repeatedly, causing the peer to go
back to Idle immediately every time we reach an Established state.

Henning Brauer wrote:
> wait. removing tcpmd5 fixes the problem? you gotta be kidding?
> this is on OpenBSD right?
> 

Sorry, this was a wrong assumption we made based on your previous post
that there might be something wrong with it (and too many changes in our
config at the same time ;)

We are still busy with doing one change at a time now and trying to
figure out what in the config actually causes this to happen. Once we
get any conclusive results from this we will get back to you.

Thanks a lot for your help!

Regards
Elisa
-- 
Elisa Jasinska - AMS-IX NOC
http://www.ams-ix.net/



Re: Where is "Secure by default" ?

2009-03-09 Thread Jan Stary
On Mar 09 15:48:05, - Tethys wrote:
> Maybe it's a troll. Maybe not.

Take a wild guess.

> Can we afford to be turning away
> potential users on the off chance?

Assuming that "we" means the dev team, of which
neither you or me are members, then yes, we can.

> -- 
> The greatest shortcoming of the human race is our inability to
> understand the exponential function -- Albert Bartlett

Apparently not.



Re: Where is "Secure by default" ?

2009-03-09 Thread Ted Unangst
On Mon, Mar 9, 2009 at 11:48 AM, - Tethys  wrote:
> On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom  wrote:
>> because it is.
>
> And therein lies some of the problem with the OpenBSD community. Don't
> get me wrong, I like OpenBSD, I use it, and have donated to the
> project. But here we have a user that has security concerns, and
> rather than either admit there's a problem or point out why there's no
> security hole, the answer given is just that it's secure "because it
> is". That wouldn't fill me with confidence if I was looking to deploy
> an OpenBSD system. I'm worried that some are getting complacent about
> OpenBSD's security here...

Then one should ask a question, wait for replies, and read them. Not
send a new email to the list every hour with ever escalating
trollosity, nor start new threads with provocative subjects.

If you want to borrow some eggs from your neighbor, you knock politely
and wait.  You don't keep bounding on the door and then piss in the
window.



Re: arp MiTM

2009-03-09 Thread Paul de Weerd
On Mon, Mar 09, 2009 at 07:18:59PM +0200, irix wrote:
| Hello Paul,
| 
|  The problem is that I am not an administrator of the network.
|  I am a client of the network. The network is built on unmanaged
|  switches. The ISP does not care about the problem, so I am interested
|  in this patch.

As has been pointed out by myself and numerous others by now, this is
the way things are on ethernet. There's one thing you can do, and that
is check the key fingerprint before logging in through SSH.

Otherwise, your options are all network based. Get a vlan or get a new
ISP that understands these issues and is prepared to deal with them.

| May you help with patch on OpenBSD ?

No. As I said in my previous mail, this is the wrong way to go. Feel
free to break your own system in any way you like; you get to keep all
the pieces. Just don't come here for support if you do, though.

Paul 'WEiRD' de Weerd

-- 
 http://www.weirdnet.nl/ 



Re: arp MiTM

2009-03-09 Thread Jacob Meuser
On Mon, Mar 09, 2009 at 02:34:07PM +, michal wrote:
> Jacob Yocom-Piatt wrote:
> >irix wrote:
> >>Hello Misc,
> >>
> >>  I am a customer and not the network administrator, and someone in
> >>  the network makes a MiTM attack; the network is built on
> >>  unmanaged switches and the ISP will not move everything to managed
> >>  ones. Therefore, a software implementation of this patch for OpenBSD.
> >>  OpenBSD is the most secure OS on the planet, but susceptible to a
> >>  simple MiTM attack. How then can we talk about "security by
> >>  default"?
> >>  
> >
> >
> >this sort of email will, even if you have a valid point, likely win 
> >you no points with the devs. i see no offer of funding or a 
> >demonstration of an attack vector so you are obviously a very serious 
> >player.
> >
> >you are being unbelievably rude and are likely a troll so this is the 
> >last time i'll ever read your emails. wouldn't be surprised if a lot 
> >of other folks did the same.
> >
> >
> Funny, I would say you are being more rude than he is
> 

the thing is, this isn't the first post by `irix'.  `irix' always wants
something.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: x11 problems with lenovo w500

2009-03-09 Thread Matthieu Herrb
On Mon, Mar 9, 2009 at 11:56 AM, Didier Wiroth
 wrote:

>
> b) Now, if I bypass the authentication and boot directly into openbsd.
> The openbsd kernel is loaded, but now I'm _NOT_ able to start X11.
> Here is the NON-working Xorg.0.log:
> 
> Here is the dmesg.boot:
> 
> (I don't think there is a difference between the two DMESG, but I included
> them in case someone would like to have a look into it)
>
> Here is a snip of the error message:
> (II) Loading /usr/X11R6/lib/modules//libvgahw.so
> (II) Module vgahw: vendor="X.Org Foundation"
>compiled for 1.5.3, module version = 0.1.0
>ABI class: X.Org Video Driver, version 4.1
> (II) intel(0): Creating default Display subsection in Screen section
>"Builtin Default intel Screen 0" for depth/fbbpp 24/32
> (==) intel(0): Depth 24, (--) framebuffer bpp 32
> (==) intel(0): RGB weight 888
> (==) intel(0): Default visual is TrueColor
> (II) intel(0): Integrated Graphics Chipset: Intel(R) Mobile Intel® GM45
> Express Chipset
> (--) intel(0): Chipset: "Mobile Intel® GM45 Express Chipset"
> (--) intel(0): Linear framebuffer at 0xD000
> (--) intel(0): IO registers at addr 0xF440
> (EE) intel(0): Unable to map mmio range. Invalid argument (22)
>
> Fatal server error:
> Caught signal 11.  Server aborting
>

Can you send us the pcidump -v output for both cases?

Also what kind of interface is truecrypt using? Is it switching to
some graphics mode that would change the state of the card in some
way?

--
Matthieu Herrb



Re: Where is "Secure by default" ?

2009-03-09 Thread Vadim Zhukov
On 9 March 2009 21:29:47 Juan Miscaro wrote:
> 2009/3/9 bofh :
> > On Mon, Mar 9, 2009 at 11:48 AM, - Tethys  wrote:
> >> Maybe it's a troll. Maybe not. Can we afford to be turning away
> >> potential users on the off chance?
> >
> > OpenBSD exists solely for the developers
>
> That's a silly thing to say.

Then what do you do on this silly list made by silly people who also own
a silly website (and, as one Unix here says, silly OSes too) which says
such silly things too?

--
  Best wishes,
Vadim Silly Zhukov



Re: IPSEC: certificate ignored

2009-03-09 Thread Toni Mueller
Hi,

thanks to Mitja and you for answering.

On Sat, 07.03.2009 at 19:28:09 +0100, Heinrich Rebehn 
 wrote:
> Am 06.03.2009 um 22:56 schrieb Toni Mueller:
>> 223644.842092 Plcy 30 keynote_cert_obtain: failed to open "/etc/ 
>> isakmpd/keynote//u...@road-warrior/credentials"
>> 223644.842516 Default get_raw_key_from_file: monitor_fopen ("/etc/ 
>> isakmpd/pubkeys//ufqdn/u...@road-warrior", "r") failed: Permission  
>> denied
>
> ?? Permission denied? Could this be the problem?

No, it couldn't. These files don't exist.

I was able to find my own errors so far, so that now the correct
certificate gets used. This is what I have, and have had, for several years
now. The problem was a missing semicolon in isakmpd.policy.

I still get "no policy" errors while in state "INFO encrypted", which
are imho hard to debug. If anyone has tips to share, I'd be very
grateful.

What I want to achieve (from my isakmpd.policy):

Conditions: app_domain == "IPsec policy"
&& esp_present == "yes"
&& esp_enc_alg == "aes"
&& phase_1 == "main"
&& phase1_group_desc == "5"
&& esp_encapsulation == "tunnel"
&& ah_present == "no"
&& esp_auth_alg == "hmac-sha2-512"
&& esp_key_length == "256"
&& pfs == "yes"
&& some-checks-on-the-remote-ids -> "true";

But I don't know if Linux supports them all. OpenBSD <-> OpenBSD worked
just fine...


Kind regards,
--Toni++



Re: generating passwords (crypt, md5)

2009-03-09 Thread Juan Miscaro
2009/2/28 Stuart Henderson :
> On 2009-02-28, Juan Miscaro  wrote:
>> What is the standard way of generating hashes (for me it's for
>> passwords) in OpenBSD?  I once used userdbpw but its package
>> (courier-authlib-userdb) conflicts with another package I have
>> installed.  So I'm looking for a cleaner, standard method.  Thanks.
>
> encrypt(1) is in base and covers MD5/Blowfish/DES. or there's htpasswd,
> handling SHA/apache modified MD5/Blowfish/DES. if you need other hashes,
> dovecotpw (from the dovecot package) knows of many more.

Thanks everyone for the replies.  In the end I discovered that the
courier-authlib package has the utility 'authpasswd' which fits the
bill.

--
jm



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread J.C. Roberts
On Mon, 9 Mar 2009 09:07:51 -0700 Hilco Wijbenga
 wrote:

> 2009/3/9 J.C. Roberts :
> > On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
> >  wrote:
> >
> >> I have pf running on my firewall box and I'm experiencing some
> >> strange behaviour. After several hours (this may even be 24 hours)
> >> of functioning normally, pf seems to reload its default rules
> >> which means that from that point on all traffic is blocked. A
> >> simple "pfctl -f /etc/pf.conf" fixes the problem but it is very
> >> annoying.
> >
> > ummm... no. Think about it for a moment. The default rules *are*
> > stored in /etc/pf.conf --the very same file you are manually
> > reloading, so it's obviously not magically reloading the "default
> > rules" as you claim.
> 
> Ah, different semantics. :-) By "default rules" I mean whatever pf
> does *without* an /etc/pf.conf. Probably something like "block all".
> 

:-)

> > What kind of connection are you running?
> > Is your public IP address static or dynamic?
> > More importantly, are you running some sort of
> > tunneling/authentication such as PPPoE or similar?
> 
> I use DHCP so my IP can change. It's not particularly "public" though.
> My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
> I guess [no more running out of IPv4 addresses for them] but not very
> useful to me.)
> 

I doubt your ISP only has 254 customers, so they are most likely using
more than just the stated 192.168.1.0 - 192.168.1.255 range.

If you are doing your own NAT'ing for other machines on your private
LAN, the fact your ISP is assigning you an IP address from the private
address space could lead to a conflict. 

The "smart" answer for an ISP is moving to IPv6 since it's the only
long term solution. Unfortunately, with less than 1% uptake on IPv6, it
doesn't get you much usability "right now" and network address
translation hacks are still required in some cases.

> > In short my first guess is your IP is changing every 24 hours or so
> > due to your service provider using dynamic addressing (and trying to
> > prevent you from having a particular IP for too long). If I'm right,
> > then your problem is that pf is holding on to the old rules for your
> > old IP address even though your IP had changed. In other words, you
> > have a configuration error.
> 
> That definitely makes sense. However, I thought that by referring to
> an interface instead of an IP I was protected from that? I mean, it's
> fairly common to have a dynamic IP, is it not?
> 

It depends on *how* you refer to the interface in your rules. As
mentioned in the thread, you may have left off the needed parenthesis
around your interface variable. You would be neither the first nor last
to make this mistake. If you would post your pf.conf it would be very
helpful. 

p.s. I hope you don't mind I cc'd m...@. I figured your off-list reply
was due to my mistaken off-list reply.

-- 
J.C. Roberts



Re: arp MiTM

2009-03-09 Thread irix
Hello Misc,

  Theo and other, thanks.

-- 
Best regards,
 irix  mailto:i...@ukr.net



Re: relayd ssl to ssl not working. Sends http request to https port

2009-03-09 Thread kevin thompson
Sorry to dredge this back up from a month ago, but I wanted to get some
clarification.

If I wanted to have a gateway that accepts https connections from clients
and then proxies them over to https servers am I just out of luck?  Is it
that it cannot be done at all, or just that it cannot be done with relayd
and there is some other tool I should look at.

I'd like to look at making an open version of an Application Layer Firewall
(as required by the PCI DSS).  Ideally, I would be able to have clients
connect to port 443 on the OpenBSD gateway and the OpenBSD gateway would
decrypt the traffic, reassemble it, run it through snort, and maybe check
the headers for some expected values.  Then if everything is good, open a
connection to the server and pass the traffic on.  Can it be done on
OpenBSD?  Where do I need to look to learn more?  I've pored over the
documentation for relayd and pf, but I'm not seeing the ability to do what
I'm talking about here.

It probably sounds like Man in the Middle mode described below.  You're
right, dealing with bad certificates would be a pain in the butt.  Maybe we
could require the firewall admin to provide the certificate that is expected
from the server.  So whether it is bad or not, it has to match what the
firewall was expecting or the host is considered down and taken out of
rotation.

Kevin


On Mon, Feb 9, 2009 at 4:15 PM, Stuart Henderson wrote:

> On 2009-02-09, kevin thompson  wrote:
> > Is there something in my configuration file that I need to specify to
> ensure
> > that https requests are sent to the servers?  I've looked at a few
> examples
> > online and I haven't seen anything that fits the bill.  Here is my
> > relayd.conf file
>
> basically it looks like you want to decrypt, adjust the headers,
> and then re-encrypt to the server.
>
> relayd doesn't have this feature (mitm mode? :-)
>
> it could probably be added as an option to "forward to" for a
> relay, but this would bring some questions about how to handle
> invalid certificates at the backend server, etc... (and without
> safe ways to handle that, you might as well keep the cleartext
> to the backend).
>
> with what's currently available in relayd, you would have to
> use a plain TCP relay for HTTPS.
>
> > table  { www.mnsu.edu, secure.mnsu.edu }
> > web_port="80"
> > ssl_port="443"
> > bge0_ip="134.29.32.88"
> >
> > interval 10
> > timeout 200
> > prefork 5
> > log updates
> >
> > http protocol "httpfilter" {
> ># TCP Performance options
> >tcp { nodelay, sack, socket buffer 65536, backlog 100 }
> >
> ># Return HTTP/HTML error pages
> >return error
> >
> ># allow logging of remote client ips to internal web servers
> >header append "$REMOTE_ADDR" to "X-Forwarded-For"
> >
> ># Set keep alive timeout to global timeout
> >header change "Keep-Alive" to "$TIMEOUT"
> >
> ># Close connection upon receipt
> >header change "Connection" to "close"
> >
> ># Anonymize webservers name/type
> >response header change "Server" to "Something"
> >
> ># SSL options
> >ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
> > }
> >
> > relay web_proxy {
> >listen on $bge0_ip port $ssl_port ssl
> >protocol "httpfilter"
> >forward to  port $ssl_port mode loadbalance check https
> "/"
> > code 200
> > }
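Stuart's objection to a decrypt-and-re-encrypt relay is that, without a safe way to validate the backend's certificate, the second TLS leg adds nothing. Kevin's proposal is to have the firewall admin supply the certificate the backend is expected to present and to fail the host if anything else shows up. The following is an added example (not relayd code and not from the thread) of that check in Python: pin the SHA-256 fingerprint of the backend's DER certificate, compare it in constant time after the client-side handshake, and refuse to forward any bytes on a mismatch. The "certificate" bytes and pin below are constructed stand-ins so the check can run offline; `connect_pinned` is the network-facing wrapper you would call from the relay for each backend connection.

```python
"""Certificate pinning for the backend leg of a TLS-to-TLS relay (added example)."""
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex without separators."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison; accepts the colon-separated form openssl prints."""
    want = expected.replace(":", "").strip().lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), want)


def backend_context(ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Client-side context for the backend leg: normal chain + hostname checks stay on;
    the pin is enforced in addition to them, not instead of them."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def connect_pinned(host: str, port: int, expected_pin: str,
                   ctx: Optional[ssl.SSLContext] = None, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open the backend TLS connection and verify the pin before returning the socket.
    Nothing from the client is forwarded until this returns."""
    ctx = ctx or backend_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_pin):
        tls.close()
        # In a relay this is where the backend is marked down and taken out of rotation.
        raise ssl.SSLError(f"backend {host}:{port} presented a certificate that does not match the pin")
    return tls


# Constructed stand-in for getpeercert(binary_form=True); not a real certificate.
CONSTRUCTED_BACKEND_DER = b"\x30\x82\x01\x00constructed-backend-certificate-bytes"
CONSTRUCTED_PIN = cert_fingerprint(CONSTRUCTED_BACKEND_DER)  # what the admin would paste into config


def pin_as_openssl_prints(pin: str) -> str:
    """Render the pin as colon-separated uppercase hex, the way openssl x509 -fingerprint does."""
    return ":".join(pin[i:i + 2] for i in range(0, len(pin), 2)).upper()


if __name__ == "__main__":
    print("pin:", pin_as_openssl_prints(CONSTRUCTED_PIN))
    print("matches:", pin_matches(CONSTRUCTED_BACKEND_DER, CONSTRUCTED_PIN))
    print("tampered:", pin_matches(CONSTRUCTED_BACKEND_DER + b"\x00", CONSTRUCTED_PIN))
```

Pinning the leaf means a backend certificate renewal requires a config change on the relay; pinning the issuing CA via `load_verify_locations` instead trades that operational cost for a wider trust set. Either way the point Stuart makes stands: the relay must have some verifiable expectation about the backend, or the re-encryption is theatre.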



Re: Where is "Secure by default" ?

2009-03-09 Thread new_guy
L. V. Lammert wrote:
> 
> PMFJI, but isn't the issue simpler than that? If he has a MiTM attack via 
> arp, doesn't that mean the attacker has access to the local subnet?
> 

Remote access to a machine on that subnet would do. It does not have to be
physical. Probably a compromised Windows box that got the ball rolling
(that's been my experience anyway). Once a machine on your net is infected,
the cracker may as well be physically in the building.



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Hilco Wijbenga
2009/3/9 J.C. Roberts :
> On Mon, 9 Mar 2009 09:07:51 -0700 Hilco Wijbenga
>  wrote:
>
>> 2009/3/9 J.C. Roberts :
>> > On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
>> >  wrote:
>> >
>> >> I have pf running on my firewall box and I'm experiencing some
>> >> strange behaviour. After several hours (this may even be 24 hours)
>> >> of functioning normally, pf seems to reload its default rules
>> >> which means that from that point on all traffic is blocked. A
>> >> simple "pfctl -f /etc/pf.conf" fixes the problem but it is very
>> >> annoying.
>> >
>> > ummm... no. Think about it for a moment. The default rules *are*
>> > stored in /etc/pf.conf --the very same file you are manually
>> > reloading, so it's obviously not magically reloading the "default
>> > rules" as you claim.
>>
>> Ah, different semantics. :-) By "default rules" I mean whatever pf
>> does *without* an /etc/pf.conf. Probably something like "block all".
>>
>
> :-)
>
>> > What kind of connection are you running?
>> > Is your public IP address static or dynamic?
>> > More importantly, are you running some sort of
>> > tunneling/authentication such as PPPoE or similar?
>>
>> I use DHCP so my IP can change. It's not particularly "public" though.
>> My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
>> I guess [no more running out of IPv4 addresses for them] but not very
>> useful to me.)
>
> I doubt your ISP only has 254 customers, so they are most likely using
> more than just the stated 192.168.1.0 - 192.168.1.255 range.

Let's hope so for them. :-) I always get an IP in that range, though.
Well, so far anyway.

> If you are doing your own NAT'ing for other machines on your private
> LAN, the fact your ISP is assigning you an IP address from the private
> address space could lead to a conflict.

I had been wondering about that. I use 192.168.151.* internally. That
should be okay then, shouldn't it?

> The "smart" answer for an ISP is moving to IPv6 since it's the only
> long term solution. Unfortunately, with less than 1% uptake on IPv6, it
> doesn't get you much usability "right now" and network address
> translation hacks are still required in some cases.

We're talking about a very big ISP. Smart doesn't come into the picture. ;-)

>> > In short my first guess is your IP is changing every 24 hours or so
>> > due to your service provider using dynamic addressing (and trying to
>> > prevent you from having a particular IP for too long). If I'm right,
>> > then your problem is that pf is holding on to the old rules for your
>> > old IP address even though your IP had changed. In other words, you
>> > have a configuration error.
>>
>> That definitely makes sense. However, I thought that by referring to
>> an interface instead of an IP I was protected from that? I mean, it's
>> fairly common to have a dynamic IP, is it not?
>>
>
> It depends on *how* you refer to the interface in your rules. As
> mentioned in the thread, you may have left off the needed parenthesis
> around your interface variable. You would be neither the first nor last
> to make this mistake. If you would post your pf.conf it would be very
> helpful.

ext_if = "sk0"
int_if = "sk1"

set skip on lo
set block-policy return
scrub in

nat log on $ext_if from $int_if:network to any -> ($ext_if)

block log
pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
#pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if)
port { domain, ntp }
pass in quick on $int_if from $int_if:network to any

> p.s. I hope you don't mind I cc'd m...@. I figured your off-list reply
> was due to my mistaken off-list reply.

:-) Yep.

Cheers,
Hilco
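The rule set Hilco posted contains exactly the mistake J.C. describes: `pass out quick from $ext_if to any` names the interface in an address position without parentheses, so pf expands it to whatever address sk0 had when the rules were loaded; when the DHCP lease renews with a new address, that rule no longer matches and `block log` takes over, which is the "default rules" symptom. The `nat ... -> ($ext_if)` rule is fine because the parentheses make pf re-evaluate the address on change (pf.conf(5)). The following is an added example, not code from the thread or from OpenBSD, of a small linter that flags unparenthesised macros in `from`, `to` and `->` positions for the interface macros you declare dynamic, and rewrites them. The config it runs over is the one posted above (with the wrapped comment line rejoined).

```python
"""Lint pf.conf for dynamic-interface macros used as addresses without parentheses (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

ADDR_POSITIONS = {"from", "to", "->"}
# $macro, optionally with a modifier such as :network, :broadcast, :peer or :0,
# optionally already wrapped in parentheses.
MACRO_RE = re.compile(r"^\(?\$(\w+)(:\w+)?\)?$")
TOKEN_RE = re.compile(r"\{|\}|[^\s{},]+")


def parse_macros(conf: str) -> Dict[str, str]:
    """Collect `name = "value"` macro definitions."""
    macros: Dict[str, str] = {}
    for line in conf.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$', line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def lint(conf: str, dynamic_macros: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, token) for every bare dynamic macro in an address position."""
    dynamic = set(dynamic_macros)
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()
        if not rule or re.match(r"^\w+\s*=", rule):
            continue
        in_addr, depth = False, 0
        for tok in TOKEN_RE.findall(rule):
            if tok in ADDR_POSITIONS:
                in_addr = True
            elif tok == "{":
                depth += 1
            elif tok == "}":
                depth -= 1
                if depth == 0:
                    in_addr = False
            elif in_addr:
                m = MACRO_RE.match(tok)
                if m and not tok.startswith("(") and m.group(1) in dynamic:
                    findings.append((lineno, tok))
                if depth == 0:
                    in_addr = False   # a single address ends the position; a list runs to "}"
    return findings


def fix_conf(conf: str, dynamic_macros: Iterable[str]) -> str:
    """Wrap each flagged macro in parentheses so pf tracks the interface's current address."""
    lines = conf.splitlines()
    for lineno, tok in lint(conf, dynamic_macros):
        pat = re.compile(r"(?<!\()" + re.escape(tok) + r"(?![\w:])")
        lines[lineno - 1] = pat.sub("(" + tok + ")", lines[lineno - 1])
    return "\n".join(lines) + "\n"


# The rule set from the post above, with the wrapped comment rejoined onto one line.
HILCO_CONF = """\
ext_if = "sk0"
int_if = "sk1"

set skip on lo
set block-policy return
scrub in

nat log on $ext_if from $int_if:network to any -> ($ext_if)

block log
pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
#pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port { domain, ntp }
pass in quick on $int_if from $int_if:network to any
"""

if __name__ == "__main__":
    for lineno, tok in lint(HILCO_CONF, {"ext_if"}):
        print(f"line {lineno}: {tok} is expanded once at load time; use ({tok})")
    print(fix_conf(HILCO_CONF, {"ext_if"}))
```

`on $ext_if` is deliberately not flagged: there the macro names the interface itself, not an address, so it is unaffected by address changes. Only the `from`/`to`/`->` uses need the parentheses.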






Re: acpitz0: THRM: failed to read _TMP

2009-03-09 Thread Miod Vallat
> I'm seeing the following messages logged to the console:
> 
> acpitz0: THRM: failed to read _TMP
> acpitz0: THRM: failed to read temp
> 
> (both lines are repeated many times).
> 
> It looks like OpenBSD (4.4) is unable to read the CPU temperature
> which would explain why my previously whisper quiet box now resembles
> a starting F16. I have the box under the desk running 24/7 so I really
> want it to be quiet.

Have you tried a more recent snapshot? There have been fixes in acpitz
for this kind of failure some time after 4.4, which might help your
machine.

Miod



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread J.C. Roberts
On Mon, 9 Mar 2009 19:06:10 -0700 Hilco Wijbenga
 wrote:

> 2009/3/9 J.C. Roberts :
> > On Mon, 9 Mar 2009 09:07:51 -0700 Hilco Wijbenga
> >  wrote:
> >
> >> 2009/3/9 J.C. Roberts :
> >
> > I doubt your ISP only has 254 customers, so they are most likely
> > using more than just the stated 192.168.1.0 - 192.168.1.255 range.
> 
> Let's hope so for them. :-) I always get an IP in that range, though.
> Well, so far anyway.
> 
> > If you are doing your own NAT'ing for other machines on your private
> > LAN, the fact your ISP is assigning you an IP address from the
> > private address space could lead to a conflict.
> 
> I had been wondering about that. I use 192.168.151.* internally. That
> should be okay then, shouldn't it?
> 
> > The "smart" answer for an ISP is moving to IPv6 since it's the only
> > long term solution. Unfortunately, with less than 1% uptake on
> > IPv6, it doesn't get you much usability "right now" and network
> > address translation hacks are still required in some cases.
> 
> We're talking about a very big ISP. Smart doesn't come into the
> picture. ;-)
> 

Whether or not the IP address you get from your ISP via DHCP becomes a
problem really depends on the netmask and default route they give you
along with the IP.

If your internal network is 192.168.151.*
And your ISP gives you 192.168.1.* with a netmask of 255.255.0.0
then you're officially hosed. The provided netmask means your internal
network is *within* the range of your external network. bad juju!

That netmask would give you the range 192.168.0.0 - 192.168.255.255 on
your external interface, and hence, overlapping your internal network.

Don't worry, it gets worse. :-)

When using Point to Point Protocol (PPP, PPPoE, and similar), it can get
far more confusing. Take a look at the following:

# ifconfig tun0
tun0: flags=8051 mtu 1500
groups: tun egress
inet 70.212.222.173 --> 66.174.217.64 netmask 0xffffff00


My external interface "tun0" has an IP address of 70.212.222.173 with a
netmask of 255.255.255.0 (0xffffff00), so officially speaking the range
of addresses reachable from my external interface should be:

70.212.222.0 - 70.212.222.255

Did you notice my default route, 66.174.217.64, is actually outside of
the reachable range of my external interface?

Yep, this is one of the strange side effects of using the various Point
to Point Protocols. You mentioned needing DHCP but you did not mention
needing to use PPP/PPPoE/similar, so this little routing mindjob might
not be related to your issue.

Nonetheless, the safest thing you can do is use an obtuse private
network range for your internal LAN.

http://en.wikipedia.org/wiki/Private_network

Typically the "20-bit" block 172.16.0.0 - 172.31.255.255 is mostly
forgotten, and will most likely keep you far away from what your
provider is using.

> >> > In short my first guess is your IP is changing every 24 hours or
> >> > so due to your service provider using dynamic addressing (and
> >> > trying to prevent you from having a particular IP for too long).
> >> > If I'm right, then your problem is that pf is holding on to the
> >> > old rules for your old IP address even though your IP had
> >> > changed. In other words, you have a configuration error.
> >>
> >> That definitely makes sense. However, I thought that by referring
> >> to an interface instead of an IP I was protected from that? I
> >> mean, it's fairly common to have a dynamic IP, is it not?
> >>
> >
> > It depends on *how* you refer to the interface in your rules. As
> > mentioned in the thread, you may have left off the needed
> > parenthesis around your interface variable. You would be neither
> > the first nor last to make this mistake. If you would post your
> > pf.conf it would be very helpful.
> 
> ext_if = "sk0"
> int_if = "sk1"
> 
> set skip on lo
> set block-policy return
> scrub in
> 
> nat log on $ext_if from $int_if:network to any -> ($ext_if)
> 
> block log
> pass out quick from $int_if to $int_if:network
> pass out quick from $ext_if to any
> #pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if)
> port { domain, ntp }
> pass in quick on $int_if from $int_if:network to any
> 
> > p.s. I hope you don't mind I cc'd m...@. I figured your off-list
> > reply was due to my mistaken off-list reply.
> 
> :-) Yep.
> 

The rules you have are a bit odd but you're not doing anything too
fancy, so you can easily simplify things.

If I was able to 'keep state' every time I 'pass out' drinking would be
far more enjoyable. Though I can't do it, pf can, and does it by
default, but it seems I've digressed. Additionally, you need to be very
careful when using the "quick" keyword since it intentionally short
circuits your rule evaluation.

ext_if = "sk0"
int_if = "sk1"
set skip on lo
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in log
pass out
antispoof quick for { lo $int_if }