Re: systrace insecure [was: Re: chroot browser]
Howdy,

On Thu, Mar 26, 2009 at 09:12:42AM -0600, Theo de Raadt wrote: That said, this is not enough reason to entirely delete the code. It still has uses. It's useful for checking ports are not dumping junk all over the file-system. Please keep it.

Best Regards
Edd Barrett (Freelance software developer / technical writer / open-source developer)
http://students.dec.bmth.ac.uk/ebarrett
pkg_add via proxy
My pkg_add gets blocked by the web based authentication system I use at work. Every time I try pkg_add -iv honeyd, I get the following error:

Error from ftp://rt.fm/pub/OpenBSD/snapshots/packages/i386/
Redirected to https://company.com:443//portal/login?__dest=rt.fm
Requesting https://company.com:443//portal/login?__dest=rt.fm
No packages available in the PKG_PATH
Can't resolve honeyd

Is there any way to tell pkg_add my user name and password for the web authentication system? I'm only using the base system.

Thanks.
Re: VPN client-to-site over IPSec
Hi,

On Fri, 03.04.2009 at 18:26:45 -0300, Marcello Cruz marcello.c...@globo.com wrote:
> Do you mean a VPN where only a HOST will access an entire NETWORK? If so, then the answer is YES.

I don't need anything specifically right now which would fit into this thread, but asked questions to better understand what the original poster wanted to achieve.

> For instance, I have some OpenBSD servers acting as VPN Server and they allow me to connect from home to the networks behind those OpenBSD servers.

Me too.

> PC -- Internet -- OpenBSD -- LAN
> PC -- IPSec Tunnel -- LAN
>
> I also have other situations where I need an entire LAN communicate with other LAN, like:
>
> LAN -- OpenBSD/Other -- Internet --- OpenBSD -- LAN
> LAN --- IPSec Tunnel --- LAN

I just wanted to say that, network-wise, configuring the first scenario, assuming that you mean transport mode, almost never makes sense, or at least not to me, and that the second scenario should be the default configuration, even if LAN and OpenBSD/Other might collapse into only one computer.

Kind regards,
--Toni++
Re: git0 tunnel with any remote endpoint
Garry Dolley wrote:
> On Fri, Apr 03, 2009 at 02:17:41PM +, Stuart Henderson wrote:
>> On 2009-04-03, Garry Dolley gdol...@arpnetworks.com wrote:
>>> Dear misc,
>>> Is it possible to have a git0 tunnel that accepts a remote endpoint of any address? I'm trying to set up a 6to4 anycast relay router.
>> 6to4 is not gif.
> Weird, because it works as 6to4. I'm tunneling IPv6 packets over it from a Linux box (static endpoint) that has a 6to4 tunnel whose endpoint is my OpenBSD box.

That is because 6to4 (http://en.wikipedia.org/wiki/6to4) uses proto-41 (http://en.wikipedia.org/wiki/6in4). The major difference and also the concern for security is that the remote endpoint (where the packet will be forwarded to) is determined from the IPv6 address, eg 2002:aabb:ccdd:: becomes aa.bb.cc.dd.

There are a lot of security pitfalls in 6to4 and if I recall correctly that is the reason why OpenBSD does not support 6to4. IMHO that was a just decision.

As a side-note, there has been talk in the IETF to deprecate 6to4, especially the anycast version. Mostly though due to the many many many issues that come along with actually operating 6to4 anycast on a larger scale. (Try debugging 6to4 anycasted when there are 10 networks between you and the remote site, and you can only do traceroutes from your hosts and don't have a view at all at any of the other hosts/routers in the middle: impossible)

Proto-41 itself is also easily subject to spoofing as long as one can spoof IPv4 packets anywhere on a connected network and can get them to the host.

>> OpenBSD does not support 6to4.
> Can a gif0 tunnel be set up with dynamic endpoints?

If you add the heartbeat protocol this can work. Otherwise proto-41 doesn't have support for dynamic endpoints (unless you manually script it, then again, heartbeat is not that far away from that in some cases ;)

Greets,
Jeroen
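As an added example (not from the thread and not OpenBSD code), this shows the address mapping Jeroen describes, 2002:aabb:ccdd:: to aa.bb.cc.dd, together with the ingress checks from RFC 3964 that a 6to4 relay has to apply before decapsulating a proto-41 packet, since the embedded address is the only thing deciding where traffic is forwarded. Function names and all sample addresses other than 2002:aabb:ccdd:: are made up for the example.

```python
# Added example: 6to4 address mapping and RFC 3964 relay ingress checks.
import ipaddress
from typing import Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")


def embedded_ipv4(addr) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in bits 16..47 of a 6to4 address, else None.

    2002:aabb:ccdd::/48 -> aa.bb.cc.dd, the mapping mentioned in the thread.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4:
        return None
    return ipaddress.IPv4Address(a.packed[2:6])


def sixto4_prefix(v4) -> ipaddress.IPv6Network:
    """The /48 a site with public IPv4 address v4 gets under 6to4."""
    b = ipaddress.IPv4Address(v4).packed
    return ipaddress.IPv6Network("2002:%02x%02x:%02x%02x::/48" % (b[0], b[1], b[2], b[3]))


def check_ingress(outer_src, inner_src, inner_dst) -> Tuple[bool, str]:
    """Decide whether a relay may accept a proto-41 packet from the IPv4 side.

    outer_src: IPv4 source of the encapsulating packet.
    inner_src, inner_dst: addresses of the IPv6 packet carried inside it.
    """
    src4 = ipaddress.IPv4Address(outer_src)
    src6 = ipaddress.IPv6Address(inner_src)
    dst6 = ipaddress.IPv6Address(inner_dst)

    emb = embedded_ipv4(src6)
    if emb is None:
        # Only 6to4 sources are expected from the v4 side; anything else is
        # misrouted or an attempt to inject arbitrary IPv6 traffic.
        return False, "inner IPv6 source is not a 6to4 address"
    if emb != src4:
        # Inner and outer source must agree, otherwise the v4 source is spoofed
        # or the sender is using another site's 6to4 prefix.
        return False, "embedded %s does not match outer source %s" % (emb, src4)
    if not emb.is_global:
        # Private, loopback, link-local etc. can never be a legitimate 6to4 site.
        return False, "embedded IPv4 %s is not globally routable" % emb
    if dst6 in SIXTO4:
        # The relay would re-encapsulate toward the address embedded in the
        # destination, so that endpoint must be a routable host as well.
        dst4 = embedded_ipv4(dst6)
        if not dst4.is_global:
            return False, "6to4 destination embeds non-global IPv4 %s" % dst4
    return True, "ok"


if __name__ == "__main__":
    print(embedded_ipv4("2002:aabb:ccdd::"))
    print(sixto4_prefix("170.187.204.221"))
    # constructed sample: genuine packet, then one whose outer source disagrees
    print(check_ingress("170.187.204.221", "2002:aabb:ccdd::1", "2001:db8::1"))
    print(check_ingress("170.187.204.222", "2002:aabb:ccdd::1", "2001:db8::1"))
```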
Re: Anyone using munin?
Marc Runkel wrote:
> Trying to set up munin work with OpenBSD and was wondering if anyone had some plugins pre-written? In particular interface statistics but I'll take just about anything.

I think munin comes with a bunch of plugins already. If not you can grab some Linux package (like Debian's munin-node) and extract them from it. These are simple scripts (shell, perl, python) so they might run on OpenBSD even without any modifications.

--
Cezary Morga
Man forgives woman anything save the wit to outwit him. (Minna Thomas Antrim)
Re: pkg_add via proxy
On 2009-04-04, Chris atst...@gmail.com wrote:
> My pkg_add gets blocked by the web based authentication system I use at work. Every time I try pkg_add -iv honeyd, I get the following error:
>
> Error from ftp://rt.fm/pub/OpenBSD/snapshots/packages/i386/
> Redirected to https://company.com:443//portal/login?__dest=rt.fm
> Requesting https://company.com:443//portal/login?__dest=rt.fm
> No packages available in the PKG_PATH
> Can't resolve honeyd
>
> Is there any way to tell pkg_add my user name and password for the web authentication system? I'm only using the base system.

I don't know what's going to be involved with this portal you get redirected to... Is there any chance that you just need to login via a web browser first and then it unblocks access from your IP address?

If it can do the usual HTTP proxy authentication, your best option is probably to install curl via manual download (you will also need libiconv, gettext, libidn), set FETCH_CMD to use curl with the appropriate flags to login to your proxy, and use an _HTTP_ mirror.
Re: git0 tunnel with any remote endpoint
* Garry Dolley gdol...@arpnetworks.com [2009-04-03 21:39]:
> Weird, because it works as 6to4. I'm tunneling IPv6 packets over it from a Linux box (static endpoint)

that is not 6to4, that is v6 over v4.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: pkg_add via proxy
I use ntlm and then I add http_proxy=localhost:myport pkg_add stuff.

On Sat, Apr 04, 2009 at 02:42:02AM -0700, Chris wrote:
> My pkg_add gets blocked by the web based authentication system I use at work. Every time I try pkg_add -iv honeyd, I get the following error:
>
> Error from ftp://rt.fm/pub/OpenBSD/snapshots/packages/i386/
> Redirected to https://company.com:443//portal/login?__dest=rt.fm
> Requesting https://company.com:443//portal/login?__dest=rt.fm
> No packages available in the PKG_PATH
> Can't resolve honeyd
>
> Is there any way to tell pkg_add my user name and password for the web authentication system? I'm only using the base system.
>
> Thanks.
Re: F5 FirePass SSL VPN on OpenBSD
On Fri, Apr 03, 2009 at 10:18:56PM +0800, Pui Edylie wrote:
> Hi Mikolaj,
> Here is the Perl script on F5 Dev Central which is used for *nix system
> http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=32
> I have used it with great success on Linux but it should be pretty straightforward for *BSD

Thanks Pui! Cool stuff. That's what I was looking for. Works fine with ppp(8).

The only thing which I'm not able to make work is `set authkey' with a script. Fragment from ppp(8):

     set [auth]key value
     ...
     If the first character of value is an exclamation mark (`!'), ppp treats the remainder of the string as a program that must be executed to determine the ``authname'' and ``authkey'' values.
     ...

but that doesn't work for me. Currently I'm copy-pasting the authkey from the output of a modified version of the perl script[ref#1] each time I want to connect to the VPN, but that's a little bit annoying. Does anybody have a clue how to make authname/authkey work with scripts?

$ sysctl -n kern.version
OpenBSD 4.5-current (GENERIC) #14: Fri Mar 27 06:57:10 MDT 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

# /etc/ppp/ppp.conf
firepass:
 set device !/usr/sbin/openssl s_client -quiet -ign_eof -host VPN-SERVER-DOT-COM -port 443
 set authkey COOKIE-FROM-HTTP-HEADERS
 set dial \\ GET\\s/myvpn?sess=\\P\\sHTTP/1.0\\r\\nCookie:\\sMRHSession=\\P\\r\\n\\r\\n
 set timeout 0
 set dns DNS-SERVER-TAKEN-FROM-WINDOWS
 enable dns
 accept dns
 resolv reload
 resolv readonly
 add! VPN-SERVER-DOT-COM CURRENT-DEFAULT-GATEWAY
 bg ifconfig INTERFACE description LABEL CONNECTING

# /etc/ppp/ppp.linkup
firepass:
 add! default HISADDR
 resolv rewrite
 shell ifconfig INTERFACE description LABEL is UP

# /etc/ppp/ppp.linkdown
firepass:
 shell ifconfig INTERFACE description LABEL is DOWN
 resolv restore
 resolv reload

References
1. http://devcentral.f5.com/SDK/sslvpn.public.pl.txt
2. http://devcentral.f5.com/weblogs/dctv/archive/2006/10/30/fploginscript.aspx
3. http://fuhm.net/software/f5vpn-login/

--
best regards
q#
Re: pkg_add via proxy
2009/4/4 Marco Peereboom sl...@peereboom.us:
> I use ntlm and then i add http_proxy=localhost:myport pkg_add stuff.

You mean ntlmaps?
http://www.openbsd.org/4.4_packages/i386/ntlmaps-0.9.9.0.1.tgz-long.html

> On Sat, Apr 04, 2009 at 02:42:02AM -0700, Chris wrote:
>> My pkg_add gets blocked by the web based authentication system I use at work. Every time I try pkg_add -iv honeyd, I get the following error:
>>
>> Error from ftp://rt.fm/pub/OpenBSD/snapshots/packages/i386/
>> Redirected to https://company.com:443//portal/login?__dest=rt.fm
>> Requesting https://company.com:443//portal/login?__dest=rt.fm
>> No packages available in the PKG_PATH
>> Can't resolve honeyd
>>
>> Is there any way to tell pkg_add my user name and password for the web authentication system? I'm only using the base system.
>>
>> Thanks.
About the OS - The basics
Hi, I just installed OpenBSD 4.4 and the first thing I have seen is that there isn't a normal GUI. I have run startx, but I have several problems (probably I am too novice):

- The drivers of my graphic card aren't loaded.
- The GUI (X server) only has five options and the rest is unknown (I don't know what exactly it is).

I don't know too much, so I am here, asking if somebody can help me with the basics.

Thank you very much.
Re: About the OS - The basics
On Sat, Apr 4, 2009 at 1:01 PM, Manuel Carrasco manuc.li...@gmail.com wrote:
> Hi, I just installed OpenBSD 4.4 and the first thing I have seen is that there isn't a normal GUI. I have run startx, but I have several problems (probably I am too novice):
>
> - The drivers of my graphic card aren't loaded.
> - The GUI (X server) only has five options and the rest is unknown (I don't know what exactly it is).
>
> I don't know too much, so I am here, asking if somebody can help me with the basics.

Probably a good place to start is to include the /var/log/Xorg.0.log file and the output of the command `dmesg'. You'll need to include these inline; attachments get stripped off by the misc@ mailing list. Including those will get more people interested in helping you solve your problem(s).

--patrick
Re: About the OS - The basics
On 4 Apr 2009, at 21:01, Manuel Carrasco wrote:
> I don't know too much, so I am here, asking if somebody can help me with the basics.

Try this: http://openbsd.org/faq/

This will serve you very well.

--
When I die I want to go peacefully in my sleep like my Grandfather, not screaming in terror like his passengers.
http://playr.co.uk/
Re: About the OS - The basics
On Sat, 4 Apr 2009 21:32:34 +0100 Gaby Vanhegan g...@vanhegan.net wrote:
> On 4 Apr 2009, at 21:01, Manuel Carrasco wrote:
>> I don't know too much, so I am here, asking if somebody can help me with the basics.
>
> Try this: http://openbsd.org/faq/
>
> This will serve you very well.

+1

http://www.openbsd101.com/ and http://openbsd-wiki.org/ can be interesting too.

--
Maxime DERCHE
GnuPG public key ID : 0x9A85C4C0 (fingerprint : 0FDC 16AF 5A5B 1908 786C 2B85 2D3C C83E 9A85 C4C0)
http://www.mouet-mouet.net/maxime/blog/index.php
Re: pkg_add via proxy
yeah

On Sat, Apr 04, 2009 at 09:01:37PM +0200, ropers wrote:
> 2009/4/4 Marco Peereboom sl...@peereboom.us:
>> I use ntlm and then i add http_proxy=localhost:myport pkg_add stuff.
>
> You mean ntlmaps?
> http://www.openbsd.org/4.4_packages/i386/ntlmaps-0.9.9.0.1.tgz-long.html
>
>> On Sat, Apr 04, 2009 at 02:42:02AM -0700, Chris wrote:
>>> My pkg_add gets blocked by the web based authentication system I use at work. Every time I try pkg_add -iv honeyd, I get the following error:
>>>
>>> Error from ftp://rt.fm/pub/OpenBSD/snapshots/packages/i386/
>>> Redirected to https://company.com:443//portal/login?__dest=rt.fm
>>> Requesting https://company.com:443//portal/login?__dest=rt.fm
>>> No packages available in the PKG_PATH
>>> Can't resolve honeyd
>>>
>>> Is there any way to tell pkg_add my user name and password for the web authentication system? I'm only using the base system.
>>>
>>> Thanks.
Re: Donations (was, sadly, European orders)
On Thu, 2 Apr 2009, Bob Beck wrote:
>> Others are trying to do it too, but they are just more quiet about it. And then there's the other category... the breeders...
>
> No, you're forgetting the third category - the titanium clipped, whose ungrateful spawn are now 18 and will soon be old enough to be capable of leaving the house... Quick marco.. snip 'em before it gets worse!

Yeah, them damn breeders, I've been saying that for years, but then people always blamed it on radical feminism. :-)

diana
Re: pkg_add via proxy
A few months ago, we added the ability for ftp to handle proxies with password, so this ought to work more or less... Of course, you need to be able to get a package list, so you will have to use http mirrors (since the nlist command won't go through proxies, as far as I know).
mounting Blu-ray/HD-DVD reader causes system lockup
I have had this LG GGC-H20L Blu-ray/HD-DVD reader. I got it because I made the mistake of buying several HD-DVDs before the format wars were over, plus I wanted to make backups of my HD movies.

I installed this in my quad-core server, and booted the system. In the dmesg, I see the following:

cd0 at scsibus0 targ 4 lun 0: HL-DT-ST, BDDVDRW GGC-H20L, 1.03 ATAPI 5/cdrom removable

I did confirm that this is the latest firmware, and it says ATAPI 5, but it's connected via a SATA connection.

I am able to mount DVDs and do a dump from mplayer to a VOB on the hard drive. I can view files on the DVD, and copy from it to the hard drive.

The problem comes when I attempt to mount a Blu-ray or HD-DVD disc. I put the disc in, and when I try to mount it using mount /dev/cd0c /cdrom, the drive light flashes two or three times, and then the system locks up. I can no longer do anything: I lose my USB keyboard, and I have connected a PS2 keyboard to the system. I can do Ctrl-C and Ctrl-Z, and I see output on the screen, but no more prompt. I lose network connectivity, and cannot even ping the system.

I am using the snapshots from 31 March, and I am still getting the same issue. Is this an issue with the HD discs not being supported by the OS, or is the drive not fully supported? Does OpenBSD support the UDF format that these discs use? Maybe that's the issue... but it shouldn't lock a system up when you try to mount the disc...

I have included the GENERIC.MP dmesg below. If I need to send anything else, please let me know...
I'm using just the console, no window manager or program other than mount.

regards,
Bryan
Re: Odd problem, may be related to relayd
I've seen similar problems... not with relayd, but it still may apply. I had a server that was behind a Linksys router on a DSL connection, being accessed by a remote user. The window size (iirc) at the remote user was lower than usual, and the DSL provider was blocking the ICMP messages to alter the window size. We had to lower a setting in Windows at the server side to fix this.

Something similar could be happening here: when going through relayd, it could be sending packets that are too large, and something is getting dropped. A packet capture at both ends could help reveal this.

Just an idea.

--Brian

On Fri, Apr 3, 2009 at 1:47 PM, Gary Thornock gthorn...@yahoo.com wrote:
> My company has a web application running on a set of web servers that we're load balancing with relayd. We've recently learned of a problem where end users who have:
>
> - Comcast cable internet connections,
> - Linksys cable routers provided by Comcast, and
> - the Linksys router's firewall protection setting enabled (as it is by default)
>
> can't access our load balanced servers. We've watched the traffic, and it appears that our response packets are being dropped by the Linksys router. To confirm this further, if the Linksys firewall protection setting is disabled, then everything works fine.
>
> To further complicate matters, the users *can* access any single one of the web servers just fine. It's only when they try to use the relayd load balanced IP address that things break.
>
> More details, in case any of them help: relayd is running on a pair of stock Dell R200 machines, along with pf and carp. The installed OpenBSD version is 4.4 i386, running the generic kernel.
>
> relayd.conf looks like this:
> -
> wsrv1=192.168.2.20
> wsrv2=192.168.2.21
> wsrv3=192.168.2.22
>
> interval 5
> timeout 200
>
> table wwwhosts { $wsrv1 $wsrv2 $wsrv3 }
>
> redirect wsrv {
>     listen on a.b.c.d port 80
>     tag RELAYD
>     sticky-address
>     forward to wwwhosts port 80 mode roundrobin check http /robots.txt code 200
> }
>
> redirect wsrv-https {
>     listen on a.b.c.d port 443
>     tag RELAYD
>     sticky-address
>     forward to wwwhosts port 443 mode roundrobin check https /robots.txt code 200
> }
> -
>
> We're not completely certain that relayd is causing the issue, but we've eliminated everything else we can think of (except of course the Linksys firewall, but we can't very well tell every single possible end user in the world who might have a Linksys cable router to turn off its firewall setting.)
>
> If there's something obvious that we're doing wrong with the configuration, we'd love to know about it.
>
> Thanks!

--
_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
Brian McCann
I don't have to take this abuse from you -- I've got hundreds of people waiting to abuse me.
-- Bill Murray, Ghostbusters