Re: [Way OT] Roadtrip...

2009-04-24 Thread Eric d'Alibut
On Fri, Apr 24, 2009 at 1:11 AM, Nick Bender nben...@gmail.com wrote:

 Apologies to most people who won't give a shit but I'm finally moving
 to New Mexico...

This is the sort of thing that gets me thinking really really
seriously again about capital punishment. Who's with me?



-- 
No no no, my fish's name is Eric, Eric the fish. He's an halibut. I am
not a looney! Why should I be tarred with the epithet looney merely
because I have a pet halibut?



Re: Problem with slow disk I/O

2009-04-24 Thread Janne Johansson

On Apr 23 18:09:55, Thomas Pfaff wrote:

First on Ubuntu:
/dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro)
~$ time (tar -zxf ports.tar.gz && sync)
real    0m47.784s

47.78 seconds wall clock time


Then the same commands on OpenBSD:
/dev/wd0k on /home type ffs (local, nodev, nosuid, softdep)
$ time (tar -zxf ports.tar.gz && sync)
1m2.62s real 0m1.15s user 0m7.15s system


~ 1 minute 2.5 seconds wall clock time


So you have ~52 seconds on ext3 mounted  'realtime' (whatever that means),
versus ~63 seconds on ffs mounted with 'softdep'.
What was the problem again?

That I cannot get the job done in less than a minute on OpenBSD
while on Linux it takes only 18 seconds.


Also, doesn't ext2/3 run with everything mount async?

A quick test with ffs in async mode (instead of, or added to softdep) 
would also be worth running, in order to see how much grossly insecure 
I/O lessens the perceived time. I am one of those who like to keep my 
files, so I won't recommend USING async, but for the sake of argument 
here, such a test might be in order.



Which reminds me to ask what the state of having a UBC in OpenBSD is,
please?


There is nothing close to it yet, to my knowledge, but I am hosting the 
2009 filesystem hackathon this autumn in hopes of getting 'better' I/O 
out of OpenBSD, with the help of a nice grant to that goal. Perhaps 
magic will come out of that. History (and undeadly =) will tell.


Mind you, I did run UBC on my obsd amiga back in the short while when 
art@ had UBC in, which did wonders when you have lots (128M) of ram and 
a PIO mode 0 harddisk to boot.




Upgrade to -current

2009-04-24 Thread MANI
Currently I am using 4.2-stable and I am willing to upgrade to -current
because of some new features which I need.
According to the FAQ (http://www.openbsd.org/faq/faq5.html#Bld) I should first
upgrade to the closest binary, which means upgrade from 4.2 to 4.3 and then to
4.4 (latest snapshot) and finally fetch & build -current.

The above process, as you know, will be a highly time-consuming process and I
would prefer to stick to my current 4.2 rather than going through that. Why not just
fetch & build -current directly? What is your recommended approach for
upgrading to -current?

thanks,
Mani
*



Re: sudo won't work with login_fingerprint

2009-04-24 Thread Nick Guenther
omg we have finger print reader support??? !

I installed the port and I'm playing with it. Can you post your full
config? The login_fingerprint docs are short on the troubleshooting. I
can enroll my fingers and I've got su asking me for finger swipes but
whenever I do it says invalid swipe or login incorrect.

I see the same result as you with sudo. Annoying. Sudo must not be
feeding it correctly right, but perhaps login_fingerprint is expecting
wrongly.

It would be a neat gimmick if we could get this working!

-Nick

On 23/04/2009, LEVAI Daniel l...@ecentrum.hu wrote:
 Hi!

 I've set up this login_fingerprint port and it is working fine in console
 logins and with `su`, but with sudo I can't seem to get it to work.
 I've modified my /etc/login.conf like this:
 # Default allowed authentication styles
 auth-defaults:auth=-fingerprint,passwd,skey:\
 :x-fingerprint=7:

 I've just added the fingerprint stuff. Now when running sudo, and typing in
 my password 3 times:

 $ sudo -l
 -fingerprint: challenge not supported
 sudo password(daniell):
 -fingerprint: response not supported
 Sorry, try again.
 -fingerprint: challenge not supported
 sudo password(daniell):
 -fingerprint: response not supported
 Sorry, try again.
 -fingerprint: challenge not supported
 sudo password(daniell):
 -fingerprint: response not supported
 Sorry, try again.
 sudo: 3 incorrect password attempts

 With `sudo -a` I can specify the passwd type, and can sudo with my
 password, so no big problem, I'm just wondering what special configuration is needed
 for sudo to work with this auth type.

 Any ideas would be appreciated, thanks!

 Daniel

 --
 LÉVAI Daniel
 PGP key ID = 0x4AC0A4B1
 Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: question about net.inet.carp.preempt

2009-04-24 Thread Imre Oolberg

Hallo!

Thanks for the reply! I am also aware that one popular use of 
net.inet.carp.preempt is to control how the computer system as a whole 
reacts to errors like one physical interface going dead.


'man carp' says about net.inet.carp.preempt:

Allow virtual hosts to preempt each other. It is also used to failover 
carp interfaces as a group.  When the option is enabled and one of the 
carp enabled physical interfaces goes down, advskew is changed to 240 on 
all carp interfaces.  See also the first example. Disabled by default.


What I was interested in mainly this time is the, so to say, practical 
meaning of the first sentence, in the case of how a pair of carp interfaces in a 
carp group behave while .carp.preempt is not set or is set.


I decided to dig a little bit deeper because sometimes I can't predict 
events when I add another vlan and carp interface to the running system 
(master for that particular carp device appears on the wrong side etc). 
It could be easily said to me that if you are so interested, use the 
source, but I am sorry, the source is not much help for me, I am more 
of just a user.



Imre


Felipe Alfaro Solana wrote:

On Thu, Apr 23, 2009 at 12:05 PM, Imre Oolberg i...@auul.pri.ee wrote:


Hallo!

I would like to confirm my understanding of how carp works and if the
following holds generally true.

After having on all participating nodes set to

 # sysctl -w net.inet.carp.preempt=0



AFAIK CARP preempt has meaning only in the context of the machine to which
it applies. When CARP preempt is enabled, in a machine with multiple CARP
interfaces, whenever one CARP interface fails over, all other CARP
interfaces in the machine fail over too.

I'm using this on my 2-firewall configuration (active-passive) where each
machine has two CARP interfaces: internal interface and Internet-facing
interface. Whenever one of the interfaces fails over, the other does too. This
way, both interfaces are either master or backup, at the same time. This
avoids the case where the internal interface is master and the
Internet-facing interface is backup (or the opposite).



one could change the advskew value and actually no carp takeover takes place
automatically until issuing, on the node becoming master,

 # ifconfig carp-interface-name state master

or on the node becoming backup

 # ifconfig carp-interface-name state backup

After that the carp master and backup change roles.

On the other hand, if all participating nodes are set to

 # sysctl -w net.inet.carp.preempt=1

then under similar changes in advskew carp takeover happens automatically,
i.e. master and backup change roles and 'state master' or 'state backup'
don't need to be issued manually. (As Merriam-Webster says in one case for
preemptive: 'marked by the seizing of the initiative; initiated by
oneself')


Imre

PS The scope of this experiment is takeover within a particular carp group
(practically between two physical interfaces) and not for all carp groups
as in the case of a firewall with several physical interfaces.




Re: sudo won't work with login_fingerprint

2009-04-24 Thread LEVAI Daniel
On Friday 24 April 2009 09.28.34 you wrote:
 omg we have finger print reader support??? !

 I installed the port and I'm playing with it. Can you post your full
 config? The login_fingerprint docs are short on the troubleshooting. I
 can enroll my fingers and I've got su asking me for finger swipes but
 whenever I do it says invalid swipe or login incorrect.
You need to enroll_fingerprint(8) as the target (root) user too, so root will
have a ~/.fprint directory too.

 I see the same result as you with sudo. Annoying. Sudo must not be
 feeding it correctly right, but perhaps login_fingerprint is expecting
 wrongly.

 It would be a neat gimmick if we could get this working!
I just followed /usr/local/share/doc/login_fingerprint/README:
$ enroll_fingerprint -f 7
It has populated a ~/.fprint/ dir with the scanned fingerprint, and after the
login.conf modify I could login on the console and do `su`. Only sudo seems
to need the '-apasswd' option to force it to use the passwd auth type instead
of the -fingerprint type. But grepping thru sudo's source I couldn't find
this error message anywhere :\

My modifications in login.conf are only the following:
--- /var/backups/etc_login.conf.backup  Thu Apr 16 16:06:00 2009
+++ /etc/login.conf Thu Apr 23 17:15:23 2009
@@ -23,7 +23,8 @@
 #

 # Default allowed authentication styles
-auth-defaults:auth=passwd,skey:
+auth-defaults:auth=-fingerprint,passwd,skey:\
+   :x-fingerprint=7:

 # Default allowed authentication styles for authentication type ftp
 auth-ftp-defaults:auth-ftp=passwd:
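Review bot: putting `-fingerprint` first in `auth-defaults` makes every login class that includes `auth-defaults` try the fingerprint style before `passwd` and `skey`, for every program that authenticates through BSD auth and not only console login and su; the `-fingerprint: challenge not supported` lines in the quoted `sudo -l` output are what a caller that cannot drive that style sees on each attempt. Consider leaving `auth-defaults` as it was and adding the style in a dedicated class (`auth=-fingerprint,passwd,skey` together with `x-fingerprint=7`) assigned only to users who have enrolled, so unenrolled accounts and other callers keep the plain `passwd,skey` path.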


Daniel

 On 23/04/2009, LEVAI Daniel l...@ecentrum.hu wrote:
[...]
  $ sudo -l
  -fingerprint: challenge not supported
  sudo password(daniell):
  -fingerprint: response not supported
  Sorry, try again.
  -fingerprint: challenge not supported
  sudo password(daniell):
  -fingerprint: response not supported
  Sorry, try again.
  -fingerprint: challenge not supported
  sudo password(daniell):
  -fingerprint: response not supported
  Sorry, try again.
  sudo: 3 incorrect password attempts
[...]

--
LÉVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: Upgrade to -current

2009-04-24 Thread LEVAI Daniel
On Friday 24 April 2009 08.50.11 you wrote:
 Currently I am using 4.2-stable and I am willing to upgrade to -current
 because of some new features which I need.
 According to the FAQ (http://www.openbsd.org/faq/faq5.html#Bld) I should first
 upgrade to the closest binary, which means upgrade from 4.2 to 4.3 and then to
 4.4 (latest snapshot) and finally fetch & build -current.

 The above process, as you know, will be a highly time-consuming process and I
 would prefer to stick to my current 4.2 rather than going through that. Why not just
 fetch & build -current directly? What is your recommended approach for
 upgrading to -current?
Upgrading thru the binary releases is not that tedious, and you could upgrade
to a binary snapshot of -current after the latest binary release has been
installed. No need to compile -current AFAIK.

Daniel

--
LÉVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: autowhitelister for spamd needs testing

2009-04-24 Thread Gregory Edigarov

Aaron Mason wrote:

On Fri, Apr 24, 2009 at 11:01 AM, Dan Harnett dan...@harnett.name wrote:
  

On top of that, if VeriSign could be tricked into signing a fake
Microsoft ActiveX key, can you really trust the authorities?
  

Are you implying SPF records are validated somewhere and signed by a
trusted third party?  They're not.  They're provided by the bad guys.  A
more proper analogy would be that you received an ActiveX control signed
by The Bad Guys Who Do Bad Things.  They were nice enough to sign it,
so you accept it.




I was implying no such thing.  I was referring to using WHOIS to block
spammers on the basis of the date the domain was registered.

  

asfjsakf1359.com TXT v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all



Ok, now that gives us a pointer by which to block fraudulent folk.
That record means anyone and everyone can send an email using that
domain name.  A proper SPF record wouldn't have an all-encompassing IP
range.  In fact, who in the world would have anything more than a /7
block?

However that alone wouldn't deter any spammer - just limit the range
to what's accepted and you're in.  And any limit you set will only
cause more dramas.  Sure you could limit it to /24 and smaller, or
even to single addresses, but what about those select folk who have
been assigned /8 classless subnets?  That's a whole lotta SPF records
for one subdomain.

No solution is perfect, but a small group of imperfect solutions is a
far cry better than no solutions at all and our mailboxes being
inundated with spam.  The problem's here to stay, all we can do is
deal with it as best we can.
  

Well, nobody's perfect, and there is no perfect solution.
And I do not even pretend that I made a perfect solution.
It still requires /dev/brain, /dev/eyes, and /dev/hands...
Ok, thank you all for the interesting discussion. I think I could develop
a more advanced solution that will check blocks found by SPF lookup
through a WHOIS lookup...


--
With best regards,
Gregory Edigarov



Re: rt.fm ftp server dumps core

2009-04-24 Thread Paul Irofti
On Thu, Apr 23, 2009 at 03:37:00PM -0600, Jeff Ross wrote:
 Hi,

 For a while now I've been getting segmentation faults when I try to 
 download snapshots from rt.fm

 ftp mget *tgz
 mget base45.tgz? all
 Prompting off for duration of mget.
 local: base45.tgz remote: base45.tgz
 150 Opening BINARY mode data connection for 'base45.tgz' (48267043 bytes).
 100% |**| 47135 KB00:41
 226 Transfer complete.
 48267043 bytes received in 41.35 seconds (1.11 MB/s)
 local: comp45.tgz remote: comp45.tgz
 150 Opening BINARY mode data connection for 'comp45.tgz' (90067409 bytes).
 100% |**| 87956 KB01:12
 421 Service not available, remote server has closed connection.
 Segmentation fault (core dumped)

I'm running a similar command now on pub/OpenBSD/snapshots/i386. Is that
what you're doing? Also, it would've been nice to include a trace from
the core.



Re: Problem with slow disk I/O

2009-04-24 Thread Jan Stary
 First on Ubuntu:
 /dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro)
 ~$ time (tar -zxf ports.tar.gz && sync)
 real  0m47.784s

 Then the same commands on OpenBSD:
 /dev/wd0k on /home type ffs (local, nodev, nosuid, softdep)
 $ time (tar -zxf ports.tar.gz && sync)
 1m2.62s real 0m1.15s user 0m7.15s system

 So you have ~52 seconds on ext3 mounted  'realtime' (whatever that means),
 versus ~63 seconds on ffs mounted with 'softdep'.

Replying to myself,

'realtime' implies noatime, says http://lwn.net/Articles/244829/
(Isn't once upon atime an amusing title?)

And https://help.ubuntu.com/community/Fstab says that 'async'
is the default for Ubuntu ext3 mounts. Is your ext3 mounted
async? The mount line doesn't say so - but is that hidden
under 'realtime', too?

 Also, doesn't ext2/3 run with everything mount async?
 A quick test with ffs in async mode (instead of, or added to softdep) 
 would also be worth running, in order to see how much grossly insecure 
 I/O lessens the perceived time.
 I am one of those who like to keep my 
 files, so I won't recommend USING async, but for the sake of argument 
 here, such a test might be in order.

softdep and async are mutually exclusive.

This is what happens with and without noatime (+ softdep, of course),
and with async replacing softdep, on my machine:

# uname -a
OpenBSD stary.dhcp.fjfi.cvut.cz 4.4 GENERIC.MP#2 i386

# mount
/dev/wd0a on / type ffs (local)
/dev/wd0d on /usr type ffs (local, nodev, softdep)
/dev/wd0e on /var type ffs (local, nodev, nosuid, softdep)
/dev/wd0f on /var/log type ffs (local, nodev, nosuid, softdep)
/dev/wd0g on /var/mail type ffs (local, nodev, nosuid, softdep)
/dev/wd0h on /tmp type ffs (local, nodev, nosuid, softdep)
/dev/wd0i on /home type ffs (local, nodev, nosuid, softdep)
/dev/wd0k on /dload type ffs (local, nodev, nosuid, softdep)
/dev/wd0j on /backup type ffs (local, nodev, nosuid, softdep)

# cd /backup
# ls -l ports.tar.gz
-rw-r--r--  1 root  wheel  14583699 Aug  9  2008 ports.tar.gz

# time { tar xzf ports.tar.gz ; sync ; }
1m5.51s real 0m0.00s user 0m0.00s system
# time rm -rf ports
0m13.88s real 0m0.20s user 0m1.56s system

# cd
# umount /backup
# mount -o nodev,nosuid,softdep,noatime /dev/wd0j /backup
# cd /backup

# time { tar xzf ports.tar.gz ; sync ; }
1m6.85s real 0m0.00s user 0m0.00s system
# time rm -rf ports
0m14.72s real 0m0.16s user 0m1.33s system

# cd
# umount /backup
# mount -o nodev,nosuid,async /dev/wd0j /backup
# cd /backup

# time { tar xzf ports.tar.gz ; sync ; }
0m39.44s real 0m0.00s user 0m0.01s system
# time rm -rf ports
0m6.80s real 0m0.19s user 0m1.45s system


Jan



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread David Walker
From:  Claudio Jeker
 The main encapsulation over ADSL is PPPoE or PPPoA; only lately, with the
 spread of IPTV and VDSL, is EFM (Ethernet First Mile) used by some telcos.
 So it totally depends on what your provider is giving you.

Hi Claudio.
Maybe I didn't explain myself or perhaps I am trying to explain
something that doesn't make sense.
I understand there are differing methods of getting the packets from
the exchange to the premises, etcetera.
Considering the existing popular method of PPPoE is there more than
one way to collect those packets at the first adapter after the modem?

My current scenario:
DSLAM-PPPoE-Modem-TCP/IP-Router
In this case, the relevant adapter on the router gets an IP address
from the modem's DHCP server. All the PPPoE to IP transactions occur
within the modem.
The hostname.if file on the router:
DHCP none none none

The other scenario:
DSLAM-PPPoE-Modem-PPPoE-Router
In this case the relevant adapter on the router receives PPPoE
encapsulated packets from the modem exactly as they are sent from the
exchange.
The modem does not do any PPPoE to IP conversion.
The hostname.if file on the router merely says up.
There is also an /etc/hostname.pppoe0 file on the router.

This other scenario seems to be the intent of pppoe(4):
 This is often used to connect a router via a DSL modem to an access
 concentrator.  The pppoe interface does not by itself transmit or receive
 frames, but needs an Ethernet interface to do so.  This Ethernet
 interface is connected to the pppoe interface via ifconfig(8).  The Ethernet
 interface needs to be marked UP, but does not need to have an IP address.

So it is quite different from my current scenario - no IP address for a start.

Am I reading all this correctly?

Best wishes.



Transparent Firewall (bridge) with DMZ + LAN

2009-04-24 Thread openbsder
I'm currently interested in setting up a three-legged network, using OBSD+PF
as the firewall. Originally, I had jus



Transparent firewall (bridge) with DMZ + LAN

2009-04-24 Thread openbsder
I am currently interested in setting up a three-legged network topology,
using OBSD+PF as the firewall appliance. Originally, I was going to simply
have the firewall equipped with three network cards: one for DMZ, one for
LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was
for a switch to be used on both DMZ and LAN, providing NAT on both segments.
Pretty straight forward.

Recently, it has been suggested that a transparent firewall implementation
is ideal where possible. But as far as I understand, transparency is only
available when the firewall acts as a bridge between TWO networks. How would
I keep my DMZ and LAN both while using a bridging firewall. Is it even
possible?



Re: sudo won't work with login_fingerprint

2009-04-24 Thread Nick Guenther
On Fri, Apr 24, 2009 at 3:38 AM, LEVAI Daniel l...@ecentrum.hu wrote:
 On Friday 24 April 2009 09.28.34 you wrote:
 omg we have finger print reader support??? !

 I installed the port and I'm playing with it. Can you post your full
 config? The login_fingerprint docs are short on the troubleshooting. I
 can enroll my fingers and I've got su asking me for finger swipes but
 whenever I do it says invalid swipe or login incorrect.
 You need to enroll_fingerprint(8) as the target (root) user too, so root
 will have a ~/.fprint directory too.

When I say su I actually meant I'm running su $USER.

 I see the same result as you with sudo. Annoying. Sudo must not be
 feeding it correctly right, but perhaps login_fingerprint is expecting
 wrongly.

 It would be a neat gimmick if we could get this working!
 I just followed /usr/local/share/doc/login_fingerprint/README:
 $ enroll_fingerprint -f 7
 It has populated a ~/.fprint/ dir with the scanned fingerprint, and after
 the login.conf modify I could login on the console and do `su`. Only sudo seems
 to need the '-apasswd' option to force it to use the passwd auth type
 instead of the -fingerprint type. But grepping thru sudo's source I couldn't find
 this error message anywhere :\

 My modifications in login.conf are only the following:
 --- /var/backups/etc_login.conf.backup  Thu Apr 16 16:06:00 2009
 +++ /etc/login.conf Thu Apr 23 17:15:23 2009
 @@ -23,7 +23,8 @@
  #

  # Default allowed authentication styles
 -auth-defaults:auth=passwd,skey:
 +auth-defaults:auth=-fingerprint,passwd,skey:\
 +   :x-fingerprint=7:

  # Default allowed authentication styles for authentication type ftp
  auth-ftp-defaults:auth-ftp=passwd:


I followed the README too but it told me to add this:
#
# The fingerprint login class allows the fingerprint and passwd
# authentication methods and checks your 7th (right index) finger.
#
fingerprint:
:auth=-fingerprint,passwd:\
:x-fingerprint=7:\
:tc=default:

and I had to do sudo usermod -L fingerprint $USER to get su $USER
to start asking me to swipe. Do we maybe have different versions (I
should probably shyly mention here that I'm on -CURRENT right now)?

Why are we writing -fingerprint instead of fingerprint?
login.conf(8) is hazy on what this means. It doesn't seem to matter
especially which is chosen.

I suspect my problem is a driver issue. I have a 1600 chip (as linux
tells me... dunno why OpenBSD) but the driver is written for 1610
chips. Until I can at least use su with my finger I'm not sure I can
help you.

-Nick



Re: sudo won't work with login_fingerprint

2009-04-24 Thread LEVAI Daniel
On Friday 24 April 2009 12.27.50 you wrote:
 On Fri, Apr 24, 2009 at 3:38 AM, LEVAI Daniel l...@ecentrum.hu wrote:
  On Friday 24 April 2009 09.28.34 you wrote:
  omg we have finger print reader support??? !
 
  I installed the port and I'm playing with it. Can you post your full
  config? The login_fingerprint docs are short on the troubleshooting. I
  can enroll my fingers and I've got su asking me for finger swipes but
  whenever I do it says invalid swipe or login incorrect.
 
  You need to enroll_fingerprint(8) as the target (root) user too, so root
  will have a ~/.fprint directory too.

 When I say su I actually meant I'm running su $USER.
Then you must run enroll_fingerprint as $USER, to make the
$USER_HOMEDIR/.fprint/ directory and the corresponding files.


  I see the same result as you with sudo. Annoying. Sudo must not be
  feeding it correctly right, but perhaps login_fingerprint is expecting
  wrongly.
 
  It would be a neat gimmick if we could get this working!
 
  I just followed /usr/local/share/doc/login_fingerprint/README:
  $ enroll_fingerprint -f 7
  It has populated a ~/.fprint/ dir with the scanned fingerprint, and after
  the login.conf modify I could login on the console and do `su`. Only sudo
  seems to need the '-apasswd' option to force it to use the passwd auth
  type instead of the -fingerprint type. But grepping thru sudo's source I
  couldn't find this error message anywhere :\
 
  My modifications in login.conf are only the following:
  --- /var/backups/etc_login.conf.backup  Thu Apr 16 16:06:00 2009
  +++ /etc/login.conf Thu Apr 23 17:15:23 2009
  @@ -23,7 +23,8 @@
   #
 
   # Default allowed authentication styles
  -auth-defaults:auth=passwd,skey:
  +auth-defaults:auth=-fingerprint,passwd,skey:\
  +   :x-fingerprint=7:
 
   # Default allowed authentication styles for authentication type ftp
   auth-ftp-defaults:auth-ftp=passwd:

 I followed the README too but it told me to add this:
 #
 # The fingerprint login class allows the fingerprint and passwd
 # authentication methods and checks your 7th (right index) finger.
 #

 fingerprint:
 :auth=-fingerprint,passwd:\
 :x-fingerprint=7:\
 :tc=default:

I've done the same thing except I've added this to the default class, so I
don't have to change the already made classes (which are
including auth-defaults).

 and I had to do sudo usermod -L fingerprint $USER to get su $USER
 to start asking me to swipe. Do we maybe have different versions (I
 should probably shyly mention here that I'm on -CURRENT right now)?
I'm using -current too, but in this case it doesn't matter; the login classes
we use are not the same, but that's all.

 Why are we writing -fingerprint instead of fingerprint?
 login.conf(8) is hazy on what this means. It doesn't seem to matter
  especially which is chosen.
man login.conf:
 Local authentication styles may be added by creating a login script for
 the style (see below).  To prevent collisions with future official BSD
 Authentication style names, all local style names should start with a
 dash (-).

^^^ That is why the -fingerprint; also:
# ls -l /usr/libexec/auth/
[...]
login_-fingerprint
[...]

 I suspect my problem is a driver issue. I have a 1600 chip (as linux
 tells me... dunno why OpenBSD) but the driver is written for 1610
 chips. Until I can at least use su with my finger I'm not sure I can
 help you.
What does `ls -lR /home/$USER/.fprint/` tell you? Do you have the proper
scanned fingerprints there? Do you have the $USER in the fingerprint class
(if you've followed the README file with login_fingerprint)?

Daniel

--
LÉVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



RadiusClient

2009-04-24 Thread Bruno Galindro da Costa
Hi all

What is the radius client package for OpenBSD? What I need to do is
provide pptpd auth with radius. My Radius Server is a Windows Server 2003.
On Ubuntu and Debian the name of the package is radiusclient, downloadable via
apt-get.

--
Att.
Bruno Galindro da Costa
bruno.galin...@gmail.com
Florianópolis - SC



Re: Upgrade to -current

2009-04-24 Thread Neal Hogan
On Fri, Apr 24, 2009 at 1:50 AM, MANI mm.m...@gmail.com wrote:
 Currently I am using 4.2-stable and I am willing to upgrade to -current
 because of some new features which I need.
 According to the FAQ (http://www.openbsd.org/faq/faq5.html#Bld) I should first
 upgrade to the closest binary, which means upgrade from 4.2 to 4.3 and then to
 4.4 (latest snapshot) and finally fetch & build -current.

 The above process, as you know, will be a highly time-consuming process and I
 would prefer to stick to my current 4.2 rather than going through that. Why not just
 fetch & build -current directly? What is your recommended approach for
 upgrading to -current?

As has already been said, the less tedious way is to go through a
binary upgrade of each version. Check out
http://www.openbsd.org/faq/upgrade44.html for guidance through the
upgrade from 4.3 to 4.4. The other upgrades will be similar. There are
links at the top of the page that will help you through other
upgrades.

-Neal


 thanks,
 Mani
 *





--
www.nealhogan.net  www.lambdaserver.com



Re: autowhitelister for spamd needs testing

2009-04-24 Thread Dan Harnett
On Fri, Apr 24, 2009 at 02:16:57PM +1000, Aaron Mason wrote:
 On Fri, Apr 24, 2009 at 11:01 AM, Dan Harnett dan...@harnett.name wrote:
  On top of that, if VeriSign could be tricked into signing a fake
  Microsoft ActiveX key, can you really trust the authorities?
 
  Are you implying SPF records are validated somewhere and signed by a
  trusted third party?  They're not.  They're provided by the bad guys.  A
  more proper analogy would be that you received an ActiveX control signed
  by The Bad Guys Who Do Bad Things.  They were nice enough to sign it,
  so you accept it.
 
 
 I was implying no such thing.  I was referring to using WHOIS to block
 spammers on the basis of the date the domain was registered.

Then your analogy didn't even make sense.  No one is being tricked.  I
can recycle old domains as well.  You don't get it.

  asfjsakf1359.com TXT v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all
 
 Ok, now that gives us a pointer by which to block fraudulent folk.
 That record means anyone and everyone can send an email using that
 domain name.  A proper SPF record wouldn't have an all-encompassing IP
 range.  In fact, who in the world would have anything more than a /7
 block?

That is a proper SPF record.  So, in addition to filtering e-mail,
you're going to start using complicated filters to screen out SPF
records because you're dumb enough to whitelist everything the spammer
tells you to?  Go for it.  Have fun with that.

 However that alone wouldn't deter any spammer - just limit the range
 to what's accepted and you're in.  And any limit you set will only
 cause more dramas.  Sure you could limit it to /24 and smaller, or
 even to single addresses, but what about those select folk who have
 been assigned /8 classless subnets?  That's a whole lotta SPF records
 for one subdomain.

I gave you the simplest and quickest example that came to mind.  If you
have even half a brain, then you'd realize how trivial it would be to
list single IP addresses.  I can even obfuscate it to the point of
nested 'include:'s to keep the TXT records a decent size.  Spammers have
always been one step ahead.  Anything like auto-whitelisting SPF records
would be picked up rather fast and abused easily if it gained widespread
acceptance.  They don't even need to go as far as my example did.  They
just need to whitelist their own little spam haven, which you'll happily
do.

 No solution is perfect, but a small group of imperfect solutions is a
 far cry better than no solutions at all and our mailboxes being
 inundated with spam.  The problem's here to stay, all we can do is
 deal with it as best we can.

You're auto-whitelisting whatever the spammer tells you to and you think
that is preventing spam?  LOL.  The only hindrance here is the brief
moment greylisting was working until you whitelisted the entire
internet.  I think you still don't get it.
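Before an auto-whitelister acts on a record like the one quoted above, it can at least refuse the degenerate cases; this added check (not part of spamd or of the tool under discussion, with records constructed inline) parses a v=spf1 record and rejects pass-all terms, ip4/ip6 blocks wider than a /24, a/mx terms widened with a CIDR, and include/redirect/exists terms whose breadth cannot be seen without DNS. It does nothing against the objection made in the thread that a spammer simply lists their own hosts, which such a record passes.

```python
import ipaddress
import re

MAX_BLOCK = 256   # widest pass block (a /24) one term may cover before it is refused

_TERM = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)(.*)")


def parse_spf(txt: str) -> list:
    """Split a v=spf1 record into (qualifier, name, argument) triples."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # SPF default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"malformed term: {term}")
        name, rest = m.group(1).lower(), m.group(2)
        arg = rest[1:] if rest[:1] in (":", "=") else rest   # keep '/cidr' on bare a/mx
        parsed.append((qualifier, name, arg))
    return parsed


def assess_for_whitelist(txt: str) -> dict:
    """Return the reasons an auto-whitelister should not trust this record."""
    findings = []
    for qualifier, name, arg in parse_spf(txt):
        passes = qualifier in ("+", "?")     # pass and neutral both get mail accepted
        if name == "all" and passes:
            findings.append(f"{qualifier}all passes every host on the Internet")
        elif name in ("ip4", "ip6") and passes:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"unparseable {name} term: {arg}")
                continue
            if net.num_addresses > MAX_BLOCK:
                findings.append(f"{name}:{arg} passes {net.num_addresses} addresses")
        elif name in ("a", "mx") and "/" in arg and passes:
            prefix = int(arg.split("/")[1])  # a:host/8 widens that host to a /8
            if prefix < 24:
                findings.append(f"{name}:{arg} widens a host address to a /{prefix}")
        elif name in ("include", "redirect", "exists"):
            # Needs DNS, and nested includes can hide any amount of address space.
            findings.append(f"{name}:{arg} cannot be judged without further lookups")
    return {"trusted": not findings, "findings": findings}


if __name__ == "__main__":
    # The record quoted in the thread, and two constructed ones for contrast.
    for record in ("v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all",
                   "v=spf1 ip4:192.0.2.25 ip4:192.0.2.0/26 -all",
                   "v=spf1 include:_spf.example.net mx/16 +all"):
        print(record, "->", assess_for_whitelist(record))
```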



Re: RadiusClient

2009-04-24 Thread Jasper Valentijn
2009/4/24 Bruno Galindro da Costa bruno.galin...@gmail.com:
 Hi all

What is the radius client package for OpenBSD? What I need to do is
 provide pptpd auth with radius. My Radius Server is a Windows Server 2003.
 On Ubuntu and Debian the name of the package is radiusclient, downloadable via
 apt-get.


http://www.openbsd.org/4.4_packages/i386.html

Search for radius...

--
We spend the first twelve months of our children's lives teaching
them to walk and talk and the next twelve telling them to sit down and
shut up.



Re: RadiusClient

2009-04-24 Thread Paul Irofti
On Fri, Apr 24, 2009 at 09:05:32AM -0300, Bruno Galindro da Costa wrote:
 Hi all
 
 What is the radius client package for OpenBSD? What I need to do is
 provide pptpd auth with radius. My Radius Server is a Windows Server 2003.
 On Ubuntu and Debian the name of the package is radiusclient, downloadable via
 apt-get.

$ pkg_info -Q radius



Re: sudo won't work with login_fingerprint

2009-04-24 Thread Nick Guenther
On Fri, Apr 24, 2009 at 7:14 AM, LEVAI Daniel l...@ecentrum.hu wrote:
 On Friday 24 April 2009 12.27.50 you wrote:

 I followed the README too but it told me to add this:
 #
 # The fingerprint login class allows the fingerprint and passwd
 # authentication methods and checks your 7th (right index) finger.
 #

 fingerprint:
 :auth=-fingerprint,passwd:\
 :x-fingerprint=7:\
 :tc=default:

 I've done the same thing except I've added this to the default class, so I
 don't have to change the already made classes (which are
 including auth-defaults).

 and I had to do sudo usermod -L fingerprint $USER to get su $USER
 to start asking me to swipe. Do we maybe have different versions (I
 should probably shyly mention here that I'm on -CURRENT right now)?
 I'm using -current too, but in this case it doesn't matter; the login
classes
 we use are not the same, but that's all.

 Why are we writing -fingerprint instead of fingerprint?
 login.conf(8) is hazy on what this means. It doesn't seem to matter
 especially which is chosen.
 man login.conf:
 Local authentication styles may be added by creating a login script for
 the style (see below).  To prevent collisions with future official BSD
 Authentication style names, all local style names should start with a
 dash (-).

 ^^^ That is why the -fingerprint; also:
 # ls -l /usr/libexec/auth/
 [...]
 login_-fingerprint
 [...]

Ah. login_fingerprint is installed to two places. Under /usr/local/
it's login_fingerprint, which is why I was confused.

 I suspect my problem is a driver issue. I have a 1600 chip (as linux
 tells me... dunno why OpenBSD) but the driver is written for 1610
 chips. Until I can at least use su with my finger I'm not sure I can
 help you.
 What does `ls -lR /home/$USER/.fprint/` tells you? Do you have the proper
 scanned fingerprints there? Do you have the $USER in the fingerprint class
 (if you've followed the README file with login_fingerprint)?


The fingerprint files exist alright. The only thing I thought it might
be is that -CURRENT broke login_fingerprint somehow, but if you're
running the same code it must be the driver.
http://reactivated.net/fprint/wiki/Aes1610 sort of suggests that the
reader isn't great to begin with and if mine's a version off I
wouldn't be surprised it's b0rked.

-Nick



Recipient Validation Design Opinions

2009-04-24 Thread Mario Vega

Hello,

We are putting together an OpenBSD-based border email server to replace 
an aging Linux box.  On the current system, Postfix performs a call 
ahead to two internal boxes for recipient validation.  I'm interested in 
recommendations on how to perform validation with the base sendmail.


The two internal servers use several different domains and accept a 
variety of different name formats.  In addition, some users have one or 
more aliases.  Furthermore, only the primary address is published in 
LDAP.  One server serves approximately 1k users and the other 
approximately 20.


I have been researching milters to perform this task, specifically Eland 
System's scam-backscatter.  Our current average load, though I expect it 
to decrease with the use of spamd, is approximately 270k connections per 
day, 115k of which are rejected as invalid.  Does anyone have experience 
with scam-backscatter or are there other solutions we should be 
investigating?


I'm also interested in opinions on the overall design of the solution 
thus far.  As stated previously, our current system is a Linux box 
running Postfix, amavis, clamav and spamassassin.  Due to the nature of 
the store and scan system, we've noticed a tendency for the system to 
become swamped under heavy load and take several hours to clear out. 
Furthermore, we're quarantining viruses and obvious spam in the 
neighborhood of 89k a day, which I would rather leave at the door.


The OpenBSD system would be running spamd, the base sendmail, 
smtp-vilter, clamav and spamassassin.


To prevent outgoing email from being tagged as spam and to conserve 
resources, I had planned to run sendmail on two different ports.  The 
standard port would handle incoming connections and a second, 
non-standard port, would be restricted with pf for outgoing email.  We 
would then run two instances of smtp-vilter, one which ran spamassassin 
and one which did not.  Use of sendmail's DAEMON_OPTIONS 
InputMailFilters would determine which vilter to run.


In our test environment, using smtpsend, we're seeing approximately 45 
messages/second through smtp-vilter with clamd.  The smtp-vilter 
instance which adds spamassassin is running 5-6 messages/second.


Any recommendations for recipient validation or suggestions on improving 
the system are greatly appreciated.


Thank you,
Mario
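
The call-ahead Mario describes (the border MTA asking the internal server whether a recipient exists before accepting the message) is the part that keeps unknown addresses from being accepted and then bounced. As an added example that is not part of the post and is neither Postfix nor sendmail code, here is the exchange modelled in Python: a stand-in for one internal server that answers RCPT TO from a fixed directory (made-up addresses, including an alias that would not be in LDAP), and a border-side probe that sends EHLO, MAIL FROM:<>, one RCPT TO per candidate and then RSET and QUIT, never DATA. Host names, addresses and the 550 text are constructed for the example.

```python
import smtplib
import socketserver
import threading

# Constructed directory standing in for one internal mail server: primary
# addresses plus an alias that is not published in LDAP (made-up values).
INTERNAL_MAILBOXES = {
    "alice@example.com", "alice.smith@example.com",   # primary + alias
    "bob@example.net",
}


class CallAheadTarget(socketserver.StreamRequestHandler):
    """Minimal stand-in for the internal server: answers RCPT TO from a directory."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 mail.internal.example ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                self.reply("250 mail.internal.example")
            elif cmd == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif cmd == "RCPT":
                # "TO:<user@domain>" -> "user@domain"
                addr = arg.partition(":")[2].strip().strip("<>").lower()
                if addr in self.server.mailboxes:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("550 5.1.1 User unknown")
            elif cmd == "RSET":
                self.reply("250 2.0.0 Ok")
            elif cmd == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def start_target(mailboxes):
    """Run the stand-in server on a random loopback port in a background thread."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), CallAheadTarget)
    server.daemon_threads = True
    server.mailboxes = mailboxes
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def call_ahead(host, port, recipients):
    """Border-side probe: EHLO, MAIL FROM:<>, one RCPT TO per candidate, RSET, QUIT.

    Returns {recipient: accepted}. The null sender marks this as a probe and no
    DATA is ever sent, so the internal server never receives a message."""
    verdicts = {}
    with smtplib.SMTP(host, port, timeout=5) as border:   # __exit__ sends QUIT
        border.ehlo("border.example.com")
        code, _ = border.mail("<>")
        if code != 250:
            raise RuntimeError("internal server refused MAIL FROM:<>")
        for rcpt in recipients:
            code, _ = border.rcpt(rcpt)          # 250 -> exists, 550 -> reject at border
            verdicts[rcpt] = code == 250
        border.rset()
    return verdicts


def demo():
    """Probe three candidates against the stand-in server and return the verdicts."""
    server = start_target(INTERNAL_MAILBOXES)
    try:
        return call_ahead("127.0.0.1", server.server_address[1],
                          ["alice.smith@example.com", "nobody@example.com",
                           "bob@example.net"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for rcpt, ok in demo().items():
        print(f"{rcpt}: {'accept' if ok else 'reject at RCPT time'}")
```

Because the verdict is known while the client's RCPT TO is still pending, the border can return the 550 to the sender itself instead of accepting the message and generating a bounce later, which is the backscatter the milter Mario mentions is meant to avoid.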



Re: Unable to mount CD/DVD-RW drive in OpenBSD 4.4/i386.

2009-04-24 Thread Anon Y. Mous
I have attached a .txt file indicating what #disklabel cd0 returned.



--- On Thu, 4/23/09, minsai0...@yahoo.com minsai0...@yahoo.com wrote:

 From: minsai0...@yahoo.com minsai0...@yahoo.com
 Subject: Unable to mount CD/DVD-RW drive in OpenBSD 4.4/i386.
 To: misc@openbsd.org
 Date: Thursday, April 23, 2009, 12:13 PM
 I am unable to get OpenBSD 4.4/i386
 to see my OptiArc DVD+/-RW AD-5540 drive on a Dell Inspiron
 6400 (E1505) notebook.

 Everything else is functional on this system.

 Neither /dev/cd0a nor /dev/cd0c work as /etc/fstab
 entries.

 The kernel returns: Device not configured.

 I also tried /dev/rcd0[n] (where n = a - p) as an
 /etc/fstab entry and it returned an error stating: Device
 block required.

 Below is an attachment of my dmesg file and /etc/fstab
 table.

 -minsai


  
# /dev/rcd0c:
type: ATAPI
disk: ATAPI CD-ROM
label: fictitious
flags:
bytes/sector: 2048
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 1901
total sectors: 190050
rpm: 300
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

0 partitions:
#size   offset  fstype [fsize bsize  cpg]



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread Stuart Henderson
On 2009-04-24, David Walker davidianwal...@gmail.com wrote:
 From:  Claudio Jeker
 The main encapsulation over ADSL is PPPoE or PPPoA only lately, with the
 spread of IPTV and VDSL, EFM (Ethernet First Mile) is used by some telcos.
 So it totally depends on what your provider is giving you.

 Maybe I didn't explain myself or perhaps I am trying to explain
 something that doesn't make sense.
 I understand there are differing methods of getting the packets from
 the exchange to the premises, etcetera.
 Considering the existing popular method of PPPoE is there more than
 one way to collect those packets at the first adapter after the modem?

 My current scenario:
 DSLAM-PPPoE-Modem-TCP/IP-Router

so with this, the modem is terminating the PPP session, and passing the
address on over DHCP. some router vendors call this half bridge or
dhcp spoofing. I'm not sure if it's still subject to the restriction
of ethernet MTU, but if it is, the modem will usually hide this by
clamping MSS, the same way match scrub (max-mss 1400) or whatever
does.

 The other scenario:
 DSLAM-PPPoE-Modem-PPPoE-Router
 In this case the relevant adapter on the router receives PPPoE
 encapsulated packets from the modem exactly as they are sent from the
 exchange.

that's what I normally do when the ISP and ADSL backhaul support PPPoE;
the modem acts as a dumb bridge and the PPP session is terminated at the
router using pppoe(4). this lets you do things like use IPv6-over-PPP
where supported. (some networks allow you to use either PPPoA or PPPoE
for example the standard ADSL connections in the UK with BT backhaul;
I normally run these as PPPoE unless using them with carp).

 Can someone let me know if I am correct in assuming that if I want
 PPPoE in client mode only that PPPoE(4) is the way to go?

usually.

 Probably a more important question is what, if any, are the advantages
 or disadvantages compared to DHCP? 

with one vendor implementation of this, it saves you from having a huge
bunch of entries in your arp table... otherwise: control over the PPP
session, maybe better logging, maybe access to ipv6 or multicast which
could be a problem with some CPE modem/routers, and it puts most of
the per user settings into the firewall, so it may make it easier
to maintain spare modems/routers for a bunch of lines that you can
just swap-out without reconfiguring. if you need that sort of thing.



Never online on msn?

2009-04-24 Thread manon
  Hi,

   I saw your ad, but when I write to you it bounces with an error? So I'm
trying to reply to your ad again, because the first time I got a message
saying mail delivery failed. Is misc@openbsd.org really your address, and is
it your msn? I added you to my contacts but it doesn't work; in any case
you're never online.

  I wanted to know what kind of encounter you were looking for; we don't
live very far from each other and you're in the age range I'm looking for.
For my part I don't like describing myself in numbers, but I'm registered on
a site where, if you want, you can look at a video capture made with my
webcam and my photos under the nickname manonmatu. I posted this ad on the
site called www.sexorlove.fr (I think it will give you a more precise idea of
what I'm looking for).

  I might as well tell you that I'm looking for an occasional, simple
relationship with no hassle; I want to live. I would just like you not to
judge me too quickly; I'm not what you think. In my video I say I'm looking
for a tall, handsome, rich man; the rich part was a joke, I couldn't care
less, I have a very good job and I have everything I need, I'm not
mercenary... I'll tell you more if you write to me. If you want, leave me a
valid msn if misc@openbsd.org isn't the right one, either on my email or in
my mailbox on the site; it's free in both cases. See you soon maybe; tell me
what you thought of my little video captures. Kisses, Manon









To stop receiving replies directly at your email, or if there is an error and
your email address is not associated with a profile you created yourself, you
can unsubscribe from the mailing list at any time by sending STOP, only from
the email that received this reply (otherwise your request will not be taken
into account), to the following address: ad...@sexorlove.fr, and your email
address will be removed from the mailing list and you will no longer receive
alerts.



Re: rt.fm ftp server dumps core

2009-04-24 Thread Jeff Ross

Paul Irofti wrote:

On Thu, Apr 23, 2009 at 03:37:00PM -0600, Jeff Ross wrote:

Hi,

For a while now I've been getting segmentation faults when I try to 
download snapshots from rt.fm


ftp mget *tgz
mget base45.tgz? all
Prompting off for duration of mget.
local: base45.tgz remote: base45.tgz
150 Opening BINARY mode data connection for 'base45.tgz' (48267043 bytes).
100% |**| 47135 KB00:41
226 Transfer complete.
48267043 bytes received in 41.35 seconds (1.11 MB/s)
local: comp45.tgz remote: comp45.tgz
150 Opening BINARY mode data connection for 'comp45.tgz' (90067409 bytes).
100% |**| 87956 KB01:12
421 Service not available, remote server has closed connection.
Segmentation fault (core dumped)


I'm running a similar command now on pub/OpenBSD/snapshots/i386. Is that
what you're doing? Also, it would've been nice to include a trace from
the core.



Yes, that's what I've been trying to do.

I rm-ed the core file--I thought that there was a problem with the server 
itself but I couldn't find an email contact for the person in charge of the mirror.


Since I posted I've tried another 4 or 5 times and it's been working great.

Jeff



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-24 Thread Felipe Alfaro Solana
On Fri, Apr 24, 2009 at 12:12 PM, openbsder openbs...@gmail.com wrote:

 I am currently interested in setting up a three-legged network topology,
 using OBSD+PF as the firewall appliance. Originally, I was going to simply
 have the firewall equipped with three network cards: one for DMZ, one for
 LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was
 for a switch to be used on both DMZ and LAN, providing NAT on both
 segments.
 Pretty straight forward.

 Recently, it has been suggested that a transparent firewall implementation
 is ideal where possible. But as far as I understand, transparency is only
 available when the firewall acts as a bridge between TWO networks. How
 would
 I keep my DMZ and LAN both while using a bridging firewall. Is it even
 possible?


What do you mean? Whether OpenBSD supports bridging? Whether PF supports
L2-based filtering? Whether you can have two interfaces in a bridge and
have, at the same time, L2-based filtering and L3-based filtering?

By L2-based filtering I mean having the firewall inspect frames/packets from
interfaces that are bridged together that do not have an IP address
configured (i.e. L2-switching).

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: sudo won't work with login_fingerprint

2009-04-24 Thread Todd C. Miller
login_fingerprint only supports login auth; it does not support
challenge/response mode, which is what sudo (and other things) uses.

 - todd



European orders(Sweden) - nohup.se

2009-04-24 Thread Maxim Bourmistrov

Hello misc@,
it has been almost a week since I sent an invoice for OpenBSD 4.5 CD/t-shirt
to nohup.se.
Well, there is no answer so far and the webpage is outdated and
promoting old releases.


Anyone from Sweden has ever successfully ordered anything from this
site lately?

Any other (successful) paths available?

//maxim



T1 card compatible with 4.4

2009-04-24 Thread (private) HKS
I'm looking for a T1 card compatible with 4.4.

There were a fair number of recommendations for Sangoma's a101 a few
years ago, followed by threads describing major problems and Sangoma
yanking support for OpenBSD. What alternatives work decently under
OpenBSD?

-HKS



Re: autowhitelister for spamd needs testing

2009-04-24 Thread Bob Beck
   i think part of the success i experience using SPF as a means to create
   whitelists is in the fact that i maintain the list of domains i fancy
   whitelisting.  unfortunately, it would be trivial for someone to take
   advantage of an spf-based automatic whitelist to slip right on thru
   spamd(8).
 
   it's a pisser.
 

Spam Permitted From is broken as designed. It is most
commonly deployed on throwaway spam domains.  What a surprise!

-Bob



Re: aucat's volume-sharing algorithm

2009-04-24 Thread Thomas Pfaff
On Fri, 24 Apr 2009 11:29:02 -0400
Nick Guenther kou...@gmail.com wrote:
 I'm playing with the new aucat. Or rather, running it, since unlike
 every other soundserver it doesn't require endless tweaking to just
 work. There is one issue I'm having, and I'm not sure if it's on
 purpose or not. Whenever (say) pidgin (or anything else) plays sound
 my music dims in volume. It makes sense the clients have to be turned
 down so two playing at 100% don't blow the speakers, but the trouble
 is the dip in sound is -really obvious-.

I also think the current algorithm is too aggressive; the output
volume is calculated by dividing the maximum volume by the number of
streams (or clients).  While this does guarantee that there will be
no clipping, it means the change in volume is indeed very audible.

Excerpts from /usr/src/usr.bin/aucat/aproc.c:

  n = 0;
  LIST_FOREACH(buf, &p->ibuflist, ient) {
  n++;
  }
  LIST_FOREACH(buf, &p->ibuflist, ient) {
  weight = ADATA_UNIT / n;
  [...]
  buf->mixweight = weight;
  }

Mixing two (or more) streams is not likely to cause any clipping
(sample value out of range) as most samples are not exactly at
peak values all the time.  I don't have a better solution, but I
think something should be done about the current approach; it
just doesn't sound right to me.

I wonder what the other sound daemons do ...
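
As an added example, not aucat's code and not from this thread, the two policies under discussion can be compared numerically: the excerpt's equal-share weight (UNIT / n) against a fixed per-client attenuation in the style of the -v option quoted from aucat(1) earlier in the thread (1..127 mapping onto -42..0 dB, with 12 units per 4 dB; the example takes that mapping to be linear in dB, which is an assumption about the scale). UNIT, the sample rate and the test tones are constructed values for the example. Two full-scale sines mixed at -4 dB each do clip, but only on the small fraction of samples where both are near their peaks, which is Thomas's point.

```python
import math

UNIT = 4096          # fixed-point 1.0 for weights (assumed value; not aucat's ADATA_UNIT)
RATE = 48000         # sample rate of the constructed test signals
FULL_SCALE = 32767   # 16-bit peak


def weight_equal_share(nstreams):
    """The excerpt's rule: every stream gets UNIT / n, so even n full-scale
    streams summed cannot leave the 16-bit range."""
    return UNIT // nstreams


def weight_from_volume(vol):
    """Weight for a -v style setting: 1..127 taken as linear in dB over
    -42..0 dB, i.e. one third of a dB per unit (matches the man page's
    "12 units = 4 dB"; an assumption about the scale, not aucat's code)."""
    if not 1 <= vol <= 127:
        raise ValueError("volume must be between 1 and 127")
    attenuation_db = (127 - vol) / 3.0
    return round(UNIT * 10 ** (-attenuation_db / 20.0))


def mix_and_count_clips(freqs, weight, nsamples=4800):
    """Mix len(freqs) full-scale sine waves, each scaled by weight/UNIT, and
    return how many mixed samples fall outside the 16-bit range."""
    clipped = 0
    for i in range(nsamples):
        acc = 0
        for f in freqs:
            sample = round(FULL_SCALE * math.sin(2 * math.pi * f * i / RATE))
            acc += (sample * weight) // UNIT
        if acc > FULL_SCALE or acc < -FULL_SCALE - 1:
            clipped += 1
    return clipped


def compare(freqs=(440.0, 660.0), vol=115):
    """Clip counts for the same streams under both policies: equal share
    versus a fixed -v setting (115 is the man page's figure for 2 clients)."""
    return {
        "equal_share": mix_and_count_clips(freqs, weight_equal_share(len(freqs))),
        f"volume_{vol}": mix_and_count_clips(freqs, weight_from_volume(vol)),
    }


if __name__ == "__main__":
    for policy, clips in compare().items():
        print(f"{policy}: {clips} of 4800 samples clipped")
```

The equal-share weight halves both streams and never clips; the -4 dB weight leaves each stream at about 63 % and clips on roughly one sample in seven for these two tones, while on ordinary programme material with fewer simultaneous peaks the rate would be lower still.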



Interpreting strange pflog output

2009-04-24 Thread Aner Perez

Hi,

We have an older OpenBSD 3.9 firewall which we will be upgrading to 4.5 and as a part of the upgrade, we will be locking 
down our outgoing connections.  As a first step, we have added some extra rules to log outgoing connections that are not 
specifically allowed by our current rule set.


While monitoring the pflog output, I occasionally see output that looks like 
this:

Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18
Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21
Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.126.0.0: at-#0 15
Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 > 73.229.0.0: at-#0 18
Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 73.229.0.0: at-#0 96
Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 > 73.174.0.0: at-#0 99

What first jumps out at me is the IP addresses which are not part of our network.  The second thing that jumps out is 
the at-#0 18 notation.  What does this mean?  I'm assuming the number at the end is the packet size.  What is the 
at-#0?  Has anybody seen traffic like this?  Should I be worried?


Also, this output comes from tcpdump -n -e -ttt -i pflog0 ifname fxp1.  Is there a way I can see the MAC address on 
these logged connections without doing a tcpdump on the physical interface?


This is on 3.9 GENERIC#617 i386 with pf turned on, NTP server enabled and an 
OpenVPN server running.

- Aner

--
Aner Perez
NCS Technologies, Inc
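
The first check Aner makes by eye, that the logged source addresses are not part of his network, is easy to automate over the tcpdump pflog output. As an added example that is not from the post and not an OpenBSD tool, a small Python parser for this line format that flags packets logged in on the inside interface whose source is not one of the local networks. The sample is constructed from the six lines above (with the direction arrow between the addresses restored) plus one made-up normal TCP connection for contrast; the local network is an assumed value. The tail after the address pair ("at-#0 18" above) is kept verbatim rather than interpreted; it looks like tcpdump's AppleTalk DDP printer output, which is worth checking before treating those dotted quads as IPv4 addresses.

```python
import ipaddress
import re

# Constructed sample modelled on the pflog lines in the post (arrow restored);
# the last line is a made-up ordinary connection from inside the local network.
SAMPLE_PFLOG = """\
Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18
Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21
Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.126.0.0: at-#0 15
Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 > 73.229.0.0: at-#0 18
Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 73.229.0.0: at-#0 96
Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 > 73.174.0.0: at-#0 99
Apr 24 09:50:01.000123 rule 12/(match) pass in on fxp1: 192.168.1.20.49152 > 198.51.100.7.80: S 1:1(0) win 65535
"""

# Networks we expect as sources on the inside interface (assumed for the example).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# "<timestamp> rule <n>/(<reason>) <action> <dir> on <if>: <src> > <dst>: <rest>"
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def split_host_port(token):
    """tcpdump -n prints IPv4 endpoints as a.b.c.d or a.b.c.d.port."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_pflog_line(line):
    """Return a dict of the line's fields, or None if it is not a pflog line."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src"], rec["sport"] = split_host_port(rec["src"])
    rec["dst"], rec["dport"] = split_host_port(rec["dst"])
    return rec


def unexpected_sources(log_text, local_nets=LOCAL_NETS):
    """Records passed in on an interface whose source is not a local address
    (or not a well-formed IP address at all)."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None or rec["dir"] != "in":
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            flagged.append(rec)          # not an IP address: definitely worth a look
            continue
        if not any(src in net for net in local_nets):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in unexpected_sources(SAMPLE_PFLOG):
        print(f"rule {rec['rule']} {rec['ifname']}: {rec['src']} -> {rec['dst']}: {rec['rest']}")
```

Run against the sample, the six AppleTalk-looking lines are reported and the ordinary 192.168.1.20 connection is not; feeding it `tcpdump -n -e -ttt -i pflog0` output as Aner does gives the same split, with the -e link-level fields prepended to each line if that option is kept.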



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread Chris Tankersley
Honestly, I think it is going to depend on your ISP. For example, Embarq 
a few years ago switched their 'Embarq' ISP to using a hybrid DHCP setup:


(Whatever the DSLAM connects to)--PPPoE--DSLAM--DHCP--Modem--DHCP-

So when you set the modem to 'Bridge' whatever was behind it was set to 
DHCP, not PPPoE. PPPoE no longer worked because the DSLAM took care of 
the PPPoE connection, not the modem anymore.


If you were on someone who resold Embarq, then that reseller had to use 
PPPoE so that it routed back to the reseller correctly.


Chris

David Walker wrote:

From:  Claudio Jeker

The main encapsulation over ADSL is PPPoE or PPPoA only lately, with the
spread of IPTV and VDSL, EFM (Ethernet First Mile) is used by some telcos.
So it totally depends on what your provider is giving you.


Hi Claudio.
Maybe I didn't explain myself or perhaps I am trying to explain
something that doesn't make sense.
I understand there are differing methods of getting the packets from
the exchange to the premises, etcetera.
Considering the existing popular method of PPPoE is there more than
one way to collect those packets at the first adapter after the modem?

My current scenario:
DSLAM-PPPoE-Modem-TCP/IP-Router
In this case, the relevant adapter on the router gets an IP address
from the modem's DHCP server. All the PPPoE to IP transactions occur
within the modem.
The hostname.if file on the router:
DHCP none none none

The other scenario:
DSLAM-PPPoE-Modem-PPPoE-Router
In this case the relevant adapter on the router receives PPPoE
encapsulated packets from the modem exactly as they are sent from the
exchange.
The modem does not do any PPPoE to IP conversion.
The hostname.if file on the router merely says up.
There is also an /etc/hostname.pppoe0 file on the router.

This other scenario seems to be the intent of pppoe(4):
 This is often used to connect a router via a DSL modem to an access
 concentrator.  The pppoe interface does not by itself transmit or receive
 frames, but needs an Ethernet interface to do so.  This Ethernet interface
 is connected to the pppoe interface via ifconfig(8).  The Ethernet
 interface needs to be marked UP, but does not need to have an IP address.

So it is quite different from my current scenario - no IP address for a start.

Am I reading all this correctly?

Best wishes.





--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



aucat's volume-sharing algorithm

2009-04-24 Thread Nick Guenther
I'm playing with the new aucat. Or rather, running it, since unlike
every other soundserver it doesn't require endless tweaking to just
work. There is one issue I'm having, and I'm not sure if it's on
purpose or not. Whenever (say) pidgin (or anything else) plays sound
my music dims in volume. It makes sense the clients have to be turned
down so two playing at 100% don't blow the speakers, but the trouble
is the dip in sound is -really obvious-.

I found
 -v volume
 Software volume attenuation of the playback stream.  The value
 must be between 1 and 127, corresponding to -42dB and -0dB
 attenuation.  In server mode, clients inherit this parameter.
 Reducing the volume in advance reduces a client's dynamic range, but
 allows client volume to stay independent from the number of
 clients as long as their number is small enough.  A good compromise
 is to use -4dB attenuation (12 volume units) for each additional
 client expected (115 if 2 clients are expected, 103 for 3
 clients, and so on).
which I interpret as saying that if I run aucat as aucat -l -v 50 it
should predim the volume of any client that connects so that the dip
doesn't happen. If I'm right about that (which I'm not at all sure
that I am) then aucat is behaving badly because I even tried giving
-v 1 and heard no change at all.


OpenBSD 4.5-current (GENERIC.MP) #80: Mon Apr 20 12:59:56 MDT 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 CPU U7600 @ 1.20GHz (GenuineIntel 686-class) 1.20 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem  = 1064202240 (1014MB)
avail mem = 1020690432 (973MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/30/07, BIOS32 rev. 0 @
0xfcb25, SMBIOS rev. 2.4 @ 0xec000 (40 entries)
bios0: vendor TOSHIBA version Version 1.50 date 10/30/2007
bios0: TOSHIBA PORTEGE R500
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT APIC MCFG HPET TCPA SLIC SSDT SSDT
acpi0: wakeup devices USB1(S3) USB3(S3) USB4(S3) EHCI(S3) GLAN(S4)
WLAN(S4) LID_(S4) PWRB(S4) HS87(S4) HS86(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU U7600 @ 1.20GHz (GenuineIntel 686-class) 1.20 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (PCIB)
acpiprt2 at acpi0: bus 1 (PEX1)
acpiprt3 at acpi0: bus 2 (MPEX)
acpitz0 at acpi0: critical temperature 102 degC
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: LID_
acpibat0 at acpi0: BAT1 model G71C00086210 serial 000796 type
Li-ION   oem 0
acpibtn1 at acpi0: PWRB
acpiac0 at acpi0: AC unit offline
acpidock at acpi0 not configured
acpivideo at acpi0 not configured
bios0: ROM list: 0xc/0x1 0xe/0x1!
cpu0: unknown Enhanced SpeedStep CPU, msr 0x060b090e0600090e
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1200 MHz (924 mV): speeds: 1200, 800 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
extent `pciio' (0x0 - 0x), flags=0
 0xaf10 - 0xaf1f
 0xaf24 - 0xaf2f
 0xaf34 - 0xaf9f
 0xafe0 - 0xbfff
 0xcff8 - 0xcfff
extent `pcimem' (0x0 - 0x), flags=0
 0x0 - 0x9
 0xe - 0x3fff
 0xe000 - 0xefff
 0xfec0 - 0xfec17fff
 0xfec2 - 0xfec27fff
 0xfed0 - 0xfed003ff
 0xfed14000 - 0xfed19fff
 0xfed1c000 - 0xfed8
 0xfeda - 0xfedb
 0xfee0 - 0xfee00fff
 0xff60 - 0xff8f
 0xff98 - 0xffbf
 0xffc3b800 - 0x
pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev 0x03
vga1 at pci0 dev 2 function 0 Intel 82945GM Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0 at vga1: apic 1 int 16 (irq 10)
drm0 at inteldrm0
Intel 82945GM Video rev 0x03 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02:
apic 1 int 22 (irq 11)
azalia0: codecs: Realtek ALC262
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02
pci1 at ppb0 bus 1
extent `ppb0 pciio' (0x0 - 0x), flags=0
 0x0 - 0xafff
 0xbfe0 - 0x
extent `ppb0 pcimem' (0x0 - 0x), flags=0
 0x0 - 0xff7f
 0xff8e - 

Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-24 Thread Tyler Mace
Sorry for the confusion. I understand that bridging is possible under
OpenBSD but it's also my understanding that if I have interfaces A, B, and
C, I can bridge A to either B or C, but not both. Is this correct?

Referring to this topology:
http://upload.wikimedia.org/wikipedia/commons/6/6f/DMZ_network_diagram_1_firewall.svg

I would like to use this setup but with bridging on the firewall if at all
possible. Am I able to keep my firewall acting as the choke point between
all three segments (DMZ, LAN, EXT) while using bridges for transparency?
Hope this makes a little more sense.

On Fri, Apr 24, 2009 at 8:49 AM, Felipe Alfaro Solana 
felipe.alf...@gmail.com wrote:

 On Fri, Apr 24, 2009 at 12:12 PM, openbsder openbs...@gmail.com wrote:

  I am currently interested in setting up a three-legged network topology,
  using OBSD+PF as the firewall appliance. Originally, I was going to
 simply
  have the firewall equipped with three network cards: one for DMZ, one for
  LAN, the other for EXT/WAN/Internet (whatever you call this). The idea
 was
  for a switch to be used on both DMZ and LAN, providing NAT on both
  segments.
  Pretty straight forward.
 
  Recently, it has been suggested that a transparent firewall
 implementation
  is ideal where possible. But as far as I understand, transparency is only
  available when the firewall acts as a bridge between TWO networks. How
  would
  I keep my DMZ and LAN both while using a bridging firewall. Is it even
  possible?


 What do you mean? Whether OpenBSD supports bridging? Whether PF supports
 L2-based filtering? Whether you can have two interfaces in a bridge and
 have, at the same time, L2-based filtering and L3-based filtering?

 By L2-based filtering I mean having the firewall inspect frames/packets
 from
 interfaces that are bridged together that do not have an IP address
 configured (i.e. L2-switching).

 --
 http://www.felipe-alfaro.org/blog/disclaimer/



Re: Upgrade to -current

2009-04-24 Thread MANI
Toma: It depends where you use OpenBSD (desktop or server)
Actually the system is a desktop on my laptop, but I am highly dependent on
it for my programming work.

michael / Neal: You should try and search the archives for that, it is
answered thoroughly a couple of times.
Actually I read all of the FAQs (and searched the archives) about this and I
know what the recommended approach is, but that's so time consuming and I
was looking for a shortcut to that!


michael: Recommends: exercise, eat healthy, reboot once in a while, and
upgrade regularly :)
I agree with all of that except upgrading regularly! I only upgrade or
patch if there is a security patch or a highly needed feature; that's all
about OpenBSD's approach to life IMHO! :)


Jan: Which new features are these and why do you need -current for
that?
Actually I am pretty happy with 4.2 but every now and then I have some
problems because of being out of date (e.g. daylight saving time). About new
features, I especially like the ifconfig access point scanning capabilities,
which are quite important for me, and having access to the latest ports
collection, because some ports I need are not available on 4.2.


Lammert: A far better approach would be to backup the current machine,
do a fresh install of 4.5 [from the CDs you pre-ordered], and then restore
any needed files. Moving from 4.5 to -current should be much simpler
But then I have to install OpenOffice, eclipse, netbeans, firefox and all
other ports from scratch, right?


LEVAI: Upgrading thru the binary releases is not that tedious
I hope that's the case, because my guess is I have to go along with the
upgrade guidance and upgrade 4.2 > 4.3 > 4.4 and finally 4.5.

Thanks for the help guys.



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread David Walker
From:  Stuart Henderson
 with one vendor implementation of this, it saves you from having a huge
 bunch of entries in your arp table... otherwise: control over the PPP
 session, maybe better logging, maybe access to ipv6 or multicast which
 could be a problem with some CPE modem/routers, and it puts most of
 the per user settings into the firewall, so it may make it easier
 to maintain spare modems/routers for a bunch of lines that you can
 just swap-out without reconfiguring. if you need that sort of thing.

Thanks for answering all my questions.

That's pretty much the implication of the man pages except for the IP6
which I haven't bumped into yet. :]
My ISP is the first in Oz to implement dual stack and the only one so far.
Of course that's neither here nor there as there are no domestic grade
modems or routers that do native yet anyway. Everyone is tunneling in
except for big business.
It's all a crying shame really - RFC @ 1998 (year).
Still if I can do IP6 from my router straight to PPPoE ...
I will have to read some more on encapsulation.

From:  Chris Tankersley
 Honestly, I think it is going to depend on your ISP.

Fortunately my ISP is very geek oriented. There would be nerds in
their office tipping keyboards upside down and breaking pencils if
they ever did this:

 So when you set the modem to 'Bridge' whatever was behind it was set to DHCP, 
  not PPPoE. PPPoE no longer worked because the DSLAM took care of the  
 PPPoE connection, not the modem anymore.

After we got over the initial shock we might wonder if it really matters.
I don't expect it does. Presumably this is what happens when people do
that last mile as gigabit.
http://www.internode.on.net/business/internet/corporate_internet/internode_ethernet/

Still, we are going FTTP here. Starts next year. So I expect to be
running 100Mbps by around 2020. Right when native IP6 kicks in. :]
http://www.pm.gov.au/media/Release/2009/media_release_0903.cfm

Thanks fellers. That's plenty of food for thought.

Best wishes.



Re: Can't install OpenOffice3 - pkg_add and make install fail on 4.5 -current

2009-04-24 Thread Tomáš Bodžár
Hmmm,

I upgraded to the 23.4. snapshot and all dependencies are installed
now, but I still can't make OpenOffice3.
Does anyone have the same problem?

Checking DLL ../unxobsd.pro/lib/check_libuno_sal.so.3
.../usr/obj/ports/openoffice-3.0.1/OOO300_m15/solver/300/unxobsd.pro/bin/checkdll:../unxobsd.pro/lib/check_libuno_sal.so.3:
undefined symbol '__gxx_personality_v0'
: ERROR: Cannot load specified object
dmake:  Error code 1, while making '../unxobsd.pro/lib/libuno_sal.so.3'

And the error for pkg_add is still the same:

Can't install openoffice-3.0.1p3: lib not found ICE.8.1

Don't know how to resolve this, because I upgraded to the current snapshot
this morning and all other dependencies
are installed on the system through ports after make install in
/usr/ports/editors/openoffice3

On 22 April 2009 15:31 Tomáš Bodžár tomas.bod...@gmail.com wrote:
 I found another mirror for this file. The mirror which is in the list for this
 package is somewhat broken for me.

 On 22 April 2009 15:16 Tomáš Bodžár tomas.bod...@gmail.com wrote:
 Can't get it through curl either. It stops at the same place every time

 $ curl --retry 10 -o /usr/distfiles/xalan-j_2_7_0-bin.tar.gz
http://archive.ap
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
  36 12.8M   36 4808k    0     0  57667      0  0:03:54  0:01:25  0:02:29 60439
 curl: (18) transfer closed with 8593310 bytes remaining to read
 $ curl -v --retry 10 -o /usr/distfiles/xalan-j_2_7_0-bin.tar.gz
http://archive
 * About to connect() to archive.apache.org port 80 (#0)
 * B  Trying 140.211.11.130... connected
 * Connected to archive.apache.org (140.211.11.130) port 80 (#0)
 GET /dist/xml/xalan-j/xalan-j_2_7_0-bin.tar.gz HTTP/1.1
 User-Agent: curl/7.19.4 (i386-unknown-openbsd4.5) libcurl/7.19.4 OpenSSL/0.9.8k zlib/1.2.3 libidn/1.11
 Host: archive.apache.org
 Accept: */*

 B % Total B  B % Received % Xferd B Average Speed B  Time B  B Time B  B 
Time B Current
 B  B  B  B  B  B  B  B  B  B  B  B  B  B  B  B  Dload B Upload B  Total B 
Spent B  B Left B Speed
 B 0 B  B  0 B  B 0 B  B  0 B  B 0 B  B  0 B  B  B 0 B  B  B 0 --:--:--
--:--:-- --:--:-- B  B  0
 HTTP/1.1 200 OK
  Date: Wed, 22 Apr 2009 13:12:08 GMT
  Server: Apache/2.2.9 (Unix)
  Last-Modified: Mon, 08 Aug 2005 04:26:02 GMT
  ETag: 9a24e2-ce3f9e-3fdcb71f1ea80
  Accept-Ranges: bytes
  Content-Length: 13516702
  Content-Type: application/x-tar
 
 { [data not shown]
 B 36 12.8M B  36 4765k B  B 0 B  B  0 B 57153 B  B  B 0 B 0:03:56 B 0:01:25
B 0:02:31 44244*
 transfer closed with 8593310 bytes remaining to read
 B 36 12.8M B  36 4808k B  B 0 B  B  0 B 57250 B  B  B 0 B 0:03:56 B 0:01:25
B 0:02:31 50560*
 Closing connection #0

 curl: (18) transfer closed with 8593310 bytes remaining to read
 $

 2009/4/22 Jacob Meuser jake...@sdf.lonestar.org:
 On Wed, Apr 22, 2009 at 01:05:59PM +0200, Tomáš Bodžár wrote:

  (SHA256) xalan-j_2_7_0-bin.tar.gz: FAILED
  Checksum mismatch for xalan-j_2_7_0-bin.tar.gz. (sha256)
 Make sure the Makefile and checksum file
(/usr/ports/devel/jdk/1.5/distinfo)
 are up to date.  If you want to fetch a good copy of this
 file from the OpenBSD main archive, type
 make REFETCH=true [other args].
 *** Error code 1

 make sure you're getting the whole file by checking that the size
 matches what's expected (in the distinfo file).  iirc, I had to use
 wget to fetch that or else I'd end up with a short file.

 --
 jake...@sdf.lonestar.org
 SDF Public Access UNIX System - http://sdf.lonestar.org





 --
 http://www.openbsd.org/lyrics.html




 --
 http://www.openbsd.org/lyrics.html




--
http://www.openbsd.org/lyrics.html



Re: RadiusClient

2009-04-24 Thread Bruno Galindro da Costa
Hi,

# pkg_info -Q radius
freeradius-2.0.5
freeradius-iodbc-2.0.5
freeradius-ldap-2.0.5
freeradius-mysql-2.0.5
freeradius-pgsql-2.0.5
mod_auth_radius-1.5.7p4
p5-Authen-Radius-0.05p1
p5-Net-Radius-1.56
radiusd-cistron-1.6.7p1
radiusd-lucent-2.1p8
radiusniff-0.2
radiusreport-0.3b6p0

Can I use freeradius-2.0.5 to do what I want? Does this package contain the
radius client?

Thanks

2009/4/24 Paul Irofti bulib...@sdf.lonestar.org

 On Fri, Apr 24, 2009 at 09:05:32AM -0300, Bruno Galindro da Costa wrote:
  Hi all
 
  What is the radius client package for OpenBSD? What I need to do is
  provide pptpd auth with radius. My Radius Server is a Windows Server
 2003.
  On Ubuntu and Debian the name of the package is radiusclient, downloadable via
  apt-get.

 $ pkg_info -Q radius




--
Att.
Bruno Galindro da Costa
bruno.galin...@gmail.com
Florianópolis - SC



Re: Yahoo videos on OpenBSD

2009-04-24 Thread Tomáš Bodžár
It works really great. Thanks for the tip.
Why do I have gnash :-)

2009/4/20 Matthew Szudzik mszud...@andrew.cmu.edu:
 On Mon, Apr 20, 2009 at 07:46:42PM +0200, Tomáš Bodžár wrote:
 someone is watching Yahoo videos on OpenBSD?

 I use
  http://keepvid.com
 to download the video, then play it with mplayer.





--
http://www.openbsd.org/lyrics.html



ftp-proxy IPSEC clients?

2009-04-24 Thread Cameron Schaus

Hello Misc,

I have an OpenBSD 4.4 firewall with some clients connecting via IPSEC.  
Some clients have flows established to servers not on the local LAN, and 
these clients are natted through the internet interface to access these 
servers.  It's a bit convoluted, but things work, except of course for ftp.


I configured the ftp-proxy for clients on the local lan and openvpn 
clients (tun0), but I cannot appear to use ftp-proxy with IPSEC clients 
(enc0).


I want to use a line such as:
rdr on enc0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

When this is in place, IPSEC clients cannot even connect to the ftp 
server.  I suspect there are some problems with this approach, since the 
man pages show matching with ipencap, but you can't do tcp port 
redirects with only ip encapsulated matching.


I am at a bit of a loss here, and I'm wondering if there's anything I 
can do to proxy the IPSEC ftp traffic, or if there are any other options 
I have at this point.


Thanks,
Cam



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread David Walker
Konnichiwa.

That is too easy.
Took me all of two minutes to bridge my modem - RFC2684 BRIDGING
instead of PPPoE BRIDGING - and do the /etc file changes.
Happy as Larry (possibly happier) using pppoe(4).

All I need to work out is hostname.pppoe0 INET6 wildcards. Especially
what to export as the route.
Any pointers on that eligible for smilies. :]

Still I have a static IP, I'm sure I can plug that in.

Best wishes.



Re: ftp-proxy IPSEC clients?

2009-04-24 Thread Matthew Dempsky
On Fri, Apr 24, 2009 at 12:17 PM, Cameron Schaus c...@schaus.ca wrote:
 I have an OpenBSD 4.4 firewall with some clients connecting via IPSEC.
 Some
 clients have flows established to servers not on the local LAN, and these
 clients are natted through the internet interface to access these servers.
  It's a bit convoluted, but things work, except of course for ftp.

The IPsec flow is between the FTP client and the FTP server?  Then by
design, any intermediary will not be able to eavesdrop or alter
packets in transit.

 I am at a bit of a loss here, and I'm wondering if there's anything I can
do
 to proxy the IPSEC ftp traffic, or if there are any other options I have at
 this point.

If you're okay with allowing arbitrary outgoing TCP connections and
can live with only allowing clients to use passive FTP (I believe the
default nowadays), then you shouldn't need ftp-proxy at all.



[ot] Re: sudo won't work with login_fingerprint

2009-04-24 Thread Matthias Kilian
On Fri, Apr 24, 2009 at 03:28:34AM -0400, Nick Guenther wrote:
 omg we have finger print reader support??? !

yes, and it's really cool, since i've some quite sharp knives.

(scnr)



E220 as 3G Internet Access

2009-04-24 Thread don cipo
Unfortunately you can't use OpenBSD yet to connect to Vodafone's 3G internet
mobile even if there is already a Huawei E220 shiny new driver. That is
because OBSD has an archaic pppd implementation (ver. 2.3.5) which lacks some
important parameters like usepeerdns, noipv6, etc. Ask the developers to
update pppd to the latest version 2.4.4 so we can all enjoy our favorite OS with
Vodafone's 3G. Cheers !



Re: question about net.inet.carp.preempt

2009-04-24 Thread (private) HKS
On Fri, Apr 24, 2009 at 3:32 AM, Imre Oolberg i...@auul.pri.ee wrote:
 Hallo!

 Thanks for the reply! I am also aware that one popular use of
 net.inet.carp.preempt is to control how the computer system as a whole
 reacts to errors like one physical interface goes dead.

 'man carp' says about net.inet.carp.preempt:

 Allow virtual hosts to preempt each other. It is also used to failover carp
 interfaces as a group.  When the option is enabled and one of the carp
 enabled physical interfaces goes down, advskew is changed to 240 on all carp
 interfaces.  See also the first example. Disabled by default.

 What I was interested in mainly this time is the so to say practical meaning
 of the first sentence, in case how a pair of carp interfaces in a carp group
 behave while .carp.preempt is not set or is set.

 I decided to dig a little bit deeper because sometimes I can't predict events
 when I add another vlan and carp interface to the running system (master for
 that particular carp device appears on the wrong side etc). It could be
 easily said to me that if you are so interested use the source but I am
 sorry the source is not much help for me, I am more about just a user.


 Imre


Manual failover is simplified:

node1 is master with advskew 0 and node2 is backup with advskew 100

Without carp.preempt, you have to take the master down or (I haven't
tested this) increase its demotion counter. With carp.preempt, you
can just change its advskew to 150 and watch node2 take over.

-HKS
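As an added illustration of the two failover paths described in this thread (not part of the original posts), a small Python model of CARP election along the lines of carp(4): each node advertises every advbase + advskew/256 seconds, the shortest interval wins, and the per-node preempt flag decides whether a backup may displace a master that is still advertising. The three-period master-down timeout is a simplification of the kernel's timer, assumed here for illustration.

```python
"""Toy model of CARP master election (constructed example, not the
kernel code).  A master advertises every ADVBASE + advskew/256 seconds;
a backup becomes master when the master falls silent, or, with
net.inet.carp.preempt enabled, as soon as its own interval is shorter
than the one the master advertises."""
from dataclasses import dataclass

ADVBASE = 1.0            # seconds; the carp(4) default advbase
MASTER_DOWN_PERIODS = 3  # simplification: master presumed dead after 3 silent periods


@dataclass
class CarpNode:
    name: str
    advskew: int
    preempt: bool          # this node's net.inet.carp.preempt setting
    state: str = "BACKUP"
    missed: int = 0        # advertisement periods with no master heard

    def adv_interval(self) -> float:
        return ADVBASE + self.advskew / 256.0

    def hear_advertisement(self, peer_interval: float) -> None:
        """React to an advertisement from a peer that claims MASTER."""
        self.missed = 0
        if self.state == "BACKUP":
            # Without preempt a backup never displaces a live master,
            # however bad the master's advskew.  With preempt it takes
            # over as soon as its own interval is the shorter one.
            if self.preempt and self.adv_interval() < peer_interval:
                self.state = "MASTER"
        elif peer_interval < self.adv_interval():
            # Two masters on the wire: the slower advertiser steps down.
            self.state = "BACKUP"

    def period_without_master(self) -> None:
        """An advertisement period elapsed and no master was heard."""
        self.missed += 1
        if self.state == "BACKUP" and self.missed >= MASTER_DOWN_PERIODS:
            self.state = "MASTER"


def run_period(nodes):
    """One advertisement period: every master advertises to the others."""
    masters = [n for n in nodes if n.state == "MASTER"]
    for m in masters:
        for n in nodes:
            if n is not m:
                n.hear_advertisement(m.adv_interval())
    if not masters:
        for n in nodes:
            n.period_without_master()


def current_masters(nodes):
    return [n.name for n in nodes if n.state == "MASTER"]


def failover_by_advskew(preempt: bool):
    """node1 (advskew 0) is master, node2 (advskew 100) is backup; then
    node1's advskew is raised to 150 as in the post above."""
    node1 = CarpNode("node1", 0, preempt, state="MASTER")
    node2 = CarpNode("node2", 100, preempt)
    run_period([node1, node2])           # steady state
    node1.advskew = 150                  # e.g. ifconfig carpN advskew 150
    for _ in range(2):
        run_period([node1, node2])
    return current_masters([node1, node2])


def failover_by_master_down():
    """Without preempt the only way over is for node1 to stop advertising."""
    node1 = CarpNode("node1", 0, False, state="MASTER")
    node2 = CarpNode("node2", 100, False)
    run_period([node1, node2])
    history = []
    for _ in range(MASTER_DOWN_PERIODS):
        run_period([node2])              # node1 is gone: only silence
        history.append(node2.state)
    return history


if __name__ == "__main__":
    print("preempt=0, advskew 0->150:", failover_by_advskew(False))  # ['node1']
    print("preempt=1, advskew 0->150:", failover_by_advskew(True))   # ['node2']
    print("preempt=0, node1 dies:", failover_by_master_down())       # [..., 'MASTER']
```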



Re: ftp-proxy IPSEC clients?

2009-04-24 Thread Cameron Schaus

Matthew Dempsky wrote:

The IPsec flow is between the FTP client and the FTP server?  Then by
design, any intermediary will not be able to eavesdrop or alter
packets in transit.
  
The IPSec flow is between the FTP Client and a LAN, and the packets are 
then NAT'd to the internet and sent to the FTP server.  I want to put an 
IPSEC link between the LAN and the FTP server, but I can't get this in 
place yet.  If I could get this link setup, then there is no issue with 
the ftp, since there won't be any NAT taking place.



If you're okay with allowing arbitrary outgoing TCP connections and
can live with only allowing clients to use passive FTP (I believe the
default nowadays), then you shouldn't need ftp-proxy at all.
  
This is correct, passive ftp does work.  Active doesn't work because the 
client puts their IP address into the PORT command, and the server can't 
connect back to this address.  Unfortunately for me their custom 
application cannot use passive ftp.


Cam



svnd is incredible slow... somebody else notice that?

2009-04-24 Thread sebastian . rother
I have noticed for a while now that SVND is incredibly slow with respect to WRITE
SPEED. Also I do see a lot of biowait with top related to newfs for
example.


vnconfig -cK  -S saltfile /dev/sd0d /dev/svnd1c
disklabel -E svnd1
- a a
- r
- w
- q
newfs /dev/rsvnd1a

If you've several hundred GBs that's gonna take a long time.
Also you can not restore a backup quickly because of the uber-poor write
performance (it feels like being slower than PIO 3..).

On the other hand softraid can not handle partitions.
At least it wont do it...

bioctl -c C -l /dev/sd0d softraid0

Heyho invalid metadata format..

So what other choices does an OpenBSD user have to encrypt a HDD?
Also: Did nobody else notice that? Don't others use these functions? :-)

And as a side note to softraid:
Also it might be clever to add MORE than 1 softraid device.
Some people might have more than 1 HDD... :-)

Kind regards,
Sebastian



Re: Interpreting strange pflog output

2009-04-24 Thread Philip Guenther
On Fri, Apr 24, 2009 at 7:53 AM, Aner Perez a...@ncstech.com wrote:
...
 While monitoring the pflog output, I occasionally see output that looks
like
 this:

 Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18
 Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21
...
 What first jumps out at me is the IP addresses which are not part of our
 network.  The second thing that jumps out is the at-#0 18 notation.  What
 does this mean?  I'm assuming the number at the end is the packet size.
  What is the at-#0?  Has anybody seen traffic like this?  Should I be
 worried?

Those are Appletalk (Ethertalk) packets.  107.6.96.0 and such are
Appletalk phase II addresses (with DDP protocol) and *not* IP
addresses.  Seems you have old Macs or Apple hardware on your net
still doing the old stuff...


Philip Guenther



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread Stuart Henderson
On 2009-04-24, David Walker davidianwal...@gmail.com wrote:
 Konnichiwa.

 That is too easy.
 Took me all of two minutes to bridge my modem - RFC2684 BRIDGING
 instead of PPPoE BRIDGING - and do the /etc file changes.
 Happy as Larry (possibly happier) using pppoe(4).

 All I need to work out is hostname.pppoe0 INET6 wildcards. Especially
 what to export as the route.
 Any pointers on that eligible for smilies. :]

 Still I have a static IP, I'm sure I can plug that in.

 Best wishes.



I just added the address assigned to me into hostname.pppoe0:

inet6 2001:4b10:1002:ff::1 64
!/sbin/route add -inet6 default 2001:4b10:1002:ff::1

I think you're supposed to do rtsol, but we don't support that on a
device configured as a router. There is afaik no IPv6 address discovery
mechanism done by PPP.

You might have some fun with fragmentation, scrub max-mss is your
friend. Sometimes.



Re: svnd is incredible slow... somebody else notice that?

2009-04-24 Thread Jonathan Thornburg
sebastian.rother () jpberlin ! de wrote
 I have noticed for a while now that SVND is incredibly slow with respect to WRITE
 SPEED. Also I do see a lot of biowait with top related to newfs for
 example.
 
 
 vnconfig -cK  -S saltfile /dev/sd0d /dev/svnd1c
 disklabel -E svnd1
 - a a
 - r
 - w
 - q
 newfs /dev/rsvnd1a

There is certainly some slowdown for the encryption and extra filesystem
overhead, but you can minimize it by making both filesystems (the upper
one that sees plaintext, and the lower one that provides the underlying
storage) ffs/ffs2 mounted softdep.  softdep gives a *big* speedup on
writes!  Mounting with noatime as well may also help things a bit.

I have been running laptops (Lenovo Thinkpad T42) with /home mounted
this way for 6 months or so, and in ordinary use I don't notice any
particular slowdown relative to my previous laptop system.  (Though
I haven't made any quantitative tests.)

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] 
jth...@astro.indiana-zebra.edu
   Dept of Astronomy, Indiana University, Bloomington, Indiana, USA
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam



Re: E220 as 3G Internet Access

2009-04-24 Thread Fred Crowson
On 4/24/09, don cipo donc...@elmed.pub.ro wrote:
 Unfortunately you can't use OpenBSD yet to connect to Vodafone's 3G internet
 mobile even if there is already a Huawei E220 shiny new driver. That is
 because OBSD has an archaic pppd implementation (ver. 2.3.5) which lacks some
 important parameters like usepeerdns, noipv6, etc. Ask the developers to
 update pppd to the latest version 2.4.4 so we can all enjoy our favorite OS with
 Vodafone's 3G. Cheers !


Where's your evidence? I'm not convinced you're right [1]. Error messages
and configuration files that caused the failure might help get the
issue fixed - if there is one.

Fred

[1] http://marc.info/?l=openbsd-miscw=2r=1s=E220q=b
--
http://www.crowsons.com/puters/E169.htm



Re: svnd is incredible slow... somebody else notice that?

2009-04-24 Thread Ted Unangst
On Fri, Apr 24, 2009 at 6:12 PM,  sebastian.rot...@jpberlin.de wrote:
 If you've several hundred GBs that's gonna take a long time.
 Also you can not restore a backup quickly because of the uber-poor write
 performance (it feels like being slower than PIO 3..).

crypto is slow.  what else is new?

 So what other choices does a OpenBSD user have to encrypt a HDD?
 Also: Did nobody else notice that? Don't others use these functions? :-)

Has nobody noticed that in the history of disk encryption with
openbsd, the features have never been developed by people with a
pressing need for the feature?  And that the people who seem to need
the feature have contributed nothing but whining?

 And as a side note to softraid:
 Also it might be clever to add MORE then 1 softraid device.
 Some people might have more then 1 HDD... :-)

So what if they do?



Re: RadiusClient

2009-04-24 Thread Stuart Henderson
On 2009-04-24, Bruno Galindro da Costa bruno.galin...@gmail.com wrote:
 # pkg_info -Q radius
 freeradius-2.0.5
 freeradius-iodbc-2.0.5
 freeradius-ldap-2.0.5
 freeradius-mysql-2.0.5
 freeradius-pgsql-2.0.5
 mod_auth_radius-1.5.7p4
 p5-Authen-Radius-0.05p1
 p5-Net-Radius-1.56
 radiusd-cistron-1.6.7p1
 radiusd-lucent-2.1p8
 radiusniff-0.2
 radiusreport-0.3b6p0

 Can I use freeradius-2.0.5 to do wath I want? This package contains the
 radius client?

no, that's a server. I've got a work-in-progress port of freeradius-client,
but it's not ready for public consumption yet.



DCBSDCon 2009 Videos

2009-04-24 Thread Jason Dixon
As announced on Undeadly, the speaker videos for DCBSDCon 2009 are now
available on YouTube and the conference website.

http://undeadly.org/cgi?action=articlesid=20090424204748
http://www.youtube.com/profile?user=bsdconferencesview=videosquery=dcbsdcon
http://www.dcbsdcon.org/speakers/videos/

Will Backman (bsdtalk) has also posted audio from the conference.

http://cisx1.uma.maine.edu/~wbackman/bsdtalk/DCBSDCon2009/

I'd like to also express my gratitude to Todd Fries (todd@) for his
assistance with encoding videos in OpenBSD.  Needless to say I won't be
doing any more multimedia work in OS X.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: svnd is incredible slow... somebody else notice that?

2009-04-24 Thread Marco Peereboom
You are right about how awful all this stuff is. Man it seems like you  
should use an os that suits your goals a little better. I have heard  
that Linux offers awesome performance.


On Apr 24, 2009, at 17:12, sebastian.rot...@jpberlin.de wrote:

I have noticed for a while now that SVND is incredibly slow with respect to
WRITE SPEED. Also I do see a lot of biowait with top related to newfs for
example.


vnconfig -cK  -S saltfile /dev/sd0d /dev/svnd1c
disklabel -E svnd1
- a a
- r
- w
- q
newfs /dev/rsvnd1a

If you've several hundred GBs that's gonna take a long time.
Also you can not restore a backup quickly because of the uber-poor write
performance (it feels like being slower than PIO 3..).

On the other hand softraid can not handle partitions.
At least it wont do it...

bioctl -c C -l /dev/sd0d softraid0

Heyho invalid metadata format..

So what other choices does an OpenBSD user have to encrypt a HDD?
Also: Did nobody else notice that? Don't others use these functions? :-)


And as a side note to softraid:
Also it might be clever to add MORE than 1 softraid device.
Some people might have more than 1 HDD... :-)

Kind regards,
Sebastian




Re: [Way OT] Roadtrip...

2009-04-24 Thread Diana Eichert

On Fri, 24 Apr 2009, Nick Bender wrote:


Apologies to most people who won't give a shit but I'm finally moving
to New Mexico and am posting updates at http://nbender.com more
or less daily as we make our way across the country.

Regards,
-N


OMG!!!  You're moving to New Mexico, Osta no less.  Next thing I know
you'll be spouting crazy things about hearing some hum.

diana



How to disable output to speakers if I use headphones on azalia?

2009-04-24 Thread Tomáš Bodžár
Hi all,

does someone know how to disable sound output to the speakers if I use headphones?
I have sound from both sources and if I raise outputs.master both sources get
louder, which is bad if I'm at work. I can't find a useful switch in
mixerctl -v and
Google doesn't help yet

$ mixerctl -v
outputs.hp_source=dac  [ dac dac2 mix2 ]
outputs.hp_boost=off  [ off on ]
outputs.mic_dir=input-vr80  [ none input input-vr0 input-vr50 input-vr80 ]
outputs.spkr_source=dac  [ dac dac2 mix2 ]
outputs.mic2_dir=input-vr80  [ none input input-vr0 input-vr50 input-vr80 ]
outputs.line_source=dac  [ dac dac2 mix2 ]
inputs.dac_mute=off  [ off on ]
inputs.dac=140,140
inputs.dac2_mute=off  [ off on ]
inputs.dac2=126,126
inputs.sel_source=dac  [ dac dac2 mix2 ]
inputs.mix2_source=dac,dac2,sel2,sel3  { dac dac2 sel2 sel3 }
inputs.mix2_dac=120,120
inputs.mix2_dac2=120,120
inputs.mix2_sel2=120,120
inputs.mix2_sel3=120,120
inputs.sel2_source=mic  [ mic mic2 ]
outputs.sel2=85,85
inputs.sel3_source=mic  [ mic mic2 ]
outputs.sel3=85,85
record.adc_source=sel2  [ sel2 mix2 mic3 ]
record.adc_mute=off  [ off on ]
record.adc=119,119
record.adc2_source=sel3  [ sel3 mix2 mic3 ]
record.adc2_mute=off  [ off on ]
record.adc2=119,119
inputs.beep_mute=off  [ off on ]
inputs.beep=85
outputs.hp_sense=plugged  [ unplugged plugged ]
outputs.mic_sense=unplugged  [ unplugged plugged ]
outputs.mic2_sense=unplugged  [ unplugged plugged ]
outputs.line_sense=unplugged  [ unplugged plugged ]
outputs.master=140,140
outputs.master.mute=off  [ off on ]
outputs.master.slaves=dac  { dac dac2 mic3 sel2 sel3 beep }
record.volume=119,119
record.volume.mute=off  [ off on ]
record.volume.slaves=adc,adc2  { adc adc2 }
$

$ audioctl
name=HD-Audio
version=1.0
config=azalia0
encodings=slinear_le:16,slinear_le:20,slinear_le:24
properties=full_duplex,independent
full_duplex=0
fullduplex=0
blocksize=17536
hiwat=2
lowat=1
output_muted=0
monitor_gain=0
mode=
play.rate=44100
play.channels=2
play.precision=16
play.encoding=slinear_le
play.gain=140
play.balance=32
play.port=0x0
play.avail_ports=0x0
play.seek=0
play.samples=0
play.eof=0
play.pause=0
play.error=0
play.waiting=0
play.open=0
play.active=0
play.buffer_size=65536
play.block_size=17536
play.errors=0
record.rate=48000
record.channels=2
record.precision=16
record.encoding=slinear_le
record.gain=119
record.balance=32
record.port=0x0
record.avail_ports=0x0
record.seek=0
record.samples=0
record.eof=0
record.pause=0
record.error=0
record.waiting=0
record.open=0
record.active=0
record.buffer_size=65536
record.block_size=9600
record.errors=0
$


$ dmesg | grep azalia
azalia0 at pci0 dev 27 function 0 "Intel 82801I HD Audio" rev 0x03: apic 2 int 21 (irq 11)
azalia0: codecs: IDT 92HD71B7, Intel/0x2802, using IDT 92HD71B7
audio0 at azalia0
$

-- 
http://www.openbsd.org/lyrics.html



Re: How to disable output to speakers if I use headphones on azalia?

2009-04-24 Thread Jacob Meuser
On Sat, Apr 25, 2009 at 05:59:29AM +0200, Tomáš Bodžár wrote:
 Hi all,
 
 does someone know how to disable sound output to the speakers if I use headphones?
 I have sound from both sources and if I raise outputs.master both sources get
 louder, which is bad if I'm at work. I can't find a useful switch in
 mixerctl -v and
 Google doesn't help yet
 
 $ mixerctl -v
 outputs.hp_source=dac  [ dac dac2 mix2 ]

 outputs.spkr_source=dac  [ dac dac2 mix2 ]

 inputs.dac_mute=off  [ off on ]

 inputs.dac2_mute=off  [ off on ]

 outputs.master.slaves=dac  { dac dac2 mic3 sel2 sel3 beep }

$ mixerctl outputs.spkr=dac2
$ mixerctl outputs.dac2_mute=on

the second command probably isn't really needed.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: How to disable output to speakers if I use headphones on azalia?

2009-04-24 Thread Tomáš Bodžár
Great. The second command is not needed.
Those shortcuts are still somewhat cryptic :-) I wasn't sure about it.

Are they described somewhere in man? They aren't described in
mixerctl(1), audio(4) or audio(9). Or I can't see them in the format of
mixerctl output

2009/4/25 Jacob Meuser jake...@sdf.lonestar.org:
 On Sat, Apr 25, 2009 at 05:59:29AM +0200, Tomáš Bodžár wrote:
 Hi all,

 does someone know how to disable sound output to the speakers if I use headphones?
 I have sound from both sources and if I raise outputs.master both sources
get
 louder, which is bad if I'm at work. I can't find a useful switch in
 mixerctl -v and
 Google doesn't help yet

 $ mixerctl -v
 outputs.hp_source=dac  [ dac dac2 mix2 ]

 outputs.spkr_source=dac  [ dac dac2 mix2 ]

 inputs.dac_mute=off  [ off on ]

 inputs.dac2_mute=off  [ off on ]

 outputs.master.slaves=dac  { dac dac2 mic3 sel2 sel3 beep }

 $ mixerctl outputs.spkr=dac2
 $ mixerctl outputs.dac2_mute=on

 the second command probably isn't really needed.

 --
 jake...@sdf.lonestar.org
 SDF Public Access UNIX System - http://sdf.lonestar.org





--
http://www.openbsd.org/lyrics.html



Re: How to disable output to speakers if I use headphones on azalia?

2009-04-24 Thread Jacob Meuser
On Sat, Apr 25, 2009 at 06:55:12AM +0200, Tomáš Bodžár wrote:
 Great. The second command is not needed.
 Those shortcuts are still somewhat cryptic :-) I wasn't sure about it.
 
 Are they described somewhere in man? They aren't described in
 mixerctl(1), audio(4) or audio(9). Or I can't see them in the format of
 mixerctl output

there really has never been strict naming of the mixer controls, but
audio(4) does suggest some guidelines, which the drivers mostly follow.

there are also some hints in mixerctl.conf(5).

 2009/4/25 Jacob Meuser jake...@sdf.lonestar.org:
  On Sat, Apr 25, 2009 at 05:59:29AM +0200, Tomáš Bodžár wrote:
  Hi all,
 
  does someone know how to disable sound output to the speakers if I use headphones?
  I have sound from both sources and if I raise outputs.master both sources
 get
  louder, which is bad if I'm at work. I can't find a useful switch in
  mixerctl -v and
  Google doesn't help yet
 
  $ mixerctl -v
  outputs.hp_source=dac  [ dac dac2 mix2 ]
 
  outputs.spkr_source=dac  [ dac dac2 mix2 ]
 
  inputs.dac_mute=off  [ off on ]
 
  inputs.dac2_mute=off  [ off on ]
 
  outputs.master.slaves=dac  { dac dac2 mic3 sel2 sel3 beep }
 
  $ mixerctl outputs.spkr=dac2
  $ mixerctl outputs.dac2_mute=on
 
  the second command probably isn't really needed.
 
  --
  jake...@sdf.lonestar.org
  SDF Public Access UNIX System - http://sdf.lonestar.org
 
 
 
 
 
 --
 http://www.openbsd.org/lyrics.html
 

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org