Re: [Way OT] Roadtrip...
On Fri, Apr 24, 2009 at 1:11 AM, Nick Bender nben...@gmail.com wrote: Apologies to most people who won't give a shit but I'm finally moving to New Mexico... This is the sort of thing that gets me thinking really really seriously again about capital punishment. Who's with me? -- No no no, my fish's name is Eric, Eric the fish. He's an halibut. I am not a looney! Why should I be tarred with the epithet looney merely because I have a pet halibut?
Re: Problem with slow disk I/O
On Apr 23 18:09:55, Thomas Pfaff wrote: First on Ubuntu: /dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro) ~$ time (tar -zxf ports.tar.gz sync) real 0m47.784s 47.78 seconds wall clock time Then the same commands on OpenBSD: /dev/wd0k on /home type ffs (local, nodev, nosuid, softdep) $ time (tar -zxf ports.tar.gz sync) 1m2.62s real 0m1.15s user 0m7.15s system ~ 1 minute 2.5 seconds wall clock time So you have ~52 seconds on ext3 mounted 'realtime' (whatever that means), versus ~63 seconds on ffs mounted with 'softdep'. What was the problem again? That I cannot get the job done in less than a minute on OpenBSD while on Linux it takes only 18 seconds. Also, doesn't ext2/3 run with everything mount async? A quick test with ffs in async mode (instead of, or added to softdep) would also be worth running, in order to see how much grossly insecure I/O lessens the perceived time. I am one of those who like to keep my files, so I won't recommend USING async, but for the sake of argument here, such a test might be in order. Which reminds me to ask what the state of having a UBC in OpenBSD is, please? There is nothing close to it yet, to my knowledge, but I am hosting the 2009 filesystem hackathon this autumn in hopes of getting 'better' I/O out of OpenBSD, with the help of a nice grant to that goal. Perhaps magic will come out of that. History (and undeadly =) will tell. Mind you, I did run UBC on my obsd amiga back in the short while when art@ had UBC in, which did wonders when you have lots (128M) of ram and a PIO mode 0 harddisk to boot.
Upgrade to -current
Currently I am using 4.2 stable and I am willing to upgrade to -current because of some new features which I need. According to the FAQ (http://www.openbsd.org/faq/faq5.html#Bld) I should first upgrade to the closest binary, which means upgrading from 4.2 to 4.3 and then to 4.4 (latest snapshot) and finally Fetch build *-current. The above process, as you know, will be a highly time-consuming process and I prefer to stick to my current 4.2 rather than going through that. Why not just Fetch build -current directly? What is your recommended approach for upgrading to -current? Thanks, Mani *
Re: sudo won't work with login_fingerprint
omg we have finger print reader support??? ! I installed the port and I'm playing with it. Can you post your full config? The login_fingerprint docs are short on the troubleshooting. I can enroll my fingers and I've got su asking me for finger swipes but whenever I do it says invalid swipe or login incorrect. I see the same result as you with sudo. Annoying. Sudo must not be feeding it correctly right, but perhaps login_fingerprint is expecting wrongly. It would be a neat gimmick if we could get this working! -Nick On 23/04/2009, LEVAI Daniel l...@ecentrum.hu wrote: Hi! I've set up this login_fingerprint port and it is working fine in console logins and with `su`, but with sudo I can't seem to get it to work. I've modified my /etc/login.conf like this: # Default allowed authentication styles auth-defaults:auth=-fingerprint,passwd,skey:\ :x-fingerprint=7: I've just added the fingerprint stuff. Now when running sudo, and typing in my password 3 times: $ sudo -l -fingerprint: challenge not supported sudo password(daniell): -fingerprint: response not supported Sorry, try again. -fingerprint: challenge not supported sudo password(daniell): -fingerprint: response not supported Sorry, try again. -fingerprint: challenge not supported sudo password(daniell): -fingerprint: response not supported Sorry, try again. sudo: 3 incorrect password attempts With `sudo -a` I can specify the passwd type, and can sudo with my password, so no big problem, I'm just wondering what special configuration is needed for sudo to work with this auth type. Any ideas would be appreciated, thanks! Daniel -- LIVAI Daniel PGP key ID = 0x4AC0A4B1 Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
Re: question about net.inet.carp.preempt
Hallo! Thanks for the reply! I am also aware that one popular use of net.inet.carp.preempt is to control how the computer system as a whole reacts to errors like one physical interface going dead. 'man carp' says about net.inet.carp.preempt: Allow virtual hosts to preempt each other. It is also used to failover carp interfaces as a group. When the option is enabled and one of the carp enabled physical interfaces goes down, advskew is changed to 240 on all carp interfaces. See also the first example. Disabled by default. What I was interested in mainly this time is the so to say practical meaning of the first sentence, in case how a pair of carp interfaces in a carp group behave while .carp.preempt is not set or is set. I decided to dig a little bit deeper because sometimes I can't predict events when I add another vlan and carp interface to the running system (master for that particular carp device appears on the wrong side etc). It could be easily said to me that if you are so interested use the source but I am sorry the source is not much help for me, I am more about just a user. Imre Felipe Alfaro Solana wrote: On Thu, Apr 23, 2009 at 12:05 PM, Imre Oolberg i...@auul.pri.ee wrote: Hallo! I would like to confirm my understanding of how carp works and if the following holds generally true. After having on all participating nodes set to # sysctl -w net.inet.carp.preempt=0 AFAIK CARP preempt has meaning only in the context of the machine to which it applies. When CARP preempt is enabled, in a machine with multiple CARP interfaces, whenever one CARP interface fails over, all other CARP interfaces in the machine fail over too. I'm using this on my 2-firewall configuration (active-passive) where each machine has two CARP interfaces: internal interface and Internet-facing interface. Whenever one of the interfaces fails over, the other does too. This way, both interfaces are either master or backup, at the same time. 
This avoids the case where the internal interface is master and the Internet-facing interface is backup (or the opposite). one could change advskew value and actually no carp takeover takes place automatically until issuing on the becoming master node # ifconfig carp-interface-name state master or on becoming backup node # ifconfig carp-interface-name state backup After that the carp master and backup change roles. On the other hand, if all participating nodes are set to # sysctl -w net.inet.carp.preempt=1 then under similar changes in advskew carp takeover happens automatically, i.e. master and backup change roles and 'state master' or 'state backup' ain't needed to be issued manually. (As merriam-webster says in one case for preemptive being 'marked by the seizing of the initiative; initiated by oneself') Imre PS The scope of this experiment is takeover within a particular carp group (practically between two physical interfaces) and not for all carp groups as in case with firewall with several physical interfaces.
Re: sudo won't work with login_fingerprint
On Friday 24 April 2009 09.28.34 you wrote: omg we have finger print reader support??? ! I installed the port and I'm playing with it. Can you post your full config? The login_fingerprint docs are short on the troubleshooting. I can enroll my fingers and I've got su asking me for finger swipes but whenever I do it says invalid swipe or login incorrect. You need to enroll_fingerprint(8) as the target (root) user too, so root will have a ~/.fprint directory too. I see the same result as you with sudo. Annoying. Sudo must not be feeding it correctly right, but perhaps login_fingerprint is expecting wrongly. It would be a neat gimmick if we could get this working! I just followed /usr/local/share/doc/login_fingerprint/README: $ enroll_fingerprint -f 7 It has populated a ~/.fprint/ dir with the scanned fingerprint, and after the login.conf modify I could login on the console and do `su`. Only sudo seems to need the '-apasswd' option to force it to use the passwd auth type instead of the -fingerprint type. But grepping thru sudo's source I couldn't find this error message anywhere :\ My modifications in login.conf is only the following: --- /var/backups/etc_login.conf.backup Thu Apr 16 16:06:00 2009 +++ /etc/login.conf Thu Apr 23 17:15:23 2009 
@@ -23,7 +23,8 @@ # # Default allowed authentication styles -auth-defaults:auth=passwd,skey: +auth-defaults:auth=-fingerprint,passwd,skey:\ + :x-fingerprint=7: # Default allowed authentication styles for authentication type ftp auth-ftp-defaults:auth-ftp=passwd: Daniel On 23/04/2009, LEVAI Daniel l...@ecentrum.hu wrote: [...] $ sudo -l -fingerprint: challenge not supported sudo password(daniell): -fingerprint: response not supported Sorry, try again. -fingerprint: challenge not supported sudo password(daniell): -fingerprint: response not supported Sorry, try again. -fingerprint: challenge not supported sudo password(daniell): -fingerprint: response not supported Sorry, try again. sudo: 3 incorrect password attempts [...] -- LIVAI Daniel PGP key ID = 0x4AC0A4B1 Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
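Review bot: In the added `auth-defaults:auth=-fingerprint,passwd,skey:\` line, `-fingerprint` is listed first, and login.conf treats the first style in an `auth` list as the default, so every class that inherits `auth-defaults` now tries the fingerprint style before `passwd`, including programs such as sudo, whose output quoted in this message shows `-fingerprint: challenge not supported`. Consider keeping `passwd` first in this shared entry, or leaving `auth-defaults` unchanged and defining a separate login class for the accounts that should authenticate by fingerprint, and keep a root session open while testing so that a broken style cannot block logins.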
Re: Upgrade to -current
On Friday 24 April 2009 08.50.11 you wrote: Currently I am using 4.2 stable and I am willing to upgrade to -current because of some new features which I need. According to the FAQ (http://www.openbsd.org/faq/faq5.html#Bld) I should first upgrade to the closest binary, which means upgrading from 4.2 to 4.3 and then to 4.4 (latest snapshot) and finally Fetch build *-current. The above process, as you know, will be a highly time-consuming process and I prefer to stick to my current 4.2 rather than going through that. Why not just Fetch build -current directly? What is your recommended approach for upgrading to -current? Upgrading thru the binary releases is not that tedious, and you could upgrade to a binary snapshot of -current after the latest binary release has been installed. No need to compile -current AFAIK. Daniel -- LIVAI Daniel PGP key ID = 0x4AC0A4B1 Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
Re: autowhitelister for spamd needs testing
Aaron Mason wrote: On Fri, Apr 24, 2009 at 11:01 AM, Dan Harnett dan...@harnett.name wrote: On top of that, if VeriSign could be tricked into signing a fake Microsoft ActiveX key, can you really trust the authorities? Are you implying SPF records are validated somewhere and signed by a trusted third party? They're not. They're provided by the bad guys. A more proper analogy would be that you received an ActiveX control signed by The Bad Guys Who Do Bad Things. They were nice enough to sign it, so you accept it. I was implying no such thing. I was referring to using WHOIS to block spammers on the basis of the date the domain was registered. asfjsakf1359.com TXT v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all Ok, now that gives us a pointer by which to block fraudulent folk. That record means anyone and everyone can send an email using that domain name. A proper SPF record wouldn't have an all-encompassing IP range. In fact, who in the world would have anything more than a /7 block? However that alone wouldn't deter any spammer - just limit the range to what's accepted and you're in. And any limit you set will only cause more dramas. Sure you could limit it to /24 and smaller, or even to single addresses, but what about those select folk who have been assigned /8 classless subnets? That's a whole lotta SPF records for one subdomain. No solution is perfect, but a small group of imperfect solutions is a far cry better than no solutions at all and our mailboxes being inundated with spam. The problem's here to stay, all we can do is deal with it as best we can. well nobody's perfect. and there is no solution perfect. And i do not even pretend that i made a perfect solution. It still require /dev/brain, /dev/eyes, and /dev/hands... Ok, thank you all, for the interesting discussion. I think I could develop more advanced solution that will check blocks found by spf lookup through whois lookup... -- With best regards, Gregory Edigarov
Re: rt.fm ftp server dumps core
On Thu, Apr 23, 2009 at 03:37:00PM -0600, Jeff Ross wrote: Hi, For a while now I've been getting segmentation faults when I try to download snapshots from rt.fm ftp mget *tgz mget base45.tgz? all Prompting off for duration of mget. local: base45.tgz remote: base45.tgz 150 Opening BINARY mode data connection for 'base45.tgz' (48267043 bytes). 100% |**| 47135 KB00:41 226 Transfer complete. 48267043 bytes received in 41.35 seconds (1.11 MB/s) local: comp45.tgz remote: comp45.tgz 150 Opening BINARY mode data connection for 'comp45.tgz' (90067409 bytes). 100% |**| 87956 KB01:12 421 Service not available, remote server has closed connection. Segmentation fault (core dumped) I'm running a similar command now on pub/OpenBSD/snapshots/i386. Is that what you're doing? Also, it would've been nice to include a trace from the core.
Re: Problem with slow disk I/O
First on Ubuntu: /dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro) ~$ time (tar -zxf ports.tar.gz sync) real 0m47.784s Then the same commands on OpenBSD: /dev/wd0k on /home type ffs (local, nodev, nosuid, softdep) $ time (tar -zxf ports.tar.gz sync) 1m2.62s real 0m1.15s user 0m7.15s system So you have ~52 seconds on ext3 mounted 'realtime' (whatever that means), versus ~63 seconds on ffs mounted with 'softdep'. Replying to myself, 'realtime' implies noatime, says http://lwn.net/Articles/244829/ (Isn't once upon atime an amusing title?) And https://help.ubuntu.com/community/Fstab says that 'async' is the default for Ubuntu ext3 mounts. Is your ext3 mounted async? The mount line doesn't say so - but is that hidden under 'realtime', too? Also, doesn't ext2/3 run with everything mount async? A quick test with ffs in async mode (instead of, or added to softdep) would also be worth running, in order to see how much grossly insecure I/O lessens the perceived time. I am one of those who like to keep my files, so I wont recommend USING async, but for the sake of argument here, such a test might be in order. softdep and async are mutually exclusive. 
This is what happens with and without noatime (+ softdep, of course), and with async replacing softdep, on my machine: # uname -a OpenBSD stary.dhcp.fjfi.cvut.cz 4.4 GENERIC.MP#2 i386 # mount /dev/wd0a on / type ffs (local) /dev/wd0d on /usr type ffs (local, nodev, softdep) /dev/wd0e on /var type ffs (local, nodev, nosuid, softdep) /dev/wd0f on /var/log type ffs (local, nodev, nosuid, softdep) /dev/wd0g on /var/mail type ffs (local, nodev, nosuid, softdep) /dev/wd0h on /tmp type ffs (local, nodev, nosuid, softdep) /dev/wd0i on /home type ffs (local, nodev, nosuid, softdep) /dev/wd0k on /dload type ffs (local, nodev, nosuid, softdep) /dev/wd0j on /backup type ffs (local, nodev, nosuid, softdep) # cd /backup # ls -l ports.tar.gz -rw-r--r-- 1 root wheel 14583699 Aug 9 2008 ports.tar.gz # time { tar xzf ports.tar.gz ; sync ; } 1m5.51s real 0m0.00s user 0m0.00s system # time rm -rf ports 0m13.88s real 0m0.20s user 0m1.56s system # cd # umount /backup # mount -o nodev,nosuid,softdep,noatime /dev/wd0j /backup # cd /backup # time { tar xzf ports.tar.gz ; sync ; } 1m6.85s real 0m0.00s user 0m0.00s system # time rm -rf ports 0m14.72s real 0m0.16s user 0m1.33s system # cd # umount /backup # mount -o nodev,nosuid,async /dev/wd0j /backup # cd /backup # time { tar xzf ports.tar.gz ; sync ; } 0m39.44s real 0m0.00s user 0m0.01s system # time rm -rf ports 0m6.80s real 0m0.19s user 0m1.45s system Jan
Re: DHCP versus PPPoE for ADSL.
From: Claudio Jeker The main encapsulation over ADSL is PPPoE or PPPoA only lately, with the spread of IPTV and VDSL, EFM (Ethernet First Mile) is used by some telcos. So it totally depends on what your provider is giving you. Hi Claudio. Maybe I didn't explain myself or perhaps I am trying to explain something that doesn't make sense. I understand there are differing methods of getting the packets from the exchange to the premises, etcetera. Considering the existing popular method of PPPoE is there more than one way to collect those packets at the first adapter after the modem? My current scenario: DSLAM-PPPoE-Modem-TCP/IP-Router In this case, the relevant adapter on the router gets an IP address from the modem's DHCP server. All the PPPoE to IP transactions occur within the modem. The hostname.if file on the router: DHCP none none none The other scenario: DSLAM-PPPoE-Modem-PPPoE-Router In this case the relevant adapter on the router receives PPPoE encapsulated packets from the modem exactly as they are sent from the exchange. The modem does not do any PPPoE to IP conversion. The hostname.if file on the router merely says up. There is also an /etc/hostname.pppoe0 file on the router. This other scenario seems to be the intent of pppoe(4): This is often used to connect a router via a DSL modem to an access concentrator. The pppoe interface does not by itself transmit or receive frames, but needs an Ethernet interface to do so. This Ethernet interface is connected to the pppoe interface via ifconfig(8). The Ethernet interface needs to be marked UP, but does not need to have an IP address. So it is quite different from my current scenario - no IP address for a start. Am I reading all this correctly? Best wishes.
Transparent Firewall (bridge) with DMZ + LAN
I'm currently interested in setting up a three-legged network, using OBSD+PF as the firewall. Originally, I had jus
Transparent firewall (bridge) with DMZ + LAN
I am currently interested in setting up a three-legged network topology, using OBSD+PF as the firewall appliance. Originally, I was going to simply have the firewall equipped with three network cards: one for DMZ, one for LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was for a switch to be used on both DMZ and LAN, providing NAT on both segments. Pretty straight forward. Recently, it has been suggested that a transparent firewall implementation is ideal where possible. But as far as I understand, transparency is only available when the firewall acts as a bridge between TWO networks. How would I keep my DMZ and LAN both while using a bridging firewall. Is it even possible?
Re: sudo won't work with login_fingerprint
On Fri, Apr 24, 2009 at 3:38 AM, LEVAI Daniel l...@ecentrum.hu wrote: On Friday 24 April 2009 09.28.34 you wrote: omg we have finger print reader support??? ! I installed the port and I'm playing with it. Can you post your full config? The login_fingerprint docs are short on the troubleshooting. I can enroll my fingers and I've got su asking me for finger swipes but whenever I do it says invalid swipe or login incorrect. You need to enroll_fingerprint(8) as the target (root) user too, so root will have a ~/.fprint directory too. When I say su I actually meant I'm running su $USER. I see the same result as you with sudo. Annoying. Sudo must not be feeding it correctly right, but perhaps login_fingerprint is expecting wrongly. It would be a neat gimmick if we could get this working! I just followed /usr/local/share/doc/login_fingerprint/README: $ enroll_fingerprint -f 7 It has populated a ~/.fprint/ dir with the scanned fingerprint, and after the login.conf modify I could login on the console and do `su`. Only sudo seems to need the '-apasswd' option to force it to use the passwd auth type instead of the -fingerprint type. But grepping thru sudo's source I couldn't find this error message anywhere :\ My modifications in login.conf is only the following: --- /var/backups/etc_login.conf.backup Thu Apr 16 16:06:00 2009 +++ /etc/login.conf Thu Apr 23 17:15:23 2009 
@@ -23,7 +23,8 @@ # # Default allowed authentication styles -auth-defaults:auth=passwd,skey: +auth-defaults:auth=-fingerprint,passwd,skey:\ + :x-fingerprint=7: # Default allowed authentication styles for authentication type ftp auth-ftp-defaults:auth-ftp=passwd: I followed the README too but it told me to add this: # # The fingerprint login class allows the fingerprint and passwd # authentication methods and checks your 7th (right index) finger. # fingerprint: :auth=-fingerprint,passwd:\ :x-fingerprint=7:\ :tc=default: and I had to do sudo usermod -L fingerprint $USER to get su $USER to start asking me to swipe. Do we maybe have different versions (I should probably shyly mention here that I'm on -CURRENT right now)? Why are we writing -fingerprint instead of fingerprint? login.conf(8) is hazy on what this means. It doesn't seem to matter espcially which is chosen. I suspect my problem is a driver issue. I have a 1600 chip (as linux tells me... dunno why OpenBSD) but the driver is written for 1610 chips. Until I can at least use su with my finger I'm not sure I can help you. -Nick
Re: sudo won't work with login_fingerprint
On Friday 24 April 2009 12.27.50 you wrote: On Fri, Apr 24, 2009 at 3:38 AM, LEVAI Daniel l...@ecentrum.hu wrote: On Friday 24 April 2009 09.28.34 you wrote: omg we have finger print reader support??? ! I installed the port and I'm playing with it. Can you post your full config? The login_fingerprint docs are short on the troubleshooting. I can enroll my fingers and I've got su asking me for finger swipes but whenever I do it says invalid swipe or login incorrect. You need to enroll_fingerprint(8) as the target (root) user too, so root will have a ~/.fprint directory too. When I say su I actually meant I'm running su $USER. Then you must run enroll_fingerprint as $USER, to make the $USER_HOMEDIR/.fprint/ directory and the corresponding files. I see the same result as you with sudo. Annoying. Sudo must not be feeding it correctly right, but perhaps login_fingerprint is expecting wrongly. It would be a neat gimmick if we could get this working! I just followed /usr/local/share/doc/login_fingerprint/README: $ enroll_fingerprint -f 7 It has populated a ~/.fprint/ dir with the scanned fingerprint, and after the login.conf modify I could login on the console and do `su`. Only sudo seems to need the '-apasswd' option to force it to use the passwd auth type instead of the -fingerprint type. But grepping thru sudo's source I couldn't find this error message anywhere :\ My modifications in login.conf is only the following: --- /var/backups/etc_login.conf.backup Thu Apr 16 16:06:00 2009 +++ /etc/login.conf Thu Apr 23 17:15:23 2009 
@@ -23,7 +23,8 @@ # # Default allowed authentication styles -auth-defaults:auth=passwd,skey: +auth-defaults:auth=-fingerprint,passwd,skey:\ + :x-fingerprint=7: # Default allowed authentication styles for authentication type ftp auth-ftp-defaults:auth-ftp=passwd: I followed the README too but it told me to add this: # # The fingerprint login class allows the fingerprint and passwd # authentication methods and checks your 7th (right index) finger. # fingerprint: :auth=-fingerprint,passwd:\ :x-fingerprint=7:\ :tc=default: I've done the same thing except I've added this to the default class, so I don't have to change the already made classes (which are including auth-defaults). and I had to do sudo usermod -L fingerprint $USER to get su $USER to start asking me to swipe. Do we maybe have different versions (I should probably shyly mention here that I'm on -CURRENT right now)? I'm using -current too, but in this case it doesn't matter; the login classes we use are not the same, but that's all. Why are we writing -fingerprint instead of fingerprint? login.conf(8) is hazy on what this means. It doesn't seem to matter espcially which is chosen. man login.conf: Local authentication styles may be added by creating a login script for the style (see below). To prevent collisions with future official BSD Authentication style names, all local style names should start with a dash (-). ^^^ That is why the -fingerprint; also: # ls -l /usr/libexec/auth/ [...] login_-fingerprint [...] I suspect my problem is a driver issue. I have a 1600 chip (as linux tells me... dunno why OpenBSD) but the driver is written for 1610 chips. Until I can at least use su with my finger I'm not sure I can help you. What does `ls -lR /home/$USER/.fprint/` tells you? Do you have the proper scanned fingerprints there? Do you have the $USER in the fingerprint class (if you've followed the README file with login_fingerprint)? 
Daniel -- LIVAI Daniel PGP key ID = 0x4AC0A4B1 Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
RadiusClient
Hi all What is the radius client package for OpenBSD? What I need to do is provide pptpd auth with radius. My Radius Server is a Windows Server 2003. On Ubuntu and Debian the name of the package is radiusclient, downloadable via apt-get. -- Att. Bruno Galindro da Costa bruno.galin...@gmail.com Florianópolis - SC
Re: Upgrade to -current
On Fri, Apr 24, 2009 at 1:50 AM, MANI mm.m...@gmail.com wrote: Currently I am using 4.2 stable and I am willing to upgrade to -current because of some new features which I need. According to the FAQ (http://www.openbsd.org/faq/faq5.html#Bld) I should first upgrade to the closest binary, which means upgrading from 4.2 to 4.3 and then to 4.4 (latest snapshot) and finally Fetch build *-current. The above process, as you know, will be a highly time-consuming process and I prefer to stick to my current 4.2 rather than going through that. Why not just Fetch build -current directly? What is your recommended approach for upgrading to -current? As has already been said, the less tedious way is to go through a binary upgrade of each version. Check out: http://www.openbsd.org/faq/upgrade44.html for guidance through the upgrade from 4.3 - 4.4. The other upgrades will be similar. There are links at the top of the page that will help you through other upgrades. -Neal thanks, Mani * -- www.nealhogan.net www.lambdaserver.com
Re: autowhitelister for spamd needs testing
On Fri, Apr 24, 2009 at 02:16:57PM +1000, Aaron Mason wrote: On Fri, Apr 24, 2009 at 11:01 AM, Dan Harnett dan...@harnett.name wrote: On top of that, if VeriSign could be tricked into signing a fake Microsoft ActiveX key, can you really trust the authorities? Are you implying SPF records are validated somewhere and signed by a trusted third party? They're not. They're provided by the bad guys. A more proper analogy would be that you received an ActiveX control signed by The Bad Guys Who Do Bad Things. They were nice enough to sign it, so you accept it. I was implying no such thing. I was referring to using WHOIS to block spammers on the basis of the date the domain was registered. Then your analogy didn't even make sense. No one is being tricked. I can recycle old domains as well. You don't get it. asfjsakf1359.com TXT v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all Ok, now that gives us a pointer by which to block fraudulent folk. That record means anyone and everyone can send an email using that domain name. A proper SPF record wouldn't have an all-encompassing IP range. In fact, who in the world would have anything more than a /7 block? That is a proper SPF record. So, in addition to filtering e-mail, you're going to start using complicated filters to screen out SPF records because you're dumb enough to whitelist everything the spammer tells you to? Go for it. Have fun with that. However that alone wouldn't deter any spammer - just limit the range to what's accepted and you're in. And any limit you set will only cause more dramas. Sure you could limit it to /24 and smaller, or even to single addresses, but what about those select folk who have been assigned /8 classless subnets? That's a whole lotta SPF records for one subdomain. I gave you the simplest and quickest example that came to mind. If you have even half a brain, then you'd realize how trivial it would be to list single IP addresses. 
I can even obfuscate it to the point of nested 'include:'s to keep the TXT records a decent size. Spammers have always been one step ahead. Anything like auto-whitelisting SPF records would be picked up rather fast and abused easily if it gained widespread acceptance. They don't even need to go as far as my example did. They just need to whitelist their own little spam haven, which you'll happily do. No solution is perfect, but a small group of imperfect solutions is a far cry better than no solutions at all and our mailboxes being inundated with spam. The problem's here to stay, all we can do is deal with it as best we can. You're auto-whitelisting whatever the spammer tells you to and you think that is preventing spam? LOL. The only hindrance here is the brief moment greylisting was working until you whitelisted the entire internet. I think you still don't get it.
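The point argued in this exchange, that a per-block prefix limit does not bound what a sender-published SPF record authorizes, as an added Python example (not code from the thread or from spamd): it parses a record offline and measures the merged IPv4 coverage of its pass mechanisms. The `/8` limit, the function names and the records marked constructed are assumptions for illustration; the first record is the one quoted in the thread.

```python
import ipaddress
import re

IPV4_SPACE = 2 ** 32
# Terms whose effect cannot be known without DNS lookups.
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr", "redirect"}

# The record quoted in the thread.
PAGE_RECORD = "v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all"
# Constructed: the same address space written as 256 blocks of /8 each.
SPLIT_RECORD = "v=spf1 " + " ".join(f"ip4:{i}.0.0.0/8" for i in range(256)) + " ~all"
# Constructed: a narrow record with overlapping blocks (documentation range).
SMALL_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:192.0.2.128/25 -all"


def parse_spf(record):
    """Return (IPv4 networks that yield 'pass', terms that need DNS to evaluate)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, unresolved = [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else ""
        body = term[len(qualifier):]
        match = re.match(r"[a-z][a-z0-9]*", body.lower())
        if match is None or qualifier not in ("", "+"):
            continue  # fail, softfail and neutral terms authorize nobody
        name = match.group(0)
        if name == "ip4":
            value = body.partition(":")[2]
            networks.append(ipaddress.ip_network(value, strict=False))
        elif name == "all":
            # A passing "all" authorizes every sender address.
            networks.append(ipaddress.ip_network("0.0.0.0/0"))
        elif name in NEEDS_DNS:
            unresolved.append(term)
    return networks, unresolved


def ip4_coverage(networks):
    """Fraction of the IPv4 space covered once overlapping blocks are merged."""
    merged = ipaddress.collapse_addresses(networks)
    return sum(net.num_addresses for net in merged) / IPV4_SPACE


def audit_spf(record, min_prefix=8):
    """Summarize a record; min_prefix is the assumed per-block limit under test."""
    networks, unresolved = parse_spf(record)
    return {
        "coverage": ip4_coverage(networks),
        # The per-mechanism rule proposed in the thread: no block wider than /min_prefix.
        "passes_prefix_limit": all(n.prefixlen >= min_prefix for n in networks),
        # Anything listed here can widen the record further and needs resolving.
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    for label, rec in (("page", PAGE_RECORD), ("split", SPLIT_RECORD),
                       ("small", SMALL_RECORD)):
        result = audit_spf(rec)
        print(f"{label:5} coverage={result['coverage']:.8f} "
              f"prefix_ok={result['passes_prefix_limit']} "
              f"unresolved={result['unresolved']}")
```

Even a small coverage figure only describes how much the domain owner chose to authorize; the record is still written by whoever controls the domain.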
Re: RadiusClient
2009/4/24 Bruno Galindro da Costa bruno.galin...@gmail.com: Hi all What is the radius client package for OpenBSD? What I need to do is provide pptpd auth with radius. My Radius Server is a Windows Server 2003. On Ubuntu and Debian the name of the package is radiusclient, downloadable via apt-get. http://www.openbsd.org/4.4_packages/i386.html Search for radius... -- We spend the first twelve months of our children's lives teaching them to walk and talk and the next twelve telling them to sit down and shut up.
Re: RadiusClient
On Fri, Apr 24, 2009 at 09:05:32AM -0300, Bruno Galindro da Costa wrote: Hi all What is the radius client package for OpenBSD? What I need to do is provide pptpd auth with radius. My Radius Server is a Windows Server 2003. On Ubuntu and Debian the name of the package is radiusclient, downloadable via apt-get. $ pkg_info -Q radius
Re: sudo won't work with login_fingerprint
On Fri, Apr 24, 2009 at 7:14 AM, LEVAI Daniel l...@ecentrum.hu wrote: On Friday 24 April 2009 12.27.50 you wrote: I followed the README too but it told me to add this: # # The fingerprint login class allows the fingerprint and passwd # authentication methods and checks your 7th (right index) finger. # fingerprint: :auth=-fingerprint,passwd:\ :x-fingerprint=7:\ :tc=default: I've done the same thing except I've added this to the default class, so I don't have to change the already made classes (which are including auth-defaults). and I had to do sudo usermod -L fingerprint $USER to get su $USER to start asking me to swipe. Do we maybe have different versions (I should probably shyly mention here that I'm on -CURRENT right now)? I'm using -current too, but in this case it doesn't matter; the login classes we use are not the same, but that's all. Why are we writing -fingerprint instead of fingerprint? login.conf(8) is hazy on what this means. It doesn't seem to matter especially which is chosen. man login.conf: Local authentication styles may be added by creating a login script for the style (see below). To prevent collisions with future official BSD Authentication style names, all local style names should start with a dash (-). ^^^ That is why the -fingerprint; also: # ls -l /usr/libexec/auth/ [...] login_-fingerprint [...] Ah. login_fingerprint is installed to two places. Under /usr/local/ it's login_fingerprint, which is why I was confused. I suspect my problem is a driver issue. I have a 1600 chip (as linux tells me... dunno why OpenBSD) but the driver is written for 1610 chips. Until I can at least use su with my finger I'm not sure I can help you. What does `ls -lR /home/$USER/.fprint/` tells you? Do you have the proper scanned fingerprints there? Do you have the $USER in the fingerprint class (if you've followed the README file with login_fingerprint)? The fingerprint files exist alright. 
The only thing I thought it might be is that -CURRENT broke login_fingerprint somehow, but if you're running the same code it must be the driver. http://reactivated.net/fprint/wiki/Aes1610 sort of suggests that the reader isn't great to begin with and if mine's a version off I wouldn't be surprised it's b0rked. -Nick
Recipient Validation Design Opinions
Hello, We are putting together an OpenBSD-based border email server to replace an aging Linux box. On the current system, Postfix performs a call ahead to two internal boxes for recipient validation. I'm interested in recommendations on how to perform validation with the base sendmail. The two internal servers use several different domains and accept a variety of different name formats. In addition, some users have one or more aliases. Furthermore, only the primary address is published in LDAP. One server serves approximately 1k users and the other approximately 20. I have been researching milters to perform this task, specifically Eland System's scam-backscatter. Our current average load, though I expect it to decrease with the use of spamd, is approximately 270k connections per day, 115k of which are rejected as invalid. Does anyone have experience with scam-backscatter or are there other solutions we should be investigating? I'm also interested in opinions on the overall design of the solution thus far. As stated previously, our current system is a Linux box running Postfix, amavis, clamav and spamassassin. Due to the nature of the store and scan system, we've noticed a tendency for the system to become swamped under heavy load and take several hours to clear out. Furthermore, we're quarantining viruses and obvious spam in the neighborhood of 89k a day, which I would rather leave at the door. The OpenBSD system would be running spamd, the base sendmail, smtp-vilter, clamav and spamassassin. To prevent outgoing email from being tagged as spam and to conserve resources, I had planned to run sendmail on two different ports. The standard port would handle incoming connections and a second, non-standard port, would be restricted with pf for outgoing email. We would then run two instances of smtp-vilter, one which ran spamassassin and one which did not. Use of sendmail's DAEMON_OPTIONS InputMailFilters would determine which vilter to run. 
In our test environment, using smtpsend, we're seeing approximately 45 messages/second through smtp-vilter with clamd. The smtp-vilter instance which adds spamassassin is running 5-6 messages/second. Any recommendations for recipient validation or suggestions on improving the system are greatly appreciated. Thank you, Mario
Re: Unable to mount CD/DVD-RW drive in OpenBSD 4.4/i386.
I have attached a .txt file indicating what #disklabel cd0 returned. --- On Thu, 4/23/09, minsai0...@yahoo.com minsai0...@yahoo.com wrote: From: minsai0...@yahoo.com minsai0...@yahoo.com Subject: Unable to mount CD/DVD-RW drive in OpenBSD 4.4/i386. To: misc@openbsd.org Date: Thursday, April 23, 2009, 12:13 PM I am unable to get OpenBSD 4.4/i386 to see my OptiArc DVD+/-RW AD-5540 drive on a Dell Inspiron 6400 (E1505) notebook. Everything else is functional on this system. Neither /dev/cd0a nor /dev/cd0c work as /etc/fstab entries. The kernel returns: Device not configured. I also tried /dev/rcd0[n] (where n = a - p) as an /etc/fstab entry and it returned an error stating: Device block required. Below is an attachment of my dmesg file and /etc/fstab table. -minsai # /dev/rcd0c: type: ATAPI disk: ATAPI CD-ROM label: fictitious flags: bytes/sector: 2048 sectors/track: 100 tracks/cylinder: 1 sectors/cylinder: 100 cylinders: 1901 total sectors: 190050 rpm: 300 interleave: 1 trackskew: 0 cylinderskew: 0 headswitch: 0 # microseconds track-to-track seek: 0 # microseconds drivedata: 0 0 partitions: #size offset fstype [fsize bsize cpg]
Re: DHCP versus PPPoE for ADSL.
On 2009-04-24, David Walker davidianwal...@gmail.com wrote: From: Claudio Jeker The main encapsulation over ADSL is PPPoE or PPPoA only lately, with the spread of IPTV and VDSL, EFM (Ethernet First Mile) is used by some telcos. So it totally depends on what your provider is giving you. Maybe I didn't explain myself or perhaps I am trying to explain something that doesn't make sense. I understand there are differing methods of getting the packets from the exchange to the premises, etcetera. Considering the existing popular method of PPPoE is there more than one way to collect those packets at the first adapter after the modem? My current scenario: DSLAM-PPPoE-Modem-TCP/IP-Router so with this, the modem is terminating the PPP session, and passing the address on over DHCP. some router vendors call this half bridge or dhcp spoofing. I'm not sure if it's still subject to the restriction of ethernet MTU, but if it is, the modem will usually hide this by clamping MSS, the same way match scrub (max-mss 1400) or whatever does. The other scenario: DSLAM-PPPoE-Modem-PPPoE-Router In this case the relevant adapter on the router receives PPPoE encapsulated packets from the modem exactly as they are sent from the exchange. that's what I normally do when the ISP and ADSL backhaul support PPPoE; the modem acts as a dumb bridge and the PPP session is terminated at the router using pppoe(4). this lets you do things like use IPv6-over-PPP where supported. (some networks allow you to use either PPPoA or PPPoE for example the standard ADSL connections in the UK with BT backhaul; I normally run these as PPPoE unless using them with carp). Can someone let me know if I am correct in assuming that if I want PPPoE in client mode only that PPPoE(4) is the way to go? usually. Probably a more important question is what, if any, are the advantages or disadvantages compared to DHCP? with one vendor implementation of this, it saves you from having a huge bunch of entries in your arp table... 
otherwise: control over the PPP session, maybe better logging, maybe access to ipv6 or multicast which could be a problem with some CPE modem/routers, and it puts most of the per user settings into the firewall, so it may make it easier to maintain spare modems/routers for a bunch of lines that you can just swap-out without reconfiguring. if you need that sort of thing.
Re: rt.fm ftp server dumps core
Paul Irofti wrote: On Thu, Apr 23, 2009 at 03:37:00PM -0600, Jeff Ross wrote: Hi, For a while now I've been getting segmentation faults when I try to download snapshots from rt.fm ftp mget *tgz mget base45.tgz? all Prompting off for duration of mget. local: base45.tgz remote: base45.tgz 150 Opening BINARY mode data connection for 'base45.tgz' (48267043 bytes). 100% |**| 47135 KB00:41 226 Transfer complete. 48267043 bytes received in 41.35 seconds (1.11 MB/s) local: comp45.tgz remote: comp45.tgz 150 Opening BINARY mode data connection for 'comp45.tgz' (90067409 bytes). 100% |**| 87956 KB01:12 421 Service not available, remote server has closed connection. Segmentation fault (core dumped) I'm running a similar command now on pub/OpenBSD/snapshots/i386. Is that what you're doing? Also, it would've been nice to include a trace from the core. Yes, that's what I've been trying to do. I rm-ed the core file--I thought that there was a problem with the server itself but I couldn't find an email contact for the person in charge of the mirror. Since I posted I've tried another 4 or 5 times and it's been working great. Jeff
Re: Transparent firewall (bridge) with DMZ + LAN
On Fri, Apr 24, 2009 at 12:12 PM, openbsder openbs...@gmail.com wrote: I am currently interested in setting up a three-legged network topology, using OBSD+PF as the firewall appliance. Originally, I was going to simply have the firewall equipped with three network cards: one for DMZ, one for LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was for a switch to be used on both DMZ and LAN, providing NAT on both segments. Pretty straight forward. Recently, it has been suggested that a transparent firewall implementation is ideal where possible. But as far as I understand, transparency is only available when the firewall acts as a bridge between TWO networks. How would I keep my DMZ and LAN both while using a bridging firewall. Is it even possible? What do you mean? Whether OpenBSD supports bridging? Whether PF supports L2-based filtering? Whether you can have two interfaces in a bridge and have, at the same time, L2-based filtering and L3-based filtering? By L2-based filtering I mean having the firewall inspect frames/packets from interfaces that are bridged together that do not have an IP address configured (i.e. L2-switching). -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: sudo won't work with login_fingerprint
login_fingerprint only supports login auth; it does not support challenge/response mode, which is what sudo (and other things) uses. - todd
European orders(Sweden) - nohup.se
Hello misc@, it has been almost a week since I sent an invoice for OpenBSD 4.5 CD/t-shirt to nohup.se. Well, there is no answer so far and the webpage is outdated and promoting old releases. Has anyone from Sweden successfully ordered anything from this site lately? Any other (successful) paths available? //maxim
T1 card compatible with 4.4
I'm looking for a T1 card compatible with 4.4. There were a fair number of recommendations for Sangoma's a101 a few years ago, followed by threads describing major problems and Sangoma yanking support for OpenBSD. What alternatives work decently under OpenBSD? -HKS
Re: autowhitelister for spamd needs testing
i think part of the success i experience using SPF as a means to create whitelists is in the fact that i maintain the list of domains i fancy whitelisting. unfortunately, it would be trivial for someone to take advantage of an spf-based automatic whitelist to slip right on thru spamd(8). it's a pisser. Spam Permitted From is broken as designed. It is most commonly deployed on throwaway spam domains. What a surprise! -Bob
Re: aucat's volume-sharing algorithm
On Fri, 24 Apr 2009 11:29:02 -0400 Nick Guenther kou...@gmail.com wrote: I'm playing with the new aucat. Or rather, running it, since unlike every other soundserver it doesn't require endless tweaking to just work. There is one issue I'm having, and I'm not sure if it's on purpose or not. Whenever (say) pidgin (or anything else) plays sound my music dims in volume. It makes sense the clients have to be turned down so two playing at 100% don't blow the speakers, but the trouble is the dip in sound is -really obvious-. I also think the current algorithm is too aggressive; the output volume is calculated by dividing the maximum volume by the number of streams (or clients). While this does guarantee that there will be no clipping, it means the change in volume is indeed very audible. Excerpts from /usr/src/usr.bin/aucat/aproc.c:
	n = 0;
	LIST_FOREACH(buf, &p->ibuflist, ient) {
		n++;
	}
	LIST_FOREACH(buf, &p->ibuflist, ient) {
		weight = ADATA_UNIT / n;
		[...]
		buf->mixweight = weight;
	}
Mixing two (or more) streams is not likely to cause any clipping (sample value out of range) as most samples are not exactly at peak values all the time. I don't have a better solution, but I think something should be done about the current approach; it just doesn't sound right to me. I wonder what the other sound daemons do ...
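The equal-share rule quoted above (weight = ADATA_UNIT / n), worked through as an added C example; this is not aucat's code and not part of the original message. The fixed-point unit of 32768, the function names and the two triangle-wave inputs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: fixed-point "1.0" is 32768 for signed 16-bit samples. */
#define UNIT     32768
#define NSAMPLES 800

/* Equal-share weight from the quoted excerpt: every stream gets UNIT / n. */
static int share_weight(unsigned nstreams)
{
    return nstreams ? (int)(UNIT / nstreams) : 0;
}

/* Scale one sample by a fixed-point weight (division avoids shifting
 * a negative value, which is implementation-defined in C). */
static int scale_sample(int16_t s, int weight)
{
    return ((int)s * weight) / UNIT;
}

/* Mix n streams with one common weight, saturating to the 16-bit range.
 * Returns how many output samples had to be clipped. */
static size_t mix_streams(const int16_t *const *in, unsigned n, size_t len,
                          int weight, int16_t *out)
{
    size_t clipped = 0;

    for (size_t k = 0; k < len; k++) {
        int acc = 0;

        for (unsigned i = 0; i < n; i++)
            acc += scale_sample(in[i][k], weight);
        if (acc > INT16_MAX) {
            acc = INT16_MAX;
            clipped++;
        } else if (acc < INT16_MIN) {
            acc = INT16_MIN;
            clipped++;
        }
        out[k] = (int16_t)acc;
    }
    return clipped;
}

/* Constructed input: triangle wave running from -amp to +amp. */
static int16_t triangle(size_t k, int period, int amp)
{
    int half = period / 2;
    int phase = (int)(k % (size_t)period);

    if (phase < half)
        return (int16_t)(-amp + (2 * amp * phase) / half);
    return (int16_t)(amp - (2 * amp * (phase - half)) / half);
}

/* Mix two constructed streams, either with the equal-share weight or
 * at full weight, and report how many samples clipped. */
static size_t demo_clip_count(int equal_share)
{
    static int16_t a[NSAMPLES], b[NSAMPLES], out[NSAMPLES];
    const int16_t *streams[2] = { a, b };

    for (size_t k = 0; k < NSAMPLES; k++) {
        a[k] = triangle(k, 64, 24000);
        b[k] = triangle(k, 100, 24000);
    }
    return mix_streams(streams, 2, NSAMPLES,
                       equal_share ? share_weight(2) : UNIT, out);
}

int main(void)
{
    printf("peak of one stream alone:      %d\n",
           scale_sample(24000, share_weight(1)));
    printf("same peak with a second client: %d\n",
           scale_sample(24000, share_weight(2)));
    printf("clipped samples, equal share:  %zu\n", demo_clip_count(1));
    printf("clipped samples, full weight:  %zu\n", demo_clip_count(0));
    return 0;
}
```

The equal-share mix never clips, but each stream's level is halved as soon as a second client connects, which is the audible dip described in the thread; at full weight only the samples where both streams peak together are clipped.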
Interpreting strange pflog output
Hi, We have an older OpenBSD 3.9 firewall which we will be upgrading to 4.5 and as a part of the upgrade, we will be locking down our outgoing connections. As a first step, we have added some extra rules to log outgoing connections that are not specifically allowed by our current rule set. While monitoring the pflog output, I occasionally see output that looks like this: Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 73.243.0.0: at-#0 18 Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 73.37.0.0: at-#0 21 Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 73.126.0.0: at-#0 15 Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 73.229.0.0: at-#0 18 Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 73.229.0.0: at-#0 96 Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 73.174.0.0: at-#0 99 What first jumps out at me is the IP addresses which are not part of our network. The second thing that jumps out is the at-#0 18 notation. What does this mean? I'm assuming the number at the end is the packet size. What is the at-#0? Has anybody seen traffic like this? Should I be worried? Also, this output comes from tcpdump -n -e -ttt -i pflog0 ifname fxp1. Is there a way I can see the MAC address on these logged connections without doing a tcpdump on the physical interface? This is on 3.9 GENERIC#617 i386 with pf turned on, NTP server enabled and an OpenVPN server running. - Aner -- Aner Perez NCS Technologies, Inc
Re: DHCP versus PPPoE for ADSL.
Honestly, I think it is going to depend on your ISP. For example, Embarq a few years ago switched their 'Embarq' ISP to using a hybrid DHCP setup: (Whatever the DSLAM connects to)--PPPoE--DSLAM--DHCP--Modem--DHCP- So when you set the modem to 'Bridge' whatever was behind it was set to DHCP, not PPPoE. PPPoE no longer worked because the DSLAM took care of the PPPoE connection, not the modem anymore. If you were on someone who resold Embarq, then that reseller had to use PPPoE so that it routed back to the reseller correctly. Chris David Walker wrote: From: Claudio Jeker The main encapsulation over ADSL is PPPoE or PPPoA only lately, with the spread of IPTV and VDSL, EFM (Ethernet First Mile) is used by some telcos. So it totally depends on what your provider is giving you. Hi Claudio. Maybe I didn't explain myself or perhaps I am trying to explain something that doesn't make sense. I understand there are differing methods of getting the packets from the exchange to the premises, etcetera. Considering the existing popular method of PPPoE is there more than one way to collect those packets at the first adapter after the modem? My current scenario: DSLAM-PPPoE-Modem-TCP/IP-Router In this case, the relevant adapter on the router gets an IP address from the modem's DHCP server. All the PPPoE to IP transactions occur within the modem. The hostname.if file on the router: DHCP none none none The other scenario: DSLAM-PPPoE-Modem-PPPoE-Router In this case the relevant adapter on the router receives PPPoE encapsulated packets from the modem exactly as they are sent from the exchange. The modem does not do any PPPoE to IP conversion. The hostname.if file on the router merely says up. There is also an /etc/hostname.pppoe0 file on the router. This other scenario seems to be the intent of pppoe(4): This is often used to connect a router via a DSL modem to an access concentrator. The pppoe interface does not by itself transmit or receive frames, but needs an Ethernet interface to do so. This Ethernet interface is connected to the pppoe interface via ifconfig(8). The Ethernet interface needs to be marked UP, but does not need to have an IP address. So it is quite different from my current scenario - no IP address for a start. Am I reading all this correctly? Best wishes. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
aucat's volume-sharing algorithm
I'm playing with the new aucat. Or rather, running it, since unlike every other soundserver it doesn't require endless tweaking to just work. There is one issue I'm having, and I'm not sure if it's on purpose or not. Whenever (say) pidgin (or anything else) plays sound my music dims in volume. It makes sense the clients have to be turned down so two playing at 100% don't blow the speakers, but the trouble is the dip in sound is -really obvious-. I found -v volume Software volume attenuation of the playback stream. The value must be between 1 and 127, corresponding to -42dB and -0dB attenuation. In server mode, clients inherit this parameter. Reducing the volume in advance reduces a client's dynamic range, but allows client volume to stay independent from the number of clients as long as their number is small enough. A good compromise is to use -4dB attenuation (12 volume units) for each additional client expected (115 if 2 clients are expected, 103 for 3 clients, and so on). which I interpret as saying that if I run aucat as aucat -l -v 50 it should predim the volume of any client that connects so that the dip doesn't happen. If I'm right about that (which I'm not at all sure that I am) then aucat is behaving badly because I even tried giving -v 1 and heard no change at all.
Re: Transparent firewall (bridge) with DMZ + LAN
Sorry for the confusion. I understand that bridging is possible under OpenBSD but it's also my understanding that if I have interfaces A, B, and C, I can bridge A to either B or C, but not both. Is this correct? Referring to this topology: http://upload.wikimedia.org/wikipedia/commons/6/6f/DMZ_network_diagram_1_firewall.svg I would like to use this setup but with bridging on the firewall if at all possible. Am I able to keep my firewall acting as the choke point between all three segments (DMZ, LAN, EXT) while using bridges for transparency? Hope this makes a little more sense. On Fri, Apr 24, 2009 at 8:49 AM, Felipe Alfaro Solana felipe.alf...@gmail.com wrote: On Fri, Apr 24, 2009 at 12:12 PM, openbsder openbs...@gmail.com wrote: I am currently interested in setting up a three-legged network topology, using OBSD+PF as the firewall appliance. Originally, I was going to simply have the firewall equipped with three network cards: one for DMZ, one for LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was for a switch to be used on both DMZ and LAN, providing NAT on both segments. Pretty straight forward. Recently, it has been suggested that a transparent firewall implementation is ideal where possible. But as far as I understand, transparency is only available when the firewall acts as a bridge between TWO networks. How would I keep my DMZ and LAN both while using a bridging firewall. Is it even possible? What do you mean? Whether OpenBSD supports bridging? Whether PF supports L2-based filtering? Whether you can have two interfaces in a bridge and have, at the same time, L2-based filtering and L3-based filtering? By L2-based filtering I mean having the firewall inspect frames/packets from interfaces that are bridged together that do not have an IP address configured (i.e. L2-switching). -- http://www.felipe-alfaro.org/blog/disclaimer/
Re: Upgrade to -current
Toma: It depends where you use OpenBSD (desktop or server)
Actually the system is a Desktop on my laptop, but I am highly dependent on it for my programming work.
michael Neal: You should try and search the archives for that, it is answered thoroughly a couple of times.
Actually I read all of the FAQs (and searched the archives) about this and I know what the recommended approach is but that's so time consuming and I was looking for a shortcut to that!
michael: Recommends: exercise, eat healthy, reboot once in a while, and upgrade regularly :)
I agree with all of that except upgrading regularly! I only upgrade or patch if there is a security patch or highly needed feature, that's all about OpenBSD's approach to life IMHO! :)
Jan: Which new features are these and why do you need -current for that?
Actually I am pretty happy with 4.2 but every now and then I have some problems because of being out of date (e.g. daylight saving time). About new features I specially like ifconfig access point scanning capabilities which is quite important for me, having access to latest ports collection because some ports I need are not available on 4.2.
Lammert: A far better approach would be to backup the current machine, do a fresh install of 4.5 [from the CDs you pre-ordered], and then restore any needed files. Moving from 4.5 to -current should be much simpler
But then I have to install OpenOffice, eclipse, netbeans, firefox and all other ports from scratch right?
LEVAI: Upgrading thru the binary releases is not that tedious
I hope that's the case because my guess is I have to go along with the upgrade guidance and upgrade 4.2 4.3 4.4 and finally 4.5.
thanks for help guys.
Re: DHCP versus PPPoE for ADSL.
From: Stuart Henderson with one vendor implementation of this, it saves you from having a huge bunch of entries in your arp table... otherwise: control over the PPP session, maybe better logging, maybe access to ipv6 or multicast which could be a problem with some CPE modem/routers, and it puts most of the per user settings into the firewall, so it may make it easier to maintain spare modems/routers for a bunch of lines that you can just swap-out without reconfiguring. if you need that sort of thing. Thanks for answering all my questions. That's pretty much the implication of the man pages except for the IP6 which I haven't bumped into yet. :] My ISP is the first in Oz to implement dual stack and the only one so far. Of course that's neither here nor there as there are no domestic grade modems or routers that do native yet anyway. Everyone is tunneling in except for big business. It's all a crying shame really - RFC @ 1998 (year). Still if I can do IP6 from my router straight to PPPoE ... I will have to read some more on encapsulation. From: Chris Tankersley Honestly, I think it is going to depend on your ISP. Fortunately my ISP is very geek oriented. There would be nerds in their office tipping keyboards upside down and breaking pencils if they ever did this: So when you set the modem to 'Bridge' whatever was behind it was set to DHCP, not PPPoE. PPPoE no longer worked because the DSLAM took care of the PPPoE connection, not the modem anymore. After we got over the initial shock we might wonder if it really matters. I don't expect it does. Presumably this is what happens when people do that last mile as gigabit. http://www.internode.on.net/business/internet/corporate_internet/internode_ethernet/ Still, we are going FTTP here. Starts next year. So I expect to be running 100Mbps by around 2020. Right when native IP6 kicks in. :] http://www.pm.gov.au/media/Release/2009/media_release_0903.cfm Thanks fellers. That's plenty of food for thought. Best wishes.
Re: Can't install OpenOffice3 - pkg_add and make install fail on 4.5 -current
Hmmm, I upgraded to 23.4. snapshot and all dependencies are installed now, but I still can't make OpenOffice3. Does someone have the same problem?
Checking DLL ../unxobsd.pro/lib/check_libuno_sal.so.3 ...
/usr/obj/ports/openoffice-3.0.1/OOO300_m15/solver/300/unxobsd.pro/bin/checkdll:../unxobsd.pro/lib/check_libuno_sal.so.3: undefined symbol '__gxx_personality_v0' : ERROR: Cannot load specified object
dmake: Error code 1, while making '../unxobsd.pro/lib/libuno_sal.so.3'
And error for pkg_add is still the same:
Can't install openoffice-3.0.1p3: lib not found ICE.8.1
Don't know how to resolve this, because I upgraded to actual snapshot this morning and all other dependencies are installed on the system through ports after make install in /usr/ports/editors/openoffice3
On 22 April 2009 15:31 Tomáš Bodžár tomas.bod...@gmail.com wrote: I found another mirror for this file. Mirror which is in list for this packages is somewhat broken for me.
On 22 April 2009 15:16 Tomáš Bodžár tomas.bod...@gmail.com wrote: Can't get it either through curl. It stops on same place everytime
$ curl --retry 10 -o /usr/distfiles/xalan-j_2_7_0-bin.tar.gz http://archive.ap
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
36 12.8M 36 4808k 0 0 57667 0 0:03:54 0:01:25 0:02:29 60439
curl: (18) transfer closed with 8593310 bytes remaining to read
$ curl -v --retry 10 -o /usr/distfiles/xalan-j_2_7_0-bin.tar.gz http://archive
* About to connect() to archive.apache.org port 80 (#0)
* Trying 140.211.11.130... connected
* Connected to archive.apache.org (140.211.11.130) port 80 (#0)
GET /dist/xml/xalan-j/xalan-j_2_7_0-bin.tar.gz HTTP/1.1
User-Agent: curl/7.19.4 (i386-unknown-openbsd4.5) libcurl/7.19.4 OpenSSL/0.9.8k zlib/1.2.3 libidn/1.11
Host: archive.apache.org
Accept: */*
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 13:12:08 GMT
Server: Apache/2.2.9 (Unix)
Last-Modified: Mon, 08 Aug 2005 04:26:02 GMT
ETag: 9a24e2-ce3f9e-3fdcb71f1ea80
Accept-Ranges: bytes
Content-Length: 13516702
Content-Type: application/x-tar
{ [data not shown]
36 12.8M 36 4765k 0 0 57153 0 0:03:56 0:01:25 0:02:31 44244
* transfer closed with 8593310 bytes remaining to read
36 12.8M 36 4808k 0 0 57250 0 0:03:56 0:01:25 0:02:31 50560
* Closing connection #0
curl: (18) transfer closed with 8593310 bytes remaining to read
$
2009/4/22 Jacob Meuser jake...@sdf.lonestar.org: On Wed, Apr 22, 2009 at 01:05:59PM +0200, Tomáš Bodžár wrote: (SHA256) xalan-j_2_7_0-bin.tar.gz: FAILED Checksum mismatch for xalan-j_2_7_0-bin.tar.gz. (sha256) Make sure the Makefile and checksum file (/usr/ports/devel/jdk/1.5/distinfo) are up to date. If you want to fetch a good copy of this file from the OpenBSD main archive, type make REFETCH=true [other args]. *** Error code 1 make sure you're getting the whole file by checking that the size matches what's expected (in the distinfo file). iirc, I had to use wget to fetch that or else I'd end up with a short file. -- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org -- http://www.openbsd.org/lyrics.html
Re: RadiusClient
Hi, # pkg_info -Q radius freeradius-2.0.5 freeradius-iodbc-2.0.5 freeradius-ldap-2.0.5 freeradius-mysql-2.0.5 freeradius-pgsql-2.0.5 mod_auth_radius-1.5.7p4 p5-Authen-Radius-0.05p1 p5-Net-Radius-1.56 radiusd-cistron-1.6.7p1 radiusd-lucent-2.1p8 radiusniff-0.2 radiusreport-0.3b6p0 Can I use freeradius-2.0.5 to do what I want? Does this package contain the radius client? Thanks 2009/4/24 Paul Irofti bulib...@sdf.lonestar.org On Fri, Apr 24, 2009 at 09:05:32AM -0300, Bruno Galindro da Costa wrote: Hi all What is the radius client package for OpenBSD? What I need to do is provide pptpd auth with radius. My Radius Server is a Windows Server 2003. On Ubuntu and Debian the name of the package is radiusclient downloadable via apt-get. $ pkg_info -Q radius -- Regards, Bruno Galindro da Costa bruno.galin...@gmail.com Florianópolis - SC
Re: Yahoo videos on OpenBSD
It works really great. Thanks for the tip. Why I have gnash :-) 2009/4/20 Matthew Szudzik mszud...@andrew.cmu.edu: On Mon, Apr 20, 2009 at 07:46:42PM +0200, Tomáš Bodžár wrote: someone is watching Yahoo videos on OpenBSD? I use http://keepvid.com to download the video, then play it with mplayer. -- http://www.openbsd.org/lyrics.html
ftp-proxy IPSEC clients?
Hello Misc, I have an OpenBSD 4.4 firewall with some clients connecting via IPSEC. Some clients have flows established to servers not on the local LAN, and these clients are natted through the internet interface to access these servers. It's a bit convoluted, but things work, except of course for ftp. I configured the ftp-proxy for clients on the local lan and openvpn clients (tun0), but I cannot appear to use ftp-proxy with IPSEC clients (enc0). I want to use a line such as: rdr on enc0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021 When this is in place, IPSEC clients cannot even connect to the ftp server. I suspect there are some problems with this approach, since the man pages show matching with ipencap, but you can't do tcp port redirects with only ip encapsulated matching. I am at a bit of a loss here, and I'm wondering if there's anything I can do to proxy the IPSEC ftp traffic, or if there are any other options I have at this point. Thanks, Cam
Re: DHCP versus PPPoE for ADSL.
Konnichiwa. That is too easy. Took me all of two minutes to bridge my modem - RFC2684 BRIDGING instead of PPPoE BRIDGING - and do the /etc file changes. Happy as Larry (possibly happier) using pppoe(4). All I need to work out is hostname.pppoe0 INET6 wildcards. Especially what to export as the route. Any pointers on that eligible for smilies. :] Still I have a static IP, I'm sure I can plug that in. Best wishes.
Re: ftp-proxy IPSEC clients?
On Fri, Apr 24, 2009 at 12:17 PM, Cameron Schaus c...@schaus.ca wrote: I have an OpenBSD 4.4 firewall with some clients connecting via IPSEC. Some clients have flows established to servers not on the local LAN, and these clients are natted through the internet interface to access these servers. It's a bit convoluted, but things work, except of course for ftp. The IPsec flow is between the FTP client and the FTP server? Then by design, any intermediary will not be able to eavesdrop or alter packets in transit. I am at a bit of a loss here, and I'm wondering if there's anything I can do to proxy the IPSEC ftp traffic, or if there are any other options I have at this point. If you're okay with allowing arbitrary outgoing TCP connections and can live with only allowing clients to use passive FTP (I believe the default nowadays), then you shouldn't need ftp-proxy at all.
[ot] Re: sudo won't work with login_fingerprint
On Fri, Apr 24, 2009 at 03:28:34AM -0400, Nick Guenther wrote: omg we have finger print reader support??? ! yes, and it's really cool, since i've some quite sharp knives. (scnr)
E220 as 3G Internet Access
Unfortunately you can't use OpenBSD yet to connect to Vodafone's 3G internet mobile even if there is already a Huawei E220 shiny new driver. That is because OBSD has an archaic pppd implementation (ver. 2.3.5) which lacks some important parameters like usepeerdns, noipv6, etc. Ask the developers to update pppd at latest version 2.4.4 so we can all enjoy our favorite OS with Vodafone's 3G. Cheers !
Re: question about net.inet.carp.preempt
On Fri, Apr 24, 2009 at 3:32 AM, Imre Oolberg i...@auul.pri.ee wrote: Hallo! Thanks for the reply! I am also aware that one popular use of net.inet.carp.preempt is to control how the computer system as a whole reacts to errors like one physical interface goes dead. 'man carp' says about net.inet.carp.preempt: Allow virtual hosts to preempt each other. It is also used to failover carp interfaces as a group. When the option is enabled and one of the carp enabled physical interfaces goes down, advskew is changed to 240 on all carp interfaces. See also the first example. Disabled by default. What I was interested in mainly this time is the so to say practical meaning of the first sentence, in case how pair of carp interfaces in a carp group behave while .carp.preempt is not set or is set. I decided to dig a little bit deeper because sometimes I can't predict events when I add another vlan and carp interface to the running system (master for that particular carp device appears on the wrong side etc). It could be easily said to me that if you are so interested use the source but I am sorry the source is not much help for me, I am more about just a user. Imre Manual failover is simplified: node1 is master with advskew 0 and node2 is backup with advskew 100 Without carp.preempt, you have to take the master down or (I haven't tested this) increase its demotion counter. With carp.preempt, you can just change its advskew to 150 and watch node2 take over. -HKS
Re: ftp-proxy IPSEC clients?
Matthew Dempsky wrote: The IPsec flow is between the FTP client and the FTP server? Then by design, any intermediary will not be able to eavesdrop or alter packets in transit. The IPSec flow is between the FTP Client and a LAN, and the packets are then NAT'd to the internet and sent to the FTP server. I want to put an IPSEC link between the LAN and the FTP server, but I can't get this in place yet. If I could get this link set up, then there is no issue with the ftp, since there won't be any NAT taking place. If you're okay with allowing arbitrary outgoing TCP connections and can live with only allowing clients to use passive FTP (I believe the default nowadays), then you shouldn't need ftp-proxy at all. This is correct, passive ftp does work. Active doesn't work because the client puts their IP address into the PORT command, and the server can't connect back to this address. Unfortunately for me their custom application cannot use passive ftp. Cam
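The active-mode failure described in the message above, as an added example (not part of the thread and not ftp-proxy's code): it decodes the address a client embeds in PORT, compares it with the source address the server sees after NAT, and shows the substitution an FTP-aware proxy has to make. The addresses 10.8.0.6 and 203.0.113.10 and port 55000 are constructed.

```python
import ipaddress

# RFC 1918 ranges: addresses a server on the internet cannot connect back to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (IPv4Address, port)."""
    verb, _, arg = line.strip().partition(" ")
    fields = arg.split(",")
    if verb.upper() != "PORT" or len(fields) != 6:
        raise ValueError("not a well-formed PORT command: %r" % line)
    if not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError("PORT fields must be decimal octets: %r" % line)
    addr = ipaddress.IPv4Address(bytes(int(f) for f in fields[:4]))
    return addr, int(fields[4]) * 256 + int(fields[5])


def format_port(addr, port):
    """Inverse of parse_port: build the command line for addr and port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def diagnose(line, control_peer):
    """Compare the advertised data address with the source the server sees."""
    addr, port = parse_port(line)
    peer = ipaddress.IPv4Address(control_peer)
    return {
        "advertised": "%s:%d" % (addr, port),
        "private": any(addr in net for net in RFC1918),
        "matches_control_peer": addr == peer,
    }


def rewrite_for_nat(line, public_addr, public_port):
    """Substitute a reachable address and port in the PORT command.

    The device doing the rewrite must also forward public_addr:public_port
    to the client's original address and port, returned as the second item.
    """
    addr, port = parse_port(line)
    return format_port(public_addr, public_port), (str(addr), port)


# Constructed sample: IPsec client 10.8.0.6, NATed behind 203.0.113.10.
CLIENT_LINE = "PORT 10,8,0,6,195,80"

if __name__ == "__main__":
    print(diagnose(CLIENT_LINE, "203.0.113.10"))
    print(rewrite_for_nat(CLIENT_LINE, "203.0.113.10", 55000))
```

NAT changes only the packet headers, so the address inside the command stays private unless something on the control channel rewrites it; passive mode avoids the problem because the client opens the data connection itself.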
svnd is incredible slow... somebody else notice that?
I notice it for a while now that SVND is incredibly slow related to WRITE SPEED. Also I do see a lot of biowait with top related to newfs for example. vnconfig -cK -S saltfile /dev/sd0d /dev/svnd1c disklabel -E svnd1 - a a - r - w - q newfs /dev/rsvnd1a If you've several hundred GBs that's gonna take a long time. Also you can not restore a backup quickly because of the uberpoor write performance (it feels like being slower than PIO 3..). On the other hand softraid can not handle partitions. At least it won't do it... bioctl -c C -l /dev/sd0d softraid0 Heyho invalid metadata format.. So what other choices does an OpenBSD user have to encrypt a HDD? Also: Did nobody else notice that? Don't others use these functions? :-) And as a side note to softraid: Also it might be clever to add MORE than 1 softraid device. Some people might have more than 1 HDD... :-) Kind regards, Sebastian
Re: Interpreting strange pflog output
On Fri, Apr 24, 2009 at 7:53 AM, Aner Perez a...@ncstech.com wrote: ... While monitoring the pflog output, I occasionally see output that looks like this: Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18 Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21 ... What first jumps out at me is the IP addresses which are not part of our network. The second thing that jumps out is the at-#0 18 notation. What does this mean? I'm assuming the number at the end is the packet size. What is the at-#0? Has anybody seen traffic like this? Should I be worried? Those are Appletalk (Ethertalk) packets. 107.6.96.0 and such are Appletalk phase II addresses (with DDP protocol) and *not* IP addresses. Seems you have old Macs or Apple hardware on your net still doing the old stuff... Philip Guenther
Re: DHCP versus PPPoE for ADSL.
On 2009-04-24, David Walker davidianwal...@gmail.com wrote: Konnichiwa. That is too easy. Took me all of two minutes to bridge my modem - RFC2684 BRIDGING instead of PPPoE BRIDGING - and do the /etc file changes. Happy as Larry (possibly happier) using pppoe(4). All I need to work out is hostname.pppoe0 INET6 wildcards. Especially what to export as the route. Any pointers on that eligible for smilies. :] Still I have a static IP, I'm sure I can plug that in. Best wishes. I just added the address assigned to me into hostname.pppoe0: inet6 2001:4b10:1002:ff::1 64 !/sbin/route add -inet6 default 2001:4b10:1002:ff::1 I think you're supposed to do rtsol, but we don't support that on a device configured as a router. There is afaik no IPv6 address discovery mechanism done by PPP. You might have some fun with fragmentation, scrub max-mss is your friend. Sometimes.
Re: svnd is incredible slow... somebody else notice that?
sebastian.rother () jpberlin ! de wrote I notice it for a while now that SVND is incredibly slow related to WRITE SPEED. Also I do see a lot of biowait with top related to newfs for example. vnconfig -cK -S saltfile /dev/sd0d /dev/svnd1c disklabel -E svnd1 - a a - r - w - q newfs /dev/rsvnd1a There is certainly some slowdown for the encryption and extra filesystem overhead, but you can minimize it by making both filesystems (the upper one that sees plaintext, and the lower one that provides the underlying storage) ffs/ffs2 mounted softdep. softdep gives a *big* speedup on writes! Mounting with noatime as well may also help things a bit. I have been running laptops (Lenovo Thinkpad T42) with /home mounted this way for 6 months or so, and in ordinary use I don't notice any particular slowdown relative to my previous laptop system. (Though I haven't made any quantitative tests.) ciao, -- -- Jonathan Thornburg [remove -animal to reply] jth...@astro.indiana-zebra.edu Dept of Astronomy, Indiana University, Bloomington, Indiana, USA Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral. -- quote by Freire / poster by Oxfam
Re: E220 as 3G Internet Access
On 4/24/09, don cipo donc...@elmed.pub.ro wrote: Unfortunately you can't use OpenBSD yet to connect to Vodafone's 3G internet mobile even if there is already a Huawei E220 shiny new driver. That is because OBSD has an archaic pppd implementation (ver. 2.3.5) which lacks some important parameters like usepeerdns, noipv6, etc. Ask the developers to update pppd at latest version 2.4.4 so we can all enjoy our favorite OS with Vodafone's 3G. Cheers ! Where's your evidence? I'm not convinced you're right [1] error messages and configuration files that caused the failure might help get the issue fixed - if there is one. Fred [1] http://marc.info/?l=openbsd-miscw=2r=1s=E220q=b -- http://www.crowsons.com/puters/E169.htm
Re: svnd is incredible slow... somebody else notice that?
On Fri, Apr 24, 2009 at 6:12 PM, sebastian.rot...@jpberlin.de wrote: If you've several hundred GBs that's gonna take a long time. Also you can not restore a backup quickly because of the uberpoor write performance (it feels like being slower than PIO 3..). crypto is slow. what else is new? So what other choices does an OpenBSD user have to encrypt a HDD? Also: Did nobody else notice that? Don't others use these functions? :-) Has nobody noticed that in the history of disk encryption with openbsd, the features have never been developed by people with a pressing need for the feature? And that the people who seem to need the feature have contributed nothing but whining? And as a side note to softraid: Also it might be clever to add MORE than 1 softraid device. Some people might have more than 1 HDD... :-) So what if they do?
Re: RadiusClient
On 2009-04-24, Bruno Galindro da Costa bruno.galin...@gmail.com wrote: # pkg_info -Q radius freeradius-2.0.5 freeradius-iodbc-2.0.5 freeradius-ldap-2.0.5 freeradius-mysql-2.0.5 freeradius-pgsql-2.0.5 mod_auth_radius-1.5.7p4 p5-Authen-Radius-0.05p1 p5-Net-Radius-1.56 radiusd-cistron-1.6.7p1 radiusd-lucent-2.1p8 radiusniff-0.2 radiusreport-0.3b6p0 Can I use freeradius-2.0.5 to do what I want? This package contains the radius client? no, that's a server. I've got a work-in-progress port of freeradius-client, but it's not ready for public consumption yet.
DCBSDCon 2009 Videos
As announced on Undeadly, the speaker videos for DCBSDCon 2009 are now available on YouTube and the conference website. http://undeadly.org/cgi?action=articlesid=20090424204748 http://www.youtube.com/profile?user=bsdconferencesview=videosquery=dcbsdcon http://www.dcbsdcon.org/speakers/videos/ Will Backman (bsdtalk) has also posted audio from the conference. http://cisx1.uma.maine.edu/~wbackman/bsdtalk/DCBSDCon2009/ I'd like to also express my gratitude to Todd Fries (todd@) for his assistance with encoding videos in OpenBSD. Needless to say I won't be doing any more multimedia work in OS X. :) -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: svnd is incredible slow... somebody else notice that?
You are right about how awful all this stuff is. Man it seems like you should use an os that suits your goals a little better. I have heard that Linux offers awesome performance. On Apr 24, 2009, at 17:12, sebastian.rot...@jpberlin.de wrote: I notice it for a while now that SVND is incredibly slow related to WRITE SPEED. Also I do see a lot of biowait with top related to newfs for example. vnconfig -cK -S saltfile /dev/sd0d /dev/svnd1c disklabel -E svnd1 - a a - r - w - q newfs /dev/rsvnd1a If you've several hundred GBs that's gonna take a long time. Also you can not restore a backup quickly because of the uberpoor write performance (it feels like being slower than PIO 3..). On the other hand softraid can not handle partitions. At least it won't do it... bioctl -c C -l /dev/sd0d softraid0 Heyho invalid metadata format.. So what other choices does an OpenBSD user have to encrypt a HDD? Also: Did nobody else notice that? Don't others use these functions? :-) And as a side note to softraid: Also it might be clever to add MORE than 1 softraid device. Some people might have more than 1 HDD... :-) Kind regards, Sebastian
Re: [Way OT] Roadtrip...
On Fri, 24 Apr 2009, Nick Bender wrote: Apologies to most people who won't give a shit but I'm finally moving to New Mexico and am posting updates at http://nbender.com more or less daily as we make our way across the country. Regards, -N OMG!!! You're moving to New Mexico, Osta no less. Next thing I know you'll be spouting crazy things about hearing some hum. diana
How to disable output to speakers if I use headphones on azalia?
Hi all, someone know how to disable sound output to speakers if I use headphones? I have sound from both sources and if I raise outputs.master both sources are louder which is bad if I'm at work. I can't find a useful switch in mixerctl -v and Google doesn't help yet $ mixerctl -v outputs.hp_source=dac [ dac dac2 mix2 ] outputs.hp_boost=off [ off on ] outputs.mic_dir=input-vr80 [ none input input-vr0 input-vr50 input-vr80 ] outputs.spkr_source=dac [ dac dac2 mix2 ] outputs.mic2_dir=input-vr80 [ none input input-vr0 input-vr50 input-vr80 ] outputs.line_source=dac [ dac dac2 mix2 ] inputs.dac_mute=off [ off on ] inputs.dac=140,140 inputs.dac2_mute=off [ off on ] inputs.dac2=126,126 inputs.sel_source=dac [ dac dac2 mix2 ] inputs.mix2_source=dac,dac2,sel2,sel3 { dac dac2 sel2 sel3 } inputs.mix2_dac=120,120 inputs.mix2_dac2=120,120 inputs.mix2_sel2=120,120 inputs.mix2_sel3=120,120 inputs.sel2_source=mic [ mic mic2 ] outputs.sel2=85,85 inputs.sel3_source=mic [ mic mic2 ] outputs.sel3=85,85 record.adc_source=sel2 [ sel2 mix2 mic3 ] record.adc_mute=off [ off on ] record.adc=119,119 record.adc2_source=sel3 [ sel3 mix2 mic3 ] record.adc2_mute=off [ off on ] record.adc2=119,119 inputs.beep_mute=off [ off on ] inputs.beep=85 outputs.hp_sense=plugged [ unplugged plugged ] outputs.mic_sense=unplugged [ unplugged plugged ] outputs.mic2_sense=unplugged [ unplugged plugged ] outputs.line_sense=unplugged [ unplugged plugged ] outputs.master=140,140 outputs.master.mute=off [ off on ] outputs.master.slaves=dac { dac dac2 mic3 sel2 sel3 beep } record.volume=119,119 record.volume.mute=off [ off on ] record.volume.slaves=adc,adc2 { adc adc2 } $ $ audioctl name=HD-Audio version=1.0 config=azalia0 encodings=slinear_le:16,slinear_le:20,slinear_le:24 properties=full_duplex,independent full_duplex=0 fullduplex=0 blocksize=17536 hiwat=2 lowat=1 output_muted=0 monitor_gain=0 mode= play.rate=44100 play.channels=2 play.precision=16 play.encoding=slinear_le play.gain=140 play.balance=32 play.port=0x0 play.avail_ports=0x0 play.seek=0 play.samples=0 play.eof=0 play.pause=0 play.error=0 play.waiting=0 play.open=0 play.active=0 play.buffer_size=65536 play.block_size=17536 play.errors=0 record.rate=48000 record.channels=2 record.precision=16 record.encoding=slinear_le record.gain=119 record.balance=32 record.port=0x0 record.avail_ports=0x0 record.seek=0 record.samples=0 record.eof=0 record.pause=0 record.error=0 record.waiting=0 record.open=0 record.active=0 record.buffer_size=65536 record.block_size=9600 record.errors=0 $ $ dmesg | grep azalia azalia0 at pci0 dev 27 function 0 Intel 82801I HD Audio rev 0x03: apic 2 int 21 (irq 11) azalia0: codecs: IDT 92HD71B7, Intel/0x2802, using IDT 92HD71B7 audio0 at azalia0 $ -- http://www.openbsd.org/lyrics.html
Re: How to disable output to speakers if I use headphones on azalia?
On Sat, Apr 25, 2009 at 05:59:29AM +0200, Tomáš Bodžár wrote: Hi all, someone know how to disable sound output to speakers if I use headphones? I have sound from both sources and if I raise outputs.master both sources are louder which is bad if I'm at work. I can't find a useful switch in mixerctl -v and Google doesn't help yet $ mixerctl -v outputs.hp_source=dac [ dac dac2 mix2 ] outputs.spkr_source=dac [ dac dac2 mix2 ] inputs.dac_mute=off [ off on ] inputs.dac2_mute=off [ off on ] outputs.master.slaves=dac { dac dac2 mic3 sel2 sel3 beep } $ mixerctl outputs.spkr=dac2 $ mixerctl outputs.dac2_mute=on the second command probably isn't really needed. -- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org
Re: How to disable output to speakers if I use headphones on azalia?
Great. Second command is not needed. Those shortcuts are still somewhat cryptic :-) I wasn't sure about it. Are they described somewhere in man? They aren't described in mixerctl(1), audio(4) or audio(9). Or I can't see them in format of mixerctl output 2009/4/25 Jacob Meuser jake...@sdf.lonestar.org: On Sat, Apr 25, 2009 at 05:59:29AM +0200, Tomáš Bodžár wrote: Hi all, someone know how to disable sound output to speakers if I use headphones? I have sound from both sources and if I raise outputs.master both sources are louder which is bad if I'm at work. I can't find a useful switch in mixerctl -v and Google doesn't help yet $ mixerctl -v outputs.hp_source=dac [ dac dac2 mix2 ] outputs.spkr_source=dac [ dac dac2 mix2 ] inputs.dac_mute=off [ off on ] inputs.dac2_mute=off [ off on ] outputs.master.slaves=dac { dac dac2 mic3 sel2 sel3 beep } $ mixerctl outputs.spkr=dac2 $ mixerctl outputs.dac2_mute=on the second command probably isn't really needed. -- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org -- http://www.openbsd.org/lyrics.html
Re: How to disable output to speakers if I use headphones on azalia?
On Sat, Apr 25, 2009 at 06:55:12AM +0200, Tomáš Bodžár wrote: Great. Second command is not needed. Those shortcuts are still somewhat cryptic :-) I wasn't sure about it. Are they described somewhere in man? They aren't described in mixerctl(1), audio(4) or audio(9). Or I can't see them in format of mixerctl output there really has never been strict naming of the mixer controls, but audio(4) does suggest some guidelines, which the drivers mostly follow. there are also some hints in mixerctl.conf(5). 2009/4/25 Jacob Meuser jake...@sdf.lonestar.org: On Sat, Apr 25, 2009 at 05:59:29AM +0200, Tomáš Bodžár wrote: Hi all, someone know how to disable sound output to speakers if I use headphones? I have sound from both sources and if I raise outputs.master both sources are louder which is bad if I'm at work. I can't find a useful switch in mixerctl -v and Google doesn't help yet $ mixerctl -v outputs.hp_source=dac [ dac dac2 mix2 ] outputs.spkr_source=dac [ dac dac2 mix2 ] inputs.dac_mute=off [ off on ] inputs.dac2_mute=off [ off on ] outputs.master.slaves=dac { dac dac2 mic3 sel2 sel3 beep } $ mixerctl outputs.spkr=dac2 $ mixerctl outputs.dac2_mute=on the second command probably isn't really needed. -- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org -- http://www.openbsd.org/lyrics.html -- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org