Re: powering off with shutdown -hp?

2009-10-29 Thread Fred Snurd
Rene wrote:
 You can try to disable apm in the kernel config. 

Christian wrote:
 Remco wrote:
 If I remember correctly, the following hack in /etc/sysctl.conf worked for
 me on a Pentium II machine:
 machdep.apmhalt=1 # 1=powerdown hack, try if halt -p doesn't work

 It does work for my Pentium III-based Thinkpad A20m.

Both methods worked!  Either by disabling apm at UKC or by editing sysctl.conf.

Theo wrote:
 There is a sophisticated heuristic in play.

Thanks for jogging my memory!  Not that the following describes all the gory 
details, but part of this heuristic is based on the SMBIOS version.  Single 
processor system older than 2.4 (mine's 2.1) gets APM:

http://marc.info/?l=openbsd-techm=124545473209570w=2

If anyone cares to indulge me further, is there any preference/advantage of 
going with ACPI over APM?

Thanks again for such a great operating system!  I'm always amazed at how 
OpenBSD helps keep old systems usable!



Re: Tomorrow: Amsterdam OpenBSD 4.6 release party!

2009-10-29 Thread Otto Moerbeek
On Wed, Oct 28, 2009 at 02:08:07PM +0100, chefren wrote:

 Tomorrow, Thursday 29th of October:
 
 Cafe de Deugniet Oude Brugsteeg 12, 1012 JP Amsterdam
 
 http://maps.google.nl/maps?f=qhl=enq=Oudebrugsteeg+12,+Amsterdam+1012+Amsterdam,+North+Holland,+The+Netherlandssll=52.469397,5.509644sspn=3.741684,6.097412ie=UTF8cd=1geocode=0,52.375293,4.897561t=hz=17iwloc=addr
 
 
 18:00 gathering in front of De Deugniet, we will find some food in the
 neighborhood that has lots of places where we can eat.
 
 From 20:00 on we will gather into De Deugniet itself and have a drink on
 OpenBSD 4.6!
 
 +++chefren

Unfortunately I cannot be there, but have a good time.

-Otto



Re: Tomorrow: Amsterdam OpenBSD 4.6 release party!

2009-10-29 Thread Otto Moerbeek
On Thu, Oct 29, 2009 at 07:54:10AM +0100, Otto Moerbeek wrote:

 On Wed, Oct 28, 2009 at 02:08:07PM +0100, chefren wrote:
 
  Tomorrow, Thursday 29th of October:
  
  Cafe de Deugniet Oude Brugsteeg 12, 1012 JP Amsterdam
  
  http://maps.google.nl/maps?f=qhl=enq=Oudebrugsteeg+12,+Amsterdam+1012+Amsterdam,+North+Holland,+The+Netherlandssll=52.469397,5.509644sspn=3.741684,6.097412ie=UTF8cd=1geocode=0,52.375293,4.897561t=hz=17iwloc=addr
  
  
  18:00 gathering in front of De Deugniet, we will find some food in the
  neighborhood that has lots of places where we can eat.
  
  From 20:00 on we will gather into De Deugniet itself and have a drink on
  OpenBSD 4.6!
  
  +++chefren
 
 Unfortunately I cannot be there, but have a good time.
 
   -Otto

Ehh, I missed the Cc: to m...@.

The message says: Unfortunately I cannot be there, but have a good time.

-Otto



Re: Any way to force IP to be assigned only if MAC matches?

2009-10-29 Thread Toni Mueller
Hi,

On Wed, 28.10.2009 at 17:29:36 -0500, Andres Salazar ndrsslz...@gmail.com 
wrote:
 I have DHCP enabled on my LAN, which assigns an IP according to the
 client's MAC address; however, if a user wanted to be malicious he could
 statically assign any IP to his NIC.

he then has root access to the box.

 Isn't there any way I can force my ARP tables to only allow IPs to be
 assigned if the MAC address matches?

Some switches offer this kind of functionality, but they're not exactly
cheap.


Kind regards,
--Toni++



Re: Any way to force IP to be assigned only if MAC matches?

2009-10-29 Thread nick
Google "802.1x port authentication", then see if your switch is capable of
doing it (eBay might get you a switch that can).

It'd block the rogue machine at the switch connection.

NB: it's possible to change MAC addresses on machines, so it's not really
very secure. It's more of an inconvenience.


On Thu, 29 Oct 2009 09:36:02 +0100, Toni Mueller openbsd-m...@oeko.net
wrote:
 Hi,
 
 On Wed, 28.10.2009 at 17:29:36 -0500, Andres Salazar
ndrsslz...@gmail.com
 wrote:
 I have DHCP enabled on my LAN, which assigns an IP according to the
 client's MAC address; however, if a user wanted to be malicious he could
 statically assign any IP to his NIC.
 
 he then has root access to the box.
 
 Isn't there any way I can force my ARP tables to only allow IPs to be
 assigned if the MAC address matches?
 
 Some switches offer this kind of functionality, but they're not exactly
 cheap.
 
 
 Kind regards,
 --Toni++
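Short of 802.1X at the switch, one thing the OpenBSD box itself can do is audit for exactly the condition Andres describes: an address in use by a MAC other than the one reserved for it. The script below is an added example, not code posted by anyone in this thread. It assumes a reservation list of "ip mac" pairs (what you would pull from the hardware ethernet / fixed-address pairs in dhcpd.conf) and compares it against arp -an style output; the reservation and ARP lines in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from this thread): audit the local ARP table against the
# DHCP reservations so that an address in use by a MAC other than the one
# reserved for it is flagged. Detection only; it does not block anything.

# Constructed reservation list, one "ip mac" per line (the pairs you would
# derive from "hardware ethernet" / "fixed-address" in dhcpd.conf).
RESERVATIONS='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66
192.168.1.12 00:11:22:33:44:77'

# Constructed sample in the shape of `arp -an` output (header included).
ARP_SNAPSHOT='Host                 Ether Address      Netif Expire     Flags
192.168.1.10         00:11:22:33:44:55  em0   19m52s
192.168.1.11         aa:bb:cc:dd:ee:ff  em0   12m03s
192.168.1.13         00:11:22:33:44:88  em0   5m10s'

# audit_arp RESERVATIONS ARP_OUTPUT
# Prints one line per anomaly and nothing when the table is clean:
#   MISMATCH <ip> reserved=<mac> seen=<mac>   reserved IP answered by another MAC
#   UNKNOWN  <ip> seen=<mac>                  IP in use that has no reservation
audit_arp() {
    printf '%s\n' "$1" | awk -v arp="$2" '
        NF >= 2 { reserved[$1] = tolower($2) }
        END {
            n = split(arp, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                ip = f[1]; mac = tolower(f[2])
                if (ip !~ /^[0-9.]+$/) continue      # skip header and blank lines
                if (!(ip in reserved))
                    printf "UNKNOWN %s seen=%s\n", ip, mac
                else if (reserved[ip] != mac)
                    printf "MISMATCH %s reserved=%s seen=%s\n", ip, reserved[ip], mac
            }
        }'
}

# Demo run over the constructed data; on a live host use "$(arp -an)" instead.
audit_arp "$RESERVATIONS" "$ARP_SNAPSHOT"
```

Run it from cron as audit_arp "$RESERVATIONS" "$(arp -an)" and log or alert on any output. It is a signal, not enforcement: as nick notes, a machine that also forges its MAC will look exactly like the reserved host, so this catches the casual static-IP case only, and 802.1X at the port remains the control that actually keeps the machine off the wire.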



Re: carp master - backup problem

2009-10-29 Thread Georg Kahest
Hello, I noticed that my netstat -s -p carp shows 1068 discarded for bad
authentication.
My carp works okay otherwise, but should I worry about it? How do I debug
it?


Bryan Irvine wrote:

VVV

  372 discarded for unknown vhid


I know someone else already pointed it out but this is worth drawing
your attention to as well.

-B




GREAT SUCCESS OF JACARONI JYI 64rs

2009-10-29 Thread WEST PRESS AGENCY

Huge success and interest around the newly-born, totally custom
JYI64RS, created by Jacaroni Yacht International. Also at Genoa's
49th International Boat Show – after her September presentation at
Cannes' Festival de la Plaisance – sea lovers and the elite in this
sector's economy were left speechless before the sumptuous sailing yacht.
The boat, made in composite, is especially conceived for those who love
dynamism and freedom and based on an accurate choice of the materials,
safety, comfort and respect for the environment. The JYI64RS is an Ocean
Cruiser, designed to go around the world in luxury. She immediately
ranked at the top of the international yachting market.
The yacht has unique sea-keeping and safety-on-board characteristics: she
is equipped with an internal steering with joystick and two external
steering posts; she has a semi-automatised sailing plan, four cabins,
four bathrooms and a very spacious and bright saloon, organised in
different levels. Her revolutionary project and concept are made even
more valuable by advanced technological solutions.
“Jacaroni Yachts” is an Italian group designing and building maxi- and
mega-yachts, totally custom, giving the unique opportunity to make each
single detail personal. They love rediscovering the past and offering
fascinating timeless yachts.
The new custom JYI64RS has a l.o.a. of 20m, 4 cabins/4 bathrooms,
automatised sailing plan (technology from New Zealand) with Leisurefurl
Boom for main sail, self-tacking genoa and electric gennaker; highly
optimised propulsion system, designed to reach an average speed of 9kn
with an extremely low fuel consumption; hand-made teak deck; cockpit
table with integrated screen, keyboard and engine panel; Raymarine
G-series multimedia and navigation system.
The triple-tension electric system has an integrated control of CAN BUS
systems and she is also equipped with a Faraday gauge and water chilled
climate control system with integrated fuel tank.
The JYI64RS has a highly refined bow, double chain with
“easy-maneuvering” chain release system, bow thruster and electronic
propulsion control.
The stern main cabin has a queen-size berth and leather couch, Indonesian
teak in the bathroom, separate shower stall, table with chair. Twin bow
cabins with side double berths and private bathroom, shared shower.
Central fourth cabin with two berths for the crew. Internet area with
leather seat and bar underneath internal steering, “terrace-on-the-sea”
raised saloon.
In a world of dreams, the reality of luxury!


Re: wpa and wi

2009-10-29 Thread Steve Shockley

On 10/29/2009 12:34 AM, Rafael Ferreira Neves wrote:

It's better to figure out what the chipset of your wireless card is
and then search the man pages to discover whether WPA or WPA2 is
supported for your card.


Thanks for the reply.  I meant wi(4), and while the man page doesn't 
specifically say anything about wpa, I didn't know if it was hardware 
dependent or driver dependent.




There's no memory of... Week 44

2009-10-29 Thread USBPortugal.com
If you cannot view this newsletter, please click here | To remove your
email from our database click here

Click on the image to request a quote

Email sent to: misc@openbsd.org

This email is intended solely and exclusively to inform USBPortugal.com
customers or potential customers and should not be considered SPAM.
If you have received this message inadvertently and do not wish to receive
further information, click here or forward this email back to us with the
subject REMOVER.
You must make the removal request from the email address that is in our
database; otherwise we will be unable to process it.
This email complies with Decree-Law 67/98 of 26 October, articles 10 and
11 (Regulation of automated data processing).



Re: Problems with 4.5 as a KVM guest

2009-10-29 Thread Toni Mueller
Hi,

On Tue, 14.07.2009 at 11:27:13 -0600, Bob Beck b...@openbsd.org wrote:
 and/or ask the linux people to fix KVM to make it really a PC.

I'm running kvm 85+dfsg-4~bpo5 and see the following interesting
behaviour with OpenBSD 4.6:

* /bsd.rd runs just fine, using the ne(4) driver, but
* /bsd (the uni-processor kernel) locks up hard during, or just
  after booting, showing ne3: timeout (or similar) messages
  white-on-blue in between.

Any ideas about what specifically to ask the Linux folks, please?

-- 
Kind regards,
--Toni++



Anti-Ageing Treatment - limited offer

2009-10-29 Thread Alexandra Paisana
An incredible anti-ageing treatment that can now be found in Europe and
that promises to fulfil the dream of everyone who truly wants to stay
young and in shape for as long as possible.

For a limited period, the Centro Especial Saúde is giving away, free of
charge, an anti-ageing treatment worth 39€ to the first 500 people who
request it.

Follow this link:
www.netpromouter.net/envelhecimento.html



Only 3 more days of super discounts for Her and Him

2009-10-29 Thread E-topshop
Top Shop

Home | Get fit | Household | Healthy living | Beauty | Books | Quelle

Hurry, only 3 days remain until the October Super offer expires!

For ladies - Dry Cooker pan with 10% off

For ladies - Rina's parts 1 and 2 with 15% off

For ladies - Velform Enhance Bra with laundry bags as a gift

For gentlemen - Perfect Pushup with 10% off

For gentlemen - Micro Force shaver with 10% off

For gentlemen - Mighty Putty repair set with 10% off

Super discount for her and him

Leg Magic Super: -10%
Until 15 November the price is 8.091 RSD
Order now!

Leg Magic Super

Multifunctional Bench: -10%
Until 15 November the price is 6.741 RSD
Order now!

MultiFunctional Bench

Satisfaction guarantee
Risk-free shopping!

Delivery to your address
Via the Post Express courier service

Secure shopping! You pay for the products on delivery

Shop and save
Special online offers and discounts

You are receiving this e-mail because you voluntarily left your e-mail
address on one of the Top Shop sites, took part in our gift game or prize
quiz, or signed up for the e-magazine of Top Shop or one of our brands.

The offers in this e-mail apply exclusively to orders placed via the
Internet or by telephone on 021 489 26 60.

If you no longer wish to receive our electronic messages, click here to
unsubscribe from our e-mailing list.

Studio Moderna d.o.o., Bulevar vojvode Stepe 30, 21000 Novi Sad, Tel: 021
489 26 60, Fax: 021 489 29 08,
E-mail: i...@news.e-topshop.tv

If you would no longer like to receive our emails please
unsubscribe by clicking here.



Re: Problems with 4.5 as a KVM guest

2009-10-29 Thread John Jackson
On Thu, Oct 29, 2009 at 12:18:40PM +0100, Toni Mueller wrote:
 Hi,
 
 On Tue, 14.07.2009 at 11:27:13 -0600, Bob Beck b...@openbsd.org wrote:
  and/or ask the linux people to fix KVM to make it really a PC.
 
 I'm running kvm 85+dfsg-4~bpo5 and see the following interesting
 behaviour with OpenBSD 4.6:
 
 * /bsd.rd runs just fine, using the ne(4) driver, but
 * /bsd (the uni-processor kernel) locks up hard during, or just
   after booting, showing ne3: timeout (or similar) messages
   white-on-blue in between.
 
 Any ideas about what specifically to ask the Linux folks, please?
 
 -- 
 Kind regards,
 --Toni++
 

Try setting the NIC to e1000 on your KVM command line.

John



Re: Secure way to delete data in hard disc

2009-10-29 Thread Jacob Yocom-Piatt

Noah Pugsley wrote:
Can I interest you in a pair of steganograpanties? Or for cooler 
weather, steganograpantaloons?



are you suggesting there are messages hidden in pictures of beck's ass?

the russians will be very upset. you should have taken thermite to those 
disks...




Marco Peereboom wrote:

They'll use it as torture material during the next krieg.

On Wed, Oct 28, 2009 at 04:48:28PM -0600, Bob Beck wrote:

What, you have pictures of my ass too?

Obviously I must make something to write a random pattern over my
entire ass so that It won't be recognized if some germans steal it.




Re: Secure way to delete data in hard disc

2009-10-29 Thread Vadim Zhukov
On 29 October 2009 c. 15:34:42 Jacob Yocom-Piatt wrote:
 Noah Pugsley wrote:
  Can I interest you in a pair of steganograpanties? Or for cooler
  weather, steganograpantaloons?

 are you suggesting there are messages hidden in pictures of beck's
 ass?

 the russians will be very upset. you should have taken thermite to
 those disks...

Yes, we're very, very upset! Personally I'm going to my two handy bears
now, to drink vodka Putinka and think about using SA-20 as a hard disc
destroyer device...

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: printing

2009-10-29 Thread David Walker
Fred Crowson fred.crowson () googlemail ! com scrivere:
 On 10/28/09, igor denisov denisovigor1...@rambler.ru wrote:
 Hi, there,
 I have this and no idea what to do
 lpq
 Warning: no daemon present
 Rank   Owner  Job   Files              Total Size
 1st    me     14    (standard input)

 regards
 --
 igor denisov.

Read the man pages?

This is correct.

Have a look at 'man lpq' (your original command):
DESCRIPTION
 lpq examines the spooling area used by lpd(8) for printing files on the
 line printer, and reports the status of the specified jobs or all jobs
 associated with a user.  Etcetera ...

You guessed it, go to 'man lpd':
DESCRIPTION
 lpd is the line printer daemon (spool area handler) and is normally
 invoked at boot time from the rc(8) file.  Etcetera ...

Therefore, look at 'man rc'. Coincidentally lpd is the provided sample:
CONFIGURATION EXAMPLES
 The rc.conf(8) file etcetera ...

 For example, the lpd(8) daemon is controlled by the following line:

   lpd_flags=NO            # for normal use: "" (or "-l" for debugging)

 This does not start lpd(8) at system startup.  To start lpd(8), the
 following entry can be used:

   lpd_flags=""            # for normal use: "" (or "-l" for debugging)

 Alternately, lpd(8) can be started with the -l flag (to log remote
 connections):

   lpd_flags="-l"          # for normal use: "" (or "-l" for debugging)

I don't print but I suspect that your problem is your rc.conf(.local).

# cat rc.conf | grep lpd
lpd_flags=NO            # for normal use: "" (or "-l" for debugging)

Have a look there for starters.

Best wishes.



Re: Problems with 4.5 as a KVM guest

2009-10-29 Thread Michiel van Baak
On 12:18, Thu 29 Oct 09, Toni Mueller wrote:
 Hi,
 
 On Tue, 14.07.2009 at 11:27:13 -0600, Bob Beck b...@openbsd.org wrote:
  and/or ask the linux people to fix KVM to make it really a PC.
 
 I'm running kvm 85+dfsg-4~bpo5 and see the following interesting
 behaviour with OpenBSD 4.6:
 
 * /bsd.rd runs just fine, using the ne(4) driver, but
 * /bsd (the uni-processor kernel) locks up hard during, or just
   after booting, showing ne3: timeout (or similar) messages
   white-on-blue in between.
 
 Any ideas about what specifically to ask the Linux folks, please?

Set the NIC to e1000 in KVM


-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?



Re: wpa and wi

2009-10-29 Thread Ted Unangst
On Thu, Oct 29, 2009 at 6:54 AM, Steve Shockley
steve.shock...@shockley.net wrote:
 On 10/29/2009 12:34 AM, Rafael Ferreira Neves wrote:

 It's better to figure out what the chipset of your wireless card is
 and then search the man pages to discover whether WPA or WPA2 is
 supported for your card.

 Thanks for the reply.  I meant wi(4), and while the man page doesn't
 specifically say anything about wpa, I didn't know if it was hardware
 dependent or driver dependent.

Depends on the driver. Back in the day, wi was awesome and supported
all the fun stuff, but it still doesn't use the generic 802.11 stack
which is a requirement for WPA support.



Script to ping, traceroute a destination and record the time

2009-10-29 Thread Kasper Adel
Hi,

I am trying to troubleshoot a problem that is totally random, and the one
idea that would help me is to have a bash script that will ping a few
destinations every minute, then do a traceroute to these destinations, and
record the time and all that output in a file. Then the whole process would
repeat every minute.

This way, I'll be able to look at the script at the end of each day and find
out if these destinations were reachable when a problem was reported.

The problem/disconnect happens for a few minutes only.

Can anyone help me get a script to do that?

Thanks,
Kim



Re: Script to ping, traceroute a destination and record the time

2009-10-29 Thread Toni Mueller
Hi,

On Thu, 29.10.2009 at 16:26:49 +0200, Kasper Adel karim.a...@gmail.com wrote:
 I am trying to troubleshoot a problem that is totally random, and the one
 idea that would help me is to have a bash script that will ping a few
 destinations every minute, then do a traceroute to these destinations, and
 record the time and all that output in a file. Then the whole process would
 repeat every minute.

I don't know what exactly you are going to do with the traceroute,
which is both hard to implement, given your timing requirements, and
tedious to evaluate, but if you could be content with pings and packet
loss, I can recommend using Smokeping with aggressive settings, and/or
some other things to trigger a traceroute in case of a problem.


Kind regards,
--Toni++



Re: Script to ping, traceroute a destination and record the time

2009-10-29 Thread Jason Dixon
On Thu, Oct 29, 2009 at 04:26:49PM +0200, Kasper Adel wrote:
 Hi,
 
 I am trying to troubleshoot a problem that is totally random, and the one
 idea that would help me is to have a bash script that will ping a few
 destinations every minute, then do a traceroute to these destinations, and
 record the time and all that output in a file. Then the whole process would
 repeat every minute.
 
 This way, I'll be able to look at the script at the end of each day and find
 out if these destinations were reachable when a problem was reported.
 
 The problem/disconnect happens for a few minutes only.
 
 Can anyone help me get a script to do that?

If you can't whip this up yourself in a matter of 2 minutes they
have the wrong person debugging it.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Script to ping, traceroute a destination and record the time

2009-10-29 Thread John Jackson
On Thu, Oct 29, 2009 at 04:26:49PM +0200, Kasper Adel wrote:
 Hi,
 
 I am trying to troubleshoot a problem that is totally random, and the one
 idea that would help me is to have a bash script that will ping a few
 destinations every minute, then do a traceroute to these destinations, and
 record the time and all that output in a file. Then the whole process would
 repeat every minute.

You may want to look at 'mtr' or 'mtr-tiny'.  They should be in ports.

 
 This way, I'll be able to look at the script at the end of each day and find
 out if these destinations were reachable when a problem was reported.
 
 The problem/disconnect happens for a few minutes only.
 
 Can anyone help me get a script to do that?
 
 Thanks,
 Kim
 

John



NTP not functioning for me.

2009-10-29 Thread David Walker
Bonjour.

I have one of those little box peecees - no battery = no clock.
Regardless, I wish to use OpenNTPD to organize time.
My ISP kindly provides an ntp server.

# uname -rsv
OpenBSD 4.6 GENERIC#58

During boot I see this:
starting network
add net default: gateway 0.0.0.1
starting system logger
starting initial daemons: ntpd.

This sits there for maybe ten seconds and continues booting.
Finally I see this (example):
Mon Jul 13 10:23:29 CST 2009
OpenBSD/i386 (myname.my.domain) (tty00)
login:

The clock is using the time from the previous shutdown/reboot (and
originally from the timestamp on the 4.6 install files).
The only change appears to be from elapsed uptime.

This is my rc.conf.local:
# cat rc.conf.local
ntpd_flags="-s" # enabled during install

This is my ntpd.conf (minus some comments):
# cat ntpd.conf
# $OpenBSD: ntpd.conf,v 1.11 2009/05/18 16:13:48 stevesk Exp $
# Addresses to listen on (ntpd does not listen by default)
listen on 150.101.x.x
# sync to a single server
server ntp.internode.on.net

This is using pppoe(4) and the listen interface is the pppoe address.
My internet works fine and I have removed all filter rules from
pf.conf to be sure.
Regardless, with filtering happening the results look the same as per
the log (below).

In all cases the servers appear to be valid and the time difference
found appears to be on the money:
Jul 13 + ~108 days ≈ Oct 30.
From /var/log/daemon:
Jul 13 09:38:56 myname ntpd[20688]: adjusting local clock by 9377958.788013s
Jul 13 09:39:27 myname ntpd[20688]: adjusting local clock by 9377958.680999s
Jul 13 09:43:45 myname ntpd[20688]: adjusting local clock by 9377957.395701s
Jul 13 09:44:19 myname ntpd[20688]: adjusting local clock by 9377957.230468s
Jul 13 09:44:51 myname ntpd[20688]: adjusting local clock by 9377957.115971s
Jul 13 09:48:39 myname ntpd[20688]: adjusting local clock by 9377956.019010s
Jul 13 09:52:58 myname ntpd[20688]: adjusting local clock by 9377954.771459s
Etcetera.

I had this exact issue (anecdotally) with 4.5 and tried rdate
(rc.conf.local):
rdate_flags="ntp.internode.on.net"
From memory this worked fine and the clock was set at boot.
Certainly rdate worked.

Things I have done:
# ntpd -n
configuration OK
# rdate -p ntp.internode.on.net
Fri Oct 30 01:09:33 CST 2009

Things I noted:
I have no drift file (/var/db/ntpd.drift).

Any advice appreciated.

Best wishes.



Re: Tomorrow: Amsterdam OpenBSD 4.6 release party!

2009-10-29 Thread andres

Quoting Otto Moerbeek o...@drijf.net:

 On Wed, Oct 28, 2009 at 02:08:07PM +0100, chefren wrote:

  Tomorrow, Thursday 29th of October:

  Cafe de Deugniet Oude Brugsteeg 12, 1012 JP Amsterdam

  http://maps.google.nl/maps?f=qhl=enq=Oudebrugsteeg+12,+Amsterdam+1012+Amsterdam,+North+Holland,+The+Netherlandssll=52.469397,5.509644sspn=3.741684,6.097412ie=UTF8cd=1geocode=0,52.375293,4.897561t=hz=17iwloc=addr

  18:00 gathering in front of De Deugniet, we will find some food in the
  neighborhood that has lots of places where we can eat.

  From 20:00 on we will gather into De Deugniet itself and have a drink on
  OpenBSD 4.6!

  +++chefren

 Unfortunately I cannot be there, but have a good time.

 -Otto


I'm jealous!  Drink good beer!   (I hope I said that
intelligibly)

--STeve Andre'



Re: Secure way to delete data in hard disc

2009-10-29 Thread Bob Beck
2009/10/28 Noah Pugsley noa...@bendtel.com:
 Can I interest you in a pair of steganograpanties? Or for cooler weather,
 steganograpantaloons?

The problem with steganograpanties is that residual images of my ass
are present *underneath* the panties - therefore if the offending
Germans were to use high technology panty-removing chemicals (like
ethanol) they could actually view the residual data present underneath
the panties!  As assuredly every German who is after my ass will
possess this technology it behooves me to take adequate precautions to
obscure the data... I'm thinking kind of along the lines of the
full-ass Kat-Von-D steganographic ass-stealthing tattoo...



Re: Script to ping, traceroute a destination and record the time

2009-10-29 Thread David Walker
 If you can't whip this up yourself in a matter of 2 minutes they
 have the wrong person debugging it.

+1

If you can't already write this don't panic - it is possibly the best
opportunity you may have to get your feet wet.

Motivation - fix that problem.
Interesting - who doesn't like learning?
Simplicity - it doesn't get much easier.

If I can do it you can do it.

Here's a starter.
Read man sh.
Especially Input/output redirection. Then read Command syntax.

Remember a script (as per your request) is to save you doing this
stuff manually (too lazy, not quick enough, busy sleeping, etcetera).
In other words you can type this stuff at the shell instead and see
what it does. :]

Not only will you learn how to script, your command vocabulary will
grow and grow ...

I am very much the beginner @ shell scripts but experience on another
platform tells me you won't get a better opportunity.

*cough*
ping -c 1 microsoft.com | grep received >> report.file && echo Yeehah!
*sneeze*
man: sed, grep, cat, etcetera.

Not what you want but a push in the right direction.

Best wishes.
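A complete sh version of what Kasper asked for, as an added example (not David's starter or anyone else's code from the thread): every INTERVAL seconds it pings each target, reduces the result to a loss figure, runs a bounded traceroute, and appends everything with a timestamp to LOGFILE. The target addresses, log path and interval are placeholders to replace; the summary parser handles both the OpenBSD and the Linux form of ping's statistics line, and reports unknowns when ping produced no statistics at all.

```shell
#!/bin/sh
# Added example (not posted in the thread): periodic ping + traceroute probe
# that appends timestamped results to a log so you can look up the minutes
# around a reported disconnect. Targets, log path and interval are
# placeholders; override them in the environment.

TARGETS="${TARGETS:-192.0.2.10 198.51.100.20}"   # placeholder addresses (TEST-NET)
LOGFILE="${LOGFILE:-/var/log/netprobe.log}"       # placeholder path
INTERVAL="${INTERVAL:-60}"                        # seconds between rounds

# ping_summary: reads raw ping(8) output on stdin and prints one line,
# "sent=N recv=N loss=P", from the "packets transmitted" statistics line.
# Handles both the OpenBSD form ("3 packets received") and the Linux form
# ("3 received"); prints "sent=? recv=? loss=?" if no statistics line exists
# (name resolution failure, ping killed, ...).
ping_summary() {
    awk '/packets transmitted/ {
        sent = $1
        for (i = 2; i <= NF; i++) {
            if ($i == "received,")
                recv = ($(i-1) == "packets") ? $(i-2) : $(i-1)
            if ($i == "packet" && $(i+1) ~ /^loss/)
                loss = $(i-1)
        }
        printf "sent=%s recv=%s loss=%s\n", sent, recv, loss
        found = 1
    }
    END { if (!found) print "sent=? recv=? loss=?" }'
}

# probe_host HOST: one timestamped ping summary plus a bounded traceroute.
# -q 1 -w 2 -m 20 caps each trace at about 40 s in the worst case so a
# round of several targets still fits inside INTERVAL.
probe_host() {
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    summary=$(ping -c 3 -w 5 "$1" 2>&1 | ping_summary)
    printf '[%s] %s ping: %s\n' "$stamp" "$1" "$summary"
    printf '[%s] %s traceroute:\n' "$stamp" "$1"
    traceroute -n -q 1 -w 2 -m 20 "$1" 2>&1 | sed 's/^/    /'
}

probe_all() {
    for h in $TARGETS; do
        probe_host "$h"
    done
}

# The loop only starts when invoked as "netprobe.sh --run", so the functions
# above can be sourced and checked without touching the network.
if [ "${1:-}" = "--run" ]; then
    while :; do
        probe_all >> "$LOGFILE"
        sleep "$INTERVAL"
    done
fi
```

Start it with sh netprobe.sh --run (or from rc.local) and grep the log for the minutes around a reported disconnect. The traceroute flags are what make the timing workable, which was Toni's objection: with more than a couple of targets, lower -m or run one probe per target in the background so a round still finishes inside the interval.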



Re: 200g harddisk after newfs = Available 174g?

2009-10-29 Thread Daniel Gracia Garallar
Manufacturers use the 'giga' prefix in the International System meaning. 
That said, 1Gb would be 10^9 = 1,000,000,000 bytes.


Computer programmers, OS and all around computer chit-chat use the 
prefix 'giga' to refer to 2^30 = 1,073,741,824 bytes.


IEC recommends calling this GiB, but it's uncommon.

Today, you could safely assume only manufacturers write Gb in the 
International System meaning; everybody else is referring to GiBs when 
talking about Gb.


Sum this fact with filesystem overhead, and you may get all your space!

Jennifer Ma wrote:

Hi all, lately I obtained a Seagate 200g (wd1) hard disk from my elder
brother. After I disklabel, newfs and mount the disk, only 174g is
shown as available; in Windows (through Samba) it said 9.16g has already
been used. Is there any way I can claim that space back? Much thanks!

# disklabel wd1
# /dev/rwd1c:
type: ESDI
disk: ESDI/IDE disk
label: ST3200826A
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 390721968
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:        390721905               63  4.2BSD   2048 16384    1
  c:        390721968                0  unused


# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      1.8G    1.4G    313M    82%    /
/dev/wd1a      183G    2.0K    174G     0%    /www01
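To see where the 200 → 174 gap actually goes, here is a small added calculation (not from the thread) over the numbers Jennifer posted. Beyond the decimal/binary difference Daniel describes, FFS holds back a minfree reserve, 5% by default, that df(1) subtracts from Avail; that reserve is the 9.16g Windows reported as used. The few GiB between the raw partition size and df's 183G Size are filesystem metadata (inode tables and cylinder-group bookkeeping), which is my reading rather than something stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile a drive's advertised size
# with what disklabel(8) and df(1) show, using the figures quoted above.
# The 5% is the FFS default minfree reserve, which df subtracts from Avail.

# disk_sizes SECTORS BYTES_PER_SECTOR -> "<decimal GB> <GiB>"
disk_sizes() {
    awk -v s="$1" -v b="$2" 'BEGIN {
        bytes = s * b
        printf "%.2f %.2f\n", bytes / 1e9, bytes / (2^30)
    }'
}

# minfree_split SIZE PERCENT -> "<reserved> <available>", same unit as SIZE
minfree_split() {
    awk -v size="$1" -v pct="$2" 'BEGIN {
        printf "%.2f %.2f\n", size * pct / 100, size * (100 - pct) / 100
    }'
}

# The chain for the disk in the thread: partition "a" is 390721905 sectors
# of 512 bytes (disklabel), and df reports Size 183G, Avail 174G.
echo "partition a, decimal GB and GiB: $(disk_sizes 390721905 512)"
echo "5% reserve and avail out of 183G: $(minfree_split 183 5)"
```

The reserve can be lowered with tunefs(8) -m, at a cost in fragmentation and write performance as the filesystem fills; the metadata and the decimal/binary difference cannot be reclaimed.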




Re: Script to ping, traceroute a destination and record the time

2009-10-29 Thread Kasper Adel
thanks all for answering.

Traceroute will let me find out whether, during the short period of
application disconnect, it's an app problem or the network topology
changes, and where (at which router) the packets couldn't get across.

Cheers,
Kim

On Thu, Oct 29, 2009 at 4:43 PM, Toni Mueller openbsd-m...@oeko.net wrote:

 Hi,

 On Thu, 29.10.2009 at 16:26:49 +0200, Kasper Adel karim.a...@gmail.com
 wrote:
  I am trying to troubleshoot a problem that is totally random, and the one
  idea that would help me is to have a bash script that will ping a few
  destinations every minute, then do a traceroute to these destinations, and
  record the time and all that output in a file. Then the whole process
  would repeat every minute.

 I don't know what exactly you are going to do with the traceroute,
 which is both hard to implement, given your timing requirements, and
 tedious to evaluate, but if you could be content with pings and packet
 loss, I can recommend using Smokeping with aggressive settings, and/or
 some other things to trigger a traceroute in case of a problem.


 Kind regards,
 --Toni++



Re: 200g harddisk after newfs = Available 174g?

2009-10-29 Thread Edho P Arief
On Wed, Oct 28, 2009 at 4:28 PM, Daniel Gracia Garallar
danie...@electronicagracia.com wrote:
 Manufacturers use the 'giga' prefix in the International System meaning. That
 said, 1Gb would be 10^9 = 1,000,000,000 bytes.

 Computer programmers, OS and all around computer chit-chat use the prefix
 'giga' to refer 2^30 = 1,073,741,824 bytes.

 IEC recommends calling this GiB, but it's uncommon.

 Today, you could assume safely only manufacturers write Gb in the
 International System meaning;

and Apple's Mac OS X 10.6

http://support.apple.com/kb/TS2419



-- 
O ascii ribbon campaign - stop html mail - www.asciiribbon.org



Re: 200g harddisk after newfs = Available 174g?

2009-10-29 Thread Jonathan Gray
On Thu, Oct 29, 2009 at 11:35:18PM +0700, Edho P Arief wrote:
 On Wed, Oct 28, 2009 at 4:28 PM, Daniel Gracia Garallar
 danie...@electronicagracia.com wrote:
  Manufacturers use the 'giga' prefix in the International System meaning. That
  said, 1Gb would be 10^9 = 1,000,000,000 bytes.
 
  Computer programmers, OS and all around computer chit-chat use the prefix
  'giga' to refer 2^30 = 1,073,741,824 bytes.
 
  IEC recommends calling this GiB, but it's uncommon.
 
  Today, you could assume safely only manufacturers write Gb in the
  International System meaning;
 
 and Apple's Mac OS X 10.6
 
 http://support.apple.com/kb/TS2419

There are many stupid ideas in other operating systems, I
don't see why we should be required to implement them.



Re: Script to ping, traceroute a destination and record the time

2009-10-29 Thread Frans Haarman
2009/10/29 Kasper Adel karim.a...@gmail.com

 thanks all for answering.

 Traceroute will allow me to find out, during the short period of
 application disconnect, whether it's an app problem or the network
 topology changes, and where (which router) the packets couldn't get
 across.

 Cheers,
 Kim

 On Thu, Oct 29, 2009 at 4:43 PM, Toni Mueller openbsd-m...@oeko.net
 wrote:

  Hi,
 
  On Thu, 29.10.2009 at 16:26:49 +0200, Kasper Adel karim.a...@gmail.com
  wrote:
   I am trying to troubleshoot a problem that is totally random and the one
   idea that would help me is to have a bash script that will ping a few
   destinations every minute, then do a traceroute to these destinations,
   record the time and all that output in a file. Then the whole process
   would repeat every minute.
 
  I don't know what exactly you are going to do with the traceroute,
  which is both hard to implement, given your timing requirements, and
  tedious to evaluate, but if you could be content with pings and packet
  loss, I can recommend using Smokeping with aggressive settings, and/or
  some other things to trigger a traceroute in case of a problem.
 
 
  Kind regards,
  --Toni++


I am playing with hping to monitor changes in traceroutes. You can
specify which hop you want to monitor to a certain destination:

# /usr/local/sbin/hping -c 1 -1 --traceroute --tr-keep-ttl --ttl 4 openbsd.org
HPING openbsd.org (vic0 199.185.137.3): icmp mode set, 28 headers + 0 data bytes
hop=4 TTL 0 during transit from ip=149.6.129.97 name=vl250.mpd03.ams03.atlas.cogentco.com
hop=4 hoprtt=9.5 ms

As you can see hping will only output info about the 4th hop. Might be
useful.

Regards,
-- Frans
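
Kasper's request above (ping a few destinations every minute, traceroute them, and record the time and output in a file), combined with Toni's suggestion to run the traceroute only when a probe shows trouble, as an added shell example that is not part of the thread. It uses only ping(8), traceroute(8), awk and date from base; the hosts, log path, interval and loss threshold are assumptions, and 192.0.2.1 is a TEST-NET address standing in for a real destination.

```shell
#!/bin/sh
# Added example, not from the thread: log a ping to each host every
# INTERVAL seconds with a timestamp, and run a traceroute only when that
# ping saw packet loss. HOSTS, LOG, INTERVAL and THRESHOLD are assumptions.

LOG=${LOG:-/var/log/netprobe.log}
INTERVAL=${INTERVAL:-60}
THRESHOLD=${THRESHOLD:-0}          # loss percentage above which to traceroute
HOSTS=${HOSTS:-"openbsd.org 192.0.2.1"}

# Integer packet-loss percentage from ping(8) summary output, e.g.
# "2 packets transmitted, 1 packets received, 50.0% packet loss".
# Prints 100 when no summary line is present (unresolvable host,
# ping killed early), so such a run counts as total loss.
parse_loss() {
    loss=$(printf '%s\n' "$1" | awk '
        /packet loss/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /%/) { sub(/%.*/, "", $i); sub(/\..*/, "", $i); v = $i }
        }
        END { if (v != "") print v }')
    printf '%s\n' "${loss:-100}"
}

# True when a ping result warrants a traceroute.
needs_trace() {
    [ "$(parse_loss "$1")" -gt "$THRESHOLD" ]
}

# Probe one host and append the result to $LOG.
probe() {
    host=$1
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    out=$(ping -c 3 -w 5 "$host" 2>&1)
    printf '%s ping %s loss=%s%%\n' "$stamp" "$host" "$(parse_loss "$out")" >> "$LOG"
    if needs_trace "$out"; then
        printf '%s traceroute %s\n' "$stamp" "$host" >> "$LOG"
        traceroute -n -q 1 -w 2 "$host" >> "$LOG" 2>&1
    fi
}

# Only loop when invoked as "netprobe.sh run"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "run" ]; then
    while :; do
        for h in $HOSTS; do
            probe "$h"
        done
        sleep "$INTERVAL"
    done
fi
```

Start it with `sh netprobe.sh run` from rc.local or under nohup. A missing summary line is treated as 100% loss, so an unresolvable host gets logged and traced rather than silently skipped; once the suspect hop is known, the hping --tr-keep-ttl trick above can replace the full traceroute.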



privileged instruction fault trap

2009-10-29 Thread Roger Schreiter
Hello,

we have been operating a BGP router using OpenBSD 4.5 for
some weeks. Until today everything went fine.

Today, the system crashed, causing an uptime much too short
for an IP router.

Can someone guess the cause from the console output?
Can we improve the kernel stability by any settings?

Panic output was:

kernel: privileged instruction fault trap, code=0
Stopped at  ip_output +0xb8:
ddb _

(The last underscore is the cursor position.)


Any helpful hints?


Regards,
Roger.



Re: 200g harddisk after newfs = Available 174g?

2009-10-29 Thread Bob Beck
 There are many stupid ideas in other operating systems, I
 don't see why we should be required to implement them.

Yeah, and the discussion of my ass is a more productive discussion
than talking about making df display marketing gigabytes

That'll happen in openbsd right after we switch the default filesystem
to apple hfs, and while we're at it replace the yp code with netinfo
because it's so much better.



Re: privileged instruction fault trap

2009-10-29 Thread Bob Beck
2009/10/29 Roger Schreiter ro...@planinternet.de:

 Today, the system crashed,

.

 kernel: privileged instruction fault trap, code=0
 Stopped at  ip_output +0xb8:
 ddb _

.

 Any helpful hints?


http://www.openbsd.org/cgi-bin/man.cgi?query=crash&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html



nat,ipsec,pf,routing question

2009-10-29 Thread Christoph Leser
I'm sure I have seen the answer to my question here on the list some
time ago, but I'm too stupid to find it again:

In what order are the following operations performed on an IP packet

a. IPSEC ( decides whether a packet matches an IPSEC flow )
b. normal kernel routing
c. NAT
d. packet filtering ( block/pass commands in pf.conf )

The reason I ask is that I failed to set up NAT for an IPsec tunnel as
described in

http://marc.info/?l=openbsd-pf&m=115875312200995&w=2


As far as I understand, this can only work if NAT ( on lo1 ) is
performed before IPSEC checks for matching flows.

Has this order been changed in OpenBSD 4.x (the above post from 2006 refers
to OpenBSD 3.8)? There is a newer posting on the same issue at
http://archives.neohapsis.com/archives/openbsd/2008-12/1110.html,
suggesting essentially the same procedure.



Regards

Christoph



Re: 200g harddisk after newfs = Available 174g?

2009-10-29 Thread Edho P Arief
On Fri, Oct 30, 2009 at 12:13 AM, Bob Beck b...@ualberta.ca wrote:
 There are many stupid ideas in other operating systems, I
 don't see why we should be required to implement them.

 Yeah, and the discussion of my ass is a more productive discussion
 than talking about making df display marketing gigabytes


for some reason I'm kind of offended by SI = marketing equation.

note that I'm not suggesting anything. Things like this are already
confusing and changing anything will probably just add even more
confusion, etc.

-- 
O ascii ribbon campaign - stop html mail - www.asciiribbon.org



Re: 200g harddisk after newfs = Available 174g?

2009-10-29 Thread Bryan Irvine
On Thu, Oct 29, 2009 at 10:13 AM, Bob Beck b...@ualberta.ca wrote:
 There are many stupid ideas in other operating systems, I
 don't see why we should be required to implement them.

 Yeah, and the discussion of my ass is a more productive discussion
 than talking about making df display marketing gigabytes

 That'll happen in openbsd right after we switch the default filesystem
 to apple hfs, and while we're at it replace the yp code with netinfo
 because it's so much better.

Would you also please switch all the config files to XML since it's
the standard?


-B



Header re-writing and smtpd(8)

2009-10-29 Thread Chris Jones
Good morning,

I'm curious if anyone knows if it's possible to do header re-writing 
with smtpd(8). I have a project I would love to use smtpd(8) for but 
I'll need to figure a way to be able to re-write message headers as they 
relay through this server. The gist of it is, I would like to setup a 
mailbox server (zimbra) which routes mail to specific relay servers 
based on email domain. These relay servers would then re-write the 
Received: fields in the header of a message so that it looks like it's 
originating from the relay server.

I've done this with Postfix before but I would much rather use smtpd(8) 
for its security and simplicity. Thanks in advance for any advice or 
information you have.

Cheers,
-Chris

-- 
Chris Jones

GDI Software Services Canada Inc.
Suite 1300, 1500 West Georgia St.
Vancouver, BC, Canada
V6G 2Z6

Mobile: (604) 218-5981
Phone: (778) 373-0600 | Fax: (778) 373-0669



Re: 4.6 reboots x336 ibm server(s)

2009-10-29 Thread FRLinux
On Wed, Oct 28, 2009 at 4:13 PM, Joachim Schipper
joac...@joachimschipper.nl wrote:
 Just to check the obvious: did you disable acpi when booting after the
 install? (And did you try both bsd and bsd.mp? The latter is less like
 the install kernel than the former.)



Hello, the problem is related to the network cards alright. Disabling
ppb* allows it to boot. My problem is that even if I disable a card in
the bios, i cannot boot the system. I tried to disable ppb2 but it
doesn't seem to take it. What am I missing ?

Cheers,
Steph



Re: 200g harddisk after newfs = Available 174g?

2009-10-29 Thread Jurjen Oskam
On Wed, Oct 28, 2009 at 10:28:00AM +0100, Daniel Gracia Garallar wrote:

 Computer programmers, OS and all around computer chit-chat use the 
 prefix 'giga' to refer 2^30 = 1,073,741,824 bytes.
 
 IEC recommends calling this GiB, but it's uncommon.
 
 Today, you could assume safely only manufacturers write Gb in the 
 International System meaning; everybody else is referring to GiBs when 
 talking about Gb.

... except when talking about computer networks: in that case everybody
*does* use the SI-prefixes and 1 Gb/sec really is 10^9 bits/second,
and not 1073741824 bits/second.

-- 
Jurjen Oskam

Savage's Law of Expediency:
You want it bad, you'll get it bad.



Re: 200g harddisk after newfs = Available 174g?

2009-10-29 Thread Marco Peereboom
bits are absolute.

this discussion should take a turn to beck's ass again.

On Thu, Oct 29, 2009 at 07:29:54PM +0100, Jurjen Oskam wrote:
 On Wed, Oct 28, 2009 at 10:28:00AM +0100, Daniel Gracia Garallar wrote:
 
  Computer programmers, OS and all around computer chit-chat use the 
  prefix 'giga' to refer 2^30 = 1,073,741,824 bytes.
  
  IEC recommends calling this GiB, but it's uncommon.
  
  Today, you could assume safely only manufacturers write Gb in the 
  International System meaning; everybody else is referring to GiBs when 
  talking about Gb.
 
 ... except when talking about computer networks: in that case everybody
 *does* use the SI-prefixes and 1 Gb/sec really is 10^9 bits/second,
 and not 1073741824 bits/second.
 
 -- 
 Jurjen Oskam
 
 Savage's Law of Expediency:
 You want it bad, you'll get it bad.



Re: 4.6 reboots x336 ibm server(s)

2009-10-29 Thread Joachim Schipper
On Thu, Oct 29, 2009 at 06:06:03PM +, FRLinux wrote:
 On Wed, Oct 28, 2009 at 4:13 PM, Joachim Schipper
 joac...@joachimschipper.nl wrote:
  Just to check the obvious: did you disable acpi when booting after the
  install? (And did you try both bsd and bsd.mp? The latter is less like
  the install kernel than the former.)
 
 
 
 Hello, the problem is related to the network cards alright. Disabling
 ppb* allows it to boot. My problem is that even if I disable a card in
 the bios, i cannot boot the system. I tried to disable ppb2 but it
 doesn't seem to take it. What am I missing ?

I'm not really sure what you are asking. Is your question answered by
pointing you at the -u option of config(8) (i.e. showing you how to get
the 'disable ppb*' to stick)? If not, you'll have to rephrase it or hope
someone else understands it...

Joachim



Re: Tomorrow: Amsterdam OpenBSD 4.6 release party!

2009-10-29 Thread raven
On 29/10/09 00.23, Marco Peereboom wrote:
 In .nl?  puhlease!

Ahahahah ok. Next time we will organize a team of chefs for the event and I
will bring some specialties from Italy :)

 On Wed, Oct 28, 2009 at 11:07:52PM +0100, Francesco Vollero wrote:
  On Wed, 28/10/2009 at 22.20 +0100, chefren wrote:
   On 28-10-09 16:11, Francesco Vollero wrote:
    On Wed, 28/10/2009 at 14.08 +0100, chefren wrote:
    [snip]

    It's unfair :( I came back from Amsterdam this morning :(

    Francesco

   Ah, well, I will try to honor you by proposing Italian food, OK?

  Thanks :) But I hope you propose a real Italian place :)

   +++chefren

  Francesco




PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Matthew Young
Hello,


I am looking for a way to have an allowed list of SSL-enabled sites
that an end user can browse, but this entirely done on a server level
with _zero_ configuration on the PC.

In a dream world, squid would be able to transparently proxy https and
thus I would create an allowed list of SSL sites specific to each LAN
user (based on private IP or MAC) that he/she can access. As we know
this isn't the case because this breaks SSL.

Does anybody know a way I can actually accomplish this?

My Thoughts:
I thought of a way to then take my list of SSL-enabled sites
(gmail.com for example) and resolve the domain to an IP and then add
it in a firewall so that X user has
access to port 443 for only those specific IPs.  However the downside
to this is that if gmail (or any other site I do this for) changes the IP
(which they will) the firewall rule which is static would need an
update. Besides, gmail's https hostname resolves to the same IP as
google.com A records so I would be fiddling with those at the same
time and thus basically be allowing or disallowing the entire google
domain when I truly wanted just an access list of gmail.com.

Would there be a way to make then some type of sniffer which would
capture when users try to enter an https site and then somehow create a
dynamic rule of some kind to let traffic out based on an allowed list?

There must be a practical way, right guys?

Thanks

--Matt



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Bob Beck
apache or other reverse proxy.


2009/10/29 Matthew Young myoung24...@gmail.com:
 Hello,


 I am looking for a way to have an allowed list of SSL-enabled sites
 that an end user can browse, but this entirely done on a server level
 with _zero_ configuration on the PC.

 In a dream world, squid would be able to transparently proxy https and
 thus I would create an allowed list of SSL sites specific to each LAN
 user (based on private IP or MAC) that he/she can access. As we know
 this isn't the case because this breaks SSL.

 Does anybody know a way I can actually accomplish this?

 My Thoughts:
 I thought of a way to then take my list of SSL-enabled sites
 (gmail.com for example) and resolve the domain to an IP and then add
 it in a firewall so that X user has
 access to port 443 for only those specific IPs.  However the downside
 to this is that if gmail (or any other site I do this for) changes the IP
 (which they will) the firewall rule which is static would need an
 update. Besides, gmail's https hostname resolves to the same IP as
 google.com A records so I would be fiddling with those at the same
 time and thus basically be allowing or disallowing the entire google
 domain when I truly wanted just an access list of gmail.com.

 Would there be a way to make then some type of sniffer which would
 capture when users try to enter an https site and then somehow create a
 dynamic rule of some kind to let traffic out based on an allowed list?

 There must be a practical way, right guys?

 Thanks

 --Matt



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Matthew Young
Hello,

If I use a reverse proxy I would have to know the SSL key of the
remote SSL site (gmail.com) so that the reverse proxy server would
decrypt and encrypt, if I am not mistaken.

-- Matt

On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:
 apache or other reverse proxy.


 2009/10/29 Matthew Young myoung24...@gmail.com:
 Hello,


 I am looking for a way to have an allowed list of SSL-enabled sites
 that an end user can browse, but this entirely done on a server level
 with _zero_ configuration on the PC.

 In a dream world, squid would be able to transparently proxy https and
 thus I would create an allowed list of SSL sites specific to each LAN
 user (based on private IP or MAC) that he/she can access. As we know
 this isn't the case because this breaks SSL.

 Does anybody know a way I can actually accomplish this?

 My Thoughts:
 I thought of a way to then take my list of SSL-enabled sites
 (gmail.com for example) and resolve the domain to an IP and then add
 it in a firewall so that X user has
 access to port 443 for only those specific IPs.  However the downside
 to this is that if gmail (or any other site I do this for) changes the IP
 (which they will) the firewall rule which is static would need an
 update. Besides, gmail's https hostname resolves to the same IP as
 google.com A records so I would be fiddling with those at the same
 time and thus basically be allowing or disallowing the entire google
 domain when I truly wanted just an access list of gmail.com.

 Would there be a way to make then some type of sniffer which would
 capture when users try to enter an https site and then somehow create a
 dynamic rule of some kind to let traffic out based on an allowed list?

 There must be a practical way, right guys?

 Thanks

 --Matt



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread James Records
may be able to do something with relayd, though i'm not sure.

J

On Thu, Oct 29, 2009 at 12:57 PM, Matthew Young myoung24...@gmail.comwrote:

 Hello,

 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site (gmail.com) so that the reverse proxy server would
 decrypt and encrypt, if I am not mistaken.

 -- Matt

 On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:
  apache or other reverse proxy.
 
 
  2009/10/29 Matthew Young myoung24...@gmail.com:
  Hello,
 
 
  I am looking for a way to have an allowed list of SSL-enabled sites
  that an end user can browse, but this entirely done on a server level
  with _zero_ configuration on the PC.
 
  In a dream world, squid would be able to transparently proxy https and
  thus I would create an allowed list of SSL sites specific to each LAN
  user (based on private IP or MAC) that he/she can access. As we know
  this isn't the case because this breaks SSL.
 
  Does anybody know a way I can actually accomplish this?
 
  My Thoughts:
  I thought of a way to then take my list of SSL-enabled sites
  (gmail.com for example) and resolve the domain to an IP and then add
  it in a firewall so that X user has
  access to port 443 for only those specific IPs.  However the downside
  to this is that if gmail (or any other site I do this for) changes the IP
  (which they will) the firewall rule which is static would need an
  update. Besides, gmail's https hostname resolves to the same IP as
  google.com A records so I would be fiddling with those at the same
  time and thus basically be allowing or disallowing the entire google
  domain when I truly wanted just an access list of gmail.com.
 
  Would there be a way to make then some type of sniffer which would
  capture when users try to enter an https site and then somehow create a
  dynamic rule of some kind to let traffic out based on an allowed list?
 
  There must be a practical way, right guys?
 
  Thanks
 
  --Matt



openbsd ca tutorial

2009-10-29 Thread Abdullah Sendul
Hi,

I am trying to create my own CA on openbsd. but unfortunately couldn't
find any tutorial on this, there are some on freebsd, linux, but they
are giving some errors.

can you please point me correct place if there is one.

thanks

\sendul



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Bob Beck
Yep. That's why https encrypts the url transmission.

The point is you aren't *supposed* to be able to do that securely.
Your reverse proxy which does this will look like the standard hotel
room silliness.


2009/10/29 Matthew Young myoung24...@gmail.com:
 Hello,

 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site (gmail.com) so that the reverse proxy server would
 decrypt and encrypt, if I am not mistaken.

 -- Matt

 On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:
 apache or other reverse proxy.


 2009/10/29 Matthew Young myoung24...@gmail.com:
 Hello,


 I am looking for a way to have an allowed list of SSL-enabled sites
 that an end user can browse, but this entirely done on a server level
 with _zero_ configuration on the PC.

 In a dream world, squid would be able to transparently proxy https and
 thus I would create an allowed list of SSL sites specific to each LAN
 user (based on private IP or MAC) that he/she can access. As we know
 this isn't the case because this breaks SSL.

 Does anybody know a way I can actually accomplish this?

 My Thoughts:
 I thought of a way to then take my list of SSL-enabled sites
 (gmail.com for example) and resolve the domain to an IP and then add
 it in a firewall so that X user has
 access to port 443 for only those specific IPs.  However the downside
 to this is that if gmail (or any other site I do this for) changes the IP
 (which they will) the firewall rule which is static would need an
 update. Besides, gmail's https hostname resolves to the same IP as
 google.com A records so I would be fiddling with those at the same
 time and thus basically be allowing or disallowing the entire google
 domain when I truly wanted just an access list of gmail.com.

 Would there be a way to make then some type of sniffer which would
 capture when users try to enter an https site and then somehow create a
 dynamic rule of some kind to let traffic out based on an allowed list?

 There must be a practical way, right guys?

 Thanks

 --Matt



Re: openbsd ca tutorial

2009-10-29 Thread Red Midnight

Abdullah Sendul wrote:

Hi,

I am trying to create my own CA on openbsd. but unfortunately couldnt
find any tutorial on this, there are some on freebsd, linux, but they
are giving some errors.

can you please point me correct place if there is one.

thanks

\sendul


  

If I am understanding you correctly, you might want to look here:
http://www.openbsd.org/faq/faq10.html#HTTPS

--

-RSM

http://www.erratic.ca



Re: openbsd ca tutorial

2009-10-29 Thread Abdullah Sendul
 I am trying to create my own CA on openbsd. but unfortunately couldn't
 find any tutorial on this, there are some on freebsd, linux, but they
 are giving some errors.

 If I am understanding you correctly, you might want to look here:
 http://www.openbsd.org/faq/faq10.html#HTTPS

Sorry, not a self-signed cert:
a certificate authority.


 --

 -RSM

 http://www.erratic.ca



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Joachim Schipper
On Thu, Oct 29, 2009 at 02:57:14PM -0500, Matthew Young wrote:
 Hello,
 
 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site (gmail.com) so that the reverse proxy server would
 decrypt and encrypt, if I am not mistaken.

Any decent proxy server accepts the CONNECT method, which means that it
basically passes the data through after validating the hostname - i.e.
GMail handles its own SSL.

I believe that work is currently underway to make it possible for
multiple SSL-enabled hostnames to share a single IP address, but it will
probably be quite a few years before this is remotely common.

Joachim



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Brad Tilley
On Thu, Oct 29, 2009 at 3:42 PM, Matthew Young myoung24...@gmail.com wrote:

 Iam looking for a way to have an allowed list of SSL enabled sites that a end 
 user can browse...

Off-topic, but if the users are knowledgeable with OpenSSH, they can
go around any obstacle you place in front of them and all you'll see
is an ssh tunnel going out of your network. Most OpenBSD folks are
aware of this, but it bears repeating. Smart, determined users cannot
be controlled.

Brad



Re: decreasing the size of the distribution

2009-10-29 Thread Abdullah Sendul
great thanks,

now my distribution is 4MB :)

\sendul

On Tue, Oct 27, 2009 at 4:02 AM, James Records james.reco...@gmail.com wrote:
 Take a look at www.mindrot.org/projects/flashboot

 It builds a minimal ramdisk based bsd.gz of around ~6MB

 You can customize the install script and get whatever binaries you need in
 there, just read the README file.

 It will take some tinkering but you should be able to get what you want with
 this build system

 J

 On Sun, Oct 25, 2009 at 4:10 PM, Abdullah Sendul coffeesm...@gmail.com
 wrote:

 Hi,

 We have a couple of OpenBSD servers whose content is
 static.

 I would like to identify all the files needed for this system to run,
 and then move it to a flash disk to minimise the size of the
 distribution.

 find -mtime / -atime is giving me some ideas, but is this the right
 approach to remove the rest of the files not used on the system?

 what do you suggest?

 thanks

 \sendul



Re: openbsd ca tutorial

2009-10-29 Thread Bob Beck
http://lmgtfy.com/?q=OpenSSL+set+up+own+Certificate+Authority

2009/10/29 Abdullah Sendul coffeesm...@gmail.com:
 Hi,

 I am trying to create my own CA on openbsd. but unfortunately couldn't
 find any tutorial on this, there are some on freebsd, linux, but they
 are giving some errors.

 can you please point me correct place if there is one.

 thanks

 \sendul



Re: openbsd ca tutorial

2009-10-29 Thread Joachim Schipper
On Thu, Oct 29, 2009 at 09:12:09PM +0100, Abdullah Sendul wrote:
 Hi,
 
 I am trying to create my own CA on openbsd. but unfortunately couldn't
 find any tutorial on this, there are some on freebsd, linux, but they
 are giving some errors.
 
 can you please point me correct place if there is one.

You have already been given a reference to the FAQ, but please consider
cacert.org as well.

Joachim
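
None of the pointers in this thread (the FAQ's self-signed HTTPS section, the search link, cacert.org) shows the CA steps themselves on an OpenBSD box, so here is an added example that is not part of the thread: a minimal private CA built with the openssl(1) in base, then a server certificate signed by it. The directory, names, key sizes and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA with openssl(1)
# from OpenBSD base, plus one server certificate signed by it.
# CA_DIR, the DN and the lifetimes are assumptions.
set -eu

CA_DIR=${CA_DIR:-./myca}

# Create the CA: a private key and a self-signed root certificate carrying
# CA:TRUE and keyCertSign, which is what makes it a CA rather than the plain
# self-signed server cert from the FAQ. The config file avoids depending on
# the system openssl.cnf.
make_ca() {
    mkdir -p "$CA_DIR"
    chmod 700 "$CA_DIR"
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
O  = Example Org
CN = Example Org Root CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -x509 makes req(1) emit a self-signed certificate instead of a CSR.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    chmod 600 "$CA_DIR/ca.key"
}

# Issue a server certificate for host $1: a key and CSR as the server would
# generate them, then signed by the CA with end-entity extensions and a
# subjectAltName, which clients check instead of the CN.
issue_cert() {
    host=$1
    # The CA config is reused only so no system openssl.cnf is needed;
    # -subj overrides the DN it contains.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/$host.key" -out "$CA_DIR/$host.csr" 2>/dev/null
    cat > "$CA_DIR/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl x509 -req -sha256 -days 365 -in "$CA_DIR/$host.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CA_DIR/$host.ext" -out "$CA_DIR/$host.crt" 2>/dev/null
}

# Exit status 0 when host $1's certificate chains to ca.crt.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Usage: ca.sh www.example.com   (creates the CA on first use)
if [ $# -gt 0 ]; then
    [ -f "$CA_DIR/ca.key" ] || make_ca
    issue_cert "$1"
    verify_cert "$1" && echo "issued $CA_DIR/$1.crt, signed by $CA_DIR/ca.crt"
fi
```

ca.crt is what gets installed on clients as a trust anchor; ca.key should live on a machine that does nothing else, because anyone holding it can mint a certificate for any name those clients will accept (which is exactly what the "hotel room" reverse proxy discussed elsewhere in this digest needs). For revocation and a serial database, the next step is the openssl ca(1) subcommand rather than x509 -req.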



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Matthew Young
This is great; however, our LAN users are all technical. They would
know, and the next thing I'd have is people browsing the internet through
IPs.

It was good, but not applicable here.


On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com wrote:
 So run your own dns and only resolve good domains. Then the proxy can only
 find the things you want it to.

 On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote:

 Hello,

 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site (gmail.com) so that the reverse proxy server would
 decrypt and encrypt, if I am not mistaken.

 -- Matt

 On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:  apache
 or other reverse proxy...



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Bob Beck
Not unless you know the ip addresses of everything you're hitting.  No
amount of magic will make relayd intercept an https session and get
the url out without sending a bogus certificate to the user.  If you
have a limited set of places to go, sure, it'll work, but so will just
a plain old pf rule restricting outbound 443 connections to the same
set of addresses.  Trying to do this for akamai type moving targets
will be an exercise in frustration though.

You could always just ensure all your users are using internet
explorer or firefox with all the whining turned off, and intercept the
ssl cookies anyway. Most of the users probably won't notice or will
click ok and simply blather along after clicking ok enough times to
make it accept the forgery.

2009/10/29 James Records james.reco...@gmail.com:
 may be able to do something with relayd, though i'm not sure.

 J

 On Thu, Oct 29, 2009 at 12:57 PM, Matthew Young myoung24...@gmail.com
 wrote:

 Hello,

 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site (gmail.com) so that the reverse proxy server would
 decrypt and encrypt, if I am not mistaken.

 -- Matt

 On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:
  apache or other reverse proxy.
 
 
  2009/10/29 Matthew Young myoung24...@gmail.com:
  Hello,
 
 
  I am looking for a way to have an allowed list of SSL-enabled sites
  that an end user can browse, but this entirely done on a server level
  with _zero_ configuration on the PC.
 
  In a dream world, squid would be able to transparently proxy https and
  thus I would create an allowed list of SSL sites specific to each LAN
  user (based on private IP or MAC) that he/she can access. As we know
  this isn't the case because this breaks SSL.
 
  Does anybody know a way I can actually accomplish this?
 
  My Thoughts:
  I thought of a way to then take my list of SSL-enabled sites
  (gmail.com for example) and resolve the domain to an IP and then add
  it in a firewall so that X user has
  access to port 443 for only those specific IPs.  However the downside
  to this is that if gmail (or any other site I do this for) changes the IP
  (which they will) the firewall rule which is static would need an
  update. Besides, gmail's https hostname resolves to the same IP as
  google.com A records so I would be fiddling with those at the same
  time and thus basically be allowing or disallowing the entire google
  domain when I truly wanted just an access list of gmail.com.
 
  Would there be a way to make then some type of sniffer which would
  capture when users try to enter an https site and then somehow create a
  dynamic rule of some kind to let traffic out based on an allowed list?
 
  There must be a practical way, right guys?
 
  Thanks
 
  --Matt
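
Bob's point that a plain pf rule restricting outbound 443 to a fixed set of addresses does as much as relayd would, as an added shell example that is not part of the thread: a pf table holds the addresses the allowed names currently resolve to, and a script re-resolves them with host(1) and replaces the table from cron, which answers Matt's objection that the addresses change. The hostnames, table name and the $ext_if/$lan macros in the pf.conf lines are assumptions; the host(1) output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the "plain old pf rule" variant of
# Matt's idea. The matching pf.conf lines are assumed to be
#
#   table <https_ok> persist
#   block out on $ext_if proto tcp from $lan to any port 443
#   pass  out on $ext_if proto tcp from $lan to <https_ok> port 443
#
# (last matching rule wins, so the block comes first). ALLOWED and TABLE
# are assumptions.

ALLOWED=${ALLOWED:-"mail.google.com www.openbsd.org"}
TABLE=${TABLE:-https_ok}

# Addresses from host(1) output, one per line, e.g.
#   "www.example.com has address 192.0.2.10"
#   "www.example.com has IPv6 address 2001:db8::10"
# CNAME ("is an alias for"), MX and NXDOMAIN lines are ignored.
addrs_from_host_output() {
    printf '%s\n' "$1" | awk '
        $2 == "has" && $3 == "address"                 { print $4 }
        $2 == "has" && $3 == "IPv6" && $4 == "address" { print $5 }
    ' | sort -u
}

# Resolve every allowed name. A name that fails to resolve contributes
# nothing; the others are still refreshed.
resolve_allowed() {
    for name in $ALLOWED; do
        addrs_from_host_output "$(host "$name" 2>/dev/null || true)"
    done | sort -u
}

# -T replace swaps the whole table, so addresses DNS no longer returns
# drop out. An empty result (resolver down) leaves the old table in place
# instead of locking everyone out.
refresh_table() {
    tmp=$(mktemp) || return 1
    resolve_allowed > "$tmp"
    if [ -s "$tmp" ]; then
        pfctl -t "$TABLE" -T replace -f "$tmp"
    fi
    rm -f "$tmp"
}

# Run from cron as often as the DNS TTLs of the allowed names require:
# "https_table.sh run".
if [ "${1:-}" = "run" ]; then
    refresh_table
fi
```

This allows addresses, not names: everything else served from those addresses (Matt's google.com observation, Bob's akamai point) is let through as well, and a per-user list needs one table and one pass rule per user. Filtering on the hostname itself without forging certificates needs the CONNECT-style proxy Joachim describes, with the browsers configured to use it.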



4.6: Troubles with forwarding between vlan interfaces

2009-10-29 Thread Alexander Shikoff
Hello,

I'm trying to setup a router on OpenBSD 4.6 (amd64). I have only one
physical port on it, so I've decided to use 802.1Q VLANs: vlan2 is used
to connect to ISP, vlan663 - LAN.

Here a configuration of interfaces:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:b1:8d:d7
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::2e0:81ff:feb1:8dd7%em0 prefixlen 64 scopeid 0x1

vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:b1:8d:d7
        priority: 0
        vlan: 2 priority: 0 parent interface: em0
        groups: vlan egress
        inet6 fe80::2e0:81ff:feb1:8dd7%vlan2 prefixlen 64 scopeid 0x5
        inet x.x.x.226 netmask 0xfffffffc broadcast x.x.x.227

vlan663: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:b1:8d:d7
        priority: 0
        vlan: 663 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::2e0:81ff:feb1:8dd7%vlan663 prefixlen 64 scopeid 0x6
        inet y.y.y.161 netmask 0xffffffe0 broadcast y.y.y.191

x.x.x.224/30 - Interconnect with my ISP
y.y.y.160/27 - My LAN

I can ping from internet both IPs x.x.x.226 and y.y.y.161, but
cannot ping IP from LAN y.y.y.162. It looks strange because I can ping it
from my box and net.inet.ip.forwarding is set to 1:

# arp -an
? (y.y.y.162) at 00:13:02:51:3a:43 on vlan663
? (x.x.x.225) at 00:21:59:1b:18:80 on vlan2

# ping y.y.y.162
PING y.y.y.162 (y.y.y.162): 56 data bytes
64 bytes from y.y.y.162: icmp_seq=0 ttl=64 time=6.798 ms
64 bytes from y.y.y.162: icmp_seq=1 ttl=64 time=3.588 ms
--- y.y.y.162 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.588/5.193/6.798/1.605 ms

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

pf is enabled and passes all traffic:
# pfctl -sr
pass all flags S/SA keep state


Any help will be kindly appreciated! Thanks.

-- 
MINO-RIPE



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Marcello Cruz
I had a similar problem. Transparent proxy is incompatible with SSL, as far 
as I know. Configuring each computer to use a proxy - either manually or by 
script - is time consuming.


So I decided to use WPAD+Squid. Problem solved. The drawback is the overhead 
in the internal web server. Every time a new browser session is initiated, 
the browser connects to the internal web server to identify how to reach the 
Internet. The advantage is that you can do filtering using WPAD, too.


I don't know if it will work for you, so... good luck!

Rgds
Marcello


- Original Message - 
From: Matthew Young myoung24...@gmail.com

To: Bob Beck b...@ualberta.ca; misc@openbsd.org
Sent: Thursday, October 29, 2009 5:57 PM
Subject: Re: PF challenge dealing with HTTPS URL restriction policies.. 
would it help, other possible solution?




Hello,

If I use a reverse proxy I would have to know the SSL key of the
remote SSL site (gmail.com) so that the reverse proxy server would
decrypt and encrypt, if I am not mistaken.

-- Matt

On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:

apache or other reverse proxy.


2009/10/29 Matthew Young myoung24...@gmail.com:

Hello,


I am looking for a way to have an allowed list of SSL-enabled sites
that an end user can browse, but this entirely done on a server level
with _zero_ configuration on the PC.

In a dream world, squid would be able to transparently proxy https and
thus I would create an allowed list of SSL sites specific to each LAN
user (based on private IP or MAC) that he/she can access. As we know
this isn't the case because this breaks SSL.

Does anybody know a way I can actually accomplish this?

My Thoughts:
I thought of a way to then take my list of SSL-enabled sites
(gmail.com for example) and resolve the domain to an IP and then add
it in a firewall so that X user has
access to port 443 for only those specific IPs.  However the downside
to this is that if gmail (or any other site I do this for) changes the IP
(which they will) the firewall rule which is static would need an
update. Besides, gmail's https hostname resolves to the same IP as
google.com A records so I would be fiddling with those at the same
time and thus basically be allowing or disallowing the entire google
domain when I truly wanted just an access list of gmail.com.

Would there be a way to make then some type of sniffer which would
capture when users try to enter an https site and then somehow create a
dynamic rule of some kind to let traffic out based on an allowed list?

There must be a practical way, right guys?

Thanks

--Matt
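Marcello's remark that filtering can be done in WPAD itself, shown as an added example rather than his own wpad.dat: a PAC script that hands allowlisted HTTPS sites to the Squid proxy and sends every other HTTPS request to a dead end. The proxy address and the allowlist are assumptions; as the rest of the thread notes, this is client-side policy, so the firewall still has to enforce it.

```javascript
// Added example, not the poster's wpad.dat: PAC script with an HTTPS allowlist.
var SQUID = 'PROXY 192.0.2.1:3128';   // assumed Squid address
var DENY  = 'PROXY 127.0.0.1:9';      // nothing listens there: the request fails closed
var ALLOWED_SSL = ['gmail.com', 'accounts.google.com'];   // constructed allowlist

// Browsers supply dnsDomainIs() to PAC scripts; it is defined here with the
// same suffix-match semantics so the script also runs under Node.js.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Exact match or a subdomain of an allowlisted name; "evilgmail.com" must not match,
// which is why the domain is tested with a leading dot.
function sslAllowed(host) {
  host = host.toLowerCase();
  for (var i = 0; i < ALLOWED_SSL.length; i++) {
    if (host === ALLOWED_SSL[i] || dnsDomainIs(host, '.' + ALLOWED_SSL[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (url.substring(0, 6).toLowerCase() === 'https:') {
    return sslAllowed(host) ? SQUID : DENY;
  }
  return SQUID;   // plain HTTP goes to Squid, which applies its own ACLs
}
```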




Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Bob Beck
browsing ssl by IP addresses will also result in certificate conflicts
- because the ssl cert is for the name not the IP address.

So if they were willing to do that, they're willing to have your
stupid reverse proxy mitm all your certificates since they'll also
fail.

Perhaps between my extremely subtle taunting, I should give up and
just ask you *why* the hell do you want to do this?


2009/10/29 Matthew Young myoung24...@gmail.com:
 This is great, however our LAN users are all technical. They would
 know and the next thing I have is people browsing the internet through
 IPs.

 It was good, but not applicable here.


 On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com wrote:
 So run your own dns and only resolve good domains. Then the proxy can only
 find the things you want it to.

 On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote:

 Hello,

 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site (gmail.com) so that the reverse proxy server would
 decrypt and encrypt, if I am not mistaken.

 -- Matt

 On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:  apache
 or other reverse proxy...



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Matthew Young
Marcello,

Thank you.. this is good except that I need to configure all my
browsers for downloading the pac file, and some Adware/antivirus will
not auto discover this.. my users are linux as well as windows sadly.
So while this is a lot more practical than manually configuring
proxies in the machines it is not an option for the requirement of
this project.

Thanks.

-Matt

On Thu, Oct 29, 2009 at 3:55 PM, Bob Beck b...@ualberta.ca wrote:
 browsing ssl by IP addresses will also result in certificate conflicts
 - because the ssl cert is for the name not the IP address.

 So if they were willing to do that, they're willing to have your
 stupid reverse proxy mitm all your certificates since they'll also
 fail.

 Perhaps between my extremely subtle taunting, I should give up and
 just ask you *why* the hell do you want to do this?


 2009/10/29 Matthew Young myoung24...@gmail.com:
 This is great, however our LAN users are all technical. They would
 know and the next thing I have is people browsing the internet through
 IPs.

 It was good, but not applicable here.


 On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com wrote:
 So run your own dns and only resolve good domains. Then the proxy can only
 find the things you want it to.

 On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote:

 Hello,

 If I use a reverse proxy I would have to know the SSL key of the
 remote SSL site (gmail.com) so that the reverse proxy server would
 decrypt and encrypt, if I am not mistaken.

 -- Matt

 On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:  apache
 or other reverse proxy...



Re: openbsd ca tutorial

2009-10-29 Thread Joachim Schipper
On Thu, Oct 29, 2009 at 09:23:09PM +0100, Abdullah Sendul wrote:
  I am trying to create my own CA on openbsd. but unfortunately couldn't
  find any tutorial on this, there are some on freebsd, linux, but they
  are giving some errors.
 
  If I am understanding you correctly, you might want to look here:
  http://www.openbsd.org/faq/faq10.html#HTTPS
 
 sorry not a self signed cert.
 a certificate authority

*Read* the FAQ. It tells you about openssl ca. Is that insufficient?

Joachim



CPU of 50% for Interrupts?

2009-10-29 Thread Roger Schreiter
Hi,

top shows a CPU usage of 50% for interrupts, when
my router forwards 1.5 Mbit/s of IP traffic.

My router is using OpenBSD 4.5, and running with
a  VIA Eden Processor 1000MHz, which should imho be
able to handle that amount of IP traffic as router.

dmesg tells, that ACPI is not configured.

Are these values ok, or should I search for something
configured wrong?


Regards,
Roger.



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread xSAPPYx
On Thu, Oct 29, 2009 at 1:16 PM, Joachim Schipper
joac...@joachimschipper.nl wrote:
 I believe that work is currently underway to make it possible for
 multiple SSL-enabled hostnames to share a single IP address, but it will
 probably be quite a few years before this is remotely common.


There is a TLS extension, defined in RFC 4366, called Server Name
Indication for just this purpose.
http://en.wikipedia.org/wiki/Server_Name_Indication
http://en.wikipedia.org/wiki/Transport_Layer_Security#Support_for_name-based_virtual_servers
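Because the server_name extension xSAPPYx points to is sent unencrypted in the ClientHello, a gateway can read the requested host name without terminating TLS, which is the name-based allowlist the thread is after. Added example, not from the thread: a bounds-checked SNI parser with a per-client allowlist, assuming Node.js; the ClientHello, client address and allowlist are constructed. SNI is asserted by the client, so it complements the destination check rather than replacing it.

```javascript
// Added example (not from the thread): read the server_name (SNI) extension out
// of a TLS ClientHello and judge it against a per-client allowlist (Node.js).
const u16 = n => Buffer.from([(n >> 8) & 0xff, n & 0xff]);
const u24 = n => Buffer.from([(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff]);

// Constructed sample: a minimal TLS 1.2 ClientHello carrying one SNI entry.
function buildClientHello(host) {
  const name = Buffer.from(host, 'ascii');
  const entry = Buffer.concat([Buffer.from([0]), u16(name.length), name]); // name_type 0 = host_name
  const list = Buffer.concat([u16(entry.length), entry]);
  const ext = Buffer.concat([u16(0), u16(list.length), list]);             // extension type 0
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),          // client_version
    Buffer.alloc(32, 0x11),             // random (fixed for the sample)
    Buffer.from([0]),                   // session_id: empty
    u16(2), Buffer.from([0xc0, 0x2f]),  // one cipher suite
    Buffer.from([1, 0]),                // compression_methods: null
    u16(ext.length), ext,               // extensions block
  ]);
  const hs = Buffer.concat([Buffer.from([1]), u24(body.length), body]);   // handshake type 1
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(hs.length), hs]);
}

// Returns the lower-cased SNI host name, or null unless the bytes are a
// well-formed ClientHello with a server_name extension (every length checked).
function extractSNI(rec) {
  if (rec.length < 9 || rec[0] !== 0x16 || rec[5] !== 0x01) return null;
  const end = Math.min(rec.length, 5 + rec.readUInt16BE(3), 9 + rec.readUIntBE(6, 3));
  let p = 9 + 2 + 32;                                   // skip version and random
  if (p >= end) return null;
  p += 1 + rec[p];                                      // session_id
  if (p + 2 > end) return null;
  p += 2 + rec.readUInt16BE(p);                         // cipher_suites
  if (p + 1 > end) return null;
  p += 1 + rec[p];                                      // compression_methods
  if (p + 2 > end) return null;                         // no extensions at all
  const extEnd = Math.min(end, p + 2 + rec.readUInt16BE(p));
  p += 2;
  while (p + 4 <= extEnd) {
    const type = rec.readUInt16BE(p), len = rec.readUInt16BE(p + 2);
    p += 4;
    if (p + len > extEnd) return null;
    if (type === 0) {                                   // server_name
      if (len < 5 || rec[p + 2] !== 0) return null;     // expect one host_name entry
      const nameLen = rec.readUInt16BE(p + 3);
      if (5 + nameLen > len) return null;
      return rec.toString('ascii', p + 5, p + 5 + nameLen).toLowerCase();
    }
    p += len;
  }
  return null;
}

// Per-client allowlist keyed by private IP, as the thread proposes (constructed).
const ALLOW = { '192.168.1.10': ['gmail.com', 'mail.google.com'] };
function decide(clientIp, rec) {   // fail closed: no SNI or unknown client blocks
  const sni = extractSNI(rec);
  if (sni === null) return 'block';
  const ok = (ALLOW[clientIp] || []).some(d => sni === d || sni.endsWith('.' + d));
  return ok ? 'pass' : 'block';
}
```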



Re: 4.6: Troubles with forwarding between vlan interfaces

2009-10-29 Thread Alexander Shikoff
I apologise. My mistake - misconfiguration of host in local network.

On Thu, Oct 29, 2009 at 10:39:43PM +0200, Alexander Shikoff wrote:
 Hello,
 
 I'm trying to setup a router on OpenBSD 4.6 (amd64). I have only one
 physical port on it, so I've decided to use 802.1Q VLANs: vlan2 is used
 to connect to ISP, vlan663 - LAN.
 
 Here a configuration of interfaces:
 em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         lladdr 00:e0:81:b1:8d:d7
         priority: 0
         media: Ethernet autoselect (1000baseT full-duplex)
         status: active
         inet6 fe80::2e0:81ff:feb1:8dd7%em0 prefixlen 64 scopeid 0x1
 
 vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         lladdr 00:e0:81:b1:8d:d7
         priority: 0
         vlan: 2 priority: 0 parent interface: em0
         groups: vlan egress
         inet6 fe80::2e0:81ff:feb1:8dd7%vlan2 prefixlen 64 scopeid 0x5
         inet x.x.x.226 netmask 0xfffc broadcast x.x.x.227
 
 vlan663: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         lladdr 00:e0:81:b1:8d:d7
         priority: 0
         vlan: 663 priority: 0 parent interface: em0
         groups: vlan
         inet6 fe80::2e0:81ff:feb1:8dd7%vlan663 prefixlen 64 scopeid 0x6
         inet y.y.y.161 netmask 0xffe0 broadcast y.y.y.191
 
 x.x.x.224/30 - Interconnect with my ISP
 y.y.y.160/27 - My LAN
 
 I can ping from internet both IPs x.x.x.226 and y.y.y.161, but
 cannot ping IP from LAN y.y.y.162. It looks strange because I can ping it
 from my box and net.inet.ip.forwarding is set to 1:
 
 # arp -an
 ? (y.y.y.162) at 00:13:02:51:3a:43 on vlan663
 ? (x.x.x.225) at 00:21:59:1b:18:80 on vlan2
 
 # ping y.y.y.162
 PING y.y.y.162 (y.y.y.162): 56 data bytes
 64 bytes from y.y.y.162: icmp_seq=0 ttl=64 time=6.798 ms
 64 bytes from y.y.y.162: icmp_seq=1 ttl=64 time=3.588 ms
 --- y.y.y.162 ping statistics ---
 2 packets transmitted, 2 packets received, 0.0% packet loss
 round-trip min/avg/max/std-dev = 3.588/5.193/6.798/1.605 ms
 
 # sysctl net.inet.ip.forwarding
 net.inet.ip.forwarding=1
 
 pf is enabled and passes all traffic:
 # pfctl -sr
 pass all flags S/SA keep state
 
 
 Any help will be kindly appreciated! Thanks.
 
 -- 
 MINO-RIPE
 

-- 
MINO-RIPE



Re: openbsd ca tutorial

2009-10-29 Thread Marco Peereboom
anything openssl is insufficient.  When possible avoid OpenSSL.

On Thu, Oct 29, 2009 at 10:14:05PM +0100, Joachim Schipper wrote:
 On Thu, Oct 29, 2009 at 09:23:09PM +0100, Abdullah Sendul wrote:
   I am trying to create my own CA on openbsd. but unfortunately couldn't
   find any tutorial on this, there are some on freebsd, linux, but they
   are giving some errors.
  
   If I am understanding you correctly, you might want to look here:
   http://www.openbsd.org/faq/faq10.html#HTTPS
  
  sorry not a self signed cert.
  a certificate authority
 
 *Read* the FAQ. It tells you about openssl ca. Is that insufficient?
 
   Joachim



Re: openbsd ca tutorial

2009-10-29 Thread Todd Alan Smith
On Thu, Oct 29, 2009 at 4:24 PM, Bob Beck b...@ualberta.ca wrote:
 http://lmgtfy.com/?q=OpenSSL+set+up+own+Certificate+Authority

Bob, that's hilarious! I wasn't aware of that site.



Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

2009-10-29 Thread Marcello Cruz
I'm not sure about Linux, but with Windows the WPAD works fine, even if the 
computers are not members of an AD. The IE comes with the default Automatic 
proxy configuration.


So, you don't need to configure it. The problem is that some programs try to 
find the wpad script in the wrong (?) place. The AV programs are good 
examples. To solve this problem, my wpad script is in the default site and I 
don't have to bother with configuring the AV on each computer.


Rgds,
PS: When I say wrong place, I mean a place different than Windows.



- Original Message - 
From: Matthew Young myoung24...@gmail.com

To: misc@openbsd.org
Sent: Thursday, October 29, 2009 7:02 PM
Subject: Re: PF challenge dealing with HTTPS URL restriction policies.. 
would it help, other possible solution?




Marcello,

Thank you.. this is good except that I need to configure all my
browsers for downloading the pac file, and some Adware/antivirus will
not auto discover this.. my users are linux as well as windows sadly.
So while this is a lot more practical than manually configuring
proxies in the machines it is not an option for the requirement of
this project.

Thanks.

-Matt

On Thu, Oct 29, 2009 at 3:55 PM, Bob Beck b...@ualberta.ca wrote:

browsing ssl by IP addresses will also result in certificate conflicts
- because the ssl cert is for the name not the IP address.

So if they were willing to do that, they're willing to have your
stupid reverse proxy mitm all your certificates since they'll also
fail.

Perhaps between my extremely subtle taunting, I should give up and
just ask you *why* the hell do you want to do this?


2009/10/29 Matthew Young myoung24...@gmail.com:

This is great, however our LAN users are all technical. They would
know and the next thing I have is people browsing the internet through
IPs.

It was good, but not applicable here.


On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com 
wrote:
So run your own dns and only resolve good domains. Then the proxy can 
only

find the things you want it to.

On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote:

Hello,

If I use a reverse proxy I would have to know the SSL key of the
remote SSL site (gmail.com) so that the reverse proxy server would
decrypt and encrypt, if I am not mistaken.

-- Matt

On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote:  
apache

or other reverse proxy...




Re: Native Instruments 'Soundcards'

2009-10-29 Thread Nick Guenther
On Thu, Oct 29, 2009 at 12:42 AM, Jacob Meuser jake...@sdf.lonestar.org
wrote:
 the alsa driver looks to be a complete driver that has nothing to do
 with any of the usb standards based drivers for audio or midi.  one
 of the copyright holders on the alsa driver has an @caiaq.de email
 address.  http://caiaq.de doesn't have much info, but it says
 hardware development.  I'm guessing these guys (caiaq.de) developed
 this hardware and the drivers.  why it doesn't use the usb audio and
 midi standards though, I cannot answer.

Well because this just seems so braindead I'm bugging Native
Instruments and the @caiaq.de guy; I'll let you all know if any useful
info comes out of that.

I got this from one of their fanbois on their forums:
 hmm,
 ... it is a soundcard
 ... you connect it via usb
 ... it works via usb

 therefore Audio4DJ is definitely a USB soundcard!

 That Audio4 is not working with linux doesn't disqualify it,
 as long NI doesn't promote it for doing that.
Which is kind of Arggh stupid people. I was hoping we were past the
days of being slaves to vendors for compatibility. (And I did mention
OpenBSD, he's probably just unaware that anything besides
win/mac/linux exists.)



Highway Code exam!

2009-10-29 Thread Codigo da Estrada 2009
If this e-mail does not display correctly, please click HERE.


HIGHWAY CODE EXAM




Test your knowledge of the new Highway Code and check whether you are fit 
to drive.

CONFIDENTIALITY GUARANTEE Enter your details and receive a PIN on your 
mobile phone to validate your identity and find out your test result.





INFORMATIVE NOTE: This email is intended solely and exclusively to inform 
potential users and cannot be considered SPAM. According to the 
international legislation regulating electronic mail, an email cannot be 
considered SPAM when it includes a way for the recipient to be removed 
from the sender's list. If you do not wish to receive these emails any more, 
click HERE. 



Re: CPU of 50% for Interrupts?

2009-10-29 Thread Philip Guenther
On Thu, Oct 29, 2009 at 2:27 PM, Roger Schreiter ro...@planinternet.de
wrote:
 top shows a CPU usage of 50% for interrupts, when
 my router forwards 1.5 Mbit/s of IP traffic.

 My router is using OpenBSD 4.5, and running with
 a  VIA Eden Processor 1000MHz, which should imho be
 able to handle that amount of IP traffic as router.

I'm no networking hardware expert, but I do know that some cards are
better than others.  Anyone answering your question would probably find
your dmesg helpful in doing so.  The output of 'vmstat -i' may be
useful too.


Philip Guenther



relayd(8) packet/rewrite/buffer limit?

2009-10-29 Thread Bryan Allen
I've got relayd(8) on a stock OpenBSD 4.5 system sitting in front of our public
webservers, and have been very happy with it.

Recently I got the idea of putting it in front of our SMTP/SASL systems.

The initial testing went very well, but when testing with a large attachment,
it took upwards of a minute to relay it to the backend host. dlg@ suggested I
set EVENT_NOKQUEUE, which knocked about 40 seconds off the send.

redirect sasl {
  listen on $sasl_ext_addr port 25 interface em0
  forward to sasl port 1125 check tcp
}

Directly to the SASL zone:

  $ export EVENT_NOKQUEUE=1
  $ time ./sasl_test.pl 63KB
  Spamming... sasl
  real    0m1.734s

  $ time ./sasl_test.pl 64KB
  Spamming... sasl
  real    0m1.536s

  $ time ./sasl_test.pl 4MB
  Spamming... sasl
  real    0m8.687s

  $ time ./sasl_test.pl 20MB
  Spamming... sasl
  real    0m38.670s

And via relayd(8):

  $ export EVENT_NOKQUEUE=1
  $ time ./sasl_test.pl 63KB
  Spamming... border-sasl-smtp
  real    0m1.547s

  $ time ./sasl_test.pl 64KB
  Spamming... border-sasl-smtp
  real    0m38.427s

  $ time ./sasl_test.pl 4MB
  Spamming... border-sasl-smtp
  real    1m17.339s

  $ time ./sasl_test.pl 20MB
  Spamming... border-sasl-smtp
  real    1m13.776s

The vast majority of attachments (or even messages) I'm going to see go through
these systems is going to be 64KB, so everyone is going to get bit by this.

Can anyone offer any insight?

(I don't see anything in plus46.html that would suggest this is a bug fixed
since 4.5.)

Cheers.
-- 
bda
cyberpunk is dead. long live cyberpunk.



Re: route-to/reply-to broken?

2009-10-29 Thread Stuart Henderson
In case people reading this thread didn't notice the commits yet,
this works again in -current (thanks jsg and claudio). Make sure you
upgrade pfctl and kernel together.



Re: 4.6 hang

2009-10-29 Thread Steve Shockley
Just as another update, I replaced the fiber em card with a bge, and the 
problems went away.




Re: Native Instruments 'Soundcards'

2009-10-29 Thread Jacob Meuser
On Thu, Oct 29, 2009 at 06:11:20PM -0400, Nick Guenther wrote:
 On Thu, Oct 29, 2009 at 12:42 AM, Jacob Meuser jake...@sdf.lonestar.org
 wrote:
  the alsa driver looks to be a complete driver that has nothing to do
  with any of the usb standards based drivers for audio or midi.  one
  of the copyright holders on the alsa driver has an @caiaq.de email
  address.  http://caiaq.de doesn't have much info, but it says
  hardware development.  I'm guessing these guys (caiaq.de) developed
  this hardware and the drivers.  why it doesn't use the usb audio and
  midi standards though, I cannot answer.
 
 Well because this just seems so braindead I'm bugging Native
 Instruments and the @caiaq.de guy; I'll let you all know if any useful
 info comes out of that.
 
 I got this from one of their fanbois on their forums:
  hmm,
  ... it is a soundcard
  ... you connect it via usb
  ... it works via usb
 
  therefore Audio4DJ is definitely a USB soundcard!
 
  That Audio4 is not working with linux doesn't disqualify it,
  as long NI doesn't promote it for doing that.
 Which is kind of Arggh stupid people. I was hoping we were past the
 days of being slaves to vendors for compatibility. (And I did mention
 OpenBSD, he's probably just unaware that anything besides
 win/mac/linux exists.)

I went to native-instruments.com to see if they claim their products
are USB audio/midi standards compliant.  sure it's a USB soundcard,
but that doesn't necessarily imply that it's standards compliant.
the site is all Flash.  that should give some indication of how aware/
considerate they are of alternative operating systems.

otoh, the USB audio standard is not so easy to comprehend ...

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Marketing, sales and collections strategy - SEMINAR-WORKSHOP Thursday 5/11/2009

2009-10-29 Thread EsAG Uruguay
  EsAG invites you:



Seminar-workshop:

Event name | Commercial development for SMEs (sales, marketing and 
collections management).

Date | Thursday, 5 November 2009.

Venue | Hotel Ibis (Rambla Sur, Montevideo).

Time | From 18:00 to 22:00.

Investment | Registering and paying before 2/11/2009: $U 850. Full price: 
$U 1000.

Payment method | Collector, Abitab, BROU, VISA, OCA and ANDA.

Contact | (02) 314.1688

Certificate and extra materials provided.



 

LIMITED PLACES



You can cancel this mailing through this same channel