Re: powering off with shutdown -hp?
Rene wrote:
> You can try to disable apm in the kernel config.

Christian wrote:
> Remco wrote:
>> If I remember correctly, the following hack in /etc/sysctl.conf worked for me on a Pentium II machine:
>>
>> machdep.apmhalt=1 # 1=powerdown hack, try if halt -p doesn't work
>
> It does work for my Pentium III-based Thinkpad A20m.

Both methods worked! Either by disabling apm at UKC or by editing sysctl.conf.

Theo wrote:
> There is a sophisticated heuristic in play.

Thanks for jogging my memory! Not that the following describes all the gory details, but part of this heuristic is based on the SMBIOS version. Single processor system older than 2.4 (mine's 2.1) gets APM:

http://marc.info/?l=openbsd-tech&m=124545473209570&w=2

If anyone cares to indulge me further, is there any preference/advantage of going with ACPI over APM?

Thanks again for such a great operating system! I'm always amazed at how OpenBSD helps keep old systems usable!
Re: Tomorrow: Amsterdam OpenBSD 4.6 release party!
On Wed, Oct 28, 2009 at 02:08:07PM +0100, chefren wrote:
> Tomorrow, Thursday 29th of October:
>
> Cafe de Deugniet
> Oude Brugsteeg 12, 1012 JP Amsterdam
>
> http://maps.google.nl/maps?f=q&hl=en&q=Oudebrugsteeg+12,+Amsterdam+1012+Amsterdam,+North+Holland,+The+Netherlands&sll=52.469397,5.509644&sspn=3.741684,6.097412&ie=UTF8&cd=1&geocode=0,52.375293,4.897561&t=h&z=17&iwloc=addr
>
> 18:00 gathering in front of De Deugniet, we will find some food in the neighborhood that has lots of places where we can eat.
>
> From 20:00 on we will gather into De Deugniet itself and have a drink on OpenBSD 4.6!
>
> +++chefren

IK kan er helaas niet bij zijn, maar maak er wat moois van.

-Otto
Re: Tomorrow: Amsterdam OpenBSD 4.6 release party!
On Thu, Oct 29, 2009 at 07:54:10AM +0100, Otto Moerbeek wrote:
> On Wed, Oct 28, 2009 at 02:08:07PM +0100, chefren wrote:
>> Tomorrow, Thursday 29th of October:
>>
>> Cafe de Deugniet
>> Oude Brugsteeg 12, 1012 JP Amsterdam
>>
>> http://maps.google.nl/maps?f=q&hl=en&q=Oudebrugsteeg+12,+Amsterdam+1012+Amsterdam,+North+Holland,+The+Netherlands&sll=52.469397,5.509644&sspn=3.741684,6.097412&ie=UTF8&cd=1&geocode=0,52.375293,4.897561&t=h&z=17&iwloc=addr
>>
>> 18:00 gathering in front of De Deugniet, we will find some food in the neighborhood that has lots of places where we can eat.
>>
>> From 20:00 on we will gather into De Deugniet itself and have a drink on OpenBSD 4.6!
>>
>> +++chefren
>
> IK kan er helaas niet bij zijn, maar maak er wat moois van.
>
> -Otto

Ehh, I missed to Cc: to m...@. The message says: Unfortunately I cannot be there, but have a good time.

-Otto
Re: Anyway to force IP to be assigned only if MAC matches?
Hi,

On Wed, 28.10.2009 at 17:29:36 -0500, Andres Salazar ndrsslz...@gmail.com wrote:
> I have dhcp enabled on my LAN which assigns an IP according to the client's MAC address, however if a user wanted to be malicious he can statically assign any IP to his NIC. He then has root access to the box.
>
> Isn't there any way I can force my ARP tables to only allow IPs to be assigned if the MAC address matches?

Some switches offer this kind of functionality, but they're not exactly cheap.

Kind regards,
--Toni++
Re: Anyway to force IP to be assigned only if MAC matches?
Google 802.1x port authentication then see if your switch is capable of doing it. (ebay might get you a switch that can) It'd block the rogue machine at the switch connection.

NB. it's possible to change mac addresses on machines so it's not really very secure. It's more of an inconvenience.

On Thu, 29 Oct 2009 09:36:02 +0100, Toni Mueller openbsd-m...@oeko.net wrote:
> Hi,
>
> On Wed, 28.10.2009 at 17:29:36 -0500, Andres Salazar ndrsslz...@gmail.com wrote:
>> I have dhcp enabled on my LAN which assigns an IP according to the client's MAC address, however if a user wanted to be malicious he can statically assign any IP to his NIC. He then has root access to the box.
>>
>> Isn't there any way I can force my ARP tables to only allow IPs to be assigned if the MAC address matches?
>
> Some switches offer this kind of functionality, but they're not exactly cheap.
>
> Kind regards,
> --Toni++
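A detection-side complement to the replies in this thread, as an added example that is not part of any list message: compare observed IP/MAC pairs with the intended DHCP assignments and flag a reserved IP answering from a different MAC, or a known MAC using an IP it was not assigned. The bindings-file format, the function names and all sample addresses are constructed for illustration; the observed lines are modelled on BSD-style `arp -an` output. A machine that also clones the expected MAC is not caught, as the reply above points out.

```shell
#!/bin/sh
# Flag ARP entries that contradict the intended IP<->MAC assignments.
#
# check_bindings BINDINGS_FILE OBSERVED_FILE
#   BINDINGS_FILE: "ip mac" per line, '#' comments allowed (hypothetical format)
#   OBSERVED_FILE: text with one IPv4 address and one MAC per line
# Prints one finding per line; exit status is 1 if anything was flagged.
check_bindings() {
    awk '
    # Normalise a MAC: lower case, two hex digits per octet (0:1b -> 00:1b).
    function norm(mac,    n, p, i, out) {
        n = split(tolower(mac), p, ":")
        for (i = 1; i <= n; i++) {
            if (length(p[i]) == 1) p[i] = "0" p[i]
            out = (i == 1) ? p[i] : out ":" p[i]
        }
        return out
    }
    BEGIN {
        h = "[0-9A-Fa-f][0-9A-Fa-f]?"
        MACRE = h ":" h ":" h ":" h ":" h ":" h
        IPRE = "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
    }
    NR == FNR {                          # first file: intended bindings
        sub(/#.*/, "")
        if (NF >= 2) { want[$1] = norm($2); owner[norm($2)] = $1 }
        next
    }
    {                                    # second file: observed table
        if (!match($0, IPRE)) next
        ip = substr($0, RSTART, RLENGTH)
        if (!match($0, MACRE)) next      # skips "(incomplete)" entries
        mac = norm(substr($0, RSTART, RLENGTH))
        if (ip in want) {
            if (want[ip] != mac) {
                print "MISMATCH " ip " expected " want[ip] " seen " mac
                bad = 1
            }
        } else if (mac in owner) {
            print "MOVED " mac " assigned " owner[mac] " seen on " ip
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample data: documentation addresses and made-up MACs.
write_samples() {
    cat > "$1/bindings.txt" <<'EOF'
# ip            mac                  (what dhcpd is configured to hand out)
192.0.2.10      00:16:3e:00:00:0a
192.0.2.11      00:16:3e:00:00:0b
192.0.2.12      00:16:3e:00:00:0c
EOF
    cat > "$1/arp.txt" <<'EOF'
? (192.0.2.10) at 00:16:3e:00:00:0a on em1
? (192.0.2.11) at 00:16:3e:00:00:0c on em1
? (192.0.2.50) at 0:16:3e:0:0:b on em1
? (192.0.2.99) at (incomplete) on em1
EOF
}

# Run with --demo to check the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    check_bindings "$d/bindings.txt" "$d/arp.txt"
    rm -rf "$d"
fi
```

Run from cron against a saved copy of the gateway's ARP table, the non-zero exit status can drive an alert.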
Re: carp master - backup problem
Hello

I noticed that my netstat -s -p carp shows

    1068 discarded for bad authentication

My carp works okay otherwise, but should I worry about it? How to debug it?

Bryan Irvine wrote:
> VVV
> 372 discarded for unknown vhid
>
> I know someone else already pointed it out but this is worth drawing your attention to as well.
>
> -B
Re: wpa and wi
On 10/29/2009 12:34 AM, Rafael Ferreira Neves wrote:
> It's better you figure out what is the chipset of your wireless card and then search in the manpages to discover if WPA or WPA2 is supported for your card.

Thanks for the reply. I meant wi(4), and while the man page doesn't specifically say anything about wpa, I didn't know if it was hardware dependent or driver dependent.
Re: Problems with 4.5 as a KVM guest
Hi,

On Tue, 14.07.2009 at 11:27:13 -0600, Bob Beck b...@openbsd.org wrote:
> and/or ask the linux people to fix KVM to make it really a PC.

I'm running kvm 85+dfsg-4~bpo5 and see the following interesting behaviour with OpenBSD 4.6:

* /bsd.rd runs just fine, using the ne(4) driver, but
* /bsd (the uni-processor kernel) locks up hard during, or just after booting, showing ne3: timeout (or similar) messages white-on-blue in between.

Any ideas about what specifically to ask the Linux folks, please?

--
Kind regards,
--Toni++
Re: Problems with 4.5 as a KVM guest
On Thu, Oct 29, 2009 at 12:18:40PM +0100, Toni Mueller wrote:
> Hi,
>
> On Tue, 14.07.2009 at 11:27:13 -0600, Bob Beck b...@openbsd.org wrote:
>> and/or ask the linux people to fix KVM to make it really a PC.
>
> I'm running kvm 85+dfsg-4~bpo5 and see the following interesting behaviour with OpenBSD 4.6:
>
> * /bsd.rd runs just fine, using the ne(4) driver, but
> * /bsd (the uni-processor kernel) locks up hard during, or just after booting, showing ne3: timeout (or similar) messages white-on-blue in between.
>
> Any ideas about what specifically to ask the Linux folks, please?
>
> --
> Kind regards,
> --Toni++

Try setting the nic to e1000 on your kvm commandline.

John
Re: Secure way to delete data in hard disc
Noah Pugsley wrote:
> Can I interest you in a pair of steganograpanties? Or for cooler weather, steganograpantaloons?

are you suggesting there are messages hidden in pictures of beck's ass? the russians will be very upset. you should have taken thermite to those disks...

> Marco Peereboom wrote:
>> They'll use it as torture material during the next krieg.
>>
>> On Wed, Oct 28, 2009 at 04:48:28PM -0600, Bob Beck wrote:
>>> What, you have pictures of my ass too? Obviously I must make something to write a random pattern over my entire ass so that It won't be recognized if some germans steal it.
Re: Secure way to delete data in hard disc
On 29 October 2009 c. 15:34:42 Jacob Yocom-Piatt wrote:
> Noah Pugsley wrote:
>> Can I interest you in a pair of steganograpanties? Or for cooler weather, steganograpantaloons?
>
> are you suggesting there are messages hidden in pictures of beck's ass? the russians will be very upset. you should have taken thermite to those disks...

Yes, we're very, very upset! Personally I'm going to my two handy bears now, to drink vodka Putinka and think about using SA-20 as hard disc destroyer device...

--
Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: printing
Fred Crowson fred.crowson () googlemail ! com wrote:
> On 10/28/09, igor denisov denisovigor1...@rambler.ru wrote:
>> Hi, there,
>>
>> I have this and no idea what to do
>>
>> lpq
>> Warning: no daemon present
>> Rank Owner Job Files Total Size
>> 1st me 14 (standard input)
>>
>> regards
>> --
>> igor denisov.
>
> Read the man pages?

This is correct. Have a look at 'man lpq' (your original command):

    DESCRIPTION
    lpq examines the spooling area used by lpd(8) for printing files on the line printer, and reports the status of the specified jobs or all jobs associated with a user.

Etcetera ...

You guessed it, go to 'man lpd':

    DESCRIPTION
    lpd is the line printer daemon (spool area handler) and is normally invoked at boot time from the rc(8) file.

Etcetera ...

Therefore, look at 'man rc'. Coincidentally lpd is the provided sample:

    CONFIGURATION EXAMPLES
    The rc.conf(8) file etcetera ...

    For example, the lpd(8) daemon is controlled by the following line:

        lpd_flags=NO # for normal use: (or -l for debugging)

    This does not start lpd(8) at system startup. To start lpd(8), the following entry can be used:

        lpd_flags= # for normal use: (or -l for debugging)

    Alternately, lpd(8) can be started with the -l flag (to log remote connections):

        lpd_flags=-l # for normal use: (or -l for debugging)

I don't print but I suspect that your problem is your rc.conf(.local).

    # cat rc.conf | grep lpd
    lpd_flags=NO # for normal use: (or -l for debugging)

Have a look there for starters.

Best wishes.
Re: Problems with 4.5 as a KVM guest
On 12:18, Thu 29 Oct 09, Toni Mueller wrote:
> Hi,
>
> On Tue, 14.07.2009 at 11:27:13 -0600, Bob Beck b...@openbsd.org wrote:
>> and/or ask the linux people to fix KVM to make it really a PC.
>
> I'm running kvm 85+dfsg-4~bpo5 and see the following interesting behaviour with OpenBSD 4.6:
>
> * /bsd.rd runs just fine, using the ne(4) driver, but
> * /bsd (the uni-processor kernel) locks up hard during, or just after booting, showing ne3: timeout (or similar) messages white-on-blue in between.
>
> Any ideas about what specifically to ask the Linux folks, please?

Set the nic to e1000 in KVM

--
Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?
Re: wpa and wi
On Thu, Oct 29, 2009 at 6:54 AM, Steve Shockley steve.shock...@shockley.net wrote:
> On 10/29/2009 12:34 AM, Rafael Ferreira Neves wrote:
>> It's better you figure out what is the chipset of your wireless card and then search in the manpages to discover if WPA or WPA2 is supported for your card.
>
> Thanks for the reply. I meant wi(4), and while the man page doesn't specifically say anything about wpa, I didn't know if it was hardware dependent or driver dependent.

Depends on the driver. Back in the day, wi was awesome and supported all the fun stuff, but it still doesn't use the generic 802.11 stack which is a requirement for WPA support.
Script to ping, traceroute a destination and record the time
Hi,

I am trying to troubleshoot a problem that is totally random and the one idea that would help me is to have a bash script that will ping a few destinations every minute, then do a traceroute to these destinations, record the time and all that output in a file. then the whole process would repeat minute.

This way, i'll be able to look at the script at the end of each day and find out if these destinations were reachable when a problem was reported. The problem/disconnect happens for a few minutes only.

Can any one help me get a script to do that?

Thanks,
Kim
Re: Script to ping, traceroute a destination and record the time
Hi,

On Thu, 29.10.2009 at 16:26:49 +0200, Kasper Adel karim.a...@gmail.com wrote:
> I am trying to troubleshoot a problem that is totally random and the one idea that would help me is to have a bash script that will ping a few destinations every minute, then do a traceroute to these destinations, record the time and all that output in a file. then the whole process would repeat minute.

I don't know what exactly you are going to do with the traceroute, which is both hard to implement, given your timing requirements, and tedious to evaluate, but if you could be content with pings and packet loss, I can recommend using Smokeping with aggressive settings, and/or some other things to trigger a traceroute in case of a problem.

Kind regards,
--Toni++
Re: Script to ping, traceroute a destination and record the time
On Thu, Oct 29, 2009 at 04:26:49PM +0200, Kasper Adel wrote:
> Hi,
>
> I am trying to troubleshoot a problem that is totally random and the one idea that would help me is to have a bash script that will ping a few destinations every minute, then do a traceroute to these destinations, record the time and all that output in a file. then the whole process would repeat minute.
>
> This way, i'll be able to look at the script at the end of each day and find out if these destinations were reachable when a problem was reported. The problem/disconnect happens for a few minutes only.
>
> Can any one help me get a script to do that?

If you can't whip this up yourself in a matter of 2 minutes they have the wrong person debugging it.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Script to ping, traceroute a destination and record the time
On Thu, Oct 29, 2009 at 04:26:49PM +0200, Kasper Adel wrote:
> Hi,
>
> I am trying to troubleshoot a problem that is totally random and the one idea that would help me is to have a bash script that will ping a few destinations every minute, then do a traceroute to these destinations, record the time and all that output in a file. then the whole process would repeat minute.

You may want to look at 'mtr' or 'mtr-tiny'. They should be in ports.

> This way, i'll be able to look at the script at the end of each day and find out if these destinations were reachable when a problem was reported. The problem/disconnect happens for a few minutes only.
>
> Can any one help me get a script to do that?
>
> Thanks,
> Kim

John
NTP not functioning for me.
Bonjour.

I have one of those little box peecees - no battery = no clock. Regardless, I wish to use OpenNTPD to organize time. My ISP kindly provides an ntp server.

    # uname -rsv
    OpenBSD 4.6 GENERIC#58

During boot I see this:

    starting network
    add net default: gateway 0.0.0.1
    starting system logger
    starting initial daemons: ntpd.

This sits there for maybe ten seconds and continues booting. Finally I see this (example):

    Mon Jul 13 10:23:29 CST 2009

    OpenBSD/i386 (myname.my.domain) (tty00)

    login:

The clock is using the time from the previous shutdown/reboot (and originally from the timestamp on the 4.6 install files). The only change appears to be from elapsed uptime.

This is my rc.conf.local:

    # cat rc.conf.local
    ntpd_flags=-s # enabled during install

This is my ntpd.conf (minus some comments):

    # cat ntpd.conf
    # $OpenBSD: ntpd.conf,v 1.11 2009/05/18 16:13:48 stevesk Exp $
    # Addresses to listen on (ntpd does not listen by default)
    listen on 150.101.x.x
    # sync to a single server
    server ntp.internode.on.net

This is using pppoe(4) and the listen interface is the pppoe address. My internet works fine and I have removed all filter rules from pf.conf to be sure. Regardless, with filtering happening the results look the same as per the log (below). In all cases the servers appear to be valid and the time difference found appears to be on the money: Jul 13 + ~108days ≈ Oct 30.

From /var/log/daemon:

    Jul 13 09:38:56 myname ntpd[20688]: adjusting local clock by 9377958.788013s
    Jul 13 09:39:27 myname ntpd[20688]: adjusting local clock by 9377958.680999s
    Jul 13 09:43:45 myname ntpd[20688]: adjusting local clock by 9377957.395701s
    Jul 13 09:44:19 myname ntpd[20688]: adjusting local clock by 9377957.230468s
    Jul 13 09:44:51 myname ntpd[20688]: adjusting local clock by 9377957.115971s
    Jul 13 09:48:39 myname ntpd[20688]: adjusting local clock by 9377956.019010s
    Jul 13 09:52:58 myname ntpd[20688]: adjusting local clock by 9377954.771459s

Etcetera.

I had this exact issue (anecdotally) with 4.5 and tried rdate (rc.conf.local):

    rdate_flags=ntp.internode.on.net

From memory this worked fine and the clock was set at boot. Certainly rdate worked.

Things I have done:

    # ntpd -n
    configuration OK
    # rdate -p ntp.internode.on.net
    Fri Oct 30 01:09:33 CST 2009

Things I noted: I have no drift file (/var/db/ntpd.drift).

Any advice appreciated.

Best wishes.
Re: Tomorrow: Amsterdam OpenBSD 4.6 release party!
Quoting Otto Moerbeek o...@drijf.net:
> On Wed, Oct 28, 2009 at 02:08:07PM +0100, chefren wrote:
>> Tomorrow, Thursday 29th of October:
>>
>> Cafe de Deugniet
>> Oude Brugsteeg 12, 1012 JP Amsterdam
>>
>> http://maps.google.nl/maps?f=q&hl=en&q=Oudebrugsteeg+12,+Amsterdam+1012+Amsterdam,+North+Holland,+The+Netherlands&sll=52.469397,5.509644&sspn=3.741684,6.097412&ie=UTF8&cd=1&geocode=0,52.375293,4.897561&t=h&z=17&iwloc=addr
>>
>> 18:00 gathering in front of De Deugniet, we will find some food in the neighborhood that has lots of places where we can eat.
>>
>> From 20:00 on we will gather into De Deugniet itself and have a drink on OpenBSD 4.6!
>>
>> +++chefren
>
> IK kan er helaas niet bij zijn, maar maak er wat moois van.
>
> -Otto

Ik ben jaloers! Drink goed bier! (I hope I said that intelligibly)

--STeve Andre'
Re: Secure way to delete data in hard disc
2009/10/28 Noah Pugsley noa...@bendtel.com:
> Can I interest you in a pair of steganograpanties? Or for cooler weather, steganograpantaloons?

The problem with steganograpanties is that residual images of my ass are present *underneath* the panties - therefore if the offending Germans were to use high technology panty-removing chemicals (like ethanol) they could actually view the residual data present underneath the panties!

As assuredly every german who is after my ass will possess this technology it behooves me to take adequate precautions to obscure the data... I'm thinking kind of along the lines of the full-ass Kat-Von-D stenographic ass-stealthing tattoo...
Re: Script to ping, traceroute a destination and record the time
> If you can't whip this up yourself in a matter of 2 minutes they have the wrong person debugging it.

+1

If you can't already write this don't panic - it is possibly the best opportunity you may have to get your feet wet.

Motivation - fix that problem.
Interesting - who doesn't like learning?
Simplicity - it doesn't get much easier.

If I can do it you can do it. Here's a starter. Read man sh. Especially Input/output redirection. Then read Command syntax.

Remember a script (as per your request) is to save you doing this stuff manually (too lazy, not quick enough, busy sleeping, etcetera). In other words you can type this stuff at the shell instead and see what it does. :] Not only will you learn how to script your command vocabulary will grow and grow ...

I am very much the beginner @ shell scripts but experience on another platform tells me you won't get a better opportunity.

*cough*

    ping -c 1 microsoft.com | grep received > report.file && echo Yeehah!

*sneeze*

man: sed, grep, cat, etcetera.

Not what you want but a push in the right direction.

Best wishes.
Re: 200g harddisk after newfs = Available 174g?
Manufacturers use the 'giga' prefix in the International System meaning. That said, 1Gb would be 10^9 = 1,000,000,000 bytes.

Computer programmers, OS and all around computer chit-chat use the prefix 'giga' to refer 2^30 = 1,073,741,824 bytes. IEC recommends calling this GiB, but it's uncommon.

Today, you could assume safely only manufacturers write Gb in the International System meaning; everybody else is referring to GiBs when talking about Gb.

Sum this fact with filesystem overhead, and you may get all your space!

Jennifer Ma wrote:
> hi all,
>
> lately, i obtained a seagate 200g(wd1) harddisk from my elder brother, after i disklabel, newfs and mount the disk. only 174g is shown as available, in windows(through samba), said 9.16g already been used. is there any way i can claim those space back? much thanks!
>
> # disklabel wd1
> # /dev/rwd1c:
> type: ESDI
> disk: ESDI/IDE disk
> label: ST3200826A
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 16
> sectors/cylinder: 1008
> cylinders: 16383
> total sectors: 390721968
> rpm: 3600
> interleave: 1
> trackskew: 0
> cylinderskew: 0
> headswitch: 0 # microseconds
> track-to-track seek: 0 # microseconds
> drivedata: 0
>
> 16 partitions:
> #        size  offset  fstype [fsize bsize  cpg]
>   a: 390721905      63  4.2BSD   2048 16384    1
>   c: 390721968       0  unused
>
> # df -h
> # Filesystem  Size  Used  Avail  Capacity  Mounted on
> /dev/wd0a     1.8G  1.4G   313M       82%  /
> /dev/wd1a     183G  2.0K   174G        0%  /www01
Re: Script to ping, traceroute a destination and record the time
thanks all for answering.

Traceroute will allow me to find out if during the short period of application disconnect is whether its an app problem or the network topology changes and where (which router) the packets couldnt get across.

Cheers,
Kim

On Thu, Oct 29, 2009 at 4:43 PM, Toni Mueller openbsd-m...@oeko.net wrote:
> Hi,
>
> On Thu, 29.10.2009 at 16:26:49 +0200, Kasper Adel karim.a...@gmail.com wrote:
>> I am trying to troubleshoot a problem that is totally random and the one idea that would help me is to have a bash script that will ping a few destinations every minute, then do a traceroute to these destinations, record the time and all that output in a file. then the whole process would repeat minute.
>
> I don't know what exactly you are going to do with the traceroute, which is both hard to implement, given your timing requirements, and tedious to evaluate, but if you could be content with pings and packet loss, I can recommend using Smokeping with aggressive settings, and/or some other things to trigger a traceroute in case of a problem.
>
> Kind regards,
> --Toni++
Re: 200g harddisk after newfs = Available 174g?
On Wed, Oct 28, 2009 at 4:28 PM, Daniel Gracia Garallar danie...@electronicagracia.com wrote:
> Manufacturers use the 'giga' prefix in the International System meaning. That said, 1Gb would be 10^9 = 1,000,000,000 bytes.
>
> Computer programmers, OS and all around computer chit-chat use the prefix 'giga' to refer 2^30 = 1,073,741,824 bytes. IEC recommends calling this GiB, but it's uncommon.
>
> Today, you could assume safely only manufacturers write Gb in the International System meaning;

and Apple's Mac OS X 10.6

http://support.apple.com/kb/TS2419

--
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Re: 200g harddisk after newfs = Available 174g?
On Thu, Oct 29, 2009 at 11:35:18PM +0700, Edho P Arief wrote:
> On Wed, Oct 28, 2009 at 4:28 PM, Daniel Gracia Garallar danie...@electronicagracia.com wrote:
>> Manufacturers use the 'giga' prefix in the International System meaning. That said, 1Gb would be 10^9 = 1,000,000,000 bytes.
>>
>> Computer programmers, OS and all around computer chit-chat use the prefix 'giga' to refer 2^30 = 1,073,741,824 bytes. IEC recommends calling this GiB, but it's uncommon.
>>
>> Today, you could assume safely only manufacturers write Gb in the International System meaning;
>
> and Apple's Mac OS X 10.6
>
> http://support.apple.com/kb/TS2419

There are many stupid ideas in other operating systems, I don't see why we should be required to implement them.
Re: Script to ping, traceroute a destination and record the time
2009/10/29 Kasper Adel karim.a...@gmail.com
> thanks all for answering.
>
> Traceroute will allow me to find out if during the short period of application disconnect is whether its an app problem or the network topology changes and where (which router) the packets couldnt get across.
>
> Cheers,
> Kim
>
> On Thu, Oct 29, 2009 at 4:43 PM, Toni Mueller openbsd-m...@oeko.net wrote:
>> Hi,
>>
>> On Thu, 29.10.2009 at 16:26:49 +0200, Kasper Adel karim.a...@gmail.com wrote:
>>> I am trying to troubleshoot a problem that is totally random and the one idea that would help me is to have a bash script that will ping a few destinations every minute, then do a traceroute to these destinations, record the time and all that output in a file. then the whole process would repeat minute.
>>
>> I don't know what exactly you are going to do with the traceroute, which is both hard to implement, given your timing requirements, and tedious to evaluate, but if you could be content with pings and packet loss, I can recommend using Smokeping with aggressive settings, and/or some other things to trigger a traceroute in case of a problem.
>>
>> Kind regards,
>> --Toni++

I am playing with hping to monitor changes in traceroutes. You can specify which hop you want to monitor to a certain destination:

    # /usr/local/sbin/hping -c 1 -1 --traceroute --tr-keep-ttl --ttl 4 openbsd.org
    HPING openbsd.org (vic0 199.185.137.3): icmp mode set, 28 headers + 0 data bytes
    hop=4 TTL 0 during transit from ip=149.6.129.97 name=vl250.mpd03.ams03.atlas.cogentco.com
    hop=4 hoprtt=9.5 ms

As you can see hping will only output info about the 4th hop. Might be useful.

Regards,
--
Frans
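One way to build the logger this thread asks for, as an added example that is not part of any list message: ping each destination every minute, record a timestamped result, and run traceroute only for a destination that is losing packets, along the lines of the suggestion above to trigger a traceroute in case of a problem. The function names, the `LOG`, `INTERVAL` and `PING_COUNT` variables and the log layout are choices made for this example.

```shell
#!/bin/sh
# Usage: sh netwatch.sh host1 [host2 ...]
# Every INTERVAL seconds, ping each destination and append a timestamped
# result to LOG. traceroute runs only for a destination that shows packet
# loss, so a healthy cycle stays short and the log stays readable.

LOG=${LOG:-netwatch.log}
INTERVAL=${INTERVAL:-60}
PING_COUNT=${PING_COUNT:-3}

stamp() { date '+%Y-%m-%d %H:%M:%S'; }

# loss_of: read ping output on stdin and print the packet-loss percentage
# as an integer. Prints 100 when there is no summary line at all
# (for example when the name could not be resolved).
loss_of() {
    awk '/packet loss/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /%$/) {
                     sub(/%.*/, "", $i); print int($i); found = 1; exit
                 }
         }
         END { if (!found) print 100 }'
}

# probe_host HOST: log one line when HOST answers every ping; otherwise log
# the ping output and a numeric traceroute. Returns 0 only when loss is 0%.
probe_host() {
    host=$1
    out=$(ping -c "$PING_COUNT" "$host" 2>&1) || true
    loss=$(printf '%s\n' "$out" | loss_of)
    if [ "$loss" -eq 0 ]; then
        echo "$(stamp) $host OK loss=0%" >> "$LOG"
        return 0
    fi
    {
        echo "$(stamp) $host FAIL loss=${loss}%"
        printf '%s\n' "$out" | sed 's/^/    ping: /'
        # -n: no reverse DNS, -w 2: wait 2 s per probe, -q 1: one probe per hop
        traceroute -n -w 2 -q 1 "$host" 2>&1 | sed 's/^/    trace: /'
    } >> "$LOG"
    return 1
}

# run_cycle HOST...: probe every host once; returns 0 only if all were clean.
run_cycle() {
    failed=0
    for h in "$@"; do
        probe_host "$h" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}

# With destinations on the command line, loop until interrupted.
if [ "$#" -gt 0 ]; then
    while :; do
        run_cycle "$@" || :
        sleep "$INTERVAL"
    done
fi
```

At the end of the day, `grep FAIL netwatch.log` lists the minutes in which a destination was unreachable, with the traceroute taken at that moment directly underneath each entry.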
privileged instruction fault trap
Hello,

we are operating a BGP router using OpenBSD 4.5 since some weeks. Till today everything went fine. Today, the system crashed, causing an uptime much too short for an IP router.

Can someone guess the cause from the console output? Can we improve the kernel stability by any settings?

Panic output was:

    kernel: privileged instruction fault trap, code=0
    Stopped at ip_output +0xb8:
    ddb> _

(The last underscore is the cursor position.)

Any helpful hints?

Regards,
Roger.
Re: 200g harddisk after newfs = Available 174g?
There are many stupid ideas in other operating systems, I don't see why we should be required to implement them. Yeah, and the discussion of my ass is a more productive discussion than talking about making df display marketing gigabytes That'll happen in openbsd right after we switch the default filesystem to apple hfs, and while we're at it replace the yp code with netinfo because it's so much better.
Re: privileged instruction fault trap
2009/10/29 Roger Schreiter ro...@planinternet.de: Today, the system crashed, . kernel: privileged instruction fault trap, code=0 Stopped at ip_output +0xb8: ddb _ . Any helpful hints?

http://www.openbsd.org/cgi-bin/man.cgi?query=crash&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
nat,ipsec,pf,routing question
I'm sure I have seen the answer to my question here on the list some time ago, but I'm too stupid to find it again: In what order are the following operations performed on an IP packet?

a. IPSEC (decides whether a packet matches an IPSEC flow)
b. normal kernel routing
c. NAT
d. packet filtering (block/pass commands in pf.conf)

The reason I ask is that I failed to set up NAT for an IPSEC tunnel as described in http://marc.info/?l=openbsd-pf&m=115875312200995&w=2 As far as I understand, this can only work if NAT (on lo1) is performed before IPSEC checks for matching flows. Has this order been changed in OBSD4 (the above post from 2006 refers to OBSD 3.8)? There is a newer posting on the same issue at http://archives.neohapsis.com/archives/openbsd/2008-12/1110.html, suggesting essentially the same procedure. Regards Christoph
Re: 200g harddisk after newfs = Available 174g?
On Fri, Oct 30, 2009 at 12:13 AM, Bob Beck b...@ualberta.ca wrote: There are many stupid ideas in other operating systems, I don't see why we should be required to implement them. Yeah, and the discussion of my ass is a more productive discussion than talking about making df display marketing gigabytes for some reason I'm kind of offended by SI = marketing equation. note that I'm not suggesting anything. Things like this are already confusing and changing anything will probably just add even more confusion, etc. -- O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Re: 200g harddisk after newfs = Available 174g?
On Thu, Oct 29, 2009 at 10:13 AM, Bob Beck b...@ualberta.ca wrote: There are many stupid ideas in other operating systems, I don't see why we should be required to implement them. Yeah, and the discussion of my ass is a more productive discussion than talking about making df display marketing gigabytes That'll happen in openbsd right after we switch the default filesystem to apple hfs, and while we're at it replace the yp code with netinfo because it's so much better. Would you also please switch all the config files to XML since it's the standard? -B
Header re-writing and smtpd(8)
Good morning, I'm curious if anyone knows if it's possible to do header re-writing with smtpd(8). I have a project I would love to use smtpd(8) for but I'll need to figure a way to be able to re-write message headers as they relay through this server. The gist of it is, I would like to set up a mailbox server (zimbra) which routes mail to specific relay servers based on email domain. These relay servers would then re-write the Received: fields in the header of a message so that it looks like it's originating from the relay server. I've done this with Postfix before but I would much rather use smtpd(8) for its security and simplicity. Thanks in advance for any advice or information you have. Cheers, -Chris -- Chris Jones GDI Software Services Canada Inc. Suite 1300, 1500 West Georgia St. Vancouver, BC, Canada V6G 2Z6 Mobile: (604) 218-5981 Phone: (778) 373-0600 | Fax: (778) 373-0669
Re: 4.6 reboots x336 ibm server(s)
On Wed, Oct 28, 2009 at 4:13 PM, Joachim Schipper joac...@joachimschipper.nl wrote: Just to check the obvious: did you disable acpi when booting after the install? (And did you try both bsd and bsd.mp? The latter is less like the install kernel than the former.) Hello, the problem is related to the network cards alright. Disabling ppb* allows it to boot. My problem is that even if I disable a card in the bios, I cannot boot the system. I tried to disable ppb2 but it doesn't seem to take it. What am I missing? Cheers, Steph
Re: 200g harddisk after newfs = Available 174g?
On Wed, Oct 28, 2009 at 10:28:00AM +0100, Daniel Gracia Garallar wrote: Computer programmers, OS and all around computer chit-chat use the prefix 'giga' to refer to 2^30 = 1,073,741,824 bytes. IEC recommends calling this GiB, but it's uncommon. Today, you could assume safely only manufacturers write Gb in the International System meaning; everybody else is referring to GiBs when talking about Gb. ... except when talking about computer networks: in that case everybody *does* use the SI-prefixes and 1 Gb/sec really is 10^9 bits/second, and not 1073741824 bits/second. -- Jurjen Oskam Savage's Law of Expediency: You want it bad, you'll get it bad.
Re: 200g harddisk after newfs = Available 174g?
bits are absolute. this discussion should take a turn to beck's ass again. On Thu, Oct 29, 2009 at 07:29:54PM +0100, Jurjen Oskam wrote: On Wed, Oct 28, 2009 at 10:28:00AM +0100, Daniel Gracia Garallar wrote: Computer programmers, OS and all around computer chit-chat use the prefix 'giga' to refer to 2^30 = 1,073,741,824 bytes. IEC recommends calling this GiB, but it's uncommon. Today, you could assume safely only manufacturers write Gb in the International System meaning; everybody else is referring to GiBs when talking about Gb. ... except when talking about computer networks: in that case everybody *does* use the SI-prefixes and 1 Gb/sec really is 10^9 bits/second, and not 1073741824 bits/second. -- Jurjen Oskam Savage's Law of Expediency: You want it bad, you'll get it bad.
Re: 4.6 reboots x336 ibm server(s)
On Thu, Oct 29, 2009 at 06:06:03PM +, FRLinux wrote: On Wed, Oct 28, 2009 at 4:13 PM, Joachim Schipper joac...@joachimschipper.nl wrote: Just to check the obvious: did you disable acpi when booting after the install? (And did you try both bsd and bsd.mp? The latter is less like the install kernel than the former.) Hello, the problem is related to the network cards alright. Disabling ppb* allows it to boot. My problem is that even if I disable a card in the bios, i cannot boot the system. I tried to disable ppb2 but it doesn't seem to take it. What am I missing ? I'm not really sure what you are asking. Is your question answered by pointing you at the -u option of config(8) (i.e. showing you how to get the 'disable ppb*' to stick)? If not, you'll have to rephrase it or hope someone else understands it... Joachim
Re: Tomorrow: Amsterdam OpenBSD 4.6 release party!
On 29/10/09 00.23, Marco Peereboom wrote: In .nl? puhlease! Ahahahah ok. Next time, we organize a team of chefs for the event and I will be taking some specialties from Italy :) On Wed, Oct 28, 2009 at 11:07:52PM +0100, Francesco Vollero wrote: On Wed, 28/10/2009 at 22.20 +0100, chefren wrote: On 28-10-09 16:11, Francesco Vollero wrote: On Wed, 28/10/2009 at 14.08 +0100, chefren wrote: [snip] It's unfair :( I came back from Amsterdam this morning :( Francesco Ah, well, I will try to honor you by proposing Italian food, OK? Thanks :) But I hope you propose a real Italian place :) +++chefren Francesco
PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
Hello, I am looking for a way to have an allowed list of SSL enabled sites that an end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to transparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isn't the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site I do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides, gmail's https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truly really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
apache or other reverse proxy. 2009/10/29 Matthew Young myoung24...@gmail.com: Hello, Iam looking for a way to have an allowed list of SSL enabled sites that a end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to tranparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isnt the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site i do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmails https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truely really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. Iam not mistaken. -- Matt On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy. 2009/10/29 Matthew Young myoung24...@gmail.com: Hello, Iam looking for a way to have an allowed list of SSL enabled sites that a end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to tranparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isnt the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site i do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmails https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truely really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
may be able to do something with relayd, though i'm not sure. J On Thu, Oct 29, 2009 at 12:57 PM, Matthew Young myoung24...@gmail.comwrote: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. Iam not mistaken. -- Matt On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy. 2009/10/29 Matthew Young myoung24...@gmail.com: Hello, Iam looking for a way to have an allowed list of SSL enabled sites that a end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to tranparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isnt the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site i do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmails https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truely really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
openbsd ca tutorial
Hi, I am trying to create my own CA on openbsd, but unfortunately couldn't find any tutorial on this. There are some on freebsd, linux, but they are giving some errors. Can you please point me to the correct place if there is one? thanks \sendul
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
Yep. That's why https encrypts the url transmission. The point is you aren't *supposed* to be able to do that securely. Your reverse proxy which does this will look like the standard hotel room sillyness. 2009/10/29 Matthew Young myoung24...@gmail.com: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. Iam not mistaken. -- Matt On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy. 2009/10/29 Matthew Young myoung24...@gmail.com: Hello, Iam looking for a way to have an allowed list of SSL enabled sites that a end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to tranparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isnt the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. However the downside to this is that if gmail (or any other site i do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmails https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truely really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
Re: openbsd ca tutorial
Abdullah Sendul wrote: Hi, I am trying to create my own CA on openbsd. but unfortunately couldnt find any tutorial on this, there are some on freebsd, linux, but they are giving some errors. can you please point me correct place if there is one. thanks \sendul If I am understanding you correctly, you might want to look here: http://www.openbsd.org/faq/faq10.html#HTTPS -- -RSM http://www.erratic.ca
Re: openbsd ca tutorial
I am trying to create my own CA on openbsd. but unfortunately couldnt find any tutorial on this, there are some on freebsd, linux, but they are giving some errors. If I am understanding you correctly, you might want to look here: http://www.openbsd.org/faq/faq10.html#HTTPS sorry not a self signed cert. a certificate authority -- -RSM http://www.erratic.ca
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
On Thu, Oct 29, 2009 at 02:57:14PM -0500, Matthew Young wrote: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. Iam not mistaken. Any decent proxy server accepts the CONNECT method, which means that it basically passes the data through after validating the hostname - i.e. GMail handles its own SSL. I believe that work is currently underway to make it possible for multiple SSL-enabled hostnames to share a single IP address, but it will probably be quite a few years before this is remotely common. Joachim
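An added illustration of the hostname check described in the message above (not code from the thread or from any particular proxy): with CONNECT the proxy sees only `host:port` and the client's address, so a per-client allowlist needs no TLS key. The client addresses, hostnames and function names below are constructed for the example.

```python
import ipaddress

# Constructed policy: LAN client address -> hostnames it may tunnel to.
ALLOWLIST = {
    "192.168.1.10": {"mail.google.com", "www.openbsd.org"},
    "192.168.1.11": {"www.openbsd.org"},
}
ALLOWED_PORTS = {443}  # CONNECT to anything else is refused


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', or None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    if not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not (port.isascii() and port.isdigit()):
        return None
    # Hostnames are case-insensitive and a trailing dot names the same host,
    # so normalise before comparing against the allowlist.
    host = host.lower().rstrip(".")
    if not host:
        return None
    return host, int(port)


def is_ip_literal(host):
    """True for IPv4 literals and bracketed or bare IPv6 literals."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def decide(client_ip, request_line):
    """Return the status the proxy would answer this CONNECT with."""
    target = parse_connect(request_line)
    if target is None:
        return "400 Bad Request"
    host, port = target
    if port not in ALLOWED_PORTS:
        return "403 Forbidden"
    # Address literals bypass a name-based policy, so refuse them outright.
    if is_ip_literal(host):
        return "403 Forbidden"
    if host not in ALLOWLIST.get(client_ip, set()):
        return "403 Forbidden"
    # From here the proxy resolves `host` itself and relays opaque bytes;
    # the remote site still terminates its own SSL session.
    return "200 Connection established"


if __name__ == "__main__":
    for ip, line in [
        ("192.168.1.10", "CONNECT mail.google.com:443 HTTP/1.1"),
        ("192.168.1.11", "CONNECT mail.google.com:443 HTTP/1.1"),
        ("192.168.1.10", "CONNECT 192.0.2.10:443 HTTP/1.1"),
    ]:
        print(ip, line, "->", decide(ip, line))
```

The check only applies to clients that are configured to use the proxy, which is the constraint discussed elsewhere in this thread.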
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
On Thu, Oct 29, 2009 at 3:42 PM, Matthew Young myoung24...@gmail.com wrote: I am looking for a way to have an allowed list of SSL enabled sites that an end user can browse... Off-topic, but if the users are knowledgeable with OpenSSH, they can go around any obstacle you place in front of them and all you'll see is an ssh tunnel going out of your network. Most OpenBSD folks are aware of this, but it bears repeating. Smart, determined users cannot be controlled. Brad
Re: decreasing the size of the distribution
great thanks, now my distribution is 4MB :) \sendul On Tue, Oct 27, 2009 at 4:02 AM, James Records james.reco...@gmail.com wrote: Take a look at www.mindrot.org/projects/flashboot It builds a minimal ramdisk based bsd.gz of around ~6MB You can customize the install script and get whatever binaries you need in there, just read the README file. It will take some tinkering but you should be able to get what you want with this build system J On Sun, Oct 25, 2009 at 4:10 PM, Abdullah Sendul coffeesm...@gmail.com wrote: Hi, we are having a couple of openbsd servers, of which, the content is static. I would like to identify all the files needed for this system to run, and then move it to a flash disk to minimise the size of the distribution find -mtime -atime is giving me some ideas, but is this the right approach to remove the rest of the files not used on the system. what do you suggest? thanks \sendul
Re: openbsd ca tutorial
http://lmgtfy.com/?q=OpenSSL+set+up+own+Certificate+Authority 2009/10/29 Abdullah Sendul coffeesm...@gmail.com: Hi, I am trying to create my own CA on openbsd. but unfortunately couldnt find any tutorial on this, there are some on freebsd, linux, but they are giving some errors. can you please point me correct place if there is one. thanks \sendul
Re: openbsd ca tutorial
On Thu, Oct 29, 2009 at 09:12:09PM +0100, Abdullah Sendul wrote: Hi, I am trying to create my own CA on openbsd. but unfortunately couldnt find any tutorial on this, there are some on freebsd, linux, but they are giving some errors. can you please point me correct place if there is one. You have already been given a reference to the FAQ, but please consider cacert.org as well. Joachim
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
This is great, however our LAN users are all technical. They would know and the next thing I have is people browsing the internet through IPs. It was good, but not applicable here. On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com wrote: So run your own dns and only resolve good domains. Then the proxy can only find the things you want it to. On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken. -- Matt On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy...
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
Not unless you know the ip addresses of everything you're hitting. No amount of magic will make relayd intercept an https session and get the url out without sending a bogus certificate to the user. If you have a limited set of places to go, sure, it'll work, but so will just a plain old pf rule restricting outbound 443 connections to the same set of addresses. Trying to do this for akamai type moving targets will be an exercise in frustration though. You could always just ensure all your users are using internet explorer or firefox with all the whining turned off, and intercept the ssl cookies anyway. Most of the users probably won't notice or will click ok and simply blather along after clicking ok enough times to make it accept the forgery. 2009/10/29 James Records james.reco...@gmail.com: may be able to do something with relayd, though i'm not sure. J On Thu, Oct 29, 2009 at 12:57 PM, Matthew Young myoung24...@gmail.com wrote: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken. -- Matt On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy. 2009/10/29 Matthew Young myoung24...@gmail.com: Hello, I am looking for a way to have an allowed list of SSL enabled sites that an end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to transparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isn't the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. 
However the downside to this is that if gmail (or any other site i do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmails https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truely really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
4.6: Troubles with forwarding between vlan interfaces
Hello, I'm trying to set up a router on OpenBSD 4.6 (amd64). I have only one physical port on it, so I've decided to use 802.1Q VLANs: vlan2 is used to connect to ISP, vlan663 - LAN. Here is a configuration of interfaces:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:b1:8d:d7
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::2e0:81ff:feb1:8dd7%em0 prefixlen 64 scopeid 0x1
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:b1:8d:d7
        priority: 0
        vlan: 2 priority: 0 parent interface: em0
        groups: vlan egress
        inet6 fe80::2e0:81ff:feb1:8dd7%vlan2 prefixlen 64 scopeid 0x5
        inet x.x.x.226 netmask 0xfffc broadcast x.x.x.227
vlan663: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:b1:8d:d7
        priority: 0
        vlan: 663 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::2e0:81ff:feb1:8dd7%vlan663 prefixlen 64 scopeid 0x6
        inet y.y.y.161 netmask 0xffe0 broadcast y.y.y.191

x.x.x.224/30 - Interconnect with my ISP
y.y.y.160/27 - My LAN

I can ping from internet both IPs x.x.x.226 and y.y.y.161, but cannot ping IP from LAN y.y.y.162. It looks strange because I can ping it from my box and net.inet.ip.forwarding is set to 1:

# arp -an
? (y.y.y.162) at 00:13:02:51:3a:43 on vlan663
? (x.x.x.225) at 00:21:59:1b:18:80 on vlan2
# ping y.y.y.162
PING y.y.y.162 (y.y.y.162): 56 data bytes
64 bytes from y.y.y.162: icmp_seq=0 ttl=64 time=6.798 ms
64 bytes from y.y.y.162: icmp_seq=1 ttl=64 time=3.588 ms
--- y.y.y.162 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.588/5.193/6.798/1.605 ms
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

pf is enabled and passes all traffic:

# pfctl -sr
pass all flags S/SA keep state

Any help will be kindly appreciated! Thanks. -- MINO-RIPE
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
I had a similar problem. Transparent proxy is incompatible with SSL, as far as I know. Configuring each computer to use a proxy - either manually or by script - is time consuming. So I decided to use WPAD+Squid. Problem solved. The drawback is the overhead in the internal web server. Every time a new browser session is initiated, the browser connects to the internal web server to identify how to reach the Internet. The advantage is that you can do filtering using WPAD, too. I don't know if it will work for you, so... good luck! Rgds Marcello - Original Message - From: Matthew Young myoung24...@gmail.com To: Bob Beck b...@ualberta.ca; misc@openbsd.org Sent: Thursday, October 29, 2009 5:57 PM Subject: Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution? Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken. -- Matt On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy. 2009/10/29 Matthew Young myoung24...@gmail.com: Hello, I am looking for a way to have an allowed list of SSL enabled sites that an end user can browse, but this entirely done on a server level with _zero_ configuration on the pc. In a dream world, squid would be able to transparently proxy https and thus I would create an allowed list of ssl sites specific to each LAN user (based on private IP or MAC) that he/she can access. As we know this isn't the case because this breaks SSL. Does anybody know a way I can actually accomplish this? My Thoughts: I thought of a way to then take my list of SSL enabled sites (gmail.com for example) and resolve the domain to an IP and then add it in a firewall so that X user has access to port 443 for only those specific IPs. 
However the downside to this is that if gmail (or any other site i do this) changes the IP (which they will) the firewall rule which is static would need an update. Besides gmails https hostname resolves to the same IP of google.com A records so I would be fiddling with those at the same time and thus basically be allowing or disallowing the entire google domain when I truely really wanted just an access list of gmail.com. Would there be a way to make then some type of sniffer which would capture when users try to enter a https site and then somehow create a dynamic rule of some kind to let traffic out based on an allowed list? There must be a practical way, right guys? Thanks --Matt
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
browsing ssl by IP addresses will also result in certificate conflicts - because the ssl cert is for the name not the IP address. So if they were willing to do that, they're willing to have your stupid reverse proxy mitm all your certificates since they'll also fail. Perhaps between my extremely subtle taunting, I should give up and just ask you *why* the hell do you want to do this? 2009/10/29 Matthew Young myoung24...@gmail.com: This is great, however our LAN users are all technical. They would know and the next thing I have is people browsing the internet through IPs. It was good, but not applicable here. On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com wrote: So run your own dns and only resolve good domains. Then the proxy can only find the things you want it to. On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken. -- Matt On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy...
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
Marcello, Thank you.. this is good except that I need to configure all my browsers for downloading the pac file, and some Adware/antivirus will not auto discover this.. my users are linux as well as windows sadly. So while this is a lot more practical than manually configuring proxies in the machines it is not an option for the requirement of this project. Thanks. -Matt On Thu, Oct 29, 2009 at 3:55 PM, Bob Beck b...@ualberta.ca wrote: browsing ssl by IP addresses will also result in certificate conflicts - because the ssl cert is for the name not the IP address. So if they were willing to do that, they're willing to have your stupid reverse proxy mitm all your certificates since they'll also fail. Perhaps between my extremely subtle taunting, I should give up and just ask you *why* the hell do you want to do this? 2009/10/29 Matthew Young myoung24...@gmail.com: This is great, however our LAN users are all technical. They would know and the next thing I have is people browsing the internet through IPs. It was good, but not applicable here. On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com wrote: So run your own dns and only resolve good domains. Then the proxy can only find the things you want it to. On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken. -- Matt On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy...
Re: openbsd ca tutorial
On Thu, Oct 29, 2009 at 09:23:09PM +0100, Abdullah Sendul wrote: I am trying to create my own CA on openbsd. but unfortunately couldnt find any tutorial on this, there are some on freebsd, linux, but they are giving some errors. If I am understanding you correctly, you might want to look here: http://www.openbsd.org/faq/faq10.html#HTTPS sorry not a self signed cert. a certificate authority *Read* the FAQ. It tells you about openssl ca. Is that insufficient? Joachim
CPU of 50% for Interrupts?
Hi, top shows a CPU usage of 50% for interrupts, when my router forwards 1.5 Mbit/s of IP traffic. My router is using OpenBSD 4.5, and running with a VIA Eden Processor 1000MHz, which should imho be able to handle that amount of IP traffic as router. dmesg tells that ACPI is not configured. Are these values ok, or should I search for something configured wrong? Regards, Roger.
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
On Thu, Oct 29, 2009 at 1:16 PM, Joachim Schipper joac...@joachimschipper.nl wrote: I believe that work is currently underway to make it possible for multiple SSL-enabled hostnames to share a single IP address, but it will probably be quite a few years before this is remotely common.

There is a TLS extension, defined in RFC 4366, called Server Name Indication for just the purpose.
http://en.wikipedia.org/wiki/Server_Name_Indication
http://en.wikipedia.org/wiki/Transport_Layer_Security#Support_for_name-based_virtual_servers
Re: 4.6: Troubles with forwarding between vlan interfaces
I apologise. My mistake - misconfiguration of host in local network.

On Thu, Oct 29, 2009 at 10:39:43PM +0200, Alexander Shikoff wrote:

Hello, I'm trying to setup a router on OpenBSD 4.6 (amd64). I have only one physical port on it, so I've decided to use 802.1Q VLANs: vlan2 is used to connect to ISP, vlan663 - LAN. Here a configuration of interfaces:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:b1:8d:d7
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::2e0:81ff:feb1:8dd7%em0 prefixlen 64 scopeid 0x1
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:b1:8d:d7
        priority: 0
        vlan: 2 priority: 0 parent interface: em0
        groups: vlan egress
        inet6 fe80::2e0:81ff:feb1:8dd7%vlan2 prefixlen 64 scopeid 0x5
        inet x.x.x.226 netmask 0xfffc broadcast x.x.x.227
vlan663: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:b1:8d:d7
        priority: 0
        vlan: 663 priority: 0 parent interface: em0
        groups: vlan
        inet6 fe80::2e0:81ff:feb1:8dd7%vlan663 prefixlen 64 scopeid 0x6
        inet y.y.y.161 netmask 0xffe0 broadcast y.y.y.191

x.x.x.224/30 - Interconnect with my ISP
y.y.y.160/27 - My LAN

I can ping from internet both IPs x.x.x.226 and y.y.y.161, but cannot ping IP from LAN y.y.y.162. It looks strange because I can ping it from my box and net.inet.ip.forwarding is set to 1:

# arp -an
? (y.y.y.162) at 00:13:02:51:3a:43 on vlan663
? (x.x.x.225) at 00:21:59:1b:18:80 on vlan2
# ping y.y.y.162
PING y.y.y.162 (y.y.y.162): 56 data bytes
64 bytes from y.y.y.162: icmp_seq=0 ttl=64 time=6.798 ms
64 bytes from y.y.y.162: icmp_seq=1 ttl=64 time=3.588 ms
--- y.y.y.162 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.588/5.193/6.798/1.605 ms
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

pf is enabled and passes all traffic:

# pfctl -sr
pass all flags S/SA keep state

Any help will be kindly appreciated! Thanks.
-- MINO-RIPE -- MINO-RIPE
Re: openbsd ca tutorial
anything openssl is insufficient. When possible avoid OpenSSL.

On Thu, Oct 29, 2009 at 10:14:05PM +0100, Joachim Schipper wrote:

On Thu, Oct 29, 2009 at 09:23:09PM +0100, Abdullah Sendul wrote: I am trying to create my own CA on openbsd. but unfortunately couldn't find any tutorial on this, there are some on freebsd, linux, but they are giving some errors.

If I am understanding you correctly, you might want to look here: http://www.openbsd.org/faq/faq10.html#HTTPS

sorry not a self signed cert. a certificate authority

*Read* the FAQ. It tells you about openssl ca. Is that insufficient? Joachim
Re: openbsd ca tutorial
On Thu, Oct 29, 2009 at 4:24 PM, Bob Beck b...@ualberta.ca wrote: http://lmgtfy.com/?q=OpenSSL+set+up+own+Certificate+Authority Bob, that's hilarious! I wasn't aware of that site.
Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?
I'm not sure about Linux, but with Windows the WPAD works fine, even if the computers are not members of an AD. The IE comes with the default Automatic proxy configuration. So, you don't need to configure it. The problem is that some programs try to find the wpad script in the wrong (?) place. The AV programs are good examples. To solve this problem, my wpad script is in the default site and I don't have to bother with configuring the AV on each computer. Rgds, PS: When I say wrong place, I mean a place different than Windows.

- Original Message - From: Matthew Young myoung24...@gmail.com To: misc@openbsd.org Sent: Thursday, October 29, 2009 7:02 PM Subject: Re: PF challenge dealing with HTTPS URL restriction policies.. would it help, other possible solution?

Marcello, Thank you.. this is good except that I need to configure all my browsers for downloading the pac file, and some Adware/antivirus will not auto discover this.. my users are linux as well as windows sadly. So while this is a lot more practical than manually configuring proxies in the machines it is not an option for the requirement of this project. Thanks. -Matt

On Thu, Oct 29, 2009 at 3:55 PM, Bob Beck b...@ualberta.ca wrote: browsing ssl by IP addresses will also result in certificate conflicts - because the ssl cert is for the name not the IP address. So if they were willing to do that, they're willing to have your stupid reverse proxy mitm all your certificates since they'll also fail. Perhaps between my extremely subtle taunting, I should give up and just ask you *why* the hell do you want to do this?

2009/10/29 Matthew Young myoung24...@gmail.com: This is great, however our LAN users are all technical. they would know and the next thing I have is people browsing the internet through IPs. It was good, but not applicable here.

On Thu, Oct 29, 2009 at 3:11 PM, Chris Kuethe chris.kue...@gmail.com wrote: So run your own dns and only resolve good domains. Then the proxy can only find the things you want it to.

On Oct 29, 2009 1:03 PM, Matthew Young myoung24...@gmail.com wrote: Hello, If I use a reverse proxy I would have to know the SSL key of the remote SSL site. (gmail.com) so that the reverse proxy server would decrypt and encrypt. I am not mistaken. -- Matt

On Thu, Oct 29, 2009 at 2:50 PM, Bob Beck b...@ualberta.ca wrote: apache or other reverse proxy...
Re: Native Instruments 'Soundcards'
On Thu, Oct 29, 2009 at 12:42 AM, Jacob Meuser jake...@sdf.lonestar.org wrote: the alsa driver looks to be a complete driver that has nothing to do with any of the usb standards based drivers for audio or midi. one of the copyright holders on the alsa driver has an @caiaq.de email address. http://caiaq.de doesn't have much info, but it says hardware development. I'm guessing these guys (caiaq.de) developed this hardware and the drivers. why it doesn't use the usb audio and midi standards though, I cannot answer. Well because this just seems so braindead I'm bugging Native Instruments and the @caiaq.de guy; I'll let you all know if any useful info comes out of that. I got this from one of their fanbois on their forums: hmm, ... it is a soundcard ... you connect it via usb ... it works via usb therefore Audio4DJ is definetly a USB soundcard! That Audio4 is not working with linux doesn't disqualify it, as long NI doesn't promote it for doing that. Which is kind of Arggh stupid people. I was hoping we were past the days of being slaves to vendors for compatibility. (And I did mention OpenBSD, he's probably just unaware that anything besides win/mac/linux exists.)
Re: CPU of 50% for Interrupts?
On Thu, Oct 29, 2009 at 2:27 PM, Roger Schreiter ro...@planinternet.de wrote: top shows a CPU usage of 50% for interrupts, when my router forwards 1.5 Mbit/s of IP traffic. My router is using OpenBSD 4.5, and running with a VIA Eden Processor 1000MHz, which should imho be able to handle that amount of IP traffic as router.

I'm no networking hardware expert, but I do know that some cards are better than others. Anyone answering your question would probably find your dmesg helpful in doing so. The output of 'vmstat -i' may be useful too. Philip Guenther
relayd(8) packet/rewrite/buffer limit?
I've got relayd(8) on a stock OpenBSD 4.5 system sitting in front of our public webservers, and have been very happy with it. Recently I got the idea of putting it in front of our SMTP/SASL systems. The initial testing went very well, but when testing with a large attachment, it took upwards of a minute to relay it to the backend host. dlg@ suggested I set EVENT_NOKQUEUE, which knocked about 40 seconds off the send.

redirect sasl {
        listen on $sasl_ext_addr port 25 interface em0
        forward to sasl port 1125 check tcp
}

Directly to the SASL zone:

$ export EVENT_NOKQUEUE=1
$ time ./sasl_test.pl 63KB
Spamming... sasl
real    0m1.734s
$ time ./sasl_test.pl 64KB
Spamming... sasl
real    0m1.536s
$ time ./sasl_test.pl 4MB
Spamming... sasl
real    0m8.687s
$ time ./sasl_test.pl 20MB
Spamming... sasl
real    0m38.670s

And via relayd(8):

$ export EVENT_NOKQUEUE=1
$ time ./sasl_test.pl 63KB
Spamming... border-sasl-smtp
real    0m1.547s
$ time ./sasl_test.pl 64KB
Spamming... border-sasl-smtp
real    0m38.427s
$ time ./sasl_test.pl 4MB
Spamming... border-sasl-smtp
real    1m17.339s
$ time ./sasl_test.pl 20MB
Spamming... border-sasl-smtp
real    1m13.776s

The vast majority of attachments (or even messages) I'm going to see go through these systems is going to be 64KB, so everyone is going to get bit by this. Can anyone offer any insight? (I don't see anything in plus46.html that would suggest this is a bug fixed since 4.5.) Cheers.
-- bda cyberpunk is dead. long live cyberpunk.
Re: route-to/reply-to broken?
In case people reading this thread didn't notice the commits yet, this works again in -current (thanks jsg and claudio). Make sure you upgrade pfctl and kernel together.
Re: 4.6 hang
Just as another update, I replaced the fiber em card with a bge, and the problems went away.
Re: Native Instruments 'Soundcards'
On Thu, Oct 29, 2009 at 06:11:20PM -0400, Nick Guenther wrote: On Thu, Oct 29, 2009 at 12:42 AM, Jacob Meuser jake...@sdf.lonestar.org wrote: the alsa driver looks to be a complete driver that has nothing to do with any of the usb standards based drivers for audio or midi. one of the copyright holders on the alsa driver has an @caiaq.de email address. http://caiaq.de doesn't have much info, but it says hardware development. I'm guessing these guys (caiaq.de) developed this hardware and the drivers. why it doesn't use the usb audio and midi standards though, I cannot answer. Well because this just seems so braindead I'm bugging Native Instruments and the @caiaq.de guy; I'll let you all know if any useful info comes out of that. I got this from one of their fanbois on their forums: hmm, ... it is a soundcard ... you connect it via usb ... it works via usb therefore Audio4DJ is definetly a USB soundcard! That Audio4 is not working with linux doesn't disqualify it, as long NI doesn't promote it for doing that. Which is kind of Arggh stupid people. I was hoping we were past the days of being slaves to vendors for compatibility. (And I did mention OpenBSD, he's probably just unaware that anything besides win/mac/linux exists.) I went to native-instruments.com to see if they claim their products are USB audio/midi standards compliant. sure it's a USB soundcard, but that doesn't necessarily imply that it's standards compliant. the site is all Flash. that should give some indication of how aware/ considerate they are of alternative operating systems. otoh, the USB audio standard is not so easy to comprehend ... -- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org