Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread ropers
From http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/ :

> or desktop environments such as Wine

For some definitions of "desktop environments".



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread Artur Grabowski
Claire beuserie  writes:

> That came out a bit weird: are you saying you knew about the bug for 2 years
> but did not fix it?

Yes. Because the solution sucks. And all others we tried were just not
workable.

Just like we knew that executable stacks can be used for exploits and
didn't fix that for many years.

//art



Re: seeing separate logs for differrent interfaces.

2009-11-04 Thread Siju George
On Tue, Nov 3, 2009 at 1:52 PM, Henning Brauer  wrote:
>
> pfctl -vvsI is what you're after.
>

Thanks Michael Henning :-)

--Siju



does pf make sense for a desktop computer?

2009-11-04 Thread Moritz Herrmann

Hi all,
since the upgrade to version 4.6 had pf activated by default,
I was confronted with the question whether it is reasonable to use it
on my desktop computer or not.
I would like to know if someone is using it that way and if it's worth
investing my time into the configuration of pf.

Regards,
Moritz

PS: After using obsd for one year now, I can just say that I love it!
I am very grateful to you developers out there for sharing your work.
I will keep on supporting it for sure!



Re: does pf make sense for a desktop computer?

2009-11-04 Thread John Cosimano
--- Moritz Herrmann [Wed, Nov 04, 2009 at 11:51:52AM +0100]: --- 
> Hi all,
> since the upgrade to version 4.6 had pf activated by default,
> I was confronted with the question whether it is reasonable to use it
> on my desktop computer or not.
> I would like to know if someone is using it that way and if it's worth
> investing my time into
> the configuration of pf.

Well, I guess it depends on how hostile the environment where you have
this machine is. But personally, I think egress filtering is always
worthwhile.



Re: does pf make sense for a desktop computer?

2009-11-04 Thread Jan Stary
> > since the upgrade to version 4.6 had pf activated by default,
> > I was confronted with the question whether it is reasonable to use it
> > on my desktop computer or not.

The question you are "confronted with" has already been solved for you:
yes, it is reasonable - that's why it is the default.

> > I would like to know if someone is using it that way and if it's worth
> > investing my time into the configuration of pf.

What are you talking about? The time investment is minimal,
and the config is a few lines, mostly un-commented defaults.
As usual on OpenBSD.



Re: very slow xterm window refresh with TrueType fonts

2009-11-04 Thread LEVAI Daniel
> I'm experiencing this problem since a few snapshots now:
> [...]
> While resizing, moving or hovering the xterm window with other windows, the
> xterm window's content is refreshing painfully slowly. If someone else has
> experienced this problem, I would really appreciate some ideas or
> information about this :)

Hi!

Just wanted to say that since then I've managed to get it working again. The
problem was that I had been using the XAA accelmethod by default with the radeon
driver (with an "ATI Radeon Mobility X1400" in a Lenovo ThinkPad T60). The
Xorg.0.log nicely gives me the heads-up that it is not supported with this
type of chip, and to use the EXA accelmethod instead of the default XAA. After
making this configuration change in xorg.conf, everything is snappy again.

Would it be possible to use the EXA method by default with these radeon
drivers so there won't be any problems like this?



Daniel

--
LÉVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread Otto Moerbeek
On Wed, Nov 04, 2009 at 02:57:59AM +0100, Claire beuserie wrote:

> Hi,
> 
> On Wed, Nov 4, 2009 at 12:58 AM, Theo de Raadt wrote:
> 
> > 2) At least three of our developers were aware of this exploitation
> >   method going back perhaps two years before the commit, but we
> >   gnashed our teeth a lot to try to find other solutions.  Clever
> >   cpu architectures don't have this issue because the virtual address
> >   spaces are separate, so i386/amd64 are the ones with the big impact.
> >   We did think long and hard about tlb bashing page 0 every time we
> >   switch into the kernel, but it still does not look attractive from
> >   a performance standpoint.
> >
> 
> I'm confused.
> 
> That came out a bit weird: are you saying you knew about the bug for 2 years
> but did not fix it?

Allowing a mapping at address zero is not a bug per se, but it opens a
door for other bugs to be exploited more effectively. This door has
been closed, but only after hard thinking went into how to close it.

-Otto



Premature end of archive

2009-11-04 Thread sonjaya
Dear all,
I tried to install clamav from packages but get an error like this; how do I solve it?
- I tried another mirror, still the same
- I tried downloading to the local PC, still the same

# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/i386/
# pkg_add -i clamav
Premature end of archive
clamav-0.95.2: complete
Adjusting sha for /usr/local/lib/libclamav.a from
k3C2K5oQcz5KJ1wrU0uLgN9h6iZ1w6MYh5gIYM02On4= to
orCLZWKfCRHFq1lVJcXljBP3QjUq2trZIlRJ49Np5zk=
/usr/sbin/pkg_add: Installation of clamav-0.95.2 failed, partial
installation recorded as partial-clamav-0.95.2

-- 
sonjaya
http://sicute.blogspot.com



Re: Native Instruments 'Soundcards'

2009-11-04 Thread J.C. Roberts
On Fri, 30 Oct 2009 07:59:30 + Jacob Meuser
 wrote:

> > I still kind of want to trade it in but it's looking like there
> > might not be any other 4in/4out USB soundcard that's suitable
> > (they're all either too complex or appear to be old so probably
> > need custom drivers).
> 
> Universal Serial Bus
> Device Class Definition for Audio Devices
> Release 1.0
> March 18, 1998
> 
> older than that?  again, by that spec, devices could be made to
> operate at 1-2ms latency, which is certainly low enough to be
> considered "pro".

If quality/speed was actually a requirement, why would anyone mess with
USB in the first place?

If you need high quality "pro" gear with 4in/4out wouldn't you be far
better off with a pair of PCI based JULI@ cards (www.esi-audio.com) or
something similar?

-- 
J.C. Roberts



Re: Premature end of archive

2009-11-04 Thread Nick Guenther
On Wed, Nov 4, 2009 at 5:49 AM, sonjaya  wrote:
> Dear all
> I tried to install clamav from packages but get an error like this; how do I
> solve it?
> - I tried another mirror, still the same
> - I tried downloading to the local PC, still the same
>
> # export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/i386/
> # pkg_add -i clamav
> Premature end of archive
>clamav-0.95.2: complete
> Adjusting sha for /usr/local/lib/libclamav.a from
> k3C2K5oQcz5KJ1wrU0uLgN9h6iZ1w6MYh5gIYM02On4= to
> orCLZWKfCRHFq1lVJcXljBP3QjUq2trZIlRJ49Np5zk=
> /usr/sbin/pkg_add: Installation of clamav-0.95.2 failed, partial
> installation recorded as partial-clamav-0.95.2
>

Did you make sure to pkg_delete the partial install before trying again?



Re: Premature end of archive

2009-11-04 Thread sonjaya
Yes, I already did pkg_delete, but the same problem still shows up.

On Wed, Nov 4, 2009 at 7:11 PM, Nick Guenther  wrote:
> On Wed, Nov 4, 2009 at 5:49 AM, sonjaya  wrote:
>> Dear all
>> I tried to install clamav from packages but get an error like this; how do I
>> solve it?
>> - I tried another mirror, still the same
>> - I tried downloading to the local PC, still the same
>>
>> # export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/i386/
>> # pkg_add -i clamav
>> Premature end of archive
>>clamav-0.95.2: complete
>> Adjusting sha for /usr/local/lib/libclamav.a from
>> k3C2K5oQcz5KJ1wrU0uLgN9h6iZ1w6MYh5gIYM02On4= to
>> orCLZWKfCRHFq1lVJcXljBP3QjUq2trZIlRJ49Np5zk=
>> /usr/sbin/pkg_add: Installation of clamav-0.95.2 failed, partial
>> installation recorded as partial-clamav-0.95.2
>>
>
> Did you make sure to pkg_delete the partial install before trying again?
>



--
sonjaya
http://sicute.blogspot.com
http://www.pojokdomain.com (sell & buy domain with free)



Re: Premature end of archive

2009-11-04 Thread FRLinux
On Wed, Nov 4, 2009 at 12:49 PM, sonjaya  wrote:
> yes already pkg_delete  but still same  show up  that problem

Delete the partial again and try pkg_add -r

Cheers,
Steph



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread Donald Allen
On Wed, 4 Nov 2009 at 1:46 PM, Aaron Mason
 wrote:
>On Wed, Nov 4, 2009 at 1:04 PM, Gonzalo Lionel Rodriguez
> wrote:
>> 2009/11/3 Claire beuserie :
>>> Hi,
>>>
>>> On Wed, Nov 4, 2009 at 12:58 AM, Theo de Raadt
>>> wrote:
>>>
>>>> 2) At least three of our developers were aware of this exploitation
>>>>   method going back perhaps two years before the commit, but we
>>>>   gnashed our teeth a lot to try to find other solutions.  Clever
>>>>   cpu architectures don't have this issue because the virtual address
>>>>   spaces are separate, so i386/amd64 are the ones with the big impact.
>>>>   We did think long and hard about tlb bashing page 0 every time we
>>>>   switch into the kernel, but it still does not look attractive from
>>>>   a performance standpoint.

>>>
>>> I'm confused.
>>>
>>> That came out a bit weird: are you saying you knew about the bug for 2
>> years
>>> but did not fix it?
>>>
>>>
>>> c.b-
>>>
>>>
>>
>> Linux way.
>>
>>
>
>What a knob.  It makes me sad to say I used his crap now if he has
>that much contempt for those who value security before practicality.
>
>It's good to see Theo et al stick to their guns on this issue.  I'd
>rather have a machine that is secure than one that can run Windows
>binaries.
>
>Wine is a good idea, but it's stifling an even better idea - making
>applications compatible across multiple OSes, something that hasn't
>needed to be done in the M$ world because of the stranglehold they
>had/have over the consumer market.
>
>Let's put this into perspective: Linux would absolutely jump in
>popularity if Valve ported Steam and the Source engine to it, meaning
>games like the Half Life series, Left 4 Dead and Team Fortress 2 could
>run natively - not to mention that it would prompt other games that
>sell their wares through the Steam CDS to port their games as well -
>but since most of the games run just fine in Wine these days, there's
>no incentive.
>
>Linus is shooting himself in the foot and he has no idea.  Linux tries
>to be everything to everyone, and by doing it the way it does, it
>greatly limits its potential.
>
>OpenBSD does one thing and does it well - being secure.  That's all
>there is to it.

I think that sells OpenBSD unintentionally short. Yes, the attention
to security is of enormous value, but the care and intelligence that
characterizes the whole effort results in a system that is extremely
stable, very easy to administer, and very well documented. It is the
only system I know of, and I've tried almost all of them, that pays
attention to the things that really matter. The result is an
environment where you do your work, rather than fighting with your
tools. I replaced Linux on three laptops and a workstation with
OpenBSD (after a quick divorce from FreeBSD -- too many bugs) that I use
for general computing tasks including a lot of software development
and database work, and you couldn't pay me to go back.

I realize that I'm preaching to the choir -- you know all this. But I
think it's a mistake for (especially) the OpenBSD community to speak
of OpenBSD as just about security, when it's so much more than that.

/Don Allen

>
>--
>Aaron Mason - Programmer, open source addict
>- Oh, why does everything I whip leave me?



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Justin Smith
Theo wrote:

> For the record, this particular problem was resolved in OpenBSD a
> while back, in 2008.

Nice, but:

"Since 2.6.23, it has been possible to prevent applications from
mapping low pages (to prevent null pointer dereferencing in the
kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
minimum address allowed for such mappings."

2.6.23 released:  Tue, 9 Oct 2007

Ref:
http://lkml.org/lkml/2007/10/9/241
http://james-morris.livejournal.com/26303.html

--
JS



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Otto Moerbeek
On Wed, Nov 04, 2009 at 03:45:33PM +0100, Justin Smith wrote:

> Theo wrote:
> 
> > For the record, this particular problem was resolved in OpenBSD a
> > while back, in 2008.
> 
> Nice, but:
> 
> "Since 2.6.23, it has been possible to prevent applications from
> mapping low pages (to prevent null pointer dereferencing in the
> kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> minimum address allowed for such mappings."
> 
> 2.6.23 released:  Tue, 9 Oct 2007
> 
> Ref:
> http://lkml.org/lkml/2007/10/9/241
> http://james-morris.livejournal.com/26303.html
> 
> --
> JS

Optional prevention is not worth a lot.

-Otto



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Jacob Yocom-Piatt

Otto Moerbeek wrote:
> On Wed, Nov 04, 2009 at 03:45:33PM +0100, Justin Smith wrote:
> 
> > Theo wrote:
> > 
> > > For the record, this particular problem was resolved in OpenBSD a
> > > while back, in 2008.
> > 
> > Nice, but:
> > 
> > "Since 2.6.23, it has been possible to prevent applications from
> > mapping low pages (to prevent null pointer dereferencing in the
> > kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> > minimum address allowed for such mappings."
> > 
> > 2.6.23 released:  Tue, 9 Oct 2007
> > 
> > Ref:
> > http://lkml.org/lkml/2007/10/9/241
> > http://james-morris.livejournal.com/26303.html
> > 
> > --
> > JS
> 
> Optional prevention is not worth a lot.

Not exactly on topic, but Pope Benedict XVI would likely agree with Otto.

See, even the Pope doesn't like Linus.



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Todd T. Fries
Penned by Justin Smith on 20091104 15:45.33, we have:
| Theo wrote:
| 
| > For the record, this particular problem was resolved in OpenBSD a
| > while back, in 2008.
| 
| Nice, but:
| 
| "Since 2.6.23, it has been possible to prevent applications from
| mapping low pages (to prevent null pointer dereferencing in the
| kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
| minimum address allowed for such mappings."
| 
| 2.6.23 released:  Tue, 9 Oct 2007
| 
| Ref:
| http://lkml.org/lkml/2007/10/9/241
| http://james-morris.livejournal.com/26303.html
| 
| --
| JS

And now we get into the fun stuff.

Ever heard of 'secure by default' ?

This knob is set to '0' by default.

How many Linux installations actually read the above paragraph, understood
what value it could have to set it to something other than zero, and changed
it accordingly?

'Nuff said.
-- 
Todd Fries .. t...@fries.net

Free Daemon Consulting, LLC
http://FreeDaemonConsulting.com
"..in support of free software solutions."
1.636.410.0632 (voice)
1.405.227.9094 (voice)
1.866.792.3418 (FAX)
sip:freedae...@ekiga.net
sip:4052279...@ekiga.net
 
  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt



Re: kern.bufcachepercent

2009-11-04 Thread Luis Useche
On Tue, Nov 3, 2009 at 11:44 PM, Bob Beck  wrote:
> 2009/11/3 Luis Useche :
>
>>
>> I read in the 4.6 changelog that this was part of the release.
>>
>> Am I missing something? Do I have to recompile? Or this is just a bug?
>
> Yeah you are missing something. Listen to the *whole* presentation and
> read the *whole* changelog. This is *not* in 4.6
>
> It is in current.

OK. Sorry for the noise. In any case, this change is in the 4.6
changelog (twice, http://www.openbsd.org/plus46.html):

"Added dynamic buffer cache sizing. The sysctl kern.bufcachepercent
will allow you to specify a high-water mark above 10 percent for use
by the cache. If you run low on memory, the page daemon will reclaim
pages from the buffer cache. "

"Added a kern.bufcachepercent sysctl(8) to allow adjusting the buffer
cache size on a running system."

Moreover it is also in the sysctl(8) manual: "kern.bufcachepercent
   integer   yes"

If all I am saying is wrong, sorry again. I just think this would be
an error in the documentation worth taking into account.

Luis.



PF Performance Tweak Folklore

2009-11-04 Thread Jason Healy

Good day to everyone,

I'm a happy PF user, and have been for over a decade now.  I'm writing
to ask some questions about performance now that I've got a system
that needs to handle some real traffic.  I've been digging up various
tweaks and settings from the archives (and elsewhere) over the years,
and I'd like to know which of it is still useful and accurate, and
which is "folklore".  Sorry for the length of the post, but I hope that
at the very least this thread will collect some information where the
searchbots can find it...

I've got a pair of 3GHz Celeron machines in a failover config.  Each
machine has 1GB RAM and 4 gigabit intel (em) interfaces.  One LAN,
one WAN, one pfsync, and one unused.  They're running 4.3 generic
uniprocessor.  I intentionally went with a high clock single-core
box because PF isn't multi-core capable.

The systems work great, but are chewing up about 60% of their time on
interrupts (~9000 according to vmstat, with ~7500 going to the LAN/WAN
cards).  This is fine; everything is working and I know that high
interrupt load was inevitable at the time.  However, I need to ramp up
the traffic on this system soon (we're at 30Mbps / 3.5kpps right now),
so I want to make sure I can keep the load under control.

I know that the first thing I should do is upgrade to 4.6, which I
plan to do.  However, I'm looking for other "best practices", which
I've divided into two major sections below:


Interrupt Mitigation:
=====================

Since the system is under moderately heavy interrupt load, I'd like to
try and improve that if possible since it seems that's going to be the
first limit I hit on this system.  In the "Tuning OpenBSD" paper:

  http://www.openbsd.org/papers/tuning-openbsd.ps

they mention "sharing interrupts" on a high load system.  If I
understand correctly, the theory is that if all my NICs are on the
same interrupt, the kernel can stay in the interrupt handler (no
context switch) and service all the NICs at once, rather than handling
each separately.  Am I understanding this right?  Should I try to lump
all (or some) of my NICs onto the same IRQ?  Or are there better
approaches (see below).

Several sources have suggested using APIC, which should be available
in non-ancient hardware.  I'm not sure if APIC replaces or complements
the suggestion above about interrupt sharing.  I checked my box, and
my dmesg didn't mention APIC, so I don't think I'm taking advantage
of it right now.  The -misc archives have oblique references to APIC
only being enabled on multiprocessor (MP) kernels rather than
uniprocessor (UP) ones.  Is this still true?  I also saw hints that
4.6 now has APIC on in UP by default.  Can anyone confirm or deny?

Since PF isn't multi-core capable, I believed that UP was the way to
go for firewalls (and my machine isn't multicore anyway).  However,
I'm happy to run MP if there are side benefits like APIC that would
increase performance.

Next up, FreeBSD has been touting support for message-signaled
interrupts (MSI/MSI-X), claiming that this increases performance:

  http://onlamp.com/pub/a/bsd/2008/02/26/whats-new-in-freebsd-70.html?page=4

I'm not quite clear on whether this helps with a packet-forwarding
workload or not.  Is there support for this in OpenBSD, or would it
not really help anyway?


Sysctl Tweaks:
==============

I've been getting errors like:

  WARNING: mclpool limit reached; increase kern.maxclusters

So I did what it asked (I doubled the value to 12288), but am still
getting the error.  I've heard of people increasing this much more
(20x the default!), but also taunts of insanity for doing so:

  http://monkey.org/openbsd/archive/misc/0407/msg01521.html

So, what is a sane value for this?  Are there other causes that need
to be investigated when you get an "mclpool" warning, or should you
just keep cranking up the value?  Also, is there harm in going too
high (besides wasting memory)?

Next, I've seen interface drops (ifq.drops != 0), so I've cranked up
ifq.maxlen to 256 * #nics (1024) per recommendations on -misc.  I
was still getting occasional drops, so I doubled to 2048, and am
holding steady there.  I've seen recommendations not to go beyond
2500; what should I be worried about in this case?  High latency?
Memory issues?  Do I really need to be worried about a few drops?

Finally, as was mentioned on the list a few days ago, increasing
recvspace/sendspace doesn't help with a firewall (except for
locally-sourced connections) because it's just forwarding packets.
Just so I'm totally clear, is this true even in the case of packet
reassembly (scrub) and randomization, or do those features cause the
firewall to terminate and re-initiate connections that would benefit
from the buffers?

For that matter, are there any protocol options that help performance
of a packet forwarding box (again, ignoring locally-sourced
connections)?  I'm thinking about buffers, default MSS, ECN, window
scaling, SACK, etc.  I know it doesn't hurt to turn them 

Re: kern.bufcachepercent

2009-11-04 Thread Maurice Janssen
On Wed, Nov 04, 2009 at 10:26:50AM -0500, Luis Useche wrote:
>OK. Sorry for the noise. In any case, this change is in the 4.6
>changelog (twice, http://www.openbsd.org/plus46.html):
>
>"Added dynamic buffer cache sizing. The sysctl kern.bufcachepercent
>will allow you to specify a high-water mark above 10 percent for use
>by the cache. If you run low on memory, the page daemon will reclaim
>pages from the buffer cache. "
>
>"Added a kern.bufcachepercent sysctl(8) to allow adjusting the buffer
>cache size on a running system."

No, three times:
"Backed out all the c2k9 buffer cache changes committed during c2k9."

Maurice



Re: kern.bufcachepercent

2009-11-04 Thread Bob Beck
I don't know what version of plus46.html you are looking at - but that
text doesn't appear in any version I look at.

Of course it is in the cvs commit log, but that's not the same thing.
That same commit was backed out before 4.6 - and has since gone back
into current.

2009/11/4 Luis Useche :
> On Tue, Nov 3, 2009 at 11:44 PM, Bob Beck  wrote:
>> 2009/11/3 Luis Useche :
>>
>>>
>>> I read in the 4.6 changelog that his was part of the release.
>>>
>>> Am I missing something? Do I have to recompile? Or this is just a bug?
>>
>> Yeah you are missing something. Listen to the *whole* presentation and
>> read the *whole* changelog. This is *not* in 4.6
>>
>> It is in current.
>
> OK. Sorry for the noise. In any case, this change is in the 4.6
> changelog (twice, http://www.openbsd.org/plus46.html):



Interface ierrs only with MP kernel (i386)

2009-11-04 Thread Bryan S. Leaman
As I continue to work on my previous issue with my Sun V120 and network
hangs, I decided to install 4.6 release onto an HP DL360 G4 box with the
latest BIOS and firmware updates as a possible replacement for the Sun. 
After many hours of load testing and changing configurations, I found that
I always get input errors on the network interfaces when running the
multiprocessor kernel.  But I get no errors at all with the uniprocessor
kernel.

I can reproduce this problem with the internal bge (BCM5704C) and also
with a PCI-X Intel Pro/1000 MT (82546GB) card.  All I need to do is bring
up the system using the MP kernel and push traffic through it.  I'm using
a simple wget on an internal machine to repeatedly pull a large file from
a webserver on the external LAN.  Within an hour I easily have over 1000
input errors.  With the uniprocessor kernel, I sustained 90Mbps through
the firewall for 8 hours straight with 0 errors.  I'm running separate
100Mbps switches for internal and external LANs.  I don't see any
ifq.drops in either case.

I'm thinking this is not a hardware issue since it works fine in one case
but not in the other, without changing any hardware or cables.  I
understand that the interrupt handling is different in the MP kernel, so
could that be where this issue is originating?  It would be great to have
both CPUs available as I plan to run some other things (aside from pf) on
this box but I can settle for one CPU if that is the only solution.  I
tried disabling hyperthreading but that did not affect the issue.

Here's the relevant netstat -i output for my 1-hour load test with em
interfaces and the MP kernel:

Name  Mtu   Address            Ipkts     Ierrs  Opkts     Oerrs  Colls
em0   1500  00:04:23:a6:b4:a6  24029262  710    12738132  0      0
em1   1500  00:04:23:a6:b4:a7  12753283  1009   24038738  0      0

After switching to the SP kernel:

Name  Mtu   Address            Ipkts     Ierrs  Opkts     Oerrs  Colls
em0   1500  00:04:23:a6:b4:a6  16393437  0      14391074  0      0
em1   1500  00:04:23:a6:b4:a7  14431184  0      16445995  0      0

Searching the lists, I only found one reference to something like this but
it was on 4.0 and I didn't see a resolution.  Has anyone else seen this
behavior?
http://www.mail-archive.com/misc@openbsd.org/msg31490.html

As a next step, I'm planning to install the latest snapshot to see if the
issue still exists.  In the meantime, here is the dmesg from the system. 
The kernel is #0 because I installed patches 002_xmm.patch and
003_getsockopt.patch.

OpenBSD 4.6 (GENERIC.MP) #0: Mon Nov  2 11:43:12 EST 2009
lea...@fw1.bitbytes.com:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
real mem  = 3757613056 (3583MB)
avail mem = 3648847872 (3479MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf,
SMBIOS rev. 2.3 @ 0xec000 (56 entries)
bios0: vendor HP version "P52" date 07/16/2007
bios0: HP ProLiant DL360 G4
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 9 pa 0xfec1, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
ioapic2 at mainbus0: apid 10 pa 0xfec82000, version 20, 24 pins
ioapic3 at mainbus0: apid 11 pa 0xfec82400, version 20, 24 pins
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 2 (ICHR)
acpiprt2 at acpi0: bus 7 (PCXA)
acpiprt3 at acpi0: bus 10 (PCXB)
acpiprt4 at acpi0: bus 6 (PTB0)
acpiprt5 at acpi0: bus 13 (PTA0)
acpiprt6 at acpi0: bus 3 (PTC0)
acpiprt7 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: FVS, 3400, 2800 MHz
acpicpu1 at acpi0: FVS, 3400, 2800 MHz
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1600
0xee000/0x2000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel E7520 Host" rev 0x0c
ppb0 at pci0 dev 2 function 0 "Intel E7520 PCIE" rev 0x0c
pci1 at ppb0 bus 13
ppb1 at pci0 dev 4 function 0 "Intel E7520 PCIE" rev 0x0c
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 7
em0 at pci3 dev 1 function 0 "Intel PRO/1000MT (82546GB)" rev 0x03: apic
10 int 0 (irq 5), address 00:04:23:a6:b4:a6
em1 at pci3 dev 1 function 1 "Intel PRO/1000MT (82546GB)" rev 0x03: apic
10 int 1 (irq 5), address 00:04:23:a6:b4:a7
ppb3 at pci2 dev 0 function 2 "Intel PCIE-PCIE" re

Re: Native Instruments 'Soundcards'

2009-11-04 Thread Jacob Meuser
On Wed, Nov 04, 2009 at 01:45:01AM -0800, J.C. Roberts wrote:
> On Fri, 30 Oct 2009 07:59:30 + Jacob Meuser
>  wrote:
> 
> > > I still kind of want to trade it in but it's looking like there
> > > might not be any other 4in/4out USB soundcard that's suitable
> > > (they're all either too complex or appear to be old so probably
> > > need custom drivers).
> > 
> > Universal Serial Bus
> > Device Class Definition for Audio Devices
> > Release 1.0
> > March 18, 1998
> > 
> > older than that?  again, by that spec, devices could be made to
> > operate at 1-2ms latency, which is certainly low enough to be
> > considered "pro".
> 
> If quality/speed was actually a requirement, why would anyone mess with
> USB in the first place?
> 
> If you need high quality "pro" gear with 4in/4out wouldn't you be far
> better off with a pair of PCI based JULI@ cards (www.esi-audio.com) or
> something similar?

think laptop, or other machines without available PCI slots ...

> -- 
> J.C. Roberts

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: PF Performance Tweak Folklore

2009-11-04 Thread Henning Brauer
* Jason Healy  [2009-11-04 16:37]:
> The systems work great, but are chewing up about 60% of their time on
> interrupts (~9000 according to vmstat, with ~7500 going to the LAN/WAN
> cards).  This is fine; everything is working and I know that high
> interrupt load was inevitable at the time.  However, I need to ramp up
> the traffic on this system soon (we're at 30Mbps / 3.5kpps right now),
> so I want to make sure I can keep the load under control.

You probably don't need to worry. Especially with em, load doesn't
remotely increase linearly with traffic.

> I know that the first thing I should do is upgrade to 4.6, which I
> plan to do.  However, I'm looking for other "best practices", which
> I've divided into two major sections below:

yes, 4.6 is MUCH faster than 4.3.

> 
> Interrupt Mitigation:
> =
> 
> Since the system is under moderately heavy interrupt load, I'd like to
> try and improve that if possible since it seems that's going to be the
> first limit I hit on this system.  In the "Tuning OpenBSD" paper:
> 
>   http://www.openbsd.org/papers/tuning-openbsd.ps
> 
> they mention "sharing interrupts" on a high load system.  If I
> understand correctly, the theory is that if all my NICs are on the
> same interrupt, the kernel can stay in the interrupt handler (no
> context switch) and service all the NICs at once, rather than handling
> each separately.  Am I understanding this right?  Should I try to lump
> all (or some) of my NICs onto the same IRQ?  Or are there better
> approaches (see below).

i doubt that makes a difference these days. i don't worry any more.

> Several sources have suggested using APIC, which should be available
> in non-ancient hardware.  I'm not sure if APIC replaces or complements
> the suggestion above about interrupt sharing.  I checked my box, and
> my dmesg didn't mention APIC, so I don't think I'm taking advantage
> of it right now.  The -misc archives have oblique references to APIC
> only being enabled on multiprocessor (MP) kernels rather than
> uniprocessor (UP) ones.  Is this still true?  I also saw hints that
> 4.6 now has APIC on in UP by default.  Can anyone confirm or deny?

4.6 will just use the APIC.

> Since PF isn't multi-core capable, I believed that UP was the way to
> go for firewalls (and my machine isn't multicore anyway).  However,
> I'm happy to run MP if there are side benefits like APIC that would
> increase performance.
> 
> Next up, FreeBSD has been touting support for message-signaled
> interrupts (MSI/MSI-X), claiming that this increases performance:
> 
>   http://onlamp.com/pub/a/bsd/2008/02/26/whats-new-in-freebsd-70.html?page=4
> 
> I'm not quite clear on whether this helps with a packet-forwarding
> workload or not.  Is there support for this in OpenBSD, or would it
> not really help anyway?

no support.

> I've been getting errors like:
> 
>   WARNING: mclpool limit reached; increase kern.maxclusters
> 
> So I did what it asked (I doubled the value to 12288), but am still
> getting the error.  I've heard of people increasing this much more
> (20x the default!), but also taunts of insanity for doing so:
> 
>   http://monkey.org/openbsd/archive/misc/0407/msg01521.html
> 
> So, what is a sane value for this?

there is no easy or one-size-fits-all answer.

> Next, I've seen interface drops (ifq.drops != 0), so I've cranked up
> ifq.maxlen to 256 * #nics (1024) per recommendations on -misc.  I
> was still getting occasional drops, so I doubled to 2048, and am
> holding steady there.  I've seen recommendations not to go beyond
> 2500; what should I be worried about in this case?  High latency?
> Memory issues?  Do I really need to be worried about a few drops?

latency mostly. memory isn't that much of an issue for this.
i do have systems beyond 2500, but they handle many hundred MBit/s.

> Finally, as was mentioned on the list a few days ago, increasing
> recvspace/sendspace doesn't help with a firewall (except for
> locally-sourced connections) because it's just forwarding packets.

right.

> Just so I'm totally clear, is this true even in the case of packet
> reassembly (scrub) and randomization, or do those features cause the
> firewall to terminate and re-initiate connections that would benefit
> from the buffers?

doesn't change a thing. send/recvspace only apply to sockets, aka
stuff in userland.

> For that matter, are there any protocol options that help performance
> of a packet forwarding box (again, ignoring locally-sourced
> connections)?  I'm thinking about buffers, default MSS, ECN, window
> scaling, SACK, etc.  I know it doesn't hurt to turn them on, but am I
> doing any good for the connections I'm forwarding?
> 
> Thanks for any input and advice you can provide; I'm looking forward
> to using PF for another 10 years... =)

just use 4.6 and don't push buttons - you won't need to.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail a
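
Two things the exchange above says to watch are the interrupt share taken by the NICs (from `vmstat -i`) and whether ifq drops keep growing, rather than merely being non-zero. The following is an added example, not code from the thread or from OpenBSD, that parses two snapshots of `netstat -ind` output and one of `vmstat -i` to report the drop increment per interface and the NIC share of interrupts per second. The sample text is constructed to follow those commands' column layout (the `-d` Drops column is assumed to be the last one) and every counter value is made up.

```python
"""Report growing interface-queue drops and per-device interrupt share
from `netstat -ind` and `vmstat -i` text.

Added example, not from the mailing-list thread.  The sample text below is
constructed to mimic the column layout of those two commands on OpenBSD;
the counter values are made up.
"""
import re

# Constructed sample: two `netstat -ind` snapshots taken some seconds apart.
NETSTAT_BEFORE = """\
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls Drops
lo0     33192 <Link>                            1024     0     1024     0     0     0
em0     1500  <Link>      00:00:5e:00:53:01  9001234     0  8800123     0     0    17
em1     1500  <Link>      00:00:5e:00:53:02  8800123     0  9001234     0     0   402
"""
NETSTAT_AFTER = """\
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls Drops
lo0     33192 <Link>                            1030     0     1030     0     0     0
em0     1500  <Link>      00:00:5e:00:53:01  9103456     0  8900999     0     0    17
em1     1500  <Link>      00:00:5e:00:53:02  8900999     0  9103456     0     0   611
"""
# Constructed sample: `vmstat -i` on the same box.
VMSTAT_I = """\
interrupt                       total     rate
irq0/clock                   45123000      100
irq11/em0                   312000000     3700
irq5/em1                    318000000     3800
irq14/pciide0                    9000        0
Total                       675132000     7600
"""


def parse_drops(text):
    """Map interface name -> Drops counter (last column), skipping the header.

    The last column is used because lo0 has no Address field, so the
    number of columns differs between lines.
    """
    drops = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        drops[fields[0]] = int(fields[-1])
    return drops


def drop_deltas(before_text, after_text):
    """Interfaces whose Drops counter grew between snapshots, with the increment."""
    before, after = parse_drops(before_text), parse_drops(after_text)
    deltas = {}
    for ifn, count in after.items():
        grown = count - before.get(ifn, 0)
        if grown > 0:
            deltas[ifn] = grown
    return deltas


def interrupt_rates(text):
    """Map device (or 'Total') -> interrupts per second from `vmstat -i`."""
    rates = {}
    for line in text.splitlines()[1:]:
        m = re.match(r"(?:irq\d+/)?(\S+)\s+\d+\s+(\d+)$", line.strip())
        if m:
            rates[m.group(1)] = int(m.group(2))
    return rates


def interrupt_share(text, devices):
    """Fraction of all interrupts/s taken by the named devices (0.0 if idle)."""
    rates = interrupt_rates(text)
    total = rates.get("Total") or sum(v for k, v in rates.items())
    if not total:
        return 0.0
    return sum(rates.get(d, 0) for d in devices) / total


if __name__ == "__main__":
    for ifn, n in drop_deltas(NETSTAT_BEFORE, NETSTAT_AFTER).items():
        print(f"{ifn}: ifq drops grew by {n} between samples")
    share = interrupt_share(VMSTAT_I, ["em0", "em1"])
    print(f"NIC share of interrupts/s: {share:.1%}")
```

The useful signal is the increment, not the absolute Drops value: a counter that stopped growing after raising ifq.maxlen is fine, one that keeps climbing is what costs latency if you keep raising the queue length.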

Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Theo de Raadt
> > For the record, this particular problem was resolved in OpenBSD a
> while back, in 2008.
> 
> Nice, but:
> 
> "Since 2.6.23, it has been possible to prevent applications from
> mapping low pages (to prevent null pointer dereferencing in the
> kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> minimum address allowed for such mappings."
> 
> 2.6.23 released:  Tue, 9 Oct 2007
> 
> Ref:
> http://lkml.org/lkml/2007/10/9/241
> http://james-morris.livejournal.com/26303.html

And that knob was turned off.



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Justin Smith
On Wed, Nov 4, 2009 at 4:14 PM, Todd T. Fries  wrote:
> Penned by Justin Smith on 20091104 15:45.33, we have:
> | Theo wrote:
> |
> | > For the record, this particular problem was resolved in OpenBSD a
> | while back, in 2008.
> |
> | Nice, but:
> |
> | "Since 2.6.23, it has been possible to prevent applications from
> | mapping low pages (to prevent null pointer dereferencing in the
> | kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> | minimum address allowed for such mappings."
> |
> | 2.6.23 released:  Tue, 9 Oct 2007
> |
> | Ref:
> | http://lkml.org/lkml/2007/10/9/241
> | http://james-morris.livejournal.com/26303.html
> |
> | --
> | JS
>
> And now we get into the fun stuff.
>
> Ever heard of 'secure by default' ?
>
> This knob is set to '0' by default.
>
> How many Linux installations actually read the above paragraph, understood
> what value it could have to set to something other than zero, and changed
> it accordingly.
>
> 'Nuff said.


"By default, Ubuntu 8.04 and later with a non-zero
/proc/sys/vm/mmap_min_addr setting were not vulnerable."

Ubuntu 8.04 released in 2008 april.


--
JS



Re: kern.bufcachepercent

2009-11-04 Thread Luis Useche
Maurice: Thanks for pointing that out.

Bob: At this point this is probably irrelevant. In any case, I found
it in the official webpage http://www.openbsd.org/plus46.html.

Thanks for your help!
Luis



On Wed, Nov 4, 2009 at 10:42 AM, Bob Beck  wrote:
> I don't know what version of plus46.html you are looking at - but that
> text doesn't appear in any version I look at.
>
> Of course it is in the cvs commit log, but that's not the same thing.
> That same commit was backed out before 4.6 - and has since gone back
> into current.
>
> 2009/11/4 Luis Useche :
>> On Tue, Nov 3, 2009 at 11:44 PM, Bob Beck  wrote:
>>> 2009/11/3 Luis Useche :
>>>

 I read in the 4.6 changelog that this was part of the release.

 Am I missing something? Do I have to recompile? Or this is just a bug?
>>>
>>> Yeah you are missing something. Listen to the *whole* presentation and
>>> read the *whole* changelog. This is *not* in 4.6
>>>
>>> It is in current.
>>
>> OK. Sorry for the noise. In any case, this change is in the 4.6
>> changelog (twice, http://www.openbsd.org/plus46.html):





Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread Stefan Wollny
> -Original Message-
> From: "Donald Allen" 
> Sent: 04.11.09 14:23:04
> To: misc@openbsd.org
> Subject: Re:
http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/


...

> I realize that I'm preaching to the choir -- you know all this. But I
> think it's a mistake for (especially) the OpenBSD community to speak
> of OpenBSD as just about security, when it's so much more than that.

I second that - it is the attitude of how the devs (and Theo in particular)
strive for clean code and fight the temptation to implement a 'twist' only
to allow some poorly written app to run on OpenBSD. Remember the outcry some
years ago when a change broke backward compatibility, preventing some poorly
written apps from running under OpenBSD since then? 'Security' is just another
result of this firm stand for their beliefs.

BTW: Anyone around who has not yet bought his set of CDs? Believe me - this is
a clever investment in future development and a fine way saying THANK YOU!

STEFAN

Mail: ste...@wollny.de
GnuPG-Key ID: 0x9C26F1D0



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Ted Unangst
On Wed, Nov 4, 2009 at 10:55 AM, Justin Smith  wrote:
> "By default, Ubuntu 8.04 and later with a non-zero
> /proc/sys/vm/mmap_min_addr setting were not vulnerable."
>
> Ubuntu 8.04 released in 2008 april.

Ubuntu 8 also ships with a setuid pulseaudio by default, which renders
the mmap_min_addr protection useless.





Re: openbsd 3.9 umass not linking to a sd

2009-11-04 Thread Swa Frantzen

> it doesn't want to play nice with USB drives.

Ok: I finally found the problem: my test disks all were portable
ones -powered from the USB bus-.

Cause that's what I had around the house.
I know the USB port needs to deliver enough juice to make it work, and
I had taken that into account: I had plugged in the power-only connector
on another USB port, getting more power if needed.
But apparently that's still not enough power from that server's
motherboard. Only after plugging it in on a standalone power supply does
the drive seem to spin up. (I had not heard it trying to spin up and
fail; the server makes way too much noise to ever hear the quite silent
drive.)

So yeah: 3.9 does support it and I can now order some external 1Tbyte
drives to use as backup medium; they now are cheaper than tape anyway.

Next step will be to figure out how to get dump to fill disks like it
can fill tapes, or something somewhat similar. But at least I now have a
path out of that corner I found myself in.


Lesson:
- don't assume the drive gets enough power, not even if you plug it in
on 2 USB ports


Wishlist:
Error messages telling you something (if that's possible at all to
start with).

"I'm giving it all she's got Jim, need more dilithium crystals"



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Ross Cameron
On Wed, Nov 4, 2009 at 5:54 PM, Theo de Raadt 
wrote:
>> > For the record, this particular problem was resolved in OpenBSD a
>> while back, in 2008.
>>
>> Nice, but:
>>
>> "Since 2.6.23, it has been possible to prevent applications from
>> mapping low pages (to prevent null pointer dereferencing in the
>> kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
>> minimum address allowed for such mappings."
>>
>> 2.6.23 released:  Tue, 9 Oct 2007
>>
>> Ref:
>> http://lkml.org/lkml/2007/10/9/241
>> http://james-morris.livejournal.com/26303.html
>
> And that knob was turned off.

Actually no it was turned on.

Fedora 8 was released in Nov 2007 and to run certain Wine applications
as non-root you had to disable the vm.mmap_min_addr sysctl.
By default it was set to a value of 65536 and you had to change this to
0.

This is well documented all over the Wine forums.
I know because this drove me up the bend when they introduced this patch.


--
"Opportunity is most often missed by people because it is dressed in
overalls and looks like work."
Thomas Alva Edison
Inventor of 1093 patents, including:
The light bulb, phonogram and motion pictures.



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Matthias Kilian
On Wed, Nov 04, 2009 at 04:55:58PM +0100, Justin Smith wrote:
> > And now we get into the fun stuff.
> >
> > Ever heard of 'secure by default' ?
> >
> > This knob is set to '0' by default.
> >
> > How many Linux installations actually read the above paragraph, understood
> > what value it could have to set to something other than zero, and changed
> > it accordingly.
> >
> > 'Nuff said.
> 
> 
> "By default, Ubuntu 8.04 and later with a non-zero
> /proc/sys/vm/mmap_min_addr setting were not vulnerable."
> 
> Ubuntu 8.04 released in 2008 april.

And if you install something like wine, the knob is set back to 0,
probably without any notice (at least in ubuntu-8.10). You don't
even have to run it, just installing it is enough, if I understand
the mechanism correctly.

But more important is the fact that the original kernel sources
have the knob set to 0 by default.

Ciao,
Kili



ipsec Phase 2 tunnels will not initiate from OBSD side

2009-11-04 Thread Dag Richards

Running  4.3 GENERIC#698 i386

I have a VPN with a vendor using, I think he said, a Sonic Wall
FW.  We are able to get Phase 1 associations up and happy. But Phase 2
never seems to start, at least not from my side.


If he sends traffic from his side then his device makes a phase 2 
proposal, and I accept and traffic flows.  I can do nothing to kick this 
off from my end.


I have an ipsec.conf phile for this vendor

ike active esp from { 172.18.101.22 } to { 10.0.3.222 10.0.6.222 
10.0.11.43 10.0.11.188 10.0.11.222 10.0.11.36 } local 10.120.10.50 peer 
xxx.xxx.xx.xx.x0x main auth hmac-sha1 enc 3des-cbc group modp1024 quick 
auth hmac-sha1 enc 3des-cbc group none psk "SEKRET"


He sends me a ping, I get a flow

ipsecctl -s flow | grep xxx.xxx.xx.xx.x0x
flow esp in from 10.0.11.43 to 172.18.101.22 peer xxx.xxx.xx.xx.x0x 
srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type use
flow esp out from 172.18.101.22 to 10.0.11.43 peer xxx.xxx.xx.xx.x0x 
srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type require



In the past I have been able to: echo "M active" > /var/run/isakmpd.fifo
But since I have a phase 1 up, I guess this won't have any effect?

I guess I am not really even sure what to be showing anyone, usually
once phase 1 is established everything has just worked.




Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Jacob Meuser
On Wed, Nov 04, 2009 at 04:55:58PM +0100, Justin Smith wrote:
> On Wed, Nov 4, 2009 at 4:14 PM, Todd T. Fries  wrote:
> > Penned by Justin Smith on 20091104 15:45.33, we have:
> > | Theo wrote:
> > |
> > | > For the record, this particular problem was resolved in OpenBSD a
> > | while back, in 2008.
> > |
> > | Nice, but:
> > |
> > | "Since 2.6.23, it has been possible to prevent applications from
> > | mapping low pages (to prevent null pointer dereferencing in the
> > | kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> > | minimum address allowed for such mappings."
> > |
> > | 2.6.23 released:  Tue, 9 Oct 2007
> > |
> > | Ref:
> > | http://lkml.org/lkml/2007/10/9/241
> > | http://james-morris.livejournal.com/26303.html
> > |
> > | --
> > | JS
> >
> > And now we get into the fun stuff.
> >
> > Ever heard of 'secure by default' ?
> >
> > This knob is set to '0' by default.
> >
> > How many Linux installations actually read the above paragraph, understood
> > what value it could have to set to something other than zero, and changed
> > it accordingly.
> >
> > 'Nuff said.
> 
> 
> "By default, Ubuntu 8.04 and later with a non-zero
> /proc/sys/vm/mmap_min_addr setting were not vulnerable."
> 
> Ubuntu 8.04 released in 2008 april.

quote from the article in the subject:

  The latest bug is mitigated by default on most Linux distributions,
  thanks to their correct implementation of the mmap_min_addr feature.
  But to make RHEL compatible with a larger body of applications, that
  distribution is vulnerable to attack even when the OS shows the
  feature is enabled, Spengler said.

so, on RedHat, one can't even turn it on?  doesn't Linus work for RedHat?

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Marco Peereboom
And it is totally on on *all* 90239490234873984 distros right?

On Wed, Nov 04, 2009 at 06:43:14PM +0200, Ross Cameron wrote:
> On Wed, Nov 4, 2009 at 5:54 PM, Theo de Raadt 
> wrote:
> >> > For the record, this particular problem was resolved in OpenBSD a
> >> while back, in 2008.
> >>
> >> Nice, but:
> >>
> >> "Since 2.6.23, it has been possible to prevent applications from
> >> mapping low pages (to prevent null pointer dereferencing in the
> >> kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> >> minimum address allowed for such mappings."
> >>
> >> 2.6.23 released:  Tue, 9 Oct 2007
> >>
> >> Ref:
> >> http://lkml.org/lkml/2007/10/9/241
> >> http://james-morris.livejournal.com/26303.html
> >
> > And that knob was turned off.
> 
> Actually no it was turned on.
> 
> Fedora 8 was released in Nov 2007 and to run certain Wine applications
> as non-root you had to disable the vm.mmap_min_addr sysctl.
> By default it was set to a value of 65536 and you had to change this to
> 0.
> 
> This is well documented all over the Wine forums.
> I know because this drove me up the bend when they introduced this patch.
> 
> 
> --
> "Opportunity is most often missed by people because it is dressed in
> overalls and looks like work."
> Thomas Alva Edison
> Inventor of 1093 patents, including:
> The light bulb, phonogram and motion pictures.



Re: svnd vs softraid for encrypting /home et al

2009-11-04 Thread umaxx
Hi,

On Mon, 2 Nov 2009 21:35:45 -0400
Ted Unangst  wrote:

> softraid offers a few advantages.
> 
> 1.  Better crypto.  The crypto algorithm currently used by softraid is
> designed a little better.  It could, in theory, also use hardware,
> except the choice of algorithm actually prevents that.  doh.  At the
> very least, if you decided you needed hardware acceleration, a small
> change to the code would enable it, whereas with svnd it's a pretty
> major change.
> 
> 2.  Efficiency.  The filesystem in a filesystem incurs more overhead.
> There's also the fact that svnd goes through the crazy parts of the
> buffer layer more than you probably want to.  Not a big deal, you
> probably don't notice it much.
> 
> 3.  Administration.  softraid is still under development, and the
> tools and support for it will continue to improve.  In particular,
> without making promises, softraid autodiscovery is a possibility and
> will likely work better than anything you cook up with vnconfig.
> 
> The only advantage I can think of for svnd is that it's stabler code
> and won't be changing in the future, but that's exactly what makes
> softraid better.  Today, they are about equal, but softraid support is
> going to get better, svnd will not.

I have one advantage to mention:
I have done some comparison measurements (with the bonnie benchmark) and
some self-written dd scripts under 4.5. Result: in my setup svnd seems to be
much faster.
I think this is maybe related to the first point, because (better) crypto is
slow(er).

Regards,

Joerg



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Tom Van Looy
Ross Cameron wrote:
> Actually no it was turned on.

This is from the commit to the Linux kernel:

"The amount of space protected is indicated by the new proc tunable
proc/sys/vm/mmap_min_addr and defaults to 0, preserving existing behavior."

It was turned off, 0 means no protection.



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Tom Van Looy
Matthias Kilian wrote:
> And if you install something like wine, the knob is set back to 0,
> probably without any notice (at least in ubuntu-8.10).

That can explain why it's off on my system (karmic koala).

By the way, this is from the debian wiki:

Debian 5.0.3 ships with a default mmap_min_addr of '0'. This means that
the Debian system, by default, is susceptible to these NULL-pointer
privilege escalation techniques. Unless you know that you have
applications that require this functionality, it is recommended that you
increase the value of mmap_min_addr on your system.

Off by default.

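Matthias Kilian's and Tom Van Looy's posts above make the practical point: the value an administrator puts in /etc/sysctl.conf can be silently overridden by a package drop-in such as wine's, and Debian ships 0 anyway. The following is an added example, not code from the thread or from any distribution, that replays the persisted sysctl files in their apply order to find which file set vm.mmap_min_addr last, and compares that with the running kernel where /proc is available. It assumes /etc/sysctl.conf is applied before /etc/sysctl.d/*.conf in name order (check the init script on your system; the order differs between distributions and versions), accepts both the `vm.mmap_min_addr` and `vm/mmap_min_addr` spellings, and the file contents and the `wine.sysctl.conf` file name are constructed fixtures.

```python
"""Find which persisted sysctl file has the last word on vm.mmap_min_addr.

Added example, not from the mailing-list thread or from any distribution.
Assumed apply order: sysctl.conf first, then sysctl.d/*.conf sorted by
name, so the last assignment wins.  Verify the order against the init
script of the system you audit.  FIXTURES are constructed, including the
wine drop-in file name.
"""
import os
import tempfile

KEY = "vm.mmap_min_addr"

# Constructed fixtures: what a Debian/Ubuntu box of the period might carry.
FIXTURES = {
    "sysctl.conf": "# system defaults\nkernel.printk = 4 4 1 7\nvm.mmap_min_addr = 65536\n",
    "sysctl.d/10-hardening.conf": "vm.mmap_min_addr = 65536\n",
    "sysctl.d/wine.sysctl.conf": "# constructed: a package drop-in\nvm/mmap_min_addr = 0\n",
}


def parse_sysctl_file(text):
    """Yield (key, value) pairs; '#' and ';' start comments, keys may use '.' or '/'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        yield key.replace("/", "."), value


def apply_order(root):
    """Files in the assumed apply order: sysctl.conf, then sysctl.d/*.conf by name."""
    paths = [os.path.join(root, "sysctl.conf")]
    dropin_dir = os.path.join(root, "sysctl.d")
    if os.path.isdir(dropin_dir):
        paths += sorted(os.path.join(dropin_dir, name)
                        for name in os.listdir(dropin_dir) if name.endswith(".conf"))
    return [p for p in paths if os.path.isfile(p)]


def effective_setting(paths):
    """(value, path) of the last assignment to KEY across the files, or (None, None)."""
    found = (None, None)
    for path in paths:
        with open(path) as fh:
            for key, value in parse_sysctl_file(fh.read()):
                if key == KEY:
                    found = (int(value), path)
    return found


def audit(root):
    """Effective persisted value, the file that set it, and whether it protects page zero."""
    value, path = effective_setting(apply_order(root))
    return {
        "value": value,
        "set_by": os.path.relpath(path, root) if path else None,
        "protected": bool(value),
    }


def live_value():
    """Running kernel's value, or None when /proc is not available (non-Linux)."""
    try:
        with open("/proc/sys/vm/mmap_min_addr") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return None


def write_fixtures(root):
    """Materialise FIXTURES under root."""
    for rel, text in FIXTURES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def audit_fixtures():
    """Run audit() over the constructed fixtures in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        write_fixtures(root)
        return audit(root)


if __name__ == "__main__":
    print("persisted:", audit_fixtures())   # the wine drop-in wins with 0
    print("running kernel:", live_value())
```

A non-zero effective value still does nothing for a process that runs with CAP_SYS_RAWIO, and a setuid-root binary starts with that capability; that is why the setuid pulseaudio remark earlier in the thread matters, so audit setuid-root binaries (for instance with `find / -perm -4000 -type f`) separately from the sysctl.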


can't load library 'libXdmcp.so.10.0

2009-11-04 Thread Tomáš Bodžár
Hi all,

I have full installation of i386 snapshot from 1.11.2009 (latest on
mirrors) and I can't use X. When I try startx either as root or normal
user I get :

$ startx
xauth: can't load library 'libXdmcp.so.10.0'
xauth: can't load library 'libXdmcp.so.10.0'
xauth: can't load library 'libXdmcp.so.10.0'
xinit: can't load library 'libXdmcp.so.10.0'
xauth: can't load library 'libXdmcp.so.10.0'
$

And :

$ locate libXdmcp
/usr/X11R6/lib/libXdmcp.a
/usr/X11R6/lib/libXdmcp.la
$

I can see only implementation of newer X server here
http://www.openbsd.org/plus.html and no action regarding this here
http://www.openbsd.org/faq/current.html

Am I missing something or is it a problem in the snapshot? I've been using
snapshots for a long time with no problem with X before, and it was
running fine with the snapshot from 23.10.2009 (clean installation
too).

-- 
http://www.openbsd.org/lyrics.html



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread Henry Sieff
On Wed, Nov 4, 2009 at 5:18 AM, Donald Allen  wrote:

[SNIP]

> I realize that I'm preaching to the choir -- you know all this. But I
> think it's a mistake for (especially) the OpenBSD community to speak
> of OpenBSD as just about security, when it's so much more than that.

I think I would rephrase that - OpenBSD is just about security, and
security implies far more than simply patching holes. Stability,
administrative transparency, and thorough documentation are all
critical and overly neglected aspects of security. If you don't know
the proper way to configure feature X, you cannot be sure it is
configured securely.

OpenBSD simply looks at security in a holistic fashion, while every
other OS I have to suffer through views security as a 'feature'.



Re: can't load library 'libXdmcp.so.10.0

2009-11-04 Thread Beto
Hi, try this

# ldconfig -m /usr/X11R6/lib/

Saludos

2009/11/4 Tomáš Bodžár 

> Hi all,
>
> I have full installation of i386 snapshot from 1.11.2009 (latest on
> mirrors) and I can't use X. When I try startx either as root or normal
> user I get :
>
> $ startx
> xauth: can't load library 'libXdmcp.so.10.0'
> xauth: can't load library 'libXdmcp.so.10.0'
> xauth: can't load library 'libXdmcp.so.10.0'
> xinit: can't load library 'libXdmcp.so.10.0'
> xauth: can't load library 'libXdmcp.so.10.0'
> $
>
> And :
>
> $ locate libXdmcp
> /usr/X11R6/lib/libXdmcp.a
> /usr/X11R6/lib/libXdmcp.la
> $
>
> I can see only implementation of newer X server here
> http://www.openbsd.org/plus.html and no action regarding this here
> http://www.openbsd.org/faq/current.html
>
> Am I missing something or is it a problem in the snapshot? I've been using
> snapshots for a long time with no problem with X before, and it was
> running fine with the snapshot from 23.10.2009 (clean installation
> too).
>
> --
> http://www.openbsd.org/lyrics.html
>
>


--
Beto
www.compumundohypermegared.org



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread Donald Allen
On Wed, Nov 4, 2009 at 1:48 PM, Henry Sieff  wrote:
> On Wed, Nov 4, 2009 at 5:18 AM, Donald Allen  wrote:
>
> [SNIP]
>
>> I realize that I'm preaching to the choir -- you know all this. But I
>> think it's a mistake for (especially) the OpenBSD community to speak
>> of OpenBSD as just about security, when it's so much more than that.
>
> I think I would rephrase that - OpenBSD is just about security, and
> security implies far more than simply patching holes. Stability,
> administrative transparency, and thorough documentation are all
> critical and overly neglected aspects of security. If you don't know
> the proper way to configure feature X, you cannot be sure it is
> configured securely.
>
> OpenBSD simply looks at security in a holistic fashion, while every
> other OS I have to suffer through views security as a 'feature'.

Perhaps. I don't presume to know enough about what Theo and the other
developers think or how the development is done to have an opinion on
that. But my point is that whether your assertion is true or not, the
net result is the best platform for general computing that I know of,
and not just in situations where security concerns are (or should be)
paramount. OpenBSD has been type-cast as a smart choice in
high-vulnerability situations (where you certainly wouldn't dare use
Windows or Linux), which is true, but the problem is that the
descriptions tend to *limit* its usefulness or applicability to such
situations, leading to questions like "does OpenBSD run on a laptop?".
My point is that OpenBSD is also the best choice (except if you care a
lot about Flash :-) in situations where you *would* dare to use
Windows or Linux. If I were doing software development on a machine
located in a bank vault with no network connection, that machine would
be running OpenBSD.

/Don



Re: ipsec Phase 2 tunnels will not initiate from OBSD side

2009-11-04 Thread Stuart Henderson
On 2009-11-04, Dag Richards  wrote:
> Running  4.3 GENERIC#698 i386
>
> I have a VPN with a vendor using, I think he said, a Sonic Wall
> FW.  We are able to get Phase 1 associations up and happy. But Phase 2
> never seems to start, at least not from my side.
>
> If he sends traffic from his side then his device makes a phase 2 
> proposal, and I accept and traffic flows.  I can do nothing to kick this 
> off from my end.
>
> I have an ipsec.conf phile for this vendor
>
> ike active esp from { 172.18.101.22 } to { 10.0.3.222 10.0.6.222 
> 10.0.11.43 10.0.11.188 10.0.11.222 10.0.11.36 } local 10.120.10.50 peer 
> xxx.xxx.xx.xx.x0x main auth hmac-sha1 enc 3des-cbc group modp1024 quick 
> auth hmac-sha1 enc 3des-cbc group none psk "SEKRET"
>
> He sends me a ping, I get a flow
>
> ipsecctl -s flow | grep xxx.xxx.xx.xx.x0x
> flow esp in from 10.0.11.43 to 172.18.101.22 peer xxx.xxx.xx.xx.x0x 
> srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type use
> flow esp out from 172.18.101.22 to 10.0.11.43 peer xxx.xxx.xx.xx.x0x 
> srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type require
>
>
> In the past I have been able to: echo "M active" > /var/run/isakmpd.fifo
> But since I have a phase 1 up, I guess this won't have any effect?
>
> I guess I am not really even sure what to be showing anyone, usually
> once phase 1 is established everything has just worked.

turn on pcap (see the isakmpd manual) and read the capture file
with tcpdump, this often gives clues more easily than looking at
isakmpd's logs.



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread Egon E. Braun Filho
On Wed, 4 Nov 2009 13:46:26 +1100
Aaron Mason  wrote:

> Wine is a good idea, but it's stifling an even better idea - making
> applications compatible across multiple OSes, something that hasn't
> needed to be done in the M$ world because of the stranglehold they
> had/have over the consumer market.
> 

Microsoft will not follow free standards, Linux will follow
Microsoft/IBM/Intel/W3C/bullshit_human_slaving_private standards.

And I believe that is not portability in any way. That is just
assassinating legacy and freedom.

> Let's put this into perspective: Linux would absolutely jump in
> popularity if Valve ported Steam and the Source engine to it, meaning
> games like the Half Life series, Left 4 Dead and Team Fortress 2 could
> run natively - not to mention that it would prompt other games that
> sell their wares through the Steam CDS to port their games as well -
> but since most of the games run just fine in Wine these days, there's
> no incentive.

This will happen. We just have to wait for Linus/Redhat/Suse/etc to sign
more NDAs.

Look after your kids.

-- 
Egon E. Braun Filho 



Can be PF block skype?

2009-11-04 Thread David Taveras
Greetings,

Can PF be programmed to block skype ? Provided we have port 80 and 443
Opened to the world, and perhaps DNS port too... skype finds any open
port to connect to.

Regards,
David Taveras



Re: Can be PF block skype?

2009-11-04 Thread Laurent CARON

On 04/11/2009 20:48, David Taveras wrote:

Greetings,

Can PF be programmed to block skype ? Provided we have port 80 and 443
Opened to the world, and perhaps DNS port too... skype finds any open
port to connect to.

Regards,
David Taveras



Hi,

Why having your users directly natted to the 'evil' internet ?

Laurent



Re: Can be PF block skype?

2009-11-04 Thread Han Boetes
David Taveras wrote:
> Can PF be programmed to block skype? Provided we have port 80
> and 443 Opened to the world, and perhaps DNS port too... skype
> finds any open port to connect to.

I don't think so. But if you install snort you can. Google for
snort and skype and you'll find quite a few decent hits.



# Han



Re: Can be PF block skype?

2009-11-04 Thread David Taveras
You're saying that a skype client can proxy itself through another skype
client on the same network?

In any case, I am sure there must be a way: if Cisco can do it, pf can.

--David

On Wed, Nov 4, 2009 at 2:12 PM, Yamidt Henao  wrote:
> It is impossible; the skype application can connect through another skype
> client in the same network.
>
>
> Regards,
>
> Yamidt
>
> On Wed, Nov 4, 2009 at 1:48 PM, David Taveras 
> wrote:
>>
>> Greetings,
>>
>> Can PF be programmed to block skype ? Provided we have port 80 and 443
>> Opened to the world, and perhaps DNS port too... skype finds any open
>> port to connect to.
>>
>> Regards,
>> David Taveras



Re: Can be PF block skype?

2009-11-04 Thread Tomáš Bodžár
Skype is crap, but really good at going through firewalls, so if you
want to block this and you're a company then prepare rules about the use
of ICT for users, and they must sign them. If they break those rules then
use sanctions against them. Of course this will not stop experts.
Or if you want to be friendly you can give them the option to
use Ekiga or a similar app, but not Skype because of its security
implications.

But in fact if they are capable of searching they may find this
page https://imo.im where Skype is available through Flash.

On Wed, Nov 4, 2009 at 8:48 PM, David Taveras  wrote:
> Greetings,
>
> Can PF be programmed to block skype ? Provided we have port 80 and 443
> Opened to the world, and perhaps DNS port too... skype finds any open
> port to connect to.
>
> Regards,
> David Taveras



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread Tomáš Bodžár
Ok to add more idiotic ideas to debate about Linux/MS and
interoperability and so on why not add this one?

http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2620&blogid=14

EU Wants to Re-define "Closed" as "Nearly Open"

'...While there is a correlation between openness and
interoperability, it is also true that interoperability can be
obtained without openness, for example via homogeneity of the ICT
systems, which implies that all partners use, or agree to use, the
same solution to implement a European Public Service...'

On Wed, Nov 4, 2009 at 5:39 PM, Egon E. Braun Filho 
wrote:
> On Wed, 4 Nov 2009 13:46:26 +1100
> Aaron Mason  wrote:
>
>> Wine is a good idea, but it's stifling an even better idea - making
>> applications compatible across multiple OSes, something that hasn't
>> needed to be done in the M$ world because of the stranglehold they
>> had/have over the consumer market.
>>
>
> Microsoft will not follow free standanrds, Linux will follow
> Microsoft/IBM/Intel/W3C/bullshit_human_slaving_private standards.
>
> And I believe that is not portability in no way. That is just
> assassinating legacy and freedom.
>
>> Let's put this into perspective: Linux would absolutely jump in
>> popularity if Valve ported Steam and the Source engine to it, meaning
>> games like the Half Life series, Left 4 Dead and Team Fortress 2 could
>> run natively - not to mention that it would prompt other games that
>> sell their wares through the Steam CDS to port their games as well -
>> but since most of the games run just fine in Wine these days, there's
>> no incentive.
>
> This will happen. We just have to wait for Linus/Redhat/Suse/etc to sign
> more NDAs.
>
> Look after your kids.
>
> --
> Egon E. Braun Filho 
>
>



--
http://www.openbsd.org/lyrics.html



Re: Can be PF block skype?

2009-11-04 Thread Tomáš Bodžár
But Cisco can do it on Application layer. I'm not sure about pf, but
last time I read man page about pf and pf.conf it wasn't able to do
that. I think that there was some post about it on Undeadly too.

On Wed, Nov 4, 2009 at 9:21 PM, David Taveras  wrote:
> You're saying that a skype client can proxy itself through another skype
> client on the same network?
>
> In any case, I am sure there must be a way: if Cisco can do it, pf can.
>
> --David
>
> On Wed, Nov 4, 2009 at 2:12 PM, Yamidt Henao  wrote:
>> It is impossible; the skype application can connect through another skype
>> client in the same network.
>>
>>
>> Regards,
>>
>> Yamidt
>>
>> On Wed, Nov 4, 2009 at 1:48 PM, David Taveras 
>> wrote:
>>>
>>> Greetings,
>>>
>>> Can PF be programmed to block skype ? Provided we have port 80 and 443
>>> Opened to the world, and perhaps DNS port too... skype finds any open
>>> port to connect to.
>>>
>>> Regards,
>>> David Taveras



Re: Can be PF block skype?

2009-11-04 Thread Mark Romer
Not sure if this is any good, looks like it is opensource though.

http://www.lynanda.com/products/software-for-corporations/traffic-filtering/lynanda-skype-filter

Mark

2009/11/4 Tomáš Bodžár

> But Cisco can do it on Application layer. I'm not sure about pf, but
> last time I read man page about pf and pf.conf it wasn't able to do
> that. I think that there was some post about it on Undeadly too.
>
> On Wed, Nov 4, 2009 at 9:21 PM, David Taveras 
> wrote:
> > You're saying that a skype client can proxy itself through another skype
> > client on the same network?
> >
> > In any case, I am sure there must be a way: if Cisco can do it, pf can.
> >
> > --David
> >
> > On Wed, Nov 4, 2009 at 2:12 PM, Yamidt Henao 
> wrote:
> >> It is impossible; the skype application can connect through another
> >> skype client in the same network.
> >>
> >>
> >> Regards,
> >>
> >> Yamidt
> >>
> >> On Wed, Nov 4, 2009 at 1:48 PM, David Taveras 
> >> wrote:
> >>>
> >>> Greetings,
> >>>
> >>> Can PF be programmed to block skype ? Provided we have port 80 and 443
> >>> Opened to the world, and perhaps DNS port too... skype finds any open
> >>> port to connect to.
> >>>
> >>> Regards,
> >>> David Taveras



Installing OpenBSD on SSD drives

2009-11-04 Thread Jean-François SIMON
 Hello,
Is there any particular problem with installing OpenBSD on a SSD HD ?  I
once could on one machine but on my actual machine it simply doesn't work.
After a while, the SSD disk becomes like overloaded and unavailable to
continue the installing process of 4.6.
Regards



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread STeve Andre'
On Wednesday 04 November 2009 16:10:06 Jean-François SIMON wrote:
>  Hello,
> Is there any particular problem with installing OpenBSD on a SSD HD ?  I
> once could on one machine but on my actual machine it simply doesn't work.
> After a while, the SSD disk becomes like overloaded and unavailable to
> continue the installing process of 4.6.
> Regards

I played with one, briefly, and it seemed to work.  A little weird, not
hearing anything from it...

But I'm not at all eager to actually use them just yet.  Look for the
goofs Intel has had with them.  How long will they last, and what is
the failure mode like?  More often than not a spinning disk will give
notice of impending death with a few bad spots before The End.  But
what of an SSD?  By its very nature I could see an address line going,
leaving a very weird pattern of unaffected data.

SSDs are the future, I'm fairly sure but I think they need to mature
as well as get bigger.

Lastly, saying where the install hangs would really help.  And of
course how big is it and who made it?

--STeve Andre'



RES: Can be PF block skype?

2009-11-04 Thread Ricardo Augusto de Souza
Excellent answer.

Also try blocking skype netblock.


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Laurent
CARON
Sent: Wednesday, 4 November 2009 18:08
To: misc@openbsd.org
Cc: David Taveras
Subject: Re: Can be PF block skype?

On 04/11/2009 20:48, David Taveras wrote:
> Greetings,
>
> Can PF be programmed to block skype ? Provided we have port 80 and 443
> Opened to the world, and perhaps DNS port too... skype finds any open
> port to connect to.
>
> Regards,
> David Taveras
>

Hi,

Why having your users directly natted to the 'evil' internet ?

Laurent



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread Roger Schreiter
Jean-François SIMON schrieb:
> ...
> Is there any particular problem with installing OpenBSD on a SSD HD ?  I

Hello,

it is like for any OS on SSD HD. Make sure, you are using
no swap partition!

And if you are using an application, which is writing
a lot of things into files, put the respective dirs into
ramdisks!

We are running some embedded PCs with OpenBSD, which have the
SSD HD completely write protected. All partitions are
mounted read only, and /tmp, /dev and /var is put into
ramdisks. Works fine.

Regards,
Roger.



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread Ted Unangst
2009/11/4 Roger Schreiter :
> it is like for any OS on SSD HD. Make sure, you are using
> no swap partition!

This is ridiculous advice.

> And if you are using an application, which is writing
> a lot of things into files, put the respective dirs into
> ramdisks!

Combined with this is even dumber.

If you can't swap, you're already in trouble if you run into memory
pressure.  So then you go and put the filesystem in RAM to make sure
there's lots of extra memory pressure?



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread Aaron Mason
On Thu, Nov 5, 2009 at 9:12 AM, Ted Unangst  wrote:
> 2009/11/4 Roger Schreiter :
>> it is like for any OS on SSD HD. Make sure, you are using
>> no swap partition!
>
> This is ridiculous advice.
>
>> And if you are using an application, which is writing
>> a lot of things into files, put the respective dirs into
>> ramdisks!
>
> Combined with this is even dumber.
>
> If you can't swap, you're already in trouble if you run into memory
> pressure.  So then you go and put the filesystem in RAM to make sure
> there's lots of extra memory pressure?
>
>

I'm with Ted on this one.  At the very least, stick a USB drive in and
use that for swap.  If things are going to write to SSDs a lot, get
two (if budget allows) and stripe/RAID-5 them - this actually does
wonders for increasing the lifespan of SSDs.

--
Aaron Mason - Programmer, open source addict
- Oh, why does everything I whip leave me?



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread philippe aubry
Hello,
I've been using a 32 GB SSD drive for approximately one year with OpenBSD 4.4 in
a SOEKRIS with no troubles; the great thing is NO NOISE, NO HEAT.
I use the soekris as a firewall and the uptime is approximately 178 days.

Regards

2009/11/4 Jean-François SIMON 

>  Hello,
> Is there any particular problem with installing OpenBSD on a SSD HD ?  I
> once could on one machine but on my actual machine it simply doesn't work.
> After a while, the SSD disk becomes like overloaded and unavailable to
> continue the installing process of 4.6.
> Regards



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread Aaron Mason
2009/11/5 Jean-François SIMON :
>  Hello,
> Is there any particular problem with installing OpenBSD on a SSD HD ?  I
> once could on one machine but on my actual machine it simply doesn't work.
> After a while, the SSD disk becomes like overloaded and unavailable to
> continue the installing process of 4.6.
> Regards
>
>

Hi Jean-François,

Is this a used SSD?  That happens with used ones because they end up
doing twice the work - once to erase the used block and again to
actually write the block (and several blocks around them, AAMOF).

If you have a "secure erase" option available, use it.  This will
restore the data blocks to an unused state, and restore full speed
again.

HTH

2009/11/5 STeve Andre' 
>But I'm not at all eager to actually use them just yet.  Look for the
>goofs Intel has had with them.  How long will they last, and what is
>the failure mode like?  More often than not a spinning disk will give
>notice of impending death with a few bad spots before The End.  But
>what of an SSD?  By its very nature I could see an address line going,
>leaving a very weird pattern of unaffected data.

I'd say SMART would answer the call by sending DANGER WILL ROBINSON
messages to the OS - it would be up to the OS to intercept these
messages and inform the sysadmin, however.

My $0.02.

--
Aaron Mason - Programmer, open source addict
- Oh, why does everything I whip leave me?



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread Roger Schreiter
Ted Unangst schrieb:
> ...
>> no swap partition!
> 
> This is ridiculous advice.
> ...
>> a lot of things into files, put the respective dirs into
>> ramdisks!
> 
> Combined with this is even dumber.


Hi,

anyway, intensive swapping onto an SSD HD will destroy your SSD HD.

If RAM is the limiting resource in your system, you are right,
my advice is ridiculous.

In any else case, my advice is important, and for many, many
applications it is possible to equip a system with enough RAM,
making swapping unnecessary.

Ramdisks and complete write protection of the HD is of course
just an option to think about, and depends on the application,
if appropriate or not.



Regards,
Roger.



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread Robert
On Wed, 04 Nov 2009 23:00:39 +0100
Roger Schreiter  wrote:

> Jean-François SIMON schrieb:
> > ...
> > Is there any particular problem with installing OpenBSD on a SSD
> > HD ?  I
> 
> Hello,
> 
> it is like for any OS on SSD HD. Make sure, you are using
> no swap partition!
> 
> And if you are using an application, which is writing
> a lot of things into files, put the respective dirs into
> ramdisks!
> 
> We are running some embedded PCs with OpenBSD, which have the
> SSD HD completely write protected. All partitions are
> mounted read only, and /tmp, /dev and /var is put into
> ramdisks. Works fine.
> 
> Regards,
> Roger.

That advice might have had some merit with 1GB Compact Flash drives ...

On e.g. an 80GB SSD, partition 60 and leave the rest empty. With that you
have _a lot_ of sectors to remap in case some fail. That will increase
the lifetime of the drive.
Usually flash fails gracefully (can't write but can still read), so one would
be able to recover the data.
Flash is no miracle cure; having backups is still mandatory.
I don't expect my 2,5" drive in my laptop to last longer than the
stated 5 years the average MLC SSD gets quoted. All that banging around,
even turned off, in the laptop bag takes its toll.
Harddrives that store critical data are swapped in the 2 to 3 year time
frame at latest, if they didn't fail on their own before and are
repurposed in less crucial systems like desktops. (...less potential
downtime, less power consumption, more peace of mind)

On the gp's topic, there is nothing special about SSD's that should
keep them from working like any other (guessing) SATA device.
("It doesn't work!" Isn't anywhere near a cry for help that warrants an
answer...)

- Robert



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread K K
2009/11/4 Jean-François SIMON :
>  Hello,
> Is there any particular problem with installing OpenBSD on a SSD HD ?  I
> once could on one machine but on my actual machine it simply doesn't work.
> After a while, the SSD disk becomes like overloaded and unavailable to
> continue the installing process of 4.6.
> Regards

Sounds like an issue with your SSD?
Can you supply a dmesg, and details on the SSD, make/model/supplier,
as well as the motherboard and how the drive appears to the BIOS?


On Wed, Nov 4, 2009 at 4:12 PM, Ted Unangst  wrote:
> 2009/11/4 Roger Schreiter :
>> it is like for any OS on SSD HD. Make sure, you are using
>> no swap partition!
>
> This is ridiculous advice.

This *was* reasonable advice for the older generations of
CompactFlash, but may no longer be a consideration with newer
flash/SSD drives.

I have run many embedded servers (mostly OpenBSD on Soekris) without
swap, never had any problems traceable to the lack of swap space.


>> And if you are using an application, which is writing
>> a lot of things into files, put the respective dirs into
>> ramdisks!
>
> Combined with this is even dumber.
>
> If you can't swap, you're already in trouble if you run into memory
> pressure.  So then you go and put the filesystem in RAM to make sure
> there's lots of extra memory pressure?

Actually, the above is standard advice for running any Unix on flash,
as people have been doing with Soekris and CF since at least 2001.

The idea isn't to put "the filesystem" into RAM, but rather to reduce
the write operations by mounting filesystems used for frequently
written small files (e.g. /var/tmp) as ramdisks.

Kevin
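What Kevin and Roger describe in this thread, written out as an added example (not a configuration from either of them): an /etc/fstab for an OpenBSD box on flash that keeps /usr read-only, mounts everything noatime, and puts the scratch directories in memory filesystems so that frequently written small files never touch the flash. The swap partition stays, for the reason Ted gives. Device names, partition layout and sizes are assumptions.

```fstab
# Added example, not from the thread. Device names, sizes and layout are
# assumptions; adjust them to the disklabel(8) output of the box in question.
/dev/wd0b  none      swap sw                          0 0
/dev/wd0a  /         ffs  rw,noatime                  1 1
/dev/wd0d  /usr      ffs  ro,nodev,noatime            1 2
/dev/wd0e  /var      ffs  rw,nodev,nosuid,noatime     1 2
# Scratch directories as memory filesystems (mount_mfs(8)); -s is the size
# in 512-byte sectors, so 32768 = 16 MB. Contents vanish at reboot, which is
# fine for /tmp and /var/tmp but means nothing persistent may live there.
swap       /tmp      mfs  rw,nodev,nosuid,-s=32768    0 0
swap       /var/tmp  mfs  rw,nodev,nosuid,-s=16384    0 0
```

noatime alone already removes the access-time update that every read would otherwise write back; /usr can be read-only because it is only written when packages are installed (remount it rw for that). Roger's fully write-protected variant (/ and /var read-only, /dev in a ramdisk too) needs more than fstab: syslogd, rc(8) and pid files write under /dev and /var/run at boot, so those directories have to be populated by a start-up script, and logs then need a remote syslog target or a periodic copy to persistent storage.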



Re: Installing OpenBSD on SSD drives

2009-11-04 Thread Ted Unangst
On Wed, Nov 4, 2009 at 5:44 PM, K K  wrote:
> This *was* reasonable advice for the older generations of
> CompactFlash, but may no longer be a consideration with newer
> flash/SSD drives.
>
> I have run many embedded servers (mostly OpenBSD on Soekris) without
> swap, never had any problems traceable to the lack of swap space.

Why do we keep repeating 10 year old advice that may have applied to
crappy 1GB flash and think it matters for 100GB drives using rather
different technology?  When you run newfs, do you make sure to line
the cylinder groups up just right?  Because that was standard advice
too.

More relevantly, I bet you never tried starting firefox on your
soekris.  Why does everyone assume that the only possible use for an
SSD hard drive is in some crippled embedded box?  Heaven forbid
somebody put a fast drive in a computer that they'll actually use.

I've got 4GB of SSD swap in my laptop.  Yes, 4GB of swap on SSD!
OMG!!!  It'll wear out in a month!

Why do you assume that merely creating a swap partition somehow forces
the kernel to use it?  If your system is running without a swap
partition, it can run without writing to swap too.



Re: can't load library 'libXdmcp.so.10.0

2009-11-04 Thread frantisek holop
hmm, on Wed, Nov 04, 2009 at 07:43:33PM +0100, Tomáš Bodžár said that
> Hi all,
> 
> I have full installation of i386 snapshot from 1.11.2009 (latest on
> mirrors) and I can't use X. When I try startx either as root or normal
> user I get :
> 
> $ startx
> xauth: can't load library 'libXdmcp.so.10.0'
> xauth: can't load library 'libXdmcp.so.10.0'
> xauth: can't load library 'libXdmcp.so.10.0'
> xinit: can't load library 'libXdmcp.so.10.0'
> xauth: can't load library 'libXdmcp.so.10.0'
> $
> 
> And :
> 
> $ locate libXdmcp
> /usr/X11R6/lib/libXdmcp.a
> /usr/X11R6/lib/libXdmcp.la
> $

that file is missing from snapshot's xbase46.tgz
it is in the next one though.

-f
-- 
microsoft is suing apple 'cause they have employees too.



PF: Is it possible to route a LAN IP through a specific IP of the EXT nic?

2009-11-04 Thread David Taveras
Hello community,

I have a LAN of 10 users connected to a box that NATs them all through
the external NIC and thus the server's default public IP. That box has
several public IPs. Is there any way I can NAT a specific user to use a
specific IP as their translated IP?

Thank you.

-- David



Re: Can be PF block skype?

2009-11-04 Thread Predrag Punosevac
David Taveras wrote:
> Can PF be programmed to block skype? Provided we have port 80
> and 443 Opened to the world, and perhaps DNS port too... skype
> finds any open port to connect to.

It has been discussed earlier. The short answer is yes with a little 
help

http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038646.html



Re: PF: Is it possible to route a LAN IP through a specific IP of the EXT nic?

2009-11-04 Thread Bryan Irvine
It's all in here man.
http://www.openbsd.org/faq/pf/nat.html

Basically:
nat on $ext_if from $your_user to any -> 1.2.3.4



On Wed, Nov 4, 2009 at 3:51 PM, David Taveras  wrote:
> Hello community,
>
> I have a LAN of 10 users connected to a box that NATs them all through
> the external NIC and thus the server's default public IP. That box has
> several public IPs. Is there any way I can NAT a specific user to use a
> specific IP as their translated IP?
>
> Thank you.
>
> -- David
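The one-line rule in Bryan's reply is the whole idea; as an added example (not from his reply or from the FAQ page it links), here is a small but complete pf.conf in the 4.6-era syntax the reply uses, showing where the per-user rule has to sit relative to the catch-all NAT rule. Interface names, all addresses and the chosen user's host are assumptions.

```pf
# Added example, not from the list post. OpenBSD 4.6-era pf.conf syntax.
# Interface names and every address below are assumptions; replace them.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
default_pub = "203.0.113.10"   # address the LAN normally NATs to
special_pub = "203.0.113.11"   # second public address, aliased on $ext_if
special_user = "192.168.1.50"  # the one LAN host that should appear as $special_pub

# Translation rules are first-match, so the host-specific rule must come
# before the catch-all; the other way round the catch-all wins for that host.
nat on $ext_if from $special_user to any -> $special_pub
nat on $ext_if from $lan_net to any -> $default_pub

# Filtering happens after translation on the way out, so the outbound pass
# rule sees the translated source addresses.
block in log all
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if from { $default_pub, $special_pub } to any keep state
```

The second address has to exist on $ext_if (an `alias` line in /etc/hostname.em0), otherwise replies to $special_pub never reach the box. After `pfctl -f /etc/pf.conf`, `pfctl -s nat` shows the rule order and `pfctl -s state` shows which public address each user's connections were translated to.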



Re: svnd vs softraid for encrypting /home et al

2009-11-04 Thread Brad Tilley
On Wed, Nov 4, 2009 at 12:02 PM, umaxx  wrote:

> I have one advantage to mention:
> I have done some comparison measurements (with bonnie benchmark) and
> some self-written dd scripts under 4.5 - result: in my setup svnd seems to be
> much faster.
> I think this is maybe related to the 1. point because (better) crypto is 
> slow(er).

I find svnd to be fast as well. I use it on notebooks and underpowered
Celeron CPUs and the encryption overhead is imperceptible. I also like
the fact that I can copy the encrypted containers from one OpenBSD
install to the other. For now, I plan to stick with vnconfig. Only /,
/usr and /var are clear text on my laptops and I'm OK with that. /home
is encrypted, swap is encrypted and /tmp is in memory. So I still have
some privacy.

Brad



Boletin Cientifico Coband | Numero 49 | Noviembre 2009

2009-11-04 Thread Boletin Cientifico Coband
Coband Scientific Bulletin

If you use Gmail or cannot view this bulletin correctly, you can access the
online version.

2005-2009
4 years promoting the advance of psychological science in Argentina
The COBAND Project is a non-profit scientific association made up of
students, graduates, teachers, professionals and researchers who promote
the advance of psychological science in Argentina.

Coband Scientific Bulletin | Issue 49 | November 2009

COBAND Project | The largest psychological science portal in Argentina

Announcements | Editorial | Events | Resources | Areas | Calls | Requests |
Books | Update | Profiles

In this issue

Announcements
  Internship in Experimental Psychology

Upcoming events
  Seminar series on the Sociology of Science; III Inter-American Congress
  of Neuroscience; II International Research Congress of the Faculty of
  Psychology of the Universidad Nacional de La Plata

Resources
  Careers in psychology

Vacancy areas
  Psychology of traffic and safety

Calls for papers
  Revista Argentina de Ciencias del Comportamiento; Revista Chilena de
  Neuropsicología; Acta Psiquiátrica y Psicológica de América Latina

Volunteer requests
  Project on understanding the brain bases of Asperger's; Research in
  psycholinguistics; Ecopsychological study of self-perception in young
  people; Research project on the psychiatric disorders Attention Deficit
  Hyperactivity Disorder and Bipolar disorder

Recommended books
  Social Psychology and Traffic Safety

Scientific update
  Avances en Psicología Latinoamericana

Psychological profiles
  Vilayanur Subramanian Ramachandran

Featured announcements
  Training in Cognitive Behavioural Therapy; Principles of Cognitive
  Therapy; Update Programme in Cognitive Therapy; Introduction to Rational
  Emotive Behaviour Therapy; Cognitive Behavioural Approach to Anger
  Management; Postgraduate course in Rational Emotive Behaviour Therapy;
  Nebraska Programme of Training in Psychological First Aid; Behaviour
  Modification: what it is and how to apply it; ONLINE CALENDAR OF
  SCIENTIFIC EVENTS

Our guiding PHRASE
  "The best result comes from everyone in the group doing what is best for
  themselves and for the group"

conoCI, the journal of the Coband project

Sponsors
  The COBAND Project is sponsored by the Sociedad Interamericana de
  Psicología

Institutional advertisers

Professional advertisers
  Lic. María Elsa Sciascio, U.B.A., cognitive psychotherapist, F. AIGLE -
  UNMP. Adolescents | Adults, Couples | Families, Vocational guidance.
  Offices in Núñez and Vicente López. Telephones 4756-0495 | 15-5481-9660

Not among these advertisers?
  Take advantage of the largest and most up-to-date database in Argentina
  at the service of science. Publicise your activity among more than 50
  thousand students, graduates, teachers, professionals and researchers in
  psychology and health sciences. Join us in advancing psychological
  science in Argentina.

Are you part of a scientific institution?
  Publicise your activities and courses to the whole psychological
  community. [ PLAN FOR INSTITUTIONAL ADVERTISERS ]

Organising a congress or special event?
  Discover our scientific outreach platform. [ PLAN FOR ORGANISATIONAL
  ADVERTISERS ]

Need volunteers for your research? Do you edit a journal and are you
issuing a call for papers?
  Use this bulletin to publicise your request completely free of charge.
  [ PLAN FOR SCIENTIFIC ADVERTISERS ]

Connections
  Alianza Psicológica

Announcements

Internship in Experimental Psychology

The Laboratory of Experimental and Applied Psychology (PSEA - UBA - CONICET),
directed by Dr. Alba Mustaca, invites undergraduate students or recent
graduates to carry out internships in the area of basic research.

The team is currently investigating the mechanisms involved in a
frustration model, with rats and humans.

The intern is expected to acquire practical, methodological and conceptual
training in the area of basic learning processes.

Those interested must have weekly time availability to carry out the experim

Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/

2009-11-04 Thread Tobias Ulmer
Dear sweetheart,

On Thu, Nov 05, 2009 at 01:12:58AM +0100, Claire beuserie wrote:
> Yes, I know, I was present in the room when Illja gave the talk in 2006 at
> the CCC Kongress and the two OpenBSD developers in the room decided to
> completely ignore the exploit he showed until Miod reproduced it two weeks
> later...


http://events.ccc.de/congress/2006/Fahrplan/day_4.en.html:
Schedule Day 4: 30.12.2006
11:30
Unusual bugs Ilja

http://openbsd.org/errata39.html:
017: SECURITY FIX: January 3, 2007   i386 only
Insufficient validation in vga(4) may allow an attacker to gain root
privileges if the kernel is compiled with option PCIAGP and the actual
device is not an AGP device. The PCIAGP option is present by default on
i386 kernels only.

http://blogs.23.nu/ilja/2007/01/:
"So one of the things I noticed after my unusual bugs talk, the OpenBSD
guys fix bugs _FAST_. I mean really fast ! bugfix and announcement
within a few days. Not many vendors can pull that off."

Two weeks, eh? Want it in a black frame with a white caption
reading "EPIC FAIL"? I'd start gimp for that.

> 
> If you are not an OpenBSD developer, don't make public statements like that,
> if OpenBSD developers decide to sit on a bug for a couple of months, it does
> not justify their full disclosure conflict where bugs are swept under the
> carpet

Newsflash: I decide what I write on a public mailinglist. The rest of
the sentence doesn't even parse, but i think it's something like "Theo
once hurt my feelings on the internets".

What i always wanted to know, how do I join the secret Facebook group of
people that have been flamed by Theo or another OpenBSD developer? Do
you have an IRC channel? Is an emo haircut and a pic from weird angles
really required in the application?


I should have roasted you in the first reply like my guts told me to,
instead i gave you the benefit of the doubt, my mistake. Doesn't happen
again. Promise.

Misc'ed for entertainment

> 
> On Thu, Nov 5, 2009 at 12:55 AM, Tobias Ulmer  wrote:
> 
> > On Wed, Nov 04, 2009 at 01:46:52PM +0100, Claire beuserie wrote:
> > > Dear Tobias,
> > >
> > > what you stated contradicts what Otto and Art posted.
> >
> > Ehm, no it doesn't. There are two different components, the actual null
> > pointer dereference and the ability to map a page to address zero.
> >
> > What i'm pointing out is that mapping a page at address 0 isn't new. It's
> > also not a bug (this is true for the executable stack as well, as Art
> > points out with some sarcasm). The ability for a program to do so was
> > recognised in 2006 by some developers, and prevented by a change to the
> > kernel in 2008.
> >
> > It only becomes a problem once someone finds a NULL pointer dereference
> > in the kernel. One such problem was discovered recently, and was fixed
> > asap.
> >
> > If you had done some research for the file I linked to, you would find
> > that Ilja gave a talk in 2006, called "unusual bugs", where he
> > demonstrated this class of vulnerabilities on OpenBSD. I'm sure plenty
> > of Linux developers were sitting in the audience as well, laughing about
> > us...
> >
> > Again, the bug was fixed asap:
> > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/i386/017_agp.patch
> >
> >
> > >
> > > Are you to be quoted as an OpenBSD developer on this?
> >
> > Certainly not, since I'm no OpenBSD developer.
> >
> > >
> > > Salutions,
> > >
> > > Claire
> > >
> > > On Wed, Nov 4, 2009 at 3:46 AM, Tobias Ulmer  wrote:
> > >
> > > > On Wed, Nov 04, 2009 at 02:57:59AM +0100, Claire beuserie wrote:
> > > > > Hi,
> > > > >
> > > > > On Wed, Nov 4, 2009 at 12:58 AM, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
> > > > >
> > > > > > 2) At least three of our developers were aware of this exploitation
> > > > > >   method going back perhaps two years before the commit, but we
> > > > > >   gnashed our teeth a lot to try to find other solutions.  Clever
> > > > > >   cpu architectures don't have this issue because the virtual address
> > > > > >   spaces are separate, so i386/amd64 are the ones with the big impact.
> > > > > >   We did think long and hard about tlb bashing page 0 every time we
> > > > > >   switch into the kernel, but it still does not look attractive from
> > > > > >   a performance standpoint.
> > > > > >
> > > > >
> > > > > I'm confused.
> > > > >
> > > > > That came out a bit weird: are you saying you knew about the bug for
> > > > > 2 years but did not fix it?
> > > >
> > > > It's not "the bug", it's a class of vulnerabilities that allows
> > > > exploiting a NULL pointer dereference under certain circumstances.
> > > >
> > > > http://packetstorm.linuxsecurity.com/poisonpen/8lgm/ptchown.c
> > > > is commonly cited as the oldest public source (1994). Use google for
> > > > more.
> > > >
> > > > >
> > > > >
> > > > > c.b-
> > > >
> > > > --
> > > > Sent from my noname server.
> > > >
> >
> > --
> > Sent from my noname server.
> >

-- 
Sent from my noname server.
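The two components Tobias separates above (a user-controlled page at address 0, and a kernel NULL pointer dereference that then reads or executes from it) are exactly what a low-address mapping restriction is meant to pull apart: if the kernel refuses to map anything near 0, the dereference stays a crash instead of becoming a privilege escalation. As an added illustration, not code from this thread or from the OpenBSD kernel, here is a small C program with a hypothetical policy function modelled on such a kernel-side check, plus an audit probe that asks the running kernel for a fixed one-page mapping at address 0 and reports whether it was refused. MIN_MAP_ADDR is a constructed value for the example, and low_mapping_allowed and kernel_refuses_page_zero are names chosen here.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Hypothetical policy: the lowest address at which a user mapping may
 * start. 64 KiB is a constructed value for this example; it is the kind
 * of floor the kernel enforces, not a value taken from any real kernel. */
#define MIN_MAP_ADDR ((uintptr_t)0x10000)

/* Model of the kernel-side check that stops a process from placing a page
 * at address 0 (or anywhere in the reserved low region).
 *
 * Returns 1 if the mapping [addr, addr+len) may be created, 0 if it must
 * be refused. Refuses zero-length requests and requests whose end would
 * wrap around the address space, since both would otherwise let a
 * caller sneak a range past a naive "addr >= min" comparison. */
int low_mapping_allowed(uintptr_t addr, size_t len, uintptr_t min_addr)
{
    if (len == 0)
        return 0;
    if (addr > UINTPTR_MAX - (len - 1))   /* end would wrap past the top */
        return 0;
    if (addr < min_addr)                  /* starts inside the reserved region */
        return 0;
    return 1;
}

/* Audit probe: try to obtain a fixed, anonymous, one-page mapping at
 * address 0 and immediately release it if the kernel granted it.
 * Returns 1 if the kernel refused (the hardening is in effect), 0 if the
 * mapping was granted. Stores the refusal errno in *err when non-NULL. */
int kernel_refuses_page_zero(int *err)
{
    void *p = mmap((void *)0, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err)
            *err = errno;
        return 1;
    }
    munmap(p, 4096);
    if (err)
        *err = 0;
    return 0;
}

int main(void)
{
    int err = 0;

    /* Constructed requests run through the policy model. */
    printf("policy: map at 0x0      -> %s\n",
           low_mapping_allowed(0x0, 4096, MIN_MAP_ADDR) ? "allowed" : "refused");
    printf("policy: map at 0xf000   -> %s\n",
           low_mapping_allowed(0xf000, 4096, MIN_MAP_ADDR) ? "allowed" : "refused");
    printf("policy: map at 0x10000  -> %s\n",
           low_mapping_allowed(0x10000, 4096, MIN_MAP_ADDR) ? "allowed" : "refused");

    /* Ask the real kernel whether page 0 can be mapped by this process. */
    if (kernel_refuses_page_zero(&err))
        printf("kernel: refused a fixed mapping at 0 (%s)\n", strerror(err));
    else
        printf("kernel: GRANTED a fixed mapping at 0; low-address hardening is off\n");
    return 0;
}
```

The probe only reports; a result of "granted" means a NULL dereference in the kernel on this host would have attacker-controlled memory under it, which is the condition worth flagging in a hardening audit. Note that some kernels exempt privileged processes from the floor, so run the probe as the unprivileged user whose exposure you care about.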


Re: svnd vs softraid for encrypting /home et al

2009-11-04 Thread Josh Grosse
On Wed, Nov 04, 2009 at 07:02:54PM -0500, Brad Tilley wrote:
> ...Only /,
> /usr and /var are clear text on my laptops and I'm OK with that. /home
> is encrypted, swap is encrypted and /tmp is in memory. So I still have
> some privacy.

Did you forget /var/tmp?  :)