Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
From http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/ :

> or desktop environments such as Wine

For some definitions of "desktop environments".
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
Claire beuserie writes: > That came out a bit weird: are you saying you knew about the bug for 2 years > but did not fix it? Yes. Because the solution sucks. And all others we tried were just not workable. Just like we knew that executable stacks can be used for exploits and didn't fix that for many years. //art
Re: seeing separate logs for differrent interfaces.
On Tue, Nov 3, 2009 at 1:52 PM, Henning Brauer wrote: > > pfctl -vvsI is what you're after. > Thanks Michael Henning :-) --Siju
does pf make sense for a desktop computer?
Hi all, since the upgrade to version 4.6 had pf activated by default, I was confronted with the question whether it is reasonable to use it on my desktop computer or not. I would like to know if someone is using it that way and if it's worth investing my time in the configuration of pf. Regards, Moritz PS: After using obsd for one year now, I can just say that I love it! I am very grateful to you developers out there for sharing your work. I will keep on supporting for sure!
Re: does pf make sense for a desktop computer?
--- Moritz Herrmann [Wed, Nov 04, 2009 at 11:51:52AM +0100]: --- > Hi all, > since the upgrade to version 4.6 had pf activated by default, > I was confronted with the question whether it is reasonable to use it > on my desktop computer or not. > I would like to know if someone is using it that way and if it's worth > to invest my time into > the configuration of pf. Well, I guess it depends on how hostile the environment where you have this machine is. But personally, I think egress filtering is always worthwhile.
Re: does pf make sense for a desktop computer?
> > since the upgrade to version 4.6 had pf activated by default, > > I was confronted with the question whether it is reasonable to use it > > on my desktop computer or not. The question you are "confronted with" has already been solved for you: yes, it is reasonable - that's why it is the default. > > I would like to know if someone is using it that way and if it's worth > > to invest my time into the configuration of pf. What are you talking about? The time investment is minimal, and the config is a few lines, mostly un-commented defaults. As usual on OpenBSD.
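As an added example, not taken from the thread or from the OpenBSD distribution, here is what the "few lines" for a desktop look like when the point is the egress filtering the replies above argue for: deny everything by default, allow only the outbound services the machine is known to need, and log what gets refused so the list is tightened or relaxed from evidence rather than guesswork. The interface name em0, the port lists and the 192.0.2.10 address are assumptions to be replaced for the machine in question.

```pf
# Desktop ruleset: default deny in both directions, explicit egress allowances.
# em0, the port lists and 192.0.2.10 are assumptions; adjust for your machine.
ext_if = "em0"
tcp_out = "{ 22 53 80 443 993 }"     # ssh, dns, http, https, imaps
udp_out = "{ 53 123 }"               # dns, ntp

set skip on lo
set block-policy return              # local programs get an immediate "no" instead of a hang

# Default deny. Blocked egress is logged: every hit on this rule is a program
# talking out that you did not expect, which is what filtering a desktop is for.
block in
block out log

antispoof quick for $ext_if

# Outbound: only the listed services, and only from this host's own address.
# ($ext_if) is re-evaluated at run time, so a DHCP address change is fine.
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_out
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_out
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type echoreq

# Inbound: nothing. Uncomment to admit ssh from one trusted host only.
# pass in on $ext_if inet proto tcp from 192.0.2.10 to ($ext_if) port 22
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, then watch tcpdump -n -e -ttt -i pflog0 for a day: anything that shows up there is either a service missing from the lists or a program that has no business reaching the network.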
Re: very slow xterm window refresh with TrueType fonts
> I'm experiencing this problem since a few snapshots now: > [...] > While resizing, moving or hovering the xterm window with other windows, the > xterm window's content is refreshing painfully slowly. If someone else has > experienced this problem, I would really appreciate some ideas or > information about this :) Hi! Just wanted to say that since then I've managed to get it working again. The problem was that I had used the XAA accelmethod by default with the radeon driver (with an "ATI Radeon Mobility X1400" in a Lenovo ThinkPad T60). The Xorg.0.log nicely gives me the heads up that it is not supported with this type of chip, and to use the EXA accelmethod instead of the default XAA. After making this configuration change in xorg.conf, everything is snappy again. Would it be possible to use the EXA method by default with these radeon drivers so there won't be any problems like this? Daniel -- LIVAI Daniel PGP key ID = 0x4AC0A4B1 Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
On Wed, Nov 04, 2009 at 02:57:59AM +0100, Claire beuserie wrote: > Hi, > > On Wed, Nov 4, 2009 at 12:58 AM, Theo de Raadt wrote: > > > 2) At least three of our developers were aware of this exploitation > > method going back perhaps two years before the commit, but we > > gnashed our teeth a lot to try to find other solutions. Clever > > cpu architectures don't have this issue because the virtual address > > spaces are separate, so i386/amd64 are the ones with the big impact. > > We did think long and hard about tlb bashing page 0 every time we > > switch into the kernel, but it still does not look attractive from > > a performance standpoint. > > > > I'm confused. > > That came out a bit weird: are you saying you knew about the bug for 2 years > but did not fix it? Allowing a mapping at address zero is not a bug per se, but it opens a door for other bugs to be exploited more effectively. This door has been closed, but only after hard thinking went into how to close it. -Otto
Premature end of archive
Dear all, I tried to install clamav from packages but get an error like this; how do I solve it?
- I tried another mirror, still the same
- tried downloading to a local PC, still the same

# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/i386/
# pkg_add -i clamav
Premature end of archive
clamav-0.95.2: complete
Adjusting sha for /usr/local/lib/libclamav.a from k3C2K5oQcz5KJ1wrU0uLgN9h6iZ1w6MYh5gIYM02On4= to orCLZWKfCRHFq1lVJcXljBP3QjUq2trZIlRJ49Np5zk=
/usr/sbin/pkg_add: Installation of clamav-0.95.2 failed, partial installation recorded as partial-clamav-0.95.2

-- sonjaya http://sicute.blogspot.com
Re: Native Instruments 'Soundcards'
On Fri, 30 Oct 2009 07:59:30 + Jacob Meuser wrote: > > I still kind of want to trade it in but it's looking like there > > might not be any other 4in/4out USB soundcard that's suitable > > (they're all either too complex or appear to be old so probably > > need custom drivers). > > Universal Serial Bus > Device Class Definition for Audio Devices > Release 1.0 > March 18, 1998 > > older than that? again, by that spec, devices could be made to > operate at 1-2ms latency, which is certainly low enough to be > considered "pro". If quality/speed was actually a requirement, why would anyone mess with USB in the first place? If you need high quality "pro" gear with 4in/4out wouldn't you be far better off with a pair of PCI based JULI@ cards (www.esi-audio.com) or something similar? -- J.C. Roberts
Re: Premature end of archive
On Wed, Nov 4, 2009 at 5:49 AM, sonjaya wrote: > Dear all > i try install clamav from packages but get error like this , how to solved ? > - i try another mirror still same > - try donwload to local pc still same > > # export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/i386/ > # pkg_add -i clamav > Premature end of archive >clamav-0.95.2: complete > Adjusting sha for /usr/local/lib/libclamav.a from > k3C2K5oQcz5KJ1wrU0uLgN9h6iZ1w6MYh5gIYM02On4= to > orCLZWKfCRHFq1lVJcXljBP3QjUq2trZIlRJ49Np5zk= > /usr/sbin/pkg_add: Installation of clamav-0.95.2 failed, partial > installation recorded as partial-clamav-0.95.2 > Did you make sure to pkg_delete the partial install before trying again?
Re: Premature end of archive
Yes, I already did pkg_delete, but the same problem still shows up. On Wed, Nov 4, 2009 at 7:11 PM, Nick Guenther wrote: > On Wed, Nov 4, 2009 at 5:49 AM, sonjaya wrote: >> Dear all >> i try install clamav from packages but get error like this , how to solved ? >> - i try another mirror still same >> - try donwload to local pc still same >> >> # export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/i386/ >> # pkg_add -i clamav >> Premature end of archive >>clamav-0.95.2: complete >> Adjusting sha for /usr/local/lib/libclamav.a from >> k3C2K5oQcz5KJ1wrU0uLgN9h6iZ1w6MYh5gIYM02On4= to >> orCLZWKfCRHFq1lVJcXljBP3QjUq2trZIlRJ49Np5zk= >> /usr/sbin/pkg_add: Installation of clamav-0.95.2 failed, partial >> installation recorded as partial-clamav-0.95.2 >> > > Did you make sure to pkg_delete the partial install before trying again? > -- sonjaya http://sicute.blogspot.com http://www.pojokdomain.com(sell & buy domain with free )
Re: Premature end of archive
On Wed, Nov 4, 2009 at 12:49 PM, sonjaya wrote: > yes already pkg_delete but still same show up that problem Delete the partial again and try pkg_add -r Cheers, Steph
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
On Wed, 4 Nov 2009 at 1:46 PM, Aaron Mason wrote: >On Wed, Nov 4, 2009 at 1:04 PM, Gonzalo Lionel Rodriguez > wrote: >> 2009/11/3 Claire beuserie : >>> Hi, >>> >>> On Wed, Nov 4, 2009 at 12:58 AM, Theo de Raadt >> wrote: >>> 2) At least three of our developers were aware of this exploitation method going back perhaps two years before the commit, but we gnashed our teeth a lot to try to find other solutions. Clever cpu architectures don't have this issue because the virtual address spaces are separate, so i386/amd64 are the ones with the big impact. We did think long and hard about tlb bashing page 0 every time we switch into the kernel, but it still does not look attractive from a performance standpoint. >>> >>> I'm confused. >>> >>> That came out a bit weird: are you saying you knew about the bug for 2 >> years >>> but did not fix it? >>> >>> >>> c.b- >>> >>> >> >> Linux way. >> >> > >What a knob. It makes me sad to say I used his crap now if he has >that much contempt for those who value security before practicality. > >It's good to see Theo et al stick to their guns on this issue. I'd >rather have a machine that is secure than one that can run Windows >binaries. > >Wine is a good idea, but it's stifling an even better idea - making >applications compatible across multiple OSes, something that hasn't >needed to be done in the M$ world because of the stranglehold they >had/have over the consumer market. > >Let's put this into perspective: Linux would absolutely jump in >popularity if Valve ported Steam and the Source engine to it, meaning >games like the Half Life series, Left 4 Dead and Team Fortress 2 could >run natively - not to mention that it would prompt other games that >sell their wares through the Steam CDS to port their games as well - >but since most of the games run just fine in Wine these days, there's >no incentive. > >Linus is shooting himself in the foot and he has no idea.
Linux tries >to be everything to everyone, and by doing it the way it does, it >greatly limits its potential. > >OpenBSD does one thing and does it well - being secure. That's all >there is to it. I think that sells OpenBSD unintentionally short. Yes, the attention to security is of enormous value, but the care and intelligence that characterizes the whole effort results in a system that is extremely stable, very easy to administer, and very well documented. It is the only system I know of, and I've tried almost all of them, that pays attention to the things that really matter. The result is an environment where you do your work, rather than fighting with your tools. I replaced Linux on three laptops and a workstation with OpenBSD (after a quick divorce from FreeBSD -- too many bugs) that I use for general computing tasks including a lot of software development and database work, and you couldn't pay me to go back. I realize that I'm preaching to the choir -- you know all this. But I think it's a mistake for (especially) the OpenBSD community to speak of OpenBSD as just about security, when it's so much more than that. /Don Allen > >-- >Aaron Mason - Programmer, open source addict >- Oh, why does everything I whip leave me?
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
Theo wrote: > For the record, this particular problem was resolved in OpenBSD a while back, in 2008. Nice, but: "Since 2.6.23, it has been possible to prevent applications from mapping low pages (to prevent null pointer dereferencing in the kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the minimum address allowed for such mappings." 2.6.23 released: Tue, 9 Oct 2007 Ref: http://lkml.org/lkml/2007/10/9/241 http://james-morris.livejournal.com/26303.html -- JS
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
On Wed, Nov 04, 2009 at 03:45:33PM +0100, Justin Smith wrote: > Theo wrote: > > > For the record, this particular problem was resolved in OpenBSD a > while back, in 2008. > > Nice, but: > > "Since 2.6.23, it has been possible to prevent applications from > mapping low pages (to prevent null pointer dereferencing in the > kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the > minimum address allowed for such mappings." > > 2.6.23 released: Tue, 9 Oct 2007 > > Ref: > http://lkml.org/lkml/2007/10/9/241 > http://james-morris.livejournal.com/26303.html > > -- > JS Optional prevention is not worth a lot. -Otto
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
Otto Moerbeek wrote: > On Wed, Nov 04, 2009 at 03:45:33PM +0100, Justin Smith wrote: > > Theo wrote: > > > For the record, this particular problem was resolved in OpenBSD a while back, in 2008. > > Nice, but: > > "Since 2.6.23, it has been possible to prevent applications from mapping low pages (to prevent null pointer dereferencing in the kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the minimum address allowed for such mappings." > > 2.6.23 released: Tue, 9 Oct 2007 > > Ref: http://lkml.org/lkml/2007/10/9/241 http://james-morris.livejournal.com/26303.html > > -- JS > Optional prevention is not worth a lot. Not exactly on topic, but Pope Benedict XVI would likely agree with Otto. See, even the Pope doesn't like Linus.
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
Penned by Justin Smith on 20091104 15:45.33, we have: | Theo wrote: | | > For the record, this particular problem was resolved in OpenBSD a | while back, in 2008. | | Nice, but: | | "Since 2.6.23, it has been possible to prevent applications from | mapping low pages (to prevent null pointer dereferencing in the | kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the | minimum address allowed for such mappings." | | 2.6.23 released: Tue, 9 Oct 2007 | | Ref: | http://lkml.org/lkml/2007/10/9/241 | http://james-morris.livejournal.com/26303.html | | -- | JS And now we get into the fun stuff. Ever heard of 'secure by default'? This knob is set to '0' by default. How many Linux installations actually read the above paragraph, understood what value it could have to set to something other than zero, and changed it accordingly? 'Nuff said. -- Todd Fries .. t...@fries.net _ | \ 1.636.410.0632 (voice) | Free Daemon Consulting, LLC \ 1.405.227.9094 (voice) | http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX) | "..in support of free software solutions." \ sip:freedae...@ekiga.net | \ sip:4052279...@ekiga.net \\ 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt
Re: kern.bufcachepercent
On Tue, Nov 3, 2009 at 11:44 PM, Bob Beck wrote: > 2009/11/3 Luis Useche : > >> >> I read in the 4.6 changelog that this was part of the release. >> >> Am I missing something? Do I have to recompile? Or is this just a bug? > > Yeah you are missing something. Listen to the *whole* presentation and > read the *whole* changelog. This is *not* in 4.6 > > It is in current. OK. Sorry for the noise. In any case, this change is in the 4.6 changelog (twice, http://www.openbsd.org/plus46.html): "Added dynamic buffer cache sizing. The sysctl kern.bufcachepercent will allow you to specify a high-water mark above 10 percent for use by the cache. If you run low on memory, the page daemon will reclaim pages from the buffer cache. " "Added a kern.bufcachepercent sysctl(8) to allow adjusting the buffer cache size on a running system." Moreover it is also in the sysctl(8) manual: "kern.bufcachepercent integer yes" If all I am saying is wrong, sorry again. I just think this would be an error in the documentation worth taking into account. Luis.
PF Performance Tweak Folklore
Good day to everyone, I'm a happy PF user, and have been for over a decade now. I'm writing to ask some questions about performance now that I've got a system that needs to handle some real traffic. I've been digging up various tweaks and settings from the archives (and elsewhere) over the years, and I'd like to know which of it is still useful and accurate, and which is "folklore". Sorry for the length of the post, but I hope that at the very least this thread will collect some information where the searchbots can find it... I've got a pair of 3GHz Celeron machines in a failover config. Each machine has 1GB RAM and 4 gigabit intel (em) interfaces. One LAN, one WAN, one pfsync, and one unused. They're running 4.3 generic uniprocessor. I intentionally went with a high clock single-core box because PF isn't multi-core capable. The systems work great, but are chewing up about 60% of their time on interrupts (~9000 according to vmstat, with ~7500 going to the LAN/WAN cards). This is fine; everything is working and I know that high interrupt load was inevitable at the time. However, I need to ramp up the traffic on this system soon (we're at 30Mbps / 3.5kpps right now), so I want to make sure I can keep the load under control. I know that the first thing I should do is upgrade to 4.6, which I plan to do. However, I'm looking for other "best practices", which I've divided into two major sections below: Interrupt Mitigation: = Since the system is under moderately heavy interrupt load, I'd like to try and improve that if possible since it seems that's going to be the first limit I hit on this system. In the "Tuning OpenBSD" paper: http://www.openbsd.org/papers/tuning-openbsd.ps they mention "sharing interrupts" on a high load system. If I understand correctly, the theory is that if all my NICs are on the same interrupt, the kernel can stay in the interrupt handler (no context switch) and service all the NICs at once, rather than handling each separately. 
Am I understanding this right? Should I try to lump all (or some) of my NICs onto the same IRQ? Or are there better approaches (see below)? Several sources have suggested using APIC, which should be available in non-ancient hardware. I'm not sure if APIC replaces or complements the suggestion above about interrupt sharing. I checked my box, and my dmesg didn't mention APIC, so I don't think I'm taking advantage of it right now. The -misc archives have oblique references to APIC only being enabled on multiprocessor (MP) kernels rather than uniprocessor (UP) ones. Is this still true? I also saw hints that 4.6 now has APIC on in UP by default. Can anyone confirm or deny? Since PF isn't multi-core capable, I believed that UP was the way to go for firewalls (and my machine isn't multicore anyway). However, I'm happy to run MP if there are side benefits like APIC that would increase performance. Next up, FreeBSD has been touting support for message-signaled interrupts (MSI/MSI-X), claiming that this increases performance: http://onlamp.com/pub/a/bsd/2008/02/26/whats-new-in-freebsd-70.html?page=4 I'm not quite clear on whether this helps with a packet-forwarding workload or not. Is there support for this in OpenBSD, or would it not really help anyway? Sysctl Tweaks: I've been getting errors like: WARNING: mclpool limit reached; increase kern.maxclusters So I did what it asked (I doubled the value to 12288), but am still getting the error. I've heard of people increasing this much more (20x the default!), but also taunts of insanity for doing so: http://monkey.org/openbsd/archive/misc/0407/msg01521.html So, what is a sane value for this? Are there other causes that need to be investigated when you get an "mclpool" warning, or should you just keep cranking up the value? Also, is there harm in going too high (besides wasting memory)? Next, I've seen interface drops (ifq.drops != 0), so I've cranked up ifq.maxlen to 256 * #nics (1024) per recommendations on -misc.
I was still getting occasional drops, so I doubled to 2048, and am holding steady there. I've seen recommendations not to go beyond 2500; what should I be worried about in this case? High latency? Memory issues? Do I really need to be worried about a few drops? Finally, as was mentioned on the list a few days ago, increasing recvspace/sendspace doesn't help with a firewall (except for locally-sourced connections) because it's just forwarding packets. Just so I'm totally clear, is this true even in the case of packet reassembly (scrub) and randomization, or do those features cause the firewall to terminate and re-initiate connections that would benefit from the buffers? For that matter, are there any protocol options that help performance of a packet forwarding box (again, ignoring locally-sourced connections)? I'm thinking about buffers, default MSS, ECN, window scaling, SACK, etc. I know it doesn't hurt to turn them
Re: kern.bufcachepercent
On Wed, Nov 04, 2009 at 10:26:50AM -0500, Luis Useche wrote: >OK. Sorry for the noise. In any case, this change is in the 4.6 >changelog (twice, http://www.openbsd.org/plus46.html): > >"Added dynamic buffer cache sizing. The sysctl kern.bufcachepercent >will allow you to specify a high-water mark above 10 percent for use >by the cache. If you run low on memory, the page daemon will reclaim >pages from the buffer cache. " > >"Added a kern.bufcachepercent sysctl(8) to allow adjusting the buffer >cache size on a running system." No, three times: "Backed out all the c2k9 buffer cache changes committed during c2k9." Maurice
Re: kern.bufcachepercent
I don't know what version of plus46.html you are looking at - but that text doesn't appear in any version I look at. Of course it is in the cvs commit log, but that's not the same thing. That same commit was backed out before 4.6 - and has since gone back into current. 2009/11/4 Luis Useche : > On Tue, Nov 3, 2009 at 11:44 PM, Bob Beck wrote: >> 2009/11/3 Luis Useche : >> >>> >>> I read in the 4.6 changelog that this was part of the release. >>> >>> Am I missing something? Do I have to recompile? Or this is just a bug? >> >> Yeah you are missing something. Listen to the *whole* presentation and >> read the *whole* changelog. This is *not* in 4.6 >> >> It is in current. > > OK. Sorry for the noise. In any case, this change is in the 4.6 > changelog (twice, http://www.openbsd.org/plus46.html):
Interface ierrs only with MP kernel (i386)
As I continue to work on my previous issue with my Sun V120 and network hangs, I decided to install 4.6 release onto an HP DL360 G4 box with the latest BIOS and firmware updates as a possible replacement for the Sun. After many hours of load testing and changing configurations, I found that I always get input errors on the network interfaces when running the multiprocessor kernel. But I get no errors at all with the uniprocessor kernel. I can reproduce this problem with the internal bge (BCM5704C) and also with a PCI-X Intel Pro/1000 MT (82546GB) card. All I need to do is bring up the system using the MP kernel and push traffic through it. I'm using a simple wget on an internal machine to repeatedly pull a large file from a webserver on the external LAN. Within an hour I easily have over 1000 input errors. With the uniprocessor kernel, I sustained 90Mbps through the firewall for 8 hours straight with 0 errors. I'm running separate 100Mbps switches for internal and external LANs. I don't see any ifq.drops in either case. I'm thinking this is not a hardware issue since it works fine in one case but not in the other, without changing any hardware or cables. I understand that the interrupt handling is different in the MP kernel, so could that be where this issue is originating? It would be great to have both CPUs available as I plan to run some other things (aside from pf) on this box but I can settle for one CPU if that is the only solution. I tried disabling hyperthreading but that did not affect the issue. Here's the relevant netstat -i output for my 1-hour load test with em interfaces and the MP kernel:

Name  Mtu   Address            Ipkts     Ierrs  Opkts     Oerrs  Colls
em0   1500  00:04:23:a6:b4:a6  24029262  710    12738132  0      0
em1   1500  00:04:23:a6:b4:a7  12753283  1009   24038738  0      0

After switching to the SP kernel:

Name  Mtu   Address            Ipkts     Ierrs  Opkts     Oerrs  Colls
em0   1500  00:04:23:a6:b4:a6  16393437  0      14391074  0      0
em1   1500  00:04:23:a6:b4:a7  14431184  0      16445995  0      0

Searching the lists, I only found one reference to something like this but it was on 4.0 and I didn't see a resolution.
Has anyone else seen this behavior? http://www.mail-archive.com/misc@openbsd.org/msg31490.html As a next step, I'm planning to install the latest snapshot to see if the issue still exists. In the meantime, here is the dmesg from the system. The kernel is #0 because I installed patches 002_xmm.patch and 003_getsockopt.patch. OpenBSD 4.6 (GENERIC.MP) #0: Mon Nov 2 11:43:12 EST 2009 lea...@fw1.bitbytes.com:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR real mem = 3757613056 (3583MB) avail mem = 3648847872 (3479MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (56 entries) bios0: vendor HP version "P52" date 07/16/2007 bios0: HP ProLiant DL360 G4 acpi0 at bios0: rev 2 acpi0: tables DSDT FACP SPCR MCFG APIC SSDT acpi0: wakeup devices acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 200MHz cpu1 at mainbus0: apid 6 (application processor) cpu1: Intel(R) Xeon(TM) CPU 3.40GHz ("GenuineIntel" 686-class) 3.41 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16,xTPR ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins ioapic1 at mainbus0: apid 9 pa 0xfec1, version 20, 24 pins ioapic1: misconfigured as apic 0, remapped to apid 9 ioapic2 at mainbus0: apid 10 pa 0xfec82000, version 20, 24 pins ioapic3 at mainbus0: apid 11 pa 0xfec82400, version 20, 24 pins acpiprt0 at acpi0: bus 1 (IP2P) acpiprt1 at acpi0: bus 2 (ICHR) acpiprt2 at acpi0: bus 7 (PCXA) acpiprt3 at acpi0: bus 10 (PCXB) acpiprt4 at acpi0: bus 6 (PTB0) acpiprt5 at acpi0: bus 13 (PTA0) acpiprt6 at acpi0: 
bus 3 (PTC0) acpiprt7 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0: FVS, 3400, 2800 MHz acpicpu1 at acpi0: FVS, 3400, 2800 MHz acpitz0 at acpi0: critical temperature 31 degC bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1600 0xee000/0x2000! pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 "Intel E7520 Host" rev 0x0c ppb0 at pci0 dev 2 function 0 "Intel E7520 PCIE" rev 0x0c pci1 at ppb0 bus 13 ppb1 at pci0 dev 4 function 0 "Intel E7520 PCIE" rev 0x0c pci2 at ppb1 bus 6 ppb2 at pci2 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09 pci3 at ppb2 bus 7 em0 at pci3 dev 1 function 0 "Intel PRO/1000MT (82546GB)" rev 0x03: apic 10 int 0 (irq 5), address 00:04:23:a6:b4:a6 em1 at pci3 dev 1 function 1 "Intel PRO/1000MT (82546GB)" rev 0x03: apic 10 int 1 (irq 5), address 00:04:23:a6:b4:a7 ppb3 at pci2 dev 0 function 2 "Intel PCIE-PCIE" re
Re: Native Instruments 'Soundcards'
On Wed, Nov 04, 2009 at 01:45:01AM -0800, J.C. Roberts wrote: > On Fri, 30 Oct 2009 07:59:30 + Jacob Meuser > wrote: > > > > I still kind of want to trade it in but it's looking like there > > > might not be any other 4in/4out USB soundcard that's suitable > > > (they're all either too complex or appear to be old so probably > > > need custom drivers). > > > > Universal Serial Bus > > Device Class Definition for Audio Devices > > Release 1.0 > > March 18, 1998 > > > > older than that? again, by that spec, devices could be made to > > operate at 1-2ms latency, which is certainly low enough to be > > considered "pro". > > If quality/speed was actually a requirement, why would anyone mess with > USB in the first place? > > If you need high quality "pro" gear with 4in/4out wouldn't you be far > better off with a pair of PCI based JULI@ cards (www.esi-audio.com) or > something similar? think laptop, or other machines without available PCI slots ... > -- > J.C. Roberts -- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org
Re: PF Performance Tweak Folklore
* Jason Healy [2009-11-04 16:37]: > The systems work great, but are chewing up about 60% of their time on > interrupts (~9000 according to vmstat, with ~7500 going to the LAN/WAN > cards). This is fine; everything is working and I know that high > interrupt load was inevitable at the time. However, I need to ramp up > the traffic on this system soon (we're at 30Mbps / 3.5kpps right now), > so I want to make sure I can keep the load under control. You probably don't need to worry. Especially with em, load doesn't remotely increase linearly with traffic. > I know that the first thing I should do is upgrade to 4.6, which I > plan to do. However, I'm looking for other "best practices", which > I've divided into two major sections below: Yes, 4.6 is MUCH faster than 4.3. > > Interrupt Mitigation: > = > > Since the system is under moderately heavy interrupt load, I'd like to > try and improve that if possible since it seems that's going to be the > first limit I hit on this system. In the "Tuning OpenBSD" paper: > > http://www.openbsd.org/papers/tuning-openbsd.ps > > they mention "sharing interrupts" on a high load system. If I > understand correctly, the theory is that if all my NICs are on the > same interrupt, the kernel can stay in the interrupt handler (no > context switch) and service all the NICs at once, rather than handling > each separately. Am I understanding this right? Should I try to lump > all (or some) of my NICs onto the same IRQ? Or are there better > approaches (see below). I doubt that makes a difference these days. I don't worry any more. > Several sources have suggested using APIC, which should be available > in non-ancient hardware. I'm not sure if APIC replaces or complements > the suggestion above about interrupt sharing. I checked my box, and > my dmesg didn't mention APIC, so I don't think I'm taking advantage > of it right now.
The -misc archives have oblique references to APIC > only being enabled on multiprocessor (MP) kernels rather than > uniprocessor (UP) ones. Is this still true? I also saw hints that > 4.6 now has APIC on in UP by default. Can anyone confirm or deny? 4.6 will just use the APIC. > Since PF isn't multi-core capable, I believed that UP was the way to > go for firewalls (and my machine isn't multicore anyway). However, > I'm happy to run MP if there are side benefits like APIC that would > increase performance. > > Next up, FreeBSD has been touting support for message-signaled > interrupts (MSI/MSI-X), claiming that this increases performance: > > http://onlamp.com/pub/a/bsd/2008/02/26/whats-new-in-freebsd-70.html?page=4 > > I'm not quite clear on whether this helps with a packet-forwarding > workload or not. Is there support for this in OpenBSD, or would it > not really help anyway? no support. > I've been getting errors like: > > WARNING: mclpool limit reached; increase kern.maxclusters > > So I did what it asked (I doubled the value to 12288), but am still > getting the error. I've heard of people increasing this much more > (20x the default!), but also taunts of insanity for doing so: > > http://monkey.org/openbsd/archive/misc/0407/msg01521.html > > So, what is a sane value for this? there is no easy or one-size-fits-all answer. > Next, I've seen interface drops (ifq.drops != 0), so I've cranked up > ifq.maxlen to 256 * #nics (1024) per recommendations on -misc. I > was still getting occasional drops, so I doubled to 2048, and am > holding steady there. I've seen recommendations not to go beyond > 2500; what should I be worried about in this case? High latency? > Memory issues? Do I really need to be worried about a few drops? latency mostly. memory isn't that much of an issue for this. i do have systems beyond 2500, but they handle many hundred MBit/s. 
> Finally, as was mentioned on the list a few days ago, increasing > recvspace/sendspace doesn't help with a firewall (except for > locally-sourced connections) because it's just forwarding packets. right. > Just so I'm totally clear, is this true even in the case of packet > reassembly (scrub) and randomization, or do those features cause the > firewall to terminate and re-initiate connections that would benefit > from the buffers? doesn't change a thing. send/recvspace only apply to sockets, aka stuff in userland. > For that matter, are there any protocol options that help performance > of a packet forwarding box (again, ignoring locally-sourced > connections)? I'm thinking about buffers, default MSS, ECN, window > scaling, SACK, etc. I know it doesn't hurt to turn them on, but am I > doing any good for the connections I'm forwarding? > > Thanks for any input and advice you can provide; I'm looking forward > to using PF for another 10 years... =) just use 4.6 and don't push buttons - you won't need to. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail a
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
> > For the record, this particular problem was resolved in OpenBSD a
> while back, in 2008.
>
> Nice, but:
>
> "Since 2.6.23, it has been possible to prevent applications from
> mapping low pages (to prevent null pointer dereferencing in the
> kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> minimum address allowed for such mappings."
>
> 2.6.23 released: Tue, 9 Oct 2007
>
> Ref:
> http://lkml.org/lkml/2007/10/9/241
> http://james-morris.livejournal.com/26303.html

And that knob was turned off.
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
On Wed, Nov 4, 2009 at 4:14 PM, Todd T. Fries wrote:
> Penned by Justin Smith on 20091104 15:45.33, we have:
> | Theo wrote:
> |
> | > For the record, this particular problem was resolved in OpenBSD a
> | while back, in 2008.
> |
> | Nice, but:
> |
> | "Since 2.6.23, it has been possible to prevent applications from
> | mapping low pages (to prevent null pointer dereferencing in the
> | kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> | minimum address allowed for such mappings."
> |
> | 2.6.23 released: Tue, 9 Oct 2007
> |
> | Ref:
> | http://lkml.org/lkml/2007/10/9/241
> | http://james-morris.livejournal.com/26303.html
> |
> | --
> | JS
>
> And now we get into the fun stuff.
>
> Ever heard of 'secure by default' ?
>
> This knob is set to '0' by default.
>
> How many Linux installations actually read the above paragraph, understood
> what value it could have to set to something other than zero, and changed
> it accordingly.
>
> 'Nuff said.

"By default, Ubuntu 8.04 and later with a non-zero /proc/sys/vm/mmap_min_addr setting were not vulnerable."

Ubuntu 8.04 released in 2008 april.

--
JS
Re: kern.bufcachepercent
Maurice: Thanks for pointing that out.

Bob: At this point this is probably irrelevant. In any case, I found it in the official webpage http://www.openbsd.org/plus46.html.

Thanks for your help!

Luis

On Wed, Nov 4, 2009 at 10:42 AM, Bob Beck wrote:
> I don't know what version of plus46.html you are looking at - but that
> text doesn't appear in any version I look at.
>
> Of course it is in the cvs commit log, but that's not the same thing.
> That same commit was backed out before 4.6 - and has since gone back
> into current.
>
> 2009/11/4 Luis Useche :
>> On Tue, Nov 3, 2009 at 11:44 PM, Bob Beck wrote:
>>> 2009/11/3 Luis Useche :
>>> I read in the 4.6 changelog that this was part of the release. Am I missing something? Do I have to recompile? Or is this just a bug?
>>>
>>> Yeah you are missing something. Listen to the *whole* presentation and
>>> read the *whole* changelog. This is *not* in 4.6
>>>
>>> It is in current.
>>
>> OK. Sorry for the noise. In any case, this change is in the 4.6
>> changelog (twice, http://www.openbsd.org/plus46.html):
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
> -----Original Message-----
> From: "Donald Allen"
> Sent: 04.11.09 14:23:04
> To: misc@openbsd.org
> Subject: Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
...
> I realize that I'm preaching to the choir -- you know all this. But I
> think it's a mistake for (especially) the OpenBSD community to speak
> of OpenBSD as just about security, when it's so much more than that.

I second that - it is the attitude of how the devs (and Theo in particular) strive for clean code and fight the temptation to implement a 'twist' only to allow some poorly written app to run on OpenBSD. Remember the outcry some years ago when a change broke backward compatibility, preventing some poorly written apps from running under OpenBSD since then? 'Security' is just another result of this firm stand for their beliefs.

BTW: Anyone around who has not yet bought his set of CDs? Believe me - this is a clever investment in future development and a fine way of saying THANK YOU!

STEFAN

Mail: ste...@wollny.de
GnuPG-Key ID: 0x9C26F1D0
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
On Wed, Nov 4, 2009 at 10:55 AM, Justin Smith wrote:
> "By default, Ubuntu 8.04 and later with a non-zero
> /proc/sys/vm/mmap_min_addr setting were not vulnerable."
>
> Ubuntu 8.04 released in 2008 april.

Ubuntu 8 also ships with a setuid pulseaudio by default, which renders the mmap_min_addr protection useless.
Re: openbsd 3.9 umass not linking to a sd
> it doesn't want to play nice with USB drives.

Ok: I finally found the problem: my test disks were all portable ones (powered from the USB bus), because that's what I had around the house. I know the USB port needs to deliver enough juice to make it work, and I had taken that into account: I had plugged the power-only connector into another USB port, getting more power if needed. But apparently that's still not enough power from that server's motherboard. Only after plugging it into a standalone power supply does the drive seem to spin up. (I had not heard it trying to spin up and fail; the server makes way too much noise to ever hear the quite silent drive.)

So yeah: 3.9 does support it and I can now order some external 1Tbyte drives to use as backup medium; they now are cheaper than tape anyway. Next step will be to figure out how to get dump to fill disks like it can fill tapes, or something somewhat similar. But at least I now have a path out of that corner I found myself in.

Lesson:
- don't assume the drive gets enough power, not even if you plug it into 2 USB ports

Wishlist: Error messages telling you something (if that's possible at all to start with). "I'm giving it all she's got Jim, need more dilithium crystals"
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
On Wed, Nov 4, 2009 at 5:54 PM, Theo de Raadt wrote:
>> > For the record, this particular problem was resolved in OpenBSD a
>> while back, in 2008.
>>
>> Nice, but:
>>
>> "Since 2.6.23, it has been possible to prevent applications from
>> mapping low pages (to prevent null pointer dereferencing in the
>> kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
>> minimum address allowed for such mappings."
>>
>> 2.6.23 released: Tue, 9 Oct 2007
>>
>> Ref:
>> http://lkml.org/lkml/2007/10/9/241
>> http://james-morris.livejournal.com/26303.html
>
> And that knob was turned off.

Actually no it was turned on.

Fedora 8 was released in Nov 2007 and to run certain Wine applications as non-root you had to disable the vm.mmap_min_addr sysctl. By default it was set to a value of 65536 and you had to change this to 0.

This is well documented all over the Wine forums. I know because this drove me up the bend when they introduced this patch.

-- 
"Opportunity is most often missed by people because it is dressed in overalls and looks like work."
Thomas Alva Edison
Inventor of 1093 patents, including: The light bulb, phonogram and motion pictures.
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
On Wed, Nov 04, 2009 at 04:55:58PM +0100, Justin Smith wrote:
> > And now we get into the fun stuff.
> >
> > Ever heard of 'secure by default' ?
> >
> > This knob is set to '0' by default.
> >
> > How many Linux installations actually read the above paragraph, understood
> > what value it could have to set to something other than zero, and changed
> > it accordingly.
> >
> > 'Nuff said.
>
> "By default, Ubuntu 8.04 and later with a non-zero
> /proc/sys/vm/mmap_min_addr setting were not vulnerable."
>
> Ubuntu 8.04 released in 2008 april.

And if you install something like wine, the knob is set back to 0, probably without any notice (at least in ubuntu-8.10). You don't even have to run it, just installing it is enough, if I understand the mechanism correctly.

But more important is the fact that the original kernel sources have the knob set to 0 by default.

Ciao,
Kili
ipsec Phase 2 tunnels will not initiate from OBSD side
Running 4.3 GENERIC#698 i386

I have a VPN with a vendor using, I think he said, a Sonic Wall FW. We are able to get Phase 1 associations up and happy. But Phase 2 never seems to start, at least not from my side.

If he sends traffic from his side then his device makes a phase 2 proposal, and I accept and traffic flows. I can do nothing to kick this off from my end.

I have an ipsec.conf phile for this vendor

ike active esp from { 172.18.101.22 } to { 10.0.3.222 10.0.6.222 10.0.11.43 10.0.11.188 10.0.11.222 10.0.11.36 } local 10.120.10.50 peer xxx.xxx.xx.xx.x0x main auth hmac-sha1 enc 3des-cbc group modp1024 quick auth hmac-sha1 enc 3des-cbc group none psk "SEKRET"

He sends me a ping, I get a flow

ipsecctl -s flow | grep xxx.xxx.xx.xx.x0x
flow esp in from 10.0.11.43 to 172.18.101.22 peer xxx.xxx.xx.xx.x0x srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type use
flow esp out from 172.18.101.22 to 10.0.11.43 peer xxx.xxx.xx.xx.x0x srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type require

In the past I have been able to: echo "M active" > /var/run/isakmpd.fifo
But since I have a phase 1 up, I guess this won't have any effect?

I guess I am not really even sure what to be showing anyone, usually once phase 1 is established everything has just worked.
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
On Wed, Nov 04, 2009 at 04:55:58PM +0100, Justin Smith wrote:
> On Wed, Nov 4, 2009 at 4:14 PM, Todd T. Fries wrote:
> > Penned by Justin Smith on 20091104 15:45.33, we have:
> > | Theo wrote:
> > |
> > | > For the record, this particular problem was resolved in OpenBSD a
> > | while back, in 2008.
> > |
> > | Nice, but:
> > |
> > | "Since 2.6.23, it has been possible to prevent applications from
> > | mapping low pages (to prevent null pointer dereferencing in the
> > | kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> > | minimum address allowed for such mappings."
> > |
> > | 2.6.23 released: Tue, 9 Oct 2007
> > |
> > | Ref:
> > | http://lkml.org/lkml/2007/10/9/241
> > | http://james-morris.livejournal.com/26303.html
> > |
> > | --
> > | JS
> >
> > And now we get into the fun stuff.
> >
> > Ever heard of 'secure by default' ?
> >
> > This knob is set to '0' by default.
> >
> > How many Linux installations actually read the above paragraph, understood
> > what value it could have to set to something other than zero, and changed
> > it accordingly.
> >
> > 'Nuff said.
>
> "By default, Ubuntu 8.04 and later with a non-zero
> /proc/sys/vm/mmap_min_addr setting were not vulnerable."
>
> Ubuntu 8.04 released in 2008 april.

quote from the article in the subject:

The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. But to make RHEL compatible with a larger body of applications, that distribution is vulnerable to attack even when the OS shows the feature is enabled, Spengler said.

so, on RedHat, one can't even turn it on? doesn't Linus work for RedHat?

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
And it is totally on on *all* 90239490234873984 distros right?

On Wed, Nov 04, 2009 at 06:43:14PM +0200, Ross Cameron wrote:
> On Wed, Nov 4, 2009 at 5:54 PM, Theo de Raadt
> wrote:
> >> > For the record, this particular problem was resolved in OpenBSD a
> >> while back, in 2008.
> >>
> >> Nice, but:
> >>
> >> "Since 2.6.23, it has been possible to prevent applications from
> >> mapping low pages (to prevent null pointer dereferencing in the
> >> kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
> >> minimum address allowed for such mappings."
> >>
> >> 2.6.23 released: Tue, 9 Oct 2007
> >>
> >> Ref:
> >> http://lkml.org/lkml/2007/10/9/241
> >> http://james-morris.livejournal.com/26303.html
> >
> > And that knob was turned off.
>
> Actually no it was turned on.
>
> Fedora 8 was released in Nov 2007 and to run certain Wine applications
> as non-root you had to disable the vm.mmap_min_addr sysctl.
> By default it was set to a value of 65536 and you had to change this to
> 0.
>
> This is well documented all over the Wine forums.
> I know because this drove me up the bend when they introduced this patch.
>
>
> --
> "Opportunity is most often missed by people because it is dressed in
> overalls and looks like work."
> Thomas Alva Edison
> Inventor of 1093 patents, including:
> The light bulb, phonogram and motion pictures.
Re: svnd vs softraid for encrypting /home et al
Hi,

On Mon, 2 Nov 2009 21:35:45 -0400 Ted Unangst wrote:
> softraid offers a few advantages.
>
> 1. Better crypto. The crypto algorithm currently used by softraid is
> designed a little better. It could, in theory, also use hardware,
> except the choice of algorithm actually prevents that. doh. At the
> very least, if you decided you needed hardware acceleration, a small
> change to the code would enable it, whereas with svnd it's a pretty
> major change.
>
> 2. Efficiency. The filesystem in a filesystem incurs more overhead.
> There's also the fact that svnd goes through the crazy parts of the
> buffer layer more than you probably want to. Not a big deal, you
> probably don't notice it much.
>
> 3. Administration. softraid is still under development, and the
> tools and support for it will continue to improve. In particular,
> without making promises, softraid autodiscovery is a possibility and
> will likely work better than anything you cook up with vnconfig.
>
> The only advantage I can think of for svnd is that it's stabler code
> and won't be changing in the future, but that's exactly what makes
> softraid better. Today, they are about equal, but softraid support is
> going to get better, svnd will not.

I have one advantage to mention: I have done some comparison measurements (with bonnie benchmark) and some self-written dd scripts under 4.5 - result: in my setup svnd seems to be much faster. I think this is maybe related to the 1. point because (better) crypto is slow(er).

Regards,
Joerg
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
Ross Cameron wrote:
> Actually no it was turned on.

This is from the commit to the Linux kernel:

"The amount of space protected is indicated by the new proc tunable proc/sys/vm/mmap_min_addr and defaults to 0, preserving existing behavior."

It was turned off, 0 means no protection.
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
Matthias Kilian wrote:
> And if you install something like wine, the knob is set back to 0,
> probably without any notice (at least in ubuntu-8.10).

That can explain why it's off on my system (karmic koala).

By the way, this is from the debian wiki:

Debian 5.0.3 ships with a default mmap_min_addr of '0'. This means that the Debian system, by default, is susceptible to these NULL-pointer privilege escalation techniques. Unless you know that you have applications that require this functionality, it is recommended that you increase the value of mmap_min_addr on your system.

Off by default.
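A small audit of the knob the thread is arguing over, covering both Kili's point (a package install can silently set it back to 0) and the Debian wiki advice quoted above; this is an added example, not code from any poster, and the 65536 threshold (the Fedora 8 value Ross Cameron mentions) and the constructed sysctl snippets are assumptions of the example.

```python
"""Audit the Linux vm.mmap_min_addr hardening knob.

The live value is read from /proc when available, but the decision logic
works on plain strings so it can be exercised offline with constructed
inputs (see audit()).
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

PROC_PATH = Path("/proc/sys/vm/mmap_min_addr")

# Assumed threshold for "adequate": the 65536 value reported for Fedora 8
# in this thread. Distributions differ; adjust to local policy.
RECOMMENDED_MIN = 65536

# Matches "vm.mmap_min_addr = 65536" lines in sysctl.conf / sysctl.d files.
_SYSCTL_LINE = re.compile(r"^\s*vm\.mmap_min_addr\s*=\s*(\d+)\s*$", re.M)


def parse_value(text: str) -> Optional[int]:
    """Parse the contents of /proc/sys/vm/mmap_min_addr; None if unreadable."""
    text = text.strip()
    return int(text) if text.isdigit() else None


def read_running() -> Optional[int]:
    """Return the live kernel value, or None when the knob does not exist
    (pre-2.6.23 kernel, or not Linux at all)."""
    try:
        return parse_value(PROC_PATH.read_text())
    except OSError:
        return None


def persisted_value(config_texts: List[str]) -> Optional[int]:
    """Return the value the boot-time sysctl run would apply, or None.

    config_texts must be given in the order sysctl loads them; a later
    assignment overrides an earlier one, which is exactly how a package
    drop-in (e.g. one shipped with wine) can undo the distro default.
    """
    value = None
    for text in config_texts:
        for match in _SYSCTL_LINE.finditer(text):
            value = int(match.group(1))
    return value


def audit(running: Optional[int], config_texts: List[str]) -> Dict[str, object]:
    """Classify the current and persisted state of the knob.

    status: "unknown" (knob absent), "vulnerable" (0: low pages mappable by
    unprivileged code), "weak" (below RECOMMENDED_MIN) or "ok".
    drift: True when the persisted config would set a different value at
    the next boot than the one running now.
    """
    persisted = persisted_value(config_texts)
    if running is None:
        status = "unknown"
    elif running == 0:
        status = "vulnerable"
    elif running < RECOMMENDED_MIN:
        status = "weak"
    else:
        status = "ok"
    return {
        "running": running,
        "persisted": persisted,
        "status": status,
        "drift": persisted is not None and persisted != running,
        "persisted_missing": persisted is None,
    }


if __name__ == "__main__":
    # Constructed configs: the distro default followed by a drop-in that
    # resets the knob, as described for wine in this thread.
    demo_configs = [
        "# distro default\nvm.mmap_min_addr = 65536\n",
        "# added by a package\nvm.mmap_min_addr = 0\n",
    ]
    print(audit(read_running(), demo_configs))
```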
can't load library 'libXdmcp.so.10.0
Hi all,

I have full installation of i386 snapshot from 1.11.2009 (latest on mirrors) and I can't use X. When I try startx either as root or normal user I get :

$ startx
xauth: can't load library 'libXdmcp.so.10.0'
xauth: can't load library 'libXdmcp.so.10.0'
xauth: can't load library 'libXdmcp.so.10.0'
xinit: can't load library 'libXdmcp.so.10.0'
xauth: can't load library 'libXdmcp.so.10.0'
$

And :

$ locate libXdmcp
/usr/X11R6/lib/libXdmcp.a
/usr/X11R6/lib/libXdmcp.la
$

I can see only implementation of newer X server here http://www.openbsd.org/plus.html and no action regarding this here http://www.openbsd.org/faq/current.html

Am I missing something or is it a problem in snapshot? I'm using snapshots for a long time and no problem with X any time before and it was running fine with snapshot from 23.10.2009 (clean installation too).

-- 
http://www.openbsd.org/lyrics.html
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
On Wed, Nov 4, 2009 at 5:18 AM, Donald Allen wrote: [SNIP] > I realize that I'm preaching to the choir -- you know all this. But I > think it's a mistake for (especially) the OpenBSD community to speak > of OpenBSD as just about security, when it's so much more than that. I think I would rephrase that - OpenBSD is just about security, and security implies far more than simply patching holes. Stability, administrative transparency, and thorough documentation are all critical and overly neglected aspects of security. If you don't know the proper way to configure feature X, you cannot be sure it is configured securely. OpenBSD simply looks at security in a holistic fashion, while every other OS I have to suffer through views security as a 'feature'.
Re: can't load library 'libXdmcp.so.10.0
Hi, try this

# ldconfig -m /usr/X11R6/lib/

Regards

2009/11/4 TomC!E! BodE>C!r
> Hi all,
>
> I have full installation of i386 snapshot from 1.11.2009 (latest on
> mirrors) and I can't use X. When I try startx either as root or normal
> user I get :
>
> $ startx
> xauth: can't load library 'libXdmcp.so.10.0'
> xauth: can't load library 'libXdmcp.so.10.0'
> xauth: can't load library 'libXdmcp.so.10.0'
> xinit: can't load library 'libXdmcp.so.10.0'
> xauth: can't load library 'libXdmcp.so.10.0'
> $
>
> And :
>
> $ locate libXdmcp
> /usr/X11R6/lib/libXdmcp.a
> /usr/X11R6/lib/libXdmcp.la
> $
>
> I can see only implementation of newer X server here
> http://www.openbsd.org/plus.html and no action regarding this here
> http://www.openbsd.org/faq/current.html
>
> Am I missing something or is it a problem in snapshot? I'm using
> snapshots for long time and no problem with X any time before and it
> was running fine with snapshot from 23.10.2009 (clean installation
> too).
>
> --
> http://www.openbsd.org/lyrics.html
>
>

-- 
Beto
www.compumundohypermegared.org
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
On Wed, Nov 4, 2009 at 1:48 PM, Henry Sieff wrote:
> On Wed, Nov 4, 2009 at 5:18 AM, Donald Allen wrote:
>
> [SNIP]
>
>> I realize that I'm preaching to the choir -- you know all this. But I
>> think it's a mistake for (especially) the OpenBSD community to speak
>> of OpenBSD as just about security, when it's so much more than that.
>
> I think I would rephrase that - OpenBSD is just about security, and
> security implies far more than simply patching holes. Stability,
> administrative transparency, and thorough documentation are all
> critical and overly neglected aspects of security. If you don't know
> the proper way to configure feature X, you cannot be sure it is
> configured securely.
>
> OpenBSD simply looks at security in a holistic fashion, while every
> other OS I have to suffer through views security as a 'feature'.

Perhaps. I don't presume to know enough about what Theo and the other developers think or how the development is done to have an opinion on that. But my point is that whether your assertion is true or not, the net result is the best platform for general computing that I know of, and not just in situations where security concerns are (or should be) paramount. OpenBSD has been type-cast as a smart choice in high-vulnerability situations (where you certainly wouldn't dare use Windows or Linux), which is true, but the problem is that the descriptions tend to *limit* its usefulness or applicability to such situations, leading to questions like "does OpenBSD run on a laptop?". My point is that OpenBSD is also the best choice (except if you care a lot about Flash :-) in situations where you *would* dare to use Windows or Linux. If I were doing software development on a machine located in a bank vault with no network connection, that machine would be running OpenBSD.

/Don
Re: ipsec Phase 2 tunnels will not initiate from OBSD side
On 2009-11-04, Dag Richards wrote:
> Running 4.3 GENERIC#698 i386
>
> I have a VPN with a vendor using a I think he said it was a Sonic Wall
> FW. We are able to get Phase 1 associations up and happy. But Phase 2
> never seems to start, at least not from my side.
>
> If he sends traffic from his side then his device makes a phase 2
> proposal, and I accept and traffic flows. I can do nothing to kick this
> off from my end.
>
> I have an ipsec.conf phile for this vendor
>
> ike active esp from { 172.18.101.22 } to { 10.0.3.222 10.0.6.222
> 10.0.11.43 10.0.11.188 10.0.11.222 10.0.11.36 } local 10.120.10.50 peer
> xxx.xxx.xx.xx.x0x main auth hmac-sha1 enc 3des-cbc group modp1024 quick
> auth hmac-sha1 enc 3des-cbc group none psk "SEKRET"
>
> He sends me i a ping I get a flow
>
> ipsecctl -s flow | grep xxx.xxx.xx.xx.x0x
> flow esp in from 10.0.11.43 to 172.18.101.22 peer xxx.xxx.xx.xx.x0x
> srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type use
> flow esp out from 172.18.101.22 to 10.0.11.43 peer xxx.xxx.xx.xx.x0x
> srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type require
>
>
> I the past I have been able to: echo "M active" > /var/run/isakmpd.fifo
> But since I have a phase 1 up, I guess this won't have any effect?
>
> I guess I am not really even sure what to be showing anyone, usually
> once pahse 1 is established everything has just worked.

turn on pcap (see the isakmpd manual) and read the capture file with tcpdump, this often gives clues more easily than looking at isakmpd's logs.
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
On Wed, 4 Nov 2009 13:46:26 +1100 Aaron Mason wrote:
> Wine is a good idea, but it's stifling an even better idea - making
> applications compatible across multiple OSes, something that hasn't
> needed to be done in the M$ world because of the stranglehold they
> had/have over the consumer market.
>

Microsoft will not follow free standards, Linux will follow Microsoft/IBM/Intel/W3C/bullshit_human_slaving_private standards.

And I believe that is not portability in any way. That is just assassinating legacy and freedom.

> Let's put this into perspective: Linux would absolutely jump in
> popularity if Valve ported Steam and the Source engine to it, meaning
> games like the Half Life series, Left 4 Dead and Team Fortress 2 could
> run natively - not to mention that it would prompt other games that
> sell their wares through the Steam CDS to port their games as well -
> but since most of the games run just fine in Wine these days, there's
> no incentive.

This will happen. We just have to wait for Linus/Redhat/Suse/etc to sign more NDAs.

Look after your kids.

-- 
Egon E. Braun Filho
Can be PF block skype?
Greetings, Can PF be programmed to block skype ? Provided we have port 80 and 443 Opened to the world, and perhaps DNS port too... skype finds any open port to connect to. Regards, David Taveras
Re: Can be PF block skype?
On 04/11/2009 20:48, David Taveras wrote:
> Greetings,
>
> Can PF be programmed to block skype ? Provided we have port 80 and 443
> Opened to the world, and perhaps DNS port too... skype finds any open
> port to connect to.
>
> Regards,
> David Taveras

Hi,

Why have your users directly NATed to the 'evil' internet ?

Laurent
Re: Can be PF block skype?
David Taveras wrote: > Can PF be programmed to block skype? Provided we have port 80 > and 443 Opened to the world, and perhaps DNS port too... skype > finds any open port to connect to. I don't think so. But if you install snort you can. Google for snort and skype and you'll find quite a few decent hits. # Han
Re: Can be PF block skype?
You're saying that a skype client can proxy itself through another skype client on the same network?

In any case, I am sure there must be a way; if cisco can do it, pf can.

--David

On Wed, Nov 4, 2009 at 2:12 PM, Yamidt Henao wrote:
> It is impossible, skype application, can connect through other client skype
> in the same network.
>
>
> Regards,
>
> Yamidt
>
> On Wed, Nov 4, 2009 at 1:48 PM, David Taveras
> wrote:
>>
>> Greetings,
>>
>> Can PF be programmed to block skype ? Provided we have port 80 and 443
>> Opened to the world, and perhaps DNS port too... skype finds any open
>> port to connect to.
>>
>> Regards,
>> David Taveras
Re: Can be PF block skype?
Skype is crap, but really good at going through firewalls, so if you want to block this and you're a company then prepare rules about the use of ICT for users and they must sign it. If they break those rules then use sanctions against them. Of course this will not stop experts. Or if you want to be friendly you can give them the option that they can use Ekiga or a similar app, but not Skype because of security implications. But in fact if they are capable of using search they may find this page https://imo.im where Skype is available through Flash.

On Wed, Nov 4, 2009 at 8:48 PM, David Taveras wrote:
> Greetings,
>
> Can PF be programmed to block skype ? Provided we have port 80 and 443
> Opened to the world, and perhaps DNS port too... skype finds any open
> port to connect to.
>
> Regards,
> David Taveras
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
OK, to add more idiotic ideas to the debate about Linux/MS and interoperability and so on, why not add this one? http://www.computerworlduk.com/community/blogs/index.cfm?entryid=2620&blogid=14 EU Wants to Re-define "Closed" as "Nearly Open" '...While there is a correlation between openness and interoperability, it is also true that interoperability can be obtained without openness, for example via homogeneity of the ICT systems, which implies that all partners use, or agree to use, the same solution to implement a European Public Service...' On Wed, Nov 4, 2009 at 5:39 PM, Egon E. Braun Filho wrote: > On Wed, 4 Nov 2009 13:46:26 +1100 > Aaron Mason wrote: > >> Wine is a good idea, but it's stifling an even better idea - making >> applications compatible across multiple OSes, something that hasn't >> needed to be done in the M$ world because of the stranglehold they >> had/have over the consumer market. >> > > Microsoft will not follow free standards, Linux will follow > Microsoft/IBM/Intel/W3C/bullshit_human_slaving_private standards. > > And I believe that is not portability in no way. That is just > assassinating legacy and freedom. > >> Let's put this into perspective: Linux would absolutely jump in >> popularity if Valve ported Steam and the Source engine to it, meaning >> games like the Half Life series, Left 4 Dead and Team Fortress 2 could >> run natively - not to mention that it would prompt other games that >> sell their wares through the Steam CDS to port their games as well - >> but since most of the games run just fine in Wine these days, there's >> no incentive. > > This will happen. We just have to wait for Linus/Redhat/Suse/etc to sign > more NDAs. > > Look after your kids. > > -- > Egon E. Braun Filho > > -- http://www.openbsd.org/lyrics.html
Re: Can be PF block skype?
But Cisco can do it on the application layer. I'm not sure about pf, but last time I read the man pages for pf and pf.conf it wasn't able to do that. I think there was some post about it on Undeadly too. On Wed, Nov 4, 2009 at 9:21 PM, David Taveras wrote: > Your saying that a skype client can proxy itself through another skype > client on the same network? > > In any case, iam sure there must be a way if cisco can do it, pf can. > > --David > > On Wed, Nov 4, 2009 at 2:12 PM, Yamidt Henao wrote: >> It is impossible, skype application, can connect through other client skype >> in the same network. >> >> >> Regards, >> >> Yamidt >> >> On Wed, Nov 4, 2009 at 1:48 PM, David Taveras >> wrote: >>> >>> Greetings, >>> >>> Can PF be programmed to block skype ? Provided we have port 80 and 443 >>> Opened to the world, and perhaps DNS port too... skype finds any open >>> port to connect to. >>> >>> Regards, >>> David Taveras
Re: Can be PF block skype?
Not sure if this is any good, looks like it is opensource though. http://www.lynanda.com/products/software-for-corporations/traffic-filtering/lynanda-skype-filter Mark 2009/11/4 Tomáš Bodžár > But Cisco can do it on Application layer. I'm not sure about pf, but > last time I read man page about pf and pf.conf it wasn't able to do > that. I think that there was some post about it on Undeadly too. > > On Wed, Nov 4, 2009 at 9:21 PM, David Taveras > wrote: > > Your saying that a skype client can proxy itself through another skype > > client on the same network? > > > > In any case, iam sure there must be a way if cisco can do it, pf can. > > > > --David > > > > On Wed, Nov 4, 2009 at 2:12 PM, Yamidt Henao > wrote: > >> It is impossible, skype application, can connect through other client > skype > >> in the same network. > >> > >> > >> Regards, > >> > >> Yamidt > >> > >> On Wed, Nov 4, 2009 at 1:48 PM, David Taveras > >> wrote: > >>> > >>> Greetings, > >>> > >>> Can PF be programmed to block skype ? Provided we have port 80 and 443 > >>> Opened to the world, and perhaps DNS port too... skype finds any open > >>> port to connect to. > >>> > >>> Regards, > >>> David Taveras
Installing OpenBSD on SSD drives
Hello, Is there any particular problem with installing OpenBSD on a SSD HD? I once could on one machine but on my actual machine it simply doesn't work. After a while, the SSD disk becomes like overloaded and unavailable to continue the installing process of 4.6. Regards
Re: Installing OpenBSD on SSD drives
On Wednesday 04 November 2009 16:10:06 Jean-François SIMON wrote: > Hello, > Is there any particular problem with installing OpenBSD on a SSD HD ? I > once could on one machine but on my actual machine it simply doesn't work. > After a while, the SSD disk becomes like overloaded and unavailable to > continue the installing process of 4.6. > Regards I played with one, briefly, and it seemed to work. A little weird, not hearing anything from it... But I'm not at all eager to actually use them just yet. Look for the goofs Intel has had with them. How long will they last, and what is the failure mode like? More often than not a spinning disk will give notice of impending death with a few bad spots before The End. But what of an SSD? By its very nature I could see an address line going, leaving a very weird pattern of unaffected data. SSDs are the future, I'm fairly sure, but I think they need to mature as well as get bigger. Lastly, saying where the install hangs would really help. And of course how big is it and who made it? --STeve Andre'
RES: Can be PF block skype?
Excellent answer. Also try blocking the Skype netblock. -Original Message- From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Laurent CARON Sent: Wednesday, 4 November 2009 18:08 To: misc@openbsd.org Cc: David Taveras Subject: Re: Can be PF block skype? On 04/11/2009 20:48, David Taveras wrote: > Greetings, > > Can PF be programmed to block skype ? Provided we have port 80 and 443 > Opened to the world, and perhaps DNS port too... skype finds any open > port to connect to. > > Regards, > David Taveras > Hi, Why are your users directly natted to the 'evil' internet? Laurent
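The netblock suggestion, as an added example that nobody in the thread posted: a pre-4.7 pf.conf fragment that keeps the blocked ranges in a table loaded from a file, denies LAN egress by default, and logs drops to pflog0 so that blocked attempts are visible. The interface names, the LAN prefix and the ranges in the file are assumptions (RFC 5737 documentation addresses), not anyone's real netblocks.

```pf
# Added example, not from the thread. Interfaces and addresses are assumptions.
ext_if = "em0"
int_if = "em1"
lan    = "10.0.0.0/24"

# One CIDR per line in /etc/pf.blocked, e.g. 198.51.100.0/24 (constructed
# placeholder). "persist" keeps the table alive even when no rule uses it.
# Reload the table without touching the rest of the ruleset:
#   pfctl -t blocked_netblocks -T replace -f /etc/pf.blocked
table <blocked_netblocks> persist file "/etc/pf.blocked"

set skip on lo

# Default deny from the LAN; "log" sends the dropped packets to pflog0.
block log on $int_if from $lan to any

# Known ranges are dropped before any pass rule can match: "quick" stops
# evaluation here, so the pass rules below cannot override it.
block log quick on $int_if from $lan to <blocked_netblocks>

# Only the services the LAN is meant to reach; everything else stays blocked.
pass in  on $int_if proto { tcp, udp } from $lan to any port { 53, 80, 443 } keep state
pass out on $ext_if keep state
```

tcpdump -n -e -ttt -i pflog0 shows what was dropped, which is the detection side of this. The thread's caveat stands: pf matches addresses and ports, so a connection on port 80 or 443 to a range that is not in the table still passes.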
Re: Installing OpenBSD on SSD drives
Jean-François SIMON wrote: > ... > Is there any particular problem with installing OpenBSD on a SSD HD ? I Hello, it is like for any OS on an SSD HD. Make sure you are using no swap partition! And if you are using an application which is writing a lot of things into files, put the respective dirs into ramdisks! We are running some embedded PCs with OpenBSD, which have the SSD HD completely write protected. All partitions are mounted read only, and /tmp, /dev and /var are put into ramdisks. Works fine. Regards, Roger.
Re: Installing OpenBSD on SSD drives
2009/11/4 Roger Schreiter : > it is like for any OS on SSD HD. Make sure, you are using > no swap partition! This is ridiculous advice. > And if you are using an application, which is writing > a lot of things into files, put the respective dirs into > ramdisks! Combined with this is even dumber. If you can't swap, you're already in trouble if you run into memory pressure. So then you go and put the filesystem in RAM to make sure there's lots of extra memory pressure?
Re: Installing OpenBSD on SSD drives
On Thu, Nov 5, 2009 at 9:12 AM, Ted Unangst wrote: > 2009/11/4 Roger Schreiter : >> it is like for any OS on SSD HD. Make sure, you are using >> no swap partition! > > This is ridiculous advice. > >> And if you are using an application, which is writing >> a lot of things into files, put the respective dirs into >> ramdisks! > > Combined with this is even dumber. > > If you can't swap, you're already in trouble if you run into memory > pressure. So then you go and put the filesystem in RAM to make sure > there's lots of extra memory pressure? > > I'm with Ted on this one. At the very least, stick a USB drive in and use that for swap. If things are going to write to SSDs a lot, get two (if budget allows) and stripe/RAID-5 them - this actually does wonders for increasing the lifespan of SSDs. -- Aaron Mason - Programmer, open source addict - Oh, why does everything I whip leave me?
Re: Installing OpenBSD on SSD drives
Hello, I'm using a 32 GB SSD drive for approximately one year with openBSD 4.4 in a SOEKRIS and no troubles with that; the great thing is NO NOISE, NO HEAT. I use the soekris as firewall and the uptime is approximately 178 days. Regards 2009/11/4 Jean-François SIMON > Hello, > Is there any particular problem with installing OpenBSD on a SSD HD ? I > once could on one machine but on my actual machine it simply doesn't work. > After a while, the SSD disk becomes like overloaded and unavailable to > continue the installing process of 4.6. > Regards
Re: Installing OpenBSD on SSD drives
2009/11/5 Jean-François SIMON : > Hello, > Is there any particular problem with installing OpenBSD on a SSD HD ? I > once could on one machine but on my actual machine it simply doesn't work. > After a while, the SSD disk becomes like overloaded and unavailable to > continue the installing process of 4.6. > Regards > > Hi Jean-François, Is this a used SSD? That happens with used ones because they end up doing twice the work - once to erase the used block and again to actually write the block (and several blocks around them, AAMOF). If you have a "secure erase" option available, use it. This will restore the data blocks to an unused state, and restore full speed again. HTH 2009/11/5 STeve Andre' >But I'm not at all eager to actually use them just yet. Look for the >goofs Intel has had with them. How long will they last, and what is >the failure mode like? More often than not a spinning disk will give >notice of impending death with a few bad spots before The End. But >what of an SSD? By its very nature I could see an address line going, >leaving a very weird pattern of unaffected data. I'd say SMART would answer the call by sending DANGER WILL ROBINSON messages to the OS - it would be up to the OS to intercept these messages and inform the sysadmin, however. My $0.02. -- Aaron Mason - Programmer, open source addict - Oh, why does everything I whip leave me?
Re: Installing OpenBSD on SSD drives
Ted Unangst wrote: > ... >> no swap partition! > > This is ridiculous advice. > ... >> a lot of things into files, put the respective dirs into >> ramdisks! > > Combined with this is even dumber. Hi, anyway, intensive swapping onto an SSD HD will destroy your SSD HD. If RAM is the limiting resource in your system, you are right, my advice is ridiculous. In any other case, my advice is important, and for many, many applications it is possible to equip a system with enough RAM, making swapping unnecessary. Ramdisks and complete write protection of the HD are of course just an option to think about, and whether they are appropriate depends on the application. Regards, Roger.
Re: Installing OpenBSD on SSD drives
On Wed, 04 Nov 2009 23:00:39 +0100 Roger Schreiter wrote: > Jean-François SIMON wrote: > > ... > > Is there any particular problem with installing OpenBSD on a SSD > > HD ? I > > Hello, > > it is like for any OS on SSD HD. Make sure, you are using > no swap partition! > > And if you are using an application, which is writing > a lot of things into files, put the respective dirs into > ramdisks! > > We are running some embedded PCs with OpenBSD, which have the > SSD HD completely write protected. All partitions are > mounted read only, and /tmp, /dev and /var is put into > ramdisks. Works fine. > > Regards, > Roger. That advice might have had some merit with 1GB Compact Flash drives ... On e.g. an 80GB SSD partition 60 and leave the rest empty. With that you have _a lot_ of sectors to remap in case some fail. That will increase the lifetime of the drive. Usually flash fails gracefully, can't write but still read, so one would be able to recover the data. Flash is no miracle cure, having backups is still mandatory. I don't expect my 2,5" drive in my laptop to last longer than the stated 5 years the average MLC SSD gets quoted. All that banging around, even turned off, in the laptop bag takes its toll. Harddrives that store critical data are swapped in the 2 to 3 year time frame at latest, if they didn't fail on their own before and are repurposed in less crucial systems like desktops. (...less potential downtime, less power consumption, more peace of mind) On the gp's topic, there is nothing special about SSD's that should keep them from working like any other (guessing) SATA device. ("It doesn't work!" Isn't anywhere near a cry for help that warrants an answer...) - Robert
Re: Installing OpenBSD on SSD drives
2009/11/4 Jean-François SIMON : > Hello, > Is there any particular problem with installing OpenBSD on a SSD HD ? I > once could on one machine but on my actual machine it simply doesn't work. > After a while, the SSD disk becomes like overloaded and unavailable to > continue the installing process of 4.6. > Regards Sounds like an issue with your SSD? Can you supply a dmesg, and details on the SSD, make/model/supplier, as well as the motherboard and how the drive appears to the BIOS? On Wed, Nov 4, 2009 at 4:12 PM, Ted Unangst wrote: > 2009/11/4 Roger Schreiter : >> it is like for any OS on SSD HD. Make sure, you are using >> no swap partition! > > This is ridiculous advice. This *was* reasonable advice for the older generations of CompactFlash, but may no longer be a consideration with newer flash/SSD drives. I have run many embedded servers (mostly OpenBSD on Soekris) without swap, never had any problems traceable to the lack of swap space. >> And if you are using an application, which is writing >> a lot of things into files, put the respective dirs into >> ramdisks! > > Combined with this is even dumber. > > If you can't swap, you're already in trouble if you run into memory > pressure. So then you go and put the filesystem in RAM to make sure > there's lots of extra memory pressure? Actually, the above is standard advice for running any Unix on flash, as people have been doing with Soekris and CF since at least 2001. The idea isn't to put "the filesystem" into RAM, but rather to reduce the write operations by mounting filesystems used for frequently written small files (e.g. /var/tmp) as ramdisks. Kevin
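The write-reduction setup Kevin and Roger describe, as an added example that neither of them posted: an fstab that keeps /usr read-only, turns off access-time updates, puts the frequently rewritten small-file directories on mfs, and still lists a swap partition. Device names and sizes are assumptions.

```fstab
# Added example, not from the thread; /dev/wd0* names and sizes are assumptions.
/dev/wd0a /        ffs  rw,noatime                      1 1
/dev/wd0d /usr     ffs  ro,nodev                        1 2
# /var still takes writes (logs, spool); noatime removes the read-triggered ones.
/dev/wd0e /var     ffs  rw,nodev,nosuid,noatime,softdep 1 2
# Ramdisks for the small, frequently rewritten files; -s is the size in
# 512-byte sectors (32768 = 16 MB). Their contents are gone after a reboot.
swap      /tmp     mfs  rw,nodev,nosuid,-s=32768        0 0
swap      /var/tmp mfs  rw,nodev,nosuid,-s=16384        0 0
# Listing swap does not force the kernel to write to it; the partition is
# only touched under memory pressure, so keeping it costs nothing.
/dev/wd0b none     swap sw                              0 0
```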
Re: Installing OpenBSD on SSD drives
On Wed, Nov 4, 2009 at 5:44 PM, K K wrote: > This *was* reasonable advice for the older generations of > CompactFlash, but may no longer be a consideration with newer > flash/SSD drives. > > I have run many embedded servers (mostly OpenBSD on Soekris) without > swap, never had any problems traceable to the lack of swap space. Why do we keep repeating 10 year old advice that may have applied to crappy 1GB flash and think it matters for 100GB drives using rather different technology? When you run newfs, do you make sure to line the cylinder groups up just right? Because that was standard advice too. More relevantly, I bet you never tried starting firefox on your soekris. Why does everyone assume that the only possible use for an SSD hard drive is in some crippled embedded box? Heaven forbid somebody put a fast drive in a computer that they'll actually use. I've got 4GB of SSD swap in my laptop. Yes, 4GB of swap on SSD! OMG!!! It'll wear out in a month! Why do you assume that merely creating a swap partition somehow forces the kernel to use it? If your system is running without a swap partition, it can run without writing to swap too.
Re: can't load library 'libXdmcp.so.10.0
hmm, on Wed, Nov 04, 2009 at 07:43:33PM +0100, Tomáš Bodžár said that > Hi all, > > I have full installation of i386 snapshot from 1.11.2009 (latest on > mirrors) and I can't use X. When I try startx either as root or normal > user I get : > > $ startx > xauth: can't load library 'libXdmcp.so.10.0' > xauth: can't load library 'libXdmcp.so.10.0' > xauth: can't load library 'libXdmcp.so.10.0' > xinit: can't load library 'libXdmcp.so.10.0' > xauth: can't load library 'libXdmcp.so.10.0' > $ > > And : > > $ locate libXdmcp > /usr/X11R6/lib/libXdmcp.a > /usr/X11R6/lib/libXdmcp.la > $ that file is missing from the snapshot's xbase46.tgz; it is in the next one though. -f -- microsoft is suing apple 'cause they have employees too.
PF: Is it possible to route a LAN IP through a specific IP of the EXT nic?
Hello community, I have a LAN of 10 users connected to a box that nats them all through the external NIC and thus the default server's public IP. That box has several public IPs. Is there any way I can NAT a specific user to use a specific IP as their translated IP? Thank you. -- David
Re: Can be PF block skype?
David Taveras wrote: > Can PF be programmed to block skype? Provided we have port 80 > and 443 Opened to the world, and perhaps DNS port too... skype > finds any open port to connect to. It has been discussed earlier. The short answer is yes with a little help http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038646.html
Re: PF: Is it possible to route a LAN IP through a specific IP of the EXT nic?
It's all in here man. http://www.openbsd.org/faq/pf/nat.html Basically: nat on $ext_if from $your_user to any -> 1.2.3.4 On Wed, Nov 4, 2009 at 3:51 PM, David Taveras wrote: > Hello community, > > I have a LAN of 10 users connected to a box that nats them all through > the external NIC and thus the default servers public IP. THat box has > several public IPs. Is there anyway I can NAT a specific user to use a > specific IP as their translated IP? > > Thank you. > > -- David
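The per-host translation as an added example in the pre-4.7 nat syntax the thread uses (not the FAQ's text or the poster's config). It adds the rule-order point: translation rules are first-match, so a catch-all placed first would swallow the per-host rule. Interface names and the RFC 5737 addresses are assumptions.

```pf
# Added example, not from the thread; names and addresses are assumptions.
ext_if    = "em0"
int_if    = "em1"
lan       = "10.0.0.0/24"
user_host = "10.0.0.42"       # the LAN host that gets its own public address
user_pub  = "203.0.113.42"    # must also be configured as an alias on $ext_if
lan_pub   = "203.0.113.1"     # what everyone else translates to

# Wrong order: nat rules are first-match, so the catch-all would claim
# 10.0.0.42 and the per-host rule below it would never be reached.
#   nat on $ext_if from $lan to any -> $lan_pub
#   nat on $ext_if from $user_host to any -> $user_pub

# Right order: most specific first, catch-all last.
nat on $ext_if from $user_host to any -> $user_pub
nat on $ext_if from $lan       to any -> $lan_pub

# Translation only rewrites addresses; the filter rules still decide what
# passes, and on $ext_if they see the already-translated source address.
pass in  on $int_if from $lan to any keep state
pass out on $ext_if from { $user_pub, $lan_pub } to any keep state
```

pfctl -nf /etc/pf.conf parses the file without loading it, and pfctl -s nat prints the translation rules in the order they are tried. From 4.7 on the same thing is written as match out on $ext_if from $user_host to any nat-to $user_pub.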
Re: svnd vs softraid for encrypting /home et al
On Wed, Nov 4, 2009 at 12:02 PM, umaxx wrote: > I have one advantage to mention: > I have done some comparison measurements (with bonnie benchmark) and > some self-written dd scripts under 4.5 - result: in my setup svnd seems to be > much faster. > I think this is maybe related to the 1. point because (better) crypto is > slow(er). I find svnd to be fast as well. I use it on notebooks and underpowered Celeron CPUs and the encryption overhead is imperceptible. I also like the fact that I can copy the encrypted containers from one OpenBSD install to the other. For now, I plan to stick with vnconfig. Only /, /usr and /var are clear text on my laptops and I'm OK with that. /home is encrypted, swap is encrypted and /tmp is in memory. So I still have some privacy. Brad
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
Dear sweetheart, On Thu, Nov 05, 2009 at 01:12:58AM +0100, Claire beuserie wrote: > Yes, I know, I was present in the room when Illja gave the talk in 2006 at > the CCC Kongress and the two OpenBSD developers in the room decided to > completely ignore the exploit he showed until Miod reproduced it two weeks > later... http://events.ccc.de/congress/2006/Fahrplan/day_4.en.html: Schedule Day 4: 30.12.2006 11:30 Unusual bugs Ilja http://openbsd.org/errata39.html: 017: SECURITY FIX: January 3, 2007 i386 only Insufficient validation in vga(4) may allow an attacker to gain root privileges if the kernel is compiled with option PCIAGP and the actual device is not an AGP device. The PCIAGP option is present by default on i386 kernels only. http://blogs.23.nu/ilja/2007/01/: "So one of the things I noticed after my unusual bugs talk, the OpenBSD guys fix bugs _FAST_. I mean really fast ! bugfix and announcement within a few days. Not many vendors can pull that off." Two weeks, eh? Want it in a black frame with a white caption reading "EPIC FAIL"? I'd start gimp for that. > > If you are not an OpenBSD developer, don't make public statements like that, > if OpenBSD developers decide to sit on a bug for a couple of months, it does > not justify their full disclosure conflict where bugs are swept under the > carpet Newsflash: I decide what I write on a public mailing list. The rest of the sentence doesn't even parse, but I think it's something like "Theo once hurt my feelings on the internets". What I always wanted to know, how do I join the secret Facebook group of people that have been flamed by Theo or another OpenBSD developer? Do you have an IRC channel? Is an emo haircut and a pic from weird angles really required in the application? I should have roasted you in the first reply like my guts told me to, instead I gave you the benefit of the doubt, my mistake. Doesn't happen again. Promise.
Misc'ed for entertainment > > On Thu, Nov 5, 2009 at 12:55 AM, Tobias Ulmer wrote: > > > On Wed, Nov 04, 2009 at 01:46:52PM +0100, Claire beuserie wrote: > > > Dear Tobias, > > > > > > what you stated contradicts what Otto and Art posted. > > > > Ehm, no it doesn't. There are two different components, the actual null > > pointer dereference and the ability to map a page to address zero. > > > > What I'm pointing out is that mapping a page at address 0 isn't new. It's > > also not a bug (this is true for the executable stack as well, as Art > > points out with some sarcasm). The ability for a program to do so was > > recognised in 2006 by some developers, and prevented by a change to the > > kernel in 2008. > > > > It only becomes a problem once someone finds a NULL pointer dereference > > in the kernel. One such problem was discovered recently, and was fixed > > asap. > > > > If you had done some research for the file I linked to, you would find > > that Ilja gave a talk in 2006, called "unusual bugs", where he > > demonstrated this class of vulnerabilities on OpenBSD. I'm sure plenty > > of Linux developers were sitting in the audience as well, laughing about > > us... > > > > Again, the bug was fixed asap: > > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/i386/017_agp.patch > > > > > > > > > > Are you to be quoted as an OpenBSD developer on this? > > > > Certainly not, since I'm no OpenBSD developer. > > > > > > > > Salutions, > > > > > > Claire > > > > > > On Wed, Nov 4, 2009 at 3:46 AM, Tobias Ulmer wrote: > > > > > > > On Wed, Nov 04, 2009 at 02:57:59AM +0100, Claire beuserie wrote: > > > > > Hi, > > > > > > > > > > On Wed, Nov 4, 2009 at 12:58 AM, Theo de Raadt < > > dera...@cvs.openbsd.org > > > > >wrote: > > > > > > > > > > > 2) At least three of our developers were aware of this exploitation > > > > > > method going back perhaps two years before than the commit, but > > we > > > > > > gnashed our teeth a lot to try to find other solutions.
Clever > > > > > > cpu architectures don't have this issue because the virtual > > address > > > > > > spaces are separate, so i386/amd64 are the ones with the big > > impact. > > > > > > We did think long and hard about tlb bashing page 0 every time we > > > > > > switch into the kernel, but it still does not look attractive > > from > > > > > > a performance standpoint. > > > > > > > > > > > > > > > > I'm confused. > > > > > > > > > > That came out a bit weird: are you saying you knew about the bug for > > 2 > > > > years > > > > > but did not fix it? > > > > > > > > It's not "the bug", it's a class of vulnerabilities that allows to > > > > exploit a NULL pointer dereference under certain circumstances. > > > > > > > > http://packetstorm.linuxsecurity.com/poisonpen/8lgm/ptchown.c > > > > is commonly cited as the oldest public source (1994). Use google for > > > > more. > > > > > > > > > > > > > > > > > > > c.b- > > > > > > > > -- > > > > Sent from my noname server. > > > > > > > > -- > > Sent from my noname server. > > -- Sent from my noname server.
Re: svnd vs softraid for encrypting /home et al
On Wed, Nov 04, 2009 at 07:02:54PM -0500, Brad Tilley wrote: > ...Only /, > /usr and /var are clear text on my laptops and I'm OK with that. /home > is encrypted, swap in encrypted and /tmp is in memory. So I still have > some privacy. Did you forget /var/tmp? :)