Re: HP DL320G6 not seeing internal drives

2010-03-11 Thread a b
Snapshot results.

OpenBSD 4.7 (RAMDISK_CD) #351: Tue Mar  9 10:02:25 MST 2010
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Xeon(R) CPU E5502 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem  = 3881558016 (3701MB)
avail mem = 3781189632 (3606MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.6 @ 0xe77fe000 (134 entries)
bios0: vendor HP version W07 date 07/24/2009
bios0: HP ProLiant DL320 G6
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET  SPMI ERST APIC SRAT  BERT HEST DMAR SSDT SSDT SSDT SSDT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 16 (boot processor)
cpu0: apic clock running at 133MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 0 pa 0xfec8, version 20, 24 pins
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 3 (NIB1)
acpiprt2 at acpi0: bus 4 (IPT5)
acpiprt3 at acpi0: bus 0 (PRB2)
acpiprt4 at acpi0: bus 10 (PT07)
acpiprt5 at acpi0: bus 7 (PT03)
acpiprt6 at acpi0: bus 13 (PT01)
acpiprt7 at acpi0: bus 0 (PCI0)
bios0: ROM list: 0xc/0xb000 0xcb000/0x1a00 0xcca00/0xc000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 5500 Host rev 0x13
ppb0 at pci0 dev 1 function 0 Intel X58 PCIE rev 0x13
pci1 at ppb0 bus 13
ppb1 at pci0 dev 3 function 0 Intel X58 PCIE rev 0x13
pci2 at ppb1 bus 7
ppb2 at pci0 dev 7 function 0 Intel X58 PCIE rev 0x13
pci3 at ppb2 bus 10
em0 at pci3 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: apic 0 int 6 (irq 7), address 00:15:17:d6:76:66
em1 at pci3 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: apic 0 int 13 (irq 11), address 00:15:17:d6:76:67
pchb1 at pci0 dev 13 function 0 vendor Intel, unknown product 0x343a rev 0x13
pchb2 at pci0 dev 13 function 1 vendor Intel, unknown product 0x343b rev 0x13
pchb3 at pci0 dev 13 function 2 vendor Intel, unknown product 0x343c rev 0x13
pchb4 at pci0 dev 13 function 3 vendor Intel, unknown product 0x343d rev 0x13
pchb5 at pci0 dev 13 function 4 Intel 5520/X58 QuickPath rev 0x13
pchb6 at pci0 dev 13 function 5 Intel 5520 QuickPath rev 0x13
pchb7 at pci0 dev 13 function 6 vendor Intel, unknown product 0x341a rev 0x13
pchb8 at pci0 dev 14 function 0 vendor Intel, unknown product 0x341c rev 0x13
pchb9 at pci0 dev 14 function 1 vendor Intel, unknown product 0x341d rev 0x13
pchb10 at pci0 dev 14 function 2 vendor Intel, unknown product 0x341e rev 0x13
pchb11 at pci0 dev 14 function 3 vendor Intel, unknown product 0x341f rev 0x13
pchb12 at pci0 dev 14 function 4 vendor Intel, unknown product 0x3439 rev 0x13
Intel X58 Misc rev 0x13 at pci0 dev 20 function 0 not configured
Intel X58 GPIO rev 0x13 at pci0 dev 20 function 1 not configured
Intel X58 RAS rev 0x13 at pci0 dev 20 function 2 not configured
uhci0 at pci0 dev 26 function 0 Intel 82801JI USB rev 0x00: apic 8 int 20 (irq 5)
uhci1 at pci0 dev 26 function 1 Intel 82801JI USB rev 0x00: apic 8 int 23 (irq 7)
uhci2 at pci0 dev 26 function 2 Intel 82801JI USB rev 0x00: apic 8 int 22 (irq 10)
ehci0 at pci0 dev 26 function 7 Intel 82801JI USB rev 0x00: apic 8 int 22 (irq 10)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 28 function 0 Intel 82801JI PCIE rev 0x00
pci4 at ppb3 bus 2
ppb4 at pci4 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb5
pci5 at ppb4 bus 3
bge0 at pci5 dev 4 function 0 Broadcom BCM5715 rev 0xa3, BCM5715 A3 (0x9003): apic 8 int 16 (irq 7), address 18:a9:05:00:ae:00
brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
bge1 at pci5 dev 4 function 1 Broadcom BCM5715 rev 0xa3, BCM5715 A3 (0x9003): apic 8 int 17 (irq 11), address 18:a9:05:00:ae:01
brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
ppb5 at pci0 dev 28 function 4 Intel 82801JI PCIE rev 0x00
pci6 at ppb5 bus 4
uhci3 at pci0 dev 29 function 0 Intel 82801JI USB rev 0x00: apic 8 int 20 (irq 5)
uhci4 at pci0 dev 29 function 1 Intel 82801JI USB rev 0x00: apic 8 int 23 (irq 7)
uhci5 at pci0 dev 29 function 2 Intel 82801JI USB rev 0x00: apic 8 int 22 (irq 10)
ehci1 at pci0 dev 29 function 7 Intel 82801JI USB rev 0x00: apic 8 int 20 (irq 5)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb6 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x90
pci7 at ppb6 bus 1
vga1 at pci7 dev 3 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Compaq iLO rev 0x03 at pci7 dev 4 function 0 not configured
Compaq iLO rev 0x03 at pci7 dev 4 function 2 not configured
uhci6 at pci7 dev 4 function 4 Hewlett-Packard USB rev 0x00: apic 8 int 22 (irq 10)
Hewlett-Packard IPMI rev 0x00 at pci7 dev 4 function 6 not configured
usb2 at uhci6: 

Re: HP DL320G6 not seeing internal drives

2010-03-11 Thread Stuart Henderson
On 2010-03-11, a b rclo...@yahoo.co.uk wrote:
 Snapshot results.

thanks, Brad points out that this device id needs adding to the
ahci driver:

..
 Intel 82801JI RAID rev 0x00 at pci0
 dev 31 function 2 not configured
..

Index: ahci.c
===
RCS file: /cvs/src/sys/dev/pci/ahci.c,v
retrieving revision 1.158
diff -u -p -r1.158 ahci.c
--- ahci.c  21 Jan 2010 10:16:44 -  1.158
+++ ahci.c  11 Mar 2010 08:35:29 -
@@ -442,6 +442,8 @@ static const struct ahci_device ahci_dev
 
{ PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801H_RAID,
NULL,   NULL },
+   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801JI_RAID,
+   NULL,   NULL },
 
{ PCI_VENDOR_NVIDIA,PCI_PRODUCT_NVIDIA_MCP65_AHCI_2,
NULL,   ahci_nvidia_mcp_attach },
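Review bot: the new pair mirrors the PCI_PRODUCT_INTEL_82801H_RAID entry directly above it (NULL match and attach hooks, so the generic attach path is used), which is consistent with the rest of the table; the one thing to confirm before committing is that PCI_PRODUCT_INTEL_82801JI_RAID is already defined in pcidevs and that pcidevs.h has been regenerated, otherwise ahci.c will not compile. The dmesg line quoted above ("Intel 82801JI RAID rev 0x00 at pci0 dev 31 function 2 not configured") shows the kernel already prints the product name, so the define is most likely present. Worth stating in the commit message that this attaches ahci while the BIOS leaves the controller in RAID mode; if the AHCI registers turn out not to be exposed in that mode on the DL320 G6, switching the BIOS from RAID to AHCI, as suggested elsewhere in this thread, is the fallback.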

I'll get you some install media built to test.



Re: HP DL320G6 not seeing internal drives

2010-03-11 Thread a b
 thanks, Brad points out that this device id needs adding to the

Kudos to Brad! ;-)

 I'll get you some install media built to test.

Aw-shucks, you guys make me wonder why anyone would want to use anything
other than OpenBSD with this sort of community spirit! ;-)

Thanks v. much, and keep up the (very good) work!



Problems with Carp, Multi-WAN and pf syntax.

2010-03-11 Thread Marcus Mülbüsch

Hello all,

   How do I configure pf in a way that traffic that comes in on one 
CARP interface goes out through the same CARP interface? The syntax in 
-current has changed from the FAQ (which assumes OpenBSD 4.6).


http://www.openbsd.org/faq/pf/pools.html#outgoing

   On an HP ProLiant with BCM5703X NICs I had to go with -current, 
because the NICs do not work with 4.6 (see here: 
http://old.nabble.com/ProLiant-DL360-G3---bge-won't-work-td26746681.html 
and here: http://marc.info/?l=openbsd-cvsm=12492713264w=2 )


  I can make neither heads nor tails of the manpage in this regard, so 
can anybody help?


Marcus Mülbüsch



A small research paper - Thoughts about Cisco.

2010-03-11 Thread TS Lura
Dear OpenBSD community,

I'm doing a small research paper on Cisco and am trying to find out whether
they are evil or not relative to open/free source/standards and business
practice, e.g. locking people into their product line, aka the MS way.

I'm sending this mail to you guys because I think many of you know a lot
about networking and the networking industry. I'm hoping that someone would
be kind and share some of their impressions of Cisco with me.

My hypothesis is that Cisco is following the best business practice in
relation to proprietary and open/free source.
To answer this hypothesis I'm trying to find out if Cisco is using their
proprietary solution when there is a better open/free alternative.

My preliminary thoughts are taken from what I have perceived: that Cisco
makes a proprietary solution to give them an edge and uniqueness in the
market which they can harvest capital from. And when that solution has
become commonplace they switch over to non-proprietary solutions to become
more interoperable and thus stay competitive.

First, is this a reasonable observation?
Second, are there any deviations from this trend? If so, why?


I'm very grateful for any reply I get.


Kind regards,

TSLura.



Re: Apache - bandwidth usage limit per vhost

2010-03-11 Thread Ozgur Kazancci
Mr. Coppa,
Thank you very much for the patch.

It compiles without any error and it works ok but I've noticed that if the 
mod_throttle is loaded, apache doesn't want to restart with 'apachectl restart' 
anymore. You should manually 'apachectl stop' and 'apachectl start' it;

A demonstration:

# apachectl start
/usr/sbin/apachectl start: httpd started
# apachectl restart
/usr/sbin/apachectl restart: httpd restarted -- (httpd stopped but did not 
start again)
# apachectl stop
/usr/sbin/apachectl stop: httpd (pid 947?) not running 

# apachectl start
/usr/sbin/apachectl start: httpd started

Do you have any suggestions?

Kind Regards.

---
Ozgur Kazancci



Re: Joomla - MySQL Problem: Could not connect to MySQL

2010-03-11 Thread Jan

I didn't notice, that httpd was still running.

kill -TERM ID_of_httpd
httpd -u

solved the problem. Thank you! Everything works fine!


Jan




Alexander Hall wrote:

Jan wrote:

Thank you for the numerous responses! Except the solution to change
localhost to 127.0.0.1 in the whole script, I tried everything you


Do try that then. I don't know the script at hand, but it cannot be that
many places that create a database connection, can it?

IIRC, localhost implies file socket, and even if I'm wrong, it requires
a name lookup, and you might be missing /etc stuff in the chroot.


proposed. It still doesn't work. Here a short review:

=== Are you trying to connect to the MySQL socket outside of the httpd
chroot?
=== after having run apachectl start, I tried the same process using
httpd -u. But nothing changed.


You did mean you killed httpd in between, yes?



=== mysql -h localhost -u root -p
Works perfectly. mysql -h localhost -u joomla -p works also.


How about mysql -h 127.0.0.1 -P 3306 -u joomla -p ?

/Alexander


=== Have a look in /var/www/logs/
===in the errorlog of the folder is no entry. access_log shows up:
172.16.172.130 -- [09/Mar/2010:09:47:26 -0700] POST
/user01/installation/index.php HTTP/1.1 200 4270

=== At the very least you'll also need the php5-mysql-5.2.6.tgz package
installed as well.
=== php5-mysql and php5-mysqli packets are installed both

=== At the very least you'll also need the php5-mysql-5.2.6.tgz package
installed as well.
== That's the output of the mysql part in phpinfo():

mysql

MySQL Support              enabled

active persistent links    0
active links               0
client api version         5.0.51a
mysql_module_type          external
mysql_socket               /var/run/mysql/mysql.sock
mysql_include              -I/usr/local/include/mysql
mysql_libs                 -L/usr/local/include/mysql

directive                  local value     master value

mysql.allow_persistent     On              On
mysql.connect_timeout      60              60
mysql.default_host         no value        no value
mysql.default_password     no value        no value
mysql.default_port         no value        no value
mysql.default_socket       no value        no value
mysql.default_user         no value        no value
mysql.max_links            Unlimited       Unlimited
mysql.max_persistent       Unlimited       Unlimited
mysql.trace_mode           Off             Off



Thank you!

Jan




Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread Christiano F. Haesbaert
2010/3/11 TS Lura tsl...@gmail.com:
 Dear OpenBSD community,

 I'm doing a small research paper on Cisco and am trying to find out whether
 they are evil or not relative to open/free source/standards and business
 practice, e.g. locking people into their product line, aka the MS way.

 I'm sending this mail to you guys because I think many of you know a lot
 about networking and the networking industry. I'm hoping that someone would
 be kind and share some of their impressions of Cisco with me.

 My hypothesis is that Cisco is following the best business practice in
 relation to proprietary and open/free source.
 To answer this hypothesis I'm trying to find out if Cisco is using their
 proprietary solution when there is a better open/free alternative.

 My preliminary thoughts are taken from what I have perceived: that Cisco
 makes a proprietary solution to give them an edge and uniqueness in the
 market which they can harvest capital from. And when that solution has
 become commonplace they switch over to non-proprietary solutions to become
 more interoperable and thus stay competitive.

 First, is this a reasonable observation?
 Second, are there any deviations from this trend? If so, why?


 I'm very grateful for any reply I get.

I had bad experiences with Cisco being nice: we had to implement
UDLD in our equipment, which Cisco wrote and made a standard, but
it seems they wrote it in a way that no one can implement, read:
they simply won't explain the protocol's state machine.

http://www.faqs.org/rfcs/rfc5171.html

It's simply insane, they write stuff so that no one can understand and/or
implement.

That was my closest experience with cisco niceness and I consider it
enough to build up my hate.



Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread Tomas Bodzar
Read this http://kerneltrap.org/node/5382, especially the part titled
"The politics of vulnerabilities", and you will get an idea of how nice
Cisco is.


On Thu, Mar 11, 2010 at 1:41 PM, Christiano F. Haesbaert
haesba...@haesbaert.org wrote:
 2010/3/11 TS Lura tsl...@gmail.com:
 Dear OpenBSD community,

 I'm doing a small research paper on Cisco and am trying to find out whether
 they are evil or not relative to open/free source/standards and business
 practice, e.g. locking people into their product line, aka the MS way.

 I'm sending this mail to you guys because I think many of you know a lot
 about networking and the networking industry. I'm hoping that someone would
 be kind and share some of their impressions of Cisco with me.

 My hypothesis is that Cisco is following the best business practice in
 relation to proprietary and open/free source.
 To answer this hypothesis I'm trying to find out if Cisco is using their
 proprietary solution when there is a better open/free alternative.

 My preliminary thoughts are taken from what I have perceived: that Cisco
 makes a proprietary solution to give them an edge and uniqueness in the
 market which they can harvest capital from. And when that solution has
 become commonplace they switch over to non-proprietary solutions to become
 more interoperable and thus stay competitive.

 First, is this a reasonable observation?
 Second, are there any deviations from this trend? If so, why?


 I'm very grateful for any reply I get.

 I had bad experiences with Cisco being nice: we had to implement
 UDLD in our equipment, which Cisco wrote and made a standard, but
 it seems they wrote it in a way that no one can implement, read:
 they simply won't explain the protocol's state machine.

 http://www.faqs.org/rfcs/rfc5171.html

 It's simply insane, they write stuff so that no one can understand and/or
 implement.

 That was my closest experience with cisco niceness and I consider it
 enough to build up my hate.





--
http://www.openbsd.org/lyrics.html



Re: Apache - bandwidth usage limit per vhost

2010-03-11 Thread Ozgur Kazancci
Oh, my mistake.. I forgot that it was a jailed httpd.

There was a File Not Found: /usr/lib/apache/modules/mod_throttle.so message 
in the error_log, but the file was already there (out of chroot path). So, I 
copied the mod_throttle.so file into /var/www/conf/modules and changed the path 
of LoadModule throttle_module in httpd.conf.

'apachectl restart' is working again.

Thanks.

// Ozgur



Re: sysctl(3)

2010-03-11 Thread Toni Mueller
Hi Otto,

On Thu, 11.03.2010 at 07:08:24 +0100, Otto Moerbeek o...@drijf.net wrote:
 On Thu, Mar 11, 2010 at 12:23:22AM +0100, Toni Mueller wrote:
  Btw, in the snapshot of today, the sysctl(3) man page is absent:
  
  $ find . -name 'sysctl*'
  ./cat8/sysctl.0
  ./cat5/sysctl.conf.0
  $
 
 Did you install the comp set? It's in there:
 $ tar ztf comp47.tgz | grep syscl
 ./usr/include/sys/sysctl.h
 ./usr/share/man/cat3/sysctl.0

thanks for the heads-up! No, I only installed the 'man' package on a
different machine than the one I am working on (not OpenBSD, either).
But I'll now grab 'comp' too and see if that helps.


-- 
Kind regards,
--Toni++



Re: HP DL320G6 not seeing internal drives

2010-03-11 Thread Jonathan Gray
It should be possible to change this in the bios from RAID
to AHCI also.

On Thu, Mar 11, 2010 at 08:53:02AM +, Stuart Henderson wrote:
 On 2010-03-11, a b rclo...@yahoo.co.uk wrote:
  Snapshot results.
 
 thanks, Brad points out that this device id needs adding to the
 ahci driver:
 
 ..
  Intel 82801JI RAID rev 0x00 at pci0
  dev 31 function 2 not configured
 ..



FROM SCIB 11/3/2010

2010-03-11 Thread SIAM BANK
From Siam City Bank

Director, International Remittance

Foreign Operations Dept,

Siam City Bank Of Thailand Plc,

Bangkok Thailand



Good day

Your long overdue Payment.



I saw your email ( in the Central Computer among the list of unpaid 
beneficiaries,  and lotto winners that was originated from Africa, Europe, Asia 
Plus Middle east, Americans ) among the list of individuals and companies that 
your unpaid fund has been located to the Bank, THAILAND



Your email appeared among the beneficiaries, who will receive a payment of your 
fund and has been approved already for months. You are requested to get back to 
me for more direction and instruction on how to receive your fund. 



However, we received an email from one Mr. Virgle Lee Samples who told us that 
he is your next of kin and that you died in a car accident last week.





He has also submitted his account for us to transfer the fund to him including 
his International passport; we want to hear from you before we can make the 
transfer to confirm if you are dead or not.



 Once again, I apologize to you on behalf Of IMF (International Monetary Fund) 
for failure to pay your funds in time, which according to records in the system 
had been long overdue.



Yours Sincerely,



Tony Chasra




apachectl restart bug?

2010-03-11 Thread Ozgur Kazancci
When apachectl issues a restart, it sends a SIGHUP signal to httpd,
and when httpd receives this signal, it doesn't exit from its chroot.
So, apachectl restart becomes non-functional when you have external
modules via LoadModule in your httpd.conf.

I have the following line in my httpd.conf:

LoadModule throttle_module  /usr/lib/apache/modules/mod_throttle.so

When you have such a line, (and the module file exists there) apache
doesn't want to restart (apachectl restart) anymore.

After executing apachectl restart command, error_log file receives:
Syntax error on line 276 of /conf/httpd.conf: Cannot load
/usr/lib/apache/modules/mod_throttle.so into server: File not found
But the file is already there.
So I have to manually 'apachectl stop' and 'apachectl start' to restart httpd;

A demonstration:

# apachectl start
/usr/sbin/apachectl start: httpd started
# apachectl restart
/usr/sbin/apachectl restart: httpd restarted  --httpd stopped but didn't start 
again
# apachectl stop
/usr/sbin/apachectl stop: httpd (pid 947?) not running

# apachectl start
/usr/sbin/apachectl start: httpd started

System: OpenBSD 4.6-stable with the stock httpd (Apache/1.3.29)

Regards.

-- 
Ozgur Kazancci



Re: apachectl restart bug?

2010-03-11 Thread Antoine Jacoutot
On Thu, 11 Mar 2010, Ozgur Kazancci wrote:

 When apachectl issues a restart, it sends a SIGHUP signal to httpd,
 and when httpd receives this signal, it doesn't exit from its chroot.
 So, apachectl restart becomes non-functional when you have external
 modules via LoadModule in your httpd.conf.
 
 I have the following line in my httpd.conf:
 
 LoadModule throttle_module  /usr/lib/apache/modules/mod_throttle.so
 
 When you have such a line, (and the module file exists there) apache
 doesn't want to restart (apachectl restart) anymore.

Oh come on, at least read the apachectl(8) man page.


-- 
Antoine



Re: apachectl restart bug?

2010-03-11 Thread Maurice Janssen
On Thu, Mar 11, 2010 at 04:08:10PM +0200, Ozgur Kazancci wrote:
When apachectl issues a restart, it sends a SIGHUP signal to httpd,
and when httpd receives this signal, it doesn't exit from its chroot.
So, apachectl restart becomes non-functional when you have external
modules via LoadModule in your httpd.conf.

That's a documented 'feature' in man apachectl:

 restart   Restart httpd(8) by sending it a SIGHUP.  If the daemon is
   not running, it is started.  This command automatically
   checks the configuration files via configtest before initi-
   ating the restart to make sure httpd(8) doesn't die.  If
   httpd runs chrooted (default in OpenBSD) and 3rd party mod-
   ules are loaded, restart may fail due to path inconsisten-
   cy.  Completely stop and start the daemon instead.



Re: apachectl restart bug?

2010-03-11 Thread Gilles Chehade
On Thu, Mar 11, 2010 at 03:20:33PM +0100, Antoine Jacoutot wrote:
 On Thu, 11 Mar 2010, Ozgur Kazancci wrote:
 
  When apachectl issues a restart, it sends a SIGHUP signal to httpd,
  and when httpd receives this signal, it doesn't exit from its chroot.
  So, apachectl restart becomes non-functional when you have external
  modules via LoadModule in your httpd.conf.
  
  I have the following line in my httpd.conf:
  
  LoadModule throttle_module  /usr/lib/apache/modules/mod_throttle.so
  
  When you have such a line, (and the module file exists there) apache
  doesn't want to restart (apachectl restart) anymore.
 
 Oh come on, at least read the apachectl(8) man page.
 

or the FAQ ...

Gilles

-- 
Gilles Chehade
freelance developer/sysadmin/consultant

   http://www.poolp.org



Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread Pete Vickers
On 11. mars 2010, at 12.13, TS Lura wrote:

 Dear OpenBSD community,

 I'm doing a small research paper on Cisco and am trying to find out whether
 they are evil or not relative to open/free source/standards and business
 practice, e.g. locking people into their product line, aka the MS way.

 I'm sending this mail to you guys because I think many of you know a lot
 about networking and the networking industry. I'm hoping that someone would
 be kind and share some of their impressions of Cisco with me.

 My hypothesis is that Cisco is following the best business practice in
 relation to proprietary and open/free source.
 To answer this hypothesis I'm trying to find out if Cisco is using their
 proprietary solution when there is a better open/free alternative.

 My preliminary thoughts are taken from what I have perceived: that Cisco
 makes a proprietary solution to give them an edge and uniqueness in the
 market which they can harvest capital from. And when that solution has
 become commonplace they switch over to non-proprietary solutions to become
 more interoperable and thus stay competitive.

 First, is this a reasonable observation?
 Second, are there any deviations from this trend? If so, why?


 I'm very grateful for any reply I get.


 Kind regards,

 TSLura.


Hi,

Lots of flame-bait in there, which at least I am happily ignoring. A couple of
interesting points though:

1. Time to market: it's normally 'do it yourself' in private first, then open
source later. E.g. Cisco did ISL first until 802.1Q was later established as
the standard, and adopted by them.

2. Thoroughbred solutions: e.g. some (most?) products are a mix and match of
proprietary and open source; e.g. see this link for open source software
incorporated into a particular Cisco product:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/license/fwsmoslic.html


/Pete



Re: Problems with Carp, Multi-WAN and pf syntax.

2010-03-11 Thread Marcus Mülbüsch

Marcus Mülbüsch wrote:

   How do I configure pf in a way that traffic that comes in on one 
CARP interface goes out through the same CARP interface? The syntax in 
-current has changed from the FAQ (which assumes OpenBSD 4.6).


   After some help from a friendly soul, and reducing my pf.conf to 
the bare minimum, it still does not work as intended. Either I have hit a 
bug, or I still have a wrong conf.


NICs are configured as follows:

# /etc/hostname.bge0
inet 192.168.3.1 255.255.255.0 192.168.3.255

# /etc/hostname.em0 (WAN-1)
inet wan1-ip 255.255.255.248 wan1-brd
!route add -mpath default wan1-gw

# /etc/hostname.em1 (WAN-2)
inet wan2-ip 255.255.255.248 wan2-brd
!route add -mpath default wan2-gw

sysctl is configured for multipath and forwarding:

# /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip.multipath=1

pf.conf looks like this:

# /etc/pf.conf

# Macros
if_wan1 = "em0"
if_wan2 = "em1"
if_wan  = "{" $if_wan1 $if_wan2 "}"
if_dmz  = "bge0"
gw_wan1 = "wan1-gw"
gw_wan2 = "wan2-gw"

# Allow ICMP
pass in log quick on $if_wan inet proto icmp from any to any

# Redirect WWW traffic
pass in log quick on $if_wan inet proto tcp from any to any \
    rdr-to some-servers round-robin

# NAT for outgoing connections on each internet interface
pass out log on $if_wan1 from any to any nat-to ($if_wan1)
pass out log on $if_wan2 from any to any nat-to ($if_wan2)

# route packets from any IPs on $if_wan1 to $gw_wan2 and the same for
# $if_versa and $gw_versa
pass out log quick on $if_wan1 from $if_wan2 route-to ($if_wan2 $gw_wan2)
pass out log quick on $if_wan2 from $if_wan1 route-to ($if_wan1 $gw_wan1)



At first everything seems to be fine:

Accessing the www-servers from outside per the wan2 interface works as 
intended: The traffic goes in through the wan2 interface, gets 
redirected to the www-servers via round robin (if one of them goes down 
that doesn't matter, as is the whole idea), and gets back through wan2.


However. If I access the www-servers from outside via wan-1 ip, 50% of 
the time the traffic tries to go back through the wan-2 interface, and 
that is something I don't understand.


Same for ICMP.

Any help?

Marcus Mülbüsch



Re: 4.6 reboots x336 ibm server(s)

2010-03-11 Thread FRLinux
Hey guys, I sent an acpi dump with dmesg info a couple of months ago to
this list hoping the developers might be able to fix this. Just
letting you know that the 4.7 snapshot still reboots the box unless you
disable ppb*. Any way I can help?

Cheers,
Steph



Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread TS Lura
I'm sorry.

My intent was not to be inflammatory.

My experience with Cisco as a company is limited, so I'm therefore trying to
find out more. In that process I may be asking a controversial question,
which for some is quite obvious.

Thanks for the replies so far.

.tsl




On Thu, Mar 11, 2010 at 2:33 PM, Pete Vickers p...@systemnet.no wrote:


 On 11. mars 2010, at 12.13, TS Lura wrote:

  Dear OpenBSD community,
 
  I'm doing a small research paper on Cisco and am trying to find out whether
  they are evil or not relative to open/free source/standards and business
  practice, e.g. locking people into their product line, aka the MS way.
 
  I'm sending this mail to you guys because I think many of you know a lot
  about networking and the networking industry. I'm hoping that someone would
  be kind and share some of their impressions of Cisco with me.
 
  My hypothesis is that Cisco is following the best business practice in
  relation to proprietary and open/free source.
  To answer this hypothesis I'm trying to find out if Cisco is using their
  proprietary solution when there is a better open/free alternative.
 
  My preliminary thoughts are taken from what I have perceived: that Cisco
  makes a proprietary solution to give them an edge and uniqueness in the
  market which they can harvest capital from. And when that solution has
  become commonplace they switch over to non-proprietary solutions to become
  more interoperable and thus stay competitive.
 
  First, is this a reasonable observation?
  Second, are there any deviations from this trend? If so, why?
 
 
  I'm very grateful for any reply I get.
 
 
  Kind regards,
 
  TSLura.
 

 Hi,

 Lots of flame-bait in there, which at least I am happily ignoring. A couple
 of interesting points though:

 1. Time to market: it's normally 'do it yourself' in private first, then
 open source later. E.g. Cisco did ISL first until 802.1Q was later
 established as the standard, and adopted by them.

 2. Thoroughbred solutions: e.g. some (most?) products are a mix and match of
 proprietary and open source; e.g. see this link for open source software
 incorporated into a particular Cisco product:
 http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/license/fwsmoslic.html


 /Pete



Re: Problems with Carp, Multi-WAN and pf syntax.

2010-03-11 Thread Stuart Henderson
On 2010-03-11, Marcus Mülbüsch muelbue...@as-infodienste.de wrote:
 Hello all,

 How do I configure pf in a way that traffic that comes in on one 
 CARP interface goes out through the same CARP interface?

you're probably looking for reply-to, something along these lines:

pass in quick on gif1 inet to (gif1) reply-to 10.33@gif1
pass in quick on pppoe0 inet to (pppoe0) reply-to 0.0@pppoe0
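Marcus's ruleset from his follow-up, rewritten with the reply-to Stuart suggests, as an added example that is not part of the thread. It uses the address@interface form from Stuart's reply; the gateway names, the <www> table members and port 80 are placeholders.

```pf
# Added example, not from the original thread: Marcus's multi-WAN ruleset
# with a per-interface reply-to, in the address@interface form Stuart gives.
# wan1-gw, wan2-gw, the <www> members and port 80 are placeholders.

if_wan1 = "em0"
if_wan2 = "em1"
if_dmz  = "bge0"
gw_wan1 = "wan1-gw"
gw_wan2 = "wan2-gw"
table <www> { 192.168.3.10 192.168.3.11 }   # constructed sample addresses

# Why the original rules fail: "on $if_wan" matches both WAN interfaces in
# one rule, so the state created by a packet arriving on em0 records no
# reply path.  With net.inet.ip.multipath=1 the reply (and the ICMP echo
# reply) is then balanced across the two default routes, which is the
# "50% of the time" return via wan2 described in the thread.
#
#   pass in log quick on $if_wan inet proto icmp from any to any
#   pass in log quick on $if_wan inet proto tcp from any to any \
#       rdr-to <www> round-robin
#
# Fix: one rule per WAN interface.  reply-to stores that interface's own
# gateway in the state, so every packet flowing back along the state is
# handed to that gateway regardless of what the routing table says.

pass in log quick on $if_wan1 inet proto icmp from any to any \
    reply-to $gw_wan1@$if_wan1
pass in log quick on $if_wan2 inet proto icmp from any to any \
    reply-to $gw_wan2@$if_wan2

pass in log quick on $if_wan1 inet proto tcp from any to ($if_wan1) port 80 \
    rdr-to <www> round-robin reply-to $gw_wan1@$if_wan1
pass in log quick on $if_wan2 inet proto tcp from any to ($if_wan2) port 80 \
    rdr-to <www> round-robin reply-to $gw_wan2@$if_wan2

# Outbound NAT and route-to for locally sourced traffic, same idea as the
# original, written in the same address@interface form.
pass out log on $if_wan1 from any to any nat-to ($if_wan1)
pass out log on $if_wan2 from any to any nat-to ($if_wan2)
pass out log quick on $if_wan1 from ($if_wan2) route-to $gw_wan2@$if_wan2
pass out log quick on $if_wan2 from ($if_wan1) route-to $gw_wan1@$if_wan1
```

Check the loaded rules with pfctl -sr and watch the state entries with pfctl -ss: a state created on em0 should list wan1-gw as its reply-to gateway, and a state created on em1 should list wan2-gw.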



help with mail retrieval/cleaning/storage setup using openbsd

2010-03-11 Thread inet_user23

Hi,

I need to set up an OpenBSD box to work as a local mail storage server
(where I can run some antivirus like clamav), for a domain that is
hosted on the web.

My idea is to have a script that periodically fetches the mail for all
users, via POP3 or another protocol, from the Internet domain
hosting service, runs some kind of antivirus software and then
stores it locally for later retrieval (via POP3 or IMAP) by the
users.

Has anyone worked on a similar setup and could share some
insights?

Thanks in advance.

Regards,

Jose



Re: sysctl(3)

2010-03-11 Thread Toni Mueller
On Thu, 11.03.2010 at 14:31:46 +0100, Toni Mueller openbsd-m...@oeko.net 
wrote:
 But I'll now grab 'comp' too and see if that helps.

I've now looked at the man page in -current, and it does not cover the
leaves below PF_KEY.

-- 
Kind regards,
--Toni++



Re: help with mail retrieval/cleaning/storage setup using openbsd

2010-03-11 Thread Lars Nooden
On 2010-3-11 6:59 PM, inet_use...@samerica.com wrote:

 My idea is to have a script that periodically fetches the mail for all
 users, 

For that, one option is fetchmail:

http://www.openbsd.org/4.6_packages/i386/fetchmail-6.3.9.tgz-long.html

/Lars



Re: sysctl(3)

2010-03-11 Thread Jason McIntyre
On Thu, Mar 11, 2010 at 06:02:49PM +0100, Toni Mueller wrote:
 On Thu, 11.03.2010 at 14:31:46 +0100, Toni Mueller openbsd-m...@oeko.net 
 wrote:
  But I'll now grab 'comp' too and see if that helps.
 
 I've now looked at the man page in -current, and it does not cover the
 leaves below PF_KEY.
 

i think otto meant only about the missing page, not the PF_KEY stuff.
that is currently documented, but we're working on a fix...

jmc



Re: Apache - bandwidth usage limit per vhost

2010-03-11 Thread Ted Roby
On Thu, Mar 11, 2010 at 6:17 AM, Ozgur Kazancci
ozgur.kazan...@info.uvt.ro wrote:

 Oh, my mistake.. I forgot that it was a jailed httpd.

 There was a File Not Found: /usr/lib/apache/modules/mod_throttle.so
 message in the error_log, but the file was already there (out of chroot
 path). So, I copied the mod_throttle.so file into /var/www/conf/modules and
 changed the path of LoadModule throttle_module in httpd.conf.

 'apachectl restart' is working again.

 Thanks.

 // Ozgur


Just curious..   did 'apachectl graceful' tell you anything about that
missing file when testing?
That's my first and favorite debug command for apache esp. in production
env.



Re: Apache - bandwidth usage limit per vhost

2010-03-11 Thread Ted Roby
On Thu, Mar 11, 2010 at 10:17 AM, Ted Roby ted.r...@gmail.com wrote:



 On Thu, Mar 11, 2010 at 6:17 AM, Ozgur Kazancci 
 ozgur.kazan...@info.uvt.ro wrote:

 Oh, my mistake.. I forgot that it was a jailed httpd.

 There was a File Not Found: /usr/lib/apache/modules/mod_throttle.so
 message in the error_log, but the file was already there (out of chroot
 path). So, I copied the mod_throttle.so file into /var/www/conf/modules and
 changed the path of LoadModule throttle_module in httpd.conf.

 'apachectl restart' is working again.

 Thanks.

 // Ozgur


 Just curious..   did 'apachectl graceful' tell you anything about that
 missing file when testing?
 That's my first and favorite debug command for apache esp. in production
 env.



Sorry!!  I meant to ask about 'apachectl configtest'. THAT is my
favorite



Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread Daniel Ouellet

On 3/11/10 6:13 AM, TS Lura wrote:

Dear OpenBSD community,

I'm doing a small research paper on Cisco and trying to find out if they are
evil or not in relation to open/free source/standards, and business
practice. E.g. locking people into their product line, aka the MS way.

I'm sending this mail to you guys because I think many of you know a lot
about networking, and the networking industry. I'm hoping that someone would
be kind and share some of their impressions of Cisco with me.

My hypothesis is that Cisco is following the best business practice in
relation to proprietary and open/free source.
To answer this hypothesis I'm trying to find out if Cisco is using their
proprietary solution when there is a better open/free alternative.

My preliminary thoughts are taken from what I have perceived, that Cisco
makes a proprietary solution to give them an edge and uniqueness in the
market which they can harvest capital from. And when that solution has
become commonplace they switch over to non-proprietary solutions to become
more interoperable and thus stay competitive.

First, is this a reasonable observation?
Second, are there any deviations from this trend? If so, why?


I'm very grateful for any reply I get.


Kind regards,

TSLura.



Well, this is a big question and you will get very wide feedback and, I 
would guess, not much good, but I sure could be wrong.


From my own experience having to deal with them for years and sadly having 
plenty of SmartNet contracts as well, the only thing I can tell you, and 
there is a lot, is this: the only time I hear from Cisco, even if some IOS 
may have big bugs in them that may affect me, is when the SmartNet renewal 
time comes! One would think that they might follow up with their own 
urgent fix, but no!


For ISL, you already got that reply, but a few years ago they were still 
trying to force you to buy their switches and use ISL over the 
standard 802.11Q!


For VoIP, even if SIP is the wide standard, they still try to lock you 
into their Skinny protocol over the wide standard one, and even if you have 
SmartNet on their 7960 SIP phones, unless you use their own proprietary 
system they will not support the SIP standard and provide IOS upgrades 
for it as they should, even with SmartNet. They called me on that and tried 
to talk me into it, but I cancelled ALL the SmartNet for ANY Cisco IP phones, 
and that's a lot of them. What's the point of having SmartNet if you 
can't get IOS upgrades? Their answer was that for the physical device, if 
it breaks, you get it replaced and all. Well, you know what, if it breaks I 
can replace it with Polycom instead and they support it better than 
Cisco does! But if I can't do that, then even getting a new Cisco is 
better and cheaper in the end than having a worthless SmartNet on the 
phones!


As for open standards, CARP and VRRP are a good example; you can research 
that if you like. That's an OpenBSD solution over a Cisco supposedly 
Open one!


Then you have the same thing when you need new equipment: if you tell 
Cisco that you are looking at a competitor's product, then you 
will get a discount as long as you know what you are talking about on the 
hardware. Never on the SmartNet. But very interestingly here, if you 
talk about Open solutions, like bgpd or even ospfd, or better 
yet, the upcoming MPLS, then you really get them talking, and yes, they 
will call you and try to talk you into not touching that, telling you 
all kinds of bullshit that it's not supported, that you will get problems, 
it will not work, that you will be better served by Cisco and they will 
stand by you to help you in an emergency and all that crap sales talk.


Don't get me wrong, Cisco does have good products for the most part. They 
will help some, maybe not as they should for sure if you have SmartNet, 
but that will cost you big time!


However, you will be stuck in this endless continuous underpowered 
hardware that needs constant upgrades all the time, and they will suck you 
dry in SmartNet contracts for not much service in the end, provided sadly 
in the last few years half the time by people that you can't even 
understand when you talk to them. Sadly the ones I find the best are when 
you open your ticket at night and you get them from down under in 
Australia. They follow up better and give you better feedback than sadly 
anyone so far I got in the US, and definitely much better than when you 
are so unlucky to get them from Asia, where most of them follow their script 
to the letter when you talk to them. You will get some 
good ones at times, but by far it's not the norm, as long as you can 
understand them. Don't get me wrong, some are very nice and know their 
stuff, but that's not the norm by far, and for the price you have to pay 
for your SmartNet, you sure as hell have the right to expect BETTER!!!


In short, my own experience is as follows. The niceness of Cisco is 
directly in reverse of the choice of solution you pick being the start 

Re: Apache - bandwidth usage limit per vhost

2010-03-11 Thread Ozgur Kazancci
 Just curious..   did 'apachectl graceful' tell you anything about that
missing file when testing?
--

No, 'apachectl graceful' did not give any error.



Re: sysctl(3)

2010-03-11 Thread Jason McIntyre
On Thu, Mar 11, 2010 at 05:22:39PM +0001, Jason McIntyre wrote:
 On Thu, Mar 11, 2010 at 06:02:49PM +0100, Toni Mueller wrote:
  On Thu, 11.03.2010 at 14:31:46 +0100, Toni Mueller openbsd-m...@oeko.net 
  wrote:
   But I'll now grab 'comp' too and see if that helps.
  
  I've now looked at the man page in -current, and it does not cover the
  leaves below PF_KEY.
  
 
 i think otto meant only about the missing page, not the PF_KEY stuff.
 that is currently documented, but we're working on a fix...
 

er, undocumented rather.
jmc



openbsd on EFI

2010-03-11 Thread Ted Roby
I'm a mac user who switched because of System 10 (10.1).
I like the bsd env, but I have found myself back on my true
security blanket, OpenBSD.

I've read various opinions on EFI, and know what to expect
as a reply from the hard-liners, but I would like to get a
more general opinion of all who contribute to this list regarding
their opinions on EFI from the angle of reliability and security.

At its most extreme, EFI seems to create a sub-layer where
the Operating System never truly has control of the hardware.

Given that scenario, is there any possibility (and desire) of
flashing the EFI with an Open (read, OpenBSD approved) solution?

I'm not talking about rEFIt, which I use, but a more
permanent equation. As it is now, rEFIt does not replace anything.
This is evidenced by the fact that resetting PRAM
(cmd+option+p+r at startup, three times) restores the original
bootloader. I assume the copy used for this restore can't be entirely
Read-Only as Apple wants to update it as well.

I am keeping my current Macbook (rev3,1) in a devel state, and
am entirely compliant with any desired experimentation.
If there's a high possibility this experimentation could fry my chips,
then I just need a year to complete my AppleCare coverage. (haha!)



Re: Apache - bandwidth usage limit per vhost

2010-03-11 Thread Ozgur Kazancci
  Just curious..   did 'apachectl graceful' tell you anything about that
  missing file when testing?
  That's my first and favorite debug command for apache esp. in production
  env.
 
 
 
 Sorry!!  I meant to ask about 'apachectl configtest'. THAT is my
 favorite
--
No error.

# apachectl configtest
Processing config directory: /var/www/conf/modules/*.conf
 Processing config file: /var/www/conf/modules/host.conf
Syntax OK



pjsua + asterisk: debugging or working config

2010-03-11 Thread Jacob Yocom-Piatt
trying to get pjsua working with asterisk using a really basic config 
file and am having trouble: registration keeps timing out.


here is the config file:

--registrar=sip:A.B.C.D 
--id=sip:u...@a.b.c.d

--realm=*
--username=user
--password=pass

pjsua then sends registration requests and times out.

12:30:21.978   pjsua_core.c TX 410 bytes Request msg 
REGISTER/cseq=51529 (tdta0x20b5330a8) to UDP A.B.C.D:5060:

REGISTER sip:A.B.C.D SIP/2.0
Via: SIP/2.0/UDP 
172.17.57.242:5060;rport;branch=z9hG4bKPj6ac2000313cd8c03

Max-Forwards: 70
From: sip:u...@a.b.c.d;tag=6ac2000213cd8c03
To: sip:u...@a.b.c.d
Call-ID: 6ac2000113cd8c03
CSeq: 51529 REGISTER
User-Agent: PJSUA v0.7.0/openbsd
Contact: sip:u...@a.b.c.d:5060;transport=UDP
Expires: 55
Content-Length:  0

any clues as to how i can debug this or a working configuration for use 
with asterisk would be appreciated.


cheers,
jake



Re: help with mail retrieval/cleaning/storage setup using openbsd

2010-03-11 Thread Tomas Bodzar
http://www.kernel-panic.it/openbsd/mail/


On Thu, Mar 11, 2010 at 5:59 PM,  inet_use...@samerica.com wrote:
 Hi,

 I need to setup an obsd box to work as a local storing mail server
 (where I can run some antivirus like clamav), for a domain that is
 hosted on the web.

 My idea is to have a script that periodically fetches the mail for all
 users, via POP3 or other protocol, from the Internet domain
 hosting service, runs some kind of antivirus software and then
 stores them locally for later retrieval (via POP3 or IMAP) by the
 users.

 Has anyone worked on a similar setup and could share some
 insights?

 Thanks in advance.

 Regards,

 Jose





-- 
http://www.openbsd.org/lyrics.html



Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread Ted Roby
On Thu, Mar 11, 2010 at 4:13 AM, TS Lura tsl...@gmail.com wrote:

 Dear OpenBSD community,

 I'm doing a small research paper on Cisco and trying to find out if they are
 evil or not in relation to open/free source/standards, and business
 practice. E.g. locking people into their product line, aka the MS way.


My experience has nothing to do with the sales/support side of Cisco, but
I'm going to reply anyway!

As a sys admin with servers located at the old Mae West building
(San Jose, Market and Post), I had a password dictionary attack launched
against my mail server from a compromised machine inside of Cisco's
test labs. I was able to verify through unrelated networks and DNS servers
that the compromised machine was located in their test labs in San Jose.

Most of you with this experience will agree that an attack from within the
same city as your server, let alone the same country, is quite rare.

Despite my emailing all associated admin addresses I could find with
Cisco, and even getting one reply back from a sysadmin of theirs, the
machine remained corrupted and spewing out dictionary attacks for
quite some time. Of course, I was blocking it both at the application and
firewall. After a couple of weeks I gave up checking to see if the machine
had even been shutdown.

As a person who Cisco had no monetary interest in, but was directly
affecting
through their own negligence, I received as much care as Ben Stein might
expect from a 1935 German Healthcare Plan.



Re: IPv6, ftp-proxy and PF rules

2010-03-11 Thread FRLinux
On Thu, Mar 11, 2010 at 6:45 AM, Mattieu Baptiste mattie...@gmail.com wrote:
 correctly routed on my firewall. But as I don't want to route a giant
 port range for FTP on this firewall, I intend to use ftp-proxy. But
 the rdr-to rule doesn't seem to redirect packets to the ftp-proxy
 process.

I get you now. Since this is a newish feature, I guess it needs more testing :)

Steph



Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread Brad Tilley
On Thu, 11 Mar 2010 15:43 +, TS Lura tsl...@gmail.com wrote:
 I'm sorry.
 
 My intent was not to be inflammatory.
 
 My experience with Cisco as a company is limited, so I'm therefore trying to
 find out more. In that process I may be asking a controversial question.
 Which for some is quite obvious.
 
 Thanks for the replies so far.
 
 .tsl

Do they donate to OpenSSH? They use it a lot, but they are not listed
here:

http://openbsd.org/donations.html

Maybe they donate privately.

Brad



Re: apachectl restart bug?

2010-03-11 Thread David Coppa
On Thu, 11 Mar 2010, Gilles Chehade wrote:

 On Thu, Mar 11, 2010 at 03:20:33PM +0100, Antoine Jacoutot wrote:
  On Thu, 11 Mar 2010, Ozgur Kazancci wrote:
  
   When apachectl issues a restart, it sends a SIGHUP signal to httpd,
   and when httpd receives this signal, it doesn't exit from its chroot.
   So, apachectl restart becomes non-functional when you have external
   modules via LoadModule in your httpd.conf.
   
   I have the following line in my httpd.conf:
   
   LoadModule throttle_module  /usr/lib/apache/modules/mod_throttle.so
   
   When you have such a line, (and the module file exists there) apache
   doesn't want to restart (apachectl restart) anymore.
  
  Oh come on, at least read the apachectl(8) man page.
  
 
 or the FAQ ...

Is this something utterly stupid?

just wasting some time...
david

--- apachectl.orig  Wed Mar  3 23:20:53 2010
+++ apachectl   Thu Mar 11 20:11:31 2010
@@ -27,6 +27,9 @@
 # the path to your httpd binary, including options if necessary
 HTTPD=/usr/sbin/httpd
 #
+# the path to your httpd configuration file
+CONFIGFILE=/var/www/conf/httpd.conf
+#
 # a command that outputs a formatted text version of the HTML at the
 # url given on the command line.  Designed for lynx, however other
 # programs may work.  
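Review bot: CONFIGFILE is a fixed path, but this script passes $RCFLAGS through to httpd (the `$HTTPD $RCFLAGS -t` test in the next hunk), so an admin who sets -f or -d there runs httpd against a configuration other than the one this variable names, and the later LoadModule grep would inspect the wrong file. Derive CONFIGFILE from those flags when they are present, or say in the comment that the new logic only covers the stock /var/www/conf/httpd.conf. A grep of this single file also misses modules loaded from Include'd files.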
@@ -116,11 +119,19 @@
fi
else
if $HTTPD $RCFLAGS -t /dev/null 21; then
-   if kill -HUP $PID ; then
-   echo $0 $ARG: httpd restarted
+   if ps ax | grep $PID | grep chroot /dev/null  \
+   egrep '^ *LoadModule' $CONFIGFILE /dev/null
+   then
+   echo $0 $ARG: httpd chrooted with external modules
+   echo $0 $ARG: trying stop/start
+   $0 stop  sleep 2  $0 start
else
-   echo $0 $ARG: httpd could not be restarted
-   ERROR=6
+   if kill -HUP $PID ; then
+   echo $0 $ARG: httpd restarted
+   else
+   echo $0 $ARG: httpd could not be restarted
+   ERROR=6
+   fi
fi
else
echo $0 $ARG: configuration broken, ignoring restart
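Review bot: `ps ax | grep $PID | grep chroot` is not a reliable test that this httpd is chrooted: the unanchored grep for $PID also matches any process whose PPID, TTY, time or other field happens to contain those digits, and the grep processes themselves can appear in the listing. Restrict the check to the one process, e.g. `ps -p $PID -o command`, before looking for chroot in its title. Separately, the new stop/start branch never sets ERROR: if `$0 stop` or `$0 start` fails, the script still exits as if the restart succeeded, whereas the kill -HUP branch sets ERROR=6 on failure; test the stop/start result and set ERROR the same way.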



4.7: huge partition at install time

2010-03-11 Thread Harald Dunkel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

I tried today's installer CD of 4.7. Installation went fine, except
for one problem: It failed to initialize the 1.4 TByte data partition,
and on the first reboot it complained about a file system problem and
entered single user mode.

Surely no big thing, but I wonder whether it would be possible to use
ffs2 by default, if the partition is too huge for ffs?


Regards

Harri
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuZTMYACgkQUTlbRTxpHjdtRQCgkcG+Y5SZ+/nyPYxwjFCxfcdN
q7AAoJKtHHND9+btXeS8kgkvil5tcM8d
=MXh6
-----END PGP SIGNATURE-----



Re: 4.7: huge partition at install time

2010-03-11 Thread Tomas Bodzar
No one canceled RTFM and UTFG

http://www.openbsd.org/faq/faq14.html#LargeDrive

On Thu, Mar 11, 2010 at 9:04 PM, Harald Dunkel ha...@darkharri.de wrote:
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 Hi folks,

 I tried today's installer CD of 4.7. Installation went fine, except
 for one problem: It failed to initialize the 1.4 TByte data partition,
 and on the first reboot it complained about a file system problem and
 entered single user mode.

 Surely no big thing, but I wonder whether it would be possible to use
 ffs2 by default, if the partition is too huge for ffs?


 Regards

 Harri
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

 iEYEARECAAYFAkuZTMYACgkQUTlbRTxpHjdtRQCgkcG+Y5SZ+/nyPYxwjFCxfcdN
 q7AAoJKtHHND9+btXeS8kgkvil5tcM8d
 =MXh6
 -----END PGP SIGNATURE-----





-- 
http://www.openbsd.org/lyrics.html



Re: openbsd on EFI

2010-03-11 Thread Stuart Henderson
On 2010-03-11, Ted Roby ted.r...@gmail.com wrote:
 At its most extreme, EFI seems to create a sub-layer where
 the Operating System never truly has control of the hardware.

since the 386SL cpu, i386 machines have had SMM (system management
mode) which runs underneath the OS...



Re: pjsua + asterisk: debugging or working config

2010-03-11 Thread Stuart Henderson
On 2010-03-11, Jacob Yocom-Piatt j...@fixedpointgroup.com wrote:
 trying to get pjsua working with asterisk using a really basic config 
 file and am having trouble: registration keeps timing out.

 here is the config file:

 --realm=*

a literal '*'? you probably need whatever's set in asterisk/sip.conf
as realm.

--no-vad may be useful too.



Your Company in Front of 35 Million Mexican Internet Users - iMex´10 March 26 Mexico DF - Presented by Google, WSI, OCC Mundial and Doppler

2010-03-11 Thread Pamela Huerta
If you cannot view the content of this newsletter correctly, click here

Congress & Marketing presents

iMex´10 National Congress
Internet Marketing Experts Mexico City
Sponsored by
Google - WSI We Simplify The Internet - OCC Mundial - Doppler E-Mail
Marketing Made Simple

Be Seen to Be Profitable
The Internet as a marketing medium offers exceptional benefits and
brand-recognition potential for every kind of industry. An unprecedented
event that proposes cutting-edge alternatives and technology, presented by
leaders in the field. Internet marketing is highly profitable, offers many
unique advantages that traditional advertising cannot match, as well as
high-impact, high-performance tools that will build a real link between
your company and your target market.

Objectives and benefits
What can Internet marketing do for my business?
- Generate traffic to your website or physical premises (lead generation,
sales, etc.)
- Improve your online promotional activities: one more way to reach
customers
- Extend your brand positioning into new markets
- Give your business an advantage over your competition
- Reduce your marketing costs while improving your results

Friday, March 26, 2010 - Crowne Plaza Hotel de México

Some of the general topics to be covered
. Your presence on the internet
. Positioning, targeted traffic and online marketing
. The impact of social networks as a business strategy
. Google's vision
. e-mail Marketing
And many more!

Download the PDF brochure with event details and prices: Click Here

Congress & Marketing Online S.C.
© 2009 - Afinandoideas.com. All rights reserved.
Telephones in the city of Guadalajara 01(33)1201-6898, (33)1562-1784 and
(33)3110-6502

This message has been sent to misc@openbsd.org as a user of Congress &
Marketing, or because a user referred you to receive this newsletter. As a
user of Congress & Marketing, you hereby expressly authorize Congress &
Marketing to contact you via e-mail or other means. If you have received
this message in error, disregard it and report your account by replying to
this e-mail with the subject BAJA CM000SCRMZ. To unsubscribe from this
mailing list, reply with a blank message with the subject UNSUBSCRIBE
CM000SCRMZ. Please note that the management of our databases is of the
utmost importance and it is not the company's intention to cause the
recipient any displeasure.



Re: 4.7: huge partition at install time

2010-03-11 Thread Harald Dunkel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/11/10 21:18, Tomas Bodzar wrote:
 No one canceled RTFM and UTFG
 
 http://www.openbsd.org/faq/faq14.html#LargeDrive
 

I am not talking about the boot partition, but about a data partition
set up at install time.

Not to mention that OpenBSD is so easy to install, you hardly need
the documentation :-).


Regards

Harri
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAkuZWDAACgkQUTlbRTxpHjfffACWPEkIhd9CPHSi7qSAWRp4q8pO
SACeOjdPIHfpJ8K45Ij80Yws7ar++xI=
=BBMh
-----END PGP SIGNATURE-----



Re: Atheros AR5212 802.11a/b/g mini-pci wont do 802.11g hostap

2010-03-11 Thread Aaron Mason
Yeah, this is something I did battle with a while ago.  I have a laptop
with an Atheros 5005 based card that I use as a gateway between a
wired and wireless network.  As far as I know, the ath(4) driver
doesn't have the ability to do 11g, only 11a and 11b.  Same thing with
a DCMA81 11abg card.

I can't see it being too hard to do, the driver will support OFDM54 -
whether this will cooperate with a 802.11g based router I couldn't
say.

On Thu, Mar 11, 2010 at 2:54 AM, Forman, Jeffrey j...@jeffreyforman.net
wrote:
 To do some more testing, I upgraded to the latest i386 snapshot, but it seems
 that I get the same results. 802.11a/b work, but not g. A subscriber emailed
 me off list about forcing mode 11g in the hostname.ath0 file, which I did.
 But to no avail, that did not work either.


 On Wed, Mar 10, 2010 at 8:48 AM, Forman, Jeffrey j...@jeffreyforman.net wrote:

 Hi Misc,

 I have recently built myself a pcengines alix single board computer with a
 Winstrom CM9 (atheros ar5212) mini pci wifi card, that according to ath(4)
 supports hostap mode. I believe I have my hostname.ath0 file set up
 correctly, but the card refuses to go into 11g mode, only using 11b/11a.
 When attempting to run sh /etc/netstart ath0 with the below
 hostname.ath0, I receive no error message. The card just goes into 11b or
 11a mode.

 Is there something I'm missing, or any debugging I can provide to get this
 functionality working? Currently I am running the 4.6 stable branch on this
 machine.

 Thanks,
 Jeff

 dmesg:
 OpenBSD 4.6-stable (GENERIC) #2: Sun Mar  7 23:07:23 EST 2010
 r...@builder:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class)
 499 MHz
 cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
 real mem  = 268009472 (255MB)
 avail mem = 250335232 (238MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
 pcibios0 at bios0: rev 2.1 @ 0xf/0x1
 pcibios0: pcibios_get_intr_routing - function not supported
 pcibios0: PCI IRQ Routing information unavailable.
 pcibios0: PCI bus #0 is the last bus
 bios0: ROM list: 0xe/0xa800
 cpu0 at mainbus0: (uniprocessor)
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x33
 glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
 vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 10,
 address 00:0d:b9:1b:b6:4c
 ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
 0x004063, model 0x0034
 vr1 at pci0 dev 10 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
 address 00:0d:b9:1b:b6:4d
 ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
 0x004063, model 0x0034
 vr2 at pci0 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 15,
 address 00:0d:b9:1b:b6:4e
 ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
 0x004063, model 0x0034
 ath0 at pci0 dev 12 function 0 Atheros AR5212 rev 0x01: irq 9
 ath0: AR5213A 5.9 phy 4.3 rf5112a 3.6, FCC2A*, address 00:1b:b1:02:de:ad
 glxpcib0 at pci0 dev 15 function 0 AMD CS5536 ISA rev 0x03: rev 0, 32-bit
 3579545Hz timer, watchdog, gpio
 gpio0 at glxpcib0: 32 pins
 pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0
 wired to compatibility, channel 1 wired to compatibility
 wd0 at pciide0 channel 0 drive 0: SanDisk SDCFH-008G
 wd0: 1-sector PIO, LBA, 7641MB, 15649200 sectors
 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
 pciide0: channel 1 ignored (disabled)
 ohci0 at pci0 dev 15 function 4 AMD CS5536 USB rev 0x02: irq 12, version
 1.0, legacy support
 ehci0 at pci0 dev 15 function 5 AMD CS5536 USB rev 0x02: irq 12
 usb0 at ehci0: USB revision 2.0
 uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
 isa0 at glxpcib0
 isadma0 at isa0
 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
 com0: console
 com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
 pcppi0 at isa0 port 0x61
 midi0 at pcppi0: PC speaker
 spkr0 at pcppi0
 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
 usb1 at ohci0: USB revision 1.0
 uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
 biomask 71e7 netmask ffe7 ttymask 
 mtrr: K6-family MTRR support (2 registers)
 nvram: invalid checksum
 umass0 at uhub0 port 1 configuration 1 interface 0 Western Digital
 External HDD rev 2.00/1.75 addr 2
 umass0: using SCSI over Bulk-Only
 scsibus0 at umass0: 2 targets, initiator 0
 sd0 at scsibus0 targ 1 lun 0: WD, 2500BMV External, 1.75 SCSI2 0/direct
 fixed
 sd0: 238475MB, 512 bytes/sec, 488397168 sec total
 softraid0 at root
 root on wd0a swap on wd0b dump on wd0b

 # cat /etc/hostname.ath0

 inet 10.10.1.1 255.255.255.0 10.10.1.255 mediaopt hostap nwid mywifi wpa
 wpaciphers tkip,ccmp wpapsk redacted description Wireless HostAP

 # ifconfig ath0 media
 ath0: flags=8863UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST mtu
 1500
 lladdr 00:1b:b1:de:ad
 description: Wireless 

Re: apachectl restart bug?

2010-03-11 Thread Denis Doroshenko
On 3/11/10, David Coppa dco...@gmail.com wrote:
  Is this something utterly stupid?

  just wasting some time...
  david

  --- apachectl.orig  Wed Mar  3 23:20:53 2010
  +++ apachectl   Thu Mar 11 20:11:31 2010
  @@ -27,6 +27,9 @@
   # the path to your httpd binary, including options if necessary
   HTTPD=/usr/sbin/httpd
   #
  +# the path to your httpd configuration file
  +CONFIGFILE=/var/www/conf/httpd.conf

it may fail in case one uses -d and/or -f flags to the httpd (e.g.
sets them in /etc/rc.conf or /etc/rc.conf.local)

  +#
   # a command that outputs a formatted text version of the HTML at the
   # url given on the command line.  Designed for lynx, however other
   # programs may work.
  @@ -116,11 +119,19 @@
 fi
 else
 if $HTTPD $RCFLAGS -t /dev/null 21; then
  -   if kill -HUP $PID ; then
  -   echo $0 $ARG: httpd restarted
  +   if ps ax | grep $PID | grep chroot /dev/null  \
  +   egrep '^ *LoadModule' $CONFIGFILE /dev/null
  +   then
  +   echo $0 $ARG: httpd chrooted with external modules
  +   echo $0 $ARG: trying stop/start
  +   $0 stop  sleep 2  $0 start
 else
  -   echo $0 $ARG: httpd could not be restarted
  -   ERROR=6
  +   if kill -HUP $PID ; then
  +   echo $0 $ARG: httpd restarted
  +   else
  +   echo $0 $ARG: httpd could not be restarted
  +   ERROR=6
  +   fi
 fi
 else
 echo $0 $ARG: configuration broken, ignoring restart
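Review bot: `egrep '^ *LoadModule' $CONFIGFILE` treats any LoadModule directive as a reason to skip SIGHUP, but as Ozgur found earlier in this thread, a module whose path resolves inside the chroot (his copy in /var/www/conf/modules) restarts fine with plain `apachectl restart`; only a LoadModule path that does not exist under the chroot needs the stop/start fallback. Check each module path relative to the chroot directory instead of keying on the directive's presence, so a correctly set up server keeps the kill -HUP path and its ERROR handling.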



Re: 4.7: huge partition at install time

2010-03-11 Thread Bryan

On 3/11/2010 2:53 PM, Harald Dunkel wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/11/10 21:18, Tomas Bodzar wrote:

No one canceled RTFM and UTFG

http://www.openbsd.org/faq/faq14.html#LargeDrive



I am not talking about the boot partition, but about a data partition
set up at install time.

Not to mention that OpenBSD is so easy to install, you hardly need
the documentation :-).



That is your first mistake.

For one thing, you mentioned a file system problem... what was the 
exact error?  If you are trying to fsck that slice, you'll have to wait 
a long time, and you'll need a whole gob of RAM to fsck it.  You'd do 
better splitting that into two disks.  Search the mailing list for large 
drive issue...


Bryan



Re: 4.7: huge partition at install time

2010-03-11 Thread Stuart Henderson
On 2010-03-11, Harald Dunkel ha...@darkharri.de wrote:

 On 03/11/10 21:18, Tomas Bodzar wrote:
 No one canceled RTFM and UTFG
 
 http://www.openbsd.org/faq/faq14.html#LargeDrive
 

 I am not talking about the boot partition, but about a data partition
 set up at install time.

 Not to mention that OpenBSD is so easy to install, you hardly need
 the documentation :-).

Maybe we should make it harder then!
Read the FFS vs. FFS2 section.



Re: OT: multiple web servers on OpenBSD (WAS: OT: vmware blah blah)

2010-03-11 Thread Claus

Scott McEachern wrote:

... I ended up doing this:

- one OpenBSD box, with multiple IP address aliases
- one OpenBSD firewall, which rdr's external IPs to the appropriate  
  webserver IP
- 5 chrooted OpenBSD default (1.3.29) Apache's (at this time, I have no 
  need for Apache 2, but hey, it's in ports.)

- 5 custom httpd.conf files for each
- 5 custom php.ini files for each (plus other related config file friends)
- 5 different httpd daemons for each (httpd0-4), just in case
- virtual aliases with Apache is not a solution because the sites use 
  https/ssl

- all the sites have all the php-*, pear-*, mod_* stuff at their disposal


I have the same setup running.  Each apache instance runs chrooted under 
its own user id and home directory.


The setup I had before that was more interesting as it only needed one 
IP.  A main httpd instance was set up to proxy for the individual 
httpd instances of each site.  The main instance ran on port 80 with the 
real IP.  The site instances ran on localhost, each with their own port 
number, and weren't accessible from outside of the machine.  Logging, SSL 
and maintenance are a pain though.




ftp-proxy for outgoing connection

2010-03-11 Thread Christopher Zimmermann
Hi,

my -current firewall is configured to block all in, block all out 
and allow only certain outbound connections.

Now I want to allow outbound ftp connections.

I read ftp-proxy(8) and 
http://openbsd.org/faq/pf/ftp.html#client.

As I understand it, ftp-proxy could be used to create rules for 
inbound and outbound connections on 4.6. Now on -current the rdr 
keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
suggests using rdr-to, but this only works for inbound 
connections.

Is it possible to allow ftp connections from a local client to
public ftp servers on the internet? Possibly by using ftp-proxy?


Kind regards,

Christopher



Re: OT: multiple web servers on OpenBSD (WAS: OT: vmware blah blah)

2010-03-11 Thread Matthew Weigel
On Thu, 11 Mar 2010 16:47:54 -0600, Claus cnie...@gmx.net wrote:

 I have the same setup running.  Each apache instance runs chrooted under

 their own user id and home directory.

That's a lot of apache instances running... and how much functionality are
you really getting out of them?

Lighttpd or NginX with FastCGI works very well.  I'm running php-fastcgi
once per domain, chrooted to its virtual host directory; I've also got
non-PHP FastCGI applications running in unrelated chroots.

One process (lighttpd) handles SSL and most logging (each PHP instance logs
in its chroot, but that separates different users' PHP logs too).
Maintenance is still a pain, though, as I have to copy all relevant
binaries, PHP modules, and dependent shared libraries into each chroot
every upgrade.  I keep meaning to write a script to maintain that: copy new
binaries (e.g., php-fastcgi) over, determine what shared objects they link
to, copy those over, and delete old versions.
-- 
 Matthew Weigel
 hacker
 unique  idempot . ent
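A script along the lines Matthew describes, written here as an added POSIX sh example (not from the thread or any OpenBSD tool). It assumes ldd(1) prints each shared object as an absolute path somewhere on its line, which holds for both OpenBSD's and GNU's ldd; it copies each binary and its objects into the chroot under their original paths, and reports, rather than deletes, files under the chroot's lib directories that none of the listed binaries still need, so the old versions can be reviewed before removal.

```shell
#!/bin/sh
# Added example: keep a chrooted daemon's binaries and shared libraries in
# sync with the host. Assumes ldd(1) prints shared objects as absolute paths
# (OpenBSD and GNU ldd both do); a statically linked binary is copied alone.

# needed_objects BIN... : the binaries plus every shared object they link
# to, as absolute paths, one per line, without duplicates.
needed_objects() {
    for bin; do
        echo "$bin"
        # keep only whitespace-separated fields that are absolute paths;
        # OpenBSD ldd prints a "/path/to/bin:" header, so drop a trailing colon
        ldd "$bin" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { sub(/:$/, "", $i); print $i } }'
    done | sort -u
}

# install_into_chroot CHROOT BIN... : copy each needed object to CHROOT/<path>,
# creating directories as required and replacing only files that changed.
install_into_chroot() {
    chroot_dir=$1; shift
    needed_objects "$@" | while read -r path; do
        dest="$chroot_dir$path"
        mkdir -p "$(dirname "$dest")"
        # cmp -s fails when dest is missing or differs, so new versions are
        # copied and unchanged ones keep their timestamps
        if ! cmp -s "$path" "$dest"; then
            cp -p "$path" "$dest"
        fi
    done
}

# stale_objects CHROOT BIN... : files under CHROOT/lib and CHROOT/usr/lib that
# none of the listed binaries need any more; printed, never deleted here.
stale_objects() {
    chroot_dir=$1; shift
    needed=$(needed_objects "$@")
    find "$chroot_dir/lib" "$chroot_dir/usr/lib" -type f 2>/dev/null |
    while read -r f; do
        rel=${f#"$chroot_dir"}
        printf '%s\n' "$needed" | grep -qxF "$rel" || echo "$f"
    done
}

# sync_chroot CHROOT BIN... : install, then list what is left over.
# e.g. sync_chroot /var/www/site1 /usr/local/bin/php-fastcgi
sync_chroot() {
    install_into_chroot "$@"
    stale=$(stale_objects "$@")
    [ -z "$stale" ] || printf 'no longer needed, review before removing:\n%s\n' "$stale"
}

if [ "$#" -ge 2 ]; then
    sync_chroot "$@"
fi
```

Keeping the chroot to exactly the objects ldd reports is also the least-privilege outcome: anything in the jail that no daemon links against is extra attack surface should a FastCGI process be compromised, which is why the stale list is printed for a human rather than removed automatically.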



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Noah Pugsley
Use 4.6, read this: http://www.openbsd.org/faq/current.html#20090901 or 
wait until 4.7 and read the new man page.


Cheers,
noah

Christopher Zimmermann wrote:

Hi,

my -current firewall is configured to block all in, block all out 
and allow only certain outbound connections.


Now I want to allow outbound ftp connections.

I read ftp-proxy(8) and 
http://openbsd.org/faq/pf/ftp.html#client.


As I understand it, ftp-proxy could be used to create rules for 
inbound and outbound connections on 4.6. Now on -current the rdr 
keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
suggests using rdr-to, but this only works for inbound 
connections.


Is it possible to allow ftp connections from a local client to
public ftp servers on the internet? Possibly by using ftp-proxy?


Kind regards,

Christopher




Re: IPv6, ftp-proxy and PF rules

2010-03-11 Thread Claudio Jeker
On Mon, Mar 08, 2010 at 10:36:46AM +0100, Mattieu Baptiste wrote:
 Hi all,
 
 I have a public FTP server accessible through redirections on my
 firewall via ftp-proxy (my server has a private IPv4 address on a
 local subnet).
 I'd like to make it accessible through my IPv6 connectivity (gif
 tunnel with hurricane electric). With this IPv6 connectivity, all my
 servers have public addresses. But I can't find a way to do it with
 ftp-proxy which seems to support my setup.
 
 In my pf.conf I have:
 
 anchor ftp-proxy/*
 pass in log quick on gif0 inet6 proto tcp to port ftp rdr-to ::1 port 8121
 
 Then I start the IPv6 instance of ftp-proxy with:
 
 /usr/sbin/ftp-proxy -6 -p 8121
 
 I tried to start ftp-proxy with -vv -D 7 but I haven't any output
 (with the IPv4 instance of ftp-proxy I can see the ftp connection).
 Nothing happens. It seems the redirection in my pf.conf isn't
 happening. On the other hand, with the log keyword on this rule, the
 rule correctly matches since I can see it on pflog0...
 
 Any Ideas ?
 

Local IPv6 redirects do not work, at least not to ::1. This is a
bu^Wfeature in netinet6. It seems none of our IPv6 users care too much to
fix it (or they're equally scared of the code).

-- 
:wq Claudio



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Stuart Henderson
On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
 Hi,

 my -current firewall is configured to block all in, block all out 
 and allow only certain outbound connections.

 Now I want to allow outbound ftp connections.

 I read ftp-proxy(8) and 
 http://openbsd.org/faq/pf/ftp.html#client.

 As I understand it, ftp-proxy could be used to create rules for 
 inbound and outbound connections on 4.6. Now on -current the rdr 
 keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
 suggests using rdr-to, but this only works for inbound 
 connections.

 Is it possible to allow ftp connections from a local client to
 public ftp servers on the internet? Possibly by using ftp-proxy?

I suspect your understanding of inbound is from the viewpoint
of your network; PF doesn't care about that at all, it's only
concerned with whether a packet is inbound or outbound to a
particular interface.

rdr only works for inbound connections too.

A rule like the following works just fine for a ftp connection
from a local client to a public ftp server:

pass in quick log on {lan, wifi, natted} inet proto tcp \
to port 21 rdr-to 127.0.0.1



Re: Route modified dynamically

2010-03-11 Thread Stuart Henderson
On 2010-03-10, Massimo Lusetti mass...@cedoc.mo.it wrote:
 Hi misc,
   I got a 4.5 box which acts as a perimeter ipsec routing gateway, it
   has 682 flows (by ipsecctl -sf | wc -l).

 Some of these flows are up with a static route to the other point of the
 ipsec tunnel and some of these routes are changing dynamically (netstat
 shows UGHMS flags).

 When these routes change dynamically my tunnel falls because I cannot
 reach my tunnel endpoint anymore.

 Probably these redirects are coming from some ciscozze with HSRP or
 something and I've already asked the ciscozze admin to look without any
 luck so I guess I've to do something on my side and I'm here to ask for
 hints.

M flag - yes, that's from a redirect. sysctl net.inet.icmp.rediraccept=0
should prevent them from being accepted, but there will be a reason
why you're getting them, you should try and work out what this is...



Re: OT: multiple web servers on OpenBSD (WAS: OT: vmware blah blah)

2010-03-11 Thread Scott McEachern

Claus wrote:


I have the same setup running.  Each apache instance runs chrooted 
under their own user id and home directory.




I realized after I sent that message that I left out a couple of 
details, like each instance also having its own user (www0-4).  I leave 
the default www user and /var/www stuff pretty much untouched in case I 
need to look at something 'untainted' by my fingers.  The normal install 
of the modules modifies those bits of course, which are later copied to 
the individual httpd homedirs as needed.  I don't recall exactly what 
does and doesn't need copying, I have it all _very_ thoroughly documented 
kinda script-like so I can reproduce it quickly if need be, with my 
notes and copy/paste-able mass link / copy / etc commands.


The setup I had before that was more interesting as it only needed one 
IP.  A main httpd instance was setup to do proxy for the individual 
httpd instances of each site.  The main instance ran on port 80 with 
the real IP.  The site instances ran on localhost with each their own 
port number and weren't accessible from outside of the machine.  
Logging, SSL and maintenance are a pain though.


I never tried the proxy method simply because I wanted all daemons to be 
autonomous.  If something died, so be it (I should note it's never 
happened yet).  Not to mention, I use a couple of the sites for 
development, so sometimes I have to kill an individual httpd{x} instance 
when I monkey with the config.


I have briefly considered moving from Apache to nginx, but haven't for 
a few reasons:


1) ATM, I don't need the performance of nginx vs. Apache, not by a long shot
2) I love the track record of OpenBSD's Apache.  It's been fine for me 
for years.
3) just when I was peeking into nginx (stable) a security vuln popped 
up.  I'm sure it's excellent, but *to me* it could mature, 
security-wise.  (no flames please)

4) time to play with it all and get everything nicely together
5) simple philosophy: if it ain't broke, don't fix it.

When I have time, I need to figure out some automated solution to deal 
with the logs.  I use cronolog for rotation with custom log file 
formats, and have plans to do some things with webalizer-type apps, but 
that's still on the back burner.


My interest is in using relayd to filter bad requests (again, back 
burner for now.)  I have *not* done my homework on this yet, but when I 
farted around with it briefly a few days back, I ran into problems with 
the relayd config for SSL acceleration.  Again, when I have time I'll 
look into it, but I was stumped and figured I'll make sure my RTFM-fu is 
strong before I post here about it.  (Besides, isn't it somehow more 
satisfying to finally go *aha I fixed my mistake* without asking for help?)


I knew I wasn't the only one that realized (for many circumstances, I'm 
not saying _all_) that VM'ing a lot of services is just silly, but it's 
nice to hear from others also doing the multiple httpd thing with OpenBSD.


For Matthew Weigel:

Yes, there are a lot of httpd instances.  I'm not entirely sure of how 
shared memory applies in this case (probably not), but on my web server 
my memory use is 129M/316M, and that includes a bunch of other daemons 
(eg. databases), when pretty much idle.  It has plenty of room to grow, 
but if memory becomes an issue, I'll look harder into nginx.  (I'd like 
to do it just for the knowledge, but again, time constraints.)


For the installation of everything into the chroot, I can't comment on 
non-Apache setups, but with Apache it loads that stuff before chrooting 
so only one installed version needs to be done, which makes life 
easier.  The links (etc) still have to be done.  It could easily be 
scripted, but I prefer to have my notes (with my big don't forget 
warnings) where I can just paste the commands.  If your documentation 
(notes) is solid, you'll be fine, and I just played musical tables with 
the servers (new drives for both) using carp and another box a few 
months back with no probs.  As long as your notes are thorough enough 
that a blind drunk moron could do it.. :)


Hope this isn't noise on the list.

--

-RSM

http://www.erratic.ca



Re: Route modified dynamically

2010-03-11 Thread Claudio Jeker
On Fri, Mar 12, 2010 at 12:28:33AM +, Stuart Henderson wrote:
 On 2010-03-10, Massimo Lusetti mass...@cedoc.mo.it wrote:
  Hi misc,
    I got a 4.5 box which acts as a perimeter ipsec routing gateway, it
    has 682 flows (by ipsecctl -sf | wc -l).
  
   Some of these flows are up with a static route to the other point of the
   ipsec tunnel and some of these routes are changing dynamically (netstat
   shows UGHMS flags).
  

Wow that's a strange flag combo. Why is S & M set together?
Hmm. Another strange routing thing I need to have a look at.
Most probably the cloning is done wrong.

   When these routes change dynamically my tunnel falls because I cannot
   reach my tunnel endpoint anymore.
  
   Probably these redirects are coming from some ciscozze with HSRP or
   something and I've already asked the ciscozze admin to look without any
   luck so I guess I've to do something on my side and I'm here to ask for
   hints.
  
 
 M flag - yes, that's from a redirect. sysctl net.inet.icmp.rediraccept=0
 should prevent them from being accepted, but there will be a reason
 why you're getting them, you should try and work out what this is...

-- 
:wq Claudio



Now is the right time to take care of your appearance

2010-03-11 Thread E-topshop
Top Shop

Home | Beauty | Get fit! | Household | Healthy living | Tips and entertainment

The perfect look without effort!

Ab Tronic X2: firm abs without exercise. Ab Tronic X2 works instead of you! 7,990 rsd

Hair Do - DISCOUNT!: a great hairstyle for every occasion in just a few minutes! Fits every type of hair perfectly! 6,791.5 rsd

Ab Rocket - DISCOUNT!: firm abs with minimal effort. Exercise with a pleasant back massage! 5,992 rsd

Leg Magic - DISCOUNT!: toned legs and buttocks with just 13 minutes of exercise a day! Look attractive. 6,391 rsd

Variolux Massager: full-body vibro-massage; shapes arms, legs, buttocks and stomach, eliminates cellulite! 14,990 rsd

Winsor Pilates 3 DVDs: the most popular pilates training programme in the world! With a DISCOUNT of as much as 62%! 1,341 rsd

2 x Snuggie - DISCOUNT!: the cold weather is not letting up. Get yourself and someone else the warmest blanket, with sleeves! 2,990 rsd

Proactiv + GIFT!: cream for oily skin. Prepare your face for summer. With slippers as a GIFT! 990 rsd

Velform Enhance Bra: 2 bust-lifting vests in black and cream. A seductive neckline in 1 minute! 3,490 rsd

Rejuvera + GIFT: complete facial care at a great price! Proactiv cream as a GIFT! 5,490 rsd

Body and hair care (Stara planinska riznica package): cosmetics package for body and hair care. Lotion and anti-dandruff shampoo + face and body cream. 1,590 rsd

Body care and relaxation (Stara planinska riznica relaxation and body care): cosmetics for body care and relaxation. Anti-cellulite gel + scrub salt + face and body cream. 1,690 rsd

Rina's 1+2 PACKAGE!: recipe books for losing weight and maintaining an ideal body weight. 1,190 rsd

H2O Mop Ultra: 3-in-1 steam cleaner for floors, carpets and furniture, all in one! 9,990 rsd

FlavorWave Turbo Oven: quick preparation of tasty, healthy meals, and several dishes at once! 11,490 rsd

Quelle 30% discount!

You are receiving this e-mail because you voluntarily left your e-mail address on one of the Top Shop sites, took part in our gift game or prize quiz, or signed up for the Top Shop e-magazine or that of one of our brands.

The offers in this e-mail apply only to orders placed via the Internet or the telephone number 021 489 26 60. Offers are valid until 31 March 2010 or while stocks last. We deliver only within Serbia.

If you no longer wish to receive our electronic messages, click here to unsubscribe from our e-mailing list. Enter your exact e-mail address in the form on the web page and confirm the unsubscription.

Studio Moderna d.o.o., Bulevar vojvode Stepe 30, 21000 Novi Sad, Tel: 021 489 26 60, Fax: 021 489 29 08, E-mail: i...@news.e-topshop.tv

If you would no longer like to receive our emails please unsubscribe by clicking here.



Re: loongson was -current or -stable [was: Not another Browser Question]

2010-03-11 Thread Siju George
On Sat, Mar 6, 2010 at 3:37 PM, Eric Furman ericfur...@fastmail.net wrote:
 Yea ,and its made by the Chinese.
 Fuck China.
 China is one of the worst murderous dictatorships
 in the last 500 years.
 If it was 1935 and the UberMensch PC would you
 all be falling over yourselves to get one??
 George Santayana is rolling over in his grave.
 My appy poly loggies for my political rant.
 Carry on...


Like OpenBGPD and Hitler?

--Siju



Re: Romanian Folk Music

2010-03-11 Thread Mihaela Tanase
Hello,
Here is a site with folk music where you can download free mp3s; I thought you might like folk music.
www.muzoon.go.ro



Your Company in Front of 35 Million Mexican Internet Users - iMex'10 March 26 Mexico City - Presented by Google, WSI, OCC Mundial and Doppler

2010-03-11 Thread Fernanda Rivas
If you cannot see the content of this newsletter correctly, click here.

Congress & Marketing presents

iMex'10 National Congress
Internet Marketing Experts Mexico City
Sponsored by
Google - WSI We Simplify The Internet - OCC Mundial - Doppler E-Mail Marketing Made Simple

Be Seen to Be Profitable
The Internet as a marketing medium offers exceptional benefits and brand-recognition potential for every type of industry. An unprecedented event proposing cutting-edge alternatives and technology, presented by leaders in the field. Internet marketing is highly profitable; it offers many unique advantages that traditional advertising cannot match, as well as high-impact, high-performance tools that will build a real link between your company and your target market.

Objectives and benefits
What can Internet marketing do for my business?
- Generate traffic to your website or physical premises (lead generation, sales, etc.)
- Improve your online promotional activities, one more way to reach customers
- Extend your brand positioning into new markets
- Give your business an advantage over your competition
- Reduce your marketing costs while improving your results

Friday 26 March 2010 - Crowne Plaza Hotel de México

Some of the general topics to be covered
. Your presence on the Internet
. Positioning, targeted traffic and online marketing
. The impact of social networks as a business strategy
. Google's vision
. E-mail marketing
And many more!

Download the PDF brochure with the event's details and costs: click here

Congress & Marketing Online S.C.
© 2009 - All rights reserved.
Telephone numbers in the city of Guadalajara: 01(33)1201-6898, (33)1562-1784 and (33)3110-6502

This message has been sent to misc@openbsd.org as a user of Congress & Marketing, or because a user referred you to receive this bulletin. As a user of Congress & Marketing, you hereby expressly authorise Congress & Marketing to contact you by e-mail or other means. If you have received this message in error, ignore it and report your account by replying to this e-mail with the subject BAJA CM000SCRMZ. Unsubscribe to this mailing list, reply a blank message with the subject UNSUBSCRIBE CM000SCRMZ. Please note that the management of our databases is of the utmost importance to us and it is not the company's intention to cause the recipient any displeasure.



Re: Route modified dynamically

2010-03-11 Thread Paul de Weerd
On Fri, Mar 12, 2010 at 01:43:39AM +0100, Claudio Jeker wrote:
| On Fri, Mar 12, 2010 at 12:28:33AM +, Stuart Henderson wrote:
|  On 2010-03-10, Massimo Lusetti mass...@cedoc.mo.it wrote:
|   Hi misc,
| I got a 4.5 box which acts as a perimeter ipsec routing gateway, it
| has 682 flows (by ipsecctl -sf | wc -l).
|  
|   Some of these flows are up with a static route to the other point of the
|   ipsec tunnel and some of these routes are changing dynamically (netstat
|   shows UGHMS flags).
|  
|
| Wow that's a strange flag combo. Why is S & M set together?

S&M both set ? Why are you not making a v6 joke, Claudio ? :)

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Vadim Zhukov
On 12 March 2010, 03:23:00 Stuart Henderson wrote:
 On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
  Hi,
 
  my -current firewall is configured to block all in, block all out
  and allow only certain outbound connections.
 
  Now I want to allow outbound ftp connections.
 
  I read ftp-proxy(8) and
  http://openbsd.org/faq/pf/ftp.html#client.
 
  As I understand it, ftp-proxy could be used to create rules for
  inbound and outbound connections on 4.6. Now on -current the rdr
  keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
  suggests using rdr-to, but this only works for inbound
  connections.
 
  Is it possible to allow ftp connections from a local client to
  public ftp servers on the internet? Possibly by using ftp-proxy?

 I suspect your understanding of inbound is from the viewpoint
 of your network; PF doesn't care about that at all, it's only
 concerned with whether a packet is inbound or outbound to a
 particular interface.

 rdr only works for inbound connections too.

 A rule like the following works just fine for a ftp connection
 from a local client to a public ftp server:

 pass in quick log on {lan, wifi, natted} inet proto tcp \
 to port 21 rdr-to 127.0.0.1

Well, if block out all is set on external interface then ftp-proxy
outgoing connections will be blocked - ftp-proxy(8) does not create PF
rules for connections itself. Something like

pass out on $ext_if from ($ext_if) to port ftp

will work around this, but I think ftp-proxy(8) should be fixed instead...

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: apachectl restart bug?

2010-03-11 Thread David Coppa
On Thu, Mar 11, 2010 at 10:39 PM, Denis Doroshenko
denis.doroshe...@gmail.com wrote:

 it may fail in case one uses -d and/or -f flags to the httpd (e.g.
 sets them in /etc/rc.conf or /etc/rc.conf.local)

This doesn't obey -d either:

# the path to your PID file
PIDFILE=/var/www/logs/httpd.pid

the problem is apachectl being generally crappy!

ciao,
david



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Christopher Zimmermann
On Fri, 12 Mar 2010 00:23:00 + (UTC) Stuart Henderson wrote:

 On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
  Hi,
 
  my -current firewall is configured to block all in, block all out 
  and allow only certain outbound connections.
 
  Now I want to allow outbound ftp connections.
 
  I read ftp-proxy(8) and 
  http://openbsd.org/faq/pf/ftp.html#client.
 
  As I understand it, ftp-proxy could be used to create rules for 
  inbound and outbound connections on 4.6. Now on -current the rdr 
  keyword is missing from the pf.conf syntax. Instead ftp-proxy(8) 
  suggests using rdr-to, but this only works for inbound 
  connections.
 
  Is it possible to allow ftp connections from a local client to
  public ftp servers on the internet? Possibly by using ftp-proxy?
 
 I suspect your understanding of inbound is from the viewpoint
 of your network; PF doesn't care about that at all, it's only
 concerned with whether a packet is inbound or outbound to a
 particular interface.

ok, thanks. That's clear. I don't have a whole net. It's just a 
single workstation, using pppoe0 to reach the internet. So the 
ftp client is running on the firewall, not behind it. The packets 
will be outbound on my pppoe0, but not inbound on any interface, 
will they?

 rdr only works for inbound connections too.

As I understood it, it works _only_ for inbound connections.

 A rule like the following works just fine for a ftp connection
 from a local client to a public ftp server:
 
 pass in quick log on {lan, wifi, natted} inet proto tcp \
 to port 21 rdr-to 127.0.0.1

Isn't this just the example from the default pf.conf with
on {...} added and port 8021 left out?

After reading http://www.openbsd.org/faq/current.html#20090901

it seems to me that it is in fact not possible at the moment to 
use an ftp client on a firewall until the current restriction on 
rdr-to in pfctl is removed. Is this true?


Christopher



Re: ftp-proxy for outgoing connection

2010-03-11 Thread Stuart Henderson
On 2010/03/12 10:14, Vadim Zhukov wrote:
 On 12 March 2010, 03:23:00 Stuart Henderson wrote:
  On 2010-03-11, Christopher Zimmermann madro...@zakweb.de wrote:
   Hi,
  
   my -current firewall is configured to block all in, block all out
   and allow only certain outbound connections.
  
   Now I want to allow outbound ftp connections.
  
   I read ftp-proxy(8) and
   http://openbsd.org/faq/pf/ftp.html#client.
  
   As I understand it, ftp-proxy could be used to create rules for
   inbound and outbound connections on 4.6. Now on -current the rdr
   keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
   suggests using rdr-to, but this only works for inbound
   connections.
  
   Is it possible to allow ftp connections from a local client to
   public ftp servers on the internet? Possibly by using ftp-proxy?
 
  I suspect your understanding of inbound is from the viewpoint
  of your network; PF doesn't care about that at all, it's only
  concerned with whether a packet is inbound or outbound to a
  particular interface.
 
  rdr only works for inbound connections too.
 
  A rule like the following works just fine for a ftp connection
  from a local client to a public ftp server:
 
  pass in quick log on {lan, wifi, natted} inet proto tcp \
  to port 21 rdr-to 127.0.0.1
 
 Well, if block out all is set on external interface then ftp-proxy 
 outgoing connections will be blocked - ftp-proxy(8) does not create PF 
 rules for connections itself. Something like

True, I was just considering the differences from 4.6.

 pass out on $ext_if from ($ext_if) to port ftp
 
 will work around this, but I think ftp-proxy(8) should be fixed instead...

hmm, that used to be there... what do you think, does this make sense?

Index: ftp-proxy.8
===
RCS file: /cvs/src/usr.sbin/ftp-proxy/ftp-proxy.8,v
retrieving revision 1.14
diff -u -p -r1.14 ftp-proxy.8
--- ftp-proxy.8 21 Nov 2009 13:59:31 -  1.14
+++ ftp-proxy.8 12 Mar 2010 07:41:10 -
@@ -170,6 +170,7 @@ Adjust the rules as needed.
 .Bd -literal -offset 2n
 anchor ftp-proxy/*
 pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
+pass out on egress proto tcp from (self) to port 21 user proxy
 .Ed
 .Sh SEE ALSO
 .Xr ftp 1 ,
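Review bot: the added rule spells the control port as `port 21` while the rdr-to line directly above it uses `port ftp`; use the same service name in both so the example reads as one policy. The surrounding text should also say why the rule is needed (ftp-proxy inserts no pass rule for its own outgoing control connection, so a `block out` default silently breaks it, as Vadim reported), and that `user proxy` only matches if `proxy` is the account ftp-proxy drops privileges to, which is what keeps the rule from opening port 21 to every other local process.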



Re: apachectl restart bug?

2010-03-11 Thread Stuart Henderson
On 2010-03-12, David Coppa dco...@gmail.com wrote:
 On Thu, Mar 11, 2010 at 10:39 PM, Denis Doroshenko
denis.doroshe...@gmail.com wrote:

 it may fail in case one uses -d and/or -f flags to the httpd (e.g.
 sets them in /etc/rc.conf or /etc/rc.conf.local)

 This doesn't obey -d either:

 # the path to your PID file
 PIDFILE=/var/www/logs/httpd.pid

 the problem is apachectl being generally crappy!

I don't think there's much point in having apachectl parse enough
to work this out, but maybe it's worth checking if httpd is still running
after the HUP and printing a simple warning if not..