Re: Mobile VPN
On Mon, 2010-10-04 at 10:10 -0600, Shiu Lam wrote:
> Does anyone know any OpenVPN client for S60 mobile phones?
>
> Thanks
>
> Claudiu Pruna wrote:
> > On Sat, 2010-10-02 at 11:56 +0300, Evgeniy Sudyr wrote:
> >
> >> I was able to get it working with 4.6/4.7 and E60/E65/E52; it works as
> >> expected :)
> >>
> >> Nokia VPN config tool will save hours instead of trial and error.
> >>
> >> On Fri, Oct 1, 2010 at 10:29 PM, Claudiu Pruna wrote:
> >>
> >> On Fri, 2010-10-01 at 21:19 +0200, David Coppa wrote:
> >> > On Fri, Oct 1, 2010 at 9:11 PM, Claudiu Pruna wrote:
> >> > > I was wondering, has anyone got an S60 mobile phone to connect to
> >> > > OpenBSD IPsec?
> >> > >
> >> > > I did some tries, but no luck.
> >> >
> >> > Maybe this is of some use:
> >> >
> >> > http://betabug.ch/wiki/VPNNotes
> >> >
> >> > I'm sorry, but I have no personal experience with "mobile vpns"...
> >> >
> >> > cheers,
> >> > david
> >>
> >> Thanks a lot, sounds very interesting, I will test it and see what
> >> happens ;)
> >>
> >> --
> >> Claudiu Pruna
> >>
> >> --
> >> With regards,
> >> Eugene Sudyr
> >
> > Well, I have tried that and ... it works.
> > Yes, it is working OK, but if your setup is like mine and, after
> > connecting to the IPsec, your internal network contains more branches
> > connected through VPN, so that the internal network "contains" more
> > unroutable IP address classes, the problem appears because you appear
> > in your network with the IP that your phone gets from the internet
> > connection it has. So it is a little bit tricky to route your phone to
> > other IP classes than the one you are directly connected to.
> > I have used the "tag" option in ipsecctl, and then in pf.conf I have
> > created a NAT pool which is just for the phones connecting from
> > outside.
> >
> > But it is a start. I mean, from no VPN (except Symbian PPTP) until here
> > we already have a big progress.
> > It would be nice if we could also get xauth and IP address assignment
> > to the phone through IPsec working, but as I am not a developer, I hope
> > it will happen someday.
> >
> > Cheers

There isn't any OpenVPN client for any mobile phone.

--
Claudiu Pruna
Re: masquerade in smtpd?
On 10/4/2010 11:28 PM, Markus Bergkvist wrote:
> Can smtpd do masquerading of outgoing email? Something like what is
> described here:
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#fantasy
>
> hostname doesn't seem to do the trick.
>
> /Markus

It currently can't. I have a diff somewhere which brings initial (and basic) support for masquerading; I need to dig it up and see if it still works.

Gilles
Re: OpenBSD Vim Programming FAQ
It asks for a password and shit. Not sure how I could use this.

On Mon, Oct 04, 2010 at 11:32:10PM +0200, Tomas Vavrys wrote:
> After 2 months I have to announce that I am unable to finish the
> guide. I am too busy at the moment and unfortunately I will still be
> busy for a long time. Anyway, there have been a lot of people
> interested in this guide, so I suppose someone could use my work/ideas
> and make it come true.
>
> Document link (first week progress)
> https://docs.google.com/a/cleancode.cz/document/pub?id=11NGGh2Wbr7gESXCCxwHhwe35V_HCROMKNNIQE1qB6-0
>
> Feel free to edit it, keep it or distribute it.
Re: No Livelock on 2 Oct 2010 current
On Mon, Oct 04, 2010 at 10:41:15PM +, Stuart Henderson wrote: > On 2010-10-04, Insan Praja SW wrote: > > I can't see any livelocks. I'm aware of new algorithm on mclgeti got > > something to do with this, I just want to confirm this. If this systat > > output tells me the truth, well that just a huge achievement. > > # pstat -d u mcllivelocks > > You will probbaly see more livelocks than before (the detection is more > sensitive), but the effect on network traffic should be smaller. > this restores the visibility of network livelocks to systat. anyone object? if not i'll commit it tomorrow morning around 10am in a GMT+10 timezeon. Index: sbin/sysctl/sysctl.c === RCS file: /cvs/src/sbin/sysctl/sysctl.c,v retrieving revision 1.173 diff -u -p -r1.173 sysctl.c --- sbin/sysctl/sysctl.c19 Aug 2010 18:14:14 - 1.173 +++ sbin/sysctl/sysctl.c5 Oct 2010 01:20:59 - @@ -447,6 +447,9 @@ parse(char *string, int flags) case KERN_CONSDEV: special |= CHRDEV; break; + case KERN_NETLIVELOCKS: + special |= UNSIGNED; + break; } break; Index: sys/kern/kern_sysctl.c === RCS file: /cvs/src/sys/kern/kern_sysctl.c,v retrieving revision 1.193 diff -u -p -r1.193 kern_sysctl.c --- sys/kern/kern_sysctl.c 23 Sep 2010 13:24:22 - 1.193 +++ sys/kern/kern_sysctl.c 5 Oct 2010 01:21:02 - @@ -110,6 +110,7 @@ extern int nselcoll, fscale; extern struct disklist_head disklist; extern fixpt_t ccpu; extern long numvnodes; +extern u_int mcllivelocks; extern void nmbclust_update(void); @@ -585,6 +586,8 @@ kern_sysctl(int *name, u_int namelen, vo else dev = NODEV; return sysctl_rdstruct(oldp, oldlenp, newp, &dev, sizeof(dev)); + case KERN_NETLIVELOCKS: + return (sysctl_rdint(oldp, oldlenp, newp, mcllivelocks)); default: return (EOPNOTSUPP); } Index: sys/sys/sysctl.h === RCS file: /cvs/src/sys/sys/sysctl.h,v retrieving revision 1.106 diff -u -p -r1.106 sysctl.h --- sys/sys/sysctl.h19 Aug 2010 18:14:13 - 1.106 +++ sys/sys/sysctl.h5 Oct 2010 01:21:03 - 
@@ -190,7 +190,8 @@ struct ctlname { #defineKERN_FILE2 73 /* struct: file entries */ #defineKERN_RTHREADS 74 /* kernel rthreads support enabled */ #defineKERN_CONSDEV75 /* dev_t: console terminal device */ -#defineKERN_MAXID 76 /* number of valid kern ids */ +#defineKERN_NETLIVELOCKS 76 /* int: number of network livelocks */ +#defineKERN_MAXID 77 /* number of valid kern ids */ #defineCTL_KERN_NAMES { \ { 0, 0 }, \ @@ -269,6 +270,7 @@ struct ctlname { { "file2", CTLTYPE_STRUCT }, \ { "rthreads", CTLTYPE_INT }, \ { "consdev", CTLTYPE_STRUCT }, \ + { "netlivelocks", CTLTYPE_INT }, \ } /* Index: usr.bin/systat/mbufs.c === RCS file: /cvs/src/usr.bin/systat/mbufs.c,v retrieving revision 1.29 diff -u -p -r1.29 mbufs.c --- usr.bin/systat/mbufs.c 23 Sep 2010 10:49:55 - 1.29 +++ usr.bin/systat/mbufs.c 5 Oct 2010 01:21:04 - @@ -41,6 +41,7 @@ struct mclpool_info { int mclpool_count = 0; int mbpool_index = -1; struct pool mbpool; +u_int mcllivelocks = 0; /* interfaces */ static int num_ifs; @@ -198,6 +199,15 @@ read_mb(void) int i, p, nif, ret = 1; size_t size; + mib[0] = CTL_KERN; + mib[1] = KERN_NETLIVELOCKS; + size = sizeof(mcllivelocks); + if (sysctl(mib, 2, &mcllivelocks, &size, NULL, 0) < 0 && + errno != EOPNOTSUPP) { + error("sysctl(KERN_NETLIVELOCKS)"); + goto exit; + } + num_disp = 0; if (getifaddrs(&ifap)) { error("getifaddrs: %s", strerror(errno)); @@ -341,6 +351,7 @@ showmbuf(struct if_info *ifi, int p, int print_fld_str(FLD_MB_IFACE, ifi->name); if (p == -1 && ifi == interfaces) { + print_fld_uint(FLD_MB_LLOCKS, mcllivelocks); print_fld_size(FLD_MB_MSIZE, mbpool.pr_size); print_fld_size(FLD_MB_MALIVE, mbpool.pr_nget - mbpool.pr_nput); print_fld_size(FLD_MB_MHWM, mbpool.pr_hiwat); @@ -349,8 +360,6 @@ showmbuf(struct if_info *ifi, int p, int #if NOTYET print_fld_uint(FLD_MB_RXDELAY, ifi->data.ifi_rxdelay); print_fld_uint(FLD_MB_TXDELAY, ifi->data.ifi_txdelay); - if (ifi->data.ifi_livelocks) - print_fld_size(FLD_MB_LLOCKS, ifi->data.ifi_
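Review bot: in the kern_sysctl.c hunk the counter is declared `extern u_int mcllivelocks;` but is returned through `sysctl_rdint()`, and the sysctl.h hunk documents the node as `int: number of network livelocks` with `CTLTYPE_INT`, while the sbin/sysctl hunk marks it `UNSIGNED`; pick one width for all three sites or note that the counter is read back through an int and wraps past INT_MAX. The kernel-side definition of `mcllivelocks` is not in the diff, so a line in the mail pointing at where it lives would help reviewers.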
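Review bot: in the read_mb() hunk of usr.bin/systat/mbufs.c, tolerating `EOPNOTSUPP` keeps systat usable on a kernel without `KERN_NETLIVELOCKS`, but `mcllivelocks` then stays at its initial 0 and the LLOCKS column shows a genuine-looking zero instead of an empty field; consider remembering that the sysctl is unsupported and leaving the field blank. The new `error("sysctl(KERN_NETLIVELOCKS)")` also drops the errno text that the adjacent `error("getifaddrs: %s", strerror(errno))` includes; `error("sysctl(KERN_NETLIVELOCKS): %s", strerror(errno))` would match. The hunk context does not show where `mib` is declared, so confirm it is the local already used for the existing sysctl lookups in this function.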
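Review bot: the showmbuf() hunk replaces the per-interface `ifi->data.ifi_livelocks` value (under `#if NOTYET`) with one kernel-wide counter printed only on the first row (`p == -1 && ifi == interfaces`); that is the right place for a global counter, but the meaning of the LLOCKS column should be stated in the systat(1) man page as part of the same change. The hunk is cut off mid-line in the archive (`print_fld_size(FLD_MB_LLOCKS, ifi->data.ifi_`), so the rest of that removal cannot be checked here.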
upgrade to 4.7
Hello misc,

I have a little doubt. In my old firewall I wrote the rdr rules thus:

rdr pass on egress -> ip port 3030
block log all
pass out on $dmz ... to port 3030

It's fine. Now I wrote the rules thus:

match in on egress ... rdr-to ip port 3030
block log all
pass in on egress ... to port 3030
pass out on $dmz ... to port 3030

With "rdr pass", I didn't need to write the "pass in" rule. Must I write the rule thus?

Regards
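As an added example (not from the original post), the pre-4.7 rule set beside two 4.7 equivalents; it assumes a TCP service, a constructed internal address 192.0.2.10 in place of "ip", and $dmz as the DMZ interface macro:

```pf
# Pre-4.7: "rdr pass" both translated the packet and passed it in on
# egress in one rule, so no separate "pass in" was needed.
rdr pass on egress proto tcp to port 3030 -> 192.0.2.10 port 3030
block log all
pass out on $dmz proto tcp to 192.0.2.10 port 3030

# 4.7 and later: translation is an option on a match or pass rule and
# no longer implies a pass. Two equivalent ways to write the old rule:

# (a) match only translates, so a pass in rule is required. The
#     translation is applied as soon as the match rule matches, so
#     later rules (including this pass) see the translated destination.
match in on egress proto tcp to port 3030 rdr-to 192.0.2.10 port 3030
block log all
pass in on egress proto tcp to 192.0.2.10 port 3030
pass out on $dmz proto tcp to 192.0.2.10 port 3030

# (b) the direct equivalent of "rdr pass": put rdr-to on the pass rule
#     itself; here "to port 3030" matches the untranslated packet.
block log all
pass in on egress proto tcp to port 3030 rdr-to 192.0.2.10 port 3030
pass out on $dmz proto tcp to 192.0.2.10 port 3030
```

Either way a pass rule for the inbound direction is needed; "block log all" before the pass rules keeps everything else dropped and logged as before.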
Re: OpenBGP Filter - Selectively Announcing by Peer.
On Mon, Oct 4, 2010 at 6:12 PM, Claudio Jeker wrote:
> On Mon, Oct 04, 2010 at 02:20:55PM -0300, Eduardo Meyer wrote:
>> Hello,
>>
>> I want to selectively announce what I get from my peers (whom I am
>> transit for) for a certain upstream peer. I decided to use community
>> to do so, like that:
>>
>> # Add what I get from my transit peers to community $myasn:1010
>> match from $peer_t1 set community $myasn:1010
>> match from $peer_t2 set community $myasn:1010
>>
>> # Selectively announce it to my upstream peer number 2
>> deny to $peer_up2
>> allow to $peer_up2 community $myasn:1010
>>
>> But it did not work.
>>
>> I don't want to manually declare the networks I get, and my upstream
>> won't allow me to "announce all".
>>
>> What is wrong with the above OpenBGP rules?
>>
>
> You need to set the announce type to "all", which means process all entries
> in the RIB with the outbound filter set. Announce "self", which is the
> default for eBGP sessions, will block all non-empty AS paths before
> passing the prefix to the outbound filtering. As soon as you do transit
> you need "announce all" plus correct filters.

Hello Jeker,

I am "announcing all" already. Please enlighten me: when I do a bgpctl sh rib out nei, are the prefixes I see the ones the peer *accepted* from me, or the ones I am actually announcing, no matter if the peer accepts or not? Because I "announce all" and later filter by community, and the above "sh rib out nei" shows empty.

Thanks again.

>
> --
> :wq Claudio
>

--
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br
Re: No Livelock on 2 Oct 2010 current
On 2010-10-04, Insan Praja SW wrote:
> I can't see any livelocks. I'm aware the new algorithm on mclgeti has got
> something to do with this, I just want to confirm this. If this systat
> output tells me the truth, well that's just a huge achievement.

# pstat -d u mcllivelocks

You will probably see more livelocks than before (the detection is more sensitive), but the effect on network traffic should be smaller.
Re: OpenBSD Vim Programming FAQ
After 2 months I have to announce that I am unable to finish the guide. I am too busy at the moment and unfortunately I will still be busy for a long time. Anyway, there have been a lot of people interested in this guide, so I suppose someone could use my work/ideas and make it come true.

Document link (first week progress)
https://docs.google.com/a/cleancode.cz/document/pub?id=11NGGh2Wbr7gESXCCxwHhwe35V_HCROMKNNIQE1qB6-0

Feel free to edit it, keep it or distribute it.
masquerade in smtpd?
Can smtpd do masquerading of outgoing email? Something like what is described here:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#fantasy

hostname doesn't seem to do the trick.

/Markus
Re: OpenBGP Filter - Selectively Announcing by Peer.
On Mon, Oct 04, 2010 at 02:20:55PM -0300, Eduardo Meyer wrote:
> Hello,
>
> I want to selectively announce what I get from my peers (whom I am
> transit for) for a certain upstream peer. I decided to use community
> to do so, like that:
>
> # Add what I get from my transit peers to community $myasn:1010
> match from $peer_t1 set community $myasn:1010
> match from $peer_t2 set community $myasn:1010
>
> # Selectively announce it to my upstream peer number 2
> deny to $peer_up2
> allow to $peer_up2 community $myasn:1010
>
> But it did not work.
>
> I don't want to manually declare the networks I get, and my upstream
> won't allow me to "announce all".
>
> What is wrong with the above OpenBGP rules?
>

You need to set the announce type to "all", which means process all entries in the RIB with the outbound filter set. Announce "self", which is the default for eBGP sessions, will block all non-empty AS paths before passing the prefix to the outbound filtering. As soon as you do transit you need "announce all" plus correct filters.

--
:wq Claudio
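As an added example (not Claudio's or the project's own configuration), the neighbor definitions that the filter rules in the question need, with "announce all" on the upstream session; the AS numbers and addresses are constructed placeholders:

```conf
# bgpd.conf fragment: constructed ASNs/addresses, 4.7-era syntax
myasn="65001"
AS $myasn
router-id 192.0.2.1

peer_t1="198.51.100.1"      # transit customer 1
peer_t2="198.51.100.2"      # transit customer 2
peer_up2="203.0.113.1"      # upstream 2

neighbor $peer_t1 { remote-as 65101; descr "customer-1" }
neighbor $peer_t2 { remote-as 65102; descr "customer-2" }

# eBGP sessions default to "announce self", which drops every prefix
# with a non-empty AS path before the outbound filters ever see it, so
# customer routes never reach the deny/allow rules below. A transit
# session needs "announce all" and then relies on the filters.
neighbor $peer_up2 {
    remote-as 65200
    descr "upstream-2"
    announce all
}

# Tag what the customers send with $myasn:1010 on the way in ...
match from $peer_t1 set community $myasn:1010
match from $peer_t2 set community $myasn:1010

# ... and let only that tagged set out toward upstream 2.
deny to $peer_up2
allow to $peer_up2 community $myasn:1010
```

With this in place, bgpctl show rib out neighbor $peer_up2 lists what bgpd sends after the outbound filter, regardless of whether the peer accepts it.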
Re: carp + client avahi-daemon = OpenBSD kernel hang
--On Monday, October 04, 2010 12:11:01 PM + Stuart Henderson wrote:
> On 2010-10-03, Devin Reade wrote:
> if only all problem reports were this good!

Thanks. I'm also a developer, just not in the OpenBSD kernel.

> Until you can move to a dedicated nic, I would
> suggest switching to using syncpeer in pfsync config, and ipsec
[snip]

I forgot to include /etc/hostname.pfsync0, but it is using syncpeer on vr0.

> So basically there are untrusted machines on the interface on which you
> also run pfsync.

That depends on your definition of untrusted. vr0 being the DMZ, all machines there are under my control and I'm pretty confident that there's nothing malicious happening. It is true, though, that there is traffic other than pfsync on that segment. Are you suspecting that other traffic (and in particular avahi-daemon) is interfering with pfsync?

The dual-port NICs arrived, so I can put pfsync on its own interface now and see if that affects the situation.

One other recent datapoint: in following Kenneth's suggestion of breaking into the kernel, I disabled the watchdog and set

ddb.panic=1
ddb.console=1

Since then I have had time to trigger only one failure so far (again, no panic, no automatic drop to ddb), but in that case when I did a 'continue' in ddb, the failed machine returned to operation. So it looks like the hang may not have been a permanent hang, but just long enough to (previously) trigger the watchdog, which had a 32 second timeout. But that's still inconclusive. (I have nothing else useful to add yet re ddb.)

Devin
Re: How to use /dev/srandom
> > -d 1    Diehard OPERM5 Test    Suspect
> > -d 14   Diehard Sums Test      Do Not Use

And from the site:

Note that a few tests appear to have stubborn bugs. In particular, the diehard operm5 test seems to fail all generators in dieharder.

and:

Similarly, the diehard sums test appears to produce a systematically non-flat distribution of p-values for all rngs tested, in particular for the "gold standard" cryptographic generators aes and threefish, as well as for the "good" generators in the GSL (mt19937, taus, gfsr4). It seems very unlikely that all of these generators would be flawed in the same way, so this test also should not be used to test your rng.

Enjoy your windmill tilting.
Re: How to use /dev/srandom
Janne Johansson wrote:
> List of the CURRENT fully implemented tests (as of the 08/18/08 snapshot):
>
> #=#
> # dieharder version 3.29.4beta Copyright 2003 Robert G. Brown
> #
> #=#
> Installed dieharder tests:
> Test Number  Test Name                                   Test Reliability
> ===
> -d 0     Diehard Birthdays Test                       Good
> -d 1     Diehard OPERM5 Test                          Suspect
> -d 2     Diehard 32x32 Binary Rank Test               Good
> -d 3     Diehard 6x8 Binary Rank Test                 Good
> -d 4     Diehard Bitstream Test                       Good
> -d 5     Diehard OPSO                                 Good
> -d 6     Diehard OQSO Test                            Good
> -d 7     Diehard DNA Test                             Good
> -d 8     Diehard Count the 1s (stream) Test           Good
> -d 9     Diehard Count the 1s Test (byte)             Good
> -d 10    Diehard Parking Lot Test                     Good
> -d 11    Diehard Minimum Distance (2d Circle) Test    Good
> -d 12    Diehard 3d Sphere (Minimum Distance) Test    Good
> -d 13    Diehard Squeeze Test                         Good
> -d 14    Diehard Sums Test                            Do Not Use
> -d 15    Diehard Runs Test                            Good
> -d 16    Diehard Craps Test                           Good
> -d 17    Marsaglia and Tsang GCD Test                 Good
> -d 100   STS Monobit Test                             Good
> -d 101   STS Runs Test                                Good
> -d 102   STS Serial Test (Generalized)                Good
> -d 200   RGB Bit Distribution Test                    Good
> -d 201   RGB Generalized Minimum Distance Test        Good
> -d 202   RGB Permutations Test                        Good
> -d 203   RGB Lagged Sum Test                          Good
> -d 204   RGB Kolmogorov-Smirnov Test Test             Good

Interesting. Looks like ent with more tests. You should submit a port.
Re: Incorrect FAQ entry about "ksh(1) does not appear to read my .profile"
Sean,

Sorry, my bad. Thanks for enlightening me.

Abel, ksh -l works for me and I will use both of your suggestions. Thanks.

On Mon, Oct 4, 2010 at 1:24 AM, Sean Kamath wrote:
>
> On Oct 3, 2010, at 2:52 PM, Amit Kulkarni wrote:
>
> > Then why is it placed there in the FAQ entry? Somebody thought there's a
> > relation there.
>
> It's there because when you start an X terminal (xterm), you can tell xterm
> (via X resource DB) if you want shells it starts to be "login shells", and
> that's what that resource setting is doing. It is not a resource setting
> for ksh. Further, it's in the FAQ about "why isn't my .profile being read"
> for the ksh because most people are completely unaware of what is going on
> when they click that "Terminal" button.
>
> .Xdefaults may or may not be read by X-based applications, and is often
> loaded into the Resource DB of the X server on login (depending on the
> system -- everything does it differently). At one point it was .Xresources
> (which may be what X reads still -- I don't know anymore, I stopped thinking
> about xrdb about 8 years ago).
>
> The space is completely irrelevant, and this thread should die.
>
> > IMHO, I think ksh should be able to read .profile by default
>
> The rules of what ksh reads and when are based on ancient login mechanisms
> -- .profile was read only on login. In the csh, .login was read on login,
> and .cshrc was read on every invocation of csh.
>
> ksh reads the file pointed to by the environment variable ENV on
> invocation.
>
> Put things you want to happen when you log in (via SSH, for example) into
> .profile, and also set ENV=$HOME/.kshrc in it. Then put everything into
> .kshrc that you want to invoke with all subshells.
>
> It's no good to say "I think ksh should do. . ." because it ain't gonna
> happen. It would break all sorts of crap if it did.
>
>
> Sean
>
> PS Linux's pdksh sucks, and does all sorts of weird shit. OpenBSD's ksh is
> much more sane.
>
> >
> > On Sat, Oct 2, 2010 at 10:39 PM, Abel Abraham Camarillo Ojeda <
> > acam...@verlet.org> wrote:
> >
> >> .Xdefaults has nothing to do with .profile ...
Re: How to use /dev/srandom
2010/10/4 Brad Tilley
> Janne Johansson wrote:
>
> > What I meant was that one can complain of that the NIST programs (diehard
> > and
> > dieharder springs to mind) only do certain tests,
>
> Check out ent (it's in ports) it does chi-square, entropy, and a few
> other tests to grade the data stream. Not perfect, but about the best
> you'll do for now.
>

List of the CURRENT fully implemented tests (as of the 08/18/08 snapshot):

#=#
# dieharder version 3.29.4beta Copyright 2003 Robert G. Brown
#
#=#
Installed dieharder tests:
Test Number  Test Name                                   Test Reliability
===
-d 0     Diehard Birthdays Test                       Good
-d 1     Diehard OPERM5 Test                          Suspect
-d 2     Diehard 32x32 Binary Rank Test               Good
-d 3     Diehard 6x8 Binary Rank Test                 Good
-d 4     Diehard Bitstream Test                       Good
-d 5     Diehard OPSO                                 Good
-d 6     Diehard OQSO Test                            Good
-d 7     Diehard DNA Test                             Good
-d 8     Diehard Count the 1s (stream) Test           Good
-d 9     Diehard Count the 1s Test (byte)             Good
-d 10    Diehard Parking Lot Test                     Good
-d 11    Diehard Minimum Distance (2d Circle) Test    Good
-d 12    Diehard 3d Sphere (Minimum Distance) Test    Good
-d 13    Diehard Squeeze Test                         Good
-d 14    Diehard Sums Test                            Do Not Use
-d 15    Diehard Runs Test                            Good
-d 16    Diehard Craps Test                           Good
-d 17    Marsaglia and Tsang GCD Test                 Good
-d 100   STS Monobit Test                             Good
-d 101   STS Runs Test                                Good
-d 102   STS Serial Test (Generalized)                Good
-d 200   RGB Bit Distribution Test                    Good
-d 201   RGB Generalized Minimum Distance Test        Good
-d 202   RGB Permutations Test                        Good
-d 203   RGB Lagged Sum Test                          Good
-d 204   RGB Kolmogorov-Smirnov Test Test             Good

--
To our sweethearts and wives. May they never meet.
-- 19th century toast
Re: How to use /dev/srandom
Janne Johansson wrote:
> What I meant was that one can complain that the NIST programs (diehard
> and dieharder spring to mind) only do certain tests, but that is just
> because no one can make a short program that _proves_ a certain stream
> is random. The only thing available seems to be a series of tests
> against a defined set of properties a random stream shouldn't have, but
> that list isn't conclusive, nor finished.

Check out ent (it's in ports); it does chi-square, entropy, and a few other tests to grade the data stream. Not perfect, but about the best you'll do for now.

Brad
Re: How to use /dev/srandom
2010/10/4 Kevin Chadwick
>
> >Then of course the tiiiny tiiiny problem of defining in code how to
> >_prove_ that the input is random. Proving some input is skewed in one
> >of 123 ways is easy and relatively fast, but proving that the input
> >data will never fail a statistical test is.. Hard.
>
> If a situation is possible where a certain device starts doing a ton of
> work in a highly regular fashion that the entropy gathering code
> doesn't dismiss and so affects the entropy, then I can see this being
> useful, but if that was possible, which I doubt, then maybe the entropy
> gathering should be improved.
>

What I meant was that one can complain that the NIST programs (diehard and dieharder spring to mind) only do certain tests, but that is just because no one can make a short program that _proves_ a certain stream is random. The only thing available seems to be a series of tests against a defined set of properties a random stream shouldn't have, but that list isn't conclusive, nor finished. And it probably never will be. It's just among the best options available right now, and it takes lots of time to run and it can only disprove certain inputs, not prove randomness in the others.

--
To our sweethearts and wives. May they never meet.
-- 19th century toast
OpenBGP Filter - Selectively Announcing by Peer.
Hello,

I want to selectively announce what I get from my peers (whom I am transit for) for a certain upstream peer. I decided to use community to do so, like that:

# Add what I get from my transit peers to community $myasn:1010
match from $peer_t1 set community $myasn:1010
match from $peer_t2 set community $myasn:1010

# Selectively announce it to my upstream peer number 2
deny to $peer_up2
allow to $peer_up2 community $myasn:1010

But it did not work.

I don't want to manually declare the networks I get, and my upstream won't allow me to "announce all".

What is wrong with the above OpenBGP rules?

--
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br
Re: Mobile VPN
Does anyone know any OpenVPN client for S60 mobile phones?

Thanks

Claudiu Pruna wrote:
On Sat, 2010-10-02 at 11:56 +0300, Evgeniy Sudyr wrote:

I was able to get it working with 4.6/4.7 and E60/E65/E52; it works as expected :)

Nokia VPN config tool will save hours instead of trial and error.

On Fri, Oct 1, 2010 at 10:29 PM, Claudiu Pruna wrote:

On Fri, 2010-10-01 at 21:19 +0200, David Coppa wrote:
> On Fri, Oct 1, 2010 at 9:11 PM, Claudiu Pruna wrote:
> > I was wondering, has anyone got an S60 mobile phone to connect to
> > OpenBSD IPsec?
> >
> > I did some tries, but no luck.
>
> Maybe this is of some use:
>
> http://betabug.ch/wiki/VPNNotes
>
> I'm sorry, but I have no personal experience with "mobile vpns"...
>
> cheers,
> david

Thanks a lot, sounds very interesting, I will test it and see what happens ;)

--
Claudiu Pruna

--
With regards,
Eugene Sudyr

Well, I have tried that and ... it works.
Yes, it is working OK, but if your setup is like mine and, after connecting to the IPsec, your internal network contains more branches connected through VPN, so that the internal network "contains" more unroutable IP address classes, the problem appears because you appear in your network with the IP that your phone gets from the internet connection it has. So it is a little bit tricky to route your phone to other IP classes than the one you are directly connected to.
I have used the "tag" option in ipsecctl, and then in pf.conf I have created a NAT pool which is just for the phones connecting from outside.

But it is a start. I mean, from no VPN (except Symbian PPTP) until here we already have a big progress.
It would be nice if we could also get xauth and IP address assignment to the phone through IPsec working, but as I am not a developer, I hope it will happen someday.

Cheers
Re: How to use /dev/srandom
>Then of course the tiiiny tiiiny problem of defining in code how to
>_prove_ that the input is random. Proving some input is skewed in one
>of 123 ways is easy and relatively fast, but proving that the input
>data will never fail a statistical test is.. Hard.

If a situation is possible where a certain device starts doing a ton of work in a highly regular fashion that the entropy gathering code doesn't dismiss and so affects the entropy, then I can see this being useful, but if that was possible, which I doubt, then maybe the entropy gathering should be improved.

Or do you mean a tool that can alert and so pause actions like SSL if highly sensitive, which may be useful, but it was stated that arandom is like a Duracell bunny on John Smith's bitter and won't drain the entropy.

>>It is more efficient. There is almost always enough entropy for
>>arandom, and if there isn't, you would have a hard time detecting
>>that.

I would be interested in what effect an attacker purposefully draining the entropy could have (Ted's comment suggests little, but you never know) and if your proposed tool could detect and warn of that.
Re: How to use /dev/srandom
Kevin Chadwick writes:
> First I'd ask how well can anyone prove that the NIST statistical test
> suite can reliably judge randomness?

It can't; it can only weed out weak generators but could not distinguish an entropic generator from, say, MD5. See http://lcamtuf.coredump.cx/soft/stompy.tgz for some fun.

--
http://noncombatant.org/
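As an added example (not code from the thread), two of the tests the thread names, STS monobit (dieharder -d 100) and the byte chi-square that ent reports, run over constructed streams: one biased, one deliberately rigged to pass both while being fully predictable, an MD5-of-counter stream, and os.urandom standing in for the kernel random device. It shows the point made above in code: a finite list of tests can reject a stream, never certify it.

```python
"""Statistical randomness tests can reject a stream; they cannot prove it
random. Constructed streams below illustrate that with two common tests."""
import hashlib
import math
import os
from itertools import count
from typing import Tuple


def monobit(data: bytes) -> Tuple[float, float]:
    """NIST STS monobit: is the number of 1 bits consistent with a fair coin?
    Returns (z, two-sided p-value); reject when p is below alpha."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    z = (2 * ones - n) / math.sqrt(n)
    return z, math.erfc(abs(z) / math.sqrt(2))


def chi_square_bytes(data: bytes) -> Tuple[float, float]:
    """Chi-square of byte frequencies against uniform (255 degrees of freedom),
    the statistic ent prints. Returns (statistic, z): z is the distance from
    the expected value 255 in standard deviations. Large positive z means a
    skewed stream; large negative z means one that is suspiciously too even."""
    k = 255
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    stat = sum((c - expected) ** 2 / expected for c in counts)
    return stat, (stat - k) / math.sqrt(2 * k)


def assess(data: bytes, alpha: float = 0.01, zmax: float = 4.0) -> dict:
    """Run both tests; *_ok is True when the test fails to reject the stream."""
    z, p = monobit(data)
    stat, cz = chi_square_bytes(data)
    return {"monobit_z": z, "monobit_p": p, "monobit_ok": p >= alpha,
            "chi2": stat, "chi2_z": cz, "chi2_ok": abs(cz) <= zmax}


# Constructed streams (none of this is real /dev/srandom output).
def counter_stream(n: int) -> bytes:
    """0x00..0xFF repeating: bit-balanced, so monobit passes exactly, but the
    byte counts are *too* even and the two-sided chi-square check notices."""
    return bytes(i & 0xFF for i in range(n))


def biased_stream(n: int) -> bytes:
    """Top bit never set: only 128 of the 256 byte values ever occur."""
    return bytes(i & 0x7F for i in range(n))


def rigged_stream() -> bytes:
    """65536 bytes tuned so both tests pass with textbook values: byte values
    whose bits 0 and 1 are equal occur 272 times, the others 240 times, which
    keeps the 1-bit count exactly balanced and puts chi-square at 256 (the
    expected value is 255). The bytes come out sorted, so a runs test would
    reject the stream at once: passing a fixed list of tests proves nothing."""
    return bytes(v for v in range(256)
                 for _ in range(272 if ((v ^ (v >> 1)) & 1) == 0 else 240))


def md5_counter_stream(n: int) -> bytes:
    """MD5 over a counter: zero entropy to anyone who knows the counter, yet
    these tests cannot tell it from a true random source (the MD5 point above)."""
    out = bytearray()
    for i in count():
        out += hashlib.md5(i.to_bytes(8, "big")).digest()
        if len(out) >= n:
            return bytes(out[:n])


if __name__ == "__main__":
    N = 65536
    streams = {"counter": counter_stream(N), "biased": biased_stream(N),
               "rigged": rigged_stream(), "md5(counter)": md5_counter_stream(N),
               "os.urandom": os.urandom(N)}  # the OS random device, for comparison
    for name, data in streams.items():
        r = assess(data)
        print("%-13s monobit z=%+8.2f p=%.3g %-6s chi2=%9.1f z=%+8.1f %s" % (
            name, r["monobit_z"], r["monobit_p"],
            "ok" if r["monobit_ok"] else "REJECT",
            r["chi2"], r["chi2_z"], "ok" if r["chi2_ok"] else "REJECT"))
```

On OpenBSD, reading 65536 bytes from /dev/srandom in place of os.urandom tests the device the thread is about; expect it to look exactly like the md5(counter) row, which is the whole problem.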
Re: Router components
David Higgs wrote:
> I know SSDs don't require TRIM, but most benchmarks are made by
> knob-twiddlers that are presumably overemphasizing the performance
> degradation you get without it. Is this even noticeable in practice?

I've used an inexpensive SSD (cheapest one I could find at the time) in an Intel Celeron based OpenBSD home firewall for more than a year. It works fine. Here is part of an old dmesg:

wd0 at pciide1 channel 0 drive 0:
wd0: 1-sector PIO, LBA, 61057MB, 125045424 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6

No noise, cool, low power. Try it for a year, then post back your experience.

Brad
Re: Router components
On Mon, Oct 4, 2010 at 2:28 AM, Sean Kamath wrote:
> I just bought a Alix 2d13 board. Then ended up buying about 7 of them for
> work for OOB back-channel machines.
>
> Insanely straightforward, and they Just Work(tm).
>

I did exactly what Sean did myself several months ago. Purchased a 2d13 board from Netgate [1]. I boot off a 2GB CF card, and stuck a cheap USB HD off of the alix board. The thing just runs without any fuss. I use it to connect my home network to another network via OpenVPN over my home Internet connection. When I get around to it, I might throw a mini-pci 802.11b/g card in there to create a WAP.

dmesg porn:

OpenBSD 4.7 (GENERIC) #1: Thu Jun 3 07:32:40 EDT 2010
[rest of dmesg omitted]

Cheers,
Jeff

[1] http://store.netgate.com/ALIX2D3-2D13-Kit-Blue-Unassembled-P173C86.aspx
Re: route-to and divert-packet
On Mon, 04/10/2010 at 10.03 -0400, Daniel Browning-Weber wrote:
> Those work great, without the divert-packet. And the divert-packet
> works great, if I only have one internet connection. But I'm trying
> to get them to both be applied.

I'll look into that in the next few days, I'm running short of time currently... :)
Re: BIOCTL Rebuild: invalid argument
On Mon, Oct 04, 2010 at 06:34:03AM -0700, Clint Pachl wrote:
> I tried to rebuild a single disk in a 4 disk raid-10 array using the
> following command:
>
> # bioctl -R 0:3 sd0
> bioctl: BIOCSETSTATE: invalid argument
>
> What does this mean exactly?
>
> I did rebuild the array via the MegaRAID BIOS utility. Are we able
> to rebuild arrays via bioctl?

No. You need to use the CTRL-M BIOS thing. At some point I'll add support for that to bioctl but currently it is only for softraid.
No Livelock on 2 Oct 2010 current
Hi Misc@,

On this machine;

OpenBSD 4.8-current (GENERIC.MP) #5: Sat Oct 2 21:06:09 WIT 2010
    r...@border-rf.mygreenlinks.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error f
cpu0: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz ("GenuineIntel" 686-class) 2.41 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
real mem = 1069002752 (1019MB)
avail mem = 1041489920 (993MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/26/07, SMBIOS rev. 2.4 @ 0x3fbe4000 (42 entries)
bios0: vendor Intel Corporation version "S3000.86B.02.00.0054.061120091710" date 06/11/2009
bios0: Intel S3000AH
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT SLIC FACP APIC WDDT HPET MCFG ASF! SSDT SSDT SSDT SSDT SSDT HEST BERT ERST EINJ
acpi0: wakeup devices SLPB(S4) P32_(S4) UAR1(S1) PEX4(S4) PEX5(S4) UHC1(S1) UHC2(S1) UHC3(S1) UHC4(S1) EHCI(S1) AC9M(S4) AZAL(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 266MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz ("GenuineIntel" 686-class) 2.41 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz ("GenuineIntel" 686-class) 2.41 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz ("GenuineIntel" 686-class) 2.41 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
ioapic0 at mainbus0: apid 5 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 5
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P32_)
acpiprt2 at acpi0: bus 1 (PEX0)
acpiprt3 at acpi0: bus -1 (PEX1)
acpiprt4 at acpi0: bus -1 (PEX2)
acpiprt5 at acpi0: bus -1 (PEX3)
acpiprt6 at acpi0: bus 2 (PEX4)
acpiprt7 at acpi0: bus 3 (PEX5)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpicpu2 at acpi0: PSS
acpicpu3 at acpi0: PSS
acpibtn0 at acpi0: SLPB
bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x1800 0xcb800/0x1000
cpu0: Enhanced SpeedStep 2401 MHz: speeds: 2394, 1596 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7230 Host" rev 0x00
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 5 int 17 (irq 255)
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: apic 5 int 17 (irq 255)
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 5 int 16 (irq 9), address 00:15:17:86:52:fc
em1 at pci2 dev 0 function 1 "Intel PRO/1000 PT (82571EB)" rev 0x06: apic 5 int 17 (irq 10), address 00:15:17:86:52:fd
ppb2 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: apic 5 int 16 (irq 255)
pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 "Intel PRO/1000MT (82573E)" rev 0x03: apic 5 int 17 (irq 10), address 00:15:17:49:04:0d
"Intel 82573E Serial" rev 0x03 at pci3 dev 0 function 3 not configured
"Intel 82573E KCS" rev 0x03 at pci3 dev 0 function 4 not configured
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 5 int 23 (irq 11)
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 5 int 19 (irq 11)
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 5 int 18 (irq 11)
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 5 int 16 (irq 9)
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 5 int 23 (irq 11)
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci4 at ppb3 bus 4
skc0 at pci4 dev 0 function 0 "D-Link DGE-530T B1" rev 0x11, Yukon Lite (0x9): apic 5 int 21 (irq 11)
sk0 at skc0 port A: address 00:1c:f0:11:6c:d4
eephy0 at sk0 phy 0: 88E1011 Gigabit PHY, rev. 5
em3 at pci4 dev 1 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: apic 5 int 22 (irq 11), address 00:07:e9:0f:44:e3
vga1 at pci4 dev 4 function 0 "ATI ES1000" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: apic 5 int 18 (irq 11)
drm0 at radeondrm0
em4 at pci4 dev 5 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: apic 5
Re: Router components
On Mon, Oct 4, 2010 at 3:51 PM, russell wrote:
> Stuart Henderson wrote:
>>
>> On 2010-10-04, David Higgs wrote:
>>>
>>> I am building a replacement router/firewall for home use and am
>>> soliciting suggestions/commentary/alternatives on the components
>>> below.
>>
>> What sort of internet connection and what will be running over it?
>> Will you be doing crypto on the firewall (ipsec/some other vpn)?

Just your basic consumer-class cable connection, and practically nothing. Crypto acceleration might be nice, but in no way a requirement.

>>> I was planning to use an SSD in the 32 GB size range, but the archives
>>> indicate we don't have TRIM support yet. Though this obviously isn't
>>> a showstopper to usage, am I better off getting an older-generation
>>> SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
>>> tech is more mature?
>>
>> Newer SSDs don't *require* TRIM, it is optional. I think it's probably
>> a better idea to get the newer generation. Though a 2-4GB CF might be
>> quite good enough too.
>>
>> For what a lot of people need for a router/firewall a 2-4GB CF
>> card in an IDE adapter would be fine too (smaller works too if you can
>> still find them, but it's easier to have this much space).

I know SSDs don't require TRIM, but most benchmarks are made by knob-twiddlers that are presumably overemphasizing the performance degradation you get without it. Is this even noticeable in practice? Good suggestion on the CF card, though I would feel dirty using it in that overpowered Atom system...

>>> Finally, I want this box to act as wireless AP, and hope to have
>>> out-of-the-box 802.11n support (when eventually available). I've read
>>> that run(4) is a solid chipset in this regard; any other suggestions?
>>
>> run(4) does not support host AP.
>>
>> athn(4) is likely the best choice, I haven't used it with OpenBSD but it
>> looks like this is the most actively developed wireless driver at the
>> moment.
>> I have used it with commercial APs running their embedded linux-based OS
>> and the hardware itself works very well indeed.
>>
>> As I think you're aware we don't support 802.11n capabilities yet, also
>> note we don't support clients that use power-saving mode (this is an
>> absolute show-stopper for some users; some client hardware has no way
>> to disable this).
>>
> I tend to swear by ral(4)
> Mainly due to the unscientific but proven mechanism
> all my ral cards have worked, and all my ath cards end up having an
> unsupported chipset.
> and there was something freaky about that zyd,
> almost working is worse than not working at all.
>
> Given half a chance stay away from usb radios.
>
> but ral has always been there for me.
> best of luck.
> I know I enjoy my k6-2(450) based firewall/nat device infinitely more than
> the netgear piece of crap it replaced.

Crap, missed lack of AP support in run(4). Disappointing that USB radios aren't all that great. I've been pretty happy with my ral(4) card as well, even in the face of occasional interface hangs.

Thanks.

--david
BIOCTL Rebuild: invalid argument
I tried to rebuild a single disk in a 4 disk raid-10 array using the following command:

# bioctl -R 0:3 sd0
bioctl: BIOCSETSTATE: invalid argument

What does this mean exactly?

I did rebuild the array via the MegaRAID BIOS utility. Are we able to rebuild arrays via bioctl?

# bioctl sd0
Volume  Status     Size           Device
 ami0 0 Online     73494691840    sd0     RAID10
      0 Online     36747345920    0:1.0   noencl <MAP3367NP 0108>
      1 Online     36747345920    0:2.0   noencl <MAP3367NP 0108>
      2 Online     36747345920    0:3.0   noencl <MAP3367NP 0108>
      3 Online     36747345920    0:4.0   noencl <MAP3367NP 0108>

$ sysctl hw.sensors.ami0
hw.sensors.ami0.drive0=online (sd0), OK

$ dmesg | grep ^ami
ami0 at pci2 dev 4 function 0 "AMI MegaRAID" rev 0x20: apic 2 int 20 (irq 11)
ami0: AMI 475, 64b/lhc, FW 163D, BIOS v5.07, 32MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives

OpenBSD 4.8-current (GENERIC.MP) #385: Tue Sep 21 05:01:01 MDT 2010
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,SER,MMX,FXSR,SSE
real mem = 2138599424 (2039MB)
avail mem = 2093604864 (1996MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/26/01, BIOS32 rev. 0 @ 0xfd7e3, SMBIOS rev. 2.1 @ 0xef840 (46 entries)
bios0: vendor Intel Corporation version "L440GX0.86B.0133.P14.0103261759" date 03/26/01
bios0: Intel L440GX+
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices PCI0(S4) COMB(S4) USBC(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 1 (boot processor)
cpu0: apic clock running at 99MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium III ("GenuineIntel" 686-class) 1 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,SER,MMX,FXSR,SSE
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: SLPB
bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xc9800/0x1000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82440BX AGP" rev 0x00
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xf800, size 0x400
ppb0 at pci0 dev 1 function 0 "Intel 82440BX AGP" rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci1 dev 15 function 0 "DEC 21150-BC PCI-PCI" rev 0x06
pci2 at ppb1 bus 2
ami0 at pci2 dev 4 function 0 "AMI MegaRAID" rev 0x20: apic 2 int 20 (irq 11)
ami0: AMI 475, 64b/lhc, FW 163D, BIOS v5.07, 32MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: SCSI2 0/direct fixed
sd0: 70090MB, 512 bytes/sec, 143544320 sec total
scsibus1 at ami0: 16 targets
ahc0 at pci0 dev 12 function 0 "Adaptec AIC-7896/7 U2" rev 0x00: apic 2 int 19 (irq 11)
scsibus2 at ahc0: 16 targets, initiator 7
ahc1 at pci0 dev 12 function 1 "Adaptec AIC-7896/7 U2" rev 0x00: apic 2 int 19 (irq 11)
scsibus3 at ahc1: 16 targets, initiator 7
em0 at pci0 dev 13 function 0 "Intel PRO/1000MT (82546EB)" rev 0x01: apic 2 int 17 (irq 11), address 00:04:23:ac:66:d2
em1 at pci0 dev 13 function 1 "Intel PRO/1000MT (82546EB)" rev 0x01: apic 2 int 22 (irq 5), address 00:04:23:ac:66:d3
fxp0 at pci0 dev 14 function 0 "Intel 8255x" rev 0x08, i82559: apic 2 int 21 (irq 10), address 00:03:47:11:2e:58
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ohci0 at pci0 dev 16 function 0 "NEC USB" rev 0x43: apic 2 int 16 (irq 11), version 1.0
ohci1 at pci0 dev 16 function 1 "NEC USB" rev 0x43: apic 2 int 21 (irq 10), version 1.0
ehci0 at pci0 dev 16 function 2 "NEC USB" rev 0x04: apic 2 int 22 (irq 5)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "NEC EHCI root hub" rev 2.00/1.00 addr 1
piixpcib0 at pci0 dev 18 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 18 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus4 at atapiscsi0: 2 targets
cd0 at scsibus4 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 18 function 2 "Intel 82371AB USB" rev 0x01: apic 2 int 21 (irq 10)
piixpm0 at pci0 dev 18 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 512MB SDRAM registered ECC PC100CL2
spdmem1 at iic0 addr 0x51: 512MB SDRAM registered ECC PC100CL2
spdmem2 at iic0 addr 0x52: 512MB SDRAM registered ECC PC100CL2
spdmem3 at iic0 addr 0x53: 512MB SDRAM registered ECC PC100CL2
vga1 at pci0 dev 20 function 0 "Cirrus Logic CL-GD5480" rev 0x23
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
usb1 at ohci0: USB re
Re: Router components
Stuart Henderson wrote:
> On 2010-10-04, David Higgs wrote:
>> I am building a replacement router/firewall for home use and am
>> soliciting suggestions/commentary/alternatives on the components
>> below.
>
> What sort of internet connection and what will be running over it?
> Will you be doing crypto on the firewall (ipsec/some other vpn)?
>
>> I was planning to use an SSD in the 32 GB size range, but the archives
>> indicate we don't have TRIM support yet. Though this obviously isn't
>> a showstopper to usage, am I better off getting an older-generation
>> SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
>> tech is more mature?
>
> Newer SSDs don't *require* TRIM, it is optional. I think it's probably
> a better idea to get the newer generation. Though a 2-4GB CF might be
> quite good enough too.
>
> For what a lot of people need for a router/firewall a 2-4GB CF
> card in an IDE adapter would be fine too (smaller works too if you can
> still find them, but it's easier to have this much space).
>
>> Finally, I want this box to act as wireless AP, and hope to have
>> out-of-the-box 802.11n support (when eventually available). I've read
>> that run(4) is a solid chipset in this regard; any other suggestions?
>
> run(4) does not support host AP.
>
> athn(4) is likely the best choice, I haven't used it with OpenBSD but it
> looks like this is the most actively developed wireless driver at the
> moment.
> I have used it with commercial APs running their embedded linux-based OS
> and the hardware itself works very well indeed.
>
> As I think you're aware we don't support 802.11n capabilities yet, also
> note we don't support clients that use power-saving mode (this is an
> absolute show-stopper for some users; some client hardware has no way
> to disable this).

I tend to swear by ral(4)
Mainly due to the unscientific but proven mechanism
all my ral cards have worked, and all my ath cards end up having an
unsupported chipset.
and there was something freaky about that zyd,
almost working is worse than not working at all.

Given half a chance stay away from usb radios.

but ral has always been there for me.
best of luck.
I know I enjoy my k6-2(450) based firewall/nat device infinitely more than
the netgear piece of crap it replaced.
Re: route-to and divert-packet
> The code says it well - after your divert(4) client reinjects the
> packet back into the kernel, it bypasses any pf checks and goes
> straight to the {ip_,ip6_}output function because of possible loops.

That's all perfectly sensible, and I feel more likely to hurt myself if I could get a packet to go back into pf.

> What exactly are you trying to accomplish here, with the
> combination of these two?

I have two network connections I want to load balance. I'm using the example rules here:

http://www.openbsd.org/faq/pf/pools.html#outgoing

Those work great, without the divert-packet. And the divert-packet works great, if I only have one internet connection. But I'm trying to get them to both be applied.

2010/10/4 Martin Pelikan:
> 2010/10/3, Daniel Browning-Weber:
>> Okay, and the divert (4) man page says that outbound packets,
>> after being reinjected, "are processed directly by the relevant
>> IP/IPv6 output function," so I probably can't get pf to take
>> another look at them so that "route-to" will apply.
>>
>> If I were feeling brave and wanted to mess with this in the
>> kernel, should I try to get the packet's routing changed
>> after processing? Or would it be less insane for me to
>> try to play with the routing before the divert?
>
> The code says it well - after your divert(4) client reinjects the
> packet back into the kernel, it bypasses any pf checks and goes
> straight to the {ip_,ip6_}output function because of possible loops.
>
> What exactly are you trying to accomplish here, with the combination
> of these two?
> Please be more specific about your goals, not just the technical stuff around.
>
> I'm not sure about this though, but passing the packet to divert app
> and changing IP headers _in there_ should suffice for most what you'd
> accomplish using route-to (now I'm waiting for the cold-shower of
> corrections and RTFM's). Provided that your routing table is
> consistent with what you want to do, of course.
> --
> Martin Pelikan
Re: How to use /dev/srandom
2010/10/4 Kevin Chadwick:
>> I do love all these considerations. Just wondering why on earth entropy
>> doesn't get much attention in a world where people seem so worried
>> about security and privacy.
>
> Do you mean the world in general or the OpenBSD world.
>
> I presume you've read the OpenBSD crypto papers that talk about how
> impossible it is to create a true random generator.
>
> First I'd ask how well can anyone prove that the NIST statistical test
> suite can reliably judge randomness?

It just tries to prove the opposite. If the data has patterns it can find, it's not random. Proving something is random is insanely much harder.

--
To our sweethearts and wives. May they never meet.
-- 19th century toast
PF OS fingerprint update
If you use the pf OS fingerprinting feature you want to apply the following diff to your system or -current OpenBSD boxes will not be identified as being OpenBSD.

To apply the patch just use:

cd /etc
patch < this_mail
pfctl -f /etc/pf.conf

--
:wq Claudio

Index: pf.os === RCS file: /cvs/src/etc/pf.os,v retrieving revision 1.22 diff -u -p -r1.22 pf.os --- pf.os 8 Aug 2009 09:24:51 - 1.22 +++ pf.os 1 Oct 2010 14:11:04 - @@ -298,12 +298,15 @@ S22:64:1:52:M*,N,N,S,N,W0:Linux:2.2:ts: # - OpenBSD - 16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6) -16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0::OpenBSD 3.0-4.0 -16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:no-df:OpenBSD 3.0-4.0 (scrub no-df) +16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8::OpenBSD 3.0-4.8 +16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8:no-df:OpenBSD 3.0-4.8 (scrub no-df) 57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0::OpenBSD 3.3-4.0 57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 (scrub no-df) 65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 (Opera) + +16384:64:1:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9::OpenBSD 4.9 +16384:64:0:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9:no-df:OpenBSD 4.9 (scrub no-df) # - Solaris -
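Review bot: the two 57344 lines and the 65535 (Opera) line in this hunk keep their 3.3-4.0 and 3.0-4.0 labels while the neighbouring 16384 lines are widened to 3.0-4.8; if those window sizes were also emitted by 4.1 through 4.8 they should be widened in the same change, and if they genuinely stopped at 4.0 a one-line comment saying so would keep the OpenBSD block self-explanatory. Also worth noting in the commit text: the added 4.9 signatures differ from the 4.8 ones only in the window-scale field (W3 instead of W0), which is exactly why an unpatched pf.os stops recognising -current.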
Kerberos: Server not found in database: krbtgt/ualberta...@realm
In the KDC log file, I get the following errors:

2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for afs/ualberta...@mokaz.com
2010-10-04T02:40:11 Server not found in database: afs/ualberta...@mokaz.com: No such entry in the database
2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for krbtgt/ualberta...@mokaz.com
2010-10-04T02:40:11 Server not found in database: krbtgt/ualberta...@mokaz.com: No such entry in the database

Why am I getting these errors? Are they compiled in?

How do I quiet this?

For clients, all of my Kerberos settings are in DNS; there is no krb5.conf.

Here is krb5.conf on the Kerberos server:

[libdefaults]
    default_realm = MOKAZ.COM
    clockskew = 120

[kadmin]
    require-preauth = true
    password_lifetime = 365 days

[kdc]
    require-preauth = true

[logging]
    kadmind = FILE:/var/heimdal/kadmind.log
The Whole Country Celebrates Together
Re: How to use /dev/srandom
I do love all these considerations. Just wondering why on earth entropy doesn't get much attention in a world where people seem so worried about security and privacy.

Have you ever used any specific method to measure the randomness quality of the numbers generated by the kernel when the randomness pool goes low? By means of the NIST Statistical Test Suite or anything like that. Maybe it could be possible to maintain a 'randomness quality factor' variable updated in the kernel to be able to estimate, at a given time, the randomness available.

Just thinking aloud! I'd take a look at that.

On 29/09/2010 19:16, Theo de Raadt wrote:
> On Wed, Sep 29, 2010 at 12:49 PM, Kevin Chadwick wrote:
>> And isn't srandom sometimes (very rarely!) appropriate? E.g. for
>> generating encryption keys?
>
> If arandom is somehow not appropriate for generating keys, it should be
> fixed. I'd be interested to hear more.
>
> For those who don't want to go read the code, the algorithm on the very
> back end is roughly this:
>
> (a) collect entropy until there is a big enough buffer
> (b) fold it into the srandom buffer, eventually
>
> That is just like the past. But the front end is different.
>
> From the kernel side:
>
> (1) grab a srandom buffer and start a arc4 stream cipher on it
>     (discarding the first bit, of course)
> (2) now the kernel starts taking data from this on every packet it
>     sends, to modulate this, to modulate that, who knows.
> (3) lots of other subsystems get small chunks of random from the
>     stream; deeply unpredictable when
> (4) on every interrupt, based on quality, the kernel injects something
>     into (a)
> (5) re-seed the buffer as stated in (1) when needed
>
> Simultaneously, userland programs need random data:
>
> (i) libc does a sysctl to get a chunk from the rc4 buffer
> (ii) starts a arc4 buffer of its own, in that program
> (iii) feeds data to the program, and re-seeds the buffer when needed
>
> The arc4 stream ciphers get new entropy when they need.
>
> But the really neat architecture here is that a single stream cipher is
> *unpredictably* having entropy taken out of it, by hundreds of
> consumers. In regular unix operating systems, there are only a few
> entropy consumers. In OpenBSD there are hundreds and hundreds. The
> entire system is full of random number readers, at every level.
>
> That is why this works so well.
>
>> I notice arandom doesn't pause. Is arandom always better or only when
>> there's enough entropy?
>
> It is more efficient. There is almost always enough entropy for
> arandom, and if there isn't, you would have a hard time detecting that.
>
> There is always enough. The generator will keep moving, until it has
> fetched too much, or too much time has gone by. Then it reseeds; though
> I think it fundamentally does not care if the srandom buffer it feeds
> from is full or not.
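As an added illustration (not code from this thread or from OpenBSD), the following C model follows the steps Theo lists: an entropy pool that interrupt samples are folded into, a kernel stream generator keyed from the pool that discards its first output and reseeds after a byte budget, and userland generators seeded from a chunk of the kernel stream. RC4 stands in for the kernel's cipher; the pool mixing, the constants and every function name here are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the two-level design described in the thread.  RC4 is used
 * only because it is short; the mixing function, the DISCARD and
 * RESEED_AFTER budgets and the names are assumptions of this example. */

typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_state;

static void rc4_init(rc4_state *c, const uint8_t *key, size_t klen)
{
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) c->s[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + c->s[i] + key[i % klen]);
        uint8_t t = c->s[i]; c->s[i] = c->s[j]; c->s[j] = t;
    }
    c->i = c->j = 0;
}

static uint8_t rc4_byte(rc4_state *c)
{
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->s[c->i]);
    uint8_t t = c->s[c->i]; c->s[c->i] = c->s[c->j]; c->s[c->j] = t;
    return c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
}

/* Steps (a)/(b) and (4): the pool.  Samples are mixed in, never stored. */
#define POOL_LEN 32
typedef struct { uint8_t buf[POOL_LEN]; size_t pos, samples; } pool_t;

static void pool_add(pool_t *p, uint32_t sample)
{
    for (int k = 0; k < 4; k++) {            /* spread over four positions */
        uint8_t b = p->buf[p->pos] ^ (uint8_t)(sample >> (8 * k));
        p->buf[p->pos] = (uint8_t)((b << 3) | (b >> 5));
        p->pos = (p->pos + 1) % POOL_LEN;
    }
    p->samples++;
}

/* Steps (1) and (5): a generator that drops its first output and keeps
 * a budget of bytes it may emit before it must be re-keyed. */
#define DISCARD      1024
#define RESEED_AFTER 4096
typedef struct { rc4_state c; size_t budget, reseeds; } gen_t;

static void gen_seed(gen_t *g, const uint8_t *key, size_t klen)
{
    rc4_init(&g->c, key, klen);
    for (int k = 0; k < DISCARD; k++) (void)rc4_byte(&g->c);
    g->budget = RESEED_AFTER;
    g->reseeds++;
}

/* Kernel reseed: key from the pool, then stir the pool with cipher output
 * so a later snapshot of the pool does not hand back the key just used. */
static void kernel_reseed(gen_t *g, pool_t *p)
{
    gen_seed(g, p->buf, POOL_LEN);
    for (int k = 0; k < POOL_LEN; k++) p->buf[k] ^= rc4_byte(&g->c);
}

/* Steps (2)/(3): every consumer pulls from this one stream. */
static uint8_t kernel_byte(gen_t *g, pool_t *p)
{
    if (g->budget == 0) kernel_reseed(g, p);
    g->budget--;
    return rc4_byte(&g->c);
}

/* Steps (i)-(iii): a program keys its own stream from a kernel chunk. */
static void user_seed(gen_t *u, gen_t *kern, pool_t *p)
{
    uint8_t chunk[POOL_LEN];
    for (int k = 0; k < POOL_LEN; k++) chunk[k] = kernel_byte(kern, p);
    gen_seed(u, chunk, POOL_LEN);
}

static uint8_t user_byte(gen_t *u, gen_t *kern, pool_t *p)
{
    if (u->budget == 0) user_seed(u, kern, p);   /* back to the kernel */
    u->budget--;
    return rc4_byte(&u->c);
}

int main(void)
{
    pool_t p = {0};
    gen_t kern = {0}, prog = {0};
    /* constructed stand-ins for interrupt timestamps, not real entropy */
    for (uint32_t t = 1; t <= 64; t++) pool_add(&p, t * 2654435761u);
    kernel_reseed(&kern, &p);
    for (int k = 0; k < 8; k++) printf("%02x", user_byte(&prog, &kern, &p));
    printf("\n");
    return 0;
}
```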
Double Getaway
Good morning, on this occasion we are offering a second stay free of charge; you can read more about the offer at http://www.fullallotment.com/barcelo.htm, all-inclusive plan, the best beachfront location in Cancun. Thank you in advance for your time and attention, best regards, Elsa Sanchez
Re: carp + client avahi-daemon = OpenBSD kernel hang
On 2010-10-03, Devin Reade wrote:

So basically there are untrusted machines on the interface on which you also run pfsync. This is an unsupported configuration, as per pfsync(4):

     It is important that the pfsync traffic be well secured as there is no
     authentication on the protocol and it would be trivial to spoof packets
     which create states, bypassing the pf ruleset. Either run the pfsync
     protocol on a trusted network - ideally a network dedicated to pfsync
     messages such as a crossover cable between two firewalls, or specify a
     peer address and protect the traffic with ipsec(4).

(though I do think this warning could be strengthened).

There might be a way that this particular problem with multicast traffic from avahi could be avoided (full pcap traces of the relevant traffic e.g. "tcpdump -i interface -s 1500 -w somefile.pcap" would help work this out) but it's still unsafe.

Until you can move to a dedicated nic, I would suggest switching to using syncpeer in pfsync config, and ipsec with manual keying to protect the traffic e.g.

isakmpd_flags="-Ka"
ipsec=YES

and in ipsec.conf on one side,

flow esp proto pfsync from 1.1.1.1 to 2.2.2.2
esp from 1.1.1.1 to 2.2.2.2 spi 0x12345678:0x9abcdef0 \
    authkey 0x:0x \
    enckey 0x:0x

and the other,

flow esp proto pfsync from 2.2.2.2 to 1.1.1.1
esp from 2.2.2.2 to 1.1.1.1 spi 0x9abcdef0:0x12345678 \
    authkey 0x:0x \
    enckey 0x:0x

(using your own random hex numbers in place of these).

You will probably want to pass the ipsec traffic (proto esp) with the "no-sync" option in pf.conf.

(I would not choose to use automatic ipsec keying for this).
Re: Kerberos: Server not found in database: krbtgt/ualberta...@realm
On Mon, 4 Oct 2010, Clint Pachl wrote:
> In the KDC log file, I get the following errors:
>
> 2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for
> afs/ualberta...@mokaz.com
> 2010-10-04T02:40:11 Server not found in database: afs/ualberta...@mokaz.com:
> No such entry in the database
> 2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for
> krbtgt/ualberta...@mokaz.com
> 2010-10-04T02:40:11 Server not found in database:
> krbtgt/ualberta...@mokaz.com: No such entry in the database
>
>
> Why am I getting these errors? Are they compiled in?
>
> How do I quiet this?
>
> For clients, all of my Kerberos settings are in DNS; there is no krb5.conf.
>
> Here is krb5.conf on the Kerberos server:

Try adding the following into your krb5.conf:

[appdefaults]
    kinit = {
        afslog = no
    }

Or comment the entry in /etc/afs/ThisCell.

--
Antoine
Re: Incorrect FAQ entry about "ksh(1) does not appear to read my .profile"
On Oct 3, 2010, at 2:52 PM, Amit Kulkarni wrote:
> Then why is it placed there in the FAQ entry? Somebody thought there's a
> relation there.

It's there because when you start an X terminal (xterm), you can tell xterm (via X resource DB) if you want shells it starts to be "login shells", and that's what that resource setting is doing. It is not a resource setting for ksh.

Further, it's in the FAQ about "why isn't my .profile being read" for the ksh because most people are completely unaware of what is going on when they click that "Terminal" button.

.Xdefaults may or may not be read by X-based applications, and is often loaded into the Resource DB of the X server on login (depending on the system -- everything does it differently). At one point it was .Xresources (which may be what X reads still -- I don't know anymore, I stopped thinking about xrdb about 8 years ago).

The space is completely irrelevant, and this thread should die.

> IMHO, I think ksh should be able to read .profile by default

The rules of what ksh reads and when are based on ancient login mechanisms -- .profile was read only on login. In the csh, .login was read on login, and .cshrc was read on every invocation of csh. ksh reads the file pointed to by the environment variable ENV on invocation.

Put things you want to happen when you log in (via SSH, for example) into .profile, and also set ENV=$HOME/.kshrc into it. Then put everything into .kshrc that you want to invoke with all subshells.

It's no good to say "I think ksh should do. . ." because it ain't gonna happen. It would break all sorts of crap if it did.

Sean

PS Linux's pdksh sucks, and does all sorts of weird shit. OpenBSD's ksh is much more sane.

> On Sat, Oct 2, 2010 at 10:39 PM, Abel Abraham Camarillo Ojeda <
> acam...@verlet.org> wrote:
>
>> .Xdefaults has nothing to do with .profile ...
Re: Router components
On Oct 3, 2010, at 11:15 PM, David Higgs wrote:
>> NONE OF IT WILL MATTER TO YOU.
>
> I'll google up some smaller systems (Soekris, ALIX, etc?)
> and see how they strike me. Pointers here are even more welcome, as I
> am not as familiar with this end of the spectrum and want to avoid the
> aforementioned "crappy super-low-power systems."
>
> Thanks for the input.

I just bought an Alix 2d13 board. Then ended up buying about 7 of them for work for OOB back-channel machines. Insanely straightforward, and they Just Work(tm).

Sean
Re: route-to and divert-packet
2010/10/3, Daniel Browning-Weber:
> Okay, and the divert (4) man page says that outbound packets,
> after being reinjected, "are processed directly by the relevant
> IP/IPv6 output function," so I probably can't get pf to take
> another look at them so that "route-to" will apply.
>
> If I were feeling brave and wanted to mess with this in the
> kernel, should I try to get the packet's routing changed
> after processing? Or would it be less insane for me to
> try to play with the routing before the divert?

The code says it well - after your divert(4) client reinjects the packet back into the kernel, it bypasses any pf checks and goes straight to the {ip_,ip6_}output function because of possible loops.

What exactly are you trying to accomplish here, with the combination of these two? Please be more specific about your goals, not just the technical stuff around.

I'm not sure about this though, but passing the packet to divert app and changing IP headers _in there_ should suffice for most what you'd accomplish using route-to (now I'm waiting for the cold-shower of corrections and RTFM's). Provided that your routing table is consistent with what you want to do, of course.

--
Martin Pelikan
Re: Router components
On 2010-10-04, David Higgs wrote:
> I am building a replacement router/firewall for home use and am
> soliciting suggestions/commentary/alternatives on the components
> below.

What sort of internet connection and what will be running over it? Will you be doing crypto on the firewall (ipsec/some other vpn)?

> I was planning to use an SSD in the 32 GB size range, but the archives
> indicate we don't have TRIM support yet. Though this obviously isn't
> a showstopper to usage, am I better off getting an older-generation
> SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
> tech is more mature?

Newer SSDs don't *require* TRIM, it is optional. I think it's probably a better idea to get the newer generation. Though a 2-4GB CF might be quite good enough too.

For what a lot of people need for a router/firewall a 2-4GB CF card in an IDE adapter would be fine too (smaller works too if you can still find them, but it's easier to have this much space).

> Finally, I want this box to act as wireless AP, and hope to have
> out-of-the-box 802.11n support (when eventually available). I've read
> that run(4) is a solid chipset in this regard; any other suggestions?

run(4) does not support host AP.

athn(4) is likely the best choice, I haven't used it with OpenBSD but it looks like this is the most actively developed wireless driver at the moment. I have used it with commercial APs running their embedded linux-based OS and the hardware itself works very well indeed.

As I think you're aware we don't support 802.11n capabilities yet, also note we don't support clients that use power-saving mode (this is an absolute show-stopper for some users; some client hardware has no way to disable this).
Re: How to use /dev/srandom
On Thu, 30 Sep 2010 11:37:14 +0200
Daniel Gracia wrote:
> I do love all these considerations. Just wondering why on earth entropy
> doesn't get much attention in a world where people seem so worried
> about security and privacy.

Do you mean the world in general or the OpenBSD world.

I presume you've read the OpenBSD crypto papers that talk about how impossible it is to create a true random generator.

First I'd ask how well can anyone prove that the NIST statistical test suite can reliably judge randomness?
pflogd dying silently?
Hi,

on a machine running something close to what should be OpenBSD 4.8, I'm seeing pflogd "disappearing" every few days without any message in log files. Not to say that it's an annoying issue from the security point of view...

Is this a known problem with a fix in -current ? Should I try to gather more information and file a PR ?

--
Matthieu Herrb
Re: Mobile VPN
On Sat, 2010-10-02 at 11:56 +0300, Evgeniy Sudyr wrote:
> I was able to get it working with 4.6/4.7 and E60/E65/E52 it works as
> expected :)
>
> Nokia VPN config tool will save hours instead trial by error.
>
> On Fri, Oct 1, 2010 at 10:29 PM, Claudiu Pruna wrote:
>> On Fri, 2010-10-01 at 21:19 +0200, David Coppa wrote:
>>> On Fri, Oct 1, 2010 at 9:11 PM, Claudiu Pruna wrote:
>>>> I was wondering has anyone got an S60 mobile phone to connect to
>>>> OpenBSD Ipsec ?
>>>>
>>>> I did some tries, but no luck.
>>>
>>> Maybe this is of some use:
>>>
>>> http://betabug.ch/wiki/VPNNotes
>>>
>>> I'm sorry, but I have no personal experiences with "mobile vpns"...
>>>
>>> cheers,
>>> david
>>
>> thanks a lot, sounds very interesting, I will test it and see what
>> happens ;)
>>
>> --
>> Claudiu Pruna
>
> --
> --
> With regards,
> Eugene Sudyr

Well, I have tried that and ... it works

Yes, it is working ok, but if your setup is like mine and after connecting to the ipsec, your internal network contains more branches connected through vpn and in conclusion the internal network "contains" more unroutable ip address classes, the problem appears because you appear in your network with the ip that your phone gets from the internet connection it has. So it is a little bit tricky to route your phone to other ip classes than the one you are directly connected.

I have used in ipsecctl the "tag" option, and then in pf.conf I have created a nat pool which is just for the phones connecting from outside.

But it is a start, I mean, from no vpn (except symbian pptp) until here we already have a big progress. It would be nice if we could also get working the xauth and ip address assigning to phone through ipsec, but as I am not a developer, I hope it will happen someday.

Cheers

--
Claudiu Pruna
Re: smtpd and spamd, with antivirus
On Fri, 1 Oct 2010 08:42:04 -0400 "Michael W. Lucas" wrote:
> Hi,
>
> I have to build a new mail relay host, and would like to use spamd and
> smtpd on OpenBSD. I'm required to provide antivirus scanning of mail
> contents, however. Has anyone attached any antivirus software to this
> combination?
>
> I'm well aware that spamd stops a vast amount of viruses, but I'm not
> the one writing the requirements.

Hi Michael,

I think you will be pretty much done by setting up hermes antispam proxy in front of your server, or even on the same machine. Just set up smtpd to "listen on lo0 port 2025", and let hermes pick up smtp sessions after greylisting is done by spamd.

--
With best regards,
Gregory Edigarov
Re: Router components
On Sun, Oct 3, 2010 at 11:02 PM, Nick Holland wrote:
> On 10/03/10 22:11, David Higgs wrote:
>> I am building a replacement router/firewall for home use
>
> stop there.
>
> You aren't General Motors, Yahoo, or Google.
> You are looking to spend a lot of time and money trying to optimize performance on a super-fast-sport-car that will be only used to go to and from work in rush hour traffic. You aren't going any faster than the guy in front of you is going, or in this case, than your ISP is handing you data.
>
> There is nothing built in the last 10 years that can't do a home router/firewall like this for most people, with the exception of a few crappy super-low-power systems that people like to suggest as the answer to all questions (and then complain when the pathetic NICs and anemic CPUs don't pump data like a ten year old machine with non-pathetic NICs does).
>
> NONE OF IT WILL MATTER TO YOU.

Yeah, you got me -- I know it's overkill. But give me a little credit, I don't plan on tweaking knobs or compiling custom kernels to squeeze performance. I outgrew that phase five years ago on my circa 1999 desktop-turned-router that just recently passed on. To stick with the car analogy, I just want a reliable new car with better gas mileage, that will get me through the next 10 years or more.

> Realtek NICs, three digit celeron processors, the worst of the worst will pump more data than your ISP will deliver, so what do you gain by tweaking for the last one percent of data flow you will never see?
>
> Conventional stuff will cost less and run more reliably than fancy stuff, and while you may save a few watts, you are unlikely to recoup your investment.
>
> And why would you put an SSD on a firewall? so you can discover they are a lot more expensive and less reliable than an old hard disk? If you want fast and reliable, use an old, burned in HD, and back up your /etc directory. If you want low power or silent, get a CF adapter and a small CF card, or if your hw can boot from it, a USB flash drive.

I was researching SSDs to make the box quieter and maybe lower power; I/O speed was just a bonus. I can just as easily use spinning platters until SSD tech improves and/or converges with OpenBSD support.

I'll google up some smaller systems (Soekris, ALIX, etc?) and see how they strike me. Pointers here are even more welcome, as I am not as familiar with this end of the spectrum and want to avoid the aforementioned "crappy super-low-power systems."

Thanks for the input.

--david
Re: How to use /dev/srandom
On Mon, 4 Oct 2010 13:33:00 +0200 Janne Johansson wrote:
> 2010/10/4 Kevin Chadwick
>
> > > I do love all these considerations. Just wondering why on earth entropy
> > > doesn't get much attention in a world where people seem so worried
> > > about security and privacy.
> >
> > Do you mean the world in general or the OpenBSD world.
> >
> > I presume you've read the OpenBSD crypto papers that talk about how
> > impossible it is to create a true random generator.
> >
> > First I'd ask how well can anyone prove that the NIST statistical test
> > suite can reliably judge randomness?
>
> It just tries to prove the opposite. If the data has patterns it can find,
> it's not random.
> Proving something is random is insanely much harder.
>
> --
> To our sweethearts and wives. May they never meet. -- 19th century toast

Thought about that, but surely you'd need a lab to do that well, as you'd need a ridiculous amount of processing power and/or would be helping any attacker do his job. Plus truly random data could very occasionally have short-lived random patterns.

I imagine the current system monitors the input and output of the entropy pool, which would seem like the logical thing to do, but I wouldn't know. If you can improve the current code's info or accuracy, then cool.