System hangs when copying large files?
Hi list, I do a backup of a remote system by running rsync over ssh. The backup is stored as tgz. Both systems are running OBSD 5.0. For convenience I rsync the whole system to keep the backup script very simple in crontab. The remote system uses about 17.8G. Once in a while the remote system hangs and needs to be rebooted. Furthermore, after the rsync backup is done, I copy the tarball (11G) over to a terastation share mounted with slight. Unfortunately this also fails (file too large). Do I have to modify any system limits or something to solve that problem? Or do I have to increase memory/swap? How much would I need? Tia, Elmar
Accessing /etc/hostname.* via raw disk
Hi, I have an OpenBSD guest VM which needs to be configured before it boots up. I can access the OS through the VMWare APIs, but then need to configure the /etc/hostname.* file to update the IP address. One way I can think of is to look up the fsck code and figure this out (or I may be wrong). If there is a better way, I'd appreciate pointers. Thanks in advance. -Amarendra
Re: Accessing /etc/hostname.* via raw disk
On Wed, May 09, 2012 at 03:40:22PM +0530, Amarendra Godbole wrote:
> Hi, I have an OpenBSD guest VM which needs to be configured before it boots up. I can access the OS through the VMWare APIs, but then need to configure the /etc/hostname.* file to update the IP address. One way I can think of is to look up the fsck code and figure this out (or I may be wrong). If there is a better way, I'd appreciate pointers. Thanks in advance.

I get pissed off with VMWare tools everyday :) Boot from a network/iso, change what you need and reboot. I suppose you can even automatize it... jirib
Re: Accessing /etc/hostname.* via raw disk
On Wed, May 09, 2012 at 06:50:39AM -0400, Jiri B wrote:
> On Wed, May 09, 2012 at 03:40:22PM +0530, Amarendra Godbole wrote:
>> Hi, I have an OpenBSD guest VM which needs to be configured before it boots up. I can access the OS through the VMWare APIs, but then need to configure the /etc/hostname.* file to update the IP address. One way I can think of is to look up the fsck code and figure this out (or I may be wrong). If there is a better way, I'd appreciate pointers. Thanks in advance.
>
> I get pissed off with VMWare tools everyday :) Boot from a network/iso, change what you need and reboot. I suppose you can even automatize it... jirib

Or disable network interface, boot, fix config, enable network interface, reboot. -Otto
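The "boot from other media, fix the config, reboot" approach above comes down to writing a hostname.if(5) file into the guest's root filesystem while it is mounted somewhere other than /. Here is an added example of that step (not code from the thread or from OpenBSD); it assumes you have already booted bsd.rd or similar and mounted the root partition, e.g. at /mnt, and it only writes the file. The interface name, address and netmask in the usage are made up.

```shell
#!/bin/sh
# Added example, not from the thread: write an OpenBSD hostname.if(5) file
# into a root filesystem mounted at ROOT (for example /mnt after booting
# bsd.rd and running "mount /dev/sd0a /mnt"; that mount step is assumed and
# is not performed here).
#
# Usage: write_hostname_if ROOT IFACE ADDR NETMASK
#   e.g. write_hostname_if /mnt em0 192.168.10.5 255.255.255.0
# Returns 0 on success, 1 if an argument is rejected or the write fails.
write_hostname_if() {
    root=$1; iface=$2; addr=$3; mask=$4

    # Accept only dotted-quad values for the address and mask, so a typo or a
    # value pasted from an untrusted source cannot become an arbitrary
    # ifconfig(8) argument when netstart(8) later sources this file.
    for v in "$addr" "$mask"; do
        case $v in
            *[!0-9.]*|"") return 1 ;;
        esac
    done
    # Interface names are alphanumeric (em0, vio0, ...); nothing else.
    case $iface in
        *[!A-Za-z0-9]*|"") return 1 ;;
    esac

    f="$root/etc/hostname.$iface"
    tmp="$f.tmp.$$"
    # hostname.if files may carry wireless keys, so the installer creates them
    # mode 0640 root:wheel; umask 027 in a subshell gives the same mode here
    # without disturbing the caller's umask. Writing to a temporary file and
    # renaming keeps a half-written config from ever being the live one.
    ( umask 027
      printf 'inet %s %s NONE\n' "$addr" "$mask" > "$tmp" &&
      mv "$tmp" "$f" ) || { rm -f "$tmp"; return 1; }
}

# Report the address configured by a hostname.if file (its first "inet" line).
hostname_if_addr() {
    awk '$1 == "inet" { print $2; exit }' "$1"
}
```

After writing the file, unmount the filesystem cleanly before rebooting the guest; netstart(8) reads the new file on the next boot. The validation is the part worth keeping even in a throwaway script: a hostname.if file is executed, line by line, as ifconfig arguments and shell commands with root privileges.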
pfsync on VMs causes hung m_cluncount
I've just finished setting up two virtual machines with OB 5.1 current snapshot. When I enable pfsync I get the following:

carp: pfsync0 demoted group carp by 1 to 1 (pfsync bulk start)
carp: pfsync0 demoted group pfsync by 1 to 1 (pfsync bulk start)
carp: pfsync0 demoted group carp by -1 to 0 (pfsync bulk done)
carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync bulk done)
uvm_fault(0xd0a2f1a0, 0x0, 0, 1) - e
kernel: page fault trap, code=0
Stopped at m_cluncount+0x1a: movzwl 0x12(%edx),%eax
ddb>
m_cluncount(d6daf300,1,0,800,2) at m_cluncount+0x1a
em_rxeof(d1ddd000,,c0,f53b7f14,d057c157) at em_rxeof+0x1fe
em_intr(d1ddd000) at em_intr+0x140
Xintr_ioapic2() at Xintr_ioapic2+0x70
--- interrupt ---
cpu_idle_cycle(d0aeafa0) at cpu_idle_cycle+0xf
Bad frame pointer: 0xd0ba1e28
ddb> ps
*3 0 0 0 7 0x40100200 idle0
uvm_fault(0xd0a2f1a0, 0x0, 0, 1) - e
kernel: page fault trap, code=0
Faulted in DDB; continuing...
ddb>
rebooting...

OpenBSD 5.1-current (GENERIC) #210: Thu Apr 26 01:36:40 MDT 2012
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class) 2.93 GHz
cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,PGE,CMOV,MMX,FXSR,SSE,SSE2,SSE3,POPCNT
real mem = 1073266688 (1023MB)
avail mem = 1044905984 (996MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xff046, SMBIOS rev. 2.4 @ 0x3ec0 (10 entries)
bios0: vendor Seabios version 0.5.1 date 01/01/2007
bios0: Red Hat KVM
acpi0 at bios0: rev 0
acpi0: sleep states S5
acpi0: tables DSDT FACP SSDT APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
mpbios0 at bios0: Intel MP Specification 1.4
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 1000MHz
mpbios0: bus 0 is type PCI
mpbios0: bus 1 is type ISA
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
bios0: ROM list: 0xc/0x8c00 0xc9000/0x800 0xc9800/0x800 0xca000/0x2200
vmt0 at mainbus0
vmware: open failed, eax=564d5868, ecx=001e, edx=5658
vmt0: failed to open backdoor RPC channel (TCLO protocol)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <QEMU HARDDISK>
wd0: 16-sector PIO, LBA48, 12288MB, 25165824 sectors
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 0.12> ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 0
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 1 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 1 int 9
iic0 at piixpm0
iic0: addr 0x19 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1b 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1c 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1d 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1e 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1f 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x29 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x2b 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x4c 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x4e 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 words 00= 01= 02= 03= 04= 05= 06= 07=
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel PRO/1000MT (82540EM)" rev 0x03: apic 1 int 11, address 52:54:00:04:6a:67
em1 at pci0 dev 4 function 0 "Intel PRO/1000MT (82540EM)" rev 0x03: apic 1 int 11, address 52:54:00:7b:ce:15
"Qumranet Virtio Memory" rev 0x00 at pci0 dev 5 function 0 not configured
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: probed fifo depth: 0 bytes
makemap(8) manpage
The manpage for makemap(8) mentions some useful options that I would like to use, but the actual makemap binary says e.g.

~$ /usr/sbin/makemap -d /tmp/map
makemap: unknown option -- d
usage: makemap [-o dbfile] [-t type] file

On this system, I replaced sendmail with smtpd. It seems I am running smtpd's makemap (which is /usr/libexec/smtpd/makemap) but 'man makemap' gives me the manpage of sendmail's makemap (which is /usr/libexec/sendmail/makemap and indeed recognizes the many options). Is this expected? Jan
Re: makemap(8) manpage
On Wed, May 09, 2012 at 03:58:42PM +0200, Jan Stary wrote:
> The manpage for makemap(8) mentions some useful options that I would like to use, but the actual makemap binary says e.g.
>
> ~$ /usr/sbin/makemap -d /tmp/map
> makemap: unknown option -- d
> usage: makemap [-o dbfile] [-t type] file
>
> On this system, I replaced sendmail with smtpd. It seems I am running smtpd's makemap (which is /usr/libexec/smtpd/makemap) but 'man makemap' gives me the manpage of sendmail's makemap (which is /usr/libexec/sendmail/makemap and indeed recognizes the many options). Is this expected?

Yes, you will have to install the man pages manually as long as smtpd is not the default MTA. Since you're supposed to run smtpd -current that shouldn't be an issue :) -- Gilles Chehade https://www.poolp.org | http://pool.ps @poolpOrg
Re: Accessing /etc/hostname.* via raw disk
On 2012-05-09, Amarendra Godbole amarendra.godb...@gmail.com wrote:
> Hi, I have an OpenBSD guest VM which needs to be configured before it boots up. I can access the OS through the VMWare APIs, but then need to configure the /etc/hostname.* file to update the IP address. One way I can think of is to look up the fsck code and figure this out (or I may be wrong). If there is a better way, I'd appreciate pointers. Thanks in advance. -Amarendra

If only there were a protocol to allocate network addresses...
Re: System hangs when copying large files?
On 2012-05-09, [BG-Consulting] Elmar Bschorer elmar.bscho...@bugconsulting.de wrote:
> Hi list, I do a backup of a remote system by running rsync over ssh. The backup is stored as tgz. Both systems are running OBSD 5.0. For convenience I rsync the whole system to keep the backup script very simple in crontab. The remote system uses about 17.8G. Once in a while the remote system hangs and needs to be rebooted.

unless you can obtain more information (e.g. from DDB) this is going to be hard to track down.

> Furthermore, after the rsync backup is done, I copy the tarball (11G) over to a terastation share mounted with slight. Unfortunately this also fails (file too large). Do I have to modify any system limits or something to solve that problem? Or do I have to increase memory/swap? How much would I need?

slight? do you mean sharity light? iirc that uses nfsv2 which has size limits. (also it doesn't work very well). you might do better with samba's smbclient, or maybe you could share out from the terastation via nfsv3 or iscsi.
OT: SSH not secure?
According to these guys, connecting through SSH to a remote server is not secure... http://www.wziss.com/ Look in Case Studies. Cheers, Alvaro [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: OT: SSH not secure?
2012/5/9 Alvaro Mantilla Gimenez alv...@alvaromantilla.com:
> According to these guys, connecting through SSH to a remote server is not secure...

It's only as secure as the local and/or remote machine. There's nothing SSH can do about that.
Re: OT: SSH not secure?
On Wed, May 09, 2012 at 09:20:44AM -0600, Alvaro Mantilla Gimenez wrote:
> According to these guys, connecting through SSH to a remote server is not secure... http://www.wziss.com/ Look in Case Studies. Cheers, Alvaro [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

Of course you can catch passwords etc. if you have access to the hardware or root access for software tracing. I don't believe their claims that they can prevent that. -Otto
Re: OT: SSH not secure?
Exactly! LOL

On 09/05/2012, at 09:53, S. Scott wrote:
> On May 9, 2012, at 11:25, Alvaro Mantilla Gimenez alv...@alvaromantilla.com wrote:
>> According to these guys, connecting through SSH to a remote server is not secure... http://www.wziss.com/ Look in Case Studies. Cheers, Alvaro [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
>
> Let's break this down. You have a case where a malicious administrator -- whom you granted elevated trust and permissions -- with physical access and the technical 'clearance' to install and run all the mentioned hack tools and, by extrapolation, any/all the other unmentioned hack tools as well that would yield the user's password, and you're concerned about ssh. Good luck with your malicious administrator and the other 999,999 things you really need to be concerned about.

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: OT: SSH not secure?
On Wed, 2012-05-09 at 11:53 -0400, S. Scott wrote:
> Good luck with your malicious administrator and the other 999,999 things you really need to be concerned about.

It's more of the DAC silliness: you're not secure because you trust your systems administrator; I don't have to do that... (I just have to trust the person who administers the DAC rules).

Note the money sentence at the end of the case study:

"Currently, the only secure way to use ssh or sftp on a UNIX/Linux machine to connect with mission critical server is using our AutoSSH and/or AutoSFTP: only our AutoSSH and AutoSFTP can detect truss/tusc/strace and dtrace attack, and detect Trojan Horse attack. Using AutoSSH and/or AutoSFTP with public/private key pair with pass phrase protection for the private key is the most secure way of connecting with mission critical servers"

Right... because AutoSFTP and AutoSSH do not allow an administrator to tamper with *them* at all? Weldon
Re: OT: SSH not secure?
On 2012-05-09, Alvaro Mantilla Gimenez alv...@alvaromantilla.com wrote:
> According to these guys, connecting through SSH to a remote server is not secure... http://www.wziss.com/

And if you're connecting to a compromised web server, HTTPS doesn't automatically make that secure either. This is not the threat that this particular protocol guards against.

> Look in Case Studies

Here's another: if you use agent forwarding, even if you use ssh-add -c when you add your identities to require that they're confirmed to prevent the most common attack scenario with agent forwarding, the admin could have replaced the ssh binary with one which makes the connection and runs his own commands over it, or allows access to a second session via multiplexing.

And another: if you do the above *and* build your own ssh binary to make sure that's legitimate, the admin could have replaced the compiler, or make, or install, or something else, with one which builds/installs a trojanned program.
Re: OT: SSH not secure?
On Wed, 9 May 2012 17:42:09 +0200 Martin Schröder wrote:
> It's only as secure as the local and/or remote machine. There's nothing SSH can do about that

I have a bucket of water. Can anyone tell me why my hand gets wet if I put it inside the bucket.
Re: OT: SSH not secure?
On 9 May 2012 13:18, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
> On Wed, 9 May 2012 17:42:09 +0200 Martin Schröder wrote:
>> It's only as secure as the local and/or remote machine. There's nothing SSH can do about that
>
> I have a bucket of water. Can anyone tell me why my hand gets wet if I put it inside the bucket.

That's because you need to buy AutoBucket.
Re: OT: SSH not secure?
>>> It's only as secure as the local and/or remote machine. There's nothing SSH can do about that
>>
>> I have a bucket of water. Can anyone tell me why my hand gets wet if I put it inside the bucket.
>
> That's because you need to buy AutoBucket.

And only AutoBucket can protect you against water temperature attacks. You don't want to risk burning your hand with hot water, do you? Miod
Re: OT: SSH not secure?
On 9 May 2012 14:59, Miod Vallat m...@online.fr wrote:
>>>> It's only as secure as the local and/or remote machine. There's nothing SSH can do about that
>>>
>>> I have a bucket of water. Can anyone tell me why my hand gets wet if I put it inside the bucket.
>>
>> That's because you need to buy AutoBucket.
>
> And only AutoBucket can protect you against water temperature attacks. You don't want to risk burning your hand with hot water, do you?

Well noted, but that's only supported in AutoBucket Enterprise Edition.
Re: OT: SSH not secure?
On Wed, 9 May 2012 14:35:42 -0300 Christiano F. Haesbaert wrote:
> That's because you need to buy AutoBucket.

Having spent some time recently on some linux mailing lists, I have to say this list's fuckin' A.
Re: OT: SSH not secure?
I think Alvaro should read the classic paper: Reflections on Trusting Trust. Alvaro, Written by one of the guys who wrote UNIX and the original C compiler, which is what almost every UNIX based system is derived from... http://cm.bell-labs.com/who/ken/trust.html -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=30v_g83VHK4
Re: IPv6 and carp(4) problems
Resurrecting an old topic... On 2011-10-27 16:05, Stefan Rinkes wrote: I'm currently using a current kernel with following patch: --- sys/netinet6/in6.c 8 Aug 2011 13:04:35 - 1.93 +++ sys/netinet6/in6.c 27 Oct 2011 19:59:00 - @@ -2476,6 +2476,14 @@ in6if_do_dad(struct ifnet *ifp) * NS would confuse the DAD procedure. */ return (0); +#if NCARP 0 + case IFT_CARP: + /* + * XXX: DAD does not work currently on carp(4) + * so disable it for now. + */ + return (0); +#endif default: /* * Our DAD routine requires the interface up and running. It disables DAD on CARP, cause it does not work on normal CARP and creates false alarms on balancing CARP. Not great, but at least balancing and IPv6 works now. Looking at the code, DAD should already be disabled on carp interfaces. As soon as you assign a vhid to a carp interface, a link-local address is attached. in6_ifattach_linklocal() unconditionally sets IN6_IFF_NODAD on the interface. Further down it removes it but not for CARP interfaces: if (in6if_do_dad(ifp) ((ifp-if_flags IFF_POINTOPOINT) || (ifp-if_type == IFT_CARP)) == 0) { ia-ia6_flags = ~IN6_IFF_NODAD; ia-ia6_flags |= IN6_IFF_TENTATIVE; } So all CARP interfaces should have IN6_IFF_NODAD set. Simon
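Review bot: the preprocessor guard in the hunk reads `+#if NCARP 0`, which is not valid C; the comparison operator was evidently lost on the way to the list and the line should read `#if NCARP > 0`. Anyone applying this should also confirm that `"carp.h"` is included in in6.c so that NCARP is actually defined there: an undefined macro in `#if` silently evaluates to 0, and the new `case IFT_CARP:` would then never be compiled, giving the impression that the patch does nothing. Beyond that, Simon's reading of in6_ifattach_linklocal() (IN6_IFF_NODAD is set unconditionally and only cleared for non-CARP, non-point-to-point interfaces) means the added case in in6if_do_dad() duplicates a check that already exists on the link-local path, so if DAD is still observed on carp(4) the cause lies elsewhere and this hunk does not explain it.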
Re: OT: SSH not secure?
Thanks for pointing that article out. I read that paper some time ago. My intention with this thread was exactly this: get a lot of comments and put some smiles on people's faces. I received this through LinkedIn from some experts group or something like that (yeap... no comments). It is interesting how many people believe information that they just received on a social (professional???) network... Cheers, Alvaro

On 09/05/2012, at 12:39, bofh wrote:
> I think Alvaro should read the classic paper: Reflections on Trusting Trust. Alvaro, written by one of the guys who wrote UNIX and the original C compiler, which is what almost every UNIX based system is derived from... http://cm.bell-labs.com/who/ken/trust.html -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=30v_g83VHK4

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
fw_update
Hi everybody, I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install it (amd64 flavour), I see that fw_update automatically installs proprietary firmware without my permission. Actually even worse, it updates it automatically from the net! The parts affected are quite meaningful: the network card and the video card... I mean.. Should I request that you install proprietary firmware for my sound card too so that everybody can record my voice too? I would like to hear your arguments on this and if there is a simple way to disable fw_update and uninstall in general everything proprietary affecting the network card that I have not been warned about. I read on the FAQ that I should have been asked about this firmware but I wasn't! (amd64 cd installer). Thanks much, Mark
Re: fw_update
On 05/09/12 21:33, mark sullivan wrote:
> Hi everybody, I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install it (amd64 flavour), I see that fw_update automatically installs proprietary firmware without my permission. Actually even worse, it updates it automatically from the net! The parts affected are quite meaningful: the network card and the video card... I mean.. Should I request that you install proprietary firmware for my sound card too so that everybody can record my voice too? I would like to hear your arguments on this and if there is a simple way to disable fw_update and uninstall in general everything proprietary affecting the network card that I have not been warned about. I read on the FAQ that I should have been asked about this firmware but I wasn't! (amd64 cd installer). Thanks much, Mark

I just want to note: last time I installed OpenBSD (a 5.1-snapshot) this feature worked correctly. I was asked by the installer.
Re: fw_update
For me as well. Maybe someone needs to read more carefully and just not push enter all the way. // Johan

On May 9, 2012 10:02 PM, Tobias Sarnowski tob...@trustedco.de wrote:
> On 05/09/12 21:33, mark sullivan wrote:
>> Hi everybody, I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install it (amd64 flavour), I see that fw_update automatically installs proprietary firmware without my permission. Actually even worse, it updates it automatically from the net! The parts affected are quite meaningful: the network card and the video card... I mean.. Should I request that you install proprietary firmware for my sound card too so that everybody can record my voice too? I would like to hear your arguments on this and if there is a simple way to disable fw_update and uninstall in general everything proprietary affecting the network card that I have not been warned about. I read on the FAQ that I should have been asked about this firmware but I wasn't! (amd64 cd installer). Thanks much, Mark
>
> I just want to note: last time I installed OpenBSD (a 5.1-snapshot) this feature worked correctly. I was asked by the installer.
Re: fw_update
On Wed, May 09, 2012 at 21:33, mark sullivan wrote:
> I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install it (amd64 flavour), I see that fw_update automatically installs proprietary firmware without my permission. Actually even worse, it updates it automatically from the net! The parts affected are quite meaningful: the network card and the video card... I mean.. Should I request that you install proprietary firmware for my sound card too so that everybody can record my voice too? I would like to hear your arguments on this and if there is a simple way to disable fw_update and uninstall in general everything proprietary affecting the network card that I have not been warned about. I read on the FAQ that I should have been asked about this firmware but I wasn't! (amd64 cd installer).

The firmware is only loaded onto the network card if you enable the interface using ifconfig. If you do not trust your network card, don't use it. If you don't trust the network card, but you still want to use it, you're shit out of luck. It won't work without the firmware.
Re: fw_update
On 9 May 2012 21:38, mark sullivan mark.sulli...@gmx.fr wrote:
> Hi everybody, I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install it (amd64 flavour), I see that fw_update automatically installs proprietary firmware without my permission. Actually even worse, it updates it automatically from the net! The parts affected are quite meaningful: the network card and the video card... I mean.. Should I request that you install proprietary firmware for my sound card too so that everybody can record my voice too?

What's the purpose of having a non-working wifi card? If you have concerns with firmwares, swap your card with, for example, an atheros or another card that doesn't need a firmware. And, btw, the other firmware is for a webcam (uvideo), not the video card... Cheers, David
Re: fw_update
On 05/09/12 22:55, Johan Ryberg wrote:
> For me as well. Maybe someone needs to read more carefully and just not push enter all the way.

While that's a natural thought nowadays, it's not the case here;

$ cvs log -r1.654 install.sub
/.../
	OPENBSD_5_1: 1.655.0.2
	OPENBSD_5_1_BASE: 1.655
/.../
revision 1.654
date: 2011/11/08 19:55:52;  author: deraadt;  state: Exp;  lines: +2 -6
Now that the code is well tested, don't ask the firmware question anymore.
Saves 141 precious bytes on the inside of the media.
ok krw
=

/Alexander

> // Johan
>
> On May 9, 2012 10:02 PM, Tobias Sarnowski tob...@trustedco.de wrote:
>> On 05/09/12 21:33, mark sullivan wrote:
>>> Hi everybody, I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install it (amd64 flavour), I see that fw_update automatically installs proprietary firmware without my permission. Actually even worse, it updates it automatically from the net! The parts affected are quite meaningful: the network card and the video card... I mean.. Should I request that you install proprietary firmware for my sound card too so that everybody can record my voice too? I would like to hear your arguments on this and if there is a simple way to disable fw_update and uninstall in general everything proprietary affecting the network card that I have not been warned about. I read on the FAQ that I should have been asked about this firmware but I wasn't! (amd64 cd installer). Thanks much, Mark
>>
>> I just want to note: last time I installed OpenBSD (a 5.1-snapshot) this feature worked correctly. I was asked by the installer.
Re: fw_update
On 2012-05-09, mark sullivan mark.sulli...@gmx.fr wrote:
> I would like to hear your arguments on this and if there is a simple way to disable fw_update and uninstall in general everything proprietary affecting the network card that I have not been warned about.

In the cases of the firmware which is installed from a package, usually due to lack of redistribution rights, you can do this:

# pkg_delete /var/db/pkg/*-firmware-*
# echo 127.0.0.1 firmware.openbsd.org >> /etc/hosts

From your email it seems like this is possibly the main thing you're worried about and is pretty simple to remove/workaround.

Other firmware exists in /etc/firmware which is part of the base system (fxp, bnx, myx etc) which never had a question, you could probably do this to remove it and make it hard to reinstall at update time:-

# rm -rf /etc/firmware
# touch /etc/firmware

(tar doesn't like unpacking a dir over a file or vice-versa)

There's also firmware / microcode compiled into some drivers like isp(4), see /sys/dev/microcode, you'll have to track down the relevant devices, remove them from kernel config and recompile.

Other devices usually have the firmware on some type of rom, eeprom or flash storage device. You're presumably going to need a vendor-supplied tool or a soldering iron to uninstall these.

None of the above are really supported though, and in all these cases the simplest way to avoid loading the firmware is to disconnect the relevant device, it will work just as well unplugged as without firmware.

If you're using a PC you should probably also be aware that there is likely to be bios-installed code which runs in system management mode behind the back of the OS, this is also proprietary and could also affect the network card and all other parts of the machine. Also some of the various management controllers you might find have pretty far-reaching capabilities in this respect.
Re: fw_update
>> I would like to hear your arguments on this and if there is a simple way to disable fw_update and uninstall in general everything proprietary affecting the network card that I have not been warned about.
>
> If you're using a PC you should probably also be aware that there is likely to be bios-installed code which runs in system management mode behind the back of the OS, this is also proprietary and could also affect the network card and all other parts of the machine. Also some of the various management controllers you might find have pretty far-reaching capabilities in this respect.

> If you have concerns with firmwares, swap your card with, for example, an atheros or another card that doesn't need a firmware.

Some atheros does use firmware, eg athn(4). You can use pf to block those network devices that have firmware you don't trust. Easiest way to disable the uvideo firmware (and any bios video spyware) is to stick black electrical tape over the webcam lens.
Re: fw_update
On Thu, May 10, 2012 at 10:34, Brett wrote: You can use pf to block those network devices that have firmware you don't trust Way too late at that point. It's already copied your top zecret data to the NSA.
Re: fw_update
On Thu, 10 May 2012 00:55:07 + Ted Unangst t...@tedunangst.com wrote: On Thu, May 10, 2012 at 10:34, Brett wrote: You can use pf to block those network devices that have firmware you don't trust Way too late at that point. It's already copied your top zecret data to the NSA. They have all my data anyway, due to the other camera they secreted in the roof above my desk.
Re: fw_update
On Wed, 2012-05-09 at 21:33 +0200, mark sullivan wrote:
> Hi everybody, I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install it (amd64 flavour), I see that fw_update automatically installs proprietary firmware without my permission. Actually even worse, it updates it automatically from the net! The parts affected are quite meaningful: the network card and the video card... I mean.. Should I request that you install proprietary firmware for my sound card too so that everybody can record my voice too? I would like to hear your arguments on this and if there is a simple way to disable fw_update and uninstall in general everything proprietary affecting the network card that I have not been warned about. I read on the FAQ that I should have been asked about this firmware but I wasn't! (amd64 cd installer). Thanks much, Mark

This surprised me too, having been used to being asked when 5.1 was still -current. Note that if you don't set up a network interface during the install (or more to the point, don't initially boot with an /etc/hostname.$INTERFACE file), fw_update won't try to run. Weldon
Re: Hardware (firewall) recommendation
Dear All, I am resurrecting this thread, which I followed carefully, because I need some hardware advice for the firewall machine which is going to serve our new scientific computing laboratory. Initially behind this firewall we will have only two small (16 and 8 nodes) clusters, a GPU based super computer, a CVS/file server and a web server for PMWiki. They will be accessible to users (15-20 for now) only via SSH (NX X) and HTTP protocols. We are vendor locked due to the contract between Dell and the University System of Georgia. I would like to hear opinions about: Dell PowerEdge R210 II Ultra-compact Rack Server http://www.dell.com/us/enterprise/p/poweredge-r210-2/pd I am looking at the one with Intel Gigabit ET Quad Port Adapter, Gigabit Ethernet NIC, PCIe x4. Does one dual-port Broadcom BCM 5716 work on OpenBSD? What about those Broadcom NetXtremes? It is not going to have a RAID controller. We are looking at the one with Dual-core Intel Celeron G400 and G500 series. Thank you so much! Predrag
Re: fw_update
On Wed, 2012-05-09 at 23:39 +0200, David Coppa wrote:

What's the purpose of having a non-working wifi card? If you have concerns with firmware, swap your card with, for example, an Atheros or another card that doesn't need a firmware. And, btw, the other firmware is for a webcam (uvideo), not the video card...

For me the issue was surprise (something I dislike in an installer); I was asked to confirm the download when 5.1 was -current and not asked when it was a release. I had assumed the reason for the confirmation was the license, but the note in the commit suggests it was because fw_update might be buggy. Also, while I recognize this is an edge case, I have in the past sold systems with OpenBSD installed on them to other people, and now that I come to think of it I have no idea whether that's legal to do with, say, iwn-firmware installed on it (it's probably not).

Weldon
Re: ipsec.conf, routers and endpoints - third try
firewall dual-homed network-facing static NIC address = 5.5.5.4 (rfc1918/rfc6598)
Virgin Media router-facing static NIC address = 3.3.3.2 (rfc1918/rfc6598)
Virgin Media router static address = 3.3.3.3 (rfc1918/rfc6598)
Virgin Media dynamic WAN address = 1.1.1.1 (internet-routable)
firewall default route = 3.3.3.3
network_a default route = 5.5.5.4

Your local_gw address would be the router-facing rfc1918 address and remote_gw would be the dynamic internet-routable address of the other gateway.

Hi Stuart, thanks for your answer and advice. I am working on a modified ddns update script to signal a restart of isakmpd when the dynamic IP changes; will implement isakmpd, else will follow your suggestion and use OpenVPN for my net-to-net link. I had already planned to use OpenVPN for my roadwarriors. shadrock

The problem is that when the address of one side changes, it's the *other* side that you need to restart. So you might want a regularly-run script to do a lookup to work out when this needs doing, although in practice I don't think VM change addresses all that often, so it might be good enough to have the update script email/text you to tell you to update the other side...

Hi Stuart, having reread your first post on the subject, I now realize when the address of one side changes it's the *other* side that needs to update remote_gw in ipsec.conf and restart. I was considering each end running a script which used ping to check connectivity to the remote gateway, like OpenVPN's method; if ping timed out then a DNS hostname lookup would be used to resolve the IP, ipsec.conf would then be updated and restarted, and an email sent to the manager of the network informing of the remote address change. This would be all scripted so there would be no need for me to get involved. shadrock
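The ping-then-lookup job shadrock describes, with Stuart's caveat that it is the static side whose remote_gw goes stale, as an added shell example that is not code from the thread. It assumes ipsec.conf uses the local_gw/remote_gw macro names from the thread, that the dynamic peer publishes its address under a DDNS hostname (constructed here), and that ipsecctl(8) reloads the configuration; the addresses, file content and paths are constructed for illustration. The part worth noting is that the resolved address is validated before it is written, so a failed or empty lookup cannot turn into a broken peer line.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the remote_gw macro in an
# ipsec.conf-style file in step with a peer's dynamic address. Runs on the
# static side, since that is the side whose remote_gw goes stale.
# Hostnames, addresses and paths below are constructed for illustration.
set -eu

# current_remote_gw FILE: print the value of the remote_gw macro, quotes stripped.
# Assumes a line of the form  remote_gw="1.1.1.1"  as in the ipsec.conf(5) example.
current_remote_gw() {
    sed -n 's/^remote_gw[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# valid_ipv4 ADDR: accept only a dotted quad, so an empty, failed or poisoned
# DNS answer never ends up as a peer address in ipsec.conf.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# update_remote_gw FILE NEWADDR: rewrite the macro only when the address really
# changed. Exit status: 0 changed, 1 already current, 2 NEWADDR is not IPv4.
update_remote_gw() {
    file=$1 new=$2
    valid_ipv4 "$new" || return 2
    old=$(current_remote_gw "$file")
    [ "$old" != "$new" ] || return 1
    tmp="$file.tmp.$$"
    sed "s/^remote_gw[[:space:]]*=.*/remote_gw=\"$new\"/" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# reload_ipsec: flush and reload flows and SAs from the new file. The thread
# restarts isakmpd instead; either way the change only takes effect here.
# Skipped when DRYRUN is set so the script can be exercised without root.
reload_ipsec() {
    [ -z "${DRYRUN:-}" ] || { echo "dry run: skipping ipsecctl reload"; return 0; }
    ipsecctl -F
    ipsecctl -f /etc/ipsec.conf
}

# sync_peer FILE HOSTNAME: the cron job body. Ping the configured address first
# (the cheap liveness check from the thread); only when that fails resolve the
# peer's DDNS name, rewrite the macro, reload and tell the admin. Needs network.
sync_peer() {
    old=$(current_remote_gw "$1")
    ping -c 3 "$old" >/dev/null 2>&1 && return 0
    new=$(host "$2" | awk '/has address/ { print $4; exit }')
    if update_remote_gw "$1" "$new"; then
        reload_ipsec
        echo "remote_gw for $2 changed from $old to $new" |
            mail -s "ipsec peer address changed" root
    fi
}

# Crontab use (hostname assumed):
#   */10 * * * * /usr/local/sbin/ipsec-peer-sync sync /etc/ipsec.conf peer.dyndns.example
case "${1:-}" in
    sync) sync_peer "${2:-/etc/ipsec.conf}" "${3:?peer hostname required}" ;;
esac
```

Because update_remote_gw returns 1 when nothing changed, the reload (or isakmpd restart) only happens on a real address change, which matters for a job that runs every few minutes against a tunnel that is otherwise up.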
Re: fw_update
Ah, ok. Sorry Mark. I didn't know that.

Johan

On May 10, 2012 12:46 AM, Alexander Hall ha...@openbsd.org wrote:

On 05/09/12 22:55, Johan Ryberg wrote: For me as well. Maybe someone needs to read more carefully and just not push enter all the way.

While that's a natural thought nowadays, it's not the case here:

$ cvs log -r1.654 install.sub
/.../
OPENBSD_5_1: 1.655.0.2
OPENBSD_5_1_BASE: 1.655
/.../
revision 1.654
date: 2011/11/08 19:55:52;  author: deraadt;  state: Exp;  lines: +2 -6
Now that the code is well tested, don't ask the firmware question anymore.
Saves 141 precious bytes on the inside of the media.
ok krw
=============================================================================

/Alexander

// Johan

On May 9, 2012 10:02 PM, Tobias Sarnowski tob...@trustedco.de wrote:

On 05/09/12 21:33, mark sullivan wrote: Hi everybody, I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install it (amd64 flavour), I see that fw_update automatically installs proprietary firmware without my permission. Actually even worse, it updates it automatically from the net! The parts affected are quite meaningful: the network card and the video card... I mean.. Should I request that you install proprietary firmware for my sound card too so that everybody can record my voice too? I would like to hear your arguments on this and if there is a simple way to disable fw_update and uninstall in general everything proprietary affecting the network card that I have not been warned about. I read on the FAQ that I should have been asked about this firmware but I wasn't! (amd64 cd installer). Thanks much, Mark

I just want to note: last time I installed OpenBSD (a 5.1-snapshot) this feature worked correctly. I was asked by the installer.