System hangs when copying large files?

2012-05-09 Thread [BG-Consulting] Elmar Bschorer
Hi list,

I do a backup of a remote system by running rsync over ssh. The backup is
stored as tgz. Both systems are running OBSD 5.0. For convenience I rsync the
whole system to keep the backup script very simple in crontab. The remote
system uses about 17.8G.

Once in a while the remote system hangs and needs to be rebooted.

Furthermore, after the rsync-backup is done, I copy the tarball (11G) over to
a terastation share mounted with slight. Unfortunately this also fails (file
too large).

Do I have to modify any system limits or something to solve that problem? Or
do I have to increase memory/swap? How much would I need?



Tia,

Elmar



Accessing /etc/hostname.* via raw disk

2012-05-09 Thread Amarendra Godbole
Hi,

I have an OpenBSD guest VM, which needs to be configured before it
boots up. I can access the OS through the VMware APIs, but then need
to configure the /etc/hostname.* file to update the IP address. One
way I can think of is to look up the fsck code and figure this out (or I
may be wrong). If there is a better way, I'd appreciate pointers.
Thanks in advance.

-Amarendra



Re: Accessing /etc/hostname.* via raw disk

2012-05-09 Thread Jiri B
On Wed, May 09, 2012 at 03:40:22PM +0530, Amarendra Godbole wrote:
 Hi,
 
 I have an OpenBSD guest VM, which needs to be configured before it
 boots up. I can access the OS through the VMware APIs, but then need
 to configure the /etc/hostname.* file to update the IP address. One
 way I can think of is to look up the fsck code and figure this out (or I
 may be wrong). If there is a better way, I'd appreciate pointers.
 Thanks in advance.

I get pissed off with VMware tools every day :) Boot from a network/iso,
change what you need and reboot.

I suppose you can even automate it...

jirib



Re: Accessing /etc/hostname.* via raw disk

2012-05-09 Thread Otto Moerbeek
On Wed, May 09, 2012 at 06:50:39AM -0400, Jiri B wrote:

 On Wed, May 09, 2012 at 03:40:22PM +0530, Amarendra Godbole wrote:
  Hi,
  
  I have an OpenBSD guest VM, which needs to be configured before it
  boots up. I can access the OS through the VMware APIs, but then need
  to configure the /etc/hostname.* file to update the IP address. One
  way I can think of is to look up the fsck code and figure this out (or I
  may be wrong). If there is a better way, I'd appreciate pointers.
  Thanks in advance.
 
 I get pissed off with VMware tools every day :) Boot from a network/iso,
 change what you need and reboot.
 
 I suppose you can even automate it...
 
 jirib

Or disable network interface, boot, fix config, enable network
interface, reboot.

-Otto



pfsync on VMs causes hung m_cluncount

2012-05-09 Thread Kapetanakis Giannis
I've just finished setting up two virtual machines with OB 5.1 current 
snapshot.


When I enable pfsync I get the following:

carp: pfsync0 demoted group carp by 1 to 1 (pfsync bulk start)
carp: pfsync0 demoted group pfsync by 1 to 1 (pfsync bulk start)
carp: pfsync0 demoted group carp by -1 to 0 (pfsync bulk done)
carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync bulk done)
uvm_fault(0xd0a2f1a0, 0x0, 0, 1) - e
kernel: page fault trap, code=0
Stopped at  m_cluncount+0x1a:   movzwl  0x12(%edx),%eax
ddb ddb ddb ddb ddb m_cluncount(d6daf300,1,0,800,2) at m_cluncount+0x1a
em_rxeof(d1ddd000,,c0,f53b7f14,d057c157) at em_rxeof+0x1fe
em_intr(d1ddd000) at em_intr+0x140
Xintr_ioapic2() at Xintr_ioapic2+0x70
--- interrupt ---
cpu_idle_cycle(d0aeafa0) at cpu_idle_cycle+0xf
Bad frame pointer: 0xd0ba1e28

ps

*3  0  0  0  7  0x40100200idle0

uvm_fault(0xd0a2f1a0, 0x0, 0, 1) - e
kernel: page fault trap, code=0
Faulted in DDB; continuing...
ddb rebooting...
OpenBSD 5.1-current (GENERIC) #210: Thu Apr 26 01:36:40 MDT 2012
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class) 2.93 GHz
cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,PGE,CMOV,MMX,FXSR,SSE,SSE2,SSE3,POPCNT

real mem  = 1073266688 (1023MB)
avail mem = 1044905984 (996MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xff046, SMBIOS rev. 2.4 @ 0x3ec0 (10 entries)
bios0: vendor Seabios version 0.5.1 date 01/01/2007
bios0: Red Hat KVM
acpi0 at bios0: rev 0
acpi0: sleep states S5
acpi0: tables DSDT FACP SSDT APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
mpbios0 at bios0: Intel MP Specification 1.4
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 1000MHz
mpbios0: bus 0 is type PCI
mpbios0: bus 1 is type ISA
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
bios0: ROM list: 0xc/0x8c00 0xc9000/0x800 0xc9800/0x800 0xca000/0x2200
vmt0 at mainbus0
vmware: open failed, eax=564d5868, ecx=001e, edx=5658
vmt0: failed to open backdoor RPC channel (TCLO protocol)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82441FX rev 0x02
pcib0 at pci0 dev 1 function 0 Intel 82371SB ISA rev 0x00
pciide0 at pci0 dev 1 function 1 Intel 82371SB IDE rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: QEMU HARDDISK
wd0: 16-sector PIO, LBA48, 12288MB, 25165824 sectors
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: QEMU, QEMU DVD-ROM, 0.12 ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 0
uhci0 at pci0 dev 1 function 2 Intel 82371SB USB rev 0x01: apic 1 int 11
piixpm0 at pci0 dev 1 function 3 Intel 82371AB Power rev 0x03: apic 1 int 9
iic0 at piixpm0
iic0: addr 0x19 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 
01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1b 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 
01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1c 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 
01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1d 0f=00 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 
01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1e 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 
01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x1f 3e=00 48=00 4a=00 4e=00 fc=00 fe=00 words 00= 
01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x29 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 
words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x2b 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 
words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x4c 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 
words 00= 01= 02= 03= 04= 05= 06= 07=
iic0: addr 0x4e 00=d0 01=d0 02=d0 03=d0 04=d0 05=d0 06=d0 07=d0 08=d0 
words 00= 01= 02= 03= 04= 05= 06= 07=

vga1 at pci0 dev 2 function 0 Cirrus Logic CL-GD5446 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 Intel PRO/1000MT (82540EM) rev 0x03: apic 1 int 11, address 52:54:00:04:6a:67
em1 at pci0 dev 4 function 0 Intel PRO/1000MT (82540EM) rev 0x03: apic 1 int 11, address 52:54:00:7b:ce:15
Qumranet Virtio Memory rev 0x00 at pci0 dev 5 function 0 not configured
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: probed fifo depth: 0 bytes

makemap(8) manpage

2012-05-09 Thread Jan Stary
The manpage for makemap(8) mentions some useful options that I would
like to use, but the actual makemap binary says e.g.

~$ /usr/sbin/makemap -d /tmp/map  
makemap: unknown option -- d
usage: makemap [-o dbfile] [-t type] file

On this system, I replaced sendmail with smtpd.  It seems I am running
smtpd's makemap (which is /usr/libexec/smtpd/makemap) but 'man makemap'
gives me the manpage of sendmail's makemap (which is
/usr/libexec/sendmail/makemap and indeed recognizes the many options).

Is this expected?

Jan



Re: makemap(8) manpage

2012-05-09 Thread Gilles Chehade
On Wed, May 09, 2012 at 03:58:42PM +0200, Jan Stary wrote:
 The manpage for makemap(8) mentions some useful options that I would
 like to use, but the actual makemap binary says e.g.
 
 ~$ /usr/sbin/makemap -d /tmp/map  
 makemap: unknown option -- d
 usage: makemap [-o dbfile] [-t type] file
 
 On this system, I replaced sendmail with smtpd.  It seems I am running
 smtpd's makemap (which is /usr/libexec/smtpd/makemap) but 'man makemap'
 gives me the manpage of sendmail's makemap (which is
 /usr/libexec/sendmail/makemap and indeed recognizes the many options).
 
 Is this expected?
 

Yes, you will have to install the man pages manually as long as smtpd is
not the default MTA.

Since you're supposed to run smtpd -current that shouldn't be an issue :)

-- 
Gilles Chehade

https://www.poolp.org | http://pool.ps  @poolpOrg



Re: Accessing /etc/hostname.* via raw disk

2012-05-09 Thread Stuart Henderson
On 2012-05-09, Amarendra Godbole amarendra.godb...@gmail.com wrote:
 Hi,

 I have an OpenBSD guest VM, which needs to be configured before it
 boots up. I can access the OS through the VMware APIs, but then need
 to configure the /etc/hostname.* file to update the IP address. One
 way I can think of is to look up the fsck code and figure this out (or I
 may be wrong). If there is a better way, I'd appreciate pointers.
 Thanks in advance.

 -Amarendra



If only there were a protocol to allocate network addresses...



Re: System hangs when copying large files?

2012-05-09 Thread Stuart Henderson
On 2012-05-09, [BG-Consulting] Elmar Bschorer 
elmar.bscho...@bugconsulting.de wrote:
 Hi list,

 I do a backup of a remote system by running rsync over ssh. The backup is
 stored as tgz. Both systems are running OBSD 5.0. For convenience I rsync the
 whole system to keep the backup script very simple in crontab. The remote
 system uses about 17.8G.

 Once in a while the remote system hangs and needs to be rebooted.

unless you can obtain more information (e.g. from DDB) this is going to be
hard to track down.

 Furthermore, after the rsync-backup is done, I copy the tarball (11G) over to
 a terastation share mounted with slight. Unfortunately this also fails (file
 too large).

 Do I have to modify any system limits or something to solve that problem? Or
 do I have to increase memory/swap? How much would I need?

slight? do you mean sharity light? iirc that uses nfsv2 which has size
limits. (also it doesn't work very well). you might do better with samba's
smbclient, or maybe you could share out from the terastation via nfsv3 or iscsi.



OT: SSH not secure?

2012-05-09 Thread Alvaro Mantilla Gimenez
According to these guys, connecting through SSH to a remote server is not secure...

http://www.wziss.com/

Look in Case Studies

Cheers,

Alvaro




Re: OT: SSH not secure?

2012-05-09 Thread Martin Schröder
2012/5/9 Alvaro Mantilla Gimenez alv...@alvaromantilla.com:
 According to these guys, connecting through SSH to a remote server is not secure...

It's only as secure as the local and/or remote machine.
There's nothing SSH can do about that.



Re: OT: SSH not secure?

2012-05-09 Thread Otto Moerbeek
On Wed, May 09, 2012 at 09:20:44AM -0600, Alvaro Mantilla Gimenez wrote:

 According to these guys, connecting through SSH to a remote server is not secure...
 
 http://www.wziss.com/
 
 Look in Case Studies
 
 Cheers,
 
 Alvaro
 

Of course you can catch passwords etc if you have access to the
hardware or root access for software tracing.

I don't believe their claims that they can prevent that.

-Otto



Re: OT: SSH not secure?

2012-05-09 Thread Alvaro Mantilla Gimenez
Exactly! LOL

On 09/05/2012, at 09:53, S. Scott wrote:

 On May 9, 2012, at 11:25, Alvaro Mantilla Gimenez
 alv...@alvaromantilla.com wrote:

 According to these guys, connecting through SSH to a remote server is not
secure...

 http://www.wziss.com/

 Look in Case Studies

 Cheers,

   Alvaro



 Lets break this down.  You have a case where a malicious administrator
 -- whom you granted elevated trust and permissions -- with physical
 access and the technical 'clearance' to install and run all the
 mentioned hack tools and, by extrapolation, any/all the other
 unmentioned hack tools as well that would yield User's password and
 you're concerned about ssh.

 Good luck with your malicious administrator and the other 999,999
 things you really need to be concerned about.




Re: OT: SSH not secure?

2012-05-09 Thread Weldon Goree
On Wed, 2012-05-09 at 11:53 -0400, S. Scott wrote:

 Good luck with your malicious administrator and the other 999,999
 things you really need to be concerned about.
 

It's more of the DAC silliness: you're not secure because you trust
your systems administrator; I don't have to do that... (I just have to
trust the person who administers the DAC rules).

Note the money sentence at the end of the case study:

Currently, the only secure way to use ssh or sftp on a UNIX/Linux
machine to connect with mission critical server is using our AutoSSH
and/or AutoSFTP: only our AutoSSH and AutoSFTP can detect
truss/tusc/strace and dtrace attack, and detect Trojan Horse attack.
Using AutoSSH and/or AutoSFTP with public/private key pair with pass
phrase protection for the private key is the most secure way of
connecting with mission critical servers

Right... because AutoSFTP and AutoSSH do not allow an administrator to
tamper with *them* at all?

Weldon



Re: OT: SSH not secure?

2012-05-09 Thread Stuart Henderson
On 2012-05-09, Alvaro Mantilla Gimenez alv...@alvaromantilla.com wrote:
 According to these guys, connecting through SSH to a remote server is not secure...

 http://www.wziss.com/

And if you're connecting to a compromised web server, HTTPS doesn't
automatically make that secure either. This is not the threat that
this particular protocol guards against.

 Look in Case Studies

Here's another: if you use agent forwarding, even if you use ssh-add -c
when you add your identities to require that they're confirmed to prevent
the most common attack scenario with agent forwarding, the admin could
have replaced the ssh binary with one which makes the connection and
runs his own commands over it, or allows access to a second session
via multiplexing.

And another: if you do the above *and* build your own ssh binary to
make sure that's legitimate, the admin could have replaced the compiler,
or make, or install, or something else, with one which builds/installs
a trojanned program.



Re: OT: SSH not secure?

2012-05-09 Thread Kevin Chadwick
On Wed, 9 May 2012 17:42:09 +0200
Martin Schröder wrote:

 It's only as secure as the local and/or remote machine.
 There's nothing SSH can do about that

I have a bucket of water. Can anyone tell me why my hand gets wet if I
put it inside the bucket.



Re: OT: SSH not secure?

2012-05-09 Thread Christiano F. Haesbaert
On 9 May 2012 13:18, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:
 On Wed, 9 May 2012 17:42:09 +0200
 Martin Schröder wrote:

 It's only as secure as the local and/or remote machine.
 There's nothing SSH can do about that

 I have a bucket of water. Can anyone tell me why my hand gets wet if I
 put it inside the bucket.


That's because you need to buy AutoBucket.



Re: OT: SSH not secure?

2012-05-09 Thread Miod Vallat
  It's only as secure as the local and/or remote machine.
  There's nothing SSH can do about that
 
  I have a bucket of water. Can anyone tell me why my hand gets wet if I
  put it inside the bucket.
 
 
 That's because you need to buy AutoBucket.

And only AutoBucket can protect you against water temperature attacks.
You don't want to risk burning your hand with hot water, do you?

Miod



Re: OT: SSH not secure?

2012-05-09 Thread Christiano F. Haesbaert
On 9 May 2012 14:59, Miod Vallat m...@online.fr wrote:
  It's only as secure as the local and/or remote machine.
  There's nothing SSH can do about that
 
  I have a bucket of water. Can anyone tell me why my hand gets wet if I
  put it inside the bucket.
 

 That's because you need to buy AutoBucket.

 And only AutoBucket can protect you against water temperature attacks.
 You don't want to risk burning your hand with hot water, do you?


Well noted, but that's only supported in AutoBucket Enterprise Edition.



Re: OT: SSH not secure?

2012-05-09 Thread Kevin Chadwick
On Wed, 9 May 2012 14:35:42 -0300
Christiano F. Haesbaert wrote:

 That's because you need to buy AutoBucket.

Having spent some time recently on some Linux mailing lists,

I have to say this list is fuckin' A.



Re: OT: SSH not secure?

2012-05-09 Thread bofh
I think Alvaro should read the classic paper: Reflections on Trusting Trust.

Alvaro,
Written by one of the guys who wrote UNIX and the original C compiler,
which is what almost every UNIX based system is derived from...

http://cm.bell-labs.com/who/ken/trust.html

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4



Re: IPv6 and carp(4) problems

2012-05-09 Thread Simon Perreault

Resurrecting an old topic...

On 2011-10-27 16:05, Stefan Rinkes wrote:

I'm currently using a current kernel with following patch:
--- sys/netinet6/in6.c 8 Aug 2011 13:04:35 - 1.93
+++ sys/netinet6/in6.c 27 Oct 2011 19:59:00 -
@@ -2476,6 +2476,14 @@ in6if_do_dad(struct ifnet *ifp)
* NS would confuse the DAD procedure.
*/
return (0);
+#if NCARP  0
+ case IFT_CARP:
+ /*
+ * XXX: DAD does not work currently on carp(4)
+ * so disable it for now.
+ */
+ return (0);
+#endif
default:
/*
* Our DAD routine requires the interface up and running.
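Review bot: the guard on the first added line reads `#if NCARP  0` with no comparison operator; if that is how the patch was applied rather than a `>` lost in mail transit, the preprocessor will reject it, and the usual form for an optional-device count check is `#if NCARP > 0`. Also, the new IFT_CARP case returns 0 with only an XXX comment; the comment should say what actually fails (the false alarms on balancing CARP described in the text) and why the IN6_IFF_NODAD handling that in6_ifattach_linklocal() already applies to carp interfaces is not sufficient, otherwise this case may simply duplicate it.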

It disables DAD on CARP, because it does not work on normal CARP and creates
false alarms on balancing CARP. Not great, but at least balancing and IPv6
work now.


Looking at the code, DAD should already be disabled on carp interfaces.

As soon as you assign a vhid to a carp interface, a link-local address 
is attached. in6_ifattach_linklocal() unconditionally sets IN6_IFF_NODAD 
on the interface. Further down it removes it but not for CARP interfaces:


	if (in6if_do_dad(ifp) && ((ifp->if_flags & IFF_POINTOPOINT) ||
	    (ifp->if_type == IFT_CARP)) == 0) {
		ia->ia6_flags &= ~IN6_IFF_NODAD;
		ia->ia6_flags |= IN6_IFF_TENTATIVE;
	}

So all CARP interfaces should have IN6_IFF_NODAD set.

Simon
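
To make the flag logic in the analysis above concrete, here is an added C model (not OpenBSD kernel code; the constants, struct layouts and the cut-down in6if_do_dad() are stand-ins) that runs the in6_ifattach_linklocal() condition with and without the quoted IFT_CARP patch and reports whether a carp interface ends up with IN6_IFF_NODAD still set.

```c
/* Model of the IPv6 DAD decision for carp(4) link-local addresses.
 * Added example, not kernel code: the values below are constructed
 * stand-ins for the real sys/net/if_types.h and netinet6 definitions. */
#include <stdio.h>
#include <stdbool.h>

enum if_type { IFT_ETHER = 6, IFT_LOOP = 24, IFT_CARP = 0xf7 };
#define IFF_UP             0x01
#define IFF_POINTOPOINT    0x10
#define IFF_RUNNING        0x40
#define IN6_IFF_TENTATIVE  0x02
#define IN6_IFF_NODAD      0x20

struct ifnet { int if_type; int if_flags; };
struct in6_ifaddr { int ia6_flags; };

/* Cut-down in6if_do_dad(): 1 if DAD should be attempted on ifp.
 * with_patch == true adds the IFT_CARP case from the quoted diff so
 * the two variants can be compared side by side. */
static int in6if_do_dad(const struct ifnet *ifp, bool with_patch)
{
	switch (ifp->if_type) {
	case IFT_LOOP:
		/* loopback never needs DAD */
		return 0;
	case IFT_CARP:
		if (with_patch)
			return 0;	/* the proposed "disable DAD on carp" case */
		/* FALLTHROUGH: unpatched, carp is handled like any other type */
	default:
		/* The DAD routine requires the interface up and running. */
		if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) !=
		    (IFF_UP | IFF_RUNNING))
			return 0;
		return 1;
	}
}

/* Model of the flag handling in in6_ifattach_linklocal(): NODAD is set
 * unconditionally, then cleared only when DAD is wanted AND the interface
 * is neither point-to-point nor carp. Returns the resulting ia6_flags. */
static int attach_linklocal_flags(const struct ifnet *ifp, bool with_patch)
{
	struct in6_ifaddr ia = { .ia6_flags = IN6_IFF_NODAD };

	if (in6if_do_dad(ifp, with_patch) &&
	    ((ifp->if_flags & IFF_POINTOPOINT) ||
	    (ifp->if_type == IFT_CARP)) == 0) {
		ia.ia6_flags &= ~IN6_IFF_NODAD;
		ia.ia6_flags |= IN6_IFF_TENTATIVE;
	}
	return ia.ia6_flags;
}

/* Does the link-local address on such an interface keep DAD disabled? */
static bool dad_disabled(int if_type, int if_flags, bool with_patch)
{
	struct ifnet ifp = { .if_type = if_type, .if_flags = if_flags };

	return (attach_linklocal_flags(&ifp, with_patch) & IN6_IFF_NODAD) != 0;
}

int main(void)
{
	int up = IFF_UP | IFF_RUNNING;

	printf("carp, unpatched:  DAD disabled = %d\n",
	    dad_disabled(IFT_CARP, up, false));
	printf("carp, patched:    DAD disabled = %d\n",
	    dad_disabled(IFT_CARP, up, true));
	printf("ether, unpatched: DAD disabled = %d\n",
	    dad_disabled(IFT_ETHER, up, false));
	return 0;
}
```

Both carp rows come out with NODAD set, which is the point made above: the explicit IFT_CARP return in in6if_do_dad() changes nothing the existing check did not already do.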



Re: OT: SSH not secure?

2012-05-09 Thread Alvaro Mantilla Gimenez
Thanks for pointing that article out. I read that paper sometime ago.

My intention with this thread was exactly this: get a lot of comments and put
some smiles on people's faces.

I received this trough linkedin from some experts group or something like that
(yeap...no comments).

Is interesting how many people believe on information that they just received
on a social (professional???) network...

Cheers,

Alvaro

On 09/05/2012, at 12:39, bofh wrote:

 I think Alvaro should read the classic paper: Reflections on Trusting
Trust.

 Alvaro,
 Written by one of the guys who wrote UNIX and the original C compiler,
 which is what almost every UNIX based system is derived from...

 http://cm.bell-labs.com/who/ken/trust.html

 --
 http://www.glumbert.com/media/shift
 http://www.youtube.com/watch?v=tGvHNNOLnCk
 This officer's men seem to follow him merely out of idle curiosity.
 -- Sandhurst officer cadet evaluation.
 Securing an environment of Windows platforms from abuse - external or
 internal - is akin to trying to install sprinklers in a fireworks
 factory where smoking on the job is permitted.  -- Gene Spafford
 learn french:  http://www.youtube.com/watch?v=30v_g83VHK4




fw_update

2012-05-09 Thread mark sullivan
Hi everybody,
 I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install 
it (amd64 flavour), I see that fw_update automatically installs proprietary 
firmware without my permission. Actually even worse, it updates it 
automatically from the net!
 The parts affected are quite meaningful: the network card and the video 
card... I mean..  Should I request that you install proprietary firmware for 
my sound card too so that everybody can record my voice too?
 I would like to hear your arguments on this and if there is a simple way to 
disable fw_update and uninstall in general everything proprietary affecting the 
network card that I have not been warned about. I read on the FAQ that I should 
have been asked about this firmware but I wasn't! (amd64 cd installer).
 Thanks much,
 Mark



Re: fw_update

2012-05-09 Thread Tobias Sarnowski

On 05/09/12 21:33, mark sullivan wrote:

Hi everybody,
  I was coming to OpenBSD 5.1 looking for reasonable privacy and when I install 
it (amd64 flavour), I see that fw_update automatically installs proprietary 
firmware without my permission. Actually even worse, it updates it 
automatically from the net!
  The parts affected are quite meaningful: the network card and the video 
card... I mean..  Should I request that you install proprietary firmware for 
my sound card too so that everybody can record my voice too?
  I would like to hear your arguments on this and if there is a simple way to 
disable fw_update and uninstall in general everything proprietary affecting the 
network card that I have not been warned about. I read on the FAQ that I should 
have been asked about this firmware but I wasn't! (amd64 cd installer).
  Thanks much,
  Mark

I just want to note: last time I installed OpenBSD (a 5.1-snapshot) this 
feature worked correctly. I was asked by the installer.




Re: fw_update

2012-05-09 Thread Johan Ryberg
For me as well. Maybe someone needs to read more carefully and just not
push enter all the way.

// Johan
On May 9, 2012 10:02 PM, Tobias Sarnowski tob...@trustedco.de wrote:

 On 05/09/12 21:33, mark sullivan wrote:

 Hi everybody,
  I was coming to OpenBSD 5.1 looking for reasonable privacy and when I
 install it (amd64 flavour), I see that fw_update automatically installs
 proprietary firmware without my permission. Actually even worse, it updates
 it automatically from the net!
  The parts affected are quite meaningful: the network card and the video
 card... I mean..  Should I request that you install proprietary firmware
 for my sound card too so that everybody can record my voice too?
  I would like to hear your arguments on this and if there is a simple way
 to disable fw_update and uninstall in general everything proprietary
 affecting the network card that I have not been warned about. I read on the
 FAQ that I should have been asked about this firmware but I wasn't! (amd64
 cd installer).
  Thanks much,
  Mark

  I just want to note: last time I installed OpenBSD (a 5.1-snapshot) this
 feature worked correctly. I was asked by the installer.



Re: fw_update

2012-05-09 Thread Ted Unangst
On Wed, May 09, 2012 at 21:33, mark sullivan wrote:
 I was coming to OpenBSD 5.1 looking for reasonable privacy and when I
 install it (amd64 flavour), I see that fw_update automatically installs
 proprietary firmware without my permission. Actually even worse, it updates
 it automatically from the net!
 The parts affected are quite meaningful: the network card and the video
 card... I mean..  Should I request that you install proprietary
 firmware for my sound card too so that everybody can record my voice too?
 I would like to hear your arguments on this and if there is a simple way
 to disable fw_update and uninstall in general everything proprietary
 affecting the network card that I have not been warned about. I read on
 the FAQ that I should have been asked about this firmware but I wasn't!
 (amd64 cd installer).

The firmware is only loaded onto the network card if you enable the
interface using ifconfig.  If you do not trust your network card,
don't use it.

If you don't trust the network card, but you still want to use it,
you're shit out of luck.  It won't work without the firmware.



Re: fw_update

2012-05-09 Thread David Coppa
On 09 May 2012 21:38, mark sullivan mark.sulli...@gmx.fr
wrote:

 Hi everybody,
  I was coming to OpenBSD 5.1 looking for reasonable privacy and when I
install it (amd64 flavour), I see that fw_update automatically installs
proprietary firmware without my permission. Actually even worse, it updates
it automatically from the net!
  The parts affected are quite meaningful: the network card and the video
card... I mean..  Should I request that you install proprietary firmware
for my sound card too so that everybody can record my voice too?

What's the purpose of having a non-working wifi card?

If you have concerns about firmware, swap your card with, for example, an
Atheros or another card that doesn't need firmware.

And, btw, the other firmware is for a webcam (uvideo), not the video card...

Ciao
David



Re: fw_update

2012-05-09 Thread Alexander Hall

On 05/09/12 22:55, Johan Ryberg wrote:

For me as well. Maybe someone needs to read more carefully and just not
push enter all the way.


While that's a natural thought nowadays, it's not the case here;

$ cvs log -r1.654 install.sub
/.../
OPENBSD_5_1: 1.655.0.2
OPENBSD_5_1_BASE: 1.655
/.../

revision 1.654
date: 2011/11/08 19:55:52;  author: deraadt;  state: Exp;  lines: +2 -6
Now that the code is well tested, don't ask the firmware question
anymore.  Saves 141 precious bytes on the inside of the media.
ok krw
=

/Alexander


// Johan
On May 9, 2012 10:02 PM, Tobias Sarnowski tob...@trustedco.de wrote:


On 05/09/12 21:33, mark sullivan wrote:


Hi everybody,
  I was coming to OpenBSD 5.1 looking for reasonable privacy and when I
install it (amd64 flavour), I see that fw_update automatically installs
proprietary firmware without my permission. Actually even worse, it updates
it automatically from the net!
  The parts affected are quite meaningful: the network card and the video
card... I mean..  Should I request that you install proprietary firmware
for my sound card too so that everybody can record my voice too?
  I would like to hear your arguments on this and if there is a simple way
to disable fw_update and uninstall in general everything proprietary
affecting the network card that I have not been warned about. I read on the
FAQ that I should have been asked about this firmware but I wasn't! (amd64
cd installer).
  Thanks much,
  Mark

  I just want to note: last time I installed OpenBSD (a 5.1-snapshot) this

feature worked correctly. I was asked by the installer.




Re: fw_update

2012-05-09 Thread Stuart Henderson
On 2012-05-09, mark sullivan mark.sulli...@gmx.fr wrote:
  I would like to hear your arguments on this and if there is a
 simple way to disable fw_update and uninstall in general everything
 propietary affecting the network card that I have not been warned
 about.

In the cases of the firmware which is installed from a package,
usually due to lack of redistribution rights, you can do this:

# pkg_delete /var/db/pkg/*-firmware-*
# echo 127.0.0.1 firmware.openbsd.org >> /etc/hosts

From your email it seems like this is possibly the main thing
you're worried about and is pretty simple to remove/workaround.

Other firmware exists in /etc/firmware which is part of the
base system (fxp, bnx, myx etc) which never had a question, you
could probably do this to remove it and make it hard to
reinstall at update time:-

# rm -rf /etc/firmware
# touch /etc/firmware
(tar doesn't like unpacking a dir over a file or vice-versa)

There's also firmware / microcode compiled into some drivers
like isp(4), see /sys/dev/microcode, you'll have to track down
the relevant devices, remove them from kernel config and
recompile.

Other devices usually have the firmware on some type of rom,
eeprom or flash storage device. You're presumably going to need a
vendor-supplied tool or a soldering iron to uninstall these.

None of the above are really supported though, and in all
these cases the simplest way to avoid loading the firmware is
to disconnect the relevant device; it will work just as well
unplugged as without firmware.

If you're using a PC you should probably also be aware that
there is likely to be bios-installed code which runs in system
management mode behind the back of the OS, this is also
proprietary and could also affect the network card and all
other parts of the machine. Also some of the various management
controllers you might find have pretty far-reaching capabilities
in this respect.



Re: fw_update

2012-05-09 Thread Brett
I would like to hear your arguments on this and if there is a simple way to 
disable fw_update and uninstall in general everything proprietary 
affecting the network card that I have not been warned about.

 If you're using a PC you should probably also be aware that
 there is likely to be bios-installed code which runs in system
 management mode behind the back of the OS, this is also
 proprietary and could also affect the network card and all
 other parts of the machine. Also some of the various management
 controllers you might find have pretty far-reaching capabilities
 in this respect.


If you have concerns about firmware, swap your card with, for example, an
Atheros or another card that doesn't need firmware.

Some Atheros cards do use firmware, e.g. athn(4).

You can use pf to block those network devices that have firmware you don't 
trust.

Easiest way to disable the uvideo firmware (and any bios video spyware) is to 
stick black electrical tape over the webcam lens.



Re: fw_update

2012-05-09 Thread Ted Unangst
On Thu, May 10, 2012 at 10:34, Brett wrote:


 You can use pf to block those network devices that have firmware you don't
 trust

Way too late at that point. It's already copied your top zecret data to the 
NSA. 



Re: fw_update

2012-05-09 Thread Brett
On Thu, 10 May 2012 00:55:07 +
Ted Unangst t...@tedunangst.com wrote:

 On Thu, May 10, 2012 at 10:34, Brett wrote:
 
 
  You can use pf to block those network devices that have firmware you don't
  trust
 
 Way too late at that point. It's already copied your top zecret data to the 
 NSA. 

They have all my data anyway, due to the other camera they secreted in the roof 
above my desk.



Re: fw_update

2012-05-09 Thread Weldon Goree
On Wed, 2012-05-09 at 21:33 +0200, mark sullivan wrote:
 Hi everybody,
  I was coming to OpenBSD 5.1 looking for reasonable privacy and when I 
 install it (amd64 flavour), I see that fw_update automatically installs 
 proprietary firmware without my permission. Actually even worse, it updates it 
 automatically from the net!
  The parts affected are quite meaningful: the network card and the video 
 card... I mean..  Should I request that you install proprietary firmware 
 for my sound card too so that everybody can record my voice too?
  I would like to hear your arguments on this and if there is a simple way to 
 disable fw_update and uninstall in general everything proprietary affecting 
 the network card that I have not been warned about. I read on the FAQ that I 
 should have been asked about this firmware but I wasn't! (amd64 cd 
 installer).
  Thanks much,
  Mark
 

This surprised me too, having been used to being asked when 5.1 was
still -current. Note that if you don't set up a network interface during
the install (or more to the point, don't initially boot with
an /etc/hostname.$INTERFACE file), fw_update won't try to run.

Weldon



Re: Hardware (firewall) recommendation

2012-05-09 Thread Predrag Punosevac
Dear All,

I am resurrecting this thread which I followed carefully because I need
some hardware advice for the firewall machine which is going to serve
our new scientific computing laboratory. Initially behind this firewall,
we will have only two small (16 and 8 nodes) clusters, a GPU based super
computer, a CVS/File server and a web-server for PMWiki. They will be
accessible to users (15-20 for now) only via SSH (NX X) and HTTP 
protocols.

We are vendor locked due to the contract between Dell and the University
System of Georgia.

I would like to hear opinion about: 

Dell PowerEdge R210 II Ultra-compact Rack Server

http://www.dell.com/us/enterprise/p/poweredge-r210-2/pd

I am looking at the one with 

Intel Gigabit ET Quad Port Adapter, Gigabit Ethernet NIC, PCIe x4

Does one dual-port Broadcom BCM 5716 work on OpenBSD? 
What about those Broadcom NetXtremes? It is not going to
have a RAID controller. We are looking at the one with a dual-core Intel
Celeron G400 and G500 series CPU.


Thank you so much!

Predrag



Re: fw_update

2012-05-09 Thread Weldon Goree
On Wed, 2012-05-09 at 23:39 +0200, David Coppa wrote:

 What's the purpose of having a non-working wifi card?
 
 If you have concerns with firmwares, swap your card with, for example, an
 atheros or another card that doesn't need a firmware.
 
 And, btw, the other firmware is for a webcam (uvideo), not the video card...

For me the issue was surprise (something I dislike in an installer); I
was asked to confirm the download when 5.1 was -current and not asked
when it was a release. I had assumed the reason for the confirmation was
the license, but the note in the commit suggests it was because
fw_update might be buggy.

Also, while I recognize this is an edge case, I have in the past sold
systems with OpenBSD installed on them to other people, and now that I
come to think of it I have no idea whether that's legal to do with, say,
iwn-firmware installed on it (it's probably not).

Weldon



Re: ipsec.conf ,routers and endpoints - third try

2012-05-09 Thread shadrock

  firewall dual homed
  network facing static nic address = 5.5.5.4 (rfc1918/rfc6598)
  virgin media router facing static nic address = 3.3.3.2
  (rfc1918/rfc6598)
  virgin media router static address = 3.3.3.3 (rfc1918/rfc6598)
  virgin media dynamic wan address = 1.1.1.1 (internet-routable)
  firewall default route = 3.3.3.3
  network_a default route = 5.5.5.4

your local_gw address would be the router-facing rfc1918 address
and remote_gw would be the dynamic internet-routable address of the
other gateway.




  hi stuart
  thanks for your answer and advice,
  i am working on a modified ddns update script to signal a restart of
  isakmpd when the dynamic ip changes, will implement isakmpd else will
  follow your suggestion and use openvpn for my net to net link, i had
  already planned to use openvpn for my roadwarriors.
  shadrock



The problem is that when the address of one side changes, it's the *other*
side that you need to restart. So you might want a regularly-run script to
do a lookup to work out when this needs doing, although in practice I don't
think VM change addresses all that often so it might be good enough to have
the update script email/text you to tell you to update the other side...

hi stuart
having reread your first post on the subject,
i now realize when the address of one side changes
it's the *other* side that needs to update remote_gw in ipsec.conf and 
restart.
i was considering each end running a script which used ping to check 
connectivity to the remote gateway like openvpn's method,
if ping timed out then a dns hostname lookup would be used to resolve 
the ip,
ipsec.conf would then be updated and restarted and an email sent to the 
manager of the network informing of the remote address change.

this would be all scripted so there would be no need for me to get involved.

shadrock
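A script along the lines shadrock sketches above (ping the current peer, fall back to a DNS lookup, rewrite remote_gw, reload, notify), as an added example that is not shadrock's script nor anything from the list. It assumes the peer is reachable by the DNS name in PEER_HOST (a placeholder), that ipsec.conf defines the far end as a macro line of the form remote_gw="1.1.1.1" as the macro names in the thread suggest, that the flows are reloaded with ipsecctl(8) and isakmpd(8) restarted through rc.d as on OpenBSD 5.x, and that mail(1) reaches the administrator. The sample ipsec.conf it writes uses the addresses from Stuart's summary (3.3.3.2 router-facing local address, 1.1.1.1 remote) with a constructed 5.5.5.0/24 local and 10.0.0.0/24 remote network.

```shell
#!/bin/sh
# Added example (not from the thread): keep the remote_gw macro in ipsec.conf
# in step with a DNS name when the far end has a dynamic address.
# Assumptions: PEER_HOST is the peer's DNS name (placeholder), ipsec.conf holds
# a line  remote_gw="a.b.c.d"  (macro name taken from the thread), flows are
# loaded with ipsecctl and isakmpd is managed via rc.d as on OpenBSD 5.x.

PEER_HOST="${PEER_HOST:-vpn-peer.example.net}"   # placeholder DNS name
CONF="${CONF:-/etc/ipsec.conf}"
ADMIN="${ADMIN:-root}"

# Constructed sample config using the addresses from the thread; the two
# networks are placeholders.
example_conf() {
    cat <<'EOF'
local_gw="3.3.3.2"
remote_gw="1.1.1.1"
ike esp from 5.5.5.0/24 to 10.0.0.0/24 local $local_gw peer $remote_gw
EOF
}

# Print the current value of the remote_gw macro in a config file.
current_gw() {
    sed -n 's/^remote_gw="\([^"]*\)".*/\1/p' "$1"
}

# Resolve a hostname to its first IPv4 address by parsing host(1) output.
resolve_gw() {
    host -t A "$1" | sed -n 's/.*has address \([0-9.]*\)$/\1/p' | head -n 1
}

# Rewrite remote_gw in the given file to the given address. Goes through a
# temp file because the sed on OpenBSD 5.x has no -i. Returns 0 on success.
update_remote_gw() {
    conf=$1; newip=$2
    tmp="${conf}.tmp.$$"
    sed "s/^remote_gw=\"[^\"]*\"/remote_gw=\"$newip\"/" "$conf" > "$tmp" || return 1
    mv "$tmp" "$conf"
}

# The cron job body: if the configured peer still answers ping, do nothing.
# Otherwise look the name up and, only if the address actually moved, rewrite
# the config, reload the flows, restart isakmpd and mail the admin.
check_and_update() {
    old=$(current_gw "$CONF")
    ping -c 3 -w 5 "$old" > /dev/null 2>&1 && return 0
    new=$(resolve_gw "$PEER_HOST")
    [ -n "$new" ] || { echo "lookup of $PEER_HOST failed" >&2; return 1; }
    [ "$new" = "$old" ] && return 0
    update_remote_gw "$CONF" "$new" || return 1
    ipsecctl -F && ipsecctl -f "$CONF" && /etc/rc.d/isakmpd restart
    printf 'remote_gw for %s changed from %s to %s\n' "$PEER_HOST" "$old" "$new" \
        | mail -s "ipsec peer address changed" "$ADMIN"
}
```

Run check_and_update from cron on each end; because only the side whose *peer* moved needs to change anything, the ping check means a gateway whose own address changed does nothing locally, and the far side picks up the new address on its next run.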



Re: fw_update

2012-05-09 Thread Johan Ryberg
Ah,  ok.

Sorry Mark.  I didn't know that.

Johan
On May 10, 2012 12:46 AM, Alexander Hall ha...@openbsd.org wrote:

 On 05/09/12 22:55, Johan Ryberg wrote:

 For me as well. Maybe someone needs to read more carefully and just not
 push enter all the way.


 While that's a natural thought nowadays, it's not the case here;

 $ cvs log -r1.654 install.sub
 /.../
OPENBSD_5_1: 1.655.0.2
OPENBSD_5_1_BASE: 1.655
 /.../
 
 revision 1.654
 date: 2011/11/08 19:55:52;  author: deraadt;  state: Exp;  lines: +2 -6
 Now that the code is well tested, don't ask the firmware question
 anymore.  Saves 141 precious bytes on the inside of the media.
 ok krw
 =============================================================================

 /Alexander

  // Johan
 On May 9, 2012 10:02 PM, Tobias Sarnowski tob...@trustedco.de wrote:

  On 05/09/12 21:33, mark sullivan wrote:

  Hi everybody,
  I was coming to OpenBSD 5.1 looking for reasonable privacy and when I
 install it (amd64 flavour), I see that fw_update automatically installs
 proprietary firmware without my permission. Actually even worse, it
 updates
 it automatically from the net!
  The parts affected are quite meaningful: the network card and the video
 card... I mean..  Should I request that you install proprietary
 firmware
 for my sound card too so that everybody can record my voice too?
  I would like to hear your arguments on this and if there is a simple
 way
 to disable fw_update and uninstall in general everything proprietary
 affecting the network card that I have not been warned about. I read on
 the
 FAQ that I should have been asked about this firmware but I wasn't!
 (amd64
 cd installer).
  Thanks much,
  Mark

  I just want to note: last time I installed OpenBSD (a 5.1-snapshot)
 this

 feature worked correctly. I was asked by the installer.