Re: Dump on soekris slow?
On Fri, Nov 14, 2008 at 11:41:03AM +0100, David Vasek wrote:
> I am always getting similar transfer speeds (up to 5MB/s) under OpenBSD
> (and the same with NetBSD) with external USB hard disks too, while the
> real transfer speed under some other OSes (Linux, Windows) is around 28
> MB/s on the same hardware. I mean, on the very same pieces of hardware,
> usually running a different OS from a live CD. As far as I remember, it
> is for both reading and writing.
>
> It seems to me to be by design of umass(4) or other USB drivers. There
> must be a reason for it.

I think linux "lies" about it finishing the write. Try for example writing a big-ish file to the usb disk and then umounting the volume; it will take approx. the same time as doing those two operations on OBSD.
Re: new home box for secure data storage
On Wed, Oct 29, 2008 at 04:14:22PM -0400, Douglas A. Tutty wrote:
> I'll be setting up a new box for the house and I want to use OpenBSD for
> it, both for its security and since it will be an older box it will run
> better than with Debian.
>
> Roles:
>
> main firewall for dialup internet access.
> fetchmail and sendmail to ISP smarthost
> other simple stuff (have another box for insecure stuff like watching
> videos, surfing the net with javascript and flash).
>
> We've moved and now our main security threat is physical security. We
> don't want the data on the computer (i.e. in the /home directories) to
> be readable if someone steals the box.

If someone knowledgeable enough has physical access to the running box, you can't keep the data private.
Re: OpenBSD 4.3 - openldap - slaptest not found - ~/.profile PATH
"sudo which slaptest" will tell you where in your PATH slaptest is. Add that to your root's PATH and it will work. Also, depending on how you are invoking the root shell, .profile might not be executed at all.

On Fri, Oct 24, 2008 at 10:42:10AM +0200, [EMAIL PROTECTED] wrote:
> On 10/23/08, Almir Karic <[EMAIL PROTECTED]> wrote:
> > most likely /usr/local/sbin is not in your root's PATH, do
> > PATH="$PATH:/usr/local/sbin" as root and slaptest should be found.
>
> Would you kindly demonstrate a foolproof root's ~/.profile, since I
> wasn't able to figure out the lines to do it permanently? Root's ~/.
> profile below. Thanks in advance.
>
> # $OpenBSD: dot.profile,v 1.5 2005/03/30 21:18:33 millert Exp $
> #
> # sh/ksh initialization
>
> PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin
> export PATH
> : ${HOME='/root'}
> export HOME
> export PKG_PATH=ftp://ftp.myopenbsdmirror.org/pub/OpenBSD/4.3/packages/i386/:ftp://myopenbsdmirror2.org/pub/OpenBSD/4.3/packages/i386/
> umask 022
>
> if [ -x /usr/bin/tset ]; then
>	eval `/usr/bin/tset -sQ \?$TERM`
> fi
Re: OpenBSD 4.3 - openldap - slaptest not found
Most likely /usr/local/sbin is not in your root's PATH; do PATH="$PATH:/usr/local/sbin" as root and slaptest should be found.

On Thu, Oct 23, 2008 at 04:50:30PM +0200, soko.tica wrote:
> I've been trying to set up an OpenBSD 4.3 (release) primary domain
> controller according to the howto of Danielle Mazzechio
> http://www.kernel-panic.it/openbsd/pdc/ and I'm facing a strange
> problem I'm not able to figure out. Following the instructions, upon
> configuration of /etc/openldap/slapd.conf, I'm not able to execute
> slaptest -u as root, but once I'm logged in as user, sudo slaptest -u
> executes and the config file test succeeds.
>
> Any idea about the cause of this? Many thanks in advance.
>
> Excerpt below:
>
> # install -d -o _openldap /var/run/openldap
> # slaptest -u
> ksh: slaptest: not found
> # exit
> $ sudo slaptest -u
> Password:
> /blahblah (ignored)
> config file testing succeeded
Re: list available wireless networks
ifconfig -M

On Mon, Oct 20, 2008 at 11:57:41AM +0400, Dmitrij D. Czarkoff wrote:
> Hi, all!
>
> How can I query available wireless networks in OpenBSD (the thing you do with
> "iwlist ifname scan" in linux)?
>
> --
> Dmitrij D. Czarkoff
>
> P.S.: Please cc me as I'm not on the list.
Re: Doubled binary in /bin in snapshot?
On Tue, Oct 14, 2008 at 03:22:32PM +0200, Tomas Bodzar wrote:
> Hi all,
>
> do you have the same "problem"? Look at $ ls -lF /bin
> There is a [* and test*, both binaries do the same and cmp(1) says that
> they are the same.
>
> Am I missing something or is it a bug?

You are missing the lesson in the history of unix shell scripting :-) They are not doubled, they are hard links:

$ ls -i /bin/{test,[}
25985 /bin/[
25985 /bin/test
Re: Strace for OpenBSD
ktrace.

On Fri, Sep 19, 2008 at 09:41:58AM -0300, Gonzalo Lionel Rodriguez wrote:
> Hi everybody, can somebody tell me what the equivalent of 'strace' is for
> OpenBSD?
>
> Regards.
>
> Gonzalo.

--
vi vi vi -- the number of the beast
Re: PF rule evaluation
On Mon, Aug 25, 2008 at 11:05:38AM +1000, Mikel Lindsaar wrote:
> Hello list,
>
> I have purchased and read the book of PF (good book by the way) as
> well as the man pages, and I have a question that I have not been able
> to find a definitive answer on:
>
> "Does PF only evaluate every packet against the ruleset once on all
> interfaces, or does it evaluate once for each interface?"

AFAIK pf by default creates state for initial packets, and once the state is created, by default pf passes packets on all interfaces belonging to that state. The state-policy can be changed to alter this.

--
vi vi vi -- the number of the beast
Re: pfctl
On Mon, Jul 28, 2008 at 09:18:39AM +0100, Charlie Clark wrote:
> openbsd misc wrote:
>> interesting point. How about dumping it to a file or something so you are
>> able to check what was loaded last time (e.g. a file with 400 under
>> /var/whatever)?
>>
> What I want is, I have a script that when I commit a ruleset with pfctl
> it uses pfctl to query the loaded rules and outputs that to a file. I
> get the rulesets there using fwbuilder, which loads the ruleset directly
> using pfctl. I have another script which checks the currently loaded
> ruleset against the file that my commit script creates and does a diff;
> if the ruleset hasn't been committed using my script (or doesn't match
> the file) after a minute, it will roll the rules back. This is good
> in case an admin loads a ruleset which locks them out. But I have no way
> to get my set to recognize changes to options, so when I try to commit a
> ruleset using my script it thinks that I'm trying to commit the same
> ruleset.
>
> Does this make more sense?

A diff of a loaded ruleset is not that useful (for humans) IMHO; a better way would be to diff the ruleset (possibly excluding the comments and spaces etc.). An even better way to do that would be to JustDoIt (no diff checking whatsoever), and let the admins reload the rules when they commit any changes to them.

--
vi vi vi -- the number of the beast
Re: BIND and CNAME-ing
On Wed, Jul 23, 2008 at 01:17:04PM -0700, Parvinder Bhasin wrote:
> Hi,
>
> I am stuck at this situation:
>
> Where I have a domain: abc.com :
>
> I would like to have users who type http://abc.com (without the www)
> redirected to a different site, for example: www.xyz.com
> Redirection for www.abc.com to www.xyz.com works fine.
>
> I have tried CNAME-ing abc.com to www.xyz.com but that wouldn't work (I
> can see why).
> Is there a way to do this in BIND zone configuration?

With this in my zone I get to google.com when I try to access test.mydomain.org:

test	IN	CNAME	google.com.

--
vi vi vi -- the number of the beast
Re: DHCP question
On Wed, Jul 23, 2008 at 04:33:27PM +0900, Hari wrote:
> Hello. I just finished installing OpenBSD 4.3. The dhcp setup during
> network configuration was fine, meaning, IP address was properly
> assigned. I went ahead with the default values provided. However,
> after rebooting post installation, I am getting the following messages
> that seem to point to a network problem (and of course, no IP address
> is assigned):
>
> fxp0: warning: SCB timed out (x 3)
> fxp0: config command timeout
> DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 1
> send_packet: Network is down
> No DHCPOFFERS received.
> No working leases in persistent database - sleeping.
>
> Several `intervals` are tried.
>
> Dump of some relevant(?) files:
>
> # ifconfig
> lo0: flags=8049 mtu 33208
> groups: lo
> inet 127.0.0.1 netmask 0xff00
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> fxp0: flags=8049 mtu 33208

Isn't having the LOOPBACK flag and mtu 33208 on a 'real' interface strange?

--
vi vi vi -- the number of the beast
Re: This is what Linus Torvalds calls openBSD crowd
On Wed, Jul 16, 2008 at 05:10:46PM -0500, Marco Peereboom wrote:
> Yes it is. To illustrate the stupidity and pointlessness of this all.
>
> Linus is a troll, we know, who cares?

Insulting anyone is IMHO hardly ever necessary/good; trolling (by known folks, such as linus and rms) is (again IMHO) best ignored.
Re: This is what Linus Torvalds calls openBSD crowd
On Wed, Jul 16, 2008 at 02:03:00PM -0500, Marco Peereboom wrote:
> debian users are masturbating amoebas

Is this really necessary? And if so, why?
Intel 82801H HD Audio
I have a Lenovo 3000 N200, and I can't seem to get sound to work. When I play an mp3 with either mp3blaster or mplayer it seems to play just fine, but I don't hear any sound coming from the speakers. Here are dmesg (I only added the AZALIA_DEBUG option to the GENERIC configuration), audioctl -a and mixerctl -a. I hope the situation has changed since http://readlist.com/lists/openbsd.org/misc/13/66209.html :-)

Any help appreciated. (If you prefer a web browser, the file is also available at http://www.kiberpipa.org/~redduck666/sound_dbug )

OpenBSD 4.4-beta (GENERIC) #0: Tue Jul 8 20:15:41 CEST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) Dual CPU T2370 @ 1.73GHz ("GenuineIntel" 686-class) 1.73 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CX16,xTPR real mem = 2137419776 (2038MB) avail mem = 2058584064 (1963MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 12/21/07, BIOS32 rev. 0 @ 0xfdbf0, SMBIOS rev. 
2.4 @ 0xdc010 (25 entries) bios0: vendor LENOVO version "68ET31WW" date 12/21/2007 bios0: LENOVO 0769EAG acpi0 at bios0: rev 2 acpi0: tables DSDT FACP APIC HPET MCFG TCPA TMOR SLIX APIC BOOT SSDT SSDT SSDT SSDT SSDT acpi0: wakeup devices HDEF(S3) PXSX(S3) PXSX(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) EHC1(S3) EHC2(S3) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (PEGP) acpiprt2 at acpi0: bus 2 (RP01) acpiprt3 at acpi0: bus 4 (RP02) acpiprt4 at acpi0: bus 5 (RP03) acpiprt5 at acpi0: bus 6 (RP04) acpiprt6 at acpi0: bus -1 (RP05) acpiprt7 at acpi0: bus -1 (RP06) acpiprt8 at acpi0: bus 8 (PCIB) acpiec0 at acpi0 acpicpu0 at acpi0: C3, C2 acpibtn0 at acpi0: LID0 acpibtn1 at acpi0: PWRB acpiac0 at acpi0: AC unit online acpibat0 at acpi0: BAT1 model "PA3465U " serial 3658Q type Li-Ion oem "COMPAL " acpivideo at acpi0 not configured acpivideo at acpi0 not configured bios0: ROM list: 0xc/0xee00! 0xcf000/0x1a00 0xdc000/0x4000! 0xe/0x1800! 
cpu0 at mainbus0 cpu0: unknown Enhanced SpeedStep CPU, msr 0x06130d2b06000d2b cpu0: using only highest and lowest power states cpu0: Enhanced SpeedStep 1733 MHz (1388 mV): speeds: 1733, 800 MHz pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel GM965 Host" rev 0x0c vga1 at pci0 dev 2 function 0 "Intel GM965 Video" rev 0x0c wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) agp0 at vga1: aperture at 0xd000, size 0x1000 "Intel GM965 Video" rev 0x0c at pci0 dev 2 function 1 not configured uhci0 at pci0 dev 26 function 0 "Intel 82801H USB" rev 0x03: irq 5 uhci1 at pci0 dev 26 function 1 "Intel 82801H USB" rev 0x03: irq 10 ehci0 at pci0 dev 26 function 7 "Intel 82801H USB" rev 0x03: irq 7 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 azalia0 at pci0 dev 27 function 0 "Intel 82801H HD Audio" rev 0x03: irq 11 azalia0: host: High Definition Audio rev. 1.0 azalia0: host: 4 output, 4 input, and 0 bidi streams azalia_attach: resetting azalia_attach: reset counter = 4999 azalia_attach: reset counter = 4987 azalia0: found a codec at #0 azalia0: found a codec at #1 azalia_init_corb: CORB allocation succeeded. azalia_init_corb: CORBWP=0; size=256 azalia_init_rirb: RIRB allocation succeeded. azalia_init_rirb: RIRBRP=0, size=256 azalia0: codec[0] vid 0x10ec0862, subid 0x384e17aa, rev. 0.1, HDA version 1.0 azalia_codec_init: nidstart=1 #functions=1 azalia_codec_init: FTYPE result = 0x0101 azalia_codec_init: There are 37 widgets in the audio function. 
encodings=1 PCM formats=e0160<24bit,20bit,16bit,96kHz,48kHz,44.1kHz> inamp: mute=0 size=0 steps=0 offset=0 outamp: mute=0 size=0 steps=0 offset=0 gpio: wake=0 unsol=1 gpis=0 gpos=0 gpios=2 azalia0: dac02 wcap=1d encodings=1 PCM formats=e0160<24bit,20bit,16bit,96kHz,48kHz,44.1kHz> outamp: mute=0 size=3 steps=64 offset=64 azalia0: dac03 wcap=1d encodings=1 PCM formats=e0160<24bit,20bit,16bit,96kHz,48kHz,44.1kHz> outamp: mute=0 size=3 steps=64 offset=64 azalia0: dac04 wcap=1d encodings=1 PCM formats=e0160<24bit,20bit,16bit,96kHz,48kHz,44.1kHz> outamp: mute=0 size=3 steps=64 offset=64 azalia0: dac05 wcap=1d encodings=1 PCM formats=e0160<24bit,20bit,16bit,96kHz,48kHz,44.1kHz> outamp: mute=0 size=3 steps=64 offset=64 azalia0: dac06 wcap=211 encodings=1 PCM formats=1e0160<32bit,24bit,20bit,16bit,96kHz,48kHz,44.1kHz> azalia0: vendor07 wcap=f0 azalia0: vendor08 wcap=f0 azalia0: adc09 wcap=10011b encodings=1 PCM formats=60160<20bit,16bit,96kHz,48kHz,44.1kHz> inamp: mute=1 size=5 steps=31 offset=9 connections=0x22; selected=0x22 azalia0: vendor0a wcap=f0 azalia0:
Re: NAT over internet & VPN?
On Wed, Jun 4, 2008 at 5:49 AM, Matt Garman <[EMAIL PROTECTED]> wrote:
> What I'd like to do is have my OBSD box NAT on the tun device
> (VPN tunnel). I.e., so I can use the VPN connection seamlessly from
> any system on my home network.

Basically you want to route your traffic encrypted to your home and then let it out to the internet? To do this kind of thing I'm using openvpn in bridged mode, and all NAT-ing is done on the external interface (the gateway does not differentiate between VPN clients and local clients).

It should be noted that people on this list tend to prefer ipsec over openvpn.

--
For far too long, power has been concentrated in the hands of "root" and his "wheel" oligarchy. We have instituted a dictatorship of the users. All system administration functions will be handled by the People's Committee for Democratically Organizing the System (PC-DOS).
Re: postfix error
On Fri, May 23, 2008 at 1:40 PM, Zhivko Tashev <[EMAIL PROTECTED]> wrote:
> Hi,
> I'm using OpenBSD 4.2 GENERIC and postfix-2.5.20070531-sasl2-mysql (from
> ports).
> Postfix is configured only as SMTP transfer agent.
> A couple of days ago, postfix started generating the following error message:
> (Host or domain name not found. Name service error for
> name=sps-marketing.com type=A: Host found but no data record of requested
> type)
> This appears on 99% of the domains I try to send mail to. I've googled the
> problem and several changes made no difference.
> For example: ignore_mx_lookup_error = yes/no; changing the dns servers;
> sending from different locations; spamcop.net says that my IP is not listed.
> I appreciate any help and thank you for your time.

I think your DNS server isn't functioning correctly.

--
For far too long, power has been concentrated in the hands of "root" and his "wheel" oligarchy. We have instituted a dictatorship of the users. All system administration functions will be handled by the People's Committee for Democratically Organizing the System (PC-DOS).
Re: Bridge Firewall
On Fri, May 23, 2008 at 1:37 PM, Stephan Andreas <[EMAIL PROTECTED]> wrote:
> Default is block in and out on $ext_if.
> Is it a problem with the bridge?

Yes, bridges tend to do funny things. In any case, add 'log' to your default block rule and check ''tcpdump -n -e -ttt -i pflog0'' (I read it in the official docs BTW) and it should tell you on which interface and which way (in or out) the packet was blocked.

I have my external interface and the DMZ interface in the bridge; I'm passing all traffic on the DMZ interface and do filtering only on the external interface.

HTH

--
For far too long, power has been concentrated in the hands of "root" and his "wheel" oligarchy. We have instituted a dictatorship of the users. All system administration functions will be handled by the People's Committee for Democratically Organizing the System (PC-DOS).
Re: Why Perl for pkg_* tools ?
On Fri, May 23, 2008 at 9:37 AM, Marc Espie <[EMAIL PROTECTED]> wrote:
> As far as perl goes, it's about the only language that fit the bill.
> The older pkg_* were totally impossible to maintain and extend, and
> I needed a sensible script language that was in base.

At the risk of starting a flame war, have you considered python? Besides not being in the base, any other downsides for this particular task?

--
For far too long, power has been concentrated in the hands of "root" and his "wheel" oligarchy. We have instituted a dictatorship of the users. All system administration functions will be handled by the People's Committee for Democratically Organizing the System (PC-DOS).
Re: Decipering "Understanding IP addressing"
On Wed, May 21, 2008 at 9:36 PM, Kendall Shaw <[EMAIL PROTECTED]> wrote:
> 232 what?

2^32

--
For far too long, power has been concentrated in the hands of "root" and his "wheel" oligarchy. We have instituted a dictatorship of the users. All system administration functions will be handled by the People's Committee for Democratically Organizing the System (PC-DOS).
Re: replacement pix firewall with pf
On Mon, May 12, 2008 at 6:40 AM, sonjaya <[EMAIL PROTECTED]> wrote:
> so i have some question :
> - In PIX FW cisco i just make translate ipublic to ip dmz , so how do
> it in pf without ip alias in wan interface?

AFAIK you can't. Why would you want to do that?

--
For far too long, power has been concentrated in the hands of "root" and his "wheel" oligarchy. We have instituted a dictatorship of the users. All system administration functions will be handled by the People's Committee for Democratically Organizing the System (PC-DOS).
Re: colors in regular openbsd terminal
On Mon, May 5, 2008 at 8:25 AM, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I was wondering if there was a way to get some colors inside the regular terminal
> (not Xterm or Xorg).
> I know if I alias colorls it sort of works for just listing directories and
> files but I would like to customize the look of the entire terminal, for
> example:
>
> lets say I type in "ifconfig", I would like to change the colors on the
> ip addresses and the interface names.
> Any pointers would come in handy. Thanks in advance.

I don't know of any nice ways :/

/sbin/ifconfig | sed "s/^[a-z][a-z]*[0-9][0-9]*/`tput setaf 1`&`tput sgr0`/"

This colors the interface names in red; if you want more complicated things there are good chances you will be better off with awk than sed :-)

--
For far too long, power has been concentrated in the hands of "root" and his "wheel" oligarchy. We have instituted a dictatorship of the users. All system administration functions will be handled by the People's Committee for Democratically Organizing the System (PC-DOS).
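As an added example (not from the thread and not the poster's code), here is the awk version the reply hints at, generalised to colour both the interface names and the inet/inet6 addresses that the original question asked about. It assumes BSD-style ifconfig output (a `name0: flags=...` header line followed by indented `inet`/`inet6` lines) and uses raw ANSI escapes rather than tput(1) so it also works when TERM is unset; the sample output in the usage note is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread: colour interface names and
# inet/inet6 addresses in ifconfig(8) output with a single awk pass.
# Assumes BSD-style ifconfig layout ("fxp0: flags=..." headers, indented
# "inet ..." / "inet6 ..." lines). Raw ANSI escapes are used instead of
# tput(1) so the script also works when TERM is unset.

RED=$(printf '\033[31m')
GREEN=$(printf '\033[32m')
RESET=$(printf '\033[0m')

# colorize_ifconfig: read ifconfig output on stdin, write it back with the
# interface name in red and each inet/inet6 address in green. Only the
# matched token is wrapped, so spacing and everything else survive intact.
colorize_ifconfig() {
    awk -v red="$RED" -v green="$GREEN" -v reset="$RESET" '
        # wrap len characters of line, starting at pos, in colour ... reset
        function paint(line, pos, len, colour) {
            return substr(line, 1, pos - 1) colour substr(line, pos, len) reset substr(line, pos + len)
        }
        # header lines: "em0: flags=8843<UP,...> mtu 1500"
        /^[a-z]+[0-9]+:/ {
            match($0, /^[a-z]+[0-9]+/)
            $0 = paint($0, RSTART, RLENGTH, red)
        }
        # address lines: "<tab>inet 192.0.2.10 netmask ..." / "<tab>inet6 fe80::1%em0 ..."
        /^[ \t]*inet6?[ \t]/ {
            match($0, /^[ \t]*inet6?[ \t]+/)
            start = RSTART + RLENGTH            # first character of the address
            match(substr($0, start), /[^ \t]+/)
            $0 = paint($0, start + RSTART - 1, RLENGTH, green)
        }
        { print }'
}

# Typical use on a live system (output is left alone when piped elsewhere):
#   ifconfig | colorize_ifconfig
```

Because only the matched token is rewritten, the rest of each line (flags, netmask, prefixlen) is passed through byte for byte, which keeps the output usable for further grep/awk processing if the escapes are stripped again.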
Re: Doubt about license
On Sun, May 4, 2008 at 12:12 PM, Pieter Verberne <[EMAIL PROTECTED]> wrote:
> Uhm, dunno what IIRC is.. But wouldn't it be just great to put anything
> like this in a file's header? :
> # This file is in public domain
> or even better:
> # public domain
>
> So IIRC requires the full license? That's a shame, it would be nicer to
> use the license's name only.

Heh, IIRC == If I Recall/Remember Correctly

--
For far too long, power has been concentrated in the hands of "root" and his "wheel" oligarchy. We have instituted a dictatorship of the users. All system administration functions will be handled by the People's Committee for Democratically Organizing the System (PC-DOS).
Re: Environment variables
On Fri, Apr 18, 2008 at 3:20 PM, Jurjen Oskam <[EMAIL PROTECTED]> wrote:
> So ps does show FOO, *and* it shows the value of FOO changing after
> ten seconds.

What is so weird about it? You set an env var for your program via env(1); for the first ten seconds it has that env var, then the putenv(3) call happens and it changes the value of FOO.

--
error: one bad user found in front of screen
Re: authpf: allowing both ipv4 and ipv6 traffic
On Mon, Apr 14, 2008 at 2:59 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008-04-14, Almir Karic <[EMAIL PROTECTED]> wrote:
> > On Sun, Apr 13, 2008 at 7:45 PM, Barry Commander
> > <[EMAIL PROTECTED]> wrote:
> >> Hi
> >> In order to allow wireless clients both IPv4 and IPv6 access to my wireless
> >> access point (protected with authpf)
> >> do I need to have them login as authpf twice? Once with IPv4 and again with
> >> IPv6?
> >
> > no. just add all of your rules (inet, inet6 and whatever else you
> > might have) to the /etc/authpf/users/$USER/authpf.rules
>
> how are you going to get the IPv4 address of the user if they
> have logged in to authpf by IPv6, and vice-versa?

Hehe, oops :-)

--
error: one bad user found in front of screen
Re: authpf: allowing both ipv4 and ipv6 traffic
On Sun, Apr 13, 2008 at 7:45 PM, Barry Commander <[EMAIL PROTECTED]> wrote:
> Hi
> In order to allow wireless clients both IPv4 and IPv6 access to my wireless
> access point (protected with authpf)
> do I need to have them login as authpf twice? Once with IPv4 and again with
> IPv6?

No. Just add all of your rules (inet, inet6 and whatever else you might have) to the /etc/authpf/users/$USER/authpf.rules

--
error: one bad user found in front of screen
Re: vsftpd/SSL
On Sun, Apr 13, 2008 at 7:37 PM, Manuel Heckel <[EMAIL PROTECTED]> wrote:
> Hi,
>
> me again here. if it's the wrong place to ask, please tell me.
>
> i still have problems with vsftp and ssl, but i don't think it's a
> problem of vsftpd. from my internal lan everything works fine, just from
> outside the connections get dropped when the TLS starts. my config: pf
> with nat and ftp-proxy for the ftp connections from inside; vsftpd on
> the same machine, listening on port 21, forced ssl. as said, from my lan
> everything works fine, from the outside only without SSL.

Why not use scp or sftp? They are sane protocols that don't require things like ftp-proxy(8) to work.

--
error: one bad user found in front of screen
Re: Sed or perl subsitutions - in place
On Fri, Apr 4, 2008 at 10:07 AM, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
> I am writing up a script to automatically increment the serial number of
> a bind dns zone file, but I am running across issues doing in-place
> substitution with either sed or even perl for that matter. I can do this
> easily in Linux but am having a hard time doing so in openbsd. I would like
> to search for the serial number, increment by one and then save the file.
>
> Any help...highly appreciated.
>
> Thx.
>
> Here is my code snippet:
>
> #!/bin/sh
>
> for file in $(ls /var/named/master/*.file);
> do
> if [ -f $file ];
> then
>    OLD=`grep serial $file | awk '{print $1}'`
>    echo $OLD
>    NEW=$(($OLD + 1))
>    echo $NEW
>    perl -p -i -e 's/$OLD/$NEW/' $file    <-- tried using perl
> but still the file didn't change with the incremented serial number
>    sed 's/$OLD/$NEW/' $file    <- I know this will only
> search and replace but how do I do it in-place so that the file itself is
> modified.
> fi
> done

s/$OLD/$NEW/ should be in " not in ':

perl -p -i -e "s/$OLD/$NEW/" "$file"

--
error: one bad user found in front of screen
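The quoting fix above is the direct answer. As an added example (not from the thread and not the poster's script), here is a small sh script that does the whole job portably, without `sed -i` or `perl -i`, whose in-place flags differ between GNU and BSD tools. It assumes the serial is a bare number on its own line followed by a `; serial` comment, as in the poster's zone files, writes through a temporary file so named(8) never reads a half-written zone, and wraps the serial at 2^32 as RFC 1982 serial arithmetic requires. The zone content in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: increment the SOA serial of a
# BIND zone file in place, portably (no sed -i / perl -i, whose in-place
# flags differ between GNU and BSD tools).
# Assumption: the serial is a bare number on its own line followed by a
# "; serial" comment, e.g. "        2008040401 ; serial".

# read_serial FILE: print the current serial, or nothing if no serial line.
read_serial() {
    awk 'tolower($0) ~ /;[ \t]*serial/ && $1 ~ /^[0-9]+$/ { print $1; exit }' "$1"
}

# bump_serial FILE: rewrite FILE with serial+1 (mod 2^32, RFC 1982 serial
# arithmetic). Returns 1 and leaves FILE untouched if no serial line exists.
bump_serial() {
    file=$1
    old=$(read_serial "$file")
    [ -n "$old" ] || { echo "bump_serial: no serial line in $file" >&2; return 1; }
    new=$(( (old + 1) % 4294967296 ))

    # Write to a temp file next to the zone (same filesystem, so mv is
    # atomic); cp -p first so the temp file inherits the zone's mode.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }
    awk -v new="$new" '
        !done && tolower($0) ~ /;[ \t]*serial/ && $1 ~ /^[0-9]+$/ {
            sub(/[0-9]+/, new)      # replace only the number, keep the comment
            done = 1
        }
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Typical use, followed by a reload so the new serial is actually served:
#   for z in /var/named/master/*.file; do bump_serial "$z"; done
#   rndc reload
```

Unlike `s/$OLD/$NEW/`, which would also rewrite any other occurrence of the old number in the file, this only touches the number on the serial line, and it checks the line is really a serial before editing rather than trusting `grep serial` to hit the right line.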
Re: Would OpenBSD and Squid be considered a "Proxy Firewall"?
On Fri, Mar 21, 2008 at 9:27 PM, Ed Flecko <[EMAIL PROTECTED]> wrote:
> Hi folks,
> I'm reading a book on network security and it mentions "proxy
> firewalls", so I'm wondering if an OpenBSD box with Squid installed
> would fit this description? Or, are there other "proxy firewalls" the
> author is referring to?
>
> The book mentions that although "proxy firewalls" tend to slow traffic
> down, they are much more secure than a typical "stateful packet
> filtering" firewall. He says they will ignore the typical "network
> discovery" methods, i.e. nmap, etc., etc.
>
> As a matter of curiosity, has anyone run an nmap scan against an
> OpenBSD box with Squid? What did the scan results indicate?

My guess would be it refers to `synproxy state'.

--
error: one bad user found in front of screen
Re: Samba(SMB) or Netatalk(AFP)?
On Wed, Mar 19, 2008 at 11:27 AM, Barry Commander <[EMAIL PROTECTED]> wrote:
> You could still either su to the user whose files you want from root, or you
> could map their UID.
> Both would allow you access to other users' files.

Yep, welcome to the wonderful world of NFS :-) A toy such as kerberos will be needed to secure it; I have never done this on OBSD though.

--
error: one bad user found in front of screen
Re: Samba(SMB) or Netatalk(AFP)?
On Wed, Mar 19, 2008 at 11:12 AM, Barry Commander <[EMAIL PROTECTED]> wrote:
> Doesn't NFS mean restricting root access on each client in order to prevent
> people accessing other files? Is there a way (short of restricting root
> access)
> to prevent this?

RTFM. -maproot is what you want, see exports(5).

--
error: one bad user found in front of screen
Re: Opening VPN ports
On Mon, Mar 17, 2008 at 11:26 PM, Dave Beckstrom <[EMAIL PROTECTED]> wrote:
> Hi Everyone,
>
> I have an OpenBSD 3.3 transparently bridged packet filtering firewall. I
> would like to enable a VPN connection through the firewall into a Win2K3
> server that sits behind the firewall.
>
> I am finding conflicting information on what ports/protocol to open up.
> Microsoft is saying protocol ID 47 and TCP port 1723 both inbound and
> outbound. If that's true, then something like the following should work:
>
> pass in quick on ext_if proto 47 from any to any
> pass out quick on ext_if proto 47 from any to any
>
> pass in quick on ext_if proto tcp from any to any port 1723 keep state
> pass out quick on ext_if proto tcp from any to any port 1723 keep state
>
> I had no luck with the above. If I disable PF I can connect fine, so I
> know for sure that the problem has to do with PF blocking my access.
>
> To complicate matters, I've found other references to protocols 50 & 51 and
> port 500.
>
> I'm hoping that one of you who has this working can let me know what I need
> to config in order to allow my VPN connection to pass through the firewall.

Add a 'log' statement to your block rule, then tcpdump -n -e -ttt -i pflog0 to see which packets are being dropped and by which rule. Example (from 4.2 though):

Mar 18 07:39:26.412253 rule 8/(match) block out on fxp0: 192.168.1.2.42731 > 192.168.1.98.6335: [|tcp] (DF) [tos 0x10]

You see the packet is blocked on its way out of fxp0.

--
error: one bad user found in front of screen
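As an added example (not from the thread), here is a small sh/awk filter that turns lines from `tcpdump -n -e -ttt -i pflog0` into a compact "rule action direction interface src dst" summary and counts blocked packets per rule. That is the quickest way to spot which rule is eating the protocol 47 or port 1723 packets in this message, or the bridged traffic in the "Bridge Firewall" reply earlier on this page, which gives the same `log` + pflog0 advice. It assumes the tcpdump line layout of the 4.2 sample quoted above; the additional sample lines in the usage note are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise pflog(4) output from
#   tcpdump -n -e -ttt -i pflog0
# into one "rule action direction interface src dst" record per packet and
# count blocked packets per rule. Assumes the line layout of the 4.2 sample
# quoted in the reply, i.e.
#   <timestamp> rule N/(match) ACTION DIR on IFACE: SRC > DST: ...

# pflog_summary: stdin -> summary lines; lines that are not pflog records
# (tcpdump banners, warnings) are skipped.
pflog_summary() {
    awk '
        {
            # locate the "rule" keyword so the timestamp width does not matter
            for (i = 1; i <= NF; i++) if ($i == "rule") break
            if (i + 8 > NF || $(i + 4) != "on") next
            rule = $(i + 1); sub(/\/.*/, "", rule)      # "8/(match)" -> "8"
            action = $(i + 2)                           # block / pass / ...
            dir = $(i + 3)                              # in / out
            iface = $(i + 5); sub(/:$/, "", iface)      # "fxp0:" -> "fxp0"
            src = $(i + 6)                              # host.port or host
            dst = $(i + 8); sub(/:$/, "", dst)          # strip trailing ":"
            print rule, action, dir, iface, src, dst
        }'
}

# count_blocks_by_rule: stdin -> "rule count" lines, ascending by rule
# number, counting only blocked packets.
count_blocks_by_rule() {
    pflog_summary | awk '$2 == "block" { n[$1]++ } END { for (r in n) print r, n[r] }' | sort -n
}

# Typical use while debugging a ruleset on a live box:
#   tcpdump -n -e -ttt -i pflog0 | pflog_summary
#   tcpdump -n -e -ttt -i pflog0 -c 200 | count_blocks_by_rule
```

With the rule number in hand, `pfctl -vvsr` shows the loaded rules with their `@N` indexes, so the number printed here maps straight onto the rule that matched; in an anchor the rule field looks like `3.anchorname.0/(match)` and the `sub()` keeps the part before the slash.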
Re: Samba(SMB) or Netatalk(AFP)?
On Tue, Mar 11, 2008 at 8:59 AM, Sunnz <[EMAIL PROTECTED]> wrote:
> 2008/3/11, Karl Karlsson <[EMAIL PROTECTED]>:
> >
> > Just use the same uid/gid on the client as you have in your export file.
> > As simple as that.
> >
>
> But... the user account on the clients already has their own
> uid/gid... do I have to make new accounts? Or am I missing something?

No, you are not missing anything :/ If you have a uid 1000 owned directory on the NFS server, and uid 1000 on two laptops, both of them will have write access to that directory (this is true with nfs v3, not sure about v4).

--
error: one bad user found in front of screen
Re: pf - routing
I would like to thank you two, thanks :-)

''use the bridge, luke'' was the hint I needed; I found everything else on google and in the relevant man pages. The firewall is mostly already configured, it will soon be replacing our current linux router, and the firewall rules are *much much much* more readable/maintainable :-)

--
error: one bad user found in front of screen
Re: pf - routing
On Fri, Mar 7, 2008 at 12:53 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > hm, maybe i am misunderstanding the concept of a bridge, but from
> > what i read you can assign an IP to $ext_if, and bridge (and filter
> > of course) the $dmz_if to $ext_if ? where is the extra IP wasted?
>
> Because you still need to use one of the public addresses as a
> gateway for the other machines. If you bridge it goes on the router,
> if you route it goes on the firewall. (since you say you are NATting
> for another subnet, you obviously already need to have a public
> address on the firewall to NAT to).

No NAT in DMZ :-) (at least that is the plan). If the DMZ is bridged to $ext_if, won't it use the same gateway as my router?

--
error: one bad user found in front of screen
Re: pf - routing
On Thu, Mar 6, 2008 at 1:39 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008-03-05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > On 2008-03-05, Jussi Peltola <[EMAIL PROTECTED]> wrote:
> >> On Wed, Mar 05, 2008 at 11:28:16AM +, Stuart Henderson wrote:
> >>> There are ways, but they're hacks, and harder to get right than NAT or
> >>> asking for another address. (And if you're already using NAT, you'll be
> >>> renumbering the end hosts anyway, so moving block shouldn't be all that
> >>> painful).
> >>
> >> Couldn't you bridge the DMZ? Not as simple, but not a hack either.
> >
> > Ah, how could I forget about that! (probably repressed from trying
> > to combine it with rdr before and getting very confused :-)
>
> Oh, hang on. But then the IP address you were giving the firewall has
> to be given to the router instead, so this doesn't gain you anything.

Hm, maybe I am misunderstanding the concept of a bridge, but from what I read you can assign an IP to $ext_if, and bridge (and filter of course) the $dmz_if to $ext_if? Where is the extra IP wasted?

--
error: one bad user found in front of screen
Re: pf - routing
On Wed, Mar 5, 2008 at 12:43 PM, Jussi Peltola <[EMAIL PROTECTED]> wrote:
> On Wed, Mar 05, 2008 at 11:28:16AM +, Stuart Henderson wrote:
> > There are ways, but they're hacks, and harder to get right than NAT or
> > asking for another address. (And if you're already using NAT, you'll be
> > renumbering the end hosts anyway, so moving block shouldn't be all that
> > painful).
>
> Couldn't you bridge the DMZ? Not as simple, but not a hack either.

Now here is an idea :-) Thanks, I will have a look at it and come back when I have more questions.

--
error: one bad user found in front of screen
Re: pf - routing
On Wed, Mar 5, 2008 at 11:04 AM, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2008-03-05, Almir Karic <[EMAIL PROTECTED]> wrote:
> > this is the deal, i am designing the network and i have some
> > questions, regarding route (OBSD 4.2) setup. the relevant interfaces
> > are $dmz_if (uplink for the servers in DMZ) and $ext_if the router
> > uplink.
> >
> > the idea is to save one external IP by NOT assigning an external IP to
> > the $dmz_if, is it possible?
>
> You say you're *designing* the network, so you're not trying to hack an
> extra address out of an existing too-small setup. The correct approach is
> to ask your ISP or LIR for a block of addresses the right size to fit
> the machines you need. This is perfectly justified.

The situation is the following: right now we have a linux router which has 3 IFs: uplink, dmz and lan. We don't like the way it does NAT for both lan (which is OK) and DMZ, which has proven not to be too good. I am trying to replace that old linux router with an OBSD router, and would like to take the opportunity to get rid of NAT, while still not wasting the additional external IP. So no, I'm *not* trying to hack an additional address out of the existing setup :-)

> If you're desperate to save IP addresses, put the internal hosts on
> private addresses and rdr the whole lot. Then because you don't need to
> put the public addresses on an interface at all, you can also use the
> all-0 and all-1 host addresses too.

NAT is what I am trying to get rid of in the first place (at least in DMZ).

--
error: one bad user found in front of screen
pf - routing
This is the deal: I am designing the network and I have some questions regarding route (OBSD 4.2) setup. The relevant interfaces are $dmz_if (uplink for the servers in the DMZ) and $ext_if, the router uplink.

The idea is to save one external IP by NOT assigning an external IP to $dmz_if. Is it possible? So $dmz_if would be 10.0.0.1, and the servers would have an external IP as their 'primary' IP and an alias somewhere in 10.0.0/24.

So far I came up with:

pass in on $pub_if route-to $dmz_if from any to $ip

($pub_if is there as I am testing FROM $pub_if, I will change it to something like ''{ $ext_if $pub_if $int_if }'' once I am done testing)

but that doesn't work: the ping doesn't get through, whereas if I add an alias in the same subnet as the external IPs, the ping from $pub_if:network to my $ip gets through just fine.

Any pointers/links/suggestions on how to achieve that?

--
error: one bad user found in front of screen
raidframe troubles
I did all the things recommended by the summary section of raidctl(8) (I even tried changing the 'a' partition to 'e', to be the same as in the man page, no luck). I also tried following http://unixsadm.blogspot.com/2007/10/openbsd-raidframe-mirror-software-raid.html, no change either.

My GENERIC.RAID is different from GENERIC in only two lines:

pseudo-device raid 4
option RAID_AUTOCONFIG

My trouble is:

# newfs /dev/rraid0a
/dev/rraid0a: 3564.5MB in 730 sectors of 512 bytes
18 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
super-block backups (for fsck -b #) at:
 32, 414688, 829344, 1244000, 1658656, 2073312, 2487968, 2902624, 3317280,
 3731936, 4146592, 4561248, 4975904, 5390560, 5805216, 6219872, 6634528,
 7049184,
# mount /dev/rraid0a /mnt/
mount_ffs: /dev/rraid0a on /mnt: Block device required

:(

Some (hopefully) relevant info:

# disklabel wd1
# Inside MBR partition 3: type A6 start 63 size 8434062
# /dev/rwd1c:
type: ESDI
disk: ESDI/IDE disk
label: Maxtor 90432D2
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 525
total sectors: 8440992
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#        size   offset  fstype  [fsize bsize  cpg]
  a:       10       63  4.2BSD    2048 16384   16
  b:      100   100063    swap
  c:  8440992        0  unused       0     0
  d:  7334062  1100063    RAID

# disklabel wd2
# Inside MBR partition 3: type A6 start 63 size 8434062
# /dev/rwd2c:
type: ESDI
disk: ESDI/IDE disk
label: Maxtor 90432D2
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 525
total sectors: 8440992
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#        size   offset  fstype  [fsize bsize  cpg]
  a:       10       63  4.2BSD    2048 16384   16
  b:      100   100063    swap
  c:  8440992        0  unused       0     0
  d:  7334062  1100063    RAID

# fdisk wd1
Disk: wd1       geometry: 525/255/63 [8440992 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
 0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
*3: A6    0   1  1 -  524 254 63 [          63:     8434062 ] OpenBSD

# fdisk wd2
Disk: wd2       geometry: 525/255/63 [8440992 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
 0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
*3: A6    0   1  1 -  524 254 63 [          63:     8434062 ] OpenBSD

# cat /etc/raid0.conf
START array
1 2 0
START disks
/dev/wd1d
/dev/wd2d
START layout
128 1 1 1
START queue
fifo 100

# disklabel raid0
# Inside MBR partition 3: type A6 start 128 size 7333760
# /dev/rraid0c:
type: RAID
disk: raid
label: fictitious
flags:
bytes/sector: 512
sectors/track: 128
tracks/cylinder: 8
sectors/cylinder: 1024
cylinders: 7162
total sectors: 7333888
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#        size   offset  fstype  [fsize bsize  cpg]
  a:      730      128  4.2BSD    2048 16384    1
  c:  7333888        0  unused       0     0

# fdisk raid0
Disk: raid0     geometry: 7162/8/128 [7333888 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
 0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
*3: A6    0   1  1 - 7161   7 128 [         128:     7333760 ] OpenBSD

# raidctl -sv raid0
raid0 Components:
           /dev/wd1d: optimal
           /dev/wd2d: optimal
No spares.
Component label for /dev/wd1d:
   Row: 0, Column: 0, Num Rows: 1, Num Columns: 2
   Version: 2, Serial Number: 10
Re: 4.0 -> 4.1 broke ipsec
pf is probably the problem; 'keep state' is assumed unless explicitly stated otherwise.

On 7/6/07, Heinrich Rebehn <[EMAIL PROTECTED]> wrote:
> Hello list,
>
> after using ipsec for some years now, i never experienced an upgrade
> breaking it. But after moving to 4.1 (new install) i can not get it to
> work anymore. I have copied the complete /etc/isakmpd directory from the
> 4.0 installation to the new one and also copied
> /etc/imakmpd/private/local.pub to /etc/isakmpd
>
> Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway:
> The peer antbook3 is trying to establish a connection, but the local
> isakmpd cannot validate antbook3's cert. antbook3's installation has not
> changed at all. I have never seen the message "unable to get local issuer
> certificate" before.
>
> 111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
> 111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
> 111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
> 111621.667924 Mesg 60 message_validate_payloads: payload ID at 0x8810241c of message 0x88f39500
> 111621.668011 Mesg 70 TYPE: 2
> 111621.668052 Mesg 70 DOI_DATA: 00
> 111621.668128 Mesg 70 DATA:
> 111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
> 111621.668251 Mesg 60 message_validate_payloads: payload CERT at 0x8810243e of message 0x88f39500
> 111621.668313 Mesg 70 ENCODING: X509_SIG
> 111621.668348 Mesg 70 DATA:
> 111621.668431 Mesg 60 message_validate_payloads: payload SIG at 0x8810271f of message 0x88f39500
> 111621.668503 Mesg 70 DATA:
> 111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
> 111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
> 111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
> 111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 6d656e2e 6465
> 111621.668827 Cryp 70 x509_hash_find: no certificate matched query
> 111621.669061 Default x509_cert_validate: unable to get local issuer certificate
> 111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
> 111621.672638 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
> 111621.672685 Default rsa_sig_decode_hash: no public key found
> 111621.672731 Default dropped message from 172.21.113.59 port 500 due to notification type INVALID_ID_INFORMATION
>
> Verifying the cert by hand:
>
> [EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt antbook3.crt
> antbook3.crt: OK
> [EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
> MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
>
> Making sure that the gateway uses the same ca crt:
>
> [EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
> MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
>
> I will happily post more information if needed, but i am unsure if i can
> post the output of "openssl x509 -text ..." of a cert. Would this enable
> someone else to use it?
>
> Thanks for any hints
>
> Heinrich
>
> --
> Heinrich Rebehn
> University of Bremen
> Physics / Electrical and Electronics Engineering
> - Department of Telecommunications -
> Phone : +49/421/218-4664
> Fax : -3341

--
almir
Re: openbsd 4.0 installed, need to add network interface after install
On 6/29/07, Brian Candler <[EMAIL PROTECTED]> wrote:
> Given that your on-board LAN isn't working either, maybe the motherboard
> has a serious fault. But you might not be able to return it until you can
> prove that *Windows* can't find any network cards either :-)

That's simple: create a screen session with (multiple) windows in it and show them ifconfig -A in each of those. :)

--
almir
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
On 6/29/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> Almir Karic wrote:
> > if you have trully big setups you might wanna look at ldap, from what
> > i've heard/read it should perform well under heavy read intensive
> > operations.
>
> I always see a lots of LDAP talks and some documents on it for many things
> including managing multiples users on multiples servers as a way to make
> life easier. To be honest. I never set one up yet. Doesn't know much about
> it either. Always been on my list of things to learn and explore. I guess I
> never came across a very good document that explain it so well to me with
> pro/cons to trigger my interest to try it yet. Lots on the net for sure. It
> just haven't grab me yet. May be that's the best things after slice bread
> and I am missing out. I don't know. May be if someone have a reference they
> ever come across that really trigger their interest and turn them to it, I
> would love to read it. I would very much appreciate the pointers to much
> reading.
>
> My ignorance on that subject always makes me think that it could be done
> with SQL, what ever flavor you like, so why yet use an other database LDAP?
> See my total dark side to it. (;> I never came across a reason or reading to
> push me to learn it and see it as better then other solutions. I am more
> then open to be put in the 21st century and learn it however if that's so
> blind of me.

http://www.ldapman.org/articles/intro_to_ldap.html

IMO a good intro to LDAP. If you just want to deploy a not-huge mail server you probably won't see any advantages of LDAP over MySQL. What you can do with LDAP (IMO) much better than with MySQL is ACLs; I found the 'self' to be pretty nice, example:

access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=my,dc=domain" write
        by anonymous auth
        by self write
        by * none

--
almir
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
On 6/29/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> >> 3) Mail setups
> >>
> >> I can find lots of setups with virtual mailusers. I have been
> >> succesfully using a Courier-imap/Postfix/MySQL setup for several years
> >> now, connected to a webbased mailmanagement tool.
> >> If I was to drop all that in favor of a more 'core' OpenBSD setup - what
> >> would be a nice maintainable (both for users and myself) way to offer
> >> single users multiple domains / mailboxes?
> >
> > i like virtual mail users.
>
> I am curious about this statement here. Care to provide more details? I
> used to do and am still doing a lots of it in QMail that is changing for
> postfix now and was actually going to add MySQL backend for that to make my
> life easier to manage multiple domains and obviously multiple users. I am
> curious at the reply as it may look like you have something more
> efficient? I was actually looking to just possibly use the postmap with
> hash may be, or may be the built db tools. Wasn't sure however if that
> would be best then MySQL. Obviously much smaller setup. Simpler is always
> better anyway. So, I would appreciate just a bit more suggestion, or
> details on your statement, so that may be something better I haven't
> thought of yet might be best. I am sure not oppose to use MySQL however.
>
> As for any web tools, I could care less. CLI is plenty good for me and
> anyone else here. SSH access does wonders... (:>

What exactly are you curious about? :) If you have relatively few users the postfix hashes should do the trick; there is one annoyance though, after every edit you have to run postmap (easily solvable by wrapper scripts). I tend to use MySQL, maybe because I'm used to it. If you have truly big setups you might wanna look at LDAP; from what I've heard/read it should perform well under heavy read-intensive operations.

--
almir
Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?
On 6/29/07, Matt <[EMAIL PROTECTED]> wrote:
> 2) Chroot jails / limited shells - do's and don'ts
>
> I understand the implications of chroot jails. I understand they are not
> worth the risk. Which is a shame really as they bring certain functionality
> (or limits if you will) that I would consider nice to have. How do you
> prevent people from snooping around the system, looking for that sloppy
> permissioned file / gathering intelligence about your clientbase? All by
> setting permissions manually? How do you prevent them from compiling and
> installing all sorts of things?

Regarding the info about the client database, it depends what kind of backend you are using; if it is flat files then permissions are a sane way to protect them IMO.

Regarding compiling, IMO it is not worth the hassle to try to prevent that; it is not really hard to compile the code on another machine, plus the lack of a compiler makes it painful for you to follow -current.

Regarding all sorts of junk that they might throw at you, well, I use ulimit. It works.

> 3) Mail setups
>
> I can find lots of setups with virtual mailusers. I have been
> succesfully using a Courier-imap/Postfix/MySQL setup for several years
> now, connected to a webbased mailmanagement tool.
> If I was to drop all that in favor of a more 'core' OpenBSD setup - what
> would be a nice maintainable (both for users and myself) way to offer
> single users multiple domains / mailboxes?

I like virtual mail users.

> 4) Other considerations
>
> Any advice on what to avoid and what to certainly do/check/follow up on
> is appreciated. I will certainly miss stuff that might present a problem
> down the road. For instance things like cronjobs- do you limit their use
> by custom scripts or do you just monitor abuse?

IMO not worth the effort to restrict usage of crontab (after all it is fairly simple to set up ssh keys and a cronjob on a local machine that will execute some code/script/whatever).

> I am aware of things like 'accounting', 'quota' and 'ulimit' - any other
> handy utils I might check?

logcheck (never set it up on OBSD though, just Linux).

--
almir
Re: Intel Core 2
On 6/27/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> At this time, I cannot recommend purchase of any machines based on the
> Intel Core 2 until these issues are dealt with (which I suspect will
> take more than a year). Intel must be come more transparent.
>
> (While here, I would like to say that AMD is becoming less helpful day
> by day towards open source operating systems too, perhaps because their
> serious errata lists are growing rapidly too).

So what laptop would you recommend to buy?

--
almir
Re: xfce windows manager
x11/xfce4

On 6/25/07, Alex Kwan <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I wanted to use xfce for my systems' windows manager, which packages are
> must required? (I have install the X base).
>
> thanks!
>
> Alex

--
almir
Re: named X route monitor problem
On 6/21/07, Jeff Santos <[EMAIL PROTECTED]> wrote:
> 1. Is this address an IPv6 one? Can I find out who is asking for it and
> why?

Ugghh, named log? tcpdump?

> 2. How can I tell named not to deal with IPv6?

An ugly workaround would be to block all IPv6 traffic on the named port.

--
almir
Re: Openbsd as a paravirtualized Xen domU
Last time I checked the only port of OBSD to Xen was foo (far from production ready).

On 6/19/07, David Greenberg <[EMAIL PROTECTED]> wrote:
> Where can I find this project, or more specifically a working kernel
> source/binary image or an entire Xen domU image?
>
> Thanks!
> David

--
almir
Re: Restart Apache with clean enviroment
env -i is your friend.

On 6/16/07, Mackan <[EMAIL PROTECTED]> wrote:
> Hi list!
>
> How do you guys restart apache (apachectl stop / start) without having
> all the current shell variables show up in phpinfo() that is exported in
> the shell?
>
> Mackan

--
almir
Re: Regular Expression Problem
egrep '[EMAIL PROTECTED],4}$' mail.txt  ##<-- you want this, it gets the lines you posted.

On 6/14/07, OBSD <[EMAIL PROTECTED]> wrote:
> Hi Almir,
>
> your suggestion does not work completely. What? It misses the
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> I had the same issue as I used
> cat mail.txt | egrep "[EMAIL PROTECTED],4}$"

The problem is that '.-_' is parsed as a range and not as 3 literal characters '.', '-' and '_'. If you look at what I wrote now you'll see that I moved '-' to the end so it doesn't get parsed as a range.

--
almir
Re: Regular Expression Problem
On 6/14/07, OBSD <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> thanks for all the suggestions. With this it works:
>
> cat mail.txt | egrep "[EMAIL PROTECTED]" | egrep "\.[a-zA-Z]{2,4}$"
>
> It is probably possible to avoid the last egrep but I have not find out
> how.

egrep '[EMAIL PROTECTED],4}$' mail.txt

btw, http://www.catb.org/jargon/html/U/UUOC.html

--
almir
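An added, runnable illustration of the bracket-expression problem discussed in this reply and the one above it (this script is not part of the original thread). The archive's address redaction ate the posters' actual patterns, so the two patterns below are my own reconstruction of the shape being argued about, and the sample addresses are constructed for this example. The point it shows: inside `[...]`, `X-Y` is a range, and `.-_` covers bytes 0x2E..0x5F, which does not include `-` itself (0x2D), so any address containing a hyphen is silently dropped; writing `-` last makes it a literal.

```shell
#!/bin/sh
# Added example, not from the original thread: why "[a-zA-Z0-9.-_]" misses
# addresses containing a hyphen while "[a-zA-Z0-9._-]" does not.
# Pin the C locale so bracket ranges are plain byte ranges everywhere.
LC_ALL=C
export LC_ALL

# Constructed sample input standing in for the poster's mail.txt.
sample_addrs() {
    cat <<'EOF'
alice@example.com
bob.smith@example.org
john-doe@example.net
under_score@example.co.uk
not an address
EOF
}

# Assumed reconstruction of the original pattern: "-" sits between "."
# and "_" and is therefore parsed as a range operator, not a literal.
RANGE_BUG='^[a-zA-Z0-9.-_]+@[a-zA-Z0-9.-_]+\.[a-zA-Z]{2,4}$'
# The fixed pattern: "-" is last in the bracket expression, so it is literal.
FIXED='^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.[a-zA-Z]{2,4}$'

# count_matches PATTERN: number of sample lines PATTERN accepts.
count_matches() {
    sample_addrs | grep -Ec "$1"
}

# missed_by_range: lines the fixed pattern accepts but the buggy one rejects.
missed_by_range() {
    sample_addrs | grep -E "$FIXED" | grep -Ev "$RANGE_BUG"
}

echo "range-bug pattern matches: $(count_matches "$RANGE_BUG")"
echo "fixed pattern matches:     $(count_matches "$FIXED")"
echo "missed by the range-bug pattern:"
missed_by_range
```

The same trap applies to `]` and `^`: `]` must come first in the bracket expression and `^` must not come first, otherwise they are operators too.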
Re: authpf dropping all connections when disconnecting
> Is this normal, or have I done something wrong.

This is normal.

--
almir
Re: Two instances of chrooted OBSD Apache?
> I am rather inexperienced in this field so any advice is highly
> appreciated! (including other relatively safe php4+php5 methods that
> might work on OpenBSD)

Both lighttpd and apache allow you to have php4 and php5 side by side. In apache one has to be a FCGI process, the other can be either FCGI or mod_php (and you just AddHandler in Directory/Location/VirtualHost/.../). I am NOT too paranoid about security, so my setup includes lighttpd, and each site that wants php gets its own FCGI process, so that standard unix permissions apply.

--
almir
Re: About BSD Certification
On 6/8/07, Rico Secada <[EMAIL PROTECTED]> wrote:
> Taking a certification doesn't prove anything imho. And the way that
> they focus on the 4 different BSD's.. you could have someone being an
> expert in OpenBSD yet he has never used DragonflyBSD, would this make him
> less interesting to hire for a BSD specific job?

If it is a DragonflyBSD-specific job then yes, otherwise no.

--
almir
Re: find -exec {} help
On 6/5/07, Marc Espie <[EMAIL PROTECTED]> wrote:
> On Mon, Jun 04, 2007 at 11:45:27PM +0200, Almir Karic wrote:
> > > I don't see any -i option documented in the sed manpage.
> >
> > -i on some seds (gsed, ssed, FBSD sed, maybe others) means ''in
> > place'' edit, that feature can be reimplemented with ''sed '' file
> > >new_file; mv -g new_file file'' (it also makes sure it generates
> > safe temp file, so doesn't overwrite any file accidentally). but it
> > doesn't exists in OBSD sed, so his answer was 'wrong'.
>
> What is mv -g ? doesn't seem to be any standard option I know about ?

Me feels like an idiot :/ I meant mv -f and not mv -g :/

--
almir
Re: find -exec {} help
> This works indeed. But better use the additional quotes around $1. Just
> get used to them, because $1 could contain IFS characters.

True, but in this case it doesn't really matter how the shell splits words :)

> > i am cheating tho, and have sh symlinked to bash.
>
> Why?

I learnt to use bash, and POSIX sh is not good enough any more. Though to be fair, most of the features I like in bash are (probably) implemented in ksh and zsh as well, I just never bothered to learn either.

> I don't see any -i option documented in the sed manpage.

-i on some seds (gsed, ssed, FBSD sed, maybe others) means ''in place'' edit. That feature can be reimplemented with ''sed '' file > new_file; mv -g new_file file'' (it also makes sure it generates a safe temp file, so it doesn't overwrite any file accidentally). But it doesn't exist in OBSD sed, so his answer was 'wrong'.

--
almir
Re: find -exec {} help
> > ...-exec sh -c 'something with $1' {} \; is fully safe as well.
>
> sh -c 'echo foo"$1"bar' baz -> foobar
>
> Seems not.

A typo, sorry, it should be

sh -c 'echo foo$1bar' -- baz

I am cheating though, and have sh symlinked to bash.

--
almir
Re: find -exec {} help
> A completely safe solution would be writing a small script:
>
> #! /bin/sh
> exec sed s/old/new/ < "$1" > "$1".new
>
> and using
>
> find . -type f -name \*.htm -exec /path/to/script {} \;
>
> or
>
> find . -type f -name \*.htm -print0 | xargs -0 -L 1 -r /path/to/script

...-exec sh -c 'something with $1' {} \; is fully safe as well.

--
almir
Re: find -exec {} help
> Find . -name "*.htm" -exec 'sed s/old/new/' > '{}'.new

The above command is probably a syntax error, due to the unterminated -exec (add \; at the end to fix this). Apart from that, that command would look for a command named 'sed s/old/new/' (note: it would NOT invoke the sed command with the s/old/new/ argument).

find . -name "*.htm" -exec echo '{}.new' \;

should do what you want.

--
almir
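The pieces argued about across this thread (a safe `-exec sh -c '...' -- {}` invocation, and reimplementing `sed -i` as "write a temp file, then `mv -f` it over the original") fit together into one script. The following is an added example, not code from the thread or from any poster, and the file tree it edits is constructed inside the script. The temp file comes from mktemp(1) next to the original, so a predictable name cannot be pre-created by another local user and a failed sed never clobbers the file; file names reach the inner sh as positional parameters rather than being pasted into the command string, so names with spaces or quotes are handled.

```shell
#!/bin/sh
# Added example, not from the original thread: a portable "sed -i"
# substitute driven from find(1). Temp file via mktemp(1), then mv -f.

# replace_in_tree DIR SED_EXPR: apply SED_EXPR to every *.htm under DIR,
# in place. The sed expression is passed as $1 of the inner sh and the
# file names follow it, so nothing is interpolated into the script text.
replace_in_tree() {
    find "$1" -type f -name '*.htm' -exec sh -c '
        expr=$1; shift
        for f; do
            tmp=$(mktemp "$f.XXXXXX") || exit 1
            if sed "$expr" < "$f" > "$tmp"; then
                mv -f "$tmp" "$f"
            else
                rm -f "$tmp"
                exit 1
            fi
        done
    ' -- "$2" {} +
}

# demo: builds a constructed tree in a temp dir, runs the replacement and
# prints the resulting contents so the effect can be checked.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'old text\n' > "$dir/a.htm"
    printf 'old and old\n' > "$dir/b.htm"
    printf 'old\n' > "$dir/c.txt"        # not *.htm: must stay untouched
    replace_in_tree "$dir" 's/old/new/'
    cat "$dir/a.htm" "$dir/b.htm" "$dir/c.txt"
    rm -rf "$dir"
}

demo
```

Two caveats a real `sed -i` user should know: the renamed file is a new inode, so hard links to the original are not updated, and it carries mktemp's 0600 mode rather than the original's, so copy the mode across before the `mv -f` if that matters. `s/old/new/` without the `g` flag also replaces only the first occurrence per line, which is why "old and old" becomes "new and old".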
obsd as xen guest
Anyone managed to get OBSD to run as a Xen guest OS? Care to share how? The only document I found is http://ropersonline.com/openbsd/xen/openbsd-xen-howto , and well:

xen:/home/vserver/obsd# hg clone http://hg.recoil.org/openbsd-xen-sys.hg
requesting all changes
abort: HTTP Error 500: Internal Server Error

:(

Does anyone know any alternative ways of running OBSD as a Xen guest? Or does anyone know of any mirrors of the above directory?

--
almir
Re: q
On 4/21/07, Soner Tari <[EMAIL PROTECTED]> wrote:
> I guess the OP means, for example, Ubuntu-like setting, where there is a
> root account of course but you cannot log in as root (actually, you can
> drop to root shell in single user mode or by sudo -i). I believe this
> hopefully serves the purpose of preventing the habit of system admins to
> log in as root, thus can protect the system from inadvertent behaviour on
> the command line (and perhaps GUI too). Probably nothing else in practice.

They are trying to solve a social problem (people using the root account way too much) with a technical solution (sudo + disabling root login by default). Not gonna work :-)

--
almir
Re: Distributed File System
Considered NFS over Kerberos?

On 4/17/07, Pete Vickers <[EMAIL PROTECTED]> wrote:
> try web DAV - works a treat for me on OpenBSD with linux, Mac & windows
> clients...
>
> /pete
>
> On 17 Apr 2007, at 2:28 AM, Rico Secada wrote:
> > Hi all.
> >
> > At work I am experiencing with setting up some distributed file
> > system, at the current moment working with NFS. The problem is that
> > it is being setup at work and people, from their homes, need to be
> > able to mount the system.
> >
> > I have no prior experience in this, except for setting up and using
> > NFS across a LAN.
> >
> > I would greatly appreciate any recommendations regarding security,
> > effectiveness and other advices!
> >
> > I have been thinking about tunneling NFS over SSH2, and possibly
> > using some kind of cache, but I do not know if this is actually the
> > best approach. I have also been thinking about using AFS as posted
> > before.
> >
> > Also perhaps, but not necessary, support for Windows could be
> > needed in the long run.
> >
> > What are you guys using and how is it setup?
> >
> > Best and kind regards!
> >
> > Rico.

--
almir
Re: Beep!
On 4/10/07, Ryan Corder <[EMAIL PROTECTED]> wrote:
> On Tue, 2007-04-10 at 07:53 -0700, Manuel Ravasio wrote:
> > I'm creating some shell scripts for various administrative purposes, and
> > I'd really like to add some kind of command at the end of each in order
> > to have the pc speaker BEEP when the script is over.
>
> \b

Isn't \b a backspace?

--
almir
Re: External Router
Use route tables: set the gateway 10.30.9.253 for the subnet on which your other office is, and use your ISP's gateway as the default gateway. You can manipulate route tables with route(8).

On 3/19/07, Ricardo Lucas <[EMAIL PROTECTED]> wrote:
> Hello ppl from misc,
>
> I have an issue, I have a little lan with a oBSD box that connect to my
> ISP and bring the Internet to this lan, but I have another router inside
> that lan that connects me to my another office, and I have a win2000
> machine that is the DNS for this router, so, if I want to connect to my
> other office I have to set the machines configurations to gateway ->
> 10.30.9.253, the router and DNS 10.30.9.250, the win2000 machine, and if
> I want to use the internet i have to use set the machines configurations
> to gateway -> 10.30.9.254, the oBSD box and DNS are from my ISP.
>
> So what I want is that the oBSD handle this job, I mean, I want use only
> the oBSD as a router and when the traffic is for the other office the
> oBSD send the traffic to the 10.30.9.253 router and when the the traffic
> is for the Internet the oBSD send the traffic trough it's connection to
> my ISP.
>
> So, that's it...
>
> --
> Best regards
> Ricardo Lucas

--
almir
Re: weird PF behavior
Why do you bother asking questions if you are not willing to accept answers?

> you either need:
>
> pass out on bge0 from
> block out on bge0 from to { , }
>
> or:
>
> block quick out on bge0 from to { , }
> pass out on bge0 from
>
> alternatively you could have a combined table containing both outside and
> llcidr sets of addresses, but you can't nest tables so it's probably more
> work to maintain.
>
> the PF faq has something on the subject (tables.html, macros.html).

The above post gives you the solutions to this problem; you rejected one of the solutions because of a feeling, and you didn't bother to use the second one (tables) nor to read the given docs :/

--
almir
Re: weird PF behavior
On 3/16/07, Ryan Corder <[EMAIL PROTECTED]> wrote:
> On Fri, 2007-03-16 at 11:09 +0100, Alexander Hall wrote:
> > Ryan Corder wrote:
> >
> > > alternatively, I did this and it seemed to work
> > >
> > > pass out on bge0 from to { any, ! }
> > > pass out on bge0 from to { any, ! }
> >
> > The above is an overkill equivalent to
> >
> > pass out on bge0 from to any
> >
> > which I doubt is what you want.
>
> this isn't the way it is acting. what i want is
>
> pass out everything except
> pass out everything except
>
> and it seems to be working that way.

The {} thingy is strictly text expansion, which means your rules expand to:

pass out on bge0 from to any
pass out on bge0 from to !
pass out on bge0 from to any
pass out on bge0 from to !

If you use ''pfctl -sr'' you will see that we were right.

--
almir
Important OpenBSD errata
is this a second remote hole in default install? -- almir
Re: Save ports
On 3/5/07, Toni Mueller <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Thu, 22.02.2007 at 22:36:21 +0100, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > Just filtering aggressively using pf works as well, of course.
>
> it depends. My current impression is that if you can get away with
> having the TCP stack reject packets w/o spending the effort of running
> it through pf, than that's a performance benefit. But I'm not sure that
> the person asking will be in such a situation.

If someone sent you a packet they already wasted your bandwidth, so the only thing you gain is a minor performance benefit, as the services in question aren't wasting your RAM.

--
almir
Re: Is Theo still hiking ????
You are missing some things, the most important of which are that IPv6 is supposed to last for DECADES and that all computers behind NAT should get their public IPs (that is what someone suggested earlier). Those two are by far the most important things you omitted from your calculation; others are that some IPs won't be available to ''average'' human beings (private IP ranges, broadcast addresses, router addresses...), and also that enterprises will grab a crapload of IPs for business needs.

On 1/28/07, Michael Jensen <[EMAIL PROTECTED]> wrote:
> On 1/28/07, Almir Karic <[EMAIL PROTECTED]> wrote:
> > they said the SAME thing about ipv4 :/
> >
> > > 65536 x the total number of possible 48-bit MAC addresses.
> >
> > irrelevant.
> >
> > --
> > almir
>
> Why not try to calculate a bit. well the number is a bit big so it hard
> to just imagine it and hard to compare to other numbers. But if there are
> forexample 6 billion people on earth. They could each have 2^128-2^33=2^95
> ip adresses.
>
> 2^95 = 39.614.081.257.132.168.796.771.975.168
>
> I think i can cope a year or two before i need more than that. :)

--
almir
Re: Is Theo still hiking ????
They said the SAME thing about IPv4 :/

> 65536 x the total number of possible 48-bit MAC addresses.

Irrelevant.

--
almir
Re: Is Theo still hiking ????
> whats sad is how many people will never let go of NAT after they migrate
> to ipv6.

Why not start saving IPv6 addresses at the beginning?

--
almir
Re: apache security
> Maybe use permissions, diff user on each site, chmod to disallow writing
> from other users?

That would solve the problem, but I have no idea how to achieve it, and Google doesn't seem to like me :/ Any hints?

--
almir
apache security
What I would like to achieve is that on a shared host, if bad guys (tm) break into one site they can't get to other sites. Is this possible? I've been looking at su-exec but it is for CGI scripts only :/ What other options are there? AFAIK chroot is not the correct answer to my question, as it protects the rest of the system from being exploited if one of the sites gets cracked, but it can't protect one site from another...

--
almir
Re: difference between macros and tables in pf
It will be processed in ''another way''. 192.168.0.0/16 means ''any IP address which has the first 16 bits the same as 192.168.0.0'', and the first 16 bits in this case are ''192.168''.

On 1/9/07, Artyom Goryainov <[EMAIL PROTECTED]> wrote:
> And when I write for example local_net=192.168.0.0/16 will it be expanded
> in rules to individual addresses, or it will be processed another way?

--
almir
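To make "the first 16 bits the same" concrete, here is an added example (not from the original thread, and not pf's own code) that does in plain sh arithmetic what a CIDR match does: convert the address and the network to 32-bit integers, build the mask from the prefix length, and compare the masked bits. pf stores 192.168.0.0/16 as one address-plus-mask and compares exactly this way; the macro is never expanded into 65536 separate rules. The addresses tested at the bottom are my own picks.

```shell
#!/bin/sh
# Added example, not from the original thread: a CIDR membership check in
# POSIX sh, showing what "first PLEN bits the same" means.

# ip_to_int A.B.C.D: print the dotted-quad address as an unsigned 32-bit
# integer. The subshell keeps the IFS change local.
ip_to_int() {
    echo "$1" | (
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    )
}

# prefix_mask PLEN: print the netmask for a /PLEN as an integer
# (e.g. 16 -> 0xFFFF0000 -> 4294901760). /0 is special-cased so that the
# shift never reaches 32 bits.
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# in_cidr IP NET/PLEN: succeed if IP's first PLEN bits equal NET's.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(prefix_mask "${2#*/}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# addrs_in_prefix NET/PLEN: how many addresses the prefix covers, i.e. how
# many rules a naive "expand to individual addresses" would have produced.
addrs_in_prefix() {
    echo $(( 1 << (32 - ${1#*/}) ))
}

for a in 192.168.200.7 192.169.0.1 10.0.0.1; do
    if in_cidr "$a" 192.168.0.0/16; then
        echo "$a is inside 192.168.0.0/16"
    else
        echo "$a is outside 192.168.0.0/16"
    fi
done
echo "192.168.0.0/16 covers $(addrs_in_prefix 192.168.0.0/16) addresses"
```

The second address, 192.169.0.1, differs from 192.168.0.0 in the 16th bit only (168 = 10101000, 169 = 10101001), which is exactly why it falls outside the /16 and why a /15 would have accepted it.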