Re: OT - gmail alternatives

2010-12-09 Thread Brad Tilley
Adam M. Dutko wrote:
> How do they deal with legal jurisdiction?  Technically the government can
> still subpoena and they'd have to turn over the documents in the person's
> account, including backups.  

Use GPG so all the ISP could do is hand over the encrypted bits. You
hold the key.

Brad



OT - Switzerland domain name registrars

2010-12-08 Thread Brad Tilley
Can anyone recommend good/reputable domain name registrars in
Switzerland to buy .ch domains from and/or transfer .com names to? I'm
in the US and have heard good things about switchplus, but I wanted to
ask here as I know many OpenBSD people are in Europe.

Thanks,

Brad



Re: SSD with firmware upgrade under OpenBSD

2010-11-30 Thread Brad Tilley
Kevin Chadwick wrote:

> I almost completely agree, but also disagree and yes I'd say it's not
> worth getting into again. I would have to check the latest developments
> as I can imagine an algorithm which solved the problem during idle
> periods or didn't use its full capacity but currently I don't agree
> fully with "huge amounts of data". The problem was reduced immensely by
> spreading writes across all free sectors rather than sequentially but I
> believe? the problem re-appears on a busy nearly full disk. I would also
> hope/imagine the only effect would be getting bad sectors in that area
> but I haven't looked into it very far as I currently have no need to
> and so maybe I should shut up until I do. However, I for one will not
> be treating SSDs like HDDs in all applications of disks until after I
> learn more.

One thing you might consider... buy a SSD and do some testing. Attach it
to an OpenBSD box, put a file system on it, then write a script similar
to this to repeatedly fill and empty the file system:

while :
do
    # fill the file system with random data, then flush it to the disk
    dd if=/dev/arandom of=big_un.bin bs=64k
    sync
    sleep 1
    # overwrite and unlink the file so the blocks are rewritten, not just freed
    rm -P big_un.bin
done

Let that run for a few years and see how long the disk actually lasts.
You could put up a website with live results. You'd become famous too...
especially if you hit the decade mark and the thing still works :)

Also, I just noticed that the high-end Intel SSDs claim 2,000,000 hours
MTBF. I wonder why they market that number and then say "3 year
warranty". There are only roughly 26,280 hours in a three year period.

Brad



Re: SSD with firmware upgrade under OpenBSD

2010-11-30 Thread Brad Tilley
Kevin Chadwick wrote:
> On Tue, 30 Nov 2010 16:44:51 +0100
> Jan Stary  wrote:
> 
>> On Nov 30 12:32:16, Kevin Chadwick wrote:
>>> On Mon, 29 Nov 2010 21:17:17 -0500
>>> Brad Tilley  wrote:
>>>
>>>> Do they really fail that often?
>>> My current understanding is that a mostly empty SSD's electronics will
>>> fail before it forgets what it's written but a mostly full and busy SSD
>>> may start forgetting fairly soon, unless it shuffles data which would
>>> slow it down considerably.
>> My current understanding is that you treat a SSD as any other disk and
>> never even notice that your wd0/sd0 is not a piece of metal rotating
>> at 7200RPM, unless you read/write huge amounts of data, which you don't.
>>
>> Let's not get into that again.
>>
> 
> I almost completely agree, but also disagree and yes I'd say it's not
> worth getting into again. I would have to check the latest developments
> as I can imagine an algorithm which solved the problem during idle
> periods or didn't use its full capacity but currently I don't agree
> fully with "huge amounts of data". The problem was reduced immensely by
> spreading writes across all free sectors rather than sequentially but I
> believe? the problem re-appears on a busy nearly full disk. I would also
> hope/imagine the only effect would be getting bad sectors in that area
> but I haven't looked into it very far as I currently have no need to
> and so maybe I should shut up until I do. However, I for one will not
> be treating SSDs like HDDs in all applications of disks until after I
> learn more.

I've been treating my SSD like any other hard disk during the last year.
It is still working fine. The specs say it has an MTBF of 1,000,000 hours
and I've only used it for about 10,000 hours so far. I've been at 60%
capacity since day one.

If it fails before meeting the MTBF, I'll send it back for a refund. If
it lasts as long as they claim it will (about a hundred years), then
I'll be dead before it stops working. :)

Brad



Re: SSD with firmware upgrade under OpenBSD

2010-11-29 Thread Brad Tilley
On 11/29/2010 02:56 PM, Ted Unangst wrote:
> buying a new SSD to replace your "burned out" one every year is still
> cheaper than building a 15k sas drive raid set with equivalent
> performance.

I've been using an inexpensive Kingston SSD for more than a year now in
a 4.6 box. It works fine and I've never thought about flashing its
firmware. Its MTBF is astronomical. Do they really fail that often?

Brad



Re: Advice on learning C as first language

2010-11-24 Thread Brad Tilley
Brad Tilley wrote:
> James Hozier wrote:
> 
>> Are there any books that are more noob-friendly for someone who wants to learn C as 
>> their first language and explain basic programming terms along the way?

Forgot to mention a book... If you decide to take the C++ route, I
suggest "Accelerated C++".

http://www.acceleratedcpp.com/



Re: Advice on learning C as first language

2010-11-24 Thread Brad Tilley
James Hozier wrote:

> Are there any books that are more noob-friendly for someone who wants to learn C as their 
> first language and explain basic programming terms along the way?

I'm no expert, but I do program C for applications (not operating
systems). My advice would be to study data structures, pointers and
concepts such as const, struct, etc. and to understand why types are
important. When you script with Python/Perl/Ruby much of that is glossed
over, but is really important.

By itself, C is very basic and small and can be learned quickly.
However, if you need a data structure to do useful things, you need to
find a library or roll your own.

I would suggest learning C++ as a C with more stuff built-in. Its STL
has well-tested lists, queues, stacks, maps, vectors, hashes, etc.
built-in to it so you are not rolling your own or looking at external
libraries. It also has references (but you can still use raw pointers if
you like) and the C++ compiler won't let you get away with nearly as much.

Just my experience, good luck.

Brad



Re: OT: Disadvantages of using virtual firewalls like OpenBSD

2010-11-23 Thread Brad Tilley
Nick Holland wrote:

> what's changed?
> Layering? Nope.
> Crappy programming?  Nope.
> Better hardware?  not really.
> Features-before-security?  Nope.

Good points. The goals of virtualization are easy management, power
savings, quick provisioning and deployment, redundancy, etc. When you
talk about security and virtualization at the guest level, the
prevailing attitude is, "If it gets hacked, we'll just restore it from a
known good snapshot... problem solved."

I don't hear much talk at all about the host machine and security (the
real server that hosts all the pretend servers is just assumed to be
OK). There just seems to be a lot of trust in the vendors.

Brad

> Lots new features, though.
> And they fixed a few bugs AFTER they were brought to the vendor's
> attention.  Reactive at its best.   You think they FIXED more bugs than
> they added with the new features?
> 
> I think the virtualization products have proven their attitude towards
> security and correctness.  If something changed, it is theirs to
> prove...and then, you still have the complexity issue.  A more complex
> system is unlikely to be more secure or more reliable than a simple system.
> 
> Nick.



Re: OT: Disadvantages of using virtual firewalls like OpenBSD

2010-11-23 Thread Brad Tilley
carlopmart wrote:

>  Advantages are very clear for me: provisioning, administration tasks,
> etc ... But I would like to know the disadvantages. What is your opinion from the
> point of view of security?

I use virtualization for many things (mainly for the productivity
advantages that you list), but it has always bothered me because
virtualization is pretending.

In Java, for example, the VM pretends about a lot of things that are not
true in the physical world. This makes it easy and convenient for
programmers. The problem is that they come to believe that the pretend
things are real and then make assumptions (when dealing with physical
machines) that are incorrect.

I would say that so long as you understand that a lot of pretending is
going on when doing any sort of virtualization, (and you accept that)
and that you know the differences between the pretend machines and the
real machines then you know all you need to know in order to decide if
it is right for your environment.

Brad



Re: OT IPv6 Was: nfsv4?

2010-10-31 Thread Brad Tilley
On 10/31/2010 04:01 PM, Diana Eichert wrote:

> excuses only go for so long.  I tell you IPv6 deployment is moving
> forward.

Perhaps we can shame them into facing facts:

$ dig +short AAAA www.netbsd.org
2001:4f8:3:7:2e0:81ff:fe52:9a6b

$ dig +short AAAA www.freebsd.org
2001:4f8:fff6::21

$ dig +short AAAA www.openbsd.org
silence



Re: OT IPv6 Was: nfsv4?

2010-10-30 Thread Brad Tilley
On 10/30/2010 04:18 PM, Marco Peereboom wrote:


> Let's hope the youtubes and facebooks go v6 so that they get off my v4
> lawn.

No need to hope:

$ dig AAAA +short www.v6.facebook.com
2620:0:1cfe:face:b00c::3

Brad



Re: nfsv4?

2010-10-29 Thread Brad Tilley
On 10/29/2010 09:24 PM, Corey wrote:

> I've put off learning anything really about IPv6 in hopes that after
> most organizations ignore it, it withers and dies (at least in its
> current form).  



I like it. It works well with OpenBSD and you can get free tunnels from
Sixxs and others to use (if your ISP isn't native). Virginia Tech has
had a native production IPv6 network for many years now.

I set up OpenSSH to only listen on inet6 (AddressFamily inet6). This
keeps all the v4-only brute force ssh scanner noise out of the logs.
What a waste of logging. Also, by creating AAAA records, it's human
friendly.

Using pf to only talk to other OpenBSD hosts and OpenSSH to only do
inet6 are great features.

Brad



Re: nfsv4?

2010-10-29 Thread Brad Tilley
James A. Peltier wrote:

> No, the NFS share is re-exported out via Samba as a native CIFS mount to 
> Windows machines.  It's a simple copy paste for them

CIFS? How do you encrypt that? That's all clear text (except the auth)
right?

Brad



Re: nfsv4?

2010-10-27 Thread Brad Tilley
James A. Peltier wrote:

> Now, that said, is there anything that you could recommend instead of NFSv4 
> for offering secure file services to multiple platforms?

Apache with SSL may be a solution. I've used it on small scale projects.
You can auth users against LDAP, AD, etc. Should work with any client
that has an SSL capable web browser/client of some sort. It's very
portable, file system and client agnostic.

The one downside (IMO) is that the clients won't see it as a native file
system mount, but there are interfaces available and you can always
write your own or customize one to fit your needs.

Your own little dropbox-ish solution.

Brad



Re: Force passwordcheck in login.conf

2010-10-18 Thread Brad Tilley
One last note... it seems that OpenPAM on the other BSDs and LinuxPAM on
Linux systems address all of PCI requirement 8. However, they all seem
to differ slightly with their PAM implementations and PAM in general
seems overly complex (to me at least).

I mis-configured PAM on a test system (commented out one line in error)
and found that root could log in by typing *anything* and that the
normal root password still worked too.

Brad



Re: Force passwordcheck in login.conf

2010-10-17 Thread Brad Tilley
On 10/17/2010 12:56 PM, Dewey Hylton wrote:

>> just a quick note on how we addressed 8.5.13 ... yes, it requires python,
>> but we are a python shop so this was not an issue for us. i'm just posting
>> it for the purpose of sharing ideas.
>>
>> http://www.deweyonline.com/files/openbsd/login_-custompasswd

Thanks. I'll add that as a possible solution for folks who wish to add
Python to the base install.

Brad



Re: Auto Logout Idle Users

2010-10-15 Thread Brad Tilley
Jurjen Oskam wrote:
> On Thu, Oct 14, 2010 at 06:17:23PM -0400, Brad Tilley wrote:
> 
>> I thought about doing that too. I need to test it more to see what
>> happens when ksh is the shell and the user executes csh manually. I
>> suppose ksh will still honor TMOUT in that case.
> 
> TMOUT is at most a convenience, not a security measure:
> 
> $ TMOUT=600
> $ readonly TMOUT
> $ exec perl -e 'delete $ENV{TMOUT} ; exec "/bin/ksh";'
> $ echo $TMOUT
> 0
> $ 
> 

Understood. If an employee did that, there should be measures in place
at the policy level to deal with that behavior (if it is discovered).
70% of the PCI DSS controls are policy and procedure, not technical.

Thanks to all for feedback, I appreciate it.

Brad



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
On 10/14/2010 06:45 PM, Ben Niccum wrote:

>> I thought about doing that too. I need to test it more to see what
>> happens when ksh is the shell and the user executes csh manually. I
>> suppose ksh will still honor TMOUT in that case.
>>
>> Brad
>>
> 
> Don't mean to complicate things for you, but just thought I should
> mention that if the user does:
> 
> # exec /bin/csh
> 
> Then csh takes over ksh's active process, and even though the TMOUT
> variable is still there, csh doesn't honor it, and ksh is no longer
> around to object.
> 
> -Ben

Great point. That's precisely the sort of thing I'd like to have thought
about. Many of the compliance efforts may look good on paper, but have
no impact on actual usage or may be trivially circumvented as you point
out. So while disabling a shell may get a check mark during PCI
compliance efforts, that may be all you end up with.

Brad



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
On 10/14/2010 05:13 PM, Jan Stary wrote:
> On Oct 14 17:01:30, Brad Tilley wrote:
>> Jan Stary wrote:
>>
>>> Why do you want to logout idle users?
>>> There is sysutils/idled if you need it.
>>
>> I'm experimenting with getting an OpenBSD base system to meet the PCI
>> DSS requirements.
> 
> Does PCI DSS require you to log users out?

After 15 minutes of inactivity, users must re-enter the password.
Something such as that.

>> I'm trying to avoid using any software outside the base system.
>>
>>>> rm /bin/csh
>>>> cp /bin/ksh /bin/csh
>>
>>> You just forced your csh users to use ksh. Why do you want them to hate you?
>>
>> It's just a shell, they'll get over it.
> 
> Unbelievable.

I'm not actually doing this to users on an existing system. I'm just
experimenting. Thinking out loud about the issues before having to deal
with it.



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
On 10/14/2010 05:08 PM, Darrin Chandler wrote:
>>>> rm /bin/csh
>>>> cp /bin/ksh /bin/csh
>>
>>> You just forced your csh users to use ksh. Why do you want them to hate you?
>>
>> It's just a shell, they'll get over it.
> 
> Remove it from /etc/shells instead. Replacing csh with ksh is evil, and
> I don't mean that in a good way.
> 

I thought about doing that too. I need to test it more to see what
happens when ksh is the shell and the user executes csh manually. I
suppose ksh will still honor TMOUT in that case.

Brad



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
Jan Stary wrote:

> Why do you want to logout idle users?
> There is sysutils/idled if you need it.

I'm experimenting with getting an OpenBSD base system to meet the PCI
DSS requirements. I'm trying to avoid using any software outside the
base system.

>> rm /bin/csh
>> cp /bin/ksh /bin/csh

> You just forced your csh users to use ksh. Why do you want them to hate you?

It's just a shell, they'll get over it.

> Why don't you also 'mv /bin/rm /bin/ls' while you are at it?

Not a very similar comparison.




Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
Adam M. Dutko wrote:
>> Any good reason to not do this?
>>
>>
> They're not the same shell.  

Yes, I know that part :)

> I can't think of any security reasons because
> I'm not familiar with the code but as far as logs and noise factor I imagine
> it would go up or various things might start breaking that depend on csh.

Base seems to only have two shells as ksh and sh have the same md5
checksum. I'm hoping csh is only included for historical reasons or in
honor of Bill Joy or something such as that.

Brad



Re: Auto Logout Idle Users

2010-10-14 Thread Brad Tilley
Brad Tilley wrote:
> I created the file /etc/profile to force sh and ksh to logout users
> after a certain period of idleness:
> 
> $ cat /etc/profile
> 
> # Force sh and ksh to logout idle users after 15 minutes
> # Prevent normal users from disabling this setting
> readonly TMOUT=900
> export TMOUT
> 
> That works great. I've tried to do the same to the other default shell
> in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to
> /etc/csh.login as well (I'm turning knobs like a good clueless user).
> 
> I then read the csh man page, but saw no mention of autologout. Perhaps
> the OpenBSD version of csh does not support this? Is there a way to do
> this with csh? If not, I'll need to remove access to the shell.

Replying to myself. I can't seem to make csh auto logout inactive users.
So I did this:

rm /bin/csh
cp /bin/ksh /bin/csh

Any good reason to not do this?

Brad



Re: FW: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Stuart VanZee wrote:
> For 8.5.12 see login.conf man page, look for passwordcheck.
> You will have to write (or find) a program that keeps track
> of previously used passwords.  I just stored a hash of them
> in a file and have it check to see if the new password hash
> matches any of the old 4 password hashes.

I considered that as a possible solution as well, but it seems that
approach would weaken the security of the passwords, especially if you
just use an unsalted hash (md5 or sha1) to store them.

Brad



Re: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Leif Blixt wrote:
> Well, I don't think so. You only need to log on to the console when you have 
> big problems, and we have just set a really long and complicated password for 
> the root user and stored it away for emergency use in a safe. You still have 
> the external shell protection by restricting who can access the server room. 
> All other users must use sudo anyway, so you don't need the root password on 
> a daily basis, and that's enough for PCI DSS.
> 
> /Leif


Requirement 8.5 applies to "non-consumer users and administrators". I
would assume that means root at a local console. Let me know what your
QSA determines. It seems some of this is open to interpretation and
depends on the opinion of the QSA.

Brad


> -Original Message-
> From: Brad Tilley [mailto:b...@16systems.com] 
> Sent: den 14 oktober 2010 14:09
> To: Leif Blixt; openbsd-misc
> Subject: Re: Force passwordcheck in login.conf
> 
> Leif Blixt wrote:
>> Hi!
>>
>> We have just figured out a different approach, and will discuss our new idea 
>> with our QSA tomorrow. The idea is to completely turn off the possibility to 
>> log in with passwords, and to use SSH key pairs with long and good 
>> passphrases instead. It will lead to more work with administrating accounts 
>> and there is a small problem on how to distribute the public key to all 
>> servers, but we don't have to set up a RADIUS server just yet!
>>
>> I will let you know what the response from our QSA is.
>>
>> /Leif
> 
> Can you do that? I think local logon would still be an issue, at least
> the way I read it. Anyone in front of the machine at a console would be
> subject to the requirements.
> 
> Brad



Re: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Leif Blixt wrote:
> Hi!
> 
> We have just figured out a different approach, and will discuss our new idea 
> with our QSA tomorrow. The idea is to completely turn off the possibility to 
> log in with passwords, and to use SSH key pairs with long and good 
> passphrases instead. It will lead to more work with administrating accounts 
> and there is a small problem on how to distribute the public key to all 
> servers, but we don't have to set up a RADIUS server just yet!
> 
> I will let you know what the response from our QSA is.
> 
> /Leif

Can you do that? I think local logon would still be an issue, at least
the way I read it. Anyone in front of the machine at a console would be
subject to the requirements.

Brad



Re: Force passwordcheck in login.conf

2010-10-14 Thread Brad Tilley
Leif Blixt wrote:
> Brad Tilley  16systems.com> writes:
> 
>> I was experimenting with a program to meet PCI DSS 1.2 password length
>> and content/complexity requirements and integrating it with login.conf
>> for users who have shell access to OpenBSD systems. It seems to work as
>> expected, but I wanted to run my configuration by misc.
>>
>> I appended the following two lines to the end of both default and staff
>> in login.conf. Look OK?
>>
>> :passwordcheck=/path/to/program:\
>> :passwordtries=0:
>>
>> I understand that it would be easy (and redundant) to use minpasswordlen
>> to meet the length requirement, but it's easy to check that in the
>> program itself.
>>
>> Brad
>>
>>
> 
> 
> We are currently being reviewed for PCI DSS compliance, and the big problems
> we have right now with the combination of PCI DSS and OpenBSD is the following
> PCI DSS requirements:
> 8.5.12 Password history check - you may not use the last 4 passwords.
> 8.5.13 Lockout after 6 failed attempts - OpenBSD does not lock accounts
> automatically.
> 8.5.14 If 8.5.13 takes effect, the account must be locked for at least 30
> minutes.

I concluded the same for requirement 8. See my rough notes here. I plan
to add to that page as I do more testing:

http://16systems.com/OpenBSD/pci.html

> How have you addressed these requirements? I'm starting to think we need a
> RADIUS solution, which seems a bit redundant working with OpenBSD...
> 
> Regards, Leif

RADIUS may do it if the backend can enforce those things (I don't know
enough about this to comment, but OpenLDAP may work). If that cannot do
it, read Appendix B of the PCI DSS carefully. They allow compensating
controls when the requirements cannot be followed precisely.

Brad



Auto Logout Idle Users

2010-10-13 Thread Brad Tilley
I created the file /etc/profile to force sh and ksh to logout users
after a certain period of idleness:

$ cat /etc/profile

# Force sh and ksh to logout idle users after 15 minutes
# Prevent normal users from disabling this setting
readonly TMOUT=900
export TMOUT

That works great. I've tried to do the same to the other default shell
in base (csh). I added 'set autologout=15' to /etc/csh.cshrc and then to
/etc/csh.login as well (I'm turning knobs like a good clueless user).

I then read the csh man page, but saw no mention of autologout. Perhaps
the OpenBSD version of csh does not support this? Is there a way to do
this with csh? If not, I'll need to remove access to the shell.

Thanks

Brad

P.S. I only mean the local shells, not OpenSSH. I do this when required
to autologout idle ssh users:

ClientAliveInterval 900
ClientAliveCountMax 0
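As an added example (not code from this thread or from any of the posters), here is a small Python audit that shows which accounts would still land in a login shell that does not read /etc/profile and so never sees the readonly TMOUT, and whether such shells are still offered in /etc/shells. That is the check behind Darrin's suggestion later in the thread: removing csh from /etc/shells stops chsh(1) from selecting it, but accounts that already have it keep it until someone changes them. The passwd and shells contents below are constructed sample data; which shells count as timeout-aware is an assumption set at the top (sh and ksh, which are one binary in base; anything else is treated as unverified).

```python
# Added example (not from the thread): audit which accounts still get a login
# shell that will not enforce the readonly TMOUT set in /etc/profile.

# Shells that read /etc/profile and honour TMOUT (sh and ksh are one binary in base).
# Assumption for this example: anything else is treated as not enforcing the
# idle timeout until you have verified it yourself.
TIMEOUT_AWARE = {"/bin/sh", "/bin/ksh"}
# Shells that deny interactive login altogether; not a finding.
NON_LOGIN = {"/sbin/nologin", "/bin/false", ""}

# Constructed sample data standing in for /etc/passwd and /etc/shells.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
_sshd:*:27:27:sshd privsep:/var/empty:/sbin/nologin
alice:*:1000:1000:Alice:/home/alice:/bin/ksh
bob:*:1001:1001:Bob:/home/bob:/bin/csh
carol:*:1002:1002:Carol:/home/carol:/usr/local/bin/othersh
dave:*:1003:1003:Dave:/home/dave:/sbin/nologin
"""

SAMPLE_SHELLS = """\
# List of acceptable login shells for this system.
/bin/sh
/bin/csh
/bin/ksh
"""


def parse_passwd(text):
    """Yield (user, login_shell) from passwd(5) lines; refuse malformed lines
    instead of silently skipping an account."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd entry: %r" % line)
        yield fields[0], fields[6]


def parse_shells(text):
    """Return the set of shells listed in shells(5), ignoring comments."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def audit(passwd_text, shells_text):
    """Return (findings, offered):
    findings maps user -> (shell, note) for interactive accounts whose shell
    is not timeout-aware; offered lists non-timeout-aware shells that
    /etc/shells still lets users pick with chsh(1)."""
    allowed = parse_shells(shells_text)
    findings = {}
    for user, shell in parse_passwd(passwd_text):
        if shell in NON_LOGIN or shell in TIMEOUT_AWARE:
            continue
        if shell in allowed:
            note = "still listed in /etc/shells"
        else:
            note = "not in /etc/shells, but the account keeps it until changed"
        findings[user] = (shell, note)
    offered = sorted(s for s in allowed if s not in TIMEOUT_AWARE)
    return findings, offered


def audit_files(passwd_path="/etc/passwd", shells_path="/etc/shells"):
    """Run the audit against the live system files."""
    with open(passwd_path) as p, open(shells_path) as s:
        return audit(p.read(), s.read())


if __name__ == "__main__":
    findings, offered = audit(SAMPLE_PASSWD, SAMPLE_SHELLS)
    for user, (shell, note) in sorted(findings.items()):
        print("%-8s %-24s %s" % (user, shell, note))
    print("non-timeout-aware shells still offered:", ", ".join(offered) or "none")
```

Run as-is it reports against the sample data; call audit_files() on a real box. It only covers the login shell recorded in passwd: as Ben points out later in the thread, a ksh user can still exec /bin/csh while that binary exists, which no passwd audit can detect.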



Re: Force passwordcheck in login.conf

2010-10-13 Thread Brad Tilley
Mark Romer wrote:
> use passwdqc  it is in packages.
> 
> in login.conf under default I have:
> :minpasswordlen=12:\
> :login-tries=4:\
> :passwordtries=3:\
> :passwordcheck=/usr/local/libexec/passwdqc -3 12
> 
> Mark

I've heard complaints that it is too stringent (I tend to agree, no
offense to Solar). PCI DSS 1.2 only requires numbers and alphabetic
chars in the password. So, letmein123 meets the requirement.

Brad



Force passwordcheck in login.conf

2010-10-12 Thread Brad Tilley
I was experimenting with a program to meet PCI DSS 1.2 password length
and content/complexity requirements and integrating it with login.conf
for users who have shell access to OpenBSD systems. It seems to work as
expected, but I wanted to run my configuration by misc.

I appended the following two lines to the end of both default and staff
in login.conf. Look OK?

:passwordcheck=/path/to/program:\
:passwordtries=0:

I understand that it would be easy (and redundant) to use minpasswordlen
to meet the length requirement, but it's easy to check that in the
program itself.

Brad
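As an added example (not code from this thread, from Brad's unnamed program, or from any poster), here is a passwordcheck-style program in Python that covers both points raised in these threads: the PCI DSS 1.2 length and numeric-plus-alphabetic content rules discussed in this post, and the last-four-passwords history check Stuart described, with the history stored as per-entry salted PBKDF2 hashes rather than the unsalted md5/sha1 Brad warned against. login.conf(5) delivers the candidate password on the program's standard input and takes exit status 0 as acceptance; how the user name reaches the program, the /var/db/pwhistory location and the PBKDF2 work factor are assumptions made for this example (bcrypt via crypt(3) would be the native OpenBSD choice).

```python
# Added example (not code from the thread): a passwordcheck-style program that
# enforces PCI DSS 1.2 length/content rules and the "last four passwords"
# history rule using per-entry salted hashes, so the history file does not
# become a list of unsalted md5/sha1 digests.
import hashlib
import hmac
import os
import sys

HISTORY_DEPTH = 4        # PCI DSS 1.2 req. 8.5.12: the last four passwords may not be reused
MIN_LENGTH = 7           # PCI DSS 1.2 req. 8.5.10: at least seven characters
PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example; on OpenBSD,
                         # bcrypt via crypt(3) would be the native choice
HISTORY_DIR = "/var/db/pwhistory"  # assumption: one file per user, mode 0600, owned by root


def hash_password(password, salt=None):
    """Return 'salthex$digesthex'. A fresh random salt per entry means equal
    passwords never produce equal lines, so the file leaks nothing by comparison."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "%s$%s" % (salt.hex(), digest.hex())


def matches(password, entry):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = entry.split("$", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), entry)


def quality_problems(password):
    """Length and numeric+alphabetic content (8.5.10 / 8.5.11). 'letmein123' passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


def history_problem(password, history):
    """Reject the candidate if it equals any of the last HISTORY_DEPTH entries."""
    if any(matches(password, entry) for entry in history[-HISTORY_DEPTH:]):
        return "matches one of the last %d passwords" % HISTORY_DEPTH
    return None


def check_and_record(password, history):
    """Return (accepted, reasons, new_history). Only accepted passwords are
    recorded; the history is trimmed so at most HISTORY_DEPTH hashes are kept."""
    reasons = quality_problems(password)
    problem = history_problem(password, history)
    if problem:
        reasons.append(problem)
    if reasons:
        return False, reasons, history
    return True, [], (history + [hash_password(password)])[-HISTORY_DEPTH:]


def main(argv):
    # Assumption: the user name is supplied as argv[1] (login.conf(5) delivers
    # the candidate password on stdin; how the user name reaches the program is
    # not specified in the thread). Exit 0 accepts, 1 rejects.
    if len(argv) != 2:
        sys.stderr.write("usage: pwcheck USER < password\n")
        return 2
    path = os.path.join(HISTORY_DIR, argv[1])
    history = open(path).read().split() if os.path.exists(path) else []
    password = sys.stdin.readline().rstrip("\n")
    accepted, reasons, history = check_and_record(password, history)
    if not accepted:
        sys.stderr.write("rejected: %s\n" % "; ".join(reasons))
        return 1
    with open(path, "w") as f:  # assumption: directory pre-created with restrictive permissions
        f.write("\n".join(history) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because only accepted passwords are written, a rejected attempt never pollutes the history, and because each entry carries its own salt, a stolen history file gives an attacker no shortcut beyond brute-forcing each hash individually at the chosen work factor.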



Re: insecure scheduler in OpenBSD 4.7

2010-10-11 Thread Brad Tilley
On 10/11/2010 04:59 PM, Martin Schröder wrote:
> 2010/10/11 Dmitry-T :
>> How you use the OpenBSD as web servers and hosting platform?
> 
> RTFAQ
> 
>> Permanently catch and kill processes?
> 
> man ulimit

What do you see when you man ulimit?

> Best
>Martin



Re: Wireless Network GUI

2010-10-07 Thread Brad Tilley
Guillaume DualC) wrote:
> On Thu, 7 Oct 2010 09:33:44 -0300, "Christiano F. Haesbaert"
>  wrote:
>> Why not make a curses GUI ? I find it much more useful than gtk/qt (IMHO).
> 
> In my opinion, the aim of this project is to provide a graphical tool,
> which can be inserted in some WM like XFCE, etc.
> Guillaume.

FLTK is in ports. It creates small, fast and portable standalone GUIs.
I've used it to make a few simple GUI frontends. I like it better than
Python/WxWidgets, or Python/QT, GTK, etc.

Brad



Re: Netbook for OpenBSD?

2010-10-06 Thread Brad Tilley
On 10/06/2010 09:54 PM, Mikle Krutov wrote:
> Hello, list! 
> I'm  a FreeBSD user (a very little experience with openbsd in the past),
> but i'm kind of interested in any bsd flavour (i like *nix, but dislike
> linux for some reasons).
> So, the question is if there is any positive experience with using
> OpenBSD on modern netbooks of the following: 
> 1) Samsung N127
> 2) ASUS Eee PC 900AX
> 3) MSI U120-094
> Or any other models with 10" monitor and 4+ battery lifetime?
> By positive i mean mainly correctly & stable working wireless. 
> If nothing fits, please give me a recommendation which usb wireless card
> should i use. 
> Thank you for your time,

Most places have demos out for customers to test. So, install OpenBSD
-current to a USB stick, then go to Office Max or Best Buy or someplace
similar and boot the Netbooks from the USB stick to see which has the
best supported hardware. Be sure to type on the keyboard too, make sure
it fits your hands.

man the wireless drivers to see a list of supported USB 802.11 cards.

Brad



Re: How to use /dev/srandom

2010-10-04 Thread Brad Tilley
Janne Johansson wrote:

> List of the CURRENT fully implemented tests (as of the 08/18/08 snapshot):
> 
> #=#
> #  dieharder version 3.29.4beta Copyright 2003 Robert G. Brown
> #
> #=#
> Installed dieharder tests:
>  Test Number Test NameTest Reliability
> ===
>   -d 0Diehard Birthdays Test  Good
>   -d 1   Diehard OPERM5 Test   Suspect
>   -d 2Diehard 32x32 Binary Rank Test  Good
>   -d 3  Diehard 6x8 Binary Rank Test  Good
>   -d 4Diehard Bitstream Test  Good
>   -d 5  Diehard OPSO  Good
>   -d 6 Diehard OQSO Test  Good
>   -d 7  Diehard DNA Test  Good
>   -d 8Diehard Count the 1s (stream) Test  Good
>   -d 9  Diehard Count the 1s Test (byte)  Good
>   -d 10 Diehard Parking Lot Test  Good
>   -d 11 Diehard Minimum Distance (2d Circle) Test Good
>   -d 12 Diehard 3d Sphere (Minimum Distance) Test Good
>   -d 13 Diehard Squeeze Test  Good
>   -d 14Diehard Sums TestDo Not Use
>   -d 15Diehard Runs Test  Good
>   -d 16   Diehard Craps Test  Good
>   -d 17 Marsaglia and Tsang GCD Test  Good
>   -d 100STS Monobit Test  Good
>   -d 101   STS Runs Test  Good
>   -d 102   STS Serial Test (Generalized)  Good
>   -d 200   RGB Bit Distribution Test  Good
>   -d 201   RGB Generalized Minimum Distance Test  Good
>   -d 202   RGB Permutations Test  Good
>   -d 203 RGB Lagged Sum Test  Good
>   -d 204RGB Kolmogorov-Smirnov Test Test  Good


Interesting. Looks like ent with more tests. You should submit a port.



Re: How to use /dev/srandom

2010-10-04 Thread Brad Tilley
Janne Johansson wrote:

> What I meant was that one can complain that the NIST programs (diehard
> and dieharder spring to mind) only do certain tests, but that is just
> because no one can make a short program that _proves_ a certain stream is
> random. The only thing available seems to be a series of tests against a
> defined set of properties a random stream shouldn't have, but that list
> isn't conclusive, nor finished.

Check out ent (it's in ports); it does chi-square, entropy, and a few
other tests to grade the data stream. Not perfect, but about the best
you'll do for now.

Brad



Re: Router components

2010-10-04 Thread Brad Tilley
David Higgs wrote:



> I know SSDs don't require TRIM, but most benchmarks are made by
> knob-twiddlers that are presumably overemphasizing the performance
> degradation you get without it.  Is this even noticeable in practice?

I've used an inexpensive SSD (cheapest one I could find at the time) in
an Intel Celeron based OpenBSD home firewall for more than a year. It
works fine. Here is part of an old dmesg:

wd0 at pciide1 channel 0 drive 0: 
wd0: 1-sector PIO, LBA, 61057MB, 125045424 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6

No noise, cool, low power. Try it for a year, then post back your
experience.

Brad



Re: Linux or OpenBSD

2010-09-27 Thread Brad Tilley
Martin Schröder wrote:
> 2010/9/27 Brad Tilley :
>> How many privilege escalation attacks (normal user getting a root shell)
>> has OpenBSD had during the last five years? There have been several of
> 
> The absence of reports doesn't prove that the flaws don't exist (and
> no, I'm not sitting on a 0day for OpenBSD :).
> 
> Best
>Martin

I agree. I only meant that history shows Linux has these and OpenBSD has
not (or very few in comparison). That does not mean OpenBSD is perfect
and will never have a user to root escalation attack. Humans make
mistakes in everything, to include the writing of software.

Brad



Re: Linux or OpenBSD

2010-09-26 Thread Brad Tilley
On 09/26/2010 04:54 PM, Kevin Chadwick wrote:

> It's occurred to me that I think what Theo suggested was actually about
> using more than one architecture, which may be a better method over
> Linux.

How many privilege escalation attacks (normal user getting a root shell)
has OpenBSD had during the last five years? There have been several of
these in the Linux kernel (one just this month). We tested the latest
one and it worked against a fully-patched RHEL box that had the SELinux
"restrictive" policy in place.

I don't mean this as bashing Linux, just pointing out facts. I think
history shows that OpenBSD has a better track record here (if that means
anything to anyone).

Brad



Re: Linux or OpenBSD

2010-09-22 Thread Brad Tilley
Rikky Taylor wrote:
> I was after some general advice. I need to set up a routing firewall with 3
> interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
> 
> 
> 
> Given identical modern server hardware would I expect a performance difference
> between an OpenBSD/PF setup and a Linux/IPTables one?
> 
> 
> 
> Rikky


Either will work fine so long as you purchase good NICs and avoid
cutting-edge (untested) hardware. The only things Linux does noticeably
better are:

* Dealing with SMP
* Dealing with lots and lots of RAM
* Dealing with huge file-systems

None of those things are needed for simple firewalls.

Brad



Re: Atom processor?

2010-06-10 Thread Brad Tilley
FRLinux wrote:
> On Thu, Jun 10, 2010 at 7:32 PM, Joachim Schipper
>  wrote:
>>> I would like to make a firewall / router running OpenBSD.
>> Okay, but what is your question?
> 
> 
> I guess he is asking if all Atom processors are compatible with
> OpenBSD, which i guess is pretty much a given :)

I use it on several atom based netbooks. Works fine. Has for a long time.

> My question (sorry for hijacking this thread) is : is there any people
> on this list who switched from soekris (geode) to atom, and are they
> happy with speed and everything? Reason I mention that is i'd love to
> move my setup to atom/ssd eventually but haven't seen much on the list
> about it.
> 
> Cheers,
> Steph



Re: Processeur Atom

2010-06-10 Thread Brad Tilley
E.T wrote:
> very, very small processor. N270 best performance? . Firewall or desktop ?
> 
> 
>> OpenBSD 4.6-current (RAMDISK_CD) #149: Mon Sep 14 04:31:59 MDT 2009
>> t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
>> cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class)
>> 1.60 GHz
>> cpu0:
>

Maybe, but it beats the pants off the old Asus eeePC I had. It's a
netbook. I use it for portable productivity, coding, testing and web
surfing... not as an Internet gateway/FW.



Re: Processeur Atom

2010-06-10 Thread Brad Tilley
E.T wrote:
> Hi 
> 
> In this text, I have a athlon1 available. But it takes a lot of
> room, very hot, a lot of noise, and consumes much electricity. I try to
> disconnect the fan to see, but the CPU temperature was up to 105 °C in 5
> minutes. Otherwise, OpenBSD operating nickel above, I installed all the
> packets, X-Windows nickel. No problemo. 
> 
> They gave me 15 minutes a Atom
> 510mo. I did an install with all the packets, X-windows crash, crash T_T.
> 
> 
> Atom 230, 330 is the first generation of the processor. 410, 510 is the
> second generation. What is not stated on the website of openbsd. 
> 
> My main
> question and therefore, is that OpenBSD supports a 100%, the atom D510?.
> The X server is configured with more time. But there will be no more bugs
> or conflicts later, more severe and troublesome. 
> 
> Nobody has tested this
> platform. 
> 
> Thank you for the assistance  

My newest atom is this:

OpenBSD 4.6-current (RAMDISK_CD) #149: Mon Sep 14 04:31:59 MDT 2009
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class)
1.60 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,xTPR
real mem  = 1064595456 (1015MB)
avail mem = 1024802816 (977MB)

I have not used anything newer than that in the atom family. But what I
have used works fine.

Brad



Re: pf and "!"

2010-06-10 Thread Brad Tilley
Peter Fraser wrote:
> man pf.conf never describes what "!" does. The "!" is used in some examples
> and a lot of the time it is obvious what will happen. The pf faq has somewhat
> more of an explanation of "!" with multiple addresses, but its explanation
> only refers to the use of "!" in tables. There is never any statement of
> what !addr.


I've always thought it was the logical not.


> I expect that description given in the pf faq covers the behavior of "!" in
> any
> places that ip addresses are given.
> 
> I tripped over this when I want to block 2 ip address from accessing a
> service
> 
> I (and I realize I was wrong ) always considered that
> 
> pass quick  from { addr 1, addr2 }
> 
> Could be written as
> 
> pass quick from addr1
> pass quick from addr2
> 
> but if "!" is used this obviously should not be true
> 
> pass quick from { !addr1,  !addr2 }
> 
> cannot be the same as ( at least I hope since I haven't built the system to
> test it)
> 
> pass quick from !addr1
> pass quick from !addr2
> 
> furthermore the descriptions that do exist do not cover the boundary cases
> 
> such as 192.168.0.1-192.168.0.30 !192.168.0.20-192.168.0.40
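The expansion Peter is worried about, as an added pf.conf example that is not part of the thread. The addresses come from the 192.0.2.0/24 documentation range and the `ext_if` macro is assumed; the comments state what each rule expands to.

```pf
# Added example, not from the thread. Assumed interface and documentation addresses.
ext_if = "em0"

# Weak form: a list is expanded into one rule per member, so this
#   pass in quick on $ext_if proto tcp from { !192.0.2.10, !192.0.2.11 } to any port 22
# becomes
#   pass in quick on $ext_if proto tcp from !192.0.2.10 to any port 22
#   pass in quick on $ext_if proto tcp from !192.0.2.11 to any port 22
# A packet from 192.0.2.10 does not match the first rule but does match the
# second (its source is not 192.0.2.11), so both hosts are still let in.

# Corrected form: name the hosts in a table and block them before the pass rule.
table <denied> const { 192.0.2.10, 192.0.2.11 }
block in quick on $ext_if proto tcp from <denied> to any port 22
pass in quick on $ext_if proto tcp to any port 22
```

Checking the ruleset with `pfctl -nf /etc/pf.conf` parses both forms without complaint; the difference only shows when you test from one of the two hosts, which is why the table form is the safer habit.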



Re: It is 2010. Still no >3GB support by default?

2010-06-07 Thread Brad Tilley
Dexter Tomisson wrote:
> I'd really, really like to know what's the matter with a larger memory
> support?
> 
> Why is 'bigmem' still not default? What faults/bugs does it still have?
> 
> What do you need to make it ok? Do you need a hardware donation to make that
> better,
> do you need few bucks, do you need a good coder to improve that, or again
> some license problems perhaps?,
> what's the problem, share with us please, I'd really like to help with
> everything i can.
> 
> I hope, maybe someday, our beloved Puffy will catch up to the 21st century.

Your multicore, mega-memory box with its 12 jabillionbyte hard disk
would probably be happier some place else.

> Regards.
> 
> deX 



Re: Installer bug? - Upgrade 4.6 to 4.7 failed to upgrade base47, on i386 and amd64

2010-06-05 Thread Brad Tilley

Theo de Raadt wrote:


  If [you] don't know what you are doing, install a new snapshot.


We do this frequently. Works very well. bsd.rd makes it easy to move to 
a new snapshot. We buy -release CDs too, but seldom open them.


Brad



Re: GNU/Linux user wanting to make the switch to OpenBSD for ADSL2+ Router.

2010-05-27 Thread Brad Tilley
Jon Scruggs wrote:

 How reliable is the
> Wireless N with that chipset here?

To my knowledge, there is no 802.11N support in OpenBSD. Read the last
paragraph:

http://www.openbsd.org/cgi-bin/man.cgi?query=athn&sektion=4&apropos=0&manpath=OpenBSD+Current&arch=i386

Brad



Re: Help contacting Richard Stallman

2010-05-26 Thread Brad Tilley
Julian Acosta wrote:

> Really we need to contact with Richard Stallman, just for give us his
> opinion and answer us some questions about free software,
> How can I contact him?
> What's his real email?

Just talk a lot about open source and the Linux operating system. He'll
show up.



Re: Consideration before installing on SSD hard drive

2010-05-22 Thread Brad Tilley

On 5/22/2010 12:21 PM, Marco Peereboom wrote:

Yeah; ignore dos and don'ts; the SSD, if of any quality, will do fine.


That has been my experience with SSDs on OpenBSD and Linux. I've been 
using an inexpensive Kingston SSD for about six months now, it works 
great. Here is an older dmesg from it:


http://16systems.com/OpenBSD/celeron_ssd.txt



On May 22, 2010, at 10:03 AM, jean-francois  wrote:


Good afternoon gents,

I am building up a server with basically a solid state drive for the OS
and a 1 TB hard drive for the data.

In order to maximize the lifetime of the SSD, I will avoid mounting
slices that sustain continuous or sparse write access.

Could you briefly let me know the do's and don't ?

Thanks.

Jean-François




Re: openbsd not blob free?

2010-05-05 Thread Brad Tilley
Kent Watsen wrote:
> There is a discussion on the osol-discuss mailing list this morning where
> it's pointed out that OpenBSD source tree has a blob in it:
> 
> http://osdir.com/ml/opensolaris-discuss/2010-05/msg00095.html
> 
> The location of the blob in the tree is here:
> 
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/microcode/afb/microcode.h?rev=1.1;content-type=text%2Fplain
> 
> A posting from Alan Coopersmith from last December:
> 
> http://lists.freedesktop.org/archives/x-packagers/2009-December/91.html
> 
> The only "official" OpenBSD position statement I could find is on the 3.9
> lyrics page:
> 
> http://www.openbsd.org/lyrics.html#39
> 
> Where it says " OpenBSD remains blob-free"  - not true?

I believe these are device specific (firmware, etc). Here's another:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/microcode/atmel/atmel_intersil_fw.h?rev=1.2;content-type=text%2Fplain



Re: State of multiprocessing and multithreading in OpenBSD

2010-05-05 Thread Brad Tilley
Tony Abernethy wrote:
> Peter N. M. Hansteen wrote:
>> pe...@bsdly.net (Peter N. M. Hansteen) writes:
>>
>>> I would think that would be a fair question to ask the person who
>> told
>>> you PF is garbage because it is multithreaded:
>> eh, "because it is *not* multithreaded:"
>>
> Now watch when application programmers use multithreaded stuff because
> they think it will somehow solve all their problems.

I only find threads useful in GUI programming when there's a need to
make the GUI seem responsive while other stuff is going on. That's about
all the use I have ever gotten from threads although I'm sure some apps
(video encoding, etc.) make heavy use of them since now everyone has
6-way cores, etc.

Brad

> If you ***CAN*** ***EVER*** make such a typo, do you really think
> that they even stand a chance?
> 
> Couple this with wrong-way branches on equal comparisons (edges), and
> you do not even need to get into error-recovery stuff to find a mess.



Re: scp speed ffs/fat

2010-04-28 Thread Brad Tilley
On Thu, 29 Apr 2010 07:09 +0800, shweg...@gmail.com wrote:
> Transfering a file using scp into my home directory gives me this speed 
> (home network): 658.8KB/s
> while copying it directly into a usb stick (fat32) gives me this: 1.5MB/s
> 
> is it normal?

scp is encrypted and traveling across your network. Those things will
impact transfer speeds.

> This is the fstab entry of home:
> /dev/sd0h /home ffs rw,nodev,nosuid,softdep 1 2
> 
> tks
> Still on 4.6, I'm a lazy -release user...



Re: confused about updating -current

2010-04-28 Thread Brad Tilley
On Wed, 28 Apr 2010 17:05 -0500, "Chris Bennett"
 wrote:
> A while back on some thread, someone said that they ran -current 
> versions for a long while, updating ports tree for that snapshot and 
> could "run" with that particular -current as long as they liked by 
> adding packages as needed by building with that ports snapshot, rather 
> than using a later ports tree or packages.
> 
> This seems like it could be a good way to jump forward but not need to 
> constantly update even if a new package is needed, since ports tree 
> holds proper builds for that snapshot at that time.
> 
> Do I understand this correctly that this will work just fine?

That is how I sometimes use -snapshots. I'll download today's i386
snapshot and the snapshot ports.tar.gz. I'll then install and run such a
system for a year or so, sometimes less. I've not had issues with this
approach. In these instances, I do not update the base install or the
ports tree. I just use what I downloaded at that date and time.

Brad



Re: confused about updating -current

2010-04-28 Thread Brad Tilley
On Wed, 28 Apr 2010 08:08 -0600, "Ted Roby"  wrote:
> On Wed, Apr 28, 2010 at 7:53 AM, Brad Tilley  wrote:
> 
> >
> > Nor am I, but I do that often with base installs and have not had any
> > major issues. There would be security concerns (especially with ports if
> > you're using a full blown desktop). You can follow -current if you have
> > the time and ability to keep-up or just occasionally install snapshots
> > and update them periodically.
> >
> >
> OpenBSD-current is unique in respects to all other -current or DEVEL
> or UNSTABLE projects. As Theo said, this is a forward-moving project,
> and Secure by Default. It is not a model where security and bugfixes
> get handled "later". Unique to OpenBSD is the fact that you can listen
> in on just a few mailing lists (ports-changes, src-changes, etc) and
> you will end up with explanations on what is being updated, and maybe
> even why it was changed. The most interesting part is when a Developer
> makes a change indicating many larger changes to come down the road.
> 
> See, these guys do their homework and prepare the way.
> 
> In my opinion the best way to operate OpenBSD is to run -current, and
> keep a fresh eye on changes. To me, stable is nothing more than a
> snapshot in time for those who don't have time to investigate the
> past and future of the project. You can take any given CD set and it'll
> "just work" with plenty of accurate documentation. The newer the
> release the more likely your newer hardware will be supported...
> 
> So, why do you want stable?

I did not say anything about -stable. Occasionally installing snapshots
has nothing to do with -stable. Not sure why you bring it up?

Brad



Re: confused about updating -current

2010-04-28 Thread Brad Tilley
On Wed, 28 Apr 2010 08:37 -0500, "Ahlsen-Girard, Edward F CTR USAF AFSOC
AFSOC/A6OK"  wrote:
> On 2010-04-27 23:01:30 Alastair Johnson wrote:
> 
> > if i install a system from install47.iso taken from the snapshots
> folder on
> > a mirror i end up with a -current system eg:
> >
> > OpenBSD 4.7-current (GENERIC) #636:
> >
> > the docs state that you cant go from -current to -stable so my
> question is -
> > what happens if i do update it?
> > surely thats exactly what will happen once 4.7 is released.
> >
> > ie, if i do this:
> >
> > cd /usr ; cvs -qd anon...@anoncvs.server-somewhere:/cvs get
> -rOPENBSD_4_7 -P
> > src
> >
> > and then follow the instructions for rebuilding the kernel and
> binaries.
> >
> > http://www.openbsd.org/stable.html
> >
> >
> > will i just end up with a mess or a slightly more up to date -current
> >
> > what happens to my 4.7-current system after 4.7 is released. can i
> still
> > update it with bug fixes and security patches etc? surely it will
> become a
> > -stable system?
> >
> > many thanks
> >
> > alastair johnson
> 
> If you want a stable system right away, do a completely fresh install of
> 4.6, and follow the instructions for tracking stable.
> 
> If you don't mind waiting a few days, do a completely fresh install of
> the 4.7 release (which, as Theo pointed out, is NOT -current) and track
> stable from there.
> 
> If for whatever reason you cannot tolerate a fresh install, you *might*
> be able to safely wait ("wait" means, run the system exactly as it is
> today, don't try to update anything at all) until the 4.8 release comes
> out (around November) and upgrade to that.  But I'm in no position to
> say that that is safe.


Nor am I, but I do that often with base installs and have not had any
major issues. There would be security concerns (especially with ports if
you're using a full blown desktop). You can follow -current if you have
the time and ability to keep-up or just occasionally install snapshots
and update them periodically.

Brad

 
> The short answer is start again and install a release this time.
> 
> --
> Ed Ahlsen-Girard, Contractor (EITC)
> AFSOC/A6OK
> email: edward.ahlsen-girard@hurlburt.af.mil
> 850-884-2414
> DSN: 579-2414



Re: confused about updating -current

2010-04-27 Thread Brad Tilley
On Wed, 28 Apr 2010 00:01 +0100, "Alastair Johnson"
 wrote:
> if i install a system from install47.iso taken from the snapshots folder
> on
> a mirror i end up with a -current system eg:
> 
> OpenBSD 4.7-current (GENERIC) #636:
> 
> the docs state that you cant go from -current to -stable so my question
> is -
> what happens if i do update it?

You'll be following -current.

> surely thats exactly what will happen once 4.7 is released.

Right now, your -current system is likely newer than 4.7-release. See
the commits as to when 4.7-release was.

> ie, if i do this:
> 
> cd /usr ; cvs -qd anon...@anoncvs.server-somewhere:/cvs get -rOPENBSD_4_7
> -P
> src
> 
> and then follow the instructions for rebuilding the kernel and binaries.
> 
> http://www.openbsd.org/stable.html
> 
> 
> will i just end up with a mess or a slightly more up to date -current

No mess, but your -current system will be more current. 

> what happens to my 4.7-current system after 4.7 is released. can i still
> update it with bug fixes and security patches etc? surely it will become
> a
> -stable system?
> 
> many thanks
> 
> alastair johnson



Re: reporting a bug in ports/net/flow-tools?

2010-04-27 Thread Brad Tilley
On Tue, 27 Apr 2010 17:41 +0300, "Stas Miasnikou" 
wrote:
> Michael W. Lucas:
> > Sendbug doesn't seem to have a "ports" option, and my bug report
> > doesn't have a single recommend solution in any case, so I'm asking
> > here.
> > 
> > The flow-log2rrd, flow-rpt2rrd, and flow-rptfmt programs in flow-tools
> > each start with the line:
> > 
> > #!/bin/env python
> > 
> > This won't work on OpenBSD.  OpenBSD's env is in /usr/bin, and python
> > is installed (at least on my system) as /usr/local/bin/python2.5.
> > There is no generic "python" command.  These programs will run under
> > any of the 3 python ports.
> 
> The python packages tell you to make symbolic links when you install 
> them.  Not sure about ports though.

Ports are the same, and after the install pkg_info will tell you again;
see the "Install notice":

$ pkg_info python
Information for inst:python-2.5.4p2

Comment:
interpreted object-oriented programming language

Required by:
libxslt-1.1.26
py-libxml-2.7.6

Description:
Python is an interpreted, interactive, object-oriented
programming language that combines remarkable power with
very clear syntax. For an introduction to programming in
Python you are referred to the Python Tutorial. The Python
Library Reference documents built-in and standard types,
constants, functions and modules. Finally, the Python
Reference Manual describes the syntax and semantics of the
core language in (perhaps too) much detail.

Python's basic power can be extended with your own modules
written in C or C++.  On most systems such modules may be
dynamically loaded. Python is also adaptable as an
extension language for existing applications. See the
internal documentation for hints.


Maintainer: Damien Miller 

WWW: http://www.python.org/

Install notice:
If you want to use this package as your default system python, as root
create symbolic links like so (overwriting any previous default):
 ln -sf /usr/local/bin/python2.5 /usr/local/bin/python
 ln -sf /usr/local/bin/python2.5-config /usr/local/bin/python-config
 ln -sf /usr/local/bin/pydoc2.5  /usr/local/bin/pydoc



Re: Is this a case of paranoia?

2010-04-25 Thread Brad Tilley
On Sun, 25 Apr 2010 17:48 +0200, "Danny"  wrote:
> Shane,
> 
> What I have found with our company's installation of Webmarshall is that
> you can
> , for example, go to linux.box.sk and surf around for about 5 mins, then
> all of
> a sudden it gets blocked.

95% of what these devices trigger on are false-positives. Anyone who has
ever dealt with them for any length of time should know that. The trick
is tuning them and white-listing stuff to make them more useful. Bottom
line... there is nothing malicious about openbsd.org websites. Your
network "security device" has yet another false-positive. 

Most people I know don't put these things in block mode precisely for
these reasons. 

Brad
 
> I don't think that Webmarshall is THAT clever to figure out that you are
> on a
> site that contains "unauthorized" content. I think that there is an
> overpaid,
> underworked, MCSE on the Webmarshall server looking for something he can
> use as
> "proof" that they still need his expertise ...
> 
> Danny
> 
> > I hope it is just your employer blocking OpenBSD and Marshal has not
> > added it to their list!



Re: Multibooting (was : OpenBSD culture)

2010-04-19 Thread Brad Tilley
On Mon, 19 Apr 2010 11:07 +0100, "Peter Kay (Syllopsium)"
 wrote:
> OpenBSD does not require a primary partition, nor does NetBSD. Solaris
> does 
> for the moment,
> although code to fix that has been committed.
> 
> I have a Windows 7 x64, OpenBSD, Solaris, NetBSD multiboot. It's not that 
> difficult to arrange.
> 
> I did most of the partitioning in Windows, setting up a primary partition 
> for Solaris, then logical
> partitions for OpenBSD and NetBSD.
> 
> Either the NetBSD or OpenBSD media can then be used to edit the partition 
> types to the
> recognised ones. Install as normal, then use EasyBCD to edit the 
> Vista/Windows 7 boot menu
> - modify as appropriate if you're using grub etc or XP.. 

Another option, assuming an i386 or amd64 PC:

1. Put another hard drive into the computer.
2. Go into the BIOS and make the new hard drive have higher priority.
3. Boot the computer and install OpenBSD onto the new hard drive (Run
dmesg to be sure you're doing the right thing)
4. When you want to go back into the other OS, change the drive priority
in the BIOS and reboot.

Not pretty, but it works and keeps drives separate and no fooling with
grub, partitions, Windows boot loader, etc. 

Brad



Re: OpenBSD culture?

2010-04-15 Thread Brad Tilley
On Sat, 17 Apr 2010 05:20 -0300, "VICTOR TARABOLA CORTIANO"
 wrote:

> Saying that ISC is "more free" than GPL makes no sense

Saying "Do not remove our text" does not restrict your freedom. That's
all the ISC asks of you. Leave the copyright notice and the permission
to use alone.

Brad



Re: OpenBSD culture?

2010-04-14 Thread Brad Tilley
On Wed, 14 Apr 2010 07:17 -0400, "Steve Shockley"
 wrote:
> On 4/14/2010 5:11 AM, Zachary Uram wrote:
> > smacks of superiority and even condescension at times. Is this a fair
> 
> I don't think they're superior and condescending... I think they're 
> superior and busy.
> 
> 

Busy? There are more people who work on some small sections of the Linux
kernel than who work on all of OpenBSD. Read the commits. You'll see
that a few people are doing a lot of high-quality work. This is probably
as much of a resource issue as it is a culture issue.

Brad



Re: Trying to boot OpenBSD on Juniper Networks J2320.

2010-04-13 Thread Brad Tilley
On Tue, 13 Apr 2010 19:29 -0400, "bofh"  wrote:
> Now I'm curious - in what way would a "decent juniper hardware" be
> better than some off the shelf stuff? 

MTBF is greater. If you don't care about that, there's probably not much
difference... unless you need routers in space. Not sure a home-built
newegg box would pass the tests, but you never know:

http://www.networkworld.com/community/node/48399



Re: Soekris net5501 locks up with Ralink 2860 miniPCI

2010-04-07 Thread Brad Tilley
On Wed, 07 Apr 2010 07:18 -0600, "Daniel Melameth" 
wrote:
> On Wed, Apr 7, 2010 at 7:04 AM, Stuart Henderson 
> wrote:
> > The newest ones that I've had personal experience of being problem-
> > free in AP mode are the old PRISM cards (when running suitable firmware
> > on them) and one specific model of ath(4) (the one IBM used to use in
> > some Thinkpads)...
> 
> The only AP that ever worked reliably for me was the venerable 11b
> wi(4).
> 
> > I've had reasonable success with RT2860 ral(4) and acx(4) but there
> > have been some problems. RF performance of the 2.4GHz RT2860 has been
> > really good for me, but there are still problems, I have to ifconfig
> > down+up from cron to avoid the worst of the hangs on some AP dealing
> > with a wider range of clients (probably the same as you see e.g.
> > client associates but doesn't get working network access).. acx(4)
> > are near impossible to obtain without ripping them from a commercial
> > AP (and there they aren't widely used any more) and RF performance
> > isn't so good but they were working a bit more reliably for me.
> > So with heavy heart I had to resort to commercial boxes in some places...
> 
> I concur with this completely.  I have used over a half dozen
> different pieces of hardware in an attempt to find a stable AP
> solution on OpenBSD--and have worked with a couple developers to track
> down and fix various bugs--but I was never able to achieve this.  If
> you want a stable AP, that'll work with varied clients, you will
> likely not find it in OpenBSD at this time.

Me too. Went to the Penguin! Felt bad about it, but now have a stable
AP.



Re: feature request: fallback boot image

2010-04-02 Thread Brad Tilley
On Fri, 02 Apr 2010 17:08 +0200, "Paul de Weerd" 
wrote:

> Your timeout idea is interesting. The bootloader loads the kernel
> image and then starts executing it. After this, the bootloader is no
> longer active, who will do this timing out ? The kernel (or the
> garbage that was loaded in its place) is the only code running at
> this point.

Probably naive of me to think that the bootloader could get some sort of
return code (0 = OK). Maybe it's too late for it to do anything at that
point. I don't know the process well enough to talk intelligently about
it, just curious.



> You seem to have a valid issue, but a proper solution does not appear
> to be obvious to me. I take it you don't have two machines under your
> control in these remote locations so you could exchange serial console
> between the two ? (a USB to serial adapter on one machine connected to
> the serial port of the other and vice versa)

I've done this a lot. Usually it works very well. Old, low-power
hardware can be used that no longer has much purpose.

Brad



Re: Anomaly on /var available space

2010-03-27 Thread Brad Tilley
On Sat, 27 Mar 2010 13:09 +0100, "Peter N. M. Hansteen"
 wrote:
> Kabayan  writes:
> 
> > Problem solve after I restart pflogd
> > New problem is Why the pflogd process almost use 100% capacity of my /var ?
> 
> My guess would be that your pf.conf logs traffic with log (all) on at
> least one rule that matches a lot of traffic, and possibly your
> newsyslog.conf does not implement a very aggressive log rotation
> schedule.
>
> Logging all packets is not all that useful unless you're deep in
> debugging something. 

I occasionally log packets that pf blocks (just to see who is poking
around). Normally, that's about 100K per hour and only 4 old logs are
kept so a small /var is OK most of the time.  Then one day, some new
network gear was installed that messed-up the layer 2 bridging and
introduced a loop and STP stopped working. From that came a huge
broadcast storm. pf logs filled up a 4GB /var in 3 minutes. I've never
seen that many packets in that short amount of time. I still log pf
blocks and 99% of the time, it's OK.

Brad



Re: gnu grep -o flag

2010-03-24 Thread Brad Tilley
No.

i...@iso2:~/Desktop$ grep import IDS_targets.py 
import MySQLdb
import socket
import getpass
import datetime

i...@iso2:~/Desktop$ grep import -o IDS_targets.py 
import
import
import
import


On Wed, 24 Mar 2010 13:33 -0500, "Marco Peereboom" 
wrote:
> huh?
> 
> didn't you just grep for that?
> 
> On Wed, Mar 24, 2010 at 07:00:06PM +0200, Gregory Edigarov wrote:
> > Hello Everybody,
> > 
> > Just wonder how could one implement what gnu grep -o flag does using
> > our toolchain? 
> > 
> > from ggrep(1):
> > 
> >  -o, --only-matching
> >   Show  only the part of a matching line that matches
> >   PATTERN.
> > 
> > 
> > -- 
> > With best regards,
> > Gregory Edigarov
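Reimplementing the `-o` behaviour the thread asks about, as an added example that is not from the list or from OpenBSD's own tools: a stand-in for GNU grep -o written against awk(1), which is in base. It prints each match of an extended regular expression on its own line and skips empty matches, as grep -o does. The `demo` input lines are constructed to resemble the grep output shown above.

```shell
#!/bin/sh
# Added example, not from the thread: GNU grep -o behaviour using only awk(1).

only_matching() {
    # usage: only_matching PATTERN [FILE ...]; reads stdin when no FILE is given.
    # The pattern is handed to awk through the environment so that awk does not
    # apply backslash-escape processing to it, as it would with -v.
    pat=$1
    shift
    pat="$pat" awk '
    BEGIN { p = ENVIRON["pat"] }
    {
        line = $0
        while (match(line, p)) {
            if (RLENGTH == 0) {
                # zero-length match (e.g. "x*"): step over one character, never loop forever
                line = substr(line, RSTART + 1)
                if (line == "") break
                continue
            }
            print substr(line, RSTART, RLENGTH)
            # continue scanning after the match; note that "^" now anchors
            # to the remaining text, which differs from grep -o for anchored patterns
            line = substr(line, RSTART + RLENGTH)
        }
    }' "$@"
}

# Constructed sample lines (not a real file) in the style of the IDS_targets.py grep above.
demo() {
    printf '%s\n' 'import MySQLdb' 'import socket' 'x = 12 + 345' 'import getpass' |
        only_matching "$1"
}

# Example: demo import   -> prints "import" three times, one per line
# Example: demo '[0-9]+' -> prints 12 and 345 on separate lines
```

Because `match()`, `RSTART` and `RLENGTH` are POSIX awk, the same function works unchanged on OpenBSD's awk and on GNU awk.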



Re: 4.6 patch support

2010-03-22 Thread Brad Tilley
On Mon, 22 Mar 2010 14:45 +0100, "Marc Espie"  wrote:
> On Mon, Mar 22, 2010 at 08:11:53AM -0400, Woodchuck wrote:
> > Ports/packages are sort of hit-or-miss.
> > 
> > This is a very Spartan situation, and comes from a shortage of
> > resources.
> 
> Partly.
> 
> Being able to drop old shit fairly quickly is also very important in
> terms
> of quality, since we don't have to read through a maze of old code
> ifdefs.
> 
> If you prefer, sure it's a shortage of resources. We want to maximize
> quality with limited resources, and so we err on the side of aggressive
> removal of dying features.
> 
> It would take a *massive* influx of resources to change that situation.

This is a great point in general about OpenBSD. Look at the commits of
the Linux kernel or FreeBSD versus the commits of OpenBSD... the
difference is huge. Not only in terms of number of commits, but also
number of developers making the commits. OpenBSD does a lot with what
little they have when compared to other projects... just my opinion.

Brad

> Even with more resources, we will still prefer quality over long-term
> support.  With lots and lots of resources, we could possibly reengineer
> long-term support without sacrificing quality.
> 
> Think about it. What do you prefer ? half-baked support and badly broken
> features, or good support over a limited period of time, and the best
> features we can create ?



Re: recent hardware with older OpenBSD versions

2010-03-21 Thread Brad Tilley
On Sun, 21 Mar 2010 11:36 +0100, "T. Valent"  wrote:

> In the end it seems like I have to give up the idea of keeping all
> installations on the same level, it seems like I have create a complete
> new platform (new motherboard type and new OpenBSD version) for all new
> customers, just because I cannot find any compatible motherboard anymore.

Some manufacturers, such as ASUS, produce boards that are guaranteed to
be available for X months with the same chipsets. They call it "ASUS
Corporate Stable". Check out their website.



Re: script to update dyndns IP

2010-03-19 Thread Brad Tilley
On Fri, 19 Mar 2010 00:20 -0700, "Aaron Stellman"  wrote:
> On Thu, Mar 18, 2010 at 09:52:28PM -0400, Brad Tilley wrote:
> > There are ports that do this with more features, but I thought others
> > might like to do it in base with no added software. I've been using this
> > script since 4.2 and it works OK:
> 
> since when is net/curl in base?

It's not. My mistake. Thanks to some suggestions off-list on using lynx
rather than curl, this seems to work OK:


#!/bin/ksh

# Cron this script to run every X minutes. Written for OpenBSD base.
# set FORCE_SSL_PROMPT:yes in /etc/lynx.cfg

user=test
pass=test
host=test.dyndns.org

# Get current IP: 4th field of the checkip page text, blank lines removed.
lynx -dump http://checkip.dyndns.org:8245/ | awk '{print $4}' | sed '/^$/d' > ip_new.txt

# Compare new with old.
diff ip_new.txt ip_old.txt

# If different, send update.
if [ $? -ne 0 ]
then
  ip=$(cat ip_new.txt)
  # Following two lines are optional. Log date of change and IP history.
  date >> ip_date.txt
  cat ip_old.txt >> ip_history.txt
  lynx -dump -auth=${user}:${pass} \
  "https://members.dyndns.org/nic/update?hostname=${host}&myip=${ip}"
fi

# Whether a change has occurred or not, overwrite old with new
cp -f ip_new.txt ip_old.txt



Re: script to update dyndns IP

2010-03-18 Thread Brad Tilley
On Thu, 18 Mar 2010 21:52 -0400, "Brad Tilley" 
wrote:
> There are ports that do this with more features, but I thought others
> might like to do it in base with no added software. I've been using this
> script since 4.2 and it works OK:
> 
> #!/bin/ksh
> 
> # Cron this script to run every X minutes. Written for OpenBSD.
> 
> # Get Current IP
> lynx -dump http://checkip.dyndns.org:8245/ | awk '{print $4}' | sed '/^$/d' > ip_new.txt
> 
> # compare new with old
> diff ip_new.txt ip_old.txt
> 
> # if different, send update
> if [ $? -ne 0 ]
> then
>   #echo "The IP has changed"
>   ip=$(cat ip_new.txt)
>   # Following two lines are optional. Log date of change and IP history.
>   date >> ip_date.txt
>   cat ip_old.txt >> ip_history.txt
>   curl --insecure \
> "https://user:p...@members.dyndns.org/nic/update?hostname=host.xxx&myip=$ip&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG"
> fi
> 
> # Whether a change has occurred or not, overwrite old with new
> cp ip_new.txt ip_old.txt


I was under the impression that curl was in base. My mistake. It must
have been pulled in as a dependency somewhere, as I don't recall explicitly
installing it. I understand that lynx can be used to replace curl.

Brad



script to update dyndns IP

2010-03-18 Thread Brad Tilley
There are ports that do this with more features, but I thought others
might like to do it in base with no added software. I've been using this
script since 4.2 and it works OK:

#!/bin/ksh

# Cron this script to run every X minutes. Written for OpenBSD.

# Get Current IP
lynx -dump http://checkip.dyndns.org:8245/ | awk '{print $4}' | sed '/^$/d' > ip_new.txt

# compare new with old
diff ip_new.txt ip_old.txt

# if different, send update
if [ $? -ne 0 ]
then
  #echo "The IP has changed"
  ip=$(cat ip_new.txt)
  # Following two lines are optional. Log date of change and IP history.
  date >> ip_date.txt
  cat ip_old.txt >> ip_history.txt
  # --insecure skips TLS certificate verification of the update server.
  curl --insecure \
  "https://user:p...@members.dyndns.org/nic/update?hostname=host.xxx&myip=$ip&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG"
fi

# Whether a change has occurred or not, overwrite old with new
cp ip_new.txt ip_old.txt
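The same fetch/compare/update loop, as an added example that is not the script posted in this thread or its lynx variant above. It keeps the structure of both but validates the text the checkip page returned before that text is put into an update URL (a blank page or an error page would otherwise be sent as `myip=`), and reads the credentials from a separate root-owned mode 0600 file rather than hard-coding them. `STATE_DIR`, `CRED_FILE` and the sample page text are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumed paths are placeholders.

STATE_DIR=${STATE_DIR:-/var/db/dyndns}    # assumed; holds ip_old.txt
CRED_FILE=${CRED_FILE:-/etc/dyndns.cred}  # assumed; mode 0600, lines: user=... pass=... host=...

# Return 0 only for a dotted quad whose four octets are each in 0-255.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the first dotted-quad token in the page text on stdin (nothing if none).
# HTML tags are blanked first so "1.2.3.4</body>" still yields the address.
extract_ip() {
    awk '{
        gsub(/<[^>]*>/, " ")
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
    }'
}

# Decide what to do: 0 = address changed (send update), 1 = unchanged,
# 2 = the fetched value is not an address (refuse to send it anywhere).
check_ip() {
    new=$1
    old=$2
    valid_ipv4 "$new" || return 2
    [ "$new" != "$old" ] || return 1
    return 0
}

# Send the update with lynx, as in the thread; credentials come from CRED_FILE.
send_update() {
    . "$CRED_FILE"
    lynx -dump -auth="${user}:${pass}" \
        "https://members.dyndns.org/nic/update?hostname=${host}&myip=$1"
}

# Extract, validate, compare, update. $1 is the raw checkip page text.
update_if_changed() {
    new=$(printf '%s\n' "$1" | extract_ip)
    old=$(cat "$STATE_DIR/ip_old.txt" 2>/dev/null)
    rc=0
    check_ip "$new" "$old" || rc=$?
    case $rc in
        0) send_update "$new" && printf '%s\n' "$new" > "$STATE_DIR/ip_old.txt" ;;
        1) ;;   # unchanged, nothing to do
        2) logger -t dyndns "refusing to use non-address '$new' from checkip"; return 2 ;;
    esac
}

# Constructed sample of what the checkip service returns (documentation address).
SAMPLE_PAGE='<html><body>Current IP Address: 203.0.113.7</body></html>'

# Cron entry point (not run here so the functions can be sourced for testing):
#   update_if_changed "$(lynx -dump http://checkip.dyndns.org:8245/)"
```

The state file is only rewritten after a successful update call, so a failed update is retried on the next cron run instead of being silently forgotten, which is the other behaviour the `cp ip_new.txt ip_old.txt` line in the original loses.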



Re: kde4 dead?

2010-03-15 Thread Brad Tilley
On Mon, 15 Mar 2010 10:56 -0400, "Brad Tilley" 
wrote:
> On Mon, 15 Mar 2010 15:27 +0100, "Antoine Jacoutot"
>  wrote:
> > On Mon, 15 Mar 2010, Tobias Ulmer wrote:
> > 
> > > On Mon, Mar 15, 2010 at 04:33:03AM -0500, Donald Cooley wrote:
> > > > openports shows that the openbsd version of kde4 is nearly two years
> > > > old.  are there any future plans to update kde4?
> > > > 
> > > > Regards,
> > > > Donald Cooley
> > > 
> > > http://lists.kde.org/?l=kde-devel&w=2&r=1&s=openbsd&q=b
> > > KDE doesn't give a fuck about OpenBSD, so why should we?
> > 
> > Actually, KDE only cares about Linux.
> 
> The isfinite() issue? That's C99 and POSIX stuff, right? Or are you guys
> talking about something else? OpenBSD does have a log2() (unlike FreeBSD
> 7.x) even though you can get there by doing log()/log(2). 
> 
> Brad

Never mind. I did not realize that list was a result of a search for
OpenBSD. Duh.



Re: kde4 dead?

2010-03-15 Thread Brad Tilley
On Mon, 15 Mar 2010 15:27 +0100, "Antoine Jacoutot"
 wrote:
> On Mon, 15 Mar 2010, Tobias Ulmer wrote:
> 
> > On Mon, Mar 15, 2010 at 04:33:03AM -0500, Donald Cooley wrote:
> > > openports shows that the openbsd version of kde4 is nearly two years
> > > old.  are there any future plans to update kde4?
> > > 
> > > Regards,
> > > Donald Cooley
> > 
> > http://lists.kde.org/?l=kde-devel&w=2&r=1&s=openbsd&q=b
> > KDE doesn't give a fuck about OpenBSD, so why should we?
> 
> Actually, KDE only cares about Linux.

The isfinite() issue? That's C99 and POSIX stuff, right? Or are you guys
talking about something else? OpenBSD does have a log2() (unlike FreeBSD
7.x) even though you can get there by doing log()/log(2). 

Brad

> -- 
> Antoine



Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread Brad Tilley
On Thu, 11 Mar 2010 15:43 +, "TS Lura"  wrote:
> I'm sorry.
> 
> My intent was not to be inflammatory.
> 
> My experience with Cisco as a company is limited, so I'm therefore trying
> to
> find out more. In that process I may be asking a controversial question,
> which for some is quite obvious.
> 
> Thanks for the replies so far.
> 
> .tsl

Do they donate to OpenSSH? They use it a lot, but they are not listed
here:

http://openbsd.org/donations.html

Maybe they donate privately.

Brad



Intel Gigabit ET NIC Quad Port

2010-03-10 Thread Brad Tilley
We're considering this card for an OpenBSD Snort box. I think em
supports it well. It uses the 82576EB controller. Has anyone used the
card much? If so, are you satisfied with it? 

http://ark.intel.com/Product.aspx?id=36796

Thanks,

Brad



Re: OT: multiple web servers on OpenBSD (WAS: OT: vmware blah blah)

2010-03-08 Thread Brad Tilley
On Mon, 08 Mar 2010 10:18 -0700, "Ted Roby"  wrote:

> I can think of one good reason I need a vm machine:
> So I can put OpenBSD on the Xserves, and run OSX in the vm for mac-only
> apps the client requires.

Another good reason:

Reverting compromised Windows machines back to a point in time when they
were probably clean (or at least not obviously infected). The malware
served up in some of the ads on the Intertubes is horrible. Even ads on
mainstream websites can cause severe infestations.

Brad



Re: -current or -stable [was: Not another Browser Question]

2010-03-04 Thread Brad Tilley
On Thu, 04 Mar 2010 15:12 -0500, "nixlists"  wrote:

> It seems the opinion on running current in production ranges from
> being overly optimistic to being very cautious. If running -current in
> production is only recommended for people who are intimately familiar
> with the internals, doesn't that exclude many if not most users?

You don't have to be an expert to run -current. If you can read and
follow instructions, you can do it. The process is well-documented. It's
like following a grand recipe while preparing a gourmet dish... most
people (who can cook) can do it if they really want.

Brad



Re: -current or -stable [was: Not another Browser Question]

2010-03-04 Thread Brad Tilley
On Thu, 04 Mar 2010 11:44 -0500, "nixlists"  wrote:
> On Thu, Mar 4, 2010 at 11:35 AM, Chris Bennett
>  wrote:
> > You are talking about two separate issues.
> >
> > Stability is not related to security directly.
> > The two are intricately combined but not the same.
> 
> But both are related to downtime and data loss. I understand stability
> bugs are likely to pop-up more often with current, and this has been
> my experience. Weird freezes without panic that I did not have with
> release/stable.

I've had good experience with -current with no major stability problems.
Of course, this is usage scenario 1), where I install a snapshot and use
it for a few years before updating to -current again.

Brad



Re: -current or -stable [was: Not another Browser Question]

2010-03-03 Thread Brad Tilley
On Wed, 03 Mar 2010 09:02 -0500, "Scott McEachern" 
wrote:
> Manuel Giraud wrote:
> > I wasn't clear enough: by "new package", I meant "a package not
> > installed on my system yet" and not "the bleeding edge version of one
> > package".
> >
> >   
> Ah ok, sorry, I misunderstood.
> > Maybe I'll stick to -current too. But I'd like to give try staying
> > -stable for a while and I could still play with the new toys every 6
> > month anyway. I wonder why does the FAQ recommend -stable over -current?
> >
> >   
>  From the FAQ:
> 
> "Put bluntly, the "best" version of OpenBSD is /-current/."
> 
> Please read the FAQ.  It is explained why there are situations where 
> -stable is more _suitable_ for some people, -current for others.

If -stable does not work for you, there are at least two ways (in my
mind) to use -current.

1. Download today's snapshot, which is -current, along with the
ports.tar.gz that comes with it and then install and use that for months
without actively following -current. Basically, you don't try to keep up
and are only -current for a short while. I do that sometimes and have
never had an issue. At times you may end up with a funky system that is
not -stable or -current but it works just fine and has appropriate
documentation.

2. Download today's snapshot, which is -current, and then actively keep
up with the source tree. Most people probably use -current in this
fashion and this is probably the way the developers intend for it to be
used.

As a user, I can only speak for myself, but having used -current in both
ways, I can say that either approach works.

Brad



Re: fsck UNEXPECTED INCONSISTENCY

2010-03-02 Thread Brad Tilley
On Tue, 02 Mar 2010 07:50 -0800, "J.C. Roberts"
 wrote:
> And I thought I was expected to be inconsistent. ;)
> 
> Anyhow, I was upgrading from the Feb 2, to the most recent snapshot, and
> fsck is coming up with a problem on one of my partitions. I can probably
> get it working ("fix" is such a strong word) with `fsck -fy` but my real
> concern is if the drive is failing?
> 
> atactl tells me everything is just fine?
> 
> I have a nearly identical system, with the same type of disk, which
> reports similar atactl attributes... but then again, I don't really trust
> SATA/PATA drives very much or their supposedly "smart" monitoring.
> 
> The data on the system is not only backed up, but it's also easily
> replaced since the machine is only used for src and ports builds. I think
> I might lose a total of a few newly downloaded distfiles since the last
> backup.
> 
> What I really want to do here is understand *why* some portion of the
> disk has become unreadable?


cd /bad_partition && dd if=/dev/zero of=big_file.zero bs=512 conv=sync,noerror

Let it run until it finishes. That won't explain why the sectors are
bad, but it may give a good indication of the problem area and answer
the failing drive question. If dd reports IO issues, you may want to
replace the drive.

Brad

 
> All of the below were done in single user mode over serial.
> (sorry about the width)
> 
> 
> # atactl wd0 smartenable
> # atactl wd0 readattr
> Attributes table revision: 16
> ID   Attribute name                     Threshold  Value  Raw
>   3  Spin Up Time                              63    180  0x46f2
>   4  Start/Stop Count                           0    253  0x00d2
>   5  Reallocated Sector Count                  63    253  0x0007
>   6  Read Channel Margin                      100    253  0x
>   7  Seek Error Rate                            0    253  0x
>   8  Seek Time Performance                    187    253  0x9edb
>   9  Power-On Hours Count                       0    235  0xee5c
>  10  Spin Retry Count                         157    253  0x
>  11  Calibration Retry Count                  223    253  0x
>  12  Device Power Cycle Count                   0    253  0x00f0
> 192  Power-Off Retract Count                    0    253  0x
> 193  Load Cycle Count                           0    253  0x
> 194  Temperature                                0    253  0x000f
> 195  Hardware ECC Recovered                     0    253  0x170d
> 196  Reallocation Event Count                   0    253  0x
> 197  Current Pending Sector Count               0    253  0x0001
> 198  Off-Line Scan Uncorrectable Sect           0    253  0x
> 199  Ultra DMA CRC Error Count                  0    199  0x
> 200  Write Error Rate                           0    253  0x
> 201  Soft Read Error Rate                       0    253  0x
> 202  Data Address Mark Errors                   0    253  0x
> 203  Run Out Cancel                           180    253  0x0001
> 204  Soft ECC Correction                        0    253  0x
> 205  Thermal Asperity Check                     0    253  0x
> 207  Spin High Current                          0    253  0x
> 208  Spin Buzz                                  0    253  0x
> 209  Offline Seek Performance                   0    253  0x
>  99  Unknown                                    0    253  0x
> 100  Unknown                                    0    253  0x
> 101  Unknown                                    0    253  0x
> #
> 
> 
> # atactl wd0 smartstatus
> No SMART threshold exceeded
> # 
> 
> 
> # atactl wd0 identify
> Model:6Y250L6, Rev: YAR41BW0, Serial #: 
> Device type: ATA, fixed
> Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 490234752
> Device capabilities:
> ATA standby timer values
> IORDY operation
> IORDY disabling
> Device supports the following standards:
> ATA-1 ATA-2 ATA-3 ATA-4 ATA-5 ATA-6 ATA-7 
> Device supports the following command sets:
> NOP command
> READ BUFFER command
> WRITE BUFFER command
> Host Protected Area feature set
> Read look-ahead
> Write cache
> Power Management feature set
> SMART feature set
> Flush Cache Ext command
> Flush Cache command
> Device Configuration Overlay feature set
> 48bit address feature set
> Automatic Acoustic Management feature set
> Set Max security extension commands
> Advanced Power Management feature set
> DOWNLOAD MICROCODE command
> SMART self-t

Re: Advice requested on modem & WiFi for old notebook

2010-03-01 Thread Brad Tilley
On Mon, 01 Mar 2010 20:41 -0500, "Dave Anderson" 
wrote:
> I've inherited an old notebook (Sony Vaio PCG-FX120) and installed
> 4.6-release on it; while I haven't yet done extensive testing, most
> things (except the LoseModem, of course) seem to work (full dmesg
> below, and sent to dm...@openbsd.org).
> 
> Now I want to add WiFi and a working modem to it and, based on looking
> through the dmesg and the man pages for 802.11 device drivers, there are
> a couple of issues I'd like to understand better before buying anything.
> I'd appreciate either direct answers or pointers to places which discuss
> this that I haven't found.  (I've done some searching of the mailing
> list archives, but my search-fu is not strong.)  Any general comments on
> using pcmcia vs cardbus vs USB for WiFi or a modem are also welcome.
> After I've narrowed the list of possible devices I plan to do more
> specific searching of the mailing-list archives.


USB 802.11 devices work well and are inexpensive. The man pages provide
specific brands with model numbers. apropos wireless and then man the
drivers to find one you like. I've had good experience with rum and run
based devices.

Brad


> The system has two pcmcia/cardbus slots and 2 USB ports.  What seem to
> me to be the relevant dmseg lines and the questions they raise are:
> 
> pcmcia
> 
>   pcic0 at isa0 port 0x3e0/2 iomem 0xd/16384
>   pcic0 controller 0:  has sockets A and B
>   pcmcia0 at pcic0 controller 0 socket 0
>   pcmcia1 at pcic0 controller 0 socket 1
>   pcic0: irq 3, polling enabled
> 
>   This appears to be fully functional.
> 
> cardbus
> 
>   cbb0 at pci1 dev 2 function 0 "Ricoh 5C476 CardBus" rev 0x80: couldn't
>   map interrupt
>   cbb1 at pci1 dev 2 function 1 "Ricoh 5C476 CardBus" rev 0x80: couldn't
>   map interrupt
> 
>   Since I didn't see any "not configured" messages for cbb*, my guess is
>   that this is at least partly functional; is that correct?  What
>   limitations does the "couldn't map interrupt" message imply for WiFi
>   or modem use?  (There don't seem to be any BIOS options which affect
>   this.)
> 
> USB
> 
>   uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x03: irq 9
>   uhci1 at pci0 dev 31 function 4 "Intel 82801BA USB" rev 0x03: irq 11
>   usb0 at uhci0: USB revision 1.0
>   uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
>   usb1 at uhci1: USB revision 1.0
>   uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> 
>   Most of the man pages for USB 802.11 drivers mention USB 2.0; at least
>   one specifically states that USB 1.0 is not supported.  Other than
>   actually trying each one, how can I tell which of them will work with
>   USB 1.0?
> 
> Thanks for any help.
> 
>   Dave
> 
> OpenBSD 4.6 (GENERIC) #58: Thu Jul  9 21:24:42 MDT 2009
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel Pentium III ("GenuineIntel" 686-class) 696 MHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
> real mem  = 333475840 (318MB)
> avail mem = 313233408 (298MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 03/13/01, BIOS32 rev. 0 @ 0xfd878,
> SMBIOS rev. 2.31 @ 0xd8010 (38 entries)
> bios0: vendor Phoenix Technologies LTD version "R0211U0" date 03/13/01
> bios0: Sony Corporation PCG-FX120(UC)
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> acpi at bios0 function 0x0 not configured
> pcibios0 at bios0: rev 2.1 @ 0xfd860/0x7a0
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
> pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #3 is the last bus
> bios0: ROM list: 0xc/0xc000 0xd8000/0x4000! 0xdc000/0x4000!
> cpu0 at mainbus0: (uniprocessor)
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82815 Host" rev 0x11
> vga1 at pci0 dev 2 function 0 "Intel 82815 Video" rev 0x11
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> intagp0 at vga1
> agp0 at intagp0: aperture at 0xf800, size 0x400
> ppb0 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x03
> pci1 at ppb0 bus 1
> mem address conflict 0x13f0/0x1000
> mem address conflict 0x13f01000/0x1000
> "TI TSB43AA22 FireWire" rev 0x02 at pci1 dev 0 function 0 not configured
> cbb0 at pci1 dev 2 function 0 "Ricoh 5C476 CardBus" rev 0x80: couldn't
> map interrupt
> cbb1 at pci1 dev 2 function 1 "Ricoh 5C476 CardBus" rev 0x80: couldn't
> map interrupt
> fxp0 at pci1 dev 8 function 0 "Intel 82562" rev 0x03, i82562: irq 9,
> address 08:00:46:14:eb:5a
> inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
> ichpcib0 at pci0 dev 31 function 0 "Intel 82801BAM LPC" rev 0x03: 24-bit
> timer at 3579545Hz
> pciide0 at pci0 dev 31 function 1 "Intel 82801BAM IDE" rev 0x03: DMA,
> channel 0 wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 d

OT: Cloud Computing Security

2010-02-25 Thread Brad Tilley
Is it too early for Friday humor? If not, here are some clowns worth
watching:

http://www.youtube.com/watch?v=VjfaCoA2sQk



Re: OpenBSD insecure OS?

2010-02-24 Thread Brad Tilley
On Wed, 24 Feb 2010 19:36 +, "carlos albino garcia grijalba"
 wrote:
> Folks, I don't mean obsd is insecure, I love obsd, I've been using it for 5
> years.
> I just want the community to read the history.
> Sorry.


OpenBSD doesn't have the rubber stamps. That's what confuses people.
However, it has been certified for use by circus clowns (under certain
conditions and restrictions):

http://marc.info/?l=openbsd-misc&m=126596870506480&w=2

 
> > Date: Wed, 24 Feb 2010 12:20:03 -0700
> > From: dwchand...@stilyagin.com
> > To: genesi...@hotmail.com
> > CC: misc@openbsd.org
> > Subject: Re: OpenBSD insecure OS?
> >
> > On Wed, Feb 24, 2010 at 07:02:15PM +, carlos albino garcia grijalba
> wrote:
> > > I found this:
> > > http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
> > >
> > > so ?
> >
> > http://marc.info/?t=12641295802&r=1&w=2
> >
> > So.
> >
> > --
> > Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
> > dwchand...@stilyagin.com   |  http://phxbug.org/  |
> http://metabug.org/
> > http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG
> Federation
> 



Re: OpenBSD Volunteer needed today in Los Angeles - Solved!

2010-02-21 Thread Brad Tilley
On Sun, 21 Feb 2010 15:35 -0800, "Michael Dexter" 
wrote:
> Thank you Seth and Brooke for materializing and putting on a great
> OpenBSD booth at SCaLE in Los Angeles.
> 
> Overheard question of the day: Could you please get EAL level 4
> certification so I can use you in the US Air Force? (Milaero country...)

Glad the booth was manned... however, with time, money and the right
scenario, anyone can get a rubber stamp: 

http://web.archive.org/web/20060527063317/http://eros.cs.jhu.edu/~shap/NT-EAL4.html

> Michael



Re: OT: opinions on IDS / IPS solutions

2010-02-18 Thread Brad Tilley
On Wed, 17 Feb 2010 22:59 -0500, "Jason Beaudoin"
 wrote:
> Hi There,
> 
> As I often have greater respect for a much larger portion of this list
> than the rest of the internet, I am curious what is thought about
> current IDS/IPS hardware from vendors like Trustwave, Checkpoint,
> Alert Logic, mod_security, even snort.. etc, and in particular, the
> sensibility and effectiveness of using them in high-security
> environments.

I use Snort in IDS mode on OpenBSD and am very satisfied with it. It's
hard to justify spending 10's or 100's of thousands of dollars for
commercial solutions that have the same issues as Snort (false
positives, requires tuning and constant monitoring). I have used large
IBM/ISS Proventia systems in the past. Some of the commercial offerings
will not even give you a terminal so you can use tcpdump... can you
believe that? You have the perfect spot on the network and the perfect
hardware, but you can only use it in a very limited fashion. Very
frustrating.

General purpose OpenBSD boxes with big beefy network interfaces cost a
lot less and do more. I use FreeBSD to run BASE as the analysis
frontend. The OpenBSD Snort sensors ship their alerts to it. I would use
OpenBSD for the frontend as well, but BASE is not currently in ports and
I have not had time to work on porting it and prefer not to go outside
of ports.

Also, I would stay away from IPS mode. There are enough network problems
as is without something randomly deciding to drop packets. There's no
better way to make a network engineer mad than to send them on a wild
goose chase trying to figure out why packets are not getting delivered
only to find out that the IPS is dropping them because certain SSL
traffic looks like a buffer overflow or something. 

That has been my experience.

Brad

> From a compliance perspective, I don't have much choice. From the
> costs, infrastructure, and administrative perspectives, I am currently
> evaluating whether or not I should be leaning towards an IDS or IPS
> solution, and of course which system/vendor. My understanding is that
> something like snort requires a fair bit of maintenance and
> IT-attention, the trade-off being cost, so I am leaning away from
> this. Between detection and prevention, preventing break-ins seems a
> bit sillier than trying to actively monitor what's going on and to
> then look for threats, so this pushes me more towards IDS over IPS.
> 
> Thoughts, suggestions, flames, are all welcome.
> 
> Thanks.
> 
> ~Jason



Re: Security feed

2010-02-17 Thread Brad Tilley
On Wed, 17 Feb 2010 20:05 +0100, "Jean-Francois" 
wrote:
> Hello All,
> 
> I am a little bit out of subject but please allow me to ask you about
> feeds of 
> security issues.
> 
> Thank you

I read this page and the links off of it:

http://www.openbsd.org/errata.html 



Re: routing and pf at 10Gbps

2010-02-12 Thread Brad Tilley
On Fri, 12 Feb 2010 14:59 +0100, "Bret Lambert" 
wrote:
> On Fri, Feb 12, 2010 at 2:52 PM, Diana Eichert 
> wrote:
> > On Thu, 11 Feb 2010, Claudio Jeker wrote:
> >
> >> Henning, I told you, we should not talk about unfinished projects.
> >> We planned to announce this in exactly 7 weeks. Anyway, too late, the cat
> >> is out of the bag.
> >> So Henning and Oga are working at offloading pf into the graphic card
> >> cores by using the DRI interface. The shader will evaluate the ruleset
> >> and packets in parallel and use the graphic memory for the state table.
> >> Additionally if the speed of one card is not enough you can use SLI or
> >> crossfire to use multiple cards in parallel.
> >>
> >> --
> >> :wq Claudio
> >
> > okay, now you have piqued my interest
> >
> > I will sit back and wait for more info
> 
> I, too, hope to get news of this shortly after March is over.

The rumor is that they are using CUDA on Nvidia graphics cards with
advanced object oriented C++ and it is so fast that several developers
are considering switching from C to C++ even for the kernel, after
migrating to ZFS and replacing Perl in base with Java. Good times for
OpenBSD indeed. Glad to see they are finally making some much needed
improvements.

OK... enough Friday humor.
 
> >
> > thanks
> >
> > diana 



Re: Read_Write buffers for dd WAS: little cp diff

2010-02-08 Thread Brad Tilley
On Mon, 08 Feb 2010 09:06 -0500, "Sean Kennedy"  wrote:
> Moving this to m...@...
> 
> Would part of this discussion usefully relate to such issues as using
> 'dd'
> for diskwipes/copies/reformatting and slow data movement speeds?
> 
> There are times when I am wiping (for reuse) hard disks using 'dd' and I
> set
> the BlockSize to > 512 (like 1M or so sometimes)


In my experience, a bs of 64k is about as big and fast as you'll get. Setting 
bs larger than that may make dd a tad faster, but not much.  Also, when IO 
errors occur with a larger bs you'll drop more data than you would have using a 
512 byte block. Some modified dd's, such as ddrescue, set larger blocksizes 
initially in an effort to increase speed, but revert to 512 bytes upon IO 
errors.

Brad


> and the transfer speeds are quite a lot slower than for using 'dd' on
> some
> other Operating systems. (Linux or Windows)
> 
> Mind you, for a lot of this, I am using oBSD RamDISK, so I am not
> anticipating
> a full-fledged OS support for the ATA or SCSI or USB2 platforms. But for
> those
> systems where I am using -stable or -current,  the speeds are still
> comparably
> slow.
> 
> I concur with Theo's point on portability and making a sysctl for kernel
> is
> hazardous, but what am I seeing in the above for 'dd' that would be
> causing
> the poor performance?
> (* BTW, I am using  if=/dev/zero for the baseline, other if=/...'es may
> have
> lower performance as an input for compare*)
> 
> 
> Just my 2 cents.
> 
> -sean
> 
> > Subject: Re: little cp diff
> > 2010/2/8 Theo de Raadt :
> > > For those of you who asked why cp needs to be portable, come on.
> > > You've got it all wrong.  If cp isn't written in a portable fashion,
> > > then what is the point of doing anything else in a portable fashion.
> > This is good and reasonable answer. So I think we should stop discussion.
> > antonvm



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-02 Thread Brad Tilley
On Tue, 02 Feb 2010 18:09 +, "Bayard Bell" 
 wrote:
> Formal evaluation just means that the features judged relevant to the  
> evaluation can be minimally verified. On the flip side, there's David  
> Litchfield's observation in the introduction to The Oracle Hacker's  
> Handbook: "The Oracle RDBMS was evaluated under Common Criteria to  
> EAL4... However, the first few versions of Oracle that gained EAL4 had  
> a buffer overflow in the authentication mechanism." He goes on to say that
> standards are necessary to some extent but not fully indicative.
> You'll find summary arguments and starting links off the Common
> Criteria's Wikipedia entry. Given such limitations, perhaps you might
> propose a more open evaluation and make code access for audit,
> including by escrow access for an established third-party authority,
> as a major criterion?

Common Criteria - http://www.iso15408.net - has largely replaced ITSEC and
others. Like some other ISO standards, you may have to purchase a copy. I would
say that CC makes some people feel good, but does little in the way of real
security. Microsoft Windows XP is EAL4 certified when configured certain ways.
I think the certification process can be very narrowly focused on a few parts
of the system so the vendor can say, "Look at this component of our OS, but not
those" or "Certify our OS when configured a certain way".

It's a costly process too and takes a while to complete. I'm not sure any open
source OS is certified. For-profit, vendor-backed Linux distributions (RHEL) may
be, as they have the time and money to waste on it, and TrustedBSD makes
reference to CC, but I don't think it's certified.

Brad
 
> Am 1 Feb 2010 um 23:06 schrieb Keith:
> 
> > I've used OpenBSD & PF for a number of years without issue and am
> > now in the position that I want to create a dmz between the Internet
> > and my organisation's WAN. Our security people are asking if the
> > firewall that we use is accredited by ITSEC and I am pretty sure
> > it isn't, but it turns out that our security people will be happy if
> > the firewall is accredited for use by another government!
> >
> > I am very happy with my PF firewalls and their reliability and don't
> > want to be forced into purchasing some cisco / forenet commercial
> > firewall that I've never used before so am desperate to find some
> > details of any foreign governments that are using OpenBSD / PF as a
> > firewall or any details of any certification of the PF firewall.
> >
> > Can anyone help me out ?
> >
> > Thanks
> > Keith
> >
> >



Re: vsftpd

2010-01-28 Thread Brad Tilley
On Thu, 28 Jan 2010 21:44 +0200, "Lars Nooden"  wrote:
> Jean-François SIMON wrote:
> > Is this the normal way or am I missing something?
> 
> For ftp the normal way is to work with the chrooted ftp daemon that is
> part of the OpenBSD base:
>   http://www.openbsd.org/faq/faq10.html#AnonFTP
>   http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd
> 
> /Lars

Just curious... what does ftp.openbsd.org run? 



Re: fsck segfault on a big partition, 4.6

2010-01-27 Thread Brad Tilley
Whoops... re-reading, I see that I missed your disklabel output... sorry.


On Wed, 27 Jan 2010 17:25 -0500, "Brad Tilley"  wrote:
> On Wed, 27 Jan 2010 20:43 +, "Rob Sheldon" 
> wrote:
> 
> [snip]
> 
> > softraid0 at root
> > root on sd1a swap on sd1b dump on sd1b
> > 
> > ...that's odd, it's showing swap (and dump) on sd1b, but there's no such
> > thing:
> > 
> > $ sudo df /dev/sd1b
> > df: /dev/sd1b: Device not configured
> >
> > ...maybe it really doesn't like running without swap?
> 
> It's there. disklabel -vh sd1 and you'll see b is swap. Try swapctl as
> well... also dmesg | grep swap:
> 
> root on sd1a swap on sd1b dump on sd1b
>  
> 
> > Oh wait, it's showing only 3G of memory installed. I just physically
> > checked the machine, and it has 4 full banks of 2G each. amd64 should be
> > able to address that, right?
> 
> I think you would need a bigmem enabled kernel.
>  
> > That could certainly explain why fsck is unhappy.
> > 
> > Thanks,
> > 
> > - R.
> > 
> > -- 
> > [__ Robert Sheldon
> > [__ Founder, No Problem
> > [__ Information technology support and services
> > [__ Software and web design and development
> > [__ (530) 575-0278
> > [__ "You must be the change you wish to see in the world." -- Mahatma
> > Gandhi



Re: fsck segfault on a big partition, 4.6

2010-01-27 Thread Brad Tilley
On Wed, 27 Jan 2010 20:43 +, "Rob Sheldon"  wrote:

[snip]

> softraid0 at root
> root on sd1a swap on sd1b dump on sd1b
> 
> ...that's odd, it's showing swap (and dump) on sd1b, but there's no such
> thing:
> 
> $ sudo df /dev/sd1b
> df: /dev/sd1b: Device not configured
>
> ...maybe it really doesn't like running without swap?

It's there. disklabel -vh sd1 and you'll see b is swap. Try swapctl as well... 
also dmesg | grep swap:

root on sd1a swap on sd1b dump on sd1b
 

> Oh wait, it's showing only 3G of memory installed. I just physically
> checked the machine, and it has 4 full banks of 2G each. amd64 should be
> able to address that, right?

I think you would need a bigmem enabled kernel.
 
> That could certainly explain why fsck is unhappy.
> 
> Thanks,
> 
> - R.
> 
> -- 
> [__ Robert Sheldon
> [__ Founder, No Problem
> [__ Information technology support and services
> [__ Software and web design and development
> [__ (530) 575-0278
> [__ "You must be the change you wish to see in the world." -- Mahatma
> Gandhi



Re: PowerEdge 850 for a small office firewall

2010-01-27 Thread Brad Tilley
On Wed, 27 Jan 2010 07:54 -0500, "Chris Dukes"  wrote:
> On Tue, Jan 26, 2010 at 04:38:08PM -0800, mehma sarja wrote:
> > I am running an embedded 533 MHz with 256 MB memory and it is woefully
> > inadequate for an office setting. Even for a home setting which wants stuff
> > like snort running as well. I would WAG at least a 2 GB memory and the Atoms
> > max out at that...? If the firewall will be doing other stuff like snort,
> > vpn, dns, dhcp, nat, (I am talking pfSense here), then 2 GB is rather short
> > and I'd like to see a beefier CPU as well. So, the question really is what
> > all are you going to be doing with it?
> 
> Is it still woefully inadequate if snort, vpn, and DNS are moved
> off the firewall?

On a busy interface, Snort can use a good deal of CPU consistently:

load averages:  0.50,  0.31,  0.24 08:09:25
33 processes:  31 idle, 2 on processor
CPU0 states:  4.4% user,  0.0% nice,  0.2% system,  8.8% interrupt, 86.6% idle
CPU1 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU2 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
CPU3 states: 11.8% user,  0.0% nice,  0.0% system,  0.0% interrupt, 88.2% idle
Memory: Real: 180M/542M act/tot  Free: 2819M  Swap: 0K/518M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
16499 _snort    31    0  171M  158M onproc/1  -        24.9H 16.89% snort
 5502 root       2    0 1116K 2080K sleep/1   select    0:51  0.00% sendmail
16446 _pflogd    4    0  636K  444K sleep/0   bpf       0:06  0.00% pflogd


> I ask because running DNS on the firewall has given me the heebie jeebies
> for years.  And I have dim memories of a few security exploits for snort.
> > 
> 
> -- 
> Chris Dukes 



Re: rename(2) man page (was: Re: OpenSMTPd actual development and integration)

2010-01-25 Thread Brad Tilley
On Mon, 25 Jan 2010 12:32 -0800, "Ben Calvert"  wrote:

> Tracing this discussion back to it's origins  earlier this month, I see
> the
> problem as arising from a statement made by a Mathematician (DJB) about
> the
> infallibility of his software when used with certain filesystems.
> 
> It is understandable for someone from a theoretical field (math) to
> assume
> that there exists such a thing as certainty in real life... but
> unacceptable
> in a software engineer.

Not sure it is correct to say that DJB is only theoretical. He wrote the SHA1 
code that won the Engineyard SHA1 contest. His code is 12 times faster than 
OpenSSL's SHA1. DJB has also written a lot of Unix utilities, some of which are 
controversial, nevertheless, he can write code.

http://www.win.tue.nl//sha-1-challenge.html

Brad



Re: The insecurity of OpenBSD

2010-01-22 Thread Brad Tilley
On Fri, 22 Jan 2010 07:22 -0600, "Marco Peereboom"  wrote:
> It doesn't and I'll argue all day that it won't help you a bit.
> 
> Here is an example:
> 1. running system with OMGACL
> 2. pkg_add -ui
> 3. couple of days later at 3am bz got come to the datacenter because
>the app bombed
> 4. oh, the acl terminated it; adjust
> 5. repeat 3 - 4 until it "works"
> 6. repeat 2 - 5 in perpetuity
> 
> - or -
> 
> 1. Disable ACL.

[snip]

I saw a group of sys admins go through those very steps several years ago while 
attempting to deploy SELinux. After 3 months of trying to make it work, they 
disabled it. It could have been done, but they would have had to triple the 
support staff to make it work.



Re: Books on reverse engineering?

2010-01-21 Thread Brad Tilley
On Wed, 20 Jan 2010 17:52 -0800, "James Hozier"  wrote:
> With every single laptop I've bought/been given over the years, I
> was able to run OpenBSD on them almost flawlessly save a few
> quick/simple hacks to make anything that didn't work, work.
> 
> The one main issue I've had with ALL of them was the wireless
> card...maybe I was just unlucky to have gotten ones with crappy
> chipsets 

Purchase a few 802.11 USB sticks. You can find devices that have very 
well-documented chipsets on newegg for less than 15 dollars (USD). These 
devices are 100% supported in OpenBSD. The man pages list these devices and are 
very accurate. For example, man run and see the HARDWARE section.

You might also consider installing OpenBSD -current to a USB stick and try 
booting the laptop from that before purchasing. That way, you'd know exactly 
what hardware you were getting.

Brad

[snip]



Re: the root is on

2010-01-16 Thread Brad Tilley
On Sat, 16 Jan 2010 14:37 +0100, "Manuel Giraud" wrote:
> Otto Moerbeek  writes:
> 
> >> Here's a probably stupid question: since the kernel can detect the "root
> >> on sd0a" why is there still a need for fstab entry for it?
> >
> > Because you might want to specify mount options, or an alternate root.
> 
> In fact, I was wondering because I have installed OpenBSD on an usb
> flash drive.
> 
> I use softraid and have a script to decrypt the RAID partition and setup
> a custom fstab with the correct 'sd?' for decrypted devices, it works
> alright. But if root is not sd0a, I have to 'boot bsd.rd' and 'ed
> /etc/fstab' before. Does anybody doing this and have a better solution?

Not sure I understand, but I have similar softraid crypto setups and there's no 
need to boot bsd.rd to edit /etc/fstab. When booting bsd or bsd.mp and you are 
dumped to sh to run bioctl, use ed to correct /etc/fstab there.

Also, in my experience, this is not an issue unless you are adding and removing 
sd devices. For example, the physical volume may be wd0 and the softraid volume 
may be sd0 at the moment, but when you insert a USB stick and reboot, then that 
USB stick will become sd0 and the softraid volume will become sd1. In that case 
/etc/fstab must be edited. I think Marco is working on a general fix for this.

Brad

> 
> -- 
> Manuel Giraud

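The renumbering Brad describes (the softraid volume is sd0 until a USB stick takes that slot and pushes it to sd1) means every /dev/sd0? entry in /etc/fstab has to change at once. The following is an added example, not a script from the thread or from OpenBSD: a small POSIX sh function that moves all fstab entries from one sd unit to another, anchored on the partition letter so that sd1 never also matches sd10. It uses only sed(1), which like ed(1) lives in /bin and is therefore available in the single-user shell before /usr is mounted. The sample fstab is constructed for the example; the function names are mine. Later OpenBSD releases removed the problem by letting fstab name filesystems by disklabel DUID instead of sdN.

```shell
#!/bin/sh
# Added example (not from the thread): retarget fstab device names
# after a softraid volume has moved from one sd unit to another.

# fstab_retarget OLD NEW  reads an fstab on stdin, writes the rewritten
# one on stdout.  Only lines whose device is /dev/OLD<partition> are
# touched; comments, "swap" lines and other disks pass through as-is.
fstab_retarget() {
    old=$1 new=$2
    # The pattern requires a partition letter and a following blank, so
    # "sd1" does not also match "sd10"; the rest of the line is preserved.
    sed "s|^/dev/${old}\([a-p][[:space:]]\)|/dev/${new}\1|"
}

# Constructed sample fstab, not copied from a real machine: root and /usr
# on the softraid crypto volume (sd0), /home on a plain partition of the
# physical disk (wd0), plus an mfs /tmp.
SAMPLE_FSTAB='# constructed sample fstab, not from a real machine
/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr ffs rw,nodev 1 2
/dev/wd0k /home ffs rw,nodev,nosuid 1 2
swap /tmp mfs rw,-s=32m 0 0'

# The scenario from the thread: a USB stick became sd0, the volume is now sd1.
retarget_sample() {
    printf '%s\n' "$SAMPLE_FSTAB" | fstab_retarget sd0 sd1
}

# On the rescue shell, once bioctl has attached the volume and / is
# mounted read-write, the real change would be:
#   fstab_retarget sd0 sd1 < /etc/fstab > /etc/fstab.new \
#       && mv /etc/fstab.new /etc/fstab
# Check the new unit first (e.g. in the bioctl output or dmesg) rather
# than assuming it; the function happily rewrites to whatever you pass.
```

Run `retarget_sample` to see the rewritten table; only the two sd0 lines change, the wd0k line and the mfs line are untouched.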


Re: thinkpad x200 wireless 5100 old issue

2010-01-12 Thread Brad Tilley
> > If this machine isn't production, then no harm could come from trying
> > a snapshot.  It would give the developers a much better idea as to
> > where you system's at.  Use a USB thumb drive if you're that worried
> > about trashing your data.
> >
> > -- 
> > Aaron Mason - Programmer, open source addict
> > I've taken my software vows - for beta or for worse
> >
> 
> ok, you've convinced me, I'll give it a try on a usb thumb for a start.
> tks

It's the easiest "bootable OS on a USB stick" install you'll ever do. Just 
install like you normally would except rather than using the internal hard 
drive, select the USB drive.

Brad 



Re: scsi output similar to atactl identify

2010-01-04 Thread Brad Tilley
On Tue, 05 Jan 2010 01:46 +1100, "Jonathan Gray"  wrote:
> For raid controllers like your mfi, you can use bioctl(8) to list some
> information about the individual drives.

Not quite as informative as atactl... adding a -q breaks it:

# bioctl -ihv sd0 
Volume  Status   Size Device  
 mfi0 0 Online  67.8G sd0 RAID1
  0 Online  68.4G 1:0.0   noencl 
 'unknown serial'
  1 Online  68.4G 1:1.0   noencl 
 'unknown serial'

# bioctl -ihvq sd0
bioctl: DIOCINQ: Invalid argument


From the bioctl man page:

-q  Show vendor, product, revision, and serial number for the given disk.



scsi output similar to atactl identify

2010-01-04 Thread Brad Tilley
Is there a way to get scsi output data similar to 'atactl device identify' 
output? 

# atactl /dev/rwd0c identify
Model: Kingston SSDNow V Series 64GB, Rev: B090522a, Serial #: 06J990030232
Device type: ATA, fixed
Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 125045424
Device capabilities:
ATA standby timer values
IORDY operation
IORDY disabling
Device supports the following standards:
ATA-4 ATA-5 ATA-6 ATA-7 
Master password revision code 0xfffe
Device supports the following command sets:
READ BUFFER command
WRITE BUFFER command
Write cache
Power Management feature set
Security Mode feature set
SMART feature set
Flush Cache command
Device has enabled the following command sets/features:
READ BUFFER command
WRITE BUFFER command
Write cache
Power Management feature set
SMART feature set
Flush Cache command


Reading the scsi manpage, the inquiry command
scsi -f /dev/rsd2c -c "12 0 0 0 64 0" -i 0x64 "s8 z8 z16 z4"
outputs the name of the controller "DELL PERC 5/i 1.03" but no info about
the drives connected to it.

Brad

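The scsi(8) command above hand-builds a SCSI INQUIRY: the CDB "12 0 0 0 64 0" is opcode 0x12, EVPD bit clear, page code 0, allocation length 0x64 (100) bytes, and the "s8 z8 z16 z4" format string skips the 8 header bytes of the response and prints the 8-byte vendor, 16-byte product and 4-byte revision fields. INQUIRY describes the logical unit that rsd2c is, and behind a RAID controller that unit is the controller's virtual disk, which is why the answer is the PERC and not the member drives; the unit serial number VPD page (0x80) identifies that same virtual disk. The following is an added example, not code from the thread or from OpenBSD: it builds INQUIRY CDBs in the form scsi(8) -c takes and decodes the bytes that come back. The sample responses are constructed to match the thread's "DELL PERC 5/i 1.03" output and are not captured from a real controller; the function names are mine.

```python
"""Added example (not from the thread): build INQUIRY CDBs for scsi(8) -c
and decode standard INQUIRY data and the unit serial number VPD page."""

INQUIRY = 0x12          # SCSI opcode
VPD_UNIT_SERIAL = 0x80  # VPD page code: unit serial number

# Constructed 36-byte standard INQUIRY response for a RAID logical volume;
# these bytes are made up to resemble the thread's answer, not captured.
SAMPLE_STD_INQUIRY = (
    bytes([
        0x00,  # peripheral qualifier 0, device type 0 (direct access block)
        0x00,  # RMB clear: not removable
        0x05,  # version: SPC-3
        0x02,  # response data format 2
        0x1F,  # additional length: 36 - 5 = 31
        0x00, 0x00, 0x02,
    ])
    + b"DELL    "          # T10 vendor identification, 8 bytes
    + b"PERC 5/i        "  # product identification, 16 bytes
    + b"1.03"              # product revision level, 4 bytes
)

# Constructed VPD page 0x80 response: header then 12 ASCII serial bytes.
SAMPLE_VPD_SERIAL = bytes([0x00, 0x80, 0x00, 0x0C]) + b"00A1B2C3D4E5"


def build_inquiry_cdb(page_code=None, alloc_len=0x64):
    """Return a 6-byte INQUIRY CDB as the space-separated hex string that
    scsi(8) -c accepts.  page_code=None is a standard INQUIRY; otherwise
    the EVPD bit is set and that VPD page is requested."""
    if not 0 < alloc_len <= 0xFFFF:
        raise ValueError("allocation length out of range")
    evpd = 0 if page_code is None else 1
    cdb = bytes([INQUIRY, evpd, page_code or 0,
                 alloc_len >> 8, alloc_len & 0xFF, 0])
    return " ".join(f"{b:x}" for b in cdb)


def parse_std_inquiry(data):
    """Decode standard INQUIRY data: the header bytes that the thread's
    "s8" skips plus the vendor/product/revision strings it prints."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    return {
        "peripheral_qualifier": data[0] >> 5,
        "device_type": data[0] & 0x1F,
        "removable": bool(data[1] & 0x80),
        "spc_version": data[2],
        "additional_length": data[4],
        "vendor": data[8:16].decode("ascii", "replace").strip(),
        "product": data[16:32].decode("ascii", "replace").strip(),
        "revision": data[32:36].decode("ascii", "replace").strip(),
    }


def parse_unit_serial(data):
    """Decode a VPD page 0x80 response into the serial number string."""
    if len(data) < 4 or data[1] != VPD_UNIT_SERIAL:
        raise ValueError("not a unit serial number VPD page")
    length = (data[2] << 8) | data[3]
    if len(data) < 4 + length:
        raise ValueError("truncated VPD page")
    return data[4:4 + length].decode("ascii", "replace").strip()
```

`build_inquiry_cdb()` reproduces the thread's "12 0 0 0 64 0"; `build_inquiry_cdb(0x80)` gives the CDB for the serial page. Whatever comes back still describes the PERC's virtual disk, so for the physical drives behind an mfi controller the thread's bioctl(8) route, not INQUIRY, is the one to pursue.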


Re: 802.11n cards for AP?

2010-01-01 Thread Brad Tilley
On Fri, 01 Jan 2010 19:16 -0500, "Steven M. Caesare" wrote:
> So... back in the 3.6ish days, I had a Prism-based 802.11b card that I
> used in my OpenBSD FW for a wireless access point. Worked like a charm
> until I relocated my FW, and could no longer get good RF coverage. Went
> with a consumer-based 802.11g AP configured as a bridge.
> 
> 
> 
> That unit just died.
> 
> 
> 
> I've found some cable/antenna assemblies that might allow me to remote
> an antenna to a good spot in the house for coverage, and I'm thus
> re-considering going with a FW based AP setup once again.
> 
> 
> 
> According to the OpenBSD site, the following 802.11n devices are
> supported:
> 
> 
> 
> athn
> 
> iwn
> 
> ral
> 
> run

As of 4.6-release, 802.11n is not yet implemented. The devices you list work, 
but not in n. From the run man page:

CAVEATS
 The run driver does not support any of the 802.11n capabilities offered
 by the RT2800 and RT3000 chipsets.  Additional work is required in
 ieee80211(9) before those features can be supported.


