wxallowed setting for /usr/local
It seems, based on the release notes, that this is part of the 6.0 install. I installed 5.9 just before the 6.0 release and then did an upgrade, and do not see that modification made in /etc/fstab post-upgrade. Expected?

Brian
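As an added example for this thread (not code from the thread or from the OpenBSD tree), a small check for the situation Brian describes: report whether the /usr/local entry in an fstab carries the wxallowed mount option, and produce a copy of the fstab with the option added where it is missing. The fstab shown is a constructed sample; the functions take a file argument so they can be pointed at /etc/fstab on the upgraded box.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenBSD tree: check a mount
# point's fstab options for wxallowed and emit a corrected copy.
# The sample fstab below is constructed; run the functions on /etc/fstab
# on the box itself.

sample_fstab() {
cat <<'EOF'
# constructed sample in OpenBSD fstab layout (DUID.partition form)
1234abcd5678ef90.b none swap sw
1234abcd5678ef90.a / ffs rw 1 1
1234abcd5678ef90.e /usr/local ffs rw,nodev 1 2
EOF
}

# fstab_wxallowed FSTAB MOUNTPOINT -> prints yes, no, or absent (no entry)
fstab_wxallowed() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }                 # comments, blank lines
        $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "wxallowed") { print "yes"; exit }
            print "no"; exit
        }
        END { if (!found) print "absent" }' "$1"
}

# with_wxallowed FSTAB MOUNTPOINT -> the fstab on stdout, with wxallowed
# appended to that mount point's options if it was missing. Field spacing
# is normalised on the changed line, so diff the result against the
# original before copying it into place.
with_wxallowed() {
    awk -v mp="$2" '
        !/^[ \t]*#/ && NF >= 4 && $2 == mp && $4 !~ /(^|,)wxallowed(,|$)/ {
            $4 = $4 ",wxallowed"
        }
        { print }' "$1"
}

# Demo on the constructed sample.
f=$(mktemp)
sample_fstab > "$f"
echo "/usr/local wxallowed: $(fstab_wxallowed "$f" /usr/local)"   # prints "no"
with_wxallowed "$f" /usr/local | grep /usr/local
rm -f "$f"
```

The check only reports what the file says; whether the option belongs on /usr/local on a given machine is the question the release and upgrade notes answer. For the live state rather than the file, the mount flags shown by mount(8) for /usr/local are the thing to look at.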
Re: does re-injection even work?
I can't look at the code now, but perhaps only allow UDP and not TCP from untrusted hosts? I think TCP is only used for really large transfers, which a non-malicious user wouldn't need. The only exception I can think of is a zone transfer between authoritative servers.

Brian

On Jul 10, 2012 12:38 PM, Peter J. Philipp p...@centroid.eu wrote:
Hi,

I have built some skeleton code (it's ugly) for a proxy for DNS based on my wildcarddnsd. I'm using divert(4) sockets, but whenever I put the pf rules on, the reinjection doesn't work for me. Here are my pf rules:

# pfctl -srules
pass all flags S/SA
block drop in on ! lo0 proto tcp from any to any port 6000:6010
block drop in on re0 inet from fuckoff to any
pass in on re0 inet proto udp from any to any port = 53 scrub (reassemble tcp) divert-packet port

and here is the skeleton code: http://ipv4.goldflipper.net/private/dnsdivert.tgz

I did this rather fast, hoping to get it in for someone I know who is being used for a DNS amplifier attack, but the final tests broke the hope of stopping it with this. The way you use that is to run the program in the foreground, and it should print for what DNS name a query is. But when I run it the reinject does not happen, and dig, for example, will stop in its tracks and not deliver an answer from named. Any small hint would be appreciated,

-peter
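As an added example (not Peter's ruleset and not the code in dnsdivert.tgz), a pf.conf fragment along the lines Brian suggests: UDP 53 from anywhere is accepted and handed to the diverting proxy, TCP 53 is accepted only from a table of the authoritative servers this host exchanges zones with. The interface name re0, the peer addresses and the divert port 700 are assumptions.

```pf
# Added example; not the ruleset or the code from the thread.
# re0, the peer addresses and divert port 700 are assumptions.
ext_if = "re0"
table <xfr_peers> { 192.0.2.10, 192.0.2.11 }   # assumed authoritative peers

# Default deny for anything else aimed at the DNS port.
block in on $ext_if proto { tcp udp } from any to any port 53

# Ordinary queries: UDP only, diverted to the inspecting proxy listening on
# divert port 700. The proxy has to write every packet it reads back to the
# divert socket; anything it drops or fails to reinject is lost here.
pass in on $ext_if inet proto udp from any to any port 53 divert-packet port 700

# TCP 53 only from the servers this host does zone transfers with.
pass in on $ext_if inet proto tcp from <xfr_peers> to any port 53
```

Last matching rule wins, so the two pass rules punch the holes in the preceding block. The trade-off in Brian's suggestion is that a resolver whose UDP answer comes back truncated retries over TCP, and with this ruleset that retry is dropped unless the resolver's address is in the table. Check the syntax with pfctl -nf before loading it.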
Re: firewall not catching?
I would take steps to see if another rule is being matched when you see the flaw?

Brian

On Jul 9, 2012 12:28 PM, Peter J. Philipp p...@centroid.eu wrote:
On Mon, Jul 09, 2012 at 12:47:18PM -0600, Luis Coronado wrote:
You need to provide more information about your situation to be able to help you. dmesg, pf ruleset, network config., etc.
-luis

Due to the sensitivity of the host I cannot do that. But I'll tell you what I will do. Upgrade. Perhaps by next week even. I'll let you know if the problem persists then, and perhaps I'll even get an OK to share the hardware data by then. I understand you can't help me much more, thanks anyway...

Regards,
-peter

On Mon, Jul 9, 2012 at 12:34 PM, Peter J. Philipp p...@centroid.eu wrote:
Hi,

Were there any bugfixes between 5.0 and 5.1 that would allow certain packets through the pf filter? I have a case where I cannot block a certain IP on a 5.0 box. I tested that same IP on a 5.1 box with a spoofer and I found my same rules to catch, so it's not my logic, I don't think. I tested with tcpdump, netcat, and custom software. Any hint would be nice,

-peter
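One way to do what Brian suggests, as an added example that is not part of the thread: take a `pfctl -vsr` snapshot before and after reproducing the traffic and list the rules whose Packets counter moved. If the block rule's counter stays at zero while another rule's moves, that other rule is the one the packet matched. The two snapshots below are constructed in the `pfctl -vsr` layout (rule text, then a bracketed counter line); on the box itself the function takes the real snapshot files.

```shell
#!/bin/sh
# Added example for the "firewall not catching?" thread; not code from the
# thread. Compares two `pfctl -vsr` snapshots and prints every rule whose
# Packets counter changed.

# Constructed sample snapshots in the `pfctl -vsr` layout.
sample_before() {
cat <<'EOF'
pass all flags S/SA
  [ Evaluations: 100       Packets: 40        Bytes: 5120        States: 1     ]
  [ Inserted: uid 0 pid 100 State Creations: 1     ]
block drop in on re0 inet from 192.0.2.1 to any
  [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 100 State Creations: 0     ]
EOF
}
sample_after() {
cat <<'EOF'
pass all flags S/SA
  [ Evaluations: 100       Packets: 46        Bytes: 5890        States: 1     ]
  [ Inserted: uid 0 pid 100 State Creations: 1     ]
block drop in on re0 inet from 192.0.2.1 to any
  [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 100 State Creations: 0     ]
EOF
}

# rules_that_moved BEFORE AFTER
# Prints "<rule><TAB><before> -> <after>" for each rule whose Packets
# counter differs between the two snapshots.
rules_that_moved() {
    awk '
        /^[^ \t]/ { rule = $0; next }              # rule text starts in column 1
        /^[ \t]*\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pk = $(i + 1) + 0
            if (FILENAME == ARGV[1]) before[rule] = pk
            else if (pk != before[rule]) printf "%s\t%d -> %d\n", rule, before[rule], pk
        }' "$1" "$2"
}

# Demo on the constructed snapshots: the block rule never saw the packets,
# the catch-all "pass" did.
demo() {
    b=$(mktemp) && a=$(mktemp)
    sample_before > "$b"; sample_after > "$a"
    rules_that_moved "$b" "$a"
    rm -f "$b" "$a"
}
demo
```

The Packets counter is the one to watch; Evaluations only tells you the rule was considered. If the counters are ambiguous, adding log to the candidate rules and reading pflog0 with tcpdump shows the matched rule number per packet.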
Re: question_about_OpenBSD_on_ADSL_modems/routers
I have an OpenBSD box plugged into a switch with other things that then connects to a DSL modem, no problem.

On Jun 25, 2012 8:15 AM, Zafer Daştan z...@z-sistem.com wrote:
On 25.06.2012 18:03, soko.tica wrote:
... I am not sure if the RockSolid cards are supported by OpenBSD. Can anyone confirm they are? ...

Single port modem works fine; it seems to the OS as a Realtek ethernet.
-zafer
Re: Keeping -Stable updated
If this is a production server I think you want to track the patch branch?

On Jun 19, 2012 4:41 PM, thunderlight1 thunderlig...@gmail.com wrote:
Hi!

I'm quite new to OpenBSD, and just installed 5.1 release, which I upgraded to -stable according to the instructions described in section 5 of the FAQ. My question is: Do I need to run all the steps specified in section 5 of the FAQ each day (maybe using a cron job) to have an updated -stable release on a production environment? Can someone point me in a direction on the web where there is a solution which would not require updating the system completely and rebooting? I looked everywhere but could not find an answer to this question.

Best regards,
Cesar da Silva
Re: Upgrading OpenBSD
In FreeBSD you could use portupgrade or portmaster; I don't know what the OpenBSD options are.

On May 21, 2012 6:48 PM, Richards, Toby toby.richa...@slo.courts.ca.gov wrote:
While my question involves other BSDs as well as Linux systems, I am asking this here because OpenBSD's philosophy is the most attractive to me.

I've got about 50 servers to manage. OpenBSD does have an Upgrade option, but does it upgrade the installed packages? As far as I can tell, it does not.

I do very much appreciate the technology that has come from the OpenBSD project, yet it seems to me that most *free* operating systems do not fully support an upgrade path. I can't [fully] upgrade from one OpenBSD release to another (unless following STABLE gets me from one RELEASE to another, but AFAIK it does not). I cannot seamlessly upgrade from Free/PC-BSD 8.x to 9.x. Instead I must re-install from scratch. The same goes for CentOS/RHEL 5.x to 6.x, and for every version of Mint Linux.

The two major commercial operating systems (considered to be evil by the FOSS community) easily upgrade from one version to the next. That's important in a real-life production environment. In 2001, I upgraded 200 workstations and 7 servers from Windows NT 4.0 to Windows 2000 without incident. I've had similar experience with all subsequent MicroEvil systems. I do hate MicroEvil, but I can make only limited conclusions regarding the upgrade paths of other operating systems:

1) Your project exists only for the sake of doing the project, and for the technologies that it produces (such as OpenSSH).
2) Folks are expected to install a version of OpenBSD, but not upgrade, because there's no reason to fix something that isn't broken.
3) OpenBSD is only for organizations who have so few servers or so many IT folks that re-installing everything from scratch is not inviably cumbersome.
4) I am oblivious to some upgrade path technique for FOSS operating systems.

Please enlighten me.

Respectfully Submitted,
R. Toby Richards
Network Administrator
Superior Court of California
In and for the County of San Luis Obispo
(805) 781-4150
Re: Sendmail at home
You can easily send and receive using Gmail, either with a Gmail account or with Google Apps and your domain at home, though neither of these likely involves your own sendmail setup. If you want your own mail server, you need port 25 to be allowed both ways, and a static IP (more proper) or dynamic DNS (improper hack) is also needed.

Brian

On Thu, May 10, 2012 at 10:30 AM, Laurence Rochfort laurence.rochf...@gmail.com wrote:
I want to set up sendmail so that I can send mail from my home network. I have no experience with sendmail outside a corporate environment, where DNS makes everything happen automagically. I have a Gmail account. Is sending via Gmail possible or sensible? Any advice would be appreciated.
Re: NAS server
freebsdwo...@gmail.com wrote:
Hello,

I'm looking to buy a cheap tower server to create a database and NFS system. I have 16 GB of DDR2 RAM free and 4x750 GB SATA2 drives. Anyone have links? Will run OpenBSD.

Thanks,
Ben
Sent from my Verizon Wireless BlackBerry

FreeNAS? http://www.freenas.org/

That is a lot of RAM; you could build quite the VM server with 16 GB of RAM and over 2 TB of disk space, assuming you keep one drive as a spare.

Brian
Re: NAS server
freebsdwo...@gmail.com wrote:
Hello,

I'm looking to buy a cheap tower server to create a database and NFS system. I have 16 GB of DDR2 RAM free and 4x750 GB SATA2 drives. Anyone have links? Will run OpenBSD.

Thanks,
Ben
Sent from my Verizon Wireless BlackBerry

So I don't get too much smackdown for recommending a FreeBSD solution, here is a Slashdot article: http://geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto

Brian
Re: 3.7 is released!
On Fri, 20 May 2005, Steve Loranz wrote:
I'm confused. The site says 3.7 was released yesterday, just like Theo's mail says. So, what is the CD claiming to be 3.7 that arrived at my door at the end of April?
-steve

I heard that was a benefit given to folks who actually PAID for the OS.

Brian
The path to a desirable destination is often more difficult than the path to stay where you are.
dns
I see now there's a patch; apologies for not checking errata first.

Brian
The path to a desirable destination is often more difficult than the path to stay where you are.