Re: Internet slowdown when pf is enabled? Running on i386 -current

2007-09-26 Thread Can E. Acar
Reza Muhammad wrote:
 
 Hi guys,
 
 I'm having a problem with my Internet connection in my home network. I
 noticed that my Internet connection has been very slow since I upgraded to
 -current a week ago.  First, I thought it was just my ISP problem.  Then, I
 tried to connect to the Internet directly from my laptop, it worked fine.

Did it happen before the upgrade? What were you running before?

 I noticed that the Internet is slowing down when pf is enabled.  I changed my
 pf.conf to only do nat, and scrub incoming packets, but it is still slow.
 Here's the output of 'ping' to the Internet.
[snip]
 
 noticed that the connection is more than 4 times slower?
 
 # here's my pf settings
 [EMAIL PROTECTED]:~% sudo pfctl -sa
 TRANSLATION RULES:
 nat on sis0 inet from 192.168.1.0/24 to any - (sis0:0)
 
 FILTER RULES:
 scrub in all fragment reassemble
 pass in all flags S/SA keep state
 pass out all flags S/SA keep state
 No queue in use
 
[snip]
 
 my home network is on 192.168.1.0/24, but I see a lot of connections with
 state NO_TRAFFIC:SINGLE that are from other networks (I'm assuming they are
 coming from my ISP's network). Can someone help me out here? Would hardware
 be the problem? I just thought that if the network card was broken, it should
 just not work right? Rather than the connection being slower?  Anyway, let me
 just post my dmesg also

There is a lot of external broadcast traffic; they are probably the cause of
the large number of state insertions/deletions. They are either a badly
designed p2p/broadcast/whatever protocol, or the result of the worm/malware
of the month.

Can you add

block drop in quick on sis0 all

at the start of your ruleset? This way the external traffic does not
create states at all.

Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.
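
Added example, not part of the original thread: a small Python check that counts inbound states stuck in NO_TRAFFIC:SINGLE whose source lies outside the 192.168.1.0/24 LAN, the pattern the reply attributes to external broadcast traffic. The sample lines are constructed, the `dst <- src` column layout is an assumption about `pfctl -ss` output, and all function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# LAN prefix taken from the post; everything else below is an assumption.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample laid out like `pfctl -ss` output. Addresses are from
# documentation ranges, not values from the original post.
SAMPLE = """\
all udp 198.51.100.255:137 <- 198.51.100.23:137       NO_TRAFFIC:SINGLE
all udp 198.51.100.255:138 <- 198.51.100.23:138       NO_TRAFFIC:SINGLE
all udp 255.255.255.255:67 <- 198.51.100.40:68       NO_TRAFFIC:SINGLE
all udp 198.51.100.255:137 <- 198.51.100.77:137       NO_TRAFFIC:SINGLE
all tcp 192.168.1.1:22 <- 192.168.1.10:51234       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.9:61022 (192.168.1.10:40112) -> 203.0.113.5:80       ESTABLISHED:ESTABLISHED
all udp 192.168.1.255:138 <- 192.168.1.20:138       NO_TRAFFIC:SINGLE
"""

# ifname proto left [(nat)] direction right [(nat)] SRCSTATE:DSTSTATE
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\(\S+\))?\s+(?P<dir><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\(\S+\))?\s+(?P<state>\S+:\S+)\s*$"
)


def _host_port(endpoint):
    """Split 'a.b.c.d:port' into (address, port); None for anything else."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:
        return None


def external_idle_states(text, lan=LAN):
    """Return (source, proto, dest_port) for inbound one-way states from off-LAN hosts."""
    hits = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        # Only inbound states where the peer sent one packet and nothing came back.
        if not m or m["dir"] != "<-" or m["state"] != "NO_TRAFFIC:SINGLE":
            continue
        dst = _host_port(m["left"])    # assumed: destination is left of "<-"
        src = _host_port(m["right"])   # assumed: source is right of "<-"
        if dst is None or src is None or src[0] in lan:
            continue
        hits.append((str(src[0]), m["proto"], dst[1]))
    return hits


def summarize(text, lan=LAN):
    """Tally the suspicious states by source host and by (proto, dest port)."""
    hits = external_idle_states(text, lan)
    return {
        "total": len(hits),
        "by_source": Counter(src for src, _, _ in hits),
        "by_service": Counter((proto, port) for _, proto, port in hits),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("external NO_TRAFFIC:SINGLE states:", report["total"])
    for (proto, port), n in report["by_service"].most_common():
        print(f"  {proto}/{port}: {n}")
    for src, n in report["by_source"].most_common():
        print(f"  from {src}: {n}")
```

A high count here relative to the total number of states supports the diagnosis in the reply; after adding the suggested block rule the count should fall to zero because blocked packets create no state.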



Re: OBSD's perspective on SELinux

2007-09-24 Thread Can E. Acar
Rui Miguel Silva Seabra wrote:
 Hi,
 
 On Mon, Sep 24, 2007 at 04:31:22PM +0100, Brian Candler wrote:
 On Sun, Sep 23, 2007 at 10:54:06PM +0100, Rui Miguel Silva Seabra wrote:
  On Sat, Sep 22, 2007 at 06:47:46PM -0500, L. V. Lammert wrote:
   OBSD is UNIX, .. SELinux is Linux. If you want a secure, efficient,
   compact OS done by folks you can trust and actually talk to, use OBSD; if
   you want 'fairly secure Linux' [which has had thousands of hands in it
   including NSA, as mentioned previously], use OpenSUSE with ***AppArmor***.
   Simple and easy to implement, even by less senior Admins.
  
  Can you say root can only run this and that application when su'ed from
  that guy, and may not open any net connection, but open this file and none
  else in OpenBSD? If so, how can I do it? :)
 
 You solve the problem a different way:
 
 - You don't give the guy root access, but their own userid
 
 The guy can be some stupid binary software with an if(uid!=root) bail();

People running arbitrary binary software requiring root on their systems
deserve what they get. You can not work around this stupidity by ANY policy.


 - You set file permissions so this userid can read only the file of interest
 
 none else = find / -type f -exec chmod o-r \{\} \; is a lot of overkill

You do not need to do it everywhere, just protect what is needed (logs, data
whatever)

Most daemons in OpenBSD run isolated (chroot) in their own space without
access to anything at all, without resorting to magic solutions, and any
additional work on the part of the administrator.


 - You use pf rules so that this user ID cannot send network packets

 - If this guy needs root for something (e.g. to bind to port 80), then you
   write a three-line setuid root wrapper which binds to port 80 for them.
   If you have a lot of this to do, then consider an 'open server' which
   returns the open file descriptor.
 
 All in all, forms of doing it all, but doing all you described creates a lot
 more work than creating an SELinux policy :)

We also have systrace, which allows creating SELinux-like policies.
Disregard its vulnerabilities for a moment and think about it.

What happened? (even before the vulnerabilities were announced)

Nobody used it.

No general/global repository of policies survived.

Few security tools attempted to use it.

Its only good use so far is in the ports tree, making sure
that port authors can be sure that programs did not access unwanted parts of
the filesystem. This is not a security use. It is useful as a tool to help
porters.

Why?

Every system and setup is unique. You can not define 'tight' policies and
expect them to be valid in other systems.

If you are an experienced systems administrator, you can make anything work.
Knowing the limitations and vulnerabilities, you can put systrace to
good use as an extra line of defense.

But such complex mechanisms rarely aid the overall security.

It creates a false sense of security (tm)
Few take full advantage of it.
The rest are either turned off or misconfigured.
Most wrongly believe that they are magically protected.


Look at Windows. It has some advanced filesystem permissions stuff,
with elaborate rights, inheritance, bells and whistles.

Is it used correctly? No.
Is it easily auditable? No.
Can you easily tighten default permissions without breaking lots of
stuff? Very unlikely.

You come across all kinds of programs using it incorrectly and creating a
whole bunch of security problems.
It does make good marketing material though.


In security, complex != good.

Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.



Re: Wasting our Freedom

2007-09-18 Thread Can E. Acar
Theodore Tso wrote:
 On Mon, Sep 17, 2007 at 03:06:37PM -0700, Can E. Acar wrote:
 The only remaining issue is whether Nick & Jiri have enough
 original contributions to the code to be added to the Copyright.

 I believe this needs to be resolved between Reyk and Nick and Jiri.

 The main reason of Theo's message, linked earlier, was the
 lack of response on this issue. It seems that the SFLC is
 dismissing this issue, and thus stalling its resolution by the
 developers.
 
 OK, so all of this flaming, and digging up of licenses ripped off,
 and chaff thrown up in the air, and moaning and bewailing about
 theft, is now down to these two lines regarding Nick and Jiri:

Yes, quite an improvement, considering how it all started, don't you think?
Pity it took so much pushing and dragging to get people to do the right
thing. There is just one little step to go. It can not be that hard, can it?


 * Copyright (c) 2004-2007 Reyk Floeter [EMAIL PROTECTED]
 * Copyright (c) 2006-2007 Nick Kossifidis [EMAIL PROTECTED]
 * Copyright (c) 2007 Jiri Slaby [EMAIL PROTECTED]
 [snip rest of BSD license]
 
 It's under a BSD license; what material difference does those two
 lines make, for goodness sake?  It's under a BSD license, so it's not
 like anything won't be given back.

As a programmer, you sure would know what difference any two lines
would make on your program. When it comes to law, you seem to lose
that intuition.


 Whether or not they have made
 enough for changes is really a question for the lawyers, and may
 differ from one jurisdiction to another
 --- but whether or not they have now, or maybe will not make until later ---

Well, they can add their names *anywhere* in the whole file, *except*
these two lines. See, these lines have a whole different meaning
when it comes to laws.  When they make sufficient contribution, they
sure can add their names. What is so difficult to understand here?

I have seen some academic papers, where the first author did all the work,
the second author is the professor who funded the work, and the remaining
five authors are just coming along for a ride.  You know what the
difference is? The original author *allows* them to put their names as
authors.

Here, you are adding names, and say why not. It is both unethical and
illegal.

 does it really make a
 difference?  Who gets hurt if they get a bit more credit
 than they deserve?  Certainly the most important thing is that Reyk is
 given proper credit, right?

As long as it is not a derived work, Reyk gets to decide who is in the
copyright. Even if it is a derived work, it is polite to ask.

If, at the beginning, Nick and Jiri, and others asked Reyk to be included
in the Copyright for the adaptation work they did on the HAL, I do not
believe he would have refused. I can not talk for him, but things would
have been resolved in a much nicer and positive way.

Instead they chose to push Reyk for months to dual license his code,
then attempted to change the whole license. Even now, when there is
just a small issue left, people are still dragging and resisting.

I am really disappointed by all this.  I would have expected that once
such a patch is suggested (let alone being committed to some public place)
some senior/respected/responsible Linux person would tell them what they
are doing is wrong.  Right from the start.  I now see this is not how
things work around here.  Senior developers are either too busy or
reluctant to get their hands dirty. In OpenBSD, (which, I accept is a
much smaller community) when one developer does something wrong,
the clue stick is there to be used by one of the more experienced
developers.
Which means, issues are resolved quickly and with much less pain.


Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.



Re: Wasting our Freedom

2007-09-18 Thread Can E. Acar
Lennart Sorensen wrote:
 On Tue, Sep 18, 2007 at 11:55:29AM -0700, Can E. Acar wrote:
 Well, they can add their names *anywhere* in the whole file, *except*
 these two lines. See, these lines have a whole different meaning
 when it comes to laws.  When they make sufficient contribution, they
 sure can add their names. What is so difficult to understand here?
 
 Please define Sufficient contribution.  And in what jurisdiction that
 definition applies.

Please note that I am not a lawyer. It would be best if you do
your own research, and consult a lawyer.

Please look up the definition of derivative work. Even Wikipedia would
do for some basic definitions. The copyright laws in most countries adhere
to the Berne Convention, yet another phrase to look up.

From my own research, one guideline I would consider is:
The new material must be original and copyrightable in itself.

But, again, if it comes to that, the lawyers will decide and we can have
no more say on the subject.

Let me, instead tell you how we handle this when working on BSD code:
We communicate. If we feel we did some extensive changes to a file, we ask.
Get OKs from other senior developers, preferably the authors and then add
our name.

During our license audits of the OpenBSD tree, a couple of years ago, our
developers went to great pains to locate the authors and clarify
the questionable licenses that were in our tree.  We are actively working
on replacing the remaining non-BSD licensed code in our tree. Not by
slapping on our own licenses, but by asking the authors nicely to relicense,
finding replacements with an acceptable license, or by rewriting them.


Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.



Re: Wasting our Freedom

2007-09-17 Thread Can E. Acar
Daniel Hazelton wrote:
 On Sunday 16 September 2007 23:00:09 Can E. Acar wrote:
[snip]
 Theo summarized the latest situation here, some days ago:

   http://marc.info/?l=openbsd-misc&m=118963284332223&w=2

 and here is a very brief summary:

   http://marc.info/?l=openbsd-misc&m=118965266709012&w=2

 If you really want to know the latest situation, please read these
 links, and think about it.
 
 No need. Here are the facts:

It is now obvious that you have no interest in facts,
You blindly repeat what you made yourself to believe.

I will waste no more time with you.

Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.



Re: Wasting our Freedom

2007-09-17 Thread Can E. Acar
Theodore Tso wrote:
 On Mon, Sep 17, 2007 at 09:23:41PM +0200, Claudio Jeker wrote:
 Because they put their copyright plus license on code that they barely
 modified. If they would have added substantial work into the OpenHAL code
 and by doing that creating something new I would not say much.
 
 Number 1, some of the Linux wireless developers screwed up earlier
 versions.  No denying that, the problems were pointed out during the
 patch reviewed problem, AND THEY WERE FIXED.

Not all, see below:

 Number 2, if you take a look at their latest set of changes (which
 have still not been accepted), the HAL code is under a pure BSD
 license (ath5k_hw.c).  Other portions are dual licensed, but not the
 HAL --- if people would only take a look at
 
 http://git.kernel.org/?p=linux/kernel/git/linville/wireless-dev.git;a=tree;f=drivers/net/wireless;h=2d6caeba0924c34b9539960b9ab568ab3d193fc8;hb=everything
 

from latest ath5k_hw.c:

* Copyright (c) 2004-2007 Reyk Floeter [EMAIL PROTECTED]
* Copyright (c) 2006-2007 Nick Kossifidis [EMAIL PROTECTED]
* Copyright (c) 2007 Jiri Slaby [EMAIL PROTECTED]
[snip rest of BSD license]

The only remaining issue is whether Nick & Jiri have enough
original contributions to the code to be added to the Copyright.

I believe this needs to be resolved between Reyk and Nick and Jiri.

The main reason of Theo's message, linked earlier, was the
lack of response on this issue. It seems that the SFLC is
dismissing this issue, and thus stalling its resolution by the
developers.

The rest is, as you say, history.

Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.



Re: Wasting our Freedom

2007-09-16 Thread Can E. Acar
On Sunday 16 September 2007 15:23:25 Daniel Hazelton wrote:
 On Sunday 16 September 2007 05:17:53 J.C. Roberts wrote:
 On Sunday 16 September 2007, Jeff Garzik wrote:
  J.C. Roberts wrote:
   http://marc.info/?l=linux-wireless&m=118857712529898&w=2
 
  Link with outdated info.
 
   http://madwifi.org/browser/branches/ath5k
 
  Link with outdated info.
 
   I suggest actually taking the time to get the facts before making
   completely baseless statements. When you make obviously erroneous
   statements, it leaves everyone to believe you are either hopelessly
   misinformed, or a habitual liar. -Which is it?
 
  Please take a moment to understand the Linux development process.
 
  A better place to look would be 'ath5k' branch of
  git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-dev.git
 
  but nonetheless, the fact remains that ath5k is STILL NOT UPSTREAM and
  HAS NEVER BEEN UPSTREAM, as can be verified from
 
  git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
 (official linux repo; nothing is official until it hits here)
 
  Part of the reason why ath5k is not upstream is that developers are
  actively addressing these copyright concerns -- as can be clearly
  seen by the changes being made over time.
 
  So let's everybody calm down, ok?
 
  Regards,
 
 Jeff

 Jeff,

 Look at what you are saying from a different perspective. Let's say
 someone took the linux kernel source from the official repository,
 removed the GPL license and dedicated the work to public domain or put
 it under any other license, and for kicks back-dated the files so they
 are older than the originals. Then they took this illegal license
 removal copy of your code and put it in a public repository somewhere.

 You'd be perfectly content with such a development because it had not
 been officially brought upstream by the official public domain or
 whatever project?
 
 But that isn't the situation being discussed. You've sent this mail to the 
 *LINUX* *KERNEL* ML, not the MadWifi ML. The patches in question were not 
 accepted into the Linux Kernel, so this is *NOT* the place to send mail 
 related to them.

You are so cleanly isolating and cutting away a group of developers.
I sincerely hope your fellow developers will not cut you off if you
make a similar mistake. I know mine won't.

What you are saying is, a Copyright violation done by someone else is
Somebody Else's Problem (tm). There are a couple of issues with this point
of view:

First, these developers got questionable advice from senior Linux kernel
developers, and SFLC (which is closely related to FSF) in the process.

There has been complete silence from the leaders of their own
community (Linux Kernel developers, FSF, ...) all perhaps used your
argument to convince themselves that this is not their problem.
However, from an outsider point of view, this lack of silence means
an agreement to something that is ethically and legally wrong.

Furthermore, this is a case about collaboration and cooperation
between GPL and BSD developers. I believe they share some common goals
related to freedom and improvement of Open Source software.

This case illustrates some important issues that should interest ALL
free software developers:

1) How tricky code sharing between different projects can be even when
   intents and goals are pretty much alike.

2) MANY developers on BOTH sides have NO clue about the laws and ethics
   associated with handling Copyrights and Licenses.

3) The copyrights and licenses are the foundations of our work.
   We put out great usually volunteer work, to create and improve.
   The licenses specify the terms and conditions under which we allow
   our work to be used. When we allow ANY license violation to occur,
   it affects our own work, regardless of the license on it.


 *PLEASE* go do a Google search or check the MadWifi site for their discussion 
 list/forum/whatever and complain there.

This has been done. Really. They have been contacted privately
before the issue became public. Got no results. The issue is then made
public, with the results you see now. This is no longer a MadWifi problem.


 No, you would most likely be absolutely livid and extremely vocal
 getting the problem fixed immediately, so your reasoning falls apart.
 
 Yes, true, but you are attacking people who haven't done anything wrong. And 
 by your own words, Mr. Roberts, OpenBSD has violated people's 
 copyrights: Most of us are also aware of the instance where OpenBSD took 
 some GPL code and replaced the license with BSD. What OpenBSD did in that 
 case was just as illegal,

Sometimes inaction is wrong.

In case of the OpenBSD Broadcom driver using parts of the GPL driver
which was under construction and prematurely committed to a public
repository, NONE of the OpenBSD developers argued for what was done. It was
illegal, and the driver was removed immediately.

What was being debated was the approach. The OpenBSD project or the

Re: The Atheros story in much fewer words

2007-09-13 Thread Can E. Acar
Shawn K. Quinn Wrote:
 You know, it's fine if you hate the GPL. But I'll be damned if I just
 sit here and let you spread outright Goddamned *lies* about the free
 software movement and the people that represent it.

GPL is just a license, hate is too strong a word for it.
We usually prefer to point out that it is not free (enough).

There are people that represent the free software movement, and
there are people that take the words of the GNU project and twist
the meanings to suit themselves.

This is what Nick illustrated, and quite nicely, I think.

 I'm not cheap. I'm not greedy. All I am after, is the freedom to use my
 computer the way I want to without Microsoft, Apple, Google, AOL, Adobe,
 Real, or other large companies being able to step in and say no you
 can't do that, it's not in our (financial) best interests to let you.
 For me, it's always been about freedom. I would think for most of the
 free software movement that truly knows what's going on, it *is* about
 freedom.

Why take it so personally? It is not GPL or GNU that is being attacked here.
There are always those that are misled or even malicious in every community.
Sometimes it is just a lack of knowledge, or being overeager to achieve the
goals. Such problems should be pointed out so that they can be fixed.

What surprises me the most is the resistance from the community to recognize
that something they did was wrong. There seems to be a lack of independent
thought, most people are blindly repeating each other without forming an
opinion themselves.

Those people that care about freedom and open source and GNU are supposed
to be an intelligent, open minded, community right? Otherwise they would
just use Windows or whatever.

 While it may be seen as distasteful to make modifications to BSD-licensed
 code, and place those modifications under the GPL or a similar share
 alike license, based upon what I understand of copyright law, it's
 perfectly legal. Even though BSD-style licenses are compatible with the
 GPL, there are perfectly acceptable social goals achieved only by
 releasing under the GPL or a similar license.

You are talking about derivative works here. Not every modification is
considered original and comprehensive enough to deserve its own copyright.

Otherwise, it would be just a matter of re-arranging and splitting code,
renaming functions and variables, and there, you have a BSD licensed gcc
(bcc?)

Think about it ...

Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.



Re: The Atheros story in much fewer words

2007-09-13 Thread Can E. Acar
Steve Szmidt wrote:
 On Thursday 13 September 2007 16:19, Theo de Raadt wrote:
   Reyk can take them to court over this, but he must do it before the
   year 2047.
 
  Except he took most of it from Sam Leffler who said it is OK to license
  under the GPL. So while it's good to see you defending your code, it was
  not entirely yours to start with.

 Reyk's work (the replacement HAL) is in separate files -- it is a
 separately copyrighted work.
 
 OK, I see that Reyk wrote it after Sam would not release it. I see that Sam 
 seemed happy to dual license it. Though it looks clear that Jiri Slaby was 
 wrong in stripping the license, which subsequently was not accepted by any 
 repository.

No, Sam's code and Reyk's code are completely different.

Sam has an open source driver and a closed source binary blob, the HAL.
Reyk reverse engineered the HAL and wrote an open source replacement.

Sam DID NOT open the HAL code, it is still a closed binary object.

Can you see now why Reyk's code is so critical?

Otherwise GPL and BSD developers have to include a binary object into the
kernel, which is out of their control. They can not fix bugs in there and
make sure it works with present and future kernels.

NetBSD had to change their *KERNEL INTERNALS* just to be compatible with
this one BLOB!: http://marc.info/?l=openbsd-misc&m=118818182531027&w=2


So, please go read Theo's messages again.
http://marc.info/?l=openbsd-misc&m=118965266709012&w=2
http://marc.info/?l=openbsd-misc&m=118963284332223&w=2

Multiple versions of wrong handling of copyrights have been done, by
several people.
All those steps have been published in public repositories. Some pulled
back, some still there.

Please do not spread incorrect information any more.

 This action does not however represent the GPL community from what I can 
 see. Stealing work from one or the other has not been evident other than some 
 people being confused as to what came from where. Which is the chicken and 
 which is the egg kind of thing.

Yes, this does NOT represent the GPL community. It is a mistake done by a
GPL project that is either clueless in terms of how copyrights work, and/or
got some bad legal advice. However, what they did is wrong, and the
situation is *still* not resolved after all this time.

What does represent the GPL community is their inability to deal with such
problems. They think that OpenBSD people defending their own copyrights are
the enemies.  They fail to see that proper respect to copyrights and
an ethical understanding and collaboration between open source projects
is vital to the survival of *their* GPL projects.

 It is generalities which has bunches of people up in arms which of course 
 happens when there is not enough specificity. It is pretty safe to say that 
 most people are honest, but where misunderstanding can occur, it will.

I have not seen one coherent response from the community that is up
in arms that hints that they understand the problem. So, this
misunderstanding looks like a common problem with the bunch.

Can


-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.



Re: ifstated.conf for pppoe

2007-09-04 Thread Can E. Acar
 anybody got an ifstated.conf they're willing to share for having 
 redundancy on their pppoe connection? example: your firewall that does 
 the pppoe goes down and you want another machine to restart the pppoe 
 session and route your network.

I don't have the configuration with me right now (and it is probably gone
since the site using it does not have adsl anymore) however the most
fun configuration I did was something like that:

two adsl links, two OpenBSD firewalls, using carp for failover.
each firewall had connections to _both_ adsl modems, so that
they can balance outgoing stuff.

The load balancing was done using multipath routing (route -multi).
The carp was used on the inner interface.

So if carp was master, I would bring UP both pppoe interfaces
if one of the pppoe connections went down, I would adjust
routing to route over the remaining session etc.

In order to make failover work smoothly, I matched the MAC
addresses on the corresponding outer interfaces of each
firewall so that they can see the same pppoe sessions,
and built the kernel with PPPOE_TERM_UNKNOWN_SESSIONS

Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.



Re: Unstable PPPoE

2007-07-27 Thread Can E. Acar
 Hello ladies and gentlemen!
 
 I'm having a frustrating problem. My internet is highly unstable when
 using bit torrent. I don't think there's anything special about my
 configuration: my gateway is a craptop with inbuilt Intel ethernet and
 a url0 USB ethernet for the modem. The connection is bridged, using pf
 (obviously) for routing / firewall and kernel PPPoE for dialing via my
 bridged netcomm nb5+.

I suspect it is a problem with your modem. Have you tried replacing it?
I have seen modems lock up on bittorrent/mule traffic. Usually bridge mode
prevents this, but I have no experience with your particular modem.

 Basically, when I try to use bit torrent the connection dies after
 about 20mins. The kernel PPPoE daemon doesn't bring it back up. In
 fact, even doing
 #sh /etc/netstart
 doesn't bring it back up. The only way to bring it back up is via a
 reboot :( 

In your case, reboot == disconnect + connect USB ethernet, it may even
reset the modem if it is powered by USB. Perhaps you can just unplug/replug
your USB ethernet cable and see if this removes the need to reboot?
It may also be a problem with the url0 ethernet driver.

 Very frustrating. It also takes about 10-15mins to
 reconnect; surely that's a bit too long, even for PPPoE?

This is expected since your ISP does not know you terminated the old
session. Thus you are waiting for it to timeout before your ISP would let
you establish a new one. You can compile a kernel with
PPPOE_TERM_UNKNOWN_SESSIONS (see pppoe(4)) to have pppoe terminate the old
session.

 I know this
 isn't a problem with my ISP as I've always been able to download bt
 stably when I was using the modem in router mode. I thought it might
 have been an MTU problem, but I'm using the mss fix in /etc/pf.conf,
 so I don't think it's that. I played around with a few values just to
 be sure, but I'm open to suggestions.

What you describe is not related to MSS/MTU

 I'll post my dmesg, /etc/pf.conf and /etc/hostname.pppoe. If there's
 anything else I should send, please let me know!

After you have tried the above suggestions, and if the problem is NOT in
url(4) driver and/or the modem you can enable debugging on the pppoe0
interface 'ifconfig pppoe0 debug' and/or use tcpdump on the ethernet
interface to examine pppoe packets. Check the archives for details.


-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.