[no subject]

2010-03-20 Thread Doug Milam
---
http://reedandink.com



Google, automation, and lack of security

2010-02-08 Thread Doug Milam
Not directly about OpenBSD, but worth reading:

http://blogs.techrepublic.com.com/security/?p=3007



XSS Verizon router exploit

2010-01-15 Thread Doug Milam
This article, http://is.gd/6k4q7, reminded me why I use OpenBSD for my router, 
however weak the exploit may be.

It also reminds me to make a donation, which I'll be doing now. I encourage 
everyone to keep supporting OpenBSD however they can!



Re: Security via the NSA?

2009-11-24 Thread Doug Milam
--Good luck verifying the mathematics yourself, though.

No small statement, that


On Sat, Nov 21, 2009 at 05:42:48PM -0500, Samuel Baldwin wrote:
> 2009/11/21 AG <computing.acco...@googlemail.com>:
>> Depends on whether one trusts the NSA or not.
>
> That's the nice thing about open source software; we don't have to,
> because we can verify their code or mathematics ourselves.

Anything can be backdoored. An agency that wants to do so would probably
be less obvious about it.

I don't know the current state of NSA mathematical research, obviously,
but it used to be THE biggest employer of mathematicians on the planet,
and there was a point when it had a considerable advance in cryptography
over about anybody else.

It's a well-documented story that the NSA suggested changes to the DES
initialisation vector before it became a standard.

Backdoor? No.

Resistance to differential cryptanalysis? You bet.

The fun thing about that is that, at that point, differential cryptanalysis
hadn't been invented... and wouldn't be for roughly ten years. For the
general public, that is.

I don't know if they still have this kind of advance. Probably less.


Good luck verifying the mathematics yourself, though.



Security via the NSA?

2009-11-21 Thread Doug Milam
Will OpenBSD be the next to be 'helped'?

http://www.npr.org/blogs/thetwo-way/2009/11/nsa_microsoft_windows_7.html



startx fails as non-root user

2009-09-25 Thread Doug Milam
I'm sorry I cannot reproduce the output here, but when I startx as a non-root 
user on my 4.5/amd64/bsd.mp box (not -stable, but the stock install), several 
errors are displayed (in paraphrase):

1. X is already running on the console -- though I have just logged in after 
a reboot.
2. Can't create /tmp/some-file -- /tmp is mounted as mfs under swap, like 
so:
   swap /tmp mfs rw,nodev,nosuid,-s=153600 0 0

There are others I cannot even remember in paraphrase, unfortunately.

That said, I have no problem with startx as root. My non-root user is already 
added to group wheel, if that is notable.

Thanks.



Re: startx fails as non-root user

2009-09-25 Thread Doug Milam
Thanks; I'll work with that. Incidentally, my use of mfs for /tmp was so that
ports would compile faster... perhaps I should stick to packages!

--- On Fri, 9/25/09, Bob Beck <b...@ualberta.ca> wrote:

> From: Bob Beck <b...@ualberta.ca>
> Subject: Re: startx fails as non-root user
> To: Doug Milam <doug_mi...@yahoo.com>
> Date: Friday, September 25, 2009, 12:57 PM
>
> Smells like permission problems on your mfs /tmp
>
>
> 2009/9/25 Doug Milam <doug_mi...@yahoo.com>:
>> I'm sorry I cannot reproduce the output here, but when I startx as a non-root
>> user on my 4.5/amd64/bsd.mp box (not -stable, but the stock install), several
>> errors are displayed (in paraphrase):
>>
>> 1. X is already running on the console -- though I have just logged in after
>> a reboot.
>> 2. Can't create /tmp/some-file -- /tmp is mounted as mfs under swap, like so:
>>    swap /tmp mfs rw,nodev,nosuid,-s=153600 0 0
>>
>> There are others I cannot even remember in paraphrase, unfortunately.
>>
>> That said, I have no problem with startx as root. My non-root user is already
>> added to group wheel, if that is notable.
>>
>> Thanks.
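An added check, not part of the thread, for the permission problem Bob points at. A memory filesystem mounted over /tmp starts with a brand-new root directory and does not inherit the 1777 mode of the /tmp directory it hides (the 0755 starting mode used below is an assumption, stated in the comments). Root can still create files there and any other user cannot, which matches the "Can't create /tmp/some-file" symptom above. The script only touches directories it creates itself.

```shell
#!/bin/sh
# Added example, not from the thread. A memory filesystem mounted over /tmp
# starts with a brand-new root directory; it does not inherit the 1777 mode of
# the /tmp directory it hides (assumption: the new root comes up as 0755, owned
# by root). Root can still create files there, any other user cannot, which is
# exactly the asymmetry reported above. The check reads the mode string from
# ls -ld rather than stat(1), whose options differ between OpenBSD and others.
#
# tmp_perms_ok DIR -> 0 if DIR is world-writable with the sticky bit (1777),
#                     1 otherwise, with the reason on stderr
tmp_perms_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    mode=$(ls -ld "$dir" | cut -c1-10)            # e.g. drwxrwxrwt
    case $(printf '%s' "$mode" | cut -c8-10) in   # the "others" triple
        rwt) return 0 ;;
        rwx) echo "$dir ($mode): world-writable but no sticky bit, so any user can remove" \
                  "other users' files; fix with chmod 1777 $dir" >&2
             return 1 ;;
        *)   echo "$dir ($mode): not world-writable, so unprivileged users cannot create" \
                  "files here; fix with chmod 1777 $dir" >&2
             return 1 ;;
    esac
}

# Demonstration on constructed directories; the real /tmp is not touched.
demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/fresh" && chmod 0755 "$demo/fresh"   # assumed state of a new mfs root
mkdir "$demo/fixed" && chmod 1777 "$demo/fixed"   # after chmod 1777
tmp_perms_ok "$demo/fresh" || echo "fresh: this is the state that breaks startx for non-root users"
tmp_perms_ok "$demo/fixed" && echo "fixed: ok"
```

Run it against the real directory with `tmp_perms_ok /tmp` after the mfs is mounted; if it complains, a `chmod 1777 /tmp` after mount (or before X is started) is the fix it suggests.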



Re: dhcpd and net.inet.ip.mforwarding / multipath

2009-09-15 Thread Doug Milam
Thanks very much. I'm trying to keep it as simple as possible, and yet I'm 
wondering too about multiple NICs... another post.


--- On Tue, 9/15/09, Josh Hoppes <josh.hop...@gmail.com> wrote:

> From: Josh Hoppes <josh.hop...@gmail.com>
> Subject: Re: dhcpd and net.inet.ip.mforwarding / multipath
> To: Doug Milam <doug_mi...@yahoo.com>
> Cc: Misc OpenBSD <misc@openbsd.org>
> Date: Tuesday, September 15, 2009, 2:07 AM
>
> mforwarding is for multicast forwarding and multipath is to enable
> multiple paths for the same destination network segment.
>
> On Mon, Sep 14, 2009 at 5:08 PM, Doug Milam <doug_mi...@yahoo.com> wrote:
>> Hello,
>>
>> I want to be sure that the following two sysctl variables are not needed
>> for a basic internet router/gateway with NAT:
>>
>> net.inet.ip.mforwarding
>> net.inet.ip.multipath
>>
>> I've already enabled:
>>
>> net.inet.ip.forwarding
>>
>> Perhaps the first two are needed for 'exotic' services like Bonjour, etc.?
>>
>> Thanks,
>> Doug



dhcpd and net.inet.ip.mforwarding / multipath

2009-09-14 Thread Doug Milam
Hello,

I want to be sure that the following two sysctl variables are not needed for a 
basic internet router/gateway with NAT:

net.inet.ip.mforwarding
net.inet.ip.multipath

I've already enabled: 

net.inet.ip.forwarding

Perhaps the first two are needed for 'exotic' services like Bonjour, etc.?

Thanks,
Doug



Re: Turning off sendmail

2008-11-15 Thread Doug Milam
and it only seems to take up about 1 MB of memory, which is far less than I
thought.

having experimented with turning it off via sendmail_flags=NO, I don't notice
any performance gain.

thanks everyone!


--- On Fri, 11/14/08, Chris Kuethe [EMAIL PROTECTED] wrote:

> From: Chris Kuethe [EMAIL PROTECTED]
> Subject: Re: Turning off sendmail
> To: [EMAIL PROTECTED]
> Date: Friday, November 14, 2008, 9:55 AM
>
> it's unwise because you won't get the daily security mails. it's
> unnecessary because it only listens on localhost.
>
> On Fri, Nov 14, 2008 at 8:31 AM, Doug Milam [EMAIL PROTECTED] wrote:
>> To cut down on services I don't use, I'd like to disable sendmail, unless
>> this is unwise. If so, I'd like to know why. Thanks.
>
> --
> GDB has a 'break' feature; why doesn't it have 'fix' too?



Turning off sendmail

2008-11-14 Thread Doug Milam
To cut down on services I don't use, I'd like to disable sendmail, unless this 
is unwise. If so, I'd like to know why. Thanks.



SSL error

2008-11-05 Thread Doug Milam
I've followed the SSL instructions in the FAQ,
http://www.openbsd.org/faq/faq10.html#HTTPS, but I get the following error in
Firefox (other browsers don't work either):

SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

PF allows connections to port 443, and the IfDefine segment of my httpd.conf
is enabled to listen on this port. -DSSL is enabled in rc.conf.local.

Ideas? I'm out.

Thanks,
Doug


* *

http://milam.homeunix.net



Re: Perpetually Current

2008-11-02 Thread Doug Milam
I'm also fairly new to OpenBSD. As I understand from this thread, having
installed -current (4.4) from a snapshot CD, the easiest way to keep -current
is to burn a subsequent snapshot to a CD and follow the upgrade process from
there? 



Re: Perpetually Current

2008-11-02 Thread Doug Milam
Thanks; that's straightforward and refreshingly more direct than I thought. A 
hallmark of OpenBSD!


* *

http://milam.homeunix.net

--- On Sun, 11/2/08, Tobias Ulmer [EMAIL PROTECTED] wrote:
From: Tobias Ulmer [EMAIL PROTECTED]
Subject: Re: Perpetually Current
To: Doug Milam [EMAIL PROTECTED]
Cc: Misc OpenBSD misc@openbsd.org
Date: Sunday, November 2, 2008, 3:04 PM

On Sun, Nov 02, 2008 at 01:39:04PM -0800, Doug Milam wrote:
> I'm also fairly new to OpenBSD. As I understand from this thread, having
> installed -current (4.4) from a snapshot CD, the easiest way to keep -current
> is to burn a subsequent snapshot to a CD and follow the upgrade process from
> there?

Boot bsd.rd and update, just make sure you select the snapshots dir.
There are more ways to do it, however this one is fairly safe.



NSA Resources For Rapid Targeting and Routing Analysis

2008-09-19 Thread Doug Milam
Coincidence?

Subject: NSA Resources For Rapid Targeting and Routing Analysis
Date: Sat,  2 Jun 2007 08:53:31 +0200 (CEST)

In order to send ICMP or TCP packets (or spoofed UDP packets), pinging for
rapid acquisition and analysis of a target IP's packet traffic routing data
at the Internet IXP-level, NSA has primarily used, starting earlier than early
2006, the following IP ranges, with identification information where
available, for initial rapid target pings. Other resources for subsequent
tracking of a target's IP packet traffic have been previously reported via
Cryptome.org.

NetRange:   216.218.128.0 - 216.218.255.255
CIDR:   216.218.128.0/17
Hurricane Electric
760 Mission Court
Fremont CA 94539
US
DNS:
ns3.he.net [216.218.132.2]sandy.thehideout.net.
ns2.he.net [216.218.131.2]sandy.thehideout.net
ns1.he.net [216.218.130.2]sandy.thehideout.net. 
Previously, while using the name of FAST COLOCATION SERVICES, with an address
in Wasilla AK (Alaska), USA; DNS was:
sandy2.thehideout.net [72.52.64.32]
sandy.thehideout.net [72.52.64.32]


* *
The most dangerous man, to any government, is the man who is able to think 
things out for himself, without regard to the prevailing superstitions and 
taboos.  --Mencken



Re: NSA Resources For Rapid Targeting and Routing Analysis

2008-09-19 Thread Doug Milam
On Fri, Sep 19, 2008 at 10:12 AM, Ted Unangst [EMAIL PROTECTED] wrote:
> On Fri, Sep 19, 2008 at 12:38 PM, Doug Milam [EMAIL PROTECTED] wrote:
>> Subject: NSA Resources For Rapid Targeting and Routing Analysis
>> Date: Sat,  2 Jun 2007 08:53:31 +0200 (CEST)
>>
>> In order to send ICMP or TCP packets (or spoofed UDP packets), pinging for
>> rapid acquisition and analysis of a target IP's packet traffic routing data
>> at the Internet IXP-level, NSA has primarily used, starting earlier than
>> early 2006, the following IP ranges, with identification information where
>> available, for initial rapid target pings. Other resources for subsequent
>> tracking of a target's IP packet traffic have been previously reported via
>> Cryptome.org.
>
> Can somebody please translate that into normal?

sure:

The government is out to get us all.  Put on your tinfoil hat and
prepare for the revolution!
The Republicans/Illuminati/Freemasons are coming from Wasilla AK

-B

They always said the internet was a hostile place.


* *
The most dangerous man, to any government, is the man who is able to think 
things out for himself, without regard to the prevailing superstitions and 
taboos.  --Mencken



Re: Stop in line 73 of Makefile

2008-09-08 Thread Doug Milam
Anything I can do short of re-installing from a CD? I was able to rebuild the 
kernel successfully...

* *

The most dangerous man, to any government, is the man who is able to think 
things out for himself, without regard to the prevailing superstitions and 
taboos.  --Mencken

--- On Mon, 9/8/08, Marc Espie [EMAIL PROTECTED] wrote:
From: Marc Espie [EMAIL PROTECTED]
Subject: Re: Stop in line 73 of Makefile
To: Doug Milam [EMAIL PROTECTED]
Cc: Philip Guenther [EMAIL PROTECTED], Misc OpenBSD misc@openbsd.org
Date: Monday, September 8, 2008, 7:42 AM

On Sun, Sep 07, 2008 at 08:52:54PM -0700, Doug Milam wrote:
> Thanks; I had never set or changed any flags until a few days ago, in
> trying to 'fix' this issue. Perhaps someone compromised the system via
> FTP (ftpd was running only anonymously), or via HTTP.
>
> * *

Sorry to be harsh, but it's most likely to be your own fuck-up.

Most people with strangely behaving systems usually have done something wrong,
like running a too old kernel with old binaries, or having something out
of synch.

Jumping to conclusions and blaming unknown pirates is way simpler than
looking for the fault in yourself...



Stop in line 73 of Makefile

2008-09-07 Thread Doug Milam
Performing 'make build' as root...there is no 'schg' flag on /bin/chgrp

===> bin/chmod
install -c -s -o root -g bin  -m 555 chmod /bin/chmod
strip: Bad address
(cd /usr/sbin;  ln -sf ../../sbin/chown .;  ln -sf ../../bin/chgrp .)
(cd /usr/bin;  ln -sf ../../bin/chmod chflags)
install -c -o root -g bin -m 444 chmod.cat1 /usr/share/man/cat1/chmod.0
install -c -o root -g bin -m 444 chgrp.cat1 /usr/share/man/cat1/chgrp.0
install -c -o root -g bin -m 444 chown.cat8 /usr/share/man/cat8/chown.0
install -c -o root -g bin -m 444 chflags.cat1 /usr/share/man/cat1/chflags.0
/bin/chgrp -> /bin/chmod
rm: /bin/chgrp: Operation not permitted
*** Error code 1

Stop in /usr/src/bin/chmod (line 134 of /usr/share/mk/bsd.prog.mk).
*** Error code 1

Stop in /usr/src/bin (line 48 of /usr/share/mk/bsd.subdir.mk).
*** Error code 1

Stop in /usr/src (line 48 of /usr/share/mk/bsd.subdir.mk).
*** Error code 1

Stop in /usr/src (line 73 of Makefile).


* *

The most dangerous man, to any government, is the man who is able to think
things out for himself, without regard to the prevailing superstitions and
taboos.  --Mencken



Re: Stop in line 73 of Makefile

2008-09-07 Thread Doug Milam
Thanks; I had never set or changed any flags until a few days ago, in trying to 
'fix' this issue. Perhaps someone compromised the system via FTP (ftpd was 
running only anonymously), or via HTTP. 

* *

The most dangerous man, to any government, is the man who is able to think 
things out for himself, without regard to the prevailing superstitions and 
taboos.  --Mencken

--- On Sun, 9/7/08, Philip Guenther [EMAIL PROTECTED] wrote:
From: Philip Guenther [EMAIL PROTECTED]
Subject: Re: Stop in line 73 of Makefile
To: [EMAIL PROTECTED]
Cc: Misc OpenBSD misc@openbsd.org
Date: Sunday, September 7, 2008, 12:32 PM

On Sun, Sep 7, 2008 at 9:18 AM, Doug Milam [EMAIL PROTECTED] wrote:
> Performing 'make build' as root...there is no 'schg' flag on /bin/chgrp
>
> ===> bin/chmod
> install -c -s -o root -g bin  -m 555 chmod /bin/chmod
> strip: Bad address

Umm, that's not an expected error from 'strip' during install.  Your
system appears to suffer all sorts of oddball failures.


> rm: /bin/chgrp: Operation not permitted

unlink(/bin/chgrp) is returning EPERM.  Either you're installing to
an unusual file system, or the /bin/chgrp file has flags set (you say
no schg, but what about uchg, uappnd, or sappnd?), or your rm binary
is broken/hacked, or your running kernel is broken/hacked.

IMHO, the only way to be sure you have a good system at this point is
to reinstall from scratch via an actual CD.  You never said whether
you found who had used the chflags command on /bsd.  If the answer was
"don't know who", then consider that you're running a system that has
had root-level changes made that you can't explain and therefore can't
trust, and then ask yourself why you *haven't* already reinstalled
from a CD.


Philip Guenther



Re: Stop in line 888 of Makefile

2008-09-06 Thread Doug Milam
ln /bsd /obsd worked after changing to noschg and rebuilding under 
securelevel -1. 

* *

The most dangerous man, to any government, is the man who is able to think 
things out for himself, without regard to the prevailing superstitions and 
taboos.  --Mencken

--- On Thu, 9/4/08, Doug Milam [EMAIL PROTECTED] wrote:
From: Doug Milam [EMAIL PROTECTED]
Subject: Re: Stop in line 888 of Makefile
To: Misc OpenBSD misc@openbsd.org
Date: Thursday, September 4, 2008, 8:09 PM

It does not, no

> Doug Milam wrote:
>> ln: /obsd: Operation not permitted
>> *** Error code 1
>>
>> Stop in /usr/src/sys/arch/i386/compile/GENERIC (line 888 of Makefile).
>>
>> --running as root
>>
>
> Does make install work when run outside of your script?
>
> Tom



Stop in line 888 of Makefile

2008-09-04 Thread Doug Milam
ln: /obsd: Operation not permitted
*** Error code 1

Stop in /usr/src/sys/arch/i386/compile/GENERIC (line 888 of Makefile).

--running as root



Re: Stop in line 888 of Makefile

2008-09-04 Thread Doug Milam
I have not set an immutable flag, but the current flag is schg for /bsd

> On Thu, Sep 04, 2008 at 08:01:35AM -0700, Doug Milam wrote:
>> ln: /obsd: Operation not permitted
>> *** Error code 1
>>
>> Stop in /usr/src/sys/arch/i386/compile/GENERIC (line 888 of Makefile).
>>
>> --running as root
>
> Have you ever set an immutable flag? (ls -lo /bsd /nbsd /obsd)
>
> Kind regards,
>
> Hannah.
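An added example, not from the thread, covering the flag questions raised here (Hannah's `ls -lo`) and in the "Stop in line 73 of Makefile" thread (Philip's uchg, uappnd and sappnd). It parses `ls -lo` output and reports which files carry flags and whether the flag is one of the system flags that securelevel 1 keeps even root from clearing, which is the situation the poster got out of by going to securelevel -1. The `ls -lo` lines are constructed, not output from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread. On OpenBSD, ls -lo prints the file flags
# between the group and the size ("-" when none are set). schg and sappnd are
# system flags: per securelevel(7) they cannot be removed while the kernel runs
# at securelevel 1 or higher, which is why the poster had to drop to
# securelevel -1 before the install step could replace /obsd. uchg and uappnd
# are the user flags and can be cleared by the owner or root at any securelevel.
#
# report_flags < ls-lo-output -> "name<TAB>flags=...<TAB>how to clear" per flagged file
report_flags() {
    # ls -lo fields: mode links owner group flags size month day time name
    while read -r mode links owner group flags size mon day tm name; do
        case $mode in [-dlcbps]*) ;; *) continue ;; esac   # skip "total N"
        [ "$flags" = "-" ] && continue
        how="user flag, clearable by owner or root at any securelevel"
        case ",$flags," in
            *,schg,*|*,sappnd,*) how="system flag, needs securelevel 0 or -1 to clear" ;;
        esac
        printf '%s\tflags=%s\t%s\n' "$name" "$flags" "$how"
    done
}

# Constructed ls -lo output (not from the poster's machine).
SAMPLE_LS='total 21600
-rwxr-xr-x  1 root  wheel  schg         7348660 Sep  4 08:01 /bsd
-rwxr-xr-x  1 root  wheel  -            7351236 Sep  4 08:01 /nbsd
-rwxr-xr-x  1 root  wheel  uchg,uappnd  7340120 Aug 24 22:10 /obsd
-r-xr-xr-x  2 root  bin    -               9876 Aug 24 22:10 /bin/chgrp'

flagged() { printf '%s\n' "$SAMPLE_LS" | report_flags; }
flagged
```

On a real box, pipe `ls -lo /bsd /obsd /bin/*` into `report_flags`; a flag you did not set yourself on a base-system binary is exactly the unexplained root-level change Philip says should prompt a reinstall from known-good media.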



Re: Stop in line 888 of Makefile

2008-09-04 Thread Doug Milam
It does not, no

> Doug Milam wrote:
>> ln: /obsd: Operation not permitted
>> *** Error code 1
>>
>> Stop in /usr/src/sys/arch/i386/compile/GENERIC (line 888 of Makefile).
>>
>> --running as root
>>
>
> Does make install work when run outside of your script?
>
> Tom



Re: ln: /obsd: Operation not permitted

2008-08-25 Thread Doug Milam
Thanks; that was my best guess since these commands are part of a shell script. 
In any case, this script was run as root (not merely using sudo).


--- On Sun, 8/24/08, Philip Guenther [EMAIL PROTECTED] wrote:

> From: Philip Guenther [EMAIL PROTECTED]
> Subject: Re: ln: /obsd: Operation not permitted
> To: [EMAIL PROTECTED]
> Cc: Misc OpenBSD misc@openbsd.org
> Date: Sunday, August 24, 2008, 10:36 PM
>
> On Sun, Aug 24, 2008 at 10:26 PM, Doug Milam [EMAIL PROTECTED] wrote:
>> The following error occurs after the command
>>
>> cd /usr/src/sys/arch/i386/compile/GENERIC;
>> make clean && make depend && make
>>
>> ln /bsd /obsd
>> ln: /obsd: Operation not permitted
>> *** Error code 1
>
> You *sure* that was the command you invoked?  That looks like the
> result of doing make install as non-root.
>
>
> Philip Guenther



ln: /obsd: Operation not permitted

2008-08-24 Thread Doug Milam
The following error occurs after the command

 cd /usr/src/sys/arch/i386/compile/GENERIC;
 make clean && make depend && make

ln /bsd /obsd
ln: /obsd: Operation not permitted
*** Error code 1

Ideas/suggestions welcome, thanks.



Re: Blosxom (cgi/perl)

2008-06-03 Thread Doug Milam
Thanks! That makes sense, although I'm not familiar with creating dev and null 
-- for what exactly?

Jean Raby [EMAIL PROTECTED] wrote:

On Tue, Jun 3, 2008 at 5:30 PM, Doug Milam wrote:
> Wondering if anyone has had any luck running the Perl blog Blosxom on their
> OpenBSD web server. I realize it's largely a matter of getting Perl in
> general to work within the chroot, but aside from this, any specific success
> with this program?


Hello,

I am (or at least was) running blosxom here, on current,
no problem at all aside from getting perl binaries in the chroot AND
creating various devices in the chroot.
(zero and null, if my memory is right)


bye

--
Jean
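An added check, not from the thread, for the device nodes Jean mentions. A perl CGI started by the chrooted httpd resolves /dev/null and /dev/zero inside the chroot, so both have to exist there as character devices; a plain file that a stray shell redirection created under that name is a classic way to get the path to exist but still break scripts. `check_chroot_devs` verifies this for a given root. The empty tree it tests against is constructed, and the /var/www chroot path in the usage note is an assumption about the poster's setup.

```shell
#!/bin/sh
# Added example, not from the thread. A perl script run by the chrooted httpd
# sees the chroot's /dev, not the system's, so /dev/null and /dev/zero have to
# exist inside it (Jean's "various devices"). check_chroot_devs verifies they
# are present and are character devices rather than ordinary files that a
# stray shell redirection may have created.
#
# check_chroot_devs ROOT -> 0 if ROOT/dev/null and ROOT/dev/zero are device nodes,
#                           1 otherwise, listing what is wrong on stderr
check_chroot_devs() {
    root=${1%/}; missing=0            # strip a trailing slash so "/" works too
    for dev in null zero; do
        node="$root/dev/$dev"
        if [ -c "$node" ]; then
            echo "$node: ok"
        elif [ -e "$node" ]; then
            echo "$node: exists but is not a character device" >&2; missing=1
        else
            echo "$node: missing" >&2; missing=1
        fi
    done
    return $missing
}

# The real root has the nodes; a constructed empty tree (standing in for a
# freshly populated chroot) does not.
check_chroot_devs /
empty_root=$(mktemp -d) || exit 1
trap 'rm -rf "$empty_root"' EXIT
mkdir "$empty_root/dev"
: > "$empty_root/dev/null"            # the classic mistake: a plain file named null
check_chroot_devs "$empty_root" || echo "chroot needs real device nodes under dev/"
```

Run `check_chroot_devs /var/www` (assuming that is the chroot) after populating it. The nodes themselves are created with mknod(8) or the MAKEDEV script; take the major and minor numbers from `ls -l /dev/null /dev/zero` on the same machine rather than from another platform, since they differ.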



Great OS, thanks

2008-01-06 Thread Doug Milam
Hi,

Merely a note of thanks to the entire OpenBSD team and community for providing
a stellar OS. Today I switched my webserver to running on OpenBSD 4.2 and am
very pleased that an audited httpd is part of the system. Setting this up and
an FTP server has always been a bit of a chore...until now. I'm very glad also
that ftpd works so well and is as secure as any ftp daemon can be. It's great not
to rely on third-party tools here.

The OS does what I want while remaining clean and uncluttered. Keep up the good 
work!

Regards,
Doug Milam



   


pf: antispoofing and LANs

2007-12-04 Thread Doug Milam
Hello,

From reading the documentation, I couldn't quite tell where the antispoofing
rule should fall in a pf ruleset.

Is this syntax correct? I thought I'd be able to access another LAN machine
freely via ssh (I've already tested that ssh does work without a firewall), but
I cannot.

table <lan> { 192.168.0.0/24 }

block all
antispoof for $ext_if
pass in quick on $ext_if from <lan> to $ext_if
pass out quick on $ext_if from $ext_if to <lan>

Thanks,
DM


--
Be aware. Stay present. Speak honestly.
   



Passive ftp problem: 425 error

2007-11-29 Thread Doug Milam
Greetings,

I'm having trouble getting FTP to work in passive mode. (I've set the machine 
up as an FTP server).

I can connect in active mode, with a PORT connection, but I'm seeing a 425 
error (can't open passive connection; can't assign requested address) for 
passive attempts.

The FTP server is 'self-protected' by pf and I've got one high port assigned in 
addition to 21, of course. I chose to restrict the high port to one port rather 
than a range. I've also set this in sysctl.conf.

The machine also sits on a LAN behind a router which currently only allows in 
port 21, but allows out everything.

Suggestions welcome! 


--
Be aware. Stay present. Speak honestly.
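An added example, not from the thread, of what the passive-mode exchange asks of the firewalls in the path. In passive mode the server, not the client, picks the data port and announces it in its 227 reply as (h1,h2,h3,h4,p1,p2), with the port encoded as p1*256+p2; the client then opens a second connection to that port. So the router in front of the server has to pass that port inbound just as it passes 21, and the port ftpd picks has to fall inside whatever range pf (and the sysctl range mentioned above) allows. The functions decode a 227 reply and check the announced port against an allowed range; the replies are constructed and 50000 is a placeholder for whichever high port was chosen.

```shell
#!/bin/sh
# Added example, not from the thread. In passive mode the server announces the
# data port in its 227 reply as (h1,h2,h3,h4,p1,p2), port = p1*256 + p2, and the
# client connects to it. Every filter between client and server has to let that
# port in, so a router forwarding only port 21 stops passive transfers even when
# pf on the server is right.
#
# pasv_port '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> prints "host port"
pasv_port() {
    # Keep only the comma-separated tuple between the parentheses.
    tuple=${1#*"("}; tuple=${tuple%%")"*}
    oldifs=$IFS; IFS=,; set -- $tuple; IFS=$oldifs
    [ $# -eq 6 ] || { echo "malformed 227 reply" >&2; return 2; }
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# pasv_port_allowed REPLY LOW HIGH -> 0 if the announced port lies in [LOW,HIGH]
pasv_port_allowed() {
    hp=$(pasv_port "$1") || return 2
    port=${hp#* }
    if [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]; then
        echo "port $port: inside the $2-$3 range the firewall passes"; return 0
    fi
    echo "port $port: outside the $2-$3 range the firewall passes; the data connection will be dropped" >&2
    return 1
}

# Constructed sample replies (not captured from the poster's server); 50000 is
# a placeholder for the single high port the poster chose.
REPLY_OK='227 Entering Passive Mode (192,168,0,10,195,80)'    # 195*256+80 = 50000
REPLY_BAD='227 Entering Passive Mode (192,168,0,10,234,21)'   # 234*256+21 = 59925
pasv_port "$REPLY_OK"
pasv_port_allowed "$REPLY_OK" 50000 50000 || :
pasv_port_allowed "$REPLY_BAD" 50000 50000 || :
```

To use it on a live session, paste the 227 line the server sent (visible with `ftp -d` or in the client's debug output) and the low and high ends of the range pf and the router pass; a mismatch between the announced port and that range is the first thing to rule out before looking at the server itself.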
   