radius client /NAS server for OpenBSD
Hi,

I am looking for a RADIUS client/NAS server that can glean accounting info like packets/bytes transferred, time connected and even kick users who exceed a threshold. I know that freeradius is in ports but I don't see any RADIUS client/NAS port.

Any ideas?

-Girish
relayd(8) transparent proxy does not work!
Hi Misc,

Perhaps I am doing something silly but I rather want to get relayd working with a simple HTTP transparent proxy. No SSL.

My relayd.conf:

relay transdivertproxy {
	listen on 127.0.0.1 port 8080
	transparent forward to destination interface re0
}

My pf.conf:

pass in on egress inet proto tcp from 192.168.2.12 to any port http divert-to 127.0.0.1 port 8080
pass out on egress inet proto tcp from 192.168.2.12 to any port http divert-reply

And relayctl show sessions shows that the session is running. But lynx is just hanging. And tcpdump shows packets going back and forth but the TCP handshake does not go thro'..

What am I doing wrong?

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
Re: relayd(8) transparent proxy does not work!
By any chance did I hit this bug? I hope not:

http://openbsd.7691.n7.nabble.com/using-relayd-in-transparent-mode-td35424.html

On Tue, Apr 9, 2013 at 6:22 PM, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> Hi Misc,
>
> Perhaps I am doing something silly but I rather want to get relayd working with a simple HTTP transparent proxy. No SSL.
>
> [quoted relayd.conf, pf.conf and question as in the original post above]

--
Gayatri Hitech
http://gayatri-hitech.com
replacement for transproxy?
Hi Misc,

I see the transproxy port has been removed in 5.2. I thought relayd(8) could do instead, but then I want relayd to forward the HTTP request to tinyproxy and not directly proxy to the web server.

What is the way out? Does relayd support transparent proxying to tinyproxy?

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
Re: vlc and udp multicast
On Sun, Jan 6, 2013 at 10:27 AM, Erling Westenvik <erling.westen...@gmail.com> wrote:
> It's been more than a year since my last unsuccessful attempt to sync music between OpenBSD machines running vlc 0.8.6, but since vlc in ports now is at 2.0.4, I've decided to give it another try.

Good idea. ;)

> First I start a server instance of vlc on some machine:
>
> $ vlc -d stream --sout #standard{access=udp,mux=ts,dst=239.255.12.42}
>
> and then I start a client instance of vlc on the same machine:
>
> $ vlc -d udp://@239.255.12.42 --control netsync --netsync-master-ip ip
>
> and I get sound on that machine. However, when I try to start a similar client instance of vlc on another machine, I get no sound on that machine. I get the feeling that I'm missing out something about multicast, but what? Routing table entries? Special pf-rules? What?

Perhaps multicast_host=YES in /etc/rc.conf.local

> Finally: I have no problems running a vlc server instance with multiple clients on different machines when using http encapsulation, but they won't sync properly.

HTTP is not a good streaming protocol though many radio stations seem to use it nevertheless. RTSP is better.

> Ideas are appreciated!
>
> (stream and ip above, are references to local definitions)

Though I have never tried your setup I wish to ask this: Why not mplayer or ffmpeg? Why vlc? Even live555 will work.

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
Re: serial over USB
Also try turning off hardware flow control

On Thu, Jan 3, 2013 at 6:46 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2013-01-02, Jan Stary <h...@stare.cz> wrote:
>> This is 5.2/i386 on an IBM Thinkpad T40. As this laptop does not have a serial port, I bought me this USB-to-serial gizmo:
>
> There is a real serial port, but no standard de9 connector on the main laptop, it's only available via the dock interface.
>
>> Now from this Thinkpad, I try to connect with
>>
>> cu -l /dev/cuaU0 -38400
>>
>> That say 'Connected', but nothing else happens. I can see a garbled login screen such as
>>
>> kXKMr/i386 (gw.stare.cz) (tty00) login: -i
>>
>> I usually see something like that with a wrong baudrate.
>
> You won't have usable chars like this if the baud rate is wrong.
>
>> What kind of problem is this? Faulty/incomplete null modem cable?
>
> (do you have at least pins 2/3/5 connected? sometimes it helps to *only* have 2/3/5 connected.)
>
>> Faulty USB-to-RS232 adapter?
>
> Have you tried the USB/RS232 and null modem connected to some other computer? (you can just run cu on both sides and type, it won't echo locally but you should see text from the other side)
>
>> Can my ucom do 38400? How do I find out? Would it make sense to try other baudrates (on both the ALIX and my end, obviously)?
>
> Doubtful, but you could try it.
>
>> Is anybody using an USB-to-serial connection to an ALIX?
>
> Yes.

--
Gayatri Hitech
http://gayatri-hitech.com
Re: Best postscript printer with network support?
I mean to print with a2ps on TCP port 515 with LPD...

On Thu, Dec 27, 2012 at 4:28 PM, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> I want to print from my OpenBSD machines on the ethernet LAN. I asked HP and Epson but did not get a good response. I want to avoid HP.
>
> I want basic printing with Postscript ability over the network. Also good value for money. I don't think I should spend more than 300$.
>
> Are there any recommendations? Or can we make do with HP's PCL on port 9100? Will this work well on OpenBSD?
>
> -Girish

--
Gayatri Hitech
http://gayatri-hitech.com
Re: X issues with Intel HD 2000 graphics card on ASUS P8 H61 mobo
On Wed, Dec 26, 2012 at 12:00 AM, Beni <navig...@grindcore.ch> wrote:
> Yep, this sounds exactly like the problem I ran into. The -configure option segfaults before it writes a working configuration. So you need to write it yourself. Using the xorg.conf.new file won't work because it doesn't come into existence.

No, in my case xorg.conf.new is written but the segfault happens *after* it is written.

> Make sure you change the resolutions in the Xorg file to something supported by your monitor. And depending on the monitor you might need a monitor section in your Xorg. This takes quite some fiddling to get the settings right for your hardware and whenever it doesn't work you need to reboot because you can't switch back to the console.

Well the keyboard stops working and I am sure the whole machine is hung, I even suspect a kernel panic; anyway this does not logically make sense. Monitor resolution change cannot undo a kernel panic...

> Maybe you could post a Xorg log where you don't provide a non existent config file. Does it segfault then, too? It didn't for me. I started with:
>
> # X -config xorg.conf.new

and it won't segfault but kernel panic. ;) segfault is better since you get the machine to work with. Not with xdm or X in which case the machine just hangs.

> What I didn't try yet but I'm considering it: Compiling and installing current. Because the whole switching-back-to-console thing is said to be fixed there. (Can't give you the link right now - I'm on very slow rural area mobile web)

I got the upstream current source thro' CVSup but the Xenocara compile would break. Perhaps I am doing something wrong. I am going to switch back to -stable and get a backtrace to Mathieu.

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
Re: X issues with Intel HD 2000 graphics card on ASUS P8 H61 mobo
bump

Should I dump my newly purchased hardware? ;)

-Girish

On Sat, Dec 22, 2012 at 7:56 AM, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> Here is the dmesg and Xorg. Machine crashes if you run X and I have to cold reboot.
>
> --dmesg---
>
> OpenBSD 5.2 (GENERIC) #0: Thu Dec 20 16:46:58 IST 2012
>     r...@latest.gayatri-hitech.com:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Pentium(R) CPU G620 @ 2.60GHz (GenuineIntel 686-class) 2.60 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,NXE,LONG,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,XSAVE,LAHF
> real mem  = 3438231552 (3278MB)
> avail mem = 3371216896 (3215MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 10/11/11, SMBIOS rev. 2.7 @ 0xe94b0 (94 entries)
> bios0: vendor American Megatrends Inc. version 0504 date 07/31/2012
> bios0: ASUSTeK COMPUTER INC. P8H61-M LX R2.0
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S3 S4 S5
> acpi0: tables DSDT FACP APIC MCFG HPET SSDT SSDT SSDT BGRT
> acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) P0P1(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) RP07(S4) PXSX(S4) RP08(S4) PEGP(S4) PEG0(S4) PEG1(S4) PEG2(S4) PEG3(S4) GLAN(S4) EHC1(S4) EHC2(S4) HDEF(S4) PWRB(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 99MHz
> cpu at mainbus0: not configured
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
> acpimcfg0 at acpi0 addr 0xf800, bus 0-63
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (P0P1)
> acpiprt2 at acpi0: bus 2 (RP01)
> acpiprt3 at acpi0: bus -1 (RP02)
> acpiprt4 at acpi0: bus 3 (RP03)
> acpiprt5 at acpi0: bus -1 (RP04)
> acpiprt6 at acpi0: bus -1 (RP05)
> acpiprt7 at acpi0: bus -1 (RP06)
> acpiprt8 at acpi0: bus -1 (RP07)
> acpiprt9 at acpi0: bus -1 (RP08)
> acpiprt10 at acpi0: bus 1 (PEG0)
> acpiprt11 at acpi0: bus -1 (PEG1)
> acpiprt12 at acpi0: bus -1 (PEG2)
> acpiprt13 at acpi0: bus -1 (PEG3)
> acpiec0 at acpi0: Failed to read resource settings
> acpicpu0 at acpi0: C3, C2, C1, PSS
> acpipwrres0 at acpi0: FN00
> acpipwrres1 at acpi0: FN01
> acpipwrres2 at acpi0: FN02
> acpipwrres3 at acpi0: FN03
> acpipwrres4 at acpi0: FN04
> acpitz0 at acpi0: critical temperature is 103 degC
> acpitz1 at acpi0: critical temperature is 103 degC
> acpibat0 at acpi0: BAT0 not present
> acpibat1 at acpi0: BAT1 not present
> acpibat2 at acpi0: BAT2 not present
> acpibtn0 at acpi0: PWRB
> acpibtn1 at acpi0: LID0
> acpivideo0 at acpi0: GFX0
> acpivout0 at acpivideo0: DD02
> bios0: ROM list: 0xc/0xe400
> cpu0: Enhanced SpeedStep 2595 MHz: speeds: 2600, 2500, 2400, 2300, 2200, 2100, 2000, 1900, 1800, 1700, 1600 MHz
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 Intel Core 2G Host rev 0x09
> ppb0 at pci0 dev 1 function 0 Intel Core 2G PCIE rev 0x09: apic 2 int 16
> pci1 at ppb0 bus 1
> vga1 at pci0 dev 2 function 0 Intel HD Graphics 2000 rev 0x09
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> intagp0 at vga1
> agp0 at intagp0: aperture at 0xe000, size 0x1000
> inteldrm0 at vga1: apic 2 int 16
> drm0 at inteldrm0
> Intel 6 Series MEI rev 0x04 at pci0 dev 22 function 0 not configured
> ehci0 at pci0 dev 26 function 0 Intel 6 Series USB rev 0x05: apic 2 int 23
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
> azalia0 at pci0 dev 27 function 0 Intel 6 Series HD Audio rev 0x05: msi
> azalia0: codecs: Realtek/0x0887
> audio0 at azalia0
> ppb1 at pci0 dev 28 function 0 Intel 6 Series PCIE rev 0xb5: apic 2 int 16
> pci2 at ppb1 bus 2
> ppb2 at pci0 dev 28 function 2 Intel 6 Series PCIE rev 0xb5: apic 2 int 18
> pci3 at ppb2 bus 3
> re0 at pci3 dev 0 function 0 Realtek 8168 rev 0x06: RTL8168E/8111E-VL (0x2c80), apic 2 int 18, address 30:85:a9:b1:6f:af
> rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 5
> ehci1 at pci0 dev 29 function 0 Intel 6 Series USB rev 0x05: apic 2 int 23
> usb1 at ehci1: USB revision 2.0
> uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
> pcib0 at pci0 dev 31 function 0 Intel H61 LPC rev 0x05
> pciide0 at pci0 dev 31 function 2 Intel 6 Series SATA rev 0x05: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
> pciide0: using apic 2 int 19 for native-PCI interrupt
> wd0 at pciide0 channel 0 drive 0: ST3250312AS
> wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
> ichiic0 at pci0 dev 31 function 3 Intel 6 Series SMBus rev 0x05: apic 2 int 18
> iic0 at ichiic0
> iic0: addr 0x20 01=00 02=00 03=00 04=00 05=00 06=00 07=e8 08=e8 09=e8 0a=e8 0b=22 0c=22 0d=88 0e=88 0f=00 10=00 11=00 12=80 13=04 14=00 15=00 16=0d
Re: X issues with Intel HD 2000 graphics card on ASUS P8 H61 mobo
On Tue, Dec 25, 2012 at 12:58 AM, Beni <navig...@grindcore.ch> wrote:
> I think you ran into the known sandy bridge problem. If the X server fails it won't be able to resume to a console. So all you get is a black screen.

Yes. That is what I got even after the config you suggested.

# X -config xorg.conf.new

Same result.

> You need to fix your Xorg configuration. What command did you use to start X? This
>
> (EE) Unable to locate/open config file: /roo /xorg.conf.new
>
> looks like you try to use a nonexistent config file. Try to provide a /etc/X11/xorg.conf which sets the graphics device to the intel driver:
>
> Section "Device"
> 	Identifier "Intel"
> 	Driver "intel"
> EndSection

I did.

> Section "Screen"
> 	Identifier "Default Screen"
> 	Device "Intel"
> 	DefaultDepth 24
> 	SubSection "Display"
> 		Depth 24
> 		Modes "1920x1080" "1024x768" "640x480"
> 	EndSubSection
> EndSection
>
> Hope this helps.
>
> Beni

Thanks for your effort. But it did not work. I did exactly as you suggested.

If I try and

# X -configure

it segfaults. This is for your info.

-Girish
Re: Any recommendation for WAN optimization?
bump

On Tue, Jul 24, 2012 at 10:10 PM, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> Particularly for MS SQL kind of stuff? Do we have anything interesting in ports? Using ssh with -C flag?
>
> -Girish

--
Gayatri Hitech
http://gayatri-hitech.com
Any recommendation for WAN optimization?
Particularly for MS SQL kind of stuff? Do we have anything interesting in ports? Using ssh with -C flag?

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
Re: Manual IPsec setup with ipsec.conf
On Thu, Apr 5, 2012 at 11:37 AM, Jason McIntyre <j...@kerhand.co.uk> wrote:
> On Thu, Apr 05, 2012 at 05:53:27AM +0530, Girish Venkatachalam wrote:
>> Dear all,
>>
>> Such a silly thing is not documented anywhere, no vpn(8) man page and not on the Internet.
>>
>> Subject: Manual IPsec setup with ipsec.conf
>
> have you looked at the manual page for ipsec.conf?
>
> jmc

Sorry I did not mean to antagonize. I did read the section. But an example would be a great addition.

-Girish

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
Question on LPD and OpenBSD printing
Dear all,

If this is OT kindly pardon me.

I have a script based on Net::LPR.

#!/usr/bin/perl -w
use strict;
use vars '@ARGV';
use Net::LPR;
use IO::File;

die "usage: $0 filename printer queue\n" if (@ARGV != 3);

my $lp = new Net::LPR(
    StrictRFCPorts => 0,
    RemoteServer   => $ARGV[1],
    RemotePort     => 515,
    PrintErrors    => 0,
    RaiseErrors    => 0,
) or die "Can't create print context\n";

my $fh = new IO::File $ARGV[0], O_RDONLY or die "Can't open $ARGV[0]: $!\n";
my $size = ($fh->stat())[7];    # Hope file doesn't change while printing

$lp->connect() or die "Can't connect to printer: " . $lp->error . "\n";
my $jobkey = $lp->new_job() or die "Can't create new job: " . $lp->error . "\n";
# The queue is the third command line argument (usage: filename printer queue)
$lp->send_jobs($ARGV[2]) or die "Can't send jobs: " . $lp->error . "\n";

# Can easily print postscript by changing method to job_mode_postscript
$lp->job_mode_text($jobkey) or die "Can't set job mode to text: " . $lp->error . "\n";
#$lp->job_mode_postscript($jobkey) or die "Can't set job mode to postscript: " . $lp->error . "\n";

$lp->job_send_control_file($jobkey) or die "Can't send control file: " . $lp->error . "\n";
# Announce the data file size, then stream the file line by line
$lp->job_send_data($jobkey, '', $size);
while (my $line = $fh->getline()) {
    $lp->job_send_data($jobkey, $line);
}
$lp->disconnect();

I try this against a HP Professional m1213ncj printer and it does nothing.

Is there a way to use netcat to print directly to the JetDirect port 9100?

I find this ppd in hpijs package but the printer is on the network. What to do?

I tried both postscript printing and text printing. The silence and laziness of the printer is positively boring.

What do you think?

-Girish

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
Re: Question on LPD and OpenBSD printing
I mean HP m1213nf

On Wed, Apr 4, 2012 at 8:35 PM, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> Dear all,
>
> If this is OT kindly pardon me.
>
> I have a script based on Net::LPR.
>
> [quoted script and question as in the original post above]

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
Re: Question on LPD and OpenBSD printing
On Wed, Apr 4, 2012 at 8:58 PM, Jan Stary <h...@stare.cz> wrote:
>> I try this against a HP Professional m1213ncj printer and it does nothing.
>
> Before using the script, try to get it printing with just lpr.

Failed. It is silent. nmap reports port as open, if I disable LPD script does not work, so LPD seems sane but it refuses to respond.

>> Is there a way to use netcat to print directly to the JetDirect port 9100?
>
> Maybe. What other interfaces does the printer have? What other ways are there to talk to the printer besides port 9100? Does it listen on the standard lpd port?

I did an nmap scan. Those are the only ports. It does listen on LPD. 515.

>> I find this ppd in hpijs package but the printer is on the network.
>
> I must be missing something here: cannot PPD files be used with remote printers just as with local printers, via foomatic-filters?

You are not missing anything here. I want a config in /etc/printcap that can print to this fellow remotely. ;)

Thanks.

-Girish

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
Re: Question on LPD and OpenBSD printing
On 4/4/12, Jan Stary <h...@stare.cz> wrote:
> On Apr 04 21:54:30, Girish Venkatachalam wrote:
>> On Wed, Apr 4, 2012 at 9:40 PM, Jan Stary <h...@stare.cz> wrote:
>> Failed. It is silent.
>
> What failed? How does your /etc/printcap describe the printer?

I just modified from the default remote printer commented out section. rm=ip

> lpr is from /usr/bin, not LPRng

I tried that as well. lpq lists the jobs but nothing happens/moves in the printer.

> Repeat: how does your printcap describe the printer?
> As in: show me your printcap.

ftp://g3tech.in/printcap

# export PRINTER=rp@IP
# lpr /etc/passwd

Printer works. It prints from Mac machine, not from OpenBSD.

> So it is alive, and does not refuse to respond, right?

Correct.

> file.ppd is nothing but a made up name for a file that you need to replace with the right PPD file for that printer.

Right.

>> OpenBSD has never give me so much trouble before. ;)
>
> It is not OpenBSD that is giving you trouble.

My ignorance. :)

-Girish

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
Re: Question on LPD and OpenBSD printing
I don't want to use CUPS. I will also avoid LPRng. Please guide me.

lpr command from Mac is working like a cake. It uses CUPS and IPP.

-Girish

On 4/4/12, Girish Venkatachalam <girishvenkatacha...@gmail.com> wrote:
> On 4/4/12, Jan Stary <h...@stare.cz> wrote:
>> On Apr 04 21:54:30, Girish Venkatachalam wrote:
>>> On Wed, Apr 4, 2012 at 9:40 PM, Jan Stary <h...@stare.cz> wrote:
>>> Failed. It is silent.
>>
>> What failed? How does your /etc/printcap describe the printer?
>
> [quoted exchange as in the previous message above]

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
Re: Question on LPD and OpenBSD printing
On Wed, Apr 4, 2012 at 11:36 PM, Jan Stary <h...@stare.cz> wrote:
> On Apr 04 22:25:18, Girish Venkatachalam wrote:
>> ftp://g3tech.in/printcap
>
> Sigh. Next time, please post the six damn lines inline.
>
> rp:HP PRinter:\
> 	:lp=:rm=192.168.1.6:rp=lp:\
> 	:af=/etc/foomatic/hp.ppd:\
> 	:if=/usr/local/bin/foomatic-rip:\
> 	:sd=/var/spool/output:\
> 	:lf=/var/log/lpd-errs:\
> 	:sh:
>
>> # export PRINTER=rp@IP
>
> Does that mean rp@192.168.1.6?

I tried that as well as what you suggest below. I get on the command line, connecting to localhost...

> Anyway, I don't think this is correct: it should be simply rp, i.e. the name of the printer in your printcap.
>
> With the above printcap, an empty lpq, and a correctly running lpd, what does the following do?
>
> echo test | lpr -Prp

Yes empty lpq, lpd runs and the above command does nothing.

> If it doesn't work, what does lpd-errs say?

Nothing.

Okay I am giving up now.

-Girish

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
Re: Question on LPD and OpenBSD printing
On Thu, Apr 5, 2012 at 4:46 AM, Jan Stary <h...@stare.cz> wrote:
>> Nothing.
>
> Then something else is broken. Run lpd with -l to make sure that the print job at least made it to lpd as a request.

If the queue clears that is what it means right? It does make it. I will also take a stab at the -l switch.

> You do actually have the foomatic* packages installed, right? You did not just blindly copy the ':if=/usr/local/bin/foomatic-rip:' line, right?

But of course yes. If you install hpijs it is installed as a dependency.

-Girish

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
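The thread above goes back and forth on whether the printer's lpd is answering at all and whether port 9100 could be used instead. The script below is an added example, not posted by anyone in the thread: it frames RFC 1179 requests byte for byte (command byte, operand, newline), uses the non-destructive "send queue state" command (the one lpq uses) as a liveness probe against port 515, and sends a file raw to the JetDirect port. The host, queue and file names are placeholders to be supplied on the command line.

```shell
#!/bin/sh
# Added example, not from the thread: RFC 1179 framing plus two printer
# checks. Printer host, queue and file names are hypothetical arguments.

# Build one RFC 1179 request: a single command byte, the operand, a newline.
# Commands: 1 print waiting jobs, 2 receive a job, 3 short queue state,
# 4 long queue state, 5 remove jobs.  $1: command number, $2: queue name.
lpd_request() {
    printf "\\$(printf '%03o' "$1")%s\\n" "$2"
}

# Hex dump of a request, handy for comparing against a tcpdump of lpr(1).
lpd_request_hex() {
    lpd_request "$1" "$2" | od -An -tx1 | tr -d ' \n'
}

# Ask the remote lpd on port 515 for its short queue state (command 3).
# This prints nothing on paper, so it is a safe way to confirm the daemon
# is actually serving the queue before debugging printcap or filters.
# An empty reply or a closed connection means lpd is not answering.
lpd_queue_state() {
    host=$1; queue=${2:-lp}
    lpd_request 3 "$queue" | nc -w 5 "$host" 515
}

# Send a file raw to the JetDirect port (9100). The printer interprets the
# bytes itself (PostScript, PCL or plain text); no spooler is involved, so
# only use it with a file you actually want printed.
jetdirect_print() {
    host=$1; file=$2
    nc -w 5 "$host" 9100 < "$file"
}

# Run the network probe only when a printer host is given on the command line:
#   sh lpdcheck.sh printer.example.net lp
if [ $# -ge 1 ]; then
    lpd_queue_state "$1" "${2:-lp}"
fi
```

With "rp=lp" in the printcap above, lpd_queue_state 192.168.1.6 lp asks for exactly the queue the OpenBSD lpd will talk to; if that returns nothing while lpq on the Mac works, the remote side is rejecting this client rather than the job format, which is a different problem from a wrong filter or PPD.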
Manual IPsec setup with ipsec.conf
Dear all,

Such a silly thing is not documented anywhere, no vpn(8) man page and not on the Internet.

I am forced to send this mail though it is embarrassing having worked on the internals of manual IPsec keying back in 2004.

But well here goes.

on peer A:

remoteip=173.167.82.52
remotenet=10.1.23.0/24

flow esp from 59.99.242.167 to $remoteip
flow esp from 192.168.1.0/24 to $remotenet peer $remoteip

esp from 59.99.242.167 to $remoteip spi 0xdeadbeef:0xbeefdead auth hmac-sha1 \
	authkey 0xeda8f06463b2d0fed008ccc474216dba8c463a7c:0x91c763de940ce1745215c84b7535269acaef516d \
	enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

on peer B:

localnet=192.168.0.0/16
remoteip=59.99.242.167

flow esp from 173.167.82.52 to 59.99.242.167
flow esp from 10.1.23.0/24 to 192.168.1.0/24 peer $remoteip

esp from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead:0xdeadbeef auth hmac-sha1 \
	authkey 0x91c763de940ce1745215c84b7535269acaef516d:0xeda8f06463b2d0fed008ccc474216dba8c463a7c \
	enckey 0xf7795f6bdd697a43a4d28dcf1b79062d:0xb341aa065c3850edd6a61e150d6a5fd3

It is a test. I don't care about the keys and IP addresses.

pf(4) is disabled both sides and here is the output of #ipsecctl -sa on peer B

# ipsecctl -sa -v
FLOWS:
flow esp in from 192.168.1.0/24 to 10.1.23.0/24 peer 59.99.242.167 type require
flow esp out from 10.1.23.0/24 to 192.168.1.0/24 peer 59.99.242.167 type require
flow esp in from 59.99.242.167 to 173.167.82.52 peer 59.99.242.167 type require
flow esp out from 173.167.82.52 to 59.99.242.167 peer 59.99.242.167 type require

SAD:
esp tunnel from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead auth hmac-sha1 enc aes
	sa: spi 0xbeefdead auth hmac-sha1 enc aes
		state mature replay 0 flags 4
	lifetime_cur: alloc 0 bytes 0 add 1333585323 first 0
	address_src: 173.167.82.52
	address_dst: 59.99.242.167
esp tunnel from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef auth hmac-sha1 enc aes
	sa: spi 0xdeadbeef auth hmac-sha1 enc aes
		state mature replay 0 flags 4
	lifetime_cur: alloc 0 bytes 0 add 1333585323 first 0
	address_src: 59.99.242.167
	address_dst: 173.167.82.52

And peer A:

# ipsecctl -sa -v
FLOWS:
flow esp in from 10.1.23.0/24 to 192.168.1.0/24 peer 173.167.82.52 type require
flow esp out from 192.168.1.0/24 to 10.1.23.0/24 peer 173.167.82.52 type require
flow esp in from 173.167.82.52 to 59.99.242.167 peer 173.167.82.52 type require
flow esp out from 59.99.242.167 to 173.167.82.52 peer 173.167.82.52 type require

SAD:
esp tunnel from 173.167.82.52 to 59.99.242.167 spi 0xbeefdead auth hmac-sha1 enc aes
	sa: spi 0xbeefdead auth hmac-sha1 enc aes
		state mature replay 0 flags 4
	lifetime_cur: alloc 0 bytes 0 add 1333585275 first 0
	address_src: 173.167.82.52
	address_dst: 59.99.242.167
esp tunnel from 59.99.242.167 to 173.167.82.52 spi 0xdeadbeef auth hmac-sha1 enc aes
	sa: spi 0xdeadbeef auth hmac-sha1 enc aes
		state mature replay 0 flags 4
	lifetime_cur: alloc 0 bytes 196 add 1333585275 first 1333585277
	address_src: 59.99.242.167
	address_dst: 173.167.82.52
	lifetime_lastuse: alloc 0 bytes 0 add 0 first 1333585277

I cannot ping between 192.168.1.50 and 10.1.23.2

What is going on?

-Girish

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
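The manual-keying stanzas above follow one pattern: peer B's esp line is peer A's with src and dst swapped and every colon-separated pair (SPIs, authkey, enckey) reversed, which is why both SAD dumps show spi 0xdeadbeef on the 59.99.242.167 to 173.167.82.52 SA. Getting one of those pairs backwards on one side is the classic way to end up with "mature" SAs that never carry a packet. The script below is an added example, not part of the post: it generates both stanzas from a single set of inputs so the mirroring cannot be mistyped, and draws fresh keys with openssl rand of the same sizes used in the post (20 bytes for hmac-sha1, 16 bytes for the enckey). All addresses and networks are placeholders passed on the command line; the deterministic values in the functions exist only so the output can be checked.

```shell
#!/bin/sh
# Added example, not from the post: emit mirrored manual-keying ipsec.conf
# stanzas for two peers. Addresses, SPIs and keys are caller-supplied
# placeholders; nothing here is a real key.

# Reverse an "a:b" pair into "b:a": the other peer's view of the same SA pair.
flip_pair() {
    printf '%s:%s\n' "${1#*:}" "${1%%:*}"
}

# Print one peer's stanza in the same layout as the post. Arguments:
# local IP, remote IP, local net, remote net, spi pair, authkey pair,
# enckey pair. Each "x:y" pair is written from this peer's point of view,
# first value for the SA from local to remote, second for the reverse.
peer_stanza() {
    local_ip=$1; remote_ip=$2; local_net=$3; remote_net=$4
    spis=$5; auth=$6; enc=$7
    printf 'flow esp from %s to %s\n' "$local_ip" "$remote_ip"
    printf 'flow esp from %s to %s peer %s\n' "$local_net" "$remote_net" "$remote_ip"
    printf 'esp from %s to %s spi %s auth hmac-sha1 authkey %s enckey %s\n' \
        "$local_ip" "$remote_ip" "$spis" "$auth" "$enc"
}

# Emit both stanzas from one set of inputs; peer B is the mirror image of A.
manual_keying_pair() {
    a_ip=$1; b_ip=$2; a_net=$3; b_net=$4; spis=$5; auth=$6; enc=$7
    echo "# peer A ($a_ip)"
    peer_stanza "$a_ip" "$b_ip" "$a_net" "$b_net" "$spis" "$auth" "$enc"
    echo "# peer B ($b_ip)"
    peer_stanza "$b_ip" "$a_ip" "$b_net" "$a_net" \
        "$(flip_pair "$spis")" "$(flip_pair "$auth")" "$(flip_pair "$enc")"
}

# Fresh random material of the sizes the post uses: 4-byte SPIs, 20-byte
# hmac-sha1 keys, 16-byte enckeys. Prints three lines: spis, authkeys, enckeys.
random_material() {
    printf '0x%s:0x%s\n' "$(openssl rand -hex 4)"  "$(openssl rand -hex 4)"
    printf '0x%s:0x%s\n' "$(openssl rand -hex 20)" "$(openssl rand -hex 20)"
    printf '0x%s:0x%s\n' "$(openssl rand -hex 16)" "$(openssl rand -hex 16)"
}

# Usage: sh manualkeys.sh A_IP B_IP A_NET B_NET  (writes both stanzas to stdout)
if [ $# -eq 4 ]; then
    material=$(random_material)
    manual_keying_pair "$1" "$2" "$3" "$4" \
        "$(echo "$material" | sed -n 1p)" \
        "$(echo "$material" | sed -n 2p)" \
        "$(echo "$material" | sed -n 3p)"
fi
```

Paste the "peer A" block into A's ipsec.conf and the "peer B" block into B's, then compare ipsecctl -sa -v on both sides as the post does: the two SAD entries must show the same spi for the same from/to pair on both machines, and after a ping the bytes counter of the outbound SA on one peer should move together with the inbound SA on the other.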
IPSec isakmpd pre shared interoperability with Fortigate VPN
Dear all,

I am having a ball of a time configuring ipsec.conf against our friendly Fortigate VPN box. I think the model is some very old one, perhaps 50B or something.

Now some other Linux based commercial VPN is able to talk to it as Fortigate also is from the same parent. So is every other boy out there. But I want OpenBSD to talk to it.

I am sure with a lot of hard work I could possibly sort this out but some wisdom from you is good, particularly for the archives and google.

If it matters in any manner at all, my ipsec.conf is

#ike passive esp from $localnet to $remotenet peer $remoteip \
	main auth hmac-sha1 enc 3des group modp1536 \
	quick auth hmac-sha1 enc 3des group none psk removed

Do you want isakmpd.conf too? I got one from some site.

Here is the phase 1 auth reject message I get.

201238.986501 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
201238.986523 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
201238.986547 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
201238.986557 Default messag

Any pointers are much appreciated.

Thanks to all.

-Girish

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
LiveUSB OpenBSD and LiveCD-OpenBSD site updated
After a long long time. Sigh.

http://liveusb-openbsd.sf.net
http://livecd-openbsd.sf.net

-Girish

--
G3 Tech
Networking appliance company
web: http://g3tech.in
mail: gir...@g3tech.in
WAN link aggregation
Dear folks,

I find that there are primarily 4 ways to aggregate/concentrate/failover WAN links.

1) trunk(4)
2) ECMP (read FAQ)
3) pf(4) route-to
4) relayd(8) Router
5) BGP

I say 4 since BGP cannot be used in most cases.

Which is the best way to achieve this goal in our usual approach of simplicity and grace? Or am I missing something?

I understand that only outgoing traffic can be aggregated. Incoming traffic should technically be aggregated by using pf(4) route-to switch but I find that it does not happen.

What am I missing? I sure need a lot more practical experience in this...

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
gir...@gayatri-hitech.com
Re: pf and DNS
On Fri, Jan 7, 2011 at 2:43 PM, Martin Schröder <mar...@oneiros.de> wrote:
>> And consequently pf which does not know a thing about domains does not help us.
>
> What exactly is the problem you want to solve?

Sorry for having been abstract. Here is the detailed explanation.

One domain translates to around 100 IP addresses. But pf does not agree to using a domain and doing the domain to IP translation on the fly. Due to this, whatever IP address pf(4) knows at the time of ruleset loading alone works.

And I do not want to use a userland proxy.

How to do it?

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
gir...@gayatri-hitech.com
pf and DNS
I try to use OpenBSD wherever I can and in the firewall I have installed in a big jewel store here I have the following problem.

Many websites these days Akamize or do whatever that gives them a different IP address everytime you access it. And consequently pf which does not know a thing about domains does not help us.

I want a solution which can address this.

What I currently do is add an entry manually to /etc/hosts and ask everyone in the network to use my DNS. It is crappy and bereft with 100s of problems. First thing is that it does not allow us to use Akamaizer and load balancing feature offered by them. And it is not a good idea to change on every computer...

Is there a better idea?

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
gir...@gayatri-hitech.com
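The two "pf and DNS" posts above describe the same limitation: pf resolves a hostname once, when the ruleset is loaded, so a name that maps to a rotating set of CDN addresses is only partly covered. The usual answer is to keep the addresses in a pf table and re-resolve on a schedule with pfctl -T replace. The script below is an added example, not from the thread; it assumes pf.conf declares the table as "table <cdn_hosts> persist" and references <cdn_hosts> in the rules that should follow the domain. The table and domain names are hypothetical, and the host(1) output used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: keep a pf table in step with the
# addresses a name currently resolves to. Assumes pf.conf contains
#     table <cdn_hosts> persist
# and uses <cdn_hosts> in its rules. Names below are hypothetical.

# Pull IPv4 and IPv6 addresses out of host(1) output lines of the form
# "name has address 1.2.3.4" / "name has IPv6 address 2001:db8::1".
# Alias, MX and error lines are ignored.
addrs_from_host_output() {
    awk '$2 == "has" && $3 == "address" { print $4 }
         $2 == "has" && $3 == "IPv6" && $4 == "address" { print $5 }'
}

# Resolve a name through the firewall's own resolver and load the answer
# into the table atomically with "pfctl -T replace". An empty answer is
# treated as a resolver failure and leaves the table untouched, so a
# transient DNS outage does not silently empty the rules' targets.
refresh_table() {
    table=$1; name=$2
    addrs=$(host "$name" | addrs_from_host_output)
    if [ -z "$addrs" ]; then
        echo "refresh_table: no addresses for $name, table <$table> unchanged" >&2
        return 1
    fi
    # $addrs is left unquoted on purpose: one argument per address.
    pfctl -t "$table" -T replace $addrs
}

# Constructed sample of host(1) output, used to exercise the parser offline.
sample_host_output() {
    cat <<'EOF'
www.example.net is an alias for edge.example-cdn.net.
edge.example-cdn.net has address 203.0.113.10
edge.example-cdn.net has address 203.0.113.11
edge.example-cdn.net has IPv6 address 2001:db8:cafe::10
edge.example-cdn.net mail is handled by 10 mx.example.net.
EOF
}

# Usage: sh pftable-dns.sh cdn_hosts www.example.net  (typically from cron)
if [ $# -eq 2 ]; then
    refresh_table "$1" "$2"
fi
```

Run it from root's crontab at an interval shorter than the records' TTL so the table never lags the CDN's rotation. Two points matter for a firewall: the table follows whatever the resolver answers, so the firewall must query a resolver you trust rather than whatever the DHCP lease hands out, and because "-T replace" swaps the whole table at once, stale addresses drop out on the next refresh instead of accumulating into a far broader allow than intended.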
spamd in a cloud setup?
Dear folks,

OpenBSD's spamd is a network level spam filter and consequently we need the MX records to point to spamd before it hits our mail server thereby achieving bandwidth protection as well as spam protection. This is really fantastic.

Now the issue is this. Since MX records do not understand TCP port numbers, we cannot have different MX records point to different SMTP servers on the same IP address.

The reason this is a problem is that assume that I have to run spamd(8) against 100 domains. Do I need to have 100 different IP addresses in my cloud?

I hope the question makes sense. Sorry for sounding confusing.

-Girish

--
Gayatri Hitech
http://gayatri-hitech.com
gir...@gayatri-hitech.com
LiveUSB-OpenBSD updated with 4.7 images
Hi all,

This link says it all.

http://liveusb-openbsd.sf.net

Download and enjoy.

-Girish

--
Gayatri Hitech
web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
Re: Help contacting Richard Stallman
This thread could be more humorous.

-Girish

On Fri, May 28, 2010 at 9:11 PM, Igor Sobrado <sobr...@openbsd.org> wrote:
> On Fri, May 28, 2010 at 4:51 PM, Marco Peereboom <sl...@peereboom.us> wrote:
>> On Fri, May 28, 2010 at 04:28:56PM +0200, Reyk Floeter wrote:
>>> So the question is - am I living in a parallel universe?
>>
>> Simple! yes.
>
> Agreed, in a level IV multiverse at least (before you ask, we need a very good cosmologist to define `at least' here). But don't worry, BSDs are on a de Sitter universe even if some people (Linux kids) think the other way.

--
Gayatri Hitech
web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
Re: Stop spam from ISP Mailserver
On Tue, Apr 27, 2010 at 4:31 PM, open...@e-solutions.re wrote:

> Hi, I have a client, he receives a lot of spam from his ISP Mailserver. Is there a way to limit spam using an OpenBSD Gateway with PF and Spamd at his place? (His mailserver is ISP Mailserver, so he hasn't mailserver) I think it is not possible, true? If you have an idea ...

I have a totally different perspective and answer due to my experience fighting spam. In fact I get close to 40 GB downloads for my open source spam product based on spamd. It does a great job of spam control or else why would people download? ;) Even in my customer locations in Chennai where they run my appliance they get only 5 spam messages in a year. But you should understand that the incidence of spam in India is much lower than America.

Anyway read up this page: http://spam-cheetah.com/install.html to understand what you can achieve with pf(4) and spamd for spam control and how you ensure that the TCP rdr is completed in the reverse direction also.

You need to configure the mail server's gateway as spamd. This is only necessary when you run spamd and do rdr (a reverse of NAT). Whereas if you act as a TCP proxy in which you setup a connection to the mail server from the spamd machine using nc or some similar thing (you could configure using inetd(8)) then your mail server can be anywhere. I have never tried that config and I can bet that rdr is way more efficient...

Sorry I can't do more justice to this topic as I am running out of time. Later.

Ever yours, Girish
--
Gayatri Hitech web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
IPSec VPN and tunnel mode routing
Dear all, I find no explicit mention of how to encapsulate and decapsulate IPsec protected packets in tunnel mode. Are we supposed to use gre0 or gif0 interface to add routes? I am able to create SAs using automatic keying with isakmpd and 1 line in ipsec.conf. But I am unable to connect two private networks. How to achieve that? Google did not help at all. Neither did a paper on www.openbsd.org. Thanks. -Girish -- Gayatri Hitech web: http://gayatri-hitech.com SpamCheetah Spam filter: http://spam-cheetah.com
Re: IPSec VPN and tunnel mode routing
Many thanks for the answers. I should certainly thank Daniel with a full heart since he really made my day. Many thanks.

On Tue, Mar 30, 2010 at 6:32 PM, Stuart Henderson s...@spacehopper.org wrote:

> > I am able to create SAs using automatic keying with isakmpd and 1 line in ipsec.conf.
>
> If you describe your configuration, the output from the relevant commands (e.g. sudo ipsecctl -sa, netstat -n), what if any changes you've made to PF rules to accommodate the vpn, how you're testing, etc, perhaps someone can help.

I always thought that pf should have nothing to do with IPsec VPN at least till we get the basic traffic going. And that is what I did. I shall add pf now.

> > But I am unable to connect two private networks. How to achieve that?
>
> the simplest way is basically: setup automatic keying, add an ike esp... line to ipsec.conf, turn on IP forwarding, make sure the firewall is setup correctly, and that's about it.

Well I want IPsec to do the tunnel encapsulation and routing for me first. Crypto as well of course. ;)

I checked with the command given in the enc man page.

  # tcpdump -envps 1500 -i enc0 -l

I shall write a webpage about this since others might lose sleep over this. Rather disappointing that such a basic crypto setup is poorly documented. For now, I shall give my two cents worth tips for the archives. (This is without NAT or any firewall in between and no pf on either tunnel endpoint. pfctl -d ;)

  host A IP: 192.168.11.3
  host A private net: 10.1.1.0/24
  host B IP: 192.168.11.4
  host B private net: 10.2.2.0/24

In case it is not clear, I am trying to access 10.2.2.0/24 machines from 10.1.1.0/24 machines using host A and host B as tunnel endpoints. IPsec is only between host A and B. Hope I don't confuse. Obviously things will work in reverse too.

Here is the sequence of commands I run on host A. Before we start, here is the Zeroth step. We need to have the public key of one IP available on the other side.

On host B (192.168.11.4):

  # scp /etc/isakmpd/local.pub 192.168.11.3:/etc/isakmpd/pubkeys/ipv4/192.168.11.4

Ditto on host A:

  # scp /etc/isakmpd/local.pub 192.168.11.4:/etc/isakmpd/pubkeys/ipv4/192.168.11.3

Now the game starts.

  # pfctl -d
  # isakmpd -K
  # cat /etc/ipsec.conf
  localip = 192.168.11.3
  remoteip = 192.168.11.4
  local_net = 10.1.1.0/24
  remote_net = 10.2.2.0/24
  ike esp from $local_net to $remote_net peer $remoteip
  ike esp from $localip to $remote_net peer $remoteip
  ike esp from $localip to $remoteip

(this is what the file contains)

  # ipsecctl -n -f /etc/ipsec.conf

(Things are fine) Now start things up.

  # ipsecctl -f /etc/ipsec.conf

On to host B now.

  # pfctl -d
  # isakmpd -K
  # cat /etc/ipsec.conf
  localip = 192.168.11.4
  remoteip = 192.168.11.3
  local_net = 10.2.2.0/24
  remote_net = 10.1.1.0/24
  ike passive esp from $local_net to $remote_net peer $remoteip
  ike passive esp from $localip to $remote_net peer $remoteip
  ike passive esp from $localip to $remoteip
  # ipsecctl -f /etc/ipsec.conf

Now we are all set. No more configuration necessary.

Now I come to the part that hurt me the most. How to test that we are doing things correctly?

  # ipsecctl -F

will flush all SAs.

  # ipsecctl -sa

should give an output like this.

  FLOWS:
  flow esp in from 192.168.11.3 to 192.168.11.4 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
  flow esp out from 192.168.11.4 to 192.168.11.3 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
  flow esp in from 10.1.1.0/24 to 10.2.2.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
  flow esp out from 10.2.2.0/24 to 10.1.1.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
  flow esp in from 192.168.11.3 to 10.2.2.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
  flow esp out from 10.2.2.0/24 to 192.168.11.3 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require

  SAD:
  esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0x2c37b55e auth hmac-sha2-256 enc aes
  esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0x5d7e114e auth hmac-sha2-256 enc aes
  esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0x70420aad auth hmac-sha2-256 enc aes
  esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0xa0b67b12 auth hmac-sha2-256 enc aes
  esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0xa84c08c3 auth hmac-sha2-256 enc aes
  esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0xf517c42c auth hmac-sha2-256 enc aes

Don't worry. I am not revealing any secret information. We are using automatic keying here.

Since I have only two machines I have to simulate private networks. Here is a very useful tip. Interface aliasing saves the day. I run this on host A to simulate the 10.1.1.0/24 network. I only need one IP.

  # ifconfig rl0 alias 10.1.1.1 netmask 255.255.255.0

If you type ifconfig, you
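An added example, not part of the post above: a small sh/awk check over the text that ipsecctl -sa prints, testing for what the post says a working tunnel must show (an in and an out flow for every address pair, every flow bound to the expected peer, and an ESP SA in both directions). The sample is constructed from the output quoted above (host B's view); the function names are mine.

```shell
#!/bin/sh
# Sample constructed from the "ipsecctl -sa" output quoted in the post
# (host B, whose peer is 192.168.11.3). On a real box you would feed
# "$(ipsecctl -sa)" instead.
SAMPLE='FLOWS:
flow esp in from 192.168.11.3 to 192.168.11.4 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
flow esp out from 192.168.11.4 to 192.168.11.3 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
flow esp in from 10.1.1.0/24 to 10.2.2.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
flow esp out from 10.2.2.0/24 to 10.1.1.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
flow esp in from 192.168.11.3 to 10.2.2.0/24 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type use
flow esp out from 10.2.2.0/24 to 192.168.11.3 peer 192.168.11.3 srcid 192.168.11.4/32 dstid 192.168.11.3/32 type require
SAD:
esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0x2c37b55e auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0x5d7e114e auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0x70420aad auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0xa0b67b12 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.4 to 192.168.11.3 spi 0xa84c08c3 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.11.3 to 192.168.11.4 spi 0xf517c42c auth hmac-sha2-256 enc aes'

# check_flows OUTPUT PEER
# Every "flow esp in from A to B" needs a twin "flow esp out from B to A",
# and every flow must name the expected peer; otherwise one direction of
# traffic is left unprotected. Prints each problem, returns 1 if any.
check_flows() {
    printf '%s\n' "$1" | awk -v peer="$2" '
        $1 == "flow" && $3 == "in"  { inflow[$5 " " $7] = 1 }
        $1 == "flow" && $3 == "out" { outflow[$7 " " $5] = 1 }
        $1 == "flow" && $9 != peer  { print "unexpected peer " $9 " in: " $0; bad++ }
        END {
            for (k in inflow)  if (!(k in outflow)) { print "no out flow for in flow " k; bad++ }
            for (k in outflow) if (!(k in inflow))  { print "no in flow for out flow " k; bad++ }
            if (bad) exit 1
        }'
}

# check_sas OUTPUT
# Phase 2 produced SAs: each "esp tunnel from X to Y" must have a reverse
# SA from Y to X, or ESP only works one way. Returns 1 when one is missing.
check_sas() {
    printf '%s\n' "$1" | awk '
        $1 == "esp" && $2 == "tunnel" { sa[$4 " " $6]++ }
        END {
            for (k in sa) {
                split(k, d, " ")
                if (!((d[2] " " d[1]) in sa)) { print "no reverse SA for " k; bad++ }
            }
            if (bad) exit 1
        }'
}

# tunnel_ok OUTPUT PEER LOCAL_NET REMOTE_NET
# Also requires the net-to-net flow the post sets up: "in" from the remote
# private net to the local one. Returns 0 only when every check passes.
tunnel_ok() {
    check_flows "$1" "$2" && check_sas "$1" &&
    printf '%s\n' "$1" | grep -q "^flow esp in from $4 to $3 peer $2 "
}

if tunnel_ok "$SAMPLE" 192.168.11.3 10.2.2.0/24 10.1.1.0/24; then
    echo "tunnel looks complete"
else
    echo "tunnel incomplete, see messages above"
fi
```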
Unofficial OpenBSD 4.6 USB installer on LiveUSB-OpenBSD page!
Dear all, My friend wanted it. I wanted it too just for fun. So I did it. Please remember, it is 100% unofficial. This project is not officially or unofficially endorsed by OpenBSD in any way. So use it at your own risk! That said, I am quite certain that many of you will benefit in a big way from a USB installer for OpenBSD 4.6 instead of a DVD/CD install method. http://liveusb-openbsd.sf.net and direct download link here: https://sf.net/projects/liveusb-openbsd/files/usb-inst46.bin/download It is a lot of fun I tell you. I recently tested it and it worked like a charm. I have tried to make the installer as official as I can. I played no tricks, it is just the CD/DVD installer in the USB stick. ;) As to how I did this, that is an altogether different matter. -Girish -- Gayatri Hitech web: http://gayatri-hitech.com SpamCheetah Spam filter: http://spam-cheetah.com
Re: Unofficial OpenBSD 4.6 USB installer on LiveUSB-OpenBSD page!
No you got it wrong. You are supposed to say install from disk (instead of install from cd0), then at

  Already mounted? [no]

press enter. And the sets will all show up. Try again. All sets are there in the USB stick but you have to follow a slightly different procedure. -Girish

On Fri, Dec 18, 2009 at 8:10 PM, Brad Tilley misc@openbsd.org wrote:

> On Fri, 18 Dec 2009 19:34 +0530, Girish Venkatachalam girishvenkatacha...@gmail.com wrote:
> > I played no tricks, it is just the CD/DVD installer in the USB stick. ;)
>
> I normally just install -current or -release to a USB stick and then use that (booting from bsd.rd on the USB stick). Granted, the sets have to install over the network, but it works well. Brad

--
Gayatri Hitech web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
OpenBSD and my portable mp3 player
I am warning you ahead that some of this may be braindead simple or trivial for some of you but I am still sending this because many of you will benefit by this mail. Here is what I did with my portable Sandisk mp3 player.

I have a strange problem. I am a devout Hindu and I want to listen to Vedic chants every morning. But now I live in a place far away from my office. So I wanted a way to listen to these slokas/mantras from my home. Then I remembered that I had an old Sandisk pocket size mp3 player lying idle with me.

I connected it to my USB port and OpenBSD recognized it as:

  umass0 at uhub0 port 2 configuration 1 interface 0 SanDisk SDMX1 MP3 Player rev 2.00/1.00 addr 2
  umass0: using SCSI over Bulk-Only
  scsibus0 at umass0: 2 targets, initiator 0
  sd0 at scsibus0 targ 1 lun 0: SanDisk, SDMX1 MP3 Player, 1.13 SCSI0 0/direct removable
  sd0: 486MB, 512 bytes/sec, 995328 sec total

No, this was not the first time. There was something wrong with my hub. And I had to try it a few times. Anyway once I got this far, I created an fdisk partition.

  # fdisk -e sd0

I created a FAT32 file system on it (ID 06). Then disklabel would still give a weird output. I expected to see sd0i as is the case with the 0B file system ID. First time I got it wrong. The player did not recognize my file system. Then I got it right with this command.

  # newfs_msdos /dev/sd0c

Now disklabel behaves itself. ;) Mount it with

  # mount /dev/sd0i /mnt

Copy all the mp3 files. I converted to mp3 from flash videos using

  $ ffmpeg -i foo.flv foo.mp3

Copy files to mp3 player.

  # cp *mp3 /mnt
  # cd
  # umount /mnt

Disconnect and enjoy. ;)

When I ran into the format issue wikipedia helped and told me what file system format I am supposed to use in mp3 players.

This morning when I listened to my Vedic chants I thought: Can't I just concatenate the three mantras rudram, chamakam and purushasuktam mp3 files? That is what I did just now.

  $ mp3cat rudram.mp3 chamakam.mp3 purushasuktam.mp3 --output=prayer.mp3

Now I can pray during my long town bus journey from home to office in Chennai. ;) Hopefully these tips will help some of you. Thanks to OpenBSD and its great developers!

Ever yours, -Girish
--
Gayatri Hitech web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
Please use this to convert people to OpenBSD
Dear friends, People have the mistaken idea that OpenBSD is meant for the creme de la creme or the privileged crowd. That is absolutely and patently false. OpenBSD has all the elements of true UNIX. We are very friendly but we are choosy about who our friends are. ;) Anyway jokes aside, kindly download this image http://liveusb-openbsd.sf.net and read this article. http://linuxjournal.com/article/9787 I have configured mplayer OSD menus in the stick image. You can run this and show to disbelieving Linux or *buntu enthusiasts. Guess what? You can even convert Windoze folks. Mplayer is that sexy. Try it. -Girish -- Gayatri Hitech web: http://gayatri-hitech.com SpamCheetah Spam filter: http://spam-cheetah.com
LiveUSB project with a new look
Dear folks, I added a non X version and dressed up the page a bit. http://liveusb-openbsd.sf.net All versions have mplayer. ;) Now there are 3 variants. A minimal version without X, a Lite version with Windowmaker and few packages and a full version with firefox browser. Thanks. -Girish -- Gayatri Hitech web: http://gayatri-hitech.com SpamCheetah Spam filter: http://spam-cheetah.com
Re: LiveUSB project with a new look
Dear folks, I got a personal mail that my USB images do not fit into 1GB and 2G sticks. Obviously I got this wrong. 10^3 != 2^10. I have images of 2*1024^3 whereas USB sticks are short by roughly 80 MB. I found a very interesting way of tackling this issue. Hence this mail.

Once again qemu comes to the rescue. I created a qemu filestore of the correct size.

  $ qemu-img create usb-lite.bin.new 100

Then I booted both images with qemu like this

  # qemu -hda usb-lite.bin -hdb usb-lite.bin.new

And from inside qemu I newfs(8)ed the new disk like this.

  # fdisk -iy wd1
  # disklabel -E wd1
  # newfs wd1

Then I transferred the entire contents with tar.

  # mount /dev/wd1a /mnt
  # cd /mnt
  # mount /dev/wd0a /
  # tar zcXpf - / | tar zxpf -

(I should have used dump(8), restore(8) but they don't work under qemu)

Once this finishes, install the bootloaders.

  # pwd
  /mnt
  # cp usr/mdec/b* .
  # ./usr/mdec/installboot -v boot biosboot wd1
  # shutdown -hp now

Cool eh? -Girish
--
Gayatri Hitech web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
Re: LiveUSB based on 4.6 project at sourceforge
On Sat, Nov 14, 2009 at 9:33 AM, Nenhum_de_Nos math...@eternamente.info wrote: hey ... there is even a version with mplayer !!! now I don't have to use ubuntu anymore in the work notebook :) really thanks, the hell of a great thing :) Hey Bud, You confused me for a minute. There is mplayer in both editions with full menu support and there are color man pages and a whole lot of other goodies. ;) Enjoy! -Girish -- Gayatri Hitech web: http://gayatri-hitech.com SpamCheetah Spam filter: http://spam-cheetah.com
LiveUSB based on 4.6 project at sourceforge
Hello misc, Kindly spare a moment for this site: http://liveusb-openbsd.sourceforge.net Hope you like it. You know that OpenBSD already comes with cwm and several other networking daemons. This USB stick is a great way to carry OpenBSD 4.6 with you wherever you go. Enjoy! -Girish -- Gayatri Hitech web: http://gayatri-hitech.com SpamCheetah Spam filter: http://spam-cheetah.com
Re: [pf question] Positive condition for adding in the table?
On Thu, Aug 27, 2009 at 4:32 PM, Ivan Radovanovic riv...@gmail.com wrote:

> I am new into pf configuration and I am curious if it is possible to add some host into table in firewall rules if some conditions are met (not if they are broken). I was thinking about some way to prevent port scanning of machine and what came to me as obvious way to do it is this (in some pseudocode)
>
>   block all communication with bad_guys
>   allow all communication with good_guys
>   allow any communication with my open port and put ip in good_guys table
>   block sending any rst packet from me and put ip in bad_guys table /* somebody tried to connect to non-open port */
>   /* more criteria to remove someone from good_guys and put in bad_guys, according to connection rate, etc */
>
> Anyway when I tried to code this into pf rules I discovered that I can't put host into table according to positive condition. Is there some workaround for this, or maybe some better/smarter way to achieve the same thing I want to achieve?

Please read up on pf(4) anchors. And also on connection overloads in pf.conf(5). Stuff like max-conn-rate and so on. You already said you know about pf(4) tables. You need to populate the tables based on different criteria. I know that connection overload is one. You should be able to define other conditions to populate the tables. And you can use anchors along with tables, define conditions and get what you want. I hope I have not left out anything important. Best of luck.

-Girish
--
Gayatri Hitech web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
Re: [pf question] Positive condition for adding in the table?
On Thu, Aug 27, 2009 at 4:59 PM, Ivan Radovanovic riv...@gmail.com wrote:

> Thanks for your response. If I understand you correctly pf kernel module actually supports operating with tables based on positive conditions (ie not only when rule is broken, but also when rule is true), and the way to define rules of that kind is using directly some of IOCTLs documented in pf(4)? Please confirm if that is true, since I couldn't find that kind of functionality with pfctl(8) (I tried making conditions with max-src-conn-rate set to 0 with idea that making one connection will break this rule so I could add ip in table that way, but pfctl(8) is too smart to accept rules with max-src-conn-rate set to 0)

There is no need to write any C code with pf(4) ioctls. A simple pf.conf should get you what you want. What do you mean by max-src-conn-rate set to zero? I think you are needlessly complicating things. If your goal is to send reset, then you can always do them with pf in a much more straight forward manner.

  set block-policy return bad-guys

Try to keep things simple.

-Girish
--
Gayatri Hitech web: http://gayatri-hitech.com
SpamCheetah Spam filter: http://spam-cheetah.com
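A pf.conf sketch of the approach the two replies above describe, as an added example that is not part of the thread: the overload clause of a state option is what lets pf itself put an address into a table, and block-policy return supplies the RST. The interface name, ports, rate numbers and table file path are assumptions.

```pf
# Added example (not from the thread). Assumed interface name and limits.
ext_if = "em0"

# Addresses pf adds on its own via "overload" below; "persist" keeps the
# table alive even while it is empty.
table <bad_guys> persist
# Addresses you choose to trust; loaded from an assumed file path.
table <good_guys> persist file "/etc/pf.good_guys"

# RST (or ICMP unreachable) instead of a silent drop, as the reply suggests.
set block-policy return
set skip on lo

# Anything already in <bad_guys> is cut off first; nothing below applies.
block in quick on $ext_if from <bad_guys>

# Trusted sources are never subject to the rate limit.
pass in quick on $ext_if from <good_guys> to ($ext_if)

# The "positive condition": a client may use the open ports, but a source
# that opens more than 10 new connections in 5 seconds is moved into
# <bad_guys> and its existing states are flushed. This is the only way
# pf itself populates a table from traffic; there is no pfctl rule that
# adds a host merely because a pass rule matched.
pass in on $ext_if proto tcp to ($ext_if) port { ssh, www } \
    keep state (max-src-conn-rate 10/5, overload <bad_guys> flush global)

# Connections to closed ports are refused with a RST from block-policy;
# no hand-written "block sending any rst" rule is needed.
block in log on $ext_if

# Keep the table from growing forever, e.g. from cron (assumed interval):
#   pfctl -t bad_guys -T expire 86400
```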
Re: Running another OS under OpenBSD
On 21:50:08 Dec 25, Marco Peereboom wrote: Right, now tell me again about strl* Also about the kernel source. -Girish
Re: Yahoo! mail and OpenBSD greylisting
On 20:40:30 Dec 22, Stuart Henderson wrote: Oh hmm. Just grepped my mail logs and pulled out a few addresses to check, it seems dnswl's coverage of yahoo isn't all that great (at least not for their UK-facing outbound servers). And pulling their prefixes out of a bgp feed is fiddly at best, they have at least three different AS. I am yet to try this. do you care to expand on this, which standards are they breaking that are related to this? Well we discussed long ago that there is no such thing as a standard that says that mails be retried from the same IP address. So technically speaking yahoo! does not break any standard. But I am having issues with yahoo! when greylisting is involved. It is possible that I might have misconfigured something. In case nobody else has problem with yahoo! mail then I know I have a problem instead. -Girish
Re: IPv6 virtual hosts
On 17:31:02 Dec 22, Henning Brauer wrote: if you plan to look at apache2 code, make sure you're close to a toilet. puke on the keyboard tends to be nasty. He he. I believe there is a new e-mail archival project called lucene which is written in the greatest programming language on the planet...you guessed right Java. Now that gives us enough hint about what the Apache project is all about. ;) -Girish
Re: Yahoo! mail and OpenBSD greylisting
On 09:30:48 Dec 22, Jordi Espasa Clofent wrote:

> Hi Girish, have you tried to contact Yahoo! technical staff about it?

I know you are serious, so I don't want to kid. I almost got talking to a relatively highly placed individual in yahoo! to take a look at OpenBSD greylisting. But guess what? The typical corporate response: We do not care about open source. We will steal what we want from it without acknowledging any credit. And we are a big company with a lot of money. So we can continue the way we want. I can forward you the mildly agitating e-mail response I got from the yahoo! top gun. ;) Apropos of yahoo! breaking standards...well what can we do? -Girish
Yahoo! mail and OpenBSD greylisting
Hello folks, I am unable to manually whitelist yahoo! mail sender IP addresses since yahoo! does not play well with greylisting. However I can whitelist gmail, aol, hotmail, rediff and so on since they publish SPF records. Is there a way to determine the IP addresses yahoo! uses for sending mail? I can think of possibly modifying the greyscanner perl script to look for patterns and whitelist. Any ideas? Thanks. -Girish
Re: Samba printing, OpenBSD client to Windows server
On 20:33:56 Nov 29, Stuart Henderson wrote:

> Unless your printer supports postscript natively (most cheap printers don't) you need some kind of converting filter.

You mean like a2ps? /usr/ports/print/a2ps -Girish
Re: ftpd(8) is not logging
On 10:12:46 Nov 28, LÉVAI Dániel wrote:

> Hi! I'm using OpenBSD's ftpd(8), and specified the -l option on the command line when starting it, which according to the man page, makes ftpd(8) log to syslog with facility LOG_FTP. Well, I've set up syslog.conf to capture that facility to a file:
>
>   LOG_FTP.* /var/log/ftpd

Did you give a TAB character between the two tokens? syslog hates whitespaces. Only tabs between entries on a line. -Girish
Re: PF blocking outbound packets that don't have S/SA flags
On 01:10:03 Nov 21, Joe S wrote:

> OS: OpenBSD 4.4 RELEASE i386
>
> PF is blocking traffic that I want it to pass. I notice this when I run nmap 4.76 (compiled from source). It appears that my packets are being dropped because they don't match the pass out quick rule in my pf.conf. I noticed this rule is modified due to the default setting to match on flags S/SA. How do I create a rule to ignore the flags S/SA so that my scans can complete?
>
>   # nmap -sS -T5 -sV -p- 2.2.2.2
>   Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-20 22:47 PST
>   sendto in send_ip_packet: sendto(4, packet, 40, 0, 2.2.2.2, 16) = No route to host
>   Offending packet: TCP 1.1.1.1:37016 2.2.2.2:80 A ttl=45 id=13618 iplen=40 seq=3279582132 win=2048 ack=3457570278
>   Sleeping 15 seconds then retrying
>   sendto in send_ip_packet: sendto(4, packet, 40, 0, 2.2.2.2, 16) = No route to host
>   Offending packet: TCP 1.1.1.1:37016 2.2.2.2:80 A ttl=45 id=13618 iplen=40 seq=3279582132 win=2048 ack=3457570278
>   Sleeping 60 seconds then retrying
>   (truncated for brevity)
>
> PF logs show that the packets are dropped due to rule 0 match:
>
>   # tcpdump -n -e -ttt -s 1514 -r /var/log/pflog host 2.2.2.2
>   Nov 20 22:42:37.938337 rule 0/(match) block out on fxp0: 1.1.1.1.46363 2.2.2.2.80: . ack 834370022 win 2048
>   Nov 20 22:42:52.940776 rule 0/(match) block out on fxp0: 1.1.1.1.46363 2.2.2.2.80: . ack 1 win 2048
>   Nov 20 22:45:02.202499 rule 0/(match) block out on fxp0: 1.1.1.1.42175 2.2.2.2.80: . ack 2174811336 win 1024
>   Nov 20 22:45:17.206752 rule 0/(match) block out on fxp0: 1.1.1.1.42175 2.2.2.2.80: . ack 1 win 1024
>   Nov 20 22:46:17.194321 rule 0/(match) block out on fxp0: 1.1.1.1.42175 2.2.2.2.80: . ack 1 win 1024
>   Nov 20 22:47:12.874250 rule 0/(match) block out on fxp0: 1.1.1.1.37016 2.2.2.2.80: . ack 3457570278 win 2048
>   Nov 20 22:47:27.877828 rule 0/(match) block out on fxp0: 1.1.1.1.37016 2.2.2.2.80: . ack 1 win 2048
>   Nov 20 22:48:27.865343 rule 0/(match) block out on fxp0: 1.1.1.1.37016 2.2.2.2.80: . ack 1 win 2048
>   (truncated for brevity)
>
> Here are my PF rules
>
>   # pfctl -s rules
>   block return log all
>   block return in quick inet6 all
>   pass quick proto icmp all keep state allow-opts
>   pass out quick all flags S/SA keep state allow-opts
>   pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
>   pass in on fxp0 proto tcp from any to (fxp0) port = www flags S/SA keep state
>   pass quick on vlan0 all flags S/SA keep state allow-opts
>   pass quick on vlan1 all flags S/SA keep state allow-opts
>
> Here is my pf.conf
>
>   # cat /etc/pf.conf
>   # SETTINGS
>   set block-policy return
>   set loginterface fxp0
>   set skip on lo
>   scrub in

What happens when you remove the above scrub line? Have you tested? -Girish
Re: help with network connectivity
On 20:07:02 Nov 20, Jon wrote:

> I have updated the /etc/myname with the server
> I have updated the /etc/mygate with the comcast's gateway IP
> I have set the IP address using ipconfig

? ipconfig?

> the /etc/hostname.em0 has 'inet static IP 255.255.255.0 NONE' in it.

Shouldn't it be

  inet 192.168.1.234 255.255.255.0 192.168.1.255
                                   ^

You have to use broadcast address. Try it. That may be the problem.

> I can resolve using the gateway as my nameserver in /etc/resolve.conf

If you set named= in /etc/rc.conf.local you can use your OpenBSD machine as the nameserver. It is chrooted and secure. Set /etc/resolv.conf to

  nameserver 127.0.0.1

-Girish
Re: help with network connectivity
On 10:28:34 Nov 21, Girish Venkatachalam wrote: If you set named= in /etc/rc.conf.local you can use your Typo. It should be named_flags= -Girish
Re: PF and the old SIP issue
On 19:32:58 Nov 19, Jason Beaudoin wrote:

> On Wed, Nov 19, 2008 at 11:24 AM, Mikel Lindsaar wrote:
> > FWIW I run about 8 asterisk servers behind openbsd firewalls. I have found the most non-problematic way to run them has been by using the asterisk servers as a SIP proxy for your SIP clients and making sure that canreinvite in asterisk is turned off, this increases your load on the asterisk server, but I haven't found that to be a real problem.
>
> sounds like a great article for undeadly.org!

Slightly off topic but since many people do not like the horrible Asterisk code and design (no offense meant) and of course the sucky GPL license, whatever is happening on a BSD licensed Asterisk implementation? I mean an EPABX in software? That will be really cool. Is someone working on it? It will be great if an OpenBSD style Asterisk clone is developed. ;) What do you people think? -Girish
Re: ifconfig promiscuous mode
On 03:43:49 Nov 18, Man Lam wrote: Hi, How to enable and disable the promiscuous mode with OpenBSD 4.3. I didn't find the -promisc argument in ifconfig. man pcap -Girish
Re: apache 1.3.29 + PHP 5.2.6 on OpenBSD 4.4
On 02:01:19 Nov 17, Daniel Ouellet wrote:

> This doesn't apply here because the library is pre-loaded before the httpd is chrooted. More details:
>
> Pre-loading Shared Libraries
>
> To extend the functionality of the webserver it can dynamically load shared libraries, e.g. a database access library. Shared libraries for a binary program are normally loaded by the runtime linker when the program is invoked (and thus before it can call the chroot system call). Thus shared libraries like the mod_php PHP4 module, which is linked as a shared library to the httpd program when it is started, impose no problem. PHP4 will be available whether your httpd is started chrooted or not because the shared library is loaded before the chroot() system call is invoked. PHP4 itself, however, does dynamically load additional functionality at runtime and as needed. If you try to access a PostgreSQL function in PHP4 e.g. then it will fail in a chrooted httpd because only the PHP4 module is dynamically linked to httpd but not the PostgreSQL client library. The latter is loaded (mapped) to the running httpd executable by PHP4.
>
> This was for php4 but it also applies to php5 as the modules are loaded before the chroot takes place. Hope this helps a little and avoids users running httpd with -u.

Thanks. ;) I did not know this. -Girish
Re: vpn with an iphone
On 12:36:00 Nov 17, Johan Beisser wrote: PoPToP is in ports. I dunno a thing about iPhone but there is also /usr/ports/net/pptp -Girish
Re: Fresh install question
On 15:34:47 Nov 17, Jorge Valbuena wrote:

> One simple thing that I will try is: if OpenBSD 4.2 is already installed and you want to install 4.3 or 4.4, first take a look at the /etc/fstab file and write down the name of the /home partition
>
>   /dev/wd0h /home ffs rw,nodev,nosuid 1 2
>
> When installing the new version leave that partition untouched, and after first boot put the line manually in your new /etc/fstab. I hope this can help!

It also helps to note down the starting and ending cylinders of the partition you want to preserve. You can think of the OpenBSD fdisk partition as one big contiguous block of sectors. Irrespective of its physical location, it is one single unidimensional series of sectors. Each sector is exactly 512 bytes. OpenBSD fdisk and disklabel, unlike the ones found in other OSes, always tell us the cylinder boundaries. This has helped me think a bit more clearly. -Girish
Re: apache 1.3.29 + PHP 5.2.6 on OpenBSD 4.4
On 08:04:25 Nov 17, Andrei Pirvan wrote:

> Hello
>
> The problem I have is that default apache can't load the PHP module. PHP was installed from packages (php5-core-5.2.6.tgz), so there is nothing custom made. The only error I have when I try to start apache is when I run a configtest.
>
>   # apachectl configtest
>   Starting Pure-FTPd
>   Processing config directory: /var/www/conf/modules/*.conf
>   Processing config file: /var/www/conf/modules/php5.conf
>   Syntax error on line 1 of /var/www/conf/modules/php5.conf:
>   Cannot load /usr/local/lib/php/libphp5.so into server: Cannot load specified object
>
> Both httpd and php work well separately, and /usr/local/lib/php/libphp5.so exists.

Try the httpd -u switch to run it outside the /var/www chroot. You could insert this into /etc/rc.conf.local. The apache modules live in /usr/local/lib and are consequently outside the chroot. -Girish
Re: cvs, cvsup and xenocara advice
On 01:28:57 Nov 13, Ansen Lloyd wrote:

> 1. What are the main differences between cvs and cvsup when updating sources to stable?

cvs is the revision control technology. You can use cvs to check out the main OpenBSD repository to your local machine by which you only get the files pertaining to the revision you ask. Whereas cvsup and cvsync are tools that fetch the entire cvs repository to your local machine. So you necessarily have to run a cvs checkout on your local repository to obtain the sources.

> 2. I'm just the typical home user of obsd, so which should I use, cvs or cvsup?

I use cvsync. cvsup is not written in C. ;) You can use cvs if you have copious bandwidth. If you are like me you have to either use cvsup or cvsync.

> 3. As of Nov 13th of 2008 why do only 4 of the 17 cvsup servers have the xenocara repository? (according to this list: http://www.openbsd.org/cvsup.html)

Some mirrors may be out of date. -Girish
Re: Layer 7 relaying still needs pf?
On 21:45:56 Nov 13, Edd Barrett wrote: Hi, Why does layer 7 relaying require pf still? There are cases where relaying works in tandem with redirection. pf never looks into the packet payloads. -Girish
Re: VLC/MPlayer/ffmpeg audio/video sync issues introduced in 4.4..
On 19:13:41 Nov 10, Brynet wrote:

> See, I typically use VLC only.. with mplayer for the odd file, but I haven't tweaked its configuration file at all, as for VLC, I have tried toggling a lot of settings.. I'll try the settings you mentioned, but the fact is... video playback has slowed down since the upgrade of 4.3 to 4.4, with files that previously played well.. this is definitely indicating breakage that showed up sometime between the 6 month release gap. I read the pkg_info for the mplayer package, the only relevant entry may be the shared memory field.. the userldt option seems unrelated, I don't use the Win32 codecs. Thanks a lot for helping me out with this though, was starting to think it was all in my head... ;)

Have you checked your xv support in X?

  $ xvinfo

-Girish
Re: Using a separate boot partition
On 19:52:30 Nov 11, Joseph Alten wrote:

> Due to technical constraints, my setup requires that I have a separate boot partition (basically the kernel and anything else critical for booting), and then of course my root partition and other data partitions on a separate disk. I'm kind of new to OpenBSD, and so far what I've managed to do is copy /bsd to a separate partition, then at the boot prompt I run boot hd0a -a, then specify my root partition when prompted by the kernel. While this has the desired effect, I'd rather not run this every time I want to boot OpenBSD. Is there a kernel parameter I can pass that lets the kernel know ahead of time the root device I wish to mount? Basically I'm looking for the OpenBSD equivalent of root=/dev/xxx Linux kernel parameter. I think I managed to get FreeBSD working similarly with the vfs.root.mountfrom= parameter, but this doesn't appear to exist in OpenBSD. Thanks for looking into this.

Of course it is possible. Read boot.conf(8) for this. You can set the root device like this:

  # cat /etc/boot.conf
  set device wd0a

It could be wd1a or sd1a also. You get the idea right? -Girish
Re: Packet Filter: how to keep device names on hardware failure?
On 13:43:11 Nov 07, Guido Tschakert wrote: Surely we assume that nobody fakes the mac. I could be wrong but I don't think it possible to fake the MAC reported in dmesg(8). ifconfig can fake MAC address but this should be unique since it is reported by the NIC whilst probing. -Girish
Re: tap devices on bridge cannot connect
On 17:37:11 Nov 06, Lord Sporkton wrote: I am running Qemu with 2 virtual machines. I have put the tap devices into a bridge with a trunk interface, the trunk acts as a gateway, allowing a virtual network inside the host server which can nat to public IPs and be firewalled. For some reason the 2 vmhosts cannot communicate. They will arp each other up but not actually ping each other. They are windows hosts. I have a site to site vpn back to my house which i can ping both vm hosts successfully from my house computer through the vpn. i can ping the trunk interface from the hosts as well. just not vmhost to vmhost. Any thoughts on why they can not ping each other?

I think qemu has two modes for networking and only TCP proxying works. Not sure about UDP. But ping does not work. If you configure qemu to do 'real' networking then I believe ping will work. People more knowledgeable than me should comment any further. Thanks.

-Girish
Re: Problems booting OpenBSD
On 20:34:44 Nov 02, Rafael Cunha de Almeida wrote: Hello, I'm having trouble booting my new OpenBSD installation. I was able to boot using the CD and I tried to use installboot to record the biosboot to the PBR. I booted with the -s option, so I'd start in single user mode and I mounted /usr to /mnt/. Then I did:

    % /mnt/mdec/installboot /boot /mnt/mdec/biosboot sd0
    ...
    installboot: broken MBR

This almost always means that your following step did not succeed. Look below.

I also tried:

    % /mnt/mdec/installboot /boot /mnt/mdec/biosboot sd0a
    installboot: superblock: devread: lseek: invalid argument

This is wrong. You should mount /dev/sd0a on a directory, then copy the two boot files, /usr/mdec/boot and /usr/mdec/biosboot, to the root like this.

    # mount /dev/sd0a /mnt
    # cp /usr/mdec/b* /mnt

And then you should run installboot like this.

    # ./usr/mdec/installboot boot /mnt/biosboot sd0

Try this. It might work. ;) Best of luck!

I have grub currently installed on MBR. OpenBSD is on linux's /dev/sda2. Does anyone know what could be wrong? Of course, I'd like it better if I don't have to destroy in order to get this working :-).

I don't like grub anymore. ;)

-Girish
Re: editors in floppy44.fs (OpenBSD 4.4.) - newbee help
On 13:36:22 Nov 01, Chris Kuethe wrote: As long as your filesystems are still readable, you can use a more comfortable tool:

    mount /dev/wd0a /mnt
    mount /dev/wd0d /mnt/var
    mount /dev/wd0e /mnt/usr
    /mnt/usr/sbin/chroot /mnt
    vi (or mg) /etc/fstab

you could possibly even just copy your fstab from your freshly mounted /var (/var/backups/etc_fstab.*)

This is what I was also wondering Chris. I always vi in single user mode. Or since I have an NFS mount on my network I mount it thro' NFS after assigning a static IP (DHCP does not work) and work. I have never had to use ed either in single user mode or for scripting. I use vim all the time. He he.

-Girish
Re: installboot: broken mbr on 4.4
On 10:35:43 Nov 01, Michael wrote: I have been trying to install 4.4 on a previous 4.3 partition, but keep getting this message after formatting and new installation:

    installboot: broken MBR

And then when booting from the hd, all I get is:

    ERR M

This means that installboot failed (I think). I have tried a new installation 3 times and then tried upgrading after the 3rd try, with the same error. I use Air-Boot for boot manager and have used it for years. Here is the openbsd and a partition within my 40 gig hd:

    hd: 78125000 sectors
    A6 starts 12546765 size 13350015 for 25896780
    a partition starts 12546765 and ends 13366080

Is it beyond the addressable limit of your BIOS? I wonder. Is it set to LBA mode or linear mode? Just guessing.

Josh Grosse had me try the following commands:

Step 1) Boot 4.4 installation media, select the shell at the Install/Upgrade/Shell prompt.

Step 2) Mount your a partition as /mnt:

    # mount /dev/wd0a /mnt

Step 3) Ensure the second stage boot loader is stored in /mnt/boot:

    # cp -p /usr/mdec/boot /mnt/boot

Step 4) Rerun installboot, installing a new biosboot that points to /mnt/boot:

    # /usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot wd0

I never give the full path for the first stage bootloader. I usually give

    # cd /mnt
    # /usr/mdec/installboot -v boot /mnt/biosboot wd0

It should not be /usr/mdec/biosboot. Definitely not. If you mount your /dev/wd0a partition on /mnt, then the above command will work. Otherwise you have to choose the mount point of your root partition. Does installboot -v report any errors? If that goes thro' then I think you are mostly safe though I have never heard of the Air-Boot boot manager ever. ;)

I got the same results (installboot: broken MBR and then ERR M when booting openbsd). I then thought that since 4.3 installed just fine why not try his command with the 4.3 cd, so I did. The commands worked perfectly and now I am able to boot into 4.4. Why would it work with the 4.3 cd and not the 4.4 cd? It's the same partition with new install.

I dunno. My guess is as good as mine. I am sure Nick will reply to this but I will do my bit. ;) Can you reformat your disk and start from the beginning? And ensure that you install OpenBSD on the right cylinder boundaries? Are you very particular that you have to use a 'boot manager' and multiboot? I was thinking that multiboot was a big pain in the neck and only for those who have not yet decided which OS is best for their needs... Best of luck and I do hope you solve your problem soon.

-Girish
Re: editors in floppy44.fs (OpenBSD 4.4.) - newbee help
On 02:39:06 Nov 02, Edd Barrett wrote: As much as i love vi/vim/nvi, these are not available in ramdisk kernels. vi is certainly there. You have to mount /usr. -Girish
Re: editors in floppy44.fs (OpenBSD 4.4.) - newbee help
On 10:01:54 Nov 02, Girish Venkatachalam wrote: vi is certainly there. You have to mount /usr. Which means it is not part of RAMDISK kernel. Sorry Edd is right and I was wrong. I end up using vi from somewhere I don't remember whenever I boot in single user mode. I guess it needs /tmp and /usr mounted or something. Once again I need to check this. But the fact that NFS mount is available in base install and ramdisks is quite cool... -Girish
Re: change serial console to display
On 08:49:13 Oct 28, ico wrote: Hello gents, I did configure my old box with serial console probably 2 y ago. Now I'd like to get it back to normal. I don't have a null modem cable available. What needs to be changed? I already tried without success: echo /etc/boot.conf or set tty pc0 but I'm still not able to get login on display. Any suggestions?

Your /etc/ttys should have the line:

    tty00 /usr/libexec/getty std.9600 vt100 on secure

-Girish
Re: generate pgp
On 13:44:46 Oct 28, Benjamin Adams wrote: I'm trying to generate pgp to use with email. Anyone know a simple how to? or can help me with commandline tool? thanks

I was in the same boat as you several months ago and after a lot of dilly dallying I ended up enabling it in my favorite mail client mutt(1). Actually mutt makes life simple in many ways and PGP is no exception. You have to learn to use a tiny proportion of the vast options that GNU privacy guard offers you. It is typical GNU bloat-ware and has mile long man pages.

Anyway please find an excerpt from my muttrc that could get you going assuming that you know how to use mutt already... There are several tiny HOWTOs on the Internet for solving your problem if you google for 'mutt pgp'.

Hope this helps.

-Girish

    # My PGP settings
    # GnuPG commands
    set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
    set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
    set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
    #set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
    set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
    set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
    set pgp_encrypt_only_command="/usr/local/bin/pgpewrap gpg -v --batch --output - --encrypt --encrypt-to 0x48e0da0a --textmode --armor --always-trust -- -r %r -- %f"
    set pgp_encrypt_sign_command="/usr/local/bin/pgpewrap gpg --passphrase-fd 0 -v --batch --output - --encrypt --encrypt-to 0x48e0da0a --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
    set pgp_import_command="gpg --no-verbose --import -v %f"
    set pgp_export_command="gpg --no-verbose --export --armor %r"
    set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
    set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
    set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r"
    set pgp_getkeys_command=""
    set pgp_sign_as=S
    set pgp_autoinline
    set pgp_replyinline
    set crypt_autosign
    set crypt_replysign
    set crypt_verify_sig
    set crypt_autosign
Re: file encryption
On 15:48:25 Oct 29, Paul M wrote: I'm looking for a way to encrypt backup files for secure storage. Gpg is an obvious candidate, but I'm wondering if there's anything in base, perhaps a creative use of ssh or some other tool, though not something liable to break, obviously. Any thoughts would be much appreciated.

In case you are not averse to entering passwords every time you mount then mount_vnd(8) works. Just follow the instructions in the man page carefully. Not at all hard to get it working. Much cleaner than OpenSSL or GPG as the whole file system is encrypted.

-Girish
Re: relayd - tcp_write: connect timed out
On 18:22:37 Oct 25, uday wrote: Hi Guys, I'm trying out relayd here and first of all, felicitations to PYR and the community for their work on this piece of software. This is my first time install and while trying it out, I came on to an issue, I keep on getting tcp_write: connect timed out when relayd checks the hosts table. I searched the entire net for a solution and the only solution I found is that a good timeout could solve the issue (rather than a patch that is wrong said by the man himself PYR), I just ran out of luck I tried in every possible way to change the config of this it's just not working, on the webserver side I'm not even seeing an attempt to connect, this is weird for me. I know I'm doing something wrong here but I don't see it, I greatly appreciate if anyone encountered this problem to share a bit of info with me. This is the message I'm getting when I try to connect to the loadbalancer on port 80:

    relay httpproxy, session 1 (1 active), 0, 192.168.4.22 - :80, session failed

It could well be a simple networking/routing issue. I have seen this whilst testing relayd for the first time. Although it is taken for granted that the logical network topology matches the routing tables we often do not abide by this rule.

For instance can you ensure that you can connect to the web server from the redirector (the machine running relayd) by using netcat? Run this on the web server.

    $ nc -l 1234

and from the relayd machine try

    $ nc 192.168.4.78 1234

I would also check if the webserver is healthy and running fine though I am sure you would have done that sanity check.

If the routing tables are not in order you have got something wrong in your setup and that is the first thing to fix. For instance have you ensured that the web server and the clients are in separate networks connected/routed by the relayd machine?

There are certain unwritten ground rules to be followed for rdr to work. For instance if your reverse path does not match the forward path between the client and the server, then rdr will fail and the TCP handshake will not go through. Basically rdr should get a chance to see the packets in both directions to function properly. Kindly ensure that.

Thanks.

-Girish
Re: slow network performance behind cisco
On 16:46:18 Oct 24, Pierre Riteau wrote: Because the delay between the two machines is very low.

It appears you need to read about bandwidth-delay product as well. Actually it is quite a deep concept. How TCP guesses the bandwidth is quite a challenge. And often TCP gets it wrong. It is Shannon's noisy channel coding theorem that determines the bandwidth of any channel be it wired or wireless. TCP guesses the speed at which it can send data using very sophisticated algorithms and protocols. Numerous papers have been written on this topic but the long and short of it is this:

Your network bandwidth is often underutilized and the best way to get the best out of it is to use multiple TCP connections (not threads... please don't get me wrong here). This will solve the problem when the bottleneck is in your LAN but otherwise it will not help (at all). In fact this is the technique employed by all download accelerators including the downthemall FF extension.

Now the TCP send and receive buffers that Otto suggested (BTW I had the same problem as Sebastian and Otto helped me offlist) help TCP's bandwidth guessing algorithm to accurately guess the buffer sizes or to be precise the TCP window sizes to match the bandwidth delay product in common scenarios (ADSL and roundabout bandwidths). So I always add 65536 to my /etc/sysctl.conf. IOW this value helps TCP to fill the pipe so to speak.

Now why doesn't OpenBSD ship with these values as the default? Long ago sthen@ answered this. It would consume more kernel memory on the low end hardware we support. (Maybe it is time for us to take a look at the default value again)

You can read more about this here. http://www.linuxjournal.com/article/9815

One way to look at the bandwidth delay product vis a vis available bandwidth is this. Let us take a satellite link for example. Satellites have very good bandwidth as they operate in the higher microwave frequencies but the packets have to travel 72,000 kms (36,000 x 2 Geo synchronous satellites) and hence they have a latency of ~ 470 milliseconds.

Now how can TCP figure this out? It looks at the round trip times of the three packets involved in the three way handshake (let us keep it simple). It exponentially increases its speed till it gets a packet loss. And then it backs off. It uses two parameters called alpha and beta internally.

Anyway I hope I did not bore you folks. Many thanks.

-Girish
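To make the bandwidth-delay arithmetic in the message above concrete, here is an added worked example; it is not code from the thread or from OpenBSD. The bandwidths and round-trip times are assumed scenario figures (the satellite RTT is taken as roughly twice the one-way figure quoted above), and the 65536-byte window is the value named in the message. It shows how much data a single connection must keep in flight, what one connection capped at that window can reach, and how many parallel connections would be needed to fill the pipe, which is the download-accelerator trick described above.

```python
"""Bandwidth-delay product (BDP) worked example.

Added for this page, not code from the original thread. Arithmetic is done in
integer bits, bytes and milliseconds so every result is exact.
"""

DEFAULT_WINDOW = 65536  # the 64 KiB send/receive space mentioned in the thread


def bdp_bytes(bandwidth_bps: int, rtt_ms: int) -> int:
    """Bytes that must be in flight to keep a path busy for one round trip."""
    return bandwidth_bps * rtt_ms // 8000


def max_throughput_bps(window_bytes: int, rtt_ms: int) -> float:
    """Ceiling for one TCP connection whose window never exceeds window_bytes."""
    return window_bytes * 8 * 1000 / rtt_ms


def window_fills_pipe(window_bytes: int, bandwidth_bps: int, rtt_ms: int) -> bool:
    """True when a single connection with this window can use the whole link."""
    return window_bytes >= bdp_bytes(bandwidth_bps, rtt_ms)


def connections_needed(window_bytes: int, bandwidth_bps: int, rtt_ms: int) -> int:
    """Parallel connections (each capped at window_bytes) needed to fill the pipe."""
    return max(1, -(-bdp_bytes(bandwidth_bps, rtt_ms) // window_bytes))


# Constructed scenarios (assumed figures, not measurements).
SCENARIOS = {
    "adsl 8 Mbit/s, 50 ms RTT": (8_000_000, 50),
    "lan 100 Mbit/s, 1 ms RTT": (100_000_000, 1),
    "wan 100 Mbit/s, 100 ms RTT": (100_000_000, 100),
    "geo satellite 10 Mbit/s, 480 ms RTT": (10_000_000, 480),
}


def report(window_bytes: int = DEFAULT_WINDOW) -> dict:
    """Evaluate every scenario against one window size."""
    rows = {}
    for name, (bw, rtt) in SCENARIOS.items():
        rows[name] = {
            "bdp_bytes": bdp_bytes(bw, rtt),
            "fills_pipe": window_fills_pipe(window_bytes, bw, rtt),
            "single_conn_mbit": max_throughput_bps(window_bytes, rtt) / 1e6,
            "connections_needed": connections_needed(window_bytes, bw, rtt),
        }
    return rows


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:38s} BDP={r['bdp_bytes']:>9d} B  "
              f"64K window fills pipe={r['fills_pipe']!s:5s}  "
              f"one conn <= {r['single_conn_mbit']:8.2f} Mbit/s  "
              f"conns needed={r['connections_needed']}")
```

The WAN row is the one to look at: a 100 Mbit/s path with 100 ms of delay needs about 1.25 MB in flight, so one connection held to a 64 KiB window tops out near 5.2 Mbit/s, and it takes twenty such connections to fill the link. On the ADSL and LAN rows the 64 KiB value is already enough, which is why the sysctl change helps in the common case.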
Re: alix 2c3 and i2c
On 16:16:02 Oct 23, Per-Erik Persson wrote: A while ago I purchased an alix board. The plan is to hook up some external i2c sensors to it. I see the i2c-header on the board, but while reviewing the dmesg I cannot find anything related to i2c. Has the header no real function or is the driver for the i2c bus not written yet or do I need to enable it in some way? Reading the code under i2c gives me hints about bitbanging the gpio, but that is just guessing. How can i squared c driver not be written yet? ;) Do you think OpenBSD will run on so many platforms without supporting this bus? I go to /usr/src/sys/dev/i2c and find some files there. Any guess what those files do? -Girish
Re: Can't SSH into CARP'd system from the outside
On 21:26:51 Oct 18, Vivek Ayer wrote: [demime 1.01d removed an attachment of type application/octet-stream which had a name of pf.conf] [demime 1.01d removed an attachment of type application/x-trash which had a name of pf.conf.BAK] This list does not allow attachments. You can either copy paste them into the mail text or use a mail client like mutt. -Girish
Re: Can't SSH into CARP'd system from the outside
On 22:45:49 Oct 18, Vivek Ayer wrote: Actually, I feel kind of stupid for asking the question. Of course you can never ssh into the virtual carp interface, which is what I was trying to do. SSHing into the physical interface still works no problem. Then again, it would be Yay..CARP is working 100%.

You can of course use the CARP virtual interface. In fact you are supposed to use that if you setup CARP. ;)

The only thing you can do to the CARP interface (which is the public IP in this case) is ping it, right?

No. For all practical purposes that is the IP address you should use.

Granted all the redirection to my web server still works, and the carp interface is actually the domain IP, will I just be able to type the domain in a web browser and watch http come up? By this, I mean:

    INTERNET -- CARP0 --- Routers 1 and 2 --- CARP1 SWITCH --- CARP3 --- Web Servers 1 and 2.

I'm going to be CARPing my web servers as well. So how would this work? Public IP request would go to one of the two routers which would redirect to one of the two web servers? Basically, how would http or named interact with the virtual interface?

You can find a good writeup on CARP here. http://www.openbsd.org/faq/pf/carp.html

I have not properly understood your setup but I can give you some ideas. CARP does not redirect IP traffic. That is handled separately. However by virtue of the CARP IP being virtual the redirection is handled by CARP itself. You need to think a lot on the lines of inbound or outbound CARP load balancing/fail-over. If it is a web server you probably need inbound fail-over. Then CARP handles everything for you if you access the CARP virtual IP.

OpenBSD gives you several other ways to redirect traffic. relayd(8) and pf(4) trickery using route-to come to mind. I would rather that I do fail-over with CARP and load balancing with relayd and leave route-to alone... The choice is yours.

-Girish
Re: reliable, dd over simple ip network
On 23:57:17 Oct 17, Matthew Dempsky wrote: On Fri, Oct 17, 2008 at 10:52 PM, Johan Beisser [EMAIL PROTECTED] wrote: You know ssh will compress what goes through its tunnel to begin with, right? ssh_config(5) says Compression defaults to no. That is quite correct. And I left out the cd /destir for the restore command that happens at the other side. Moreover with gzip you can select a compression level between 0 and 9 that suits your network and processing speeds best. And you could loop this command line for all the partitions in a simple shell script after you setup ssh-agent(1). -Girish
Re: X not start
On 20:37:53 Oct 18, Daniel Bareiro wrote: I did not try to initiate X of that way. After to have tried, it did not work either. This is what I obtain in the log:

    (EE) Unable to locate/open config file

Why are you getting this error? Copy the /root/xorg.conf.new file to /etc/X11/xorg.conf

    (EE) Failed to load module dri (module does not exist, 0)

Harmless.

    (EE) Failed to load module fbdev (module does not exist, 0)

Harmless but you can remove that line from xorg.conf. You have to look for the Load fbdev line.

    (EE) CIRRUS(0): No valid modes found
    (EE) Screen(s) found, but none have a usable configuration.

This is what you have to fix. Try googling and look at pcidump(8) and also try modifying the Modes line to something conservative like 800x600 just for testing. You need a bit of patience with X. ;)

Best of luck!

-Girish
Re: reliable, dd over simple ip network
On 17:29:56 Oct 17, Mike wrote: will work out much faster and better than plain old dd(1). On the other side you have to run # input | restore xf - -Girish

whats the input going to be?

Sorry I was wrong. It was meant to be done in one step from the dump side. This works for me.

    # dump af - /dev/rwd0d | gzip -c - | ssh hostname gzip -d -| restore rf -

Hope it works out for you. Thanks.

-Girish
Re: reliable, dd over simple ip network
On 21:28:56 Oct 15, Neko wrote: Good day to all of you, i have found a really dirty way of going around this, so im fishing for advice on finding a reliable way to dd over simple ip network with the generic bsd. could this be done in a straight pipe? i have an ftp on the generic bsd, containing data, this bsd system is on a multiple os drive. i have no choice to dd, since multiple partition got updated out of hand, no way to single track specific updated folders. *well actually yes, its the dirty way stipulated above* since my partitions have 16% free on all systems, i cant tarball the drive sent it to target machine and uncompress, anyways, if you have suggestion on opensource pkgs, services i could open, or any bright idea i would like to hear them,

dd(1) is not a good idea. If you want to back up across the n/w, then dump(8) with ssh(8) may be interesting.

    # dump af - | ssh ...

will work out much faster and better than plain old dd(1). On the other side you have to run

    # input | restore xf -

-Girish
Re: Shutdown with the power button
On 15:41:27 Oct 16, Guillermo Bernaldo de Quiros Maraver Pedroche wrote: see /etc/rc.shutdown and set:

    powerdown=YES # set to YES for powerdown

Try this. It might work.

My /etc/sysctl.conf has the line

    machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt

I find that this along with the above option set in /etc/rc.shutdown is a nice way to shutdown the machine by pressing the magic buttons...

-Girish
Re: X not start
On 00:55:38 Oct 17, Daniel Bareiro wrote: Hi all! I'm trying to use KDE in OpenBSD but I'm having problems with the basic step: to obtain that X server works. I have this problem with OpenBSD 4.3. With snapshot of OpenBSD 4.4, X server works without problems. For both cases, I indicated during the installation that X server would be used. Both installations are kvm virtual machines in the same hardware. In both installations I generate the X configuration file with:

    # X -configure

And I test it with:

    # X -config xorg.conf.new

If the previous step reported success then you should try exactly what it says. And it asks you to run

    # X -config /root/xorg.conf.new

There is a silly bug and 'X -config' won't work with relative paths...

-Girish
Re: Best Way to get OpenBSD installed on Sun Blade 1000/2000
On 17:41:49 Oct 13, Vivek Ayer wrote: I'm getting zilch. I'm starting to suspect that I got ripped off on this cable. I could be just as wrong. I just need to test this cable with a windows machine via hyperterminal to absolutely make sure it's not working. You can create a null modem cable yourself. Or you could buy one off a good hardware store. ;) You can test very well with two PCs connected back to back using one of the serial port communication programs like cu(1), minicom(1) or tip(1). -Girish
Re: USB disklabel trouble
On 07:48:18 Oct 11, Edward F. Ahlsen-Girard wrote: Ladies and Gentlemen: I wanted to use a 4GB thumb drive to move a complete partition from one system to another, and needed to get a ffs volume on it. It was originally fat32. Ran disklabel -E, said to use the whole disk, no luck. Tried fdisk, and now even less luck: both WXP and OpenBSD can tell there's a device there, but neither seems to know what to do with it. Dmesg and the errors from both of today's attempts at disklabel are attached.

Let me put things in perspective here.

disklabel(8) necessarily follows fdisk(8). It is never the other way round. fdisk creates an OpenBSD partition type (0xA6) [see attached output]. If you do not intend to install another OS on this disk or in case you want only to create ONE FFS partition then you can simply do this.

    # fdisk -iy /dev/sd0

Your OpenBSD partition will be the third and it will start after the first sector. fdisk partitions should always be correctly aligned.

Anyway once you are done with fdisk, your next task is to disklabel and then newfs to format the file system. disklabel creates sub partitions inside the fdisk portion. In our case the fdisk primary partition covers the whole of the 4GB USB stick.

Now invoke disklabel with the -E switch as it is interactive and nice.

    # disklabel -E sd0

Now you can add a partition with the 'a' key. Just press ENTER for the default values. Once you are done, do a 'w' and 'q'. It does what you guessed it will do. ;)

Now, check whether things are in order with this command.

    # disklabel sd0

It should not say unholy things. ;)

Now create an FFS file system with newfs(8).

    # newfs /dev/sd0a

or if you created more partitions, then you have to create file systems on all of them.

Then you are ready to mount.

    # mount /dev/sd0a /mnt

Enjoy OpenBSD. ;) Have fun!

-Girish

    # fdisk wd0
    Disk: wd0       geometry: 60801/255/63 [976773168 Sectors]
    Offset: 0       Signature: 0xAA55
                Starting         Ending         LBA Info:
     #: id      C   H   S -      C   H   S [       start:        size ]
    -------------------------------------------------------------------------------
     0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
     1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
     2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
    *3: A6      0   1   1 -  60800 254  63 [          63:   976768002 ] OpenBSD
    #
Re: PF Queue on a GROUP of nics?
On 16:39:30 Oct 06, Sunnz wrote: Is it possible? Say I have a few nics of the same group... dc0 dc1 dc2 dc3... which all belong to a group dc. And say if I wanted to limit the overall bandwidth for the group... so say at any point in time the overall outgoing bandwidth of the group dc will not be over 100mbp. Would it work if I just apply altq to dc in pf? Or do I need to bridge it... this is where I have no ideas... but say I add a bridge0 that contains dc0 dc1 dc3 dc2, and apply altq to bridge0 in pf. No need to add a bridge. You are looking for ifconfig(8). Look for interface groups and you are done. -Girish
Re: Azalia configured but no audio
On 03:18:01 Oct 06, Jacob Meuser wrote: mplayer should be controlling `play.gain' from audioctl(1), which should correspond to `inputs.dac' from mixerctl(1). either of these should affect the playback volume, but if not, then you can use mplayer's `-softvol' switch to adjust volume in software rather than hardware; see mplayer(1). Well I have been putting up with an inability to increase the volume of mplayer but one can reduce it with '/' or '9' key. The '0' and '*' keys do not work however. Something wrong somewhere but I never got time to check. -Girish
Re: pkg_add interrupted by network dis connection, how to resume installation ?
On 01:43:16 Oct 05, Jesus Sanchez wrote: go to /var/db/pkg as root, do:

    # ls partial*

the output are the partial packages you have to delete with pkg_delete

This is what I do since my pkg_add sometimes fails due to an unannounced power outage or a network outage. (I have fixed both now)

    # pkg_info|grep partial

Then delete it with

    # pkg_delete partial-foo...

But then sometimes power goes off when our good friend doesn't even get time to register a partial install. Then you have to manually delete the offending files.

    # pkg_add foo 12 /tmp/conflict.txt

Then do a grep, cut and some other UNIX jugglery to get rid of the problem files.

Best, Girish
Re: odd greyscanner behaviour
On 14:28:40 Aug 29, Jose Fragoso wrote: Hi, I am running OpenBSD 4.4, spamd and greyscanner41 in a box. Looking at the log entries from the greyscanner, I found this entry and others which I find a bit strange: Aug 28 12:55:44 wall greytrapper[25604]: Trapped 209.85.132.241: Mailed from sender gmail.com with no MX or A Now, this IP address has an A record and it is from google. So my guess is that due to some temporary network instability, the reverse lookup is failing. But should the greyscanner script not be able to identify this and disregard instead of trapping the IP address? You must be aware that google and other such popular mail services like yahoo!, hotmail etc. blatantly flout RFC2821 and retry mails from a bank of mail servers. This does not go well with greylisting of course. Consequently I have observed google's mail servers getting tarpitted. But I have also seen that over time when more mails start coming from these domains the greylisting process whitelists them. I would rather we not interfere with the internal clockwork of OpenBSD greylisting by manually correcting such arrant misbehaviors by popular mail vendors. Instead the correction happens over time automatically just the way the human body takes care of common cold. At least that is the way I tackled this issue. The longer answer is to be found in Calomel's site[1] and other Internet resources. -Girish 1) http://www.calomel.org/spamd_config.html
Re: odd greyscanner behaviour
On 08:30:22 Aug 30, Stuart Henderson wrote: On 2008-08-30, Girish Venkatachalam [EMAIL PROTECTED] wrote: You must be aware that google and other such popular mail services like yahoo!, hotmail etc. blatantly flout RFC2821 and retry mails from a bank of mail servers. I couldn't find this mentioned in RFC2821, could you point out the section number which talks about this? In any event, it's definitely not all that unusual... Obviously then I must be wrong. Mail servers are supposed to retry from the same IP address as per the RFCs. That is what I know/think. Let me head to ietf.org and get back. :) -Girish
Re: odd greyscanner behaviour
On 16:44:19 Aug 30, Girish Venkatachalam wrote: I couldn't find this mentioned in RFC2821, could you point out the section number which talks about this? In any event, it's definitely not all that unusual... Obviously then I must be wrong. Mail servers are supposed to retry from the same IP address as per the RFCs. That is what I know/think. Let me head to ietf.org and get back. :)

Stuart, I got this from RFC2821.

+--+

3.7 Relaying

In general, the availability of Mail eXchanger records in the domain name system [22, 27] makes the use of explicit source routes in the Internet mail system unnecessary. Many historical problems with their interpretation have made their use undesirable. SMTP clients SHOULD NOT generate explicit source routes except under unusual circumstances. SMTP servers MAY decline to act as mail relays or to accept addresses that specify source routes. When route information is encountered, SMTP servers are also permitted to ignore the route information and simply send to the final destination specified as the last element in the route and SHOULD do so. There has been an invalid practice of using names that do not appear in the DNS as destination names, with the senders counting on the intermediate hosts specified in source routing to resolve any problems. If source routes are stripped, this practice will cause failures. This is one of several reasons why SMTP clients MUST NOT generate invalid source routes or depend on serial resolution of names.

When source routes are not used, the process described in RFC 821 for constructing a reverse-path from the forward-path is not applicable and the reverse-path at the time of delivery will simply be the address that appeared in the MAIL command.

A relay SMTP server is usually the target of a DNS MX record that designates it, rather than the final delivery system. The relay server may accept or reject the task of relaying the mail in the same way it accepts or rejects mail for a local user. If it accepts the task, it then becomes an SMTP client, establishes a transmission channel to the next SMTP server specified in the DNS (according to the rules in section 5), and sends it the mail. If it declines to relay mail to a particular address for policy reasons, a 550 response SHOULD be returned.

+--+

Does the last sentence of the first paragraph above suggest this? And I find several places in the RFC where this idea is strongly suggested.

Going by common sense however only those who don't comply with SMTP standards would do such a silly thing. It is still possible to use a bank of MTAs but allocate the job of retrials to come from the same IP address.

-Girish
Re: odd greyscanner behaviour
On 16:44:19 Aug 30, Girish Venkatachalam wrote: I couldn't find this mentioned in RFC2821, could you point out the section number which talks about this? In any event, it's definitely not all that unusual... Obviously then I must be wrong. Mail servers are supposed to retry from the same IP address as per the RFCs. That is what I know/think. Let me head to ietf.org and get back. :) Oops. Sorry. I mistook the OP's complaint to be the common case of the gmail problem. I now know that it is very much related to the MTA bank issue but not the same thing I understood. Not having a valid MX or A is a violation of the RFC of course. But is it explicitly mentioned? I don't know. -Girish
Re: odd greyscanner behaviour
On 14:10:04 Aug 30, Paul de Weerd wrote: | | Does the last sentence of the first paragraph above suggest this? The section you quoted refers to receiving, not sending mail (more specifically, to source routing e-mail). Oh! Can you point these out ? I've read the RFC and couldn't find any such strong suggestions you speak of. It is news to me that the RFC does not actually mandate retries from the same IP address as Peter M Hansteen wrote. | Going by common sense however only those who don't comply with SMTP | standards would do such a silly thing. Why is it a silly thing ? Why would only those who don't comply with SMTP standards do it ? It's not in violation of 2821 (not that I could find nor you have provided evidence for, at least). I dunno why but it seems like a violation to me. We will be left with no method to figure out who is retrying. But this is not how the gmails of this internet currently work. At this point in time, that means either whitelisting those senders you deem a) trustworthy enough to not send you spam and b) important enough to whitelist in the first place. Otherwise you risk missing some mail because they're not retried from the same IP. Missing mails? This has never happened with me. Delayed yes but not missing them. I have a `getwhite` script that updates my personal whitelist on a daily basis. Since I consider GMail important enough to receive (that is, some people send me e-mail I consider important from gmail) and I think this party is trustworthy enough to not spam me, I have whitelisted the Google SPF records in my script. I use the following snippet (for those curious about my script, it's available at http://www.weirdnet.nl/openbsd/cronjobs/getwhite) : host -t TXT _netblocks.google.com | tr ' ' \\n | grep ^ip4 | \ cut -f2 -d':' $WHITELIST.new I get a connection timed out error. I don't believe there is a clean solution to this at the moment. 
I love spamd, as it prevents *A LOT* of spam from reaching my MX in the first place but it can be detrimental in certain cases such as these. I really do not think it is a spamd/greylisting issue. The real problem lies elsewhere. We may have to deal with it but it is not really our problem. -Girish
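The one-liner quoted above only works for a record that carries nothing but ip4: mechanisms on a single TXT record. SPF data is routinely split over several records joined by include: mechanisms, and can carry ip6: entries, so a whitelist built from one record with `grep ^ip4` silently leaves out part of the sender's address space and those senders stay greylisted. The script below is an added example, not Paul's getwhite (whose contents the page does not show): it extracts every ip4:/ip6: network from an SPF record, reports include: targets it did not follow instead of dropping them, and refuses to install an empty list so that a failed DNS lookup (the "connection timed out" case) cannot unwhitelist everyone. The pf table name `<whitelist>`, the path /etc/mail/whitelist and the sample record (documentation ranges, not Google's real data) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Paul de Weerd's getwhite, which the page does not show).
# Builds a spamd whitelist from the ip4:/ip6: mechanisms of SPF TXT records.
set -eu

# spf_nets: read SPF TXT record text on stdin, either raw or in the form
# 'host -t TXT' / 'dig' print it (record wrapped in double quotes), and
# print one network per line.  include: targets are reported on stderr and
# NOT followed: a list built without them is incomplete, so pass those
# names to getwhite as additional domains.
spf_nets() {
    awk '{
        for (i = 1; i <= NF; i++) {
            tok = $i
            gsub(/"/, "", tok)
            if (tok ~ /^ip[46]:/) {
                sub(/^ip[46]:/, "", tok)
                print tok
            } else if (tok ~ /^include:/) {
                sub(/^include:/, "", tok)
                print "spf_nets: not followed: include:" tok > "/dev/stderr"
            }
        }
    }'
}

# getwhite DOMAIN...: resolve the SPF record of every domain given, write
# the networks to $WHITELIST.new, install it atomically and reload the pf
# table.  Assumes (hypothetical, not from the page) that pf.conf contains
#     table <whitelist> persist file "/etc/mail/whitelist"
# and uses "from !<whitelist>" in the rdr rule that sends SMTP to spamd.
# Needs DNS access and root for pfctl; the offline test only covers spf_nets.
getwhite() {
    WHITELIST=${WHITELIST:-/etc/mail/whitelist}
    : > "$WHITELIST.new"
    for dom in "$@"; do
        host -t TXT "$dom" | spf_nets >> "$WHITELIST.new"
    done
    # A failed or empty lookup must not silently unwhitelist everyone.
    if [ ! -s "$WHITELIST.new" ]; then
        echo "getwhite: no networks resolved, keeping $WHITELIST" >&2
        rm -f "$WHITELIST.new"
        return 1
    fi
    sort -u "$WHITELIST.new" > "$WHITELIST.tmp" && mv "$WHITELIST.tmp" "$WHITELIST"
    rm -f "$WHITELIST.new"
    pfctl -t whitelist -T replace -f "$WHITELIST"
}

# Constructed sample record (RFC 5737/3849 documentation ranges, not real data).
SAMPLE_SPF='"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip6:2001:db8::/32 include:_netblocks2.example.com ~all"'
# Constructed 'host -t TXT' style line for the same record.
SAMPLE_HOST='_netblocks.example.com descriptive text "v=spf1 ip4:192.0.2.0/24 ~all"'
```

Run it from cron as `getwhite _netblocks.google.com _netblocks2.google.com _netblocks3.google.com` after checking stderr once for include: lines you still need to add; the `sort -u` keeps the table small when the same network appears in more than one record.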
Re: pf-nat help
On 14:09:57 May 15, Jesus Sanchez wrote:

nat on $ext_if from $localnetwork to any -> (ext_if)

How about changing this line to read

nat on $ext_if from $localnetwork to any -> ($ext_if:0)

-Girish
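The difference between the two forms, as an added pf.conf fragment (not the poster's rule set; the interface and network names are assumptions):

```pf
# Added example, not from the thread.  Old-style (pre-4.7) nat syntax, as used above.
ext_if = "fxp0"
localnetwork = "192.168.1.0/24"

# ($ext_if) expands to every address configured on the interface, aliases
# included.  With more than one address pf treats the list as a pool and
# hands out translation addresses round-robin as states are created, so
# outbound connections leave with varying source addresses, some of them
# alias addresses that remote sites and return rules may not expect.
nat on $ext_if from $localnetwork to any -> ($ext_if)

# :0 keeps only the interface's first address; the parentheses still make
# pf re-evaluate it when the address changes (dhcp, ppp).
nat on $ext_if from $localnetwork to any -> ($ext_if:0)
```

After editing, `pfctl -nf /etc/pf.conf` checks the syntax and `pfctl -sn` shows the nat rules as loaded, with the macro expanded.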
Re: Screen,colorls,xterms issue. 4.2
On 07:45:06 May 11, Jesus Sanchez wrote: I tried to set the TERM variable to rxvt value export TERM=rxvt on the /etc/profile and I have problems with the virtual terminals now. (the ones invoked by Ctrl+Alt+F1 to F4). I get weird color when doing colorls -G in screen session, so your solution is not valid for me, but thanks for the info. Your question was for X and my answer was also for X sessions. For the console you have to stick to wsvt25. It is so simple. Before starting screen from X, $ export TERM=rxvt Before starting screen from the console, $ export TERM=wsvt25 Is there any confusion now? -Girish
Re: Spamd table
On 23:45:06 May 11, Pui Edylie wrote: Hi When i ran pfctl -t spamd-white -T show it shows a list of IP addresses and those IP addresses are mostly from China and etc ... (IE spamming countries) I have enabled syslog logging with -v from the log file when tailing it, i did not see any (WHITE) entry only (GREY) and (BLACK) I am interested where do i find out the whitelisted IP address? This is the rc.local.conf

spamd_flags=-v -G 2:4:864 -y fxp3 -Y fxp3 -n SolOne SMTP OpenBSD 4.1

table <spamd-white> persist
rdr pass inet proto tcp from !<spamd-white> to any \
    port smtp -> $spamvip port spamd

I think it is pretty obvious to anybody reading this e-mail why spamd is doing the exact opposite of what you want it to do. Any guesses? I will take the suspense away. You really should give a passtime of at least 10 minutes. Ideal values might be around 30. Default is 25. So either leave the -G flag alone or use something like -G 10:4:864. In case you want whitelisting to happen sooner than normal. Best of luck! -Girish
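The -G tuple is passtime:greyexp:whiteexp (minutes, hours, hours; spamd's default is 25:4:864), and its effect is visible directly in spamd's database rather than in syslog: spamdb(8) prints one line per entry, WHITE for addresses that retried after passtime and were let through, GREY for addresses still waiting, TRAPPED for spamtrap hits. The script below is an added example, not part of the thread: it pulls the tuple out of a spamd_flags string and summarises spamdb output relative to a given time, so you can see who has been whitelisted, how long each entry has left, and which grey entries are already eligible to pass. The sample database lines are constructed (documentation addresses) in the field layout documented in spamdb(8).

```shell
#!/bin/sh
# Added example, not from the original thread: shows what spamd's -G
# passtime:greyexp:whiteexp tuple has done, from spamdb(8) output.
set -eu

# spamd_greylist FLAGS: print the -G value from a spamd_flags string as
# "passtime greyexp whiteexp".  No -G means spamd's default, 25:4:864.
spamd_greylist() {
    printf '%s\n' "$1" | awk '{
        g = "25:4:864"
        for (i = 1; i <= NF; i++)
            if ($i == "-G") g = $(i + 1)
        split(g, p, ":")
        print p[1], p[2], p[3]
    }'
}

# spamdb_summary NOW: read spamdb output on stdin and print, per entry,
# when it becomes eligible to pass (GREY) or when it expires (WHITE,
# TRAPPED), relative to NOW in epoch seconds.  Field layout per spamdb(8):
#   WHITE|ip|||first|pass|expire|block|pass
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
#   TRAPPED|ip|expire
# A negative can_pass_in_min means the sender only has to retry to get
# whitelisted; with a passtime of 2 minutes that is nearly everyone.
spamdb_summary() {
    now=$1
    awk -F'|' -v now="$now" '
        $1 == "WHITE"   { printf "WHITE %s expires_in_h=%d passes=%d\n", $2, ($7 - now) / 3600, $9 }
        $1 == "GREY"    { printf "GREY %s %s can_pass_in_min=%d blocks=%d\n", $2, $4, ($7 - now) / 60, $9 }
        $1 == "TRAPPED" { printf "TRAPPED %s expires_in_h=%d\n", $2, ($3 - now) / 3600 }
    '
}

# Constructed sample of spamdb output (documentation addresses, not real data).
SAMPLE_DB='WHITE|192.0.2.10|||1699990000|1699990000|1703110400|2|1
GREY|198.51.100.7|mail.example.net|alice@example.net|bob@example.com|1699999000|1700000500|1700013400|1|0
TRAPPED|203.0.113.9|1700086400'
```

On the spamd host, `spamdb | spamdb_summary "$(date +%s)"` gives the live picture; `spamdb_summary` reads stdin so a saved copy of `spamdb` output can be inspected elsewhere. The `pfctl -t spamd-white -T show` list in the question is the same set of WHITE entries, which spamd-setup loads into the table, minus the timing information.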
Re: Screen,colorls,xterms issue. 4.2
On 22:20:18 May 10, Jesus Sanchez wrote: Hi, I'm using OpenBSD 4.2, a clean install. I have experienced some problems using screen and X with colorls. The issue is that when I launch 'screen' on virtual terminals (C0,C1...) I don't have any problem but when I launch X, on the xterm/rxvt I have open I can't launch a screen because the colors go mad and show white on black combinations I have not set on my rxvt (I use some grey tones combinations). I have set an alias for ls='colorls -GF' (color output) and this causes the problems on a screen session. I have set the TERM=xterm-color on my /etc/profile. As Stuart pointed out you should not do this. I used to experience hell since I used to make the same mistake. ;) Later life got simple after doing a code walk through of screen's source and figured that the problem is fixed by setting $ export TERM=rxvt ;) Funny we arrive at simple solutions through circuitous routes. ;) -Girish
Re: Jack, sun and envy problem
On 14:39:14 May 04, Jean-michel Bessot wrote: Hi I have a problem to start jackd to use my audiophile 2496 card. $ jackd -d sun jackd 0.109.10 [copyright information] JACK compiled with System V SHM support. loading driver .. Enhanced3DNow! detected SSE2 detected sun_driver: setting capture parameters failed: [EMAIL PROTECTED] cannot load driver module sun no message buffer overruns I use the Openbsd 4.3 -current (GENERIC#841 i386) and the envy driver is loaded. $ dmesg | grep envy envy0 at pci4 dev 6 function 0 IC Ensemble Envy24 I/O Ctrlr rev 0x02: irq 10 audio0 at envy0 When I use mplayer -ao sun, sound works but I need jack to play music. How can I resolve this problem ? What makes you imagine that jack is necessary to play music? jack is needed only for advanced DAW work. For playing music on OpenBSD with mplayer all you need is the sun audio driver and mplayer stock package comes packaged with it and it just works. Does # cat /bsd > /dev/audio create any noise? -Girish
Re: Editing C with...
On 13:51:58 May 03, Robert C Wittig wrote: vi/vim. I use it for most of my editing tasks, not just writing C code. I use vim since it enhances my coding speed in a big way. As to KNF I guess it is just a habit that I want to inculcate for all my C coding. Right now it is voluntary and occasionally painful but I don't want to lose the chance to make it automatic by going in for a tool. I am bowled over by vim's knowledge of config file syntax and the way it highlights various keywords. That way I can afford to be a bit lazy with certain programming languages or even config file directives. It would highlight typos in a different color. Occasionally vim does go wrong however but so far it has not affected me. I type out this mail with vim and it helps me appear good since I have auto spell check on. With bad keyboards I tend to make silly typos and vim can save my day by highlighting it and alerting me. Of course I would not be so much in love with vim but for its vi key bindings. As to power editing you should really read the short and sweet document written by the author of vim Bram Moolenaar. (If someone can locate it for me I shall be obliged. ;) He emphasizes how the steep learning curve experienced by vi learners are paid back in full in due course of time. I can vouch for it. So what if it is counter intuitive in the beginning? So what if it is sometimes tougher than emacs? Once you use it every time you create a document be it LaTeX or e-mail or source code or config file editing, you stick to one editor and that according to me is an amazing convenience. Its ability to read and write files makes it even more powerful of course. And the output of commands. Hope this helps. That said choice is yours as always. ;) Open source is a democratic world. ;) -Girish
Re: Dual boot problem
On 01:00:04 Apr 08, Andrei wrote: Thanks Josh, this works fine. The reason I did not consider boot.conf at the beginning is that it concerns second-stage bootstrap, while I was trying to find a solution first-stage bootstrap. Then you have to do it manually. OpenBSD is not very convenient for multiboot or for having more than one OpenBSD on the same disk. -Girish