Re: Collision with dbus-daemon-launch-helper and latest snapshot/packages

2015-04-07 Thread Jason Crawford
Thanks for the quick response. Glad to know my system isn't randomly busted.

On Tue, Apr 7, 2015 at 10:29 AM, Marc Espie  wrote:
> On Tue, Apr 07, 2015 at 09:59:08AM -0400, Jason Crawford wrote:
>> Hello all,
>>
>> I updated to the latest snapshot (dmesg below) and when trying to
>> update my packages to the latest from ftp.eu.openbsd.org, I get:
>>
>> quirks-2.61 signed on 2015-04-05T21:43:07Z
>> Collision in dbus-daemon-launch-helper-1.8.16: the following files already exist
>> /usr/local/libexec/dbus-daemon-launch-helper (dbus-1.8.16v0
>> and dbus-daemon-launch-helper-1.8.16)
>
> Bad timing.
>
> Wait for dbus-daemon-launch-helper-1.8.16p0, which will probably show up in a
> day or two on your favorite mirror.
>
> ajacoutot@ made a slight mistake in his first commit to separate dbus into two
> packages.
>
> The mistake has been fixed, but a set of broken packages was shipped.



Collision with dbus-daemon-launch-helper and latest snapshot/packages

2015-04-07 Thread Jason Crawford
Hello all,

I updated to the latest snapshot (dmesg below) and when trying to
update my packages to the latest from ftp.eu.openbsd.org, I get:

quirks-2.61 signed on 2015-04-05T21:43:07Z
Collision in dbus-daemon-launch-helper-1.8.16: the following files already exist
/usr/local/libexec/dbus-daemon-launch-helper (dbus-1.8.16v0
and dbus-daemon-launch-helper-1.8.16)
Can't install avahi-0.6.31p15->0.6.31p17: can't resolve
dbus-daemon-launch-helper-1.8.16
Can't install polkit-0.112p7->0.112p8: can't resolve
dbus-daemon-launch-helper-1.8.16
Can't install consolekit-0.4.6p12->0.4.6p14: can't resolve
dbus-daemon-launch-helper-1.8.16
Can't install geoclue2-2.1.10p1->2.1.10p2: can't resolve
dbus-daemon-launch-helper-1.8.16
Can't install upower-0.99.2p0->0.99.2p6: can't resolve
dbus-daemon-launch-helper-1.8.16
Couldn't find updates for avahi-0.6.31p15, consolekit-0.4.6p12,
geoclue2-2.1.10p1, polkit-0.112p7, upower-0.99.2p0

I can't remove dbus without removing most of my GUI packages, so I'm
not sure how to proceed from here. Below is my dmesg and list of
manually installed packages, then list of all packages installed.

OpenBSD 5.7-current (GENERIC.MP) #903: Thu Apr  2 13:47:34 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4209770496 (4014MB)
avail mem = 4078329856 (3889MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdbeda000 (35 entries)
bios0: vendor Phoenix Technologies LTD version "V1.04" date 10/22/2009
bios0: Gateway NV53
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC SSDT APIC MCFG HPET
acpi0: wakeup devices LID0(S3) SLPB(S3) PB2_(S4) PB3_(S4) PB4_(S4)
PB5_(S4) PB6_(S4) PB7_(S4) PB9_(S4) PB10(S4) OHC0(S3) OHC1(S3)
OHC2(S3) OHC3(S3) OHC4(S3) EHC0(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) II Dual-Core M300, 2000.97 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,3DNOWP,OSVW,IBS,SKINIT,ITSC
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu0: AMD erratum 721 detected and fixed
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64, C-substates=0.0.0.0.0, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) II Dual-Core M300, 2000.04 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,3DNOWP,OSVW,IBS,SKINIT,ITSC
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu1: AMD erratum 721 detected and fixed
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-9
acpihpet0 at acpi0: 14318180 Hz
acpi0: unable to load \\_SB_.PCI0._INI.EXH2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PB2_)
acpiprt2 at acpi0: bus -1 (PB3_)
acpiprt3 at acpi0: bus 3 (PB4_)
acpiprt4 at acpi0: bus -1 (PB5_)
acpiprt5 at acpi0: bus 9 (PB6_)
acpiprt6 at acpi0: bus -1 (PB7_)
acpiprt7 at acpi0: bus -1 (PB9_)
acpiprt8 at acpi0: bus -1 (PB10)
acpiprt9 at acpi0: bus 10 (P2P_)
acpiprt10 at acpi0: bus 1 (AGP_)
acpiec0 at acpi0
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpitz0 at acpi0: critical temperature is 95 degC
acpitz1 at acpi0: critical temperature is 95 degC
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpibtn2 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model "AS09A61" serial  4548 type LION oem "494453"
acpiac0 at acpi0: AC unit online
acpivideo0 at acpi0: VGA_
acpivideo1 at acpi0: VGA_
acpivout0 at acpivideo1: LCD_
cpu0: 2000 MHz: speeds: 2000 1400 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD RS880 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 vendor "Acer", unknown product 0x9602 rev 0x00
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 5 function 0 "ATI Mobility Radeon HD 4200" rev 0x00
drm0 at radeondrm0
radeondrm0: apic 2 int 18
azalia0 at pci1 dev 5 function 1 "ATI Radeon HD 4200 HD Audio" rev 0x00: msi
azalia0: no supported codecs
ppb1 at pci0 dev 4 function 0 "AMD RS780 PCIE" rev 0x00: msi
pci2 at ppb1 bus 3
bge0 at pci2 dev 0 function 0 "Broadcom BCM5784" rev 0x10, BCM5784 A1
(0x5784100): msi, address 00:26:2d:6f:6b:

Re: OpenBSD as a Mailserver

2015-03-25 Thread Jason Crawford
I've done latest openbsd stable with dovecot and postfix with postgres back
end and roundcube for web interface. OpenSMTPd has some SQL support but I
haven't tried it.
On Mar 25, 2015 9:01 AM, "Markus Rosjat"  wrote:

> Hi there,
>
> what's the usual setup these days for mailserver ?
>  I have a old machine and like to jump into the future :)
>
> old setup:
>
> OpenBSD 4.2
> Courier
> Sendmail
> LDAP
>
> I would like to keep LDAP because I may want to migrate my mailboxes.
>
> thanks for the advice
>
> Regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT



Re: Software for time management & calendar

2015-03-22 Thread Jason Crawford
I use redmine for project management and that includes a calendar and time
tracking system.
On Mar 22, 2015 1:44 PM, "Lampshade"  wrote:

> What software you use for this purposes?



Re: Secure Secure Shell

2015-01-06 Thread Jason Crawford
Stop cross posting.
Stop posting articles from people who don't know what they're talking about.
Or possibly just stop posting.

On Tue, Jan 6, 2015 at 9:33 AM, whoami toask  wrote:
> https://stribika.github.io/2015/01/04/secure-secure-shell.html
>
> Is the default config for SSHD enough secure?
>
> Or the different distros modifications are the ones that make it not the best 
> regarding security?
>
> Thanks.



Re: kernel panic from sys/dev/acpi/dsdt.c rev1.210 change

2014-06-27 Thread Jason Crawford
I know on my laptop no acpi meant doesn't work. My saving grace is I
always keep a kernel from the previous snapshot I tried as obsd. So if
bsd doesn't work, I just boot from that. Do you have an older snapshot
kernel you can tell tech support to boot into?

On Thu, Jun 26, 2014 at 7:36 PM, Scott Vanderbilt  wrote:
> Having done a little man page reading on boot-time configuration, I learned
> about the existence of ukc. I'm wondering whether something like
>
>   ukc> disable acpi0
>
> might circumvent the kernel panic and allow the boot to successfully
> complete. I'm hoping that since this is a server, ACPI is non-essential.
> Just grasping at straws in an effort to get this machine up and running
> again.
>
> Thanks.
>
>
>
>
> On 6/26/2014 4:21 PM, Scott Vanderbilt wrote:
>>
>> I have this exact same kernel panic. Unfortunately, it's occurring on a
>> host at a remote co-lo. Does anyone know a way that I can get the
>> on-site tech to suppress the assertion by way of some boot-time
>> configuration? Then at least I can get this machine up and running so I
>> can immediately upgrade to the latest snapshot, which apparently fixes
>> this issue.
>>
>> Thanks.
>>
>>
>> On 6/25/2014 8:05 AM, Jason Crawford wrote:
>>>
>>> My system panics from the KASSERT() call at line 2269 after dsdt.c was
>>> updated to 1.210.
>>>
>>> All I have is the basic panic message and the dmesg from the last known
>>> working snapshot kernel. I tried to get more information but my USB
>>> keyboard does not work in the kernel debugger, and my on-board keyboard
>>> no longer works at all (I use the laptop as a desktop now). I typed up
>>> everything I could see of that panic message by hand.
>>>
>>> Any patches that need to be tested I will be glad to try out.
>>>
>>> Here's the panic message and dmesg output.
>>>
>>> --- panic ---
>>> acpi0 at bios0: rev 2panic: kernel diagnostic assertion
>>> "rgn->v_opregion.iobase % sz == 0" failed: file
>>> "../../../../dev/acpi/dsdt.c", line 2269
>>> Stopped at      Debugger+0x9:   leave
>>> panic() at panic+0xfe
>>> __assert() at __assert+0x25
>>> aml_rwgas() at aml_rwgas+0x1fd
>>> aml_rwfield() at aml_rwfield+0x205
>>> aml_eval() at aml_eval+0x1ae
>>> aml_parse() at aml_parse+0x183d
>>> aml_parse() at aml_parse+0x1ff
>>> aml_parse() at aml_parse+0x1ff
>>> aml_parse() at aml_parse+0x1ff
>>> end trace frame: 0x81ef48f0, count: 0
>>> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS
>>> PANIC!
>>> IF RUNNING SMP, USE 'mach ddbcpu <#>' AND 'trace' ON OTHER PROCESSORS,
>>> TOO.
>>> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
>>>
>>>
>>> --- dmesg ---
>>> OpenBSD 5.5-current (GENERIC.MP) #219: Thu Jun 19 22:16:22 MDT 2014
>>>  dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>>> real mem = 4209770496 (4014MB)
>>> avail mem = 4088930304 (3899MB)
>>> mpath0 at root
>>> scsibus0 at mpath0: 256 targets
>>> mainbus0 at root
>>> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdbeda000 (35 entries)
>>> bios0: vendor Phoenix Technologies LTD version "V1.04" date 10/22/2009
>>> bios0: Gateway NV53
>>> acpi0 at bios0: rev 2
>>> acpi0: sleep states S0 S3 S4 S5
>>> acpi0: tables DSDT FACP SLIC SSDT APIC MCFG HPET
>>> acpi0: wakeup devices LID0(S3) SLPB(S3) PB2_(S4) PB3_(S4) PB4_(S4)
>>> PB5_(S4) PB6_(S4) PB7_(S4) PB9_(S4) PB10(S4) OHC0(S3) OHC1(S3) OHC2(S3)
>>> OHC3(S3) OHC4(S3) EHC0(S3) [...]
>>> acpitimer0 at acpi0: 3579545 Hz, 32 bits
>>> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>>> cpu0 at mainbus0: apid 0 (boot processor)
>>> cpu0: AMD Athlon(tm) II Dual-Core M300, 2000.97 MHz
>>> cpu0:
>>>
>>> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,3DNOWP,OSVW,IBS,SKINI
>>>
>>> T,ITSC
>>> cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
>>> 64b/line 16-way L2 cache
>>> cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully
>>> associative
>>> cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully
>>> associat

Re: kernel panic from sys/dev/acpi/dsdt.c rev1.210 change

2014-06-27 Thread Jason Crawford
I can also confirm that newest snapshot works now.

On Thu, Jun 26, 2014 at 7:45 AM, Nils R  wrote:
> Works now with the latest snapshot (dsdt.c rev. 1.211), thanks!



kernel panic from sys/dev/acpi/dsdt.c rev1.210 change

2014-06-25 Thread Jason Crawford
My system panics from the KASSERT() call at line 2269 after dsdt.c was
updated to 1.210.

All I have is the basic panic message and the dmesg from the last known
working snapshot kernel. I tried to get more information but my USB
keyboard does not work in the kernel debugger, and my on-board keyboard
no longer works at all (I use the laptop as a desktop now). I typed up
everything I could see of that panic message by hand.

Any patches that need to be tested I will be glad to try out.

Here's the panic message and dmesg output.

--- panic ---
acpi0 at bios0: rev 2panic: kernel diagnostic assertion
"rgn->v_opregion.iobase % sz == 0" failed: file
"../../../../dev/acpi/dsdt.c", line 2269
Stopped at      Debugger+0x9:   leave
panic() at panic+0xfe
__assert() at __assert+0x25
aml_rwgas() at aml_rwgas+0x1fd
aml_rwfield() at aml_rwfield+0x205
aml_eval() at aml_eval+0x1ae
aml_parse() at aml_parse+0x183d
aml_parse() at aml_parse+0x1ff
aml_parse() at aml_parse+0x1ff
aml_parse() at aml_parse+0x1ff
end trace frame: 0x81ef48f0, count: 0
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
IF RUNNING SMP, USE 'mach ddbcpu <#>' AND 'trace' ON OTHER PROCESSORS, TOO.
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!


--- dmesg ---
OpenBSD 5.5-current (GENERIC.MP) #219: Thu Jun 19 22:16:22 MDT 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4209770496 (4014MB)
avail mem = 4088930304 (3899MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdbeda000 (35 entries)
bios0: vendor Phoenix Technologies LTD version "V1.04" date 10/22/2009
bios0: Gateway NV53
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC SSDT APIC MCFG HPET
acpi0: wakeup devices LID0(S3) SLPB(S3) PB2_(S4) PB3_(S4) PB4_(S4)
PB5_(S4) PB6_(S4) PB7_(S4) PB9_(S4) PB10(S4) OHC0(S3) OHC1(S3) OHC2(S3)
OHC3(S3) OHC4(S3) EHC0(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) II Dual-Core M300, 2000.97 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,3DNOWP,OSVW,IBS,SKINI
T,ITSC
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully
associative
cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully
associative
cpu0: AMD erratum 721 detected and fixed
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64, C-substates=0.0.0.0.0, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) II Dual-Core M300, 2000.03 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,3DNOWP,OSVW,IBS,SKINI
T,ITSC
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully
associative
cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully
associative
cpu1: AMD erratum 721 detected and fixed
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-9
acpihpet0 at acpi0: 14318180 Hz
acpi0: unable to load \\_SB_.PCI0._INI.EXH2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PB2_)
acpiprt2 at acpi0: bus -1 (PB3_)
acpiprt3 at acpi0: bus 3 (PB4_)
acpiprt4 at acpi0: bus -1 (PB5_)
acpiprt5 at acpi0: bus 9 (PB6_)
acpiprt6 at acpi0: bus -1 (PB7_)
acpiprt7 at acpi0: bus -1 (PB9_)
acpiprt8 at acpi0: bus -1 (PB10)
acpiprt9 at acpi0: bus 10 (P2P_)
acpiprt10 at acpi0: bus 1 (AGP_)
acpiec0 at acpi0
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpitz0 at acpi0: critical temperature is 95 degC
acpitz1 at acpi0: critical temperature is 95 degC
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpibtn2 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model "AS09A61" serial  4548 type LION oem "494453"
acpiac0 at acpi0: AC unit online
acpivideo0 at acpi0: VGA_
acpivideo1 at acpi0: VGA_
acpivout0 at acpivideo1: LCD_
cpu0: 2000 MHz: speeds: 2000 1400 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD RS880 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 vendor "Acer", unknown product 0x9602 rev 0x00
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 5 function 0 "ATI Mobility Radeon HD 4200" rev 0x00
drm0 at radeondrm0
radeondrm0: apic 2 int 18
azalia0 at pci1 dev 5 function 1 "ATI Radeon HD 4200 HD Audio" rev 0x00: msi
azalia0: no supported codecs
ppb1 at pci0 dev 4 function 0 "AMD RS780 PCIE" rev 0x0

Lost battery and A/C info on March 26 snapshot

2014-03-27 Thread Jason Crawford
Upgrading from March 25 snapshot to March 26 snapshot caused me to lose
status on the battery and A/C for my laptop. Dmesg's are below,
acpidump from both snapshots are attached. If there's any other needed
info please let me know and I'll get that when possible.



OpenBSD 5.5-current (GENERIC.MP) #25: Tue Mar 25 15:40:38 MDT 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4209770496 (4014MB)
avail mem = 4088979456 (3899MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdbeda000 (35 entries)
bios0: vendor Phoenix Technologies LTD version "V1.04" date 10/22/2009
bios0: Gateway NV53
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC SSDT APIC MCFG HPET
acpi0: wakeup devices LID0(S3) SLPB(S3) PB2_(S4) PB3_(S4) PB4_(S4)
PB5_(S4) PB6_(S4) PB7_(S4) PB9_(S4) PB10(S4) OHC0(S3) OHC1(S3) OHC2(S3)
OHC3(S3) OHC4(S3) EHC0(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) II Dual-Core M300, 2000.93 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,3DNOWP,OSVW,IBS,SKINIT,ITSC
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully
associative
cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully
associative
cpu0: AMD erratum 721 detected and fixed
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64, C-substates=0.0.0.0.0, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) II Dual-Core M300, 2000.04 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,3DNOWP,OSVW,IBS,SKINIT,ITSC
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully
associative
cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully
associative
cpu1: AMD erratum 721 detected and fixed
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-9
acpihpet0 at acpi0: 14318180 Hz
acpi0: unable to load \\_SB_.PCI0._INI.EXH2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PB2_)
acpiprt2 at acpi0: bus -1 (PB3_)
acpiprt3 at acpi0: bus 3 (PB4_)
acpiprt4 at acpi0: bus -1 (PB5_)
acpiprt5 at acpi0: bus 9 (PB6_)
acpiprt6 at acpi0: bus -1 (PB7_)
acpiprt7 at acpi0: bus -1 (PB9_)
acpiprt8 at acpi0: bus -1 (PB10)
acpiprt9 at acpi0: bus 10 (P2P_)
acpiprt10 at acpi0: bus 1 (AGP_)
acpiec0 at acpi0
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpitz0 at acpi0: critical temperature is 95 degC
acpitz1 at acpi0: critical temperature is 95 degC
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpibtn2 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model "AS09A61" serial  4548 type LION oem "494453"
acpiac0 at acpi0: AC unit online
acpivideo0 at acpi0: VGA_
acpivideo1 at acpi0: VGA_
acpivout0 at acpivideo1: LCD_
cpu0: 2000 MHz: speeds: 2000 1400 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD RS880 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 vendor "Acer", unknown product 0x9602 rev 0x00
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 5 function 0 "ATI Mobility Radeon HD 4200" rev 0x00
drm0 at radeondrm0
radeondrm0: apic 2 int 18
azalia0 at pci1 dev 5 function 1 "ATI Radeon HD 4200 HD Audio" rev 0x00: msi
azalia0: no supported codecs
ppb1 at pci0 dev 4 function 0 "AMD RS780 PCIE" rev 0x00: msi
pci2 at ppb1 bus 3
bge0 at pci2 dev 0 function 0 "Broadcom BCM5784" rev 0x10, BCM5784 A1
(0x5784100): msi, address 00:26:2d:6f:6b:e2
brgphy0 at bge0 phy 1: BCM5784 10/100/1000baseT PHY, rev. 4
ppb2 at pci0 dev 6 function 0 "AMD RS780 PCIE" rev 0x00: msi
pci3 at ppb2 bus 9
athn0 at pci3 dev 0 function 0 "Atheros AR9281" rev 0x01: apic 2 int 18
athn0: AR9280 rev 2 (2T2R), ROM rev 22, address 70:1a:04:80:80:93
ahci0 at pci0 dev 17 function 0 "ATI SBx00 SATA" rev 0x00: apic 2 int
22, AHCI 1.1
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI3
0/direct fixed naa.5000cca59ec6ae72
sd0: 476940MB, 512 bytes/sector, 976773168 sectors
cd0 at scsibus0 targ 1 lun 0:  ATAPI
5/cdrom removable
ohci0 at pci0 dev 18 function 0 "ATI SB700 USB" rev 0x00: apic 2 int 16,
version 1.0, legacy support
ohci1 at pci0 dev 18 function 1 "ATI SB700 USB" rev 0x00: apic 2 int 16,
version 1.0, legacy support
ehci0 at pci0 dev 18 function 2 "ATI SB700 USB2" rev 0x00: apic 2 int 17
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
o

Re: Something similar to Soekris boards, for server applications

2011-11-30 Thread Jason Crawford
On 11/30/11 11:27, Sime Ramov wrote:
> Hello, I am looking for something in the spirit of Soekris boards, but
> more suited for server applications, e.g. for hosting Django apps.
> 
> Current net6501 is maxed out at 2 GB of RAM and 1.6 Ghz *single-core*
> (two threads) atom.
> 
> The reason I am considering Soekris is because dedicated servers are
> often underused and idling. Few GB of memory, anemic processor and SSD
> gets one a surprisingly long way, especially with properly chosen stack
> and caching.
> 
> So the general idea is: one Django app = one Soekris board. This is much
> better than virtualization (bare metal forever) or putting more apps on
> a big server.
> 
> Some apps would run great on this, but a more powerful CPU and more
> memory would be needed for more demanding workloads.
> 
> Any recommendations for similar, but a bit more powerful and versatile
> hardware (think one app = one hardware device)? Thanks.
> 

Maybe look at this:

http://www.newegg.com/Product/Product.aspx?Item=N82E16816101364

It's cheaper, has twice the RAM, 6 SATA ports, 1.8GHz Atom dual core.
Oh, and rackmount case.

--
Jason



Re: Donations

2010-12-07 Thread Jason Crawford
Which sucks because I was very pro-Swedish women! Damn it all to hell...
On Dec 7, 2010 5:19 PM, "Clint Pachl"  wrote:
> Jason Crawford wrote:
>> Better add Visa to the list as well
>>
>
> And Swiss banks and Swedish women. :-)



Re: Donations

2010-12-07 Thread Jason Crawford
Better add Visa to the list as well

http://www.salon.com/news/feature/2010/12/07/wikileaks_17/

On Sat, Dec 4, 2010 at 10:25 PM, Theo de Raadt 
wrote:
> In the future, if people can show preference for the non-Paypal
> transaction methods when they donate, we would appreciate that over
> Paypal.
>
> Since the project's hackathons (and many other things) are very much
> funded by donations, it is hard for us to fully disassociate
> completely from Paypal.  However we can ask and recommend that people
> pass less money through them.
>
> If you don't know why I am sending this mail.. you are reading US
> managed news, and need to be much much more informed
>
> Thanks.



Re: Stopped at pf_test_rule+0xa87

2009-12-02 Thread Jason Crawford
On Tue, Dec 1, 2009 at 1:25 PM, Brynet  wrote:
> Jason Crawford wrote:
>> I subscribe to 
>> http://flirble.disruptiveproactivity.com/rss/openbsd_stable_src.rss
>> and that picked up the change to stable in question. That site also
>> offers feeds for changes to ports -stable
>> http://flirble.disruptiveproactivity.com/rss/openbsd_stable_ports.rss
>
> That was the RSS feed I was talking about, it does NOT mention this
> change at all.
>
> -Bryan.
>
>

Then you need a better rss reader, as I am staring at the change right
now, sent to me via that exact rss feed. Maybe Google Reader has the
elusive crystal ball that so many users here assume the devs have.

--
Jason



Re: Stopped at pf_test_rule+0xa87

2009-12-01 Thread Jason Crawford
I subscribe to 
http://flirble.disruptiveproactivity.com/rss/openbsd_stable_src.rss
and that picked up the change to stable in question. That site also
offers feeds for changes to ports -stable
http://flirble.disruptiveproactivity.com/rss/openbsd_stable_ports.rss

On Tue, Dec 1, 2009 at 11:49 AM, Brynet  wrote:
> Hi,
>
> Here is the change that Henning made to pf in -STABLE, I wasn't even
> aware of it.
>
> http://marc.info/?l=openbsd-cvs&m=124955744915786&w=2
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.655.4.1;r2=1.655;only_with_tag=OPENBSD_4_6
>
> Would it be possible to track commits to -STABLE? a few RSS feeds exist
> but none of them appeared to have noticed this one.
>
> Thanks,
>
> @Alastair, you should at least be following errata.
> http://www.openbsd.org/errata46.html
>
> -Bryan.



Re: gcc to 4.1 openbsd

2009-09-02 Thread Jason Crawford
On Mon, Aug 17, 2009 at 5:20 PM, Yamidt Henao wrote:
> Hi,
>
> where I find the gcc version for OpenBSD 4.1.
>
> Best Regards,
>
> Y.H
>
>

http://www.openbsd.org/41.html

--
Jason



Re: Parallel build in ports - make -j4

2009-03-22 Thread Jason Crawford
On Sun, Mar 22, 2009 at 2:34 PM, Pedro de Oliveira  wrote:
> Hello,
>
> I was wondering if there's any way to use make -j4 when building ports from
> source? Any obscure option on mk.conf?
>
> Currently if I run on a port, for example: make -j4 install it just uses one
> thread on the makefile of the port.
>
> Is there any way to pass the "-j4" option to make command inside the port?
>
>

My guess is you want to use the MAKE_JOBS environment variable. Take a
look in bsd.port.mk

-- 
Jason



Re: Longest Uptime?

2008-10-28 Thread Jason Crawford
On Tue, Oct 28, 2008 at 8:54 PM, new_guy <[EMAIL PROTECTED]> wrote:
> I know. Longest uptime is silly, macho, pointless stuff... but I ran across
> an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The
> only reason it was not an open mail relay is that /var was full. So, I
> thought to myself, "I bet I could run an OpenBSD box for that amount of time
> or longer without getting hacked and without doing much to it." Just
> wondering what's the longest OpenBSD uptime some folks on misc have seen?
>
> Thanks
> --
> View this message in context: 
> http://www.nabble.com/Longest-Uptime--tp20219082p20219082.html
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
>
>

Hmm, yeah sure I'll bite. The longest I've seen that I still have a
record of (screen shot of the uptime command) was a machine I
installed as a firewall for a very important mail server. Please note,
I was not in charge of maintaining it, otherwise it would not have
reached this uptime, but it was over two years. As far as I could tell
(I got onto the box once in a blue moon) it was not hacked, but seeing
as all it did was run pf, and only allowed ssh from 2 IP addresses
(both I controlled, and were firewalled themselves), that doesn't seem
extraordinary. I will type out the uptime/uname command as in the
picture:

$ uptime
10:54AM  up 745 days, 22:36, 0 users, load averages: 0.13, 0.09, 0.08
$ uname -a
OpenBSD bassfishing 3.1 GENERIC#0 i386
$

As far as uptimes I don't have records of, a friend of mine has worked
on old systems that weren't rebooted because they were afraid it would
not boot back up again. One of them pre-internet, I believe it did
some financial stuff. However, no proof there.

-- 
Jason



Re: Update release 3.8 on AMD64 with a “fix” for the recent “DNS cache poisoning” vulnerability?

2008-07-30 Thread Jason Crawford
On Wed, Jul 30, 2008 at 2:43 PM, skogzort <[EMAIL PROTECTED]> wrote:
> Hello,
> I'm trying to protect our DNS server from the vulnerability referred to in:
> CVE-2008-1447 and US-Cert Vulnerability Note VU#800113. I see that there is a
> patch for BIND in 4.2 and 4.3 that addresses this vulnerability, but not for
> 3.8.
> I have inherited an Open BSD DNS server that provides external DNS for our web
> server and serves NTP for our infrastructure. I don't know UNIX or Open BSD.
> I'm reading through the Open BSD website and asking questions on the mailing
> lists to try and get an overview of what I need to do to upgrade/update/patch
> this server.
> It was suggested to me that I may have to “manually merge the patch”, but
> I can't find any instructions for that. I know that if I could upgrade our
> release to 4.2 or 4.3 then I could follow the instructions in the patch
> itself, but I wonder if that would be more work and potential for mistakes
> than necessary. I was also told to use “ports”, but I read that using
> ports was only for people who have experience with Open BSD and beginners were
> not allowed to ask questions in mailing lists about using ports.
> What do you think: manually merge the patch, upgrade to 4.2 or 4.3 and apply,
> or use "ports"?
> My inexperience is a factor, I am looking for the shortest steps (so there
> will be less chance for error) that will still allow for a quick revert,
> should the “fix” fail.
> Thanks again to everyone who helped with my last question and who may help
> with this. I really appreciate your time and opinions.
> Kyle
>

The shortest step that is officially supported by OpenBSD would be
upgrade to 4.3, then recompile /usr/src/usr.sbin/bind after
patching/cvs'ing the source code. It might be possible to backport the
patches, but that is not something for the inexperienced/lighthearted.

-- 
Jason



Re: How can the bootprompt be removed from the bootloader on an amd64 system?

2008-07-02 Thread Jason Crawford
On Wed, Jul 2, 2008 at 6:36 PM, Jon <[EMAIL PROTECTED]> wrote:
> I would like the bootloader to accept no user input and do nothing but
> load the kernel.

man boot.conf
look for timeout



Re: ssh_config, chroot, or user rights to restrict user access?

2008-02-20 Thread Jason Crawford
On Wed, Feb 20, 2008 at 2:02 PM, LeRoy, Ted <[EMAIL PROTECTED]> wrote:
> I'm taking a class on system security.  We're in teams and we have to
> allow attacking teams ssh access to our devices.
>
> I'd like to limit the user account access for the other groups,
> permitting them a shell and a few commands, but no ability to browse the
> box or do things like cat or cp /etc/passwd.
>
> I'm running OpenBSD 4.2 on the server they'll be attacking.  I'm an
> OpenBSD noob.  Learning under fire.
>
> If someone can help me figure out whether using ssh_config, chroot, or
> just using permissions will be the easiest, most effective way to go
> about it, and how to proceed, it will be much appreciated.  Alternatives
> would be great too.
>

The easiest way is to upgrade to -current, as openssh in -current has
the ChrootDirectory option in sshd_config now. Look at:
http://undeadly.org/cgi?action=article&sid=20080220110039&mode=expanded&count=5
for more details.



Re: How to specify 256bit AES keys in Automatic Keying mode for ipsecctl

2008-02-07 Thread Jason Crawford
On Feb 7, 2008 11:09 AM, Christian Weisgerber <[EMAIL PROTECTED]> wrote:
> Jason Crawford <[EMAIL PROTECTED]> wrote:
>
> > While I was reading through the man pages for ipsec.conf and
> > ipsecctl, I noticed that for automatic keying there is no way to
> > specify any type of key size. I was wondering if anyone know of a way
> > to do that, because I am very interested in setting up strong crypto
> > ipsec tunnels using AES with 256bit keys,
>
> You currently can't do this.
> Somebody sent a patch for isakmpd to tech@ as a first step towards
> adding AES-192 and AES-256 support in ipsecctl, but that hasn't
> been picked up yet.
>

The person who posted that patch has gotten back to me in private. I
currently do not have a test bed for this, but I will see what I can
do in the future as I would love to see this committed.



How to specify 256bit AES keys in Automatic Keying mode for ipsecctl

2008-02-06 Thread Jason Crawford
Hello Misc,
While I was reading through the man pages for ipsec.conf and
ipsecctl, I noticed that for automatic keying there is no way to
specify any type of key size. I was wondering if anyone know of a way
to do that, because I am very interested in setting up strong crypto
ipsec tunnels using AES with 256bit keys, and ipsec.conf says AES only
uses 128bit keys. I'm sure it can be done in Manual Keying mode, as
I've used blowfish up to 448bit keys in manual mode, however I would
really like to use Automatic Keying mode in a future installation I am
planning.



Re: wireless support with OpenBSD vmware guest

2007-06-19 Thread Jason Crawford

On 6/18/07, Juan Miscaro <[EMAIL PROTECTED]> wrote:

Hi gang,

I would like to run VMware on Linux and use OpenBSD as a VM to act as
my Internet gateway (pf, postfix, spamfilter).  I will have another
Linux VM or two that will act as fileserver and lan services.  I would
like to provide internet access to my lan using wireless protocols.  Is
this possible?  That is, will I be able to use a wireless network card
with an OpenBSD VM?

   Juan


As long as you only use USB Wireless cards, I see no reason why you
couldn't do this, as you can hand off USB devices directly to vmware
(I've used USB stuff in VMware all the time). However, I DON'T think
you should set up your network this way, as you've basically ruined
any real security. But, it should be possible.

Jason



Re: cvsync broken?

2007-05-10 Thread Jason Crawford

On 5/10/07, Claus Assmann <[EMAIL PROTECTED]> wrote:

On Thu, May 10, 2007, Hannah Schroeter wrote:

> Just trying to cvsync my stuff. And it wants to remove quite much:

> hostname cvsync.de.openbsd.org

same problem with
  anoncvs1.usa.openbsd.org
and
  anoncvs3.usa.openbsd.org


I talked with Todd Miller about this (anoncvs3 specifically) and he
said it is a problem with the upstream mirror that appears to be fixed
now (my cvsup server doesn't delete stuff anymore).

Jason



Re: rmoption INET6

2007-03-28 Thread Jason Crawford

On 3/28/07, John Brahy <[EMAIL PROTECTED]> wrote:

So if I use GENERIC and then disable ipv6 is that a safe thing to do? In
light of the recent security issue and since I don't use ipv6 I thought it
would make the system more secure, but I definitely don't want to make it
unstable.



If you follow stable, your system will be patched and no longer
vulnerable. If you REALLY want to disable IPv6, enable pf, and put:
block in quick inet6
That was even recommended as the workaround for the latest IPv6 issue,
and would fix any future issues.

Jason



Re: Daylight savings fix with OpenNTPD

2007-03-21 Thread Jason Crawford

If you set /etc/localtime to /usr/share/zoneinfo/US/Eastern, it'll
automatically switch between EST and EDT.

On 3/21/07, Dan Farrell <[EMAIL PROTECTED]> wrote:

I'm using the EST timezone (as reported in 'date') and yet I'm still an
hour behind... much like you...

NTPD is running and syncing up with pool.ntp.org.

And in looking further Bob's right (as usual)... I'm not using the
correct timezone setting.

I had to change that to the 'correct' EST setting...

zic -l EST5EDT


Perhaps you need to do something similar? I got this from-

http://archives.neohapsis.com/archives/openbsd/2005-08/0756.html


danno

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Bob Beck
Sent: Tuesday, March 20, 2007 3:44 PM
To: Bray Mailloux
Cc: misc@openbsd.org
Subject: Re: Daylight savings fix with OpenNTPD

* Bray Mailloux <[EMAIL PROTECTED]> [2007-03-20 13:33]:
> Have a patch been issued?

Yes. see the errata page

> It might just be the time servers, but date is
> reporting 11:04:31 when it is 12:05.

It aint the time servers they report in UCT.

Your timezone is wrong

-Bob




Re: Groklaw artical about the BSD license

2007-01-16 Thread Jason Crawford

On 1/16/07, Vim Visual <[EMAIL PROTECTED]> wrote:

yes, the article is somehow misleading...

at this point I would like to ask another question here, in misc;
namely... how do you feel/ what do you think of big companies making
profit out of o'bsd or whatever bsd variant and not giving anything
back for that? Think of, for instance, the MacOSX case...
How would you feel like if o'bsd had another kind of license, "for
instance" a GPLv3 one?

just curious...



License flame war program initiatingNOW

seriously, please read the archives, especially these two:

http://marc.theaimsgroup.com/?l=openbsd-cvs&m=99118909527873&w=2
http://marc.theaimsgroup.com/?l=openbsd-tech&m=110809672612810&w=2

Jason



Re: {ftp3,anoncvs3}.usa.openbsd.org outage?

2006-11-14 Thread Jason Crawford

I talked with Todd earlier today, hard disk failure, he's currently
working on getting everything back up.

On 11/14/06, Ben Calvert <[EMAIL PROTECTED]> wrote:

plier.ucar.edu ( {ftp3,anoncvs3}.usa.openbsd.org ) has been down for the
last several days.  Does anyone know if this is a permanent or
temporary outage?

scanning the anoncvs mirror list at
http://www.openbsd.org/anoncvs.html#CVSROOT i notice that at least one
other mirror is pulling from anoncvs3.usa,

Thanks,

ben

-
"I think what we need to do is convince people who live in the lands
they live in to build the nations."

George W. Bush
October 11, 2000
Presidential Debate -- Winston-Salem, North Carolina.




Re: Fwd: Oldest Server you run

2006-10-16 Thread Jason Crawford

On 10/13/06, DoN. Nichols <[EMAIL PROTECTED]> wrote:

On 2006/10/12 at 05:04:10PM -0400, Jason Crawford wrote:

> And I meant to send this to the whole list

A nuisance, having the "From: " set to the individual poster,
not the list, isn't it?


[ ... ]

> Oldest machine I had running (until I moved to an apartment that
> can't accommodate more than a couple machines) was a sparc station2 at
> 40MHz and 32MB ram with two 512MB hard drives. Didn't have an onboard
> nic,

Huh?  I though that the SS-2 had an AUI connector, so all
you need is an external transceiver, not a NIC.  I've used them with
Thicknet, Thinnet, and 10BaseT at various times.


Yes you are right. It's been a little while since I've pulled that
machine out, but all it needed was an external transceiver. Hopefully
I'll be able to dust it off at some point in the near future and see
if it runs 4.0 well.



>  but I put one on it and it was my DNS server just fine with
> OpenBSD up to 3.7 or so until I moved, and as far as I know it should
> still work. I also run a friend's firewall on a p166 machine with 64MB
> of ram.

The oldest one which I am still running (at present) is an old
Sun LX -- running an older Solaris, but a planned changeover to OpenBSD.
Intended function is DNS server.

Enjoy,
DoN.

--
 Email:   <[EMAIL PROTECTED]>   | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
   --- Black Holes are where God is dividing by zero ---




Fwd: Oldest Server you run

2006-10-13 Thread Jason Crawford

And I meant to send this to the whole list

-- Forwarded message --
From: Jason Crawford <[EMAIL PROTECTED]>
Date: Oct 12, 2006 5:03 PM
Subject: Re: Oldest Server you run
To: Falk Husemann <[EMAIL PROTECTED]>


On 10/12/06, Falk Husemann <[EMAIL PROTECTED]> wrote:

Hello List!
We're trying to put an old server to good use again and would like to
know what's exactly the oldest machine running OpenBSD?


As machine we defined something with processor, ram, network, hard
disk and a connection to the internet. So no Newton or toaster (at
least not if there's no disk being toasted).


Thank you in advance,
Falk


Oldest machine I had running (until I moved to an apartment that
can't accommodate more than a couple machines) was a sparc station2 at
40MHz and 32MB ram with two 512MB hard drives. Didn't have an onboard
nic, but I put one on it and it was my DNS server just fine with
OpenBSD up to 3.7 or so until I moved, and as far as I know it should
still work. I also run a friend's firewall on a p166 machine with 64MB
of ram.

Jason



Re: license for getopt.c?

2006-05-31 Thread Jason Crawford

On 5/31/06, Ted Unangst <[EMAIL PROTECTED]> wrote:

On 5/31/06, Will H. Backman <[EMAIL PROTECTED]> wrote:
> While wandering through the usr.bin source tree (not to imply that I am
> qualified to take the journey), I noticed that getopt.c doesn't have a
> license clause in it.
> Anyone know who "david" might be?
>$OpenBSD: getopt.c,v 1.6 2003/07/10 00:06:51 david Exp $

it would be helpful if you mentioned *which* getopt.c.  the one in
libc (before it was deleted) certainly did have a license.  i also
doubt david wrote the file in question if that's why you're asking.


Well he mentioned the usr.bin source tree, and there is only one
getopt.c file in usr.bin source tree. And he mentioned david because
he's the last one to edit the file according to the $OpenBSD$ RCS Id.
If I recall correctly, not having a license means full Copyright law
is in effect, which means no copying allowed, however getopt.c in
/usr/src/usr.bin/getopt/ doesn't seem to have much of anything except
a call to getopt(3).

Jason



Re: dd problem

2006-05-31 Thread Jason Crawford

1) stat(2), the st_blksize field in the stat struct
2) no, because it's the device, not dd, that's not letting it work.
CD-ROMS only want to output 2K of data at a time, so if you request
less than that, they just won't do it. Generally though, most devices
will output less than st_blksize, but it'll just go damn slow.

Jason

On 5/31/06, akonsu <[EMAIL PROTECTED]> wrote:

 thanks everybody.

1. how do i determine the corect block size for a device?
2. is the fact that dd does not work without any bs parameter a bug and
should be reported?

thanks
konstantin

try
>dd if=/dev/rcd0c of=disk.iso bs=32k
>
> note the "rcd0c" instead of "cd0a".  The 'a' vs. 'c' doesn't (seem to)
> matter, I just philosophically prefer the 'c' implying entire disk,
> rather than just one partition.  The "raw" mode of access makes a lot of
> difference here.
>
> I put the "bs=32k" in there for a bit of additional performance, but it
> turns out that without the "bs=" line, it didn't work at all.  After a
> little thought (and testing), I remembered that on most modern
> platforms, CDROM drives have a 2k block size, so apparently dd has
> trouble moving 512 bytes at a time out of CDROM drives.  I confirmed
> that "bs=2k" worked, "bs=1k" does not, so I might possibly be not
> totally wrong on that.  "bs=32k" seemed to go about twice as fast as
> "bs=2k".
>
> Well, I learned something. :)
>
> Nick.




Re: clamav-0.88.2

2006-05-26 Thread Jason Crawford

Well it appears that stable packages haven't been completely updated on
the ftp sites. I would then suggest you grab the stable ports tree and
install via that method. This may not always be easy, but in the case
of a virus scanner, you probably want it to be updated as quick as
possible. I always try to have a build machine on any site that I run
OpenBSD on if possible (or my house if nowhere else), so I can build
stable releases for src and ports, and push it to a local ftp server
to do local ftp upgrades, makes my life a lot easier.

Jason

On 5/26/06, Peter Fraser <[EMAIL PROTECTED]> wrote:

I did check, I still have the output of my screen

I did an ftp to ftp.openbsd.org/pub/OpenBSD/3.0/packages/i386

And clamav-0.88.2 is still not listed there.

Clicking the clamav-0.88.2.tgz. i386 in
www.openbsd.org/pkg-statble.html in firefox give 550 Failed to change
director

I suppose that someone, not me has a caching proxy, that giving me
trouble
if other people can find the package


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Jason Crawford
Sent: Friday, May 26, 2006 2:41 PM
To: Peter Fraser
Cc: misc@openbsd.org
Subject: Re: clamav-0.88.2

On 5/26/06, Peter Fraser <[EMAIL PROTECTED]> wrote:
> 3.8 had clamav-088.2 and 3.9 only has clamav-088
> Is there going to be (soon) and update to the 3.9
> packages for clamav ?

According to http://www.openbsd.org/pkg-stable.html 3.9 does have
clamav-0.88.2 in its packages. And my spam/virus email filter runs
3.9-stable with clamav-0.88.2. Check the site next time.

Jason




Re: clamav-0.88.2

2006-05-26 Thread Jason Crawford

It's on cvs, I don't think they update the src and ports tar files on
the ftp site with stable cvs updates.

Jason

On 5/26/06, Peter Fraser <[EMAIL PROTECTED]> wrote:

I just pulled down ftp.openbsd.org/pub/OpenBSD/3.9/ports.tar.gz

and it too contains only clamav-0.88 not clamav-0.88.2


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Peter Fraser
Sent: Friday, May 26, 2006 2:57 PM
To: misc@openbsd.org
Subject: Re: clamav-0.88.2

I did check, I still have the output of my screen

I did an ftp to ftp.openbsd.org/pub/OpenBSD/3.0/packages/i386

And clamav-0.88.2 is still not listed there.

Clicking the clamav-0.88.2.tgz. i386 in
www.openbsd.org/pkg-statble.html in firefox give 550 Failed to change
director

I suppose that someone, not me has a caching proxy, that giving me
trouble
if other people can find the package


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Jason Crawford
Sent: Friday, May 26, 2006 2:41 PM
To: Peter Fraser
Cc: misc@openbsd.org
Subject: Re: clamav-0.88.2

On 5/26/06, Peter Fraser <[EMAIL PROTECTED]> wrote:
> 3.8 had clamav-088.2 and 3.9 only has clamav-088
> Is there going to be (soon) and update to the 3.9
> packages for clamav ?

According to http://www.openbsd.org/pkg-stable.html 3.9 does have
clamav-0.88.2 in its packages. And my spam/virus email filter runs
3.9-stable with clamav-0.88.2. Check the site next time.

Jason




Re: clamav-0.88.2

2006-05-26 Thread Jason Crawford

On 5/26/06, Peter Fraser <[EMAIL PROTECTED]> wrote:

3.8 had clamav-088.2 and 3.9 only has clamav-088
Is there going to be (soon) and update to the 3.9
packages for clamav ?


According to http://www.openbsd.org/pkg-stable.html 3.9 does have
clamav-0.88.2 in its packages. And my spam/virus email filter runs
3.9-stable with clamav-0.88.2. Check the site next time.

Jason



Re: Static functions in C code

2006-05-26 Thread Jason Crawford

On 5/26/06, Diego Giagio <[EMAIL PROTECTED]> wrote:

On 5/25/06, Ted Unangst <[EMAIL PROTECTED]> wrote:
> how many parse_config functions do you think spamd needs?

It was an example. The point is: is there a reason for not using
static on functions with internal linkage? There's at least one reason
to use static: name clashes.


And Marco was explaining why he (and probably other OpenBSD devs)
don't use static: name clashes. static makes things more difficult to
debug, and having 50 different static functions named the same thing
could get pretty confusing in large projects.



Re: keeping spamd's whitelist over a rebuild

2006-05-26 Thread Jason Crawford

On 5/26/06, Craig Hammond <[EMAIL PROTECTED]> wrote:

I am wanting up upgrade a 3.8 system to 3.9
I normally do this by backing up any data I need and doing a clean
install.

It's mainly the whitelisted entries I want to keep over the rebuild.
I figured out to extract them by going:
spamdb | grep WHITE | cut -d "|" -f 2 > ~/spamd-white

But i can't figure out how to load it back in.
spamdb -a   only lets you load one IP at a time.

Can I just grab a copy of /var/db/spamd, and then restore in on the
new system, or would that break something.



Why not just save the /var/db/spamd file on another computer, and copy
it back over before you start spamd on a fresh install? That's the db
file that stores your white/grey list.

Jason



Re: altq pf and interface group

2006-05-18 Thread Jason Crawford

On 5/18/06, holger glaess <[EMAIL PROTECTED]> wrote:

hi
i try to use an interface group name together with altq in my firewall config .

example
ifconfig bge0 group wan_if



altq on wan_if cbq bandwidth 100Mb queue { std, www, ssh, admin  }

if i try to activate this i got a syntax error from pfctl.

if i do the interface as macro and the altq line like this

altq on $wan_if cbq bandwidth 100Mb queue { std, www, ssh, admin  }
everything works perfect.

all other kinds rules works perfect with the interface group name
( rules , rdr , nat )

it is an bug ?


Unless things have changed that I haven't noticed (and I try to follow
pf development closely), no altq is not supported on interface groups.
Here is the thread where I asked the same question back in August
2005, and Henning provided the answer:

http://marc.theaimsgroup.com/?t=11242975202&r=1&w=2&n=4



Re: Laptop recommendations

2006-05-11 Thread Jason Crawford

On 5/11/06, rjn <[EMAIL PROTECTED]> wrote:

Hi all,

I'm looking into getting a new laptop (I start college in the fall).
In particular, I'm looking for something OpenBSD compatible.  I
considering either a Lenovo Thinkpad or the MacBook Pro.  From what
I've seen you can only boot the macbook pro if you have windows
installed.

I'm wondering if anybody has experience with the new Lenovo models and
the macbook pro?

Thanks,
RJ


The "official" page for compatible laptops can be found here:
http://www.openbsd.org/i386-laptop.html



Re: Anyone Interested in Programmable AMD Coprocessors?

2006-04-23 Thread Jason Crawford
On 4/23/06, Falk Husemann <[EMAIL PROTECTED]> wrote:
> I (maybe like you) just read the corresponding article on TheRegister
> ().
>
> I'd bet it wont make it to mainstream if compilers don't support it.
>
> What do you think?

I think FPGA's are about to hit mainstream. Take a look at the CELL
processor (and PS3). That processor is f'ing sweet, and you can
already buy IBM servers with it in there. Basically, it's a Power5
based CPU that controls 8 FPGA's, and is extremely fast, 4.0GHz is
about 256GFLOPS.

Jason



Re: anoncvs + OPENBSD_3_9_BASE

2006-03-23 Thread Jason Crawford
On 3/23/06, Bob Bostwick (Lists) <[EMAIL PROTECTED]> wrote:
> Is that why /snapshots/packages/i386/ is not available?  I'm probably
> going to get yelled at for asking this, but I really don't know the
> answer.  I just upgraded to -current, if I can't use
> /snapshots/packages/i386/ for installing packages, where should I
> install from?  Yes I ordered a 3.9 CD, but would like to use this system
> before the release.  Do I have to re-install 3.8?  Yes I am installing
> what I can from /usr/ports/xxx (yes I updated that too) but some things
> I want are not in there...

This has been beaten to death in other threads. The developers are
busy making sure that OpenBSD 3.9 is going to be released on schedule,
and don't really have that much time to spend on snapshots (right
now). If you really want to follow current, try getting the current
ports tree and compiling the packages yourself until the packages dir
is back in the snapshots dir.

Jason



Re: IDS solution

2006-03-21 Thread Jason Crawford
On 3/21/06, Hutger H. <[EMAIL PROTECTED]> wrote:
> Hi folks,
>
> I've been looking for a consolidated IDS solution that I can deploy in
> my network. Snort is really a good option but currently it seems that
> they are charging for updates, it that true? I'd like to find out a free
> of charge Linux, or BSD, solution that can works as good as snort works
> and, rather with some successful deployment cases.
>
> Any ideas?

Well as far as charging for updates goes, that's only for rulesets I
believe. Basically, the rules that you get with the snort tar ball are
all you get, if you want updates to them you gotta pay. But later
versions of snort are free, so upgrading from 2.4.3 to 2.4.4 is free,
just not the extra snort rules. And even then, only the SourceFire VRT
Certified Rules cost money (for subscriptions and redistribution
rights I believe), a community driven rule group is still free,
however they don't "Guarantee" the rules. If I were you, I'd stick
with snort, you'll be hard pressed to find a free NIDS that is as
robust, and I speak from experience, as I've setup some pretty damn
large and complex snort deployments for my work in the past.

Jason



Re: anoncvs + OPENBSD_3_9_BASE

2006-03-16 Thread Jason Crawford
On 3/15/06, Didier Wiroth <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I unsuccessfully tried to retrieve the OPENBSD_3_9_BASE via anoncvs.
> At this time, is this tag blocked/denied until the official release or is it 
> possible to download them?

I run my own anoncvs mirror that syncs against
anoncvs3.usa.openbsd.org, and my tree got the 3.9 tag just fine
(OPENBSD_3_9). So maybe try that mirror instead.

Jason



Re: SGI's

2006-03-11 Thread Jason Crawford
On 3/11/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> On Sat, 11 Mar 2006 11:51:24 -0500, "Jason Crawford"
> <[EMAIL PROTECTED]> wrote:
>
> >I am soon going to be getting an Octane with dual R12000SC CPUs. I was
> >wondering how well OpenBSD would work on this computer (I am pretty
> >sure there isn't SMP support on the SGI stuff yet) and how much help
> >is needed in getting the SGI port to work even better.
> >
> >Jason
>
> Hi Jason,
>
> Octane support is a "planned project" but currently there is no support
> for Octane as far as I know.
>
> The only currently supported model is the SGI O2. The "little blue
> toaster" O2 systems are a lot of fun and amazingly quick when they have
> lots of RAM. When you stuff them full of RAM, they just scream, moreso
> than any other arch I've used.
>
> I've got a few O2 systems over here but I haven't touched the for months
> and haven't used them with OpenBSD since 3.6/3.7. Even with the earlier
> OpenBSD releases, once you get past the SGI-isms, they work very well.

Well on the OpenBSD sgi page, it says that the R12000 CPUs are
supported. Is it some other piece of hardware like disk controller or
something that prevents OpenBSD from running on an Octane?

Jason



Re: SGI's

2006-03-11 Thread Jason Crawford
On 3/11/06, Roger Neth Jr <[EMAIL PROTECTED]> wrote:
> On 3/11/06, Jason Crawford <[EMAIL PROTECTED]> wrote:
> > I am soon going to be getting an Octane with dual R12000SC CPUs. I was
> > wondering how well OpenBSD would work on this computer (I am pretty
> > sure there isn't SMP support on the SGI stuff yet) and how much help
> > is needed in getting the SGI port to work even better.
> >
> > Jason
> >
> >
>
> Hello, I setup an SGI 02 with 3.8 last year and runs without a
> problem. The only problem I had was understanding the SGI boot methods
> and partitions. Once I understood that no problem.
>
> As far as I know there isn't any X yet and I connect serially. I think
> X is being worked on.

Serial would be best for me, the SGI monitor I have is like 21+
inches. I am pretty excited about trying this out, mips is one of the
archs I don't have much experience with yet (some basic IRIX admin
before, but that's it), so when I found one I thought I'd add it to my
already somewhat large personal collection of different archs. I just
wish I had a second one I could donate to the OpenBSD guys (SMP
support would kick ass).

Jason



SGI's

2006-03-11 Thread Jason Crawford
I am soon going to be getting an Octane with dual R12000SC CPUs. I was
wondering how well OpenBSD would work on this computer (I am pretty
sure there isn't SMP support on the SGI stuff yet) and how much help
is needed in getting the SGI port to work even better.

Jason



Re: Sun Ultra 1 and Ultra 5

2006-03-03 Thread Jason Crawford
On 3/3/06, Matthew Weigel <[EMAIL PROTECTED]> wrote:
> Jason Crawford wrote:
>
> > there, sorry. But as far as getting serial console to work, all you
> > have to do is make sure that a keyboard and monitor are NOT plugged
>
> Actually, just the keyboard has to be unplugged. :-)

Cool since I sold my U5 and I don't have a Sun monitor for my U1, I
could never confirm whether the monitor had to be plugged in or not,
but I figured better safe than sorry. Thanks for confirming.

Jason



Re: Sun Ultra 1 and Ultra 5

2006-03-03 Thread Jason Crawford
On 3/3/06, Gustavo Rios <[EMAIL PROTECTED]> wrote:
> Hey folks,
>
> i have an sun workstation in hand and had never had a previous
> experience with sun hardare before. I would like redirect console to
> serial port. These machine are very old, and hardware documentation
> has been lost. It has a serial port, doesn't it?
>
> I was trying to get X working, but no lucky. Does anybody have openbsd
> 3.8 running on such hardware? Could you send your xorg.conf file?

I've run OpenBSD on both, however never with X so I can't help you
there, sorry. But as far as getting serial console to work, all you
have to do is make sure that a keyboard and monitor are NOT plugged
into the back, and a null-modem cable plugged into the serial port A,
and when you boot the box, it'll just work. The great thing about sun
boxes is the serial support, it "Just Works".

Jason



Re: xargs PF or BPF

2006-02-13 Thread Jason Crawford
On 2/13/06, Andrew Pinski <[EMAIL PROTECTED]> wrote:
>
> On Feb 13, 2006, at 10:00 PM, Jason Crawford wrote:
> >>
> >> Time to write your own program in C instead if the time to invoke
> >> rm is taking too much time.
> >
> > No point, xargs does what I need it to do, and is much more efficient
> > than having find execute rm itself. The fewer times you call execve(2)
> > the better.
>
>
> One execve is enough? Then rewriting the script into C will save
> all execve.  Do you think rm(1) does anything special,
> other than remove(3)?

You misunderstand. find calls execve(2) for every file it finds
matching the criteria, whereas xargs will only execve(2) once either
the pipe is closed or it hits the max args. That's A LOT fewer
execve(2) calls. And rm calls unlink(2), as remove(3) would waste even
more resources.

Jason
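
The execve(2) counts this thread argues about, and the filename-splitting problem that `-print0` / `xargs -0` exist to solve, as an added example that is not part of the original messages. The sample tree, the decoy files and the `counting_rm` wrapper are constructed for illustration; `-exec ... {} +` and `xargs -n` are standard options the thread itself does not mention.

```shell
#!/bin/sh
# Added example: everything happens in a throwaway mktemp directory.

# setup WORK: build a constructed sample tree plus a stand-in for rm that
# appends one line to a log each time a process is started.
setup() {
    mkdir -p "$1/tree/sub dir" "$1/cwd"
    for i in 1 2 3 4 5; do : > "$1/tree/file$i.tmp"; done
    : > "$1/tree/with space.tmp"            # file name containing a space
    : > "$1/tree/sub dir/nested file.tmp"   # spaces in directory and file name
    # Decoys: unrelated files in the working directory whose names equal the
    # fragments produced when the two names above are split on whitespace.
    : > "$1/cwd/space.tmp"
    : > "$1/cwd/file.tmp"
    printf '#!/bin/sh\necho run >> "%s/exec.log"\nexec rm -f -- "$@"\n' "$1" \
        > "$1/counting_rm"
    chmod +x "$1/counting_rm"
}

# run_mode MODE: run one deletion strategy and print three numbers:
#   <processes started> <targets left in the tree> <decoys left in cwd>
run_mode() {
    work=$(mktemp -d) || return 1
    setup "$work"
    (
        cd "$work/cwd" || exit 1
        case $1 in
        exec-each)   # one process per file found
            find "$work/tree" -type f -name '*.tmp' \
                -exec "$work/counting_rm" {} \; ;;
        exec-plus)   # find batches the names itself
            find "$work/tree" -type f -name '*.tmp' \
                -exec "$work/counting_rm" {} + ;;
        xargs0)      # NUL-delimited names, batched by xargs
            find "$work/tree" -type f -name '*.tmp' -print0 |
                xargs -0 "$work/counting_rm" ;;
        xargs0-n3)   # force small batches to mimic hitting the argument limit
            find "$work/tree" -type f -name '*.tmp' -print0 |
                xargs -0 -n 3 "$work/counting_rm" ;;
        xargs-raw)   # whitespace-delimited: names with spaces are split
            find "$work/tree" -type f -name '*.tmp' |
                xargs "$work/counting_rm" ;;
        esac
    ) 2>/dev/null || true
    runs=$(wc -l < "$work/exec.log" | tr -d ' ')
    left=$(find "$work/tree" -type f -name '*.tmp' | wc -l | tr -d ' ')
    decoys=$(find "$work/cwd" -type f | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$runs $left $decoys"
}

# Stand-alone run: one result line per strategy.
for mode in exec-each exec-plus xargs0 xargs0-n3 xargs-raw; do
    printf '%-10s %s\n' "$mode" "$(run_mode "$mode")"
done
```

In the `xargs-raw` row the two targets with spaces survive while both decoys in the working directory are gone: the split fragments were treated as separate relative paths.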



Re: xargs PF or BPF

2006-02-13 Thread Jason Crawford
On 2/13/06, Andrew Pinski <[EMAIL PROTECTED]> wrote:
>
> On Feb 13, 2006, at 9:53 PM, Jason Crawford wrote:
>
> > On 2/13/06, Andrew Pinski <[EMAIL PROTECTED]> wrote:
> >> On Feb 13, 2006, at 9:24 PM, Damien Miller wrote:
> >>> Because that will fail when there are too many arguments, and will
> >>> probably break on filenames with spaces (use xargs -0 for these).
> >>
> >> Why not use -exec in find?
> >>
> >> find . -type f -name ttt -exec rm {} \;
> >
> > Because as stated many times on this list already (originally to
> > correct me), that will execute rm for each file, while piping to xargs
> > will only run rm once xargs stops getting input, or when it hits max
> > command line length, in which case it will execute another rm based on
> > input from the pipe.
>
> Time to write your own program in C instead if the time to invoke
> rm is taking too much time.

No point, xargs does what I need it to do, and is much more efficient
than having find execute rm itself. The fewer times you call execve(2)
the better.

Jason



Re: xargs PF or BPF

2006-02-13 Thread Jason Crawford
On 2/13/06, Andrew Pinski <[EMAIL PROTECTED]> wrote:
> On Feb 13, 2006, at 9:24 PM, Damien Miller wrote:
> > Because that will fail when there are too many arguments, and will
> > probably break on filenames with spaces (use xargs -0 for these).
>
> Why not use -exec in find?
>
> find . -type f -name ttt -exec rm {} \;

Because as stated many times on this list already (originally to
correct me), that will execute rm for each file, while piping to xargs
will only run rm once xargs stops getting input, or when it hits max
command line length, in which case it will execute another rm based on
input from the pipe.

Jason



Re: PF or BPF

2006-02-13 Thread Jason Crawford
On 2/13/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2006/02/13 17:28, Jason Crawford wrote:
> > Well in the case of /usr/src, I think you just MIGHT hit the maximum
> > argument length for the shell by using xargs
>
> I haven't seen xargs do the wrong thing here. Embedded spaces annoy,
> but that's what -print0 (to find) and -0 (to xargs) are for. I almost
> always use xargs here, to the extent I have to look up how to do a
> 'find -exec' most times that I want to use it.

I guess I'm used to older behavior I've seen on other non-OpenBSD
systems. Thanks for the corrections from everyone. Like someone has
previously stated, you learn something new from some of these threads
that were previously thought useless.

> > That and well, explaining xargs to Dave
> > will end up leading to another 20+ mail thread
>
> I think an actual utility that doesn't need programming skills to
> experiment with it might be easier than explaining Berkeley Packet
> Filter vs. Packet Filter. I know most of us know what BPF is,
> but googling around from a beginner's point of view I'm still not
> quite sure how I learnt about it.  There's a paper at
> http://www.tcpdump.org/papers/bpf-usenix93.pdf (section 2, 'the
> network tap', for example) but I know I haven't read that before.
>
> Learning xargs and find (not to mention regular expressions,
> shell syntax - for/while/..., and so on) are probably more useful
> to general sysadmin tasks than learning what BPF is, though..
> (even learning how to use tcpdump is probably more generally
> useful than learning about BPF - and let's pre-empt one possible
> path down that avenue: root being able to see certain passwords
> with 'tcpdump -s1500 -X' is not a security hole, it's just a
> demonstration of why some protocols should be buried).

He couldn't even figure out how to find the applications that use bpf,
so I think figuring out all the features in a utility might be out of
his grasp...

Jason



Re: PF or BPF

2006-02-13 Thread Jason Crawford
On 2/13/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2006/02/13 16:53, Jason Crawford wrote:
> > On 2/13/06, Matthias Kilian <[EMAIL PROTECTED]> wrote:
> > > On Mon, Feb 13, 2006 at 02:03:27PM -0700, Diana Eichert wrote:
> > > > find /usr/src -name "*.[c|h]" -exec grep 'bpf.h' /dev/null {} \;
> > >                            ^(a) ^(b)
> > >
> > > (a) I doubt there are any file names ending in a pipe symbol in /usr/src.
> > man ksh
>
> it's in quotes, this is handled by find, not the shell.

Right, my mistake.

> > > (b) piping to xargs(1) may be faster.
> > why?
>
> grep foo 1 2 3 4 5 6 7 ...
>
> vs.
>
> grep foo 1
> grep foo 2
> grep foo 3
> grep foo 4
> grep foo 5
> grep foo 6
> grep foo 7

Well in the case of /usr/src, I think you just MIGHT hit the maximum
argument length for the shell by using xargs, unless you did it inside
of each directory in /usr/src. That and well, explaining xargs to Dave
will end up leading to another 20+ mail thread

Jason



Re: PF or BPF

2006-02-13 Thread Jason Crawford
On 2/13/06, Matthias Kilian <[EMAIL PROTECTED]> wrote:
> On Mon, Feb 13, 2006 at 02:03:27PM -0700, Diana Eichert wrote:
> > find /usr/src -name "*.[c|h]" -exec grep 'bpf.h' /dev/null {} \;
>                            ^(a) ^(b)
>
> (a) I doubt there are any file names ending in a pipe symbol in /usr/src.
man ksh
> (b) piping to xargs(1) may be faster.
why?

Jason



Re: PF or BPF

2006-02-13 Thread Jason Crawford
On 2/13/06, Dave Feustel <[EMAIL PROTECTED]> wrote:
> On Monday 13 February 2006 14:52, Jason Crawford wrote:
> > You cannot learn all there is to know about bpf and how to effectively
> > use it in 10 minutes, so you, personally, do NOT need to use bpf at
> > all. It's what the other utilities like pf and tcpdump use to do what
> > they do. The utilities are nice user friendly wrappers to the bpf
> > interfaces, and someone with your experience (lack thereof?) should
> > probably not be touching bpf directly. bpf is very powerful and very
> > useful, but you really need to understand a lot more than what you
> > have grasped so far to use bpf effectively.
>
> Well, one thing is for certain, the caustic responders to this thread aren't 
> psychic.
>
> So let's try   a   r e a l   s i m p l e   q u e s t i o n :
>
> What OpenBSD programs use bpf.
>
> Please don't try to figure out why I am asking the question.
> Just answer it or go do something else that won't upset you.

You're right, none of the responders are psychic, which is why if you
don't include some information, the responses may be inaccurate.
Reading the man page (and some unix common sense) will easily answer
that for you. 1) you have all the source code 2) the man page says
what exact include file bpf has for its ioctl interface and 3) you
can use find and/or grep to search text files. It's really not hard,
just try to actually think. While you may get upset about this kind of
stuff, I have much better and more important things to worry about.
Trust me, nothing on an internet mailing list is that important to me.

Jason



Re: PF or BPF

2006-02-13 Thread Jason Crawford
On 2/13/06, Dave Feustel <[EMAIL PROTECTED]> wrote:
> On Monday 13 February 2006 13:51, dereck wrote:
> > This is getting ridiculous!  The guy said he was under
> > attack.(!)  What is the point of a _misc_ list anyway?
> >  He's not clogging the dev list!
> >
> > The responses here are totally out of line.  Haven't
> > any of you guys EVER had a desperate situation before?
>
> Dereck,
>
> Thanks for the support. However, my situation is not desperate.
> By refusing to answer a question to which he indicated he had an
> answer, Ted has left all of us hanging as to whether he *really*
> knows what the differences are between the capabilities of pf and bpf.
>  *I* could certainly not testify that Ted actually knows the answer to
> that question as he claims to. :-)

If he can code rthreads, I think it's pretty safe to say he
understands the differences between bpf and pf, those seem like some
really inflammatory remarks to me. If you bother to take some time to
read the manuals instead of expecting to be spoon fed the information
on the mailing list, then you'll learn a lot more, as well as not get
flamed by others on the list. Ted has much better things to do (like
make rthreads kick even more ass) than to answer silly questions by a
user who is too lazy to read.

>
> (BTW, I had read the bpf man page and, frankly, I couldn't make
> any sense out of it on first reading. I started getting a better idea
> of bpf by the time I started reading the freebsd bpf man page,
> but then I started wondering "why bother with bpf? How do I
> even use it?". It must have a useful purpose or it wouldn't be in OpenBSD.)

You cannot learn all there is to know about bpf and how to effectively
use it in 10 minutes, so you, personally, do NOT need to use bpf at
all. It's what the other utilities like pf and tcpdump use to do what
they do. The utilities are nice user friendly wrappers to the bpf
interfaces, and someone with your experience (lack thereof?) should
probably not be touching bpf directly. bpf is very powerful and very
useful, but you really need to understand a lot more than what you
have grasped so far to use bpf effectively.

Jason



Re: The Apache Question

2006-02-08 Thread Jason Crawford
On 2/8/06, Jason Crawford <[EMAIL PROTECTED]> wrote:
> On 2/7/06, Marcin Wilk <[EMAIL PROTECTED]> wrote:
> > Why change that
> > It is apache, but with some patches. But still it is apache (changing
> > name may be bad for future coders, that would like to make some
> > plugin for OpenBSD http server, & before they will start to make it,
> > they will have to learn, that httpd in OBSD is just apache 1.3).
> >
> > Besides i don't understand why so many people would like to change
> > current web server, when it's working fine & well & it is enough secure?
> > Is there any really nice argument besides the digit ?
> > I think no, so, why people always ask that
>
> I think the biggest argument for changing the web server is the fact
> that the Apache in tree doesn't do IPv6, and Apache 2.x does. And,
> btw, if you look at early 2.0 releases, you'll see they are still
> under the Apache 1.1 License or whatever 1.3 was under. The
> incompatible Apache license wasn't put in until after a few 2.x
> releases.

Sorry to reply to myself, but I was curious as to how far along 2.0.x
was still the Apache 1.1 License, so I checked out older versions of
source from:
http://archive.apache.org/dist/httpd/
And I have found that 2.0.48 is the last version with the Apache 1.1
License (compatible with OpenBSD) and that 2.0.49 is the first version
with the Apache 2.0 License (incompatible with OpenBSD). So if anyone
is truly interested in Apache 2.0.x, it looks like as far as the
license is concerned, it's doable if 2.0.48 is used.

> >
> > At 22:11 2006-02-07, you wrote:
> > >Wouldn't it be better then to start a spinoff project (openhttpd or
> > >something comes to mind) instead of still calling it apache httpd 1.3?
> > >
> > >Stuart Henderson wrote:
> > >>On 2006/02/07 21:23, RedShift wrote:
> > >>>I've noticed OpenBSD still uses Apache httpd 1.3.
> > >>Well, not exactly. Diff the source trees and you'll see it's not
> > >>quite the same thing...



Re: The Apache Question

2006-02-08 Thread Jason Crawford
On 2/7/06, Marcin Wilk <[EMAIL PROTECTED]> wrote:
> Why change that
> It is apache, but with some patches. But still it is apache (changing
> name may be bad for future coders, that would like to make some
> plugin for OpenBSD http server, & before they will start to make it,
> they will have to learn, that httpd in OBSD is just apache 1.3).
>
> Besides i don't understand why so many people would like to change
> current web server, when it's working fine & well & it is enough secure?
> Is there any really nice argument besides the digit ?
> I think no, so, why people always ask that

I think the biggest argument for changing the web server is the fact
that the Apache in tree doesn't do IPv6, and Apache 2.x does. And,
btw, if you look at early 2.0 releases, you'll see they are still
under the Apache 1.1 License or whatever 1.3 was under. The
incompatible Apache license wasn't put in until after a few 2.x
releases.

>
> At 22:11 2006-02-07, you wrote:
> >Wouldn't it be better then to start a spinoff project (openhttpd or
> >something comes to mind) instead of still calling it apache httpd 1.3?
> >
> >Stuart Henderson wrote:
> >>On 2006/02/07 21:23, RedShift wrote:
> >>>I've noticed OpenBSD still uses Apache httpd 1.3.
> >>Well, not exactly. Diff the source trees and you'll see it's not
> >>quite the same thing...



Re: view available inodes on partition

2006-01-25 Thread Jason Crawford
On 1/25/06, Matthew Closson <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Is there a way to view how many inodes are still available on a partition.
> I'm decompressing a ton of small files onto a 60Gb onto my /dev/wd1a. And
> I'm not really concerned about running out of space, but possibly out of
> inodes, I just used the default parameters creating the filesystem, which
> is ffs.  Thanks,
>

man 1 df



Re: CVSync servers not syncing?

2006-01-20 Thread Jason Crawford
On 1/20/06, Alexander Farber <[EMAIL PROTECTED]> wrote:
> Maybe because they are tagging it 3.9?
>

Unless they decided to suddenly change how they release OpenBSD, they
most certainly are not. 3.9 has JUST moved to beta yesterday (or 2
days ago, I forget) and trust me, you don't want to tag early beta
code as release.

Jason



Re: patch management on larger install bases

2006-01-09 Thread Jason Crawford
On 1/9/06, Russell Fulton <[EMAIL PROTECTED]> wrote:
> I am just starting to upgrade all my obsd boxes to 3.8.  I have a copy
> of the official CDs -- I know the the ISOs are copyright but is there a
> way of burning an updated set so I don't have to patch each system
> individually?
>
> Alternately, with the kernel I'm guessing I can replace /bsd (and
> /bsd.rd) using the little shuffle recommended in the upgrade docs.
> Which perl files need replacing?
>
> How do others who manage several boxes apply patches like the recent ones?
>
This has been beaten to death on the archives. But I'll be nice and
give you a hint:
man 8 release
I'm sure you can figure it out from there, especially while searching
the archives.

Jason



Re: pf not logging to /var/log/pflog...

2006-01-09 Thread Jason Crawford
On 1/9/06, poncenby smythe <[EMAIL PROTECTED]> wrote:
> On 9 Jan 2006, at 10:43, Olivier Mehani wrote:
>
> > On Sun, Jan 08, 2006 at 10:51:12PM +, poncenby smythe wrote:
> >> I am running 3.8 GENERIC on i386 and can't figure out why pf
> >> isn't logging
> >> the packets I've told it to, here is a snippet from /etc/pf.conf...
> >
> > Maybe a stupid check, but did you enable pf in rc.conf ?
>
> pf is set to NO in /etc/rc.conf, but is enabled with the following
> commands in ppp.linkup script:
>
> adsl:
>  ! sh -c "/sbin/ifconfig pflog0 up"
>  ! sh -c "/sbin/pfctl -f /etc/pf.conf -e"
>
> the ppp link is called adsl and running pfctl -ss reports pf is enabled.
>
Well that would be why. If you look in /etc/rc (which is supposed to
start pf) you'll see it runs a daemon called pflogd. Judging by the
name, that just MIGHT be what you're missing and need.

Jason



Re: Issue when moving to -stable

2006-01-08 Thread Jason Crawford
On 1/8/06, Jamie Gavahan <[EMAIL PROTECTED]> wrote:
> On 1/8/06, Jason Crawford <[EMAIL PROTECTED]> wrote:
> > On 1/8/06, Andris Delfino <[EMAIL PROTECTED]> wrote:
> > > Hi, because of the recent release of patches for 3.8, I'm moving to
> > > -stable. I could build and boot the new kernel following the
> > > instructions at http://www.openbsd.org/stable.html, but I have a
> > > problem with the second step to build the binaries, which is:
> > >
> > > rm -r /usr/obj/*
> > >
> > > The error I get is:
> > >
> > > rm: /usr/obj/*: No such file or directory
> > >
> > > I don't know what should I do now, proceed with the next step (make
> > > obj && make build) or do something first.
> >
> > Looks like /usr/obj/ is empty, so yes you can proceed with the regular
> > build by doing:
> > make obj && make build
>
> The /usr/obj directory may not exist.  Do a mkdir -p /usr/obj before doing
> make obj && make build.
>

Well by default /usr/obj does exist, and Andris didn't state that he
changed any of the default stuff, so I'm just going to assume it's the
same. No point in jumping through hoops for someone who doesn't give
all pertinent information.

Jason



Re: Issue when moving to -stable

2006-01-08 Thread Jason Crawford
On 1/8/06, Andris Delfino <[EMAIL PROTECTED]> wrote:
> Hi, because of the recent release of patches for 3.8, I'm moving to
> -stable. I could build and boot the new kernel following the
> instructions at http://www.openbsd.org/stable.html, but I have a
> problem with the second step to build the binaries, which is:
>
> rm -r /usr/obj/*
>
> The error I get is:
>
> rm: /usr/obj/*: No such file or directory
>
> I don't know what should I do now, proceed with the next step (make
> obj && make build) or do something first.

Looks like /usr/obj/ is empty, so yes you can proceed with the regular
build by doing:
make obj && make build

Jason



Re: /etc/isakmpd/ missing from etc38.tgz?

2005-12-23 Thread Jason Crawford
On 12/23/05, Karl O. Pinc <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I just did a 3.6 -> 3.7 -> 3.8 upgrade and
> looking through the /etc/security mailing
> I see that I don't have /etc/disklabls/
> or /etc/isakmpd/.  These directories do
> not seem to be in etc38.tgz, although they
> do show up on a system I did a clean 3.8
> install on.  (3.8 patched to stable as
> of Dec 20.)
>
> 1) Have I done something wrong that these
> directories have not shown up?

Yes

>
> 2) Is there anything I need to do to recover
> other than create the same directory structure
> that exists on my clean install on the
> upgraded boxes?

You need to personally update /etc yourself, updating doesn't extract
etc38.tgz, as that would overwrite ALL your personal settings
including users and passwords. There are sections in the upgrade guide
for updating etc, so make sure you do those. If you want to get just
the directories, you can do:
DESTDIR= make distrib-dirs
inside /usr/src/etc but you still need to actually put the files
there. Follow the upgrade guide better.

Jason



Re: BerkeleyDB on 3.8

2005-12-22 Thread Jason Crawford
On 12/22/05, J.D. Bronson <[EMAIL PROTECTED]> wrote:
> How can I tell what version the BDB is that comes within OpenBSD 3.8?
>
> thanks
>
Check out http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/db/ to
see the one included with OpenBSD, and /usr/ports/databases/db/ for
other versions.

Jason



Re: Unable to build Gateway route

2005-12-22 Thread Jason Crawford
On 12/22/05, martin <[EMAIL PROTECTED]> wrote:
>
>
> --- Jason Crawford <[EMAIL PROTECTED]> wrote:
>
>
> > > IP - 209.216.76.1
> > > Netmask - 255.255.255.252
> > > GW - 209.216.77.6
> > >
> > Either a typo in your netmask, or a typo in your gateway, since your
> > gateway IP does not belong to the current netmask you assigned to
> > your
> > external IP. I have a feeling it's a typo in the netmask as that's a
> > very very small one.
> >
> > Jason
>
>
> Jason.
>
> The figures are correct (I wondered about the unusual GW when I first
> rx'd it but they said it was correct).  The thing is, I've had this
> connection for a couple of years and have run a  number of firewalls
> with no issue with these ie. Linux Router Project, Freesco and others I
> have tested.  It is running now with a commercial firewall with no
> problems.
>
> Can I force it to accept the gateway IP ?
>
> Regards...Martin
>
Unless they don't follow IPv4 specs properly, with those exact
numbers, none of them should work. 209.216.76.1 is nowhere near
209.216.77.6 so the netmask of 255.255.255.252 will not let you talk
to 209.216.77.6 without another route. My guess, 255.255.252.0 is the
netmask you want, as that would include both IPs. Or maybe you
mistyped the 3rd set, and they should both be 76 or 77, although
you'll still have to change the netmask to something like
255.255.255.240. Whether other OS's worked or not is irrelevant, the
current WILL NOT WORK with an OS that follows the IPv4 spec PROPERLY.
If your ISP is indeed handing this info to you, then they are complete
morons, as it WILL NOT WORK.

Jason
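
The on-link check behind this reply, as an added shell example that is not from the original posts: a gateway is directly reachable only if masking it with the interface netmask gives the same network as the interface address. Addresses and masks are the ones quoted in the thread; 209.216.76.6 is a constructed stand-in for the "both 76" case, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the addresses come from
# the thread except 209.216.76.6, which is constructed.

# Dotted quad -> 32-bit integer (octets must not have leading zeros).
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Succeeds when gateway $3 lies in the network of address $1 / netmask $2.
on_link() {
    a=$(ip_to_int "$1") m=$(ip_to_int "$2") g=$(ip_to_int "$3")
    [ "$(( a & m ))" = "$(( g & m ))" ]
}

# Print the longest prefix (and its netmask) under which both addresses
# fall into the same network.
smallest_common_mask() {
    a=$(ip_to_int "$1") b=$(ip_to_int "$2") bits=32
    while [ "$bits" -ge 0 ]; do
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        if [ "$(( a & mask ))" = "$(( b & mask ))" ]; then
            echo "/$bits $(int_to_ip "$mask")"
            return 0
        fi
        bits=$((bits - 1))
    done
}

check() {
    if on_link "$1" "$2" "$3"; then
        echo "$1 mask $2: gateway $3 is on-link"
    else
        echo "$1 mask $2: gateway $3 is NOT on-link"
    fi
}

check 209.216.76.1 255.255.255.252 209.216.77.6   # values as posted
check 209.216.76.1 255.255.252.0   209.216.77.6   # wider netmask
check 209.216.76.1 255.255.255.240 209.216.76.6   # constructed "both 76" case
echo "longest mask covering both posted addresses:" \
     "$(smallest_common_mask 209.216.76.1 209.216.77.6)"
```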



Re: Unable to build Gateway route

2005-12-22 Thread Jason Crawford
On 12/22/05, martin <[EMAIL PROTECTED]> wrote:
> Hello.
>
> I've been running other firewalls on this IP address with the same
> settings in the past, but am having problems setting up the Gateway
> with OpenBSD 3.8.  It comes back with  "no route to host" and when I do
> a netstat -rn, the Gateway is missing even though /etc/mygate exists.
>
> IP - 209.216.76.1
> Netmask - 255.255.255.252
> GW - 209.216.77.6
>
Either a typo in your netmask, or a typo in your gateway, since your
gateway IP does not belong to the current netmask you assigned to your
external IP. I have a feeling it's a typo in the netmask as that's a
very very small one.

Jason



Re: OpenBSD is popular as a VM image

2005-12-22 Thread Jason Crawford
On 12/22/05, Graham Toal <[EMAIL PROTECTED]> wrote:
> > Just an update on the popularity of the OpenBSD 3.8 VM image:
> > Since it was posted on Dec 19 (4 days ago), apache logs have shown 2826
> > hits on the file with just over 277 gigs of traffic created by those
> > downloads.
> > Not bad for only a few days.
>
> I hope this isn't too OT for this list, but...
>
> do you know if it is possible under VMWare to have the
> virtual system be the only one which talks to the real
> ether card, while having the hosted PC only communicate
> to the net by routing via the VM'd system?
>
> What I'm thinking is that we could set up an OpenBSD
> as a personal firewall to a (cough, spit) Windows machine,
> and channel all the IP for the Windows machine through
> that VM'd OpenBSD system.  Currently I'm using an
> extra box under my desk for a BSD firewall but since my
> main PC is already running 3 emulated systems as my
> development environment (one 'clean' PC for programming,
> one Linux for a dev web server, and believe it or not
> one emulated Vax/VMS for legacy work) it would be really
> nice to throw the OBSD firewall under VMware as well
> and have everything in one box!
>
> (incidentally this is one of the nicest development
> environments I've had for some time.  VMware is cool,
> but having a PC with 3 flat panel displays is pretty
> nice too!)
>
I have a very similar setup going on, but not with that VMware player
or whatever it is. I have my host machine with 3 network cards in it,
only 1 of which has an IP on the host machine, the other two network
cards are ip-less for the host, but virtuals use them with IPs, and
the hosted machine routes through one of the virtual machines to
actually get out to the Internet. I won't go into any further details
on-list, as this is pretty OT, so email me privately if you need
further explanation.

Jason



Re: Hardware RNG speed

2005-12-19 Thread Jason Crawford
On 12/19/05, Michael Alexander Hamburg <[EMAIL PROTECTED]> wrote:
> Hello to the list,
>
> I'm working on a cryptography project, and one of the things the project
> requires is a moderately high-bandwidth source of truly random numbers.
> To accomplish this, I set up OpenBSD on a board with a (Soekris) Hifn 7955
> accelerator card, but the rate I'm getting by reading out of /dev/srandom
> is pretty low (200B/s).  However, this has to be coming from the card,
> because the machine has no other reasonable source of entropy other than
> the network: no hard drive, no keyboard, etc.
>
> Now, unless the card's specs are deceptive, its random number generator
> must support a higher rate than this: it claims 70 1024-bit Diffie-Hellman
> key exchanges per second, and each such key exchange requires a full
> 1024-bit random number, which comes out to 8.8kB/s.  The minimum data rate
> for my application is about 1k/s, and I would strongly prefer not to use a
> PRNG.
>
> Is there a more direct way to query the RNG?  random(4) claims that the
> RNG is not mapped directly to a device (/dev/random is not currently
> implemented), but rather that it periodically refreshes the system entropy
> pool.  Is there a way to force this to occur more often, or to transfer
> more data?  Or do the numbers lie, and I'm getting all the data I can?
>
> Thanks for your time,
> Mike Hamburg
>
> P.S. I'm looking at different sources of random numbers, and cost and
> integration are important factors.  Would an AMD Geode LX or VIA C3 or C7
> processor's on-board RNG provide a significantly higher data rate than
> a Soekris card, at a comparable quality?
>

What about taking a cord that's plugged into the sound card port and
microphone port, and reading in from the microphone? I've heard that
is a pretty good source of randomness (all that annoying feedback),
although I may be completely wrong, feel free to correct me if I am.

Jason



Re: How can I switch the terminal?

2005-12-19 Thread Jason Crawford
On 12/19/05, openbsd shen <[EMAIL PROTECTED]> wrote:
> How to switch the terminal in OpenBSD, it looks is not Alt+F[1-7] likes
> Linux.

http://www.openbsd.org/faq/faq7.html#SwitchConsole

Try reading the damn documentation first. Also try reading
http://www.openbsd.org/mail.html as well, thoroughly since you didn't
do it right the first time, you would have to have read it to get on
this mailing list. Btw, CTRL+ALT+F[1-7] worked on Linux before just
Alt+F[1-7] did.

Jason



Re: stuck on "upgrading from 3.7 to 3.8 - Exception handling flag day"

2005-12-16 Thread Jason Crawford
On 16 Dec 2005 14:41:38 -0800, Randal L. Schwartz wrote:
> > "Theo" == Theo de Raadt <[EMAIL PROTECTED]> writes:
>
> Theo> If you get stuck doing an upgrade build, please do a standard upgrade
> Theo> or reinstall.
>
> Theo> We have never promised that such builds will work perfectly, nor can we
> Theo> dedicate 3-4 developers full-time to making sure they do.  Which is
> Theo> pretty much what it would take.
>
> I understand that.  However, I'm hoping that someone else reading this
> mailing list will have tried the paragraph given in the FAQ, and either
> succeeded with a workaround, or discovered the futility as well.
>
> I'm upgrading a remote box, so a "standard upgrade" is not an option,
> nor is a reinstall.  There was no warning in the FAQ that the
> information was definitely broken.  It must have worked for *someone*
> or it wouldn't have been put in the FAQ, I presume.
>

First off, I fail to see how extracting the install sets via ssh can't
be done, as that's mentioned in the FAQ as one upgrade method. Second,
the source upgrade stuff has worked for people in the past, but they
usually know enough about the system to actually fix something if it
breaks. A source upgrade probably has less of a chance of working as
extracting the install sets via ssh as mentioned in the FAQ, so you're
running a risk either way. My suggestion, get the box shipped back to
you or ship out a new hard drive with the new install on it, and all
the other data copied over. Since OpenBSD is compiled to work on all
i386 boxes, it shouldn't really matter which box you install it on, as
long as you properly set the network config how it should be on the
remote box.

Jason



Re: dd performance

2005-12-15 Thread Jason Crawford
I think the very first thing you should change is use the raw device
in OpenBSD (/dev/rsd0c) and that should speed things up a bit.

Jason

On 12/15/05, chefren <[EMAIL PROTECTED]> wrote:
> Wiping identical 18GB SCSI disks on same Dell 1750 machine:
>
>
> OpenBSD 3.8:
>
> dd if=/dev/zero of=/dev/sd0c bs=1024k
>
> 6MB/s
>
>
> Linux 2.4:
>
> dd if=/dev/zero of=/dev/sda bs=1024k
>
> 53MB/S
>
>
>
> Any clue about the difference? Of course I'm also interested in
> different ways to do this but the difference is what puzzles me.
>
> +++chefren



Re: Just confirming: no way to do a pf rdr based on hostname?

2005-12-12 Thread Jason Crawford
On 12/12/05, Peter Landry <[EMAIL PROTECTED]> wrote:
> Hi All,
> We're migrating an old Microsoft ISA Server system to OpenBSD pf. First
> off, before I ask any questions, kudos to everyone -- Installing OpenBSD
> 3.8 was a very pleasant, painless experience for someone who's never
> used it before. Setting up pf/nat was also extraordinarily easy. The
> docs are great.

Welcome, glad to hear you enjoyed it so far.

>
> That aside, the only thing that I haven't been able to migrate yet is
> ISA's ability to redirect web requests coming in on the same IP to
> different machines based on the host name. IE- www.a.com (IP
> 123.123.0.1) gets redirected to the internal IP 192.168.0.1 while
> www.b.com (also IP 123.123.0.1) gets redirected to the internal IP
> 192.168.0.2.

This is application level filtering and such, pf doesn't do that.

>
> I haven't found anything in the docs, and all the list archive questions
> I've found were specific to ipnat, not pf.
>
> I'm thinking that I can't do it. In that case, my options seem to be 1)
> use different external IP's for each website, and redirect to different
> internal servers based on IP 2) redirect all web traffic to the legacy
> ISA system, which will then redirect based on hostname. I'm hesitant to
> use up all our IPs for option 1, but I'm thinking option 2 is even
> worse... Are there any options I haven't thought of?

I would suggest looking at squid for reverse proxying. It's
transparent, and you can have pf redirect all port 80 traffic to
squid, which will then decide where to route the http request based on
what site they asked for. This would also help protect your web
servers from various attacks (but not all) since they wouldn't be
talking directly with your web server, as well as squid being in a
chroot and running as an unprivileged user. You could also setup squid
to do caching which would reduce the load on your web server if need
be. Good luck,

Jason



Re: removing old files - /usr grows with each release

2005-12-11 Thread Jason Crawford
On 12/11/05, Andreas Bartelt <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> according to http://www.openbsd.org/faq/faq4.html#SpaceNeeded 250 MB for
> /usr is sufficient, in case X isn't installed on an OpenBSD system. My
> /usr partition (located on a 512 MB CompactFlash drive) recently has
> reached its limits after living through multiple releases (3.4 - 3.8).
>
> du -h:
> ...
> /dev/wd0e      359M    311M   30.3M    91%    /usr
>
> folders in my /usr partition:
> bin 19.9M
> games 1.4M
> include 16.8M
> lib 100M
> libdata 76.8M
> libexec 2.6M
> lkm 2.0K
> local 10.8M
> mdec 220K
> obj -> /home/obj
> ports -> /home/ports
> sbin 15.9M
> share 62.6M
> src -> /home/src
>
> My goal is to safely remove all files from older releases, which aren't
> needed anymore.
>
> At least in /usr/lib, there seem to be some directories, which
> exclusively contain files from older releases, namely
> /usr/lib/gcc-lib/i386-unknown-openbsd[release number]. Is it safe to
> remove them after upgrading to a newer release? The content of
> /usr/libdata seems to be growing with each release, too. Which
> directories/files may be removed from /usr without risking too much?
>
> Is it better to wipe /usr and do a complete reinstall of all /usr
> content from a fresh OpenBSD system?
>

You might want to try something like having find search / and show any
files with a creation or modification time that would be before 3.8
release files, and redirecting the output to a file. I think that
would be one way to at least get started, but any files needed for 3.8
would have been created or modified at the same time as specified in
the installation sets. Or you could do a mix of creating a 3.8 file
list via the installation sets and the find output, making sure that
none of the files in your 3.8 file list are listed in the find output,
then starting to remove. I would strongly suggest though, that you
test them on another system that you purposefully install older
versions and upgrade on before doing it on your production system. The
best option though, if possible, is a reformat and reinstall, as you
run no risk of breaking dependencies and only use space needed.

Jason



Re: Why Perl (a request to the developer sof the Ports-System)

2005-12-02 Thread Jason Crawford
On 12/2/05, Miod Vallat <[EMAIL PROTECTED]> wrote:
> > > http://www.perl.com/download.csp#srclic
> > > It is NOT gpl'ed.
> >
> > According to this:
> > http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/perl/README?rev=1.8&content-type=text/x-cvsweb-markup
> > it is GPL'd.
>
> According to this very same file, it is not. It is dual-licensed, which
> is VERY different from being GPL only.
>
I didn't say GPL ONLY, I was just pointing out that it's wrong to say
it's GPL'd. And the fact that it's in the gnu directory of OpenBSD
would suggest to people that OpenBSD seems to choose the GPL license
for distributing perl.

Jason



Re: Why Perl (a request to the developer sof the Ports-System)

2005-12-02 Thread Jason Crawford
On 12/2/05, Jimmy Scott <[EMAIL PROTECTED]> wrote:
> On Fri, Dec 02, 2005 at 06:14:18PM +0100, Sebastian Rother wrote:
> > I scripted with pdksh all the time long for now.
> > Now I'm interested into learning another Scripting-Language.
> >
> > I can't decide between Perl and Python.
> > Perl has a lot modules but it's GPLed.
> > Python on the other hand is under a BSD-compatible License and has less
> > modules.
>
> http://www.perl.com/download.csp#srclic
> It is NOT gpl'ed.

According to this:
http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/perl/README?rev=1.8&content-type=text/x-cvsweb-markup
it is GPL'd.

>
> >
> > I would like to know some "facts" why Perl is in the base system on a
> > BSD even Python is a BSD-licensed alternative. Does it have some
> > advantages I don't know?
> >
> > I read a lot papers about both languages. Also CS-related Papers but I
> > can't decide.
>
> I advise to try both, Python is nice in its syntax and it's harder to
> "misuse", I mean, there are a LOT of Perl programmers out there that do
> their best to make their program unreadable, to say it softly.
>
> The downside about Perl (in my opinion) is the whole "you can do it in
> more than one way" and "you can do it on a single line" spirit.

Definitely try both, as no one can really tell you which language is
better for your situation except...you. And if you try both, you'll
definitely learn more than if you only tried one. There are always
downsides and upsides to any language, and the best way to judge which
fits your situation the most is just to dive in and get dirty.

> 

Jason



Re: cvsup of OpenBSD-src is old

2005-12-01 Thread Jason Crawford
On 12/1/05, Jason Crawford <[EMAIL PROTECTED]> wrote:
> On 12/1/05, Jeremy C. Reed <[EMAIL PROTECTED]> wrote:
> > I am trying to get the latest OpenBSD HEAD (-current) of the CVS
> > repository (RCS ,v files) using cvsup. But it is old.
> >
> > My retrieved CVSROOT/ChangeLog goes up to 2005/05/03 23:12:53
> >
> > CVSROOT/config and CVSROOT/options has:
> >
> > tag=OpenBSD
> > umask=002
> > dlimit=49152
> >
> > Have tried cvsup.jp.OpenBSD.org and cvsup.de.openbsd.org.
> >
> > cvsup config is:
> >
> > *default host=cvsup.de.openbsd.org
> > *default base=/usr
> > *default prefix=/archive/OpenBSD-CVS
> > *default release=cvs
> > *default delete use-rel-suffix
> > *default compress
> >
> > #OpenBSD-all
> > OpenBSD-src
>
> Unless I'm mistaken, OpenBSD-src means the actual source code, not the
> CVS repository. You want to use OpenBSD-all which will mirror the CVS
> repository (the whole thing, not just src).

Oops, I am mistaken, silly little tag keyword changes quite a bit. I
guess it's been a while since I've used anything other than
OpenBSD-all with cvsup

> > #OpenBSD-www
> > #OpenBSD-ports
> > #OpenBSD-x11
> > #OpenBSD-xf4
> >
> > How or where can I get the latest?
> >
> > I have looked at http://www.openbsd.org/cvsup.html and a few examples and
> > docs from the mirrors.
> >
> > Note that I am not using the OpenBSD-provided cvsup client. I am not doing
> > this on OpenBSD.
> >
> > Please carbon-copy me on replies.
> >
>
> Once you change OpenBSD-src to OpenBSD-all, it should work just fine
> (but get the 2.5GB CVS repository as a whole).
>
> jason



Re: cvsup of OpenBSD-src is old

2005-12-01 Thread Jason Crawford
On 12/1/05, Jeremy C. Reed <[EMAIL PROTECTED]> wrote:
> I am trying to get the latest OpenBSD HEAD (-current) of the CVS
> repository (RCS ,v files) using cvsup. But it is old.
>
> My retrieved CVSROOT/ChangeLog goes up to 2005/05/03 23:12:53
>
> CVSROOT/config and CVSROOT/options has:
>
> tag=OpenBSD
> umask=002
> dlimit=49152
>
> Have tried cvsup.jp.OpenBSD.org and cvsup.de.openbsd.org.
>
> cvsup config is:
>
> *default host=cvsup.de.openbsd.org
> *default base=/usr
> *default prefix=/archive/OpenBSD-CVS
> *default release=cvs
> *default delete use-rel-suffix
> *default compress
>
> #OpenBSD-all
> OpenBSD-src

Unless I'm mistaken, OpenBSD-src means the actual source code, not the
CVS repository. You want to use OpenBSD-all which will mirror the CVS
repository (the whole thing, not just src).

> #OpenBSD-www
> #OpenBSD-ports
> #OpenBSD-x11
> #OpenBSD-xf4
>
> How or where can I get the latest?
>
> I have looked at http://www.openbsd.org/cvsup.html and a few examples and
> docs from the mirrors.
>
> Note that I am not using the OpenBSD-provided cvsup client. I am not doing
> this on OpenBSD.
>
> Please carbon-copy me on replies.
>

Once you change OpenBSD-src to OpenBSD-all, it should work just fine
(but get the 2.5GB CVS repository as a whole).

jason



Re: Network Analyzer

2005-11-25 Thread Jason Crawford
On 11/25/05, Roy Morris <[EMAIL PROTECTED]> wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > Matthew Graham
> > Sent: Friday, November 25, 2005 2:24 PM
> > To: misc
> > Subject: Network Analyzer
> >
> >
> > I am fairly new to OpenBSD with significant experience with Linux. I'm
> > considering switching some of our infrastructure based systems to
> > OpenBSD because of the security reputation and ease of updates.
> >
> > One of the intended boxes is a network monitor that will go inline
> > between a host and an Ethernet switch. I've configured a transparent
> > bridge and it works great. The ease of this alone is impressive.
> >
> > One utility I'm used to using for monitoring is Ethereal.
> > I've seen all
> > of the comments from the OpenBSD user community and
> > understand why it's
> > no longer available through ports. Does anyone know of a similar tool
> > that will work well with OpenBSD and is also secure? I need more
> > information in human-readable form than I can get from tcpdump or
> > sniffit.
> >
> > Thanks for any advice anyone can give.
> >
>
> I just want to be sure you consider the difference between
> capturing and viewing. You can as I do capture all your packets
> using tcpdump and review them off the box using ethereal as
> you normally would. Have you considered that option? I mean on
> an alternate OS.

Well the biggest problem is that you are still viewing the capture of
the potentially bad traffic that could still do things to Ethereal.
It's no different than if you were just running Ethereal, unless you
stress to do it as an unprivileged user, since Ethereal's biggest
problem is doing too much as root. Make sure to run Ethereal against
the captured data as an _unprivileged_ user and you should be OK.

Jason



Re: Telnet daemon retired in 3.8 ?

2005-11-07 Thread Jason Crawford
Well, the parent poster asked for an alternative, so I said sshd. If he
wanted telnetd, then he wouldn't ask for an alternative, very simple. And
you act as if I had anything to do with telnetd being removed. I have
nothing to do about anything OpenBSD does, short of maybe helping to fix a
bug or two I might happen to find. You don't like telnetd being gone, use
another OS or just use an alternative, like the parent poster asked about in
his first email (sshd).

On 11/7/05, Ioan Nemes <[EMAIL PROTECTED]> wrote:
>
> It is not the question of sshd works or not! In large environments,
> where you have a large number of legacy hardware (like Apollo 700,
> HP 3000, HP 7000, Solaris 2.5.1 etc., etc.), and the purpose of a UNIX
> box is other than to run a firewall, a webserver, mail-server, or
> MySQL,
> plus you have thousand + users, and clients (internal/external on
> different
> client platforms), yes it is bad not have telnetd running. Matthew is
> quite
> right, telnet is live and will be for very long time. It was a bad
> choice
> to be removed from the source tree. You reduce your options.
>
> Above, I am not arguing pro/contra telnetd, or sshd!
>
> Ioan
>
>
> >>> Jason Crawford <[EMAIL PROTECTED]> 08/11/2005 11:55:55 am
> >>>
> telnetd was completely removed from the source tree around the end of
> May,
> soon after 3.7 was released. As far as an alternative, why does sshd
> not
> work? There are ssh daemons for almost all other operating systems,
> unless
> maybe you're using OpenVMS or Plan9 (although I think there is at least
> one
> for those as well, just not OpenSSH).
>
> On 11/7/05, Matthew S Elmore <[EMAIL PROTECTED]> wrote:
> >
> > I cannot appear to locate a telnet daemon in 3.8 installs now. It
> > appears to have silently disappeared between 3.7 and 3.8.
> >
> > I see no mention of this in the release notes or after a cursory
> search
> > of the mailing lists. It's possible it is mentioned somewhere and I
> am
> > missing it.
> >
> > I understand the advantages of ssh over telnet, but telnet is still
> > heavily used in many environments.
> >
> > Is it merely hiding somewhere or can someone recommend an
> alternative
> > for me?
> >
> > Regards,
> > Matt
>



Re: Telnet daemon retired in 3.8 ?

2005-11-07 Thread Jason Crawford
telnetd was completely removed from the source tree around the end of May,
soon after 3.7 was released. As far as an alternative, why does sshd not
work? There are ssh daemons for almost all other operating systems, unless
maybe you're using OpenVMS or Plan9 (although I think there is at least one
for those as well, just not OpenSSH).

On 11/7/05, Matthew S Elmore <[EMAIL PROTECTED]> wrote:
>
> I cannot appear to locate a telnet daemon in 3.8 installs now. It
> appears to have silently disappeared between 3.7 and 3.8.
>
> I see no mention of this in the release notes or after a cursory search
> of the mailing lists. It's possible it is mentioned somewhere and I am
> missing it.
>
> I understand the advantages of ssh over telnet, but telnet is still
> heavily used in many environments.
>
> Is it merely hiding somewhere or can someone recommend an alternative
> for me?
>
> Regards,
> Matt



Re: pf and altq group interface ...

2005-10-11 Thread Jason Crawford
Unless things have changed since I last asked this same question,
interface groups don't work in altq. Next time search the archives.

Jason

On 10/10/05, Karl-Heinz Wild <[EMAIL PROTECTED]> wrote:
> maybe i've missed something.
>
> ifconfig rl0 group wan_if
>
> pf.conf:
>
> -> altq on wan_if cbq bandwidth 100Mb queue { http ssh }
>
> produce an error when loading the ruleset.
> but every other rules like
>
> -> pass in on wan_if proto tcp to port ssh keep state queue ssh
>
> will be accepted.
>
> isn't that a bit confusing?
>
> Karl-Heinz



Re: 3.6 -> 3.7 make build problem

2005-09-29 Thread Jason Crawford
Well the compiler issue was pretty simple for me, follow the compiler
upgrade faq here:

http://www.openbsd.org/faq/faq5.html#NewCompiler

But make sure you first compile gcc 3 from 3.6 source code (by adding
i386 to the gcc3 list in bsd.own.mk file in /usr/share/mk) and then
recompile 3.6 source code completely. Then recompile the gcc 3
compiler using 3.7 source code, and recompile the 3.7 source from
there (3.7 uses gcc 3 by default for i386). This following thread from
April helped me out as well:

http://marc.theaimsgroup.com/?t=11141833565&r=1&w=2

On 9/29/05, eric <[EMAIL PROTECTED]> wrote:
> On Thu, 2005-09-29 at 13:40:36 -0400, Jason Crawford proclaimed...
>
> > I ran into the same issue myself, as I have a server with the aac raid
> > card, and no way to upgrade from 3.6 to 3.7 (I'm running 3.8-release
> > on it now). Reading the archives and various upgrade faq's on
> > OpenBSD's website, I found a method that worked for me, but no
> > guarantees for anyone else. First, I made sure my 3.6 source was fully
> > up to date with the OPENBSD_3_6 tag, then I compiled gcc3 from the
> > openbsd 3.6 sources, which involved me changing around the bsd.own.mk
> > file in /usr/share/mk to remove i386 from the list of gcc2 archs. You
> > run through the new compiler faq, which is compiling gcc3 twice, first
> > to get a workable gcc3 compiler from gcc2, then to recompile gcc3 with
> > gcc3 you just did. Next I ran through the entire make build in 3.6
> > using the gcc3 compile, the change to bsd.own.mk automatically makes
> > it compile the right version of everything to use the gcc3 compiler.
> > It failed for me on texinfo (or something in the gnu directory), but I
> > just ran through the rest of the  make build process by hand. Then I
> > installed all the binaries, having to do the parts after gnu by hand
> > since the one app failed, so now I was running 3.6 with gcc3 binaries.
> > Next I moved /usr/src to /usr/src.old and grabbed OpenBSD 3.7 source
> > into /usr/src (also move /usr/obj to /usr/obj.old and a new /usr/obj
> > for 3.7 source). Then I compiled the new gcc3 compiler in 3.7 (later
> > version) twice like the faq says for new compilers, and then compiled
> > the 3.7 kernel with aac support, rebooted, and recompiled my system.
> > One part that I was unclear about was whether I tried to recompile
> > some parts of 3.7 before rebooting into the kernel, or whether I
> > rebooted into the kernel before compiling the system, which could make
> > a big difference. I can do some more research if you wish, but again
> > this is a completely unsupported method of upgrade, and I don't
> > guarantee that this will work for anyone other than myself. The
> > process of upgrading source from 3.7 to 3.8 was much easier than 3.6
> > to 3.7, mostly because there wasn't a huge compiler change.
>
> If you can let me know if there was anything else I'd appreciate it. I just
> need to get over the compiler hump. No support is expected, by the way.
>
> Thanks a bunch.
>
> - Eric



Re: 3.6 -> 3.7 make build problem

2005-09-29 Thread Jason Crawford
I ran into the same issue myself, as I have a server with the aac raid
card, and no way to upgrade from 3.6 to 3.7 (I'm running 3.8-release
on it now). Reading the archives and various upgrade faq's on
OpenBSD's website, I found a method that worked for me, but no
guarantees for anyone else. First, I made sure my 3.6 source was fully
up to date with the OPENBSD_3_6 tag, then I compiled gcc3 from the
openbsd 3.6 sources, which involved me changing around the bsd.own.mk
file in /usr/share/mk to remove i386 from the list of gcc2 archs. You
run through the new compiler faq, which is compiling gcc3 twice, first
to get a workable gcc3 compiler from gcc2, then to recompile gcc3 with
gcc3 you just did. Next I ran through the entire make build in 3.6
using the gcc3 compile, the change to bsd.own.mk automatically makes
it compile the right version of everything to use the gcc3 compiler.
It failed for me on texinfo (or something in the gnu directory), but I
just ran through the rest of the  make build process by hand. Then I
installed all the binaries, having to do the parts after gnu by hand
since the one app failed, so now I was running 3.6 with gcc3 binaries.
Next I moved /usr/src to /usr/src.old and grabbed OpenBSD 3.7 source
into /usr/src (also move /usr/obj to /usr/obj.old and a new /usr/obj
for 3.7 source). Then I compiled the new gcc3 compiler in 3.7 (later
version) twice like the faq says for new compilers, and then compiled
the 3.7 kernel with aac support, rebooted, and recompiled my system.
One part that I was unclear about was whether I tried to recompile
some parts of 3.7 before rebooting into the kernel, or whether I
rebooted into the kernel before compiling the system, which could make
a big difference. I can do some more research if you wish, but again
this is a completely unsupported method of upgrade, and I don't
guarantee that this will work for anyone other than myself. The
process of upgrading source from 3.7 to 3.8 was much easier than 3.6
to 3.7, mostly because there wasn't a huge compiler change.

On 9/29/05, eric <[EMAIL PROTECTED]> wrote:
> [ Note: I don't like doing this. I would rather use a snapshot and   ]
> [ just get -current, but I have the Adaptec bullshit on this machine ]
> [ and need a kernel that support aac(4). ]
>
> I'm going from 3.6 to 3.7, and just trying to get the fscking adaptec
> controller working.
>
> Following information found in release(8), I wind up with this:
>
> 1. Reboot new GENERIC.MP kernel. Works fine.
> 2. Clean up /usr/obj/*
> 3. I have to upgrade my compiler.
>
> # gcc -v
> Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.6/2.95.3/specs
> gcc version 2.95.3 20010125 (prerelease, propolice)
>
> Alas, /usr/obj/gnu/egcs/gcc/ isn't found on this machine. Do I need to
> rebuild all my 3.6-STABLE sources first? Then upgrade the 2.x compile, then
> move to 3.x?
>
> If I follow instructions in the FAQ and try and compile gcc 3.x, I get this
> far.
>
> # rm -r /usr/obj/gnu/usr.bin/gcc/*
> # cd /usr/src/gnu/usr.bin/gcc
> # make -f Makefile.bsd-wrapper clean
> # make -f Makefile.bsd-wrapper obj
> # make -f Makefile.bsd-wrapper depend
> # make -f Makefile.bsd-wrapper
>
> [snip]
>
> /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c:139: error: `PT_LOOS'
> undeclared (first use in this function)
> /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c:139: error: (Each
> undeclared identifier is reported only once
> /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c:139: error: for each
> function it appears in.)
> /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c: In function
> `_Unwind_Find_FDE':
> /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c:283: warning: implicit
> declaration of function `dl_iterate_phdr'
> *** Error code 1
>
> Stop in /usr/src/gnu/usr.bin/gcc/obj (line 208 of libgcc.mk).
> *** Error code 1
>
> Stop in /usr/src/gnu/usr.bin/gcc/obj (line 2160 of Makefile).
> *** Error code 1
>
> Stop in /usr/src/gnu/usr.bin/gcc (line 84 of
> /usr/src/gnu/usr.bin/gcc/Makefile.bsd-wrapper).
> #
>
> Thanks for hitting me with a cluestick. MANTRA: don't buy adaptec. don't buy
> adaptec. don't buy adaptec.



Re: question about OPENBSD_3_8_BASE

2005-09-28 Thread Jason Crawford
I believe this has been discussed many times on the list, however here
is a basic rundown:
OPENBSD_X_Y_BASE is the code that appears on the CD, it's a sticky tag
of the release code that doesn't change
OPENBSD_X_Y is the stable branch that is based off of the previous
tag, and is mostly just security and reliability fixes, and not
program upgrades (except openssh). This branch is maintained until 1
month after the 2nd release after the X.Y release.
If you want the code from the CD, use OPENBSD_X_Y_BASE, if you want
the stable code for X.Y release, with security/reliability fixes, use
OPENBSD_X_Y. Please search the archives/read the website for more
info.

Jason

On 9/28/05, Didier Wiroth <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have a few questions regarding TAGs, especially for a new ones.
> When a X_Y_BASE TAG is issued for example OPENBSD_3_8_BASE, does that
> mean
> the sources are not changing anymore or are there still changes?
> How do you know when the code is fixed and will be the same as on the
> cd. When the code
> doesn't change anymore, is it published on a specific mailing list or is
> it possible to use a cvs command (I'm not very
> familiar with cvs actually) to find out?
>
> Many thx
> Didier



Re: Dell PowerEdge 2650

2005-09-20 Thread Jason Crawford
On 9/20/05, John Brahy <[EMAIL PROTECTED]> wrote:
> I've got two poweredge 2650's w/ PERC 3/di raid cards and I've tried OpenBSD
> 3.7, 3.6 and 3.5. I've found that the aac in 3.7 is completely unstable, the
> aac in 3.6 would have problems after an hour or so of heavy use. BUT, 3.5
> seems to be stable but now I'm stuck on a version of an os that is about to
> become unsupported.

aac support in 3.8 seems to be much better than 3.7 in my experience,
however I still suggest better hardware if possible.

> 
> I think the only long term solution is to change hardware. I have been
> considering Sun's trade in offer. I haven't found it on Sun's site but it is
> mentioned here (http://www.theinquirer.net/?article=26143)
> I have a friend that's a Sun dealer www.acsacs.com and they said they honor
> it. I don't believe they sell online. Does anyone know if OpenBSD likes this
> hardware?
> 
> It's really Adaptec's fault. Those fuckers won't give up the source so the
> OpenBSD developers can't provide a good driver for their hardware. My
> company will not purchase any more servers from Dell as long as they
> continue to use Adaptec cards.
> 

First off, we never asked for "source" from adaptec, we were only
asking for documentation to make the driver more stable, and write
management utilities. However they only provide documentation if you
sign an NDA, which is unacceptable for any free software. Second, all
the PERC4 cards Dell uses are no longer Adaptec, but LSI Logic (unless
they've changed again recently), which is fully supported in OpenBSD,
including completely open management utilities.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Jan Johansson
> Sent: Tuesday, September 20, 2005 8:14 AM
> To: Ryan Rothert
> Cc: misc@openbsd.org
> Subject: Re: Dell PowerEdge 2650
> 
> Ryan Rothert <[EMAIL PROTECTED]> wrote:
> > 3.6 will install on it. I believe the aac driver still exists
> > but is disabled by default. You could install 3.6, recompile
> > the kernel with aac support enabled then upgrade.
> 
> This is a bad advice.
> 
> The aac driver was disabled because it was broken and could not
> be fixed because there was no documentation.
> 
> Using aac is like playing Russian Roulette with your data.



Re: Dell PowerEdge 2650

2005-09-20 Thread Jason Crawford
On 9/20/05, Jan Johansson <[EMAIL PROTECTED]> wrote:
> Ryan Rothert <[EMAIL PROTECTED]> wrote:
> > 3.6 will install on it. I believe the aac driver still exists
> > but is disabled by default. You could install 3.6, recompile
> > the kernel with aac support enabled then upgrade.
> 
> This is a bad advice.
> 
> The aac driver was disabled because it was broken and could not
> be fixed because there was no documentation.
> 
> Using aac is like playing Russian Roulette with your data.
> 
However if you have no choice but to use aac, what else are you going
to do? For a lot of people (like me) who have machines with the aac
raid controller, it's either uncomment the aac driver in the kernel,
or use a different OS. Buying another raid controller isn't always an
option, especially when it's company hardware. I currently run 3.8
release on a machine with aac, and it's running a lot better than it
did on 3.7 actually.

Jason



Re: downloading http

2005-09-15 Thread Jason Crawford
man 1 ftp

On 9/15/05, George Georgalis <[EMAIL PROTECTED]> wrote:
>
> Pardon the stupid question. But how does one download http in
> OpenBSD? I looked for fetch in packages but did not find. I see
> this dir /usr/rOPENBSD_3_7/infrastructure/fetch but I'm not sure
> what it is or how to use it.
>
> Is ports required to get files by this protocol? I'm not sure what
> else I can do to find the package
> ls ~ftp/OpenBSD/3.7/packages/i386/ |grep get
> ls ~ftp/OpenBSD/3.7/packages/i386/ |grep ht
> and search for http download didn't get me anything but fetchmail. Is
> there a better way to search for packages?
>
> // George
>
> --
> George Georgalis, systems architect, administrator <
> http://galis.org/ cell:646-331-2027 mailto:[EMAIL PROTECTED]



Re: Crash in recent snapshot of current.

2005-08-26 Thread Jason Crawford
On 8/25/05, Jason Crawford <[EMAIL PROTECTED]> wrote:
> On 8/25/05, Jason Crawford <[EMAIL PROTECTED]> wrote:
> > I updated my cvs tree today, and recompiled GENERIC with today's
> > source, and now the system crashes on boot, telling me that it cannot
> > read the disk label, but a GENERIC from two days ago can read the disk
> > label just fine. Here is the working dmesg from GENERIC of two days
> > ago, and dmesg from GENERIC from today with the trace and ps output.
> > Any other information that's needed, please ask, I'm not sure what
> > else to include, but this stuff is always asked for.
> >
> 
> A little more info, as I downloaded the August 24 snapshot, to see if
> my source tree had somehow gotten corrupted. I got an error message
> while in the bsd.rd kernel, that both fdisk and disklabel reported:
> DIOCGDINFO: Input/output error
> I'm not sure what that means exactly, but I'm sure that info would
> help in figuring out the problem.
> 
Even more information, I found the exact code that causes the crash.
It is whatever code that was committed between revision 1.86 and 1.87
of sd.c inside /usr/src/sys/scsi that is the culprit. I compiled the
most recent kernel except sd.c being revision 1.86, and it works. I
changed sd.c to revision 1.87 and the system crashes with the error
message reported in my first mail. I really hope that there is a
developer out there who will figure out why this is causing the crash,
because I can't see an obvious reason from the code. Here is the exact
diff for r1.86 to r1.87:

Index: sd.c
===
RCS file: /cvs/src/sys/scsi/sd.c,v
retrieving revision 1.86
retrieving revision 1.87
diff -u -r1.86 -r1.87
--- sd.c21 Aug 2005 16:25:52 -  1.86
+++ sd.c23 Aug 2005 23:31:04 -  1.87
@@ -1,4 +1,4 @@
-/* $OpenBSD: sd.c,v 1.86 2005/08/21 16:25:52 krw Exp $ */
+/* $OpenBSD: sd.c,v 1.87 2005/08/23 23:31:04 krw Exp $ */
 /* $NetBSD: sd.c,v 1.111 1997/04/02 02:29:41 mycroft Exp $ */

 /*-
@@ -216,10 +216,9 @@
scsi_autoconf | SCSI_IGNORE_ILLEGAL_REQUEST |
SCSI_IGNORE_MEDIA_CHANGE | SCSI_SILENT);

-   /* Try to start the unit if it wasn't ready. */
-   if (error == EIO)
-   error = scsi_start(sc_link, SSS_START,
-   SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE);
+   /* Spin up the unit ready or not. */
+   error = scsi_start(sc_link, SSS_START, scsi_autoconf | SCSI_SILENT |
+   SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE);

if (error)
result = SDGP_RESULT_OFFLINE;
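Review bot: the scsi_start() call added in this hunk is now unconditional and assigns straight to error, so the result of the preceding command is discarded and any failure of the start command reaches "if (error) result = SDGP_RESULT_OFFLINE;" even for a unit that had already answered as ready. The removed code only issued the start when error == EIO. If spinning up unconditionally is the intent, keep the earlier status in a separate variable, or treat a failed start as fatal only when the unit was not ready beforehand, and say in the comment why a start failure on a ready unit should take the disk offline.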
@@ -386,11 +385,10 @@
(part == RAW_PART && fmt == S_IFCHR) ? SCSI_SILENT : 0 |
SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE);

-   /* Try to start the unit if it wasn't ready. */
-   if (error == EIO)
-   error = scsi_start(sc_link, SSS_START,
-   SCSI_IGNORE_ILLEGAL_REQUEST |
-   SCSI_IGNORE_MEDIA_CHANGE);
+   /* Spin up the unit, ready or not. */
+   error = scsi_start(sc_link, SSS_START,
+   (part == RAW_PART && fmt == S_IFCHR) ? SCSI_SILENT : 0 |
+   SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE);

if (error) {
if (part == RAW_PART && fmt == S_IFCHR) {
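Review bot: the flags argument of the added scsi_start() call, "(part == RAW_PART && fmt == S_IFCHR) ? SCSI_SILENT : 0 | SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE", does not combine the way it reads, because | binds tighter than ?: in C. It parses as cond ? SCSI_SILENT : (0 | SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE), so when the raw character device is opened only SCSI_SILENT is passed and both IGNORE flags are dropped. Parenthesise the conditional, "((part == RAW_PART && fmt == S_IFCHR) ? SCSI_SILENT : 0) | ...". The unchanged context line at the top of the hunk carries the same expression and wants the same fix. As in the previous hunk, the start is now unconditional and overwrites error from the call before it.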



Re: Crash in recent snapshot of current.

2005-08-25 Thread Jason Crawford
On 8/25/05, Jason Crawford <[EMAIL PROTECTED]> wrote:
> I updated my cvs tree today, and recompiled GENERIC with today's
> source, and now the system crashes on boot, telling me that it cannot
> read the disk label, but a GENERIC from two days ago can read the disk
> label just fine. Here is the working dmesg from GENERIC of two days
> ago, and dmesg from GENERIC from today with the trace and ps output.
> Any other information that's needed, please ask, I'm not sure what
> else to include, but this stuff is always asked for.
> 

A little more info, as I downloaded the August 24 snapshot, to see if
my source tree had somehow gotten corrupted. I got an error message
while in the bsd.rd kernel, that both fdisk and disklabel reported:
DIOCGDINFO: Input/output error
I'm not sure what that means exactly, but I'm sure that info would
help in figuring out the problem.

Jason



Re: Collisions in 3.7 under VMware

2005-08-25 Thread Jason Crawford
On 8/25/05, Steve Shockley <[EMAIL PROTECTED]> wrote:
> I've got a 3.7 box running under VMware 2.5.1.  This box acts as a "hub"
> for Unison (over SSH), and the data is stored on a SNAP server mounted via
> NFS (not my choice).
> 
> Originally, using the le driver, network performance was abysmal, and I
> was getting a lot of collisions.
> 
> I noticed that "le at pci" has been replaced by pcn in -current, so for
> kicks I backported the driver to 3.7.  (I hate chasing -current on a
> production box.)

If you really want to use the old le driver, just disable pcn using
the config command, and your kernel will fall back to the old le
driver. However I find pcn works much better for me, so I suggest you
use it, it's as easy as creating a hardlink for hostname.pcn0 to
hostname.le1 (pci le always grabbed 1 or higher, 0 was isa). I leave
both files there, because if I need to go back to openbsd that's pre
pcn driver, then it'll use le again.

> 
> Now, performance is reasonable, but I'm still getting collisions.  A
> sample from systat ifstat:
> 
> Interfaces Ibytes  Ipkts  Ierrs   Obytes  Opkts  Oerrs
> Colls
> pcn0 11585832   8255  0   247940   1476  0
>  368
> 
> Is this normal and/or acceptable?  I've tried forcing full duplex on the
> nic, but it doesn't seem to have any effect.
> 
If you have other boxes on the same subnet, see what stats they are
getting, I don't seem to have many problems with pcn.

Jason



Crash in recent snapshot of current.

2005-08-25 Thread Jason Crawford
I updated my cvs tree today, and recompiled GENERIC with today's
source, and now the system crashes on boot, telling me that it cannot
read the disk label, but a GENERIC from two days ago can read the disk
label just fine. Here is the working dmesg from GENERIC of two days
ago, and dmesg from GENERIC from today with the trace and ps output.
Any other information that's needed, please ask, I'm not sure what
else to include, but this stuff is always asked for.

Working dmesg:
OpenBSD 3.8-beta (GENERIC) #0: Tue Aug 23 12:02:11 EDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz ("GenuineIntel" 686-class) 3.20 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3
real mem  = 133734400 (130600K)
avail mem = 115408896 (112704K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(77) BIOS, date 04/21/04, BIOS32 rev. 0 @ 0xfd880
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1a00! 0xca000/0x1000
0xdc000/0x4000! 0xe4000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
pciide0: channel 0 ignored (disabled)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
"Intel 82371AB Power" rev 0x08 at pci0 dev 7 function 3 not configured
vga1 at pci0 dev 15 function 0 "VMware Virtual SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
bha3 at pci0 dev 16 function 0 "BusLogic MultiMaster" rev 0x01: irq
11, BusLogic 9xxC SCSI
bha3: model BT-958, firmware 5.07B
bha3: sync, parity
scsibus1 at bha3: 8 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI2
0/direct fixed
sd0: 4096MB, 522 cyl, 255 head, 63 sec, 512 bytes/sec, 8388608 sec total
pcn0 at pci0 dev 17 function 0 "AMD 79c970 PCnet-PCI" rev 0x10,
Am79c970A, rev 0: irq 9, address 00:0c:29:6c:86:aa
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fd65 netmask ff65 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02

Crashing dmesg:
OpenBSD 3.8-beta (GENERIC) #0: Thu Aug 25 11:54:29 EDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.20GHz ("GenuineIntel" 686-class) 3.20 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3
real mem  = 133734400 (130600K)
avail mem = 115408896 (112704K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(77) BIOS, date 04/21/04, BIOS32 rev. 0 @ 0xfd880
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1a00! 0xca000/0x1000
0xdc000/0x4000! 0xe4000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
pciide0: channel 0 ignored (disabled)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0
5/cdrom removable
cd0(pciide0:1:0

Re: How to configure bind to work under OpenBSD 3.7

2005-08-25 Thread Jason Crawford
Put:
named_flags=""
in /etc/rc.conf.local
and bind will work. Edit files in /var/named/ directory to suit your
needs as well, but the above line in /etc/rc.conf.local will start
named on boot, and it will just work. Read /etc/rc.conf to see how to
start other daemons, but put changes into /etc/rc.conf.local

Jason

On 8/25/05, Joco Salvatti <[EMAIL PROTECTED]> wrote:
> HI all,
> 
> I'd like to know where I could find information about how to configure bind
> to
> work under OpenBSD 3.7. I've already made a search in the net, but the
> available documents are vacant. I've already looked at FAQ files, but I also
> couldn't find a thing.
> 
> Thanks.
> 
> --
> Joco Salvatti
> Undergraduating in Computer Science
> Federal University of Para - UFPA
> web: http://salvatti.expert.com.br
> e-mail: [EMAIL PROTECTED]



Re: /usr/share/pf/ suggestion

2005-08-24 Thread Jason Crawford
On 8/24/05, Bryan Irvine <[EMAIL PROTECTED]> wrote:
> > I personally like to 'pass keep state' with a 'scrub all' rule. This
> > at least gives me some interesting statistics to poke at when I'm
> > bored. Plus, I can firewall who gets to ssh into my machine.
> 
> Another good use is {max-src-states  ##} for webservers and the like.
> I have a webserver that would crash at 9am every morning when a few
> bots (2 in particular) would crawl the site.  They are poorly
> configured and open roughly 120 simultaneous connections.  They were
> very low bandwidth, but there went all available connections.
> 
> To quote Theo it's "Horse-shit" to say you don't need to filter single hosts.
> 

I left out a lot of my reasoning for feeling the way I do in my first
mail about not needing a packet filter on single hosts, and it's more
a personal preference, not telling everyone that you're all idiots for
wanting to. If your web server crashes because it has 240 connections
open (I'm assuming 120 per bot) then there seems to be something else
wrong with it, and shouldn't be ignored by just throwing up pf. It was
more that for me, if I throw up pf to protect a single host, I tend to
get lazy in the administration of it, and start ignoring things that
should really be looked at (like applications opening up random ports,
in reference to an earlier KDE post). I really don't think that a
desktop environment should be opening up anything at all, and so I'd
rather just not run it instead of run a desktop environment that I
have no idea what it's doing on the network. If anyone is interested
any further as to why I feel the way I do, email me privately, since
this is getting way off topic and doesn't belong on the openbsd-misc
mailing list anyways.

Jason



Re: /usr/share/pf/ suggestion

2005-08-23 Thread Jason Crawford
On 8/23/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > > That is the most ridiculous thing I've heard all day.  Lots of people
> > > run servers and must block them, on the same machine.  Probably every
> > > single one of us.
> >
> > I'm not sure I understand what you mean. If you're going to run a
> > server, what's the point of blocking it? Might as well turn it off.
> 
> My laptops filter port 6000 and up, thank you very much.
> 
> I will not stop running X.
> 
> You must just plain not understand what you are saying.
> 
> Your statements are beyond ridiculous.  You are saying "If you need
> to filter it, you should not be running it".

X doesn't have to listen on TCP 6000, you can set up a unix socket, and
it's no longer reachable from the network, and you still have full
functionality (I know, I do just that). There's more than one way to
do anything. If something needs to only be locally accessible, only
have it listen locally, or use unix sockets instead of tcp/udp sockets
completely.

Jason



Re: /usr/share/pf/ suggestion

2005-08-23 Thread Jason Crawford
On 8/23/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> > Secondly, it seems pretty pointless to set up pf on a single host.
> 
>   
> 
> That is the most ridiculous thing I've heard all day.  Lots of people
> run servers and must block them, on the same machine.  Probably every
> single one of us.

I'm not sure I understand what you mean. If you're going to run a
server, what's the point of blocking it? Might as well turn it off.

> 
> > Instead of worrying about the
> > firewall, which takes up more memory and cpu and all that, just shut
> > off services that you don't need and be done with it. If the attacker
> > can hurt your OpenBSD machine, then your firewall is vulnerable as
> > well, and it won't protect any applications that need open ports
> > listening. Turning off services is always much better than turning on
> > services (pf) if you need protection. And the way OpenBSD is set up by
> > default, nothing is listening except a couple inetd services (which I
> > always turn off), and sshd if you said y in install, that's it.
> 
> Anyone who says "I only need to block packets in my firewall" has got
> it all wrong.

I never said that. PF isn't the only way to block packets, like TCP
wrappers or ACLs within the server itself. It seems that adding
another layer to the mix takes up more CPU and RAM than needed, since
most servers have some sort of ACL list for acceptable hosts, and tcp
wrappers does a good job too.

Jason



Re: /usr/share/pf/ suggestion

2005-08-23 Thread Jason Crawford
On 8/23/05, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> --On 23 August 2005 17:25 -0400, Jason Crawford wrote:
> 
> > Secondly, it seems pretty pointless to set up pf on a single host.
> 
> It has its uses - spamd, for one...
> 
Which is already covered in the spamd man page and doesn't need
another entry in the FAQ.



Re: /usr/share/pf/ suggestion

2005-08-23 Thread Jason Crawford
On 8/23/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > -Original Message-
> > From: j knight [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 23, 2005 4:47 PM
> > To: Will H. Backman
> > Subject: Re: /usr/share/pf/ suggestion
> >
> > --- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400:
> >
> > > Would it be useful to add an example pf rule set for just a simple host?
> > > All of the examples assume a router.
> > >
> >
> > This would be more useful in the faq. Please send what you've written.
> >
> > :-)
> >
> >
> >
> > .joel
> 
> # pf rules for a stand alone machine.
> 
> #Change external interface to match yours
> ext_if=xl0
> 
> scrub in all
> 
> block in all
> 
> pass out keep state
> 
> pass quick on lo all
> 

First off, it should be, set skip on lo0 (or lo, but by default
there's only one lo interface anyways). Secondly, it seems pretty
pointless to set up pf on a single host. Instead of worrying about the
firewall, which takes up more memory and cpu and all that, just shut
off services that you don't need and be done with it. If the attacker
can hurt your OpenBSD machine, then your firewall is vulnerable as
well, and it won't protect any applications that need open ports
listening. Turning off services is always much better than turning on
services (pf) if you need protection. And the way OpenBSD is set up by
default, nothing is listening except a couple inetd services (which I
always turn off), and sshd if you said y in install, that's it.

Jason
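
The stand-alone ruleset discussed in this thread, with the "set skip on lo0" correction from the reply above and the per-source state limit mentioned elsewhere in the thread, as an added example that is not part of any poster's message. It uses the same pf.conf syntax as the posted ruleset; the interface name, the open ports and the limit of 20 are assumptions.

```pf
# Constructed example for a single host, in the pf.conf syntax used in the thread.
# Assumptions: xl0 is the external interface; the host serves ssh and www.
ext_if = "xl0"

# Options come first: do not filter loopback traffic at all.
# This replaces the posted "pass quick on lo all".
set skip on lo0

# Normalize inbound packets before filtering.
scrub in all

# Default deny inbound; allow outbound and keep state so replies return.
block in all
pass out keep state

# Administrative access.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state

# Web service: cap simultaneous states per source address (20 is an
# assumed value) so one crawler cannot hold every connection slot.
pass in on $ext_if proto tcp from any to any port www flags S/SA \
    keep state (max-src-states 20)
```

Parse the file with "pfctl -nf /etc/pf.conf" before loading it; -n checks the rules without applying them.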



Re: How to patch a physically weak system & recommended use of sudo?

2005-08-18 Thread Jason Crawford
On 8/18/05, Scott Plumlee <[EMAIL PROTECTED]> wrote:
> Nick Holland wrote:
> > Tim wrote:
> >
> >>Hello
> >>
> >>1. I have an old computer that is slow and has little memory. But I
> >>want to keep it updated with patches. I can't compile these patches
> >>on the system but I could do it on another faster system. But how can
> >>I later apply the compiled patches to the weak system?
> >
> >
> > In addition to the previously mentioned release(8) process (also
> > documented here: http://www.openbsd.org/faq/faq5.html#Release), there is
> > another thing you could do:  run snapshots.  They will have all the
> > security and reliability updates (before they are in -stable, in fact),
> > but also feature updates.
> >
> >
> >>2. A lot of you seem to use sudo instead of su - when you want to do
> >>something that requires privileges. Why is this? What settings are
> >>you using for sudo?
> >
> >
> > Took me a while to get interested in sudo, which is unfortunate.  Way
> > cool program.
> >
> > When I set up an OpenBSD system, one of the first things I do is create
> > a personal user for myself, put myself in the wheel group, configure
> > sudo to let wheel users do anything, log in as that user, and disable
> > root logins.  Completely disable.  This does a few things...
> 
> Is your preferred method for doing so to remove the root user, or set
> the shell to nologin, or something else?  I like the idea, but I'd
> rather not shoot myself in the foot doing it.

Disabling root locally is extremely dangerous in my opinion. Just
disable any remote root logins, but keep root locally accessible. If
the attacker has local access, not being able to login as root doesn't
do much.

Jason


