Re: breeding developers
Well, seems hard to breed the developers when the OpenBSD EU store does not accept large orders when I tried to check out :(

Sorry, we are not able to accept orders over 250 GBP.

//Jonas

On 2010-03-14 08.52, Antoine Jacoutot wrote:

Hi.

I'm usually not very active on misc@ but since pre-orders for 4.7 have started, I think it is the right time to remind us all that CD sales are not only important but critical to the project.

First, lack of money means fewer hackathons, which renders hacking less fun, and fun is the number 1 motivation for most people imho. No money - no hackathon - no fun - no hack... you see the point.

Also a project this big (yes, a hobby can be huge) does not rule itself out of the air and money is needed for infrastructure, administration, hardware and tons of other things.

So if you like OpenBSD, don't forget its biannual birthday and buy CDs. If you don't like OpenBSD, then buy even more CDs because having competition is good for other projects.

Thank you all.
pf and fragmented IPv6 packets
Like a month ago we got a complaint from a user that our website was unreachable over IPv6. We have 2x native IPv6 transits. The user had bought IPv6 from an ISP that uses tunneling to deliver it to the organization. After some packet traces we found out that the problem was in PF and that it doesn't seem to handle fragmented IPv6 packets. Sure enough, from the man page of pf.conf:

Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally.

The problem is that some of Sweden's largest ISPs use tunneling for IPv6 to their customers so we can't just say, ditch 'em. Teredo seems to work fine. Is there a workaround or plans to implement support for this in pf? We have multiple firewalls and the others have no problems with IPv6 + fragmented packets.

//Jonas
Re: pf and fragmented IPv6 packets
Thanks Rod for your input. We use pf as a firewall, and when we get the users' IPv6 packets they are already fragmented. Native IPv6 and Teredo tunnels do not get fragmented on the way to us. I will read up on your links ;)

// Jonas

Rod wrote:

I have an IPv6 over IPv4 connection. I once had two, one using a hexago tunnel and the other I still have using a Hurricane Electric one. I have never had a problem connecting through OpenBSD with a pf firewall to native IPv6 sites like Google's v6 or the hosts on the /32 IPv6 netblock I maintain using an OpenBSD / OpenBGPd router. Maybe I'm just lucky.

I'm a bit confused as to why packets need to be fragmented on IPv6 other than to play DDOS games. Nobody needs packets bigger than the specified minimum (1280B) and the usual problem is a PMTUD blackhole anyway. Don't you just love all those cretins that block all ICMP packets on IPv4? They can stuff up IPv6 too.

There is some advice about debugging this kind of problem in van Beijnum's Running IPv6. Try starting with that or finding out why there are oversized packets there anyway.

The real fly in the ointment is the stupid way one can frag packets madly in IPv6 with mayhem in mind.

* If you want to allow reassembly you have to figure out what to do about malicious frags which can exhaust your RAM quite easily.
* See http://www.ruxcon.org.au/files/2006/dowd_ipv6.ppt

I'm too tired to reread this to see if it all makes sense but if I left it until I was fresher I'd have forgotten to reply ;-)

Hope you can get some good out of it.

Regards,

*** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
--
Jonas Thambert CISSP, CISA, CISM
Swedish IT Incident Centre, GovCERT-SE AS41884
National Post and Telecom Agency
P O Box 5398, SE-102 49 Stockholm, Sweden
Office address: Birger Jarlsgatan 16, Stockholm
Tel dir: +46 8 678 57 65
Mob: +46 706 25 57 65
Op: +46 8 678 55 00
Fax: +46 8 678 55 05
SITIC: +46 8 678 5799
Mailto: jonas.thamb...@sitic.se
http://www.sitic.se
http://www.pts.se
--
Get my PGP-Key at: http://www.sitic.se/jonas.thambert_at_sitic.se.asc
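Rod's point above, that allowing IPv6 reassembly means deciding what to do about fragment trains that never complete, as an added example that is not code from pf or from either poster: a small Python reassembler that parses the Fragment extension header and enforces a per-train byte cap plus a flow-table cap, so half-finished or overlapping trains are dropped instead of accumulating in RAM. The cap values, the `make_fragments` helper and the addresses in the test are constructed for the demonstration.

```python
import struct

FRAG_HDR = struct.Struct("!BBHI")  # next header, reserved, offset|res|M-flag, identification

class BoundedReassembler:
    """IPv6 fragment reassembler with hard caps (illustrative, not pf's code).
    Flows are keyed by (src, dst, identification); a flow that would exceed max_flow_bytes
    is discarded and the oldest flow is evicted when the table is full."""

    def __init__(self, max_flows=16, max_flow_bytes=65535):
        self.max_flows, self.max_flow_bytes = max_flows, max_flow_bytes
        self.flows = {}    # key -> {"parts": {offset: data}, "total": int|None, "bytes": int}
        self.dropped = 0   # flows discarded because a cap was hit or offsets collided

    def feed(self, src, dst, frag):
        """frag = 8-byte Fragment header + data; returns the full payload when complete, else None."""
        _nh, _res, off_flags, ident = FRAG_HDR.unpack_from(frag)
        offset = (off_flags >> 3) * 8   # offset field counts 8-octet units
        more = off_flags & 1            # M flag: more fragments follow
        data = frag[FRAG_HDR.size:]
        key = (src, dst, ident)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.max_flows:   # evict the oldest train instead of growing
                del self.flows[next(iter(self.flows))]
                self.dropped += 1
            flow = self.flows[key] = {"parts": {}, "total": None, "bytes": 0}
        if flow["bytes"] + len(data) > self.max_flow_bytes or offset in flow["parts"]:
            del self.flows[key]          # over budget or duplicate offset: drop the whole train
            self.dropped += 1
            return None
        flow["parts"][offset] = data
        flow["bytes"] += len(data)
        if not more:
            flow["total"] = offset + len(data)
        if flow["total"] is not None:    # complete only if parts are contiguous up to total
            parts = sorted(flow["parts"].items())
            ends = [0] + [off + len(d) for off, d in parts]
            if all(off == ends[i] for i, (off, _) in enumerate(parts)) and ends[-1] == flow["total"]:
                del self.flows[key]
                return b"".join(d for _, d in parts)
        return None

def make_fragments(payload, ident, chunk=16):
    """Constructed sample: split payload into a fragment train (chunk is a multiple of 8)."""
    frags = []
    for off in range(0, len(payload), chunk):
        more = 1 if off + chunk < len(payload) else 0
        frags.append(FRAG_HDR.pack(6, 0, ((off // 8) << 3) | more, ident) + payload[off:off + chunk])
    return frags
```

`dropped` is the counter a defender would export: a sustained rise in it with few completed trains is the signature of the memory-exhaustion pattern Rod describes.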
Re: apache DOS tool
Aiko Barz wrote:

On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:

"The solution, like the problem, lies in the network layer. See iptables and similar network stack filters to provide protection against this vector." /unquote

Seems like they (and you) are saying Apache is not the place for the fix?

Apache would be the right place to fix the issue IMHO since other webservers are not affected that much. Maybe something like not counting an unfinished request as an active worker thread. But this is up to the people who know the program internals, which I don't.

So long, Aiko

This is more interesting: http://www.phrack.com/issues.html?issue=66id=9#article

//Jonas
Latest Phrack
Anyone tested this against OpenBSD's stack? http://www.phrack.com/issues.html?issue=66id=9#article

//Jonas
Re: creating a vpn tunnel to all
Chris Bullock wrote:

Background: We are using Metro Ethernet to connect several sites to our main office. In order to save money the telco has a couple of sites riding the same vlan coming into us. One of these sites is one of our remote offices and the other is a competing office.

Problem: Since we are on the vlan there is no way I can route without the possibility of someone running a sniffer and sniffing my packets, so my goal is I want all my traffic from my remote office to come through my main office, even Internet. To map this tunnel using isakmpd would I just create a tunnel to 0.0.0.0?

Regards, Chris

Set up a VPN between the remote offices and your main site. Aggregate all the traffic to your main site where you have internet connectivity using an IGP or static routes. Should solve your ethernet snooping problem.

/Jonas
Re: Cannot upgrade from 3.8
I have several servers with the same problem. The solution has always been to disable one or two drivers that conflict. To be able to upgrade the servers (DL380 G4) we have that use Adaptec 2101S cards we had to disable the iopsp* driver on boot. Before we had to disable the ciss driver on some servers. One server that uses an LSI MegaRAID 310-1 we haven't been able to find the correct driver that conflicts. So we had to switch RAID-card :-(

/Jonas

Antti Harri wrote:

Hello, I have a machine that I'm not able to upgrade because the machine won't boot newer kernels. They're hanging right after SATA init and it also displays a different SATA/pciide chip model (VT6420) than with 3.8. I've tried 3.9-release from the official CD, 4.0-release and 4.1-release kernels and some snapshots.

hw.machine=i386
hw.model=AMD Athlon(TM) XP 1700+ (AuthenticAMD 686-class, 256KB L2 cache)
hw.ncpu=1
hw.byteorder=1234
hw.physmem=267988992
hw.usermem=267653120
hw.pagesize=4096
hw.disknames=wd0,cd0,fd0
hw.diskcount=3
hw.sensors.3=it0, VCORE_A, volts_dc, 1.84 V
hw.sensors.4=it0, VCORE_B, volts_dc, 0.00 V
hw.sensors.5=it0, +3.3V, volts_dc, 3.22 V
hw.sensors.6=it0, +5V, volts_dc, 4.92 V
hw.sensors.7=it0, +12V, volts_dc, 11.97 V
hw.sensors.8=it0, Unused, volts_dc, -8.60 V
hw.sensors.9=it0, -12V, volts_dc, -17.00 V
hw.sensors.10=it0, +5VSB, volts_dc, 5.00 V
hw.sensors.11=it0, VBAT, volts_dc, 4.08 V
hw.sensors.12=it0, Temp1, temp, 47.00 degC / 116.60 degF
hw.sensors.13=it0, Temp2, temp, 37.00 degC / 98.60 degF
hw.sensors.14=it0, Temp3, temp, 127.00 degC / 260.60 degF
hw.cpuspeed=1467

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(TM) XP 1700+ (AuthenticAMD 686-class, 256KB L2 cache) 1.47 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu0: AMD Powernow: FID
real mem = 267988992 (261708K)
avail mem = 237649920 (232080K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(48) BIOS, date 06/28/05, BIOS32 rev. 0 @ 0xf1940
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1ff2
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1f20/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT82C586 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xcc000/0x4400!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8377 PCI rev 0x80
ppb0 at pci0 dev 1 function 0 VIA VT8377 PCI-PCI rev 0x00
pci1 at ppb0 bus 1
vga1 at pci0 dev 10 function 0 Matrox MGA Millennium II 2164W rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 12 function 0 Intel 82557 rev 0x08, i82559: irq 10, address 00:90:27:93:85:c2
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
pciide0 at pci0 dev 15 function 0 VIA VT8237 SATA rev 0x80: DMA
pciide0: using irq 3 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: ST3200822AS
wd0: 16-sector PIO, LBA48, 190782MB, 390721968 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide1 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: PLEXTOR, DVDR PX-708A, 1.08 SCSI0 5/cdrom removable
cd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide1: channel 1 disabled (no drives)
uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: irq 3
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 16 function 3 VIA VT83C572 USB rev 0x81: irq 3
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 4 VIA VT6202 USB rev 0x86: irq 5
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
pcib0 at pci0 dev 17 function 0 VIA VT8237 ISA rev 0x00
auvia0 at pci0 dev 17 function 5 VIA VT8233 AC97 rev 0x60: irq 5
ac97: codec id 0x41445368 (Analog Devices
High Load - t/s
I have an OpenBSD 3.9 server with courier imapd-ssl running. The load on the server is heavy from transactions on the disk where I store the emails. I'm using an Adaptec 2010S SCSI RAID card. I have tried and tweaked the courier imap server the best I can without any luck. From iostat:

      tty           cd0             fd0             sd0             sd1             cpu
 tin tout  KB/t t/s  MB/s  KB/t t/s  MB/s  KB/t t/s  MB/s  KB/t t/s  MB/s  us ni sy in  id
   0    1  0.00   0  0.00  0.00   0  0.00 50.72   4  0.19  9.92  16  0.15   1  0  0  0  99
   0  268  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 14.51 144  2.04   0  0  1  0  99
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 14.10 143  1.97   1  0  0  0  99
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 12.40 139  1.68   0  0  2  0  98
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 11.40 146  1.62   1  0  1  0  98
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 12.03 140  1.64   0  0  0  1  99
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 10.97 141  1.51   0  0  0  0 100

The sd1 disk has 140 t/s. CPU load is nothing.

w: 12:35PM up 46 days, 6:15, 1 user, load averages: 7.11, 5.46, 3.09

Any ideas?

Regards
Jonas
Re: High Load - t/s
Lars Hansson wrote:

What's the actual problem? High load average in itself is not necessarily a problem.

The problem is the t/s on the sd1 device where I have the email storage. I have less than 10 accounts and clients on a Xeon 3.0 GHz server with 1 Gb RAM. I have tried to see why I have so many t/s on the disk but I can not figure it out. The disks are SCSI disks, 15 000 rpm.

/Jonas
Question regarding mailserver setup
Hi,

I'm using postfix, amavisd, clamav and spamassassin on an OpenBSD 3.9 server. The setup works great. The problem I have is that I would like to use Razor or Pyzor. I tried and installed razor but it doesn't seem to work very well. On another Linux server I have Pyzor and it catches almost all spam I get. What is the best anti-spam solution to use for OpenBSD?

Regards
Jonas
Problem upgrading to 3.9 - Proliant dl380 g2 with LSI MegaRAID 320-1 RAID-card
Hello list,

I'm having a problem upgrading a 3.8 stable to 3.9 stable. The server is a Proliant dl380 g2 with an LSI MegaRAID 320-1. When booting the CD it stops right after the ami driver is loaded:

ami0 at pci3 dev 4 function 0 Symbios Logic MegaRAID rev 0x01: irq 7

Under 3.8 it works great. I have tested disabling the ciss driver when booting and also disabling the onboard smart array card in the BIOS just to see if it changes things. The Proliant BIOS I'm using is P29 and the MegaRAID BIOS is from mid 2004.

Anyone with the same problem?

/Jonas
Re: Problem upgrading to 3.9 - Proliant dl380 g2 with LSI MegaRAID 320-1 RAID-card
David Gwynne wrote:

On 24/08/2006, at 7:39 PM, Jonas Thambert wrote:

Hello list, I'm having a problem upgrading a 3.8 stable to 3.9 stable. The server is a Proliant dl380 g2 with an LSI MegaRAID 320-1. When booting the CD it stops right after the ami driver is loaded:

can you try a snapshot and see if the problem still exists?

dlg

I will try and upgrade the MegaRAID BIOS first, as Henning has suggested. Might be a BIOS problem. Another user with a BIOS problem: http://archives.neohapsis.com/archives/openbsd/2006-08/1120.html

/Jonas