Re: firefox-esr and icedtea-web
Apologies for the noise. Just for the record:

Firefox limits NPAPI support (technology required for Java applets)

64-bit Firefox
The 64-bit version of Firefox does not support NPAPI plug-ins, including Java.

Firefox 52 and above
Beginning with Firefox 52 (released March 2017), plug-in support is limited to Adobe Flash, and drops support for NPAPI, impacting plugins for Java, Silverlight, and other similar NPAPI based plugins.
Re: bikeCAD.ca and icedtea-web
Sorry for the typo.
bikeCAD.ca and icedtead-web
Hi. I need to access bikecad.ca's Java applet. I installed icedtea-web and restarted firefox-esr but the applet won't show up in my browser. Any advice?
help please, my real memory is disappearing
Hello,

maybe you still recall the problem with ftpd memory allocation I posted here a few days ago. Since then I tried to do more "research" and found the same issue on two different HW boxes, both with OpenBSD 4.5 and OpenBSD 4.6.

To summarize it, I found that the built-in ftpd server takes too much memory while clients are downloading files, and this memory is freed neither when downloads are finished nor when I kill ftpd. What's more, top, ps and vmstat do not show which process the memory is allocated by. All I can see during ftp downloads initiated by clients is decreasing free memory and increasing allocated memory in the top command output. After a few minutes of downloading I lost about 800MB of real memory. Allocated memory shown by the top command is the part of real memory behind the "/". This should be something like allocated memory which is not currently used, if I'm not mistaken.

Although I'm not sure if this could be intentional behavior, I have three main questions:

1. Is it normal that memory is not freed after I kill the ftpd daemon?
2. Is it normal that ftpd can take about 800MB of real memory while serving GET requests? (only 1 client is able to consume that portion of memory)
3. Is it normal that this memory seems to be lost from the system? It's not visible as allocated by some process.

Thank you for your help.
MK
ftpd, OpenBSD 4.5 memory behavior
Hello all,

recently I've noticed on my OpenBSD 4.5 Stable box strange memory behavior while downloading files from the ftpd daemon. It seems ftpd somehow allocates more and more memory. Memory is not freed until something else needs it. At least it is always freed after the daily script runs. I've noticed this problem while a few clients were downloading files from the box and I don't recall I saw something similar on OpenBSD 4.4.

top output shows something like this:

Memory: Real: 53M/836M (normal state should be about 53M/170M)

I was also trying to reproduce the "problem" by downloading files from ftpd and saving remaining free memory every 10 minutes.

Date                | Free Memory (KB)
2009-11-11 18:30:01 | 807936
2009-11-11 18:40:01 | 771072
2009-11-11 18:50:02 | 561152
2009-11-11 19:00:02 | 329728
2009-11-11 19:10:02 | 214016
2009-11-11 19:20:02 | 211968

Is it a normal situation?

Thanks
MK
Does motherboard INTEL MB BLKD945GSEJT work with OpenBSD
Hello, I'm trying to build a router with low electric consumption. I've found quite interesting and cheap motherboard Intel Desktop Board D945GSEJT http://support.intel.com/Products/Desktop/Motherboards/D945GSEJT/D945GSEJT-overview.htm It's based on Atom N270, and it has integrated Ethernet adapter Realtek 8111DL. I have not found anything on Google about this board under OpenBSD. Is anyone using it? Thanks MK
Re: IPsec Windows Vista client - OpenBSD, NAT-T problem
It solved my problem, thank you very much.

MK

--
From: "Marcello Cruz"
Sent: Thursday, April 23, 2009 6:30 PM
To:
Cc: "MK"
Subject: Re: IPsec Windows Vista client - OpenBSD, NAT-T problem

Dear MK,

There is a problem with the IPSec implementation on Vista and W2K8. Microsoft seems to have a patch. Please, see these articles:

* http://support.microsoft.com/kb/957624/en-us
* http://support.microsoft.com/kb/946887/en-us
* http://technet.microsoft.com/en-us/library/bb878090.aspx

If you try to connect to your VPN using XP or W2K clients it works fine.

Kind regards,
Marcello Cruz

- Original Message -
From: "MK"
To:
Sent: Thursday, April 23, 2009 12:49 PM
Subject: IPsec Windows Vista client - OpenBSD, NAT-T problem

Hello,

I'm trying to learn how to setup IPsec connection, therefore I started with quite simple settings. I'd like to allow clients from outside to connect my OpenBSD server through encrypted channel, however I came across some difficulties I'm not able to solve.

scheme of my environment is following:

client (Windows Vista) - NAT (mikrotik) --- internet --- (public IP) OpenBSD

I decided to use PSK to simplify my settings: my ipsec.conf file contains:

ike passive from any to any \
	main auth hmac-sha1 enc aes group modp1024 \
	quick auth hmac-sha1 enc aes psk my_key

From my understanding this should allow all clients to connect my server via encrypted channel. I started isakmpd and setup a client for Windows Vista - for beginning I used TheGreenBow IPSec VPN Client. After a few minutes I had working environment so I decided to use native Windows Vista IPsec client and here is my problem:

Vista client is not able to communicate with my OpenBSD server for some reason I do not see. I was checking settings of the client and did not find any problem, then I just tried to shutdown isakmpd and to start it again with -T flag without NAT-T support. Immediately after this change, Vista client successfully connected to OpenBSD and communication was encrypted and working.
If I start isakmpd again with NAT-T support then Vista can not negotiate IPsec with OpenBSD. I think NAT-T is important for me, because if I understand it well, it should allow IPsec communication for more clients behind same NAT simultaneously, however from some reason if I allow NAT-T support in OpenBSD, Vista can not reach the server anymore. TheGreenBow IPSec VPN Client works just fine even with NAT-T. I'm out of ideas and I'd like to kindly ask you for any help. I started isakmpd with -L switch to provide some additional information for both clients (working GreenBow and Vista client) Best regards MK Vista- NAT-T not working: 0:25:01.013804 84.42.224.147.500 > 217.197.149.135.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: c8434925c7d015f1-> msgid: len: 232 payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 40 transform: 1 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute KEY_LENGTH = 128 attribute HASH_ALGORITHM = SHA attribute GROUP_DESCRIPTION = MODP_1024 attribute AUTHENTICATION_METHOD = PRE_SHARED attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 0e10 payload: VENDOR len: 24 payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 payload: VENDOR len: 20 payload: VENDOR len: 20 payload: VENDOR len: 20 [ttl 0] (id 1, len 260) 00:25:01.014657 217.197.149.135.500 > 84.42.224.147.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: len: 188 payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 40 transform: 1 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute KEY_LENGTH = 128 attribute HASH_ALGORITHM = SHA attribute GROUP_DESCRIPTION = MODP_1024 attribute AUTHENTICATION_METHOD = PRE_SHARED 
attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 0e10 payload: VENDOR len: 20 (supports OpenBSD-4.0) payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-
IPsec Windows Vista client - OpenBSD, NAT-T problem
Hello,

I'm trying to learn how to setup IPsec connection, therefore I started with quite simple settings. I'd like to allow clients from outside to connect my OpenBSD server through encrypted channel, however I came across some difficulties I'm not able to solve.

scheme of my environment is following:

client (Windows Vista) - NAT (mikrotik) --- internet --- (public IP) OpenBSD

I decided to use PSK to simplify my settings: my ipsec.conf file contains:

ike passive from any to any \
	main auth hmac-sha1 enc aes group modp1024 \
	quick auth hmac-sha1 enc aes psk my_key

From my understanding this should allow all clients to connect my server via encrypted channel. I started isakmpd and setup a client for Windows Vista - for beginning I used TheGreenBow IPSec VPN Client. After a few minutes I had working environment so I decided to use native Windows Vista IPsec client and here is my problem:

Vista client is not able to communicate with my OpenBSD server for some reason I do not see. I was checking settings of the client and did not find any problem, then I just tried to shutdown isakmpd and to start it again with -T flag without NAT-T support. Immediately after this change, Vista client successfully connected to OpenBSD and communication was encrypted and working. If I start isakmpd again with NAT-T support then Vista can not negotiate IPsec with OpenBSD.

I think NAT-T is important for me, because if I understand it well, it should allow IPsec communication for more clients behind same NAT simultaneously, however from some reason if I allow NAT-T support in OpenBSD, Vista can not reach the server anymore. TheGreenBow IPSec VPN Client works just fine even with NAT-T.

I'm out of ideas and I'd like to kindly ask you for any help.
I started isakmpd with -L switch to provide some additional information for both clients (working GreenBow and Vista client)

Best regards
MK

Vista- NAT-T not working:

0:25:01.013804 84.42.224.147.500 > 217.197.149.135.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
	cookie: c8434925c7d015f1-> msgid: len: 232
	payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
	    payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
	        payload: TRANSFORM len: 40
	            transform: 1 ID: ISAKMP
	                attribute ENCRYPTION_ALGORITHM = AES_CBC
	                attribute KEY_LENGTH = 128
	                attribute HASH_ALGORITHM = SHA
	                attribute GROUP_DESCRIPTION = MODP_1024
	                attribute AUTHENTICATION_METHOD = PRE_SHARED
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 0e10
	payload: VENDOR len: 24
	payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
	payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
	payload: VENDOR len: 20
	payload: VENDOR len: 20
	payload: VENDOR len: 20
	payload: VENDOR len: 20 [ttl 0] (id 1, len 260)
00:25:01.014657 217.197.149.135.500 > 84.42.224.147.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
	cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: len: 188
	payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
	    payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
	        payload: TRANSFORM len: 40
	            transform: 1 ID: ISAKMP
	                attribute ENCRYPTION_ALGORITHM = AES_CBC
	                attribute KEY_LENGTH = 128
	                attribute HASH_ALGORITHM = SHA
	                attribute GROUP_DESCRIPTION = MODP_1024
	                attribute AUTHENTICATION_METHOD = PRE_SHARED
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 0e10
	payload: VENDOR len: 20 (supports OpenBSD-4.0)
	payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
	payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
	payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
	payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 216)
00:25:01.078015 84.42.224.147.500 > 217.197.149.135.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
	cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: len: 260
	payload: KEY_EXCH len: 132
	payload: NONCE len: 52
	payload: NAT-D len: 24
	payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
00:25:01.113648 217.197.149.135.4500 > 84.42.224.147.4500: [udp sum ok] udpencap: isakmp v1.0 exchange ID_PROT
	cookie: c8434925c7d015f1->fbb7ca86fb1f0a6b msgid: len: 260
	payload: KEY_EXCH len: 132
	payload: NONCE len: 52
	payload: NAT-D len: 24
	payload: NAT-D len: 24 [ttl 0] (
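A way to read traces like the one in this message, added here as an example and not part of the original post: the script lists the NAT-T variants each peer advertises in its VENDOR payloads, the ones both share, and which peer first sends from UDP 4500. The trace is constructed (documentation addresses, made-up cookies, same payload sequence as above) and all function names are assumptions.

```python
import re

# Constructed trace modelled on the tcpdump lines quoted above. The second
# packet is wrapped over two lines, as happens when such output is pasted
# into mail.
SAMPLE_TRACE = """\
00:25:01.013804 198.51.100.7.500 > 203.0.113.9.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 1111111111111111-> msgid: len: 232 payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: VENDOR len: 24 payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) [ttl 0] (id 1, len 260)
00:25:01.014657 203.0.113.9.500 > 198.51.100.7.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 1111111111111111->2222222222222222 msgid: len: 188 payload: SA len: 60 payload: VENDOR len: 20 (supports OpenBSD-4.0)
   payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 216)
00:25:01.078015 198.51.100.7.500 > 203.0.113.9.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 1111111111111111->2222222222222222 msgid: len: 260 payload: KEY_EXCH len: 132 payload: NONCE len: 52 payload: NAT-D len: 24 payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
00:25:01.113648 203.0.113.9.4500 > 198.51.100.7.4500: [udp sum ok] udpencap: isakmp v1.0 exchange ID_PROT cookie: 1111111111111111->2222222222222222 msgid: len: 260 payload: KEY_EXCH len: 132 payload: NONCE len: 52 payload: NAT-D len: 24 payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
"""

# "<time> <src ip>.<port> > <dst ip>.<port>: <rest of packet>"
HEADER = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<body>.*)$"
)
PAYLOAD = re.compile(r"payload: ([A-Z][A-Z_-]*) len: \d+")
SUPPORTS = re.compile(r"payload: VENDOR len: \d+ \(supports ([^)]*)\)")


def parse_packets(trace):
    """Split a trace into packets; lines without a header continue the previous one."""
    records = []
    for line in trace.splitlines():
        line = line.strip()
        if not line:
            continue
        if HEADER.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    packets = []
    for rec in records:
        m = HEADER.match(rec)
        packets.append({
            "ts": m["ts"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "payloads": PAYLOAD.findall(m["body"]),
            "vendor": SUPPORTS.findall(m["body"]),
        })
    return packets


def natt_variants(vendor_caps):
    """'v2 NAT-T, draft-...-02' -> 'draft-...-02'; non NAT-T vendor IDs are ignored."""
    return {cap.split(", ", 1)[-1] for cap in vendor_caps if "NAT-T" in cap}


def summarise(trace):
    packets = parse_packets(trace)
    if not packets:
        return None
    initiator, responder = packets[0]["src"], packets[0]["dst"]
    advertised = {initiator: set(), responder: set()}
    for p in packets:
        advertised.setdefault(p["src"], set()).update(natt_variants(p["vendor"]))
    # First packet that uses the NAT-T port on either end.
    floated = next((p for p in packets if 4500 in (p["sport"], p["dport"])), None)
    first_4500 = None
    if floated:
        first_4500 = {
            "ts": floated["ts"],
            "sender": floated["src"],
            "role": "initiator" if floated["src"] == initiator else "responder",
            "payloads": floated["payloads"],
        }
    return {
        "initiator": initiator,
        "responder": responder,
        "advertised": {ip: sorted(v) for ip, v in advertised.items()},
        "shared": sorted(advertised[initiator] & advertised[responder]),
        "nat_d_seen": any("NAT-D" in p["payloads"] for p in packets),
        "first_4500": first_4500,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_TRACE).items():
        print(key, "=", value)
```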
authpf shell is not terminating
Hello all,

I have some strange difficulties with authpf shell on my OpenBSD 4.2 stable server. Everything works as expected but after the client tries to terminate session by CTRL+C, there is still an active process on the server related to this user. In fact it's not possible to close the session correctly by client. Could you please give me some clue what am I doing wrong?

before CTRL+C

-+= 21897 root sshd: user1 [priv] (sshd)
 \-+- 29963 user1 sshd: [EMAIL PROTECTED] (sshd)
   \--= 28195 user1 -authpf: [EMAIL PROTECTED] (authpf)

After CTRL+C

-+= 21897 root sshd: user1 [priv] (sshd)
 \--- 29963 user1 sshd: [EMAIL PROTECTED] (sshd)

authpf is not there anymore but ssh session is still active

Thank you
MK
Re: spamd stopped logging
Hi,

I've found that I have same problem for dhcpd daemon too. No messages are coming to syslogd anymore. Please can anyone confirm it? I was able to reproduce same problem on other box too. For me it's very strange that these problems started after patching BIND because I don't know how could it be related.

- Original Message -
From: "mk" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, July 30, 2008 1:07 AM
Subject: Re: spamd stopped logging

Hello

I was able to reproduce this problem on second OpenBSD 4.2 Stable box. spamd was logging all verbose information until I installed 013: SECURITY FIX for Bind issue. Before patch activation, I was able to see messages like this:

Jul 30 00:35:02 maronet spamd[12359]: (GREY) 146.164.48.5: <> -> <[EMAIL PROTECTED]>

These messages are not logged anymore. Can anyone reproduce it too?

Thank you
MK

- Original Message -
From: "mk" <[EMAIL PROTECTED]>
To:
Sent: Sunday, July 27, 2008 2:48 PM
Subject: spamd stopped logging

Hello all

I've found that my spamd on OpenBSD 4.2 stable box stopped logging information provided by -v flag. I did not make any changes on my box in last few days at least I think. (except named build) It was working without any problem for several months. Now, all I can get from spamd into my log file is that daemon started, that's all.

my syslog.conf

!spamd
daemon.err;daemon.warn;daemon.info	/var/log/spamd

/var/log/spamd exists, but spamd writes there only these messages:

Jul 27 11:57:19 sra spamd[3752]: listening for incoming connections

I'm starting spamd this way:

spamd_flags="-v -G5:4:864"

I tried to restart it manually also with syslogd but nothing changed.

Thanks for any hint.
MK
Re: spamd stopped logging
Hello

I was able to reproduce this problem on second OpenBSD 4.2 Stable box. spamd was logging all verbose information until I installed 013: SECURITY FIX for Bind issue. Before patch activation, I was able to see messages like this:

Jul 30 00:35:02 maronet spamd[12359]: (GREY) 146.164.48.5: <> -> <[EMAIL PROTECTED]>

These messages are not logged anymore. Can anyone reproduce it too?

Thank you
MK

- Original Message -
From: "mk" <[EMAIL PROTECTED]>
To:
Sent: Sunday, July 27, 2008 2:48 PM
Subject: spamd stopped logging

Hello all

I've found that my spamd on OpenBSD 4.2 stable box stopped logging information provided by -v flag. I did not make any changes on my box in last few days at least I think. (except named build) It was working without any problem for several months. Now, all I can get from spamd into my log file is that daemon started, that's all.

my syslog.conf

!spamd
daemon.err;daemon.warn;daemon.info	/var/log/spamd

/var/log/spamd exists, but spamd writes there only these messages:

Jul 27 11:57:19 sra spamd[3752]: listening for incoming connections

I'm starting spamd this way:

spamd_flags="-v -G5:4:864"

I tried to restart it manually also with syslogd but nothing changed.

Thanks for any hint.
MK
spamd stopped logging
Hello all

I've found that my spamd on OpenBSD 4.2 stable box stopped logging information provided by -v flag. I did not make any changes on my box in last few days at least I think. (except named build) It was working without any problem for several months. Now, all I can get from spamd into my log file is that daemon started, that's all.

my syslog.conf

!spamd
daemon.err;daemon.warn;daemon.info	/var/log/spamd

/var/log/spamd exists, but spamd writes there only these messages:

Jul 27 11:57:19 sra spamd[3752]: listening for incoming connections

I'm starting spamd this way:

spamd_flags="-v -G5:4:864"

I tried to restart it manually also with syslogd but nothing changed.

Thanks for any hint.
MK
pcmcia fast ethernet RP-1632DRC
Hello all, was anybody of you able to use RP-1632DRC Fast Ethernet pcmcia card on your OpenBSD box successfully? I bought it for my HP NX6110 laptop and I'm not able to have it working. I have OpenBSD 4.3, the adapter is detected by OS (as rl0) but that's everything. I receive error message "watchdog timeout" even though that cable and my network connectivity is ok. Card has Realtek 8139. http://www.repotec.com/default.asp?pagename=Network_Interface_Card/RP_1632DRC.htm Is there any chance to have this card working? Any help is appreciated Thank you MK my dmesg is bellow OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Celeron(R) M processor 1.40GHz ("GenuineIntel" 686-class) 1.41 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF real mem = 527855616 (503MB) avail mem = 502341632 (479MB) User Kernel Config UKC> disablwe\^H \^H\^H \^He acpi 417 acpi0 disabled UKC> quit Continuing... mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 07/25/05, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xfc68f (23 entries) bios0: vendor Hewlett-Packard version "68DTD Ver. F.0A" date 07/25/2005 bios0: Hewlett-Packard HP Compaq nx6110 (PY530ES#AKB) acpi at bios0 function 0x0 not configured pcibios0 at bios0: rev 2.1 @ 0xf/0x2000 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf07c0/176 (9 entries) pcibios0: bad IRQ table checksum pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf93b0/176 (9 entries) pcibios0: PCI Exclusive IRQs: 5 10 11 pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801FBM LPC" rev 0x00) pcibios0: PCI bus #3 is the last bus bios0: ROM list: 0xc/0x1! 
cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel 82915GM Host" rev 0x03 agp0 at pchb0: aperture at 0xc000, size 0x1000 vga1 at pci0 dev 2 function 0 "Intel 82915GM Video" rev 0x03 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) "Intel 82915GM Video" rev 0x03 at pci0 dev 2 function 1 not configured uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: irq 11 uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: irq 10 uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: irq 10 uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: irq 10 ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: irq 11 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 ppb0 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xd3 pci1 at ppb0 bus 2 bwi0 at pci1 dev 4 function 0 "Broadcom BCM4318" rev 0x02: irq 11, address 00:14:a5:13:97:f7 cbb0 at pci1 dev 6 function 0 "TI PCI7XX1 CardBus" rev 0x00: irq 10 "TI PCI7XX1 FireWire" rev 0x00 at pci1 dev 6 function 2 not configured bce0 at pci1 dev 14 function 0 "Broadcom BCM4401B1" rev 0x02: irq 11, address 00:14:38:1a:a3:b1 bmtphy0 at bce0 phy 1: BCM4401 10/100baseTX PHY, rev. 
0 cardslot0 at cbb0 slot 0 flags 0 cardbus0 at cardslot0: bus 3 device 0 cacheline 0x10, lattimer 0x20 pcmcia0 at cardslot0 auich0 at pci0 dev 30 function 2 "Intel 82801FB AC97" rev 0x03: irq 11, ICH6 AC97 ac97: codec id 0x41445374 (Analog Devices AD1981B) ac97: codec features headphone, 20 bit DAC, No 3D Stereo audio0 at auich0 "Intel 82801FB Modem" rev 0x03 at pci0 dev 30 function 3 not configured ichpcib0 at pci0 dev 31 function 0 "Intel 82801FBM LPC" rev 0x03: PM disabled pciide0 at pci0 dev 31 function 1 "Intel 82801FB IDE" rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA48, 38154MB, 78140160 sectors atapiscsi0 at pciide0 channel 0 drive 1 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 cd0(pciide0:0:1): using PIO mode 4, DMA mode 2 pciide0: channel 1 ignored (disabled) usb1 at uhci0: USB revision 1.0 uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb2 at uhci1: USB revision 1.0 uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb3 at uhci2: USB revision 1.0 uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb4 at uhci3: USB revision 1.0 uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pmsi0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pmsi0 mux 0 pcppi0 at isa0 port 0
Re: nologin shell allows me to connect to FTP server
Maybe I'm wrong but in man pages is nothing about difference between these two shells. Of course I had firstly searched man pages before I asked my question here.

from manpages:

"nologin displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled. If the file /etc/nologin.txt exists, nologin displays its contents to the user instead of the default message."

So I supposed that in case of "nologin" shell, user account will be completely disabled.

MK

- Original Message -
From: "Otto Moerbeek" <[EMAIL PROTECTED]>
To: "MK" <[EMAIL PROTECTED]>
Cc:
Sent: Sunday, February 19, 2006 9:17 PM
Subject: Re: nologin shell allows me to connect to FTP server

On Sun, 19 Feb 2006, MK wrote:

> Hello to everybody I meant that nologin shell disallows access for user account on all services. But I'm still able to connect to FTP server and POPA3D even that userID has assigned nologin shell. Is it correct behaviour? If so, where is difference between nologin shell and false shell.

It is correct behaviour. The difference between nologin and false is described in the man page of nologin.

-Otto
nologin shell allows me to connect to FTP server
Hello to everybody I meant that nologin shell disallows access for user account on all services. But I'm still able to connect to FTP server and POPA3D even that userID has assigned nologin shell. Is it correct behaviour? If so, where is difference between nologin shell and false shell. Thank you for all replies MK
Re: OpenBSD PF IP Fragment Remote Denial Of Service
Hello everybody

I understand that this issue doesn't affect many people even though I'd like to know about the problem. Is there any mailing list related to newly discovered security problems in OpenBSD? I know only about security-announce list but as far as I know there are only messages related to Errata patches and to be honest I haven't seen an email from this list for really long time.

In my opinion it is very important to have information about all potential risks. For example this problem in PF: I have information about it only from this mailing list and I think I was lucky that I spotted this among many other messages and topics. Maybe it is my fault but I'm just a human and I just do not have time to get through all emails on many lists, search for new bugs on SecurityFocus, Secunia and so on.

So my question is simple, is there any project which deals in all security problems in OpenBSD? Or is it really necessary to check misc list and other lists, many webpages every day?

Thank you
Best Regards
MK

- Original Message -
From: "Dries Schellekens" <[EMAIL PROTECTED]>
To: "Subcommander l0r3zz" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, February 01, 2006 9:28 AM
Subject: Re: OpenBSD PF IP Fragment Remote Denial Of Service

Subcommander l0r3zz wrote:

> This came across security focus and I haven't seen it mentioned here. They claim 3.8 is vulnerable, anybody know anything?

This has been fixed in -current, 3.8-stable and 3.7-stable. This crash only works if you have 'scrub fragment crop' or 'scrub fragment drop-ovl' in your pf rules. Not a lot of people use this option so there is no patch on errata.html

Cheers,
Dries
Re: Block MAC address
What about this idea? Setup your firewall configuration file to allow only IPs you want to provide access and then use arp permanent entries for them. I use it to restrict internet, only for trusted pair of ip/mac and it works great. MK - Original Message - From: "Bc. Radek Krejca" <[EMAIL PROTECTED]> To: "OpenBSD general usage list" Sent: Friday, January 13, 2006 11:19 PM Subject: Block MAC address Hello, I need to restrict some mac addresses or better allow set of addresses and block others. How can I do it? Is there any tool in OpenBSD? -- Regards, Bc. Radek Krejca [EMAIL PROTECTED] http://www.ceskedomeny.cz http://www.skdomeny.com http://www.starnet.cz
Re: How to log all entered commands?
I've installed your patch. Works really great. Thanks very very much for it.

Have a nice day
MK

- Original Message -
From: "ober" <[EMAIL PROTECTED]>
To: "Ted Unangst" <[EMAIL PROTECTED]>
Cc: "MK" <[EMAIL PROTECTED]>;
Sent: Tuesday, December 27, 2005 7:33 PM
Subject: Re: How to log all entered commands?

MK try it now.

http://www.linbsd.org/log_execve.38.patch

Thanks to Ted for pointing out the not so obvious mistakes in it.

Thanks.
-Ober

On Mon, 26 Dec 2005, Ted Unangst wrote:

> On 12/25/05, ober <[EMAIL PROTECTED]> wrote:
> > Here is a patch, probably something want to test before using on a production box.
> > http://www.linbsd.org/log_execve.38.patch
> > It logs commands to syslog like this:
> > EXECVE: uid:1000 fullpath:/bin/ls command:ls foo
> > EXECVE: uid:1000 fullpath:/sbin/dmesg command:dmesg
> > EXECVE: uid:1000 fullpath:/usr/bin/touch command:touch fff
>
> accessing a user pointer from kernel is an easy denial of service attack.
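Log lines in the EXECVE format quoted above can be turned into a timestamped per-user record of commands with their arguments, which is what the original question in this thread asked for. The script below is an added example, not part of the patch or of any message here; the syslog prefix, the passwd sample, the watch list and all function names are assumptions.

```python
import re

# Constructed syslog lines. The "EXECVE: uid:... fullpath:... command:..."
# part follows the format quoted above; the "<date> <host> /bsd:" prefix is an
# assumption about how syslogd would record the kernel message.
SAMPLE_LOG = """\
Dec 27 19:40:02 gw /bsd: EXECVE: uid:1000 fullpath:/bin/ls command:ls foo
Dec 27 19:40:09 gw /bsd: EXECVE: uid:1000 fullpath:/usr/bin/touch command:touch fff
Dec 27 19:41:30 gw sshd[2211]: Accepted publickey for admin from 192.0.2.10
Dec 27 19:42:17 gw /bsd: EXECVE: uid:0 fullpath:/sbin/pfctl command:pfctl -d
Dec 27 19:43:05 gw /bsd: EXECVE: uid:1001 fullpath:/sbin/pfctl command:firewall-status -d
Dec 27 19:44:51 gw /bsd: EXECVE: uid:1001 fullpath:/home/bob/pfctl command:pfctl -d
"""

# Constructed passwd(5)-style entries used to turn uids into login names.
SAMPLE_PASSWD = """\
root:*:0:0::/root:/bin/ksh
alice:*:1000:1000::/home/alice:/bin/ksh
bob:*:1001:1001::/home/bob:/bin/ksh
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ "
    r"EXECVE: uid:(?P<uid>\d+) fullpath:(?P<path>.+?) command:(?P<cmd>.*)$"
)

# Executable path -> arguments worth an alert (exact argument match).
# "pfctl -d" is the example from the original question: it disables pf.
WATCHED = {"/sbin/pfctl": {"-d"}}


def parse_passwd(text):
    """Return {uid: login} from passwd-style text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users


def parse_execve(log, users):
    """Return one record per EXECVE line; other syslog lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        uid = int(m["uid"])
        events.append({
            "ts": m["ts"],
            "host": m["host"],
            "uid": uid,
            "user": users.get(uid, "uid:%d" % uid),  # unknown uids stay visible
            "path": m["path"],
            "argv": m["cmd"].split(),
        })
    return events


def watched_hits(events):
    """Match on the executed path, not on argv[0]: the caller chooses argv[0],
    so the command string alone can hide or fake the program name."""
    hits = []
    for e in events:
        flags = WATCHED.get(e["path"])
        if flags and flags & set(e["argv"][1:]):
            hits.append(e)
    return hits


def commands_by_user(events):
    """Return {login: ["<timestamp> <path> <args>", ...]} in log order."""
    report = {}
    for e in events:
        entry = " ".join([e["ts"], e["path"]] + e["argv"][1:])
        report.setdefault(e["user"], []).append(entry)
    return report


if __name__ == "__main__":
    evs = parse_execve(SAMPLE_LOG, parse_passwd(SAMPLE_PASSWD))
    for hit in watched_hits(evs):
        print("ALERT", hit["ts"], hit["user"], hit["path"], hit["argv"])
```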
Re: How to log all entered commands?
Unfortunately not, because there is no timestamp in the log file and there is no easy way how to analyze which user executed particular command on the system. I'm looking for something such as logs generated by sudo.

Thanks anyway
MK

- Original Message -
From: "Siju George" <[EMAIL PROTECTED]>
To: "MK" <[EMAIL PROTECTED]>
Cc:
Sent: Saturday, December 24, 2005 7:26 PM
Subject: Re: How to log all entered commands?

On 12/24/05, MK <[EMAIL PROTECTED]> wrote:

> Hello I'm trying to log all command which are entered by users but till now still without success. I think I was close with "accton" and "lastcomm" commands but unfortunately it logs only commands without parameters, so for instance if I disable pf, "pfctl -d" I have in log only pfctl so there is no way, to figure out what exactly happened.

script is in base.

$ script -a /var/user/terminal-session.txt

will log every thing to that file. Or any other file you choose. Some problems exist if users run screen manipulating programs like vi. They are documented in

$ man script

Hope this helps :-)

Kind Regards
--
Siju Oommen George, Network Consultant.
HiFX IT & MEDIA SERVICES PVT. LTD.
http://www.hifx.net
Re: How to log all entered commands?
Thank you for your suggestion. But there is some problem during the source compile. In fact I have same problem as described here: http://www.bsdforums.org/forums/showthread.php?t=27287 and of course there is no answer. :( Thank you MK - Original Message - From: "Stuart Henderson" <[EMAIL PROTECTED]> To: "Qv6" <[EMAIL PROTECTED]> Cc: Sent: Saturday, December 24, 2005 1:47 PM Subject: Re: How to log all entered commands? > I'm trying to log all command which are entered by users but till now > still without success. sudosh, but it's not in ports.
How to log all entered commands?
Hello

I'm trying to log all command which are entered by users but till now still without success. I think I was close with "accton" and "lastcomm" commands but unfortunately it logs only commands without parameters, so for instance if I disable pf, "pfctl -d" I have in log only pfctl so there is no way, to figure out what exactly happened. I also modified syslog.conf to log all in debug mode but as I expected it didn't help. It seems that Google doesn't have any idea as well.

Is there any solution for my needs?

Thanks a lot for any idea
MK
Re: solutions that interoperate with win xp
SA 70 sa_remove: SA 0x7c497a00 removed from SA list 120012.882638 SA 80 sa_release: SA 0x7c497a00 had 4 references 120012.882673 SA 90 sa_find: no SA matched query my isakmpd.conf and policy files are same as in http://openbsd.cz/~pruzicka/vpn.html if somebody could help I'll be very happy because I'm almost without any experience with IPsec. Thank you MK - Original Message - From: <[EMAIL PROTECTED]> To: Sent: Monday, December 19, 2005 2:23 AM Subject: VPN: solutions that interoperate with win xp heya, i've been grinding away to get a VPN setup where i can have win xp clients connect to my openbsd firewall and access the network behind it. i have tried a number of things, none of which have yet worked for all my users. i am very much interested in hearing from other admins who have currently working solutions along these lines. i have setup isakmpd between my home and my business location, so i know i am not a complete idiot when it comes to this stuff ;). when i tried to use the native windows IPsec implementation, both as described in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, i was not able to get anywhere. when i used ipseccmd.exe, it would not give me any useful debugging outputs and crashed a couple times while i was trying to set this up. i would very much like to have a setup using the native IPsec in win xp, but am utterly in the dark as to the win xp configuration side of things. i have also setup openvpn, which works great for me from home, and i have been able to successfully get this working. however, one of the users that connects to my VPN is having problems making openvpn and his kerio firewall "play nice", and a working openvpn configuration cannot survive a reboot due to win xp being such a great OS. i am also aware of "the green bow" VPN client that is known to interoperate with isakmpd. i have avoided using this solution since i know it to be a resource hog on win xp. anybody else's views on this software would be nice. 
anything that you think could help me get a VPN with win xp talking to my openbsd firewall would be awesome. i would love a "howto" for the win xp boxes, but a smack with the cluestick is likely all i need. it would be nice for this to NOT use certificates, as i'd like to get a shared secret setup working first, then switch to certs later. cheers, jake
Re: OpenBSD 3.8 and IPA
Hello again

I wrote to the author of IPA - Andrey Simonenko and described him our problem. He answered that he is currently working on new version of IPA. To solve problem quickly he has released a patch which modify IPA 1.3.6 to work in OpenBSD 3.8. I tried it and it works.

According to Andrey the problem is caused by new format of PF rule which now has two bytes and packet counters - one for original direction of packet and another one for reverse direction. Which could be probably use in future to measure outgoing and incoming traffic separately in one rule where is keep state statement. The patch now sums both directions so it works as before.

I placed the patch to my site, you can download it from: http://www.kubikcz.net/ipa-1.3.6.diff ( in the diff is maybe wrong line, I used line 176 instead of 173 and file has been patched successfully )

Finally I'd like to thanks to Andrey very much for his great work.

MK

- Original Message -
From: "Spruell, Darren-Perot" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, November 15, 2005 11:52 PM
Subject: Re: OpenBSD 3.8 and IPA

From: MK [mailto:[EMAIL PROTECTED]

> worked fine. But now in OpenBSD 3.8 it seems that IPA doesn't work correctly. I can compile it, run it but the IPA can't see any traffic. I have same config file as before. I think that something had to change in new version of OpenBSD so IPA can't extract traffic from pf rules.

I've noticed the same issue. Mine was on a snapshot several weeks ago (3.8-current). The IPA accounting rules just show 0, even when the rule counters increment for monitored pf rules.

DS
OpenBSD 3.8 and IPA
Hello everybody

I was using IPA application as FUP tool on my OpenBSD 3.7 box. Everything worked fine. But now in OpenBSD 3.8 it seems that IPA doesn't work correctly. I can compile it, run it but the IPA can't see any traffic. I have same config file as before. I think that something had to change in new version of OpenBSD so IPA can't extract traffic from pf rules.

Is anybody of you running IPA on OpenBSD 3.8? Is there a patch?

p.s. I'm sorry for this post maybe it should be addressed to the author of IPA, but I hope that somebody knows the answer

Thank you very much
MK
Re: trouble with file system
Ok, I tried to check the file system from single user mode. FSCK said that all mount points had been already marked as clean. But when I boot OS normally I show same problem as before.

- Original Message -
From: "Otto Moerbeek" <[EMAIL PROTECTED]>
To: "MK" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, October 12, 2005 12:00 PM
Subject: Re: trouble with file system

On Wed, 12 Oct 2005, MK wrote:

> This situation is weird for me and I do not understand it. Can somebody help? Thanks a lot

Checking a fs while mounted is not very handy, since inconsistencies will be reported: the fs is being modified while fsck runs. fsck is trying to tell you that by reverting to NOWRITE operation.

-Otto
trouble with file system
- Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
15026 files, 2102174 used, 4192337 free (4777 frags, 523445 blocks, 0.1% fragmentation)

This situation is weird for me and I do not understand it. Can somebody help?

Thanks a lot
MK