Even and Odd numbered OpenBSD versions

2009-05-19 Thread Mark Romer
Hello, just a simple question.  We have here at work an old hand at openbsd
and he says he only uses openbsd versions that are even numbered. (3.8, 4.0,
4.2, 4.4 etc...)  I am not sure why, did not have a chance to ask him.
I believe that you should use the latest version available, but what does
everyone else think?

thanks, Mark



Re: Narcicism?

2011-12-01 Thread Mark Romer
Man, youth is really wasted on the young.
On Dec 1, 2011 11:04 AM, "Rares Aioanei"  wrote:

> On 12/01/2011 05:39 PM, David Coppa wrote:
>
>>
>> See the subject: "Narcicism"
>>
>> And, btw, the correct spelling is "Narcissism": as a guru, this is
>> something you should already have known ;)
>>
>> ciao,
>> David
>>
>>
>>  As a citizen of an English-speaking country AND a guru, John, you should
> at least know how to spell. David's right, you know.
>
> --
> Rares Aioanei



Re: Can be PF block skype?

2009-11-04 Thread Mark Romer
Not sure if this is any good, looks like it is opensource though.

http://www.lynanda.com/products/software-for-corporations/traffic-filtering/lynanda-skype-filter

Mark

2009/11/4 Tomas Bodzar 

> But Cisco can do it on Application layer. I'm not sure about pf, but
> last time I read man page about pf and pf.conf it wasn't able to do
> that. I think that there was some post about it on Undeadly too.
>
> On Wed, Nov 4, 2009 at 9:21 PM, David Taveras 
> wrote:
> > You're saying that a skype client can proxy itself through another skype
> > client on the same network?
> >
> > In any case, I am sure there must be a way; if cisco can do it, pf can.
> >
> > --David
> >
> > On Wed, Nov 4, 2009 at 2:12 PM, Yamidt Henao 
> wrote:
> >> It is impossible, skype application, can connect through other client
> skype
> >> in the same network.
> >>
> >>
> >> Regards,
> >>
> >> Yamidt
> >>
> >> On Wed, Nov 4, 2009 at 1:48 PM, David Taveras 
> >> wrote:
> >>>
> >>> Greetings,
> >>>
> >>> Can PF be programmed to block skype ? Provided we have port 80 and 443
> >>> Opened to the world, and perhaps DNS port too... skype finds any open
> >>> port to connect to.
> >>>
> >>> Regards,
> >>> David Taveras



mount /usr partition nosuid

2009-12-03 Thread Mark Romer
Hello All,
Sorry if it has been asked in the past, but is it ok to mount the /usr
partition as nosuid?
What if any default programs will that break?  And also does that give me
any added security benefits?
Running 4.6 release generic i386
thanks, Mark
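An added example, not from this thread: before mounting any filesystem nosuid, enumerate the set-user-ID and set-group-ID executables that live on it, because nosuid makes the kernel ignore those bits and the programs then run with the caller's privileges instead of failing loudly. The helper below is ordinary POSIX sh and assumes nothing beyond find(1); on an OpenBSD base install /usr/bin/su and /usr/bin/passwd are among the setuid-root programs it would turn up under /usr.

```shell
#!/bin/sh
# Added example (not from the thread): report set-id executables under a
# directory so the cost of a nosuid mount is known before the change.

# list_setid_files DIR: print every regular file under DIR that has the
# setuid (4000) or setgid (2000) bit set, one path per line, sorted.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# count_setid_files DIR: number of such files; 0 means nosuid breaks nothing here.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# show_setid_report DIR: mode and owner of each hit, so the operator can
# decide per program whether it may lose its set-id bit.
show_setid_report() {
    dir=$1
    n=$(count_setid_files "$dir")
    echo "$n set-id executables under $dir:"
    list_setid_files "$dir" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Usage as a script: sh setid-report.sh /usr
if [ "$#" -gt 0 ]; then
    show_setid_report "$1"
fi
```

Run it against the mount point you intend to restrict (here /usr) and against the chroot directory separately; the two lists are what the "nosuid" advice actually affects in each case.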



Re: mount /usr partition nosuid

2009-12-03 Thread Mark Romer
All, thanks for the responses so far.

I work for the Fed and we have to set up a DNSSEC BIND server on our end.  I
was just reading some of their "advice" on setting up the server...

 2. Mount BIND's chroot filesystem with the noexec,nosuid,nodev options.

Of course all their instructions are for Red Hat and Debian, but I want to do
this on openbsd..

thanks, Mark

On Thu, Dec 3, 2009 at 2:26 PM, Christopher Linn  wrote:

> On Thu, Dec 03, 2009 at 02:08:29PM -0500, Mark Romer wrote:
> > Hello All,
> > Sorry if it has been asked in the past, but is it ok to mount the /usr
> > partition as nosuid?
> > What if any default programs will that break?  And also does that give me
> > any added security benefits?
> > Running 4.6 release generic i386
> > thanks, Mark
>
> why do you want to do this?  (what problem are you trying to solve?)
>
> cel
>
> --
> Christopher Linn   | By no means shall either the CEC
> System Administrator II   | or MTU be held in any way liable
>  Center for Experimental Computation | for any opinions or conjecture I
>Michigan Technological University | hold to or imply to hold herein.



Re: mount /usr partition nosuid

2009-12-03 Thread Mark Romer
Ok, I am not sure if I am replying to just that user or the whole group,
when using the gmail client... anyway

All, thanks for the responses so far.

I work for the Fed and we have to set up a DNSSEC BIND server on our end.  I
was just reading some of their "advice" on setting up the server...

 2. Mount BIND's chroot filesystem with the noexec,nosuid,nodev options.

Of course all their instructions are for Red Hat and Debian, but I want to do
this on openbsd..

I understand not being able to use the noexec option but I was not sure
about the nosuid..

thanks very much

On Thu, Dec 3, 2009 at 2:08 PM, Mark Romer  wrote:

> Hello All,
> Sorry if it has been asked in the past, but is it ok to mount the /usr
> partition as nosuid?
> What if any default programs will that break?  And also does that give me
> any added security benefits?
> Running 4.6 release generic i386
> thanks, Mark



Re: mount /usr partition nosuid

2009-12-03 Thread Mark Romer
Ah yes, thanks Otto !

I think I was getting confused between the named binary in /usr/sbin/  and
where the bind files are chrooted under /var/named
Yes, so this would already be done in openbsd.

thanks, Mark

On Thu, Dec 3, 2009 at 2:08 PM, Mark Romer  wrote:

> Hello All,
> Sorry if it has been asked in the past, but is it ok to mount the /usr
> partition as nosuid?
> What if any default programs will that break?  And also does that give me
> any added security benefits?
> Running 4.6 release generic i386
> thanks, Mark



ipsec tunnel speeds

2012-06-21 Thread Mark Romer
Can anyone please let me know what kind of throughput I can expect from
one client machine to another through an openbsd ipsec tunnel?

Thanks, Mark



Re: ipsec tunnel speeds

2012-06-21 Thread Mark Romer
On Thu, Jun 21, 2012 at 3:13 PM, Johan Ryberg  wrote:

> lol =)
>
> Mark,  you must be more specific.
>
> What hardware do you have?
> What kind of connection do you have between the hosts?
> What is the latency between the hosts?
>
> It's still impossible to answer your question but as a reference I got
> around 450 Mbit over 1 Gb fiber with two HP G7, don't remember CPU
> configuration. Without ipsec I got 800 Mbit.
>
> But this is not really useful because it all ends up what application you
> are using and your own setup. You have to measure to really know.
>
> // Johan
> On Jun 21, 2012 8:05 PM, "Michael Lechtermann" 
> wrote:
>
>> On 21.06.12 19:27, Mark Romer wrote:
>> > Can anyone please let me know what kind of through-put I can expect from
>> > one client machine to another through an openbsd ipsec tunnel?
>> >
>> > Thanks, Mark
>> >
>>
>> 42
>>
>>

Johan,

You are absolutely right, you can lart me now...(lol)..  But I just wanted
to know simply what others were getting for data transfer speeds over their
ipsec tunnels.  I know what speeds I am getting.  I just want to know what
others are seeing for their own setups.
thanks, Mark



Re: ipsec tunnel speeds

2012-06-25 Thread Mark Romer
Great question Ted
Does anyone know the answer?
Thanks Mark
On Jun 22, 2012 12:58 PM, "Ted Unangst"  wrote:

> On Fri, Jun 22, 2012 at 12:52, Ryan McBride wrote:
>
> > 550Mb/s with aes-128-gcm (requires AES-NI and amd64) on
> > hw.model=Intel(R) Xeon(R) CPU E5649 @ 2.53GHz
> > hw.vendor=HP
> > hw.product=ProLiant DL360 G7
>
> what's the reason aes-128-gcm requires amd64?  we can't add that code
> to i386?



Re: OpenBSD users.

2010-07-21 Thread Mark Romer
Maryland, right between DC and Baltimore.

Mark

On Wed, Jul 21, 2010 at 3:37 PM, kalle  wrote:

> Fjugesta - Sweden :)



Re: Force passwordcheck in login.conf

2010-10-13 Thread Mark Romer
Use passwdqc; it is in packages.

in login.conf under default I have:
:minpasswordlen=12:\
:login-tries=4:\
:passwordtries=3:\
:passwordcheck=/usr/local/libexec/passwdqc -3 12

Mark


On Tue, Oct 12, 2010 at 8:46 PM, Brad Tilley  wrote:

> I was experimenting with a program to meet PCI DSS 1.2 password length
> and content/complexity requirements and integrating it with login.conf
> for users who have shell access to OpenBSD systems. It seems to work as
> expected, but I wanted to run my configuration by misc.
>
> I appended the following two lines to the end of both default and staff
> in login.conf. Look OK?
>
> :passwordcheck=/path/to/program:\
> :passwordtries=0:
>
> I understand that it would be easy (and redundant) to use minpasswordlen
> to meet the length requirement, but it's easy to check that in the
> program itself.
>
> Brad
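An added example, not from this thread: a small passwordcheck program of the kind Brad describes, written in POSIX sh. It assumes the contract login.conf(5) documents for the passwordcheck hook (passwd(1) writes the candidate password to the program's standard input; exit status 0 accepts it, anything else rejects it), a hypothetical install path of /usr/local/libexec/pwcheck, and constructed policy values (12 characters, three of four character classes, a short denylist of common words).

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical install:
#   /usr/local/libexec/pwcheck
# wired into login.conf as
#   :passwordcheck=/usr/local/libexec/pwcheck:\
#   :passwordtries=0:
# so that a rejected password is never accepted after repeated tries.

MIN_LEN=12      # constructed local policy value
MIN_CLASSES=3   # out of: upper, lower, digit, other

# check_password PW: return 0 if PW is acceptable, 1 otherwise. The reason
# goes to stderr so passwd(1) can show it to the user.
check_password() {
    pw=$1
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "password must be at least $MIN_LEN characters" >&2
        return 1
    fi
    # Count character classes without spawning a process per test.
    classes=0
    case $pw in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pw in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pw in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt "$MIN_CLASSES" ]; then
        echo "password must use at least $MIN_CLASSES of: upper, lower, digits, symbols" >&2
        return 1
    fi
    # Reject passwords built around a few common words (constructed denylist).
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    case $lower in
        *password*|*qwerty*|*letmein*|*openbsd*)
            echo "password contains a common word" >&2
            return 1 ;;
    esac
    return 0
}

# main: read the candidate password from stdin. passwd(1) may or may not
# terminate it with a newline, so a short read that still set $pw counts.
main() {
    IFS= read -r pw || [ -n "$pw" ] || { echo "no password read" >&2; exit 1; }
    check_password "$pw"
    exit $?
}

# Act as the checker only when run under the installed name; under any
# other name only the functions are defined, which keeps them testable.
case ${0##*/} in
    pwcheck) main ;;
esac
```

Keeping minpasswordlen in login.conf as well costs nothing and still applies if the external program is ever missing or misconfigured; the program then enforces the complexity rules that login.conf alone cannot express.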



ipsec endpoint with multiple tunnels

2010-10-15 Thread Mark Romer
Hello Misc,
I was wondering if this was possible.  I have our main site with an openbsd
4.7 system running ipsec in passive mode listening for connections.  We
currently have 1 other remote building.  I have another openbsd 4.7 system
there connecting to the system here.  Which all works great, I am very happy
with everything.  We are going to get another remote building.  Can the one
host here in our main building make multiple ipsec tunnel connections from
other remote sites?  Is there anything special I would have to do to make
this work?  Thanks to all the openbsd devs for this awesome os.
thanks, Mark



Re: ipsec endpoint with multiple tunnels

2010-10-15 Thread Mark Romer
Never mind, I found out the answer was yes, and yes, it does work well.

Mark

On Fri, Oct 15, 2010 at 8:53 AM, Mark Romer  wrote:

> Hello Misc,
> I was wondering if this was possible.  I have our main site with an openbsd
> 4.7 system running ipsec in passive mode listening for connections.  We
> currently have 1 other remote building.  I have another openbsd 4.7 system
> there connecting to the system here.  Which all works great, I am very happy
> with everything.  We are going to get another remote building.  Can the one
> host here in our main building make multiple ipsec tunnel connections from
> other remote sites?  Is there anything special I would have to do to make
> this work?  Thanks to all the openbsd devs for this awesome os.
> thanks, Mark



Re: password-less console-only access and ssh remote access?

2010-10-22 Thread Mark Romer
I believe you can do something like this, but I don't see it really
making you more secure; still questionable.

sed 's/secure/insecure/g' /etc/ttys > /tmp/temp && mv /tmp/temp /etc/ttys

Mark

On Fri, Oct 22, 2010 at 3:56 PM, Jay K  wrote:

> > Turn off sudo and don't put users you don't want to have root in the
> > wheel group.
> >
> > I find what you want to be questionable though.
>
>
> But can't they still run "login"?
> Why questionable?
> I want security and convenience.
> I don't consider passwords to be either.
> physical security + ssh is what I want.
> I've gotten by with just the second and being sure I don't need console
> access after initial setup (I've run systems like this quite a while now,
> including upgrading OpenBSD a few times on a few machines, and Debian
> 4.0=>5.0)
>
>
> Thanks,
>  - Jay



Re: OpenBSD 4.9 pre-orders

2011-03-16 Thread Mark Romer
Sweet, I am in for one of those hoodies...
Thanks Theo and all the devs for a great product (referring to openbsd)

Mark


On Wed, Mar 16, 2011 at 9:45 AM, Denny White  wrote:

>  On Wed, Mar 16, 2011 at 11:14:31AM +0530, Mahesh J spoke thusly:
> > OpenBSD developers have done it again
> > Thanks and keep going.
> >
> > Your order currently is:
> > -> 1 [T27] Open Source-ami Shirt (M)  @ CDN $15.00
> > -> 1 [CD49] OpenBSD 4.9 CD @ CDN $50.00
> > -> Total: CDN $65.00 + Shipping.
> >
> > --
> > Mahesh
> >
> >
> > On Wed, Mar 16, 2011 at 2:40 AM, Theo de Raadt wrote:
> >
> > > I've turned on OpenBSD 4.9 pre-orders.  Support us by buying something
> > > please.   These sales are a part of keeping the project going.
> > >
> > > As for clothing... there's going to be a black hoodie this time.
> > >
> > > Of course there is an OpenBSD 4.9 song to go with the new artwork.
> > > That is at:
> > > http://www.openbsd.org/lyrics.html
> > >
> > > Enjoy!
> >
>
> Order number 2011/3/16-6:45:44-28389:
> Your order currently is:
> -> 1 [CD49] OpenBSD 4.9 CD @ CDN $50.00
> -> Total: CDN $50.00 + Shipping.
>
> There it is, kept going. \~/
>
>
> --
>
> ===
> Denny White - denny...@cableone.net
> GnuPG key  : 0x1644E79A  |  http://wwwkeys.de.pgp.net
> Fingerprint: D0A9 AD44 1F10 E09E 0E67  EC25 CB44 F2E5 1644 E79A
> ===
> () ASCII ribbon campaign - against html e-mail
> /\ www.asciiribbon.org - against proprietary attachments
> ===



Re: Experiences running AIX in Qemu?

2011-04-01 Thread Mark Romer
Johnny from Poland.

Where did you come from, under a Polish rock?

On Fri, Apr 1, 2011 at 1:38 AM, Tomas Bodzar  wrote:

> Do you know www.ddg.gg and similar? They are offering sometimes
> results for questions ;-)
>
> http://qemu-forum.ipi.fi/viewtopic.php?f=25&t=5078
>
> If you are expecting functional system with that combination then you're
> naive.
>
> On Fri, Apr 1, 2011 at 7:11 AM, johhny_at_poland77
>  wrote:
> > Did someone try it? Does it work? Any howtos/tips regarding it?
> >
> > Many thanks!