Re: Email server and large Emails.
To start with, I based my anti-spam on the system described at http://www.flakshack.com/anti-spam/wiki/index.php and it works very very well.

I think someone already suggested limiting the size of files that are scanned by the anti-virus, and I'd second that opinion. Chances are your boss and everyone else at your company has antivirus running on their PC, right? So the antivirus running on your mail server is just one of many lines of defense against virii. Let it handle the easy stuff (less than 5MB or whatever works for you) and leave the heavy lifting to the workstation AV that's installed anyway. You need to find that happy balance between performance and AV on your mail server, and make sure the boss knows you have to make this compromise because of the performance issues caused by large attachments. Either that or she has to buy you a 4-proc dual core box to handle all the AV processes. If she keeps complaining, remind her that the reason it's taking so long to get a 50MB email is because the person sending it is doing so on a 129Kb/s DSL uplink, not because your mail server is slow.

-----Original Message-----
From: stuartv [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 21, 2007 8:39 AM
To: [EMAIL PROTECTED] Org (E-mail)
Subject: Email server and large Emails.

I have FINALLY been allowed to schedule time to replace the aging mail server. Currently, it is running OpenBSD 3.7, with sendmail, smtp-vilter, and clamav. This is our internal mail server and it uses fetchmail to get our email off of the public server and sends our email out using a smart relay host provided by our ISP. When I originally set this server up I was also running spamassassin but had to remove it because it was causing the system to time out and stop getting mail for some reason that I never figured out.

The boss where I work has NO sense of humor about not getting her email, and doesn't seem to get enough spam that it bothered her, so I did the better part of valor thing and just axed the spamassassin. Lately, we have been receiving emails with larger and larger attachments, which has been causing the clamav to take too long scanning them and thus a time-out and again, no more email until I get it straightened out.

So now to my question. What software works really well for an internal mail server? I would like some spam protection and I NEED anti-virus, and I need it all to work even when a customer sends an email with a 50M file attachment because they sometimes do. I don't mind doing the research and figuring out how to make it all work (although a point in the right direction would be appreciated). I just would like to know what people are using that really works for them.

Stuart van Zee
Dataline Systems, Inc.
[EMAIL PROTECTED]
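The size cut-off suggested in the reply, as an added example that is not code from this thread nor from smtp-vilter or clamav: attachments over a threshold are not handed to the scanner, and the message is tagged so that "skipped" is never mistaken for "clean" by the workstation AV or the admin. `scan_bytes()` is a hypothetical stand-in for a clamd call that only recognises the EICAR test string, and the sample message is constructed inline, so the whole thing runs offline.

```python
"""Size-bounded attachment scanning for a mail filter (added example).

scan_bytes() is a hypothetical stand-in for a clamd call; it only
recognises the EICAR test string so the example runs offline. The sample
message built by build_sample() is constructed, not taken from the thread.
"""
import email
from email import policy
from email.message import EmailMessage

MAX_SCAN_BYTES = 5 * 1024 * 1024   # the 5MB cut-off suggested in the reply

# EICAR test string: harmless by design, detected by every AV product.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_bytes(data):
    """Hypothetical scanner: return True if the payload is malicious."""
    return EICAR in data


def filter_message(raw, max_scan=MAX_SCAN_BYTES):
    """Decide what to do with one raw RFC 5322 message.

    Returns the verdict ('deliver' or 'reject'), which attachments were
    scanned, skipped (too large) or found infected, and the headers a
    filter would add so downstream AV and the admin can see what the
    server did not check.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    scanned, skipped, infected = [], [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if len(data) > max_scan:
            skipped.append(name)          # left for the desktop AV
            continue
        scanned.append(name)
        if scan_bytes(data):
            infected.append(name)
    if infected:
        status = "infected"
    elif skipped:
        status = "partial"                # delivered, but not fully scanned
    else:
        status = "clean"
    return {
        "action": "reject" if infected else "deliver",
        "scanned": scanned,
        "skipped": skipped,
        "infected": infected,
        "headers": {
            "X-AV-Status": status,
            "X-AV-Unscanned": ", ".join(skipped) or "none",
        },
    }


def build_sample(big_size, include_eicar=False):
    """Constructed test message: one small clean attachment, one large one."""
    msg = EmailMessage()
    msg["From"] = "customer@example.com"
    msg["To"] = "boss@example.com"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"\0" * big_size, maintype="application",
                       subtype="octet-stream", filename="big.iso")
    if include_eicar:
        msg.add_attachment(EICAR, maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


if __name__ == "__main__":
    # Threshold lowered to 1 KiB so the 4 KiB attachment counts as "large".
    print(filter_message(build_sample(4096), max_scan=1024))
    print(filter_message(build_sample(4096, include_eicar=True), max_scan=1024))
```

The point of the `X-AV-Status: partial` header is that the decision to skip is recorded on the message itself rather than lost in a log, which is what lets the workstation AV remain a genuine second line of defense instead of an assumption.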
Backups using Linux emulation
I'm trying to back up an OpenBSD box using a Linux binary running under Linux emulation. If you're really curious, the product I'm using is EMC/Legato Networker. The binary runs fine. The problem is that since it's running under Linux emulation, instead of backing up /var it backs up /emul/linux/var, etc. Does anyone know a way to make my backup software not follow the check in /emul/linux first rule, or some other way to make it back up the actual /var rather than /emul/linux/var? I posted this same question about a year ago and didn't get much of a response. Maybe this time around someone can provide some valuable insight. Thanks for the help everyone.
OpenBSD at DefCon
Is anyone on misc going to be at DefCon this weekend? If you are, get in touch. Would be nice to have a beer with other users or developers. If this has already been asked and I missed the thread, then flame away.
Re: popular mail squid virus scanning technique for openbsd
Take a look at the following links - I use something based on this for spam filtering and it works better than any other free or commercial product I've tried. I don't use the antivirus portion (I have a separate system for that).

Like others have said, this mail scanning should probably be done on some host other than your firewall. It would ideally be done by whatever host your MX record is set to. Think of it as a separate email firewall. This sort of stuff is fairly CPU intensive, especially if it's for a large group of users.

http://www.flakshack.com/anti-spam/wiki/index.php
http://flakshack.com/anti-spam/wiki/index.php?page=FairlySecureAntiVirusWiki

-----Original Message-----
From: Siju George [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 2:05 AM
To: Smith
Cc: misc@openbsd.org
Subject: Re: popular mail squid virus scanning technique for openbsd

On 6/6/06, Smith [EMAIL PROTECTED] wrote:

I once posted that all the anti-virus checking should be done on the Windows boxes only. Let the mail server deliver mail, let the firewall block bad packets, and let Windows find the viruses. Why? Re-read what Chad stated in the last sentence below. Some people replied that that was ridiculous because the viruses should be blocked from the mail server with clamd. One person said that clamd can't be exploited remotely. Since then many vulnerabilities have been found in clamd and some of them remotely. Pity.

Thank you so much Christian, Bill, Chad Smith for your answers :-)

Kind Regards
Siju

This message may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient of this message you may not store, disclose, copy, forward, distribute or use this message or its contents for any purpose. If you have received this communication in error, please notify us immediately by return e-mail and delete the original message and any attachments from your e-mail system. Thank you.
Limiting userland RAM utilization
I have a userland process that once in a while goes haywire and starts consuming lots of RAM. While I'm troubleshooting the problem, I need to set up a way to limit this process's RAM consumption, to something along the lines of 200MB. I was looking at using some of the RAM limiting parameters in /etc/login.conf. The three I found most relevant are memorylocked, memoryuse, and vmemoryuse. I'm not sure which one of these is the one I need to tweak. At this point I'm ready to set them all to 200MB. If someone can provide some info on which one of these I should actually be using (or point to somewhere that does) I'd appreciate it. And please, no flaming about how I should use an app that doesn't consume too much RAM. I'm working on that, but I need a short term solution to control this app's RAM consumption without bringing my whole system down. As usual, thanks for all the help.
State of SAN
I'm trying to get a feel for what the state of attaching an OpenBSD server to a SAN is. I've looked at the i386 hardware support page as well as some manpages and all I can find is somewhat old supported HBAs. Is anyone on the list running OpenBSD SAN-attached, either via FiberChannel or iSCSI? If so, can you give me some info on what HBAs you're using? If you were to buy an HBA for an OpenBSD box today which HBA would you recommend?
Re: State of SAN
Thanks. Exactly what I needed.

-----Original Message-----
From: Jason Dixon [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 29, 2006 3:03 PM
To: Michael Favinsky
Cc: misc@openbsd.org
Subject: Re: State of SAN

On Mar 29, 2006, at 5:27 PM, Michael Favinsky wrote:

I'm trying to get a feel for what the state of attaching an OpenBSD server to a SAN is. I've looked at the i386 hardware support page as well as some manpages and all I can find is somewhat old supported HBAs. Is anyone on the list running OpenBSD SAN-attached, either via FiberChannel or iSCSI? If so, can you give me some info on what HBAs you're using? If you were to buy an HBA for an OpenBSD box today which HBA would you recommend?

http://marc.theaimsgroup.com/?l=openbsd-misc&m=112977951023494&w=2

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Backups under linux emulation
Dear misc:

I'm attempting to use (EMC) Legato Networker to backup one of my OpenBSD boxes. Since there's no OpenBSD binary, and Networker isn't open source, I'm using the Linux binary under Linux emulation. The binary executes fine, and the OpenBSD box and Legato server are communicating perfectly. Backups work, but with one major problem: Legato backs up files by crawling the file system, starting at / going into each directory and backing up files as it finds them. The problem that I'm having is that, under linux emulation, the emulator first checks to see if a file/directory exists under /emul/linux. So, when the backup software tries to back up /var, it ends up backing up /emul/linux/var, and my actual /var never gets backed up. I have the same problem in /usr, and so on.

Is there some method/way around this problem? How can I make my Linux binary back up the actual /var rather than /emul/linux/var?

Thanks for the help.

Michael
Re: Backups under linux emulation
Rick, this is good news. If you can provide me some more info on where you got it I'd be grateful.

One thing you should be aware of: 6.0.2 has known vulnerabilities, per http://www.securityfocus.com/bid/14582. I suppose that's the price paid when running older unsupported software. I'd be a bit concerned about installing exploitable 6.0.2 on one of my servers.

-----Original Message-----
From: Rick Aliwalas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 25, 2006 1:25 PM
To: Michael Favinsky
Cc: misc@openbsd.org
Subject: Re: Backups under linux emulation

On Wed, 25 Jan 2006, Michael Favinsky wrote:

Dear misc: I'm attempting to use (EMC) Legato Networker to backup one of my OpenBSD boxes. Since there's no OpenBSD binary, and Networker isn't open source, I'm

There is an openbsd client. We're using it (nwclient-6.0.2-openbsd-i386.tgz). I'm going to ask around to find out how we got it. Apparently it's not supported but works fine.

-rick

using the Linux binary under Linux emulation. The binary executes fine, and the OpenBSD box and Legato server are communicating perfectly. Backups work, but with one major problem: Legato backs up files by crawling the file system, starting at / going into each directory and backing up files as it finds them. The problem that I'm having is that, under linux emulation, the emulator first checks to see if a file/directory exists under /emul/linux. So, when the backup software tries to back up /var, it ends up backing up /emul/linux/var, and my actual /var never gets backed up. I have the same problem in /usr, and so on. Is there some method/way around this problem? How can I make my Linux binary back up the actual /var rather than /emul/linux/var? Thanks for the help. Michael
Re: / never unmounts properly
That fixed it. Thanks Ted.

-----Original Message-----
From: Ted Unangst [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 03, 2005 5:08 PM
To: Michael Favinsky
Cc: misc@openbsd.org
Subject: Re: / never unmounts properly

On 11/3/05, Michael Favinsky [EMAIL PROTECTED] wrote:

I just installed 3.8 on a server that never had OpenBSD on it. Whenever I reboot, I get a warning that / wasn't unmounted properly. This is followed by an fsck of / and bootup goes on as normal. All other filesystems are clean. I've tried reboot, halt, even sync sync sync reboot. The bootup sequence still shows that / wasn't unmounted properly.

running fsck -fy / in single user mode should fix it. i never tracked down why this seems to happen.
/ never unmounts properly
I just installed 3.8 on a server that never had OpenBSD on it. Whenever I reboot, I get a warning that / wasn't unmounted properly. This is followed by an fsck of / and bootup goes on as normal. All other filesystems are clean. I've tried reboot, halt, even sync sync sync reboot. The bootup sequence still shows that / wasn't unmounted properly. Am I doing something wrong? Is there anything that can be done to deal with this?

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 399 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 267952128 (261672K)
avail mem = 237613056 (232044K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(62) BIOS, date 08/07/00, BIOS32 rev. 0 @ 0xfd83c
pcibios0 at bios0: rev 2.1 @ 0xfd740/0x8c0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 9
pcibios0: PCI Interrupt Router at 000:04:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x800 0xc8800/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX rev 0x03
pcib0 at pci0 dev 4 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 4 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E, 1.5A SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 4 function 2 Intel 82371AB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power rev 0x02 at pci0 dev 4 function 3 not configured
ppb0 at pci0 dev 7 function 0 DEC 21152 PCI-PCI rev 0x03
pci1 at ppb0 bus 1
fxp0 at pci1 dev 3 function 0 Intel 82557 rev 0x05, i82558: irq 11, address 00:90:27:87:61:16
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
siop0 at pci1 dev 4 function 0 Symbios Logic 53c895 rev 0x01: irq 15, using 4K of on-board RAM
scsibus1 at siop0siop0: switching to single-ended mode
: 16 targets
ppb1 at pci0 dev 9 function 0 Intel i960 RP PCI-PCI rev 0x03
pci2 at ppb1 bus 2
ami0 at pci0 dev 9 function 1 Intel 80960RP ATU rev 0x03: irq 10 HP 438/32b
ami0: FW C.02.08, BIOS vB.02.04, 16MB RAM
ami0: 3 channels, 16 targets, 1 logical drives
scsibus2 at ami0: 1 targets
sd0 at scsibus2 targ 0 lun 0: AMI, Host drive #00, SCSI2 0/direct fixed
sd0: 4066MB, 518 cyl, 255 head, 63 sec, 512 bytes/sec, 8327168 sec total
scsibus3 at ami0: 16 targets
scsibus4 at ami0: 16 targets
scsibus5 at ami0: 16 targets
vga1 at pci0 dev 13 function 0 Cirrus Logic CL-GD5446 rev 0x45
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ef65 netmask ef65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
WARNING: / was not properly unmounted
Re: Portmap non-local set / unset attempt
That's what I thought. I have no idea why Legato continues to use portmapper at all. They've been telling me they're going to stop using it since at least 1999.

I actually came up with a workaround that I think might expose a potential issue in rpcinfo. Since I couldn't get nsrexecd to automatically register with the portmapper, I tried to register it manually using rpcinfo -s. An entry was added, but it made the protocol number 2 instead of tcp (6), which is what I need.

# rpcinfo -s 390113 1 7937
# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    390113    1     2   7937
# rpcinfo -t localhost 390113
rpcinfo: RPC: Program not registered
program 390113 is not available

I looked and couldn't find any way to set the protocol to TCP (6). Looking at the source for rpcinfo, I found the following:

if ((pmap_set(prog_num, version_num, PF_INET, (u_short)port_num)) == 0) {
        fprintf(stderr, "rpcinfo: Could not set registration for prog %s version %s port %s\n",
            argv[0], argv[1], argv[2]);
        exit(1);
}

Seems like rpcinfo will always set the protocol to the constant PF_INET, which is actually AF_INET, which is actually 2. In order to work around this, I created the following short program:

#include <rpc/rpc.h>

int
main(void)
{
        /* third argument is the IP protocol number: 6 = IPPROTO_TCP, not PF_INET (2) */
        if (pmap_set(390113, 1, 6, 7937) == 0)
                return 1;       /* portmap refused the registration */
        return 0;
}

Notice the 6 in the 3rd argument to pmap_set, rather than the constant PF_INET (2). After deleting the previous portmapper entry and running my little kludge, I get the following:

# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    390113    1   tcp   7937
# rpcinfo -t localhost 390113
program 390113 version 1 ready and waiting

Which brings me to ask: Should an additional argument be added to rpcinfo -s to specify a protocol, rather than forcing the constant PF_INET?
-----Original Message-----
From: Theo de Raadt [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 1:02 PM
To: Michael Favinsky
Cc: 'misc@openbsd.org'
Subject: Re: Portmap non-local set / unset attempt

I'm receiving the following messages from portmap when starting Legato Networker's nsrexecd. The nsrexecd I'm running is the Linux version under emulation:

portmap[16083]: non-local unset attempt (might be from 127.0.0.1)
portmap[16083]: non-local set attempt (might be from 127.0.0.1)

The program (number 390113) does not successfully register with the portmapper:

# rpcinfo -p localhost
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

Is this a security feature?

Yes, most definitely.

Changes made years ago slightly changed the communications API between libc/rpc and the portmap daemon, to make it much harder to generate spoofed RPC mappings. An attacker would make such mappings point one RPC service at another RPC service, and with the right forwarding games you can get mis-interpretation by an end point resulting in some risks.

Therefore our portmap sets up special 127.0.0.1 local bound sockets, and only accepts set/unset operations on those sockets. The *:111 sockets can still be used to make other requests, but not deal with binding establishment.

The program you are using is linked against a RPC library that is using your external address to change the mappings, ie. perhaps your external IP address. That is the old legacy way that the Sun code used to do it, and it was a bug, and it is full of risk.

It's astounding that other people have not fixed this yet, considering that I did the work on that nearly 10 years ago.

revision 1.3
date: 1996/06/29 19:03:50;  author: deraadt;  state: Exp;  lines: +135 -64
multiple receivers, port checking. testing help from bitblt

People keep yammering this bullshit about "Security is a process". Bullshit! Lies! It's about paying attention to the frigging details when they are right in front of your face. And it is very clear other vendors do not pay attention to the details, considering the work I did here was talked about all over BUGTRAQ back in that month. No wonder these vendors and their blogboys have to have this "Security is a process" mantra to protect themselves from looking bad.

Is there a way to get nsrexecd to register with the portmapper?

You cannot get a Linux binary to talk to our portmap, without modifying our portmap code to not have this security check. And that would be a shame.

Sorry...
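The record behind the "proto 2" line in the rpcinfo output above, as an added example that is not code from this thread or from OpenBSD's rpcinfo: the argument block pmap_set() sends to the portmapper is the RFC 1833 PMAP mapping, four XDR unsigned 32-bit integers {prog, vers, prot, port}, and prot is an IP protocol number (IPPROTO_TCP is 6, IPPROTO_UDP is 17). Passing PF_INET, the address-family constant 2, therefore produces a record that no TCP or UDP client lookup can match. The encoder, decoder and check below are this example's own; the sample values 390113/1/7937 are the ones from the post.

```python
"""Decode and sanity-check portmap 'mapping' records (added example).

The layout is the RFC 1833 PMAP v2 mapping: {prog, vers, prot, port} as
four big-endian 4-byte XDR unsigned ints. Nothing here talks to a real
portmapper; the functions only build, parse and validate the record.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
PF_INET = 2          # address family constant; meaningless as a protocol number

MAPPING = struct.Struct(">IIII")   # XDR: big-endian, 4-byte unsigned ints
PROTO_NAMES = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}


def encode_mapping(prog, vers, prot, port):
    """Serialise a mapping the way the PMAPPROC_SET argument is encoded."""
    return MAPPING.pack(prog, vers, prot, port)


def decode_mapping(buf):
    """Parse the 16-byte XDR record back into its four fields."""
    if len(buf) != MAPPING.size:
        raise ValueError("mapping record must be %d bytes" % MAPPING.size)
    prog, vers, prot, port = MAPPING.unpack(buf)
    return {"prog": prog, "vers": vers, "prot": prot, "port": port}


def proto_name(prot):
    """rpcinfo -p prints tcp/udp by name and anything else as a bare number."""
    return PROTO_NAMES.get(prot, str(prot))


def format_rpcinfo_line(m):
    """Render one mapping in the column layout of rpcinfo -p."""
    return "%7d %4d %5s %6d" % (m["prog"], m["vers"], proto_name(m["prot"]), m["port"])


def check_mapping(m):
    """Return the reasons (if any) this mapping can never be used by a client."""
    problems = []
    if m["prot"] not in PROTO_NAMES:
        problems.append("prot %d is not IPPROTO_TCP (6) or IPPROTO_UDP (17)" % m["prot"])
    if not 0 < m["port"] <= 65535:
        problems.append("port %d is outside 1-65535" % m["port"])
    return problems


if __name__ == "__main__":
    # Same registration twice: once as rpcinfo -s built it, once corrected.
    for prot in (PF_INET, IPPROTO_TCP):
        m = decode_mapping(encode_mapping(390113, 1, prot, 7937))
        print(format_rpcinfo_line(m), check_mapping(m))
```

Run stand-alone, the first line reproduces the "390113 1 2 7937" entry from the post together with the reason it is unusable, and the second the "390113 1 tcp 7937" entry that rpcinfo -t could find.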
tcpdump | more doesn't produce output
Has anyone tried a tcpdump | more ? Or a tcpdump | grep? When I try to pipe tcpdump output to either more or grep I don't get any network data output. Anyone have any explanation for this behavior? This issue's on OpenBSD 3.6. Here's a dmesg from the host in case it helps.

OpenBSD 3.6 (GENERIC) #59: Fri Sep 17 12:32:57 MDT 2004
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 267 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,MMX
real mem  = 100245504 (97896K)
avail mem = 84336640 (82360K)
using 1249 buffers containing 5115904 bytes (4996K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(d4) BIOS, date 03/06/98, BIOS32 rev. 0 @ 0xfd7ad
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xfd740/0x8c0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf50/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:04:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
WARNING: can't reserve area for I/O APIC.
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443LX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443LX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Cirrus Logic CL-GD5465 rev 0x03
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 4 function 0 Intel 82371AB PIIX4 ISA rev 0x01
pciide0 at pci0 dev 4 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: QUANTUM FIREBALL SE3.2A
wd0: 16-sector PIO, LBA, 3079MB, 6306048 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LG, CD-ROM CRD-8322B, 1.02 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 4 function 2 Intel 82371AB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power Mgmt rev 0x01 at pci0 dev 4 function 3 not configured
le1 at pci0 dev 6 function 0 AMD 79c970 PCnet-PCI rev 0x25: irq 5
le1: address 00:60:b0:f7:1d:a8
le1: 8 receive buffers, 2 transmit buffers
le2 at pci0 dev 10 function 0 AMD 79c970 PCnet-PCI rev 0x25: irq 10
le2: address 00:60:b0:cd:39:8f
le2: 8 receive buffers, 2 transmit buffers
le3 at pci0 dev 12 function 0 AMD 79c970 PCnet-PCI rev 0x25: irq 11
le3: address 00:60:b0:ee:fa:b3
le3: 8 receive buffers, 2 transmit buffers
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fb4d netmask ff6d ttymask ffef
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

The following disclaimer was inserted automatically and is outside my control.
Re: tcpdump | more doesn't produce output
That did it. RTFM :) Thanks.

-----Original Message-----
From: Stuart Henderson [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 28, 2005 3:47 PM
To: Michael Favinsky; misc
Subject: Re: tcpdump | more doesn't produce output

--On 28 July 2005 15:26 -0700, Michael Favinsky wrote:

Has anyone tried a tcpdump | more ? Or a tcpdump | grep?

It sounds like you want to make the output line-buffered, see tcpdump(8).
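The mechanism behind the answer above, as an added example that is not code from this thread or from tcpdump: stdio fully buffers stdout when it is a pipe rather than a terminal, so a long-running producer's lines sit in its own buffer until the buffer fills or the process exits, which is why `tcpdump | grep` looks silent. Line buffering (what `tcpdump -l` asks for) hands each line to the pipe as it is written. The child process here is a stand-in for tcpdump that prints one constructed packet line and then keeps "capturing"; the parent measures whether the line reaches the pipe within a timeout. It needs a POSIX system, since it uses select() on a pipe.

```python
"""Why "tcpdump | grep" shows nothing until tcpdump exits (added example).

The child process stands in for tcpdump. With argv[1] == "line" it puts
its stdout into line-buffered mode, which is what tcpdump -l does; with
"block" it keeps the default full buffering that stdio applies to pipes.
The packet line it prints is constructed, not captured.
"""
import os
import select
import subprocess
import sys

CHILD = (
    "import sys, time\n"
    "if sys.argv[1] == 'line':\n"
    "    sys.stdout.reconfigure(line_buffering=True)\n"   # the -l equivalent
    "print('12:00:00.000001 IP 10.0.0.1 > 10.0.0.2: ICMP echo request')\n"
    "time.sleep(30)\n"                                   # still 'capturing'
)


def first_line_within(timeout, line_buffered):
    """Return the first line the child delivers within `timeout` seconds, or None."""
    # Make sure the environment does not force unbuffered stdout on the child.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONUNBUFFERED"}
    mode = "line" if line_buffered else "block"
    child = subprocess.Popen([sys.executable, "-c", CHILD, mode],
                             stdout=subprocess.PIPE, env=env)
    try:
        ready, _, _ = select.select([child.stdout], [], [], timeout)
        if not ready:
            return None            # the line is still sitting in the child's buffer
        return os.read(child.stdout.fileno(), 4096).decode().rstrip("\n")
    finally:
        child.kill()               # like interrupting tcpdump; buffered data is lost
        child.wait()
        child.stdout.close()


def demo(timeout=3):
    """Run both modes and report what the reader of the pipe saw."""
    return {
        "block-buffered (tcpdump | grep)": first_line_within(timeout, False),
        "line-buffered  (tcpdump -l | grep)": first_line_within(timeout, True),
    }


if __name__ == "__main__":
    for label, seen in demo().items():
        print("%-38s %s" % (label + ":", seen if seen else "<nothing within timeout>"))
```

Killing the child in the block-buffered case also shows the second half of the symptom: the buffered line is discarded with the process, so interrupting the pipeline does not flush it either.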
Re: Phase 2 problem between isakmpd and Netscreen
Sean,

Take a look at http://www.vpnc.org/. They perform all sorts of VPN device interoperability tests, using OpenBSD as the common denominator. They have info on how to set up your Netscreen box to make it work with OpenBSD.

-----Original Message-----
From: Sean Knox [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 27, 2005 2:50 AM
To: Hans-Joerg Hoexer
Cc: misc
Subject: Re: Phase 2 problem between isakmpd and Netscreen

On Wed, 27 Jul 2005, Hans-Joerg Hoexer wrote:

Hi, this worked with an older isakmpd version? Is this netscreen box some kind of appliance or just some windows software?

Nope, I've not been able to get isakmpd and the netscreen to finish phase 2. Sorry I wasn't clearer about the type of netscreen... it's a Juniper Netscreen ISG2000. It's a 4u (I think) appliance that runs ScreenOS, Juniper's firewall OS. AFAIK, it runs an industry standard IPSec implementation. Datasheet/marketing fluff pdf here: http://www.juniper.net/products/integrated/dsheet/110036.pdf

The general problem is, I can only test interoperability with open source vpn solutions on standard hardware. If people need to rely on interoperability with appliance X and Windows client Y and MacOS client Z, I need this kind of hardware/software.

I understand completely. While I'd love to donate an ISG2000 without serving time in prison or going bankrupt, at the moment all I can do is test. As the smaller netscreen models also run the same OS, I'd imagine it'd be possible to debug with one of those. As mentioned, if my isakmpd logs/pcaps are possibly useful toward a fix, let me know. I'll continue banging away at this in the meantime (and possibly bugging Juniper for more info).

sk

On Wed, Jul 27, 2005 at 01:35:34AM -0700, Sean Knox wrote:

(posted a similar message originally on the IPSec list; thought I'd post here too)

Hey all-

I almost have a working VPN between isakmpd and a Netscreen box-- things fail at phase 2 as the peers enter quick mode.

64.81.74.226 = isakmpd
206.14.210.146 = netscreen

00:28:11.947907 64.81.74.226.500 > 206.14.210.146.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 284
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xadfa06f3
                payload: TRANSFORM len: 32
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 1200
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
        payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 312)

00:28:12.138720 206.14.210.146.500 > 64.81.74.226.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
        payload: HASH len: 24
        payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0502a8eb
                payload: TRANSFORM len: 36
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 04b0
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 24
        payload: KEY_EXCH len: 132
        payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
        payload: ID len: 12 type: IPV4_ADDR = 130.94.4.65 [ttl 0] (id 1, len 328)

00:28:15.838995 206.14.210.146.500 > 64.81.74.226.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: eb114e8223bc0965->3aac9200ac79d919 msgid: 9e7ccdd5 len: 300
        payload: HASH len: 24
        payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 48 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x0502a8eb
                payload: TRANSFORM len: 36
                    transform: 1 ID: AES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 04b0
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
                        attribute KEY_LENGTH = 128
        payload: NONCE len: 24
        payload: KEY_EXCH len: 132
        payload: ID len: 12 type: IPV4_ADDR = 64.81.74.226
        payload: ID len: 12 type:
Re: HP ProLiant DL140 serial consola installation
I have some DL140's running OpenBSD. The BIOS redirection stops working when OpenBSD starts booting. Kinda sucks since you can't see the boot sequence or go into the BIOS setup from a serial console. Disable the BIOS console redirection and set OpenBSD to redirect the console to com0.

-----Original Message-----
From: Martin Bruns [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 29, 2005 8:55 AM
To: [EMAIL PROTECTED]; misc@openbsd.org
Subject: Re: HP ProLiant DL140 serial consola installation

[EMAIL PROTECTED] wrote:

Martin Bruns wrote:

Hi Marc, that was what I had done initially but then I fell back to 9600 but also there I did not get anything on the console after 'set tty com0'. To make it clear I can not use the serial nor the keyboard/monitor after that command.

Maybe your serial link is not in order. Set the baudrate to 9600, so you are sure what parameters to set.

I already checked that :-(

For a first try, disable the serial console feature in the BIOS (not in OpenBSD). Sometimes the serial BIOS console and the serial OpenBSD console interfere. In that case you would have the BIOS console on com0 and the OpenBSD console on com1.

Good point. I just cross checked it. I disabled the serial BIOS and also tried with enabled serial BIOS but with different redirection during/after POST and BOOTLOADER. But none is working. This server has only one serial port so there is no com1 :-(

Keep trying
Martin
OSPFd over IPSEC (enc)?
Can two 3.7 servers running OSPFd talk OSPF to each other over an IPSEC tunnel, or, worded another way, over an enc interface? I have two sites with a WAN link and I want to use the Internet (VPN) as a backup route. The concept is that under normal circumstances, the OSPF routing table would have valid routes between the two sites over both the VPN and WAN links. If the WAN link failed, there'd still be a valid route between the two sites over VPN.

Please forgive the following disclaimer - I have no control over it.
Network Optimizers
Does anyone know of anything in/on OpenBSD that delivers functionality similar to the Peribit or Expand Network Optimizers/Accelerators?