Re: No 4.2 or 4.3 Love
Dontek,

You really need to go download, burn, and install the latest Firmware ISO (8.00) from the HP site. There are major updates provided there for multiple system components due to HP _really_ messing up on supplying decent firmware for their server platforms. Thankfully HP puts it all on one CD.

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shockley
Sent: Wednesday, May 21, 2008 8:05 AM
To: misc@openbsd.org
Subject: Re: No 4.2 or 4.3 Love

dontek wrote:
The last version of OpenBSD I have been able to install on my Compaq ProLiant DL360 G2 is 4.1. In all cases I am attempting to boot and install using the i386 cd4x.iso. In both cases of attempting to install 4.2 and 4.3, the installer hard-locks at the end of the dmesg. No keyboard input is possible after the lock-up.

I have OpenBSD 4.2 and 4.3 on several DL360 G2s. Maybe there's a compatibility problem between your media and the drive? Make sure your mainboard and controller firmware are up-to-date and try playing with the OS Type setting in BIOS, and/or APIC settings if they exist.
Re: FIPS 140-2
Theo,

As am I, which was the point of the post :). Too many people, in my experience, spend time trying to certify just their solution, and don't take the interfacing systems into consideration. What good is certifying one part of a system when you have crap application code? All it means is that your pwnage takes place over a FIPS 140-2 certified secure channel. Too many people use that as an excuse to not do security elsewhere. Many of these people are trying to get Microsoft-based security solutions accredited, and use it as a check box on some spreadsheet to convince management that their solution is more secure just because of a certification that gets invalidated every time you patch the system (Patch Tuesday, anyone?), or change the system so that it doesn't match the baseline. I've seen too many people try to spread the FIPS or Common Criteria magic dust over bad code to get it certified. It doesn't matter what OS you run. Bad code is universal, and completely invalidates any security certification of the underlying system.

Mitch

-Original Message-
From: Theo de Raadt [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2008 12:02 AM
To: Mitch Parker
Cc: Ryan McBride; misc@openbsd.org
Subject: Re: FIPS 140-2

What good is an OpenBSD system running with a FIPS 140-2 certified cryptographic component handling SSL and SSH (using AES-256) if the interfacing systems aren't also well-protected, and your applications running on the system don't have safeguards against malicious usage?

You're right -- better go back to Windows running FIPS 140-2 certified components

I'm very very cynical about FIPS.
Re: FIPS 140-2
Ryan,

You're right about the entire package needing to be FIPS 140-2 certified. Also, the other key component here is what algorithms/components the system is FIPS 140-2 certified for, such as 3DES, TLS, SSL, RNG, or AES. However, if you're attempting to do CA on a system, keep in mind that the other important issue is interfacing components. What good is an OpenBSD system running with a FIPS 140-2 certified cryptographic component handling SSL and SSH (using AES-256) if the interfacing systems aren't also well-protected, and your applications running on the system don't have safeguards against malicious usage? It's a nice check box for most auditors, but it doesn't make your entire system more secure, and never will :).

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan McBride
Sent: Wednesday, March 12, 2008 10:04 PM
To: misc@openbsd.org
Subject: Re: FIPS 140-2

On Thu, Mar 13, 2008 at 12:29:47PM +1100, Damien Miller wrote:
On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote:
Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where applicable?

No.

Furthermore, there are no FIPS 140-2 certified bits - it is an entire package that is certified, you don't get to pick and choose. However, if you can find a FIPS 140-2 certified cryptographic accelerator that OpenSSL will use (and most of those supported by OpenBSD will fall into this category), OpenSSH will be using it as well, and you can then presumably put FIPS 140-2* on your product materials or audit questionnaire or what have you.

-Ryan

* With some fine print disclaimer to ensure that nobody accuses you of claiming FIPS compliance for the whole system, of course.
Re: Merging 2 ADSL lines
L.V.,

You don't need bonding for incoming traffic :). PF will take care of the outbound load-balancing for you (and there's an example pf.conf that addresses this in Absolute OpenBSD) if configured correctly. If you have DNS set up right, you don't need bonding for incoming traffic. That's what MX records and priorities are for WRT SMTP, and PF and multiple A records are for WRT everything else. No provider you've seen will allow that because it's not necessary to do so due to the fact that DNS can already handle it with a minimum of work.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of L. V. Lammert
Sent: Thursday, December 27, 2007 11:13 AM
To: Sajith
Cc: misc@openbsd.org
Subject: Re: Merging 2 ADSL lines

On Thu, 27 Dec 2007, Sajith wrote:
Hi, it's Sajith.
Is it possible to merge 2 ADSL lines?
Regards
Sajith

It is possible to share ADSL lines for outbound traffic, .. but no provider I have seen will allow bonding for incoming traffic (e.g. a mail server).

Lee
Re: Merging 2 ADSL lines
Henning,

I agree with you on this. However, I was looking at this from the SMTP and outgoing angles (which IMHO is a bit better designed for this scenario than HTTP, SSH, or other services). Obviously you'd want BGP for the Web or other services (and if you've got 2 ADSL lines, you're probably hosting a good chunk of that at a web host that hopefully has it). If someone has 2 ADSL lines they're bonding, chances are they're not going to want BGP set up (most people I know would have at least a /24, 2 T1s, and a good ISP). Will most providers even let you set up BGP if you're running less than a /24? My experience has been that most ADSL providers don't provide these services, but the leased line providers do.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henning Brauer
Sent: Thursday, December 27, 2007 12:42 PM
To: misc@openbsd.org
Subject: Re: Merging 2 ADSL lines

* Mitch Parker [EMAIL PROTECTED] [2007-12-27 18:34]:
You don't need bonding for incoming traffic :). PF will take care of the outbound load-balancing for you (and there's an example pf.conf that addresses this in Absolute OpenBSD) if configured correctly. If you have DNS set up right, you don't need bonding for incoming traffic. That's what MX records and priorities are for WRT SMTP, and PF and multiple A records are for WRT everything else. No provider you've seen will allow that because it's not necessary to do so due to the fact that DNS can already handle it with a minimum of work.

that is a hobbyist solution that might work ok if you don't actually care for reliability etc - especially with the multiple A records, when one line is down you won't be reachable for about half of the people who would want to reach you. the real solution is of course bgp or two lines which go to the same provider IP-wise and he does his share in balancing and failover.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
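The outbound load-balancing pf.conf that Mitch and Henning are arguing about, written out here as an added example (it is not the Absolute OpenBSD sample and was not posted in this thread), in the pre-4.7 syntax current when the thread was written. It assumes both modems are in router mode so each line looks like an Ethernet link with a fixed next hop; interface names, gateway and LAN addresses are constructed placeholders.

```pf
# Added example: two ADSL lines, each ending in a modem in router mode, so the
# firewall sees two Ethernet links with fixed next hops. Interface names and
# addresses are constructed placeholders; syntax is the pre-4.7 form current
# when this thread was written.
ext_if1 = "fxp1"
ext_if2 = "fxp2"
ext_gw1 = "203.0.113.1"
ext_gw2 = "198.51.100.1"
int_if  = "fxp0"
lan_net = "192.168.1.0/24"

# Source-NAT outbound connections to the address of whichever line they leave on.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Default deny inbound; everything below is an explicit exception.
block in log all

# Spread new LAN connections over both lines. sticky-address pins each
# internal host to one line so a remote service does not see its source
# address flip between the two public addresses mid-session.
pass in on $int_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin sticky-address from $lan_net to any keep state

# Packets the firewall itself sends from a line's address must leave on that
# line, whatever the default route says.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out on $ext_if1 from ($ext_if1) to any keep state
pass out on $ext_if2 from ($ext_if2) to any keep state

# Inbound mail on either line: reply-to sends the replies back out the line
# the connection arrived on. Which line remote senders try first is decided
# by the MX priorities in DNS, not here.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to ($ext_if1) port smtp keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp \
    from any to ($ext_if2) port smtp keep state
```

pf's round-robin does not notice a dead line, so outbound failover still needs something external such as ifstated(8) that rewrites the rules when a gateway stops answering. Henning's inbound objection stands as well: a remote host that resolves your name to the dead line's address will not reach you.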
Re: Troubleshooting PCMCIA modem 3Com 3CXM756
Hello,

I have one of these cards. It won't work unless you use the 3Com drivers on Windows, and even then it doesn't work right. If you use a standard US Robotics external modem, preferably a Sportster, or even possibly a Zoom PCMCIA modem, they should work.

Mitch

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raimo Niskanen
Sent: Wednesday, June 13, 2007 5:22 AM
To: misc@openbsd.org
Subject: Troubleshooting PCMCIA modem 3Com 3CXM756

Hi all!

I have an old laptop on which I want to use ppp to connect to Internet, using a PCMCIA modem 3Com 3CXM756 Global GSM Cellular Modem PC Card.

First, I _think_ it shows up as /dev/cua03. In dmesg it pops up as device pccom3, and when trying with tip it appears that while the card is in it fails as described below, while the card is out it fails with device not configured. Nevertheless, ppp, minicom and tip all try to send AT commands but get no responses, as it appears. I do not see any logs, almost. ppp says it does ATZ^M and waits for OK which does not happen. minicom and tip try to dial and say it fails.

Have you got any tip on how to troubleshoot this card, or does anyone know this card is a dead end and can name a proper serial line, USB or PCMCIA modem that is known to work?

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: OpenBSD PF Book
Danny,

Another book which I highly recommend as a corollary is Absolute OpenBSD. I have used the pf section in that book multiple times as a reference.

Mitch

On 3/26/06 3:09 PM, Qwerty [EMAIL PROTECTED] wrote:
Thank you to everyone for answering my question, I have indeed gone and purchased the book at Amazon.

Thank You
Danny
Re: openbsd and the money -solutions
Some of us:
1. Work for companies which want you to have a physical CD around, even if it is available via FTP.
2. Buy CDs (I have to preorder 3.9, and I will).
3. Put the stickers on our machines and servers.
4. Work on machines which may not be connected to the Internet.
5. Don't have the time to burn everything to CD.

I'm more than willing to buy my CDs every 6 months. The problem with anything FTP-related is that not everyone follows the honor system that it implies. It's much easier to give someone a username and password than it is to dupe a CD :). The issue isn't with new ways to sell the product. It's with the fact that companies who have made a lot of money selling the feature set provided by OpenBSD, OpenSSH, and related projects like IBM, Red Hat, Cisco, and Check Point haven't contributed to the project. It's a double-edged sword. The license the projects are under encourages commercial usage more so than other licenses. However, that doesn't mean that those who do are going to give back. The better possible solution (and the more professional one, IMHO), is when you have an OBSD-related project, encourage your customers to buy the CDs along with the project, with an explanation of what the project does.

From: [EMAIL PROTECTED] on behalf of chefren
Sent: Thu 3/23/2006 4:27 PM
To: misc@openbsd.org
Subject: Re: openbsd and the money -solutions

On 03/23/06 20:52, Daniel E. Hassler wrote:
I read that FTP is becoming far more popular than CDROMs as a means of obtaining OpenBSD. If this is because it's more convenient (vs. folks just being too cheap) then it might make sense to sell downloadable official (copyright Theo de Raadt) ISO images of releases as well as CDROMs. Yes, I read the FAQ. I'm just thinking that selling only CDROMs in today's world may be akin to selling only floppies (no CDROMs available) a few years back. If you don't like this idea don't waste time on it - propose something better!

Yep!

CD sales will definitely go down/down/down and FTP use will definitely go up/up/up. Sell access to a new ftp.openbsd.org server with the real thing. I see no problem at all. The OpenBSD web site may definitely point to the free mirrors too but, like with old CDs, _let people pay for the real thing!_ This proposal has nothing to do with less-free or less-open, Theo had no problem with receiving money for the real CDs, why have trouble with receiving money for the real FTP??? It is clear it seems clueless for most techies, the Sunsite ftp site may even be the real server, but it's clear for me and lots of others that people and companies will be paying for being able to download from the real and trustable ftp.openbsd.org server. Sigh... Is it so difficult to try this for a period? I offer to do the administration.

+++chefren
Re: Small office with BSD blueprint
Smith,

I'd highly recommend the HP JetDirect in a small printer like a Laserjet 2x00 series. With 5-10 users and enough RAM in the printer, users won't even notice. They also seem to work well with whatever we throw at them, including OpenBSD (I'll be putting a LJ3500 on the network with an OBSD 3.8 server this week for a project). The 2x00 series is the smallest that can support a small office and have a JetDirect card internally. If you're going to go for Linux or BSD as your workstation OS, dd is your friend (and is very quick). If you have to use Windows, use Ghost.

From: [EMAIL PROTECTED] on behalf of Smith
Sent: Mon 3/20/2006 8:11 PM
To: misc@openbsd.org
Subject: Re: Small office with BSD blueprint

I would even consider doing away with dns and point everyone to the isp dns along with using static ip addresses. You only need dns if you anticipate a lot of users making dns queries to the point of affecting your bandwidth or you need a dns server to point the rest of the internet to your websites. With 5 users, I don't think you will deal with these issues.

I would definitely, on such a small setup, get rid of lpd. Use direct ip, meaning everyone prints directly to the printer. I work in a network with about 50 printers and 300 users, and I almost never hear a user complain about print jobs jamming. And some of my users do heavy duty printing. Of course we buy HP network printers or use HP Jetdirect boxes for printers that don't have network cards built in. Do a google for Windows Print Migrator 3.1 http://www.microsoft.com/downloads/details.aspx?FamilyID=9B9F2925-CBC9-44DA-B2C9-FFDBC46B0B17displaylang=en from MS's site (assuming you are catering to a windows workshop). This program is free from MS and will make installing printers a breeze. I played with LPD before and it seems more of a headache than direct IP.

For full install ... desktop... google for g4u and consider creating an internal ftp server (this is especially great for a unix workshop). Or, in theory, you can create a samba server, do some research on www.netbootdisk.com and buy a single copy of norton ghost and thus build yourself an enterprise ghost server without paying for ghost enterprise, in theory. Or, create an ssh server, download insert linux, play around with sshfs and ntfsclone on the insert cd to clone workstations (this method I haven't really experimented with other than to create the image). With such a small network, minimize as much work as you can by avoiding services.

Joachim Schipper wrote:
On Mon, Mar 20, 2006 at 03:23:36PM -0500, Will H. Backman wrote:
Will H. Backman wrote:
Looking for feedback on a basic blueprint for a small office using BSD.
Situation: Small office with maybe five workstations.
Question: What would an all BSD setup look like?
Solution that comes to mind:
* Single server for DNS, DHCP, LPD, SMTP, IMAP, and home directories.
* Full install with whatever desktop environment is chosen.
* automount home directories.
* Instead of NIS, maybe cron job to rsync files like /etc/passwd, /etc/hosts, /etc/printcap from central server.
Does anyone out there have a similar setup?
Re: pf.conf to log specific but block all
Dan and Harry,

Agreed. A consumer-class Netgear device will not be the best choice, as it's got an underpowered CPU and has more than enough issues with its configuration. While many SOHO routers can output to syslog, unless you spend the money for a higher-end product like a Juniper Netscreen, or retrofit a Linksys access point with a third-party Linux distribution, you're not going to get much in the ways of customization. However, using pf, snort, and outputting pf and snort to syslog will give you a clearer picture of what's going on. The tools are more straightforward and better-documented (IMHO) than their Linux-based counterparts. If you want to see everything real-time, you can use a tool like Kiwi Syslog Daemon or syslog-ng to collect the log messages from Snort (which is real-time) and pf (which isn't real time in my config - once every 5 minutes). The logs are also very straightforward to read when you use this method. Plus, pf is a lot more flexible than commercial products, and can run on a $50 PII with a couple of eBay special Realtek 8139 NICs comfortably. More importantly, you'll learn a lot more about what's going on with your network, and not only what's coming onto it, but what is also leaving it.

Mitch

-Original Message-
From: [EMAIL PROTECTED] on behalf of Melameth, Daniel D.
Sent: Fri 2/24/2006 10:12 PM
To: misc@openbsd.org
Subject: Re: pf.conf to log specific but block all

Harry Putnam wrote:
I want to use pf.conf in what may be an unusual place. Not the usual shield between private net and internet. It would be more as a logging service but will need some config to allow two private net machines to access it.

A network picture:

        INTERNET
           |
        DSLmodem
           |
    NETGEAR FW/router
   ---|--|--|--|--|--|--|---
     m1 m2 m3 m4 m5 m6 m7

m6 is an obsd-3.8 machine now running current

The ports on the Netgear are switched ports so not like a simple hub. There is a facility on the NETGEAR to send all traffic to an inside machine for whatever reason. It's called a DMZ Server although I don't think that is the normal usage of DMZ, but not experienced enough to know for sure.

This might not work the way you are expecting it to. What you really want is a device that can mirror a switched port.

At any rate I want to enable that feature and send all traffic to the obsd machine. I want to see more of what is happening at the actual firewall. It has poor logging facilities. None in realtime. And the fastest is daily by mail unless you want to logon to the router and do the cumbersome scanning by eye with the sorry java based interface. I don't really want to accept any traffic from the INTERNET via NETGEAR on the obsd box but want to be able to log specific stuff as it hits the pf.conf filter. I want to start analyzing what is coming at me more.

I know this doesn't answer your question, but, IMHO, I suggest replacing that consumer class Netgear device with your OpenBSD box and be done with this whole mess--then you can do everything you laid out here with minimal complexity and far more flexibility.
Re: syslogd question
Craig,

I'm going to second this, even though I don't work at an ISP (however, I do work with large amounts of syslog data). If you want to keep things organized, it's better to keep the syslog files organized by service. When you've got data coming from a large amount of servers, you want to:
1. Separate by service (ftp, ssh, mail, auth, etc.).
2. Use any external processing systems sparingly, and test them heavily for performance.
3. Have your scripts separate the machines, if needed, by machine name. Have them process syslog data after it's received.

I'm using that setup and approach to handle data from approx. 20 commercial UNIX machines and various network devices at one location, and 2 OpenBSD 3.8 boxes and a Windows Server 2003 machine at another. It works very well.

Take care,
Mitch

-Original Message-
From: [EMAIL PROTECTED] on behalf of Craig Skinner
Sent: Fri 2/10/2006 4:45 PM
To: misc@openbsd.org
Subject: Re: syslogd question

On Fri, Feb 10, 2006 at 10:46:02AM -0600, [EMAIL PROTECTED] wrote:
I am setting up an openbsd box to be the catcher for a couple of AIX boxes to pitch their log files to. Using the standard syslogd, I am wondering if I can set it up so that each of the AIX boxes gets its own log file on the openbsd box. Something like /var/log/aix1.log and /var/log/aix2.log. Or, would it just be easier to throw everything into one file and use perl to split out the two logs? I did a little googling around and found one page that looked like exactly my answer but it was 404 and not in the google cache.

I work for an ISP and I think that the best way to handle this is not to separate by machine, but by service. ie: we have a farm of a dozen webservers, another dozen smtp servers, a bunch of imap servers, dns,.. When a customer needs help, say logging into one of the ftp servers, I can tail the auth logs and grep for their username. They could hit any one of the boxes at a given time, so this way is the only practical solution. Also, if a dns zone is not being propagated, I can grep for the zone and see what all of the servers are doing, with relevant time stamps. If you need per machine, then just refine your grep.

Craig.
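A small version of Mitch's step 3, splitting one per-service file into per-host files after syslogd has written it (added example, not Mitch's or Craig's script). It assumes the standard BSD syslog line layout in which the fourth whitespace-separated field is the originating host; the sample authlog lines, hostnames and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): split a per-service syslog file that
# collects lines from many hosts into one file per originating host.
# Assumes the standard BSD syslog line layout:
#   "Mon DD HH:MM:SS hostname program[pid]: message"
# so the hostname is the fourth whitespace-separated field.

# split_by_host <service-log> <output-dir>
# Appends each line to <output-dir>/<hostname>.log and prints the number
# of distinct hosts seen. Lines whose host field is not a plain hostname
# go to unparsed.log instead of being used as a file name.
split_by_host() {
    log="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        NF >= 5 {
            h = $4
            # Only letters, digits, dot, underscore and dash may name a file.
            if (h ~ /^[A-Za-z0-9._-]+$/) {
                f = dir "/" h ".log"
                seen[h] = 1
            } else {
                f = dir "/unparsed.log"
            }
            print $0 >> f
            close(f)
        }
        END { n = 0; for (k in seen) n++; print n }
    ' "$log"
}

# lines_for_host <output-dir> <hostname>: number of lines kept for that host
lines_for_host() {
    wc -l < "$1/$2.log" | tr -d ' '
}

# --- Constructed sample data, not real logs ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/authlog" <<'EOF'
Feb 10 10:46:02 aix1 sshd[4120]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Feb 10 10:46:05 aix2 sshd[9812]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Feb 10 10:46:09 aix1 sshd[4120]: session opened for user alice
Feb 10 10:47:13 aix2 sshd[9815]: Failed password for invalid user admin from 198.51.100.7 port 40030 ssh2
Feb 10 10:48:00 ../evil sshd[1]: bogus host field must not become a path
EOF

HOSTS=$(split_by_host "$SAMPLE_DIR/authlog" "$SAMPLE_DIR/byhost")
echo "distinct hosts: $HOSTS"
echo "aix2 lines: $(lines_for_host "$SAMPLE_DIR/byhost" aix2)"
```

Run it periodically from cron against the rotated per-service file; because the function appends, point it at a fresh output directory (or the previous rotation's file only) each time.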
Re: Oracle, anyone?
Josh,

Agreed on all points. Oracle also likes to tie releases of their database to specific versions of Linux, not just platform types. I had that issue with 8i Release 2 on Red Hat. However, Oracle does have instructions available on their Metalink support site for installing on FreeBSD. Oracle does have its issues in terms of network security, and especially because they charge large amount of money to even allow you to authenticate via an LDAP or Kerberos server (Oracle Advanced Security). OpenBSD works best in a complementary role in an Oracle environment, especially due to pf and IPSec. However, I'd like to see if it would even work on OpenBSD. I would never run Oracle 10g on OpenBSD in production. However, I'll continue to run other things on it :).

Thanks,
Mitch

On 12/4/05 11:57 PM, Josh Tolley [EMAIL PROTECTED] wrote:
Running oracle on any unsupported platform is probably not the best idea, not only because you won't get support, but also because running it on a more secure platform will still leave you with lots of holes; in other words, you're going to need something in front of the box to protect it anyway. Of course, "the more layers of defense, the better" is an excellent mantra, but unfortunately much of the time there are considerations other than just security. OpenBSD is written for uses where freedom, stability, adherence to standards, and security are the top concerns (and things like performance, or accessibility to those who are only interested in reading their email and nothing else, for instance, aren't as high on the list). If having support is a concern, or if being able to get it up and running more or less quickly is a concern, OpenBSD isn't the platform for Oracle.

They've got lots of little things they do in their installer to make sure you're running a platform they like (for instance, Fedora (an unsupported platform) is almost identical to RedHat Advanced Server (a supported platform), yet by default Oracle won't install on it (specifically because it checks RedHat's /etc/redhat-release file to see what system it's being installed on). In short, there likely will be lots of little work-arounds you'll have to deal with to get the install to work in the first place. All that being said, should lack of support, the extra time it will take, and the other issues that have been brought up not be issues for you, 1) lucky you, and 2) I for one would be very interested in whether or not you get it working.

-Josh