Re: High Interrupt After 7.3 Upgrade
Hi Chris,

On Tue, May 30, 2023 at 8:59 AM Chris Cappuccio wrote:
> Samuel Jayden [samueljaydan1...@gmail.com] wrote:
> > Hi again,
> >
> > Just for the record:
> > I've downgraded to OpenBSD 7.2 (reinstalled) and everything is working like
> > a charm again.
> > I don't know what is wrong with 7.3 but the ipi interrupt rate is too much and
> > somehow OpenBSD performance is too bad..
> > Thanks for reading.
> >
>
> Sounds like you are using 'systat' to measure interrupts. This is a bug
> in systat that was fixed in 7.3. Here is Scott Cheloha's message from that
> fix:
>
> "systat(1): vmstat: measure elapsed time with clock_gettime(2) instead of
> ticks
>
> The vmstat view in systat(1) should not use statclock() ticks to count
> elapsed time. First, ticks are low resolution. Second, the statclock
> is sometimes randomized, so each tick is not necessarily of equal
> length. Third, we're counting ticks from every CPU on the system, so
> every rate in the view is divided by the number of CPUs. For example,
> on an amd64 system with 8 CPUs you currently see:
>
> 200 clock
>
> ... when the true clock interrupt rate on that system is 1600.
>
> Instead, measure elapsed time with clock_gettime(2). Use CLOCK_UPTIME
> here so we exclude time when the system is suspended. With this
> change we no longer need "stathz" or "hertz". We can also get rid of
> the anachronistic secondary clock failure test."

I'm not the OP, but that's interesting to me because I'm wondering if it's why Prometheus' node_exporter from packages is reporting wildly wrong CPU stats on 7.3 that don't at all match what you'd expect when comparing top/htop output. It was fine prior to upgrading to 7.3, but I've just left digging into it on the back burner due to other priorities.

Thanks!
Mark
Re: trying to add auth to specific location in httpd.conf
My bad. Just plain

authenticate with "/path/to/the/htpasswd/file"

above the fastcgi line did the trick.

Regards,
Fabio
trying to add auth to specific location in httpd.conf
Hi misc,

I am trying to add HTTP Basic auth to a specific location in httpd.conf (a1). Is it possible? The other locations I want to maintain unprotected.

Usually it can be done for the entire site with:

authenticate "HTTP Basic" with "/htdocs/dev/.htpasswd"

but for specific files, dunno how.

httpd.conf:

location "/API/v1/a1" {
        fastcgi socket "/run/php-fpm.sock"
}

location "/API/v1/a2" {
        fastcgi socket "/run/php-fpm.sock"
}

location "/API/v1/a3" {
        fastcgi socket "/run/php-fpm.sock"
}

Regards,
Fabio
Re: Faking the same LAN over the Internet
Sorry for top posting.

Would https://openvpn.net/vpn-server-resources/site-to-site-layer-2-bridging-using-openvpn-access-server/ solve your problem?

Regards,
Erik

On 31-3-2020 at 11:34, Chris Rawnsley wrote:
> In the period of The Great Isolation, a friend and I wish to play
> a game that has LAN-only multiplayer. We, however, live in different
> locations and, more importantly, different LANs. An often cited
> approach to solving this is to set up a VPN and connect the two
> devices to it. This requires that both devices run a VPN client
> that connects to the third device that manages the connection. And
> then, hey presto! You have a "LAN".
>
> The complication I have found is that we are both using a Nintendo
> Switch (NinSw) and this device comes without a VPN client. Initially,
> I thought it would be possible to use a VPN client on a computer
> which was wired in over Ethernet and then share the wireless to the
> NinSw. This setup would be mirrored on the other side. The diagram
> below tries to make this clearer. Search for "Where my thinking"
> to skip over this.
>
> [ASCII diagram: NinSw -- wireless -- laptop -- VPN -- gateway/uplink; mirrored on the other side]
>
> Where my thinking comes stuck is how the wired connection is shared
> to the NinSw over wireless. The laptop, running MacOS in the case
> of my friend, will setup its own NAT to isolate the wireless
> connections from the uplink. The NinSw is then unable to receive
> an IP from the VPN and therefore not appear as part of the same
> network.
>
> Ignoring the particular case of how "Internet Connection Sharing"
> works on MacOS, would it be possible to setup some "VPN bridge"
> (yes, I made that up) on OpenBSD where it handles the details of
> the VPN connection but forwards the IP address to another device?
>
> If anyone has more insight into this and can point me in the right
> direction I would be grateful. Similarly if there's been a mistake
> in my thinking please point it out as that could help too.
>
> --
> Chris Rawnsley
>
> P.S. the game in question is Civilization 6 and, yes, they very
> annoyingly restricted it to LAN-only multiplayer...
Relayd Crashing in transparent mode
Wondering if someone can help point me in the right direction.

relayd keeps crashing on me; I suspect someone is attacking using corrupted packets in some way. Other attacks are much higher than normal (application layer).

States look in line (less than 5k), processor usage about 20 percent. Running on KVM, fully patched -stable (6.4).

Anyway, right before the relay stops working, I am getting errors such as:

session failed: Operation timed out
bindany failed, invalid socket: Invalid argument
Socket is not connected: Socket is not connected
relay exiting, pid [X]

Can anyone point me in the right direction to get more logging/how to investigate the errors I am getting?

rcctl restart relayd always fixes the issue. Intermittent problem, but when there is an issue it will crash every couple of minutes.

Config is:

interval 30
log state changes
log connection
prefork 10

vip01 = "159.100.208.71"

table { 10.5.6.121 10.5.6.171 }

relay webRedirect0180 {
        listen on $vip01 port 80
        transparent forward to port 80 \
                mode loadbalance check tcp
}

relay webRedirect01443 {
        listen on $vip01 port 443
        transparent forward to port 443 \
                mode loadbalance check tcp
}

...repeats about 20 times w/ different VIPs
Re: Certificate authority software
On 21-9-2018 at 14:21, Gregory Edigarov wrote:
> Hello, list.
> I need to set up a CA for an intranet. I have some (rather not very positive) experience with ejbca.
> Before I set it up, I want to take a look at alternatives, and so I need advice on the choice of software.
> What would you guys use? Something with fewer dependencies is preferred (but with a web interface).
> Thank you.
> --
> With best regards,
> Gregory Edgarov

I was quite happy with xCA.

Kind regards,
Erik
Re: Syspatch failures?
On 3-3-2018 at 22:07, Jeffrey Joshua Rollin wrote:
> Hi all,
>
> I've installed OpenBSD today (not new to it, or to the list, but I am a chronic distro-hopper), and syspatch fails with the error message:
>
> syspatch: invalid URL configured in /etc/installurl
>
> All other software I've installed (including, but not limited to, zsh, mate, libreoffice) seems to work. My /etc/installurl is as follows:
>
> https://www.mirrorservice.org/pub/OpenBSD/
>
> I would add that this is not the first time I've installed OpenBSD 6.2, either - but it is the first time syspatch has failed, IIRC.
>
> I've no idea what other info might be helpful, but I'll be happy to provide it if asked.
>
> Thanks,
> Jeff.

Trailing /? Shouldn't it be https://www.mirrorservice.org/pub/OpenBSD ?

Regards,
Erik
Re: Need an advice about DHCP IPv6 server software
On 9-12-2017 at 16:03, Marc Peters wrote:
> On Sat, Dec 09, 2017 at 01:50:37PM +0300, Denis wrote:
> > Can you share the IPv6 part of the pf.conf you're using for local network SLAAC?
>
> Did you even bother to open the link Claus sent? There is everything neatly documented you need IPv6-wise to get it up and running with pf.
>
> hth,
> Marc

My pf.conf does not deviate too much from that one indeed. The only thing I did not see (but I did not look that well) was the "pass out inet6 all" statement...
Re: Need an advice about DHCP IPv6 server software
On 8-12-2017 at 15:07, Jan Kalkus wrote:
> For what it's worth, I've noticed Windows frequently will not grab IPv6 addresses via SLAAC. If I disable IPv6 on the network interface and then re-enable it, then I will be assigned an IPv6 address.
>
> Jan Kalkus
> [snip]

I would recheck my configuration if I were you then... Here it is working 100% of the time on approx. 10 Windows (mixed W7/W10) machines. The rest of the network (Linux and OpenBSD) works very well with IPv6 as well. Of course the firewall handing out the SLAAC is OpenBSD.

Only be careful with virtual machines, since you would need settings on the hypervisor to permit multicast on vlans. The SLAAC broadcast is multicast...

Erik
Re: authpf error: failed to create table (Device busy)
Did you test whether disabling ruleset optimization "fixes" the issue in your case too?

\md

Sent: Friday, 07 July 2017 at 02:59
From: "rafal.ramocki"
To: misc@openbsd.org
Subject: Re: authpf error: failed to create table (Device busy)

It looks like I've just hit the same bug. It looks like it is not related to authpf but rather to anchors generally. I'm loading an anchor from pf.conf, then this anchor loads another one with some rules. I have two similar rules in there and disabling one of them will stop the error being returned from this anchor.

pass in quick log proto tcp to { 10.58.16.10 10.58.16.20 10.58.16.30 } port 1522
pass in quick log proto tcp to { 10.58.16.11 10.58.16.21 10.58.16.31 } port 1522

I have quite a few anchors so I'm failing to load rules a few anchors ahead anyway.

Relevant parts of the config are as follows:

/etc/pf.conf:
anchor "vpn1" in on $if_vpn1
load anchor vpn1 from "/etc/anchors/vpn1.conf"

/etc/anchors/vpn1.conf:
anchor "user4" in from 172.31.224.217
load anchor user4 from "/etc/anchors/vpn1/user4"

/etc/anchors/vpn1/user4:
pass in quick log proto tcp to { 10.58.16.10 10.58.16.20 10.58.16.30 } port 1522
pass in quick log proto tcp to { 10.58.16.11 10.58.16.21 10.58.16.31 } port 1522

--
View this message in context: http://openbsd-archive.7691.n7.nabble.com/authpf-error-failed-to-create-table-Device-busy-tp321195p322214.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: authpf error: failed to create table (Device busy)
Hi again,

I was able to further track down the issue. If I set ruleset-optimization to none everything works fine. So it seems that the behavior is triggered somehow by the optimizer.

Having a look at where the EBUSY is triggered, it looks like pf_find_ruleset in pfr_ina_define (sys/net/pf_table.c) does not return anything. I did not get any further yet, but possibly others can?

Can anyone else confirm this behavior?

regards
\md

Forwarded Message
Date: Thursday, 22 June 2017 at 10:27
From: md.obsd.b...@gmx.at
To: misc@openbsd.org
Subject: authpf error: failed to create table (Device busy)

Hi,

I recently transmitted a bug report concerning an authpf issue in 6.1 (see also [1]) where loading the rules in the authpf anchor fails like this:

"pfctl: failed to create table __automatic_ba6b4284_0 in /newuser(25710): \
Device busy"
Unable to modify filters

I've not been able to reproduce the error using another set of source IPs. Maybe I'm overlooking a syntax/config error, but using the same rule in the base pf.conf file does not result in an evaluation error using pfctl -nf.

Is anyone able to reproduce the error either using the info in [1] or with their own ruleset? I'd love to deliver additional debug info.

Looking forward to feedback.

\md

[1] https://marc.info/?l=openbsd-bugs&m=149613063520544
authpf error: failed to create table (Device busy)
Hi,

I recently transmitted a bug report concerning an authpf issue in 6.1 (see also [1]) where loading the rules in the authpf anchor fails like this:

"pfctl: failed to create table __automatic_ba6b4284_0 in /newuser(25710): \
Device busy"
Unable to modify filters

I've not been able to reproduce the error using another set of source IPs. Maybe I'm overlooking a syntax/config error, but using the same rule in the base pf.conf file does not result in an evaluation error using pfctl -nf.

Is anyone able to reproduce the error either using the info in [1] or with their own ruleset? I'd love to deliver additional debug info.

Looking forward to feedback.

\md

[1] https://marc.info/?l=openbsd-bugs&m=149613063520544
IKEv1 to AzureVPN exchange_validate failed
I am struggling to set up an IPsec VPN to Azure. Following the Azure IPsec parameters in the doc below:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Getting the below errors in isakmpd, and am stumped where to look next:

Default exchange_run: exchange_validate failed
Default dropped message from 2.2.2.2 port 500 due to notification type PAYLOAD_MALFORMED

Can anyone point me in the right direction, as my google-fu isn't feeling strong. Thanks!

OpenBSD 6.0/AMD64 MP vm on esxi 6.5

# cat /etc/ipsec.conf
WAN1= "carp901001"              #Interface address 1.1.1.1
localNets = "{10.10.0.0/24}"
remoteGW= "2.2.2.2"             #AzureGateway
remoteNets = "{10.20.2.0/24}"   #remote azure networks

ike esp from $localNets to $remoteNets \
        peer $remoteGW \
        main auth hmac-sha1 enc aes-256 group modp1024 lifetime 28800 \
        quick auth hmac-sha1 enc aes-256 group none lifetime 3600 \
        psk somekey

# isakmpd -dvvvK
073538.301968 Default isakmpd: starting [priv]
073548.958802 Default isakmpd: phase 1 done: initiator id 1.1.1.1, responder id 2.2.2.2, src: 1.1.1.1 dst: 2.2.2.2
073548.993564 Default isakmpd: quick mode done: src: 1.1.1.1 dst: 2.2.2.2
073549.027410 Default exchange_run: exchange_validate failed
073549.027425 Default dropped message from 2.2.2.2 port 500 due to notification type PAYLOAD_MALFORMED
^C073612.581088 Default isakmpd: shutting down...
# 073612.581509 Default isakmpd: exit

# ipsecctl -s all
FLOWS:
flow esp in from 10.20.2.0/24 to 10.10.0.0/24 peer 2.2.2.2 srcid 1.1.1.1/32 dstid 2.2.2.2/32 type use
flow esp out from 10.10.0.0/24 to 10.20.2.0/24 peer 2.2.2.2 srcid 1.1.1.1/32 dstid 2.2.2.2/32 type require

SAD:
esp tunnel from 2.2.2.2 to 1.1.1.1 spi 0x44461664 auth hmac-sha1 enc aes-256
esp tunnel from 1.1.1.1 to 2.2.2.2 spi 0x55f07894 auth hmac-sha1 enc aes-256

07:29:44.949102 0.0.0.0.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03-> msgid: len: 184
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
                payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                        payload: TRANSFORM len: 36
                                transform: 0 ID: ISAKMP
                                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                                        attribute HASH_ALGORITHM = SHA
                                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                                        attribute GROUP_DESCRIPTION = MODP_1024
                                        attribute LIFE_TYPE = SECONDS
                                        attribute LIFE_DURATION = 28800
                                        attribute KEY_LENGTH = 256
        payload: VENDOR len: 20
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 212)
07:29:44.992169 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: len: 212
        payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
                payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                        payload: TRANSFORM len: 40
                                transform: 0 ID: ISAKMP
                                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                                        attribute KEY_LENGTH = 256
                                        attribute HASH_ALGORITHM = SHA
                                        attribute GROUP_DESCRIPTION = MODP_1024
                                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                                        attribute LIFE_TYPE = SECONDS
                                        attribute LIFE_DURATION = 7080
        payload: VENDOR len: 24
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20
        payload: VENDOR len: 20
        payload: VENDOR len: 20 [ttl 0] (id 1, len 240)
07:29:44.993067 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: NAT-D len: 24
        payload: NAT-D len: 24 [ttl 0] (id 1, len 256)
07:29:45.036032 2.2.2.2.isakmp > 1.1.1.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: len: 260
        payload: KEY_EXCH len: 132
        payload: NONCE len: 52
        payload: NAT-D len: 24
        payload: NAT-D len: 24 [ttl 0] (id 1, len 288)
07:29:45.036815 1.1.1.1.isakmp > 2.2.2.2.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: e3ee87821c134d03->5e09a5d35142c2d9 msgid: len: 92
        payload: ID len: 12 type: IPV4_ADDR = 1.1.1.1 p
Re: pf rule for openvpn
On 23-10-2016 at 17:01, Thuban wrote:
> Hi,
> I have an openvpn server running and working, but can't
> go "outside" the server to access the web.
>
> To configure the server, I followed this:
> http://2f30.org/guides/openvpn.html
>
> So ip forwarding is active, the vpn port is open, clients can connect to the
> vpn. But they can't access the web.
>
> I guess the problem comes from this pf rule:
>
> pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
>
> I've been on this issue for too many hours to have a clear mind on this.
> Any advice to find why I'm stuck on the server?
>
> Regards.

How about a rule that permits tunnel traffic to go out? How about a rule that permits the traffic to come in on the tunnel?
Started having bioctl encryption problems recently - lost data. Error within FAQ?
'Encrypting external disks'
http://www.openbsd.org/faq/faq14.html#softraidCrypto

Followed the FAQ instructions EXACTLY to encrypt an external drive, then copied data to it and after restarting the computer again.. I cannot access the drive, in fact it doesn't look like anything is even on it.

This has happened whilst following this tutorial on two different systems, using two different hard disks..

Are the FAQ instructions wrong?

Thanks

# Find the drive
$ dmesg | grep '^[sw]d'

# Check the available partitions on it
$ fdisk wd1
Disk: wd1       geometry: 14593/255/63 [234441648 Sectors]
Offset: 0       Signature: 0x0
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused

# disklabel wd1
# /dev/rwd1c:
type: ESDI
disk: ESDI/IDE disk
label: KINGSTON SV300S3
duid:
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 14593
total sectors: 234441648
boundstart: 0
boundend: 234441648
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:        234441648                0  unused
Re: assigning ipv6 addresses to interfaces
On 31-01-16 17:13, LÉVAI Dániel wrote:
> LÉVAI Dániel @ 2016-01-31T14:10:21 +0100:
> > Stuart Henderson @ 2016-01-30T23:01:54 +0100:
> > > On 2016-01-30, LÉVAI Dániel wrote:
> > > > Hi!
> > > >
> > > > My ISP recently enabled ipv6 on their network, and started sending router advertisements (offering a /64 prefix) on their pppoe end. So now I have an autoconf'd v6 address on my pppoe0 device (yay!), and I wish to set my in-home devices a v6 address each.
> > > > [...]
> > >
> > > You aren't supposed to have addresses within the same /64 on more than one interface. The normal method is that you get an address for the PPP interface using SLAAC autoconf (as you have now), and request one or more *additional* /64s using DHCPv6-PD (prefix delegation) - one per interface. The DHCPv6 client assigns to "downstream" (client-facing) interfaces from this assignment, and you would use rtadvd to advertise the prefix (and possibly other information) to clients.
> > >
> > > There is no software in OpenBSD base to handle prefix delegation. I recommend "dhcpcd" from packages and I've added a pkg-readme with a minimal setup to handle just this (it is also a full-featured DHCP client for v4, but I'm personally only using it for v6). Unlike some alternatives it is actively maintained upstream by a responsive developer.
> >
> > [...]
> > re1: IAID <>
> > pppoe0: IAID 00:00:00:01
> > pppoe0: IAID 00:00:00:02
> > pppoe0: no useable IA found in lease
> > pppoe0: dhcp6_readlease: /var/db/dhcpcd-pppoe0.lease6: No such process
> > pppoe0: soliciting a DHCPv6 lease
> > athn0: IAID <>
> > athn1: IAID <>
> > pppoe0: ADV 2a01:36d:300:<>::/64 from fe80::5dd9:bcc7:cbab:8bb8
> > pppoe0: REPLY6 received from fe80::5dd9:bcc7:cbab:8bb8
> > re1: adding address 2a01:36d:300:<1>::1/72
> > athn0: preferring 2a01:36d:300:<1>::1/72 on re1
> > athn1: preferring 2a01:36d:300:<1>::1/72 on re1
> > pppoe0: renew in 302400 seconds, rebind in 483840 seconds
> > pppoe0: adding reject route to 2a01:36d:300:<>::/64 via ::1
> > athn0: adding route to 2a01:36d:300:<1>::/72
> > forked to background, child pid 346
> > [...]
> >
> > Do I understand it correctly, that this should delegate each interface a /72, while leaving pppoe0's autoconf[privacy]'d addresses intact?
>
> So turns out, that if I request anything other than sla_id 0 or 1, I get another subnet, but with a /72 prefix.
>
> Also, using:
>
> ia_pd 1 re1/1 athn0/2 athn1/3 ...
>
> resulted in the same subnet/prefix sent to me, for all interfaces. For some reason I had to increment the sla_ids by 4 to get another subnet. So:
>
> ia_pd 1 re1/1 athn0/4 athn1/8 ...
>
> actually worked, and got three different subnets, but all came with a /72 prefix.
>
> And for some other reason, none of my devices (Linux, Android, Chromecast...) would accept a /72 address advertised, so although they all got a reply for their rtsol, they ignored it...
>
> I'm now just requesting one PD, with sla_id 0, assigning that to re1, bridging the athns and re1 together, and running rtadvd(8) on re1.
>
> Daniel

A /72 should not work (and indeed does not work as you found out)! The smallest subnet (with the exception of a /127 /128) is /64.

Your ISP is doing The Wrong Thing (tm). Instead your ISP should provide you with a /56 (for 256 subnets) or, even better, with a /48, where you would have 65536 subnets. The latter is the preferred standard although some ISPs do not understand the sheer size of IPv6, and therefore think that they are wasting space handing out /48s. NANOG is full of discussions about this.

See http://serverfault.com/questions/426183/how-does-ipv6-subnetting-work-and-how-does-it-differ-from-ipv4-subnetting for example.

Erik Jan.
Re: OpenBSD on Fiber
Using an HP ProLiant MicroServer N40 as a firewall will get you enough bandwidth at a very reasonable price (approx. 200 Euro). My 500 Mbit/s link can be fully saturated both down- and uplink. Firewalling something like 10 vlans (using a dedicated em interface for egress, and bge for the vlans) works well.

I did some tests for maximum bandwidth and I got to the maximum 1 Gbit/s with a rather long pf.

Get away from vmware for your firewall as others already suggested.
Re: Interface sequencing
Stefan Olsson wrote on 5-11-2014 at 16:48:
> > That needs to go in a dhclient config file, you'll need different config
> > files for each interface and run dhclient from a hostname.if line like
> > "!dhclient -c /etc/dhclient-nogw em0".
>
> is it not enough to just append the following to /etc/dhclient.conf?:
>
> interface "em0" {
>         ignore routers;
> }

You will get dns pushed though, and I doubt if you want to use the internal or the external ones...
Are there any default password managers in OpenBSD?
So I know the rule: only remember a few very very long passwords (e.g. based on several words and a few special chars), and keep the rest of the passwords in a password manager (those aren't remembered and are extremely long).

But this gets me to 2 questions:

- Are there any default password managers in OpenBSD (console/GUI based)? Or are there only ones from ports that are not very audited? What is the advice as to where to store the pwd's?
- Are there any best practices to generate a password that is kept in a password manager, so e.g. 128 chars long with special/random chars, etc.?

Thanks for your time
Re: is zeroing CRYPT needed?
Thanks everyone, now I understand! Have a nice day! :) :)

2013/11/26 Ted Unangst
> On Tue, Nov 26, 2013 at 09:49, obsd, cgi wrote:
> > Wouldn't it be much easier that before I create the bioctl softraid CRYPTO
> > I would dd zero the physical disk for the first.. dunno, 10 MBytes?
>
> Putting zeroes on the outside of an encrypted partition does not put
> zeroes on the inside of the encrypted partition.
Re: is zeroing CRYPT needed?
Wouldn't it be much easier that before I create the bioctl softraid CRYPTO I would dd zero the physical disk for the first.. dunno, 10 MBytes?

2013/11/25 Nick Holland
> On 11/25/13 04:07, obsd, cgi wrote:
> > according to:
> > http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl
> >
> > dd if=/dev/zero of=/dev/rsd3c bs=1m count=1
> >
> > is needed. but Why?
>
> I've actually found it more useful to zero the raw RAID partition than
> the "assembled" softraid "disk". This takes care of the case where
> previous softraid disks had been created, which can be quite frustrating
> when they pop up again unexpectedly.
>
> That's from experience...haven't been able to convince the softraid
> developers, so I suspect there's something to *also* zeroing the
> assembled disk.
>
> It takes but a couple seconds to do. Just do it.
>
> Nick.
is zeroing CRYPT needed?
according to:
http://www.openbsd.org/cgi-bin/man.cgi?query=bioctl

dd if=/dev/zero of=/dev/rsd3c bs=1m count=1

is needed. but Why?
apache bug?
http://i.imgur.com/9SJOrhq.png

In the directory listing the ISO file looks like ~40 MByte, but in reality it is 4 GBytes. What could the problem be? Or should I use nginx since apache will be obsolete? :)

Thanks!
Re: GNOME on OpenBSD 5.3 amd64
I installed XFCE4. It works :) BIG THANKS!

2013/10/10 Richard Toohey
> On 10/10/13 18:13, obsd, cgi wrote:
>> Hi!
>>
>> "External tutorial for 4.8 vs. official documentation for 5.3.
>> This leads to the nonsense you've done to your 5.3 system below."
>>
>> -->>
>>
>> I went to openbsd.org, typed GNOME in the search form:
>> - the first hit was a PDF from 2007
>> - all the remaining were regarding packages
>>
>> What now? Can you please point out where the "official GNOME install
>> documentation for 5.3" is? Or does no one use GNOME with 5.3 on the misc list?
>>
>> ps.: I found that other people have problems with GNOME on 5.3, maybe it's
>> a bug? ( http://community.spiceworks.com/topic/349701-gnome-on-openbsd-5-3-amd64 )
>>
>> Thanks
>>
>> UPDATE: oh, ok I just read the bottom part: "don't use virtualbox." - so
>> the bug comes out when using virtualbox?, ok, Thanks! I will try it with
>> other VM's or directly!
>>
>>
>> 2013/10/9 Jérémie Courrèges-Anglas
>>
>>> "obsd, cgi" writes:
>>>
>>>> I tried to install GNOME on OpenBSD 5.3 amd64 for Desktop use (on
>>>> VirtualBox), see the howto below.
>>>>
>>>> But after the howto, reboot, startx with a normal user:
>>>> https://i.imgur.com/MaT8lcW.png
>>>>
>>>> Xorg.0.log
>>>> https://pastee.org/p8ppa
>>>>
>>>> # original:
>>>> http://www.gabsoftware.com/tips/tutorial-install-gnome-desktop-and-gnome-display-manager-on-openbsd-4-8/
>>>
>>> External tutorial for 4.8 vs. official documentation for 5.3.
>>> This leads to the nonsense you've done to your 5.3 system below.
>>>
>>>> ---
>>>>
>>>> when installing:
>>>> -g*
>>>>
>>>> ---
>>>>
>>>> echo 'export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.3/packages/amd64/' >> ~/.profile; . ~/.profile
>>>> pkg_add -i -vv gnome-session gdm
>>>> # if there was "Can't install foo" message, try the pkg_add line again
>>>>
>>>> ---
>>>>
>>>> vi /etc/rc.local
>>>>
>>>> Append/modify the following lines in /etc/rc.local:
>>>>
>>>> if [ -x /usr/local/sbin/gdm ]; then
>>>>         echo -n ' gdm'; (sleep 5; /usr/local/sbin/gdm) &
>>>> fi
>>>>
>>>> ---
>>>>
>>>> echo 'exec gnome-session' > /root/.xinitrc; chmod +x /root/.xinitrc
>>>> exit
>>>> echo 'exec gnome-session' > .xinitrc; chmod +x .xinitrc
>>>>
>>>> ---
>>>>
>>>> pkg_add -i -vv metacity
>>>> pkg_add -i -vv gnome-panel
>>>> pkg_add -i -vv nautilus
>>>>
>>>> ---
>>>>
>>>> vi /etc/rc.conf.local
>>>>
>>>> Append/modify the following lines :
>>>>
>>>> xdm_flags=NO
>>>> gnome_enable=YES
>>>> gdm_enable=YES
>>>>
>>>> ---
>>>>
>>>> pkg_add -i -vv gnome-terminal gnome-control-center gnome-menus
>>>> gnome-settings-daemon gnome-themes-standard
>>>> # for some reason, these aren't found: gnome-themes-extras gnome-utils
>>>> gnome-applets2 gnome-system-monitor gnome-nettool
>>>>
>>>> ---
>>>>
>>>> So the question is: does anybody have a working howto for installing GNOME on
>>>> OpenBSD?
>>>
>>> Just so that Antoine doesn't feel forced to send another mail about this
>>> recurring subject: pkg_add gnome, *read* the various readmes, don't use
>>> virtualbox.
>
> Did you look in the archives - e.g. marc.info is a good place to search?
>
> e.g.
>
> http://marc.info/?l=openbsd-misc&m=135275664028541&w=2
>
> Don't use Gnome on OpenBSD these days, but used to without problems.
>
>>> --
>>> jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: USB ethernet for OpenBSD
So I bought a digitus dn-10050, it works!! BIG THANKS!

# uname -a
OpenBSD .foo 5.3 GENERIC#50 i386
#
# dmesg|grep -i axe | sort -u
axe0 at uhub0 port 4 configuration 1 interface 0 "ASIX Electronics AX88772A" rev 2.00/0.01 addr 3
axe0: AX88772, address 00:10:a3:XX:XX:XX
ukphy0 at axe0 phy 16: Generic IEEE 802.3u media interface, rev. 1: OUI 0x000ec6, model 0x0006
#

Only problem is that after a reboot I have to re-plug the RJ45 because there will be no link.

2013/10/4 Janne Johansson
> I bought two blue $2 usb-eth from china, they did not work on obsd, but
> similar stuff (UNKNOWN4 in usbdevs) is available, so if anyone wants one,
> we can try to whip up a working driver together.
> The closest thing seems to be axe(4), except the current supported chip is
> named 96xx-something and mine is marked 9700.
>
> I still think I got what I paid for though. 8^D
>
> 2013/10/3 alexey.kurin...@gmail.com
>
> > I want to buy a D-Link DUB-E100; it is listed in man axe(4), but not tested
> > myself. I can reply when I've got it.
> >
> > On 10/04/13 00:27, Joseph A Borg wrote:
> >
> > > Hi!
> > >
> > > > Can someone please mention a working USB to Ethernet adapter for OpenBSD
> > > > 5.3? (anybody has a working one and can share the name of it?)
> > > >
> > > > It doesn't need to be Gbit big... just a 10/100 would be more than
> > > > enough..
> > > >
> > > > +1 if it could be bought from:
> > > >
> > > > http://www.ebay.co.uk/
> > > >
> > > > Many Thanks, have a nice day!
>
> --
> May the most significant bit of your life be positive.
Re: GNOME on OpenBSD 5.3 amd64
Hi!

"External tutorial for 4.8 vs. official documentation for 5.3.
This leads to the nonsense you've done to your 5.3 system below."

-->>

I went to openbsd.org, typed GNOME in the search form:
- the first hit was a PDF from 2007
- all the remaining were regarding packages

What now? Can you please point out where the "official GNOME install documentation for 5.3" is? Or does no one use GNOME with 5.3 on the misc list?

ps.: I found that other people have problems with GNOME on 5.3, maybe it's a bug? ( http://community.spiceworks.com/topic/349701-gnome-on-openbsd-5-3-amd64 )

Thanks

UPDATE: oh, ok I just read the bottom part: "don't use virtualbox." - so the bug comes out when using virtualbox?, ok, Thanks! I will try it with other VM's or directly!

2013/10/9 Jérémie Courrèges-Anglas
> "obsd, cgi" writes:
>
> > I tried to install GNOME on OpenBSD 5.3 amd64 for Desktop use (on
> > VirtualBox), see the howto below.
> >
> > But after the howto, reboot, startx with a normal user:
> > https://i.imgur.com/MaT8lcW.png
> >
> > Xorg.0.log
> > https://pastee.org/p8ppa
> >
> > # original:
> > http://www.gabsoftware.com/tips/tutorial-install-gnome-desktop-and-gnome-display-manager-on-openbsd-4-8/
>
> External tutorial for 4.8 vs. official documentation for 5.3.
> This leads to the nonsense you've done to your 5.3 system below.
>
> > ---
> >
> > when installing:
> > -g*
> >
> > ---
> >
> > echo 'export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.3/packages/amd64/' >> ~/.profile; . ~/.profile
> > pkg_add -i -vv gnome-session gdm
> > # if there was "Can't install foo" message, try the pkg_add line again
> >
> > ---
> >
> > vi /etc/rc.local
> >
> > Append/modify the following lines in /etc/rc.local:
> >
> > if [ -x /usr/local/sbin/gdm ]; then
> >         echo -n ' gdm'; (sleep 5; /usr/local/sbin/gdm) &
> > fi
> >
> > ---
> >
> > echo 'exec gnome-session' > /root/.xinitrc; chmod +x /root/.xinitrc
> > exit
> > echo 'exec gnome-session' > .xinitrc; chmod +x .xinitrc
> >
> > ---
> >
> > pkg_add -i -vv metacity
> > pkg_add -i -vv gnome-panel
> > pkg_add -i -vv nautilus
> >
> > ---
> >
> > vi /etc/rc.conf.local
> >
> > Append/modify the following lines :
> >
> > xdm_flags=NO
> > gnome_enable=YES
> > gdm_enable=YES
> >
> > ---
> >
> > pkg_add -i -vv gnome-terminal gnome-control-center gnome-menus
> > gnome-settings-daemon gnome-themes-standard
> > # for some reason, these aren't found: gnome-themes-extras gnome-utils
> > gnome-applets2 gnome-system-monitor gnome-nettool
> >
> > ---
> >
> > So the question is: does anybody have a working howto for installing GNOME on
> > OpenBSD?
>
> Just so that Antoine doesn't feel forced to send another mail about this
> recurring subject: pkg_add gnome, *read* the various readmes, don't use
> virtualbox.
>
> --
> jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
GNOME on OpenBSD 5.3 amd64
I tried to install GNOME on OpenBSD 5.3 amd64 for Desktop use (on VirtualBox), see the howto below.

But after the howto, reboot, startx with a normal user:
https://i.imgur.com/MaT8lcW.png

Xorg.0.log
https://pastee.org/p8ppa

# original:
http://www.gabsoftware.com/tips/tutorial-install-gnome-desktop-and-gnome-display-manager-on-openbsd-4-8/

---

when installing:
-g*

---

echo 'export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.3/packages/amd64/' >> ~/.profile; . ~/.profile
pkg_add -i -vv gnome-session gdm
# if there was "Can't install foo" message, try the pkg_add line again

---

vi /etc/rc.local

Append/modify the following lines in /etc/rc.local:

if [ -x /usr/local/sbin/gdm ]; then
    echo -n ' gdm'; (sleep 5; /usr/local/sbin/gdm) &
fi

---

echo 'exec gnome-session' > /root/.xinitrc; chmod +x /root/.xinitrc
exit
echo 'exec gnome-session' > .xinitrc; chmod +x .xinitrc

---

pkg_add -i -vv metacity
pkg_add -i -vv gnome-panel
pkg_add -i -vv nautilus

---

vi /etc/rc.conf.local

Append/modify the following lines :

xdm_flags=NO
gnome_enable=YES
gdm_enable=YES

---

pkg_add -i -vv gnome-terminal gnome-control-center gnome-menus gnome-settings-daemon gnome-themes-standard
# for some reason, these aren't found: gnome-themes-extras gnome-utils gnome-applets2 gnome-system-monitor gnome-nettool

---

So the question is anybody has a working howto for installing GNOME on OpenBSD?

Thanks
USB ethernet for OpenBSD
Hi!

Can someone please mention a working USB to Ethernet adapter for OpenBSD 5.3? (anybody has a working one and can share the name of it?)

It doesn't need to be Gbit big... just a 10/100 would be more than enough..

+1 if it could be bought from:

http://www.ebay.co.uk/

Many Thanks, have a nice day!
Premature end of script headers error with CGI
http://unix.stackexchange.com/questions/88062/how-to-enable-cgi-in-openbsd

How could someone use a CGI (with a shell script) on OpenBSD? What could the problem be?

The CGI is this:

# cat /var/www/htdocs/cgi-bin/SEARCH.cgi
printf "Content-type: text/html\n\n";
printf hi

but it keeps saying:

# cat /var/www/logs/error_log
[Mon Aug 26 10:09:13 2013] [error] [client 10.0.2.2] Premature end of script headers: /htdocs/cgi-bin/SEARCH.cgi
#

yes, I tried many things..(permissions looks good, printf binary copied to chroot, httpd.conf looks ok..) several hours of pain.. can someone post a howto/URL?

Thanks, have a better day :)
WPA2 AES on OpenBSD
I have an OpenBSD 5.1 i386 installed. I have no GUI/X. I googled for the answer but I can't find an authentic one.

How can I connect to a WPA2 PSK/AES wifi network using only the terminal? (so I don't have a "network manager" to simply select the given SSID, then enter passphrase)

Thanks for the short help, IMHO a lot of you configure wireless through terminal..

Thanks!
Re: sshguard
SshGuard is just a layer of the onion. Not the sole solution.
Most methods you can, with certain degrees of effort and stubbornness, circumvent or break.

/hasse

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of David Diggles
Sent: 26 July 2012 05:57
To: misc@openbsd.org
Subject: Re: sshguard

How secure is the principle of log sucking for anything more than stats?

The inherent assumptions are risky I would think.

I mean, if someone could deliberately craft certain strings with spaces or tabs that get passed, then they could subvert the sucking script.

There is an absolute reliance on the syslog behaving in a certain way under all conditions!

On Wed, Jul 25, 2012 at 09:50:40AM -0600, Chris Lobkowicz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> sshguard prefers to use the "log-sucker" way of parsing authlog. I
> don't even have a mention of sshguard in syslog.conf.
>
> the rc script just basically daemonises sshguard, and points it at
> /var/log/authlog
>
> # /etc/rc.d/sshguard
> daemon="/usr/local/sbin/sshguard"
> # REALLY Touchy version
> daemon_flags="-a 3 -l /var/log/authlog -w /var/db/sshguard/friends.db
> -b 5:/var/db/sshguard/blacklist.db"
> # Less Touchy Version
> #daemon_flags="-l /var/log/authlog -w /var/db/sshguard/friends.db -b
> 5:/var/db/sshguard/blacklist.db"
>
> . /etc/rc.d/rc.subr
>
> rc_bg=YES
> rc_reload=NO
>
> rc_cmd $1
>
>
> sshguard documentation on their website is quite thorough on how to
> install/use. The documentation on how to tweak is a little lacking though.
>
> All that is missing from an install of sshguard is the required
> entries into pf.conf, and which log files to monitor in the rc script.
>
> Works very, very well I might add.
>
> Good luck!
>
> Cheers
> Chris
>
> On 25/07/2012 08:04, Otto Moerbeek wrote:
> > On Wed, Jul 25, 2012 at 02:25:44PM +0200, Hasse Hansson wrote:
> >
> >> Hello all.
> >> # uname -a
> >> OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386
> >>
> >> sshguard-1.5
> >> Are we not supposed to use the entry in /etc/syslog.conf any more ?
> >> " auth.info;authpriv.info |/usr/local/sbin/sshguard "
> >>
> >> I get a message on my console saying:
> >> syslogd: unknown priority name "info |/usr/local/sbin/sshguard"
> >>
> >> The info about the syslog.conf entry seems to be gone in the
> >> install message too.
> >>
> >> All the best
> >> Hasse
> >
> > syslog is very picky about the difference between spaces and tabs.
> > Always use one or more tabs.
> >
> > -Otto
>
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJQEBXQAAoJEFxdNdJhPdR3NK4IALCdIRU3ffb5W7l8rA1coIRR
> 6/UNM3IfOyBa1mO9750oiMzOCPS8qyGQ/93nt9xt8TcQC2XYV0gGhGBa0jDLXLNe
> ujRXBFHXoSmd4DZ60WaZ6Ej9+TNV3rN2WZRZRjXHWWtEm1dacTWhNDakBp3pCtY3
> GYfFLWTQe5wSHVxrI/yB9eiCz6dCdwcL1xewTsQrTYtahtT46uPweCqjUCtx5pFv
> SogLHiWvA9qiUHhiPAoh/79KM11QDQGPpX+agm+LVA9/qkMuglAMhhaBM8IzXIIN
> qkJiz4KNGQuqLh2BfEetIr6bM44W3G3QTy+z+N1HEdRH3jayC+wkvb7TT91zEbk=
> =+k75
> -----END PGP SIGNATURE-----
Re: sshguard
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Chris Lobkowicz
Sent: 26 July 2012 01:26
To: misc@openbsd.org
Subject: Re: sshguard

I use both. Sshguard seems to catch a lot, and the subsequent pf ruleset for max-src-conn seems to catch a fair bit as well.

Here is a snip of my pf.conf:

# SSHguard protection
table persist
block in quick on em0 proto tcp from to any port ssh label "sshguard"

# Bruteforce Protection
table persist counters
block log (all) quick from
pass log (all) proto tcp to port ssh keep state (max-src-conn 5, max-src-conn-rate 5/120, overload )

As for the selectivity on services, I've never used it, so your mileage may vary, but I do believe sshguard will monitor a service, and block the offender on that service, and leave the other services access alone.

Let us know how it goes.

Cheers
Chris

On 25/07/2012 11:15, Alvaro Mantilla Gimenez wrote:
> Is it a better solution than pf rules based on max-src-conn and/or
> max-src-conn-rate?
>
> According to the documentation sshguard add ip address to
> tablesowhat about if I want to "selectively" block ip address
> to some services and let other services open? (i.e.: one ip offending
> ssh access but still I want to have smtp open for that ip). I can
> accomplish that with different tables/rules on pf...is there any way
> to differentiate IPs blocked by sshguard based on the offended service? (ssh, smtp,..).

I'm running both too :-) but with a slightly different twist on bruteforce and a "catch all" on sshguard.

block in quick on egress from label "sshguard"

Quote from their website : http://www.sshguard.net/docs/setup/firewall/pf/
Replace $ext_if with your WAN interface name if needed. Omit the proto tcp and the to any port 22 segment if you want to block all the traffic from attackers (not just ssh).

/hasse
Re: sshguard
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Otto Moerbeek
Sent: 25 July 2012 16:05
To: Hasse Hansson
Cc: misc@openbsd.org
Subject: Re: sshguard

On Wed, Jul 25, 2012 at 02:25:44PM +0200, Hasse Hansson wrote:
> Hello all.
> # uname -a
> OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386
>
> sshguard-1.5
> Are we not supposed to use the entry in /etc/syslog.conf any more ?
> " auth.info;authpriv.info |/usr/local/sbin/sshguard "
>
> I get a message on my console saying:
> syslogd: unknown priority name "info |/usr/local/sbin/sshguard"
>
> The info about the syslog.conf entry seems to be gone in the install
> message too.
>
> All the best
> Hasse

syslog is very picky about the difference between spaces and tabs.
Always use one or more tabs.

-Otto

Thanks
Will try that

/hasse
Re: sshguard
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Otto Moerbeek
Sent: 25 July 2012 16:05
To: Hasse Hansson
Cc: misc@openbsd.org
Subject: Re: sshguard

On Wed, Jul 25, 2012 at 02:25:44PM +0200, Hasse Hansson wrote:
> Hello all.
> # uname -a
> OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386
>
> sshguard-1.5
> Are we not supposed to use the entry in /etc/syslog.conf any more ?
> " auth.info;authpriv.info |/usr/local/sbin/sshguard "
>
> I get a message on my console saying:
> syslogd: unknown priority name "info |/usr/local/sbin/sshguard"
>
> The info about the syslog.conf entry seems to be gone in the install
> message too.
>
> All the best
> Hasse

syslog is very picky about the difference between spaces and tabs.
Always use one or more tabs.

-Otto

Problem solved. A couple of tabs instead of spaces did the trick.
The program now get triggered and runs from syslog.conf

# ps -auxw | grep 'sshguard'
_syslogd 19094 0.0 0.0 860 1148 ?? I 7:00PM 0:00.01 /usr/local/sbin/sshguard

Thanks a lot everybody.

/hasse
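The tab-versus-space point Otto makes is easy to check mechanically before restarting syslogd. The script below is an added example, not code from the thread, from sshguard or from OpenBSD; it is a POSIX sh/awk checker that reads a syslog.conf on standard input, reports entries whose selector is followed by spaces instead of a tab (the shape of Hasse's broken line, which syslogd read as a priority named "info |/usr/local/sbin/sshguard"), and can rewrite them. The configuration lines inside it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): find syslog.conf entries whose selector
# and action are separated by spaces rather than tabs. On the 5.2-era syslogd
# in the thread the selector ends at the first tab, so with spaces the rest of
# the line is swallowed into the priority name:
#   syslogd: unknown priority name "info |/usr/local/sbin/sshguard"

# check_syslog_conf: reads a syslog.conf on stdin, prints one diagnostic per
# offending line, exits 1 if any were found and 0 for a clean file.
check_syslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        index($0, "\t") == 0 {
            bad++
            printf "line %d: no tab between selector and action: %s\n", NR, $0
            next
        }
        {
            # The selector is everything before the first tab; a space inside
            # it ends up inside a facility or priority name.
            sel = substr($0, 1, index($0, "\t") - 1)
            if (sel ~ / /) {
                bad++
                printf "line %d: space inside selector: %s\n", NR, $0
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# fix_syslog_conf: reads a syslog.conf on stdin and writes it to stdout with
# the first run of spaces after the selector replaced by a single tab. Lines
# that already contain a tab, comments and blank lines pass through unchanged.
fix_syslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || index($0, "\t") > 0 { print; next }
        {
            sel = $1
            sub(/^[^ \t]+[ \t]+/, "")      # strip selector and the spaces after it
            print sel "\t" $0
        }
    '
}

# Constructed sample: the sshguard entry as Hasse typed it (spaces) and the
# same entry written with a tab.
BAD_LINE='auth.info;authpriv.info |/usr/local/sbin/sshguard'
GOOD_LINE="$(printf 'auth.info;authpriv.info\t|/usr/local/sbin/sshguard')"
SAMPLE_CONF="$(printf '# syslog.conf sample (constructed)\n%s\n%s\n' "$BAD_LINE" "$GOOD_LINE")"

# Stand-alone run: report the bad line, then print the repaired file.
printf '%s\n' "$SAMPLE_CONF" | check_syslog_conf || echo "-- repaired version:"
printf '%s\n' "$SAMPLE_CONF" | fix_syslog_conf
```

Against a real system the pair would be `check_syslog_conf < /etc/syslog.conf` and, once the report looks right, `fix_syslog_conf < /etc/syslog.conf > /tmp/syslog.conf.new` followed by a diff before copying it into place; the checker deliberately never edits in place.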
Re: Problem understanding portupgrade error message
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart Henderson
Sent: 28 May 2012 13:42
To: misc@openbsd.org
Subject: Re: Problem understanding portupgrade error message

On 2012-05-27, Geir Svalland wrote:
> Can't install p5-DBD-SQLite-1.35p0v0 because of libraries
> |library sqlite3.18.2 not found
> | /usr/lib/libsqlite3.so.18.0 (system): minor is too small
> | /usr/lib/libsqlite3.so.19.0 (system): bad major

The sqlite library in the base OS had the version number changed a couple of times in quick succession, it will take a short while for packages to catch up because they were built against the first version number. Wait a day or two and try again.

> Full dependency tree is p5-Clone-0.31p1 p5-MLDBM-2.04 p5-PlRPC-0.2018p1
> p5-SQL-Statement-1.33 p5-Params-Util-1.00p2 p5-Net-Daemon-0.43p0
> p5-DBI-1.616 p5-FreezeThaw-0.43p2
>
> Collision in p5-Geography-Countries-2009041301p0: the following files
> already exist
>
> /usr/local/libdata/perl5/site_perl/Geography/Countries.pm from
> p5-Geography-Countries-2009041301p0 (same checksum)
>
> Can't install p5-IP-Country-2.27p0: can't resolve
> p5-Geography-Countries-2009041301p0

I don't understand that, output from pkg_add -vv -ui might help.

Excellent. That did the trick. Thank you very much.
It really got verbose, and even offered to repair my missing packet registrations.
Problems gone. Only The sqlite library left and will follow your advice on that one too.

/Hasse
Re: spamd greylisting: false positives
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of David Diggles
Sent: 28 May 2012 03:54
To: misc@openbsd.org
Subject: Re: spamd greylisting: false positives

Ok, I searched calomel and had a good laugh.

"smells like calomel"

Grow up !
I recommended Calomel because that site gave me some good advice and understanding of spamd.
First I tried Peters site, with no up to date rules. Therefore I don't recommend it.
Otherwise Peter is my kind of "Guru" but a bit focused on selling his books, and therefore don't want to give away the full recipe for free. As always, you can not expect copy and paste.
But a site that really made a difference for me and my use of spamd :

http://www.benzedrine.cx/relaydb.html

/hasse
Re: spamd greylisting: false positives
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of David Diggles
Sent: 27 May 2012 02:53
To: misc@openbsd.org
Subject: Re: spamd greylisting: false positives

This may seem like a dead horse to some by now, but I am disappointed no one replied to the msg, I supplied the detailed event information with timestamps, regarding lists.openbsd.org mails not being whitelisted by spamd when run in greylist mode.

RFC282, 4.5.4.1 Sending Strategy:

The sender MUST delay retrying a particular destination after one attempt has failed. In general, the retry interval SHOULD be at least 30 minutes; however, more sophisticated and variable strategies will be beneficial when the SMTP client can determine the reason for non-delivery.

Retries continue until the message is transmitted or the sender gives up; the give-up time generally needs to be at least 4-5 days. The parameters to the retry algorithm MUST be configurable.

Yet I have been advised not to mess with the default timings with -G option.

It looks to me like the retry intervals of lists.openbsd.org are not sufficient to get it whitelisted by spamd.

I am well beyond assuming anything, and prepared to learn / accept any constructive advice.

Can anyone confirm they have the following scenario?

* A clean installed OpenBSD 5.1 configured as a primary MX
* Clean spamd settings, clean /var/db/spamd
* Default spamd with no options
* Default spamlogd with no options
* The pf.conf uses spamd entries from the example pf.conf from etc.tgz
* No manual whitelist entry for lists.openbsd.org
* Incoming from lists.openbsd.org is eventually whitelisted by spamd

I am just trying to learn the cause, and I have been fully prepared to wear egg on my face if my own configuration is causing the problem. I have not yet proven this is the case. I believe I have checked everything anyone suggested to check.

I really don't want my next check be to roll back to 4.9 and see if lists.openbsd.org will auto whitelist like it previously did.

In hope,
David

On Sat, May 26, 2012 at 01:19:38PM +1000, David Diggles wrote:
> Ok I am still not getting emails from lists.openbsd.org (so
> please if you reply, cc to me).
>
> I restarted spamd at this time after deleting /var/db/spamd and
> clearing the bypass tables in pf at this time:
>
> 2012-05-26 02:13:12 # /usr/libexec/spamd
>
> Here is the last message to make it to sendmail from misc:
>
> fgrep from= /var/log/maillog|fgrep owner-misc|tail -1|awk '{print $1,$2,$3}'
> May 26 01:54:35
>
> The pf rules for spamd I have are taken from the default pf.conf:
>
> pass in on egress inet proto tcp from any to any port = 25 flags S/SA rdr-to 127.0.0.1 port 8025
> pass in on egress proto tcp from to any port = 25 flags S/SA
> pass in log on egress proto tcp from to any port = 25 flags S/SA
> pass out log on egress proto tcp from any to any port = 25 flags S/S
>
> It is currently Sat May 26 12:54:31 EST 201
>
> Times of passed smtp connections for May 26:
>
> tcpdump -n -e -ttt -r /var/log/pflog 2>&1|fgrep ".25:"|\
>     fgrep 'May 26'|awk '{print $3}'
> 01:14:53.793995
> 04:17:11.846707
> 05:00:19.443080
> 05:15:01.487277
> 07:17:51.114440
> 09:35:58.120098
> 10:14:21.444822
> 11:53:33.611903
>
> So I will skip the first entry when I grep for the ip addresses, with
> a tail +2 because it occurred *before* I reset everything.
>
> tcpdump -n -e -ttt -r /var/log/pflog 2>&1|fgrep ".25:"|\
>     fgrep 'May 26'|awk '{print $10}'|tail +2|\
>     awk -F. '{print $1"."$2"."$3"."$4}'|sort -n
> 17.254.6.112
> 74.125.82.47
> 113.172.232.215
> 129.21.208.44
> 202.58.38.80
> 203.59.1.110
> 206.46.252.115
>
> I have the following tables.
>
> pfctl -s Tables
> nospamd
> spamd-white
>
> Confirming against the spamd-white table
>
> pfctl -t spamd-white -Ts
>    17.254.6.112
>    74.125.82.47
>    113.172.232.215
>    129.21.208.44
>    202.58.38.80
>    203.59.1.110
>    206.46.252.115
>
> lists.openbsd.org = 192.43.244.163
>
> So nothing from misc has made it to sendmail since I emptied
> and on pf.conf
>
> These are all the attempts from lists.openbsd.org since I cleared the
> spamdb and pf tables.
>
> fgrep 192.43.244.163 /var/log/spamd|fgrep 'May 26'
> May 26 02:53:48 skitL spamd[25502]: 192.43.244.163: connected (1/0)
> May 26 02:54:00 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
> May 26 03:00:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
> May 26 03:00:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
> May 26 04:41:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
> May 26 04:41:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
> May 26 05:04:19 skitL spamd[25502]: 192.43.244.163: connected (2/1)
> May 26 05:04:31 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
> May 26 05:15:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
> May 26 05:15:36 skitL spamd[25502]: 192.43.244.163: dis
Re: spamd greylisting: false positives
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of David Diggles
Sent: 25 May 2012 11:14
To: misc@openbsd.org
Subject: Re: spamd greylisting: false positives

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way, other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:
> On 25.05.2012 01:09, David Diggles wrote:
> >Can messages get dropped if mail servers fail to resend within time
> >interval, after receiving the initial temporary failure message?
>
> It's dropped when it's first received, and it will continue to get
> dropped until passtime minutes have passed. If it is then received
> before greyexp hours have passed, it will be delivered and the remote
> host will be whitelisted for sending mail. If greyexp hours pass
> without seeing that tuple again, the tuple is deleted and it's back to
> the beginning for that host.
>
> You reduced greyexp to 1 hour, which may well be causing your problems.
> --
> Matthew Weigel
> hacker
> unique & idempot . ent

Hello
Not a behavior I can recognize. I would recommend to start over the configuration from the beginning, after checking the obvious system settings.
Standard settings should be fine as a starter. Later on, adjust to your likings.
You can find some good instructions (explanations) here :

http://www.pantz.org/software/spamd/configspamd.html
https://calomel.org/spamd_config.html

Regards
Hasse
Re: spamd greylisting: false positives
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of David Diggles
Sent: 25 May 2012 11:14
To: misc@openbsd.org
Subject: Re: spamd greylisting: false positives

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way, other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:
> On 25.05.2012 01:09, David Diggles wrote:
> >Can messages get dropped if mail servers fail to resend within time
> >interval, after receiving the initial temporary failure message?
>
> It's dropped when it's first received, and it will continue to get
> dropped until passtime minutes have passed. If it is then received
> before greyexp hours have passed, it will be delivered and the remote
> host will be whitelisted for sending mail. If greyexp hours pass
> without seeing that tuple again, the tuple is deleted and it's back to
> the beginning for that host.
>
> You reduced greyexp to 1 hour, which may well be causing your problems.
> --
> Matthew Weigel
> hacker
> unique & idempot . ent

Ahh... Just struck me
Please check the syntax of your pf rules
This is what's working for me :

table persist
pass in log on egress proto tcp from rdr-to 127.0.0.1 port smtp
pass in log on egress proto tcp from ! rdr-to 127.0.0.1 port spamd

/Hasse
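Matthew's description of the passtime and greyexp windows (quoted above) and the spamd log David posted earlier in the thread can be put together to see which retry, if any, lands inside the pass window. The script below is an added example, not code from the thread or from spamd(8): a POSIX sh/awk walk over the "connected" lines for one sender IP. The log lines are the ones David posted for 192.43.244.163; 25 minutes and 4 hours are spamd's documented default passtime and greyexp, and 120/6 is the -G setting David tried. It assumes every connection from the IP belongs to the same greylist tuple (the real tuple also includes HELO, sender and recipient, which the log lines do not show), counts greyexp from the first attempt without any refresh a later attempt might apply, and expects all lines to fall on the same day.

```shell
#!/bin/sh
# Added example (not from the thread or from spamd): replay the greylist
# decision for one IP over the "connected" lines spamd logs, for a given
# -G passtime:greyexp (whiteexp is irrelevant until the host is whitelisted).
#
# Simplifications, stated as assumptions:
#  - all connections from the IP are treated as one greylist tuple
#  - greyexp is measured from the first attempt and never refreshed
#  - every line is on the same day (HH:MM:SS is converted to seconds)

# Usage: greylist_sim IP PASSTIME_MINUTES GREYEXP_HOURS < spamd.log
# Prints one line per connection attempt and a final "RESULT: ..." line.
greylist_sim() {
    awk -v ip="$1" -v pass_s="$(( $2 * 60 ))" -v grey_s="$(( $3 * 3600 ))" '
        BEGIN { first = -1; white = "" }
        # "May 26 02:53:48 host spamd[123]: 1.2.3.4: connected (1/0)"
        $6 == (ip ":") && $7 == "connected" {
            split($3, hms, ":")
            t = hms[1] * 3600 + hms[2] * 60 + hms[3]
            if (first < 0 || t - first >= grey_s) {
                # no live entry (none yet, or it expired): start a new one
                first = t
                printf "%s %s greylisted (new entry, pass after %d min)\n", $3, ip, pass_s / 60
            } else if (t - first < pass_s) {
                printf "%s %s rejected (%d s since first attempt, < passtime)\n", $3, ip, t - first
            } else {
                printf "%s %s whitelisted (%d s since first attempt)\n", $3, ip, t - first
                white = $3
                exit            # END still runs after exit
            }
        }
        END {
            if (white == "") print "RESULT: not whitelisted"
            else print "RESULT: whitelisted at " white
        }
    '
}

# The attempts David posted for lists.openbsd.org (taken from the thread).
SPAMD_LOG='May 26 02:53:48 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 02:54:00 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
May 26 03:00:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 03:00:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
May 26 04:41:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)
May 26 04:41:36 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
May 26 05:04:19 skitL spamd[25502]: 192.43.244.163: connected (2/1)
May 26 05:04:31 skitL spamd[25502]: 192.43.244.163: disconnected after 12 seconds.
May 26 05:15:24 skitL spamd[25502]: 192.43.244.163: connected (1/0)'

# Stand-alone run: spamd defaults, then the setting David tried.
echo "== -G25:4:864 (spamd defaults)"
printf '%s\n' "$SPAMD_LOG" | greylist_sim 192.43.244.163 25 4
echo "== -G120:6:864 (as tried in the thread)"
printf '%s\n' "$SPAMD_LOG" | greylist_sim 192.43.244.163 120 6
```

With the defaults the 04:41:24 attempt is already past passtime and inside greyexp, and with 120/6 the 05:04:19 attempt is; so if the host still was not in spamd-white after those attempts, the timing shown here is not what blocked it, and the next thing to check is whether the connections really share one tuple as the simulation assumes. Against a live box the input would be `fgrep 192.43.244.163 /var/log/spamd | greylist_sim 192.43.244.163 25 4`.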
Re: Help setting up a PF NAT gateway
Hi Stefan,

On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich wrote:
> Simplest of things but I'm failing miserably.
>
> ...
>
> With tcpdump I can see packets going to vic3, but no further.

Do you definitely have forwarding enabled?

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf to enable forwarding if you haven't.

Regards,
Mark
Re: PF subdomain filtering
On Thu, Dec 16, 2010 at 5:21 PM, Rafal Brodewicz wrote:
> Hi.
>
> How can I pass with PF traffic from all subdomains, for example
> *.microsoft.com ?

You're thinking at the wrong layer. PF doesn't care about *.microsoft.com.

> Thanks.
> --
> Rafal Brodewicz
Re: I can't mount HDDs
Jose P.G wrote: I swear that i am not a troll. I don't understand anything, LOL, why have to be a troll? My questions are REAL, i haven't read the faq carefully, i only seek for help (more fast, i think). REALLY, i don't understand, when i was learning about Linux Debian i was doing the same questions (though Linux is more easy for beginners), why this mailing list is different? I repeat, i don't understand why i have to be a troll. "Thank you". Jose, without trying to be too rude, if this is the mindset you're bringing to the table, you're in way over your head and should probably stick to learning Debian further (based on the questions you're asking here, you very definitely have _not_ learned Debian/linux yet). Regards, Mark
Re: I can't connect to Internet
Jose P.G wrote: Ok, Internet is working. But i have the same problem. The strange is that i can connect to the ftps when i am installing openbsd4.4, but not when i am doing this. pkg_path is correct so i suppose that i am making an error writing, though all i do is "export pkg_path= ftp://ftp.openbsd.org/ub/openbsd/4.4/packages/i386/"; and "pkg_add gnome2". What could be doing this? Thank you very much. I sure hope this is just a troll. He has written "OpenBSD" in just about every way that won't work and is ignoring everyone telling him repeatedly that he has to capitalize BSD.
Re: Sun M-class hardware denial of service
My understanding of this issue is that it is only likely to be caused by an exploited domain, or running OpenBSD. Both should be a rare event (OpenBSD isn't really production-ready on this hardware). It's acceptable in the majority of cases to just let the domain be unused. It's a bug, it's irritating, it should be fixed, but it's not a huge problem.
Re: Packet Filter: how to keep device names on hardware failure?
> Question: How can I make sure that "em2" doesn't become "em0"
> if my dual-port NIC dies? This would be fatal for my firewall
> setup. At least the antispoof rules _must_ be bound to the
> network devices.

Yep, this is an ugly problem. You could have a shellscript at boot scan ifconfig output and associate NICs with their MAC addresses, adding appropriate macros to pf.conf.
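The boot-time script suggested above, written out as an added example (not code from the thread or from OpenBSD): a POSIX sh/awk pair that reads ifconfig output, maps each interface to its lladdr, and emits pf.conf macros from a role table keyed on MAC address. Because the point is that a dead port renumbers the survivors, the script refuses to emit anything it cannot resolve rather than let an undefined macro silently bind a rule to the wrong port. The interface names, MAC addresses and role names are constructed; the role table would normally live in a file under your control and be fed with real `ifconfig` output.

```shell
#!/bin/sh
# Added example (not from the thread): derive pf.conf interface macros from
# MAC addresses so the rule set keeps pointing at the right physical port
# even if the kernel renumbers em0/em1/em2 after a NIC dies.

# Role table, "<macro> <lladdr>" per line. Constructed values.
NIC_ROLES='ext_if 00:11:22:33:44:01
int_if 00:11:22:33:44:02
dmz_if 00:11:22:33:44:03'

# Constructed stand-in for `ifconfig` output after the port that carried
# ext_if has died: the former em1/em2 now show up as em0/em1.
IFCONFIG_SAMPLE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:02
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:03
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255'

# iface_macs: reads ifconfig output on stdin, prints "<ifname> <lladdr>"
# for every interface that reports a link-layer address.
iface_macs() {
    awk '
        /^[a-z]+[0-9]+:/ { ifn = $1; sub(/:$/, "", ifn) }   # "em0:" -> em0
        $1 == "lladdr"   { print ifn, tolower($2) }
    '
}

# pf_iface_macros: reads ifconfig output on stdin and prints one pf.conf
# macro per role in NIC_ROLES. Exit status 1 if any role has no interface,
# so a caller can refuse to load rules instead of guessing.
pf_iface_macros() {
    iface_macs | awk -v roles="$NIC_ROLES" '
        BEGIN {
            n = split(roles, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")
                want[tolower(f[2])] = f[1]        # lladdr -> macro name
            }
        }
        ($2 in want) {
            printf "%s = \"%s\"\n", want[$2], $1
            delete want[$2]
        }
        END {
            for (m in want) {
                printf "missing interface for %s (%s)\n", want[m], m > "/dev/stderr"
                rc = 1
            }
            exit rc
        }
    '
}

# Stand-alone run: two roles resolve, ext_if does not, so nothing is loaded.
if printf '%s\n' "$IFCONFIG_SAMPLE" | pf_iface_macros; then
    echo "# all roles resolved; safe to build the rule set"
else
    echo "# unresolved role; refusing to build the rule set" >&2
fi
```

In an rc.local-style hook the output would be written to a macro file and concatenated ahead of the rule body before a syntax check, along the lines of `ifconfig | pf_iface_macros > /etc/pf.macros && cat /etc/pf.macros /etc/pf.rules > /tmp/pf.conf && pfctl -nf /tmp/pf.conf`, with the real load only on success; an exit status of 1 from the script is the signal to leave the old rules in place and page someone.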
Re: Hardware recommendation for firewalls (more than 4 NICs)
> So you expect additional reliability from stacking ebayed cisco equipment
> with OpenBSD bridges behind them, as the original poster mentioned, and cost
> effectiveness by buying used cisco equipment and paying for relicensing so
> that you can get updates, compared to setting up OpenBSD boxes as routers, I
> am not following the logic, and still think the original post was
> ridiculous. I understand the logic behind the no moving parts embedded
> solution ideas, but am I the only person whom has seen embedded equipment
> fail 2-4x more often than the Proliants behind them? I just don't think that
> embedded=reliable is a cut and dry equation.

Provided the Cisco boxes will failover to different bridges, I think that it would increase reliability. There are also many occasions where it is impractical to have an OpenBSD box terminate a link - T3, OC-12, etc.

I explicitly mentioned that OpenBSD is much cheaper. One might get higher cost effectiveness in a few occasions (such as where the networking guys are clueless about OpenBSD).

Of course embedded != reliable, but there are many embedded systems available that provide much higher reliability than standard x86 systems. Most Cisco routers I've seen do have moving parts - big fans. You're probably not the only person to see such failure rates, but I expect new, well cared for Cisco routers have higher hardware reliability than new, well cared for Proliants. Other embedded equipment is very variable. What embedded equipment were you talking about?

The original post was ridiculous, but that doesn't make your reply accurate.
Re: Hardware recommendation for firewalls (more than 4 NICs)
On Fri, Aug 08, 2008 at 06:54:05PM -0500, patric conant wrote:
> You strongly overestimate the value of your comments (3 cents), it seems
> like there are many places more appropriate than this one for you to suggest
> middle-of-the-road hardware running a proprietary OS that has among the
> worst security records in the industry.

Oh, god, Cisco vs seems to degenerate into things like this.

IOS and IOS XR actually have quite a good security history - other Cisco software, no. If you doubt me, actually look at the security record - oh, and be careful not to just compare OpenBSD's "only 2 remote holes in the default install" vs IOS - many (most) of the IOS vulnerabilities are for things that haven't been enabled by default on recent IOS images.

Cisco routers general purpose computer parts of their routers are "middle-of-the-road hardware" in speed; much (slow) embedded hardware is far more reliable than the 'PC' equivalent.

Server hardware (you shouldn't run anything important on a PC -- use proper server hardware) + Linux/Solaris/NetBSD/FreeBSD/OpenBSD works well as a router and firewall. IOS on a Cisco router does as well. The *nix solution works well and is cheap, but in my experience it's still slightly less stable than the Cisco equivalent. More importantly in many ways, Cisco hardware is usually marginally more reliable (both are reliable) than server hardware.

IOS, while a complete PITA, is easier to configure than plain *nix OSes for networking stuff - one does not have sprawling config files, and making a config change updates running-config, making it easy to save your changes; ip address 192.0.2.0 255.255.255.255;do wr m is much easier than ifconfig fxp0 192.0.2.0/24;vi /etc/hostname.fxp0;. It's also much less error prone, which is important. With things like Quagga/Zebra this advantage is eliminated, but both of those have problems far more frequently than IOS.

IOS is a lot easier to upgrade than any *nix - just copy the image, reload. Downtime is short, though many of their routers boot slow. This *could* be changed (I'm thinking something along the lines of Solaris LU - but easier), but as of yet has not been.

But, it's *much* cheaper, and PF is vastly better than IOS's firewall.

Software routers struggle at high PPS; Cisco makes some nice hardware that can handle that. As does Juniper, and a few others.
Re: Any offshore OpenBSD hosting?
> But if ISP's must have blackbox on their interfaces (hello FBI), then you can't
> trust your local hosting company even if they are very friendly ;-)

Cisco prefers a blueish-black color. Juniper boxes tend to be white and blue.

In most Western countries there are many ISPs; if many of them were forced to have, in secret, black boxes on their networks, it would soon be public that that is occurring. Providers are, in many cases, being forced to allow, unmonitored, snooping by their governments - read up on CALEA. Hardware based routing platforms will be able to handle only a very small amount of traffic, the CPUs that are used in them tend to be very slow and even the fastest CPUs can route only a tiny amount of the traffic modern hardware-based routers can. So, if the government wants to monitor YOU specifically, or occasionally monitor everyone, they might be able to do it via CALEA.

If I wished to monitor a large amount of people's traffic (not all - that's not technically feasible), I would try and use passive taps with the cooperation of major transit providers. If I was on a smaller budget, then I would just do that with some major telcos. The NSA appears to have decided to use a hybrid approach. If I had very large amounts of money that I am willing to spend (well, government has lots of money, and it's not theirs, so why would they mind spending it?) I would do the same with cable providers (not the coax kind). I would definitely try and avoid small ISPs and IXPs - high maintenance, high whining and very difficult to perform surveillance using them clandestinely. Laying a submarine cable is far more expensive than starting an ISP or IXP.

So, basically, you are being paranoid about the wrong things.
Re: ssh-keygen not reading stdin as expected
> Option -f filename, Filename of the key file, seems to be the right
> option and '-' is the usual way of indicating stdin.

So? Just use /dev/stdin.
OpenBGPD IPv6 problems
I'm running OpenBSD 4.2 on SPARC64. I have managed to get a simple BGP setup working on IPv4, however the IPv6 version of the same setup fails. A BGP session is established in both cases and peer B claims to be announcing what it should be announcing, yet in the IPv6 version peer A does not add it to its RIB.

Host A:
  AS: 64512
  Loopback: 192.168.0.1  2001:db8::1
  To B: 192.168.1.1/24  2001:db8:1::1/64

Host B:
  AS: 64513
  Loopback: 192.168.0.2  2001:db8::2
  To A: 192.168.1.2/24  2001:db8:1::2/64
  To miscellaneous subnet: 192.168.2.1/24  2001:db8:2::1/64

Host A:

lo0:
        inet6 ::1 prefixlen 128
        inet6 2001:db8::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff00
        inet 192.168.0.1 netmask 0x
gem1:
        inet6 2001:db8:1::1 prefixlen 64
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255

bgp.conf.v4:
AS 64512
router-id 192.168.0.1
neighbor 192.168.1.2 {
        remote-as 64513
        announce all
}
allow from any

bgp.conf.v6:
AS 64512
router-id 192.168.0.1
neighbor 2001:db8:1::2 {
        remote-as 64513
        announce all
}
allow from any

bgpctl sh (v4):
Neighbor       AS     MsgRcvd MsgSent OutQ Up/Down  State/PrfRcvd
192.168.1.2    64513        3       3    0 00:00:13 2

bgpctl sh (v6):
Neighbor       AS     MsgRcvd MsgSent OutQ Up/Down  State/PrfRcvd
2001:db8:1::2  64513        3       4    0 00:00:31 0

bgpctl sh rib:
*> 192.168.0.2/32  192.168.1.2  100  0  64513 i
*> 192.168.2.0/24  192.168.1.2  100  0  64513 i

bgpctl sh rib inet6:
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete
flags destination gateway lpref med aspath origin

Host B:

lo0:
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet 192.168.0.2 netmask 0x
        inet6 2001:db8::2 prefixlen 128
gem0:
        inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255
        inet6 2001:db8:2::1 prefixlen 64
gem1:
        inet 192.168.1.2 netmask 0xff00 broadcast 192.168.1.255
        inet6 2001:db8:1::2 prefixlen 64

bgpd.conf.v4:
AS 64513
router-id 192.168.0.2
network 192.168.0.2/32
network 192.168.2.0/24
neighbor 192.168.1.1 {
        remote-as 64512
        announce all
}
allow from any

bgpd.conf.v6:
AS 64513
router-id 192.168.0.2
network 2001:db8::2/128
network 2001:db8:2::/64
neighbor 2001:db8:1::1 {
        remote-as 64512
        announce all
}
allow from any

bgpctl sh (v4)
Neighbor       AS     MsgRcvd MsgSent OutQ Up/Down  State/PrfRcvd
192.168.1.1    64512        2       4    0 00:00:11 0

bgpctl sh (v6)
Neighbor       AS     MsgRcvd MsgSent OutQ Up/Down  State/PrfRcvd
2001:db8:1::1  64512        2       2    0 00:00:06 0

bgpctl sh rib
AI*> 192.168.0.2/32  0.0.0.0  100  0  i
AI*> 192.168.2.0/24  0.0.0.0  100  0  i

bgpctl sh rib inet6
AI*> 2001:db8::2/128  ::  100  0  i
AI*> 2001:db8:2::/64  ::  100  0  i
Blackhole / reject routes
Currently I'm blackholing and rejecting some traffic with

  route add -reject/-blackhole 127.0.0.1

This works fine, but bounces all the rejected/blackholed traffic to the loopback interface. This behaviour is annoying, and possibly inefficient. I'm probably searching for a null/blackhole/fake address/interface. I tried creating an unconfigured pseudo-device, slapping an IP address on it and routing to it; it blackholes traffic effectively, but also blackholes traffic if you have a reject. What is a better way to reject/blackhole traffic in OpenBSD?
KSH and Bash problem with long commands
Hi All,

I have a small problem with KSH and Bash on OpenBSD 4.2 with very long commands. I have

  echo $SHELL
  /bin/ksh

and

  echo $KSH_VERSION
  @(#)PD KSH v5.2.14 99/07/13.2

and in my ~/.inputrc is

  set horizontal-scroll-mode Off

I found this setting in the readline man page:
http://www.openbsd.org/cgi-bin/man.cgi?query=readline&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

But unfortunately it does not work. It does not wrap the line in either KSH or Bash. Instead it overwrites the already written text, which is annoying if you have very long commands. I have tried /etc/inputrc with this entry as well, but it does not work either. I read the KSH man page as well but did not find any usable info there. Strangely enough, if I start a csh it works, but not with the other shells. Has anybody a fix or workaround for this? Every hint is appreciated!!

Regards
Stefan
Re: brute force voip QoS
To: Stuart Henderson <[EMAIL PROTECTED]>
Subject: Re: brute force voip QoS

> > pass out queue (std_out,lowdelay)
>
> here, you place ACKs from downloads at a higher priority than
> your voip calls. this is unlikely to be what you want with priq
> over a 140Kb/s link..

According to pf.conf, that also prioritizes packets with ToS set to lowdelay; looking at what ToS the packets have would be a good idea.
Re: low-MHz server
You said you live rurally - in that case, perhaps you should build/buy a small quality (read as: won't get wet) shed, have your systems there and run some outdoor-rated CAT5e from it to your house. That should allow you to use KVM extenders, serial, etc.

Remember the inverse-square law for RF. RF usually is attenuated greatly by opaque things, though just plants etc. will also attenuate. If you can place it behind a hill that would be good.

Also, apply for the JREF Million Dollar Challenge. If you succeed, you should have a lot more options on reducing RF.
Re: brute force voip QoS
> My bandwidth is very very limited. Not more than 140 Kbps on both
> sides at any time. I use G729 as a codec in order to reduce
> consumption. Use the pf.conf below, when VoIP is the only traffic,
> the quality of the calls is excellent with no voice cutting at all.
> Now if I start a download I immediately see the quality degrade.
>
> That is why I thought of using some radical policy.

That's strange; it may be your connection struggles at much lower bandwidths than nominal - for instance, perhaps it suffers high packet loss at 80% utilization; TCP could recover, but VoIP might be affected.

Doing what you want should be quite simple, though. There are many ways I can think of of detecting VoIP traffic if your ruleset manages to - have pf log (all) on a pflog interface dedicated to it, look at queue traffic - and many ways of blocking everything other than that. I can't think of an elegant way of doing what you want, though!
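Both replies in this thread turn on one detail of pf.conf(5): with `queue (primary, secondary)`, pf sends packets whose ToS has the lowdelay bit set, and TCP ACKs carrying no data, to the secondary queue, so `queue (std_out,lowdelay)` puts download ACKs (and anything marked lowdelay) ahead of the calls. The added Python example below is not from either message; it decodes the IPv4 ToS byte from raw packets and applies that two-queue rule, so you can see which queue a given packet would land in before touching the ruleset. All packets are constructed inline (RFC 5737 addresses, zero checksums); `VOIP_EF` assumes a phone that marks RTP with DSCP EF (ToS byte 0xb8), whose D bit is set, which is why inspecting the real ToS values matters.

```python
import socket
import struct

# IPv4 ToS byte (RFC 791): 3 precedence bits, then the D, T and R flags.
# pf's "tos lowdelay" and its implicit second-queue rule look at the D bit.
TOS_LOWDELAY = 0x10
TOS_THROUGHPUT = 0x08
TOS_RELIABILITY = 0x04
TCP_ACK = 0x10
TCP_PSH = 0x08


def build_ipv4(tos: int, proto: int, payload: bytes,
               src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Constructed IPv4 packet with a 20-byte header (checksum left zero)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(flags: int, data: bytes) -> bytes:
    """Minimal 20-byte TCP header (data offset 5) followed by data."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 65535, 0, 0) + data


def build_udp(data: bytes) -> bytes:
    """Minimal 8-byte UDP header followed by data."""
    return struct.pack("!HHHH", 10000, 10000, 8 + len(data), 0) + data


def ipv4_tos(packet: bytes) -> int:
    """ToS byte of a raw IPv4 packet (no link-layer header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1]


def describe_tos(tos: int) -> str:
    """Human-readable precedence and D/T/R flags of a ToS byte."""
    names = ((TOS_LOWDELAY, "lowdelay"), (TOS_THROUGHPUT, "throughput"),
             (TOS_RELIABILITY, "reliability"))
    flags = [n for bit, n in names if tos & bit]
    return f"precedence={tos >> 5} flags={','.join(flags) or 'none'}"


def is_pure_tcp_ack(packet: bytes) -> bool:
    """TCP segment with ACK set and no payload, the kind pf's rule counts."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if packet[9] != 6 or len(packet) < ihl + 20:
        return False
    data_off = (packet[ihl + 12] >> 4) * 4
    flags = packet[ihl + 13]
    return bool(flags & TCP_ACK) and total_len - ihl - data_off == 0


def second_queue_selected(packet: bytes) -> bool:
    """Which half of 'queue (primary, secondary)' a packet lands in: pf sends
    ToS-lowdelay packets and empty TCP ACKs to the secondary queue."""
    return bool(ipv4_tos(packet) & TOS_LOWDELAY) or is_pure_tcp_ack(packet)


# Constructed traffic samples.
VOIP_RTP = build_ipv4(0x00, 17, build_udp(b"\x80" * 20))       # unmarked RTP
VOIP_EF = build_ipv4(0xB8, 17, build_udp(b"\x80" * 20))        # RTP marked DSCP EF
DOWNLOAD_ACK = build_ipv4(0x00, 6, build_tcp(TCP_ACK, b""))    # empty ACK of a download
SSH_LOWDELAY = build_ipv4(TOS_LOWDELAY, 6, build_tcp(TCP_ACK | TCP_PSH, b"data"))
BULK_DATA = build_ipv4(TOS_THROUGHPUT, 6, build_tcp(TCP_ACK | TCP_PSH, b"x" * 100))

if __name__ == "__main__":
    for name, pkt in (("voip", VOIP_RTP), ("voip-ef", VOIP_EF), ("ack", DOWNLOAD_ACK),
                      ("ssh", SSH_LOWDELAY), ("bulk", BULK_DATA)):
        print(f"{name:8} {describe_tos(ipv4_tos(pkt)):40} "
              f"second queue: {second_queue_selected(pkt)}")
```

The point the output makes is that the two-queue shorthand classifies by header bits, not by application: an unmarked call lands in the primary queue behind the download's ACKs, while an EF-marked call happens to share the secondary queue with them. Giving the VoIP traffic its own explicitly matched queue removes the guesswork.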
Problems with pkg_add and partial installed package
Hello All,

I have a problem with pkg_add on OpenBSD 4.2. I tried to install the package freebsd_lib-4.11p0.tgz. The first try failed because the Internet connection broke, and on the second try I get this error:

  $ pkg_add -v freebsd_lib-4.11p0.tgz
  parsing freebsd_lib-4.11p0.tgz
  Can't install freebsd_lib-4.11p0 because of conflicts (partial-freebsd_lib-4.11p0)
  /usr/sbin/pkg_add: freebsd_lib-4.11p0:Fatal error

The same happens if I try to install it from ports.

  /usr/ports/emulators/freebsd_lib> make install
  ===> Installing freebsd_lib-4.11p0 from /usr/ports/packages/i386/all/
  Can't install freebsd_lib-4.11p0 because of conflicts (partial-freebsd_lib-4.11p0)
  /usr/sbin/pkg_add: freebsd_lib-4.11p0:Fatal error
  *** Error code 1

I checked in /var/db/pkg but do not find any entry. Has anybody an idea how I can fix this? I read the pkg_add man page and tried the -F switch as well, but it does not help.

Best Regards,
Stefan
Re: Regular Expression Problem
Hi All,

thanks for all the suggestions. With this it works:

  cat mail.txt | egrep "[EMAIL PROTECTED]" | egrep "\.[a-zA-Z]{2,4}$"

It is probably possible to avoid the last egrep but I have not found out how.

Regards,
Stefan

>> I got in the output (which I do not want):
>> [EMAIL PROTECTED] -> I believed with [a-zA-Z]{2,4} I can limit it after the
>> "." Or?
>> [EMAIL PROTECTED] -> It should be as well not possible with [a-zA-Z]{2,4}
>>
>> How can I exclude this?
> You did not say that after the 2-4 characters the line should end...
> End the pattern with $
>> As well I got as output this which I do not want:
>> [EMAIL PROTECTED]
>>
>> $ is normally the end of a line. But it should not be in a mail address.
>>
>> [a-zA-Z0-9.-_]+@
>> I use the "+" here with the meaning the [a-zA-Z0-9.-_] has to be available
>> min. one of them. Nothing for a @ makes really no sense.
> You did not say it should be at the beginning.. everything can be in
> front of the matching token. Start the pattern with ^
> Also you are not escaping the . - meaning it can match to anything.
> try it with this:
> egrep "[EMAIL PROTECTED],4}$"
> good source to read more about it is re_format(7)
> Regards,
> Julian
Regular Expression Problem
Hi All,

I have a problem with regular expressions and can not solve it. I want to egrep all mail addresses from a big text file. For testing I created this file:

  [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

I did the following

  cat mail.txt | egrep "[EMAIL PROTECTED],4}"

or

  cat mail.txt | egrep "[EMAIL PROTECTED]"

But I did not get what I expected. I got in the output (which I do not want):

  [EMAIL PROTECTED] -> I believed with [a-zA-Z]{2,4} I can limit it after the "." Or?
  [EMAIL PROTECTED] -> It should be as well not possible with [a-zA-Z]{2,4}

How can I exclude this?

As well I got as output this which I do not want:

  [EMAIL PROTECTED]

$ is normally the end of a line. But it should not be in a mail address.

  [a-zA-Z0-9.-_]+@

I use the "+" here with the meaning the [a-zA-Z0-9.-_] has to be available min. one of them. Nothing for a @ makes really no sense.

Every help is appreciated. Thank you.

Regards,
Stefan
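Julian's reply and Stefan's follow-up above cover the missing `^`/`$` anchors and the unescaped `.`. There is a third trap in the class quoted in the thread, `[a-zA-Z0-9.-_]`: the hyphen between `.` and `_` is a range operator, so the class silently admits every character from `.` (0x2E) to `_` (0x5F), including `@`, `<`, `>`, `:` and `;`. The added Python example below is from neither poster; it shows all three problems with Python's `re` on constructed lines (the list archive redacted the thread's own addresses and patterns, so the patterns here are stand-ins in the same shape). Bracket ranges and anchors behave the same way in egrep's POSIX ERE, with one caveat: in a locale other than C, POSIX range membership follows collation order rather than byte order, so a hyphen meant literally belongs first or last in the class, as in `STRICT`.

```python
import re

# Constructed test lines; the thread's own addresses were redacted by the
# list archive, so these stand in for them.
LINES = [
    "user@example.com",         # plain address: should match
    "first.last@example.org",   # dot in the local part: should match
    "user@example.c",           # last label too short: should not match
    "user@example.comma",       # last label too long: should not match
    "user@examplexcom",         # no '.' at all: only an unescaped '.' accepts it
    "$user@example.com",        # '$' is not part of the address: should not match
    "junk<>@example.com",       # '<' and '>' sit inside the .-_ range
    "  user@example.com  ",     # surrounded by whitespace: should not match
]

# Three stages of the pattern.  LOOSE has no anchors and an unescaped '.';
# ANCHORED_BAD_RANGE fixes those but keeps the ".-_" range; STRICT also
# moves the hyphen to the end of the class so it is a literal '-'.
LOOSE = re.compile(r"[a-zA-Z0-9.-_]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,4}")
ANCHORED_BAD_RANGE = re.compile(r"^[a-zA-Z0-9.-_]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$")
STRICT = re.compile(r"^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$")


def range_members(lo: str, hi: str) -> str:
    """Every character a bracket range lo-hi admits (byte / C-locale order)."""
    return "".join(chr(c) for c in range(ord(lo), ord(hi) + 1))


def matching(pattern, lines):
    """The lines egrep would print: those containing a match anywhere."""
    return [line for line in lines if pattern.search(line)]


if __name__ == "__main__":
    print("'.-_' admits:", repr(range_members(".", "_")))
    for name, pat in (("LOOSE", LOOSE), ("ANCHORED_BAD_RANGE", ANCHORED_BAD_RANGE),
                      ("STRICT", STRICT)):
        print(f"{name}:")
        for line in matching(pat, LINES):
            print("   ", repr(line))
```

`LOOSE` prints every one of the eight lines, which is the behaviour the original post complains about. Anchoring and escaping the dot leaves only the two valid addresses plus `junk<>@example.com`, which survives solely because of the range; `STRICT` rejects it too. The same reasoning applies wherever a character class is used for input validation: a hyphen in the middle of a class should always be checked for what it actually spans.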
Max IPs per Interface
Good Morning, Could someone tell me what the maximum number of IP addresses OBSD will support per interface is please? I'd like to setup in excess of 255 IPs on my external firewall interface, and I'm wondering how BSD will handle this. Please advise. Regards, Garron Kramer -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
OBSD+PF+VLAN+CARP
Good Morning,

I still seem to be having problems with PF+VLANs. It seems that PF does not want to NAT traffic from my internal VLAN to my external VLAN IP address. Can someone advise if they have managed to get PF (NAT) + VLAN + CARP working, and or if anyone has experienced the same issues as myself?

Regards,
Garron
PF+VLAN+CARP+PFSYNC
Good Morning,

I'm currently in the process of configuring a new firewall for my company and would like to know the following:

1. Is it possible to configure OpenBSD firewall interfaces as follows:

     carp10 - int/ext virtual eth dev (ip of CVI - shared between fw's)
       |
     vlan10 - int/ext virtual eth dev (ip of NDI - not shared)
       |
     pcn0   - int/ext eth device (no ip)

   Basically, I'd like to use vlans on top of physical interfaces, with carp devices on top of vlan logical interfaces.

2. I'm guessing that when the firewall is configured as above, I'll refer to the vlan interface with the carp-specific IP address (rather than the physical interface)?

3. Do I need to add virtual IP addresses to the firewall to answer for each public IP address, or can I simply configure the router to route all traffic for the subnet through the IP address of the external carp device of the firewall?

Regards,
Garron
Tcpdstat
Hi,

has anybody got tcpdstat installed on OpenBSD 4.x? Tcpdstat from http://staff.washington.edu/dittrich/talks/core02/tools/tcpdstat-uw.tar is a very nice tool to get summary information from a tcpdump file. The output includes the number of packets, the average rate and its standard deviation, the number of unique source and destination address pairs, and the breakdown of protocols. I would appreciate every help or hint to get it compiled. I remember that I could compile it on OpenBSD 3.6, but on the new 4.1 it always fails.

Regards,
Stefan
SQUID Banner
Hi,

I am using OpenBSD 4.0 with the package squid-2.5.STABLE13.tgz. I have a question about /etc/squid.conf and the banner. If I use an environment-checking website such as http://ipid.shat.net/ I get, after going through Squid, this result:

  HTTP_VIA 1.1 obsd.test.com:3128 (squid/2.5.STABLE13)

or with another test

  Proxy Host/Type: 1.1 obsd.test.com:3128 (squid/2.5.STABLE13)

I found in /etc/squid.conf that Squid uses this for it:

  visible_hostname obsd.test.com

Is there any possibility to avoid the output (squid/2.5.STABLE13) and get only

  HTTP_VIA 1.1 obsd.test.com:3128

or only the output squid? On Apache it is possible with ServerTokens to reduce the banner, but in Squid I do not find anything. I would be grateful for every hint. Maybe an extra software package?

Regards,
Stefan
Re: dmesg and fdisk do not match about usb external disk
On Thu, 8 Feb 2007 15:09:10 +0100, "mickey" <[EMAIL PROTECTED]> said:
> On Thu, Feb 08, 2007 at 03:02:32PM +0100, frantisek holop wrote:
> > hmm, on Thu, Feb 08, 2007 at 02:06:45PM +0100, mickey said that
> > > On Thu, Feb 08, 2007 at 10:13:29AM +0100, frantisek holop wrote:
> > > > hmm, on Tue, Jan 30, 2007 at 07:40:52PM -0500, Nick Holland said that
> > > > > It means translation is stupid, but we keep doing it. :)
> > > >
> > > > it is not really the translation that got me worried
> > > > (although wouldn't it be more consistent to use the n x 255 x 63
> > > > version everywhere?) but the different number of sectors..
> > > > thanks for the great explanation.
> > >
> > > who gives a flying fuck?
> > > bios is using it's own geometry and we are using ours.
> > > how about you ask those spammers to send dick measurements in meters?
> >
> > perhaps this could go into the faq?
>
> what? dick measurement techniques?

And not long ago I wrote to the list that this list *is* nice and people don't get attacked unless they become obnoxious. Please, thank you for proving me absolutely wrong. Jeez, you know more about how the BIOS and the OS report disk geometries and his enquiries annoy you? Please get over it.

Sorry to everyone for also wasting more of this list's bandwidth.
Re: Netra X1 and Serial from OpenBSD
Google won't help you. Use dmesg and the manpages.

OK, first dmesg to find the real serial io ports. If necessary, man every device listed in dmesg. I think you'll find that you have a zs or a sab device.

  man sab

Look in the FILES and SEE ALSO sections of the manpage.

The message you get means that the carrier detect part of the driver hasn't yet detected a carrier. Traditional ways to deal with this were to re-wire the connector to cheat, or to use a driver (often by a mode bit in mknod) which ignores carrier. ttyb is AFAIK deprecated in favor of ttyNN.

-sam