Re: how does one manage to fill a TB of data

2006-09-09 Thread Peter Blair

Database backups here at work are enormous.  A TB is nothing these days.

On 9/9/06, Peter Fraser [EMAIL PROTECTED] wrote:

 Multi system backups to disk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of pedro la peu
Sent: Friday, September 08, 2006 8:50 PM
To: misc@openbsd.org
Subject: Re: preferred hardware platform

 And seriously, how does one manage to fill a TB of data?
 /rant

DVB.




Re: Active Directory authentication

2006-08-15 Thread Peter Blair

That's not an easy scenario.

Perhaps the simplest solution would work for you.

You could implement a generic account on the firewall called, say,
"wifi-user".  SSH into the firewall (not using Kerberos or anything)
and log in using the shared password for wifi-user.

The login shell could point to a script that would ask for an NTLM
friendly username & password, and the firewall could then attempt to
read a file from \\someserver\someshare\file.txt using samba.

If the contents of that file match a pre-known string say
'authenticated' then you know that the supplied username & password
are valid on the AD.  If so, then proceed with authpf.

Now set up read permissions on that file.txt, and give read permission
to an AD group called wifi-users and add the users to the
wifi-users group.

It's not fancy, and I'm sure that some people on the list would
dislike the inelegance of the solution, but it has worked in the
past for me with a squid-proxy setup.

On 8/15/06, Steve Shockley [EMAIL PROTECTED] wrote:

I'm researching setting up a wireless gateway using OpenBSD and authpf.
  We've got an existing Active Directory (2003) domain with about 5000
user accounts that I'd like to authenticate against.

LDAP seemed like the obvious choice, but it appears I need to create
local accounts to use login_ldap, and it'd be unwieldy to sync 5000
users.  There's also a patch for nsswitch, but I'd rather not use a
custom build if I don't have to.

Kerberos also sounded like a good idea, but if I understand correctly,
the clients would need a Kerberized ssh client, and they'd have to be
able to access the KDC before logging in to the gateway.

Is there a better way to do this?
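The login-shell check sketched in the reply above, written out as an added example (this is not code from the thread, from OpenBSD or from Samba). The server, share, file and domain names are placeholders; the marker file is assumed to contain the single word "authenticated", and smbclient is assumed to write the fetched file to standard output when the local file name is "-". Two things the sketch leaves implicit are handled here: the username is whitelisted before it is passed to smbclient, so a name containing shell metacharacters cannot turn into command injection, and the password reaches smbclient through its environment rather than on the command line, where any local user could read it from ps(1).

```shell
#!/bin/sh
# wifi-login: login shell for the shared "wifi-user" account.
# Prompts for an AD username and password, proves them by reading a marker
# file from a share that only members of the AD group "wifi-users" can
# read, and on success hands the session to authpf.
#
# Added example, not code from the thread.  Host, share, file and domain
# names below are placeholders.
set -eu

AD_SERVER=${AD_SERVER:-someserver}
AD_SHARE=${AD_SHARE:-someshare}
AD_FILE=${AD_FILE:-file.txt}
AD_DOMAIN=${AD_DOMAIN:-EXAMPLE}
MARKER=${MARKER:-authenticated}
AUTHPF=${AUTHPF:-/usr/sbin/authpf}

# Accept only usernames that are safe to hand to another program: no
# shell metacharacters, spaces or backslashes (the DOMAIN\user form).
valid_username() {
    case $1 in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# The share contents count as proof only if they are exactly the marker
# (trailing whitespace tolerated).  An SMB error text, an empty read or
# an unexpected file all fail closed.
marker_ok() {
    [ "$(printf '%s' "$1" | sed -e 's/[[:space:]]*$//')" = "$MARKER" ]
}

# Fetch the marker with the user's credentials.  The password travels in
# the PASSWD environment variable, never on the command line, so it is
# not visible in ps(1) output.  (Assumes smbclient writes the file to
# stdout when the local name is "-".)
fetch_marker() {
    PASSWD=$2 smbclient "//$AD_SERVER/$AD_SHARE" -W "$AD_DOMAIN" -U "$1" \
        -c "get $AD_FILE -" 2>/dev/null || true
}

login() {
    printf 'AD username: '
    read -r user
    valid_username "$user" || { echo 'rejected username' >&2; exit 1; }
    printf 'AD password: '
    trap 'stty echo' EXIT            # restore the terminal even on ^C
    stty -echo; read -r pass; stty echo; echo
    if marker_ok "$(fetch_marker "$user" "$pass")"; then
        logger -t wifi-login "AD auth ok for $user from ${SSH_CLIENT:-unknown}"
        exec "$AUTHPF"
    fi
    logger -t wifi-login "AD auth failed for $user from ${SSH_CLIENT:-unknown}"
    sleep 2                          # slow down guessing through the shared account
    exit 1
}

# Only start the prompt for a real interactive ssh session; sourcing or
# testing this file must not block on read.
if [ -t 0 ] && [ -n "${SSH_CONNECTION:-}" ]; then
    login
fi
```

Install it as the login shell of the shared account in /etc/passwd, with authpf set up as authpf(8) describes. Because every session runs as the one local user, authpf looks for per-user rules under wifi-user, not under the AD name; the AD name survives only in the syslog line.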




Re: PF redirect to another IP on LAN

2006-07-29 Thread Peter Blair

man pf.conf

Secondly, it's been discussed numerous times on the list that bridges
have their place (I use them in production environments at our data
centre) but you'll find filtering a bridge much more difficult than
filtering a NAT.

On 7/29/06, elaconta.com Webmaster [EMAIL PROTECTED] wrote:

Hi

I've just successfully configured an OpenBSD bridge with two NICs to
separate and filter traffic between our private LAN (192.168.1.0/24) and
our router (192.168.1.120).
I've given an IP address to one of the NICs (192.168.1.121) on the
bridge and am running a Bind caching nameserver on it. Now, the next
thing we'd need to do would be to redirect any traffic that comes
through the bridge destined to IP address 192.168.1.121 port 80 to
another server in the LAN (192.168.1.103 port 80).
From what i understand, this entails using PF and the rdr statement. Any
ideas on how to do this successfully? Thanks.

--
Elaconta.com webmaster
--




Re: looking for clue

2006-07-20 Thread Peter Blair

On 7/20/06, Rahul Sharma [EMAIL PROTECTED] wrote:

Hi Peter Phillips,
It is not Mr. Eric Pancer but me (rahulthehacker) who is asking for help on
dhcpd lease.


Wrong:

http://www.sigmasoft.com/~openbsd/archives/html/openbsd-misc/2006-06/msg01371.html



Re: looking for clue

2006-07-20 Thread Peter Blair

On 7/20/06, Rob Baldassano [EMAIL PROTECTED] wrote:

Please forgive me if I am wrong but...


This thread should die.


  Question is:
  Why would you WANT your clients to constantly get new IPs?
  it disrupts SSL communication traffic, especially when you are dealing with
  externally available IPs.


Exactly.  This thread is just a relapse of an already settled issue
due to some mistaken identity.  You of course (IMHO) are correct;
unfortunately this thread doesn't warrant the quality of your
response.

-Pete



Re: How to compile DHCPD source code

2006-07-07 Thread Peter Blair

First, *don't* download source from the cvsweb website.  That source
is handy for browsing, but you should be getting your code from a cvs
repository.

Look at the instructions for a given patch for guidance:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch

And then rebuild and install sendmail:
cd gnu/usr.sbin/sendmail
make obj
make depend
make
make install

On 7/7/06, Rahul Sharma [EMAIL PROTECTED] wrote:

Hi,
I need to make some minute changes to the db.c file that comes under the
DHCP source code.
I wanted to know how I can run dhcp now with these changes.
Please tell me whether I have to recompile the whole source code (kernel)
again, or if there is any way
to compile only this DHCP code.

What I have done so far is
I have downloaded all files needed for DHCPD from
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/

After that I made changes to the file db.c.
Now I'm stuck here.
Anyone, please help.  Tell me what to do.
Thanks for reading this mail anyway.

Rahul




Re: How to compile DHCPD source code

2006-07-07 Thread Peter Blair

Rahul:

You don't need the sendmail patch, but it does outline the steps
required to (re-)compile and install system software.

-Pete

P.S.  Don't forget to CC misc@

On 7/7/06, Rahul Sharma [EMAIL PROTECTED] wrote:

Hi Peter,
 Thanks for your reply.
 It seems confusing to me that for recompiling the dhcpd code I require the
sendmail patch.
 Can you please explain that to me?
 Warm regards
 Rahul


On 7/7/06, Peter Blair [EMAIL PROTECTED] wrote:
 First, *don't* download source from the cvsweb website.  That source
 is handy for browsing, but you should be getting your code from a cvs
 repository.

 Look at the instructions for a given patch for guidance:


ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch

 And then rebuild and install sendmail:
 cd gnu/usr.sbin/sendmail
 make obj
 make depend
 make
 make install

 On 7/7/06, Rahul Sharma [EMAIL PROTECTED] wrote:
  Hi,
  I need to make some minute changes to the db.c file that comes under the
  DHCP source code.
  I wanted to know how I can run dhcp now with these changes.
  Please tell me whether I have to recompile the whole source code (kernel)
  again, or if there is any way
  to compile only this DHCP code.
 
  What I have done so far is
  I have downloaded all files needed for DHCPD from
 
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/
 
  After that I made changes to the file db.c.
  Now I'm stuck here.
  Anyone, please help.  Tell me what to do.
  Thanks for reading this mail anyway.
 
  Rahul
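The four steps Peter quotes from the sendmail patch header, wrapped in a small script as an added example (not code from the thread or from the OpenBSD project). It assumes /usr/src is a checkout of the release branch named by TAG, that the anoncvs mirror name is a placeholder to replace with a nearby one, and that the program to rebuild is named by its path inside the tree, usr.sbin/dhcpd for the db.c in question. Fetching with a tag rather than saving files from cvsweb is a matter of provenance: a tagged checkout records which revision of every file you built, and an errata patch applies cleanly against it. DRYRUN=1 prints what would run instead of running it.

```shell
#!/bin/sh
# rebuild-prog: rebuild one program from the OpenBSD source tree the way
# the errata patch headers describe it.  Added example, not from the
# thread.  Assumes /usr/src is a checkout of the release branch TAG from
# an anoncvs mirror; the mirror name is a placeholder.
set -eu

SRCROOT=${SRCROOT:-/usr/src}
SRCPARENT=${SRCROOT%/*}                       # where "src/..." is checked out
TAG=${TAG:-OPENBSD_3_9}
CVSROOT=${CVSROOT:-anoncvs@anoncvs.ca.openbsd.org:/cvs}
DRYRUN=${DRYRUN:-0}

# Run a command inside a directory, or with DRYRUN=1 print "dir: command".
run_in() {
    d=$1; shift
    if [ "$DRYRUN" = 1 ]; then
        printf '%s: %s\n' "$d" "$*"
    else
        ( cd "$d" && "$@" )
    fi
}

# Map a path relative to the tree (e.g. usr.sbin/dhcpd) to its directory,
# refusing absolute paths and anything that climbs out of SRCROOT.
src_dir_for() {
    case $1 in
        '' | /* | *..*) return 1 ;;
    esac
    printf '%s/%s\n' "$SRCROOT" "$1"
}

# Fetch or update just that subtree at the release tag.  Files saved from
# the cvsweb browsing pages carry no tag and give no way to verify which
# revision you got; a tagged checkout does.
fetch_source() {
    run_in "$SRCPARENT" cvs -qd "$CVSROOT" get -r"$TAG" -P "src/$1"
}

# Apply a patch from the top of the tree, exactly as the errata headers say.
apply_patch() {
    run_in "$SRCROOT" patch -p0 -i "$1"
}

# The four steps every errata patch lists for a userland program.  Nothing
# here touches the kernel; only the one program is rebuilt and installed.
rebuild() {
    dir=$(src_dir_for "$1") || { echo "bad path: $1" >&2; return 1; }
    for step in obj depend '' install; do
        run_in "$dir" make $step
    done
}
```

Usage: `DRYRUN=1 sh rebuild-prog.sh` after defining the functions, then `rebuild usr.sbin/dhcpd` (as root, without DRYRUN) once the edited db.c is in place.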




Re: Forbidding access in pf from subdomains

2006-07-06 Thread Peter Blair

Something like:

pass in quick on $ext_if from { $friendly_networks } to any port ssh keep state
block in on $ext_if from any to any port ssh

should work.  You can place $friendly_networks into a table that
gets loaded from a file if the list is large.  And/or update it via
pfctl on the fly.

On 7/6/06, Bharj, Gagan [EMAIL PROTECTED] wrote:

Hello Folks,

Our server is getting hammered on a daily basis by IPs trying to open an ssh
session.  Currently, I'm manually putting the subnets (in a pf table) that are
repeatedly trying to get in.  As you can see, this list will eventually get
very big and will be unmaintainable.  Is there any way that I can say only
allow IP addresses from particular ISPs or domains?

Regards,
Gagan




Re: Forbidding access in pf from subdomains

2006-07-06 Thread Peter Blair

Sorry, I didn't fully comprehend your e-mail (that's what I get for
reading my openbsd mail at work!) the first time around.

Have you attempted to write a script that gets the network address for
a host via `whois` and start expanding the blacklist?

For instance, monitor your logs for repeated attempts, and add that IP
to a list.  Then grow your denial subnet.  Start denying traffic
from the /30 network around that address, then up it to /29, then /28,
etc etc until you've effectively cut out the offending network.

The problem is that the offender may have a /26 network, but their IP
is part of a /16 network that has been privately subnetted.  So it's
difficult to say "ok, jerk.com has xxx.yyy.zzz.xyz IP, and that
belongs to the xxx.yyy/16 network, so I'll block out all 65 thousand
addresses".

On 7/6/06, Peter Blair [EMAIL PROTECTED] wrote:

Something like:

pass in quick on $ext_if from { $friendly_networks } to any port ssh keep state
block in on $ext_if from any to any port ssh

should work.  You can place $friendly_networks into a table that
gets loaded from a file if the list is large.  And/or update it via
pfctl on the fly.

On 7/6/06, Bharj, Gagan [EMAIL PROTECTED] wrote:
 Hello Folks,

 Our server is getting hammered on a daily basis by IPs trying to open an ssh
 session.  Currently, I'm manually putting the subnets (in a pf table) that are
 repeatedly trying to get in.  As you can see, this list will eventually get
 very big and will be unmaintainable.  Is there any way that I can say only
 allow IP addresses from particular ISPs or domains?

 Regards,
 Gagan
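An added example (not from the thread) of the log-watching script described in the two replies above, in shell and awk: it counts failed sshd logins per source address in authlog lines read on stdin, prints the pfctl commands that add repeat offenders to a pf table, and can widen each address to the surrounding /30, /29, ... block. It assumes a pf.conf that declares the table and blocks from it (shown in the header comment), and it refuses to widen past a /24 for exactly the reason given above: the address may sit in someone else's /16. The sample log lines in the test are constructed.

```shell
#!/bin/sh
# ssh-bruteforce: count failed sshd logins per source address and emit the
# pfctl commands that put repeat offenders into a pf table, optionally
# widened to the surrounding CIDR block.  Added example, not from the
# thread.  Assumes pf.conf declares the table and blocks from it:
#     table <bruteforce> persist
#     block in quick on $ext_if from <bruteforce> to any port ssh
set -eu

THRESHOLD=${THRESHOLD:-5}     # failures before an address is listed
TABLE=${TABLE:-bruteforce}
MIN_PREFIX=${MIN_PREFIX:-24}  # never widen beyond a /24 on one address's evidence

# Read authlog lines on stdin; print "count address" for every source that
# produced at least THRESHOLD failures.  Matches the "Failed password for"
# and "Invalid user" forms that sshd logs.
offenders() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (a in n) if (n[a] >= t) print n[a], a }
    ' | sort -rn
}

# Print the CIDR block of the given prefix length that contains the
# address, e.g. network_of 203.0.113.77 28 -> 203.0.113.64/28.  Refuses
# prefixes shorter than MIN_PREFIX: the /16 an address sits in is usually
# shared with thousands of unrelated hosts.
network_of() {
    len=$2
    [ "$len" -ge "$MIN_PREFIX" ] && [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$len"
}

# Turn the offender list into pfctl commands, one per block.  Pipe the
# output to sh as root to apply; "persist" keeps the table across reloads.
block_commands() {
    prefix=${1:-32}
    offenders | while read -r count addr; do
        net=$(network_of "$addr" "$prefix") || continue
        printf 'pfctl -t %s -T add %s  # %s failures\n' "$TABLE" "$net" "$count"
    done
}
```

Run it from cron against /var/log/authlog. pf can also do the counting by itself, with no script: on OpenBSD 3.7 and later a state option on the ssh pass rule such as `(max-src-conn-rate 5/30, overload <bruteforce> flush global)` fills the same table from inside the kernel.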




Re: News From HiFn

2006-07-05 Thread Peter Blair

Ya, that'd be nice if I ever made it to a prompt to enter 'anonymous',
but the connection fails well before that point.

$ ping ftp.hifn.com
PING ftp.hifn.com (208.10.194.169): 56 data bytes
64 bytes from 208.10.194.169: icmp_seq=0 ttl=117 time=100.851 ms
64 bytes from 208.10.194.169: icmp_seq=1 ttl=117 time=100.228 ms
^C
--- ftp.hifn.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 100.228/100.540/100.851/0.311 ms
$ ftp ftp.hifn.com
ftp: connect: Connection refused
ftp

Nice :)
On 7/5/06, J.C. Roberts [EMAIL PROTECTED] wrote:

On Tue, 4 Jul 2006 18:48:28 +0200, Joachim Schipper
[EMAIL PROTECTED] wrote:

On Tue, Jul 04, 2006 at 12:16:45PM -0400, Nick Guenther wrote:
 On 7/4/06, Peter Blair [EMAIL PROTECTED] wrote:
 On 6/29/06, J.C. Roberts [EMAIL PROTECTED] wrote:
  I just got a call this afternoon from Tom Moore to let me know they've
  set up an anon FTP site (no registration) with their documentation:
 
  ftp://ftp.hifn.com
 
  This should take care of any of the long standing issues OpenBSD has had
  with the HiFn's procedures for releasing documentation.
 
  I was told HiFn is still working on their new ftp site, so I'm not sure
  how complete it is at the moment but at least we know there's a start
  and they are willing to continue working on it.
 
 Has anyone tried recently to connect to ftp.hifn.com ?  I haven't been
 able to connect from multiple locations.

 Doesn't work here either. Curious...

Looks like they're still working on it, as announced; it does not accept
connections.

Give them some time; this is not entirely unexpected behaviour from a
server they just set up.

   Joachim


Joachim has a good point.

What error messages are you guys getting?  -I'm thinking there would be
a limit on the number of anon users the server will accept at any one
time.

Not only will all the various search engines try to index the site but
also I would not be surprised if many individuals tried to make a local
mirror of the site contents now that they are open.  -The traffic influx
might make a mess out of their IDS.

jcr


--
Free, Open Source CAD, CAM and EDA Tools
http://www.DesignTools.org




'route-to' question

2006-07-05 Thread Peter Blair

Hello lists! (sorry if cross-list posting is frowned upon)

I'm setting up a BSD/pf machine that will be working as a binat
firewall for a number of hosts on two /28 subnets belonging to the
same co-location provider.

The BSD machine is already live, working hard for one subnet, and I
don't have extra hardware to test this out in a lab environment (nice,
I know), so I'd just like a little wisdom from the lists before I go
live with this pf change:

I'm wondering if I can use the "route-to" option with pf in order to
force all traffic from subnet A through subnet A's gateway, while
subnet B's traffic goes through subnet B's gateway.  Right now, subnet
B is setup and running with B's gateway as the host for the 0.0.0.0
network.  Now, with straight routing, I can't seem to find a way to
enable multi-path routing to the 0.0.0.0 network along these lines:

if src is from netA: pass traffic to gwA
if src is from netB: pass traffic to gwB

Now, since I have only one external interface (see diagram at bottom),
how can I rearrange the following pf statements (from the pf faq):

pass out on em0 route-to (em0 $ext_gw2) from em0 to any
pass out on em0 route-to (em0 $ext_gw1) from em0 to any

Can I get by by simply aliasing all of the IPs on em0 (external
interface) or do I have to vlan the external device to get distinct
interface names?

Thanks, Pete.

Quick/Dirty Diagram:

204.15.193.0/28 + (aliases 204.15.193.2-14)
|
+-- (em0) BSD (em1) --+ (Tagged VLAN)
|   |
204.15.193.16/28 -- +   |
 ( aliases 204.15.193.18-30) +-+
  |
+-+- VLAN2 (192.168.3/24)
| |
| +- VLAN5 (10.10.5/24)
|
+--- VLAN6 (10.10.6/24)



Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)

2006-07-04 Thread Peter Blair

I haven't tried under OpenBSD, but mounting /tmp as a ramdisk could
prove viable.

On 7/4/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Some days ago I read a question related to encrypting a partition.
I just know that swap gets encrypted automatically.
Wouldn't it be possible to also encrypt /tmp and /var/tmp automatically
with the same mechanism which is used to encrypt the swap?

Somebody mentioned that encrypting /tmp would be needed too because many
applications store their temp. data there (which is mostly correct).

I didn't post that question to tech because misc@ is a better place but
maybe a developer could answer my question.
I thought about the statement that encrypting /tmp and /var/tmp is a good
idea and I would agree, so are there any (technical?) reasons that can't
be done even if a user does not use svnd?
And btw: wouldn't it be better to use rm -P for /tmp/* (or even -P as
default for rm?)?

Kind regards,
Sebastian




Re: News From HiFn

2006-07-04 Thread Peter Blair

Has anyone tried recently to connect to ftp.hifn.com ?  I haven't been
able to connect from multiple locations.

-Pete

On 6/29/06, J.C. Roberts [EMAIL PROTECTED] wrote:

Howdy misc@

Though I stayed out of the last public fiasco regarding HiFn here on the
misc@ list, I privately contacted the people I know at the company. I
didn't reply just to Hank Cohen who posted here on misc@ but I also
included the VP of engineering (Russ Dietz), the CEO (Chris Kebner) and
the VP of marketing (Tom Moore).

I just got a call this afternoon from Tom Moore to let me know they've
set up an anon FTP site (no registration) with their documentation:

ftp://ftp.hifn.com

This should take care of any of the long standing issues OpenBSD has had
with the HiFn's procedures for releasing documentation.

I was told HiFn is still working on their new ftp site, so I'm not sure
how complete it is at the moment but at least we know there's a start
and they are willing to continue working on it.

Please check out the readme on the FTP. Basically it says if you wish to
automatically get the HiFn updates/errata/notifications, you should
probably sign up for the HiFn extranet thing. You don't have to but
you can if you want.

Kind Regards,
JCR


--
Free, Open Source CAD, CAM and EDA Tools
http://www.DesignTools.org




Re: X not found

2006-07-04 Thread Peter Blair

If you have no parts of X installed, then how do you expect to link
against it?  If you plan to use your OpenBSD machine as a headless X
client, then you'll need to install the requisite libs.

You'll save yourself a lot of time and headache if you just install the X set.

On 7/4/06, Lawrence Horvath [EMAIL PROTECTED] wrote:

I have been getting the following error, and wasn't sure if I have to
totally install X or can I just install a minimal lib set to get the
error to stop; at this time I do not have any parts of X installed.

# make
===>  qemu-0.8.0p3 uses X11, but /usr/X11R6 not found.

Thanks

--
-Lawrence




Re: starting Apache in SSL mode

2006-06-27 Thread Peter Blair

SSL certificates for a hostname require a unique IP address.  Are you
trying to do virtual name hosting with https?

On 6/27/06, FTP [EMAIL PROTECTED] wrote:

On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
 On 6/26/06, FTP [EMAIL PROTECTED] wrote:
 Hi there,
 
 I was trying to start Apache in SSL mode and I did follow the
 http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
 apachectl startssl and everything went fine.
 
 Now, when I point to the https://IP-address from my server I get an
 unable to connect error!
 
 What did I do wrong?
 
 In the ssl_engine_log I get: Configuring server new.host.name:443 for SSL
 protocol. This server has no domain assigned. Did I do something wrong in
 the certs?

 no, but you probably neglected to edit /var/www/conf/httpd.conf
 appropriately (ServerName and NameVirtualHost come to mind, as well as
 the appropriate name-specific parts of the SSL config in the same
 file). ssl_engine_log probably won't give you the info you need here;
 take a look at your access_log and error_log.
 --
 [EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key


Thanks for your reply.

Well, the error_log doesn't get any message. Also, the regular http does show 
the web page without having the IP address in the http.conf file. Why doesn't 
this work with SSL as well?
Certs etc. are in the correct path.

Thanks

George




Re: Nagios and Apache

2006-06-26 Thread Peter Blair

resource_file=/usr/local/nagios/etc/resource.cfg works great for the
default source install of Nagios.  But switch it to a RPM, or PKG'd
version of Nagios and you can't ensure that this directive will point
to the right place or not.

-Pete

On 6/24/06, Lars Hansson [EMAIL PROTECTED] wrote:

On Saturday 24 June 2006 18:13, Peter Blair wrote:
 At work we run Nagios across Linux, OpenBSD & FreeBSD machines.
 Compiling it from source is the only way to ensure config file
 compatibility.

Say what? How does the compilation affect the config file? The config file
format is exactly the same no matter where or when you compile nagios.

---
Lars Hansson




Re: pf woes

2006-06-26 Thread Peter Blair

Paste the entire contents of /etc/pf.conf

On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:

I'm sorry if I didn't give enough info - what else would you have to know?




Re: pf woes

2006-06-26 Thread Peter Blair

And your root password.  Please e-mail that to the list.

On 6/26/06, Bryan Irvine [EMAIL PROTECTED] wrote:

On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:
 I'm sorry if I didn't give enough info - what else would you have to know?
At the bare minimum, your pf.conf.

Also desirable are the IP's of your firewalls internal and external
interfaces as well as the ip of the FileMaker server, and the ip's of
the clients you want to connect to it.




Re: Totally bizarre problem - cannot connect to openbsd mahcine

2006-06-26 Thread Peter Blair

You should be able to configure one of the bridged interfaces to have
an IP in order for you to SSH into the box.

http://www.openbsd.org/faq/faq6.html#Bridge

On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:

I believe the server was configured as a bridge - bridgename.bridge0
exists, and contains:

add dc0 add dc1 up

It was running for a good 300 days or so.  It was set up and
configured by my predecessor, and I am not completely sure on all of
its configurations.

On 6/26/06, Peter Blair [EMAIL PROTECTED] wrote:
 That sorta makes sense if your firewall was working as a bridge, but I
 don't think that you mentioned anything about a bridgename.bridge0.

 Was/Is your machine acting as a nat-style firewall?  If so, then
 you'll have to assign it some IPs.

 How long was it running since its last reboot?  Were the IP settings
 done manually via the console but never reflected in the
 /etc/hostname.dc* files?

 On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:

  /etc/hostname.dc0 and .dc1 both just contain "up" and haven't been
  modified since 2003.
 
  Shouldn't there be an inet entry with the IP addresses for each of the
  cards listed?  What happened to them?




Re: Nagios and Apache

2006-06-24 Thread Peter Blair

On 6/23/06, Spruell, Darren-Perot [EMAIL PROTECTED] wrote:

Incidentally, if you haven't used the package(s) for Nagios, do. I had no
problems and I went with a package install. No mysteries.


At work we run Nagios across Linux, OpenBSD & FreeBSD machines.
Compiling it from source is the only way to ensure config file
compatibility.



Re: Nagios and Apache

2006-06-23 Thread Peter Blair

Obvious, but ensure that /var/www/cgi-bin/nagios is a valid directory
from the perspective of your chroot'd server.

Another caveat is to ensure that the named pipe is accessible to both
the nagios executable, and to the chroot'd cgi's (once they start
working that is).  Nagios references the pipe via absolute naming, so
you may have to 'break' things a bit and create a symlink under your
chroot directory of /usr/local/nagios/rw/nagios.cmd that points to
the actual pipe.

Also, try turning off chroot to see if that helps.  That will at the
least tell you if it's a visibility issue or not.

Best of luck!

On 6/23/06, Joco Salvatti [EMAIL PROTECTED] wrote:

Hi all,

I've installed and configured nagios, and I can open the start page
with no problems. But I don't have access to the links that monitor
services, such as Tactical Overview. At apache log I have the following
error messages:

[Fri Jun 23 15:42:51 2006] [error] (13)Permission denied: exec of
/cgi-bin/nagios/tac.cgi failed
[Fri Jun 23 15:42:51 2006] [error] [client 127.0.0.1] Premature end of
script headers: /cgi-bin/nagios/tac.cgi

My httpd.conf is how it follows:

ScriptAlias /cgi-bin/nagios /var/www/cgi-bin/nagios

<Directory /var/www/cgi-bin/nagios>
#  SSLRequireSSL
   Options ExecCGI

   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /var/www/nagios/htpasswd.users
   Require valid-user

   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
</Directory>

Alias /nagios /var/www/nagios

<Directory /var/www/nagios>
#  SSLRequireSSL
   Options ExecCGI
   Options None
   AllowOverride None

   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /var/www/nagios/htpasswd.users
   Require valid-user

   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
</Directory>

My apache server runs using the chroot feature. Could please anyone
tell me what's going wrong?

Thanks.


--
Joco Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]
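A diagnostic for the two failure modes named in the reply above, as an added example (not code from the thread; it assumes Apache's chroot root is /var/www, as on OpenBSD, and that paths in the error log are the chroot-relative ones, like /cgi-bin/nagios/tac.cgi). check_cgi reports whether the CGI exists, is executable and sits below searchable directories as seen from inside the chroot; check_libs lists shared libraries the CGI needs that are not present under the chroot; check_pipe verifies the nagios command FIFO as the chrooted CGIs would see it. One caveat about the symlink idea: a link placed inside the chroot that points at the real /usr/local/nagios/rw/nagios.cmd resolves, for the chrooted process, to /var/www/usr/local/nagios/rw/nagios.cmd, i.e. to itself. The FIFO therefore has to live below /var/www, with nagios pointed at that path (or the outside path linked into the chroot). The test builds a throwaway tree with mktemp.

```shell
#!/bin/sh
# chroot-check: explain "Permission denied: exec of /cgi-bin/nagios/tac.cgi
# failed" from OpenBSD's chroot'd Apache by checking, from the chroot's
# point of view, the CGI itself, the directories leading to it, its shared
# libraries and the nagios command pipe.  Added example, not from the
# thread; CHROOT defaults to Apache's /var/www.
set -eu

CHROOT=${CHROOT:-/var/www}

# Translate a path as the chrooted server sees it (e.g. /cgi-bin/nagios/tac.cgi)
# into the real path, refusing relative paths and ".." components.
chroot_path() {
    case $1 in
        /*) ;;
        *) return 1 ;;
    esac
    case $1 in *..*) return 1 ;; esac
    printf '%s%s\n' "$CHROOT" "$1"
}

# Exists, is a regular file, is executable, and every directory between
# the chroot root and the file is searchable.  Prints the first problem.
check_cgi() {
    f=$(chroot_path "$1") || { echo "bad path: $1"; return 1; }
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -x "$f" ] || { echo "not executable: $f"; return 1; }
    d=$(dirname "$f")
    while [ "$d" != "$CHROOT" ] && [ "$d" != / ]; do
        [ -x "$d" ] || { echo "directory not searchable: $d"; return 1; }
        d=$(dirname "$d")
    done
    echo "ok: $f"
}

# A dynamically linked CGI also needs its libraries (and ld.so) below the
# chroot; the host's copies in /usr/lib are invisible to it.  Takes every
# absolute path ldd prints and reports those absent under CHROOT.
check_libs() {
    f=$(chroot_path "$1") || return 1
    ldd "$f" 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        [ "$lib" = "$f" ] && continue
        [ -e "$CHROOT$lib" ] || echo "missing in chroot: $lib"
    done
}

# The nagios command pipe must be a FIFO that exists below the chroot and
# that the web server's user can write.  A symlink inside the chroot that
# points at the real /usr/local/nagios/rw/nagios.cmd resolves against the
# chroot root and so points at itself.
check_pipe() {
    p=$(chroot_path "$1") || { echo "bad path: $1"; return 1; }
    [ -p "$p" ] || { echo "no fifo at $p"; return 1; }
    [ -w "$p" ] || { echo "fifo not writable: $p"; return 1; }
    echo "ok: $p"
}
```

Run the checks as the user Apache runs as (www on OpenBSD), not as root: root passes every permission test and hides the actual problem.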




Re: combining 2 external interfaces ?

2006-06-18 Thread Peter Blair

RTFM:

man trunk

On 6/17/06, S t i n g r a y [EMAIL PROTECTED] wrote:

Is it possible to combine 2 external interfaces into
one in OpenBSD?
Actually it's cheaper for me to buy two smaller
internet connections than a big one.
So I was thinking ...

*:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com




Re: combining 2 external interfaces ?

2006-06-18 Thread Peter Blair

And here's another for you:

http://www.openbsd.org/faq/pf/pools.html#outgoing

On 6/17/06, S t i n g r a y [EMAIL PROTECTED] wrote:

Is it possible to combine 2 external interfaces into
one in OpenBSD?
Actually it's cheaper for me to buy two smaller
internet connections than a big one.
So I was thinking ...

*:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com




Re: head.c usage function

2006-05-30 Thread Peter Blair

Be careful -- if you have an application say /usr/local/whatever/foo
that is linked from /usr/local/bin/bar then when you call
/usr/local/bin/bar it will populate bar as the argv[0] element.
This may be what you want, but then again, perhaps you want to know
that foo is the application being called.

__progname *should* ensure that foo is being used when doing
things like opening app-name specific logs etc.

On 5/30/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


I usually write a usage function to take a single argument, i.e.
usage(const char *progname).  When I call usage(), which is always
from main(), I just pass in argv[0].  I'm under the impression that
argv[0] being set to the name of the program is standard (could be
wrong though).




Re: Xen/OpenBSD Summer of Code project

2006-05-30 Thread Peter Blair

That project (if/once completed) would be very useful.  I just cringe
at the thought of running a guestOS of openbsd under linux or Solaris
;)

On 5/30/06, Dries Schellekens [EMAIL PROTECTED] wrote:

Anil Madhavapeddy wrote:

 We've put up some Xen-related projects for the Google Summer of
 Code, and one of them of particular interest is a port of OpenBSD
 to Xen 3.0 as a native guest OS.

 Full list: http://www.xensource.com/summerofcode.html

 Interested hackers are encouraged to apply; it is a fun project,
 some NetBSD code already exists, and will be useful.

I see that this project got selected:
http://code.google.com/soc/xensource/about.html

Let's hope this work can be included in OpenBSD after the summer.


Cheers,

Dries




Re: head.c usage function

2006-05-30 Thread Peter Blair

Gak!  The should was hedged with quotes because I couldn't verify
how it behaved.  Apparently it's just a quick way to access argv[0].

Thanks!

On 30 May 2006 16:29:31 +0200, Artur Grabowski [EMAIL PROTECTED] wrote:

Peter Blair [EMAIL PROTECTED] writes:

 Be careful -- if you have an application say /usr/local/whatever/foo
 that is linked from /usr/local/bin/bar then when you call
 /usr/local/bin/bar it will populate bar as the argv[0] element.
 This may be what you want, but then again, perhaps you want to know
 that foo is the application being called.

 __progname *should* ensure that foo is is being used when doing
 things like opening app-name specific logs etc.

should? Says who? How do you handle hard links then? Why should anyone
even care what the file name was? The kernel isn't even aware that
a symbolic link was followed when performing the exec system call (it
could be made aware of the fact by horrible layering violations in the
filesystem code and/or best effort measures that would break down in
case of hard links).

$ grep usage: /usr/src/bin/rm/rm.c
(void)fprintf(stderr, "usage: %s [-dfiPRr] file ...\n", __progname);
$ rm -J
rm: unknown option -- J
usage: rm [-dfiPRr] file ...
$ ln -s /bin/rm /tmp/foo
$ /tmp/foo -J
foo: unknown option -- J
usage: foo [-dfiPRr] file ...
$

See: /usr/src/lib/csu/*/crt0.c that fills in __progname. Considering
that argv[0] can be set to anything by the caller, __progname can be
set to anything too. If you trust it, you're wrong.

//art

 On 5/30/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

  I usually write a usage function to take a single argument, i.e.
  usage(const char *progname).  When I call usage(), which is always
  from main(), I just pass in argv[0].  I'm under the impression that
  argv[0] being set to the name of the program is standard (could be
  wrong though).




Re: Xen/OpenBSD Summer of Code project

2006-05-30 Thread Peter Blair

Are you saying that OpenBSD is targeted as a Dom0 OS?  I couldn't
tell from the above mentioned links.

On 5/30/06, Dries Schellekens [EMAIL PROTECTED] wrote:

Peter Blair wrote:

 That project (if/once completed) would be very useful.  I just cringe
 at the thought of running a guestOS of openbsd under linux or Solaris
 ;)

A minor detail: OpenBSD will run on the Xen virtual machine monitor and
not on Linux or Windows (like VMWare). So the Linux instance (or even
multiple of them) will run in parallel to the OpenBSD domain.


Cheers,

Dries

 On 5/30/06, Dries Schellekens [EMAIL PROTECTED] wrote:
 Anil Madhavapeddy wrote:

  We've put up some Xen-related projects for the Google Summer of
  Code, and one of them of particular interest is a port of OpenBSD
  to Xen 3.0 as a native guest OS.
 
  Full list: http://www.xensource.com/summerofcode.html
 
  Interested hackers are encouraged to apply; it is a fun project,
  some NetBSD code already exists, and will be useful.

 I see that this project got selected:
 http://code.google.com/soc/xensource/about.html

 Let's hope this work can be included in OpenBSD after the summer.


 Cheers,

 Dries




Re: nice and convenient way to check latest current src changes?

2006-05-30 Thread Peter Blair

Here's a quick perl script to extract the html:

#!/usr/bin/perl
#
# cvs_dates.pl -- print "date message-id" for each commit listed on a
# MARC index page of the openbsd-cvs list, read on stdin

use strict;
use warnings;

while (<STDIN>)
{
    my($line) = $_;
    chomp($line);
    # a listing row: the commit date, then 28 characters on, the
    # numeric message id that the m= link carries
    if( $line =~ /(\d{4}-\d{2}-\d{2}).{28}(\d{10,20})/ )
    {
        my($d) = $1;
        my($id) = $2;

        print $d, " ", $id, "\n";
    }
}

And just do something like:

wget -q -O - 'http://marc.theaimsgroup.com/?l=openbsd-cvs&r=1&b=200605&w=2' \
| perl cvs_dates.pl

On 5/29/06, Didier Wiroth [EMAIL PROTECTED] wrote:

Hello,

To follow the current source changes I usually check the following website:
http://marc.theaimsgroup.com/?l=openbsd-cvs&r=1&b=200605&w=2
This isn't very handy as you have to click every message to view the log 
message and the files that were changed.

1) Is there a nice way to see current source changes?
(If possible, I would prefer NOT to subscribe to another new mailing list!)

2) Is there a nice and fast method to check the latest changes with the cvs 
command?

Thank you very much
Didier




Re: C++ problem in current snapshot (2006-05-22)

2006-05-25 Thread Peter Blair

Don't use iostream.h, as it's old, and only there for backwards
compatibility.  If possible, use iostream instead.

On 5/25/06, Toni Mueller [EMAIL PROTECTED] wrote:

Hello,


I'd like to compile a small C++ program (part of building the HylaFAX
port). This is the program:

-
#include <iostream.h>
int main(){ cout << "Hello World!" << endl; return 0;}
-

Compiling it goes like this:

$ c++ testit.cc
/tmp//cch21612.o(.text+0x1c): In function `main':
: undefined reference to `endl(ostream &)'
/tmp//cch21612.o(.text+0x29): In function `main':
: undefined reference to `cout'
/tmp//cch21612.o(.text+0x2e): In function `main':
: undefined reference to `ostream::operator<<(char const*)'
/tmp//cch21612.o(.text+0x37): In function `main':
: undefined reference to `ostream::operator<<(ostream &(*)(ostream &))'
collect2: ld returned 1 exit status


I've searched for any libstdc++.so and friends, and also found them
where I'd expected them, but that seems to be insufficient.

Running ldconfig doesn't improve things.


What gives?


Best,
--Toni++




Re: traffic shaping question.

2006-05-23 Thread Peter Blair

I haven't personally tested this, but give it a look:

http://www.whoopis.com/howtos/web-bandwidth-limit.html

Unfortunately it doesn't have the same kind of benefits that altq/pf
provide, but as stated in the previous messages, you'd have to place
your webmail and iso services on different IPs.

On 5/23/06, Per-Olov Sjvholm [EMAIL PROTECTED] wrote:

On Tuesday 23 May 2006 12.56, S t i n g r a y wrote:
 I want to do traffic shaping on a per-protocol basis, so
 if I give a certain bandwidth to the HTTP protocol, isn't
 there any way I can differentiate between HTTP web pages
 & HTTP downloads of huge .iso files?
 I don't want users who are downloading huge files to
 affect users who are only checking their webmail.

 is there any way ?

 *:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$
 Tired of spam?  Yahoo! Mail has the best spam protection around
 http://mail.yahoo.com

Correct me if I am wrong, but you can differentiate shaping of traffic of the
same protocol if it has a different Type Of Service. You can for example give
higher priority to an SSH shell and lower the priority of scp bulk file
transfers, as they have different TOS. Don't know if there exists anything like
it for HTTP (don't think so). If it doesn't exist you probably have to find
another way (not in PF).

Or you could have the ISO downloads from a different IP.


/Per-Olov
--
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE




Re: traffic shaping question.

2006-05-23 Thread Peter Blair

Another alternative is to use
http://httpd.apache.org/docs/1.3/mod/mod_proxy.html#proxypass to proxy
your iso directory to another httpd instance running on a private IP,
eg:

setup your webserver with the regular public IP address(es), and
additionally setup a number of private IP addresses.

Start a webserver (doesn't have to be apache) that binds solely to the
private IP address(es) and configure pf accordingly (only allow in
packets to the private address from whatever address that the public
apache will bind to)

Setup your main server's proxypass to proxy say /iso to
http://10.11.12.13:8080/iso;

And configure altq to limit outgoing traffic on 10.11.12.13.

Mind you, this scheme is completely untested and may not be possible.

On 5/23/06, S t i n g r a y [EMAIL PROTECTED] wrote:

I want to do traffic shaping on a per-protocol basis, so
if I give a certain bandwidth to the HTTP protocol, isn't
there any way I can differentiate between HTTP web pages
& HTTP downloads of huge .iso files?
I don't want users who are downloading huge files to
affect users who are only checking their webmail.

is there any way ?





Re: I'm testing cvs, $Id$ wrong last committed time

2006-05-18 Thread Peter Blair

What's your timezone?

On 5/18/06, Didier Wiroth [EMAIL PROTECTED] wrote:

Hello,
(openbsd novice)

I'm experimenting with cvs.

I'm running:
a) cvs repository on openbsd 3.9-stable:
repo:~ $ ls -la /etc/localtime && date
lrwxr-xr-x  1 root  wheel  37 May 12 17:34 /etc/localtime -> 
/usr/share/zoneinfo/Europe/Luxembourg
Thu May 18 16:34:52 CEST 2006

b) client is running current:
client:~$ lrwxr-xr-x  1 root  wheel  37 May 15 00:03 /etc/localtime -> 
/usr/share/zoneinfo/Europe/Luxembourg
Thu May 18 16:36:32 CEST 2006

I put a $Id$ in a file and do a commit
cvs -q -d $MYCVS ci -m test index.html

The index.html file $ID$ after the commit is:
$Id: index.html,v 1.4 2006/05/18 14:37:39 dda Exp $

The tag shows a time that is wrong, it's -2 hours, it should be 16:37:39,

Why, am I missing something?

Thank you for helping
Didier




Re: I'm testing cvs, $Id$ wrong last committed time

2006-05-18 Thread Peter Blair

woops -- replied before reading entire message.  *ducks*

On 5/18/06, Peter Blair [EMAIL PROTECTED] wrote:

What's your timezone?

On 5/18/06, Didier Wiroth [EMAIL PROTECTED] wrote:
 Hello,
 (openbsd novice)

 I'm experimenting with cvs.

 I'm running:
 a) cvs repository on openbsd 3.9-stable:
 repo:~ $ ls -la /etc/localtime && date
 lrwxr-xr-x  1 root  wheel  37 May 12 17:34 /etc/localtime -> 
/usr/share/zoneinfo/Europe/Luxembourg
 Thu May 18 16:34:52 CEST 2006

 b) client is running current:
 client:~$ lrwxr-xr-x  1 root  wheel  37 May 15 00:03 /etc/localtime -> 
/usr/share/zoneinfo/Europe/Luxembourg
 Thu May 18 16:36:32 CEST 2006

 I put a $Id$ in a file and do a commit
 cvs -q -d $MYCVS ci -m test index.html

 The index.html file $ID$ after the commit is:
 $Id: index.html,v 1.4 2006/05/18 14:37:39 dda Exp $

 The tag shows a time that is wrong, it's -2 hours, it should be 16:37:39,

 Why, am I missing something?

 Thank you for helping
 Didier




Re: I'm testing cvs, $Id$ wrong last committed time

2006-05-18 Thread Peter Blair

Since CEST is +2hours from GMT, then the cvs timestamp looks fine.

On 5/18/06, Darrin Chandler [EMAIL PROTECTED] wrote:

On Thu, May 18, 2006 at 04:42:47PM +0200, Didier Wiroth wrote:
 I put a $Id$ in a file and do a commit
 cvs -q -d $MYCVS ci -m test index.html

 The index.html file $ID$ after the commit is:
 $Id: index.html,v 1.4 2006/05/18 14:37:39 dda Exp $

 The tag shows a time that is wrong, it's -2 hours, it should be 16:37:39,

 Why, am I missing something?

I'm not the best cvs person in the world, but it makes sense to me.

What if you have someone else in a different time zone who is also
committing with $Id$ in their sources? It seems that times should be
stored in GMT/UTC always...

--
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |




Re: what is this ?

2006-05-15 Thread Peter Blair

Does the section of the book talk about frame relay?  More context would help.

On 5/15/06, S t i n g r a y [EMAIL PROTECTED] wrote:

Well, I am learning OpenBSD PF from a book & in the
book, when creating sample rules, the author refers to
CIR's when defining macros, but in the form of

prv_ad = p.p.p.p/24
ch_ad = w.w.w.w/32
prv_ad1 = p.p.1.p/24
prv_ad2 = p..p.2.p/24
ext_ad2 = e.e.e.f/32

There isn't any explanation of these anywhere in the
book.
What are these?
I am familiar with notations such as

10.0.0.0/24
192.168.0.0/16

thank you .





Re: what is this ?

2006-05-15 Thread Peter Blair

Perhaps this is what it's talking about.

http://www.ralphb.net/IPSubnet/cidr.html

On 5/15/06, S t i n g r a y [EMAIL PROTECTED] wrote:

No, this book is only about OpenBSD PF, no types of
networks.




Re: Anti MAC spoofing in OpenBSD

2006-05-09 Thread Peter Blair

arpwatch

http://ee.lbl.gov/

And lock down the permitted mac addresses on your switch.

On 5/9/06, S t i n g r a y [EMAIL PROTECTED] wrote:

OK, I know PF doesn't filter using MAC addresses, but can you
point me to a package that has the feature of anti MAC
spoofing?

regards







Re: network script on startup

2006-05-08 Thread Peter Blair

man getsomeoneelsetodoit

On 5/8/06, Nick Guenther [EMAIL PROTECTED] wrote:

On 5/8/06, S t i n g r a y [EMAIL PROTECTED] wrote:
 I have a network script that I want to execute before
 any host on the network connects to my computer.

 thanks

man rc
man netstart




Re: multiple publicIPs

2006-05-06 Thread Peter Blair

Perhaps I'm confused, but it doesn't look (from your diagram) that
your pf machine is acting as a firewall for anything but itself.

If you want to filter traffic to your public machines, then you'll
have to either:

1) Use the pf-machine as a bridge between the internet ethernet
segment, and the ethernet segment with your publicly available
machines
2) Place your public machines into a DMZ, and filter/NAT/rdr traffic
to/from them via the pf machine.

On 5/5/06, Sparc [EMAIL PROTECTED] wrote:

Hello everyone,

  INTERNET
 ^
 |
 x - - - - - [SWITCH] - - - - - - - - - - x
  [PF firewall][Several publicIPs]

I am running a network with several public IP addresses that are used for
different services, and I use PF on a dedicated box (see the illustration) to
control incoming and outgoing packets to and from these public IPs. I had
not noticed anything until they were exposed to different types of probes,
such as ping, port scanners, etc., from the Internet. Below are the rules I
used to supposedly block incoming packets to my public IPs.

Just for info, I used the gateway address provided by my ISP, not the IP of my
PF box. I haven't tried using the PF box as a gateway. I don't think it's going
to work.


# M A C R O S
ext_if=sis0
int_if=xl0
serversPUB={ my.pub.lic.1, my.pub.lic.2, my.pub.lic.3, etc... }
www_virt=my.pub.lic.1

# O P T I O N S
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo0

# N O R M A L I Z A T I O N
scrub in all

# N A T  /  R D R
#xlation gateway

# F I L T E R
#protect public and local address [ incoming, outgoing ]
block all
pass quick on lo0 all
antispoof log quick for { $ext_if, $int_if } inet

# I tried to tweak with different scenarios, doesn't work
block drop in on $ext_if inet from any to $serversPUB

pass in on $ext_if proto tcp from any to $www_virt port { www, https } \
  flags S/SA synproxy state
--

As you can see only a few rules are put here above just to give you an
idea how I did the blocking. The other rules with my services so far
are continuously going well. I just don't want to permit incoming
packets directly to my publicIPs that is why I have the PF as my
firewall to centrally manage incoming and outgoing.

On the above BLOCK rule, I supposed it blocks all incoming packets on
$ext_if to $serversPUB. Unfortunately it doesn't. I have bought
OpenBSD books, including Building Firewalls with OpenBSD and PF by Jacek,
and read lots of articles about rules in pf, but haven't found one that
is similar to my setup; everything uses NAT / RDR to access services
(e.g. webserver, etc). Here I didn't use rdr because it uses a public
IP as stated in MACROS.

I appreciate your help so much.

Thanks,
-Sparc




Re: IPSec faq ??

2006-05-05 Thread Peter Blair

http://undeadly.org/cgi?action=articlesid=20060222180512

On 5/5/06, carlopmart [EMAIL PROTECTED] wrote:

Hi all,

  Somebody knows when ipsec faq will be published on openbsd website?? i
need to deploy two openbsd 3.9 HA firewalls with vpn, dhcp and x509
certificates included? Somebody have some howto??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com




Re: using queues to limit bandwidth

2006-05-01 Thread Peter Blair

ALTQ Should do the trick:

http://www.openbsd.org/faq/pf/queueing.html

On 5/1/06, Chris Bullock [EMAIL PROTECTED] wrote:

Can queues be used to queue overall bandwidth?  We have a project where we
will be sharing an Internet connection with another company; we will have an
IP and they will have an IP, each company providing their own firewall.  I
understand that queuing is able to queue based on protocol, etc. on the same
box, but let's say there is a T1 shared between the companies. The company
tells us, you can have one of our IP addresses but you can only use 100k of
our bandwidth; can pf do this?  I guess this is more bandwidth throttling
than queuing.
TIA,
Chris




Re: using queues to limit bandwidth

2006-05-01 Thread Peter Blair

I forgot to mention in my previous e-mail, that if you were to
implement the scenario outlined in your e-mail, then the other company
would have to 'trust' that you're setting up your firewall to not
exceed your 100k of bandwidth.

Just setup a single queue that caps at 100k.

On 5/1/06, Chris Bullock [EMAIL PROTECTED] wrote:

Can queues be used to queue overall bandwidth?  We have a project where we
will be sharing an Internet connection with another company; we will have an
IP and they will have an IP, each company providing their own firewall.  I
understand that queuing is able to queue based on protocol, etc. on the same
box, but let's say there is a T1 shared between the companies. The company
tells us, you can have one of our IP addresses but you can only use 100k of
our bandwidth; can pf do this?  I guess this is more bandwidth throttling
than queuing.
TIA,
Chris
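
The following is an added example, not from this thread or from the earlier "traffic shaping question" thread, that serves both: the root bandwidth of the altq declaration is the hard cap (the 100k the other company asked for), and the child queues split that allowance between bulk .iso downloads served from one address and webmail served from another. The split has to be by address or port, because pf can assign queues by those but cannot see URLs. Interface name, addresses, the 70/30 split and the use of cbq are assumptions; the hosts are assumed to sit behind the firewall, so their replies leave through $ext_if.

```pf
# Added example: one altq rule set that caps everything leaving on the
# shared line at 100 Kbit/s and keeps bulk .iso traffic from starving
# webmail.  Interface, addresses and split are assumptions.
ext_if = "fxp0"
web_ip = "192.0.2.10"     # webmail / ordinary pages
iso_ip = "192.0.2.11"     # bulk .iso downloads, on its own address

# The root bandwidth is the hard cap: whatever the T1 could carry, pf will
# not schedule more than 100 Kbit/s out of $ext_if.  Child queues may
# borrow from each other when idle, but never beyond the root.
altq on $ext_if cbq bandwidth 100Kb queue { q_web, q_iso }
  queue q_web bandwidth 70Kb priority 5 cbq(default borrow)
  queue q_iso bandwidth 30Kb priority 1 cbq(borrow)

block all

# The queue named on a stateful rule is stored in the state entry, so the
# server's outbound replies are what actually get scheduled here.
pass in on $ext_if proto tcp from any to $web_ip port www \
    flags S/SA keep state queue q_web
pass in on $ext_if proto tcp from any to $iso_ip port www \
    flags S/SA keep state queue q_iso
```

Two caveats worth knowing before relying on this. ALTQ schedules only packets leaving an interface, so the cap governs what you send onto the T1; data the Internet sends toward you has already used the line by the time pf sees it, which is exactly why the other company ends up having to trust your configuration, as Peter notes. And `pfctl -s queue -v` is the way to confirm the queues exist and are actually being hit; a queue with zero packets after a test download usually means the rule that should assign it never matched.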




Re: Port collection missing...

2006-04-28 Thread Peter Blair

ftp://ftp.openbsd.org/pub/OpenBSD/3.7/ports.tar.gz

On 4/28/06, S t i n g r a y [EMAIL PROTECTED] wrote:

Well, I just installed my first OpenBSD box :) feels
good!!! But to install packages I cannot find the ports
collection in /usr; how can I get them? I am using version
3.7.

regards






Re: Port collection missing...

2006-04-28 Thread Peter Blair

But perhaps you're confusing ports & packages:

http://www.openbsd.org/faq/faq15.html#PkgMgmt

Packages are pre-compiled.  Ports creates packages from source.  You
don't need the ports tree to install packages.

-Pete

On 4/28/06, Peter Blair [EMAIL PROTECTED] wrote:

ftp://ftp.openbsd.org/pub/OpenBSD/3.7/ports.tar.gz

On 4/28/06, S t i n g r a y [EMAIL PROTECTED] wrote:
 Well, I just installed my first OpenBSD box :) feels
 good!!! But to install packages I cannot find the ports
 collection in /usr; how can I get them? I am using version
 3.7.

 regards






Re: Why advocate Old daemon book?

2006-04-27 Thread Peter Blair
As an aside: I recently read The Design and Implementation of 4.2 BSD
Operating System, which focused on the VAX architecture, and was
published sometime in the early 80s.  In spite of its age, I found the
concepts clearly stated and on a high level, I believe that reading
the book forwarded my general knowledge of how *BSD systems operate.

I especially enjoyed the chapter on memory management and paging.

My $0.02.

On 4/27/06, js [EMAIL PROTECTED] wrote:
 A silly question.

 I wonder why http://www.openbsd.org/books.html still recommends the old
 daemon book, The Design and Implementation of the 4.4 BSD Operating
 System?
 As most of you know, there's a newer version, The Design and
 Implementation of the FreeBSD Operating System.

 Is there any reason not to recommend this new one?

 Thanks in advance.



Re: mrtg and snmp

2006-04-26 Thread Peter Blair
Perhaps: http://www.benzedrine.cx/pfstat.html would interest you.


On Thu, Apr 27, 2006 at 07:50:22AM +0700, riwanlky wrote:
  I just installed a pf on my openBSD box as a firewall. However I need
  to install MRTG and SNMP so that I can get the network utilization.
 
  Any documentation in the web that anyone can suggest?