Re: how does one manage to fill a TB of data
Database backups here at work are enormous. A TB is nothing these days. On 9/9/06, Peter Fraser [EMAIL PROTECTED] wrote: Multi system backups to disk -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of pedro la peu Sent: Friday, September 08, 2006 8:50 PM To: misc@openbsd.org Subject: Re: preferred hardware platform And seriously, how does one manage to fill a TB of data? /rant DVB.
Re: Active Directory authentication
That's not an easy scenario. Perhaps the simplest solution would work for you. You could implement a generic account on the firewall called say wifi-user. SSH into the firewall (not using Kerberos or anything) and log in using the shared password for wifi-user. The login shell could point to a script that would ask for an NTLM friendly username password, and the firewall could then attempt to read a file from \\someserver\someshare\file.txt using samba. If the contents of that file match a pre-known string say 'authenticated' then you know that the supplied username password are valid on the AD. If so, then proceed with authpf. Now set up read permissions on that file.txt, and give read permission to an AD group called wifi-users and add the users to the wifi-users group. It's not fancy, and I'm sure that some people on the list would distaste the inelegance of the solution, but it has worked in the past for me with a squid-proxy setup. On 8/15/06, Steve Shockley [EMAIL PROTECTED] wrote: I'm researching setting up a wireless gateway using OpenBSD and authpf. We've got an existing Active Directory (2003) domain with about 5000 user accounts that I'd like to authenticate against. LDAP seemed like the obvious choice, but it appears I need to create local accounts to use login_ldap, and it'd be unwieldy to sync 5000 users. There's also a patch for nsswitch, but I'd rather not use a custom build if I don't have to. Kerberos also sounded like a good idea, but if I understand correctly, the clients would need a Kerberized ssh client, and they'd have to be able to access the KDC before logging in to the gateway. Is there a better way to do this?
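One way to script the login-shell check Peter describes, as an added Python example that is not the poster's own script. It assumes Samba's smbclient is installed on the firewall, that the share and marker file are //someserver/someshare/file.txt as in the post, that the marker string is 'authenticated', that the AD domain is called EXAMPLE, and that authpf lives at /usr/sbin/authpf; all of those are assumptions, as is the fetch stub the test substitutes for the real share read.

```python
"""Login shell for the shared wifi-user account: ask for AD credentials,
try to read a group-protected marker file over SMB, hand off to authpf.

Added example, not the poster's script. Assumes smbclient is installed,
the share/file/marker from the post, the domain EXAMPLE and the authpf
path below.
"""
import getpass
import os
import re
import subprocess
import sys
import tempfile

SMB_SERVICE = "//someserver/someshare"   # from the post
MARKER_FILE = "file.txt"                 # from the post
MARKER = "authenticated"                 # from the post
AD_DOMAIN = "EXAMPLE"                    # assumed domain name
AUTHPF = "/usr/sbin/authpf"              # assumed path of authpf

# Only sAMAccountName-style names get anywhere near smbclient.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def fetch_marker_via_smb(username, password):
    """Return the marker file's contents, or None if the read fails.

    The password travels in the PASSWD environment variable, which
    smbclient honours, and never on the command line where any local user
    could read it from ps. Arguments are passed as a list, so no shell
    ever sees the user-supplied name. Real network call; the test
    replaces it with a stub.
    """
    env = dict(os.environ, PASSWD=password)
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "marker")
        cmd = [
            "smbclient", SMB_SERVICE,
            "-W", AD_DOMAIN, "-U", username,
            "-c", "get %s %s" % (MARKER_FILE, local),
        ]
        try:
            subprocess.run(cmd, env=env, check=True, timeout=20,
                           stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL)
        except (subprocess.CalledProcessError, subprocess.TimeoutExpired,
                FileNotFoundError):
            return None
        try:
            with open(local, "r", encoding="ascii", errors="replace") as fh:
                return fh.read()
        except OSError:
            return None


def credentials_valid(username, password, fetch=fetch_marker_via_smb):
    """True only if the name is well formed, the read-protected marker file
    could be fetched with these credentials, and it holds the marker."""
    if not USERNAME_RE.match(username) or not password:
        return False
    content = fetch(username, password)
    if content is None:
        return False
    return content.strip() == MARKER


def main():
    username = input("AD username: ").strip()
    password = getpass.getpass("AD password: ")
    if not credentials_valid(username, password):
        print("authentication failed", file=sys.stderr)
        return 1
    # Hand the session to authpf, which loads the rules for this login and
    # removes them again when the SSH session ends.
    os.execv(AUTHPF, [AUTHPF])
    return 1   # only reached if the exec itself failed


if __name__ == "__main__":
    sys.exit(main())
```

Be clear about what a successful read proves: the credentials are valid for the domain and the account is in the group that can read the file, nothing more. And because everyone logs in as the shared wifi-user, authpf sees only that one login name, so per-user authpf.rules files and the per-user log lines authpf writes cannot tell the people behind it apart; keep the script's own log of which AD name authenticated from which address if that matters to you.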
Re: PF redirect to another IP on LAN
man pf.conf Secondly, it's been discussed numerous times on the list that bridges have their place (I use them in production environments at our data centre) but you'll find filtering a bridge much more difficult than filtering a NAT. On 7/29/06, elaconta.com Webmaster [EMAIL PROTECTED] wrote: Hi I've just successfully configured an OpenBSD bridge with two NICs to separate and filter traffic between our private LAN (192.168.1.0/24) and our router (192.168.1.120). I've given an IP address to one of the NICs (192.168.1.121) on the bridge and am running a Bind caching nameserver on it. Now, the next thing we'd need to do would be to redirect any traffic that comes through the bridge destined to IP address 192.168.1.121 port 80 to another server in the LAN (192.168.1.103 port 80). From what I understand, this entails using PF and the rdr statement. Any ideas on how to do this successfully? Thanks. -- Elaconta.com webmaster --
Re: looking for clue
On 7/20/06, Rahul Sharma [EMAIL PROTECTED] wrote: Hi Peter Phillips, It is not Mr. Eric Pancer but me (rahulthehacker) who is asking for help on dhcpd lease. Wrong: http://www.sigmasoft.com/~openbsd/archives/html/openbsd-misc/2006-06/msg01371.html
Re: looking for clue
On 7/20/06, Rob Baldassano [EMAIL PROTECTED] wrote: Please forgive me if I am wrong but... This thread should die. Question is: Why would you WANT your clients to constantly get new IPs? it disrupts SSL communication traffic, especially when you are dealing with externally available IPs. Exactly. This thread is just a relapse of an already settled issue due to some mistaken identity. You of course (IMHO) are correct; Unfortunately this thread doesn't warrant the quality of your response. -Pete
Re: How to compile DHCPD source code
First, *don't* download source from the cvsweb website. That source is handy for browsing, but you should be getting your code from a cvs repository. Look at the instructions for a given patch for guidance: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch And then rebuild and install sendmail:

cd gnu/usr.sbin/sendmail
make obj
make depend
make
make install

On 7/7/06, Rahul Sharma [EMAIL PROTECTED] wrote: Hi, I need to make some minute changes to the db.c file that comes under the DHCP source code. I wanted to know how I can run dhcp now with these changes. Plz tell me whether I have to recompile the whole source code (kernel) again or if there is any way to compile only this DHCP code. What I have done so far is I have downloaded all files needed for DHCPD from http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/ After that I made changes to file db.c. Now I'm stuck here. Anyone plz help. Tell me what to do. Thanks for reading this mail anyway. Rahul
Re: How to compile DHCPD source code
Rahul: You don't need the sendmail patch, but it does outline the steps required to (re-)compile and install system software. -Pete P.S. Don't forget to CC misc@ On 7/7/06, Rahul Sharma [EMAIL PROTECTED] wrote: Hi Peter, Thanks for your reply. It seems confusing to me that for recompiling dhcpd code I require the sendmail patch. Can you plz explain that to me. Warm regards Rahul On 7/7/06, Peter Blair [EMAIL PROTECTED] wrote: First, *don't* download source from the cvsweb website. That source is handy for browsing, but you should be getting your code from a cvs repository. Look at the instructions for a given patch for guidance: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch And then rebuild and install sendmail:

cd gnu/usr.sbin/sendmail
make obj
make depend
make
make install

On 7/7/06, Rahul Sharma [EMAIL PROTECTED] wrote: Hi, I need to make some minute changes to the db.c file that comes under the DHCP source code. I wanted to know how I can run dhcp now with these changes. Plz tell me whether I have to recompile the whole source code (kernel) again or if there is any way to compile only this DHCP code. What I have done so far is I have downloaded all files needed for DHCPD from http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/ After that I made changes to file db.c. Now I'm stuck here. Anyone plz help. Tell me what to do. Thanks for reading this mail anyway. Rahul
Re: Forbidding access in pf from subdomains
Something like:

pass in quick on $ext_if from { $friendly_networks } to any port ssh keep state
block in on $ext_if from any to any port ssh

should work. You can place $friendly_networks into a table that gets loaded from a file if the list is large. And/or update it via pfctl on the fly. On 7/6/06, Bharj, Gagan [EMAIL PROTECTED] wrote: Hello Folks, Our server is getting hammered on a daily basis by IPs trying to open an ssh session. Currently, I'm manually putting the subnets (in a pf table) that are repeatedly trying to get in. As you can see, this list will eventually get very big and will be unmaintainable. Is there any way that I can say only allow IP addresses from particular ISPs or domains? Regards, Gagan
Re: Forbidding access in pf from subdomains
Sorry, I didn't fully comprehend your e-mail (that's what I get for reading my openbsd mail at work!) the first time around. Have you attempted to write a script that gets the network address for a host via `whois` and start expanding the blacklist? For instance, monitor your logs for repeated attempts, and add that IP to a list. Then grow your denial subnet. Start denying traffic from the /30 network around that address, then up it to /29, then /28, etc etc until you've effectively cut out the offending network. The problem is that the offender may have a /26 network, but their IP is part of a /16 network that has been privately subnetted. So it's difficult to say ok, jerk.com has xxx.yyy.zzz.xyz IP, and that belongs to xxx.yyy/16 network, so I'll block out all 65 thousand addresses. On 7/6/06, Peter Blair [EMAIL PROTECTED] wrote: Something like:

pass in quick on $ext_if from { $friendly_networks } to any port ssh keep state
block in on $ext_if from any to any port ssh

should work. You can place $friendly_networks into a table that gets loaded from a file if the list is large. And/or update it via pfctl on the fly. On 7/6/06, Bharj, Gagan [EMAIL PROTECTED] wrote: Hello Folks, Our server is getting hammered on a daily basis by IPs trying to open an ssh session. Currently, I'm manually putting the subnets (in a pf table) that are repeatedly trying to get in. As you can see, this list will eventually get very big and will be unmaintainable. Is there any way that I can say only allow IP addresses from particular ISPs or domains? Regards, Gagan
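Here is the log-driven version of the prefix-widening idea from the two replies above, as an added Python example that is not part of the thread. The log lines are constructed to look like sshd entries in /var/log/authlog (not real traffic); the table name bruteforce, the failure threshold, the /24 widening limit and the friendly network 192.0.2.0/24 are all assumptions.

```python
"""Turn repeated sshd password failures into pf table entries, widening
each offender's prefix only while the wider block still holds other
offenders.  Added example; sample log lines are constructed, thresholds
and the table name are assumptions.
"""
import ipaddress
import re
import sys
from collections import Counter

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample of authlog lines (not real traffic).
SAMPLE_LOG = """\
Jul  6 03:12:01 fw sshd[1234]: Failed password for root from 198.51.100.17 port 40211 ssh2
Jul  6 03:12:04 fw sshd[1234]: Failed password for invalid user admin from 198.51.100.17 port 40219 ssh2
Jul  6 03:12:09 fw sshd[1237]: Failed password for root from 198.51.100.17 port 40230 ssh2
Jul  6 03:12:10 fw sshd[1240]: Failed password for invalid user test from 198.51.100.20 port 51002 ssh2
Jul  6 03:12:15 fw sshd[1240]: Failed password for invalid user test from 198.51.100.20 port 51010 ssh2
Jul  6 03:12:15 fw sshd[1240]: Failed password for invalid user oracle from 198.51.100.20 port 51011 ssh2
Jul  6 03:13:40 fw sshd[1250]: Failed password for invalid user guest from 203.0.113.9 port 33001 ssh2
Jul  6 03:13:41 fw sshd[1250]: Failed password for invalid user guest from 203.0.113.9 port 33002 ssh2
Jul  6 03:13:42 fw sshd[1250]: Failed password for invalid user guest from 203.0.113.9 port 33003 ssh2
Jul  6 03:14:00 fw sshd[1260]: Accepted publickey for gagan from 192.0.2.5 port 22000 ssh2
Jul  6 03:14:30 fw sshd[1262]: Failed password for root from 192.0.2.5 port 22010 ssh2
"""


def failures_per_ip(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def widen_prefix(ip, offenders, min_prefix=24, min_hosts=2):
    """Return the smallest block around ip (/32, /31, /30, ... down to
    /min_prefix) that contains at least min_hosts distinct offenders.
    A lone attacker therefore stays a /32: we never block a provider's
    /16 because one of its customers is noisy."""
    addr = ipaddress.ip_address(ip)
    others = [ipaddress.ip_address(o) for o in offenders]
    for plen in range(32, min_prefix - 1, -1):
        net = ipaddress.ip_network("%s/%d" % (addr, plen), strict=False)
        if sum(1 for o in others if o in net) >= min_hosts:
            return net
    return ipaddress.ip_network("%s/32" % addr)


def build_table(log_text, threshold=3, friendly=("192.0.2.0/24",), **widen_kw):
    """Offenders are addresses with >= threshold failures that are not
    inside a friendly network; each is widened, then the set is collapsed
    into a sorted list of non-overlapping prefixes for a pf table."""
    safe = [ipaddress.ip_network(f) for f in friendly]
    counts = failures_per_ip(log_text)
    offenders = [
        ip for ip, n in counts.items()
        if n >= threshold
        and not any(ipaddress.ip_address(ip) in s for s in safe)
    ]
    nets = {widen_prefix(ip, offenders, **widen_kw) for ip in offenders}
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


if __name__ == "__main__":
    # Usage: python3 this.py [/var/log/authlog]; without a file the
    # constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    entries = build_table(text)
    table_file = "/etc/pf.bruteforce"          # assumed path
    with open(table_file, "w") as fh:
        fh.write("".join(e + "\n" for e in entries))
    print("\n".join(entries))
    print("# now: pfctl -t bruteforce -T replace -f %s" % table_file)
```

Widening stops at /24 and only proceeds while the wider block still holds at least two distinct offenders, which is the guard against the /16 problem Peter raises: one host never drags its whole provider into the table. Load the output with pfctl -t bruteforce -T replace -f <file> and declare the table in pf.conf with table <bruteforce> persist file "<file>" so it survives a ruleset reload. For the automatic case, pf can do the counting itself with the max-src-conn-rate state option and overload <bruteforce> on the ssh pass rule.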
Re: News From HiFn
Ya, that'd be nice if I ever made it to a prompt to enter 'anonymous', but the connection fails well before that point.

$ ping ftp.hifn.com
PING ftp.hifn.com (208.10.194.169): 56 data bytes
64 bytes from 208.10.194.169: icmp_seq=0 ttl=117 time=100.851 ms
64 bytes from 208.10.194.169: icmp_seq=1 ttl=117 time=100.228 ms
^C
--- ftp.hifn.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 100.228/100.540/100.851/0.311 ms
$ ftp ftp.hifn.com
ftp: connect: Connection refused
ftp>

Nice :) On 7/5/06, J.C. Roberts [EMAIL PROTECTED] wrote: On Tue, 4 Jul 2006 18:48:28 +0200, Joachim Schipper [EMAIL PROTECTED] wrote: On Tue, Jul 04, 2006 at 12:16:45PM -0400, Nick Guenther wrote: On 7/4/06, Peter Blair [EMAIL PROTECTED] wrote: On 6/29/06, J.C. Roberts [EMAIL PROTECTED] wrote: I just got a call this afternoon from Tom Moore to let me know they've set up an anon FTP site (no registration) with their documentation: ftp://ftp.hifn.com This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. I was told HiFn is still working on their new ftp site, so I'm not sure how complete it is at the moment but at least we know there's a start and they are willing to continue working on it. Has anyone tried recently to connect to ftp.hifn.com ? I haven't been able to connect from multiple locations. Doesn't work here either. Curious... Looks like they're still working on it, as announced; it does not accept connections. Give them some time; this is not entirely unexpected behaviour from a server they just set up. Joachim Joachim has a good point. What error messages are you guys getting? -I'm thinking there would be a limit on the number of anon users the server will accept at any one time. 
Not only will all the various search engines try to index the site but also I would not be surprised if many individuals tried to make a local mirror of the site contents now that they are open. -The traffic influx might make a mess out of their IDS. jcr -- Free, Open Source CAD, CAM and EDA Tools http://www.DesignTools.org
'route to' question
Hello lists! (sorry if cross-list posting is frowned upon) I'm setting up a BSD/pf machine that will be working as a binat firewall for a number of hosts on two /28 subnets belonging to the same co-location provider. The BSD machine is already live, working hard for one subnet, and I don't have extra hardware to test this out in a lab environment (nice, I know), so I'd just like a little wisdom from the lists before I go live with this pf change: I'm wondering if I can use the route to option with pf in order to force all traffic from subnet A through subnet A's gateway, while subnet B's traffic goes through subnet B's gateway. Right now, subnet B is setup and running with B's gateway as the host for the 0.0.0.0 network. Now, with straight routing, I can't seem to find a way to enable multi-path routing to the 0.0.0.0 network along these lines:

if src is from netA: pass traffic to gwA
if src is from netB: pass traffic to gwB

Now, since I have only one external interface (see diagram at bottom), how can I rearrange the following pf statements (from the pf faq):

pass out on em0 route-to (em0 $ext_gw2) from em0 to any
pass out on em0 route-to (em0 $ext_gw1) from em0 to any

Can I get by by simply aliasing all of the IPs on em0 (external interface) or do I have to vlan the external device to get distinct interface names? Thanks, Pete.

Quick/Dirty Diagram:

204.15.193.0/28  (aliases 204.15.193.2-14)  --+
                                              +-- (em0) BSD (em1) --+ (Tagged VLAN)
204.15.193.16/28 (aliases 204.15.193.18-30) --+                     |
                                                                    +-- VLAN2 (192.168.3/24)
                                                                    +-- VLAN5 (10.10.5/24)
                                                                    +-- VLAN6 (10.10.6/24)
Re: Question related to automaticly encrypted /tmp /vat/tmp (like swap..?)
I haven't tried under OpenBSD, but mounting /tmp as a ramdisk could prove viable. On 7/4/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Some days ago I read a question related to encrypting a partition. I just know that swap gets encrypted automatically. Wouldn't it be possible to encrypt /tmp and /var/tmp automatically too, with the same mechanism which is used to encrypt the SWAP? Somebody mentioned that encrypting /tmp would be needed too because many applications store their temp. data there (which is mostly correct). I didn't post that question to tech because misc@ is a better place but maybe a developer could answer my question. I thought about the statement that encrypting /tmp and /var/tmp is a good idea and I would agree so are there any (technical?) reasons that can't be done even if a user does not use svnds? And btw: wouldn't it be better to use rm -P for /tmp/* (or even -P as default for rm?)? Kind regards, Sebastian
Re: News From HiFn
Has anyone tried recently to connect to ftp.hifn.com ? I haven't been able to connect from multiple locations. -Pete On 6/29/06, J.C. Roberts [EMAIL PROTECTED] wrote: Howdy misc@ Though I stayed out of the last public fiasco regarding HiFn here on the misc@ list, I privately contacted the people I know at the company. I didn't reply just to Hank Cohen who posted here on misc@ but I also included the VP of engineering (Russ Dietz), the CEO (Chris Kebner) and the VP of marketing (Tom Moore). I just got a call this afternoon from Tom Moore to let me know they've set up an anon FTP site (no registration) with their documentation: ftp://ftp.hifn.com This should take care of any of the long standing issues OpenBSD has had with the HiFn's procedures for releasing documentation. I was told HiFn is still working on their new ftp site, so I'm not sure how complete it is at the moment but at least we know there's a start and they are willing to continue working on it. Please check out the readme on the FTP. Basically it says if you wish to automatically get the HiFn updates/errata/notifications, you should probably sign up for the HiFn extranet thing. You don't have to but you can if you want. Kind Regards, JCR -- Free, Open Source CAD, CAM and EDA Tools http://www.DesignTools.org
Re: X not found
If you have no parts of X installed, then how do you expect to link against it? If you plan to use your OpenBSD machine as a headless X client, then you'll need to install the requisite libs. You'll save yourself a lot of time and headache if you just install the X set. On 7/4/06, Lawrence Horvath [EMAIL PROTECTED] wrote: I have been getting the following error, and wasn't sure if I have to totally install X or can I just install a minimal lib set to get the error to stop; at this time I do not have any parts of X installed.

# make
===>  qemu-0.8.0p3 uses X11, but /usr/X11R6 not found.

Thanks -- -Lawrence
Re: starting Apache in SSL mode
SSL certificates for a hostname require a unique IP address. Are you trying to do virtual name hosting with https? On 6/27/06, FTP [EMAIL PROTECTED] wrote: On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote: On 6/26/06, FTP [EMAIL PROTECTED] wrote: Hi there, I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error! What did I do wrong? In the ssl_engine_log I get: Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned. Did I do something wrong in the certs? no, but you probably neglected to edit /var/www/conf/httpd.conf appropriately (ServerName and NameVirtualHost come to mind, as well as the appropriate name-specific parts of the SSL config in the same file). ssl_engine_log probably won't give you the info you need here; take a look at your access_log and error_log. -- [EMAIL PROTECTED],darkuncle.net} || 0x5537F527 encrypted email to the latter address please http://darkuncle.net/pubkey.asc for public key Thanks for your reply. Well, the error_log doesn't get any message. Also, the regular http does show the web page without having the IP address in the http.conf file. Why doesn't this work with SSL as well? Certs etc. are in the correct path. Thanks George
Re: Nagios and Apache
resource_file=/usr/local/nagios/etc/resource.cfg works great for the default source install of Nagios. But switch it to a RPM, or PKG'd version of Nagios and you can't ensure that this directive will point to the right place or not. -Pete On 6/24/06, Lars Hansson [EMAIL PROTECTED] wrote: On Saturday 24 June 2006 18:13, Peter Blair wrote: At work we run Nagios across Linux, OpenBSD FreeBSD machines. Compiling it from source is the only way to ensure config file compatibility. Say what? How does the compilation affect the config file? The config file format is exactly the same no matter where or when you compile nagios. --- Lars Hansson
Re: pf woes
Paste the entire contents of /etc/pf.conf On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote: I'm sorry if I didn't give enough info - what else would you have to know?
Re: pf woes
And your root password. Please e-mail that to the list. On 6/26/06, Bryan Irvine [EMAIL PROTECTED] wrote: On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote: I'm sorry if I didn't give enough info - what else would you have to know? At the bare minimum, your pf.conf. Also desirable are the IP's of your firewalls internal and external interfaces as well as the ip of the FileMaker server, and the ip's of the clients you want to connect to it.
Re: Totally bizarre problem - cannot connect to openbsd mahcine
You should be able to configure one of the bridged interfaces to have an IP in order for you to SSH into the box. http://www.openbsd.org/faq/faq6.html#Bridge On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote: I believe the server was configured as a bridge - bridgename.bridge0 exists, and contains: add dc0 add dc1 up It was running for a good 300 days or so. It was set up and configured by my predecessor, and I am not completely sure on all of its configurations. On 6/26/06, Peter Blair [EMAIL PROTECTED] wrote: That sorta makes sense if your firewall was working as a bridge, but I don't think that you mentioned anything about a bridgename.bridge0. Was/Is your machine acting as a nat-style firewall? If so, then you'll have to assign it some IPs. How long was it running since its last reboot? Were the IP settings done manually via the console but never reflected in the /etc/hostname.dc* files? On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote: /etc/hostname.dc0 and .dc1 both just contain up and haven't been modified since 2003. Shouldn't there be an inet entry with the IP addresses for each of the cards listed? What happened to them?
Re: Nagios and Apache
On 6/23/06, Spruell, Darren-Perot [EMAIL PROTECTED] wrote: Incidentally, if you haven't used the package(s) for Nagios, do. I had no problems and I went with a package install. No mysteries. At work we run Nagios across Linux, OpenBSD FreeBSD machines. Compiling it from source is the only way to ensure config file compatibility.
Re: Nagios and Apache
Obvious, but ensure that /var/www/cgi-bin/nagios is a valid directory from the perspective of your chroot'd server. Another caveat is to ensure that the named pipe is accessible to both the nagios executable, and to the chroot'd cgi's (once they start working that is). Nagios references the pipe via absolute naming, so you may have to 'break' things a bit and create a symlink under your chroot directory of /usr/local/nagios/rw/nagios.cmd that points to the actual pipe. Also, try turning off chroot to see if that helps. That will at the least tell you if it's a visibility issue or not. Best of luck! On 6/23/06, Joco Salvatti [EMAIL PROTECTED] wrote: Hi all, I've installed and configured nagios, and I can open the start page with no problems. But I don't have access to the links that monitor services, such as Tactical Overview. In the apache log I have the following error messages:

[Fri Jun 23 15:42:51 2006] [error] (13)Permission denied: exec of /cgi-bin/nagios/tac.cgi failed
[Fri Jun 23 15:42:51 2006] [error] [client 127.0.0.1] Premature end of script headers: /cgi-bin/nagios/tac.cgi

My httpd.conf is as follows:

ScriptAlias /cgi-bin/nagios /var/www/cgi-bin/nagios
<Directory /var/www/cgi-bin/nagios>
#   SSLRequireSSL
    Options ExecCGI
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /var/www/nagios/htpasswd.users
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

Alias /nagios /var/www/nagios
<Directory /var/www/nagios>
#   SSLRequireSSL
    Options ExecCGI
    Options None
    AllowOverride None
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /var/www/nagios/htpasswd.users
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

My apache server runs using the chroot feature. Could anyone please tell me what's going wrong? Thanks. -- Joco Salvatti Undergraduating in Computer Science Federal University of Para - UFPA web: http://www.openbsd-pa.org e-mail: [EMAIL PROTECTED]
Re: combining 2 external interfaces ?
RTFM: man trunk On 6/17/06, S t i n g r a y [EMAIL PROTECTED] wrote: Is it possible to combine 2 external interfaces into one in OpenBSD? actually it's cheaper for me to buy two smaller internet connections than a big one. so i was thinking ... *:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$ Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Re: combining 2 external interfaces ?
And here's another for you: http://www.openbsd.org/faq/pf/pools.html#outgoing On 6/17/06, S t i n g r a y [EMAIL PROTECTED] wrote: Is it possible to combine 2 external interfaces into one in OpenBSD? actually it's cheaper for me to buy two smaller internet connections than a big one. so i was thinking ... *:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$ Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Re: head.c usage function
Be careful -- if you have an application say /usr/local/whatever/foo that is linked from /usr/local/bin/bar then when you call /usr/local/bin/bar it will populate bar as the argv[0] element. This may be what you want, but then again, perhaps you want to know that foo is the application being called. __progname *should* ensure that foo is being used when doing things like opening app-name specific logs etc. On 5/30/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I usually write a usage function to take a single argument, i.e. usage(const char *progname). When I call usage(), which is always from main(), I just pass in argv[0]. I'm under the impression that argv[0] being set to the name of the program is standard (could be wrong though).
Re: Xen/OpenBSD Summer of Code project
That project (if/once completed) would be very useful. I just cringe at the thought of running a guestOS of openbsd under linux or Solaris ;) On 5/30/06, Dries Schellekens [EMAIL PROTECTED] wrote: Anil Madhavapeddy wrote: We've put up some Xen-related projects for the Google Summer of Code, and one of them of particular interest is a port of OpenBSD to Xen 3.0 as a native guest OS. Full list: http://www.xensource.com/summerofcode.html Interested hackers are encouraged to apply; it is a fun project, some NetBSD code already exists, and will be useful. I see that this project got selected: http://code.google.com/soc/xensource/about.html Let's hope this work can be included in OpenBSD after the summer. Cheers, Dries
Re: head.c usage function
Gak! The should was hedged with quotes because I couldn't verify how it behaved. Apparently it's just a quick way to access argv[0]. Thanks! On 30 May 2006 16:29:31 +0200, Artur Grabowski [EMAIL PROTECTED] wrote: Peter Blair [EMAIL PROTECTED] writes: Be careful -- if you have an application say /usr/local/whatever/foo that is linked from /usr/local/bin/bar then when you call /usr/local/bin/bar it will populate bar as the argv[0] element. This may be what you want, but then again, perhaps you want to know that foo is the application being called. __progname *should* ensure that foo is being used when doing things like opening app-name specific logs etc. should? Says who? How do you handle hard links then? Why should anyone even care what the file name was? The kernel isn't even aware that a symbolic link was followed when performing the exec system call (it could be made aware of the fact by horrible layering violations in the filesystem code and/or best effort measures that would break down in case of hard links).

$ grep usage: /usr/src/bin/rm/rm.c
	(void)fprintf(stderr, "usage: %s [-dfiPRr] file ...\n", __progname);
$ rm -J
rm: unknown option -- J
usage: rm [-dfiPRr] file ...
$ ln -s /bin/rm /tmp/foo
$ /tmp/foo -J
foo: unknown option -- J
usage: foo [-dfiPRr] file ...
$

See: /usr/src/lib/csu/*/crt0.c that fills in __progname. Considering that argv[0] can be set to anything by the caller, __progname can be set to anything too. If you trust it, you're wrong. //art On 5/30/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I usually write a usage function to take a single argument, i.e. usage(const char *progname). When I call usage(), which is always from main(), I just pass in argv[0]. I'm under the impression that argv[0] being set to the name of the program is standard (could be wrong though).
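To see Artur's last point concretely (argv[0], and therefore __progname, is whatever the caller handed to execve), here is an added Python example that is not part of the thread. It runs /bin/sh under a made-up argv[0] and asks the shell what it thinks it is called; the name "definitely-not-sh" is invented, and the example assumes a POSIX /bin/sh is present.

```python
"""Exec a program under an arbitrary argv[0] and report what it sees.

Added example, not from the thread. Assumes /bin/sh exists; the fake
name is made up.
"""
import subprocess


def argv0_as_seen_by(program, fake_name):
    """Run `program` with argv[0] set to fake_name and return the name the
    program reports for itself.

    subprocess's `executable` argument decouples the file that is executed
    from args[0], exactly as execve(2) does: the kernel runs `program`,
    but the new process's argv[0] is fake_name.  /bin/sh exposes its own
    argv[0] as $0 when invoked with -c and no further operands.
    """
    result = subprocess.run(
        [fake_name, "-c", 'printf "%s" "$0"'],
        executable=program,
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


def argv0_is_trustworthy(program, fake_name):
    """False when a caller can make the program believe it has another name,
    i.e. whenever the reported name is just argv[0] echoed back."""
    return argv0_as_seen_by(program, fake_name) != fake_name


if __name__ == "__main__":
    print(argv0_as_seen_by("/bin/sh", "definitely-not-sh"))
```

The same holds for any process you spawn, and for every process that spawns yours: never let __progname or argv[0] decide which privileges a program exercises, which config it loads or which files it may open, because whoever runs the binary gets to pick that string.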
Re: Xen/OpenBSD Summer of Code project
Are you saying that OpenBSD is targeted as a Dom0 OS? I couldn't tell from the above mentioned links. On 5/30/06, Dries Schellekens [EMAIL PROTECTED] wrote: Peter Blair wrote: That project (if/once completed) would be very useful. I just cringe at the thought of running a guestOS of openbsd under linux or Solaris ;) A minor detail: OpenBSD will run on the Xen virtual machine monitor and not on Linux or Windows (like VMWare). So the Linux instance (or even multiple of them) will run in parallel to the OpenBSD domain. Cheers, Dries On 5/30/06, Dries Schellekens [EMAIL PROTECTED] wrote: Anil Madhavapeddy wrote: We've put up some Xen-related projects for the Google Summer of Code, and one of them of particular interest is a port of OpenBSD to Xen 3.0 as a native guest OS. Full list: http://www.xensource.com/summerofcode.html Interested hackers are encouraged to apply; it is a fun project, some NetBSD code already exists, and will be useful. I see that this project got selected: http://code.google.com/soc/xensource/about.html Let's hope this work can be included in OpenBSD after the summer. Cheers, Dries
Re: nice and convenient way to check latest current src changes?
Here's a quick perl script to extract the html:

#!/usr/bin/perl
#
# cvs_dates.pl -- print "date id" for each commit listed on a MARC
# openbsd-cvs index page read from stdin
use strict;
use warnings;

while (<STDIN>) {
    my ($line) = $_;
    chomp($line);
    # ISO date, 28 characters of markup, then the numeric message id
    if ($line =~ /(\d{4}-\d{2}-\d{2}).{28}(\d{10,20})/) {
        my ($d)  = $1;
        my ($id) = $2;
        print $d, " ", $id, "\n";
    }
}

And just do something like:

wget -q -O - 'http://marc.theaimsgroup.com/?l=openbsd-cvs&r=1&b=200605&w=2' | perl cvs_dates.pl

On 5/29/06, Didier Wiroth [EMAIL PROTECTED] wrote: Hello, To follow the current source changes I usually check the following website: http://marc.theaimsgroup.com/?l=openbsd-cvs&r=1&b=200605&w=2 This isn't very handy as you have to click every message to view the log message and the files that were changed. 1) Is there a nice way to see current source changes? (If possible, I would prefer NOT to subscribe to another new mailing list!) 2) Is there a nice and fast method to check the latest changes with the cvs command? Thank you very much Didier
Re: C++ problem in current snapshot (2006-05-22)
Don't use <iostream.h>, as it's old, and only there for backwards compatibility. If possible, use <iostream> instead. On 5/25/06, Toni Mueller [EMAIL PROTECTED] wrote: Hello, I'd like to compile a small C++ program (part of building the HylaFAX port). This is the program:

#include <iostream.h>
int main(){
    cout << "Hello World!" << endl;
    return 0;
}

Compiling it goes like this:

$ c++ testit.cc
/tmp//cch21612.o(.text+0x1c): In function `main':
: undefined reference to `endl(ostream&)'
/tmp//cch21612.o(.text+0x29): In function `main':
: undefined reference to `cout'
/tmp//cch21612.o(.text+0x2e): In function `main':
: undefined reference to `ostream::operator<<(char const*)'
/tmp//cch21612.o(.text+0x37): In function `main':
: undefined reference to `ostream::operator<<(ostream& (*)(ostream&))'
collect2: ld returned 1 exit status

I've searched for any libstdc++.so and friends, and also found them where I'd expected them, but that seems to be insufficient. Running ldconfig doesn't improve things. What gives? Best, --Toni++
Re: traffic shaping question.
I haven't personally tested this, but give it a look: http://www.whoopis.com/howtos/web-bandwidth-limit.html Unfortunately it doesn't have the same kind of benefits that altq/pf provide, but as stated in the previous messages, you'd have to place your webmail and iso services on different IPs. On 5/23/06, Per-Olov Sjvholm [EMAIL PROTECTED] wrote: On Tuesday 23 May 2006 12.56, S t i n g r a y wrote: I want to do traffic shaping on a per protocol basis so if i give a certain bandwidth to the HTTP protocol, isn't there any way i can differentiate between HTTP webpages and HTTP downloads of huge .iso files? i don't want users who are downloading huge files to affect users who are only checking their webmails. is there any way? *:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$ Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com Correct me if I am wrong.. But you can differentiate shaping of traffic of the same protocol if it has different Type Of Service. You can for example give higher priority to SSH shell and lower the priority of scp bulk file transfers as they have different TOS. Don't know if there exist anything like it for HTTP (don't think so). If it doesn't exist you probably have to find another way (not in PF). Or you could have the ISO downloads from a different IP. /Per-Olov -- GPG keyID: 4DB283CE GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
Re: traffic shaping question.
Another alternative is to use http://httpd.apache.org/docs/1.3/mod/mod_proxy.html#proxypass to proxy your iso directory to another httpd instance running on a private IP, eg: setup your webserver with the regular public IP address(es), and additionally setup a number of private IP addresses. Start a webserver (doesn't have to be apache) that binds solely to the private IP address(es) and configure pf accordingly (only allow in packets to the private address from whatever address that the public apache will bind to). Setup your main server's proxypass to proxy say /iso to http://10.11.12.13:8080/iso; And configure altq to limit outgoing traffic on 10.11.12.13. Mind you, this scheme is completely untested and may not be possible. On 5/23/06, S t i n g r a y [EMAIL PROTECTED] wrote: I want to do traffic shaping on a per protocol basis so if i give a certain bandwidth to the HTTP protocol, isn't there any way i can differentiate between HTTP webpages and HTTP downloads of huge .iso files? i don't want users who are downloading huge files to affect users who are only checking their webmails. is there any way? *:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$ Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Re: I'm testing cvs, $Id$ wrong last committed time
What's your timezone?

On 5/18/06, Didier Wiroth [EMAIL PROTECTED] wrote:

Hello, (openbsd novice)
I'm experimenting with cvs. I'm running:

a) cvs repository on openbsd 3.9-stable:
repo:~ $ ls -la /etc/localtime && date
lrwxr-xr-x 1 root wheel 37 May 12 17:34 /etc/localtime -> /usr/share/zoneinfo/Europe/Luxembourg
Thu May 18 16:34:52 CEST 2006

b) client is running current:
client:~$
lrwxr-xr-x 1 root wheel 37 May 15 00:03 /etc/localtime -> /usr/share/zoneinfo/Europe/Luxembourg
Thu May 18 16:36:32 CEST 2006

I put a $Id$ in a file and do a commit:
cvs -q -d $MYCVS ci -m test index.html

The index.html file's $Id$ after the commit is:
$Id: index.html,v 1.4 2006/05/18 14:37:39 dda Exp $

The tag shows a time that is wrong, it's -2 hours, it should be 16:37:39. Why, am I missing something?

Thank you for helping
Didier
Re: I'm testing cvs, $Id$ wrong last committed time
woops -- replied before reading entire message. *ducks*

On 5/18/06, Peter Blair [EMAIL PROTECTED] wrote:

What's your timezone?

On 5/18/06, Didier Wiroth [EMAIL PROTECTED] wrote:

Hello, (openbsd novice)
I'm experimenting with cvs. I'm running:

a) cvs repository on openbsd 3.9-stable:
repo:~ $ ls -la /etc/localtime && date
lrwxr-xr-x 1 root wheel 37 May 12 17:34 /etc/localtime -> /usr/share/zoneinfo/Europe/Luxembourg
Thu May 18 16:34:52 CEST 2006

b) client is running current:
client:~$
lrwxr-xr-x 1 root wheel 37 May 15 00:03 /etc/localtime -> /usr/share/zoneinfo/Europe/Luxembourg
Thu May 18 16:36:32 CEST 2006

I put a $Id$ in a file and do a commit:
cvs -q -d $MYCVS ci -m test index.html

The index.html file's $Id$ after the commit is:
$Id: index.html,v 1.4 2006/05/18 14:37:39 dda Exp $

The tag shows a time that is wrong, it's -2 hours, it should be 16:37:39. Why, am I missing something?

Thank you for helping
Didier
Re: I'm testing cvs, $Id$ wrong last committed time
Since CEST is +2 hours from GMT, the cvs timestamp looks fine.

On 5/18/06, Darrin Chandler [EMAIL PROTECTED] wrote:

On Thu, May 18, 2006 at 04:42:47PM +0200, Didier Wiroth wrote:

I put a $Id$ in a file and do a commit:
cvs -q -d $MYCVS ci -m test index.html

The index.html file's $Id$ after the commit is:
$Id: index.html,v 1.4 2006/05/18 14:37:39 dda Exp $

The tag shows a time that is wrong, it's -2 hours, it should be 16:37:39. Why, am I missing something?

I'm not the best cvs person in the world, but it makes sense to me. What if you have someone else in a different time zone who is also committing with $Id$ in their sources? It seems that times should be stored in GMT/UTC always...

--
Darrin Chandler            | Phoenix BSD Users Group
[EMAIL PROTECTED]          | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
Re: what is this ?
Does the section of the book talk about frame relay? More context would help.

On 5/15/06, S t i n g r a y [EMAIL PROTECTED] wrote:

Well, I am learning OpenBSD PF from a book. In the book, when creating sample rules, the author refers to CIR's when defining macros, but in the form of:

prv_ad = p.p.p.p/24
ch_ad = w.w.w.w/32
prv_ad1 = p.p.1.p/24
prv_ad2 = p..p.2.p/24
ext_ad2 = e.e.e.f/32

There isn't any explanation of these anywhere in the book. What are these? I am familiar with notations such as 10.0.0.0/24, 192.168.0.0/16.

Thank you.
Stingray
Re: what is this ?
Perhaps this is what it's talking about: http://www.ralphb.net/IPSubnet/cidr.html

On 5/15/06, S t i n g r a y [EMAIL PROTECTED] wrote:

No, this book is only about OpenBSD PF, no types of networks.
Re: Anti MAC spoofing in OpenBSD
arpwatch: http://ee.lbl.gov/

And lock down the permitted MAC addresses on your switch.

On 5/9/06, S t i n g r a y [EMAIL PROTECTED] wrote:

Ok, I know PF doesn't filter using MAC addresses, but can you point me to a package that has the feature of anti MAC spoofing?

regards
Stingray
Re: network script on startup
man getsomeoneelsetodoit

On 5/8/06, Nick Guenther [EMAIL PROTECTED] wrote:

On 5/8/06, S t i n g r a y [EMAIL PROTECTED] wrote:

I have a network script that I want to execute before any host on the network connects to my computer.

thanks

man rc
man netstart
Re: multiple publicIPs
Perhaps I'm confused, but it doesn't look (from your diagram) like your pf machine is acting as a firewall for anything but itself. If you want to filter traffic to your public machines, then you'll have to either:

1) Use the pf machine as a bridge between the internet ethernet segment and the ethernet segment with your publicly available machines, or

2) Place your public machines into a DMZ, and filter/NAT/rdr traffic to/from them via the pf machine.

On 5/5/06, Sparc [EMAIL PROTECTED] wrote:

Hello everyone,

                 INTERNET
                    ^
                    |
x - - - - - - - [SWITCH] - - - - - - - - - - x
[PF firewall]                      [Several publicIPs]

I am running a network with several public IP addresses that are used for different services, and I use PF on a dedicated box (see illustration) to control incoming and outgoing packets to and from these public IPs. I did not notice until such time that they were exposed to different types of probes such as ping, use of port scanners, etc. from the Internet. Below are the rules I used to supposedly block incoming packets to my public IPs. Just for info, I used the gateway address provided by my ISP, not the IP on my PF box. I haven't tried using the PF box as a gateway. I don't think it's going to work.

# M A C R O S
ext_if=sis0
int_if=xl0
serversPUB={ my.pub.lic.1, my.pub.lic.2, my.pub.lic.3, etc... }
www_virt=my.pub.lic.1

# O P T I O N S
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo0

# N O R M A L I Z A T I O N
scrub in all

# N A T / R D R
#xlation gateway

# F I L T E R
#protect public and local address [ incoming, outgoing ]
block all
pass quick on lo0 all
antispoof log quick for { $ext_if, $int_if } inet
block drop in on $ext_if inet from any to $serversPUB
# I tried to tweak with different scenario,
# doesnt work
pass in on $ext_if proto tcp from any to $www_virt port { www, https } \
    flags S/SA synproxy state
--

As you can see, only a few rules are put here above, just to give you an idea how I did the blocking. The other rules with my services so far are continuously going well. I just don't want to permit incoming packets directly to my public IPs; that is why I have PF as my firewall to centrally manage incoming and outgoing traffic. On the above BLOCK rule, I supposed it blocks all incoming packets on $ext_if to $serversPUB. Unfortunately it doesn't. I have bought OpenBSD books, including Building Firewalls with OpenBSD & PF by Jacek, and read lots of articles about rules in pf, but haven't found one that is similar to my setup; everything uses NAT / RDR to access services (e.g. webserver, etc). Here, I didn't use rdr because it uses a public IP as stated in MACROS. I appreciate your help so much.

Thanks,
-Sparc
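Peter's option 1 as an added sketch, not taken from either post: the pf box becomes a transparent bridge between the ISP-facing segment and the segment holding the public servers, so the frames actually traverse it and the block rules can bite. Interface names and the serversPUB/www_virt macros are reused from Sparc's post; the bridge file name is the one used by OpenBSD releases of that era (/etc/bridgename.bridge0), current releases use /etc/hostname.bridge0 instead.

```pf
# Added example, not from the thread. Files on the pf box; bridge members carry no IP.
# /etc/hostname.sis0   -- member toward the ISP switch port
up
# /etc/hostname.xl0    -- member toward the public servers
up
# /etc/bridgename.bridge0  (OpenBSD 3.9 era; /etc/hostname.bridge0 on current releases)
add sis0
add xl0
up

# /etc/pf.conf -- filtering works now because every frame crosses the bridge
ext_if     = "sis0"
int_if     = "xl0"
serversPUB = "{ my.pub.lic.1, my.pub.lic.2, my.pub.lic.3 }"
www_virt   = "my.pub.lic.1"

set skip on { lo0, $int_if }   # inspect each frame once, on the outside member
scrub in all
block log all                  # default deny in both directions, now enforceable

# Servers may initiate outbound traffic; the state lets the replies back in
pass out on $ext_if from $serversPUB keep state

# Only the web service is reachable from the internet. synproxy is deliberately
# not used: pf.conf(5) notes that synproxy does not work when pf runs on a bridge.
pass in on $ext_if proto tcp from any to $www_virt port { www, https } \
    flags S/SA keep state
```

`tcpdump -n -e -ttt -i pflog0` on the bridge should now show the probes (ping, port scans) being dropped instead of reaching the servers.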
Re: IPSec faq ??
http://undeadly.org/cgi?action=article&sid=20060222180512

On 5/5/06, carlopmart [EMAIL PROTECTED] wrote:

Hi all,

Does somebody know when the ipsec faq will be published on the openbsd website?? I need to deploy two openbsd 3.9 HA firewalls with vpn, dhcp and x509 certificates included. Does somebody have some howto??

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: using queues to limit bandwidth
ALTQ should do the trick: http://www.openbsd.org/faq/pf/queueing.html

On 5/1/06, Chris Bullock [EMAIL PROTECTED] wrote:

Can queues be used to queue overall bandwidth? We have a project where we will be sharing an Internet connection with another company; we will have an IP and they will have an IP, each company providing their own firewall. I understand that queuing is able to queue based on protocol, etc. on the same box, but let's say there is a T1 shared between the companies. The company tells us, you can have one of our IP addresses but you can only use 100k of our bandwidth; can pf do this? I guess this is more bandwidth throttling than queuing.

TIA,
Chris
Re: using queues to limit bandwidth
I forgot to mention in my previous e-mail that if you were to implement the scenario outlined in your e-mail, then the other company would have to 'trust' that you're setting up your firewall to not exceed your 100k of bandwidth. Just set up a single queue that caps at 100k.

On 5/1/06, Chris Bullock [EMAIL PROTECTED] wrote:

Can queues be used to queue overall bandwidth? We have a project where we will be sharing an Internet connection with another company; we will have an IP and they will have an IP, each company providing their own firewall. I understand that queuing is able to queue based on protocol, etc. on the same box, but let's say there is a T1 shared between the companies. The company tells us, you can have one of our IP addresses but you can only use 100k of our bandwidth; can pf do this? I guess this is more bandwidth throttling than queuing.

TIA,
Chris
Re: Port collection missing...
ftp://ftp.openbsd.org/pub/OpenBSD/3.7/ports.tar.gz

On 4/28/06, S t i n g r a y [EMAIL PROTECTED] wrote:

Well, I just installed my first OpenBSD box :) feels good!!! But to install packages I cannot find the ports collection in /usr. How can I get them? I am using the 3.7 version.

regards
Stingray
Re: Port collection missing...
But perhaps you're confusing ports & packages: http://www.openbsd.org/faq/faq15.html#PkgMgmt

Packages are pre-compiled. Ports creates packages from source. You don't need the ports tree to install packages.

-Pete

On 4/28/06, Peter Blair [EMAIL PROTECTED] wrote:

ftp://ftp.openbsd.org/pub/OpenBSD/3.7/ports.tar.gz

On 4/28/06, S t i n g r a y [EMAIL PROTECTED] wrote:

Well, I just installed my first OpenBSD box :) feels good!!! But to install packages I cannot find the ports collection in /usr. How can I get them? I am using the 3.7 version.

regards
Stingray
Re: Why advocate Old daemon book?
As an aside: I recently read The Design and Implementation of 4.2 BSD Operating System, which focused on the VAX architecture and was published sometime in the early 80s. In spite of its age, I found the concepts clearly stated and, on a high level, I believe that reading the book forwarded my general knowledge of how *BSD systems operate. I especially enjoyed the chapter on memory management and paging.

My $0.02.

On 4/27/06, js [EMAIL PROTECTED] wrote:

A silly question. I wonder why http://www.openbsd.org/books.html still recommends the old daemon book, The Design and Implementation of the 4.4 BSD Operating System? As most of you know, there's a newer version, The Design and Implementation of the FreeBSD Operating System. Is there any reason not to recommend this new one?

Thanks in advance.
Re: mrtg and snmp
Perhaps http://www.benzedrine.cx/pfstat.html would interest you.

On Thu, Apr 27, 2006 at 07:50:22AM +0700, riwanlky wrote:

I just installed pf on my OpenBSD box as a firewall. However, I need to install MRTG and SNMP so that I can get the network utilization. Any documentation on the web that anyone can suggest?