intel pro NICs and OBSD

2006-12-09 Thread Russell Fulton
Hi Folks,
  I have just joined the list again after an absence of some
months.  I have checked two different archives and found no reference to
this issue, which surprises me.  If it has been discussed please accept
my apologies and give me a url to an archive with the relevant posts.

My question is are the em NIC drivers vulnerable to the recently
announced intel NIC driver stack overflow bugs?  I see that there are
new FREEBSD em drivers available on the Intel site but no mention of
Open BSD.

Cheers, Russell



Problems with making a new release

2006-02-09 Thread Russell Fulton
I am trying to generate a new release incorporating the two recent
patches that I can then install on a number of other machines.

I have one system with all the sources and have successfully built and
installed the new kernel. Following the instruction in man release I am
now trying to generate something that I can install on other systems.

I don't really care about the floppy or CD images since I intend to
upgrade most of the systems remotely -- i.e. I am primarily interested
in the .tgz files and the new kernel.

When I did

cd /usr/src/etc && nice make release

It ground away for at least half an hour and then make terminated:
TOPDIR=/usr/src/distrib/i386/ramdiskA/..
CURDIR=/usr/src/distrib/i386/ramdiskA
OBJDIR=/usr/src/distrib/i386/ramdiskA/obj REV=38 TARGDIR=/mnt
UTILS=/usr/src/distrib/i386/ramdiskA/../../miniroot sh
/usr/src/distrib/i386/ramdiskA/../../miniroot/runlist.sh
/usr/src/distrib/i386/ramdiskA/../common/list
COPY ${OBJDIR}/instbin instbin
cp: /mnt/instbin: Read-only file system
*** Error code 1

[h... some wrapping of lines above ]

any idea what is actually wrong?

Cheers, Russell



Building Fox gui on 3.8 -- threadsafe versions of getpwuid and friends

2006-01-09 Thread Russell Fulton
Hi
I am trying to install Fox on a 3.8 system but the compilation fails
because several functions such as getpwuid_r are missing.  These
functions are part of the POSIX standard and are thread-safe versions of
the originals which use static buffers to return results.

I've done some searching on Google but have not turned up anything
useful.  There are several courses of action possible but I am unsure
which route to take.

Hopefully there is a package which contains these routines but I have
not been able to find it.

Cheers, Russell



patch management on larger install bases

2006-01-09 Thread Russell Fulton
I am just starting to upgrade all my obsd boxes to 3.8.  I have a copy
of the official CDs -- I know the ISOs are copyright but is there a
way of burning an updated set so I don't have to patch each system
individually?

Alternately, with the kernel I'm guessing I can replace /bsd (and
/bsd.rd) using the little shuffle recommended in the upgrade docs.
Which perl files need replacing?

How do others who manage several boxes apply patches like the recent ones?

Cheers, Russell



using cvs to access stable branch

2006-01-09 Thread Russell Fulton
With the recent release of two patches I have finally been forced to
come to grips with CVS and the source tree.

I have unpacked the source tarballs on the target machine and read through

http://www.openbsd.org/anoncvs.html#starting
and
http://www.openbsd.org/anoncvs.html#CVSROOT

following the examples in the latter:

-bash-3.00$ export [EMAIL PROTECTED]:/cvs
-bash-3.00$ cvs -q up -rOPENBSD_3_8 -Pd
ssh: connect to host anoncvs1.usa.openbsd.org port 22: Connection refused
cvs [update aborted]: end of file from server (consult above messages if
any)
-bash-3.00$ ssh anoncvs1.usa.openbsd.org
ssh: connect to host anoncvs1.usa.openbsd.org port 22: Connection refused


I'm confused...

Also http://www.openbsd.org/anoncvs.html#CVSROOT refers to the 'patch
branch' and 'current' --  I assume 'patch branch' is really stable ??

cheers, Russell



Re: using cvs to access stable branch

2006-01-09 Thread Russell Fulton
Christopher Pascoe wrote:
 Hi Russell,
 
 Try switching to anoncvs3.usa.openbsd.org.  It looks like anoncvs1 may be 
 having problems at the moment - it isn't responding at all now.
 
Doh!  Whose bright idea was it to get pf to send RST for outbound
dropped ssh sessions?  :) :)  If they had timed out I would have looked
for network problems...

I tried traceroute and got as far as the firewall.

Apologies for the noise :(

Russell



Re: pf not logging to /var/log/pflog...

2006-01-09 Thread Russell Fulton
Olivier Mehani wrote:
 On Mon, Jan 09, 2006 at 08:37:04PM +0100, Otto Moerbeek wrote:
 adsl:
! sh -c /sbin/ifconfig pflog0 up
 
 As far as I remember, it's not necessary to ifconfig pflog0 up to use it.
 
 Why enable pf only when the link is up? It's non-standard and
 potentially dangerous. You're better off using the standard way of
 enabling pf.
 
 However non standard, I don't clearly see the potential danger in this. Can
 you elaborate ?

I think the philosophy is that if you have pf running all the time then
there are a lot less things to go wrong.  It starts at boot time and
that is it.

Russell



argus calloc failure on 3.7

2005-08-26 Thread Russell Fulton

Hi Folks,
 I am having problems running argus www.qosient.com on 3.7.  The 
server runs for a variable amount of time (usually 1 - 2 hours) and then dies when a 
calloc for 128 bytes fails.  We are fairly sure that this is not because of real 
memory exhaustion (watching with top does not show any obvious leaking behaviour) so 
that points to possible bad frees or some other issue.  Argus runs happily on other 
BSDs (and other flavours of UNIX/Linux) and people have used it on older OBSD versions.

Theo's note about upcoming changes to memory management in 3.8 made me wonder 
if anything was changed in 3.7 that may have caused latent bugs to manifest 
themselves.

Anyone have any ideas?

Cheers, Russell



x clients on 3.7 -- which install sets do I need?

2005-08-11 Thread Russell Fulton

Hi Folks,
 Which of the X install sets do I need if I just want to run x clients? 
Clearly I don't need xserver but what about xfonts?

Russell 



problems adding packages in 3.7

2005-07-27 Thread Russell Fulton

Hi Folks,
I'm getting errors about missing libraries while adding packages to a 
3.7 system.  This was a new install with 3.7 so there should not be any old 
stuff laying around

-bash-3.00$ sudo pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz
Can't install ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz: lib not found intl.1.1
Even by looking in the dependency tree:
   libiconv-1.9.2, gettext-0.10.40p2
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.
-bash-3.00$ uname -a
OpenBSD matata.insec.auckland.ac.nz 3.7 GENERIC#50 i386

I understand that it can not find lib intl.1.1 and that it has looked for it in 
the package dependencies.  However I don't understand what it is suggesting I 
do with pkg_info (yes I've read the man page).

A little more guidance would be appreciated.

Cheers, Russell



Re: problems adding packages in 3.7 -- solved

2005-07-27 Thread Russell Fulton
It has just been pointed out to me (off list) that I was loading the package from the 3.6 tree.  Doh!!!


Russell

Russell Fulton wrote:

Hi Folks,
I'm getting errors about missing libraries while adding packages to 
a 3.7 system.  This was a new install with 3.7 so there should not be 
any old stuff laying around


-bash-3.00$ sudo pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz
Can't install ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/recode-3.6p1.tgz: lib not found intl.1.1

Even by looking in the dependency tree:
   libiconv-1.9.2, gettext-0.10.40p2
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.
-bash-3.00$ uname -a
OpenBSD matata.insec.auckland.ac.nz 3.7 GENERIC#50 i386

I understand that it can not find lib intl.1.1 and that it has looked 
for it in the package dependencies.  However I don't understand what it 
is suggesting I do with pkg_info (yes I've read the man page).


A little more guidance would be appreciated.

Cheers, Russell




Re: howto clean disks ?

2005-06-01 Thread Russell Fulton
  Once information on a digital media has been overwritten, it cannot be
  recreated/restored in any lab. All this talk about electron microscopes
  and overwriting in multiple passes is just a load of crap derived from
  an old DoD standard. It has no practical meaning. One overwrite is
  enough. Please let this ugly rumour die :)

Peter Gutmann presented a paper on the technique of using electron
microscopes to recover data from overwritten disks nearly 10 years ago
at a USENIX Security Symposium.  Peter did the research on this while at
IBM's Watson Laboratory.   Yes, it's very expensive (in terms of time)
and you need sophisticated equipment but it is well within the reach of
any technical university or well financed organisation.

Like all security decisions how you wipe your data depends on how
valuable it is.  For most stuff one pass is probably enough but OTOH
doing a five or seven pass with random data is not a large incremental
cost so why not do it properly.  The biggest cost in the exercise is the
time it takes to boot the machine up on a CD with the right tools and
start them running.  Do you really care if it takes one or five hours to
do the wipe?  (OK there will be times when you do care and in that case
you opt for speed unless there is something extraordinarily sensitive on
the disk...)

Russell




Re: VPN client connectivity issues with OBSD firewall

2005-05-30 Thread Russell Fulton
On Mon, 2005-05-30 at 12:16 +0530, Suresh Myneni wrote:
 Hopefully someone will be able to help me with a vpn client
 connectivity problem . Using Contivity VPN client on windows 2k going
 through OpenBSD 3.7 PF/NAT

 I have three workstations behind the firewall using private IPs. The
 internet usage is fine on all the machines. But when I use Contivity
 VPN client through NAT on a single machine to connect to the remote
 site, I am able to connect fine. When I use the second machine to
 connect to the remote site using the VPN client, the VPN client fails
 in the last stage of establishing the connection. It gives me a
 message Checking for banner text from x.x.x.x and then disconnects.

I know nothing about Contivity but is it possible that it objects to
having two sessions from one IP?  I assume that x.x.x.x is the external
NAT IP for your firewall.  If this is the problem then the 'fault' lies
with the vpn software not with the pf configuration.

Cheers, Russell




OBSD 3.7 ports -- mysql

2005-05-24 Thread Russell Fulton
Hi Folks,
 I've just installed mysql from the ports on my 3.7 system. All went
well (I did not see any errors) but so far as I can see only the client
stuff was installed.  The server is there in the ports tree
under /usr/local/libexec/mysqld but it is not installed.  Nor does
there appear to be a start up script or safe-mysqld.

Any ideas?

Cheers, Russell
