Re: Keeping track of MAC addresses
On Thu, 21 Feb 2019 at 07:15, wrote:
>
> > did you take a look at net/arpwatch?
>
> Too many emails; email to root is not a useful mechanism for me.

arpwatch could be configured to send emails to an address other than root. At the time I was using it, the --help showed a command line option for specifying alternative email addresses, but it did not work then. It's been many years since I used it, so this may have changed, but I had to adjust #define's for WATCHER and WATCHEE, to hard code alternative email addresses into the binary.

Combined with an email to SMS text message gateway service, this gave my manager and me almost instant notification when staff with physical access added hosts to certain networks they were not permitted to.

Shane
Re: Upgrading to current prep
> On Sat, Mar 10, 2018 at 11:42:55PM -0500, Rupert Gallagher wrote:
> > > only as originally intended for unix systems. Further, variable
> > content partitions such as /var and /home should be large enough to
> > allow for ssd wear levelling, or you will toss away expensive ssds
> > like autumn leaves. Finally, all games should be moved from the

I keep hearing about longevity issues with flash based storage. It seems this paranoia just won't die.

I'm coming up to 13 years of installing OpenBSD onto flash based storage and I've not had a failure yet. Only ever used softdep and noatime. Installed into Sun Ultras with IDE-CD adaptors, Soekris 5501 and 6501, ALIX 2s and 3s and now also running off thumb drives in these sweet little EdgeRouter LITEs. Always stuck to SanDisk and Lexar.

https://marc.info/?l=openbsd-misc&m=113148165022620&w=2

I had one 2.5" Corsair SSD fail outside of OpenBSD usage, but it was a sudden death and well within the infant mortality stage of the bathtub curve.

And on a note related to SSD longevity, I've run Samsung SSDs in my Sony PS4 and PS4 Pro since both were released and they both constantly write video capture data to "disk" while on and this is a feature I cannot switch off. They're both still working fine too. My PS4 would have hammered that SSD for hours most days for about 4 years.

Shane
Re: Kernel memory leaking on Intel CPUs?
On Saturday, 6 January 2018, Eric Furman wrote:
> I always love threads like this. :)
> Doesn't it tell anybody anything that none of the developers have
> commented?
>
>

Theo talked about how scary some bugs in some Intel CPUs were, a decade ago...

https://marc.info/?l=openbsd-misc&m=118296441702631&w=2

So I will be most interested to see the OpenBSD take on this after the embargo period is over.
Re: Kernel memory leaking on Intel CPUs?
On Friday, 5 January 2018, Rupert Gallagher wrote:
> The Intel flop hits the US .mil as well, because they depend on COTS
> Xeons.
>
> I pity the Russians. I wonder if they pay through the nose for Oracle's
> power hungry hardware, or make it cheaper and power efficient of their own.
>
> On Thu, Jan 4, 2018 at 18:28, Jordan Geoghegan
> wrote:
>
> > The Russians heavily use SPARC for aerospace/military applications as
> > well as their in house domestic-use-only Elbrus machines, for what I
> > imagine to be reasons precisely like this.

SPARC architecture is open to others to develop their own CPU designs. The Russians are not forced to buy SPARC from Oracle.
Re: OpenBSD 5.3 released May 1, 2013
On 1 May 2013 23:42, Stuart Henderson wrote:
>
> May 1, 2013.
>
> We are pleased to announce the official release of OpenBSD 5.3.
> This is our 33rd release on CD-ROM (and 34th via FTP). We remain
> proud of OpenBSD's record of more than ten years with only two remote
> holes in the default install.
>
> As in our previous releases, 5.3 provides significant improvements,
> including new features, in nearly all areas of the system:
>

Another awesome release! You guys rock! Especially love the Full Disk Encryption!
Re: OpenBSD forked
On 18 June 2012 15:46, Raymond Lillard wrote:
> On 06/17/2012 12:31 PM, Peter J. Philipp wrote:
>>
>> Having followed OpenBSD for quite some time I noticed that good developers
>> come and go. They come in, make something great happen, and disappear
>> again.
>> Also there have been forks and I also noticed that no fork gets a light
>> judgment. Rightfully so. And then I always appreciated the permanent
>>
>> element in OpenBSD that guides our attention to areas we as users and
>> sideliners don't always see immediately. I'll keep buying CD's when
>> available
>> and I do donations here and there when I feel like it, and I don't regret
>> it.
>
>
> ditto.
>
> I almost always remain silent in political matters,
> (relating to OpenBSD that is).
>
> I will list some reasons why I am not going anywhere
> soon for a "free" OS. I have been using, donating
> hardware and purchasing CDs since 3.0.
>
>
> Reason 1: Legacy Architectures
> I have many "legacy" machines in service because they
> can be acquired for next to free (sometimes just free).
>
> These legacy machines are very good at exposing subtle
> bugs not found by compiling and running on Intel/AMD
> hardware.
>
> Since these legacy architectures are "strange" in the
> i386/AMD64 context, exploiters are unlikely to bother
> with them. None of my Internet facing machines are on
> popular architectures.
>
> I have seen attackers come and leave as soon as they
> figure out what they are up against. The combination
> of OpenBSD and uncommon architectures is a very tough
> nut to crack.
>
>
> Reason 2: Security
> This is an unknown. All FOSS claims to be free, fast
> and secure. Even Microsoft claims to be secure. Maybe
> the new team will be as fanatical as Theo, likely not
> if their FAQ is to be believed. Their reputation for
> security will be revealed with the passage of time.
>
>
> Reason 3: Crypto
> I don't know where the new project is located, but
> they seem to have a server in Southfield, MI USA and
> another in Denmark. I hope none of the developers is
> subject to US export laws regarding cryptography and
> that the code is maintained on servers also not subject
> to those laws.
>
> Just look at the recent MegaUpLoad case. That case
> is reportedly about a bunch of ripped off movies.
> I have googled a bit and have not found a physical
> location for the project or its code.
>
>
> Reason 4: Stability
> The new project FAQ states they intend to be "less
> restrictive with the codebase when it comes to
> experimenting with features." Maybe in the long run
> some of the new features may be introduced into OBSD,
> but in the near term I expect much instability given
> the broad range of deeply embedded things they intend
> to change.
>
>
> Reason 1 is a big problem for me and my crusty old war
> horses. Reasons 2 & 3 may be unfounded, the secrecy
> here (there are no developer names listed on the project
> web site) is not very confidence building. As to
> reason 4, I am only mildly interested in fast. I want
> correct and stable execution above all else. For this
> reason I expect to continue with OBSD for a long time.
>
> I do have considerable sympathy for clearing GNU out
> of the code base though.
>
> Now going back into lurker mode.
> Regards,
> Ray

The secretive nature is concerning. But I hope that this situation can somehow turn out to be beneficial to both projects in the long term. As long as my favourite and most relied upon OS continues to evolve, I will be happy. And I will certainly continue to buy from and donate to the OpenBSD project where possible.

Shane
Re: OpenBSD on EC2/Amazon
On 26 April 2012 17:56, Otto Moerbeek wrote:
>
> In an ideal world, availability of source code should not matter.
>
> Most interesting exploits are probably guest1 -> hypervisor (and then
> -> guest2).
>
> I refuse to believe that the glued on hardware support for
> virtualization on modern i386/amd64 processors have a real value wrt
> security. This kind of thing can only be done right if it's done from
> the start when designing the processor architecture.

Yes that's what I'm nervous about. Guest->Guest and Guest->Hypervisor(->Guest).

Especially after Tavis Ormandy's paper from a while back...

http://taviso.decsystem.org/virtsec.pdf

And now, we have things like Vasto and vulnerabilities that have enabled the download of VMs to "steal the cloud".

Shane
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
On 8 November 2011 23:25, Mostaf Faridi wrote:
> Thanks
> My problem is this I do not have enough time to start from scratch and make new
> rule

Your philosophy is not compatible with OpenBSD. Grabbing a random incompatible ruleset from the Internet and then trying to fix it is going to take more time than learning how to deal with this from scratch.

So find the time for:

http://www.openbsd.org/faq/pf/nat.html

and especially:

http://www.openbsd.org/faq/pf/nat.html#binat

and this for reference:

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&manpath=OpenBSD+5.0

Or otherwise the answer to your questions is, no.
Re: Would you accept a free guest article or blog post for openbsd-wiki.org?
On 10 June 2011 07:45, Ingo Schwarze wrote:
> Stuart Henderson wrote on Thu, Jun 09, 2011 at 09:21:38PM +:
>
>> Seriously, if whoever "maintains" openbsd-wiki.org is reading,
>> do us all a favour and take it offline unless you have time to look
>> after it...
>
> Even if you have the time to maintain it,
> take it offline all the same.
> Your time is better spent helping nick@ to improve the FAQ
> and helping jmc@ to improve the manuals,
> because there you don't start from scratch
> and users actually find your documentation.
> And it is checked by developers for relevance and accuracy
> and kept up to date.
>
> To re-iterate what i said here:
>
> http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html (page 2)
>
> "Make documentation easily accessible:
> Have it at as few places as possible,
> and as much as possible at one single place.
> In OpenBSD, almost all documentation is manuals,
> and the little that doesn't fit there is all in the FAQ."
>
> Well, there's a bit more, but not much.
> Like /usr/local/share/doc/pkg-readmes/.
>
> We most definitely do *not* want documentation scattered around
> half the web, ending up with most of it utterly outdated and
> unmaintained.

At least phallus pills are available there.
Re: vmmap: bad software everywhere
On 4 June 2011 08:48, Amit Kulkarni wrote:
>>> How come nobody in other OSes noticed ? Well, people probably did, and
>>> tweaked their allocators to "work", by using preferably the low address
>>> space,
>>> and having addresses that increase slowly, so that a lot of pointers are
>>> below
>>> 4GB, and a lot of pointer diffs are under 4GB.
>>
>> Or you could just be engaging in an ad hominem attack without actually
>> looking at their implementations and assuming they're not doing it
>> right because they're not you or your favorite platform. But hey, we
>> don't know anyone who'd do *that* in the OpenBSD community. Right?
>
> This is baiting.
>
> There might have been instances of attacks in the past, I don't know.
> But in this particular case, Marc is absolutely right. OpenBSD is late
> to the bigmem party but when they get there, they try and raise issues
> which benefit everybody. Tortoise / Hare.

Could it be that all the hares are partying just before the finish line which none of them yet bothered to cross and none of them have noticed that the careful tortoise has cautiously made his way past their drunken fluffy arses and is crossing the line to take the win?

: - )
Re: full disk encryption & google chrome on OpenBSD!
On Sunday, 20 March 2011, Kevin Chadwick wrote:
> On Sat, 19 Mar 2011 08:29:13 -0700
> Ben Calvert wrote:
>
>> On Mar 19, 2011, at 7:49 AM, Kevin Chadwick wrote:
>>
>> > On Fri, 18 Mar 2011 16:58:59 +
>> > Kevin Chadwick wrote:
>> >
>> >> I do get a fair increase in cpu usage for a disk at full speed disk with
>> >> vnd but it's acceptable. Have people already done cpu usage and
>> >> transfer speed comparisons to save me further tests.
>> >
>> > Well I was about to run a comparison test on vmware and I'm well
>> > confused unless it's a strange vmware bug or maybe the dynamic size disk
>> > mechanism. I might have to pull out a box.
>>
>> Why do people do this?
>>
>> when you're running more than one OS at a time, there's no way to control
>> what's running on the other system(s) and interfering with the process you're
>> testing. or what vmware subsystem is thrashing around and creating overhead.
>>
>
> Surely that would affect both partitions inconsistently. Of course I see
> the point but if you get a good idea of it quickly especially if there's
> a big difference and have lots to do and bear it in mind and can control
> your host (ignoring vmware) then it should be fine. I'm still confused
> why it isn't but I could probably just use one partition to reinforce
> the results at marco's link. I am definitely far more worried about
> vmware bugs than my host systems doings when testing, though it's
> usually just configs and so doesn't matter unless something crashes.
> One of the relayd socket engines started crashing recently but it's
> stopped now and obviously I'd test that on a real system if it reoccurs.
>
> p.s. Thanks marco

Bear in mind that as great as the benefits to virtualization can be, or appear to be, it introduces some quirky edge cases that make it especially bad for benchmarking.

I've seen benchmarks performed in VMware which return results that are far, far faster than when the benchmark/app/OS is running on the bare metal. And others where the real-world performance is bad, but the benchmark numbers are good, due to timing lies.

If something interesting came out of a benchmark under VMware, I'd be wondering if it was significant or just a virtualization quirk. But worse still, performance issues can also be masked and thus missed.

Unknowns that invalidate benchmarking period for me.

Shane
Re: Specs for a firewall.
Okay, someone asked me for this a while back and I promised them I'd get back to them once I'd updated to 4.8. Still haven't updated, so apologies for that.

This may well be an abomination to the pf Gods, but it works for me.

On 2 March 2011 00:37, Michael Grigoni wrote:
> On 1 Mar 2011 at 21:19, SJP Lists wrote:
>
>> With my link at about 12Mbit/S worth of web traffic and altq keeping
>> my VoIP calls nice and clean, my Soekris 5501 with OpenBSD 4.6 hovers
>> around 85% idle.
>
> Would you please describe what you do for inbound traffic shaping /
> rate limiting; do you route through a loopback interface and do outbound

Like you mention below with the lack of end-to-end QoS, since I don't control the upstream router I also don't do anything for inbound traffic shaping, since by the time a packet is received at my firewall's end of the last mile, it is too late to control the bandwidth that was now already used. It's history by the time my firewall knows about it.

I realise I can shape it on the way out of an internal interface and thereby slow down the follow-up packets in the flow, assuming a well behaved non-malicious remote host, but I don't bother. That is something I'd like to play with if I can ever find the time.

> shaping? VoIP is such a compromise for voice quality when there is
> no national end-to-end QoS on IP traffic -- and to think that Obama's
> FCC is/was seriously proposing VoIP as a mandate? Gads! It never
> ceases to amaze me what people will settle for in voice link quality --
> cell phones' convenience seems to have destroyed expectations of
> uninterrupted and clear voice channels and VoIP may work most of
> the time but just wait until you are in an important conversation with
> a client and suddenly you sound like a Klingon, or the echo sounds
> like the traffic was routed to the moon and back or dropouts and
> resulting predictive reconstruction makes you sound like a Munchkin --
> or worse, the data is lost (all this still happens on cell phones too)
> I find myself warning the other party at the start of every conversation
> that I am on a VoIP link.

Day to day, I forget that I'm a VoIP user until a balance reminder email comes through telling me that I still have 9 months or so of credit to go. Audio quality for me with G.729(a?) is as good as or better than a land line and it is consistent, regardless of how busy my link is.

And my yearly phone bill is half of just my old telco's line rental for the year! Before even considering the call costs that came on top of that. That VoIP cost includes local, mobile and interstate calls (little to no international, although that's cheap too).

> -- what were they thinking
>
> Anyway, whatever altq approaches that have worked for you would
> be great to know...
>
> Michael

The most important thing I found, was to measure your upstream bandwidth to have a starting point to work down from to see at what point altq starts to work. The point here is to avoid saturation. I find that point and then move down a bit more to build in some margin for link performance fluctuation. You are trading a little off your maximum speed to gain a lot of control.

I was performing multiple simultaneous FTP uploads and downloads while testing VoIP calls.

I employ Empty ACK prioritisation as Daniel details at:

http://www.benzedrine.cx/ackpri.html

which seems to give the feel of doubling my link performance as far as interactivity goes.

For the portion of my upstream bandwidth I dedicate to realtime applications such as VoIP and fast paced gaming, I do not allow other queues to borrow from. So I'm giving up even more speed from regular traffic to reserve to the realtime apps. Might seem like overkill, but I'm happy with my general usage download speed of 11-12Mbit/S and would not want to add a little to that to have a crappy phone service.

My queues can be found at:

http://www.flashbsd.net/altq

BTW, having ADSL2+ Annex M with about 2.3Mbit/S upstream helps. And my ISP (Internode) is super reliable too. In more than 3 years I've only noticed 2 or 3 outages and each time they only lasted minutes.

Cheers,

Shane
Re: Specs for a firewall.
On 1 March 2011 14:11, Nick Holland wrote:
> DO NOT jump on the
> Alix/Soekris/Other-wacko-low-power-low-performing-specialty hardware
> train until you know what you are doing. It is good to see that people
> aren't automatically recommending Soekris for everything ("the answer is
> Soekris. What's your question?") so much anymore... unfortunately, now
> it's Alix. Stick to standard computers until you are really comfortable
> with OpenBSD (or ANY OS you are planning on using).

I agree that it is best to avoid the Soekris and ALIX for a newcomer, due to the serial console and PXE boot requirements. But although they are low power and low performance, the current models are more than a match for typical ADSL2+ requirements.

With my link at about 12Mbit/S worth of web traffic and altq keeping my VoIP calls nice and clean, my Soekris 5501 with OpenBSD 4.6 hovers around 85% idle.

Yes, I need to pull my finger out and upgrade.
Re: ALIX/current as an Access Point
On 28 February 2011 10:12, m brandenberg wrote:
> On Sun, 27 Feb 2011, Jan Stary wrote:
>
>> I have been using www.pcengines.ch/alix2c1.htm
>> as my home router for years. It is running current/i386.
>
> Have you been running from Compact Flash? I am interested in
> hearing about your experiences getting maximum life from the
> CF cards. I've started playing with one of these and they're
> looking good. (I knocked mine to the floor twice while
> compiling GENERIC and it didn't even notice.)
>
> --
> Monty Brandenberg

SanDisk Write Leveling White Paper showing use cases closer to real World...

http://www.sandisk.com/Assets/File/OEM/WhitePapersAndBrochures/RS-MMC/WPaperWearLevelv1.0.pdf

Shane
Re: ALIX/current as an Access Point
On 28 February 2011 10:12, m brandenberg wrote:
> On Sun, 27 Feb 2011, Jan Stary wrote:
>
>> I have been using www.pcengines.ch/alix2c1.htm
>> as my home router for years. It is running current/i386.
>
> Have you been running from Compact Flash? I am interested in
> hearing about your experiences getting maximum life from the
> CF cards. I've started playing with one of these and they're
> looking good. (I knocked mine to the floor twice while
> compiling GENERIC and it didn't even notice.)
>
> --
> Monty Brandenberg

I've been running OpenBSD from CF coming on 6 years at my home and client sites, with Suns, PCs and little Soekris and ALIX machines.

http://www.mail-archive.com/misc@openbsd.org/msg11452.html

Not a single failure yet.

The limited writes issue is a non-issue, since write wear leveling algorithms serve to evenly distribute writes over the entire media. With typical endurance of 100,000 erase/writes per flash block, that's 400TB to kill a 4GB card. On a card that can write at 30MB/s, you would have to write to it in its entirety, non-stop for 154 days before you killed it. Without even stopping to read from it.

And some parts support 1,000,000 write cycle endurance, so that ridiculous constant flat-chat worst case scenario becomes over 4 years to part death. If you throw in 50/50 read/write duty cycle then now it's 8 years.

In reality, what small device would have a really busy CF?

Just use them, enjoy and don't worry.

I use softdep and noatime mount options, to reduce writes just because I can, but they're not needed.

Shane
Re: Security List
On 9 February 2011 12:37, woolsherpahat wrote:
>>> On 6 February 2011 05:23, Alessandro Baggi
>>> wrote:
>>> Hi List, I had registered to the security list:
>>> security-annou...@openbsd.org since 9 January 2011, but no email comes to my
>>> account. Some that had security list subscription, can tell me if since
>>> 09/01/2001 at today there are mails?
>>
>> I use a script which scrapes http://www.openbsd.org/errata48.html
>> daily and emails me the changes as they occur.
>>
>>
>> Shane
>
> That sounds pretty cool... any chance you would be willing to share?

Okay, I'm probably not doing this the best way, so as embarrassing as this is, it might hopefully get improved by someone...

#!/bin/sh
#
# OpenBSD_errata48.sh
#
# Check for any changes to the OpenBSD 4.8 Errata list and email
# an alert if so.

# Move the latest successful OpenBSD errata grab so that it becomes
# the previous successful grab.
mv /home/scripts/OpenBSD_errata48_latest.txt \
   /home/scripts/OpenBSD_errata48_previous.txt

# Use lynx to just output to stdout the text of the OpenBSD Errata
# page, without a URL list. Output the status to an error file so
# that sending bogus emails due to server being unavailable does not
# occur.
#
# Then filter out everything but the errata detail lines (the
# "   * ..." list items and their indented continuation lines; the
# pattern below is a reconstruction, the original was mangled in the
# archive) and output to a temporary file that will only be used if
# the web server status is "200 OK".
lynx -dump -nolist -error_file=/home/scripts/OBSD_errata48_err.txt \
   http://www.openbsd.org/errata48.html | egrep "^ *\* |^     " \
   > /home/scripts/OpenBSD_errata48_current.txt

# Check the error status file to make sure the file was successfully
# retrieved. If successful, proceed with comparison between the
# current and previous errata, to determine whether an email should
# be sent.
if egrep " 200 OK" /home/scripts/OBSD_errata48_err.txt
then
   mv /home/scripts/OpenBSD_errata48_current.txt \
      /home/scripts/OpenBSD_errata48_latest.txt

   if ! diff /home/scripts/OpenBSD_errata48_latest.txt \
             /home/scripts/OpenBSD_errata48_previous.txt > /dev/null
   then
      # Lines only in the latest grab ("< ...") are the new entries.
      # Strip the diff marker, join everything, then start a new
      # paragraph at each "* " list item and squeeze runs of spaces.
      diff /home/scripts/OpenBSD_errata48_latest.txt \
           /home/scripts/OpenBSD_errata48_previous.txt \
         | grep "^< " | sed 's/^< //' \
         | tr -d "\n" | perl -pe 's/\* /\n\n/g' \
         | sed 's/  */ /g' \
         | mail -s "OpenBSD 4.8 Errata!" y...@yourdomain.net
   fi
else
   rm /home/scripts/OpenBSD_errata48_current.txt
fi

rm /home/scripts/OBSD_errata48_err.txt
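Since the post above invites improvements, here is an added example (written for this edit, not Shane's script and not OpenBSD project code) of the same errata watcher restructured so the good snapshot is only rotated after a verified fetch and the parsing can be exercised offline. It assumes a STATE_DIR under $HOME, a placeholder MAILTO address, and that lynx records the HTTP status in its -error_file, as the original relies on.

```shell
#!/bin/sh
# Added example: a sturdier take on the errata watcher from the post above.
# Assumptions: STATE_DIR (state location), MAILTO (placeholder recipient),
# and lynx writing the HTTP status line into the -error_file.
set -eu

ERRATA_URL="http://www.openbsd.org/errata48.html"
STATE_DIR="${STATE_DIR:-${HOME:-/tmp}/.openbsd-errata}"
MAILTO="${MAILTO:-you@example.invalid}"

# Read a lynx -dump rendering on stdin and print one errata entry per
# line: each "   * ..." list item joined with its indented continuation
# lines, runs of spaces collapsed. Headings and footer text are dropped,
# so page layout noise never shows up as a "new entry".
errata_entries() {
    awk '
        function flush() {
            if (entry != "") { gsub(/  +/, " ", entry); print entry }
            entry = ""
        }
        /^ *\* /                 { flush(); sub(/^ *\* /, ""); entry = $0; next }
        /^ +[^ ]/ && entry != "" { sub(/^ +/, " "); entry = entry $0; next }
                                 { flush() }
        END                      { flush() }
    '
}

# Print the lines of $2 (latest) that are absent from $1 (previous).
# grep exits 1 when nothing matched; that is a normal "no news" result.
new_entries() {
    grep -v -x -F -f "$1" "$2" || [ $? -eq 1 ]
}

# Fetch the errata page into $2 via lynx, keeping the result only if the
# recorded HTTP status was "200 OK"; otherwise remove $2 and fail.
fetch_entries() {
    errfile=$(mktemp)
    lynx -dump -nolist -error_file="$errfile" "$1" | errata_entries > "$2"
    if grep -q " 200 OK" "$errfile"; then
        rm -f "$errfile"
        return 0
    fi
    rm -f "$errfile" "$2"
    return 1
}

# One polling run: fetch, compare with the last good snapshot, rotate the
# snapshots, and mail any new entries as one paragraph each.
check_errata() {
    mkdir -p "$STATE_DIR"
    latest="$STATE_DIR/latest"
    previous="$STATE_DIR/previous"
    fetched=$(mktemp "$STATE_DIR/fetch.XXXXXX")
    if ! fetch_entries "$ERRATA_URL" "$fetched"; then
        rm -f "$fetched"
        return 1            # previous snapshot stays intact
    fi
    touch "$latest"
    fresh=$(new_entries "$latest" "$fetched")
    mv -f "$latest" "$previous"
    mv -f "$fetched" "$latest"
    if [ -n "$fresh" ]; then
        printf '%s\n' "$fresh" | sed G | mail -s "OpenBSD 4.8 Errata!" "$MAILTO"
    fi
}

# Only poll when invoked with "run" (e.g. from cron), so the file can be
# sourced for its functions without side effects.
if [ "${1:-}" = "run" ]; then
    check_errata
fi
```

A cron line such as "0 6 * * * /path/to/errata-watch.sh run" keeps the daily cadence of the original.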
Re: Security List
On 6 February 2011 05:23, Alessandro Baggi wrote:
> Hi List, I had registered to the security list:
> security-annou...@openbsd.org since 9 January 2011, but no email comes to my
> account. Some that had security list subscription, can tell me if since
> 09/01/2001 at today there are mails?

I use a script which scrapes http://www.openbsd.org/errata48.html daily and emails me the changes as they occur.

Shane
Re: Please help me decide: OpenWrt vs. OpenBSD
On Friday, 21 January 2011, Aaron Glenn wrote:
> On Thu, Jan 20, 2011 at 9:07 PM, Stuart Henderson
> wrote:
>> On 2011-01-19, S Mathias wrote:
>>> I have a RouterBoard 450G [680 Mhz cpu, 256 MB ram, 512 MB flash]. I just
>>> can't decide what to put on it:
>>>
>>> OpenWrt or
>>> OpenBSD
>>
>> RB450G? OpenBSD, please. Send the diffs you use to tech@.
>
> it took a full 8 replies to get to the correct response?
> now I understand why enlightened people find misc@ complete noise with
> negligible signal.

Wasn't everyone else assuming the OP was going to port?
Re: Please help me decide: OpenWrt vs. OpenBSD
On Thursday, 20 January 2011, S Mathias wrote:
> Purpose: Just a "home router".
>
> Question:
>
> What is more secure/reliable in this case?
> OpenWrt or OpenBSD?
> Anyone got any opinions? What should i choose?

I've been using OpenBSD since 2.5, '99. In that time, the only time I've seen it crash was due to hardware failures or spectacular stuff-ups on my part.

When you use OpenBSD for long enough and really come to appreciate it, you won't look back.

Shane
Re: spamd in a cloud setup?
On Wednesday, 29 December 2010, Paul de Weerd wrote:
> On Wed, Dec 29, 2010 at 10:47:11PM +1100, SJP Lists wrote:
> | This raises the PTR problem.
> |
> | Only one of those domains is going to have records that match forward
> | and reverse? If not, some anti-SPAM gateways will drop.
>
> How so ?
>
> a.example.com. IN MX 10 mx.example.com.
> b.example.com. IN MX 10 mx.example.com.
> c.example.com. IN MX 10 mx.example.com.
> d.example.com. IN MX 10 mx.example.com.
> mx.example.com. IN A 192.0.2.1
> mx.example.com. IN 2001:db8::1
> 1.2.0.192.in-addr.arpa. IN PTR mx.example.com.
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR mx.example.com.
>
> Why does your MX have to live in the same zone as what it's MX'ing
> for ?
>
> Paul 'WEiRD' de Weerd
>
> --
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
> http://www.weirdnet.nl/
>

Ah yes, true. Spoke too soon! Apologies!
Re: spamd in a cloud setup?
On 29 December 2010 22:47, SJP Lists wrote:
> On 29 December 2010 22:35, Gregory Edigarov wrote:
>> On Wed, 29 Dec 2010 16:22:33 +0530
>> Girish Venkatachalam wrote:
>>
>>> Dear folks,
>>>
>>> OpenBSD's spamd is a network level spam filter and consequently we
>>> need the MX records to point to spamd
>>> before it hits our mail server thereby achieving bandwidth protection
>>> as well as spam protection.
>>>
>>> This is really fantastic.
>>>
>>> Now the issue is this.
>>>
>>> Since MX records do not understand TCP port numbers, we cannot have
>>> different MX records point to different
>>> SMTP servers on the same IP address.
>>>
>>> The reason this is a problem is that assume that I have to run
>>> spamd(8) against 100 domains. Do I need to have
>>> 100 different IP addresses in my cloud?
>>>
>>> I hope the question makes sense. Sorry for sounding confusing.
>>
>> don't see the problem,
>> setup your mx records for all your zones to something like:
>>         IN MX 10 mail
>> mail    IN A  192.168.0.1
>>
>> then make spamd listen on the address, and you're done.
>>
>> --
>> With best regards,
>>   Gregory Edigarov
>
> This raises the PTR problem.
>
> Only one of those domains is going to have records that match forward
> and reverse? If not, some anti-SPAM gateways will drop.

Sorry, what I meant to say, is "If so, some anti-SPAM gateways will drop connections that don't match forward and reverse".
Re: spamd in a cloud setup?
On 29 December 2010 22:35, Gregory Edigarov wrote:
> On Wed, 29 Dec 2010 16:22:33 +0530
> Girish Venkatachalam wrote:
>
>> Dear folks,
>>
>> OpenBSD's spamd is a network level spam filter and consequently we
>> need the MX records to point to spamd
>> before it hits our mail server thereby achieving bandwidth protection
>> as well as spam protection.
>>
>> This is really fantastic.
>>
>> Now the issue is this.
>>
>> Since MX records do not understand TCP port numbers, we cannot have
>> different MX records point to different
>> SMTP servers on the same IP address.
>>
>> The reason this is a problem is that assume that I have to run
>> spamd(8) against 100 domains. Do I need to have
>> 100 different IP addresses in my cloud?
>>
>> I hope the question makes sense. Sorry for sounding confusing.
>
> don't see the problem,
> setup your mx records for all your zones to something like:
>         IN MX 10 mail
> mail    IN A  192.168.0.1
>
> then make spamd listen on the address, and you're done.
>
> --
> With best regards,
>   Gregory Edigarov

This raises the PTR problem.

Only one of those domains is going to have records that match forward and reverse? If not, some anti-SPAM gateways will drop.

Shane
Re: 4.6 box periodic 100% cpu on vmware
On 28 December 2010 03:33, Matthew Sullenberger wrote:
> I will be updating to the latest version very soon to see if that resolves the
> problem. I wasn't aware of the VMT package that provides some of the tools and
> things, so that is good!
>
> I wouldn't normally utilize a virtual firewall, but this is not an edge
> firewall, and it is sitting in between two internal network segments that
> consist (primarily) of virtual machines on the same VMWare Infrastructure. All
> traffic inbound/outbound from external networks is still going through a
> physical firewall before it hits anything else!

Are there untrusted users on either of those internal networks? Or hosts in that network with services exposed to other untrusted users elsewhere? Is the VMware management interface exposed to any network or host that is exposed to untrusted users?

If so, watch this for just one example to be wary of...

http://www.youtube.com/watch?v=60MDvnturZg

After acknowledging this vulnerability VMware took five months to patch it. I realise the VMware management interface should not be exposed to untrusted users, but given that it usually is (internal staff), this remotely exploitable vulnerability is not exactly low impact. I have to wonder what they consider to be high impact and how quickly they will patch then.

Oh and...

http://www.youtube.com/watch?v=rVXp9etCqMo

All eggs, one flimsy basket.

Shane
Re: Donations
On 10 December 2010 03:42, Mehma Sarja wrote:
> On 12/9/10 4:54 AM, Chandrakant Kumar wrote:
>>
>> On Thursday 09 December 2010 05:39 PM, Hugo Osvaldo Barrera wrote:
>>>
>>> On 05/12/10 23:04, Adam M. Dutko wrote:
> > I hope that one day due process is denied you.
> I am wondering what type of due process should be granted to these individuals. What basis/jurisdiction of law are we talking about? Natural human rights? US law? International Law? I'm just wondering because I think it's critical to the whole discussion. Julian Assange isn't a US citizen so the US Government probably feels justified doing whatever they want even if it is "unethical", yet many think he should be protected by some of the US justice code/process. Is due process universal?
>>>
>>> If I kill a cow, should I be deported to India, and processed there for
>>> that crime? (Note that in most parts of India, it IS a crime).
>>> Oh, I live in Argentina, the largest exporter of cow-meat. Maybe we
>>> should all be deported there.
>>>
>>> --
>>> Hugo Osvaldo Barrera
>>>
>>>
>> We are waiting for you here in India ;)
>>
> That's why Americans call cowburgers hamburgers, for fear of repercussions
> from the holy land. But seriously, re-incarnation takes care of all that.
> Meaning, if you kill a cow in this life, you come back as a cow and someone
> can kill you. It's the Indian version of an eye for an eye.

Sarah Palin's coming back as a dung beetle then.
Re: OT - secondary DNS recommendations
On 9 December 2010 13:26, Daniel Melameth wrote:
> On Wed, Dec 8, 2010 at 9:49 AM, Scott McEachern wrote:
>> Given the (general) support of WikiLeaks here, I was wondering if anyone
>> could recommend a free alternative to replace EveryDNS.net?
>>
>> I know how to use Google to find free alternatives, I'm looking for
>> *recommendations* for a simple two-domain home network.
>
> I don't care much for the propaganda on this list as of late, but,
> regardless, I've been happily using http://freedns.afraid.org for home
> use for several years.

Would this be propaganda too?

http://www.google.com.au/images?hl=en&q=Iraqi+child
Re: Donations
On 7 December 2010 02:42, Joe Barnett wrote: > On 12/5/10 5:11 PM, Jamie Paul Griffin wrote: >> >> if nothing else think about the charges they put on every transaction: you sell something on ebay, they charge you; you process their payment through paypal (ebay) they charge you again. they're clearly ripping us all off - fact! and to top it all off the charges have become extortionate. >> > > Perhaps everything should just be (lowercase) free? No charge ever > for anything. Heck, if that is how it worked, then this entire I think the main point was the double charging. eBay owns PayPal. > selective outrage. Speaking of that outrage, I think it would be > great if he put his money where his mouth is and not accept US > dollars in support of OpenBSD... but I am not holding my breath). From what has been said in the past, most donation money comes from end user pockets and not big business or governments. So the project should snub US citizen donations because their government is corrupt? All peoples under an unethical government should be treated as if their government's secretive actions are all their fault? I'd view many US citizens as victims of that same government and, given their liberties deprived since 9/11, those who might get most benefit from OpenBSD ought to be able to give back. Theo did however protest US aggression, even while $2M of US fund money was feeding the project. Thankfully most of that cruise missile's worth got used before it could be taken back. Shane
Re: Donations
On 5 December 2010 22:20, SJP Lists wrote: > On 5 December 2010 17:05, Theo de Raadt wrote: >>> On Dec 4, 2010, at 7:25 PM, Theo de Raadt wrote: >>> > If you don't know why I am sending this mail.. you are reading US >>> > managed news, and need to be much, much more informed >>> >>> It's in the US news. Even the mainstream news on TV. At least in Silicon >>> Valley. ;-) >> >> No, it isn't in the US news. >> >> The US news is all about the messenger, to distract you from reading >> the message. >> >> If you think it is in the US news, you have a long way to go. >> >> guardian.co.uk/world is the best place to read the *message*. > > I would love to witness the theory that people can bring about change > by voting with their dollars, but nowadays there never seems to be > enough willing to prove that a big enough dent can be made to bring > about positive change. I fear that convenience matters more to a lot > of people than say a political adviser publicly calling for the > assassination of a messenger who is just communicating the wrong > doings of the most powerful against the weakest. > > > Still, I want to continue to hope and where possible at least try to > be the change I want to see in the World, as that saying goes. > > So, > > 1. login to eBay > 2. Click the Profile tab > 3. Click close account > 4. Prove I am me > 5. etc (wait for my last bloody transaction to complete before they > allow me to leave!) > 6. Hopefully get presented with a "Why?" form so I can tell them to > burn in hell for selling out to the World's biggest and most dangerous > terrorist group. > > > My last donation recently to OpenBSD and the biggest since I started > using OpenBSD with 2.5 in 1999/2000, was via PayPal. And I used > PayPal for lots of other things for years. My next donation will be > via other means. > > Cheers, > > > Shane J Pearson > > --- > > When bad men combine, the good must associate; else they will fall one > by one, an unpitied sacrifice in a contemptible struggle. 
Oh and since PayPal are owned by eBay, here's a list of eBay acquisitions, which might need to receive a message of some sort: http://en.wikipedia.org/wiki/List_of_acquisitions_by_eBay
Re: Donations
On 5 December 2010 17:05, Theo de Raadt wrote: >> On Dec 4, 2010, at 7:25 PM, Theo de Raadt wrote: >> > If you don't know why I am sending this mail.. you are reading US >> > managed news, and need to be much, much more informed >> >> It's in the US news. Even the mainstream news on TV. At least in Silicon >> Valley. ;-) > > No, it isn't in the US news. > > The US news is all about the messenger, to distract you from reading > the message. > > If you think it is in the US news, you have a long way to go. > > guardian.co.uk/world is the best place to read the *message*. I would love to witness the theory that people can bring about change by voting with their dollars, but nowadays there never seems to be enough willing to prove that a big enough dent can be made to bring about positive change. I fear that convenience matters more to a lot of people than say a political adviser publicly calling for the assassination of a messenger who is just communicating the wrong doings of the most powerful against the weakest. Still, I want to continue to hope and where possible at least try to be the change I want to see in the World, as that saying goes. So, 1. login to eBay 2. Click the Profile tab 3. Click close account 4. Prove I am me 5. etc (wait for my last bloody transaction to complete before they allow me to leave!) 6. Hopefully get presented with a "Why?" form so I can tell them to burn in hell for selling out to the World's biggest and most dangerous terrorist group. My last donation recently to OpenBSD and the biggest since I started using OpenBSD with 2.5 in 1999/2000, was via PayPal. And I used PayPal for lots of other things for years. My next donation will be via other means. Cheers, Shane J Pearson --- When bad men combine, the good must associate; else they will fall one by one, an unpitied sacrifice in a contemptible struggle.
Re: OT: Disadvantages of using virtual firewalls like OpenBSD
On 24 November 2010 19:34, SJP Lists wrote: > On 24 November 2010 01:12, Brad Tilley wrote: >> carlopmart wrote: >> >>> Advantages are very clear for me: provisioning, administration tasks, >>> etc ... But I will to know disadvantages. What is your opinion from the >>> point of view of security? >> >> I use virtualization for many things (mainly for the productivity >> advantages that you list), but it has always bothered me because >> virtualization is pretending. >> >> In Java, for example, the VM pretends about a lot of things that are not >> true in the physical world. This makes it easy and convenient for >> programmers. The problem is that they come to believe that the pretend >> things are real and then make assumptions (when dealing with physical >> machines) that are incorrect. > > Yes, the virtualization of the programmable interval timer is one > example where pretending makes for some crazy situations. Only a few > nights ago, I patched a Debian ESXi 4.1 VM and when it rebooted it > would not boot, stating that the PIT was not functioning. > > Timekeeping is weird in x86 virtualization. I've seen Windows ESX > VMs with time that not only stops and then suddenly jumps forwards, > but even goes back! > > Seen the madness of a virtualized NTP server? VMware have a > Timekeeping whitepaper that is sugar coated to say the least. > > All anyone need do is watch the advisories for VMware to soon realise > that the choice is a trade off, where the drawbacks (security and > weirdness) are as big as the benefits. > > And again, I say look at the Google research that found all > implementations vulnerable. If security matters less than the cost of > dedicated hardware, then use it. Oh and another thing, a colleague and I noticed, on separate occasions with different VMs and OSes under what probably would have been ESX 3.5 at the time, that a scheduled task would not run if the console was not open or did not have focus! 
I also noticed that while time appeared to completely stand still in a Windows VM under ESX, it could be made to tick again by generating lots of interrupts. Vigorous mouse movement barely made a difference, however performing a file system search got the clock counting faster than realtime. I now wonder if this is due to dropped interrupts or lost ticks as VMware refer to in [1], a document which describes the timekeeping weirdness that needs to be dealt with to get around the fact that the x86 architecture was not designed from the ground up for this type of virtualization. So what other weird complexities do they need to employ to get around other quirks? Sorry, but as far as I am concerned, virtualization presents a new and complex attack surface that no guest OS could control. So if you're using OpenBSD for a security focused role, I'd forget x86 virtualization. Shane [1] http://www.vmware.com/files/pdf/Timekeeping-In-VirtualMachines.pdf
Re: OT: Disadvantages of using virtual firewalls like OpenBSD
On 24 November 2010 07:28, Brad Tilley wrote: > Nick Holland wrote: > >> what's changed? >> Layering? Nope. >> Crappy programming? Nope. >> Better hardware? not really. >> Features-before-security? Nope. > > Good points. The goals of virtualization are, easy management, power > savings, quick provisioning and deployment, redundancy, etc. When you > talk about security and virtualization at the guest level, the > prevailing attitude is, "If it gets hacked, we'll just restore it from a > known good snapshot... problem solved." > > I don't hear much talk at all about the host machine and security (the > real server that hosts all the pretend servers is just assumed to be > OK). There just seems to be a lot of trust in the vendors. I'm waiting for the worm that specifically attacks ESX, or the like and takes out entire infrastructures that have been built on that trust. Shane
Re: OT: Disadvantages of using virtual firewalls like OpenBSD
On 24 November 2010 01:12, Brad Tilley wrote: > carlopmart wrote: > >> Advantages are very clear for me: provisioning, administration tasks, >> etc ... But I will to know disadvantages. What is your opinion from the >> point of view of security? > > I use virtualization for many things (mainly for the productivity > advantages that you list), but it has always bothered me because > virtualization is pretending. > > In Java, for example, the VM pretends about a lot of things that are not > true in the physical world. This makes it easy and convenient for > programmers. The problem is that they come to believe that the pretend > things are real and then make assumptions (when dealing with physical > machines) that are incorrect. Yes, the virtualization of the programmable interval timer is one example where pretending makes for some crazy situations. Only a few nights ago, I patched a Debian ESXi 4.1 VM and when it rebooted it would not boot, stating that the PIT was not functioning. Timekeeping is weird in x86 virtualization. I've seen Windows ESX VMs with time that not only stops and then suddenly jumps forwards, but even goes back! Seen the madness of a virtualized NTP server? VMware have a Timekeeping whitepaper that is sugar coated to say the least. All anyone need do is watch the advisories for VMware to soon realise that the choice is a trade off, where the drawbacks (security and weirdness) are as big as the benefits. And again, I say look at the Google research that found all implementations vulnerable. If security matters less than the cost of dedicated hardware, then use it. Shane
Re: Building a Practical Penetration Test Lab
On 13 November 2010 01:50, Chet Langin wrote: > -Original Message- > >>I have run OpenBSD in production on both VMWare server and ESXi. It was > the only machine >facing the Internet that the auditors had no findings on. >> >>-- >> >>Edward Ahlsen-Girard >>Ft Walton Beach, FL > > > > Which is good, but, then, it appears to me that VMWare and ESXi become > comparatively weak links in the setup. True. Based on the research performed by Tavis Ormandy at Google [1], the weakest virtual machine can become an entry point to then be used to subvert the host server or other adjacent virtual machines. So it seems to me that security in a virtualized environment is limited to the combination of the security of the least secure exposed VM and the security of the host. Exploit a vulnerable VM and then its vulnerable host and you now own all the VMs served by that host, including the OpenBSD ones. If OpenBSD is not in control of ring zero, you lose. Alas, sometimes we have no choice. 1. http://taviso.decsystem.org/virtsec.pdf Shane
Re: Architecture Choice
On 9 November 2010 04:44, Christopher Dukes wrote: > On Fri, 2010-11-05 at 14:30 -0400, Joe McDonagh wrote: >> "If your Sun fails" <-- that's a big IF. It's approaching a possibility >> of 0 in my experience. >> >> If performance isn't an issue and stability is your chief goal, none of >> this hardware is as stable as a Sun. > > Not quite my experience. > In 2001 I worked at a place with a lot of used Sun hardware courtesy of > Fujitsu layoffs (Sparc 20s, Ultra 5s). > Entirely too many fried ethernet ports on the sparc 20s. > And it took too many iterations to find a sparc 20 that wouldn't crash > and burn while building OpenBSD from source. > A fidgety developer kicking an ultra 5 from a | orientation to a _ > orientation would reliably destroy the power supply and harddrives. > On the bright side, I could repair the ultra 5s with power supply and > drives scavenged from eMachines with ALI motherboards with the wonderful > DMA that shoved garbage into memory for every OS we tried on them. > > I thought the Micro Channel based RS/6Ks (Before the horrid SMP ones > designed by Group Bull) were a bit more bullet proof, with the only dead > hardware I'd experience being. > 1) Rats pissing on the system boards, because the customer refused to > keep the covers on their systems in manufacturing. > 2) A ladybird beetle invasion. > The RT PC was pretty reliable too. I had one manufactured in 1987 that > was still trundling along in 2006 when I gave it away. Maybe I got lucky, but all my Sun gear works nicely. 10x U10s/U5s, a Blade 150, 2x Ultra 60s, 1x Ultra 80 and a Sun Fire V250. This includes a U10 with an exploded yellow diode and the Sun Fire V250 having been dropped (presumably in transit), causing the LOM card to rip the plastic off one end of its mating connector on the motherboard. Not knowing that, attempting to power it up caused smoke and a really bad feeling. I had to do some MacGyver'ing to fix that, but it's working fine. Shane
Re: 4.8 arrival!
On 27 October 2010 10:14, Rod Whitworth wrote: > On Tue, 26 Oct 2010 17:36:00 -0500, Neal Hogan wrote: > >>Chicago . . . THANKS! >> > > And all the way through customs to Sydney Australia. > WOW! Me too. And more nice shirts and a 2.5 CD for old times' sake and to get my hands on my favorite stickers! Shane
Re: Nobreak
On 2 October 2010 02:16, Henning Brauer wrote: > * Gregory Edigarov [2010-09-30 16:13]: >> nut is in ports, though I would recommend to build it by hand. > > sigh. cut the crap. the package is fine. and handbuilding is stupid, > pretty much without exceptions. > > -- > Henning Brauer, h...@bsws.de, henn...@openbsd.org > BS Web Services, http://bsws.de > Full-Service ISP - Secure Hosting, Mail and DNS Services > Dedicated Servers, Rootservers, Application Hosting I don't know about nut, but I have come across one package where I'd prefer to build as a port. arpwatch, destination email address is hard coded in. Unless I missed something obvious. Shane
Re: undeadly article
On 18 August 2010 23:57, Jacob Meuser wrote: > On Wed, Aug 18, 2010 at 04:28:57PM +0300, Mihai Popescu B.S. wrote: >> Hello, >> >> My post was not intended as a direct hit for the article. I told my >> opinion to misc@ because undeadly ask for subscription, no more >> anonymous coward post. Am I wrong ? >> >> I target airport behaviour with my comment. I use the airport for 6 >> flights until now, no problem at all with security teams. I was quick >> and polite in answers and the time with them was short. Most of them >> have the "nose" to see what they are dealing with. > > bullshit. sorry, but that is not true. > > I regularly get picked on by "authority", but it's always just been > a pointless hassle. I'll never forget the time a cop stopped me > in my own neighborhood, in the rain, for walking against a signal, > when his car was the only moving vehicle within a half mile. the > best part was when he dropped his papers in a puddle. Flying from Melbourne to Sydney, at the Qantas baggage scanner I was very sternly challenged as to what exactly an item was on my keyring (a rubber Corsair Flash Voyager GT 16GB thumbdrive). Before I could answer, she said "is this an MP3 player!?", as if it was a crime. "No, it's a thumb drive storage device", "oh okay then". Seriously. I'd hate it to have been one of the new Corsair Padlock2 drives, complete with number pads and blinken lights that blinken with key presses without the need for power from a computer. I'm sure it would have been taken for a wireless detonation device. Then when I carry on lots of explosives (spare Li-ion laptop batteries, on account that we can't courier them any more with laptops between offices!), nobody blinks an eye! Even though I now know that I had too many of them. Shane
Re: dmesg of Dell Optiplex 780 + problem with xlock(1)
On 12 August 2010 21:15, Tomas Bodzar wrote: > Hi all, > > below is dmesg of OpenBSD running on corporate desktop. Everything is > running fine including web camera or USB headphones. There is just one > small issue. I can't use xlock(1) for locking of screen. After I use > xlock(1) it's not able to wake up anymore. I will investigate later. > > OpenBSD 5.8 (GENERIC.MP) #356: Mon Aug 9 00:28:02 MDT 2010 Wow OpenBSD 5.8. Man that REALLY must have been one hell of a bender I had "last" Friday night.
Re: OpenBSD Training
On 29 July 2010 01:39, Robert wrote: > On Wed, 28 Jul 2010 15:59:33 +0100 > Michal wrote: >> Apart from ESXi is free but the management isn't...you need vSphere to >> manage the thing. This seems like a very expensive way to learn an > > Just a note: > You don't need vSphere for this setup; only if you have to manage a > couple of vmware servers (= real hardware) you would need it. > In the free version you have to manage each vmware host (not virtual > machine) manually through a web interface, which unfortunately only > runs under Windows... > So, yes, you can run this without any vmWare licence cost. You can still use the vSphere Client and point it to the ESXi server, instead of a vSphere server. In fact, from the free ESXi web interface you can download the vSphere client to use in that fashion. Shane
Re: OT (kinda): someone else killed a ssd while running openbsd on it?
On 23 July 2010 06:28, roberth wrote: > Lo, > > anyone ever killed a SSD while running OpenBSD on top of it? Been running OpenBSD systems from compact flash for more than 6 years. Sandisk and Lexar. I have not managed to kill one yet. Just using softdeps and noatime as a precaution, although I'm told they're not necessary. Shane
Re: [Fvwm][Bug?] Keyboard layout changes when fvwm restart
On 19 July 2010 18:07, Bruce Khereid wrote: > QWERTY layout. But after I restarted the fvwm (by typing restart in > FvwmTalk), things changed, it began to interpret the configurations in > Dvorak layout, that is, Ctrl-F and Ctrl-D in Dvorak layout, which are Ctrl-Y > and Ctrl-H in QWERTY, started to turn the page. > > Is that a bug of Fvwm? Is anybody encountered this problem before? Oh that's just Theo... HE'S IN UR ROUTR REMAPPIN UR KEEZ
Re: traffic management
2010/6/3 irix : > Hello Misc, > > Ideally this control altq the similarity in the tc tool in Linux. > > -- > Best regards, > irix mailto:i...@ukr.net Nobody here is stopping you from using Linux.
Re: traffic management
2010/6/2 irix : > Hello Misc, > > But at least you can say why? > >>no kidding. As we've told "irix" before, it will not happen. > > -- > Best regards, > irix mailto:i...@ukr.net Because it makes my VoIP phones at home and a friend's workplace go from hit-and-miss to... "ohh yeah, that's right, we're using VoIP now! I forgot!", every time I receive a bill from my PSTN Telco with $0 for phone calls (for the past years). i.e., pf/altq works so well for me that VoIP becomes so well behaved that I forget I'm even using it, even when uploads and downloads are going like the clappers. Once I go ADSL2+ Naked, then I hopefully won't be getting bills from that crusty money grubbing old Telco ever again, so I might almost completely forget how much pf/altq rocks (until "obvious troll is obvious" comes back of course). So, like others have said, it seems pretty far from broken to me. Maybe you have mis-configured it. Shane
Re: Help contacting Richard Stallman
> On 26 May 2010 23:13, Brad Tilley wrote: > Julian Acosta wrote: > >> Really we need to contact with Richard Stallman, just for give us his >> opinion and answer us some questions about free software, >> How can I contact him? >> What's his real email? > > Just talk a lot about open source and the Linux operating system. He'll > show up. Yes, one of his minions will stumble across this thread while they are performing Google searches for him and deliver these most important advocacy results to him with freshly hand peeled and pitted grapes.
Re: cd arrived in Italy, and in Sweden too
On 11 May 2010 00:37, Benny Löfgren wrote: > matteo filippetto wrote: >> >> Hi all, >> >> today cd arrived in Italy > > ...and mine came today as well, together with two mugs and two t-shirts that > my girlfriend immediately banned from use in public amongst non-nerds. :-) > > Thanks, folks. No stranger ever went out of their way to say something about any of my generic printed t-shirts or even any of my old Linux t-shirts (back when I was still finding myself :). But OpenBSD t-shirts? Strangers go out of their way to comment on my OpenBSD t-shirts over the years. I remember once a baker leaned over the counter after I'd bought a pie, raised his finger to his lips and went sshh. I thought, WTF? Then he points to my OpenSSH t-shirt! Ahhh. But even better, even a hot young Asian chick commented about my "cool" Puffy t-shirt. Let me set the scene here, hot young Asian chicks don't go out of their way to talk to me. THANK YOU OpenBSD!!! I reckon your girlfriend knows this and that's why she does not want you wearing them. Shane
Re: Is this a case of paranoia?
On 25 April 2010 00:14, Danny wrote: > My apologies then. It is just a screenshot of our IT guys classifying OpenBSD > as > a Hacking website. > >> Attachments are not passed along on misc@ Okay, if it makes them feel better, maybe you'd like to inform them that Cisco [1], Sun [2] and even Microsoft [3] (among others [4]) trust the people behind the OpenBSD project. 1. http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml 2. http://hub.opensolaris.org/bin/view/Community+Group+security/SSH 3. http://technet.microsoft.com/en-us/library/bb463209.aspx 4. http://www.openssh.org/users.html http://www.openbsd.org/users.html Shane
Re: Is this a case of paranoia?
Crap, sorry all! On 24 April 2010 22:12, SJP Lists wrote: > Hey Danny, > > This list strips attachments, but I would like to see that screenshot. > > Can you send it to me? > > Cheers, > > > Shane
Re: Is this a case of paranoia?
Hey Danny, This list strips attachments, but I would like to see that screenshot. Can you send it to me? Cheers, Shane On 24 April 2010 23:20, Danny wrote: > Hi guys, > > Here is a screenshot of what the IT guys at my work thinks of OpenBSD. Before > I > took this screenshot I could access www.openbsd.org for about an hour. After > that I started getting the message you see on the included pic. > > Is this a bad case of paranoia? :-) > > Thank You > > Danny > > [demime 1.01d removed an attachment of type image/x-ms-bmp]
Re: OpenBSD culture?
On 14 April 2010 19:11, Zachary Uram wrote: > As a long time Linux user I will soon try out OpenBSD, I have been > reading the list emails and contacted 1 OpenBSD top person who was > very rude. There is some of the "RTFM" or "get lost" attitude in > Linux, but if a questioner seems sincere there is usually a certain > level of friendliness in Linux community towards them. Just what I > have briefly observed the OpenBSD community is more abrupt and less > interested in helping newbies, they prefer one find the answer solely > on their own if possible. I must say I detect a certain attitude that > smacks of superiority and even condescension at times. Is this a fair > assessment of the OpenBSD culture? > > Zach The developers don't make OpenBSD for you, but they are good enough to give away the fruits of those efforts for free. You think people work hard on the code and documentation and then should not be annoyed when someone does not have the decency to do the minimum amount of work required to help themselves? Especially given the fine documentation? Why shouldn't you be expected to put in some effort to get something out of OpenBSD? If you're not willing to RTFM, then it probably would be best to get lost. Shane
Re: Still going strong
On 25 March 2010 02:33, m brandenberg wrote: > On Wed, 24 Mar 2010, Theo de Raadt wrote: > >> These things make me smile. >> >> OpenBSD 4.7 (GENERIC) #300: Fri Mar 19 08:58:21 MDT 2010 >> dera...@vax.openbsd.org:/usr/src/sys/arch/vax/compile/GENERIC >> VAXstation 4000/90 [13000202 04010002] > > They were built slow but they were built well. > (Almost makes me want to dig mine out) Yeah? Have you seen that an Alpha can clean up a liquid spill? VAXes can do dry and wet!
Re: $100 to configure ALTQ on a 4.6 router
On 23 February 2010 12:59, Ted Walther wrote: > I have a simple setup; a soekris box running 4.6 doing NAT for my local > network. > > I'd like a configuration to give skype traffic top priority, then my DNS > server, then ssh sessions, then http and SSL, then everything else, and > bittorrent. I have so little upload bandwidth I don't want to waste > any; only 80k up on a good day, and the web server is hosting stuff > almost constantly. > > If this is up your alley, and you know this stuff inside out, please > contact me and I'll fill in a couple more details of my internal network > and provide the current NAT configuration in use (which has some stuff > in it to work with the special DNS setup) You'll have to ask yourself, do you want a secure network, or do you want to use Skype? Also, Skype can be awkward to prioritize against HTTP and HTTPS, since it very often uses ports 80 and 443. http://www.m86security.com/kb/article.aspx?id=12084 I suppose you could configure a local proxy to only be used by Skype and then prioritize port 443 from that proxy to the Internet. But, really, yuck.
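The queue layout the request above asks for, written out as an added example that is not from the thread or from any poster: an altq priq fragment for a pf.conf of the OpenBSD 4.6 era (altq has since been replaced by pf's newer queueing, so this is period syntax). Interface names, the 72Kb figure taken from the stated 80k uplink, the proxy and web server addresses and the BitTorrent port range are all assumptions. It shows why matching Skype on port 443 directly would be wrong, since that would promote every HTTPS session from the LAN, and how the proxy-host idea from the reply can be expressed instead; the NAT and rdr rules themselves are left out.

```pf
# Added example, not from the thread. OpenBSD 4.6-era pf.conf fragment
# using altq. Assumed: interface names, host addresses, port ranges.
ext_if = "sis0"
int_if = "sis1"
skype_proxy = "192.168.1.10"   # assumed: the only host Skype is allowed to talk through
web_srv     = "192.168.1.20"   # assumed: internal web server reached via rdr (rdr rule not shown)

# Strict-priority scheduler on the uplink. The stated uplink is about
# 80k, so set the queue a little below it; pf, not the modem, must be
# the place where packets wait, or priorities mean nothing.
altq on $ext_if priq bandwidth 72Kb queue { q_skype, q_dns, q_ssh, q_web, q_std, q_bulk }
queue q_skype priority 7
queue q_dns   priority 6
queue q_ssh   priority 5
queue q_web   priority 4
queue q_std   priority 3 priq(default)
queue q_bulk  priority 1

# Last matching rule wins, so the catch-all comes first: anything from
# the LAN not matched below lands in the default queue q_std.
pass in on $int_if from $int_if:network to any

# WRONG: this would put all HTTPS from the LAN in the top queue, because
# Skype hides on 443 next to every other TLS session.
# pass in on $int_if proto tcp from $int_if:network to any port 443 queue q_skype

# Instead the proxy host is the discriminator: only its port 443 traffic
# is Skype. A rule on $int_if sees the pre-NAT source address, and the
# queue is recorded in the state it creates, so the assignment is
# honoured when the packets later leave $ext_if.
pass in on $int_if proto tcp from $skype_proxy to any port 443 queue q_skype

# The local DNS server's own lookups going out.
pass out on $ext_if proto { tcp, udp } to any port 53 queue q_dns

# Interactive ssh from the LAN.
pass in on $int_if proto tcp from $int_if:network to any port 22 queue q_ssh

# The hosted web server: this pass in rule creates the state, so the
# replies it sends back out $ext_if go in q_web.
pass in on $ext_if proto tcp to $web_srv port { 80, 443 } queue q_web

# BitTorrent to the bottom (assumed port range; adjust to the client).
pass in on $int_if proto tcp from $int_if:network to any port 6881:6999 queue q_bulk
```

Watch the assignment with `pfctl -vsq` while traffic flows; if everything piles into q_std the rule that created the state did not carry a queue. Two caveats a practitioner would add: with floating states (the default) a later pass out rule on $ext_if is never consulted for packets of an existing state, which is why the queue has to sit on the state-creating rule; and Skype prefers UDP for media and only falls back to TCP 80/443, so a TCP proxy only catches the fallback path, which is part of why the reply calls the idea yuck.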
Re: Jacek Books
On 16 February 2010 19:34, Otto Moerbeek wrote: > On Tue, Feb 16, 2010 at 07:06:32PM +1100, SJP Lists wrote: > >> On 16 February 2010 06:33, wrote: >> >> > If you want i can send you my Paypal receipts to prove it. I never received >> > the books. >> > It is a swindle ! nothing else ... >> >> I have been waiting too. But I have heard people speak of Jacek being >> ill a few times over the years, to the point that his publications get >> delayed. Leading me to think that he has something more serious than >> a cold. >> >> I'm concerned about his health first and foremost. I'm looking >> forward to the book but I don't want it hurried if the cost is his >> health. > > I agree that it is not good to pay and not receive anything. So you > dispute the deal via the proper channels to get your stuff or your > money back. > > Breaking copyright law to get your goods is not the right way. I agree. But for the record, I personally never suggested or supported the idea that copyright infringement is a solution to this problem. In fact, I have worked in landmark copyright cases for one of the World's most successful IP lawyers (and continue to do so). Including tendering evidence to court as a witness and being cross examined. So for many reasons, I wouldn't dare. Shane
Re: Jacek Books
On 16 February 2010 06:33, wrote: > If you want i can send you my Paypal receipts to prove it. I never received > the books. > It is a swindle ! nothing else ... I have been waiting too. But I have heard people speak of Jacek being ill a few times over the years, to the point that his publications get delayed. Leading me to think that he has something more serious than a cold. I'm concerned about his health first and foremost. I'm looking forward to the book but I don't want it hurried if the cost is his health. Shane
Re: ouch
On 5 February 2010 05:01, J.C. Roberts wrote: > I just finished installing the most recent snapshot, rebooted and > ran sysmerge. I powered down the system, booted it up again, logged > into my account, and was greeted by: > >panic: kernel trap (ignored) > > The timing was absolutely perfect, and for half a moment I wondered, so > I wish to thank the hilarious nameless bastard with the foresight to > add the above text to the default input file of fortune(6). > > -jcr Is this because OpenBSD users feel left out of the fun of kernel dumps? Feel the need to reminisce about the good old days of lesser systems?
Re: Is OpenBSD + PF accredited or certified in any way ?
On 2 February 2010 10:06, Keith wrote: > I've used OpenBSD & PF for a number of years without issue and am now in the > position that I want to create a dmz between the Internet and my > organisation's WAN. Our security people are asking if the firewall that we > use is accredited by ITSEC and I am pretty sure it isn't but it turns out > that our security people will be happy if the firewall is accredited for use > by another government ! For the interest factor (and since I can't find the email it's just hearsay), I sent an email to the OpenBSD sparc mailing list in December 2005 and to my surprise, received an out-of-office on-holidays bounce back from someone in the Pentagon Army Operations Center! However, governments the World over, staffed with people who hate their jobs, have difficulty getting public transport working. So how they're supposed to accredit something as complex as an OS is beyond me! That sort of crap is for arse covering anyway. For washing one's hands of the problem and being able to claim to have performed due diligence, even if they know it's a bullshit exercise.
Re: obsd as domU?
2010/1/13 Ciprian Dorin, Craciun : >> 3.) Many of the benefits you gain by running a stable and secure >> operating system like OpenBSD are lost when you run it as a "guest" on >> top of some other insecure "host" operating system. > >This is only true if either: >* there is a security bug in the virtualization software (highly > improbable, and maybe easibly fixed); http://taviso.decsystem.org/virtsec.pdf "No virtual machine tested was robust enough to withstand the testing procedure used, and multiple exploitable flaws were presented that could allow an attacker restricted to a virtualised environment to reliably escape onto the host system." http://www.vmware.com/security/advisories/VMSA-2009-0006.html "A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host." http://www.vmware.com/security/advisories/VMSA-2008-0019.html "A memory corruption condition may occur in the virtual machine hardware. A malicious request sent from the guest operating system to the virtual hardware may cause the virtual hardware to write to uncontrolled physical memory." Shane
Re: VLANs, OpenBSD, Cisco HP
2010/1/14 James Peltier : > on the HP ProCurve I have added the VLANs to the switch and ports and it > works but not the way I would expect. > > Port B4 has VLAN 301 tagged and A1 is the port on which the OpenBSD box is > connected which is also tagged VLAN 301. It's been a while since I did this with a ProCurve and OpenBSD, but have you tried setting A1 as a trunk?
Re: Lanner FW-8760 1U firewall platform.
2010/1/12 Diana Eichert : > On Tue, 12 Jan 2010, SJP Lists wrote: > > SNIP >> >> Looks like it might have a serial console too... > > just a headsup > > probably redirection of video to serial, better than a sharp > stick in the eye, but not a ROM monitor. Bummer. Hope not. I've been spoiled by Soekris and ALIX machines. Shane
Lanner FW-8760 1U firewall platform.
Howdy folks, I thought some on the list might find this embedded bare bones 1U firewall product interesting. They claim it supports OpenBSD, has 8x Intel 82574L GbE (expandable to 16), a CF socket, 2x SATA and support for Intel Core i3, i5, and i7 processors up to 3.33GHz. Looks like it might have a serial console too... http://www.lannerinc.com/expansion/FW-8760 Cheers, Shane
Re: help to keep disk spinning
2009/12/25 Paul M : > Here we're talking about 2 separate cases, electrical and mechanical. > > In electrical componentry, it's power up/power down that compromises the > reliability of a part (circuit). This is primarily due to heat - it's the > temperature cycling in the circuit components that's the bad guy. Highest current is drawn at spin up and therefore highest load on the motor and supporting components. In addition, spin up and down causes head load and unload cycles in modern drives, for which vendors quote a given number before failure. Checking a random Seagate drive, I see 300,000 cycles quoted and 34 Watts to spin up versus 5 Watts to idle. For argument's sake, if Frantisek's drive had similar load/unload limits and sleeps for 10 s and works for 10 s constantly, with that quoted value it could be expected to last less than 70 days. 26 times less than the warranty of this Seagate drive.
Re: Looking for "Secure Architectures with OpenBSD" pdf.
2009/12/11 jackwssp q : > 2 Tomas Bodzar: > Why you so ugly? I don't looking for pf manual. As you can see above, i'm > not alone. When i got it, will share it for all on misc@, and you may > furiously try to stop me. Funny. When you need help beyond the books and come here for it, I imagine few who remember you would *want* to help you with that attitude. You wanna talk about ugly? You're crapping on the community and asking them to help you do it, while trying to suggest they'll benefit from it. The book is good and cheap and the free docco is more up to date.
Re: Looking for "Secure Architectures with OpenBSD" pdf.
2009/12/10 Tomas Bodzar : > This book is not for free download. > > On Wed, Dec 9, 2009 at 9:36 PM, jackwssp q wrote: >> Sounds like piping. >> >> You should share it for us or shut the mouth. You can have this for free, along with the software!... http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf What a bargain.
Re: Open Source hardware (Re: can't get vesa @ 1280x800 or nv)
2009/12/6 rhubbell : > Another sensitive type. Guess there are always a few on every list. Your manner is counterproductive, including for yourself. So why do you persist? Unless of course you're more interested in causing mischief than getting anything out of OpenBSD. Please, either adjust your attitude or leave.
Re: How to determine what ports are being used?
2009/11/28 Christoph Leser : > 1723 is PPTP. This uses GRE ( generic routing encapsulation ). > > You must allow this protocol. > > And, as far as I know, openBSD cannot NAT this protocol ( it is possible to > nat GRE for pptp if you peek into the next higher level protocol ( ppp in this > case ? ) but this is not implemented ) pf can NAT GRE, but I believe only one session per endpoint. http://monkey.org/openbsd/archive/misc/0403/msg01041.html
Re: OT: Have you hugged your local OpenBSD dev lately?
2009/11/20 rhubbell : > Definitely not missing the point. Maybe you missed mine. Not "worrying" > because you trust everything about OpenBSD and everyone that's worked on > it and every package you've installed and every piece of hardware you've > installed, etc., etc. It's naive to point elsewhere and say "see, they're > not secure". For example should I trust you and the other "tooters" just > because you insist OpenBSD's secure? It's not about absolute trust, or faith, it's about playing the odds. You can choose an OS built with security as the primary focus at one extreme, or one that's insecure by default at the other. No OS will be absolutely secure, but at least one tries to be.
Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability
2009/11/5 Justin Smith : > "By default, Ubuntu 8.04 and later with a non-zero > /proc/sys/vm/mmap_min_addr setting were not vulnerable." > > Ubuntu 8.04 was released in April 2008. They've moved on from this then... http://ubuntuforums.org/showthread.php?t=143334
Re: Installing OpenBSD on SSD drives
2009/11/5 Jean-François SIMON : > Hello, > Is there any particular problem with installing OpenBSD on a SSD HD ? I've been using flash based SSDs in OpenBSD systems for 6 or 7 years, starting with small CF in firewalls and now SATA SSDs in desktops and laptops. Never had a problem installing to them and never had one go bad. I just use noatime, softdep and no swap (but I guess looking at the opinions of devs here, no swap is now just a bad habit). Shane
Re: Porting HammerFS
2009/7/22 Henning Brauer : > * Christiano Farina Haesbaert [2009-07-21 21:02]: >> openbsd usually runs on small underpowered servers/routers > > rright. > > it's also slow, ya know. > > and beer is dry. This multiple choice exam is easy... http://theinspirationroom.com/daily/print/2007/2/carlton-dry-fishbowl.jpg ; - )
Re: pf, altq, packet rate
2009/5/28 Johan Beisser : >> I was trying to highlight to irix that once traffic is received, it is >> too late to alter the bandwidth it already used coming in. >> >> In other words, doing it on the incoming is pointless. Thus, as in >> your examples, the logic behind shaping only on the outbound. > > You can always inform the other end that your window is smaller than > it is (pf.conf(5) red/rio/ecn on the queue). > > Or, simply randomly drop some incoming packets for that protocol to > force retransmission (see pf.conf(5) "probability" flag for a given > line) which should cause the remote end to renegotiate its link to you as > unreliable, and retransmit. A probability of 5% would prevent inbound > connections from fully saturating. I know this is an option, but forcing the resending of traffic doesn't seem to be the most efficient method to me, when I could instead just shape that same traffic when it leaves another interface.
Re: pf, altq, packet rate
2009/5/28 Johan Beisser : > On Wed, May 27, 2009 at 11:04 AM, SJP Lists wrote: >> How do you shape traffic that you have already received? Or to put it >> another way, how do you alter the past? > > I've always just assigned inbound traffic to the existing outbound > queues. My assumption is that the responding traffic would use the > queues appropriately, and the results (watched via pftop) seem to bear > this out. Thanks Lars and Johan, I was trying to highlight to irix that once traffic is received, it is too late to alter the bandwidth it already used coming in. In other words, doing it on the incoming is pointless. Thus, as in your examples, the logic behind shaping only on the outbound. i.e. you can easily delay sending something you have, but you have little to no control over the ingress traffic of a link when the local host is the only thing you control. Shane
Re: pf, altq, packet rate
2009/5/28 irix : > Okey, i see. But I can not understand why you are sure that traffic > can only outlet Shape , You can say that's silly to try to Shape traffic that came, > but if it works it's worse than outgoing (if only for tcp) it is not > stupid ? How do you shape traffic that you have already received? Or to put it another way, how do you alter the past?
Re: OpenBSD ESXi VMware image on Soekris Net5501
Hi, 2009/5/21 Obiozor Okeke : > Hi Diana (and Stuart) thanks for all your advice. > > The problem or nut we're > trying to crack is that we're trying to deploy OpenBSD to remote clients and > we wanted an inexpensive but very high reliability system with the flexibility > to change configurations (switch in/out different VMs) and add/modify services > remotely on-the-fly. For example we could upgrade a client from 4.4 to 4.5 > along with all the custom apps and client data packaged in a VM. We would > grab the old 4.4 VM bring it back to our lab, then upgrade and re-configure it > the way we wanted to and drop it back on the ESXi. Then just change the > network configs and switch the old for the new all remotely without ever > visiting the client > > Thanks again all. Even if this were feasible (given the hardware limitations of the 5501), you would still have to maintain ESX in a manner which requires console access. Wrapping OpenBSD up in ESX defeats the typical purpose of using OpenBSD. ESX and other x86 virtualization software introduces a whole new vulnerable layer of software which requires patching and rebooting. Take it from the horse's mouth... "A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1244 to this issue." http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009853 "A memory corruption condition might occur in the virtual machine hardware. A malicious request sent from the guest operating system to the virtual hardware might cause the virtual hardware to write to uncontrolled physical memory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4917 to this issue."
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007507 "VMware addresses an in-guest privilege escalation on 64-bit guest operating systems. VMware products emulate hardware functions including CPU, memory, and I/O. A flaw in VMware's CPU hardware emulation could allow the virtual CPU to jump to an incorrect memory address. Exploitation of this issue on the guest operating system does not lead to a compromise of the host system, but could lead to a privilege escalation on guest operating systems. An attacker would need to have a user account on the guest operating system. Affected guest operating systems include 64-bit Windows, 64-bit FreeBSD, and possibly other 64-bit operating systems." http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007090 This is just a small sample. All this will get you extra complexity and the doubt that a problem with the guest software is really with it or the host. Shane
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
2009/5/5 Mischa Diehm : > On Mon, May 04, 2009 at 01:38:16PM -0600, Bob Beck wrote: >> Look dude, that ftp site made something available before any of the >> second level mirrors were even opened up to other sites to retrieve >> it. Deliberate action was taken to release something early without >> mirroring it from a credible source. Judging by the contents, not all >> of it was exactly 4.5. This is cause for concern to anyone using the >> mirror. > > How many unofficial ftp servers are there on this dangerous > internet which are or might or could be having wrong packages? This is > what ftp.html is all about right? Why is there a list of official > mirrors anyway? This was a special case though, since kd85.com was previously listed as hosting a second level mirror. Surely it deserves special mention, since so many people would have developed a lot of trust in that mirror.
Re: 4.5 delivery - How do they do it?
2009/4/21 Theo de Raadt : > precognition means that we can identify an upcoming > period when such packets will come in -- packets which would > defragment and subsequently arrange themselves into an attack above > the socket layer. since we can precognitively pre-identify the risk, > we can drop them right on the ethernet card and avoid even having them > dma into memory! > > Well, we have only parts of this working in the tree. A few pieces > are still missing, but Austin is trying a prototype of the algorithms > and heuristics in his shipping operation. Do I feel a theo.c commit coming on?
Re: Low power OpenBSD machine
2009/4/17 Nenhum_de_Nos : > that I was known, I just want to be sure it won't die out of a sudden. > thanks anyway. I've been using CF cards in OpenBSD firewalls for about 4 or 5 years. I have yet to see a failure with SanDisk and Lexar CF cards. As a precaution, I only use softdeps and noatime to address write limits. Shane
Re: donation
2009/4/10 Michiel van Baak : > I'm very happy how stuff went with kd85 and I got info about what > happened with my money and it's exactly as it was advertised on both the > official openbsd website as on wim's website. Ingo rightfully requested an account of what happened to money he donated more than a year ago and stated that he reserved the right to a refund of that money with interest, had the transaction not been completed. The best case scenario to vindicate Wim, was for Ingo to receive that proof. But he then receives the refund plus interest from kd85! In my mind, that heavily suggests that Wim either sat on the money all that time, or otherwise did not make or retain good bookkeeping and therefore without being able to provide proof, had no other recourse but to refund the money to Ingo. Does this not ring alarm bells for you? Or is there a more innocent scenario? > Why send theo a CC if you have trouble with kd85 ? Because Theo is one of the two most important entities in such a transaction? The other being the donor? Theo should be allowed to have visibility of the actions of a middle man who is responsible for such an important part of the project. Especially a middle man who has almost admitted to sitting on money for at least one donation, for more than a year. I understand this logic, but it is up to Theo to protest if it is not wanted. Not you. > If you have trouble with kd85 it's an issue between them and you, and > no one cares cept you and kd85. In this matter, I care and I am just a happy OpenBSD user who has never needed to use kd85. It seems that Theo cares too.
Re: Games
2009/4/9 STeve Andre' : > Nah, its Systemagic. ;-) Yeah, my favourite too.
Re: Stupid Ideas - softraid and ExpEther
2009/4/7 J.C. Roberts : > The design involves a technology called "Express Ether" though it is > typically written as "ExpEther," and it is basically a way to run a > PCIe bus over ethernet. Though this might be the first you've heard of > it, ExpEther has been in development at NEC for the last five years, > and yes, I'm currently working on getting the documentation released for > the existing silicon. DMA to host memory via Ethernet? O_o
Re: European orders
2009/4/2 Daniel Seuffert : >> Why are you on this list? > > Because Mr. de Raadt accuses Mr. Vandeputte in public for having done some > bad things without any evidence yet. Did you not think that this is an event in progress? It appears that neither side has finalized this matter. So involvement from outsiders can only interfere. If Theo felt he needed to stop shipments to Wim, then he had an obvious question to address. Which he has done. They should be allowed to sort this out privately.
Re: European orders
2009/4/1 Daniel Seuffert : > Mr. de Raadt, > > I don't care what you do for a living. If it's not enough get a job and > work like anybody else. > > Daniel Seuffert Theo works hard and from the goodness of his heart we all benefit from it. But you have a problem with him expecting to receive payment for delivered products? Something which assists him to continue the development and running of the project we love?
Re: hier command not found: ksh: hier: not found
2009/3/24 patrick keshishian : > On Mon, Mar 23, 2009 at 11:40 PM, Theo de Raadt > wrote: >> Yeah, it happens to me too: >> >> # strcpy >> ksh: strcpy: not found >> >> Very strange... > > > why the fuck are you guys logged in as root? use sudo(8); see afterboot(8) Theo is allowed to be logged in as root, at all times. I don't think he will accidentally dial his hard drive with AT commands. Shane
Re: hier command not found: ksh: hier: not found
2009/3/24 my mail : > How to use hier? The hier manual page nicely describes the filesystem hierarchy. Not all manual pages describe a tool.
Re: openbsd in virtualization
2009/3/20 Markus Hennecke : > Guido Tschakert wrote: >> >> the question is: do you use the vmware-tools from server 2.0 and if you do >> so, how did you manage it? > > No, we are running server 1.0.8 for our OpenBSD vmware installations. We > have some laptops with our Windows client software that needs fast access to > a database on an OpenBSD server. All setup for evaluation of the whole > packet. So we need the ability to gracefully shutdown the vm if the laptop > is powered down. The vm must start when the laptop is started. It is a setup > for users with low skills on computers (medical personnel mostly), so the > ability to start and shut down a vm is not something I can expect. > > OpenBSD 4.4 or newer will run happily with the vmware server 2.0, but no > automatic shutdown is a real show stopper. VMware Workstation 6 and VMware Server 2 provide command line options for controlling specific VMs with the vmrun command. http://www.vmware.com/products/beta/ws/vmrunCommand.pdf You could script VM suspends for when the host is being shutdown and VM unsuspends when the host starts up. I use vmrun to shut VMs down to prepare them to be rsync'ed with remote copies. Shane
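One way to script the vmrun suspend-at-shutdown / resume-at-boot idea from the reply above, as an added example that is not code from the original thread. It assumes the Workstation product type (-T ws) and a state file path under /var/run; both are assumptions to adjust for the host.

```shell
#!/bin/sh
# Added example (not from the original post): suspend every running VMware
# VM before the host shuts down, and resume them when the host boots.
# Suspending keeps the guest's memory image, so an OpenBSD guest with no
# in-guest shutdown hook comes back consistent rather than being powered off.

VMRUN="${VMRUN:-vmrun}"
PRODUCT="${VMRUN_PRODUCT:-ws}"     # assumption: ws = Workstation; use "server" for Server 2
STATE_FILE="${STATE_FILE:-/var/run/vms-suspended.list}"   # assumed path

# Print the .vmx paths of the VMs vmrun reports as running, one per line.
running_vms() {
    # "vmrun list" prints a "Total running VMs: N" header first; drop it.
    "$VMRUN" -T "$PRODUCT" list | sed '1d'
}

# Suspend all running VMs and record them so resume_all knows what to bring back.
suspend_all() {
    : > "$STATE_FILE"
    running_vms | while IFS= read -r vmx; do
        [ -n "$vmx" ] || continue
        if "$VMRUN" -T "$PRODUCT" suspend "$vmx"; then
            printf '%s\n' "$vmx" >> "$STATE_FILE"
        else
            echo "suspend failed: $vmx" >&2
        fi
    done
}

# Resume the VMs recorded by suspend_all; "start" on a suspended VM restores it.
resume_all() {
    [ -f "$STATE_FILE" ] || return 0
    while IFS= read -r vmx; do
        [ -n "$vmx" ] || continue
        "$VMRUN" -T "$PRODUCT" start "$vmx" nogui || echo "start failed: $vmx" >&2
    done < "$STATE_FILE"
}

# Hook "suspend" into the host's shutdown sequence and "resume" into its boot.
case "${1:-}" in
    suspend) suspend_all ;;
    resume)  resume_all ;;
    *) echo "usage: $0 suspend|resume" >&2 ;;
esac
```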
Re: openbsd in virtualization
2009/3/18 Michiel van Baak : > I'm running OpenBSD 4.4 and -current under KVM here at home. > I wont run it in production tho. Real hardware is much more stable. I agree. I use VMware Workstation at home/work and ESX3 at work. I had a lot of distrust initially (2004), but over a few years I had developed confidence that it could be reliable for test systems and servers where I was being forced to use VMs. However I have seen performance quirks with ESX3.5 and when I patched my 6.5 Workstation to 6.5.1, OpenBSD -stable gets ddb> when trying to build release. Now my paranoia is back and I think it was healthy paranoia all along. Plus, besides the reduced stability, there is all the research that has proven that this new complex software layer has introduced a whole new realm for attack. Anyone just needs to take a look through the descriptions of VMware's patches. Descriptions which state that exploitation of x vulnerability can cause arbitrary code execution outside of the rooted guest and into other guests and even the host.
Re: Ramifications of blocking SYN+FIN TCP packets
2009/3/13 Rod Whitworth : >>You could have scrubbing turned off at the bride > > So what's she going to do? Just the dishes? > Why did he marry her anyway? > > Careful Rod, from memory Diana is a crack shot and packs!
Re: 4.4 on ESXi 3.5 (was: vic(4) on amd64)
2009/3/12 : > I discovered a severe performance problem, wherein an OpenBSD guest would > run fine for some period of hours, and then become horribly bogged down > during disk operations, to the point of unusability. This was true even > when the guest was nearly idle and the VM host had abundant uncommitted > resources, and was equally true on 32 bit and 64 bit OpenBSD guests. > > This was a showstopper, but the problem appears to have been "resolved" by > lying to the hypervisor. Since I told it that the guest was "Red Hat > Enterprise Linux 64 bit", instead of "Other 64 bit", the problem has so far > not recurred. Thanks David, I came across this problem a few days ago and have yet to get back looking at it. So I'm glad for this tip! Shane
Re: PF firewall system capable of handling a multi-gigabit link
2009/3/9 Alface Voadora : > Thanks, > > but stating the obvious is not very helpful. And failing to state how and what you researched is not helpful to people who might be interested in helping you. A consequence of that is that others need to "state the obvious" since they don't know where to start with where you are at in the process of helping yourself.
Re: pfsync vs contrackd
2009/2/19 Mikel Jimenez : > What are the limitations of contrackd? Maybe this is a better place to ask... http://conntrack-tools.netfilter.org/support.html
Re: Car is limiting speed
I've narrowed it down to my car. My speed is limited to 80kph on a 110kph highway. What should I check?
Re: pf.conf and tags
Hi Steve, 2009/1/23 Steve Laurie : > > I've got a Sun Microsystems Ultra 5 270MHz 64bit CPU with 128MB of RAM. > Would that be better than the 1GHz 1024MB RAM x86 bitsa I'm using at the > moment? I'd be surprised if that U5 was faster than the 1GHz x86. Back with OpenBSD 3.7 or so, I found with Ultra 5's that those with the smaller L2 cache were a lot slower than those with the 2MB L2 cache.

Direct crossover connection: 94.1 Mbits/sec (end-point directly to end-point).
360MHz in the Ultra 5 (256k L2): pf OFF: 67.2 Mbits/sec, pf ON: 47.3 Mbits/sec.
333MHz in the Ultra 5 (2M L2): pf OFF: 77.0 Mbits/sec, pf ON: 74.0 Mbits/sec.

The 270MHz UltraSPARC in your Ultra 5 probably has 256k of L2 cache, so I think you'll get a speed penalty due to cycle speed and the small L2 cache size. Although lots of pf performance gains have been made since then and I don't know if any of them would have made the L2 difference less dramatic. Shane
Belkin F5D5005 has switched from sk(4) to re(4) RTL8169
Hello all, Just a heads up if anyone specifically tries to get sk(4) by sourcing Belkin F5D5005 cards. I just purchased a pack of 10, since I had others which were sk(4), but these new cards are all RTL8169 based. The box shows Ver.2001 Shane
Re: PPTP Server behind PF firewall
2008/12/12 cbc : > Hello, > > I have a PPTP server (running Windows Server) behind PF (OpenBSD > 4.4). I tried 'rdr pass' on 1723/TCP and all GRE traffic, without > success. Then, I tried to set up an alias on WAN interface and create > a binat rule, doesn't work too. > > Is there any limitation with PF? I wouldn't like to use Netfilter > (ip_gre module) to solve this problem. Any idea? > > Thanks in advance, http://marc.info/?l=openbsd-misc&m=119549491121338&w=2
Re: 4.4 arrived in New Zealand
Got mine today. Sydney Australia. Thanks to all the devs and supportive user community! Another brilliant set and release!
Re: Random crashes with Intel D945GCLF2
2008/10/10 Damian Gerow : > Mark Kettenis wrote: >> Boy, those Intel-branded boards have shitty BIOSes... > > And support. They've basically said that OpenBSD is not a supported OS, so > they won't help me. Neither do they support diagnostics from third-party > programs or companies. > > I think I've learned my lesson here. I thought it odd being an Intel board not using an Intel NIC. Not really their board? Shane