Re: Package dependencies size estimate script
Hi Aaron
On 11/6/09, Aaron Mason wrote:
> On Fri, Nov 6, 2009 at 2:42 AM, wrote:
>> Hi
>>
>> Just wanted to share a script with fellow OpenBSD
>> desktop users who like to keep minimal non-base
>> software on the machine and prefer to use lighter
>> alternatives whenever possible.
>>
>> This script will help you estimate the total space
>> which will be used by a given package as well as
>> all the dependencies (recursively).
>>
>> It has to be run inside a directory with your
>> mirror of all packages. The o/p is a text file
>> in /tmp directory.
>>
>> This was made quickly for myself long time back.
>> Please consider the quality as such. Works for me.
>> Hope it can come in handy to someone.
>>
>> Take care.
>>
>> Srikant.
>>
>> -
>>
>> #!/bin/sh
>> # Find the full depency list for a given package
>> # in cmd. line
>> # Assumes one is in a dir with all packages
>>
>> # Temporary files
>> tmp_file_1=$(mktemp)
>> tmp_file_2=$(mktemp)
>> tmp_file_3=$(mktemp)
>>
>> echo $1 > $tmp_file_1
>>
>> ctr=0
>> over=0
>> while [ $over -ne 1 ]
>> do
>>cat $tmp_file_1 | fgrep -v -f $tmp_file_3 \
>>| xargs -I % pkg_info -f % \
>>| fgrep @depend | cut -d : -f 3 \
>>| grep -v '^$' | sort \
>>| uniq >> $tmp_file_2
>>
>>md5_old=`cat $tmp_file_1 | md5`
>>md5_new=`cat $tmp_file_2 | md5`
>>if [ `echo $md5_new | fgrep -xc $md5_old` -eq 1 ]; then
>>over=1
>>fi
>>cat $tmp_file_1 >> $tmp_file_3
>>cat $tmp_file_2 > $tmp_file_1
>>ctr=$(( ctr+1 ))
>> done
>>
>> cat $tmp_file_2 | sort | uniq > /tmp/$1-dependencies
>> echo "-" >> /tmp/$1-dependencies
>> ctr=$(( ctr-2 ))
>> echo "No. of levels of dependencies : $ctr" \
>>>> /tmp/$1-dependencies
>> count=`cat $tmp_file_2 | sort | uniq | wc -l | sed 's/ //g'`
>> echo "No. of dependencies : $count" \
>>>> /tmp/$1-dependencies
>>
>> cat $tmp_file_2 | sort | uniq | xargs -I % pkg_info -s % \
>>| fgrep Size: | awk '{ print $2 }' > $tmp_file_3
>> siz=0
>> {
>> while read rline
>> do
>>siz=$(( siz+rline ))
>> done
>> } < $tmp_file_3
>> echo "Estimated total size of dependencies: $siz" \
>>>> /tmp/$1-dependencies
>>
>> rm -rf $tmp_file_1
>> rm -rf $tmp_file_2
>> rm -rf $tmp_file_3
>>
>>
>
> pkg-info will also look for PKG_PATH and check remotely if there are
> any addresses there, I believe, so having a local mirror isn't
> necessary.
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
>
Thanks for pointing it out as well as the diff.
Learnt a couple of things from it.
Take care.
Srikant.
ichiic0 errors on 4.3
Hi
I have been noticing these kernel messages once in
a while on my i386 machine running 4.3 (+ all patches
up to date). The drive is brand new 500GB SATA.
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x0
ichiic0: abort failed, status 0x0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x0
ichiic0: abort failed, status 0x0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status
0x40
ichiic0: abort failed, status 0x0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status
0x40
ichiic0: abort failed, status 0x40
Is this the sign of an impending motherboard failure?
It is an intel D915GVWB. Can someone please shed some
light on the meaning of these. I know 4.5 is about to
be released. I will definitely move on to it. If this
regards some issue which was fixed in 4.4 or later,
I apologize for bringing this up again.
The dmesg is as follows. Let me know if anything else
is required for analysis .
OpenBSD 4.3 (GENERIC) #0: Thu Feb 12 22:22:54 IST 2009
root@:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.06GHz ("GenuineIntel" 686-class) 3.07 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CNXT-ID,CX16,xTPR
real mem = 1599647744 (1525MB)
avail mem = 1537679360 (1466MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/12/05, SMBIOS rev. 2.3 @ 0xe5bf1 (32
entries)
bios0: vendor Intel Corp. version "WB91X10J.86A.1319.2005.1012.0939" date
10/12/2005
bios0: Intel Corporation D915GVWB
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 0%
apm0: AC off, battery charge unknown, estimated 0:00 hours
acpi at bios0 function 0x0 not configured
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xae00!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82915G Host" rev 0x04
agp0 at pchb0: aperture at 0x6000, size 0x1000
vga1 at pci0 dev 2 function 0 "Intel 82915G Video" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 "Intel 82801FB HD Audio" rev 0x03: irq 11
azalia0: codec[s]: Realtek ALC880
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801FB PCIE" rev 0x03
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 82801FB PCIE" rev 0x03
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 2 "Intel 82801FB PCIE" rev 0x03
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 3 "Intel 82801FB PCIE" rev 0x03
pci4 at ppb3 bus 4
uhci0 at pci0 dev 29 function 0 "Intel 82801FB USB" rev 0x03: irq 9
uhci1 at pci0 dev 29 function 1 "Intel 82801FB USB" rev 0x03: irq 10
uhci2 at pci0 dev 29 function 2 "Intel 82801FB USB" rev 0x03: irq 11
uhci3 at pci0 dev 29 function 3 "Intel 82801FB USB" rev 0x03: irq 11
ehci0 at pci0 dev 29 function 7 "Intel 82801FB USB" rev 0x03: irq 9
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd3
pci5 at ppb4 bus 5
vr0 at pci5 dev 0 function 0 "VIA VT6105 RhineIII" rev 0x8b: irq 11, address
00:21:91:8e:3f:4b
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 9: OUI 0x004063,
model 0x0034
vr1 at pci5 dev 1 function 0 "VIA VT6105 RhineIII" rev 0x8b: irq 11, address
00:21:91:8d:e8:be
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 9: OUI 0x004063,
model 0x0034
fxp0 at pci5 dev 8 function 0 "Intel 82801FB LAN" rev 0x01, i82562: irq 11,
address 00:16:76:63:2f:e3
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801FB LPC" rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801FB IDE" rev 0x03: DMA, channel 0
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 "Intel 82801FB SATA" rev 0x03: DMA, channel 0
configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 "Intel 82801FB SMBus" rev 0x03: irq 10
iic0 at ichiic0
adt0 at iic0 addr 0x2e: emc6d100 rev 0x68
spdmem0 at iic0 addr 0x50: 256MB DDR SDRAM non-parity PC3200CL2.5
spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC3200CL3.0
spdmem2 at iic0 addr 0x52: 256MB DDR SDRAM non-parity PC2700CL2.5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2
Re: PF issue
Have you tried doing a tcpdump on fxp0 and pflog0 while trying to access the web server on home firewall? Might give you clues. Srikant.
Re: separating normal ssh logins from authpf logins
If I am not misreading your question, Few things which I can think of are: 1. For regular logins, shell in /etc/passwd will be regular shell while for authpf users, /usr/sbin/authpf 2. See login.conf man page. Having a separate login class for authpf and regular users will give good control on what they can do 3. Separate small partition for regular remote users with noexec mount flag in /etc/fstab helps security 4. Seperate groups for each class of users coupled with dir and file system permissions helps security 5. In case some users only do SFTP, see internal-sftp option for sshd_config Hope this helps. Srikant.
Re: How to filter based on application protocol being used
Thanks a lot jean-philippe ! Will give it a try immediately. Regards Srikant Tangirala.
Re: How to filter based on application protocol being used
Thanks for such a prompt reply. I will not use Linux even if you pay me. It has been OpenBSD for me for past three years and it will remain so as long as OpenBSD remains what it stands for. That aside, see, I have used this tool called ourmon successfully on OpenBSD to detect P2P traffic and block the users in conjunction with authpf and pf. The tool can do other detections as well. It matches packets/traffic-patterns with those observed by network admins as being related to a specific type of application protocol. Payload is not inspected, although a grep may be happening. It works by passively monitoring the packets flowing by, no kernel stuff involved. Just want to know if anyone has come up with a good solution to this problem. If there is none yet, fine, we continue with what we have or even partial solutions will help a bit. Thanks for your time. Srikant Tangirala. On Fri, May 9, 2008 at 11:55 AM, Reyk Floeter <[EMAIL PROTECTED]> wrote: > On Fri, May 09, 2008 at 10:40:18AM +0530, Srikant Tangirala wrote: > > for all the common protocols? With my little bit > > of knowledge what I figure is that we need some > > piece of software(s) which understands each protocol > > thoroughly, can look at raw packets in real-time > > and detect the protocol being used. Even then, > > ah, i'm just looking at your mail again - you a are kidding, there is > no way to do content inspection in "real-time". go and use linux where > you can use stupid and dangerous stuff in the kernel. this is not what > openbsd is about. > > reyk
How to filter based on application protocol being used
Hello All Since many of standard services can be made to listen on any port on the server side, and proxies with custom configuration can be used in cases otherwise, how effective is a firewall if it blocks based on standard service ports? Is there a way in which the application protocols being used can be detected and then this knowledge be used to let pf know what to filter and what not? So, is there some way to ensure that traffic to port 53 is in fact not from a program like iodine and what goes to port 80 is only HTTP/HTTPS, and so on for all the common protocols? With my little bit of knowledge what I figure is that we need some piece of software(s) which understands each protocol thoroughly, can look at raw packets in real-time and detect the protocol being used. Even then, it may get bypassed in cases like 'protocol obfuscation' feature of eMule being used, or if sufficient amount of random garbage traffic is generated to deter proper analysis. Please correct if I am wrong or the question itself is impertinent to this list. Any help will be great. Thanks in advance. Srikant Tangirala.
Routing trouble with PPPoE on 3.8
Hello
I am trying to connect my obsd 3.8-stable system to internet
via PPPoE ( ISDN connection-64Kbps). ppp program reports
an established connection, ifconfig shows an IP address
assigned to tun0 interface. But i simply can't use any program
like ping, ftp or firefox to connect to any server. They say
"no route to host". I must be doing something stupid. Is the
pf ruleset the problem?
I have configured the userland pppoe with a plain ppp.conf:
default:
set log Phase Chat LCP IPCP CCP tun command
pppoe:
set device "!/usr/sbin/pppoe -i rl0"
set mtu max 1492
set mru max 1492
set speed sync
disable acfcomp protocomp
deny acfcomp
set authname "[EMAIL PROTECTED]"
set authkey ""
When i run ppp, here is what i see-
#ifconfig rl0 up
#ppp pppoe
Working in interactive mode
Using interface tun0:
ppp ON mycomp> dial
ppp ON mycomp> Warning: deflink: Reducing configured MRU
from 1500 to 1492
Ppp ON mycomp>
PPp ON mycomp>
PPP ON mycomp>
$ifconfig
lo0: flags=8049 mtu 33224
groups: lo0
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
rl0: flags=8843
mtu 1500
lladr 00:50:ba:a1:b1:0c
media: Ethernet autoselect (none)
status no carrier
inet6 fe80::250:baff:fea7:b47c%rl0 prefixlen 64 scopeid 0x1
pflog0: flags=141 mtu 33224
pfsync0: flags=0<> mtu 1348
enc0: flags=0<> mtu 1536
tun0: flags=8011 mtu 1492
inet 210.211.129.64 --> 210.211.128.1 netmask 0x
inet6 fe80::250:baff:fea7:b47c%tun0 -> prefixlen 64 tentative
scopeid 0x6
#cat pf.conf
scrub in all
block in all
block out all
antispoof quick for { rl0 tun0 lo0 }
pass in log on tun0 proto tcp from any to any port ssh flags S/SA \
synproxy state
pass out on tun0 proto tcp all modulate state flags S/SA
pass out on tun0 proto { icmp, udp } all keep state
pass in log on rl0 proto tcp from any to any port ssh flags S/SA \
synproxy state
pass out on rl0 proto tcp all modulate state flags S/SA
pass out on rl0 proto { icmp, udp } all keep state
Do i need to have the above three rules for both tun0 and rl0?
pf is enabled in rc.conf apart from inetd and sshd. Not running
named.
This is a simple home PC- i386 with GENERIC kernel patched
up to date. rl0 is definitely the right interface, got it from dmesg
output. Sorry, did not include dmesg output since it is too long
to type. If needed, i will.
I did not customize dhclient.conf. I created a hostname.tun0 with
just "dhcp" in it. That did not solve my problem. Still cannot connect.
I do not have any other hostname.rl0 etc.No other config files in
/etc/ppp directory were changed.
I did not customize resolv.conf by hand. Seems like ppp puts
stuff in it everytime i invoke it.
#cat resolv.conf
nameserver 203.197.30.4
nameserver 202.54.2.17
Kindly let me know what i'm doing wrong.
Thanks a lot for your time.
Srikant.
--
Srikant Tangirala
[EMAIL PROTECTED]
--
http://www.fastmail.fm - The professional email service
