Re: ssh IPV6 link local through jumphost

2024-02-23 Thread Ian Timothy


> On Feb 23, 2024, at 10:33, Tom  wrote:
> 
> command `ssh user@fe80::262:bff::@em0` works just fine.
> 
> `ssh -J  user9001@jumpserver user@fe80::262:bff::%em0`

Don’t know if this is the problem, but I notice your two addresses are 
different. Notice @em0 vs %em0. 



PF Rules for Dual Upstream Gateways

2023-11-22 Thread Ian Timothy
Hello,

I have two ISPs where one connection is primary and the other is low-bandwidth 
for temporary failover only. ifstated handles the failover by simply changing 
the default gateway. But under normal conditions I want to be able to connect 
via either connection at any time without changing the default gateway.

A long time ago under the old pf syntax I had this in /etc/pf.conf which worked 
fine, and as far as I can remember was the only thing needed to enable this 
desired behavior:

pass in on $wan1_if reply-to ( $wan1_if $wan1_gw )
pass in on $wan2_if reply-to ( $wan2_if $wan2_gw )

But I’ve not been able to find the right way to do this under the new pf 
syntax. From what I’ve been able to find this supposedly does the same 
thing, but no success so far:

pass in on $wan1_if reply-to ($wan1_if:peer)
pass in on $wan2_if reply-to ($wan2_if:peer)

What am I missing? Or is there a better way to do this?
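
An added example, not from the original post, of a complete pf.conf for the two-ISP case. It uses the address@interface spelling for reply-to that current pf.conf(5) documents for route-to/reply-to/dup-to, which is my assumption about what replaced the parenthesised form in the post; parse it with `pfctl -nf /etc/pf.conf` before loading it. Interface names, gateway addresses and service ports are invented for illustration. The caveat that explains the `:peer` attempt: `interface:peer` expands to the peer address of a point-to-point interface only, so on an Ethernet WAN it expands to nothing and the reply-to rule never gets a gateway.

```pf
# Added example (not the poster's file).  Interfaces, gateways and ports
# are assumptions; syntax check:  pfctl -nf /etc/pf.conf
wan1_if  = "em1"
wan1_gw  = "203.0.113.1"      # primary ISP next hop
wan2_if  = "em2"
wan2_gw  = "198.51.100.1"     # failover ISP next hop
lan_if   = "em0"
services = "{ 22 443 }"

set skip on lo
block return log

# Inbound services on each WAN.  reply-to pins the reply path to the
# gateway on the interface the SYN arrived on, independent of which
# gateway ifstated currently has installed as the default route.
# Without it, a connection arriving via the failover link is answered
# through the primary link and the handshake never completes.
pass in on $wan1_if inet proto tcp to ($wan1_if) port $services \
    reply-to $wan1_gw@$wan1_if
pass in on $wan2_if inet proto tcp to ($wan2_if) port $services \
    reply-to $wan2_gw@$wan2_if

# Outbound LAN traffic follows the default route; translate to the
# address of whichever WAN the packet actually leaves on.
match out on $wan1_if from $lan_if:network nat-to ($wan1_if:0)
match out on $wan2_if from $lan_if:network nat-to ($wan2_if:0)
pass in on $lan_if from $lan_if:network
pass out on { $wan1_if $wan2_if }
```

If your pfctl rejects the `@` form, the `( $wan1_if $wan1_gw )` spelling from the post is the pre-change syntax; what matters is that the rule names the gateway address explicitly, because nothing on an Ethernet interface can supply it.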



dhcpd code options

2022-12-28 Thread Ian Timothy
In /etc/dhcpd.conf the line:

option option-066 "…";

gives error:

fatal in dhcpd: Configuration file errors encountered
 
dhcp-options(5) states:

Options ... may be defined by the name option-nnn where nnn is the
decimal number of the option code. ... For example:

option option-133 "my-option-133-text";
option option-129 1:54:c9:2b:47;

I’ve also tried `option-66`, `66`, putting it in different sections of the 
.conf file.

Am I missing something?

Thanks,
Ian
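
An added example, not the poster's file: a dhcpd.conf that carries the TFTP server and boot file the way I would write it for OpenBSD dhcpd. Codes 66 and 67 already have names in dhcp-options(5) (tftp-server-name and bootfile-name); my reading, which is an assumption rather than something the thread confirms, is that the generic option-nnn spelling is only for codes the option table has no name for, which would explain why option-133 parses and option-66 does not. Addresses, hostnames and the MAC are invented. `dhcpd -n` parses the file without starting the daemon, which is the check to run before restarting anything.

```conf
# Added example (not the poster's file).  Addresses, names and MACs are
# assumptions.  Syntax check only:  dhcpd -n
option domain-name "example.test";
option domain-name-servers 192.0.2.53;

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    range 192.0.2.100 192.0.2.199;

    # Boot parameters only for a known machine, not for every client that
    # asks: DHCP is unauthenticated, so whatever it points a client at for
    # network boot should be handed out as narrowly as possible.
    host build01 {
        hardware ethernet 00:00:5e:00:53:01;
        fixed-address 192.0.2.21;

        # Codes 66 and 67 by their dhcp-options(5) names, for clients that
        # read the options rather than the BOOTP header fields.
        option tftp-server-name "192.0.2.10";
        option bootfile-name "pxeboot";

        # The BOOTP siaddr/file fields that PXE firmware reads.
        next-server 192.0.2.10;
        filename "pxeboot";
    }
}

# A code with no name in the table still needs the generic spelling,
# as in the dhcp-options(5) example:
option option-133 "my-option-133-text";
```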



Re: IKEv2 on Windows 10

2021-01-16 Thread Ian Timothy



> On 14 Jan 2021, at 01:28, Stuart Henderson  wrote:
> 
> On 2021-01-13, Ian Timothy  wrote:
>> Looking at some of the other information provided, I tried this along with 
>> the registry edit below:
>> 
>> PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" 
>> -TunnelType IKEv2 -AuthenticationMethod MachineCertificate 
>> -AllUserConnection -Force
> 
> "-AuthenticationMethod MachineCertificate" - I thought you were using
> MSCHAP not machine certs?

I’m just trying anything and everything at this point. I’ll do whatever works.


> FWIW I'm adding the connection manually and then doing this:
> 
> Set-VpnConnection -ConnectionName "vpn" -EncryptionLevel Maximum 
> -SplitTunneling $false -passthru
> 
> Set-VpnConnectionIPsecConfiguration -ConnectionName "vpn" 
> -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants 
> GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup 
> ECP256 -PfsGroup ECP256 -passthru 
> 
> iked.conf (using the same config for Windows/Android/iOS clients, and
> for ease of client setup allowing the default Windows crypto as well as
> better ones):
> 
> ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0 \
>  local xxx \
>  peer any \
>  ikesa enc aes-128 enc aes-256  prf hmac-sha2-256 prf hmac-sha1  auth 
> hmac-sha2-256  group curve25519 group ecp521 group ecp256 group modp2048 
> group modp1024 \
>  childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group 
> ecp256 group modp2048 \
>  childsa enc aes-128 enc aes-256  auth hmac-sha2-256 auth hmac-sha1 \
>  childsa enc aes-128-gcm enc aes-256-gcm \
>  srcid "xxx" \
>  eap "mschap-v2" \
>  config address xxx/25 \
>  config name-server xxx \
>  tag "$name-$id"
> 
> (plus the user config).

I’m getting the following error on Windows upon connecting:

“IKE failed to find valid machine certificate.”

I’ve done a fresh install of Windows 10 Pro using a new download of the ISO, 
but still get the above error.



#
# Generate certificates
#

ikectl ca vpn delete

# CN is "VPN"
ikectl ca vpn create
ikectl ca vpn install

# CN is "vpn.company.com", same as srcid in iked.conf
ikectl ca vpn certificate 10.0.0.1 create
ikectl ca vpn certificate 10.0.0.1 install

# CN is 10.0.2.100, same as IP in following line
ikectl ca vpn certificate 10.0.2.100 create
ikectl ca vpn certificate 10.0.2.100 export



#
# Show certificates
#

$ ikectl show ca vpn certificates
subject= /C=US/ST=State/L=City/O=Company/OU=Information 
Systems/CN=VPN/emailAddress=t...@company.com
SHA256 
Fingerprint=83:BE:37:FD:A9:B1:53:11:F6:7D:90:25:20:42:21:46:13:52:E1:C3:14:9B:F9:E1:74:C8:89:6A:3E:55:0F:FC
notBefore=Jan 16 19:51:53 2021 GMT
notAfter=May 13 19:51:53 2033 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information 
Systems/CN=vpn.company.com/emailAddress=t...@company.com
SHA256 
Fingerprint=9F:93:75:73:6A:F2:BE:59:4A:14:BD:C6:F3:1C:C0:DC:20:26:0D:B7:AE:1C:07:BC:FE:6A:04:C2:20:07:BC:6D
notBefore=Jan 16 19:52:15 2021 GMT
notAfter=Jan 16 19:52:15 2022 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information 
Systems/CN=10.0.2.100/emailAddress=t...@company.com
SHA256 
Fingerprint=BF:E5:C4:64:55:4D:4E:E7:BC:7F:D9:6E:90:C2:06:BD:66:9A:40:04:EB:C3:BE:A3:2A:DA:91:1A:E7:3D:42:A4
notBefore=Jan 16 19:52:41 2021 GMT
notAfter=Jan 16 19:52:41 2022 GMT



#
# Install certificates on Windows
#

1. scp 10.0.2.100.zip from vpn.company.com to Windows client
2. Unzip
3. Double click ca.pfx
   1. Select "Local Machine"
   2. Select "Place certificates in following store"
      1. Select "Trusted Root Certificate Authorities"
4. Double click 10.0.2.100.pfx, repeat above except use "Personal" store


Windows VPN device settings at the moment:
Name: “VPN”
General tab
Server: vpn.company.com
Security tab
VPN type: IKEv2
Authentication: Use machine certificates

PowerShell:

PS> Set-VpnConnection -ConnectionName "VPN" -EncryptionLevel Maximum 
-SplitTunneling $false -passthru
PS> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN" 
-AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 
-EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup 
ECP256 -passthru



#
# iked.conf at the moment
#

ikev2 "vpn-eap" passive esp \
from 0.0.0.0/0 to 0.0.0.0 \
local egress peer any \
ikesa enc aes-128 enc aes-256  prf hmac-sha2-256 prf hmac-sha1  auth 
hmac-sha2-256  group curve25519 group ecp521 group ecp256 group modp2048 group 
modp1024 \
childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group 
ecp256 group modp2048 \
childsa enc aes-128 enc aes-256  auth hmac-sha2-256 auth hmac-sha1 \
childsa enc aes-128-gcm enc aes-25

Re: IKEv2 on Windows 10

2021-01-13 Thread Ian Timothy
> On 13 Jan 2021, at 06:04, Cand Tec  wrote:
> 
> This is my first time responding to a post so forgive me if I violate any 
> protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office clients, 
> all running on high-end repurposed desktops. Due to covid I've had to quickly 
> setup ikev for a very small number of home users, none of which are 
> roadwarriors and all use Win10. Yes, I know I should be using ikev2, so don't 
> chew me out, at the time it was just quicker. 
> Using the UI in Win10 is not the way to go. Apparently the Win10 default 
> parameters via UI does not provide the required ciphers.
> I used powershell to modify the parameters first then use the vpn connection 
> properties to finalize the settings. It worked 100% of the times without 
> fail. When I duplicated using only the Win10 UI and it failed in every 
> instance.
> 
> Here are the powershell cmds I used to modify my default vpn settings which 
> has worked everytime -
> PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com 
> -TunnelType "L2tp"
> PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME" 
> -AuthenticationTransformConstants None -CipherTransformConstants AES256 
> -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup 
> Group14 -PassThru -Force

Indeed that does not work for IKEv2:
ikev1_recv: header ispi 0x94edd5a8931477d9 rspi 0x nextpayload 
1 version 0x10 exchange 2 flags 0x00 msgid 0 length 256
ikev1_recv: IKEv1 not supported


Looking at some of the other information provided, I tried this along with the 
registry edit below:

PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" -TunnelType 
IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -Force
PS> Set-VpnConnectionIPsecConfiguration -ConnectionName "IPB2" 
-AuthenticationTransformConstants None -CipherTransformConstants AES256 
-EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 
-PfsGroup None -PassThru -AllUserConnection

But that doesn’t seem to help anything.


> Here's some info I found helpful -
> 
> L2TP issues with Win 10 – phase1 does not form due to insecure default 
> parameters
> REGISTRY SOLUTION:  
> https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
>  
> Create a registry key that enforces modern cipher and transform sets.
> 
> STEP 1:  Edit Registry or create GPO:
> 
> HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
> STEP 2: Create new DWORD value:
> NegotiateDH2048_AES256
> STEP 3:  Modify DWORD value: 2
> 
> 
> 
> One caveat, whenever a major Win10 update is installed it tends to reset the 
> Win10 vpn parameters you modified. It's not consistent, but I've had to reset 
> it a few times. Other than that it has been flawless so far...if you can call 
> it that.
> 
> Hopefully this helps.
> 
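
Pulling the Windows side of both replies together, as an added example that is not code from the thread: a PowerShell profile for an iked policy that uses eap "mschap-v2", with the IPsec proposal pinned and the RasMan registry value from the quoted post. The connection name, server name and the path of the exported ca.crt are assumptions, as is my choice of New-EapConfiguration to build the EAP-MSCHAPv2 settings. The point a practitioner wants here: with EAP only the server presents a certificate and the client authenticates with a username and password, so choosing "Use machine certificates" makes Windows search its Personal store for a client certificate that does not exist, which is exactly the "IKE failed to find valid machine certificate" message. What the client does need is the CA in the machine's Trusted Root store and a server certificate whose name matches the ServerAddress, which is why the thread ties the certificate CN to the iked srcid.

```powershell
# Added example, not from the thread.  $Name, $Server and $CaPath are
# assumptions; run from an elevated PowerShell.
$Name   = "VPN"
$Server = "vpn.company.com"   # must equal the server cert name and the iked srcid
$CaPath = "C:\vpn\ca.crt"     # ca.crt from the 'ikectl ca vpn export' zip

# 1. Trust the CA that signed the server certificate, machine-wide.  With
#    EAP the client needs no certificate of its own; IKEv2 validates the
#    server certificate only.
Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. Username/password (EAP-MSCHAPv2) profile.  New-EapConfiguration with
#    no arguments produces the EAP-MSCHAPv2 XML (assumption: verify with
#    Get-Help New-EapConfiguration).  RememberCredential is left off so the
#    password is not cached on a shared machine.
$Eap = New-EapConfiguration
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
    -AuthenticationMethod Eap -EapConfigXmlStream $Eap.EapConfigXmlStream `
    -EncryptionLevel Maximum -AllUserConnection -Force

# 3. Pin the IPsec proposal to what the iked policy offers, so the client
#    never falls back to the 3DES/SHA1/modp1024 defaults seen in the log.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup ECP256 -PfsGroup ECP256 -Force

# 4. The registry value quoted in the thread: per its name and the quoted
#    post, 2 makes the built-in client propose AES-256 with a 2048-bit DH
#    group instead of its legacy defaults.
$Ras = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters"
New-ItemProperty -Path $Ras -Name NegotiateDH2048_AES256 -PropertyType DWord -Value 2 -Force | Out-Null

# 5. Verify, and re-run after Windows feature updates, which the quoted
#    post reports can reset these settings.
$Conn = Get-VpnConnection -Name $Name -AllUserConnection
$Conn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
$Conn.IPsecCustomPolicy
Get-ItemProperty -Path $Ras -Name NegotiateDH2048_AES256
```

On the server side this pairs with the posted iked.conf as written; dropping modp1024 and hmac-sha1 from its ikesa list is what makes steps 3 and 4 mandatory rather than optional, since the unmodified Windows client then has nothing acceptable to propose.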



IKEv2 on Windows 10

2021-01-13 Thread Ian Timothy
Hi,

I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with 
macOS without issue. Changing to EAP MSCHAP for use with Windows results in the 
following error:

"The network connection between your computer and the VPN server could not be 
established because the remote server is not responding. This could be because 
one of the network devices (e.g. firewalls, NAT, routers, etc.) between your 
computer and the remote server is not configured to allow VPN connections."

I’ve worked through many examples online, but I’m not sure what's the next step 
to troubleshoot this?

Thanks!



# uname -rsv
OpenBSD 6.8 GENERIC.MP#2


#
# iked.conf
#

ikev2 "vpn-psk" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
srcid vpn.company.com \
eap "mschap-v2" \
config address 10.0.2.0/24 \
config netmask 255.255.0.0 \
config name-server 10.0.0.1 \
tag "$name-$id" 

# Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for macOS.


#
# Generate certificates
#

pkg_add zip

ikectl ca vpn create
ikectl ca vpn install

# CN should be same as srcid in iked.conf
ikectl ca vpn certificate vpn.company.com create
ikectl ca vpn certificate vpn.company.com install

# CN should be same as client ip address
ikectl ca vpn certificate 10.0.2.100 create
ikectl ca vpn certificate 10.0.2.100 export


#
# Windows config
#

- VPN device
   - General tab
  - Server: vpn.company.com
   - Security tab
  - VPN type: IKEv2
  - Authentication: Use machine certificates

- Certs install
   - ca.crt --> Certificates (Local Computer)/Trusted Root Certification 
Authorities/Certificates
   - 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates


#
# iked log
#

doas iked -dvv
create_ike: using signature for peer 
ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 
23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc 
aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn srcid 
vpn.ipaperbox.com lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config address 
10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user windows
user "windows" "password"
config_getpolicy: received policy
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpfkey: received pfkey fd 3
ca_getkey: received private key type RSA_KEY length 1192
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=US/ST=State/L=City/O=Company Name/OU=Information 
Systems/CN=vpn.company.com/emailAddress=t...@company.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 10.0.0.1.crt
ca_validate_cert: /C=US/ST=State/L=City/O=Company Name/OU=Information 
Systems/CN=vpn.company.com/emailAddress=t...@company.com subject issuer mismatch
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

policy_lookup: setting policy 'vpn-eap'
spi=0x804dbcb818c0c11e: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:56819 local 
23.AAA.AAA.129:500, 624 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x
ikev2_policy2id: srcid FQDN/vpn.ipaperbox.com length 21
ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 624 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id 

VPN IKEv2 Traffic Flows Only One Direction

2020-11-15 Thread Ian Timothy
I’ve been a long time user of OpenBSD, but this is the first time I’m trying to 
setup a VPN. I’m not sure what I’m doing wrong, or what should be the next step 
to troubleshoot. I’ve probably reviewed every IKEv2 how-to I can find.

I need to end up with a configuration that will support several simultaneous 
roaming users connecting from anywhere they happen to be.

Client:
macOS 10.15.7
Using builtin VPN client

Server:
OpenBSD 6.6
em1 = 23.X.X.128/29
em0 = 10.0.0.0/16
enc0 = 10.1.0.0/16

From the client I can connect to 10.0.0.1, but for anything outside that network 
traffic flows but does not return:


# --- client: curl -v ipinfo.io/ip ---

*   Trying 216.239.36.21:80...
[ never connects ]




# --- server: iked -dv ---

ikev2 "vpn" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.30.51.129 
peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 
auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc 
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.ipaperbox.com 
lifetime 10800 bytes 536870912 psk 0x70617373776f7264 config address 10.1.0.0 
config netmask 255.255.0.0 config name-server 10.0.0.1
[--- CLIENT CONNECTS ---]
spi=0x69f90afcc96f7600: recv IKE_SA_INIT req 0 peer 166.X.X.161:62140 local 
23.X.X.129:500, 604 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_SA_INIT res 0 peer 166.X.X.161:62140 local 
23.X.X.129:500, 432 bytes
spi=0x69f90afcc96f7600: recv IKE_AUTH req 1 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 544 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_AUTH res 1 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 272 bytes, NAT-T
spi=0x69f90afcc96f7600: sa_state: VALID -> ESTABLISHED from 166.X.X.161:54501 
to 23.X.X.129:4500 policy 'vpn'
[--- CLIENT DISCONNECT ---]
spi=0x69f90afcc96f7600: recv INFORMATIONAL req 2 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 80 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send INFORMATIONAL res 2 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 80 bytes, NAT-T
spi=0x69f90afcc96f7600: ikev2_ikesa_recv_delete: received delete
spi=0x69f90afcc96f7600: sa_state: ESTABLISHED -> CLOSED from 166.X.X.161:54501 
to 23.X.X.129:4500 policy 'vpn'



# --- server: tcpdump -i em1 -n host ipinfo.io and port 80 ---

tcpdump: listening on em1, link-type EN10MB
03:37:34.210823 10.1.114.47.59349 > 216.239.36.21.80: SWE 
3159801057:3159801057(0) win 65535  (DF)
03:37:35.228721 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:36.242039 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:37.254607 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:38.267900 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:39.330256 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:41.345983 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:45.424183 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:53.510541 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:38:10.364579 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)



# --- server: tcpdump -i enc0 -n host ipinfo.io and port 80 ---

tcpdump: listening on enc0, link-type ENC
[ no output ]



# --- server: iked.conf ---

# TODO: Change from psk authentication to user-based later.

ikev2 "vpn" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
srcid vpn..com \
psk "password" \
config address 10.1.0.0/16 \
config netmask 255.255.0.0 \
config name-server 10.0.0.1 \
tag "IKED" 



# --- server: pf.conf ---

doas cat pf.conf.vpn 
int_if = "em0"

ext_if = "em1"
ext_net = "23.X.X.128/29"

gateway_ip_ext = "{ 23.X.X.129 }"
gateway_ip_int = "{ 10.0.0.1 }"

set skip on {lo, enc0}

block return    # block stateless traffic
pass            # establish keep-state

pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)



# --- server: sysctl net.inet.{ipcomp.enable,esp.enable,esp.udpencap} ---

net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.esp.udpencap=1
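
An added example, not the poster's pf.conf: the same rule set with the missing translation rule, and with explicit IKE/ESP and enc0 rules in place of the blanket `pass` and `set skip on enc0`. The tcpdump on em1 above is the diagnosis: the SYNs leave with source 10.1.114.47, an address from the iked pool that no upstream router can return traffic to, because the nat-to rule matches $int_if:network only and the pool is not part of it. Traffic into 10.0.0.0/16 works because it needs no translation. vpn_net is taken from the posted iked.conf; the rest is the poster's own naming. Check with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and the em1 capture should then show 23.X.X.129 as the source. Separately, note that `iked -dv` prints `psk 0x70617373776f7264`, which is the PSK in hex ("password"), so scrub verbose iked output before posting it.

```pf
# Added example (not the poster's file); vpn_net comes from the posted
# iked.conf line 'config address 10.1.0.0/16'.
int_if  = "em0"
ext_if  = "em1"
vpn_net = "10.1.0.0/16"

set skip on lo

block return log

# LAN out through the firewall.
pass in on $int_if from $int_if:network
pass out on $int_if
pass out on $ext_if

# IKE, NAT-T (the log shows the client on 4500) and ESP from roaming clients.
pass in on $ext_if inet proto udp to ($ext_if) port { 500 4500 }
pass in on $ext_if inet proto esp to ($ext_if)

# Decrypted client traffic appears on enc0.  Filtering it instead of
# 'set skip on enc0' means only flows that iked installed with
# tag "IKED" (the posted iked.conf) are forwarded; narrow 'to any' to
# the networks VPN users actually need.
pass in on enc0 from $vpn_net to any tagged IKED
pass out on enc0

# The fix: translate the VPN pool as well, otherwise replies from the
# Internet are addressed to 10.1.x.x and never come back.
match out on $ext_if from { $int_if:network $vpn_net } to any nat-to ($ext_if:0)
```

pf creates one state per interface a forwarded packet crosses, so the inbound state on enc0 does not stop the outbound rule on em1 from being evaluated; that is where the translation happens, and why `pass out on $ext_if` (or the poster's global `pass`) has to be there.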







Re: Purging a wifi connection

2020-02-21 Thread Timothy Brown
On Fri, Feb 21, 2020 at 02:10:49PM -0700, Raymond, David wrote:
> I have a problem when I have two wifi services available, say, a hotel
> wifi and my cellphone hotspot.  Suppose I put the hotel wifi in my
> hostname.xxx file and run sh /etc/netstart and I don't like the
> results.  Removing the hotel wifi from the hostname file, replacing it
> with my hotspot wifi, and rerunning sh /etc/netstart results in the
> computer trying to connect with the hotel wifi again, even though this
> connection is no longer in the hostname file.  If I then reboot the
> computer and rerun sh /etc/netstart, it connects with the hotspot wifi
> as desired.
> 
> My question is whether there is a way to purge the non-desired wifi
> connection without rebooting the computer.
> 

Hi David,

In cases like this, I typically don't update my hostname.xxx file and
instead run `ifconfig` by hand.

For example to remove ESSID foo:
  ifconfig iwm0 -join foo       # iwm0 stands in for your wireless interface

Or to remove all known networks:
  ifconfig iwm0 -joinlist

The `ifconfig` manpage explains this.

Regards
Tim



Re: Status of ath10k?

2019-10-06 Thread Timothy Brown
Hi Gregor,

On Sun, Oct 06, 2019 at 12:31:13PM +0200, Gregor Best wrote:
> I've got a new laptop in the mail (Dell XPS 13") which has a WiFi card
> in it that on Linux attaches to ath10k. It looks like there was an
> effort to port that driver to FreeBSD a while ago, but I haven't been
> able to find any recent information.
> 
> What's the status of that on OpenBSD? Is there a driver under way or is
> this a "get comfortable with a urtwn or hack it yourself" situation?

As far as I know (which is very little!), it has not been ported.

I was issued a Dell XPS 13 (9380) a couple of months ago. Linux used the
ath10k driver, for the WiFi, which was a QCA6174 chip. I thought it would
be a matter of swapping out the card, as they are normally an M.2 type.
However on this model Dell decided to solder it to the main-board!

I ended up giving it back to work IT and got a Dell Latitude 3300, as
that was all I could find from Dell that stated it had an Intel chip
(8265). It's nowhere near as sleek as the XPS 13, however everything
works under OpenBSD (thanks everyone!).

Regards
Timothy



Re: Question regarding wi-fi card support

2019-08-09 Thread Timothy Brown
On Thu, Aug 08, 2019 at 09:30:20PM +, flauenroth wrote:
> I am in the need for a proper wi-fi solution for my Lenovo E485. 

I've replaced the original one in my work Dell XPS13 with:

iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless AC 8260" rev 0x3a, msi
iwm0: hw rev 0x200, fw ver 16.242414.0,

It's an M.2 card, works well.

Tim



Re: wsmouse: disable touch-panel

2019-06-10 Thread Timothy Brown
On Mon, Jun 10, 2019 at 03:43:34PM +0200, frantisek holop wrote:
> hello,
> 
> i have a faulty touch panel in this notebook and i need to disable it.
> because of KARL and following -current in general i'd much prefer a non
> config -e solution.  that leaves wscons and X.org.
> 
> if i read Xorg log file correctly, x.org picks up touch panel from
> wsmouse.  after reading wsmouse(4), it is not clear to me how can i
> disable mouse1, mouse2, and mouse3.
> 
> any ideas what i could put in /etc/wsconsctl.conf ?
> 

Hi,

Not too sure about a config change to disable it. However on my crappy
work Dell laptop (XPS 9343), I can disable it in the BIOS. Have you looked
to see if you can do that?

Timothy



Re: Radeon discrete graphics issues

2017-11-19 Thread Timothy Legge
I knew the solution would be something simple, more than likely related to
my inability to read properly :D
Thanks for the pointers Jonathan, sorry it took a while for the point to
stick.

I guess the next natural question is, can I put my hardware to use helping
develop support for this?
I'm no programmer, but I can be a test subject for others working on this.
And is it worth installing -current and sending the developers the dmesg
for reference? I've just realised I've only ever been running -stable on
this box.

On 19 November 2017 at 09:26, Jonathan Gray <j...@jsg.id.au> wrote:

> There is kernel support for the initial GCN parts
> (CAPE VERDE, PITCAIRN, TAHITI) acceleration for those requires userland
> changes.  The last generation with full acceleration is Northern Islands.
>
> On Sun, Nov 19, 2017 at 09:04:40AM +, Timothy Legge wrote:
> > So after re-reading man pages and a quick consultation of some Wikipedia
> > pages, kernel support for most Radeon cards up to those in the Northern
> > Islands family are supported. That ties in nicely with what you've
> > outlined as that's the family that came before they made the change to
> > the GCN Microarchitecture and Instruction set.
> >
> > Hopefully it's something that will be supported in the not too distant
> > future. Until then, it's back in my box.
> >
> > Thanks all.
> >
> > On 19 November 2017 at 01:34, Jonathan Gray <j...@jsg.id.au> wrote:
> >
> > > The userland driver that page describes won't work without kernel
> > > support.
> > >
> > > For GCN parts like OLAND it is worse as they require Mesa to be built
> > > against LLVM libraries for 2D acceleration.  And LLVM
> > > libraries/llvm-config etc are not built/shipped in base.
> > >
> > > On Sun, Nov 19, 2017 at 01:16:19AM +, Timothy Legge wrote:
> > > > I copy/pasted "OLAND Radeon HD 8000 series" from the radeon(4)
> > > > <https://man.openbsd.org/radeon> man page under the section header
> > > > "Supported Hardware". Maybe I'm missing something.
> > > >
> > > > On 19 November 2017 at 01:08, Jonathan Gray <j...@jsg.id.au> wrote:
> > > >
> > > > > On Sat, Nov 18, 2017 at 07:43:03PM +, Timothy Legge wrote:
> > > > > > @Maurice, Don't worry about teaching me to suck eggs, I'd rather
> > > > > > cover all the bases :)
> > > > > >
> > > > > > I've run "fw_update -a"  to ensure that the drivers are
> > > > > > installed and where they need to be. (Bit overkill I know, but
> > > > > > I'd rather be sure at this point.)
> > > > > > As for support from the Radeon driver as linked above, it falls
> > > > > > under the "OLAND Radeon HD 8000 series".
> > > > >
> > > > > The radeon code in the kernel is derived from Linux 3.8, support
> > > > > for the OLAND family wasn't added till 3.9.
> > > > >
> > > > > > It's almost as though the kernel forgets to add "radeondrm0 at
> > > > > > vga1" and "drm0 at radeondrm0" as seen on other dmesg from
> > > > > > systems with Radeon cards.
> > > > > > I can't help shake the sense that the fix to this is going to be
> > > > > > something rather simple, and I'm just too stupid to figure it
> > > > > > out! :)
> > > > > >
> > > > > > On 18 November 2017 at 19:14, Maurice McCarthy
> > > > > > <mansel...@gmail.com> wrote:
> > > > > >
> > > > > > > I assume the radeon firmware is in /etc/firmware. If not
> > > > > > > download
> > > > > > > http://firmware.openbsd.org/firmware/6.2/radeondrm-firmware-20150927.tgz
> > > > > > > and untar it in that directory. (Sorry if I'm teaching granny
> > > > > > > to suck eggs.)


Re: Radeon discrete graphics issues

2017-11-19 Thread Timothy Legge
So after re-reading man pages and a quick consultation of some Wikipedia
pages, kernel support for most Radeon cards up to those in the Northern
Islands family are supported. That ties in nicely with what you've outlined
as that's the family that came before they made the change to the GCN
Microarchitecture and Instruction set.

Hopefully it's something that will be supported in the not too distant
future. Until then, it's back in my box.

Thanks all.

On 19 November 2017 at 01:34, Jonathan Gray <j...@jsg.id.au> wrote:

> The userland driver that page describes won't work without kernel support.
>
> For GCN parts like OLAND it is worse as they require Mesa to be built
> against LLVM libraries for 2D acceleration.  And LLVM libraries/llvm-config
> etc are not built/shipped in base.
>
> On Sun, Nov 19, 2017 at 01:16:19AM +, Timothy Legge wrote:
> > I copy/pasted "OLAND Radeon HD 8000 series" from the radeon(4)
> > <https://man.openbsd.org/radeon> man page under the section header
> > "Supported Hardware". Maybe I'm missing something.
> >
> > On 19 November 2017 at 01:08, Jonathan Gray <j...@jsg.id.au> wrote:
> >
> > > On Sat, Nov 18, 2017 at 07:43:03PM +, Timothy Legge wrote:
> > > > @Maurice, Don't worry about teaching me to suck eggs, I'd rather
> > > > cover all the bases :)
> > > >
> > > > I've run "fw_update -a"  to ensure that the drivers are installed
> > > > and where they need to be. (Bit overkill I know, but I'd rather be
> > > > sure at this point.)
> > > > As for support from the Radeon driver as linked above, it falls
> > > > under the "OLAND Radeon HD 8000 series".
> > >
> > > The radeon code in the kernel is derived from Linux 3.8, support for
> > > the OLAND family wasn't added till 3.9.
> > >
> > > > It's almost as though the kernel forgets to add "radeondrm0 at vga1"
> > > > and "drm0 at radeondrm0" as seen on other dmesg from systems with
> > > > Radeon cards.
> > > > I can't help shake the sense that the fix to this is going to be
> > > > something rather simple, and I'm just too stupid to figure it out! :)
> > > >
> > > > On 18 November 2017 at 19:14, Maurice McCarthy <mansel...@gmail.com>
> > > > wrote:
> > > >
> > > > > I assume the radeon firmware is in /etc/firmware. If not download
> > > > > http://firmware.openbsd.org/firmware/6.2/radeondrm-firmware-20150927.tgz
> > > > > and untar it in that directory. (Sorry if I'm teaching granny to
> > > > > suck eggs.)


Re: Radeon discrete graphics issues

2017-11-18 Thread Timothy Legge
I copy/pasted "OLAND Radeon HD 8000 series" from the radeon(4)
<https://man.openbsd.org/radeon> man page under the section header
"Supported Hardware". Maybe I'm missing something.

On 19 November 2017 at 01:08, Jonathan Gray <j...@jsg.id.au> wrote:

> On Sat, Nov 18, 2017 at 07:43:03PM +, Timothy Legge wrote:
> > @Maurice, Don't worry about teaching me to suck eggs, I'd rather cover
> > all the bases :)
> >
> > I've run "fw_update -a"  to ensure that the drivers are installed and
> > where they need to be. (Bit overkill I know, but I'd rather be sure at
> > this point.)
> > As for support from the Radeon driver as linked above, it falls under the
> > "OLAND Radeon HD 8000 series".
>
> The radeon code in the kernel is derived from Linux 3.8, support for
> the OLAND family wasn't added till 3.9.
>
> > It's almost as though the kernel forgets to add "radeondrm0 at vga1" and
> > "drm0 at radeondrm0" as seen on other dmesg from systems with Radeon
> > cards.
> > I can't help shake the sense that the fix to this is going to be
> > something rather simple, and I'm just too stupid to figure it out! :)
> >
> > On 18 November 2017 at 19:14, Maurice McCarthy <mansel...@gmail.com>
> > wrote:
> >
> > > I assume the radeon firmware is in /etc/firmware. If not download
> > > http://firmware.openbsd.org/firmware/6.2/radeondrm-firmware-20150927.tgz
> > > and untar it in that directory. (Sorry if I'm teaching granny to suck
> > > eggs.)


Re: Radeon discrete graphics issues

2017-11-18 Thread Timothy Legge
@Maurice, Don't worry about teaching me to suck eggs, I'd rather cover all
the bases :)

I've run "fw_update -a"  to ensure that the drivers are installed and where
they need to be. (Bit overkill I know, but I'd rather be sure at this
point.)
As for support from the Radeon driver as linked above, it falls under the
"OLAND Radeon HD 8000 series".
It's almost as though the kernel forgets to add "radeondrm0 at vga1" and
"drm0 at radeondrm0" as seen on other dmesg from systems with Radeon cards.
I can't help shake the sense that the fix to this is going to be something
rather simple, and I'm just too stupid to figure it out! :)

On 18 November 2017 at 19:14, Maurice McCarthy  wrote:

> I assume the radeon firmware is in /etc/firmware. If not download
> http://firmware.openbsd.org/firmware/6.2/radeondrm-firmware-20150927.tgz
> and untar it in that directory. (Sorry if I'm teaching granny to suck
> eggs.)
>


Radeon discrete graphics issues

2017-11-18 Thread Timothy Legge
Hi list!

I've been struggling with this issue for the past week (admittedly in the
evenings only), and I've finally run into a dead end and thus I'm now
throwing myself upon the mercy of the @misc list in the hope someone will
be able to provide some direction on how to solve the issue.

I'm using an HP 6000 Pro Microtower as a desktop, and everything with the
OpenBSD installation runs smoothly and leaves me with a well functioning
rig. However, once I moved to setting up Xenocara (installing xfce4 and
various desktop apps) that's where my issues started.
I'm using a discrete graphics card, an ATI Radeon R7 200, rather than the
integrated Intel graphics, and it appears that it's not being configured
correctly. After spending a number of nights this past week working on
trying to get the card to work, I resorted to a fresh install of OpenBSD,
switching between the discrete and integrated graphics to see if I could
identify the issue. It seems that the kernel identifies the Intel graphics
correctly and loads the inteldrm driver and all is happy, yet it refuses to
correctly identify the Radeon card when it's installed. It's also worth
mentioning that there is no option in the BIOS to disable the integrated
graphics; apparently the BIOS is clever enough to do this on its own. I've
included both the dmesg and pcidump -v for the machine with the Radeon card
installed for your reference.

Thanks in advance for any help you can offer.

Tim

*dmesg*

OpenBSD 6.2 (GENERIC.MP) #134: Tue Oct  3 21:22:29 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 7427723264 (7083MB)
avail mem = 7195590656 (6862MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xe9fb0 (84 entries)
bios0: vendor Hewlett-Packard version "786G2 v02.03" date 10/19/2015
bios0: Hewlett-Packard HP Compaq 6000 Pro MT PC
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC ASF! MCFG TCPA SLIC HPET
acpi0: wakeup devices COM1(S4) PCI0(S4) PEG1(S4) PEG2(S4) IGBE(S4) PCX1(S4) PCX2(S4) PCX5(S4) PCX6(S4) HUB_(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz, 2992.86 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LONG,LAHF,PERF,SENSOR
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
cpu0: apic clock running at 332MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz, 2992.51 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LONG,LAHF,PERF,SENSOR
cpu1: 6MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins, remapped to apid 1
acpimcfg0 at acpi0 addr 0xf400, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEG1)
acpiprt2 at acpi0: bus -1 (PEG2)
acpiprt3 at acpi0: bus 32 (PCX1)
acpiprt4 at acpi0: bus 48 (PCX2)
acpiprt5 at acpi0: bus -1 (PCX5)
acpiprt6 at acpi0: bus -1 (PCX6)
acpiprt7 at acpi0: bus 16 (HUB_)
acpicpu0 at acpi0: !C3(100@50 mwait.1@0x30), !C2(500@17 mwait.1@0x10), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: !C3(100@50 mwait.1@0x30), !C2(500@17 mwait.1@0x10), C1(1000@1 mwait.1), PSS
"PNP0F13" at acpi0 not configured
"PNP0003" at acpi0 not configured
tpm0 at acpi0: TPM_ addr 0xfed4/0x5000: Infineon SLB9635 1.2 rev 0x10
acpibtn0 at acpi0: PBTN
"PNP0C14" at acpi0 not configured
cpu0: Enhanced SpeedStep 2992 MHz: speeds: 3000, 1998 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Q45 Host" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel Q45 PCIE" rev 0x03: msi
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Radeon HD 8600" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci1 dev 0 function 1 vendor "ATI", unknown product 0xaab0 rev 0x00: msi
azalia0: no supported codecs
"Intel Q45 HECI" rev 0x03 at pci0 dev 3 function 0 not configured
puc0 at pci0 dev 3 function 3 "Intel Q45 KT" rev 0x03: ports: 1 com
com4 at puc0 port 0 apic 1 int 17: ns16550a, 16 byte fifo
com4: probed fifo depth: 15 bytes
em0 at pci0 dev 25 function 0 "Intel ICH10 D BM LM" rev 0x02: msi, address 00:0f:fe:f4:05:db
uhci0 at pci0 dev 26 function 0 "Intel 82801JD USB" rev 0x02: apic 1 int 20
uhci1 at pci0 dev 26 function 1 "Intel 82801JD USB" rev 0x02: apic 1 int 

cannot send mail

2017-10-08 Thread Timothy Marion
Hi All,

I am able to receive mail but I cannot send mail. Could anyone point me in
the right direction?

Thanks,

Tim

# $OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $


pki jupiter.timothymarion.com certificate "/etc/letsencrypt/live/www.timothymarion.com/fullchain.pem"
pki jupiter.timothymarion.com key "/etc/letsencrypt/live/www.timothymarion.com/privkey.pem"

table aliases file:/etc/mail/aliases

listen on all

accept from any for domain "timothymarion.com" alias deliver to mbox
accept for local alias deliver to mbox
accept from local for any relay


/var/log/maillog

Oct 8 23:04:50 jupiter smtpd[21640]: 0cd1353692397daf smtp event=connected
address=14.177.236.10 host=static.vnpt.vn
Oct 8 23:04:51 jupiter smtpd[21640]: 0cd1353692397daf smtp
event=failed-command address=14.177.236.10 host=static.vnpt.vn
command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not
supported"
Oct 8 23:04:51 jupiter smtpd[21640]: 0cd1353692397daf smtp event=closed
address=14.177.236.10 host=static.vnpt.vn reason=quit
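As an added example (not from the post or from OpenSMTPD), the following parses smtp event lines of the shape shown above and counts the AUTH commands smtpd rejected, per client address and per session, which tells you whether a 503 in the log came from your own client or from an unrelated remote host. The sample log is constructed from the three lines above plus two invented sessions; the 192.168.1.50 host, its name and its session id are assumptions. A 503 on AUTH means the listener the client reached has no `auth` option, and smtpd only accepts `auth` on a listener that also does TLS.

```python
import re
import shlex
from collections import Counter

# Constructed sample log: the three lines from the post above (minus the
# stray ">br>" artifact) plus two invented sessions from a host on the LAN
# (192.168.1.50 / laptop.lan and the session id 0cd1353692397db0 are assumptions).
SAMPLE_MAILLOG = """\
Oct 8 23:04:50 jupiter smtpd[21640]: 0cd1353692397daf smtp event=connected address=14.177.236.10 host=static.vnpt.vn
Oct 8 23:04:51 jupiter smtpd[21640]: 0cd1353692397daf smtp event=failed-command address=14.177.236.10 host=static.vnpt.vn command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
Oct 8 23:04:51 jupiter smtpd[21640]: 0cd1353692397daf smtp event=closed address=14.177.236.10 host=static.vnpt.vn reason=quit
Oct 8 23:10:02 jupiter smtpd[21640]: 0cd1353692397db0 smtp event=connected address=192.168.1.50 host=laptop.lan
Oct 8 23:10:03 jupiter smtpd[21640]: 0cd1353692397db0 smtp event=failed-command address=192.168.1.50 host=laptop.lan command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
Oct 8 23:10:04 jupiter smtpd[21640]: 0cd1353692397db0 smtp event=failed-command address=192.168.1.50 host=laptop.lan command="AUTH PLAIN" result="503 5.5.1 Invalid command: Command not supported"
Oct 8 23:10:04 jupiter smtpd[21640]: 0cd1353692397db0 smtp event=closed address=192.168.1.50 host=laptop.lan reason=quit
"""

# syslog timestamp, host, "smtpd[pid]:", session id, "smtp", then key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: "
    r"(?P<session>[0-9a-f]+) smtp (?P<fields>.*)$"
)


def parse_event(line):
    """Parse one 'smtp event=...' line into a dict; return None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = {"ts": m.group("ts"), "session": m.group("session")}
    # shlex honours the double quotes smtpd puts around values containing
    # spaces, e.g. command="AUTH LOGIN" and result="503 5.5.1 ...".
    for token in shlex.split(m.group("fields")):
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def parse_log(text):
    return [e for e in map(parse_event, text.splitlines()) if e is not None]


def is_rejected_auth(event):
    return (event.get("event") == "failed-command"
            and event.get("command", "").upper().startswith("AUTH"))


def failed_auth_by_address(events):
    """Count rejected AUTH commands per client address."""
    return dict(Counter(e["address"] for e in events if is_rejected_auth(e)))


def sessions_with_rejected_auth(events):
    """Map session id -> (address, host, [SASL mechanisms the client tried])."""
    sessions = {}
    for e in events:
        if is_rejected_auth(e):
            addr, host, mechs = sessions.setdefault(
                e["session"], (e["address"], e.get("host", ""), []))
            parts = e["command"].split()
            mechs.append(parts[1].upper() if len(parts) > 1 else "?")
    return sessions


if __name__ == "__main__":
    evs = parse_log(SAMPLE_MAILLOG)
    for sid, (addr, host, mechs) in sessions_with_rejected_auth(evs).items():
        print(f"{sid}: {addr} ({host}) tried AUTH {', '.join(mechs)}; "
              "503 means the listener it reached has no 'auth'")
```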


Re: Suggestion

2012-03-09 Thread Timothy Baldock

Renzo Fabriek wrote:

> On Friday 09 March 2012 13:10:13 Nomen Nescio wrote:
>
> > > Who in their right mind would EVER want to run this crap?
> >
> > You answered your own question. My guess? People who are too cheap to buy
> > Windows and too stupid to figure out how to find a free copy of XP or Win 7
> > on the net and do the activation or find a password. That's a pretty small
> > user space.
>
> Free copies of Windows? Do they exist?

Free as in ripped off.

Although the Hypervisor-only version of 2008 R2 is iirc free as in not
costing any money.




Re: SATA RAID card suggestions?

2011-10-13 Thread Timothy Baldock
I'd recommend the Areca cards, they are expensive but worth the money IMO

On 13 Oct 2011, at 21:23, Christiano F. Haesbaert haesba...@haesbaert.org wrote:

> On 10 October 2011 22:57, Richard Johnson rd...@river.com wrote:
> > On Mon, 10 Oct 2011 14:50:45 -0700, Ryan Corder wrote:
> > > On Mon, Oct 10, 2011 at 02:16:47PM -0600, Richard Johnson wrote:
> > > > I've had great success with the Areca ARC-1210.
> > > >
> > > >  http://www.areca.com.tw/products/pcie.htm
> > >
> > > Wups, I was apparently too tired last night to find the Areca cards, though
> > > I could have sworn I'd studied the arc(4) man page.  That is, until I
> > > reviewed it again this evening after receiving your response.
> > >
> > > Thanks for getting me pointed in the right direction.
> > >
> > > Now to find one in stock.
>
> Did you find another alternative ?
> I like these Areca cards, but they are way too expensive for me, if you
> find a cheaper solution please let me know.
> I need a pci-e raid 5 card.


Hardware Question

2011-03-20 Thread Timothy Legge
I can remember, going back about 10 years now, that I used to use a server
with a dedicated ADSL nic.

I'm curious to know if these types of card still exist, and if anyone has
any experience of using them under OpenBSD?



Re: full disk encryption google chrome on OpenBSD!

2011-03-18 Thread Timothy Legge
I've found this thread to be an interesting read so far, but I do have a few
questions...

How is Webkit these days?? I only know so much as far as Apple's use of it,
and it has been a source of heavy patching in Safari for some time.

And what are the advantages or disadvantages of using chromium over xxxterm
in an OpenBSD Desktop environment?

On 18 March 2011 18:42, Antoine Jacoutot ajacou...@bsdfrog.org wrote:

> On Fri, 18 Mar 2011, Marco Peereboom wrote:
>
> > And if you use chrome why would you bother encrypting your disk anyway?
>
> Marco that is completely irrelevant in that case and you know it :)
> On a side note, why would I trust xxxterm more than chromium? They both
> use webkit and source is available for both.
>
> --
> Antoine



Setting up a CA and installing generated certificates

2011-02-28 Thread Timothy Legge
Hi all,

I've been struggling with setting up a CA on my OpenBSD box. I've been trying
to figure out where I've been going wrong over the past 3 or 4 days, and I'm
at a loss now.

I'm currently running 4.8, and I've been using this rather helpful guide:
www.tumfatig.net/20110103/back-to-the-sea-the-certificate-authority-ca-episode-iv/

I've been able to do everything in the various guides that are listed on
that site, save setting up the CA correctly.

I follow the instructions as presented, but I still can't get the damn thing
to work.

I am very happy with the process of generating the certificates, however, I'm
not sure how to actually install the damn certs after they have been created
so that I can enable SSL in Apache, Dovecot, OpenLDAP and Postfix.

The only service I have tried to get working so far has been Apache, but
every time I start httpd with -DSSL it tells me that the cert files that I
am linking to are either not present, or empty.

I would love it if someone could possibly clarify the steps needed to
install the cert and key files after they have been generated.

I am of course happy to provide more information to those willing to help,
just let me know what info you need :)

Tim



Specs for a firewall.

2011-02-28 Thread Timothy Legge
Hi list!

I'm looking to setup my first OpenBSD firewall in the near future, and I
was hoping to get a little feedback from you about ideal specs for a first
time machine.

Below is a little about my situation.

I plan to install the firewall physically between my router (Apple Time
Capsule) and my ADSL 2+ Modem so it can filter all traffic sent and received
to the Internet.

As I understand it, I will be running pf to filter the traffic on each of
the NICs installed, and I would like to install an IDS.
Besides this, I'll only really need to run whatever is necessary to allow a
secure connection to be established to that machine so I can manage it from
within my network. (Happy to be corrected if I'm wrong, I'm still learning!)

I look forward to reading your advice, and I'm happy to provide any
additional information.

Tim



To GD or not to GD

2011-01-21 Thread Timothy Legge
Ok. I'm happy with the progress I'm making with OpenBSD! I've been using it for a
little over a week now and I'm impressed with what it can do so far.

I now have this question

I have installed Joomla! 1.6 which is working all fine and dandy, and I'm
using the Community Builder addon to manage my users. Which is working as
intended too :) The only thing that isn't configured are the GD libraries.

From what I have researched, libgd support has to be built into PHP at
compile time in order for it to function correctly. So before I go ahead and
compile PHP 5 from source, I wanted to ask, given I have the choice, which
out of the following should I use? libgd (for GD 1 and GD 2 compatibility),
Imagemagick, or NetPBM??



LDAPD with NFS Home mounts

2011-01-20 Thread Timothy Legge
Hello list!

I hope this message finds you all well.

I've been spending some time today trying to figure out how to get NFS
working under OpenBSD with the shiny new LDAPD daemon.

As far as I can tell, I have LDAPD working as intended, but I would welcome
it if someone could give my config files a once over to ensure that I've
understood the documentation correctly. Here is an example of my
/etc/rc.conf.local and my /etc/ldapd.conf for reference:

# Named server configuration.
named_flags=
named_user=named
named_chroot=/var/named

# Start the LDAP Daemon
ldapd_flags=

# Enable required services for NFS
#portmap=YES
#nfs_server=YES

#End Of File

#   $OpenBSD: ldapd.conf,v 1.2 2010/06/29 02:50:22 martinh Exp $

schema /etc/ldap/core.schema
schema /etc/ldap/inetorgperson.schema
schema /etc/ldap/nis.schema

listen on 10.0.1.20
listen on lo0
listen on /var/run/ldapi

rootdn ldaproot
rootpw password

namespace dc=timothylegge,dc=co,dc=uk {
rootdn  cn=root,dc=timothylegge,dc=co,dc=uk
rootpw  password
index   sn
index   givenName
index   cn
index   mail
fsync   on
#   cache-size
#   index-cache-size
relax schema
#   denyread access
#   denywrite access
#   allow   bind acceess
#   keyword to any
}

#End Of File

So all given, as I understand it, the above config files 'should' start
LDAPD correctly. I guess now would be a good time to say I also have the
built in DNS Server running on this box too, configured correctly for the
domain timothylegge.co.uk.

I'm now stuck at the point of configuring NFS to use LDAPD for authentication
and access to the network mount points. At this point, I only want to allow
network access to the /home partition on the server. I would also like to
know how to add user accounts to the LDAPD server, as I'm unsure how to do
this. Also, it will be Mac OS X 10.6 clients that will be using the NFS and
LDAPD server.

Any help at all would be welcome at this point :)

Looking forward to your comments.

Tim



LDAP and OpenBSD 4.8

2011-01-16 Thread Timothy Legge
Hi all!

I am new to OpenBSD and have been happily playing around with it for just
over a week now and Im very impressed with how stable the OS is, and just
how well it runs.

So far I have managed to configure DNS and OAMP, which I am somewhat
familiar with from working on OS X Server.

Now I'm wanting to setup and test LDAP under OpenBSD. I have spent most of
last night and today searching the internet and the mailing lists for advice
and help on setting this up.

I have come close, but have fallen foul of an error in OpenLDAP with bdb,
and try as I might, I have been unable to find a way around this issue. The
guide I was following, which was very informative and helpful, is written
for an older version of OpenBSD and as such the packages being used are now
outdated.

I would be very grateful if some kind soul could point me in the direction
of a good guide on setting up OpenLDAP under OpenBSD 4.8 and integrating it
with the rest of my system so that I can use LDAP for my CMS.

Regards,

Tim

P.S.

I currently have MySQL installed and running well on the system. Would it be
an easier task to use this for LDAP rather than installing a second DB?



pf redirect problem

2010-09-02 Thread Timothy Beyer
Hello,

I'm having trouble setting up a redirect rule and I'm not sure where I'm going
wrong.  My redirect line and filter rules look like:

rdr on $ext_nic proto tcp from any to 38.xxx.xxx.213 -> 192.168.1.227
pass in on $ext_nic proto tcp from any to 192.168.1.227 port ssh queue ssh
pass in on $ext_nic proto tcp from any to 192.168.1.227 port www queue www

The output of 'pfctl -s nat' is:

nat on fxp0 inet from 192.168.1.0/24 to any -> 38.xxx.xxx.206
nat on fxp0 inet from 192.168.2.0/24 to any -> 38.xxx.xxx.207
nat on fxp0 inet from 192.168.3.0/24 to any -> 38.xxx.xxx.208
nat on dc3 inet from 192.168.1.0/24 to any -> 192.168.10.156
nat on fxp0 inet from 192.168.10.15 to any -> 38.xxx.xxx.206
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.209 -> 192.168.1.16
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.210 -> 192.168.1.21
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.212 -> 192.168.1.12
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.211 -> 192.168.1.24
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.213 -> 192.168.1.227

All of the other redirects are working.  I see my filter rule in the output
from 'pfctl -s rules' but I can't connect via ssh from an external network
after reloading pf.conf.  Any insight would be very much appreciated.  I've
posted my full conf at http://pastebin.com/TZa0WzE0 if needed.

Thanks,

Tim



Re: pf redirect problem

2010-09-02 Thread Timothy Beyer
Here's some log output.  I forgot to note this is on OpenBSD 4.2.  The first
entry is a successful connection to one of the working redirects.  Connection
attempts to the redirect I'm trying to add don't show up in the log even after
adding a log directive in the filter rules.

-T


tcpdump: listening on pflog0, link-type PFLOG
Sep 02 15:00:13.263016 rule 24/(match) pass in on fxp0: 75.xxx.xxx.209.51635 > 192.168.1.16.22: [|tcp] (DF)
Sep 02 15:00:14.783786 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:15.529433 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:16.279410 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:17.779913 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:18.529400 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:19.279498 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53: [|domain]
Sep 02 15:00:20.780050 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
Sep 02 15:00:21.529443 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
Sep 02 15:00:22.28 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request

From: sven falempin [sven.falem...@gmail.com]
Sent: Thursday, September 02, 2010 2:05 PM
To: Timothy Beyer
Cc: misc@openbsd.org
Subject: Re: pf redirect problem

tcpdump on pflog will probably help (see the FAQ)

2010/9/2 Timothy Beyer timot...@titaniumant.com
Hello,

I'm having trouble setting up a redirect rule and I'm not sure where I'm
going
wrong.  My redirect line and filter rules look like:

rdr on $ext_nic proto tcp from any to 38.xxx.xxx.213 -> 192.168.1.227
pass in on $ext_nic proto tcp from any to 192.168.1.227 port ssh queue ssh
pass in on $ext_nic proto tcp from any to 192.168.1.227 port www queue www

The output of 'pfctl -s nat' is:

nat on fxp0 inet from 192.168.1.0/24 to any -> 38.xxx.xxx.206
nat on fxp0 inet from 192.168.2.0/24 to any -> 38.xxx.xxx.207
nat on fxp0 inet from 192.168.3.0/24 to any -> 38.xxx.xxx.208
nat on dc3 inet from 192.168.1.0/24 to any -> 192.168.10.156
nat on fxp0 inet from 192.168.10.15 to any -> 38.xxx.xxx.206
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.209 -> 192.168.1.16
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.210 -> 192.168.1.21
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.212 -> 192.168.1.12
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.211 -> 192.168.1.24
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.213 -> 192.168.1.227

All of the other redirects are working.  I see my filter rule in the output
from 'pfctl -s rules' but I can't connect via ssh from an external network
after reloading pf.conf.  Any insight would be very much appreciated.  I've
posted my full conf at http://pastebin.com/TZa0WzE0 if needed.

Thanks,

Tim




--
 No doubt it is one of the functions of art to replace religious faith by the
effective ingredient of beauty. At least beauty must have the power of a poem,
that is to say of a crime.



Re: Low power OpenBSD machine

2009-04-13 Thread Timothy Hume
Hi everyone,

Thank you for all the suggestions; these have given me plenty of ideas
to research.

Cheers,

Tim.



Re: web development on OpenBSD

2008-04-27 Thread Timothy Wilson
Hi there,

I was in a similar position to you a few months ago. I decided to go
with Ruby on Rails, it's really simple! But to get the most out of it
you should buy a book. Agile Development with rails is a good one.

It might be worth reading a php + mysql tutorial just to see how yucky it is.

Kind regards,
Timothy.



Re: rackmount servers: seeking green compromise

2008-03-28 Thread Timothy Wilson
Hello Jacob,

I might be missing something, but is anything stopping you from
consolidating your servers onto a single HP / Dell that you already
have? Or are these all at different customer sites? Depending on your
power and processor usage, you might actually find that a single HP /
Dell uses the same or less power than several 'low power' 1RU servers,
with the advantage that you don't have to buy any more gear.

I read your post to take it that all these boxes are at a single site,
rather than multiple, off site locations.

Otherwise, Intel has just released a new low power Xeon, which is
rated for just 45w if I recall correctly (dual core). Your OEM of
choice will no doubt have some systems configured with these new
processors.

Kind regards,
Timothy.

On 28/03/2008, Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:
> have a number of rackmount machines of various sorts in service at the
> moment and, based on the relatively low load on them, am interested in
> finding equipment that is more optimal from the environmental /
> consumption point of view.
>
> machines that are currently in use are a smattering of dell, hp, sun and
> via c3 / c7 rigs. it is hard not to notice the substantial noise, power
> draw and heat that comes from the dell and hp rackmount systems and i
> would like to see if better rackmount server choices exist that satisfy
> the following criteria:
>
> - fast disks with hardware raid, i.e. u320 or sas, that are
> hotswappable; am willing to accept SATAII if other criteria work
> - non-i386 architecture; expect amd64 is the next best for cost
> - decent processor speed and single core; these will be mailservers,
> webservers, asterisk servers, etc, that aren't sufficiently loaded to
> make processor speed a serious performance bottleneck
> - low power draw / heat signature
> - low noise
> - 1U or 2U size
>
> the via c3 / c7 systems definitely do the trick for simple stuff like
> firewalls that don't require quick or redundant disks. my experience
> also indicates that you can certainly fully load the processor of a via
> c3 system and lag it pretty badly.
>
> i look forward to suggestions :)
>
> cheers,
> jake



Re: UFS2 status in 4.3?

2008-03-15 Thread Timothy Wilson
Hello,

I think Michael meant UFS, as in what FreeBSD uses. I too would like
to know the status on this, as I have a FreeBSD machine that could
become an OpenBSD machine :)

Kind regards,
Timothy

On 16/03/2008, Otto Moerbeek [EMAIL PROTECTED] wrote:
> On Sat, Mar 15, 2008 at 08:13:00PM +0200, Michael Dexter wrote:
>
> > Hello,
> >
> > I didn't see any mention of changes to UFS2 support in 4.3:
> >
> > http://www.openbsd.org/43.html#new
> >
> > Will it still require a kernel recompilation to use?
>
> 4.2 and 4.3 have ffs2 support.  No recompilation needed, which is
> already true for 4.2.
>
> 4.3 does have large disk (> 2TB) disk support though.
>
> > Perhaps no? http://fxr.watson.org/fxr/source/conf/GENERIC?v=OPENBSD
> >
> > Is it bootable?
>
> No. The boot media and boot loader do not support FFS2.
>
> -Otto



dvorak key layout

2008-03-15 Thread Timothy Wilson
Hello misc@,

I was wondering how I can use a dvorak keyboard on the console? I've
googled, but I can only find how to's for X11, or for 2.x OpenBSD. I'm
sure it's something simple in rc.conf (.local!), but I can't find it.
Any help would be appreciated.

Kind regards,
Timothy



Re: dvorak key layout

2008-03-15 Thread Timothy Wilson
Thanks Ryan,

Maybe this is new in 4.3 or 4.2? I don't have this option in 4.1. I
guess I should upgrade :)

Timothy.

On 16/03/2008, Ryan McBride [EMAIL PROTECTED] wrote:
> On Sun, Mar 16, 2008 at 12:47:48PM +1030, Timothy Wilson wrote:
> > I was wondering how I can use a dvorak keyboard on the console? I've
> > googled, but I can only find how to's for X11, or for 2.x OpenBSD. I'm
> > sure it's something simple in rc.conf (.local!), but I can't find it.
> > Any help would be appreciated.
>
> Select us.dvorak as the keyboard layout in the installer
>  -or-
> put 'us.dvorak' in /etc/kbdtype, and reboot
>  -or-
> Use kbd(8) to set the keyboard encoding to us.dvorak on the command line
> (kbd -l will give you a list of all your options)



Re: UFS2 status in 4.3?

2008-03-15 Thread Timothy Wilson
Ah my mistake. I have to specify either 44bsd or ufs2 when I mount BSD
partitions in Linux, so I thought they were different.


On 15 Mar 2008 21:37:45 -0700, Unix Fan [EMAIL PROTECTED] wrote:
> Timothy Wilson wrote:
>
> > Hello,
> >
> > I think Michael meant UFS, as in what FreeBSD uses. I too would like
> > to know the status on this, as I have a FreeBSD machine that could
> > become an OpenBSD machine :)
> >
> > Kind regards,
>
> They are the same thing, FFS is an acronym for Berkeley's Fast File
> System - which is a descendant of AT&T UFS (Unix File System).
>
> I agree, the naming conventions between the BSDs are unique... but see the
> following and just accept the fact UFS2 or FFS2 are partially supported as
> Otto explained.
>
> http://lists.freebsd.org/pipermail/freebsd-current/2003-April/001444.html
>
> http://en.wikipedia.org/wiki/Unix_File_System
>
> -Nix Fan.



Re: Does OpenBSD support Hebrew?

2007-09-23 Thread Timothy Wilson
Hi Amit,
Maybe I missed something, but you do have a Hebrew font installed on
your system and in your font path right?

On 24/09/2007, Marc Espie [EMAIL PROTECTED] wrote:
> We do not have full i18n support. The locale stuff in the base system
> is not finished (I know, I'm late...)
>
> Qt has its own locale system, so hebrew should work just fine in all
> Qt and KDE applications (including right-to-left text).
>
> Gnome and gtk also have some support.
>
> Vim supports more or less every script including hebrew.
>
> I don't know if there's any issue with input, I'm not familiar with
> hebrew, and I've only been working with japanese input.
>
> There might be some tweak to help OpenOffice. Does OpenOffice support
> hebrew on some platforms ? If it does, it might make sense to try to
> figure out the configuration differences.



Unstable PPPoE

2007-07-27 Thread Timothy Wilson
Hello ladies and gentlemen!

I'm having a frustrating problem. My internet is highly unstable when
using bit torrent. I don't think there's anything special about my
configuration: my gateway is a craptop with inbuilt Intel ethernet and
a url0 USB ethernet for the modem. The connection is bridged, using pf
(obviously) for routing / firewall and kernel PPPoE for dialing via my
bridged netcomm nb5+.

Basically, when I try to use bit torrent the connection dies after
about 20mins. The kernel PPPoE daemon doesn't bring it back up. In
fact, even doing
#sh /etc/netstart
doesn't bring it back up. The only way to bring it back up is via a
reboot :( Very frustrating. It also takes about 10-15mins to
reconnect; surely that's a bit too long, even for PPPoE? I know this
isn't a problem with my ISP as I've always been able to download bt
stably when I was using the modem in router mode. I thought it might
have been an MTU problem, but I'm using the mss fix in /etc/pf.conf,
so I don't think it's that. I played around with a few values just to
be sure, but I'm open to suggestions.
I'll post my dmesg, /etc/pf.conf and /etc/hostname.pppoe. If there's
anything else I should send, please let me know!

/etc/pf.conf:

# Timothy's PF.conf, running on failtop

# My fun as ports!
#
# Bit torrent
shitbox_bt  = 6881
craptop_bt  = 6882
failtop_bt  = { 6883, 6884, 6885, 6886 }
# SSH
shitbox_ssh = 22
craptop_ssh = 24
failtop_ssh = 25
# VoIP
johnbox_voip= { 3478, 5060, 8000, 8001 }

# Macro fun!!!
#tcp_services   = { www, ssh, domain, auth }
udp_services= { domain, ntp, 3478, 5060, 8000, 8001 } #look at adding NTP for clients
allow_out   = { 1863, 6969, www, ftp-data, ftp, ssh, domain, pop3, smtp, auth, http, https, 446, 8080 }
icmp_types  = { echoreq, unreach }
bt_pass = { 6881,6880,6882,6883, 6884, 6885, 6886 }

# Fun fun interfaces
ext_if  = pppoe0
int_if  = fxp0
local   = $int_if:network
outside = $ext_if:network
#ftpProxy   = 127.0.0.1

# IP Map (lots of fun)
shitbox_ip  = 192.168.1.10
craptop_ip  = 192.168.1.3
failtop_ip  = 192.168.1.55
johnbox_ip  = 192.168.1.8
martians= { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
  10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
  0.0.0.0/8, 240.0.0.0/4 }

# Normalisation fun!
scrub in #all
scrub out on pppoe0 max-mss 1440

# Fun fun rules!
#
# NAT section
nat on $ext_if from $local to any -> ($ext_if)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Services
#
#Squid
rdr on $ext_if proto tcp from $ext_if:network to any port www -> $failtop_ip port 3128
# Outside users!
# Redirect Bit Torrent
rdr on $ext_if proto {udp,tcp} from any to $ext_if port $shitbox_bt -> $shitbox_ip
rdr on $ext_if proto tcp from any to $ext_if port $craptop_bt -> $craptop_ip
rdr on $ext_if proto {udp,tcp} from any to $ext_if port $failtop_bt -> $failtop_ip
# Redirect SSH
rdr on $ext_if proto tcp from any to $ext_if port $shitbox_ssh -> $shitbox_ip
rdr on $ext_if proto tcp from any to $ext_if port $craptop_ssh -> $craptop_ip
rdr on $ext_if proto tcp from any to $ext_if port $failtop_ssh -> $failtop_ip
# Redirect VoIP
rdr on $ext_if proto {tcp, udp} from any to $ext_if port $johnbox_voip -> $johnbox_ip
# Local users!
# Redirect SSH
rdr on $int_if proto tcp from $local to $ext_if port $shitbox_ssh -> $shitbox_ip
rdr on $int_if proto tcp from $local to $ext_if port $craptop_ssh -> $craptop_ip
rdr on $int_if proto tcp from $local to $ext_if port $failtop_ssh -> $failtop_ip


# Fun fun filtering section
antispoof for $ext_if
antispoof for $int_if
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

block return
pass from { lo0, $local } to any keep state
# Fun FTP allow fun
anchor ftp-proxy/*
pass out proto tcp from 127.0.0.1 to any port 21

# Fun services for everyone to be passed out
# Allow outgoing dns, needed by pfctl to resolve names.
pass out proto tcp to any port $allow_out
pass proto udp to any port domain
# Allow BitTorrent
pass inet proto { tcp, udp } to $shitbox_ip port $bt_pass flags S/SA
keep state (max-src-conn 500)
pass inet proto { tcp, udp } to $failtop_ip port $bt_pass flags S/SA
keep state (max-src-conn 500)

#pass proto tcp from $local to any port $allow_out
pass quick inet proto { tcp, udp } to any port $udp_services keep state

# Let ICMP traffic from local as well as outside
pass inet proto icmp all icmp-type $icmp_types keep state
# Traceroute
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Pass our BT and SSH fun fun packets
pass proto tcp from any to $shitbox_ip port $shitbox_bt
pass proto tcp from any to $shitbox_ip port $shitbox_ssh
pass proto tcp from any to $craptop_ip port $craptop_bt
pass proto tcp from any to $craptop_ip port $craptop_ssh
pass proto tcp from any to $failtop_ip port $failtop_bt
pass proto tcp from 

Half-bridged DSL modem...no joy?

2007-07-12 Thread Timothy Wilson

Hello,
I'm trying to set up a gateway / firewall at my home. I've set my
modem into half bridge mode, and my ethernet card (url0) is able to
get the address correctly if I use dhclient once the system has booted
(more on that later). I've set /etc/resolv.conf to use the correct
name servers that my ISP provides. So I'm guessing that leaves the
question of setting the right gateway.

Here's /etc/hostname.url0:
dhcp NONE NONE NONE
!/sbin/route add default -ifp url0 0.0.0.1

However, when my machine boots up, it can't get an address via DHCP!
This is very strange; the modem is on and connected, so I know it has
the address to give out. Obviously because I don't have an IP address,
adding the default route fails too. The strange thing is though, that
once the machine is booted, I can log in and do dhclient and it all
works fine. I can even set the route, but I still can't connect to the
internet. Is there something glaringly obvious that I'm doing wrong?


I'm not sure what other information I should provide. I'll add my
dmesg, though I'm not sure that it's necessary:

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 907 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 251162624 (245276K)
avail mem = 221499392 (216308K)
using 3096 buffers containing 12681216 bytes (12384K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 02/25/02, BIOS32 rev. 0 @
0xfaf93, SMBIOS rev. 2.3 @ 0xec000 (46 entries)
bios0: TOSHIBA DynaBook T4/410PME
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, estimated 3:03 hours
apm0: flags 20102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0200/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Acer Labs M1533 ISA rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0xc000 0xe/0x1!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Acer Labs M1644 PCI rev 0x01
ppb0 at pci0 dev 1 function 0 Acer Labs M5247 AGP/PCI-PC rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Trident CyberBlade XP/Ai1 rev 0x82
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ohci0 at pci0 dev 2 function 0 Acer Labs M5237 USB rev 0x03: irq 11,
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Acer Labs OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pciide0 at pci0 dev 4 function 0 Acer Labs M5229 UDMA IDE rev 0xc3:
DMA, channel 0 wired to compatibility, channel 1 wired to
compatibility
wd0 at pciide0 channel 0 drive 0: TOSHIBA MK4018GAS
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MATSHITA, UJDA720 DVD/CDRW, 1.00 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
autri0 at pci0 dev 6 function 0 Acer Labs M5451 Audio rev 0x01: irq 11
ac97: codec id 0x414b4d02 (Asahi Kasei AK4543)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, AKM 3D
audio0 at autri0
midi0 at autri0: 4DWAVE MIDI UART
pcib0 at pci0 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
alipm0 at pci0 dev 8 function 0 Acer Labs M7101 Power rev 0x00: 74KHz clock
iic0 at alipm0
admtemp0 at iic0 addr 0x4c: adm1032
fxp0 at pci0 dev 10 function 0 Intel 8255x rev 0x0d, i82550: irq 11,
address 00:00:39:8c:91:ed
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
TI TSB43AB22 FireWire rev 0x00 at pci0 dev 12 function 0 not configured
cbb0 at pci0 dev 17 function 0 Toshiba ToPIC100 CardBus rev 0x32: irq 11
cbb1 at pci0 dev 17 function 1 Toshiba ToPIC100 CardBus rev 0x32: irq 11
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x0, lattimer 0x0
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x0, lattimer 0x0
pcmcia1 at cardslot1
biomask ef6d netmask ef6d ttymask ffef
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
url0 at uhub0 port 2
url0: 

Re: Half-bridged DSL modem...no joy?

2007-07-12 Thread Timothy Wilson

Thanks Antoine and Stuart for your replies.

On 13/07/07, Stuart Henderson [EMAIL PROTECTED] wrote:

let's see what tricks this particular router is playing with
'half bridge'... (full bridge and pppoe is usually easier when
your ISP supports it): run this and fire off a dhclient

# tcpdump -vvniurl0 -os2000 port bootps or port bootpc


The problem is that I can't run tcpdump on boot, before the dhcp
allocation fails. Once the machine has booted, it can get dhcp fine :(
I tried removing the /etc/mygate file because I thought that could
interfere, but that made no difference either :(
No matter who I try to ping (well, just my ISPs name servers;
www.google.com obviously fails) it always comes back with sendto: No
route to host. I can't even traceroute!!

Maybe the modem's half bridging is broken, and I need to use full
bridged mode. Is that what is normally suggested? I can't find any
resources for half bridging PF gateways (or iptables for that matter).
Or is dhclient not working properly? I'm using some slightly stranger
hardware - it's a usb network thing. Could that make a difference?



User mount cdrom?

2007-06-09 Thread Timothy Wilson

Hello,
I'm having great difficulty allowing my users to mount the cdrom. I've
looked in the faq and both fstab and mount manpages, but still can't
find it! I think the GNU tools allow:

mount /dev/cd0a /mnt/cdrom -t cd9660 -o user

I'm looking for the appropriate fstab entry, but according to the man
pages, there doesn't seem to be a way? I thought it would be something
like this:

/dev/cd0a /mnt/cdrom cd9660 noauto,ro,user 0 0

But I get the following:

mount_cd9660: -o user: option not supported

Help!

Timothy.



Re: a cd key

2007-05-18 Thread Timothy Wilson

Had you thought about mounting certain areas as read only?
For example, /etc, /local can be mounted as read only. When you want
to make changes, such as installing a new package or whatever, just
remount the file systems read/write.
You can also use jails.

Timothy



Re: NOOP and Spamd

2007-03-19 Thread Timothy A. Napthali
The only problem I can foresee is that I remember reading somewhere that
some MTAs use NOOP as a kind of keep-alive at times. This may be an
issue depending on how those MTAs deal with not getting the 250 response
from SPAMD they were expecting.

Tim.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Dave Anderson
Sent: Tuesday, 20 March 2007 6:03 AM
Cc: OpenBSD Misc
Subject: Re: NOOP and Spamd

** Reply to message from Bob Beck [EMAIL PROTECTED] on Mon,
19 Mar 2007 09:40:52 -0600

* Sid Carter [EMAIL PROTECTED] [2007-03-19 03:25]:

  Regardless, if NOOP is in the SMTP standard, and spamd does not
  handle it correctly, that is a bug that needs to be fixed.

   Bullshit. that's not a good enough reason - spamd does not implement
all of smtp, and never will. saying it's in the smtp standard is the
wrong way to get anything into spamd :)

   OTOH, if there is real stuff from the century of the fruit bat that
uses this I'll put it in.  If it's someone's BBS mailer from the
century of Def Leppard and Mullets I'm not bloating the code one line
to deal with it. I've asked the poster for details. Anyone else who can
confirm real stuff needing NOOP please let me know.

I certainly don't want to see spamd (or anything else) made
overcomplicated by 'somebody might need that code', but wouldn't it make
sense to include anything which is both in the standards and truly
trivial to implement sufficiently for spamd's purposes?  It seems to me
that in those cases the cost to implement and maintain is so low as to
be worthwhile even if it only avoids relatively unlikely problems.

Dave

--
Dave Anderson
[EMAIL PROTECTED]



OpenBSD 4.0 NET-SNMP - UCD Broken?

2006-11-06 Thread Timothy A. Napthali
Does anyone know if something happened to OpenBSD 4.0 or the net-snmp
package for OpenBSD 4.0? I've just installed both on a new box and SNMP
UCD objects are broken; they seem to be missing?



Re: 256 color support for terminals under X

2006-06-20 Thread Timothy
On Tuesday 20 June 2006 12:14 am, Bihlmaier Andreas wrote:
 Hello misc@,

 I stumbled across a problem with all X terminal emulators in OpenBSD
 (that is xterm and aterm, eterm and rxvt from ports).
 None of the above seems to support 256 colors. I tried various
 combinations of $TERM (xterm, xterm-color, xterm-xfree86,
 xterm-256color) with all the terminals, running and not running screen.

I use termtype gnome to get colors in vim.

Tim



Re: Spamd stats

2006-05-19 Thread Timothy A. Napthali
I got this script (spamd_parser.tgz) from a guy called Christopher
Kruslicky so all credit goes to him. It uses RRD Tool and provides a
fairly nice graph. It also runs as a daemon.

I butchered his code to produce two Perl daemons (spamd.zip) - one that
monitors the spamd log and updates the RRD database, and another that
builds new graphs from that database. The reason I did it this way is
that the graphs are hosted on another server and I needed to be able to
fetch, via SCP, a completed graph to be shown on the web page as opposed
to generating the graphs on demand. Keep in mind that although it seems
to work perfectly and has done so for over a year, my Perl skills are
newbie level so I'm sure I've done a few things that may not be the
best. Any way, feel free to use them if you wish.

Tim.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Mike Spenard
Sent: Saturday, 20 May 2006 6:29 AM
To: misc@openbsd.org
Subject: Spamd  stats

Hi,
 I'm looking for scripts to generate statistics off of /var/log/spamd

Thanks,
 Mike Spenard

[demime 1.01d removed an attachment of type application/x-compressed which had 
a name of spamd_parser.tgz]

[demime 1.01d removed an attachment of type application/x-zip-compressed which 
had a name of spamd.zip]



Re: /usr/share/pf/ suggestion

2005-08-24 Thread Timothy Donahue
On Tuesday 23 August 2005 11:58 pm, eric wrote:
 On Tue, 2005-08-23 at 16:53:25 -0600, Theo de Raadt proclaimed...

  It is plain simple bad advice.  And totally ridiculous.

 And plus, with ipv6, it's imperative that the filters be pushed down to the
 end-host so we can quit relying on stupid firewalls and NAT bullshit to
 break networks and slow progress. Itojun mentioned the fact that each host
 should have a firesuit in the ipv6 world.  It's quite good advice.

Well, let's not get ahead of ourselves here.  Filtering at the network edge is 
A Good Thing(TM) when done correctly, it is NAT that is not necessarily a 
good thing.  Filtering incoming (and possibly outgoing traffic) helps do 
several things, first it decreases the burden on your hosts.  It also allows 
you a place to stop traffic that should never leave your network, for 
example, only your mail servers should be allowed to send traffic on port 25.

I'm not saying that we should ignore host based firewalls, because that isn't 
the case, I'm just recommending that you not be so quick to dismiss the value 
of having a filter beyond the host.
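An added example, not from this thread, of the edge policy described above (only the mail servers may originate SMTP), written in current OpenBSD pf syntax; the interface names and the 192.0.2.25 address are placeholders:

```pf
# Added example, not from the thread: edge filtering that lets only the
# mail servers originate SMTP. Interface names and the table entry are
# constructed placeholders (192.0.2.0/24 is documentation address space).
ext_if = "em0"
int_if = "em1"
table <mail_servers> const { 192.0.2.25 }

set skip on lo
block log all

# Decide on the inside interface, before any NAT on $ext_if could rewrite
# the source address, so the table lookup sees the real internal host.
# "quick" ends evaluation here; without it the later, more general pass
# rule would win, because the last matching rule wins.
block in log quick on $int_if inet proto tcp from ! <mail_servers> to any port smtp

# Everything else from the inside may go out; nothing unsolicited comes in.
pass in on $int_if inet from $int_if:network to any
pass out on $ext_if inet all

# Host-based filtering still applies on each machine. This rule set only
# stops compromised or misconfigured hosts from relaying through the edge,
# and the pflog0 entries show which internal host tried.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; the logged hits can be watched with `tcpdump -n -e -ttt -i pflog0 port smtp`.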



Re: OpenBSD 3.8 negative free space (?WTF?)

2005-08-24 Thread Timothy Donahue
On Wednesday 24 August 2005 03:25 pm, John Kintaro Tate wrote:
 Okay.

 I am wondering where all the space nicked off to, since I only
 installed it not long ago. I haven't run out of space on a system for a
 long time, how do I figure out what the biggest files and stuff are
 again?

 Thanks in advance.

 Kintaro.


man find (Hint: see the -size option)



Re: My OpenBSD system cannot load any shared object anymore!!!

2005-08-22 Thread Timothy Donahue
We are going to need details of what you did before it stopped working.  
(Hint: you can boot into single user mode with boot -s at the boot prompt)

Tim Donahue

On Monday 22 August 2005 09:36 am, Joco Salvatti wrote:
 Hi all,

 I was trying to emulate linux binaries under my OpenBSD system 3.7, but I
 believe I made a mistake. My OpenBSD system cannot load any shared object
 anymore. Anything I try to run, the system can't load the shared object to
 which it's linked. I thought that restarting the system the problem would
 be solved, but it got worse. It doesn't start ttys anymore, doesn't ask for
 login,
 the system is a mess.
 Is there anyway to solve this problem, or is it only the case of a new
 install?

 Thanks.

 --
 Joco Salvatti
 Undergraduating in Computer Science
 Federal University of Para - UFPA
 web: http://salvatti.expert.com.br
 e-mail: [EMAIL PROTECTED]



Re: backup filesystem

2005-08-19 Thread Timothy Donahue
On Thursday 18 August 2005 06:57 pm, Edd Barrett wrote:


 See this is why I asked here, I know that FFS is close friends with
 UFS, but I wasn't sure. So you reckon I can use native solaris FS and
 mount in OBSD?


close friends != compatible. Sun's current UFS was originally based on 
Berkeley's FFS, but has been modified quite a bit in the last 20+ years.

Rsync over ssh would work if you have a net connection between the two, and it 
would save on shipping costs.  If you are required to use something that both 
Solaris and OpenBSD can read then you are likely stuck with vfat or some type 
of standard removable media (DVD burner?).  

Tim Donahue



Re: back and neck pain

2005-08-19 Thread Timothy Donahue
Does TCF count as a valid reason to call out sick from work?

On Friday 19 August 2005 09:43 am, Marius Van Deventer - Umzimkulu wrote:
 Percussive Maintenance :-)

  -Original Message-
  From: Richard Welty [mailto:[EMAIL PROTECTED]
  Sent: 19 August 2005 01:46 PM
  To: [EMAIL PROTECTED]; misc@openbsd.org
  Subject: Re: back and neck pain
 
  [EMAIL PROTECTED] writes:
   A friend told me about you- i have a' spondie'-l4-l5, that
   surgery helped a little, and 10 mos. later my car fell off the jacks,
   breaking my back-burst fracture of t-12, and aggravating the 'spondie'.
   I have a lot of pain and percocets have helped, can you help me?
 
  here's something that works for me.
 
  get a friend to help, preferably a big friend who works out.
  give them a baseball bat, and have them start battering you
  about the head and neck with it.
 
  i guarantee you won't notice the back pain any more.
 
  hope this helps,
richard
  --
  Richard Welty
  [EMAIL PROTECTED]
  Averill Park Networking
  Java, PHP, PostgreSQL, Unix, Linux, IP Network
  Engineering, Security
Well, if you're not going to expect unexpected flames,
   what's the point of going anywhere? -- Truckle the Uncivil

 [demime 1.01d removed an attachment of type application/x-pkcs7-signature
 which had a name of smime.p7s]



Re: backup filesystem

2005-08-19 Thread Timothy Donahue
On Friday 19 August 2005 12:00 pm, Edd Barrett wrote:
  As others have pointed out, use a tarball on a vfat filesystem. You might
  want to doublecheck the capabilities of the various tar utilities, and
  perhaps use gtar
  (GNU Tar) on both ends.

 I don't have enough cash to buy another disk and I know there will not
 be space on the disk to tar up. (I iterate) The disk will be in active
 use.

 vfat sounds best.

Edd, although this just sounds like you are asking for trouble, I found a link 
for ext2 support for Solaris 9.  Good luck.

http://paulf.free.fr/software.html

Tim Donahue



Re: Hard Disk Password Security Info

2005-08-18 Thread Timothy Donahue
On Thursday 18 August 2005 11:02 am, Dave Feustel wrote:
 On Thursday 18 August 2005 09:38, Dimitry Andric wrote:
  See the atactl(8) manpage, in particular the sec* commands.

 I was looking that that manpage yesterday. It confirms that it
 is possible to make the disk data inaccessible to anyone without
 the user password.

  However, I don't believe these harddisks actually encrypt all data on the
  disk, so it's not really a security measure.

 OK. How long will it take you to get data off a disk made maximally secure
 via atactl commands? (Answer: most likely you won't get the data, ever).
 Also note that if atactl is used to set the user disk password, you
 will not be able to boot from a computer with a bios that doesn't offer you
 the opportunity to type in the user password you set while the system was
 running. That's what the 'freeze' command is for. (You did read about the
 freeze command, right?)

  By zapping the firmware, or triggering some other magic switch, you're
  probably always able to unlock these disks.

 That does seem to be the case right now for at least one company
 specializing in disk data recovery. But that approach to getting the data
 is expensive and time consuming. In other words: forget about getting
 access to password-protected disk data with a screwdriver and another
 computer.

The only way to recover information off of a disk that has the ata security 
password protection implemented correctly is to transplant the platters into 
another disk (of the same type).  IIRC, if the security spec is implemented 
correctly then just changing the external controller is not enough to allow 
the password to be bypassed and swapping the platters into another disk is 
not a trivial task.  It is not encrypted, but the controller will refuse to 
read information off of the disk.  

Tim Donahue



Re: The Care and Feeding of OpenBSD

2005-08-17 Thread Timothy Donahue
On Wednesday 17 August 2005 09:48 am, Will H. Backman wrote:
  I have the following line in my crontab '(/usr/src/ && cvs -q update -PAd
  -rOPENBSD_3_7)'  If there are any updates, cron will email them to you (cron
  automatically emails any output to the user that owns the cron job, so setup
  your aliases and optionally your .forward file)

 I'm curious about the cvs options, specifically the -A.  The FAQ's don't
 use it in their examples.  Is the -A flag preferred?  I can see why it
 might be according to the cvs man page.

The -A option resets any tags, so you have to remember to specify the revision 
each time you run CVS.  It is found in the section for the update command.

Tim Donahue



Re: The Care and Feeding of OpenBSD

2005-08-17 Thread Timothy Donahue
On Wednesday 17 August 2005 12:59 pm, Will H. Backman wrote:
   2. Disaster Recovery:  Dump and Restore, or make a tar file for use as
   an install set?
 
  make a release for every upgrade (-stable) you do, add your packages
  to sitexx.tgz. backup your data and config files regularly.

 OK.  Looking at the release(8) man page...yikes!  Is this really the
 best way to start backing up an OpenBSD system?

Best? Who quantifies what makes the best backup system.  I gave you one 
option which will rapidly get your system running after something like a HD 
failure or a fat-fingered 'rm -rf /*' instead of 'rm -rf ./*'.  You need to 
decide which method works best for you, for me it was the sitexx.tgz with 
the newly installed system and tar archives of the latest and greatest 
configuration.  For you, you might want to keep a DLT tape with the packages 
you install, the release you installed, and a cpio archive of the 
configs/data.  Or you may not even care about the installed system/packages 
and may just want to keep the configs/data that you need should disaster 
strike.  This is all subjective and needs to be reviewed based upon your 
company's requirements or personal need.

Tim Donahue



Re: The Care and Feeding of OpenBSD

2005-08-16 Thread Timothy Donahue
-Original Message-
From:  Hannah Schroeter [mailto:[EMAIL PROTECTED]
On Tue, Aug 16, 2005 at 11:36:42AM -0400, Timothy Donahue wrote:
[...]

As a general rule, if the update is in a library or in the /usr/src/sys folder
then I build and install a new kernel then do a `make build`.  If the change
is in an application, then I skip the kernel.

IIRC the kernel doesn't use anything to build not contained in
/usr/src/sys, so I think no new kernel needed for /usr/src/lib changes.


/usr/src/sys may well be self contained, however I have never tried building it 
without the full source tree nor have I spent the time to look through the code 
to see if it is.  I have found that the 15 minutes it takes to build, install, 
and reboot to install the new kernel isn't that big a burden since we have 
built a fair amount of redundancy into the services that are provided by 
OpenBSD.

Tim Donahue



Re: Major Surprise with xdm on 3.7

2005-08-11 Thread Timothy Donahue
On Thursday 11 August 2005 01:41 pm, Paul de Weerd wrote:

 The fact that you can not run multiple X servers on one videocard, as
 it currently stands.

 You really should read up on ttys(5) and the X Windows.


That isn't entirely true, on my Linux desktop I have gdm starting 2 virtual 
consoles with graphical logins, one I use for XDMCP to connect to other 
systems and the other gets used to log into the local computer.  This is 
great when I want to do something that is installed on my laptop, but want to 
take advantage of my dual head setup on my desktop.  I believe that you 
configure this in the Xservers for xdm, however I normally don't use xdm so 
Google will be your best bet for information.  

I have also seen allusions to the fact that it is possible to have multiple 
keyboards/mice/monitors to allow multiple people to access 
a single workstation at the same time, but I have yet to see any concrete 
evidence of people that get it to work correctly.  However the OP seemed to 
be asking for what I described earlier, that is multiple virtual consoles for 
a Fast User Switching type setup on his computer, which is possible, please 
note: it is EXTREMELY resource intensive.

Tim Donahue



Re: just a 'thank you' ;)

2005-08-05 Thread Timothy Donahue
On Friday 05 August 2005 09:01 am, Peter Huncar wrote:
 Hi


[snip comparison of 2 different systems with different hardware and different 
services that result in a different load]

Replacing the NIC's with em or some other well designed gigabit card might 
help if his interrupt counts are high, but I would personally start by 
offloading squid onto a separate server.  (You didn't list squid as running 
on your server and squid can eat up a lot of resources.)  

Tim Donahue



Re: just a 'thank you' ;)

2005-08-05 Thread Timothy Donahue
On Friday 05 August 2005 12:09 pm, Henning Brauer wrote:
 * Timothy Donahue [EMAIL PROTECTED] [2005-08-05 18:06]:
  Replacing the NIC's with em or some other well designed gigabit card

 em is not a well designed gigabit card.

  might help if his interrupt count are high

 not at all, there is no int mitigation on em.
 well, the hardware supports it, but there's so many bugs that it is
 turned off - at least here, not sure what linux does.

Henning, I'm sure this is a stupid question but are the int mitigation 
problems generic or specific to the em line?  Would a sk based card work 
better?

Tim Donahue



Re: suggested /etc/skel/ modifications

2005-07-28 Thread Timothy Donahue
On Thursday 28 July 2005 08:00 am, Jonathan Schleifer wrote:
 Moritz Grimm [EMAIL PROTECTED] wrote:
  This kind of paranoia adds nothing to security (~/.ssh and others that
  need it are already set to restrictive permissions), and there is no
  privacy from root no matter what. The rest is, again, personal
  preference and/or something about local policies.

 Ever heard of a multiuser system where one user shouldn't be able to
 access the files of another user? Not all users are thinking about this
 issue and many forget to change the modes for confidential files. IMO,
 it's not paranoid, but useful. On a singleuser system, it might not
 matter, for example on your desktop. On my desktop, I don't have 700
 either. But on my server, it's very important for me to have 700.

This is fairly easy to customize since the adduser command is just a perl 
script.  (Hint: I believe that line 1143 in 3.7 might be a good place to 
start looking.)  

Tim Donahue

PS. See http://www.openbsd.org/faq/faq4.html#site for an easier way to 
distribute this change when you are installing.



Re: suggested /etc/skel/ modifications

2005-07-28 Thread Timothy Donahue
On Thursday 28 July 2005 12:37 pm, Dave Feustel wrote:
 On Thursday 28 July 2005 11:24 am, Moritz Grimm wrote:
  Dave Feustel wrote:
  And
[snip]
  of this anecdote: A pal once had to deal with a probably-owned OpenBSD
  box, because his clueless co-admin installed an outdated, vulnerable
  MySQL server by hand (not related to ports/packages at all), and likely
  configured it in a bad way, too. Some script kiddie managed to exploit
[snip]
  My point is mostly that, if you try really hard, you can make an OpenBSD
  box insecure. OpenBSD can also not help you when you run an
  OpenBSD-aware trojan as root, for example.
 
  Moritz

 Thanks. I have installed  several software packages not in the
 ports/packages and I realize that running sudo make install is not safe.
 Sometimes I just run the software under my non-root login without
 installing.

It isn't running software that isn't in the ports system that is the problem.  
The problem was the software version installed had some vulnerability and it 
was never updated to a patched version.  Not keeping up with security updates 
is how most systems get updated, and it can happen to any system no matter 
how secure the default install of the operating system is.   

Security is a big cat and mouse game, especially when you are a big target 
like say Microsoft or Google.  There is no one configuration that you can say 
is 100% bullet-proof, it is always a moving target where you are constantly 
juggling known exploits and bugs, new patches, system security, and system 
usability (which includes availability).  

Tim Donahue



Re: OpenBSD vs FreeBSD (network performance)

2005-07-28 Thread Timothy Donahue
There is not likely to be an up-to-date set of *reliable* performance tests 
that you can just look at on the web.  The best thing you can do is make your 
own based on the criteria that you are trying to compare them on, then 
install FreeBSD and OpenBSD and see what works better for your specific 
situation.

Tim Donahue

On Thursday 28 July 2005 04:44 pm, Marcelo de Souza wrote:
   Hi there,

   Can anybody point me any technical documentation that compares
 OpenBSD vs FreeBSD in terms of network performance?

   Or, what would be a good method for tests regarding this subject?
 And what about the appropriate tools?

   Thank you in advance.



Re: Speed isn't everything, luckily for OpenBSD.

2005-07-22 Thread Timothy Donahue
On Friday 22 July 2005 01:23 pm, Spruell, Darren-Perot wrote:
 From: Joe . [mailto:[EMAIL PROTECTED]

  are used to dealing with complex or unoptimized piles of crap. Part of
  encouraging people to switch should at the very least be communicating
  that there are no hidden options or that straightaway things are going
  to work as best as possible.

 I think, quite the opposite, that it's fine the way it is. It's not
 openbsd's fault that people fall prey to the stupid knob-tuning game and
 quite dumbly follow that line of thought. I think instead that the other
 OSes should be responsible for slapping a disclaimer on their {box, web
 page} saying something like This operating system, contrary to rational
 thinking, is not optimized for the most reasonable performance under the
 most common use cases. Instead of being functional out-of-the box, you are
 expected to re-compile critical portions of the system in order to get them
 to work to your specifications. If you don't find this behavior intuitive,
 feel free to use a more rational, completely functional operating system
 instead.

 DS

I'm going to have to agree with Henning, an operating system should be 
configured by the people who develop it to have sane defaults for all but the 
most unique cases and in my experience OpenBSD does an excellent job at doing 
this.  The people that have the strange corner cases where performance 
tuning will make a large difference generally also have the staff, or the 
money to pay for someone with the experience, to do the tuning.  In my mind, 
these are generally extreme cases where throwing more processing power 
at the problem is not an efficient solution, for example huge Trading markets 
where transaction processing time counts (NYSE, NASDAQ).  

Tim Donahue



Re: [OT]: Garmin GPS Handheld with USB

2005-06-28 Thread Timothy Donahue
I tested Garmin eTrex under OpenBSD using just plain old `cu`, which fit my 
needs just fine since I was trying to capture the output from the NMEA 
stream.  You have to make sure you get your port settings correctly.  

Unfortunately I purchased mine before they released the USB cables, so I don't 
know if they are compatible with gardump/garload.

Tim Donahue

On Tuesday 28 June 2005 05:53 am, Johan P. Lindström wrote:
 Never tried using the USB interface, and I had some issues with connecting
 the standard serial DB9 connector as well, not only the Garmin adapters
 either I must say, I didn't get the NMEA code flowing... what software did
 you use ?
  -- Johan

  On 6/28/05, eric [EMAIL PROTECTED] wrote:
  Is anyone using a Garmin GPS handheld unit with USB connectivity? I'm
  thinking about getting a new handheld and just need to make sure USB
  works under OpenBSD for gardump/garload. Serial works perfectly using the
  DB9 connection, but I've never tried the USB interface.
 
  Any replies are appreciated.
 
  Thanks.
 
  - Eric



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-21 Thread Timothy Donahue
On Monday 20 June 2005 05:28 pm, [EMAIL PROTECTED] wrote:
 Someone here made referrence to 'nazis'.

 http://en.wikipedia.org/wiki/Godwin's_law


In said article please note: 

Quirk's exception 
Intentional invocation of this so-called Nazi Clause is ineffectual.

and 

Guy's corollary 
If a Usenet discussion mentions Godwin's law as a counter-rebuttal to a mention 
of Hitler/Nazis, then the chance of Godwin's law being disputed is equal to 
one.



Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-20 Thread Timothy A. Napthali
You can't sell that bridge - I own it... :) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Rod.. Whitworth
Sent: Monday, 20 June 2005 4:26 PM
To: Dave Feustel; [EMAIL PROTECTED]; Nick Holland
Cc: misc
Subject: Re: OT: Hardware keyloggers embedded in new keyboards?

On Mon, 20 Jun 2005 00:07:13 -0500, Dave Feustel wrote:

On Sunday 19 June 2005 08:51 pm, Nick Holland wrote:
 Dave Feustel wrote:
  http://bs.somewhere.real.not   
 
 This has nothing to do with OpenBSD.
 It isn't new.
 It isn't unique.
 In effect, you just spammed the list, advertising someone's product.
 
 If you are going to put totally off-topic stuff on the list, how 
 'bout making it interesting and new?

I thought you had more insight. All of OpenBSD's security is at risk 
with this technology.

I thought that you might have a brain.

All of OpenBSD's security at risk? How, in your wildest chemically
induced dreams, could it be?

1  Not everything that runs OBSD is a PC and even some of those that
are PCs are using serial consoles.

2 You have to own the PC to get to talk to the keyboard. How will
you do that do you suppose? If the PC has been hacked after the firewall
has been hacked it is probably running windows anyway and you can spy on
it in many ways without a keylogger. Sniffing the packets at the
firewall would do for a start.

3 How do you know which firewalls are hiding which keyloggers so that
it is worth your while to break in?
Oh! I know! They run little programs of their own that nobody notices
that send a message to mother, right?
And this program runs on every PC OS and so it can .

and on, and on, and on.

If there is one thing worse than conspiracy myths it is the crowd of
people without a built-in crap-detector who help spread the stories.

Hey, I've got a nice big bridge for sale with great views of Sydney
Harbour. No, really! Good price too!

R/

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Ftp-proxy

2005-06-20 Thread Timothy Horie
I can't seem to get ftp-proxy working. I've looked at quite a few 
websites and mailing list messages and I think I'm really close. But 
something isn't right. When a lan computer tries to ftp, it connects but 
when it does ls or dir it says 200 PORT command successful - not 
using PASV, eh? Connection closed by remote host.


I don't know what is wrong.

Here is my pf.conf ---

#   $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Remember, last matching rule wins.

ext_if=em1
int_if=em0
wall=172.17.5.101
admin_pc={172.17.5.110 172.17.5.253}
nameservers={63.203.35.55 206.13.31.12}
notes=172.17.5.4
ext_notes={69.239.193.250}

scrub in

# NAT between lan and internet
nat on $ext_if from $int_if:network to any -> $ext_if

#
# Use FTP Proxy for FTP Traffic
#
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port ftp-proxy

block all
antispoof quick for { lo $int_if } inet

#
# Allow FTP Traffic

#pass in on $int_if proto tcp from $int_if:network to any port 21
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) \
   port 55000 >< 57000 user proxy flags S/SA keep state
pass out on $ext_if inet proto tcp from $ext_if to any port 20 \
   flags S/AUPRFS modulate state
pass out on $ext_if proto tcp from $ext_if to any port 21 \
   flags S/AUPRFS modulate state

pass out on $ext_if proto tcp from $ext_if to any port > 1024 \
   flags S/AUPRFS modulate state

# Allow ssh traffic in/out between admin and firewall
pass in on $int_if proto tcp from $admin_pc to $wall port ssh keep state

#
# Allow Web Access
#
pass in on $int_if proto tcp from $int_if:network to any port \
   {http https} keep state
pass out on $ext_if proto tcp from $ext_if to any port \
   {http https} keep state

#
# Allow Lotus Notes Access
#
pass in on $int_if proto tcp from $int_if:network to $ext_notes port \
   1352 keep state
pass out on $ext_if proto tcp from $ext_if to $ext_notes port \
   1352 keep state

#
# Allow SMTP Access
#
pass in on $int_if proto tcp from $notes to any port \
   smtp keep state
pass out on $int_if proto tcp from $int_if to $notes port \
   smtp keep state
pass out on $ext_if proto tcp from $ext_if to any port \
   smtp keep state

#
# Allow DNS Access
#
pass in on $int_if proto {udp tcp} from $int_if:network to $nameservers \
   port domain keep state
pass out on $ext_if proto {udp tcp} from $ext_if to $nameservers \
   port domain keep state

#
# Allow PING Access
#
pass out on $ext_if proto icmp from ($ext_if) to any keep state
pass out on $int_if proto icmp from ($int_if) to any keep state

Here is the ftp-proxy line in inetd.conf --
ftp-proxy   stream  tcp nowait  root/usr/libexec/ftp-proxy  ftp-proxy -n -u proxy -m 55000 -M 57000 -t 180


In /etc/services, I have ftp-proxy defined as 8021

Thanks!
Tim
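An added example, not from the original post and not OpenBSD's ftp-proxy code: it shows the two checks a proxy must make on the FTP control channel before it opens a data-channel pinhole, and models the PORT rewriting that, as I understand ftp-proxy's -n (NAT) mode, is what makes the server's data connection arrive from port 20 at the external address on a port in the -m/-M range, which is what the `pass in on $ext_if ... port 20 to ($ext_if) port 55000 >< 57000 user proxy` rule above admits. The proxy address 203.0.113.1, the FTP server 198.51.100.21 and the control-channel lines are constructed for the example, and sequential port allocation stands in for whatever the real proxy does.

```python
import re
from typing import Dict, Tuple

# Wire form used by PORT and by 227 replies (RFC 959): "h1,h2,h3,h4,p1,p2"
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?(\d{1,3}(?:,\d{1,3}){5})")


def parse_hostport(spec: str) -> Tuple[str, int]:
    """Decode h1,h2,h3,h4,p1,p2 into ("h1.h2.h3.h4", p1*256+p2)."""
    parts = [int(x) for x in spec.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError("bad host/port spec: %r" % spec)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def format_hostport(ip: str, port: int) -> str:
    """Inverse of parse_hostport."""
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def client_port_command(line: str, client_ip: str) -> Tuple[str, int]:
    """Validate a client's PORT command before any pinhole is opened for it.

    The address must be the client's own control-connection address (a PORT
    naming a third host is an FTP bounce request), and the port must be
    unprivileged so the data channel cannot be aimed at a service port.
    """
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    ip, port = parse_hostport(m.group(1))
    if ip != client_ip:
        raise ValueError("PORT names %s but client is %s (bounce refused)" % (ip, client_ip))
    if port < 1024:
        raise ValueError("PORT to privileged port %d refused" % port)
    return ip, port


def server_pasv_reply(line: str, server_ip: str) -> Tuple[str, int]:
    """The same checks applied to the server's 227 reply in passive mode."""
    m = _PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    ip, port = parse_hostport(m.group(1))
    if ip != server_ip:
        raise ValueError("227 names %s but server is %s (refused)" % (ip, server_ip))
    if port < 1024:
        raise ValueError("227 with privileged port %d refused" % port)
    return ip, port


class NatModeProxy:
    """Models PORT rewriting by a proxy in NAT mode: the server is told to
    connect back to the proxy's external address on a port taken from
    [lo, hi], and the proxy relays that connection to the client's real
    address and port. Sequential allocation is a simplification."""

    def __init__(self, ext_ip: str, lo: int, hi: int) -> None:
        self.ext_ip, self.lo, self.hi = ext_ip, lo, hi
        self._next = lo
        self.relays: Dict[int, Tuple[str, int]] = {}  # proxy port -> client endpoint

    def rewrite_port(self, line: str, client_ip: str) -> str:
        ip, port = client_port_command(line, client_ip)
        if self._next > self.hi:
            raise RuntimeError("data port range %d-%d exhausted" % (self.lo, self.hi))
        proxy_port, self._next = self._next, self._next + 1
        self.relays[proxy_port] = (ip, port)
        return "PORT " + format_hostport(self.ext_ip, proxy_port)

    def pf_rule(self, server_ip: str, proxy_port: int) -> str:
        """The inbound pass rule the server's data connection will need."""
        return ("pass in on $ext_if inet proto tcp from %s port 20 to %s port %d "
                "user proxy flags S/SA keep state" % (server_ip, self.ext_ip, proxy_port))


if __name__ == "__main__":
    # Constructed sample: LAN client 172.17.5.110, external FTP server 198.51.100.21
    proxy = NatModeProxy("203.0.113.1", 55000, 57000)  # hypothetical ext_if address
    print(proxy.rewrite_port("PORT 172,17,5,110,214,252", "172.17.5.110"))  # PORT 203,0,113,1,214,216
    print(proxy.relays)                                 # {55000: ('172.17.5.110', 55036)}
    print(proxy.pf_rule("198.51.100.21", 55000))
    try:
        client_port_command("PORT 10,0,0,9,0,25", "172.17.5.110")
    except ValueError as e:
        print("rejected:", e)
```

The bounce check is the security-relevant part: a proxy that honoured a PORT naming any address other than the client's own would become a port scanner or relay for whatever the FTP server can reach. One pf detail worth knowing when writing the matching rule: `port 55000 >< 57000` excludes both endpoints, whereas `port 55000:57000` includes them, so a proxy started with `-m 55000` can hand out a port the exclusive form does not pass.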



No man pages after installing bash

2005-06-20 Thread Timothy Horie

Hello,

I can't use man pages for some reason after I installed bash and login 
using bash. I typed 'man dump' and it says that it can't find a manual 
page for that.


I looked at some help on the web and there's a MANPATH but I'm not sure 
what to set it to. I also looked at the /etc/man.conf but everything in 
there should be the same as when I was using sh (csh). I don't know what 
the problem is.


Thanks
Tim



Re: No man pages after installing bash

2005-06-20 Thread Timothy Horie

Nevermind. I installed man37.tgz and now everything works.

Timothy Horie wrote:


Hello,

I can't use man pages for some reason after I installed bash and login 
using bash. I typed 'man dump' and it says that it can't find a manual 
page for that.


I looked at some help on the web and there's a MANPATH but I'm not 
sure what to set it to. I also looked at the /etc/man.conf but 
everything in there should be the same as when I was using sh (csh). I 
don't know what the problem is.


Thanks
Tim




Re: OT: Hardware keyloggers embedded in new keyboards?

2005-06-19 Thread Timothy A. Napthali
I'm fairly sure this is a hoax. I have seen this referenced several
times over the past few weeks and I have seen no evidence to indicate
any truth to the matter.

Apart from the obvious legal implications outside of the US how long do
you think Dell, HP or any other manufacturer would have customers for if
this were true?

See: http://www.snopes.com/computer/internet/dellbug.asp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Dave Feustel
Sent: Monday, 20 June 2005 3:06 PM
To: Greg Thomas
Cc: OpenBSD-Misc
Subject: Re: OT: Hardware keyloggers embedded in new keyboards?

On Sunday 19 June 2005 07:24 pm, Greg Thomas wrote:
 On 6/19/05, Dave Feustel [EMAIL PROTECTED] wrote:
  http://www.amecisco.com/faq_hardwarekeylogger.htm#Q1
  
  
 
 Why just new ones?  Do you think this device is new or something?  
 
 Greg

The device is obviously not new.  What *is* new is that it is being
installed as oem equipment inside of keyboards for HP and Dell systems
and also inside of used keyboards which can be unobtrusively switched
in for older keyboards.
Then the companies doing the switching can secretly monitor all the
keystrokes of the user, picking up everything the user types.  There is
no way to detect the keylogger short of opening up the keyboard. Shortly
I predict the keylogging function will be incorporated into the
keyboard cpu so that even opening up the keyboard will not permit the
presence of the logger to be detected. 

What's new is that this functionality now comes builtin to new systems,
possibly at the behest of Homeland Security, which would in that case
know the password needed to retrieve the logged keystrokes. So far I see
no defense against this spying technique of password capture.

Dave



Strange ports package error (BerkeleyDB)

2005-06-13 Thread Timothy Horie

Hi,

I'm trying to install the BerkeleyDB port and I run into the following 
error. Can someone help? Thanks!


[EMAIL PROTECTED]:/usr/ports/databases/db# make install
=== databases/db/v3
===  Building package for db-3.1.17p1
Creating package /usr/ports/packages/i386/all/db-3.1.17p1.tgz
Error: @pkgcfl is obsolete, use @conflict instead
===  Cleaning for db-3.1.17p1
rm -f /usr/ports/packages/i386/all/db-3.1.17p1.tgz
*** Error code 1

Stop in /usr/ports/databases/db/v3 (line 1853 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/databases/db/v3 (line 1150 of 
/usr/ports/infrastructure/mk/bsd.port.mk).

*** Error code 1

Stop in /usr/ports/databases/db (line 103 of 
/usr/ports/infrastructure/mk/bsd.port.subdir.mk).




Re: Compiling Sendmail

2005-06-09 Thread Timothy Horie

I finally got sendmail recompiled and it's working.
I'm stuck on something though, and I can't seem to fix it
I pasted my message to http://thorie.com/sendmail.txt
I put this message on the sendmail newsgroup as well, but nobody seems 
to know the answer.

Can anyone give me some hints?
Or if not, tell me where I can go for some help regarding this problem?

Hugo Villeneuve wrote:


On Mon, Jun 06, 2005 at 04:27:39PM -0400, Joel Dinel wrote:
 


On 6/6/05, Timothy Horie [EMAIL PROTECTED] wrote:
   


I need to recompile it without TLS. I've tried a lot of ways to get rid
of it without a recompile, but all paths led nowhere. I don't want TLS,
I don't want to Start TLS, I don't want any error messages in the logs
regarding TLS, I don't want to have to disable or enable TLS, I don't
want anything to do with TLS.

I've spent the last two months trying to figure out how to get rid of
TLS, and recompiling sendmail without TLS is the last thing I can think of.

I am assuming sendmail is compiled with STARTTLS in 3.7 as well, so I'd
have to recompile there anyways.

Any ideas?
 


Remove STARTTLS support from your .m4 file, and regenerate a .cf file?
My stock OpenBSD installs work fine without TLS support if I don't use
it, and I don't have any
error messages whatsover.

/usr/share/sendmail/cf/openbsd-proto.mc
   



STARTTLS will be tried when delivering outside mail in stock OpenBSD
configuration. Not having certificates, just disable STARTTLS from
being offered on incoming connections.

Most probably, adding , Modifier=S to the CLIENT_OPTIONS lines
in openbsd-proto.mc will disable STARTTLS on outgoing connection.

I believe also Try_TLS:   NO in access.db will do the same.




Re: Compiling Sendmail

2005-06-09 Thread Timothy Horie

Here's a more detailed posting

http://thorie.com/sendmail

I have uploaded all of my sendmail config files and maillog and even a 
copy of the error message that is returned to the sender.


I don't know how to make it so the recipient addresses don't become 
@internal.host... when it reaches internal.host...


Fred Crowson wrote:


Timothy Horie wrote:


I finally got sendmail recompiled and it's working.
I'm stuck on something though, and I can't seem to fix it
I pasted my message to http://thorie.com/sendmail.txt
I put this message on the sendmail newsgroup as well, but nobody 
seems to know the answer.

Can anyone give me some hints?
Or if not, tell me where I can go for some help regarding this problem?



What are the values of:

MASQUERADE_AS()
MASQUERADE_DOMAIN()

in your .mc file?

If you posted your full .mc file and other relevant information you 
might get an answer try reading:


http://www.catb.org/~esr/faqs/smart-questions.html

thanks

Fred




Re: Compiling Sendmail

2005-06-09 Thread Timothy Horie
I don't need the LOCAL_RULE but if I get rid of the MAIL_HUB, then all 
the mail goes to local (even when it's addressed to @domain.com) and the 
microsoft server never receives that mail.


I played with some ways to get around that using mailertable and 
SMART_HOST but couldn't get it to work.


What will go in place of MAIL_HUB so that mail will go to the other server?

Stephen Marley wrote:


On Thu, Jun 09, 2005 at 04:32:03PM -0700, Timothy Horie wrote:
 


Here's a more detailed posting

http://thorie.com/sendmail

I have uploaded all of my sendmail config files and maillog and even a 
copy of the error message that is returned to the sender.


I don't know how to make it so the recipient addresses don't become 
@internal.host... when it reaches internal.host...
   



Simplify your config. For starters, ditch the LOCAL RULE at the bottom
of your cf and the MAIL_HUB and stickyhost.

I run several mailservers and mailertable is enough to pass incoming
mail on from a relay to the destination server.




Re: Compiling Sendmail

2005-06-09 Thread Timothy Horie

It's there.
It's right under FEATURE(`masquerade_entire_domain') in the .mc file.

Stephen Marley wrote:


On Thu, Jun 09, 2005 at 04:32:03PM -0700, Timothy Horie wrote:

I just noticed you don't have
dnl
dnl Enable support for /etc/mail/mailertable.
dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl

in your cf file. Use /usr/share/sendmail/cf/openbsd-proto.mc as your
starting point. You're making this harder than it needs to be.




Re: i don't *mean* to be stupid. it just happens. need a refresher...

2005-06-08 Thread Timothy Donahue
On Wednesday 08 June 2005 08:59 am, Terry wrote:
 On Wed, Jun 08, 2005 at 08:19:58AM -0400, Rick Barter wrote:
  Also, it says ethereal is in /usr/ports/net/ethereal, but I can't find
[snip]
 What version are you running? I have a 3.5 box and a 3.6 box, still
 haven't loaded 3.7 yet :(, and the command find /usr/ports/ -type d
 -name ethereal finds /usr/ports/net/ethereal on the 3.5 box but not on
 the 3.6 box.

The cvsweb repository is always a good place to try and figure out why 
something doesn't seem to be in the repository anymore.

http://www.openbsd.org/cgi-bin/cvsweb/ports/net/ethereal/Attic/Makefile?hideattic=0

Tim Donahue



How do I restart sendmail?

2005-06-08 Thread Timothy Horie
I changed some options in the .mc file and rebuilt the 
/etc/mail/sendmail.cf file.

How do I restart sendmail?



Compiling Sendmail

2005-06-06 Thread Timothy Horie

Hello,

I have 3.6 and I downloaded sendmail 8.13.0.
I ran sh Build, and got the following compile error:

cc -O -I. -I../../sendmail   -I../../include -DNEWDB -DNIS -DMAP_REGEX  
-DNETISO -DFAST_PID_RECYCLE -DNOT_SENDMAIL   -c debug.c

In file included from debug.c:11:
../../sendmail/sendmail.h:96: netiso/iso.h: No such file or directory
*** Error code 1

Stop in /home/thorie/sendmail-8.13.0/obj.OpenBSD.3.6.i386/libsmutil.
*** Error code 1

Stop in /home/thorie/sendmail-8.13.0 (line 15 of Makefile).

How can I get the netiso header files?
Thanks,
Tim



Re: Compiling Sendmail

2005-06-06 Thread Timothy Horie
I need to recompile it without TLS. I've tried a lot of ways to get rid 
of it without a recompile, but all paths led nowhere. I don't want TLS, 
I don't want to Start TLS, I don't want any error messages in the logs 
regarding TLS, I don't want to have to disable or enable TLS, I don't 
want anything to do with TLS.


I've spent the last two months trying to figure out how to get rid of 
TLS, and recompiling sendmail without TLS is the last thing I can think of.


I am assuming sendmail is compiled with STARTTLS in 3.7 as well, so I'd 
have to recompile there anyways.


Any ideas?

Joel Dinel wrote:


On 6/6/05, Timothy Horie [EMAIL PROTECTED] wrote:
 


Hello,

I have 3.6 and I downloaded sendmail 8.13.0.
I ran sh Build, and got the following compile error:
   



You are probably not going to get any help here on that subject. The
sendmail version that comes with OpenBSD is more than fine for your
needs, and it has been audited. If you can't get it to build
correctly, and you don't know what the problem is, just don't bother.

If you really want a sendmail in the 8.13.X series, install OpenBSD 3.7 instead.




Re: howto clean disks ?

2005-06-01 Thread Timothy Donahue
On Wednesday 01 June 2005 03:28 am, Matt Phillips wrote:
 If you are truly paranoid use DBAN,  which is short for Darin's Boot and
 Nuke.  IMO it is the best disk wiping tool out there.  It gives you a
 couple different wiping methods to choose from, including the one used
 by the US DoD.  You can also specify how many passes it makes.

I'm sick of people passing on this US DoD standard as a fact.  The true US DoD 
standard states that it DOES NOT make the drive safe for reuse unless it will 
be used to store data of equal or greater security rating.  If the drive is 
no longer useful, after running this wipe the drive platters are destroyed.   

 According to the website, DBAN is used by the US Dept of Energy and the
 National Nuclear Security Administration, which ain't bad. 

It may be, before the drives are reused internally for an equally or more 
secure project.  Or just before the get thrown into the incinerator.

Tim Donahue



Re: howto clean disks ?

2005-06-01 Thread Timothy Donahue
On Wednesday 01 June 2005 08:06 am, Johan P. Lindström wrote:
 The military (at least in Sweden) bakes a Trotyl / Pentyl cake with
 the drives as stuffing, don't know if that would change the magnetic
 properties but most likely make the process of collecting/organizing
 the pieces of the same drive quite labourious.

 I read an article on encasing your drives with Magnesium and
 Aluminium-Oxide and hook it up to the power supply through some
 programmable circuit to remotely melt your drives, this would create a
 plasma at some 3000+ Celsius. Cant seem to find it again though...

 http://en.wikipedia.org/wiki/Plasma
 http://en.wikipedia.org/wiki/Exothermic_reaction


You might be thinking about using something like thermite.  (Please note 
that thermite is dangerous stuff to play with because it does reach around 
3000 C.)  An oxy-acetylene torch would be just as effective and a whole lot 
safer.

http://en.wikipedia.org/wiki/Thermite

Tim Donahue



Getting Yesterday's Date

2005-05-30 Thread Timothy A. Napthali
In GNU Date land on Linux I was able to do this:
 
 
Tim Napthali



Private:  +61 2 8920 8252
Mobile:   +61 421 050 754
Email: [EMAIL PROTECTED]
IM (MSN):   [EMAIL PROTECTED]

 
There are only 10 kinds of people in the world,
those who understand binary, and those who don't.

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which 
had a name of smime.p7s]



Getting Yesterday's Date (Repost due to error)

2005-05-30 Thread Timothy A. Napthali
Sorry for previous version of this post. I sent it accidentally before I
was finished.
 
In Linux I was able to do this:
 
date +%Y%m%d -d '-1 day'

Which would give yesterdays date as 20050530

How can I do this in OpenBSD? I've mucked about with date -r $(expr
$(date +%d) - 86400) but I can't get it to work properly.

Cheers,
Tim.



Re: Getting Yesterday's Date (Repost due to error)

2005-05-30 Thread Timothy A. Napthali
It should be safe. All my mail servers run GMT to prevent log confusion
(i.e. it's a given that any log time is always GMT). 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Christian Weisgerber
Sent: Tuesday, 31 May 2005 9:49 AM
To: misc@openbsd.org
Subject: Re: Getting Yesterday's Date (Repost due to error)

Todd C. Miller [EMAIL PROTECTED] wrote:

 In sh or ksh you could do:
 date -r $(( `date +%s` - 86400 )) +%Y%m%d

This can return unexpected results.

$ export TZ=CET
$ date -r $((1111963000)) +%Y%m%d
20050328
$ date -r $((1111963000-86400)) +%Y%m%d
20050326

I don't think there is a reliable solution without something like
FreeBSD's -v or GNU's -d extensions.

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]
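An added example, not from the thread: it reproduces the pitfall naddy describes, using a self-contained CET/CEST rule rather than the system zoneinfo so it runs anywhere, and contrasts subtracting 86400 seconds from the epoch with stepping back one calendar day. The timestamp 1111963000 is the one from the exchange above (00:36:40 CEST on 2005-03-28, the morning after the switch to summer time). The EU daylight-saving rule is hardcoded here for illustration and is an assumption of the example, not something the thread states.

```python
import calendar
from datetime import date, datetime, timedelta, timezone

DAY = 86400


def last_sunday(year: int, month: int) -> date:
    """Last Sunday of a month, the pivot day of the EU summer-time rule."""
    last = date(year, month, calendar.monthrange(year, month)[1])
    return last - timedelta(days=(last.weekday() - 6) % 7)


def cet_offset(utc: datetime) -> timedelta:
    """UTC offset of Central European Time at a UTC instant. EU rule (assumed
    here): UTC+2 from the last Sunday of March 01:00 UTC until the last Sunday
    of October 01:00 UTC, UTC+1 otherwise."""
    s, e = last_sunday(utc.year, 3), last_sunday(utc.year, 10)
    start = datetime(s.year, s.month, s.day, 1, tzinfo=timezone.utc)
    end = datetime(e.year, e.month, e.day, 1, tzinfo=timezone.utc)
    return timedelta(hours=2) if start <= utc < end else timedelta(hours=1)


def local_date(ts: int) -> date:
    """Calendar date in CET/CEST for a Unix timestamp: what `date +%Y%m%d`
    prints for that instant with TZ=CET."""
    utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    return (utc + cet_offset(utc)).date()


def yesterday_by_epoch(ts: int) -> date:
    """The `date -r $(( $(date +%s) - 86400 )) +%Y%m%d` approach: subtract a
    day of seconds, then convert. Wrong on the first local day after a DST
    change, because that local day is not 86400 seconds long."""
    return local_date(ts - DAY)


def yesterday_by_calendar(ts: int) -> date:
    """Convert to the local calendar date first, then step back one day."""
    return local_date(ts) - timedelta(days=1)


def yesterday_utc(ts: int) -> date:
    """Tim's case: clocks kept on GMT have no DST, so epoch arithmetic is safe."""
    return datetime.fromtimestamp(ts - DAY, tz=timezone.utc).date()


if __name__ == "__main__":
    ts = 1111963000  # 2005-03-27 22:36:40 UTC = 00:36:40 CEST on 2005-03-28
    print("today      :", local_date(ts))            # 2005-03-28
    print("epoch-86400:", yesterday_by_epoch(ts))    # 2005-03-26 (two days back)
    print("calendar   :", yesterday_by_calendar(ts)) # 2005-03-27
    print("on GMT     :", yesterday_utc(ts))         # 2005-03-26, correct for a UTC clock
```

The failing case is the 23-hour day after the spring change: just after local midnight the instant 86400 seconds earlier lies before the previous local midnight as well, so the epoch method skips a day. Without a `-v` or `-d` extension the shell workaround on a local-time box is to do the arithmetic on calendar days rather than on seconds.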



Spamd SMTP Banner

2005-05-28 Thread Timothy A. Napthali
I've run into an interesting problem with the spamd SMTP banner.

I have a few OpenBSD 3.7 mail gateways running Postfix that are members
(from a DNS perspective) of an internal DNS domain such as
mail.company.org. They are MX destinations for mail for company.com, and
postfix reports to external SMTP servers as mail.company.com (the
servers are NAT translated).

The issue I have is that spamd uses gethostname to build the SMTP banner
so the name shown in the banner is of course mail.company.org and not
mail.company.com. Postfix of course reports as mail.company.com.

I'm wondering if changes could be made to spamd to accommodate this
perhaps by allowing more customisation of the spamd SMTP banner, or
perhaps adding a simple command line switch where the hostname could be
supplied (eg: spamd -H mail.company.com). For the moment, although my C
knowledge isn't that great, I have compiled a custom version of spamd
with hard coded hostnames and this works OK.

My interest with this is that initial connections to spamd are thus
exposing the servers internal name. Whilst this is not really a great
security problem in this situation it is undesirable. Any thoughts?

Cheers,
Tim.



Re: Safe development

2005-05-20 Thread Timothy Donahue
On Friday 20 May 2005 03:59 am, Stephan Wehner wrote:
 What am I trying to back up?

 What happened to me was I was running Mepis, and did an apt-get xfce4
 (I think it was xfcr4). But then startx wouldn't work any longer. I
 thought apt-get would be pretty safe...
 Then I switched to FreeBSD and after a port-upgrade installed the new
 version of firefox. Then firefox wouldn't work any more.

 In both cases I had no clue what had changed, or how to undo it.

 Hence my original question. I think starting over with OpenBSD will be
 worth it. But I'm trying to decide on a good way to set up backups
 right from the start.

 Are you saying I should put the /usr and /etc directories and so on in
 a cvs repository? Will I get to know which files to checkout as I
 install more ports? Or instead of a cvs repository I thought of just
 taking snapshots before any system changes. But then I thought this
 should be a common problem so I asked how to go about it.


How about tar and a DVD burner or a USB harddrive.  Granted, this is not an 
ideal backup situation but if all you are worried about is restoring after an 
update then it should work fine. 

CVS, well you are going to need GOBS of diskspace to keep the repository in.  
Every time a binary file gets updated it will keep a full copy of the updated 
file, not a very efficient way to go about keeping a system snapshot.

Tim Donahue



Re: Bind 9 - nsc or similar tool?

2005-05-18 Thread Timothy Donahue
On Wednesday 18 May 2005 11:41 am, Rod Dorman wrote:
 On Wednesday, May 18, 2005, 12:16:40, Jack J. Woehr wrote:
  Is there anything on OBSD like nsc on Linux which generates Bind 9
  config files?

 mg works for me :-)

The use of mg is completely optional, for example I prefer to use vi, but any 
text editor should suffice. :-)  If you need more control than that how about 
adding CVS into the mix.

Oh, and since you didn't seem to do your homework, it seems from the 5 seconds 
I spent looking at nsc it may work just fine as is on OpenBSD.  

Tim Donahue