Re: VMD linux/debian cdrom issue

2018-08-23 Thread Todd T. Fries
More 'color' ;-)

proxmox iso's do, and they also include zfs on root as an option,
but they require gui bits to install from what I can tell.

https://www.proxmox.com/en/downloads

Penned by Carlos Cardenas on 20180823  8:45.44, we have:
| On Thu, Aug 23, 2018 at 12:43:17PM +0200, Martijn van Duren wrote:
| > Hello Ales,
| > 
| > I ran into the same problem and found that the Debian installer doesn't
| > include the virtio drivers and thus can't use the cdrom or the disk.
| > 
| > I worked around this by bootstrapping the disk via the qemu port and
| > booting the disk from vmm once it's finally done. Qemu is significantly
| > slower than vmm, so do get another cup of $BEVERAGE.
| > 
| > I haven't taken the time to contact Debian about this, so it's
| > probably not yet known to them.
| > 
| > Hope this helps for now.
| > 
| > martijn@
| 
| To add some color to what martijn said, the standard debian isos do not
| include the virtio drivers; however, the netinst iso does (for whatever
| reason).  You can boot off that and perform a network install if you're
| so inclined.
| 
| However, after typing that, I attempted to boot a netinst 9.5 iso and it
| looks like those drivers are not there anymore (they have hyperv and xen
| pv drivers present though).  You can use an older netinst ISO to do it
| as it will still have them but I don't know how far back you'll need to
| go since it's been a while since I tested debian.
| 
| At this point, if you want debian, it looks like you'll have to
| bootstrap with qemu.  I would also encourage you to contact the debian
| folks about this as well, specifically the inclusion of virtio drivers
| since they are already including hyperv and xen.
| 
| +--+
| Carlos
| 
| > On 08/23/18 12:18, Ales Tepina wrote:
| > > Hello!
| > > 
| > > I have a lenovo T470 running current on which i would like to use vmd
| > > to run debian for some work specific stuff.
| > > I'm having trouble installing debian though because the installer
| > > doesn't seem to find cdrom.
| > > 
| > > My vm.conf is pretty basic:
| > >  switch "local" {
| > >  interface bridge0
| > >  }
| > >  vm "work" {
| > >  disable
| > >  memory 2G
| > >  cdrom "/home/vm/debian-9.5.0-amd64-xfce-CD-1.iso"
| > >  disk "/home/vm/debian.img"
| > >  interface { switch "local" }
| > >  }
| > > 
| > > On the debian installer boot menu, i select Install and press TAB to
| > > edit the menu entry. I remove the "quiet" at the end and append from
| > > --- onwards so at the end it looks like this:
| > >  (omitted part)/install.amd/vmlinuz desktop=xfce vga=788
| > > initrd=/install.amd/initrd.gz --- clocksource=tsc console=ttyS0,115200
| > > noapic
| > > 
| > > The text based installer starts and i'm able to choose language,
| > > location and keyboard.
| > > At the "Detect and mount CD-ROM section, i'm informed that "No common
| > > CD-ROM drive was detected." and i'm given the option to load CD-ROM
| > > drivers from removable media. When i select NO the installer gives me
| > > the option to manually select a CD-ROM module or device. I can choose
| > > between none and cdrom. The cdrom option just asks me for a device
| > > like /dev/cdrom
| > > 
| > > I tried with debian netboot image - same problem.
| > > 
| > > I've read Mike Larkin's slides "OpenBSD vmm/vmd Update" and if some of
| > > you are running linux in vmm (for testing purposes of course) i would
| > > be grateful to know how you managed to get past this problem?
| > > 
| > > Best regards, Ales
| > > 
| > 

-- 
Todd Fries .. t...@fries.net

 
|\  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC\  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com\  1.866.792.3418 (FAX)
| PO Box 16169, Oklahoma City, OK 73113-2169 \  sip:freedae...@ekiga.net
| "..in support of free software solutions." \  sip:4052279...@ekiga.net
 \
 
  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt
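A check worth running before spending the qemu bootstrap time described in the thread: confirm whether the installer initrd you are about to boot under vmd even carries the virtio modules. The script below is an added example, not code from the thread or from Debian. It assumes the initrd is a gzip-compressed cpio archive (as Debian's install.amd/initrd.gz is) and that the drivers ship as modules named virtio_pci, virtio_blk and virtio_net; a kernel with virtio compiled in would not be detected this way. Mount the ISO through vnd(4) with vnconfig(8) and mount(8) to get at the initrd.

```shell
#!/bin/sh
# Check a Debian installer initrd for the virtio drivers that vmd(8)'s virtual
# disk, cdrom and network devices need.  Debian's initrd is a gzip-compressed
# cpio archive, so member names sit in the decompressed stream as plain text;
# grep -a is enough and cpio(1) is not required.  Module names are assumptions
# about what the installer should ship (added example, not Debian's own code).

VIRTIO_MODS="virtio_pci virtio_blk virtio_net"

# initrd_has_virtio <initrd.gz>
# Prints one line per module; returns 0 only if every module is present,
# 1 if any is missing, 2 if the file cannot be read.
initrd_has_virtio() {
    initrd=$1
    missing=0
    [ -r "$initrd" ] || { echo "cannot read $initrd" >&2; return 2; }
    for mod in $VIRTIO_MODS; do
        # matches plain and compressed module files (virtio_blk.ko, .ko.xz)
        if gzip -dc "$initrd" | grep -a -q "/${mod}\.ko"; then
            echo "present: $mod"
        else
            echo "MISSING: $mod"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone use:  sh initrd_check.sh /mnt/install.amd/initrd.gz
if [ $# -eq 1 ]; then
    initrd_has_virtio "$1"
fi
```

If all three modules are reported missing while hyperv or xen module names are present, the image is the kind described in the thread and a network install from it will not see vmd's disk or cdrom either.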



Re: vmd: keeping time in vm's

2017-02-27 Thread Todd T. Fries
Penned by Stuart Henderson on 20170209 18:57.59, we have:
| On 2017-02-09, Eric Brown  wrote:
| > Dear List,
| >
| > I've recently learned (and discovered) that time in VM's is tricky
| > business.  I'm looking for the least stupid way to keep any semblance of
| > time in vmd instances while I hungrily await a "correct solution" to
| > descend from the heavens.
| >
| > I've disabled openntpd, installed ntp package (but not its daemon). Now
| > I am running ntpdate every minute from cron.  It seems to keep the
| > clock, well, within a minute.
| >
| > Can anyone think of a better solution to this problem?
| 
| Not a hugely better solution, but rdate(8) is in base, so at least you
| don't need the ntp package..

I could be wrong, but seeing this in my guest:

sysctl hw.sensors
hw.sensors.vmmci0.timedelta0=-7127.806752 secs, OK, Mon Feb 27 11:02:53.434

and this in ntpctl output:
sensor
   wt gd st  next  poll        offset  correction
vmmci0
    1  1  0    8s   15s   81357.122ms     0.000ms

suggests to me that the time passed to the guest is used as a timedelta sensor
using the native ntpd, no need for network traffic!
-- 
Todd T. Fries . http://todd.fries.net/pgp.txt . @unix2mars . github:toddfries
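The sensor line above can be turned into a check that the guest is actually getting host time and staying close to it. This is an added example, not something from the thread; it parses the sysctl(8) line format shown above, and the one-second limit and the idea of running it from cron are assumptions. ntpd(8) only consumes the sensor when ntpd.conf covers it, which the `sensor *` line in the stock ntpd.conf does (an explicit `sensor vmmci0` works too).

```shell
#!/bin/sh
# Parse the vmmci(4) timedelta sensor line printed by sysctl(8) and decide
# whether the guest clock is within tolerance of the host's.  Added example;
# the limit and the cron use are assumptions.

# timedelta_secs <line>
# Signed offset in seconds from a line such as
#   hw.sensors.vmmci0.timedelta0=-7127.806752 secs, OK, Mon Feb 27 11:02:53.434
timedelta_secs() {
    printf '%s\n' "$1" |
        sed -n 's/^hw\.sensors\.vmmci[0-9]*\.timedelta[0-9]*=\([-0-9.]*\) secs,.*/\1/p'
}

# timedelta_status <line>
# Sensor status field (OK, WARNING, CRITICAL, UNKNOWN) from the same line.
timedelta_status() {
    printf '%s\n' "$1" |
        sed -n 's/^hw\.sensors\.vmmci[0-9]*\.timedelta[0-9]*=[^,]*, \([A-Z]*\),.*/\1/p'
}

# timedelta_check <line> <limit-seconds>
# Returns 0 when the sensor is OK and |offset| <= limit, 1 otherwise
# (including when the line is not a vmmci timedelta line at all).
timedelta_check() {
    line=$1; limit=$2
    off=$(timedelta_secs "$line")
    st=$(timedelta_status "$line")
    [ -n "$off" ] || return 1
    [ "$st" = "OK" ] || return 1
    awk -v o="$off" -v l="$limit" \
        'BEGIN { o += 0; l += 0; if (o < 0) o = -o; exit !(o <= l) }'
}

# Stand-alone use:  sh vmm_timedelta.sh vmmci0 [limit-seconds]
if [ $# -ge 1 ]; then
    timedelta_check "$(sysctl "hw.sensors.$1.timedelta0")" "${2:-1}" \
        && echo "guest clock within ${2:-1}s of host" \
        || echo "guest clock outside limit or sensor missing" >&2
fi
```

A large offset with status OK, as in the sample above, means the sensor works but ntpd has not yet slewed the clock; an empty result means the guest has no vmmci(4) at all and needs rdate(8) or a network server after all.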



Re: ipv6 static routing

2013-12-11 Thread Todd T. Fries
Penned by dikshie on 20131208 19:50.21, we have:
| On Mon, Dec 9, 2013 at 7:00 AM, Claudio Jeker  wrote:
| > Check with tcpdump if the packets go out and to the right place.
| > Maybe try to figure out if they arrive at the destination to figure out
| > where they get lost.
| 
| sure, i'll check with tcpdump after working/business hour.
| 
| -dikshie-

I've installed a current snapshot on a kvm system and noted that with vio0 I have
the same problem you experience unless I manually program the global IPv6 addresses
via ndp.

If I change to em0 (e1000 in kvm speak) it works like a champ.

Perhaps you could try this change; I also would not be surprised if some multicast
bits that recently changed got twiddled for vio(4) as well.

Thanks,
-- 
Todd Fries .. t...@fries.net



Re: OpenBSD 5.3, CARP and IPv6

2013-09-04 Thread Todd T. Fries
Penned by andy on 20130904 15:21.22, we have:
| Hi, one last question.
| 
| I am reading through lots of examples and documentation on OpenBSD and v6
| and most seem to refer to adding the v6 address to /etc/hostname.X as an
| 'alias', e.g.;
| inet 10.0.0.1 255.255.255.0
| inet6 alias fec0:2029:f001:128::40 64
| 
| I have our test setup working now without the 'alias' directive, so should
| it have an 'alias' or not?
| 
| I cannot see that it should, as its not an inet alias. The interface has
| one inet, and one inet6.
| 
| If there were any additional inet or inet6 lines then those lines should
| have the alias directive, but why should the first inet6 have an 'alias'
| when it is not an alias address to the v4 address?
| 
| Sorry to obsess about the details on this but want to get this completely
| correct in the eyes of the developers?
| 
| Cheers, Andy.

At one point itojun@ had told me that the first IPv6 address is the link
local, all others are aliases.  ifconfig(8) would actually warn if you
did not use the 'alias' syntax when there was an existing address.  This
warning has subsequently been removed.

It has been since stated in this thread that 'ifconfig X inet6 2001:db8::1'
unconditionally adds that as an alias.

Note this is different than the IPv4 case where without an alias it would
remove the first IPv4 address while adding the new address to the end of
the interface list of addresses.

So it would seem 'inet6 alias 2001:db8::1' is not needed.  Experimenting
confirms this is the case.

My $.02 is that we should remove all mention of 'inet6 alias' in hostname.if(5)
while retaining the ability to handle it (e.g. in /etc/netstart).

Thanks,
 
| On Sun, 01 Sep 2013 13:55:27 +0100, Andy  wrote:
| > Hi Stuart, yea I realised that after, it's also implied I guess as its 
| > using an IPv4 address after all.
| > 
| > I will probably remove it as I didn't need it for IPv4 before. I was 
| > just trying everything I thought might be relevant to get it working 
| > when the real problem was not setting up my test environment properly...
| > 
| > Considering the differences between v4 and v6 (ndp etc), would carppeer 
| > be more useful for v6 (I know it is currently v4 only)?
| > 
| > I would prefer to not have to use carppeer as it is another thing to 
| > manage and configure correctly, but my priority is stability and 
| > speed(does it improve the speed of CARP setup/detection etc)?
| > 
| > Thanks for your help :) Andy
| > 
| > 
| > On Sat 31 Aug 2013 23:25:12 BST, Stuart Henderson wrote:
| >> On 2013-08-30, Andy  wrote:
| >>> cat /etc/hostname.carp0
| >>> inet 18.2.32.10 255.255.255.0 18.2.32.255
| >>> inet6 a00:7e0::a 64
| >>> carpdev em0 carppeer 18.2.32.12 vhid 201 pass testpass advbase 3 advskew
| >>> 0 description "WAN"
| >>
| >> hmm, I wonder if we should extended the description of carppeer in
| >> ifconfig(8) to make it clear that it's only for v4...

-- 
Todd Fries .. t...@fries.net



Re: OpenBSD 5.3, CARP and IPv6

2013-08-29 Thread Todd T. Fries
Penned by Andy on 20130829  9:57.29, we have:
| Hi everyone,
| 
| I'm hoping someone can help me as I'm not having much luck with adding 
| IPv6 to the mix of our already working IPv4 setup.
| 
| What should /etc/hostname.carpX look like for an IPv6 setup? Is this 
| correct;?
| 
| inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass temppass advbase 3 
| advskew 0
| inet6 2a00:7e0:0:a::1 64

Any 'inet6' except the first link local reference in a given hostname.if(4)
file should be followed by 'alias'.

Aka you need:

inet6 alias 2a00:7e0:0:a::1

The 64 is implicitly default, if you choose to explicitly list it that's ok too.
 
| Or should I have a separate carpX interface for the IPv6?
| 
| When I do a tcpdump on the master I see;
| Aug 29 14:36:56.416723 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: 
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
| Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: 
| fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1 
| advbase=3 advskew=0 demote=33
| Aug 29 14:36:56.420823 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86: 
| fe80::1 > ff02::1: icmp6: neighbor adv: tgt is fe80::200:5eff:fe00:101
| Aug 29 14:36:56.420835 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86: 
| fe80::1 > ff02::1: icmp6: neighbor adv: tgt is 2a00:77e0:0:a::1
| Aug 29 14:36:57.638468 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: 
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: 
| fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 
| advbase=3 advskew=100 demote=0
| Aug 29 14:37:01.049324 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: 
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: 
| fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 
| advbase=3 advskew=100 demote=0
| Aug 29 14:37:04.458514 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: 
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| Aug 29 14:37:04.462013 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: 
| fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 
| advbase=3 advskew=100 demote=0
| Aug 29 14:37:06.648983 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: 
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
| Aug 29 14:37:06.648996 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: 
| fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1 
| advbase=3 advskew=0 demote=33
| 
| I can see that the IPv6 CARP messages are using the link local address 
| and not the global IPv6 addresses I have configured? Why?? :(
| This makes it really hard to write PF files as I would have to write 
| filter rules considering the each physical hosts MAC addresses :(

Because multicast is on the local link not on the global addresses?

Can you not use pf to filter fe80::/8 address space?

| I'm also seeing errors stating that the inet6 carp address I have 
| configured is a duplicate address! Although this could be due to the 
| fact the firewalls are flapping between backup and master and there are 
| going to be multi master periods.

I thought at one point there was a commit to ignore duplicate v6 ndp
due to this issue.  I can't find it right now though, so I don't know
if it is in 5.3 or not.

| net.inet.carp.allow=1
| net.inet.carp.preempt=1
| net.inet.carp.log=3
| net.inet6.ip6.forwarding=1
| net.inet6.ip6.redirect=0
| net.inet6.ip6.accept_rtadv=0
| 
| I am also starting to read "Firewalling IPv6 with OpenBSD's pf (packet 
| filter)".
| 
| Thanks for your time, Andy.

Hope the above helps.
-- 
Todd Fries .. t...@fries.net
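A pf.conf fragment for the link-local question above, added here as an example rather than taken from the thread. Link-local space is fe80::/10, and `proto carp` in pf.conf is IP protocol 112, so the IPv6 advertisements can be pinned to link-local sources headed for ff02::12 without writing per-host MAC rules. The carpdev interface name is an assumption; the neighbor discovery rule is included because the unsolicited neighbor advertisements in the dump above are how the new master announces the CARP addresses.

```pf
# Added example, not from the thread.  The carpdev interface name is assumed.
carpdev = "em0"

# IPv4 CARP: advertisements go to the 224.0.0.18 multicast group.
pass quick on $carpdev inet proto carp to 224.0.0.18

# IPv6 CARP: advertisements are sourced from the carpdev's link-local address
# (fe80::/10) and sent to ff02::12.  No global address is ever involved, so
# no per-host MAC or global-address rules are needed.
pass quick on $carpdev inet6 proto carp from fe80::/10 to ff02::12

# Neighbor discovery must pass too, or the master's neighbor advertisements
# for the CARP addresses never reach the other hosts on the segment.  DAD
# probes are sent from the unspecified address ::, so the source is left open.
pass quick on $carpdev inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }
```

Check the result with `pfctl -nf /etc/pf.conf` and then watch `tcpdump -ni em0 ip6 proto 112` on both firewalls: advertisements from anything other than an fe80::/10 source on this segment are not CARP peers and should stay blocked.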



Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-05 Thread Todd T. Fries
Penned by Andy on 20130704  9:25.40, we have:
| On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren wrote:
| >> I'd rather not have to create extra tunnels or define VPN policies with subnets which have prefixes wider than the internal LANs.
| >> That leaves mangling, but I cannot see how I would do the mangling in PF to make it work without doing a redirect through the loopback etc.. Just wondering if anyone knows of a cleaner way?
| >
| > I think widening the flow's source is cleanest (as I mentioned in my first reply). However, I think it's possible to use a gif tunnel for the tunnel encapsulation, and only use IPsec for the endpoint encryption. It would probably work, because unlike IPsec flows, it's not "source routed".
| 
| Ah ha!!! Of course!! Thank you :D
| 
| Andy.

The other option is to add a local route that seems pointless but actually aids
in the scenario.

Consider a router with an internal network IP of 192.168.0.1/24.

Consider an IPsec tunnel from 192.168.0.0/24 <-> 192.168.1.0/24.

Consider adding a route 'route add 192.168.1.0/24 192.168.0.1'.

Suddenly the source IP of any daemon on the OpenBSD system becomes
192.168.0.1 when attempting to connect to any system on the
192.168.1.0/24 segment.

This trick only works for IPv4.  For IPv6, there is no solution beyond
having each software choose its source address carefully.

FWIW.
-- 
Todd Fries .. t...@fries.net



small portable for OpenBSD

2013-06-11 Thread Todd T. Fries
I'm hoping someone out there knows more than my google searching skills.

I'm looking for a small (phone or slightly larger sized) computer that will
run OpenBSD, has audio and wifi supported, and has a decentish battery life.

I want to couple it with a mifi with verizon to do VoIP and IM and other
random bits a small device can be useful at when not in front of a bigger
laptop/desktop.

I have a semi bricked N900, but it doesn't run OpenBSD, and a random
update and a busted usb port have set it out of contention.

I have a zaurus.  It's cute, but battery life sucks, and the audio
jack has a mic line but it is not currently supported.

I'm sure others would like to hear about this not just me, so misc, any
hardware recommendations (that hopefully won't break the bank?).

Thanks,
-- 
Todd Fries .. t...@fries.net



Re: OpenBSD ignoring RFC-compliant IPv6 neighbor solicitation?

2013-05-07 Thread Todd T. Fries
Penned by Patrik Lundin on 20130507 16:02.25, we have:
| On Tue, May 07, 2013 at 09:16:25PM +0200, Stefan Bagdohn wrote:
| > Wasn't this check introduced as mitigation of CVE-2008-2476 five years ago?
| > E.g. http://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/001_ndp.patch
| > 
| 
| Maby something along the lines of the 'nd6_onlink_ns_rfc4861' sysctl
| flag mentioned at
| http://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc
| could be used for the odd cases where it's needed?
| 
| Regards,
| Patrik Lundin

This makes the most sense to me.  Otherwise, someone should fix their
broken router.

-- 
Todd Fries .. t...@fries.net



Re: turn ipw(4) off when not needed

2012-10-17 Thread Todd T. Fries
Penned by Jan Stary on 20121017 10:46.55, we have:
| This is current/i386 on an IBM Thinkpad T40.
| 
| It comes with an ipw(4) wifi interface, which works fine. Anyway,
| the ipw(4) seems to be one of the substantial battery eaters. So
| I would like to not use the interface when running on battery
| and not actually using a wifi connection.
| 
| Running 'ifconfig ipw0 down' seems to do that: the antenna icon led
| switches off, and time left (as reported by apm) starts increasing.
| (What would be a more rigorous way to see that the battery is actually
| running off more slowly now, others being equal? The machine doesn't
| have any sensors, as reported by 'sysctl hw').
| 
| I would like to let that happen automatically, if only because sometimes
| I forget to do that, and drain the battery considerably faster.
| What is the preferred way to do that? Is ifstated(8) the way?
| 
| ifstated(8) is monitoring the 'interface link state'.
| Is 'no network' recognizable as an interface link state?
| What I would like to recognize with ipw0 is what
| 'no carrier' would be for an ethernet interface:
| is that a good analogy? 'no network' just means
| the interface is not associated to any network,
| not that there isn't a network around, right?
| 
| Now I tend to put
| 
|   ifconfig ipw0 | grep 'no network' > /dev/null && ifconfig ipw0 down
| 
| into the root's crontab but that seems a bit crude.
| 
|   Jan

A slightly less crude way would be to put this there:

ifconfig egress | grep "^ipw0" > /dev/null && { apm | grep 'A/C adapter state: connected' || ifconfig ipw0 down; }

because if 'egress' is not on ipw0 you're not using wireless,
and if the A/C adapter state is not connected, you're on battery.

Just sayin' ;-)

| 
| 
| OpenBSD 5.2-current (GENERIC) #36: Sun Oct 14 13:13:06 MDT 2012
| dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
| cpu0: Intel(R) Pentium(R) M processor 1500MHz ("GenuineIntel" 686-class) 1.50 GHz
| cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,TM,PBE,EST,TM2
| real mem  = 267317248 (254MB)
| avail mem = 251985920 (240MB)
| mainbus0 at root
| bios0 at mainbus0: AT/286+ BIOS, date 06/18/07, BIOS32 rev. 0 @ 0xfd750, SMBIOS rev. 2.33 @ 0xe0010 (61 entries)
| bios0: vendor IBM version "1RETDRWW (3.23 )" date 06/18/2007
| bios0: IBM 237382G
| apm0 at bios0: Power Management spec V1.2
| acpi at bios0 function 0x0 not configured
| pcibios0 at bios0: rev 2.1 @ 0xfd6e0/0x920
| pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdea0/272 (15 entries)
| pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
| pcibios0: PCI bus #6 is the last bus
| bios0: ROM list: 0xc/0x1 0xd/0x1000 0xd1000/0x1000 0xdc000/0x4000! 0xe/0x1
| cpu0 at mainbus0: (uniprocessor)
| cpu0: Enhanced SpeedStep 1496 MHz: speeds: 1500, 1400, 1200, 1000, 800, 600 MHz
| pci0 at mainbus0 bus 0: configuration mode 1 (bios)
| 0:31:1: io address conflict 0x5800/0x8
| 0:31:1: io address conflict 0x5808/0x4
| 0:31:1: io address conflict 0x5810/0x8
| 0:31:1: io address conflict 0x580c/0x4
| pchb0 at pci0 dev 0 function 0 "Intel 82855PM Host" rev 0x03
| intelagp0 at pchb0
| agp0 at intelagp0: aperture at 0xd000, size 0x1000
| ppb0 at pci0 dev 1 function 0 "Intel 82855PM AGP" rev 0x03
| pci1 at ppb0 bus 1
| vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility M7" rev 0x00
| wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
| wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
| radeondrm0 at vga1: irq 11
| drm0 at radeondrm0
| uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: irq 11
| uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: irq 11
| uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: irq 11
| ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: irq 11
| usb0 at ehci0: USB revision 2.0
| uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
| ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x81
| pci2 at ppb1 bus 2
| 2:0:0: mem address conflict 0xb000/0x1000
| 2:0:1: mem address conflict 0xb100/0x1000
| cbb0 at pci2 dev 0 function 0 "TI PCI1520 CardBus" rev 0x01: irq 11
| cbb1 at pci2 dev 0 function 1 "TI PCI1520 CardBus" rev 0x01: irq 11
| em0 at pci2 dev 1 function 0 "Intel PRO/1000MT (82540EP)" rev 0x03: irq 11, address 00:0d:60:7f:83:fa
| ipw0 at pci2 dev 2 function 0 "Intel PRO/Wireless 2100" rev 0x04: irq 11, address 00:0c:f1:16:9b:b8
| cardslot0 at cbb0 slot 0 flags 0
| cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0xb0
| pcmcia0 at cardslot0
| cardslot1 at cbb1 slot 1 flags 0
| cardbus1 at cardslot1: bus 6 device 0 cacheline 0x8, lattimer 0xb0
| pcmcia1 at cardslot1
| ichpcib0 at pci0 dev 31 function 0 "Intel 82801DBM LPC" rev 0x01: 24-bit timer at 3579545Hz
| pciide0 at pci0 dev 31 function 1 "Intel 82801DBM IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
| wd0 
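A less crude version of the cron job, added as an example and not from the thread. It only downs the interface when the machine is on battery and the interface is not in the egress group (that is, not the uplink), and it skips the no-op when the interface is already down. The decision logic takes the ifconfig(8) and apm(8) output as strings so it can be exercised off the laptop; the interface name, the cron schedule and any output format beyond the 'A/C adapter state:' line quoted above are assumptions.

```shell
#!/bin/sh
# Bring a wireless interface down only when it is NOT carrying the default
# route (not a member of the egress group) AND the machine is on battery.
# Command output is passed in as strings so the decision can be checked
# without ifconfig(8)/apm(8).  Added example; names and schedule are assumed.

# wifi_should_down <ifconfig egress output> <apm output> <ifname>
# Returns 0 when the interface should be downed, 1 when it should stay up.
wifi_should_down() {
    egress_out=$1; apm_out=$2; ifn=$3
    # On mains power there is nothing to save.
    if printf '%s\n' "$apm_out" | grep -q 'A/C adapter state: connected'; then
        return 1
    fi
    # ifconfig egress lists each member as "ipw0: flags=..."; if the wireless
    # interface is in the group it is the uplink and must stay up.
    if printf '%s\n' "$egress_out" | grep -q "^${ifn}: "; then
        return 1
    fi
    return 0
}

# wifi_is_up <ifconfig ifname output>
# True when the UP flag is set; avoids a pointless "down" every minute.
wifi_is_up() {
    printf '%s\n' "$1" | grep -q '^[a-z0-9]*: flags=[0-9a-fx]*<UP'
}

# wifi_autodown [ifname]
# Root crontab entry:  * * * * * /usr/local/sbin/wifi_autodown ipw0
wifi_autodown() {
    ifn=${1:-ipw0}
    if wifi_is_up "$(ifconfig "$ifn")" &&
       wifi_should_down "$(ifconfig egress)" "$(apm)" "$ifn"; then
        ifconfig "$ifn" down
        logger -t wifi_autodown "$ifn down: on battery and not the egress interface"
    fi
}
```

Bringing the interface back up is deliberately left to the user (or to a matching rule when the A/C adapter reconnects); an automatic "up" would re-associate and drain the battery the job was meant to save.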

Re: problem setting inet6 route

2012-08-31 Thread Todd T. Fries
Penned by Claudio Jeker on 20120831  9:27.50, we have:
| On Fri, Aug 31, 2012 at 09:22:06AM +, Stuart Henderson wrote:
| > On 2012-08-31, Remi Locherer  wrote:
| > > I rented a server from Hetzner where I installed OpenBSD 5.1. Hetzner also
| > > provides IPv6 but somehow with a strange setup. I got something like the 
| > > following from them:
| > >
| > > Gateway Address: 2001:db8:1:1110::1/64
| > > Subnet I can use: 2001:db8:1:/64
| > >
| > > If I now assign for example 2001:db8:1::1/64 to the interface on my
| > > server it doesn't let me set the default gateway because it's not in the
| > > same subnet:
| > >
| > > openbsd# ifconfig rl0 inet6 2001:db8:1::/64
| > > openbsd# route add -inet6 default 2001:db8:1:1110::1
| > > route: writing to routing socket: Network is unreachable
| > > add net default: gateway 2001:db8:1:1110::1: Network is unreachable
| > >
| > > For Linux they give these instructions:
| > > linux# ip route add 2001:db8:1:1110::1 dev eth0
| > > linux# ip route add default via 2001:db8:1:1110::1
| > >
| > > I tried:
| > > openbsd# route add -inet6 -iface 2001:db8:1:1110::1 2001:db8:1:::1
| > > openbsd# route add -inet6 default 2001:db8:1:1110::1
| > >
| > > But now it's not possible to ping6 2001:db8:1:1110::1 or any other IPv6
| > > address.
| > 
| > No idea if it will work, but you could try something like this
| > 
| > route add -inet6 -mpath default -ifp rl0 2001:db8:1:1110::1
| > 
| 
| Bad advice. Hetzner gave the wrong gateway or the wrong network. It is
| funny that the Linux example they give is using proper network numbers.
| 
| In short, the gateway MUST be part of a connected route (network
| configured on the interface) because ND or ARP for INET is needed to
| figure out the MAC address to talk to that host on the L2 network.
| 
| The only exceptions are point-to-point interfaces but those have a
| destination IP on the interface and don't need a L2 address resolution
| protocol.
| -- 
| :wq Claudio

I hate exceptions. 1and1.com, I'm looking at you.

This abomination has survived too many years:

hostname.if:
   !route add -llinfo -iface -net 10.255.0.0/16 10.255.255.1 -ifp nfe0
   inet 1.2.3.4 255.255.255.255
   inet 1.2.4.3 255.255.255.255
   ...

mygate:
   10.255.255.1

This forces the subnet to be on the interface so one can reach a router
without having any IP's on the local system corresponding to the remote
router IP.

Thanks,
-- 
Todd Fries .. t...@fries.net



Re: pf / gif / ipv6

2012-08-13 Thread Todd T. Fries
Penned by Michael Mercier on 20120812 12:03.16, we have:
| Hello,
| 
| I am seeing a behavior in pf that I don't understand.
| 
| # uname -mrvp
| 5.0 GENERIC#36 sparc64 SUNW,UltraSPARC-IIIi (rev 2.4) @ 1062 MHz
| 
| When I have the following configured:
| 
| (not complete configuration)
| 
| ext_if = "hme0"
| int_if = "bge0"
| 
| ipv6gws = "{ a.b.c.192 a.b.c.193 a.b.c.194 a.b.c.195 }"
| 
| block log all
| 
| # permit proto 41 to/from ipv6 gws
| #pass log quick on $ext_if inet proto 41 from any to any
| pass in log quick on $ext_if inet proto 41 from $ipv6gws to ($ext_if)
| pass out log quick  on $ext_if inet proto 41 from ($ext_if) to $ipv6gws

Try adding:

  pass log quick on gif inet6 

Just because you pass the outer tunnel traffic doesn't mean you're passing the
inner tunnel traffic.

| pfctl -s rules produces:
| pass in log quick on hme0 inet proto ipv6 from a.b.c..192 to (hme0)
| pass in log quick on hme0 inet proto ipv6 from a.b.c..193 to (hme0)
| pass in log quick on hme0 inet proto ipv6 from a.b.c..194 to (hme0)
| pass in log quick on hme0 inet proto ipv6 from a.b.c..195 to (hme0)
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..192
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..193
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..194
| pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..195
| 
| gif interface:
| ifconfig gif5 create
| ifconfig gif5 tunnel a.b.c.195 x.y.z.38
| ifconfig gif5 up
| route -n add -inet6 default ::1 -ifp gif5
| 
| but this traffic is blocked by pf ($ext_if - hme0 is x.y.z.38):
| 
| 20:31:03.536279 rule 11/(match) [uid 0, pid 28111] block in on hme0:
| a.b.c.195 > x.y.z.38: a:b:c:d::e > a:c:f:13:111:512f:f07a:8193:
| [|tcp] (len 28, hlim 57) (ttl 251, id 37052, len 88)
| 
| rule 11 is "block log all" from above
| 
| but if I uncomment the rule:
| pass log quick on $ext_if inet proto 41 from any to any
| traffic passes.
| 
| NOTE:  I have also tried modifying the rules to have $ext_if instead
| of ($ext_if) with the same results.
| 
| My question is, what is being blocked by the rule?
| 
| Thanks,
| Mike

-- 
Todd Fries .. t...@fries.net
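A pf.conf fragment that spells out the two filtering points, added here as an example and not taken from the thread: a gif(4) tunnel's packets are filtered once as IPv4 protocol 41 on the external interface and again as IPv6 on the gif interface after decapsulation, so each layer needs its own pass rule. The interface names and the a.b.c.x / x.y.z.38 placeholders are the ones from the message. Which layer a block hit is visible in the pflog line itself: the interface after "block in on" is hme0 for the outer packet and gif5 for the inner one, and tcpdump printing the inner IPv6 header after the IPv4 pair does not change that.

```pf
# Added example, not from the thread.  Names and placeholders follow the message.
ext_if  = "hme0"
tun_if  = "gif5"
ipv6gws = "{ a.b.c.192 a.b.c.193 a.b.c.194 a.b.c.195 }"

block log all

# Layer 1: the IPv4 carrier packets, IP protocol 41 (IPv6-in-IPv4), on hme0.
# A log line "block in on hme0: a.b.c.195 > x.y.z.38: <ipv6 src> > <ipv6 dst>"
# was dropped here, so the fix belongs in these two rules.
pass in  log quick on $ext_if inet proto 41 from $ipv6gws to ($ext_if)
pass out log quick on $ext_if inet proto 41 from ($ext_if) to $ipv6gws

# Layer 2: the decapsulated IPv6 packets, seen again on gif5.
# A log line "block in on gif5: <ipv6 src> > <ipv6 dst>" was dropped here.
pass in  log quick on $tun_if inet6 from any to any
pass out log quick on $tun_if inet6 from any to any
```

Before tightening the inner rule set, run `tcpdump -n -e -ttt -i pflog0` once more and confirm the blocks have moved from hme0 to gif5; only then is it worth replacing the `inet6 from any to any` line with rules for the addresses actually routed through the tunnel.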



Re: pf: set skip option

2011-04-11 Thread Todd T. Fries
Penned by Matt S on 20110411 16:59.09, we have:
| Okay, I did that but apparently I spoke too soon as a tcpdump reveals packets 
| are still being blocked.  Here is an example from a tcpdump on the pflog0 
| interface:
| 
| Apr 11 14:57:43.943764 rule 1/(match) block in on tun0: 172.16.254.2 > 
| 10.40.60.1: icmp: echo request (gre encap)
| 
| I guess I need to specifically allow GRE traffic?

Since you're not skipping on tun(4) that seems to be accurate.
 
| Thanks,
| Matt
| 
| On 04/11/11 23:34, Matt S wrote:
| > Hello Everyone:
| > 
| > I am using 4.8 RELEASE.  Given the following pf.conf, would anyone be able to
| > tell me why gre0 is not being skipped?
| > 
| > set skip on lo
| > set skip on gre0
| > set skip on enc0
| 
| You need to combine them, or they override each other.
| 
| set skip on { lo0, gre0, enc0 }
| 
| /Alexander
| 
| > 
| > anchor "ftp-proxy/*"
| > 
| > block in all
| > pass out all
| > 
| > antispoof for tun0
| > table  persist
| > table  {10.40.60.0/24, 10.40.65.0/24}
| > 
| > match out on tun0 from 10.40.60.0/24 to any nat-to (tun0)
| > 
| > 
| > block log quick from 
| > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
| > pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
| > pass inet proto icmp all icmp-type {echoreq, unreach}
| > pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload  flush global) rdr-to 10.40.60.1
| > pass on em0 from {trustednets} to any
| > 
| > 
| > In order for in-bound packets from 10.40.65.1 not to be dropped, I have to ping
| > it 10.40.64.1 from 10.40.60.1 to set a state.  Any help that you can provide
| > would be appreciated.
| > 
| > Thanks,
| > Matt

-- 
Todd Fries .. t...@fries.net



Re: IPv6 woes: gateway on different subnet

2011-03-13 Thread Todd T. Fries
Have you tried ping6 -n ff02::2%re0 ? Does anyone respond?  Try using
the respond(ers) as your IPv6 default gateway.

Link local is best for IPv6 gateways for various reasons, if your upstream
isn't picky (unlike he.net tunnels, for example).

Penned by Moritz Grimm on 20110313  6:43.32, we have:
| Hi,
| 
| 
| after a couple of days of running into dead ends, I would appreciate
| some help.
| 
| To summarize: For more than 3 years I'm successfully running OpenBSD
| (it's now at OPENBSD_4_9/i386, running GENERIC.MP) at the German hoster
| Hetzner as my expensive little plaything. They offer native IPv6 for
| some time now, and I want to use it. However, the same methodology used
| with IPv4 does not work with IPv6 and I just can't figure out why (it's
| supposed to work identically.)
| 
| 
| The working IPv4 setup:
| 
| Additional network is 78.47.124.160/29, the gateway is 78.46.41.129/27.
| In /etc/hostname.re0 is the aliases and the route to the gateway of that
| network:
| 
| inet alias 78.47.124.161 255.255.255.248 78.47.124.167
| [...]
| !route add -inet -iface -ifp re0 -net 78.46.41.128 78.46.41.129 -netmask
| 255.255.255.224
| 
| I set the default gateway 78.46.41.129 in the first line of /etc/mygate.
| This works:
| 
| $ ping -I 78.47.124.161 www.google.com
| PING www.l.google.com (74.125.77.147): 56 data bytes
| 64 bytes from 74.125.77.147: icmp_seq=0 ttl=56 time=16.943 ms
| [...]
| 
| 
| The IPv6 setup (broken):
| 
| The IPv6 network is supposed to be 2a01:4f8:110:4363::/64, the gateway
| is 2a01:4f8:110:4360::1/59. So again there's the aliases in
| /etc/hostname.re0 ...
| 
| [...]
| inet6 alias 2a01:4f8:110:4363::42 64
| [...]
| !route add -inet6 -iface -ifp re0 -net 2a01:4f8:110:4360:: -prefixlen 59
| 2a01:4f8:110:4360::1
| 
| The second line in /etc/mygate sets the IPv6 default gateway
| 2a01:4f8:110:4360::1. This does not work:
| 
| $ ping6 ipv6.google.com
| PING6(56=40+8+8 bytes) 2a01:4f8:110:4363::42 --> 2a00:1450:8005::68
| ping6: sendmsg: No route to host
| ping6: wrote ipv6.l.google.com 16 chars, ret=-1
| 
| 
| A look at the routing table shows various differences between IPv4 and
| IPv6. Again, the working IPv4 entries first:
| 
| default   78.46.41.129   UGS   19  6792145  -  8 re0
| 78.46.41.128/27   link#1 UC2 0  -  4 re0
| 78.46.41.128/27   link#1 UCS   0 0  -  8 re0
| 78.46.41.129  00:26:88:76:21:1b  UHLc  1 0  -  4 re0
| 78.46.41.142  00:1d:92:39:57:54  UHLc  0 6  -  4 lo0
| 78.47.124.160/29  link#1 UC0 0  -  4 re0
| 78.47.124.161 127.0.0.1  UGHS  097  33200  8 lo0
| 
| (.142 is the main IP of mrsserver.net)
| 
| As can be seen, everything resolves nicely ... by comparison, IPv6 looks
| fubar'd:
| 
| default 2a01:4f8:110:4360::1  UGS  0  11  -  8 re0
| 2a01:4f8:110:4360::/59  2a01:4f8:110:4360::1  US   1  0   -  8 re0
| 2a01:4f8:110:4363::/64  link#1UC   0  0   -  4 re0
| 2a01:4f8:110:4363::42   00:1d:92:39:57:54 HL   0  0   -  4 lo0
| 
| That's it, nothing else from these networks, and the local host route
| for ::42 isn't even (U)p.
| 
| ndp -a shows:
| 
| Neighbor  Linklayer Address  Netif ExpireS Flags
| 2a01:4f8:110:4363::42 0:1d:92:39:57:54 re0 permanent R
| fe80::21d:92ff:fe39:5754%re0  0:1d:92:39:57:54 re0 permanent R
| fe80::1%lo0   (incomplete) lo0 permanent R
| 
| I tried to use ndp -I to set the default IPv6 interface to re0, but what
| that does is change the behavior of ping6 from EHOSTUNREACH to 100%
| packet loss. After doing so, the gateway shows up in ndp:
| 
| 2a01:4f8:110:4360::1  (incomplete) re0 permanent I
| 
| ... and that's as far as I have come. I also tried to solicit router
| information after setting net.inet6.ip6.accept_rtadv to 1, but there's
| nothing like that on the wire. I have to do manual configuration.
| 
| Lastly, the host's pf.conf is family-agnostic in almost all parts (and
| the two remaining places have been triple-checked.) It's also creating
| state for all outgoing traffic, so it really shouldn't interfere.
| 
| What I haven't pursued, yet, is that Hetzner configured my network
| wrong. This is hard to believe, though, as getting an IPv6 subnet from
| them is 100% automated and a problem would probably affect all their
| customers.
| 
| I'm stumped. What have I missed? Any and all help is greatly appreciated!
| 
| 
| Thanks,
| 
| Moritz


Re: how to enable ipv6?

2011-03-01 Thread Todd T. Fries
dhclient(8) on OpenBSD only supports IPv4, by design.

wide-dhcpv6 exists in the ports tree, that is the available option
for you if you want to use dhcpv6 and IPv6 today.

Penned by johnw on 20110301  7:50.28, we have:
| I searched Google, and every howto asserts that the ISP does not support IPv6
| and uses a tunnel/gif.
| But I know my ISP does support IPv6;
| how can I enable IPv6 with dhclient?
| Thank you.




Re: preferring ipv6?

2011-01-27 Thread Todd T. Fries
SEE ALSO
  resolv.conf(5)

Search for 'family'

I suspect you want:

family inet6 inet4

I run with this myself.

Penned by Michael W. Lucas on 20110127 12:41.05, we have:
| Hi,
| 
| My desktop, running the January amd64 snapshot, has a ipv6 tunnel via
| he.net.  It seems that my applications all prefer using ipv4.
| 
| Research led me to rfc3484 and the destination address selection
| algorithm.  A tunnel isn't going to work that way, fair enough.
| 
| I found a discussion about making Linux prefer IPv6
| 
| (http://wahjava.wordpress.com/2007/12/13/unable-to-view-ipv6-site-over-6to4-connection-in-firefox/).
| Is there some way to make OpenBSD similarly prefer IPv6 when
| available?
| 
| Thanks,
| ==ml
| 
| -- 
| Michael W. Lucas  
| http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
| Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
| mwlu...@blackhelicopters.org, Twitter @mwlauthor




Re: x*49.tgz checksums missing in snapshots/i386/SHA

2011-01-24 Thread Todd T. Fries
This will be corrected as new snaps go out.  Building differently
didn't produce the same result as before, go figure.

Penned by MERIGHI Marcus on 20110119  5:20.13, we have:
| hello all, 
| 
| just noticed that the SHA file is missing the checksums for the x*49.tgz
| files. 
| 
| bye, 
| 
| marcus




Re: hostname.if on 4.7 ignoring "-inet6"

2010-06-16 Thread Todd T. Fries
Penned by Stuart Henderson on 20100614 12:28.46, we have:
| On 2010-06-14, rh...@hushmail.com  wrote:
| > Hello list,
| >
| > I'm looking to explicitly disable IPv6 on interfaces where it is 
| > not used.  This includes link local addresses.
| >
| > However, this :
| >
| > # cat /etc/hostname.em0 
| >  
| > description "Some Port"
| > media 1000baseT
| > inet 172.16.176.166 255.255.255.252 NONE
| > -inet6
| > up
| 
| Please try this diff.
| 
| Index: netstart
| ===
| RCS file: /cvs/src/etc/netstart,v
| retrieving revision 1.129
| diff -u -p -r1.129 netstart
| --- netstart  12 Jan 2010 07:43:41 -  1.129
| +++ netstart  14 Jun 2010 11:27:47 -
| @@ -111,7 +111,7 @@ ifstart() {
|   dest)
|   cmd="$cmd $dtaddr"
|   ;;
| - [a-z!]*)
| + [a-z!-]*)
|   cmd2="$dt $dtaddr"
|   ;;
|   esac
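Review bot: the change from `[a-z!]*)` to `[a-z!-]*)` only adds a leading `-` to the set of accepted first characters, so `-inet6` now reaches cmd2, but a word starting with any other character (an uppercase letter, a digit, `#`) still matches no arm of the case and the whole line is silently discarded. If the intent is "everything that is not dest goes to cmd2", say so in the commit message or use a catch-all `*)` arm so the case has no silent fall-through.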

I'd like to propose this alternate fix.  What this is doing is ..

 if $1 == "dest"; then
add $2 as a destination address
 else
save all args for next iteration
 fi

Given that intended behavior, I believe the following diff is a more
thorough fix, which even `works' properly for comments:

--- netstart
+++ netstart
@@ -111,7 +111,7 @@ ifstart() {
dest)
cmd="$cmd $dtaddr"
;;
-   [a-z!]*)
+   *)
cmd2="$dt $dtaddr"
;;
esac
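Review bot: with `*)` as the second arm no word can fall through the case silently any more, which covers `-inet6` as well as uppercase, digits and `#`; the `dest)` arm must stay above it, since case takes the first matching pattern. Worth stating in the commit message that words the old `[a-z!]*)` pattern dropped now reach cmd2 and hence ifconfig, so this is a behavioural change rather than only a pattern fix.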

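To make the difference between the three patterns concrete, here is a constructed shell illustration (added here; it is not OpenBSD's netstart and does not reproduce the rest of ifstart's cmd/cmd2 handling): classify() applies each variant's case arms to the first word of a hostname.if line, and dropped_words() runs that over a sample like the hostname.em0 quoted above. The variant names orig, sthen and todd are labels of my own.

```shell
#!/bin/sh
# Constructed illustration, not /etc/netstart: how the case patterns
# discussed in this thread classify the first word of a hostname.if line.
# "dropped" models a word that matches no arm at all, which is what
# happened to "-inet6" with the original "[a-z!]*" pattern.
LC_ALL=C; export LC_ALL

# classify VARIANT WORD -> prints dest | cmd2 | dropped
classify() {
    case "$1" in
    orig)   # pattern as shipped: only words starting a-z or '!' are kept
        case "$2" in
        dest)     echo dest ;;
        [a-z!]*)  echo cmd2 ;;
        *)        echo dropped ;;
        esac ;;
    sthen)  # first diff: also accept a leading '-'
        case "$2" in
        dest)     echo dest ;;
        [a-z!-]*) echo cmd2 ;;
        *)        echo dropped ;;
        esac ;;
    todd)   # second diff: catch-all, nothing can fall through
        case "$2" in
        dest)     echo dest ;;
        *)        echo cmd2 ;;
        esac ;;
    *)  echo "unknown variant: $1" >&2; return 1 ;;
    esac
}

# dropped_words VARIANT < hostname.if -> lists the first words that
# VARIANT would silently lose (one per line, in file order)
dropped_words() {
    variant=$1
    while read -r dt dtaddr; do
        [ -z "$dt" ] && continue
        if [ "$(classify "$variant" "$dt")" = dropped ]; then
            echo "$dt"
        fi
    done
    return 0
}

# Constructed sample modelled on the hostname.em0 quoted in the thread.
SAMPLE='description "Some Port"
media 1000baseT
inet 172.16.176.166 255.255.255.252 NONE
-inet6
up'

# With the original pattern, "-inet6" is the line that vanishes.
printf '%s\n' "$SAMPLE" | dropped_words orig   # prints: -inet6
```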



Re: 4.7: doesn't route IPSEC traffic very well

2010-03-17 Thread Todd T. Fries
Try s/hmac-sha2-256/hmac-sha1/ until you have updated all your firewalls.

Also try seeing http://www.openbsd.org/faq/current.html#20100110 ..

Penned by Toni Mueller on 20100317 17:55.34, we have:
| Hi,
| 
| I've installed the latest snapshot, with kernel bsd.mp#488, on a
| machine that has several IPSEC connections to handle, some fixed
| (branch offices), some for road warriors. The setup per se has run well
| for several years, but after this upgrade, traffic to the branch
| offices stopped. I checked one of the branch office's firewalls, which
| runs a slightly older version of OpenBSD, that the encrypted packets
| arrive on the WAN interface. So I conclude that the gateway, running
| the snapshot, pushes the packets out ok (I can observe these packets on
| the gateway's enc0 interface, too, so confidence is high). In the
| branch office's gateway, using 'netstat -rnf encap', I see all the
| entries that there used to be, but I see _NO_ packets on its enc0
| interface.
| 
| Ideas about how to debug these, are most welcome!
| 
| 
| Kind regards,
| --Toni++




Re: faith problems

2010-03-10 Thread Todd T. Fries
This might be a better option, no custom kernel..

  http://undeadly.org/cgi?action=article&sid=20080724184757

Penned by Andris Kádár on 20100310 18:59.06, we have:
|  Hello,
| 
|  I try to build an ipv6-only network behind an OpenBSD box and
|  I am having problems with faith.
| 
|  'ifconfig -C'  shows that there is no faith support in the 4.6. release
|  kernel. So I try to compile a kernel with faith support enabled:
| 
| pseudo-device  faith  1
| 
|  But the kernel does not compile. I get:
| 
| ../../../../netinet/tcp_input.c: In function `tcp6_input':
| ../../../../netinet/tcp_input.c:337: error: `IFT_FAITH' undeclared
| (first use in this function)
| ../../../../netinet/tcp_input.c:337: error: (Each undeclared
| identifier is reported only once
| ../../../../netinet/tcp_input.c:337: error: for each function it appears in.)
| *** Error code 1
| 
|  Please help.
| 
| Regards,
| Andris Kadar




Re: multiple qemu hosts, typo

2010-02-02 Thread Todd T. Fries
You need a tun(4) device per qemu '-net tap' argument, sometimes multiple per
qemu instance, sometimes none per qemu instance..

Thanks,

Penned by Rogier Krieger on 20100202 16:51.31, we have:
| On Tue, Feb 2, 2010 at 15:27, Matthias Pfeifer  wrote:
| >  [...] Then the second:
| 
| >  this gives me a " cannot create /dev/tun0: Device busy "
| 
| If I'm not mistaken, you need separate tun(4) devices per qemu
| instance. The reason for that lies in the device being ready for
| simultaneous use only by a single process.
| 
| To quote tun(4):
|  Each device has the exclusive open property; it cannot be opened if it is
|  already open and in use by another process.
| 
| If I misunderstood, feel free to correct me.
| 
| Regards,
| 
| Rogier




Re: internal-sftp vs. /usr/libexec/sftp-server

2010-01-08 Thread Todd T. Fries
Know your code.

One can have sftp access to a chroot dir only, no binaries required.  This
is similar to but much more secure than ftpd's chroot support, with builtin ls
and such.

If you want to chroot a user with a shell, that's entirely different and much
more work and not simple in any regard.

Penned by Denis Doroshenko on 20100108 18:31.28, we have:
| On 1/8/10, Todd T. Fries  wrote:
| > You can chroot internal-sftp but not external.
| 
| well i chrooted external no prob, just put inside the chroot what ldd
| /usr/libexec/sftp-server shows, and i found out that the only thing which
| sftp-server couldn't live without is /etc/pwd.db (besides the minimal
| device set described in sshd_config(5) and /dev/log).
| 
| well, that required a little research with ktrace...
| 
| the thing is, if i need to have any /usr/bin programs inside the
| chroot, i'm gonna need /usr/libexec/ld.so and /usr/lib/*.so.*
| anyway... so does internal sftp-server give any gain in such situation
| besides some simplicity.
| 
| then what also is of interest, how do they match, external and
| internal? if external is being modified, is internal taken care as
| well?
| 
| thanks!!
| 
| >  Penned by Denis Doroshenko on 20100108 16:50.31, we have:
| >
| > | hi,
| >  |
| >  | is there any benefits of using internal-sftp over
| >  | /usr/libexec/sftp-server (which is being used with default
| >  | sshd_config)? sshd_config(5) says:
| >  |
| >  |  For file transfer sessions using
| >  |  ``sftp'', no additional configuration of the environment is nec-
| >  |  essary if the in-process sftp server is used, though sessions
| >  |  which use logging do require /dev/log inside the chroot directory
| >  |  (see sftp-server(8) for details).
| >  |
| >  | so default sshd_config uses a program, but internal-sftp is better for
| >  | chroot. what are benefits of /usr/libexec/sftp-server except for stuff
| >  | like timezone, locale, resolver etc. being initialized each time an
| >  | sftp connection being made?
| >  |
| >  | thanks!
| >




Re: internal-sftp vs. /usr/libexec/sftp-server

2010-01-08 Thread Todd T. Fries
You can chroot internal-sftp but not external.

Penned by Denis Doroshenko on 20100108 16:50.31, we have:
| hi,
| 
| is there any benefits of using internal-sftp over
| /usr/libexec/sftp-server (which is being used with default
| sshd_config)? sshd_config(5) says:
| 
|  For file transfer sessions using
|  ``sftp'', no additional configuration of the environment is nec-
|  essary if the in-process sftp server is used, though sessions
|  which use logging do require /dev/log inside the chroot directory
|  (see sftp-server(8) for details).
| 
| so default sshd_config uses a program, but internal-sftp is better for
| chroot. what are benefits of /usr/libexec/sftp-server except for stuff
| like timezone, locale, resolver etc. being initialized each time an
| sftp connection being made?
| 
| thanks!




Re: pf and fragmented IPv6 packets

2009-12-15 Thread Todd T. Fries
Penned by Joakim Aronius on 20091215  8:47.29, we have:
| * Todd T. Fries (t...@fries.net) wrote:
| > Must is there, granted.  For IPSec tunnels encapsulating IPv6 inside IPv4,
| > there are tricky problems that were looked at during n2k9 but not solved
| > that prevent the proper icmp6 too big message from being sent with the
| > proper source address to match the VPN config so it might make it back
| > to the proper system.  Without this, MTU is not reduced, and fail is the
| > result if using tunnel mode with IPSec encapsulating IPv6, only if this
| > is traffic from a client behind a VPN gateway.  For the gateways themselves,
| > they generate the properly sized packets.
| > 
| 
| Hi Todd,
| 
| Host1--(net1)--GW1==(tunnel)==GW2--(net2)--Host2
| 
| If Host1 sends an IPv6 packet to Host2 with an MTU too big for the GW1-GW2
| tunnel then the GW1 should send an ICMP packet too big to Host1. I assume that
| the ICMP packet should use GW1 and Host1 unicast addresses on net1 as source
| and destination, i.e. the MTU would then be related to traffic going through
| the gateway... But this would then not handle GW1 having multiple tunnels with
| different MTU.. Should the source address of the ICMPv6 message then be the GW1
| tunnel internal endpoint IP?
| 
| Does it matter if its an IPsec or a gif tunnel, as used by Sixxs (I guess
| not..)?
| 
| thanks,
| /Joakim
| Ps.. and I also have problem reaching the sitic.se site using IPv6 (Sixxs
| tunnel)..

gif(4) tunnels are routed not magically injected like IPSec, thus I have
not had path MTU issues with them like I have with IPSec and tunnel mode.

Note that when PMTU works properly, entries show up in the routing tables of the
systems that are the recipients of the TOO BIG messages, so multiple tunnels of
different MTU should not matter as much as the PMTU messages getting through
properly on each.



Re: running openbsd 4.6 under qemu

2009-12-14 Thread Todd T. Fries
Penned by Bob Beck on 20091214 13:43.50, we have:
| >
| > Current qemu releases (more recent than in the ports tree) do not run on
| > OpenBSD (have not been able to solve this yet *sigh*) so the above person has
| > Linux running natively and OpenBSD inside a newer qemu.  Originally it was
| > kvm that had this bug but looks like qemu is now bug-for-bug compatible with
| > this in recent versions of qemu. Whee.
| 
| arch=qemu, arch=vmware anyone?
| 
| it's not like it's an actual PC :)

It's not like it's any different than a circa 2000 1st gen 1ghz AMD I have.

If I don't `ukc> disable apm' it freezes when interrupts are enabled.

On kvm and current qemu, if I don't `ukc> disable mpbios' it freezes when
it sets tty flags (aka tickles the serial ports).

Tom-a-toe, to-mah-toe



Re: running openbsd 4.6 under qemu

2009-12-13 Thread Todd T. Fries
Penned by Henning Brauer on 20091213 20:57.07, we have:
| * Sam Watkins  [2009-12-13 20:45]:
| > I have been playing with qemu and finally found out how to get
| > networking going for OpenBSD and NetBSD guests.  If you are
| > interested, please check out my qemu page.  It shows my little
| > Eee PC running 10 operating systems at once!
| > 
| >   http://sam.nipl.net/qemu.html
| > 
| > The short answer for OpenBSD networking in qemu:
| > 
| >   config -ef /bsd
| >   disable mpbios
| >   quit
| 
| huh? many of us are using qemu on their laptops to hack on openbsd.
| i'm not doing this, and i doubt any of the others does.
| 
| -- 
| Henning Brauer, h...@bsws.de, henn...@openbsd.org
| BS Web Services, http://bsws.de
| Full-Service ISP - Secure Hosting, Mail and DNS Services
| Dedicated Servers, Rootservers, Application Hosting

The confusion lies in the fact that the version(s) of qemu are different.

Current qemu releases (more recent than in the ports tree) do not run on
OpenBSD (have not been able to solve this yet *sigh*) so the above person has
Linux running natively and OpenBSD inside a newer qemu.  Originally it was
kvm that had this bug but looks like qemu is now bug-for-bug compatible with
this in recent versions of qemu. Whee.



Re: pf and fragmented IPv6 packets

2009-12-11 Thread Todd T. Fries
Must is there, granted.  For IPSec tunnels encapsulating IPv6 inside IPv4,
there are tricky problems that were looked at during n2k9 but not solved
that prevent the proper icmp6 too big message from being sent with the
proper source address to match the VPN config so it might make it back
to the proper system.  Without this, MTU is not reduced, and fail is the
result if using tunnel mode with IPSec encapsulating IPv6, only if this
is traffic from a client behind a VPN gateway.  For the gateways themselves,
they generate the properly sized packets.

Penned by Joakim Aronius on 20091211 16:19.47, we have:
| * Stuart Henderson (s...@spacehopper.org) wrote:
| > On 2009/12/11 14:14, Joakim Aronius wrote:
| > > Could someone please hit me with a clue stick if I am wrong here...
| > > If there is tunnel reducing the MTU then the tunnel endpoint should
| > > send an ICMPv6 packet too big to the sender.
| > 
| > You can't rely on "should".
| 
| Ok, granted, I was a bit sloppy with words there, the RFC says must for the
| ICMP message. But reading up a bit on how the source host shall handle the
| situation it turns out that you can do pretty much as you like...
| 
| RFC 2460:
| >   In order to send a packet larger than a path's MTU, a node may use
| >   the IPv6 Fragment header to fragment the packet at the source and
| >   have it reassembled at the destination(s).  However, the use of such
| >   fragmentation is discouraged in any application that is able to
| >   adjust its packets to fit the measured path MTU (i.e., down to 1280
| >   octets).
| 
| Cheers,
| /Joakim




Re: Looking for "Secure Architectures with OpenBSD" pdf.

2009-12-10 Thread Todd T. Fries
Penned by Henry Sieff on 20091210 12:24.37, we have:
| On Thu, Dec 10, 2009 at 11:44 AM, FRLinux  wrote:
| > On Thu, Dec 10, 2009 at 2:03 PM, Tomas Bodzar  wrote:
| >> http://www.openbsd.org/books.html#book3
| >
| > Thanks for that, was unaware of that book. Just ordered my copy now :)
| 
| Not sure about the other authors, but I remember Nazario from the
| FW-WIZ list and he knows his stuff very well. Its probably a pretty
| good book, aside from being 5 years old and so not being as current as
| the documentation and all that.

I wrote some of the backup and ipsec and v6 bits for that book, there is
nothing that won't work today.

There have definitely been a few improvements, e.g. ipsecctl(8)
and ipsec.conf(5) since, but knowing how to beat isakmpd properly
never hurt anybody who uses ike on OpenBSD.

I'd say at least 90% of the book is still relevant, but that's an arguably
biased guess..

Thanks,



Re: pf and fragmented IPv6 packets

2009-12-10 Thread Todd T. Fries
Penned by Jonas Thambert on 20091210  9:39.33, we have:
| Like a month ago we got a complain from a user that our website
| was unreachable over IPv6. We have 2x Native Ipv6 transits. The user
| had bought IPv6 from an ISP thay uses tunneling to deliver it
| to the organization. After some packet traces we found out that the
| problem was in PF and that it doesn't seem to handle fragmented IPv6
| packets.
| 
| Sure enough, from the man page of pf.conf:
| 
| "Currently, only IPv4 fragments are supported and IPv6 fragments are
|  blocked unconditionally."
| 
| The problem is that some of Sweden's largest ISPs use tunneling for IPv6
| to their customers so we can't just say, ditch em. Teredo seems to work fine.
| 
| Is there a workaround or plans to implement support for this in pf? We have
| multiple firewalls and the others have no problems with ipv6 + fragmented
| packets.
| 
| 
| //Jonas

Somehow I think Stuart's approach with mss clamping would be better than
letting fragments through like the example pf.conf in the below url..

 http://ipv6samurai.blogspot.com/2009/12/technical-quickstart-for-ipv6.html

As far as the real fix goes, I botched a revamp of some v6 fragment
reassembly that was backed out a few years back, and passed it to
another developer who spent some time on it while we were at n2k9, but
has not had time to finish it.

FWIW.



Re: How to disable IPv6?

2009-12-06 Thread Todd T. Fries
Penned by Corey on 20091206 13:52.42, we have:
| I'll don the Nomex here and say that rather than turning IPv6 "off",
| I just block it with pf.  I don't know if that is what the OP wants,
| but it is relatively simple to do (as opposed to twiddling things in
| the kernel) and it keeps me from having to worry about any
| unexpected consequences of the box receiving or transmitting IPv6
| traffic, which I currently know so little about that I worry about
| it.
| 
| Corey

Between pf, 'ifconfig em0 -inet6' and 'echo family inet4 >> /etc/resolv.conf'
you should have about all the anti v6 knobs a budding newbie should need.

Me, I use IPv6 a lot.  You, obviously do not.

To each their own.



Re: asynchronous I/O

2009-12-04 Thread Todd T. Fries
Penned by Ted Unangst on 20091204 16:30.57, we have:
| On Fri, Dec 4, 2009 at 1:34 PM, Todd T. Fries  wrote:
| > Unfortunately qemu has aio support.
| 
| Does it really need it?  I cooked up a basic userland implementation
| using pthreads last night.

They provide compatibility functions #ifndef AIO_SUPPORT, which in my book
means they don't.

someone> Ya. QEMU made the POSIX AIO support optional for older OS's and OS's
someone> without support... but it also helps QEMU performance quite a bit.
someone> AIO is useful for VMs, proxy servers, web servers and a few other
someone> types of apps.
todd> I guess I don't get what the difference between AIO and non blocking fd's
todd> are.

I'd be more keen on getting current qemu working than getting
an aio implementation specifically for qemu.

Does aio really require threading?

If you did implement aio using threads, it would be the first use of threading
in all of base.

Thanks,



Re: asynchronous I/O

2009-12-04 Thread Todd T. Fries
Penned by Dope Ice Apollyon the Third on 20091204 10:43.03, we have:
| On Fri, Dec 4, 2009 at 10:20 AM, Luis Useche  wrote:
| > On Fri, Dec 4, 2009 at 12:07 AM, Ted Unangst  wrote:
| >> On Thu, Dec 3, 2009 at 11:47 PM, Dope Ice Apollyon the Third
| >>  wrote:
| >>> On Thu, Dec 3, 2009 at 10:57 PM, Luis Useche  wrote:
|  Hi Guys,
| 
|  I have been looking for information on how to do asynchronous I/Os in
|  OBSD with no luck. The only thing I have found so far is the O_ASYNC
|  flag in the fcntl syscall. I couldn't find any manual that talks about
|  this. Is this functionality included in OBSD?. If so, where can I find
|  information?
| 
| >>>
| >>> Well, open(2) mentions "If the O_SYNC flag is set, all I/O operations
| >>> on the file will be done synchronously.", so I suppose we're supposed
| >>> to assume the default is O_ASYNC. But I suspect what you're really
| >>> looking for is select(2).
| >>
| >> He's probably looking for aio_read and aio_write and such, but as one
| >> can tell by the absence of man pages, they don't exist here.
| >
| > Exactly, I am more interested more in something close to aio_read &
| > aio_write. I was hoping there was some api I can use. Is there any
| > reason why POSIX aio does not exist in OBSD? Security reasons maybe?
| >
| 
| Not to disparage your choice of API, but you've got me wondering: does
| anyone actually use AIO? The best result I could find on koders.com
| was a line from nginx that called a function whose name ended in _aio.
| Everything else was just various other APIs that provide AIO as a
| backend.
| 
| -Nick

Unfortunately qemu has aio support.

Fortunately, enough other OSes do not have aio that they have code to
handle their needs without aio support.
-- 
Todd Fries .. t...@fries.net




Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-04 Thread Todd T. Fries
Penned by Justin Smith on 20091104 15:45.33, we have:
| Theo wrote:
| 
| > For the record, this particular problem was resolved in OpenBSD a
| while back, in 2008.
| 
| Nice, but:
| 
| "Since 2.6.23, it has been possible to prevent applications from
| mapping low pages (to prevent null pointer dereferencing in the
| kernel) via the /proc/sys/vm/mmap_min_addr sysctl, which sets the
| minimum address allowed for such mappings."
| 
| 2.6.23 released:  Tue, 9 Oct 2007
| 
| Ref:
| http://lkml.org/lkml/2007/10/9/241
| http://james-morris.livejournal.com/26303.html
| 
| --
| JS

And now we get into the fun stuff.

Ever heard of 'secure by default' ?

This knob is set to '0' by default.

How many Linux installations actually read the above paragraph, understood
what value there could be in setting it to something other than zero, and
changed it accordingly?

'Nuff said.
-- 
Todd Fries .. t...@fries.net




Re: gif tunnel with ipv6 end points

2009-09-02 Thread Todd T. Fries
Penned by Thomas Schoeller on 20090902 21:50.14, we have:
| hello,
| 
| i'm trying to make a ipv4 over ipv6 tunnel, but ifconfig tells me: 
| 
| ifconfig: error in parsing address string: temporary failure in name
| resolution
| 
| when i'm issueing:
| 
| ifconfig gif0 tunnel XX:XX:XX:0:0:0:0:1 XX:XX:XX:0:0:0:0:2
| 
| best regards
| 
| thomas

hint: you're missing 'inet6'.

If you're doing OpenBSD <-> OpenBSD gif(4) tunneling (or know how to bump
MTU on the remote end in general) you might find that 1200 is leaving way
too much overhead per packet out.

Try this in /etc/hostname.gif0 on one end:

mtu 1400
!ifconfig \$if inet6 tunnel XX:XX:XX:XX::1 XX:XX:XX::2
inet 10.0.0.2 255.255.255.255
dest 10.0.0.1

And this on the other:

mtu 1400
!ifconfig \$if inet6 tunnel XX:XX:XX:XX::2 XX:XX:XX:XX::1
inet 10.0.0.1 255.255.255.255
dest 10.0.0.2

-- 
Todd Fries .. t...@fries.net




Re: Authentication method fallback not working

2009-08-28 Thread Todd T. Fries
Penned by Stuart Henderson on 20090828  8:51.04, we have:
| On 2009-08-28, Ian Chard  wrote:
| > On 27/08/09 13:44, Schvberle Daniel wrote:
| >>> Hi,
| >>>
| >>> I'm using OpenBSD 4.5-stable, and I'm trying to configure RADIUS
| >>> authentication.  What I want is for the system to try the
| >>> RADIUS server,
| >>> and if it fails, fall back to the local password file.  In
| >>> login.conf I have
| >>>
| >>> auth-defaults:auth=radius,passwd:radius-server=my.radius.server
| >>>
| >>> If the RADIUS server isn't there for whatever reason, the
| >>> system doesn't
| >>> fallback to password file authentication.  The same happens
| >>> if I specify
| >>> the methods the other way round: the RADIUS server is never
| >>> tried even
| >>> if the password-file-based login fails.
| >>>
| >>> I need to make sure that I can always log in even if the
| >>> RADIUS server
| >>> has gone away.  Is it possible to configure the system in this way?
| >>>
| >>> Thanks
| >>> - Ian
| >>
| >> Why not make a new login class for radius users and make yourself
| >> "backup" users in default class? Normally you'd login with users from
| >> the radius class and if that fails you'd use a user form the default class.
| >> Of course, that way you'd have to use different login names for the
| >> two classes.
| >
| > That's a good workaround, thanks.  Do you know if it's a bug that this 
| > doesn't work, or is it just not implemented?  I assumed from the 
| > manpages that being able to specify more than one style implies that 
| > there's some kind of fallback mechanism.
| >
| > I just wanted to know whether it was worth filing a bug for this.
| 
| I used to use authentication styles for skey; as login(1) says, "To specify
| the alternate authentication mechanism style, the string :style is appended
| to the user name (i.e., user:style)."
| 
| So you shouldn't need a separate account, just login as "user:passwd".
| The existence of "krb5-or-pwd" suggests to me that there's probably no
| automatic fall-back but I haven't checked that.

There is indeed no automatic fallback.  krb5-or-pwd makes it very clear
that if you want fallback, you must create an auth method that does what
you wish.

The ability for me to login as 'todd:passwd' is invaluable to me, as
even krb5-or-pwd sometimes has conditions where sshd default timeouts
are not long enough.  Aka if no default route is set, and the kerberos
server is not on the local network, it times out quickly.  Otherwise, if
the network is up but the kerberos server is not reachable, it takes
over 10min to fallback to passwd, during which time the 5min sshd
default timeout times the connection out.  Especially my firewall but
lots of my systems have:

auth-defaults:auth=krb5-or-pwd,passwd:

Thanks,
-- 
Todd Fries .. t...@fries.net




Re: SFTP - Max Users

2009-08-27 Thread Todd T. Fries
Not sure what unix you're running; over here, uid_t is 32-bit.

Penned by Robert on 20090827 20:52.31, we have:
| On Thu, 27 Aug 2009 13:23:18 -0400
| "Morris, Roy"  wrote:
| 
| > G'day,
| > I searched around but couldn't find a simple answer to this
| > question. I want to host a sftp server and there could be
| > thousands of accounts, although not all used at once. I was
| > wondering if there is a limit to the number of user accounts
| > I can create on a machine? I had originally thought of using
| > a database for authentication but I don't see an easy way of doing
| > that on OpenBSD.
| > 
| > thanks
| > Roy
| 
| Number of local  user accounts is liminted by the available user id's.
| Since that's a 16 bit limit and if you stick to the 'from uid 1000 up'
| rule, that'd leave you with 64536 possible accounts.
| 
| - Robert

-- 
Todd Fries .. t...@fries.net




Re: 'xterm -e mutt' doesn't show colors

2009-06-17 Thread Todd T. Fries
Try TERM=xterm-color

Penned by Pieter Verberne on 20090617 22:39.56, we have:
| Hi,
| 
| When I run mutt (or tmux/colorls -G/etc) from xterm, I have fancy
| colors=] But when I run:
| 
| $ xterm -e mutt
| 
| I don't have colors =[ (I'm running dwm and I want xterm to start tmux
| automaticly)
| 
| $ cat .Xdefaults
|  XTerm.*.colorMode: on# yes, two capitals
|  XTerm.*.dynamicColors: on
|  xterm.*.loginShell: true
|  xterm.*.scrollBar: false
|  xterm.*faceName: Mono
|  xterm.*faceSize: 13
|  xterm.*.visualBell: true
| 
| $ echo $TERM
| xterm-xfree86
| 
| All other settings in .Xdefaults are applied just fine with the '-e'
| option, so I don't think it's a problem with that file or with
| xterm-options; -title -T or -n .
| 
| Can someone help me with this puzzle?
| 
| Pieter

-- 
Todd Fries .. t...@fries.net




Re: two IP addresses on one pppoe connection

2009-05-25 Thread Todd T. Fries
If you use the kernel mode pppoe, you can ifconfig add them as an
alias to the interface, you might be able to do the same to the tun
interface, see if it works...

You are showing your roots, tun0:0 and tun0:1 are Linux naming
conventions, here in OpenBSD we just add addresses to the device
itself as 'aliases' aka:

  # ifconfig fxp0 inet 1.2.3.4 netmask 255.255.255.0
  # ifconfig fxp0 inet alias 1.2.3.5 netmask 255.255.255.0
  # ifconfig fxp0 inet alias 1.2.3.6 netmask 255.255.255.0
  # ifconfig fxp0
  fxp0: flags=...
  [..]
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
        inet 1.2.3.5 netmask 0xffffff00 broadcast 1.2.3.255
        inet 1.2.3.6 netmask 0xffffff00 broadcast 1.2.3.255

For further reading see ifconfig(8), hostname.if(5), and
pppoe(4) (as opposed to pppoe(8)).

Penned by Scott McEachern on 20090525 11:26.33, we have:
> Hello all,
>
> I currently have a single line DSL connection with my ISP and I am  
> considering getting a 2nd IP from them for a second domain.  The DSL  
> modem  (a speedtouch 516 which has a single ethernet connection to the  
> LAN) is in bridge mode so the OpenBSD firewall handles the  
> connection/authentication.
>
> I was wondering if there is a way to have ppp/pppoe bind a second IP  
> address to one DSL connection?  And if this is possible, would the IPs  
> then be bound to tun0:0 and tun0:1?  I cannot find an answer to this in  
> my research.
>
> This is my current setup for a single IP, which works wonderfully:
>
> In /etc/rc.local:
>
> if [ -f /is_fw0 ]; then
>echo -n ' PPPoE ';
>ppp -ddial pppoe
>sleep 2
> fi
>
> In /etc/ppp/ppp.conf:
>
> default:
> set log Phase Chat IPCP CCP tun command
> set redial 3 0
> set reconnect 5 10
>
> pppoe:
> set device "!/usr/sbin/pppoe -i ne3"
> set mtu 1492
> set mrru 1524
> set speed sync
> set cd 5
> set dial
> set login
> set timeout 0
> set authname myusername
> set authkey mypassword
> add! default HISADDR
> enable dns
> enable mssfixup
>
>
>
> -- 
>
> - RSM
>
> http://erratic.ca

-- 
Todd Fries .. t...@fries.net




Re: OpenBSD on the desktop / 3D acceleration / printer

2009-05-20 Thread Todd T. Fries
sane-project.org is in the ports tree for scanning as a backend,
and is the de facto scanning support project for all of unix.  You
won't find anything usb related different between any of the unixes
here.

Penned by Joe Gidi on 20090520 17:31.26, we have:
| Christopher Intemann wrote:
| 
| > Hi,
| > I'm thinking about installing OpenBSD on my desktop workstation.
| > As far as I know, there are commercial (binary) drivers for some Nvidia
| > and
| > ATI cards applicable.
| > Do these drivers work on OpenBSD as well?
| 
| There is no support for binary blob drivers, and I'd be absolutely shocked
| if it was even considered at any point. OpenBSD doesn't work that way.
| 
| > If not, which graphics cards are supported for 3D acceleration at all?
| 
| Intel and some ATI cards have working DRI/DRM. See
| http://www.undeadly.org/cgi?action=article&sid=20081029164221
| 
| > Then, I would like to connect my USB printer/scanner (Epson SX100).
| > From what I've learned from google, this device should work with Linux -
| > but
| > does it work with OpenBSD?
| 
| I can't speak to that particular printer model, but odds are very good
| that it will work with either lpd or CUPS when the appropriate
| configuration is done. Some links on printing in OpenBSD:
| 
| http://www.stilyagin.com/darrin/blog/2007/05/16/2200/
| http://www.stilyagin.com/darrin/blog/2006/08/27/1218/
| http://erdelynet.com/tech/openbsd/using-foo2zjs-with-openbsd-lpd/
| 
| > Thx,
| >  Chris
| 
| -- 
| Joe Gidi
| j...@entropicblur.com

-- 
Todd Fries .. t...@fries.net




Re: spam from chrooted CMSes

2009-04-09 Thread Todd T. Fries
When dealing with web based submission, the best thing I have found is
to make sure the web based submission adds its own headers, like what it
is and where the user came from and such, so that when diagnosing the
problem one can easily block based on that information. If there is an
account involved, you should include that info as well.

If you're really cracking this nut properly, you'd include heuristics
to temporarily block if too many messages are sent in a given time period,
and permanently block pending review if too many temporary blocks occur
within a given time period.

Thanks,
-- 
Todd Fries .. t...@fries.net


Penned by Uwe Dippel on 20090410  9:42.21, we have:
> I'm running postfix as MTA on a machine with several CMS, on a chrooted 
> Apache.  Recently, there is a huge number of spam being sent from there, 
> alas. When I scan the postfix-logs, all those come from 'root', meaning 
> they don't come through port 25. I run OpenBSD with mini-sendmail, and now 
> I wonder how I could find out from which CMS they are sent. Is there any 
> chance to find out from which CMS they are sent?
>
> Thanks,
>
> Uwe
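The header tagging and the two-stage block described in the reply above, as an added example (not code from the original post, from postfix or from any CMS); the header names, thresholds, CMS names, addresses and sample events are all constructed for the illustration.

```python
"""Rate-limiting gate for web-form mail submissions (hypothetical, added example).

Every message a web form sends is stamped with headers saying which CMS
produced it, the client address and the account (if any). That identity is
then rate-limited: too many messages inside a short window earns a temporary
block, and too many temporary blocks inside a longer window earns a permanent
block pending human review. Names, thresholds and events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


def trace_headers(cms: str, client_ip: str, account: Optional[str]) -> Dict[str, str]:
    """Headers the submission form stamps on each outgoing message (hypothetical names).

    With these present, a spam run in the MTA logs can be traced back to the
    CMS, client and account that generated it instead of just showing 'root'.
    """
    headers = {"X-Web-Submission": cms, "X-Originating-IP": client_ip}
    if account:
        headers["X-Submitter-Account"] = account
    return headers


def submission_key(headers: Dict[str, str]) -> str:
    """Identity the rate limits are tracked against, built from the trace headers."""
    return "/".join(
        headers.get(h, "-")
        for h in ("X-Web-Submission", "X-Originating-IP", "X-Submitter-Account")
    )


@dataclass
class Policy:
    max_msgs: int = 5                 # messages allowed per msg_window
    msg_window: float = 60.0          # seconds
    temp_block: float = 300.0         # seconds a temporary block lasts
    max_temp_blocks: int = 3          # temp blocks allowed per escalation_window
    escalation_window: float = 3600.0


class SubmissionGate:
    """Decides per message: 'accept', 'temp-block' or 'review'."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self._sent: Dict[str, Deque[float]] = defaultdict(deque)    # accepted msg times
        self._blocks: Dict[str, Deque[float]] = defaultdict(deque)  # temp-block times
        self._blocked_until: Dict[str, float] = {}
        self.pending_review: Set[str] = set()

    @staticmethod
    def _prune(times: Deque[float], cutoff: float) -> None:
        # Drop timestamps that have fallen out of the sliding window.
        while times and times[0] < cutoff:
            times.popleft()

    def check(self, key: str, now: float) -> str:
        p = self.policy
        if key in self.pending_review:
            return "review"                       # permanent until a human clears it
        if now < self._blocked_until.get(key, float("-inf")):
            return "temp-block"                   # still inside a temporary block
        sent = self._sent[key]
        self._prune(sent, now - p.msg_window)
        if len(sent) >= p.max_msgs:
            blocks = self._blocks[key]
            self._prune(blocks, now - p.escalation_window)
            blocks.append(now)
            if len(blocks) >= p.max_temp_blocks:
                self.pending_review.add(key)      # escalate: block pending review
                return "review"
            self._blocked_until[key] = now + p.temp_block
            return "temp-block"
        sent.append(now)
        return "accept"


def run(events: List[Tuple[float, Dict[str, str]]], policy: Policy) -> List[str]:
    """Feed (timestamp, headers) events through one gate and return the decisions."""
    gate = SubmissionGate(policy)
    return [gate.check(submission_key(h), t) for t, h in events]


# Constructed sample: one form hammered from a single address, one quiet one.
SAMPLE_POLICY = Policy(max_msgs=3, msg_window=60, temp_block=300,
                       max_temp_blocks=2, escalation_window=3600)
NOISY = trace_headers("wordpress-contact", "203.0.113.7", None)
QUIET = trace_headers("drupal-webform", "198.51.100.9", "alice")
SAMPLE_EVENTS = [(0, NOISY), (5, QUIET), (10, NOISY), (20, NOISY), (30, NOISY),
                 (40, NOISY), (400, NOISY), (410, NOISY), (420, NOISY),
                 (430, NOISY), (440, NOISY)]

if __name__ == "__main__":
    for (t, h), d in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, SAMPLE_POLICY)):
        print(f"t={t:>4} {submission_key(h):45} {d}")
```

The temporary block should last at least as long as the message window, otherwise a sender is re-blocked the moment it expires and escalates faster than intended.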



Re: IPv6 null route

2009-04-06 Thread Todd T. Fries
I believe you want:

$ sudo route add -inet6 -net -blackhole 2607:f2f8:: -prefixlen 32 ::1 
-- 
Todd Fries .. t...@fries.net


Penned by Garry Dolley on 20090406 19:29.46, we have:
| Hey misc@,
| 
| I'm trying to install a null route for an IPv6 block, but I get:
| 
| $ sudo route add -inet6 2607:f2f8::/32 ::1 -blackhole
| route: 2607:f2f8::/32: bad value
| 
| What is bad about that v6 address?
| 
| Note that even when omitting -blackhole, it will still error.
| 
| I'm running OpenBSD 4.4 on amd64 arch.  Stock GENERIC kernel.
| 
| I'm sure it's simple but I don't deal w/ OpenBSD routers much.
| 
| Thanks.
| 
| -- 
| Garry Dolley
| ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
| Data center, VPS, and IP Transit solutions
| Member Los Angeles County REACT, Unit 336 | WQGK336
| Blog http://scie.nti.st



Re: Carp with aliases route problem

2009-02-23 Thread Todd T. Fries
You cannot get internet access on a backup carp interface, period.

I have seen what you see before, and it comes from not starting things
up in proper order manually, i.e. configuring a system, and not
rebooting it after it was configured so that boot time configs get
processed in proper order.

The only way you are going to get a default route going out a carp
interface is if you have the carp interface configured first prior
to a physical interface for a given network that the default route's
gateway is on.

Please note that /etc/netstart via the 'ifmstart' function starts
trunk/vlan/carp interfaces after normal interfaces, so you should
have gotten the first route in your routing table mentioned below
to go out the physical interface not the carp interface.

Your best bet is to reboot and let the scripts that are designed to
do this in the proper order for you do so, as you not only have the
default route but the route to the network your default gateway is
on going through the carp interface.

As a corollary, for those ISPs who think there is only need for a
single /30 for a client's router, the concept of failover routers
means 1 physical IP per router, and 1 IP for the failover IP, aka
3 IPs for the client side, dictating a /29.  (Sorry for this
paragraph, but I am not happy with a particular upstream which
thinks otherwise and is not willing to change.)

Thanks,
-- 
Todd Fries .. t...@fries.net


Penned by Michiel van Baak on 20090221 12:24.02, we have:
| Hi all,
| 
| I'm having some trouble with a two-node CARP setup.
| 
| Configuration:
| 
| HostA
| /etc/hostname.em0
| inet XXX.XXX.XXX.196 255.255.255.244 XXX.XXX.XXX.223 \
|   media 100baseTX mediaopt full-duplex description External
| 
| /etc/hostname.em1
| inet 192.168.10.2 255.255.255.0 192.168.10.255 \
|   media 100baseTX mediaopt full-duplex description Internal
| 
| /etc/hostname.em2
| inet 10.10.10.1 255.255.255.0 10.10.10.255 \
|   media 100baseTX mediaopt full-duplex description pfsync
| 
| /etc/hostname.pfsync0
| up syncdev em2
| 
| /etc/hostname.carp0
| inet XXX.XXX.XXX.198 255.255.255.224 XXX.XXX.XXX.223 vhid 1 pass foo
| inet alias XXX.XXX.XXX.199 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.200 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.201 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.202 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.203 255.255.255.224 NONE
| 
| /etc/hostname.carp1
| inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 2 pass bar
| 
| $ cat /etc/sysctl.conf | grep -v '^#' 
| net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
| net.inet.carp.preempt=1  # 1=Enable carp(4) preemption
| 
| HostB
| Almost the same, but using XXX.XXX.XXX.197 on em0 and 192.168.10.3 on
| em1 and 10.10.10.2 on em2 and the carp interfaces have advskew 100
| configured so the box is BACKUP
| 
| Now the problem:
| I can reach XXX.XXX.XXX.196 and all configured aliases without trouble.
| I can ssh in, relayd relays are working fine and all. If the box goes
| down or looses connection the second box takes over and everyone is
| happy.
| BUT, I cannot reach XXX.XXX.XXX.197 when HostB is in backup state.
| My suspicion is that this is a routing issue. Looking at the output of
| route -n show:
| 
| HostA:
| $ route -n show -inet  
| Routing tables
| 
| Internet:
| Destination        Gateway            Flags   Refs  Use   Mtu  Prio  Iface
| default            XXX.XXX.XXX.193    UGS9 53475499 -48  carp0
| 10.10.10/24        link#3             UC 10 -48  em2
| 10.10.10.2         00:15:17:95:c4:43  UHLc   0 1207 -48  em2
| XXX.XXX.XXX.192/27 link#6             UC210 -48  carp0
| XXX.XXX.XXX.193    00:00:5e:00:01:0c  UHLc   10 -48  carp0
| XXX.XXX.XXX.194    00:17:cb:ab:81:fe  UHLc   00 -48  carp0
| XXX.XXX.XXX.195    00:19:e2:0c:31:fe  UHLc   00 -48  carp0
| XXX.XXX.XXX.196    00:15:17:9f:3d:88  UHLc   03 -48  lo0
| XXX.XXX.XXX.196/30 link#1             UC 10 -48  em0
| XXX.XXX.XXX.198    XXX.XXX.XXX.198    UH 05 -48  carp0
| XXX.XXX.XXX.199    XX

Re: How to serve NFSv6 ?

2009-02-23 Thread Todd T. Fries
To clarify: IPv6 NFS support does exist in the wild, just not for OpenBSD,
yet.
-- 
Todd Fries .. t...@fries.net


Penned by Peter Hessler on 20090215 12:42.24, we have:
| openbsd uses nfsv3 over ipv4.  nfsv4 is still being worked on, but is
| not ready.  nfsv3 does not work over ipv6.
| 
| On 2009 Feb 15 (Sun) at 01:23:37 +0100 (+0100), jean-francois wrote:
| :Hi All,
| :
| :Unfortunately it looks like I have mounted a NFS v2/3 server. Is'nt the
| :standard nfs for OpenBSD 4.4 a v4 ? If so how is it I could not mount it
| :as a V4 on the client but only as a v2 or v3 (i'm not sure which of 2 or
| :3) ?
| :Please help me to understand. Is it a good thing to go for NFSv4
| :instead ?
| :
| :Thanks
| :J-F
| :
| 
| -- 
| Psychiatrists say that one out of four people are mentally ill.  Check
| three friends.  If they're OK, you're it.



Re: Strange WLAN issue with ral(4) in hostap mode

2009-01-02 Thread Todd T. Fries
There are power savings for 802.11 that OpenBSD does not support; this is
entirely independent from saving battery via cpu clocking and it is also
entirely independent from saving battery via adjusting the transmit power
of the radio.  The power savings for 802.11 actually put the radio to sleep
for a given interval and wake it up sending a message to the AP which is
supposed to hold packets for a given client until the client responds,
which OpenBSD does not do; therefore packet loss ensues.

I know this very well, my BlackBerry Pearl 8120 gets 90-95% packet loss
with an OpenBSD based AP.

Damien is aware of what needs doing, but I am to understand it is not a
short or easy road to get there.

Thanks,
-- 
Todd Fries .. t...@fries.net


Penned by Damon McMahon on 20090103  8:09.21, we have:
| Jussi - thanks for the response, but I've tried that to no effect,
| e.g. on the Macbook Pro the Energy Saver settings for Mains and
| Battery modes are identical.
| 
| On Fri, 2 Jan 2009 05:45:45 +0200, Jussi Peltola  wrote:
| > Disable power saving on the clients.
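An added toy model (not code from the original post or from OpenBSD) of the buffering step described in the reply above: an AP that holds frames for a dozing station and flushes them when the station wakes and polls, beside one that does not buffer at all. Station timing, tick counts and names are constructed assumptions.

```python
"""Toy model of 802.11 power-save buffering at an access point (added example).

A power-saving station sleeps for most of each interval and wakes only
briefly. Frames that arrive for it while it dozes must be held by the AP and
handed over when the station wakes and asks for them (PS-Poll); an AP that
does not buffer simply loses them. One frame is offered per tick; the
station, intervals and frame names are constructed for this example.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List


class Station:
    def __init__(self, name: str, sleep_interval: int, awake_ticks: int) -> None:
        self.name = name
        self.sleep_interval = sleep_interval   # ticks between wake-ups
        self.awake_ticks = awake_ticks         # ticks awake at the start of each interval
        self.received: List[str] = []

    def is_awake(self, tick: int) -> bool:
        return tick % self.sleep_interval < self.awake_ticks


class AccessPoint:
    def __init__(self, buffers_for_dozing: bool) -> None:
        self.buffers_for_dozing = buffers_for_dozing
        self.queued: Dict[str, Deque[str]] = defaultdict(deque)
        self.dropped: List[str] = []

    def deliver(self, sta: Station, frame: str, tick: int) -> str:
        """Offer one frame to a station; return what happened to it."""
        if sta.is_awake(tick):
            sta.received.append(frame)
            return "sent"
        if not self.buffers_for_dozing:
            self.dropped.append(frame)        # radio is asleep: the frame is lost
            return "dropped"
        self.queued[sta.name].append(frame)   # hold it until the station polls
        return "buffered"

    def ps_poll(self, sta: Station) -> int:
        """The station woke up and asked for held frames; flush them to it."""
        q = self.queued[sta.name]
        n = len(q)
        sta.received.extend(q)
        q.clear()
        return n


def simulate(buffers_for_dozing: bool, frames: int = 100,
             sleep_interval: int = 10, awake_ticks: int = 1) -> Dict[str, int]:
    """One frame per tick toward a dozing station; report the outcome counts."""
    sta = Station("sta1", sleep_interval, awake_ticks)
    ap = AccessPoint(buffers_for_dozing)
    for tick in range(frames):
        if sta.is_awake(tick):
            ap.ps_poll(sta)                   # wake-up: collect anything held
        ap.deliver(sta, f"frame{tick}", tick)
    return {
        "delivered": len(sta.received),
        "dropped": len(ap.dropped),
        "pending": len(ap.queued[sta.name]),  # still held when the run ends
        "loss_pct": round(100 * len(ap.dropped) / frames),
    }


if __name__ == "__main__":
    print("no buffering:", simulate(False))
    print("buffering:   ", simulate(True))
```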



Re: AH+ESP and IPv6

2009-01-02 Thread Todd T. Fries
The other answer is, ESP provides AH, therefore AH is deprecated.

Unless you really really want to play with AH to verify it works and such
(which the below suggests it does not) ...
-- 
Todd Fries .. t...@fries.net


Penned by Felipe Alfaro Solana on 20090102 17:38.51, we have:
| On Tue, Dec 30, 2008 at 9:29 PM,  wrote:
| 
| > I'm trying to use both AH and ESP to setup IPsec using Transport mode
| > between two IPv6 OpenBSD 4.4 hosts.
| >
| > So far it worked for AH Transport mode or ESP Transport mode but I don't
| > quite know how to do both AH and ESP. Any ideas?
| >
| > Here's a snippet from /etc/ipsec.conf :
| >
| >  ike esp transport from 2001::10 to 2001::5 psk "secret"
| >
| > The tried the following (and vice versa - ah vice esp).
| >
| >  ike esp transport from 2001::10 to 2001::5 psk "secret"
| >  flow ah from 2001::10 to 2001::5
| >
| > I'm not sure either.
| 
| Since you can apply ESP then AH, or apply AH and then ESP (depending on
| what's more important for you, the digital signature or the encryption) it's
| not obvious to me how to do it.
| 
| -- 
| http://www.felipe-alfaro.org/blog/disclaimer/



Re: Transport Mode ipsec(4) and inet6(4) gre(4) (WAS: isakmpd + gre crashing)

2008-12-26 Thread Todd T. Fries
As mentioned in another post to this list recently I use IPv6 to secure
my tunnels when roaming to get pre-allocated IPv6 on my laptop..

Look for 'totd' in the subject and I think you'll see some useful examples.

Thanks,
-- 
Todd Fries .. t...@fries.net


Penned by Brian A. Seklecki on 20081224 16:23.55, we have:
> All:
>
> Back in 01/2006, circa 3.8, there was a thread related to the use of  
> gre(4) and Transport Mode ipsec(4) in isakmpd(8) to protect v4 tunnels.
>
> There was a repeatable kernel panic related to gre(4) packets needing a  
> smaller MTU as they are encapsualted in ipsec(4) packets, before being  
> transmited.
>
> I haven't looked if we have support, but gre(4) w/ ipv6 address and 
> stf(4) seem to be best options out there for secure v6 tunnels.
>
> That is, explicitly, gre(4) inside ipv6, since we dont' have stf(4).
>
> I can revisit that bug in our lab, except with a slightly larger  
> encapsulation packet overhead :)
>
> I'm wondering if a tranditional ipv6 isakmp(8) ipsec tunnel (using IPv4  
> enpoints?!) is a safe alternative, or what other solutions people are  
> cooking up on OpenBSD for tunneling IPv6 security.
>
> Thanks for your feedback and safe holidays to all!
>
> ~BAS
>
> On Mon, 9 Jan 2006, Jason Taylor wrote:
>
>> Hi Brian,
>>
>> I did a few more tests this evening and I think you are right about the 
>> MTU issue. In OpenBSD 3.8, you can set the MTU of a GRE interface. I 
>> set the mtu of the GRE tunnel on one end (Perspex, which runs 3.8) and 
>> transferred a large file. It worked wonderfully and I am now in the 
>> process of updating my soekri to the latest 3.8. I think what is 
>> happening is the GRE tunnel sets its MTU according to the MTU of the 
>> physical interface, in my case fxp0 and sis0 and does not take into 
>> account the added overhead of IPsec...
>>
>>
>> Cheers,
>>
>> /Jason
>>
>> On Jan 9, 2006, at 4:41 PM, Brian A. Seklecki wrote:
>>
>>>
>>>> But as soon as I start an scp from Perspex to Soekris, Perspex reboots
>>>> after a few hundred kb.  Unfortunately, Perspex is in a datacenter and I
>>>> do not have console access to it to see what the heck is happening at that
>>>> exact moment.
>>>
>>> I don't recall.  But for the record (IPSEC inside GRE):
>>>
>>> If the Transport IPSEC connection is negotiated between two hosts 
>>> inside the GRE tunnel private subnet and the IPSEC connection goes 
>>> down, the data flows in cleartext.  *bad*
>>>
>>> The opposite would be (GRE-inside-IPSEC-Transport):
>>>
>>> If the Transport IPSEC tunnel is built between the two hosts` public  
>>> interfaces and the GRE tunnel is built normally and thus encrypted, 
>>> things should work.  Of course, we run into the crash.
>>>
>>> The trick was I tried it on OpenBSD/Sparc where there is 
>>> no-such-thing as "Flash back to the BIOS" and it turns out a Sun 
>>> "watchdog timer" is getting hit.  Watchdog timers on i386 must cause 
>>> the BIOS to reset. So the problem is in-kernel and the config is 
>>> probably too obscure for developers to spend time on.
>>>
>>> My solution was to re-IP my network properly, and use IP Supernets/  
>>> summarization/ subnet aggregation thus consolidating the need for so 
>>> many spokes on a hub-and-spoke VPN config.
>>>
>>> ~~BAS
>>>

>>>> I noticed that there were no responses to your thread, but I was wondering
>>>> if you had worked out your problem or if you decided to go the ipsec
>>>> encapsulated in gre.
>>>>
>>>> Cheers,
>>>>
>>>> /Jason
>>>> -- 
>>>> Jason Taylor
>>>> e: j...@jtaylor.ca
>>>> m: 514-815-8204


>>>
>>> l8*
>>> -lava
>>>
>>> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
>>
>
> l8*
>   -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
>  http://www.spiritual-machines.org/
>
> "Show me a young conservative and I'll show you someone with no heart.
> Show me an old liberal and I'll show you someone with no brains."
> ~ Winston Churchill



Re: Any Dev interested in SIS Ethernet/SATA driver development?

2008-12-26 Thread Todd T. Fries
You should try current.  I have these very chipsets on a board I have, and
the IDE support works great for PATA drives; haven't plugged in any SATA
drives, I will admit.  Mind showing a dmesg so we can get an idea of how
old a kernel you are running?

It was suggested to me the SIS 190 is such a rare find that it might not be
worth the effort to support it.  I'll let others comment if this is
accurate or not.

Thanks,
-- 
Todd Fries .. t...@fries.net


Penned by Rene Maroufi on 20081226 21:26.45, we have:
| Hi,
| 
| I have a new PC with an Athlon 64 CPU, and SiS Chipsets. The SiS SATA
| Chip, and the SiS Onboard Ethernet Controller doesn't work on OpenBSD.
| The SATA-HDD works without DMA. I plugged in a PCI-Ethernet Card and an
| IDE HDD, but if any developer have interest to develop a driver for the
| SiS 190 Ethernet Controller, or the SiS 183 SATA Chip, I can provide SSH
| access to the machine for developing (including sudo-root access of
| course).
| 
| Full dmesg (after plugging in the extra ethernet card, but before using
| the IDE-HDD):
| http://www.maroufi.net/dmesg_gawain
| 
| A FreeBSD driver for the SiS 190 ethernet card exists here:
| http://www.nabble.com/SiS-190-NIC-driver-td14260735.html
| 
| Cheers
| Reni
| -- 
| Reni Maroufi
| i...@maroufi.net



Re: gd without xbase?

2008-12-19 Thread Todd T. Fries
If you have a package that somewhere down the line has requirements for
libraries only provided by xbase, well, you're going to need xbase. If
you're concerned about security, you can always un-setuid the bin/ dir,
but you really do need xbase for packages that require freetype shared
libs.  It's not really that big, either.

Thanks,
-- 
Todd Fries .. t...@fries.net


Penned by Aaron Martinez on 20081219 12:40.38, we have:
| I am running 4.4 stable on i386 for the sole purpose of running nagios.  
| So that I could get visualizations on the statusmap, nagios docs say that
| gd is required.
| 
| I have performed just a minimal install, bsd, base44, etc44 and man44. 
| When i try installing gd i come up with the following error:
| # pkg_add -nv gd
| parsing gd-2.0.35
| Dependencies for gd-2.0.35 resolve to: libiconv-1.12, jpeg-6bp3,
| png-1.2.28 (todo: jpeg-6bp3,png-1.2.28)
| gd-2.0.35:parsing jpeg-6bp3
| found libspec c.48.0 in /usr/lib
| Pretending to add gd-2.0.35:jpeg-6bp3
| gd-2.0.35:parsing png-1.2.28
| Pretending to add gd-2.0.35:png-1.2.28
| found libspec c.48.0 in /usr/lib
| found libspec expat.9.0 in /usr/lib
| Can't install gd-2.0.35: lib not found fontconfig.5.1
| Dependencies for gd-2.0.35 resolve to: libiconv-1.12, jpeg-6bp3,
| png-1.2.28 (todo: jpeg-6bp3,png-1.2.28)
| Full dependency tree is libiconv-1.12,jpeg-6bp3,png-1.2.28
| Can't install gd-2.0.35: lib not found freetype.16.1
| found libspec iconv.5.0 in package libiconv-1.12
| found libspec jpeg.62.0 in package jpeg-6bp3
| found libspec m.3.0 in /usr/lib
| found libspec png.7.0 in package png-1.2.28
| found libspec z.4.1 in /usr/lib
| /dev/wd0g: 1432 bytes
| /dev/wd0f: 1381968 bytes
| 
| 
| I did some searching on this and found it most recently referenced about
| Openbsd 3.9 where people were indicating that gd was not going to have the
| x dependency in future releases.
| 
| I have another machine that I did my nagios testing on that does NOT have
| gd installed, but the .gd2 icons are displayed correctly in the statusmap.
| I do have php5-gd installed and am doing a test install of php5-gd-no_x11,
| which works.  My question here is, even though nagios doesn't use php, is
| the php-gd what is allowing the icons to display in this case, since I
| don't actually have gd installed?
| 
| Is there any other way to make this work?  I didn't really want to install
| php or xbase on this box.
| 
| Thanks in advance and dmesg below.
| 
| Aaron Martinez
| 
| 
| 
| OpenBSD 4.4-stable (GENERIC) #1: Fri Dec  5 15:52:41 CST 2008
| r...@obsdbuild.minn.example.com:/usr/src/sys/arch/i386/compile/GENERIC

Re: verify installed packages' binaries integrity ?

2008-12-19 Thread Todd T. Fries
Try:

   pkg_delete -n /var/db/pkg/*

Look for any lines mentioning files that are missing or files that have the
wrong hash.  For example, I added a '.' to README.OpenBSD in qemu:

   $ pkg_delete -n qemu
   /usr/sbin/pkg_delete should be run as root
   Pretending to delete qemu-0.9.1p4
   Problem: checksum doesn't match for /usr/local/share/doc/qemu/README.OpenBSD
   NOT deleting: /usr/local/share/doc/qemu/README.OpenBSD
   remove dependency on sdl-1.2.13p6
   --- qemu-0.9.1p4 ---
   Couldn't delete /usr/local/share/doc/qemu/README.OpenBSD (bad checksum)

Problem being, regardless of the OS, unless you boot from clean media and
execute no binaries etc. from the compromised system's disk or any other
files the compromised system has access to, you really can never trust
anything you see or any programs you run.

So, the above is only valid if you want to check for disk corruption, really.
-- 
Todd Fries .. t...@fries.net


Penned by jul on 20081219 20:08.11, we have:
| Stuart Henderson wrote on 18/12/08 21:14:
| > On 2008-12-18, jul  wrote:
| >> a small question, is there any way to check the integrity of installed
| >> packages' binaries ?
| > 
| > yes, by (ab)using pkg_create:
| > 
| > for i in `find /var/db/pkg -name +CONTENTS`; do
| > pkg_create -nf $i > /dev/null
| > done
| 
| 
| Exactly what I want.
| 
| Thanks a lot Stuart
| 
| for archives, seriously and as said before, it's only one step in
| investigation. it doesn't replace a dd + forensic analysis for a
| compromised host.
| But when you are suspicious and there is no mtree/samhain/aide/else, it
| helps.
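A filter for the pkg_delete -n check above, added here as an example and not taken from the thread: it reads the tool's output and lists the files whose recorded checksum no longer matches, exiting non-zero so it can drive a cron mail. The sample output is constructed from the qemu run in the post; as the reply says, this only detects changes on disk and says nothing about a compromised toolchain.

```shell
#!/bin/sh
# Added example (not from the thread): reduce the output of
#   pkg_delete -n /var/db/pkg/*
# to the files pkg_delete could not verify, one record per line.
# Only "Problem: ... checksum ..." lines are classified; any other
# "Problem:" line (e.g. a missing file, whose exact wording is not
# assumed here) is reported verbatim as "other".

# Read pkg_delete -n output on stdin, print "package<TAB>kind<TAB>detail"
# for every problem found. Returns 1 if anything was reported, else 0.
# Caveat: the path is taken as the last field, so a path containing
# spaces would be truncated.
pkg_integrity_report() {
    awk '
        # "Pretending to delete qemu-0.9.1p4" names the package under check
        /^Pretending to delete / { pkg = $4; next }
        /^Problem: / {
            if ($0 ~ /checksum/) {
                print pkg "\tbad-checksum\t" $NF
            } else {
                print pkg "\tother\t" $0
            }
            nbad++
            next
        }
        END { if (nbad > 0) exit 1; exit 0 }
    '
}

# Constructed sample, modelled on the qemu run quoted in the thread
# (README.OpenBSD was edited after installation).
sample_output() {
    cat <<'EOF'
/usr/sbin/pkg_delete should be run as root
Pretending to delete qemu-0.9.1p4
Problem: checksum doesn't match for /usr/local/share/doc/qemu/README.OpenBSD
NOT deleting: /usr/local/share/doc/qemu/README.OpenBSD
remove dependency on sdl-1.2.13p6
--- qemu-0.9.1p4 ---
Couldn't delete /usr/local/share/doc/qemu/README.OpenBSD (bad checksum)
Pretending to delete sdl-1.2.13p6
EOF
}

# Run it over the sample; on a live system pipe the real run instead:
#   pkg_delete -n /var/db/pkg/* 2>&1 | pkg_integrity_report
sample_output | pkg_integrity_report || echo "package files changed on disk" >&2
```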



Re: ipv6/pf/relayd/totd

2008-12-17 Thread Todd T. Fries
Penned by Stephan A. Rickauer on 20081216 16:14.32, we have:
| I started playing with ipv6. It feels like back in the early 90's, when
| I had to learn how 'the Internet' works ;)

Yes, I recall sitting in a basement with friends around that time, deciding
that with enough parts and computers we would learn how to set up an IPv4 network..

Lots of trials and errors later...
 
| Here's the setup:
| 
| An ipv6 only host with a non-link-local address should be able to use
| the ipv4 world. I don't want to deal with a tunnel broker, nor do I have
| native ipv6 access to the internet.

Your assumption is invalid.  If you have a non link local address you have,
by definition, a global IPv6 address, in which case someone (a tunnel broker
or a native provider) has allocated you an IPv6 address.  If you can get to
anywhere in the IPv6 world, you can use places like:

http://.sixxs.org/

to visit IPv4 hosts via a free IPv6 `proxy' set up by sixxs.net.  Note it
doesn't just spit out pages verbatim, but tries to tweak them to refer back
to the proxy; most of the time it succeeds.

| The ipv6 only client gets its ipv6 address via the rtadvd running on the
| gateway's internal interface. The gateway's external interface is ipv4
| only.

So however you've managed it you have an IPv6 subnet internally. But it is
not routed to the world?  Shame.  Go get a tunnel broker and fix this!  You
really are missing out..
 
| The ipv6 host can already ping6 the gateway. DNS I have 'fixed' with
| totd, so ipv4 addresses are mapped into the ipv6 space:
| 
| ipv6-client:~$ host www.google.ch
| www.l.google.com has address 74.125.39.147
| www.l.google.com has IPv6 address 2001:620:10:1401::4a7d:2767
| 
| 
| The default ipv6-gateway of my ipv6 client is properly set
| in /etc/mygate.
| 
| I try to use pf on the gateway to intercept tcp/ip6 traffic and to feed
| it into relayd. The relevant parts are as follows:
| 
| ---pf.conf--
| rdr pass inet6 proto tcp from lan:network -> :: port 8081
| ---pf.conf--

Wrong.  Try this instead:

 rdr pass inet6 proto tcp from lan:network -> lan port 8081 

You cannot redirect to `::', a wildcard address.  You must redirect to
a specific address.
 
| ---relayd.conf---
| tcp protocol tcpgeneric {
| tcp { backlog 128, nodelay, sack, socket buffer 131072 }
| }
| 
| relay tcp6to4 {
| listen on :: port 8081
| forward to nat lookup inet
| protocol tcpgeneric
| }
| ---relayd.conf---

This relayd.conf looks like what I've done.  Here is my setup on the gateway
with a couple of little twists (I'm using abcd::/48 as an example allocation):

 -- pf.conf --
 table <6to4ok> { abcd::/48 } # who is permitted to use this relay?
 table <6to4net> { abcd:0:0:::/96 } # the 6to4 prefix

 rdr pass inet6 proto tcp from <6to4ok> to <6to4net> port { 80 8080 } -> abcd::1 port 8080
 rdr pass inet6 proto tcp from <6to4ok> to <6to4net> -> abcd::1 port 8081
 -- pf.conf --

 -- relayd.conf --
 tcp protocol tcpgeneric {
     tcp { backlog 128, nodelay, sack, socket buffer 131072 }
 }
 http protocol httpgeneric {
     header append "$REMOTE_ADDR" to "X-Forwarded-For"
     header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
     header change "Connection" to "close"

     tcp { backlog 128, nodelay, sack, socket buffer 131072 }
 }
 relay tcp6to4 {
     listen on :: port 8081
     forward to nat lookup inet
     protocol tcpgeneric
 }
 relay http6to4 {
     listen on :: port 8080
     forward to nat lookup inet
     protocol httpgeneric
 }
 -- relayd.conf --

.. this way http traffic gets some info injected about being forwarded.

| After that kinda long intro, here's the problem:
| 
| Though name resolution works, an actual connection to an ipv6 address on
| port 80 wouldn't work and isn't 'seen' by relayd either. If I tcpdump on
| the gateway I see that the client, after it got the faked ipv6 address,
| sends an "icmp6: neighbor sol: who has 2001:620:10:1401::4a7d:2767".
| 
| So, it believes google is part of 'our' name space, which is probably
| wrong. I then tried to change the prefix of totd to a non-local prefix,
| like 2001:620:10:1400:: (instead of :1401::) so that a 'host
| www.google.ch' results in 2001:620:10:1400::4a7d:2767 and thus can't be
| treated as 'local'.
| 
| When I do this I can see the traffic on the gateway:
| 2001:620:10:1401:20d:60ff:fe2e:251b.13239 >
| 2001:620:10:1400::4a7d:2768.80
| 
| but it's still not seen by relayd.
| 
| Can someone with some degree of patience shed some light on my dark
| spots?

I think the pf.conf tweak may be all that's necessary for you to see traffic
via relayd.

However, I'll go a step further and document what I was able to accomplish
without totd.

Without totd, just using pf.conf on the client and relayd on the client in
addition to the above that I've already documented on the gateway, I was
able to use IPv4 by sending only native IPv6 packets from the client to
the gateway.

On the cl

Re: type of softraid

2008-12-12 Thread Todd T. Fries
tried 

bioctl -h softraid0
lately?
-- 
Todd Fries .. t...@fries.net


Penned by Michael on 20081212 11:15.55, we have:
| Hi,
| 
| is it somehow possible to read the type of a softraid partition?
| 
| When I have the following... (it actually is a crypto raid volume) ...
| how could I figure out if it is RAID 0, 1 or C?
| 
| 
| # fdisk sd0
| Disk: sd0       geometry: 491/255/63 [7897088 Sectors]
| Offset: 0       Signature: 0xAA55
|             Starting         Ending         LBA Info:
|  #: id      C   H   S -      C   H   S [       start:        size ]
| -------------------------------------------------------------------------------
|  0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
|  1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
|  2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
| *3: A6      0   1   1 -    490 254  63 [          63:     7887852 ] OpenBSD
| 
| # disklabel sd0
| # Inside MBR partition 3: type A6 start 63 size 7887852
| # /dev/rsd0c:
| type: SCSI
| disk: SCSI disk
| label:
| flags:
| bytes/sector: 512
| sectors/track: 63
| tracks/cylinder: 255
| sectors/cylinder: 16065
| cylinders: 491
| total sectors: 7897088
| rpm: 3600
| interleave: 1
| trackskew: 0
| cylinderskew: 0
| headswitch: 0   # microseconds
| track-to-track seek: 0  # microseconds
| drivedata: 0
| 
| 16 partitions:
| #                size           offset  fstype [fsize bsize  cpg]
|   a:          7887852               63    RAID
|   c:          7897088                0  unused      0     0
| 
| # bioctl sd0
| sd0: <, , 0.00>, serial \\037 0.00
| 
| # bioctl sd0a
| sd0a: <, , 0.00>, serial \\037 0.00



Re: pf drops fragged IPv6 unconditionally

2008-12-05 Thread Todd T. Fries
It was not stated, but I've set up firewalls in the past, and I presume you
have a firewall that is doing 'block in' as a catchall (which catches
the fragments) ..

Set your return policy on that rule if you wish it to return.
-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by Charlie Allom on 20081205 19:12.56, we have:
| On Fri, Dec 05, 2008 at 12:43:33PM -0600, Todd T. Fries wrote:
| > 
| > Theory suggests that PMTUD should handle things such that fragments do not
| > appear, but encapsulation and tunneling via IPSec tend to generate them
| > anyway..
| 
| Are we not breaking PMUTD by silently dropping these? Shouldn't there
| be a way of implying something like 'block-policy return' ?
| 
|   C.
| -- 
|  020 7729 4797
|  http://blog.playlouder.com/



Re: pf drops fragged IPv6 unconditionally

2008-12-05 Thread Todd T. Fries
You've stumbled on a missing feature for v6 support in pf.

Nothing is available at present to solve this correctly.

You could do something that defies reason like 'block in inet' instead of
'block in' but .. the bottom line is, 'pf' only has support for reassembling
IPv4 fragments, not IPv6.  And yes, this renders a stateful filtering
firewall mostly moot until this is fixed for IPv6, to be clear.

Theory suggests that PMTUD should handle things such that fragments do not
appear, but encapsulation and tunneling via IPSec tend to generate them
anyway..

Sorry,
-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by Charlie Allom on 20081205 18:28.46, we have:
| After wondering why my email was seeing MTU-like issues once I enabled
| an  record, I see that pf is dropping IPv6 packets that are
| fragmented.
| 
| pf.conf(5):
| 1546: Currently, only IPv4 fragments are supported and IPv6 fragments are
|   blocked unconditionally.
| 
| in pf.c, under #ifdef INET6:
| 4402:   do {
| switch (pd2.proto) {
| case IPPROTO_FRAGMENT:
| /*
|  * ICMPv6 error messages for
|  * non-first fragments
|  */
| REASON_SET(reason, PFRES_FRAG);
| return (PF_DROP);
| 
| I think that's the part where we just don't bother parsing them. Or one of them.
| I've had to enable 'pass in inet6'.
| 
| Does anyone have any patches to enable this?
| 
|   C.
| 
| -- 
|  020 7729 4797
|  http://blog.playlouder.com/



Re: CARP with a single public IP address

2008-12-05 Thread Todd T. Fries
Ironically, IPv6 cannot solve this scenario either, since by definition
using ipv6 tends to require a tunnel, which would naturally fall to the
carped pair, which would have the same constraints as the v4 side with
regards to sending to/from the internet, yes?

If you presume native v6, however, kudos, it should permit each fw to have
its own ip and carp a third :-)
-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by Paul de Weerd on 20081205 12:11.27, we have:
| Hey Felipe,
| 
| On Fri, Dec 05, 2008 at 11:51:05AM +0100, Felipe Alfaro Solana wrote:
| | Hi misc,
| | 
| | I've been thinking about this for a while but can't seem to figure out
| | a proper solution.  Perhaps you have seen a scenario like this before
| | and have ideas on how to tackle it.
| | 
| | I have two OpenBSD 4.4 boxes configured in active/backup CARP,
| | connected to an ADSL router. I want to reconfigure the ADSL router and
| | turn it into a bridge. This way, my public IP address will move from
| | the ADSL router into the CARP interface and will be shared by both
| | OpenBSD machines. The ADSL router has a built-in hub where both
| | OpenBSD machines are plugged into.
| 
| Some years ago, I did exactly this. Configured an ADSL modem for
| rfc1483 mode (which my ISP supported) and had two machines behind it
| for routing (NATting) my local network out.
| 
| | While the machine whose CARP interface is in ACTIVE won't have
| | problems sending and processing traffic, the OpenBSD machine whose
| | CARP interface is in BACKUP will. The machine whose CARP interface is
| | in BACKUP will be able to send traffic to the Internet from its public
| | IP address, but will not be able to process any response, for example
| | to contact a NTP server: the UDP response from the NTP server will
| | arrive at both OpenBSD machines (since both are sharing the public IP
| | address), but the machine whose CARP interface is BACKUP will likely
| | ignore the NTP response. For TCP it is also very similar.
| 
| I did this before we had openntpd and didn't run "that other" ntpd on
| my machines. Internet access was only available when the machine was
| CARP master. I think there are two solutions here, both of which have
| issues. First solution (only solves the ntp issue), configure your
| CARP'ed routers to use an ntpd on your local network (which gets its
| time via the same set of CARP'ed routers). The other option is to get
| more public IP's from your ISP. This makes your routers accessible
| from the internet.
| 
| Downsides are that the first solution requires an extra machine and
| the second solution is probably difficult with most ISPs.
| 
| | I have no idea how to deploy a scenario like this, while allowing the
| | machine whose CARP interface is in BACKUP to access the Internet. A
| | workaround is having the machine whose CARP interface is in BACKUP
| | have a default route installed pointing to the machine whose CARP
| | interface is ACTIVE. The problem is the setup is more complex and
| | requires a way of dynamically adjusting the default route. A possible
| | solution is using ifstated(8). Is it possible to use OSPF instead?
| 
| I don't really like that solution. My suggestion would be to try and
| minimize the amount of traffic the machines need to send to the
| internet (preferably to 0). Maybe use IPv6 (if your ISP does native
| v6 on the link) when you can't work around this.
| 
| Cheers ;)
| 
| Paul 'WEiRD' de Weerd
| 
| -- 
| >[<++>-]<+++.>+++[<-->-]<.>+++[<+
| +++>-]<.>++[<>-]<+.--.[-]
|  http://www.weirdnet.nl/ 



Re: QEMU crashes

2008-11-03 Thread Todd T. Fries
Just out of curiosity, humor me, run qemu as root with the following added
options:

-net nic,vlan=0 -net tap,vlan=0

I've observed that at some point user mode networking started to segv on
amd64 when running any qemu guest, and I am sorry to report I have not yet
tracked down the source of the issue..

Please let me know if you have other experiences.

Thanks,
-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by Frank Bax on 20081103 21:07.44, we have:
> I've been using qemu to run a Win98 guest on i386 host for about a year.  
>  On Aug.2, I installed an i386 snapshot that was a few days old.  Since  
> then, I've been running a Win98 guest on qemu-0.9.1p3 with no issues.
>
> Sometime over the past 12 months I realised I could be running amd64 on  
> my Core2Duo processor; so (using purchased cdrom's) I made the switch to  
> 8.4 amd64 release over the weekend.  Not sure if I did it correctly; but  
> I did it as an upgrade, then deleted and added all packages.  Seems to  
> be working fine so far; except for some problems with qemu.
>
> I notice that both -no-kqemu and -kernel-kqemu result in "invalid option".
>
> Am I allowed to run a guest like Win98 on host running amd64?  It seems  
> to work ok when running a couple of apps (win & dos); as long as there  
> is no network access.
>
> The Win98 guest system crashes (segmentation fault, core dumped) when I  
> access internet from the guest.  This can be either accessing a website  
> with IE or running pscp (an scp program for windows, from makers of  
> PuTTY).  Ping does not cause guest to crash.
>
> Ping to 10.0.2.2 (host) works (time is 1ms).  Ping to internet ip  
> address results in "Request timed out".  Ping to name does manage dns  
> lookup; but still gets "Request timed out".
>
> When the Win98 guest crashes; my mouse pointer goes with it.  I'm using  
> icewm.  I manage to shutdown other apps with keyboard shortcuts; then  
> restart X.  Is there a way to get mouse pointer back?
>
> kqemu is not installed.
>
> I don't know what other information about this issue to include here.
>
> I'm not sure if a dmesg is appropriate; but here it is:
>
> OpenBSD 4.4 (GENERIC.MP) #1812: Tue Aug 12 17:22:53 MDT 2008
> [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: Little update to authpf

2008-09-11 Thread Todd T. Fries
I think you might want to check to see if the file exists not just if the
asprintf succeeds..

But yes I do agree this is useful functionality that I've tested quite
thoroughly...

Index: authpf.c
===
RCS file: /cvs/src/usr.sbin/authpf/authpf.c,v
retrieving revision 1.107
diff -u -r1.107 authpf.c
--- authpf.c14 Feb 2008 01:49:17 -  1.107
+++ authpf.c11 Sep 2008 12:49:09 -
@@ -314,10 +314,22 @@
signal(SIGQUIT, need_death);
signal(SIGTSTP, need_death);
while (1) {
+   struct stat sb;
+   char *path_message;
+   
printf("\r\nHello %s. ", luser);
printf("You are authenticated from host \"%s\"\r\n", ipsrc);
setproctitle("[EMAIL PROTECTED]", luser, ipsrc);
-   print_message(PATH_MESSAGE);
+
+   if (asprintf(&path_message, "%s/%s/authpf.message",
+   PATH_USER_DIR, luser) == -1)
+   do_death(1);
+   if (stat(path_message, &sb) == -1) {
+   free(path_message);
+   if ((path_message = strdup(PATH_MESSAGE)) == NULL)
+   do_death(1);
+   }
+   print_message(path_message);
while (1) {
sleep(10);
if (want_death)
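Review bot: the `stat(path_message, &sb) == -1` test only establishes that something exists at PATH_USER_DIR/<luser>/authpf.message; a directory or an unreadable file there is still selected and print_message() then fails on it instead of falling back to PATH_MESSAGE. Checking `S_ISREG(sb.st_mode)` as well, or simply attempting to open the per-user file and falling back when that fails, covers both cases. Also, path_message is never freed after `print_message(path_message);`, so the string leaks on every pass of the outer `while (1)` loop; free it right after printing.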
-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by Rafal Bisingier on 20080911 14:09.42, we have:
| Hi all,
| 
| I do not know if this is the correct list, or even method to send
| patches, but I did not find anything appropriate on the OpenBSD website.
| 
| I'd like to propose a little feature enhancement for authpf. Here
| are the details:
| - authpf can show a message to a user who has successfully logged in
| - this message is read from /etc/authpf/authpf.message
| - the message is the same for every user
| - I want to change it ;-)
| 
| Below is a patch which changes the current behavior, so that the message is
| searched for first in the /etc/authpf/USER dir, and if it's not found
| there, then the old behavior is used (so fully backward compatible).
| The patch looks very simple, but I did NOT test it at all! Anyway it
| would be nice if something like this made its way into HEAD. ;-)
| 
| PS. Sorry for any language errors
| 
| -- 
| Greetings
| Rafal Bisingier
| 
| 
| diff -u authpf.c.orig authpf.c
| --- authpf.c.orig 2008-09-09 17:23:43.315714111 +0200
| +++ authpf.c  2008-09-10 21:07:06.258107858 +0200
| @@ -314,10 +314,16 @@
|   signal(SIGQUIT, need_death);
|   signal(SIGTSTP, need_death);
|   while (1) {
| + char*fn = NULL;
|   printf("\r\nHello %s. ", luser);
|   printf("You are authenticated from host \"%s\"\r\n",
| ipsrc); setproctitle("[EMAIL PROTECTED]", luser, ipsrc);
| - print_message(PATH_MESSAGE);
| + if (asprintf(&fn, "%s/%s/authpf.message",
| + PATH_USER_DIR, luser) == -1)
| + print_message(PATH_MESSAGE);
| + else
| + print_message(fn);
| + free(fn);
|   while (1) {
|   sleep(10);
|   if (want_death)
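Review bot: the fallback `print_message(PATH_MESSAGE);` is only reached when asprintf() fails to allocate, not when the per-user file is absent, so a user with no PATH_USER_DIR/<luser>/authpf.message gets print_message(fn) called on a path that does not exist and the old global message is never shown; test for the file with stat() or an open attempt before choosing which path to print (this is the point raised in the reply above). The hunk also shows two statements run together on one line (`ipsrc); setproctitle("...", luser, ipsrc);`), which looks like mailer wrapping rather than an intended change; sending the diff as an attachment would keep it applying cleanly.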



Re: scrubbing problem(s) with pf

2008-09-09 Thread Todd T. Fries
Did you read the pf suggestions via pppoe(4) ?  AT&T tends to use pppoe(4)..
-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by Parvinder Bhasin on 20080909  9:59.02, we have:
> I am having a hard time with an issue where some of the DSL (ATT) users are
> having issues connecting to a website behind my openbsd firewall.  Now if I
> switch it back to the cisco asa, access works flawlessly.
>
> Everyone including those on DSL(ATT) is able to access the website
> (with cisco) but as soon as I put my Openbsd firewall in, website access for
> SOME DSL (ATT) users stops working.
>
> I troubleshot the problem to be related to "scrubbing (normalization
> of packets)".
> So I tried a couple of options in scrubbing rules, and got a couple of
> people experiencing the problem to work, but there are a few still
> complaining that they can't access the site.  I have tried this from
> multiple different connections.  Even with Verizon EVDO internet access,
> people can't access the site.  It's really weird and I have been pulling
> my hair out on this.  I don't really want to put another firewall in.
>
> I would like to know what other people who are running openbsd as  
> firewall are using for scrubbing.
>
> Here is what I used first time:
>
> scrub in all
>
> and then changed to
>
> scrub in all no-df
> scrub out all no-df
>
> and got few of DSL users to see the site but then others still can't.   
> Verizon users can't either.
>
> Any thoughts/help highly appreciated.  I don't want to go BALD :)
>
> Thanks



Re: TV out for Xorg/OpenBSD?

2008-08-19 Thread Todd T. Fries
Hey guys,

I think I know what J.C. Roberts is looking for, but alas it is hard to find.

I also purchased one of these vga -> svideo cables, and it truly is just
that, some form of converter from vga to s-video with no logic inside.

So, you have to have the perfect sync on the vga side to make the picture show
up nice on the TV side.

I never got this to work.

What I have found is lots of video adapters have a builtin s-video port, which
works for displaying videos on the tv.  With one huge caveat.  Out of the
5 cards I have that do s-video out, two of them pci 'ATI Mach64' cards, only
one (one of the 'ATI Mach64' cards) puts out a signal that looks decent.
Some of them put out signals that flicker and never sync, others put out
signals that color shift or do other visual eyesores.

So, if you really are on a low budget, find a used computer store and get
some Mach64 card or some other card that has a known good s-video output
signal, and enjoy your movies.

Me, personally, I'm looking forward to saving up for a widescreen (2-3 years
out at best) that has a vga/dvi input for a computer to display to directly
without the s-video limitations.

Until then, I enjoy lots of video files in my living room courtesy of OpenBSD.

Have fun,

P.S. Edd, if you do have a resolution that works with the VGA->S-Video cable,
I suggest posting it here on the mailing list, there will be a use for it to
be in the archives I am sure.
-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by J.C. Roberts on 20080819  1:48.46, we have:
| On Sunday 17 August 2008, Edd Barrett wrote:
| > Hi,
| >
| > We have this BSD box with some films on, and someone had the idea of
| > hooking it up to the TV so we can watch DVDs etc. in the living
| > room. Not a bad idea, but I don't know how.
| >
| > My friend bought a VGA->Scart cable, and I have tried various
| > resolutions and various horizontal and vertical ranges without luck.
| >
| > I asked a friend who is into this sort of thing and he reckoned
| > [EMAIL PROTECTED] is a good start, but the best I have had is a messed up
| > picture with diagonal scan lines moving down the screen quickly.
| >
| > If you google you get links to linux "howto's" for the proprietary
| > linux drivers, so no thanks to that.
| >
| > I wonder if anyone knows a way.
| 
| 
| Edd,
| 
| Could you post (or privately email) your xorg.conf and X.org.log
| 
| I don't know a thing about S-Video and have never heard of "Scart" 
| before, but we might be able to get the TV Out (Composite Video) 
| working on that card with the default driver.
| 
| At one point in time, the TV Out on nVidia cards was handled by a 
| separate chipset (brooktree/conexant/philips/?) but I doubt that is the 
| case on GeForce4mx and newer cards. Nonetheless, the trick with cards 
| that have multiple outputs is making sure you're talking to the right 
| output. The nv(4) driver will try to auto-detect if an output device is 
| connected (monitor/TV/?) but it may not get it right and may default to 
| the wrong output.
| 
| There are two things you can try:
| 1.) Force access to the TV Out interface through the BusID
| (see xorg.conf(5))
| 
|   BusID "PCI:1:0:0"
| # or
|   BusID "PCI:2:0:0"
| 
| 2.) Force access to the TV Out interface through CrtcNumber
| (see nv(4))
| 
|   Option "CrtcNumber" "integer"
| 
| You can often coerce (force) video cards with multiple outputs to play 
| nicely even when they are such total garbage that the vendor (nVidia) 
| is afraid to provide specifications for them.
| 
| There is one issue I see that might be a problem, namely NTSC versus PAL 
| but a lot of TV sets these days can accept either, so we might get 
| lucky. If not, the PAL modelines you posted look reasonable.
| 
| Kind Regards,
| JCR



Re: ATTENTION: anyone using the the X driver for any ati card

2008-07-03 Thread Todd T. Fries
The mirrors are taking a bit to get caught up.  You want to look for snaps
dated June 2, 17:00 or later .. another way to verify the newer ati driver
is included is if mach64_drv.so is in xbase44.tgz.

Thanks,
-- 
Todd Fries .. [EMAIL PROTECTED]

 _
| \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \  250797 (FWD)
| \
 \\
 
  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt

Penned by Owain Ainsworth on 20080703  1:18.16, we have:
| As a warning, the any X snapshot that hits a mirror around the time of
| this email (they're currently copying out) will contain an update to the
| radeon driver to 6.9.0. The r128 and mach64 drivers have been split out
| in this release, but the "ati" wrapper should take care of that.
| 
| Now, there's some changes in this driver update that you may wish to be
| aware of:
| 
| macpcc users: 
|   if you use any quirks for your macbook, or have a mac, you may
|   want to check "man 4 radeon" and look at the "MacModel" option
|   if you have any trouble. The old mac quirk option (the name of
|   which escapes me right now), has been removed.
| 
| dual head users:
|   If you used "MergedFb", i warn you that this has also gone,
|   superseded by xrandr 1.2. so if you use this in your setup, i
|   recommend you look into migrating. while intel specific, the
|   following page has some generally useful information:
| 
|http://www.intellinuxgraphics.org/dualhead.html
| 
| EXA acceleration:
| this driver makes the EXA acceleration method the default (the
| snaps also have a change to make intel default since bugs in it
| have been fixed with the xserver update). Sometimes this
| acceleration method is still a little slow (or quite slow in
| some cases), so if you find the driver to be acting slower than
| you're used to, first try:
| 
|   Option "MigrationHeuristic" "greedy"
| 
| in xorg.conf. We may make this default until we update to
| xserver 1.5, which needs to wait for it to be finalised and
| released.
| 
|   If it's still too slow, then instead you can revert to XAA
|   acceleration for 2d using:
| 
|   Option "AccelMethod" "XAA"
| 
| A note on newer cards:
| This new version of the radeon driver also supports newer cards
| normally treated by the radeonhd driver, if you normally use
| that driver, feel free to try this one if you're having any
| trouble.
| 
| That should be all the gotchas. If you notice any regressions, please
| notify myself (oga@) and Matthieu Herrb (matthieu@)
| 
| Cheers,
| 
| -0-
| -- 
| Don't take life too seriously -- you'll never get out of it alive.



Re: Permission problems using NFS on OpenBSD 4.2

2008-04-17 Thread Todd T. Fries
the mount command is clearly destined to fail unless you add 
another line with network=10.0.1 or you change the mask to 
mask=255.255.0.0

-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by Gregorio Arvilla on 20080417 16:00.19, we have:
| Hi There,
| 
| I'm trying to use NFS on OpenBSD 4.2 but I'm getting permission errors.
| Here are the contents of the exports file:
| 
| # $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $
| #
| # NFS exports Database
| # See exports(5) for more information.  Be very careful: misconfiguration
| # of this file can result in your filesystems being readable by the world.
| /public_nfs -alldirs -ro -network=10.0.0 -mask=255.255.255.0
| 
| 
| Here are the contents of the rc.conf.local file:
| 
| ntpd_flags=  # enabled during install
| nfs_server=YES
| portmap=YES
| 
| 
| And here are the contents of hosts file:
| 
| # $OpenBSD: hosts,v 1.11 2002/09/26 23:35:51 krw Exp $
| #
| # Host Database
| #
| # RFC 1918 specifies that these networks are "internal".
| # 10.0.0.0      10.255.255.255
| # 172.16.0.0    172.31.255.255
| # 192.168.0.0   192.168.255.255
| #
| ::1 localhost.epvgroup localhost
| 127.0.0.1 localhost.epvgroup localhost
| ::1 lappc2.epvgroup lappc2
| 127.0.0.1 lappc2.epvgroup lappc2
| 10.10.1.232 epv2.epvgroup.com epv2
| 
| From the 10.10.1.232 machine I'm trying to mount the /public_nfs
| directory; here is the command and the output:
| 
| [EMAIL PROTECTED] greg]# mount -t nfs 10.10.1.110:/public_nfs /home/greg/mnt
| mount: 10.10.1.110:/public_nfs failed, reason given by server:
| Permission denied
| [EMAIL PROTECTED] greg]#
| 
| 
| I'm wondering if you can tell me what settings I have to modify to
| give permissions to mount the directory.
| 
| Thank You
| 
| Greg
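The permission check Todd's answer is about can be reproduced offline. The checker below is an added example, not code from the thread or from mountd: it parses an exports(5) line, expands the shorthand `-network=10.0.0` to `10.0.0.0` the way inet_network()/inet_makeaddr() do, and reports whether a given client address is covered by the entry. The exports contents are Greg's as posted; the client address 10.10.1.232 is taken from his hosts file and mount command. Hostnames in an entry are compared literally (no DNS lookups), the checker insists on `-mask` whenever `-network` is given, and an entry with no host or network spec is treated as exported to everyone, which is the "readable by the world" case the file's own comment warns about.

```python
import ipaddress

# Greg's exports file as posted in the thread (comments kept for realism).
SAMPLE_EXPORTS = """\
# NFS exports Database
# See exports(5) for more information.  Be very careful: misconfiguration
# of this file can result in your filesystems being readable by the world.
/public_nfs -alldirs -ro -network=10.0.0 -mask=255.255.255.0
"""

# Client address from the posted hosts file / mount command.
CLIENT = "10.10.1.232"


def expand_shorthand(addr):
    """Expand an abbreviated dotted quad such as '10.0.0' to '10.0.0.0'.

    mountd passes -network values through inet_network()/inet_makeaddr(),
    which yields the same result as zero-padding the missing octets."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad network address {addr!r}")
    return ".".join(parts + ["0"] * (4 - len(parts)))


def parse_exports_line(line):
    """Parse one exports(5) line into a dict, or return None for blank/comment lines.

    Result: {"path": str, "flags": set, "network": ip_network | None, "hosts": set}
    -network/-mask are combined into one ip_network; other -options are kept as flags;
    bare words are host specs (hostnames are not resolved here)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    path, *rest = line.split()
    flags, hosts = set(), set()
    network = mask = None
    for tok in rest:
        if tok.startswith("-network="):
            network = expand_shorthand(tok.split("=", 1)[1])
        elif tok.startswith("-mask="):
            mask = tok.split("=", 1)[1]
        elif tok.startswith("-"):
            flags.add(tok)
        else:
            hosts.add(tok)
    net = None
    if network is not None:
        if mask is None:
            raise ValueError("-network given without -mask (this checker requires both)")
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return {"path": path, "flags": flags, "network": net, "hosts": hosts}


def client_allowed(entry, client):
    """True if the entry grants `client` (dotted quad) a mount of entry['path']."""
    ip = ipaddress.ip_address(client)
    if entry["network"] is None and not entry["hosts"]:
        return True  # no host or network spec: exported to the world
    if entry["network"] is not None and ip in entry["network"]:
        return True
    return client in entry["hosts"]


def check_exports(text, client):
    """Evaluate every entry in an exports file for one client; returns [(path, allowed)]."""
    results = []
    for raw in text.splitlines():
        entry = parse_exports_line(raw)
        if entry is not None:
            results.append((entry["path"], client_allowed(entry, client)))
    return results


if __name__ == "__main__":
    for path, ok in check_exports(SAMPLE_EXPORTS, CLIENT):
        print(f"{CLIENT} -> {path}: {'allowed' if ok else 'Permission denied'}")
```

Run against the posted file, the single entry evaluates to "Permission denied" for 10.10.1.232, which is exactly the server's reply in Greg's mount output; an entry whose network actually contains the client (for example `-network=10.10.1 -mask=255.255.255.0`, or the client's address listed as a host spec) evaluates to allowed.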



Re: httpdv6

2007-12-08 Thread Todd T. Fries
Henning,

I think you need to realize what you are saying is misleading at best.

The v6 diff permits you to start listening on v6 _only_ if you specify
a Listen directive that contains a v6 address, including but not
limited to, a wildcard v6 address: :: .

The v6 diff changes the misleading *:80 format to 0.0.0.0 80 _and/or_ :: 80,
you may choose not to listen on v6 by omitting the
  Listen :: 80
and simply modify your
  Listen *:80
to be the more clear format:
  Listen 0.0.0.0 80

Yes this diff creates a mini flag day for httpd's conf file and some modules
(I myself have run unmodified php modules with a v6 httpd, but I do not
recommend it).  I believe this is more than worth the v6 support.

Do you have a diff to add v6 to httpd that is not objectionable to you?

The diff Marc Balmer is presenting I have run in an earlier form on my
production colo for a few years now.  Kudos to him for taking it to the
next level, lots of people will find this beneficial, I personally want to
see this in, it is time httpd supported v6.

Thanks,
-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by Henning Brauer on 20071208 14:55.09, we have:
| * Marc Balmer <[EMAIL PROTECTED]> [2007-12-08 09:51]:
| > httpd with IPv6 support uses IPv6 addresses for ambiguous constructs.
| > That is documented in the httpd(8) manpage.
| 
| that is completely wrong and disqualifies this patch.
| you are fucking everybody for no good reason, as suddenly their httpds 
| will only listen on v6.
| 
| -- 
| Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
| BS Web Services, http://bsws.de
| Full-Service ISP - Secure Hosting, Mail and DNS Services
| Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2007-11-07 Thread Todd T. Fries
isakmpd does not do the crypto processing of the actual IPSec tunnels, it
only does the ike negotiations.

Presuming you want to use aes-128, `openssl speed aes' shows that a 1GHz
system that is running 'vi' to type this message is capable of (at the
lowest end) 27 Mbyte per second.

I think you should do your own tests but it looks like you'd have to stoop
pretty low to not be able to handle 5mbit.

Thanks,
-- 
Todd Fries .. [EMAIL PROTECTED]


Penned by Chris Bullock on 20071105 19:14.17, we have:
| Some say that isakmpd is resource intensive.  What is the recommended
| hardware for a 5mb full duplex optical Internet connection that is doing
| nothing but VPN.
| Regards,
| Chris
| 
| On 11/4/07, Chris Bullock <[EMAIL PROTECTED]> wrote:
| >
| > We have been using OpenBSD my entire IT career, 5 1/2 years, I like the
| > way its easy to roll out, configure and the cost the most.
| >
| > I would like an honest opinion of the group.  We have customers that
| > maintain their own firewalls and VPNs and it appears to us that those
| > sites seem to transmit data quicker than the sites that we maintain with
| > OpenBSD firewalls and VPNs, assuming identical bandwidth.  We have an
| > OpenBSD VPN/firewall at our main site, so realistically, all of our data
| > does transpose OpenBSD before it ultimately hits our network.
| >
| > My question is should I consider a non OpenBSD solutions, ie Cisco devs or
| > should I attempt to tweak my existing boxes?
| > Regards,
| > Chris



Re: That whole "Linux stealing our code" thing

2007-09-01 Thread Todd T. Fries
Uh, why do we need to defer to courts and seek legal funds and feed the
sharks, er, lawyers, just to comprehend what the two words "without
modification" mean?

As I explained to a friend of mine minutes ago ..

  adding GPL to BSD is sad to the BSD people (we can't use the GPL code then)

  adding GPL and removing BSD is not legal

Whose side are you on anyway, suggesting legal battles?  The lawyers, the
companies, or free software?

On Saturday 01 September 2007 16:45:50 Reiner Jung wrote:
> Gents,
>
> the driver was developed by Reyk in Germany. Reyk added a license to his
> code. So the question will be, what is the European/German law here.
> Maybe the OpenBSD project/Reyk should solve the problem in the same way
> as the gpl-violations.org initiative does it. Let the court decide. Will
> be happy to donate some money to force a decision at court.
>
> Reiner



-- 
Todd Fries .. [EMAIL PROTECTED]




Re: That whole "Linux stealing our code" thing

2007-09-01 Thread Todd T. Fries
On Saturday 01 September 2007 07:52:45 David H. Lynch Jr. wrote:
> Theo de Raadt wrote:
> > For the record -- I was right and the Linux developers cannot change
> > the licenses in any of those ways proposed in those diffs, or that
> > conversation (http://lkml.org/lkml/2007/8/28/157).
> >
> > It is illegal to modify a license unless you are the owner/author,
> > because it is a legal document.
>
> With respect to both you and Eban, I  would disagree..

They're not alone.  You sir, are alone in your fantasy world.

> The law requires complying with the license not preserving it.
> The license is a part of the copyrighted work.
> It grants users rights beyond those of copyright law.

Hmm, complying with the license.  How can you say you comply with the
license that says you may not alter the license yet you alter the license?

[..]
> If I am misunderstanding the license I apologize, but my view of
> this dispute is that Linux developers are unethically and immorally,
> but quite legally doing to BSD Licensed code pretty much what the
> BSD License allows them to.

You're wrong.  Read the 'without modification' words a few times to get why.
-- 
Todd Fries .. [EMAIL PROTECTED]




Re: IPsec on IPv6

2007-08-30 Thread Todd T. Fries
IPv6 is supported with IPsec.  Be aware that pf does not do IPv6 fragment
reassembly yet, so there are some cases where tunneling traffic inside
IPv6 IPsec connections has issues until you change the mtu to the remote
gateway to compensate.

I use IPSec over both IPv4 and IPv6 every week.


On Sunday 26 August 2007 18:09:33 Leon yendor wrote:
> There does not seem to be much mention of the combination in man pages etc
> in 4.1.
>
> Is it really just like IPsec over IPv4 or ?
>
> Thankyou,
> Leon.



-- 
Todd Fries .. [EMAIL PROTECTED]




Re: Does auto mounter support nfsv3?

2007-08-30 Thread Todd T. Fries
It is as hard as digging into the code and making it work.

Apparently that's either not interesting or not easily doable.

I've heard rumblings toward the latter, but don't let that stop you
from having a look.

On Wednesday 15 August 2007 09:33:31 Edd Barrett wrote:
> Hi,
>
> On 15/08/07, Christian Weisgerber <[EMAIL PROTECTED]> wrote:
> > IIRC, OpenBSD's amd only supports v2.
>
> Any idea if it hard to make v3 compatible?



-- 
Todd Fries .. [EMAIL PROTECTED]




via systems?

2007-05-11 Thread Todd T. Fries
I'm looking and probably just blind, but I haven't found any complete systems
using the VIA C7 Esther chipset.  Specifically I'm looking for RSA
acceleration.

I suspect I'm not the only one looking and interested.

Thanks,
-- 
Todd Fries .. [EMAIL PROTECTED]




Re: Disconnection php4 from the builds.

2006-10-27 Thread Todd T. Fries
I definitely agree with those previously stating that not all php code
supports php5 yet.

phpBB.com states  'running phpBB 2.0.x with PHP5 is not supported'

.. though there is evidence in their changelogs that they are working on
support for php5.

This is definitely not the only codebase in the same boat that does not yet
work on php5.

That said, I do agree at some point that php4 should be deprecated.  I'm not
convinced that time is yet.  After OpenBSD 4.1 seems like a good time to me.
For those not tracking current, that would give approximately a year when 4.2
comes out to have things working with php5.

On Saturday 21 October 2006 12:29, Robert Nagy wrote:
> Hi.
>
> A couple of us think that people should switch to php5
> because the php4 ports are not going to be updated.
> Everything in the ports tree uses php5 now and we do not
> see any reasons to ship with it.
>
> It is possible that a lot of people are relying on php4
> so we are still going to keep it in the tree but we are
> not going to build the packages.
>
> If you have objections, please tell me.

-- 
Todd Fries .. [EMAIL PROTECTED]




Re: Encryption and Compression with ipsecctl?

2006-06-30 Thread Todd T. Fries
On Tuesday 20 June 2006 21:00, Clint Pachl wrote:
> Is IP compression/ipcomp flows implemented in ipsecctl(8)? I am trying
> to perform encryption (enc) and compression (ipcomp) between two
> OBSD3.9 hosts.

IPcomp is known broken for at least two years, perhaps longer.  Do not use it.

> ipcomp(4) states, "Currently, IPCA can be created using the ipsecadm(8)
> tool," with no mention of ipsecctl.
>
> Here is my simple setup:
>
> sysctl net.inet.ipcomp.enable=1
>
> # ipsec.conf
> flow esp from 192.168.2.2 to 192.168.2.1
> ipcomp from 192.168.2.2 to 192.168.2.1 spi 0x1000:0x1001 comp deflate
> esp from 192.168.2.2 to 192.168.2.1 spi 0x1000:0x1001 \
>  authkey
> 0x:0x \
>  enckey
> 0x:0x
>
> The IP addresses and spi values are swapped on the other host's
> ipsec.conf. I also tried using different spi values for ipcomp and esp.
>
> I performed many ftp and scp transfers, checking for ipcomp packets
> using tcpdump and netstat, but no ipcomp traffic. Encryption between
> the hosts is working properly.
>
> -pachl

-- 
Todd Fries .. [EMAIL PROTECTED]




FYI, 1and1 hosting fun (ip subnet zero)

2006-05-11 Thread Todd T. Fries
I've been told that this is in the archives, but I couldn't find it, so I
re-invented it and am presenting it here for anyone else who may find
themselves in a similarly frustrating situation.

The problem is that 1and1 hosting choses to have any root servers
setup with `ip subnet zero'.  That's a fancy way of stating that they
expect systems to setup IP's with netmasks of 255.255.255.255 and then
route to 10.255.255.1 `magically'.

On a linux system dhcp is able to setup this routing table:

  $ netstat -nr
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  10.255.255.1    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
  169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
  127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
  0.0.0.0         10.255.255.1    0.0.0.0         UG        0 0          0 eth0
  $

To manually implement this when their dhcpd is down (whee!) one would do this:

  # ifconfig eth0 1.2.4.165 netmask 255.255.255.255
  # route add -host 10.255.255.1 netmask 0.0.0.0 dev eth0
  # route add -net default gw 10.255.255.1 dev eth0

Unfortunately, it doesn't work at `home' on OpenBSD.  While the obvious thing
that came to my mind first was to set an inet alias for 10.255.255.2 and set a
default route to 10.255.255.1, this would then send all packets out vr0 with a
src IP of 10.255.255.2, not good. 

So to get a similar functionality I implemented this gross `hack #1' initially:

  $ cat /etc/hostname.vr0
  inet 1.2.4.165 255.255.255.252
  !arp -F -s 1.2.4.166 00:00:0C:07:AC:00 permanent
  $ cat /etc/mygate
  1.2.4.166
  $

Unfortunately this has two drawbacks, namely, the mac address is hardcoded
and there are now three IP's unreachable: 1.2.4.167, 1.2.4.166, 1.2.4.164.

Henning pointed me to the '-llinfo' and '-iface' flags of the route(8) command,
which permits the following `hack #2'.  Note that both drawbacks of `hack #1'
have been addressed.  This is the best way I've found to deal with
1and1 hosting's odd choice of routing setup:

  $ cat /etc/hostname.vr0
  inet 1.2.4.165 255.255.255.255
  !route add -llinfo -iface -net 10.255.0.0/16 10.255.255.1 -ifp vr0
  $ cat /etc/mygate
  10.255.255.1
  $ netstat -nr -f inet
  Routing tables

  Internet:
  Destination        Gateway            Flags   Refs    Use    Mtu  Interface
  default10.255.255.1   UGS1744379  -   vr0
  10.255/16  link#1 UCLS10  -   vr0
  10.255.255.1   0:0:c:7:ac:0   UHLc10  -   vr0
  127/8  127.0.0.1  UGRS00  33224   lo0
  127.0.0.1  127.0.0.1  UH  2  101  33224   lo0
  1.2.4.165  0:40:ca:12:34:56   UHLc0   14  -   lo0 =>
  1.2.4.165  link#1 UC  10  -   vr0
  224/4  127.0.0.1  URS 00  33224   lo0
  $ arp -an
  ? (10.255.0.0) at (incomplete) on vr0(weird 6)
  ? (10.255.255.1) at 00:00:0c:07:ac:00 on vr0
  ? (1.2.4.165) at 00:40:ca:12:34:56 on vr0 static
  $ 

Yes, I changed the IP and mac of the colo I'm taking care of at 1and1; I left
the IP and mac of 1and1's subnet zero mess intact to provide maximal help to
anyone experiencing this same hosting provider.

No, 1and1 does not `support' OpenBSD as an os.  To install OpenBSD, I dissected
yaifo and realized that one can prepare a disk image with no fdisk label but
simply a disklabel.  This image can be made bootable, and it can be dd'ed
directly to any disk.  This is similar but destructively different than dd'ing
the filesystem image to the swap partition on sparc.  Since I had special
routing issues and 1and1 does provide serial console, I didn't really need
yaifo's custom sshd setup.

FYI ;-)
-- 
Todd Fries .. [EMAIL PROTECTED]

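Why `hack #2' works, and why the obvious /32-plus-default-route setup does not, can be shown with a small longest-prefix-match resolver. This is an added example and not part of Todd's post: `ROUTES_HACK2` is his `netstat -nr -f inet` table with the Refs/Use/Mtu columns dropped, and `ROUTES_NAIVE` is a constructed table holding only the /32 interface address and a default route. The resolver's rule that a gateway written as `link#N` or as a MAC address means "deliver on this interface" is this example's simplification of the kernel's behaviour; the 192.0.2.1 destination is just a documentation-range address used as an off-site target.

```python
import ipaddress
import re

# From the post: the routing table after `hack #2' (Destination, Gateway, Flags, Interface).
ROUTES_HACK2 = """\
default        10.255.255.1       UGS   vr0
10.255/16      link#1             UCLS  vr0
10.255.255.1   0:0:c:7:ac:0       UHLc  vr0
127/8          127.0.0.1          UGRS  lo0
127.0.0.1      127.0.0.1          UH    lo0
1.2.4.165      0:40:ca:12:34:56   UHLc  lo0
1.2.4.165      link#1             UC    vr0
224/4          127.0.0.1          URS   lo0
"""

# Constructed counter-example: /32 address plus default route, with nothing
# that makes 10.255.255.1 reachable on the link.
ROUTES_NAIVE = """\
default        10.255.255.1       UGS   vr0
1.2.4.165      link#1             UC    vr0
"""

MAC_RE = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$")


def parse_dest(dest):
    """Turn a netstat destination ('default', '10.255/16', '127/8', a host) into an ip_network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # netstat abbreviates 10.255.0.0/16 as 10.255/16
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_table(text):
    """Parse the four-column table into (network, gateway, flags, ifp) tuples, in table order."""
    routes = []
    for line in text.splitlines():
        if line.strip():
            dest, gw, flags, ifp = line.split()
            routes.append((parse_dest(dest), gw, flags, ifp))
    return routes


def lookup(routes, ip):
    """Longest-prefix match; the first entry wins on equal prefix length."""
    best = None
    for route in routes:
        if ip in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def is_link_level(gateway):
    """link#N (interface route) or a MAC address (resolved neighbour): deliver directly."""
    return gateway.startswith("link#") or MAC_RE.match(gateway) is not None


def on_link(routes, ip):
    """True if ip is reachable without going through some other gateway."""
    route = lookup(routes, ip)
    if route is None:
        return False
    net, gw, _flags, _ifp = route
    if is_link_level(gw):
        return True
    return net.prefixlen == 32 and ipaddress.ip_address(gw) == ip


def next_hop(routes, dst):
    """How a packet to dst leaves the box:
    ('direct', ifp), ('via', gateway, ifp), ('local', ifp) or ('unreachable', reason)."""
    ip = ipaddress.ip_address(dst)
    route = lookup(routes, ip)
    if route is None:
        return ("unreachable", "no matching route")
    net, gw, _flags, ifp = route
    if is_link_level(gw):
        return ("direct", ifp)
    gw_ip = ipaddress.ip_address(gw)
    if gw_ip == ip:
        return ("local", ifp)
    # A default route is only usable if its gateway is itself on-link; a
    # gateway whose best route is the default route is unreachable.
    if not on_link(routes, gw_ip):
        return ("unreachable", f"gateway {gw} is not on-link")
    return ("via", gw, ifp)


if __name__ == "__main__":
    for name, table in (("hack #2", ROUTES_HACK2), ("naive /32", ROUTES_NAIVE)):
        routes = parse_table(table)
        print(name, "->", next_hop(routes, "192.0.2.1"))
```

With the hack #2 table, 192.0.2.1 resolves to `via 10.255.255.1` on vr0 because the `10.255/16` interface route (and the `10.255.255.1` host entry cloned from it) marks the gateway as on-link; with the naive table the only route covering 10.255.255.1 is the default route through 10.255.255.1 itself, so the resolver reports the gateway unreachable. That is the gap the `-llinfo -iface` route in hostname.vr0 closes without hardcoding the gateway's MAC address as `hack #1' did.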



X snaps headsup

2005-12-11 Thread Todd T. Fries
New X snaps with a 'dlopen X server' diff are heading out to the mirrors 
today and tomorrow as they get built.


I have put this into snapshots to get wide testing before Matthieu 
commits this diff.  When you test, simply verify your X server starts 
and operates normally.


When you do this update to a newer X snap, be sure to remove 
/usr/X11R6/lib/modules before doing so, as the names of the modules have 
changed, and the X server will not load the right ones if you have the 
old ones around.


As a bonus, the diff activates modules on zaurus, macppc, sparc64 and amd64.

Thanks for testing,
--
Todd Fries .. [EMAIL PROTECTED]
