openbgpd nexthop blackhole

2005-05-04 Thread Will H. Backman
Anyone have an example bgpd.conf that uses the nexthop blackhole option
for null routing DDoS attacks?

Looking for an openbsd version of:
http://www.secsup.org/Tracking/
 

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
36 Water Street
POB 268
Wiscasset, Maine 04578
Tel: (207) 882-7552
FAX: (207) 882-7308
Email: [EMAIL PROTECTED]
Website: http://www.ceimaine.org
 
The mission of CEI is to help create economically and environmentally
healthy communities in which all people, especially those with low
incomes, can reach their full potential.



Re: openbgpd nexthop blackhole

2005-05-05 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Claudio Jeker
> Sent: Wednesday, May 04, 2005 4:18 PM
> To: misc@openbsd.org
> Subject: Re: openbgpd nexthop blackhole
> 
> On Wed, May 04, 2005 at 02:55:56PM -0400, Will H. Backman wrote:
> > Anyone have an example bgpd.conf that uses the nexthop blackhole option
> > for null routing DDoS attacks?
> >
> > Looking for an openbsd version of:
> > http://www.secsup.org/Tracking/
> >
> 
> Depends on what you like to achieve but a basic starting point is:
> 
> match from any community 65001:666 set nexthop blackhole
> 
> This will blackhole all prefixes with the community tag set to 65001:666.
> Normally 65001 is your AS and it may be good to limit the match to a group
> of neighbors (only customers should send you blackhole requests).
> Last but not least a peer remote-as == source-as check would be good.
> 
> match from $customer source-as $customer_as community $myas:666 \
>   set nexthop blackhole
> 
> --
> :wq Claudio

And this would be combined with the -label option in the route command
to get the 666?  Taking their example:
" Now, Black Hole Route the victim IP address:
ip route victimip 255.255.255.255 Null0 tag 666"

In openbsd:
route add victimip/32 -blackhole -label 666
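The checks Claudio lists above (blackhole community present, request comes from a customer, source-as equals the peer's remote-as) plus the two a provider normally adds on top (host routes only, prefix inside the customer's own allocation) are easy to get subtly wrong in a filter. The following is an added example, not code from the thread or from OpenBGPD: a small Python model of that decision, run over constructed sample peers and updates, so the policy can be reasoned about before it is written into bgpd.conf. The AS numbers, prefixes and peer names are made up.

```python
"""Added example, not from the thread or from OpenBGPD: a model of the
blackhole-community filter sketched in the thread, run over constructed
sample peers and updates.  Nothing here talks to bgpd."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

MY_AS = 65001
BLACKHOLE = (MY_AS, 666)        # the "$myas:666" community from the thread


@dataclass
class Peer:
    name: str
    remote_as: int
    customer: bool                        # member of the customers group?
    allocations: List[str] = field(default_factory=list)  # prefixes the customer owns


@dataclass
class Update:
    peer: Peer
    prefix: str
    source_as: int                        # origin AS, rightmost in AS_PATH
    communities: Set[Tuple[int, int]]


def blackhole_decision(u: Update) -> Tuple[bool, str]:
    """Mirror of: match from $customer source-as $customer_as community $myas:666
    set nexthop blackhole, plus the two extra checks a provider normally wants
    (host routes only, prefix inside the customer's own address space)."""
    if BLACKHOLE not in u.communities:
        return False, "no blackhole community, normal route"
    if not u.peer.customer:
        return False, "blackhole requests accepted from customers only"
    if u.source_as != u.peer.remote_as:
        return False, "source-as does not match the peer's remote-as"
    net = ipaddress.ip_network(u.prefix, strict=True)
    if net.prefixlen != net.max_prefixlen:
        return False, "only host routes are blackholed"
    if not any(net.subnet_of(ipaddress.ip_network(a)) for a in u.peer.allocations):
        return False, "prefix is outside the customer's allocations"
    return True, "set nexthop blackhole"


def demo() -> List[Tuple[str, bool, str]]:
    # Constructed sample data: one customer, one transit peer, six updates.
    cust = Peer("cust1", 65002, True, ["203.0.113.0/24"])
    transit = Peer("upstream", 64496, False)
    updates = [
        Update(cust, "203.0.113.7/32", 65002, {BLACKHOLE}),       # legitimate request
        Update(cust, "198.51.100.9/32", 65002, {BLACKHOLE}),      # not their address
        Update(cust, "203.0.113.0/24", 65002, {BLACKHOLE}),       # whole prefix, too big
        Update(cust, "203.0.113.7/32", 64512, {BLACKHOLE}),       # origin AS is not the customer
        Update(transit, "203.0.113.7/32", 64496, {BLACKHOLE}),    # not a customer
        Update(cust, "203.0.113.0/24", 65002, set()),             # ordinary announcement
    ]
    return [(u.prefix, *blackhole_decision(u)) for u in updates]


if __name__ == "__main__":
    for prefix, accepted, why in demo():
        print(f"{prefix:18} {'BLACKHOLE' if accepted else 'pass     '} {why}")
```

Only the first update is accepted; the others show why each check exists. The "outside the customer's allocations" test is the one that prevents a customer from blackholing someone else's address, which neither the community match nor the source-as check catches on its own.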



IPsec vulnerabilities

2005-05-10 Thread Will H. Backman
According to http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html,
there are some problems with certain IPsec configurations.

Looks like you always need to use the -auth flag with the -enc flag with
ipsecadm when setting up ESP.

Should the man pages include these warnings?


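Why encryption without authentication is the problem behind that advisory: CBC mode is malleable, so flipping a bit in the IV flips the same bit in the first plaintext block, and flipping a bit in ciphertext block i-1 flips it in plaintext block i (while garbling block i-1). Someone who can modify packets in flight can therefore rewrite fields of the inner IP header without knowing the key, and only an integrity check (what the -auth flag adds) rejects the packet. The following is an added example, not from the thread and not OpenBSD's ipsecadm or IPsec code: the block cipher is a toy Feistel construction so the file runs with the standard library alone, the "header" is a constructed stand-in for an IPv4 header (protocol field at byte 9), and the keys and IV are made up.

```python
"""Added example, not from the thread or from OpenBSD: CBC bit-flipping
against encryption-only ESP, and the same packet rejected once an ESP
integrity check is present.  Toy cipher, constructed header and keys."""
import hashlib
import hmac

BLOCK = 16          # bytes, like AES; the attack is the same for 8-byte 3DES blocks
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: a keyed PRF truncated to half a block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Toy 128-bit block cipher (4-round Feistel); stands in for AES/3DES."""
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))   # P[i] = D(C[i]) xor C[i-1]
        prev = cur
    return b"".join(out)


def esp_tag(auth_key: bytes, iv: bytes, ct: bytes) -> bytes:
    """ESP integrity check value over the encrypted payload (what -auth adds)."""
    return hmac.new(auth_key, iv + ct, hashlib.sha256).digest()[:12]


def esp_receive(enc_key, iv, ct, auth_key=None, tag=None) -> bytes:
    """Receiver.  Without auth_key this is encryption-only ESP and any
    ciphertext 'decrypts successfully'; with it, tampering is rejected."""
    if auth_key is not None:
        if tag is None or not hmac.compare_digest(esp_tag(auth_key, iv, ct), tag):
            raise ValueError("ESP integrity check failed")
    return cbc_decrypt(enc_key, iv, ct)


PROTO_OFFSET = 9            # IPv4 protocol field is byte 9 of the header
PROTO_TCP, PROTO_UDP = 6, 17


def demo() -> dict:
    enc_key = b"\x11" * 16             # constructed keys and IV, not real SA material
    auth_key = b"\x22" * 16
    iv = bytes(range(BLOCK))
    # constructed 16-byte header: version/IHL, TOS, length, ID, flags, TTL, proto, cksum, src
    header = (b"\x45\x00\x00\x20\xab\xcd\x40\x00\x40" + bytes([PROTO_TCP])
              + b"\x00\x00\xc0\xa8\x00\x01")
    assert len(header) == BLOCK
    inner = header + b"payload-block-01"            # second 16-byte block
    ct = cbc_encrypt(enc_key, iv, inner)
    tag = esp_tag(auth_key, iv, ct)

    # Attacker, who does not know enc_key, rewrites the protocol field via the IV.
    mask = bytearray(BLOCK)
    mask[PROTO_OFFSET] = PROTO_TCP ^ PROTO_UDP
    evil_iv = _xor(iv, bytes(mask))

    pt = esp_receive(enc_key, evil_iv, ct)          # 1. encryption only: accepted
    try:                                            # 2. with -auth: rejected
        esp_receive(enc_key, evil_iv, ct, auth_key=auth_key, tag=tag)
        detected = False
    except ValueError:
        detected = True
    return {
        "roundtrip_ok": cbc_decrypt(enc_key, iv, ct) == inner,
        "tampered_proto": pt[PROTO_OFFSET],
        "rest_of_header_intact": (pt[:PROTO_OFFSET] == inner[:PROTO_OFFSET]
                                  and pt[PROTO_OFFSET + 1:BLOCK] == inner[PROTO_OFFSET + 1:BLOCK]),
        "payload_intact": pt[BLOCK:] == inner[BLOCK:],
        "auth_detected": detected,
    }


if __name__ == "__main__":
    print(demo())
```

Without the integrity check the receiver sees a packet whose protocol field now says UDP and whose every other byte is unchanged; with it, the same packet fails verification before decryption is even attempted. That is the reason the -auth flag is not optional.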



Re: /etc/skel/.profile export PATH HOME TERM

2005-05-12 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Christian Jones
> Sent: Thursday, May 12, 2005 11:56 AM
> To: misc@openbsd.org
> Subject: Re: /etc/skel/.profile export PATH HOME TERM
> 
> On 5/12/05, Andreas Kahari <[EMAIL PROTECTED]> wrote:
> > These are variables typically used by processes started from the shell
> > session.  Without exporting the variables, they would not be seen by
> > new processes.
> >
> That's true---but login(1) already exports them (see below, or man 1
> login).

What about when sshd is set to not use login?



OpenBSD tested on students learning Unix

2005-05-13 Thread Will H. Backman
Just thought I would let the OpenBSD folks know that students in my
class found OpenBSD easy to use compared to other Unix-like operating
systems.
The course is a college "Introduction to Unix" class, and on the last
class of the semester, I set up a bunch of different versions of
Unix-like operating systems for comparison.  I break the students up into
groups and give them some basic tasks, such as adding new users, booting
to single user mode, mounting a volume, configuring a network interface,
or viewing system resources.  I used Linux, OpenBSD, Darwin, and
Solaris.  The OpenBSD group usually finished tasks first.




Re: File system mirroring for SMTP/POP Servers

2005-05-13 Thread Will H. Backman
> i regard reliability more important than availability as it comes to
my
> mail, userland arrangements like these give me the creeps. i'm
> suggesting that he should try mitigating the reasons for his
> unavailability first. users should get used to 99.9% availability, and
> that's a reasonable figure for a non-replicated system. or look into
> some database system with built-in replication functionality.
> 
> anyway, have you any good examples to throw back at me?
> 
> /k

I suggest people look at Chapter 17 of Operating System Concepts (7th
Edition) by Silberschatz, Galvin, and Gagne.
You can get the EVIL PowerPoint presentation on that chapter here:
http://www3.interscience.wiley.com:8100/legacy/college/silberschatz/0471694665/slides/ch17.ppt



Re: OpenBSD tested on students learning Unix

2005-05-16 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Steve Shockley
> Sent: Friday, May 13, 2005 5:39 PM
> To: misc@openbsd.org
> Subject: Re: OpenBSD tested on students learning Unix
> 
> Will H. Backman wrote:
> > Just thought I would let the OpenBSD folks know that students in my
> > class found OpenBSD easy to use compared to other Unix-like operating
> > systems.
> 
> Do you think that OpenBSD did things in a way that seemed more obvious
> to your students, or was it just better/accurate documentation?

Solaris docs were hard to find, Linux docs are always out of date or
apply to the wrong distro.  Darwin just does a lot of stuff in different
ways, such as Netinfo.  OpenBSD docs are good, and given that the course
was a command-line intro to the traditional Unix environment, OpenBSD's
lack of reliance on GUI tools was a major benefit.



SDLC support in OpenBSD

2005-05-17 Thread Will H. Backman
Is there, or is anyone working on SDLC support on OpenBSD?



Re: Patch Branches!

2005-05-18 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Joco Salvatti
> Sent: Wednesday, May 18, 2005 11:29 AM
> To: Misc OpenBSD
> Subject: Patch Branches!
> 
> Hi all,
> 
> I followed with no errors the steps described in
> http://www.openbsd.org/stable.html. Does it mean that my kernel and
> program
> binaries are all up to date? Does my kernel have the earlier known bugs
> fixed?
> Is my whole system up to date?
> 
> Thanks...
> --
> Joco Salvatti

This question comes up so often.  Perhaps the step to verify should be included 
in the patch steps.



Re: 3.7 is released!

2005-05-19 Thread Will H. Backman
Thank you to the team!

So...what neat things are on the plate for 3.8?



Re: 3.7 is released!

2005-05-19 Thread Will H. Backman
Could you describe your upgrade process to the list?


-Original Message-
From: [EMAIL PROTECTED] on behalf of Matthew S Elmore
Sent: Thu 5/19/2005 5:24 PM
To: misc@openbsd.org
Subject: Re: 3.7 is released!

Excellent!

I have already upgraded everything seems to be running great. :)

Is it your birthday Theo? If so, make it a happy one!



upgrade set selection

2005-05-20 Thread Will H. Backman
During upgrade, it will list the set selection.  Does the upgrade
process detect what sets you selected for the previous install?




Re: Safe development

2005-05-20 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Simon Slater
> Sent: Friday, May 20, 2005 1:09 PM
> To: Stephan Wehner
> Cc: misc@openbsd.org
> Subject: Re: Safe development
> 
> Using cvs to back up the system is going to be very
> inefficient, especially with binary files. I'd suggest
> going with your idea of a system snapshot before any
> major system changes. A straightforward dump(8) and
> restore(8) is easy to set up and your backed up data
> can also be restored just by booting from any OpenBSD
> CD providing it is stored on a local disk.
> 
> I run the following script from the cron every Sunday
> night so that I can always restore back to a few days
> ago if the worst happens. (The /scratch partition is a
> separate disk to the rest of the system)
> 
> Works well enough for me.
> 
> - Simon
> 
> --- BEGIN ---
> 
> #!/bin/sh
> 
> # Dump each filesystem to stdout (-f -) and compress it onto the
> # separate /scratch disk.  -a lets dump size the output itself
> # instead of assuming a tape length.
> dump -af - /dev/wd0a  | gzip > /scratch/backup/root.dump.gz
> dump -af - /dev/ccd0a | gzip > /scratch/backup/usr.dump.gz
> dump -af - /dev/ccd0b | gzip > /scratch/backup/var.dump.gz
> dump -af - /dev/ccd0d | gzip > /scratch/backup/home.dump.gz
> dump -af - /dev/ccd0g | gzip > /scratch/backup/cvs.dump.gz
> 
> # Keep the labels needed to recreate the partition layout on restore.
> disklabel wd0 > /scratch/backup/disklabel_wd0.txt
> disklabel wd1 > /scratch/backup/disklabel_wd1.txt
> disklabel ccd0 > /scratch/backup/disklabel_ccd0.txt
> 
> cp /etc/ccd.conf /scratch/backup
> 
> # Raw copy of the root partition onto the second disk, skipping the
> # first 8K (bs=16b is 16 sectors) on both sides so wd1 keeps its own
> # boot block area; then check the copy.
> dd if=/dev/rwd0a of=/dev/rwd1a bs=16b seek=1 skip=1 conv=noerror
> fsck -y /dev/rwd1a
> 
> --- END ---
> 
> 

Care to include the restore procedure you would use?



Re: Safe development

2005-05-23 Thread Will H. Backman
> -Original Message-
> From: Simon Slater [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 20, 2005 4:43 PM
> To: Will H. Backman; misc@openbsd.org
> Subject: Re: Safe development
> 
> Luckily, restoring is not something i've had to do too
> often so I don't have a pre-written script for doing
> it but after booting from the CD and dropping to a
> shell I would use something along the lines of
> 
> --- BEGIN ---
> 
> # Mount the target root under /mnt and restore each dump into the
> # directory where that filesystem lives.  restore -r rebuilds a whole
> # filesystem from a full dump; "-f -" reads the dump from stdin.
> # (The /home, /var and /cvs filesystems, on ccd0 in this setup, have
> # to be mounted under /mnt before their dumps are restored.)
> mount /dev/wd0a /mnt
> cd /mnt
> gzcat /scratch/backup/root.dump.gz | restore -r -f -
> cd /mnt/home
> gzcat /scratch/backup/home.dump.gz | restore -r -f -
> cd /mnt/var
> gzcat /scratch/backup/var.dump.gz | restore -r -f -
> cd /mnt/cvs
> gzcat /scratch/backup/cvs.dump.gz | restore -r -f -
> 
> # Reinstall the boot blocks on the restored disk.
> /usr/mdec/installboot /usr/mdec/boot /usr/mdec/biosboot wd0
> 
> --- END ---
> 
> These are pretty much from memory so they may not be
> exactly right. Also if you boot from a CD you may need
> to remount /tmp somewhere so that restore has enough
> space to work.
> 
> The added complication in my particular case is that
> everything other than / is located on a ccd(4) disk
> and the ccd driver is not in the RAMDISK kernel. Can't
> recall how I got round this last time but I do
> remember it causing me a few problems initially.
> 
> Hope this helps
> 
> - Simon
> 

Perhaps the OpenBSD community can work to create something for the FAQ.
One of our requirements for any new system is a tested restore
procedure.  I think that a suggested procedure can be very helpful, even
though we all know that there are many ways to do it.



Re: pfsync across datacenters

2005-05-23 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Alejo Sanchez
> Sent: Monday, May 23, 2005 3:50 PM
> To: misc@openbsd.org
> Subject: pfsync across datacenters
> 
> Hi,
> 
> Does anybody have experience having a cluster of pf firewalls across
> datacenters? Would a bit of delay on the pfsync connection make
> problems ? (e.g. timing attacks, fw stopping...)
> 
> TIA!

Are your data centers on the same LAN?  This is not a distance issue.  I
assume your firewalls would have to be on the same logical LAN.



Re: Burn Testing

2005-05-24 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Gaby vanhegan
> Sent: Tuesday, May 24, 2005 11:43 AM
> To: misc@openbsd.org
> Subject: Re: Burn Testing
> 
> On 24 May 2005, at 16:00, Gaby vanhegan wrote:
> 
> > Is there a similar burn-testing app that I can run on OpenBSD to test
> > the stability of the machines over a 12 day period?
> 
> I should have mentioned that there will be a prize* for the most
> creative suggestion.
> 

Thermite.

Ok, maybe try replicating what was done here:
http://www.feyrer.de/NetBSD/gmcgarry/



Re: risky alias..

2005-05-25 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Mike
> Sent: Wednesday, May 25, 2005 11:14 AM
> To: misc@openbsd.org
> Subject: Re: risky alias..
> 
> Jason Opperisano wrote:
> > On Wed, May 25, 2005 at 04:09:20PM +0300, Mike wrote:
> >
> >>would be easily to get password or something else.
> >
> >
> > if $bad_person has the ability to modify your user's or the system-wide
> > shell initialization files, why exactly would they need to steal your
> > password at that point?
> >
> > -j
> >
> > --
> > "Brian: Congratulations, Peter. You're the Spalding Gray of crap."
> > --Family Guy
> >
> >
> 
> i was just thinking that maybe my friend is a bad person or double agent
> or maybe the janitor is clever and attacks silently in that time when I'm
> going to the bathroom and one time I forget to lock my desktop, then
> all is lost and disaster is there.

Set the immutable flag on all of your files and then change the kernel
security level so that they cannot be changed even by root.  All kinds
of things will break, but then you can leave your system logged on while
you walk away.



Re: Email Server

2005-05-25 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Damien Hull
> Sent: Wednesday, May 25, 2005 3:31 PM
> To: [EMAIL PROTECTED]
> Cc: misc
> Subject: Re: Email Server
> 
> [EMAIL PROTECTED] wrote:
> 
> >On Tue, May 24, 2005 at 09:18:58AM -0700, Bruno Delbono wrote:
> >
> >>[EMAIL PROTECTED] wrote:
> >>
> >>>Ports aren't generally checked for much other than "Does it build?" and
> >>>"Does it work?".
> >>>
> >>So, secure by default means that you should only run OpenBSD as it comes
> >>and do not touch anything on it. Or else, it won't be secure by default;
> >>your warranty is voided and Theo will spank you.
> >>
> >
> >"in the base install" is a very important phrase. Ports don't get
> >audited much, if at all. This isn't any sort of slap to the porters;
> >it's just there's a *lot* of code in the port and examining that code
> >for correctness isn't their intent.  Ports are a convenience, not a
> >promise. Postfix and cyrus aren't base install, and therefore aren't
> >covered. Ain't life terrible?
> >
> Thanks for the info. My concern is that OpenBSD is "secure by default"
> when you do a base install but when you start adding things like Postfix
> etc... are you still secure?
> 
> I know you can configure the system so that most files are read only. I
> also know that you can run Postfix in a sandbox ( jail ). It all depends
> on how much work I want to put into securing the system. If the answer
> to the above question is "no!", then I'll have to lock down Postfix
> etc... If the answer to the above question is "Yes!" then I can leave
> things the way they are and just install Postfix.
> 
> There are trade offs between security and management overhead. Putting
> Postfix in a sandbox is a nice idea but my understanding is that you
> have to take Postfix off-line to add any users and then put it back in
> the sandbox and then bring it back on-line. Leaving Postfix outside of a
> sandbox means you just add users when you need to. I did this once on a
> FreeBSD email server a few years back. I decided that a sandbox was too
> much work.
> 
> I'm still a long ways away from designing a system. I haven't even
> decided which OS I want to use. If enough people on the list can
> convince me that OpenBSD is the way to go I'll install it on a system,
> ship it down to Seattle and collect my mail. This will be on a test
> domain of course.

Any operating system will end up using third party applications, and any
operating system can be secure by default if it ships with no services
running.  When evaluating a third party application like postfix, you
have two security realms: the actual application, and the operating
system that supports it.  With OpenBSD, you have a very nice foundation
that can help enhance the security of the third party service.  For
example, OpenBSD randomizes PID number creation, which made some
exploits against insecure temp file creation that much more difficult.
OpenBSD includes a lot of other protection mechanisms that help
applications without any real effort by you.  OpenBSD also includes some
nice tools like systrace that you can use to actively harden a service.
While other operating systems may include similar protections, OpenBSD
provides simple and effective mechanisms.  Simplicity is very important.
Compare OpenBSD/NetBSD systrace to the SELinux mechanism for an example.

If I had to run an insecure service on any platform, it would be
OpenBSD.  It is better to assume that everything is insecure, and design
to reduce the effectiveness of those failures.  I think this is why the
OpenBSD folks are moving as much as possible towards privilege
separation.  It is better to assume that your application is insecure.



getting ports from CVS

2005-05-27 Thread Will H. Backman
Ports are making me feel dumb.  Now I know why I stick to
packages.

Following examples from http://www.openbsd.org/anoncvs.html#EXAMPLE

I'm running 3.6 patch branch.  Getting src from anonymous CVS has always
worked, but attempting to get ports fails.  I tried a few of the anoncvs
servers.

star# setenv [EMAIL PROTECTED]:/cvs
star# cd /usr; cvs checkout -P -rOPENBSD_3_6 ports
cvs server: cannot find module `ports' - ignored
cvs [checkout aborted]: cannot expand modules
star#

or

star# cd /usr
star# cvs -q get -rOPENBSD_3_6 -P ports
cvs server: cannot find module `ports' - ignored
cvs [checkout aborted]: cannot expand modules
star#

What am I doing wrong?




Mailing list software

2005-05-31 Thread Will H. Backman
I'm looking for some suggestions for very simple mailing list software
under OpenBSD, and I'd like to use the base install as much as possible.

Majordomo seems to be the only one that doesn't require the installation
of a lot of other software.  Does anyone use anything else?

I'd use just a basic alias file, but I want to handle bounces gracefully
and restrict sending to the list.




Re: SGI hardware options for OpenBSD 3.7

2005-06-01 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Miod Vallat
> Sent: Wednesday, June 01, 2005 6:28 AM
> To: Dustin Lundquist
> Cc: misc
> Subject: Re: SGI hardware options for OpenBSD 3.7
> 
> > assume the sgi port for OpenBSD is built for MIPS IV (R5000+), this
> > would prevent it from running on R4000/R4400 Ind(y|igo[2])s. IIRC the
> > R4000 and higher (MIPS III) are 64bit capable CPUs and could probably be
> > supported with relative ease. I have an older Indy (R4x00) I will donate
> > if someone wants to add support for the Ind(y|ingo2).
> 
> I have plans to work on 64-bit support for R4k Indy & Indigo2 sometime
> in the future, but I have more important real-life issues to solve
> first.
> 
> Miod

I have an Indigo Elan if anyone wants it.  It needs a new hardware clock
battery.



Re: Asterisk with OpenBSD3.7

2005-06-02 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Joshua P. Quintus
> Sent: Thursday, June 02, 2005 11:58 AM
> To: misc@openbsd.org
> Subject: Asterisk with OpenBSD3.7
> 
> I was just wondering if anybody has Asterisk
> (http://www.asterisk.org/) with OpenBSD.  I am looking into using it as
> an auto attendant in a small office and was curious if anyone has had any
> experiences with it on BSD before I started pricing out hardware. Good or
> bad.
> 
> Thanks
> 
> - Josh

I don't think you will be able to get the PCI hardware cards working
such as the Wildcard.



Re: openbsd list fckery

2005-06-03 Thread Will H. Backman
> About a week ago, I was trying to upgrade my dual boot laptop to 3.7. I
> had to run the installer about 20 times to figure out my problem and
> correct it.  In the process, I learned more about fdisk and disklabel
> than I had ever needed to before, and I count that as a good thing. It
> took no more than about 5 minutes each time to run the installer from
> scratch to completion in each case.  Typing Ctrl-C and then "install"
> when you make a mistake isn't that difficult.
> 
> --

I think the installer should be the last thing to go "user friendly".
OpenBSD is not point and click.  If you can figure out the installer, it
means you actually read instructions.  If you could install OpenBSD by
just clicking "Next", you would be in for a rough ride after.



Re: openbsd list fckery

2005-06-03 Thread Will H. Backman
> -Original Message-
> From: Michael Shalayeff [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 03, 2005 10:59 AM
> To: Will H. Backman
> Cc: misc@openbsd.org
> Subject: Re: openbsd list fckery
> 
> Making, drinking tea and reading an opus magnum from Will H. Backman:
> > > About a week ago, I was trying to upgrade my dual boot laptop to 3.7. I
> > > had to run the installer about 20 times to figure out my problem and
> > > correct it.  In the process, I learned more about fdisk and disklabel
> > > than I had ever needed to before, and I count that as a good thing. It
> > > took no more than about 5 minutes each time to run the installer from
> > > scratch to completion in each case.  Typing Ctrl-C and then "install"
> > > when you make a mistake isn't that difficult.
> > >
> > > --
> >
> > I think the installer should be the last thing to go "user friendly".
> > OpenBSD is not point and click.  If you can figure out the installer, it
> > means you actually read instructions.  If you could install OpenBSD by
> > just clicking "Next", you would be in for a rough ride after.
> 
> actually 90% of the installer we have is just pushing "next".
> everything has most common reasonable defaults.
> 
> so if it is really hard for you then perhaps you are just
> retarded and need treatment w/ electricity and if that does
> not help then perhaps should not use computers...
> 

I never said it was hard for me.  I read the instructions.  I also read
the afterboot man page.



Re: Suggested hardware for server?

2005-06-27 Thread Will H. Backman
> However, I have slowly been expanding this computer's role: it's
> always been a firewall/gateway/NAT box.  But I also want it to be a
> massive data store (to house files for a video-on-demand system)
> using nfs/samba, a backup server (rsync) and house some relatively
> light-weight subversion (svn) repositories.
> 

I'd invest in one machine to just be the firewall. As secure as OpenBSD
is, the more features a firewall has, the more problems it can have.



3.7 xl0 watchdog timeouts

2005-06-29 Thread Will H. Backman
I'm getting watchdog timeout messages on the console for xl0.
3C589D PCMCIA in an old Dell PPL.
Even though the link light is on, it doesn't seem to really talk to the
network.

Any ideas? 




Re: read-only storage media

2005-07-01 Thread Will H. Backman
Kernel security levels may do what you want with less hassle.  The machine
would need a reboot before the level can be lowered.

See the securelevel(7) man page.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Matt Garman
> Sent: Friday, July 01, 2005 11:06 AM
> To: OpenBSD Misc
> Subject: read-only storage media
> 
> Is there any kind of storage media that can be set as read-only, and
> only reset to read and write by physical access?
> 
> I'm thinking about something like the (seemingly ancient) 3.5"
> floppy disks that had that little "switch" you could use to set the
> disk to read only.
> 
> Are there any hard drives that have a similar kind of feature?
> 
> I'm thinking that this would be nice for a firewall machine: if the
> machine was compromised, it still couldn't be modified (i.e.,
> volumes mounted read only can always be remounted read-write if the
> machine is root compromised).
> 
> I'm thinking that I could burn a CD-R (and re-burn it whenever
> there's a configuration change), but it seems like the system might
> have a lot of latency and the CD-ROM drive might prematurely fail.
> 
> Any thoughts?
> 
> Thanks,
> Matt
> 
> --
> Matt Garman
> email at: http://raw-sewage.net/index.php?file=email



Re: spoofing question

2005-07-06 Thread Will H. Backman
"We consider the problem of inserting a malicious packet into a TCP
connection, as well as establishing a TCP connection using an address
that is legitimately used by another machine. We introduce the notion of
a Spoofing Set as a way of describing a generalized attack methodology.
We also discuss a method of constructing Spoofing Sets that is based on
Phase Space Analysis and the presence of function attractors. We review
the major network operating systems relative to this attack. The goal of
this document is to suggest a way of measuring relative network-based
sequence number generators quality, which can be used to estimate attack
feasibility and analyze underlying PRNG function behavior. This approach
can be applied to TCP/IP protocol sequence numbers, DNS query
identifiers, session-id generation algorithms in cookie-based
authentication schemes, etc."

http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm

Includes nice pictures

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Matt
> Sent: Saturday, February 26, 2005 10:36 PM
> To: misc@openbsd.org
> Subject: spoofing question
> 
> A general security question about spoofing modern *nix operating
> systems, including OpenBSD.  Is spoofing pretty much dead?  Do modern
> *nix machines still use the old BSD style incrementation of sequence
> numbers (I don't know enough C to find it in the source)?  Or are
> sequence numbers now random (unspoofable).  Also, don't high speed LANs
> (gigabit, fibre) make it doubly hard to guess sequence number?  I
> couldn't find much on the subject.  Thanks.
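The "Spoofing Set" idea quoted above can be measured rather than just pictured. The following is an added example, not from the thread and not the BindView paper's own tooling: a minimal Python version of the phase-space construction (each point is three consecutive ISN deltas) and of the spoofing set (the candidate next deltas taken from attractor points near the two deltas just observed), run against three constructed sequence-number generators. The generators are simulations written for this example, not any real kernel's code, and the radius, window and sample sizes are arbitrary choices.

```python
"""Added example, not from the thread or the BindView paper: a minimal
spoofing-set measurement in the style Zalewski describes, run against
constructed ISN generators.  Simulations only; no real kernel code."""
import random

MOD = 1 << 32


def classic_bsd_isn(n, rng):
    """Simulated 4.4BSD-style generator: a global counter bumped by 64000 per
    connection, with a larger clock-driven step now and then.  In delta space
    this is a couple of points, i.e. almost no entropy."""
    isn, out = rng.getrandbits(32), []
    for _ in range(n):
        isn = (isn + 64000 + rng.choice([0, 0, 0, 125000])) % MOD
        out.append(isn)
    return out


def random_increment_isn(n, rng):
    """Simulated 'random increment' generator: a counter plus a random step in a
    bounded range.  Looks random locally, but the attractor is a small cube."""
    isn, out = rng.getrandbits(32), []
    for _ in range(n):
        isn = (isn + 64000 + rng.randrange(60000)) % MOD
        out.append(isn)
    return out


def random_isn(n, rng):
    """Uniformly random 32-bit ISNs, the ideal a good generator approximates."""
    return [rng.getrandbits(32) for _ in range(n)]


def deltas(seq):
    return [(b - a) % MOD for a, b in zip(seq, seq[1:])]


def phase_points(seq):
    """Phase-space coordinates for each n:
    x = s[n-2]-s[n-3], y = s[n-1]-s[n-2], z = s[n]-s[n-1]."""
    d = deltas(seq)
    return [(d[i - 2], d[i - 1], d[i]) for i in range(2, len(d))]


def spoofing_set(attractor, x, y, radius):
    """Candidate next deltas: the z of every attractor point whose (x, y) lies
    within `radius` of the two deltas just observed.  (Plain subtraction, so
    points straddling the 2^32 wrap count as far apart; good enough here.)"""
    return {z for (px, py, z) in attractor
            if abs(px - x) <= radius and abs(py - y) <= radius}


def _within(a, b, window):
    d = (a - b) % MOD
    return d <= window or d >= MOD - window


def attack_success_rate(gen, seed, n_train=2000, n_trials=200, radius=5000, window=4096):
    """Learn the attractor from n_train ISNs, then for each trial observe three
    more connections, build the spoofing set for the fourth and score a hit if
    the real fourth ISN lands within `window` of any candidate (a segment with
    that sequence number would fall inside the receive window).
    Returns (hit rate, average spoofing-set size = guesses the attacker needs)."""
    rng = random.Random(seed)
    seq = gen(n_train + 4 * n_trials, rng)
    attractor = phase_points(seq[:n_train])
    hits = total = 0
    for t in range(n_trials):
        s = seq[n_train + 4 * t:n_train + 4 * t + 4]   # three observed ISNs + the target
        x, y = (s[1] - s[0]) % MOD, (s[2] - s[1]) % MOD
        candidates = spoofing_set(attractor, x, y, radius)
        total += len(candidates)
        if any(_within(s[3], (s[2] + z) % MOD, window) for z in candidates):
            hits += 1
    return hits / n_trials, total / n_trials


if __name__ == "__main__":
    for name, gen in [("classic BSD counter", classic_bsd_isn),
                      ("random increment", random_increment_isn),
                      ("random ISN", random_isn)]:
        rate, guesses = attack_success_rate(gen, seed=1)
        print(f"{name:20} hit rate {rate:.2f}  avg guesses {guesses:.0f}")
```

The counter generator is hit every time with at most two guesses; the random-increment one is still hit nearly every time, just with a few dozen guesses; the uniformly random one yields an empty spoofing set, so the attractor tells the attacker nothing and the only option left is the full 2^32 space. Link speed, the other part of the question, does not enter into this at all: the attack is about how much information past ISNs leak about the next one.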



Re: getting dhclient to update bind forwarders IPs

2005-07-12 Thread Will H. Backman
> For the other part, if you're running your own nameserver,
> why would you want to use forwarders at all?

The use of forwarders is a good thing.  It reduces the load on the root
servers, and your DNS server gets to use closer servers that may already
have the answer.



Re: getting dhclient to update bind forwarders IPs

2005-07-12 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Stephen Marley
> Sent: Tuesday, July 12, 2005 10:30 AM
> To: misc@openbsd.org
> Subject: Re: getting dhclient to update bind forwarders IPs
> 
> On Tue, Jul 12, 2005 at 09:38:43AM -0400, Will H. Backman wrote:
> > > For the other part, if you're running your own nameserver,
> > > why would you want to use forwarders at all?
> >
> > The use of forwarders is a good thing.  It reduces the load on the root
> > servers, and your DNS server gets to use closer servers that may already
> > have the answer.
> 
> Actually, in most circumstances the use of forwarders is considered a
> bad thing by many DNS experts. See USENET comp.protocols.dns.bind for
> the arguments.
> 
> --
> Stephen

For the benefit of those who would like to read a good argument without
searching the archives:
http://groups-beta.google.com/group/comp.protocols.dns.bind/browse_thread/thread/dd040ffb4edaf061/6eaff076e961d4c2?q=forwarders&rnum=191#6eaff076e961d4c2



3.7 panic after removing ath0 pcmcia card

2005-07-14 Thread Will H. Backman
Transcribed by hand, more data to follow in next email (dmesg etc):
Computer is a Dell Latitude PPL
Ath card was a Netgear WG511T

Multiply freed item 0xd09d7000
panic: free: duplicated free
Stopped at   Debugger+0x4:  leave
RUN AT LEAST 'TRACE' AND 'PS' AND INCLUDE OUTPUT WHEN REPORTING THIS
PANIC
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION
ddb> trace
Debugger(d0563264,7373656c,daaf1e1c,d09d7000,2) at Debugger+0x4
panic(d04dc2df,d09d7000,daaf1e5c,d02243f,1) at panic+0x63
free(d09d7000,2,1,0,d09d7000) at free+0x40
ar5k_ar5212_detach(d09d7000,0,0,0,0) at ar5k_ar5212_detach+0x1d
ath_detach(d09e,0,202,d09e) at ath_detach+0x63
ath_cardbus_detach(d09e,0,0,d0957e80) at config_detach+0x200
cardbus_detach_card(d0957e00,7f,0,0,0) at cardbus_detach_card+0x2d
cardslot_event_throw(d0957e80) at cardslot_event_throw+0x12c
Bad frame pointer: 0xd06d3e98
ddb> ps
  PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
18855      1  18855      0  3     0x40184  select     sendmail
 7898      1   7898      0  3      0x4086  ttyin      getty
26939      1  26939      0  3      0x4086  ttyin      getty
15366      1  15366      0  3      0x4086  ttyin      getty
 9865      1   9865      0  3      0x4086  ttyin      getty
19619      1  19619      0  3      0x4086  ttyin      csh
 6228      1   6228      0  3        0x84  select     cron
32036      1  32036      0  3       0x184  select     inetd
13895      1  13895      0  3        0x84  poll       ntpd
11531      1    544     83  3       0x186  poll       ntpd
 5154   4315   4315     73  2       0x184             syslogd
 4315      1   4315      0  3        0x84  netio      syslogd
27569      1  27569     77  3       0x184  poll       dhclient
11315      1    544      0  3        0x86  poll       dhclient
   13      0      0      0  3    0x100204  crypto_wa  crypto
   12      0      0      0  3    0x100204  aiodoned   aiodoned
   11      0      0      0  3    0x100204  syncer     update
   10      0      0      0  3    0x100204  cleaner    cleaner
    9      0      0      0  3    0x100204  reaper     reaper
    8      0      0      0  3    0x100204  pgdaemon   pgdaemon
    7      0      0      0  3    0x100204  cardslote  cardslot1
    6      0      0      0  7    0x100204             cardslot0
    5      0      0      0  3    0x100204  usbtsk     usbtask
    4      0      0      0  3    0x100204  usbevt     usb0
    3      0      0      0  3    0x100204  apmev      apm0
    2      0      0      0  3    0x100204  kmalloc    kmthread
    1      0      1      0  3      0x4084  wait       init
    0     -1      -      -  3     0x80204  scheduler  swapper
ddb>



Re: 3.7 panic after removing ath0 pcmcia card

2005-07-14 Thread Will H. Backman
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 234 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 133734400 (130600K)
avail mem = 115527680 (112820K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 11/25/98, BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, estimated 4:06 hours
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb930/112 (5 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371 ISA and IDE" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX" rev 0x02
vga1 at pci0 dev 2 function 0 "Neomagic Magicgraph NM2160" rev 0x01
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cbb0 at pci0 dev 3 function 0 "Texas Instruments PCI1131 CardBus" rev 0x01: irq 11
cbb1 at pci0 dev 3 function 1 "Texas Instruments PCI1131 CardBus" rev 0x01: irq 11
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x01
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 4126MB, 8452080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x01 at pci0 dev 7 function 3 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 2 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.02
midi0 at sb0: 
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: 
pcppi0 at isa0 port 0x61
midi2 at pcppi0: 
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port
0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom2: irq 5 already in use
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ef4d netmask ef4d ttymask ffcf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
ep1 at pcmcia1 function 0 "3Com Corporation, 3C589D, TP/BNC LAN Card
Ver. 2a" port 0xa000/16: address 00:60:97:91:1a:3b, utp/aui/bnc (default
utp)
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted
ath0 at cardbus0 dev 0 function 0 "Atheros Communications, Inc.,
AR5001--, Wireless LAN Reference Card": irq 11
ath0: mac 80.9 phy 4.3 radio 4.6, 802.11a/b/g, FCC1A, address
00:09:5b:ea:75:73 gpio at ath0 not configured
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Will H. Backman
> Sent: Thursday, July 14, 2005 3:01 PM
> To: misc@openbsd.org
> Subject: 3.7 panic after removing ath0 pcmcia card
> 
> Transcribed by hand, more data to follow in next email (dmesg etc):
> Computer is a Dell Latitude PPL
> Ath card was a Netgear WG511T
> 
> Multiply freed item 0xd09d7000
> Panic: free: duplicated free
> Stopped at   Debugger+0x4:  leave
> RUN AT LEAST 'TRACE' AND 'PS' AND INCLUDE OUTPUT WHEN REPORTING THIS
> PANIC
> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION
> Ddb>trace
> Debugger(d0563264,7373656c,daaf1e1c,d09d7000,2) at Debugger+0x4
> Panic(d04dc2df,d09d7000,daaf1e5c,d02243f,1) at panic+0x63
> Free(d09d7000,2,1,0,d09d7000) at free+0x40
> Ar5k_ar5212_detach(d09d7000,0,0,0,0) at ar5k_ar5212_detach+0x1d
> Ath_detach(d09e,0,202,d09e) at ath_detach+0x63
> Ath_cardbus_detach(d09e,0,0,d0957e80 at config_detach+0x200
> Cardbus_detach_card(d0957e00,7f,0,0,0) at cardbus_detach_card+0x2d
> Cardslot_event_t

Re: 3.7 panic after removing ath0 pcmcia card

2005-07-14 Thread Will H. Backman
> -Original Message-
> From: Rogier Krieger [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 14, 2005 5:37 PM
> To: OpenBSD-misc list
> Cc: Will H. Backman
> Subject: Re: 3.7 panic after removing ath0 pcmcia card
> 
> On 7/14/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > Transcribed by hand, more data to follow in next email (dmesg etc):
> > Computer is a Dell Latitude PPL
> > Ath card was a Netgear WG511T
> >
> > Multiply freed item 0xd09d7000
> > Panic: free: duplicated free
> 
> Did you search the archives? I'm quite sure this came up during the
> week. In fact, a snapshot (July 8th) fixed my problem, which seems
> highly similar to yours.
> 
> Cheers,
> 
> Rogier
> 
> --
> If you don't know where you're going, any road will get you there.

Yes, I saw it in the archives, but I thought I would report it so the
developers would have more information.  Off list, I have been told that
the fix will not be put into -stable, so moving to -current or using a
different card seems to be the choice for now until -current becomes
-release.



Re: Load Balance net connections w/ redirect

2005-07-15 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> James Harless
> Sent: Friday, July 15, 2005 2:33 PM
> To: misc@openbsd.org
> Subject: Load Balance net connections w/ redirect
> 
> Hello all,
> 
> I'm trying to redirect specific ports through a pf firewall that
> loadbalances 2 outgoing net connections and having some problems.
> This firewall connects to 2 different ISPs.  It also performs
> greylisting and pre-filtering of mail for viruses(virii?).  I know
> that I need to work in the 'reply-to' option somehow but, I can't see
> to get it working.
> 
Why not use an exterior routing protocol, which is designed to do this?



Re: Load Balance net connections w/ redirect

2005-07-18 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> James Harless
> Sent: Saturday, July 16, 2005 4:27 AM
> Cc: OpenBSD-misc list
> Subject: Re: Load Balance net connections w/ redirect
> 
> I'm not sure I understand the suggestion.  Feel free to enlighten
> me... I'm completely open to ideas.
> 
> James
> 
> On 7/15/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > > James Harless
> > > Sent: Friday, July 15, 2005 2:33 PM
> > > To: misc@openbsd.org
> > > Subject: Load Balance net connections w/ redirect
> > >
> > > Hello all,
> > >
> > > I'm trying to redirect specific ports through a pf firewall that
> > > loadbalances 2 outgoing net connections and having some problems.
> > > This firewall connects to 2 different ISPs.  It also performs
> > > greylisting and pre-filtering of mail for viruses(virii?).  I know
> > > that I need to work in the 'reply-to' option somehow but, I can't see
> > > to get it working.
> > >
> > Why not use an exterior routing protocol, which is designed to do this?
> >
> 
> 
> --
> What would Bilano do?

I'm making some assumptions about your setup.  In general, when you load
balance two connections, you use a routing protocol with your upstream
providers.  The routing protocol can detect link failures, and it is
important to have routing table updates at both ends of your internet
connections.



Re: interrupt comparison

2005-07-18 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Andreas Bihlmaier
> Sent: Monday, July 18, 2005 1:16 PM
> To: misc@openbsd.org
> Subject: interrupt comparison
> 
> Hello @ misc@,
> I just happened to run a little network benchmark since my network seemed
> to be slower than I'm used to.
> The result is that the max throughput I was able to get with a X-over cable
> directly linked and with two (decently) fast machines is ~78 Mbps !
> Is this normal?
> 
> Here are the hardware specs:
> host1 ->  ibm x40 1,4 ghz 1024mb ram intel em0 NIC 1000mbit
> host2 ->  athlon xp 2600+ 1024mb ram rl0 NIC 100mbit
> Both machines are running OpenBSD snapshot ( 2005-06-28 )
> The dmesgs are at the very end of the mail (since I don't think they are
> relevant for the situation).
>

Is the second machine really 100mb?  If so, I don't think that number is
too bad.



Re: '.' in username

2005-07-20 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Thanos Tsouanas
> Sent: Wednesday, July 20, 2005 7:02 AM
> To: misc@openbsd.org
> Subject: '.' in username
> 
> Hello.
> 
> I just found out that chsh complains if a username has a '.' in it:
> 
> % sudo chsh foo.bar
> [ ... ]
> chsh: '.' is dangerous in a login name
> 
> I'm sure there's a reason (why? regexps involved?) but I think that
> since chsh complains, adduser should complain too.  No?

Try being the contact for a DNS SOA record with one of those.
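Why a dot in a login name is awkward for the SOA contact, as an added example that is not part of the original thread: in master-file format the SOA RNAME encodes a mailbox by using the position of the '@' as a label boundary, so a dot inside the local part has to be written as `\.` or it is read as one more label boundary (RFC 1035, section 8). The helpers below are illustrative code written for this page; the contact mailbox is a constructed value.

```python
def split_labels(name):
    """Split a master-file domain name into labels, honouring backslash escapes.

    'foo\\.bar.example.com.' -> ['foo.bar', 'example', 'com']
    """
    labels, cur, i = [], [], 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            # an escaped character is literal, even if it is a dot
            cur.append(name[i + 1])
            i += 2
            continue
        if c == ".":
            labels.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        labels.append("".join(cur))
    return labels


def mailbox_to_rname(mailbox):
    """Encode user@domain as an SOA RNAME: escape dots (and backslashes) in the
    local part, then use the '@' position as a label boundary."""
    local, domain = mailbox.rsplit("@", 1)
    escaped = local.replace("\\", "\\\\").replace(".", "\\.")
    return f"{escaped}.{domain.rstrip('.')}."


def rname_to_mailbox(rname):
    """Decode an RNAME: the first label is the whole local part."""
    labels = split_labels(rname)
    return f"{labels[0]}@{'.'.join(labels[1:])}"


def naive_rname_to_mailbox(rname):
    """What happens when the dot is not escaped: the first dot ends the local part."""
    first, rest = rname.rstrip(".").split(".", 1)
    return f"{first}@{rest}"


# constructed sample contact with a dot in the login name
CONTACT = "will.backman@example.org"

if __name__ == "__main__":
    encoded = mailbox_to_rname(CONTACT)
    print(encoded)                      # will\.backman.example.org.
    print(rname_to_mailbox(encoded))    # will.backman@example.org
    # the same name written without the escape is read as a different mailbox:
    print(naive_rname_to_mailbox("will.backman.example.org."))  # will@backman.example.org
```

The practical consequence is that zone files, and any tooling that reads them, have to agree on the escaping; a login name without dots avoids the question entirely.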



Re: sniffer

2005-07-20 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Clint M. Sand
> Sent: Wednesday, July 20, 2005 12:15 PM
> To: misc@openbsd.org
> Cc: [EMAIL PROTECTED]
> Subject: Re: sniffer
> 
> On Tue, Jul 19, 2005 at 11:28:08AM -0500, eric wrote:
> > On Tue, 2005-07-19 at 17:20:43 +0300, [EMAIL PROTECTED] proclaimed...
> >
> > > I need to sniff a network segment and I need to sniff both headers and
> > > data. Because tcpdump captures only headers it's unsuitable for the task.
> > > I saw that ports has ettercap and sniffit but I didn't get around to
> > > testing them to see if they will do the job I need. Can anyone recommend
> > > other tools that will do the work?
> >
> > Go read the manpage for tcpdump. Then go get tcpshow or something similar.
> 
> You don't need tcpshow. See -X for tcpdump.

Speaking of tcpdump and other tools... Anyone know how to capture the
entire layer 2 ethernet frame?



Skey login logging

2005-07-28 Thread Will H. Backman
Is there a way to get the system to report the auth mechanism (skey)
used when there is a failed login?




Re: DDOS Attack!!!who can help me?

2005-07-29 Thread Will H. Backman
With DOS, there was something you could do.  With DDOS, you will have to
either get a huge pipe and systems to just take it, or move and have
your ISP do something like http://www.secsup.org/Tracking/



Re: network adapter order

2005-08-01 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Nick Holland
> Sent: Monday, August 01, 2005 9:01 AM
> To: Michiel van der Kraats
> Cc: misc@openbsd.org
> Subject: Re: network adapter order
> 
> On Mon, Aug 01, 2005 at 01:12:08PM +0200, Michiel van der Kraats wrote:
> > Hi,
> >
> > Is it possible to change the order in which the kernel detects and
> > names network interfaces? I have a system which has one fxp onboard
> > and one fxp as a PCI card. With the PCI card, the onboard NIC is
> > named fxp1 and the PCI card fxp0. Can something be done to change the
> > ordering? It's conceptually easier to tell people the onboard NIC is
> > their internal network.
> 
> what does the ordering have to do with which one is which?  Simply alter
> your pf.conf rules.  You probably want to use a macro to name the
> interfaces, anyway.  So $EXT becomes fxp0...so what?
> 
> Altering the numbering order of PCI cards would require a custom kernel,
> and that would be really, really bad in this case.  (imagine booting off
> a GENERIC kernel by mistake, and ending up with your network config
> completely reversed!)
> 
> Nick.

Perhaps we could get some insight as to how this ordering happens from
those who know.  I've never had a problem with it changing on me, but it
might be nice to know how the kernel decides, and what mistakes we might
make that could cause it to happen.

Just an attempt to turn a question into education.



Re: FTPS recommendations?

2005-08-01 Thread Will H. Backman
> Since FTP over SSL/TLS is going to require configuration changes on
> the client side and possibly upgrades of client-side software, why not
> just require a new client that supports SFTP?
> 
OpenBSD ftp daemon rocks.  If only OpenSSHd had the same config options
for virtual hosts.



Re: VPN behind a router

2005-08-02 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Helio Santana
> Sent: Tuesday, August 02, 2005 8:58 AM
> To: misc@openbsd.org
> Subject: VPN behind a router
> 
> Hi,
> first excuse my english, please.
> 
> I'm trying to make a VPN between 2 computers with OpenBSD behind a
> router that connected to internet (See schema)
> 
> Private LAN4 -- OBSD_4  Router_4  Internet  Router_5
> - OBSD_5  Private LAN5
> 
> Every OBSD has 2 net cards 1 connected to router, and the other to the
> hub in private lan.
> 
> I have made all steps explained in "man vpn".
> My private Lan's are 192.168.4.0/24 and 192.168.5.0/24. The Lan
> between OBSD and router's are 192.168.41.0/24 and 192.168.51.0/24.
> 
> Routers redirect all incoming trafic to his respective OBSD and have
> his Firewalls disabled.
> 
> External IP Router_4 is A.B.C.D, External IP Router_5 is W.X.Y.Z
> 
> All computers in LAN4 has access to internet and can make a ping to
> W.X.Y.Z...
> 
> I can make an ssh connection from OBSD_4 to OBSD_5... even from an
> conection from Internet I can make a ping, etc.
> 
> The only way I have make possible to connect the VPN is configuring
> routers as modems (I don't know whats the name of this in english, in
> spanish 'monopuesto').
> 
> But I need to do configuring both routers as routers (in spanish
> 'multipuesto').
> 
> Thanks in advance,
> Helio.


It appears that the VPN is passing through NAT, which can break standard
VPN setups.  Part of IPSec is AH, which checks to make sure that the
headers are not modified in a strange way.  NAT modifies the packets as
they leave by replacing the return IP address. One common way around
this is to reduce security and use ESP only.
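To make the AH-versus-NAT point concrete, here is an added, deliberately simplified model; it is not code from the thread or from OpenBSD. The AH integrity check (RFC 4302) covers the IP header as well as the payload, with mutable fields such as TTL counted as zero, while the ESP check (RFC 4303) covers only the ESP header and payload. The key, SPI and addresses are constructed; 192.168.41.2 reuses the poster's router-side LAN, and the other addresses come from the documentation ranges.

```python
import hashlib
import hmac
import socket
import struct

# constructed demo key shared by both ends; a real SA derives this via IKE
KEY = b"constructed-demo-key"
ICV_LEN = 12  # truncated HMAC, as the standard IPsec HMAC algorithms do


def ah_icv(pkt):
    """AH ICV (RFC 4302): covers the IP header too, with mutable fields zeroed."""
    covered = (
        socket.inet_aton(pkt["src"])
        + socket.inet_aton(pkt["dst"])
        + bytes([0])              # TTL is mutable in transit, so it counts as zero
        + pkt["payload"]
    )
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(pkt):
    """ESP ICV (RFC 4303): covers SPI, sequence number and payload, never the
    outer IP header.  The payload would normally be ciphertext; plaintext is
    used here because only integrity coverage matters for this demo."""
    covered = struct.pack("!II", pkt["spi"], pkt["seq"]) + pkt["payload"]
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]


def forward_through_router(pkt):
    """A plain router decrements TTL but leaves the addresses alone."""
    out = dict(pkt)
    out["ttl"] -= 1
    return out


def forward_through_nat(pkt, public_ip):
    """A NAT router additionally rewrites the source address."""
    out = forward_through_router(pkt)
    out["src"] = public_ip
    return out


def receiver_accepts(pkt, icv, compute):
    """Receiver recomputes the ICV over what arrived and compares in constant time."""
    return hmac.compare_digest(compute(pkt), icv)


def demo():
    # constructed packet from OBSD_4's router-side interface to the remote peer
    sent = {"src": "192.168.41.2", "dst": "198.51.100.5", "ttl": 64,
            "spi": 0x1000, "seq": 1, "payload": b"ping"}
    ah, esp = ah_icv(sent), esp_icv(sent)
    public = "203.0.113.9"  # constructed public address of Router_4
    return {
        "ah_plain_router": receiver_accepts(forward_through_router(sent), ah, ah_icv),
        "ah_nat": receiver_accepts(forward_through_nat(sent, public), ah, ah_icv),
        "esp_nat": receiver_accepts(forward_through_nat(sent, public), esp, esp_icv),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

Two things worth noting from the model: ESP with an authentication algorithm still integrity-protects its own header and payload, so "ESP only" gives up AH's coverage of the outer IP header rather than integrity altogether; and the usual fix for this topology is NAT traversal (UDP encapsulation of ESP, RFC 3948) where both IKE implementations support it.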



man 5 passwd fix

2005-08-02 Thread Will H. Backman
I'm not sure how to fix it, but...
Looking at "man 5 passwd", each field is bold in the narrative
description except for the paragraph that explains the home_dir.  I'm
using 3.7.



Re: man 5 passwd fix

2005-08-02 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Jason McIntyre
> Sent: Tuesday, August 02, 2005 12:36 PM
> To: misc@openbsd.org
> Subject: Re: man 5 passwd fix
> 
> On Tue, Aug 02, 2005 at 10:00:45AM -0400, Will H. Backman wrote:
> > I'm not sure how to fix it, but...
> > Looking at "man 5 passwd", each field is bold in the narrative
> > description except for the paragraph that explains the home_dir.  I'm
> > using 3.7.
> > --
> 
> which bit exactly do you think should be marked up, and why? i don't
> see what you mean...
> 
> jmc

There are paragraphs that describe the list of fields, such as:
The GROUP field is the group that the user will
The CLASS field is used by login(1) and other programs...
The CHANGE field is the number in seconds...
The EXPIRE field is the number in seconds...
The GECOS field normally contains...
The users home directory is the full...
The SHELL field is the command interpreter the...

I've put in all caps what shows up as bold on my screen.  Notice that
the paragraph that describes the home_dir field doesn't have HOME in
bold.  I was looking for some particulars about the home field (for
chroot purposes) and my eye skipped right past that one because I was
following bold keywords.  This is not a real problem, but I thought it
might help the usability of the man page. 



Re: Ammunition needed to defend OpenBSD/pf

2005-08-03 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Rod.. Whitworth
> Sent: Tuesday, August 02, 2005 9:04 PM
> To: Miscellaneous OBSD
> Subject: Ammunition needed to defend OpenBSD/pf
> 
> Somebody sent me a query asking for a justification for my proposal to
> supply a firewall/router using OpenBSD when there was thsi device:
> http://www.dlink.com/products/?pid=327 , with all its claimed bells and
> whistles.
> 
> Anybody know what, if anything, it does that an OBSD solution doesn't/
> cannot, that may be important?
> 
> Or alternatively the reverse.

Many of these devices provide the "what if I get hit by a bus"
protection of a simple, single purpose system.  If you use something
like OpenBSD, it can be viewed as a homegrown application that must be
supported by the organization, and that depends on the individual who
set it up.  You don't need to know how to use vi to modify the firewall
settings on one of those dlink devices.

I'm not saying that a dumb, web configurable device is better.  I've
seen too many point and click firewalls that were setup incorrectly by
someone who didn't know what they were doing.  Emacs and vi make sure a
total idiot cannot change your firewall settings.

I have had a $2500 point and click firewall die on me, and the support
contract does me no good during the wait for the next day shipment.  I
replaced it with a PC and free software until the new unit showed up.

If your business, not you, has the skills to manage OpenBSD, then do it.



Re: login group for users should be?

2005-08-05 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Tim
> Sent: Friday, August 05, 2005 7:22 AM
> To: misc@openbsd.org
> Subject: login group for users should be?
> 
> When creating a user I am wondering what is
> recommended when assigning a login group to the user.
> 
> There are to alternatives, giving the user unique
> login group (same as his name) or giving the user a
> general login group such as users.
> 
> What do you recommend?
> 
> Thanks.

Not to support one or the other, but some discussion of the user private
group:
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html

This is not the traditional default in BSD systems.



Re: Requesting an change in the installer

2005-08-05 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Bernd Schoeller
> Sent: Friday, August 05, 2005 9:15 AM
> To: misc@openbsd.org
> Subject: Re: Requesting an change in the installer
> 
> On Fri, Aug 05, 2005 at 03:00:25PM +0200, [EMAIL PROTECTED] wrote:
> > [...]
> > Quoting Bernd Schoeller <[EMAIL PROTECTED]>:
> > >   - call the single user kernel /bsd.sp
> > >   - add a hard link from /bsd.sp to /bsd
> > >   - add a description to 'man afterboot' for changing the default
> > > kernel by doing 'rm /bsd && ln /bsd.mp /bsd'
> > [...]
> >
> > I disagree the hardlink, since it would change bsd.* after using
> 'config'.
> 
> Different opinions here: I my view 'config -ef /bsd' should change the
> configuration of the current kernel, which is /bsd.sp on a single
> processor machine and /bsd.mp on a multi processor machine. Switch
> back and forth between the two kernels should not delete your
> configuration for the kernel.
> 
> Bernd

If some consensus is reached on this, perhaps it is time to update the
FAQs to reflect best practices in the MP world.



Re: Major Surprise with xdm on 3.7

2005-08-11 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Dave Feustel
> Sent: Thursday, August 11, 2005 12:52 PM
> To: misc@openbsd.org
> Subject: Major Surprise with xdm on 3.7
> 
> I just discovered that even though xdm is running,
> terminals C[0-3] are running in character mode
> ie. if, while logged in via xdm, I enter ctl-alt-F[0-3],
> I get a tty login!!!
> And if, alfter logging in to one of those tty screens,
> I atempt to start KDE, I am informed that I can't
> because the x server is already running.
> 
> How do I get xdm to handle all console logins?
> 
> Thanks,
> Dave Feustel

The virtual consoles emulate a bunch of the old dumb terminals that
would be attached to a Unix machine.  Unix is multi-user.  Having extra
consoles is really a good thing.  If you manage to lock up your session,
you always have another terminal you can switch to for fixing things.
You don't want xdm to be the only gateway into the machine, as it may
get messed up.



Re: Major Surprise with xdm on 3.7

2005-08-11 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Wijnand Wiersma
> Sent: Thursday, August 11, 2005 2:05 PM
> To: misc
> Subject: Re: Major Surprise with xdm on 3.7
> 
> I never tried it in OpenBSD, but usually when I already have logged in
> graphically I can go to a console, type X :1 -query localhost and get
> another xdm login screen.
> 
> Wijnand

I have heard that OpenGL stuff doesn't like this, so while you can get
multiple desktops on different virtual consoles, you won't have an equal
experience on them.



Re: binpatch

2005-08-16 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Gaby vanhegan
> Sent: Tuesday, August 16, 2005 9:49 AM
> To: misc@openbsd.org
> Subject: Re: binpatch
> 
> On 16 Aug 2005, at 14:04, Rico wrote:
> 
> > tepatche is good.
> 
> It doesn't look like it's been updated since 2003.  Are there any
> more recent tools?  Does anyone else have any good/bad experiences
> with tepatche?
> 
> Gaby
> 

I think that you should just document a repeatable manual procedure to
patch the base system, ports, and packages.



The Care and Feeding of OpenBSD

2005-08-16 Thread Will H. Backman
I'm looking for comments on the care and feeding of OpenBSD servers.
Essentially a "best practices" document for maintaining OpenBSD
production servers.  Yes, "best" is a stupid way to describe anything,
but I'm hoping that there is some consensus in the community.

1. Change Management:  Many changes are logged by the daily insecurity
report, but not all.  Perhaps altroot can help with backing out changes.
Does anyone have experience with cfengine on OpenBSD?

2. Disaster Recovery:  Dump and Restore, or make a tar file for use as
an install set?

3. Tracking Stable:  I'm assuming that production servers should follow
stable patch branch.  Perhaps use a make file to automate these steps?
Check out src, XF4, ports.  What if XF4 was not chosen at install and
not needed?  How do we know if we need to rebuild kernel and reboot or
not?  Reboots should be minimized.  Upgrading packages now easier with
new pkg options, but how do you know when packages are updated?

4. Version Upgrades: This will usually happen once a year given the life
cycle of OpenBSD.  As far as I can tell, the best practice is to read
the upgrade FAQ that comes out with each release, and in general fresh
install with hand merging of old config files is preferred.




Re: The Care and Feeding of OpenBSD

2005-08-16 Thread Will H. Backman
> > 4. Version Upgrades: This will usually happen once a year given the life
> > cycle of OpenBSD.  As far as I can tell, the best practice is to read
> > the upgrade FAQ that comes out with each release, and in general fresh
> > install with hand merging of old config files is preferred.
> 
> FAQ 1.7. - "The OpenBSD team makes a new release every six months, with
> target release dates in May and November. "
> 

Sorry, I should have been more specific.  Yes, OpenBSD produces a new
release more often, but many people don't want to upgrade until support
ends for their release.  Given the length of support for any particular
release, one can expect to be at least upgrading every year.



Re: The Care and Feeding of OpenBSD

2005-08-17 Thread Will H. Backman
> I have the following line in my crontab '(/usr/src/ && cvs -q update -PAd
> -rOPENBSD_3_7)'  If there are any updates, cron will email them to you
> (cron automatically emails any output to the user that owns the cron job, so
> setup your aliases and optionally your .forward file)
> 

I'm curious about the cvs options, specifically the -A.  The FAQ's don't
use it in their examples.  Is the -A flag preferred?  I can see why it
might be according to the cvs man page.



Re: The Care and Feeding of OpenBSD

2005-08-17 Thread Will H. Backman
> -Original Message-
> From: Timothy Donahue [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 17, 2005 10:08 AM
> To: Will H. Backman
> Cc: misc@openbsd.org
> Subject: Re: The Care and Feeding of OpenBSD
> 
> On Wednesday 17 August 2005 09:48 am, Will H. Backman wrote:
> > > I have the following line in my crontab '(/usr/src/ && cvs -q update -PAd
> > > -rOPENBSD_3_7)'  If there are any updates, cron will email them to you
> > > (cron automatically emails any output to the user that owns the cron job, so
> > > setup your aliases and optionally your .forward file)
> >
> > I'm curious about the cvs options, specifically the -A.  The FAQ's don't
> > use it in their examples.  Is the -A flag preferred?  I can see why it
> > might be according to the cvs man page.
> 
> The -A option resets any tags, so you have to remember to specify the revision
> each time you run CVS.  It is found in the section for the update command.
> 
> Tim Donahue

Ok.  I was looking at http://www.openbsd.org/anoncvs.html#EXAMPLE



Re: 8/13 snapshot and DHCP

2005-08-17 Thread Will H. Backman
> I successfully installed the 8/16 snapshot at the office (which uses a
> different DHCP server) and dhclient acquires a lease with no problem.
> However, at home (using a Linksys router as the DHCP server), dhclient
> fails to get a lease.  As noted earlier, dhclient from 3.7 works fine at
> both locations.
> 
> There's nothing suspicious in /etc/dhclient.conf or
> /var/db/dhclient.leases.wi0.  I'm at a loss as to how to help debug this.
> 
> Any suggestions?
> 
> Thanks,
> Emmett "Buddy" Pate

Maybe "tcpdump -X -iem0" on the interface during dhcp requests. Change
the em0 to whatever your interface is.



Re: The Care and Feeding of OpenBSD

2005-08-17 Thread Will H. Backman
> > 2. Disaster Recovery:  Dump and Restore, or make a tar file for use as
> > an install set?
> 
> make a release for every upgrade (-stable) you do, add your packages
> to sitexx.tgz. backup your data and config files regularly.
> 
> 
OK.  Looking at the release(8) man page...yikes!  Is this really the
best way to start backing up an OpenBSD system?



Success with LinksysWPC11 v4 PCMCIA Wireless

2005-08-17 Thread Will H. Backman
Just wanted to write in about success with the Linksys WPC11 v4 PCMCIA
Wireless B card.  These were on sale at Staples for $5 USD.
Plugged it in to a 3.7 release i386 laptop.  Detected as rtw0.
Set it for dhcp to connect to an unsecured network.
Worked like a charm.
Thanks OpenBSD.




Re: The Care and Feeding of OpenBSD

2005-08-17 Thread Will H. Backman
> Best... Who quantifies what makes the "best" backup system.  I gave you one
> option which will rapidly get your system running after something like a HD
> failure or a fat-fingered 'rm -rf /*' instead of 'rm -rf ./*'.

Sorry.  I shouldn't have used the word "Best".  What I am looking to do
with this thread is to bring out some working options from the OpenBSD
community and perhaps find some consensus around a simple and robust way
to maintain OpenBSD systems.  In the end, I'd like to produce a simple
list of steps that anyone can follow, based on tools in the base system.



Re: The Care and Feeding of OpenBSD

2005-08-17 Thread Will H. Backman
> > list of steps that anyone can follow, based on tools in the base system.
> 
> like, reading the dump and restore manpages?
> 

Do you use dump and restore, or are you just giving an example?

What about partition table backup?



Re: The Care and Feeding of OpenBSD

2005-08-17 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Matthias Kilian
> Sent: Wednesday, August 17, 2005 4:18 PM
> To: misc@openbsd.org
> Subject: Re: The Care and Feeding of OpenBSD
> 
> On Wed, Aug 17, 2005 at 03:25:56PM -0400, Will H. Backman wrote:
> > > like, reading the dump and restore manpages?
> > >
> >
> > Do you use dump and restore, or are you just giving and example?
> 
> Can't speak for Henning, but I use dump(8) and restore(8) at home,
> on a server I rented from Strato, and for some boxes at our customer
> (the latter running linux).
> 
> Depending on hardware and infrastructure, you can dump(8) to tape,
> to a separate disk (that's not very safe, though), to a remote
> machine via ssh, or to an ftp server. I do this all day from
> /etc/daily.local or via a separate cronjob, and I never had any
> problems, even when dumping mounted filesystems.
> 
> IMHO, one of the neat things in dump(8) and restore(8) is that you
> get an file listing really fast in contrast to backups based on
> tar(1), where you have to read the *complete* archive.
> 
> 
> > What about partition table backup?
> 
> Why? If you have some files removed or destroyed by accident, you
> don't need the partition table for a restore. If one of your disks
> is damaged, you get a new one and have to use fdisk(8) and disklabel(8)
> anyways, and the labels of all mounted disks are in /var/backups,
> i.e. at least on the archive of your last full dump.
> 
> Ciao,
>   Kili

I want to thank people for their input so far.  Here is what I have so
far:

Seems like the FAQ http://www.openbsd.org/faq/faq14.html#Backup gives a
good script for basic system backup and restore.

As for change management, it looks like adding files to /etc/changelist
might work fairly well for starters.

Tracking stable seems to be a matter of unpacking the source and then
keeping up to date using cron job to fetch through anoncvs.  Because
there might be some confusion about the need to reboot after building
updates, reboot just in case.  A generic plan would assume that src,
XF4, and ports are all part of the picture.  Packages can now be updated
instead of removed and re-installed thanks to new pkg_add options,
although config files might still need hand merging.

Release upgrades should be done at every release through the upgrade
option during the install, merge config files by hand.  Special cases
may require fresh install, so read the release notes first.
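The change-management step above (keep a copy of each important file and report what differs) is what the daily security(8) run does for the files named in /etc/changelist, with the previous copies kept under /var/backups. As an added illustration of that mechanism, not OpenBSD's own script, here is a small Python equivalent: snapshot() records a hash and the content of each watched file, compare() reports additions, removals and a unified diff for anything changed, and demo() exercises it on constructed files in a temporary directory.

```python
import difflib
import hashlib
import os
import tempfile


def snapshot(paths):
    """Record sha256 and content for every watched file that exists.

    Missing files are simply absent from the result, so a path present in
    an older snapshot but not a newer one means the file was removed.
    """
    snap = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            continue
        snap[path] = (hashlib.sha256(data).hexdigest(), data)
    return snap


def compare(previous, current):
    """Return a list of (path, status, diff_text) sorted by path.

    status is 'added', 'removed' or 'changed'; diff_text is a unified diff
    for changed files and empty otherwise.  Unchanged files are not listed,
    which keeps the daily report quiet when nothing happened.
    """
    report = []
    for path in sorted(set(previous) | set(current)):
        if path not in previous:
            report.append((path, "added", ""))
        elif path not in current:
            report.append((path, "removed", ""))
        elif previous[path][0] != current[path][0]:
            diff = difflib.unified_diff(
                previous[path][1].decode(errors="replace").splitlines(keepends=True),
                current[path][1].decode(errors="replace").splitlines(keepends=True),
                fromfile=path + ".backup",
                tofile=path + ".current",
            )
            report.append((path, "changed", "".join(diff)))
    return report


def demo():
    """Constructed scenario: one file edited, one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        pf = os.path.join(tmp, "pf.conf")
        sudoers = os.path.join(tmp, "sudoers")
        hosts = os.path.join(tmp, "hosts")
        watched = [pf, sudoers, hosts]  # stands in for the /etc/changelist entries

        with open(pf, "w") as fh:
            fh.write("block in all\npass out all\n")
        with open(sudoers, "w") as fh:
            fh.write("%wheel ALL=(ALL) ALL\n")
        before = snapshot(watched)

        # the "day's" changes: a pass rule appears, sudoers vanishes, hosts is new
        with open(pf, "w") as fh:
            fh.write("block in all\npass in quick proto tcp to port 22\npass out all\n")
        os.remove(sudoers)
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        after = snapshot(watched)

        report = compare(before, after)
        return {
            "statuses": {os.path.basename(p): status for p, status, _ in report},
            "pf_diff": next(text for p, _, text in report if p == pf),
        }


if __name__ == "__main__":
    result = demo()
    for name, status in result["statuses"].items():
        print(f"{name}: {status}")
    print(result["pf_diff"], end="")
```

Run daily from cron, a report like this is only useful if someone reads it, which is the same caveat that applies to the stock insecurity mail; the hash comparison is what keeps it cheap enough to run everywhere.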



Re: My OpenBSD system cannot load any shared object anymore!!!

2005-08-22 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Joco Salvatti
> Sent: Monday, August 22, 2005 9:37 AM
> To: Misc OpenBSD
> Subject: My OpenBSD system cannot load any shared object anymore!!!
> 
> Hi all,
> 
> I was trying to emulate linux binaries under my OpenBSD system 3.7, but I
> believe I made a mistake. My OpenBSD system cannot load any shared object
> anymore. Anything I try to run, the system can't load the shared object to
> which it's linked. I thought that restarting the system the problem would
> be
> solved, but it got wrost. It doesn't start ttys anymore, doesn't ask for
> login,
> the system is a mess.
> Is there anyway to solve this problem, or is it only the case of a new
> install?
> 
> Thanks.
> 
> --
> Joco Salvatti
> Undergraduating in Computer Science
> Federal University of Para - UFPA
> web: http://salvatti.expert.com.br
> e-mail: [EMAIL PROTECTED]

Before you get all the angry replies, I thought I would give you a nice one:

Please include the commands you typed and any specific error messages.



problem with rtw in hostap mode

2005-08-22 Thread Will H. Backman
I'm having trouble with a Linksys WPC11v4 card in hostap mode.
I've set it up using the example in the rtw man page for hostap.
I have to ifconfig down and up a lot to keep it working, and it looks
like there are some kernel error messages at the end.

OpenBSD 3.8-beta (GENERIC) #111: Sun Aug 21 18:44:56 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 234 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 133734400 (130600K)
avail mem = 115408896 (112704K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 11/07/01, BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, estimated 4:07 hours
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb940/112 (5 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371 ISA and IDE" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX" rev 0x02
vga1 at pci0 dev 2 function 0 "Neomagic Magicgraph NM2160" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cbb0 at pci0 dev 3 function 0 "Texas Instruments PCI1131 CardBus" rev 0x01: irq 11
cbb1 at pci0 dev 3 function 1 "Texas Instruments PCI1131 CardBus" rev 0x01: irq 11
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x01
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 4126MB, 8452080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power" rev 0x01 at pci0 dev 7 function 3 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 2 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.02
midi0 at sb0: 
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: 
pcppi0 at isa0 port 0x61
midi2 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom2: irq 5 already in use
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ef4d netmask ef4d ttymask ffcf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
rtw0 at cardbus0 dev 0 function 0 "Realtek, Rtl8139, \M^?\M^?" irq 11
rtw0: ver RTL8180F, radio MAX2820, amp MAX2422, address 00:13:10:66:c8:f5
ep1 at pcmcia1 function 0 "3Com Corporation, 3C589D, TP/BNC LAN Card Ver. 2a" port 0xa000/16: address 00:60:97:91:1a:3b, utp/aui/bnc (default utp)
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
rtw0: transmit timeout, priority 1
rtw0: transmit timeout, priority 1
rtw0: transmit timeout, priority 1
Data modified on freelist: word 4 of object 0xd0a08100 size 0xac previous type devbuf (0xdeadbeee != 0xdeadbeef)
rtw0: transmit timeout, priority 1
rtw0: transmit timeout, priority 1
Data modified on freelist: word 4 of object 0xd09d2a00 size 0xc0 previous type devbuf (0xdeadbeee != 0xdeadbeef)
Data modified on freelist: word 4 of object 0xd0a08100 size 0x100 previous type devbuf (0xdeadbeee != 0xdeadbeef)
Data modified on freelist: word 4 of object 0xd0a31900 size 0x100 previous type devbuf (0xdeadbeee != 0xdeadbeef)

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: problem with rtw in hostap mode

2005-08-22 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
> Will H. Backman
> Sent: Monday, August 22, 2005 1:06 PM
> To: Misc OpenBSD
> Subject: problem with rtw in hostap mode
> Data modified on freelist: word 4 of object 0xd09d2a00 size 0xc0
> previous type devbuf (0xdeadbeee != 0xdeadbeef) Data modified on
> freelist: word 4 of object 0xd0a08100 size 0x100 previous type devbuf
> (0xdeadbeee != 0xdeadbeef) Data modified on freelist: word 4 of object
> 0xd0a31900 size 0x100 previous type devbuf (0xdeadbeee != 0xdeadbeef)
> 
> --
> Will Backman - Network Administrator
> Coastal Enterprises, Inc.
> http://www.ceimaine.org

Kinda funny how the hex worked out: (0xdeadbeee != 0xdeadbeef)
Perhaps I'm the only one that sees humor in that.



Re: 3.8 beta requests

2005-08-22 Thread Will H. Backman
>-Original Message-
>From: [EMAIL PROTECTED] on behalf of Theo de Raadt
>Sent: Mon 8/22/2005 7:33 PM
>To: [EMAIL PROTECTED]
>Subject: 3.8 beta requests
>
>We are heading towards making the real 3.8 release soonish.  I would
>like to ask the community to do lots of testing over the next week if
>they can.

What is the best way to test?  Should we be downloading snapshots daily?



Re: problem with rtw in hostap mode

2005-08-23 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
> Will H. Backman
> Sent: Monday, August 22, 2005 2:33 PM
> To: Misc OpenBSD
> Subject: Re: problem with rtw in hostap mode
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf
> Of
> > Will H. Backman
> > Sent: Monday, August 22, 2005 1:06 PM
> > To: Misc OpenBSD
> > Subject: problem with rtw in hostap mode
> > Data modified on freelist: word 4 of object 0xd09d2a00 size 0xc0
> > previous type devbuf (0xdeadbeee != 0xdeadbeef) Data modified on
> > freelist: word 4 of object 0xd0a08100 size 0x100 previous type
devbuf
> > (0xdeadbeee != 0xdeadbeef) Data modified on freelist: word 4 of
object
> > 0xd0a31900 size 0x100 previous type devbuf (0xdeadbeee !=
0xdeadbeef)
> >
> > --
> > Will Backman - Network Administrator
> > Coastal Enterprises, Inc.
> > http://www.ceimaine.org
> 
> Kinda funny how the hex worked out: (0xdeadbeee != 0xdeadbeef)
> Perhaps I'm the only one that sees humor it that.

Hmmm...Looking at the man page for rtw, I noticed that the example WEP
key looks very similar to the error messages that I got.  Is something
hard-coded in there?
I wasn't using WEP.

The following hostname.if(5) example configures rtw0 to join whatever
network is available on boot, using WEP key ``0x1deadbeef1'', channel
11, obtaining an IP address using DHCP:
dhcp NONE NONE NONE nwkey 0x1deadbeef1 chan 11



Re: Complete disk disaster

2005-08-23 Thread Will H. Backman
Most drives keep track of errors and are able to warn you of trouble
before they fail completely.  SMART is not always reliable, but should
warn you of coming problems.
See the atactl man page.



/usr/share/pf/ suggestion

2005-08-23 Thread Will H. Backman
Would it be useful to add an example pf rule set for just a simple host?
All of the examples assume a router.

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: /usr/share/pf/ suggestion

2005-08-23 Thread Will H. Backman
> -Original Message-
> From: j knight [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 23, 2005 4:47 PM
> To: Will H. Backman
> Subject: Re: /usr/share/pf/ suggestion
> 
> --- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400:
> 
> > Would it be useful to add an example pf rule set for just a simple
host?
> > All of the examples assume a router.
> >
> 
> This would be more useful in the faq. Please send what you've written.
> 
> :-)
> 
> 
> 
> .joel

# pf rules for a stand alone machine.

# Change external interface to match yours (not referenced by the
# rules below; defined for any host-specific "pass in" rules you add)
ext_if=xl0

# Normalize all incoming packets
scrub in all

# Default deny: drop everything coming in
block in all

# Allow everything going out and keep state so the replies get back in
pass out keep state

# Never filter the loopback interface
pass quick on lo all



Re: /usr/share/pf/ suggestion

2005-08-23 Thread Will H. Backman
> -Original Message-
> From: Jason Crawford [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 23, 2005 5:25 PM
> To: Will H. Backman
> Cc: j knight; Misc OpenBSD
> Subject: Re: /usr/share/pf/ suggestion
> 
> On 8/23/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > > -Original Message-
> > > From: j knight [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, August 23, 2005 4:47 PM
> > > To: Will H. Backman
> > > Subject: Re: /usr/share/pf/ suggestion
> > >
> > > --- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400:
> > >
> > > > Would it be useful to add an example pf rule set for just a
simple
> > host?
> > > > All of the examples assume a router.
> > > >
> > >
> > > This would be more useful in the faq. Please send what you've
written.
> > >
> > > :-)
> > >
> > >
> > >
> > > .joel
> >
> > # pf rules for a stand alone machine.
> >
> > #Change external interface to match yours
> > ext_if=xl0
> >
> > scrub in all
> >
> > block in all
> >
> > pass out keep state
> >
> > pass quick on lo all
> >
> 
> First off, it should be, set skip on lo0 (or lo, but by default
> there's only one lo interface anyways). Secondly, it seems pretty
> pointless to set up pf on a single host. Instead of worrying about the
> firewall, which takes up more memory and cpu and all that, just shut
> off services that you don't need and be done with it. If the attacker
> can hurt your OpenBSD machine, then your firewall is vulnerable as
> well, and it won't protect any applications that need open ports
> listening. Turning off services is always much better than turning on
> services (pf) if you need protection. And the way OpenBSD is set up by
> default, nothing is listening except a couple of inetd services (which I
> always turn off), and sshd if you said y in install, that's it.
> 
> Jason

I agree in general, but then start adding the gnome or kde desktop or
other applications and you never know what is listening.



Re: /usr/share/pf/ suggestion

2005-08-23 Thread Will H. Backman
> -Original Message-
> From: Theo de Raadt [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 23, 2005 6:53 PM
> To: Jason Crawford
> Cc: Will H. Backman; j knight; Misc OpenBSD
> Subject: Re: /usr/share/pf/ suggestion
> 
> > > Your statements are beyond ridiculous.  You are saying "If you need
> > > to filter it, you should not be running it".
> >
> > X doesn't have to listen on TCP 6000, you can set up a unix socket, and
> > it's no longer reachable from the network, and you still have full
> > functionality (I know, I do just that).
> 
> And I don't have the TIME OF DAY to do that, it is EASIER to filter!
> 
> AND IT USES LESS PROCESSOR!
> 
> AND IT USES LESS MEMORY!
> 
> > There's more than one way to
> > do anything. If something needs to only be locally accessible, only
> > have it listen locally, or use unix sockets instead of tcp/udp sockets
> > completely.
> 
> No, that is not what you said:  You did not say "there are many ways
> to do this".
> 
> Instead, you very specifically suggested that people NOT filter using
> the packet filter, but to instead configure applications, or to NOT
> run the servers in those locations then.
> 
> And THAT is what is utterly ridiculous.
> 
> It is plain simple bad advice.  And totally ridiculous.
> 
> You're wrong.  People should run packet filters wherever they want,
> since in many cases it is EASIER than thousands of lines of later
> code running and having a pre-authentication bug.
> 
> Telling people to go tune their applications, tune tune tune tune,
> that is the mantra of Linux people who then run out of time and
> expertise, and then leave their machines open.
> 
> People will NOT avoid running kde which opens half a thousand stupid
> ports, and they will NOT go and learn to configure those applications
> with a thousand buttons, because they don't have the TIME OF DAY to
> follow your ridiculous "push more buttons you don't know" advice.
> 
> You're wrong.  Everyone -- run pf wherever you find it easier.

(Crawling out of my protective hole)
So does it make sense to include a basic pf rule set for a basic
end-user host that blocks everything by default?
I've done it using the example I gave.  Don't know if my way has some
errors or not.



Re: /usr/share/pf/ suggestion

2005-08-24 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
> Bryan Irvine
> Sent: Wednesday, August 24, 2005 10:11 AM
> To: Misc OpenBSD
> Subject: Re: /usr/share/pf/ suggestion
> 
> > I personally like to 'pass keep state' with a 'scrub all' rule. This
> > at least gives me some interesting statistics to poke at when I'm
> > bored. Plus, I can firewall who gets to ssh into my machine.
> 
> Another good use is {max-src-states ##} for webservers and the like.
> I have a webserver that would crash at 9am every morning when a few
> bots (2 in particular) would crawl the site.  They are poorly
> configured and open roughly 120 simultaneous connections.  They were
> very low bandwidth, but there went all available connections.
> 
> To quote Theo it's "Horse-shit" to say you don't need to filter single
> hosts.
> 
> --Bryan

What crashed?  Apache or OpenBSD?
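Pulling the thread's suggestions together (set skip on lo0 instead of a pass rule, default deny inbound, stateful outbound, a per-source state cap so a badly behaved crawler cannot eat the whole state table, and limiting which hosts may reach sshd), here is an added example pf.conf for a stand-alone host. It is not from any of the posts above; the interface name and the admin addresses are constructed placeholders.

```pf
# pf.conf for a stand-alone host that also runs a web server.
# Added example, not from the original thread.

ext_if = "xl0"                                # change to your interface
admin_hosts = "{ 192.0.2.10, 192.0.2.11 }"    # constructed example addresses

# Loopback is never filtered; cheaper than a pass rule and no state needed
set skip on lo0

# Normalize incoming packets
scrub in all

# Default deny inbound, allow everything outbound and keep state
block in all
pass out keep state

# Only the named admin hosts may reach sshd
pass in on $ext_if inet proto tcp from $admin_hosts to ($ext_if) port ssh \
    flags S/SA keep state

# Web server open to everyone, but no single source may hold more than
# 30 states at once, so a crawler opening 120 connections gets cut off
# instead of exhausting the connection table
pass in on $ext_if inet proto tcp to ($ext_if) port www \
    flags S/SA keep state (max-src-states 30)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -s states` to see the cap take effect.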



Re: 3.8 beta requests

2005-08-24 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
> Diana Eichert
> Sent: Wednesday, August 24, 2005 10:08 AM
> To: Miscellaneous OBSD
> Subject: Re: 3.8 beta requests
> 
> On Wed, 24 Aug 2005, Damien Miller wrote:
> 
> > Remember that most of the developers run -current throughout the
> > development cycle (often in production).
> >
> > -d
> 
> and Theo gets really pissed off when someone breaks the tree so it won't
> compile and/or the change creates dysfunction in other parts of the
> system, just read some of Theo's comments in the CVS list sometime.
> 
> g.day

In the end, quality control happens through selfish testing.  The
OpenBSD community doesn't evenly divide up the things to test.  People
test their own setups.  I'm not concerned with making OpenBSD stable.
I'm concerned with making i386 OpenBSD running Mambo stable.  The
wonderful thing about a participatory development process is that
everyone's overlapping needs generally test the system fairly well.

The real problem is people who encounter a problem and fail to report
it.  They just think "this is crap" and go on to something else.



Re: stupid wifi question

2005-08-24 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
> slack _usr
> Sent: Wednesday, August 24, 2005 10:41 AM
> To: misc@openbsd.org
> Subject: stupid wifi question
> 
> Hi everyone,
> 
> First of all, I'm sorry for such a stupid question. I know that I need
> a few details, but I can't figure out what they are. I'm playing with
> an Intel(r) PRO/Wireless2200BG wifi card and its configuration. I have
> found different descriptions for the /etc/dhclient.conf file. I have
> read the "iwi" manual.  There are different options (or maybe only
> different names for the same option). I'm a newbie in wifi networks. But
> on the other system, a machine with windows and netstumbler, I found
> these wifi network settings:
> 
> SSID: sessionid
> Network Authentification: Open
> Data Encryption: Wep
> Network key: 1011121311 (0x1011121311)
> 
> The sessionid is changed only for anonymity purposes.
> 
> So. In OpenBSD 3.7 stable iwi0 is working, but I can't associate with
> the access point.
> I need to use dhcp (em0 is working perfectly). Now I'm trying to use
> the following /etc/dhclient.conf configuration:
> 
> initial-interval 1;
> send host-name "thinkpad";
> request subnet-mask, broadcast-address, routers, domain-name,
> domain-name-servers, host-name;
> interface "iwi0" {
>  media "ssid sessionid wepkey 0x1011121311";
> }
> 
> And when I try to use:
> #dhclient iwi0
> I get the following errors:
> Trying medium "ssid sessionid wepkey 0x1011121311" 1
> DHCPDISCOVER on iwi0 to 255.255.255.255 port 67 interval 2
> send_packet: Network is down
> 
> I get this in a cycle with different intervals (" 255.255.255.255 port
> 67 interval 2", " 255.255.255.255 port 67 interval 3",  "
> 255.255.255.255 port 67 interval 7").
> 
> What are the differences between "wepkey" and "nwkey" mentioned on the iwi
> driver developer page
> (http://damien.bergamini.free.fr/ipw/ipw-openbsd.html)?
> On the same page there is a good description, but only for static
> configurations. So if I've understood everything correctly, I need to
> use the /etc/dhclient.conf file for configuration. But I'm stuck there.
> Please give me any advice or a link.
> 
> Thanks for your patience, and sorry for my English.
> 
> Regards,
> 
> --
> Slack is GOOD. OBSD better.

I think you should be putting your settings in /etc/hostname.iwi0
See "man iwi" for examples.



3.8 snapshot laptop sleep issues

2005-08-24 Thread Will H. Backman
Running today's snapshot on an old laptop (Dell Latitude PPL), and I put
the cover down to see if it would go to sleep and wake up properly.
After it went to sleep, I opened the laptop back up, and it started to
come back alive, but the screen stayed blank.
I couldn't switch virtual consoles.  Reset the machine.  Nothing odd
showed up in the logs, except that wd0 was not properly unmounted.
Any way to start debugging this? 

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: 3.8 snapshot laptop sleep issues

2005-08-24 Thread Will H. Backman
> -Original Message-
> From: Dave Feustel [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 24, 2005 2:29 PM
> To: Will H. Backman
> Cc: misc@openbsd.org
> Subject: Re: 3.8 snapshot laptop sleep issues
> 
> On Wednesday 24 August 2005 12:31, Will H. Backman wrote:
> > Running today's snapshot on an old laptop (Dell Latitude PPL), and I
put
> > the cover down to see if it would go to sleep and wake up properly.
> > After it went to sleep, I opened the laptop back up, and it started
to
> > come back alive, but the screen stayed blank.
> > I couldn't switch virtual consoles.  Reset the machine.  Nothing odd
> > showed up in the logs, except that wd0 was not properly unmounted.
> > Any way to start debugging this?
> >
> > --
> > Will Backman - Network Administrator
> > Coastal Enterprises, Inc.
> > http://www.ceimaine.org
> 
> Did you try pushing the on/off switch for 5 seconds?
> That will turn the laptop off unconditionally
> and you can turn it back on for a reboot.
> 
> --
> Tired of having to defend against Malware?
> (You know: trojans, viruses, SPYWARE, ADWARE,
> KEYLOGGERS, rootkits, worms and popups)
> Then Switch to OpenBSD with a KDE desktop!!!

My problem was not with trying to reboot.  My problem was that the
system didn't log anything in dmesg or syslog.  I didn't even see any
traces that it had gone to sleep in the logs.  When the laptop woke up,
the network cards also woke up.  It was just that the screen was blank.
I didn't know if there were any other places to look for logs or other
error messages.



package installation script hints

2005-08-24 Thread Will H. Backman
I'm looking for hints and criticism for a package installation script.
I do a full install, and then install a set of packages.
To get the list of packages to install on another machine, I just
grabbed a directory listing from /var/db/pkg, put them in my script, and
then run that script on a fresh machine.
Questions:
1. Packages get installed in a sub-optimal order.  Quite often one
package on the list will have already been installed as a dependency.  I
think my script downloads the redundant package before deciding that it
was already installed.  Good ways to stop that?
2. Any way to wild-card the package version numbers?  I'd like to be
able to get the most recent version.

Here is the script:
#!/bin/sh

# Please change this to a local mirror
GETME="ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/"

# Package names to install, one per line (taken from /var/db/pkg on
# the reference machine)
packages=$(cat << EOF
ORBit2-2.12.2
atk-1.10.1
bzip2-1.0.3
cdparanoia-3.a9.8
control-center2-2.10.1
desktop-file-utils-0.10p0
docbook-4.2p1
docbook-dsssl-1.72
eel-2.10.1
epiphany-1.4.8
esound-0.2.34
gail-1.8.4
gconf2-2.10.0
gettext-0.10.40p3
glib2-2.6.4
gnome-applets2-2.10.1p0
gnome-desktop-2.10.1
gnome-icon-theme-2.10.1
gnome-keyring-0.4.2
gnome-menus-2.10.1
gnome-mime-data-2.4.2
gnome-panel-2.10.1p0
gnome-session-2.10.0
gnome-terminal-2.10.0
gnome-themes-2.10.1
gnome-utils-2.10.1p0
gnome-vfs2-2.10.1
gstreamer-0.8.10
gstreamer-plugins-0.8.8p0
gtk+2-2.6.9
gtk-engines2-2.6.3p0
hicolor-icon-theme-0.5
iso8879-1986
jpeg-6bp2
libIDL-0.8.5
libart-2.3.17
libaudiofile-0.2.6
libbonobo-2.8.1
libbonoboui-2.8.1
libgcrypt-1.2.0
libglade2-2.5.1
libgnome-2.10.0
libgnomecanvas-2.10.1
libgnomeprint-2.10.3
libgnomeprintui-2.10.2
libgnomeui-2.10.0
libgpg-error-0.7
libgsf-1.11.1p0
libgtkhtml-2.6.3
libgtop2-2.10.1
libiconv-1.9.2p1
librsvg-2.9.5p1
libwnck-2.10.0
libxklavier-2.0
libxml-2.6.16p5
libxslt-1.1.12p1
metacity-2.10.1
mozilla-1.7.8-gtk2
nautilus-2.10.1
pango-1.8.1
png-1.2.8
popt-1.7
scrollkeeper-0.3.14
shared-mime-info-0.15
startup-notification-0.8
tiff-3.7.3
vte-0.11.12
xscreensaver-4.21-no_gle
yelp-2.6.5
EOF
)
#packages=`ls /var/db/pkg`

# Fetch and install each package from the mirror, one pkg_add per package
for i in $packages
do
   full="$GETME$i.tgz"
   pkg_add -v "$full"
done

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: package installation script hints

2005-08-25 Thread Will H. Backman
> -Original Message-
> From: Marc Espie [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 24, 2005 6:43 PM
> To: Will H. Backman
> Cc: misc@openbsd.org
> Subject: Re: package installation script hints
> 
> On Wed, Aug 24, 2005 at 04:35:13PM -0400, Will H. Backman wrote:
> > 1. Packages get installed in a sub-optimal order.  Quite often one
> > package on the list will have already been installed as a
dependency.  I
> > think my script downloads the redundant package before deciding that
it
> > was already installed.  Good ways to stop that?
> 
> Put the full list in the single pkg_add you want to run, this will get
> sorted appropriately.
> 
> PKG_PATH=ftplocation pkg_add `cat pkglist`
> is about what you want.

Nice to see that pkg_add doesn't actually need the .tgz when PKG_PATH is
specified.  That reduces the need for a lot of my code.  Just "ls
/var/db/pkg > pkglist" and move that list to a new host and run pkg_add
`cat pkglist`, with PKG_PATH properly set of course.

Two more interesting things (assuming you found any of this
interesting).

1 - If the new host happens to have one of those packages installed,
perhaps because I stopped the installation of packages the first time,
then pkg_add will stop when it hits an already installed package.  I can
fix that with pkg_delete `ls /var/db/pkg` and start over, but perhaps
there is a better way?

2 - How is pkg_add -u working for people?



Re: 3.8 snapshot laptop sleep issues

2005-08-25 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
> Jan Johansson
> Sent: Thursday, August 25, 2005 12:34 AM
> To: Will H. Backman
> Cc: misc@openbsd.org
> Subject: Re: 3.8 snapshot laptop sleep issues
> 
> "Will H. Backman" <[EMAIL PROTECTED]> wrote:
> > Running today's snapshot on an old laptop (Dell Latitude PPL),
> > and I put the cover down to see if it would go to sleep and
> > wake up properly.  After it went to sleep, I opened the laptop
> > back up, and it started to come back alive, but the screen
> > stayed blank.  I couldn't switch virtual consoles.  Reset the
> > machine.  Nothing odd showed up in the logs, except that wd0
> > was not properly unmounted.  Any way to start debugging this?
> 
> This sounds like the common "X did not get the signal to wakeup
> problem".
> 
> You need apmd to use sleep mode with X, was it running?
> 
> Did you look at an X screen or an login terminal when you
> suspended?
> 
> Was the screen really black or was there a blinking _ in the top
> left corner?

I enabled apmd and now it works.  Thanks!



Re: How to configure bind to work under OpenBSD 3.7

2005-08-25 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Joco Salvatti
> Sent: Thursday, August 25, 2005 10:14 AM
> To: Misc OpenBSD
> Subject: How to configure bind to work under OpenBSD 3.7
> 
> HI all,
> 
> I'd like to know where I could find information about how to configure
> bind to work under OpenBSD 3.7. I've already searched the net, but the
> available documents are vacant. I've already looked at FAQ files, but I
> also couldn't find a thing.
> 
> Thanks.
> 
> --
> Joco Salvatti
> Undergraduating in Computer Science
> Federal University of Para - UFPA
> web: http://salvatti.expert.com.br
> e-mail: [EMAIL PROTECTED]

Just use the standard BIND documentation.



Re: package installation script hints

2005-08-26 Thread Will H. Backman
> > 2 - How is pkg_add -u working for people?
> 
> It works fine for me. I don't know about other people yet, you tell
me...

Aug 24 snapshot, trying just "pkg_add -u" causes it to say updating
package -> package for every single one of my installed packages, and it
then asks me to run pkg_add -r for every installed package.
Unfortunately, it is asking me to install the version that I already
have.



Re: package installation script hints

2005-08-26 Thread Will H. Backman
> -Original Message-
> From: Marc Espie [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 26, 2005 9:39 AM
> To: Will H. Backman
> Cc: misc@openbsd.org
> Subject: Re: package installation script hints
> 
> On Fri, Aug 26, 2005 at 09:28:04AM -0400, Will H. Backman wrote:
> > >
> > > > 2 - How is pkg_add -u working for people?
> > >
> > > It works fine for me. I don't know about other people yet, you
tell
> > me...
> >
> > Aug 24 snapshot, trying just "pkg_add -u" causes it to say updating
> > package -> package for every single one of my installed packages,
and it
> > then asks me to run pkg_add -r for every installed package.
> > Unfortunately, it is asking me to install the version that I already
> > have.
> 
> This is the expected behavior (for now).
> pkg_add -r will not reinstall a package unless its signature changed,
so
> you will end up only installing the package that actually changed.

Shouldn't it suggest what packages to update because of a newer version?



kernel: page fault trap

2005-08-26 Thread Will H. Backman
Running Aug 24 snapshot, kismet has been running fine many times over
the past day.
Now, just ran it and got the following:

Source 0 (dlink): Opening radiotap_bsd_b source interface rtw0...
uvm_fault(0xd0598480, 0xd0a25000, 0 1) -> e
kernel: page fault trap, code=0
Stopped at   strcmp+0xc:  movb 0(%eax),%cl
ddb>

Not sure what I should do to capture more info for developers.  I don't
want to reboot and give dmesg yet in case there are some ddb commands I
should run.

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: package installation script hints

2005-08-26 Thread Will H. Backman
> -Original Message-
> From: Marc Espie [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 26, 2005 11:31 AM
> To: Will H. Backman
> Cc: misc@openbsd.org
> Subject: Re: package installation script hints
> 
> On Fri, Aug 26, 2005 at 09:58:20AM -0400, Will H. Backman wrote:
> 
> > Shouldn't it suggest what packages to update because of a newer
version?
> 
> pkg_add -u doesn't have a notion of `newer version'. It stops at `this
is
> the package whose name most closely matches your existing package'.
> 
> It matches the current model of OpenBSD development, where you point
your
> PKG_PATH at a location that contains all the packages from a given
> release,
> with very few exceptions.
> 
> There is also the fact that the pkgname is not enough to identify the
> package
> completely. Specifically, packages may need to be updated when system
> libraries
> change.
> 
> All of this is known, and registered correctly.
> 
> pkg_add -u was under serious time constraints to get into OpenBSD 3.8.
> It is expected that the next version will be much less wasteful.
> 
> If you prefer, pkg_add -u in 3.8 is not at all perfect.
> 
> But having to figure out all package names for pkg_add -r by hand was
ways
> more cumbersome... ;)

Got it.  I was just looking at the man page, and noticed that it
mentioned this new feature and that it would need testing.  I'm hoping
to test it a lot, but I was unsure of the expected behavior.



Re: kernel: page fault trap

2005-08-26 Thread Will H. Backman
> -Original Message-
> From: Matthias Kilian [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 26, 2005 12:47 PM
> To: Will H. Backman
> Cc: misc@openbsd.org
> Subject: Re: kernel: page fault trap
> 
> On Fri, Aug 26, 2005 at 11:27:38AM -0400, Will H. Backman wrote:
> > Source 0 (dlink): Opening radiotap_bsd_b source interface rtw0...
> > Uvm_fault(0xd0598480, 0xd0a25000, 0 1) -> e
> > Kernel: page fault trap, code=0
> > Stopped at   strcmp+0xc:  movb 0(%eax),%cl
> > ddb>
> >
> > Not sure what I should do to capture more info for developers.  I
don't
> > want to reboot and give dmesg yet in case there are some ddb
commands I
> > should run.
> 
> At least ps and trace, maybe trace /u, too.

Copied by hand, so I hope there are no errors:

ddb> trace
strcmp(d0a0ea00,dac3de68,dac3dcf0,d0248032,dac3dd08) at strcmp+0xc
bpfioctl(1701,8020426c,dac3de68,3,d3bdf7b4) at bpfioctl+0x39a
spec_ioctl(dac3dd58,dac3de18,dac3dde0,d0242241,d3ba05b8) at spec_ioctl+0x40
spec_vnoperate(dac3dd58,30042,d3bef1e0,d3bdf7b4,d057ffc0) at spec_vnoperate+0x16
VOP_IOCTL(d3ba05b8,8020426c,dac3de68,3,d3bef1e0,d3bdf7b4,d3ba0638,d3bdf7b4) at VOP_IOCTL+0x40
vn_ioctl(d3bd32a0,8020426c,dac3de68,d3bdf7b4) at vn_ioctl+0xd0
sys_ioctl(d3bdf7b4,dac3ddf68,dac3df58,8813d055,26b) at sys_ioctl+0x122
syscall() at syscall+0x2ee
--- syscall (number 54) ---
0xcd830ad
ddb>



Re: kernel: page fault trap

2005-08-26 Thread Will H. Backman
> -Original Message-
> From: Matthias Kilian [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 26, 2005 12:47 PM
> To: Will H. Backman
> Cc: misc@openbsd.org
> Subject: Re: kernel: page fault trap
> 
> On Fri, Aug 26, 2005 at 11:27:38AM -0400, Will H. Backman wrote:
> > Source 0 (dlink): Opening radiotap_bsd_b source interface rtw0...
> > Uvm_fault(0xd0598480, 0xd0a25000, 0 1) -> e
> > Kernel: page fault trap, code=0
> > Stopped at   strcmp+0xc:  movb 0(%eax),%cl
> > ddb>
> >
> > Not sure what I should do to capture more info for developers.  I
don't
> > want to reboot and give dmesg yet in case there are some ddb
commands I
> > should run.
> 
> At least ps and trace, maybe trace /u, too.

Copied by hand, so I hope there are no mistakes, part 2:

ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
  3753  15399  15399      0  3      0x4086  nanosleep  sleep
*16097  15399  15399      0  7      0x4006             kismet_server
 15399  14367  15399      0  3      0x4086  pause      sh
 18520      1  18520     77  3       0x184  poll       dhclient
 12235      1  13769      9  3        0x86  poll       dhclient
 21237      1  21237      0  3      0x4086  ttyin      getty
 14367      1  14367      0  3      0x4086  pause      ksh
 19974      1  19974      0  3     0x40184  select     sendmail
 28135      1  28135      0  3      0x4086  ttyin      getty
 28651  28650                3      0x4086  ttyin      getty
 23478      1  23478      0  3      0x4086  ttyin      getty
 12349      1  12349      0  3        0x84  select     cron
 21398      1  21398      0  3        0x84  kqread     apmd
 31314      1  31314      0  3       0x184  select     inetd
 29603  19240  19240     73  2       0x184             syslogd
 19240      1  19240      0  3        0x84  netio      syslogd
    14      0      0      0  3    0x100204  crypto_wa  crypto
    13      0      0      0  3    0x100204  aiodoned   aiodoned
    12      0      0      0  3    0x100204  syncer     update
    11      0      0      0  3    0x100204  cleaner    cleaner
    10      0      0      0  3    0x100204  reaper     reaper
     9      0      0      0  3    0x100204  pgdaemon   pagedaemon
     8      0      0      0  3    0x100204  pftm       pfpurge
     7      0      0      0  3    0x100204  cardslote  cardslot1
     6      0      0      0  3    0x100204  cardslote  cardslot0
     5      0      0      0  3    0x100204  usbtsk     usbtask
     4      0      0      0  3    0x100204  usbevt     usb0
     3      0      0      0  3    0x100204  apmev      apm0
     2      0      0      0  3    0x100204  kmalloc    kmthread
     1      0      1      0  3      0x4084  wait       init
     0     -1      0      0  3     0x80204  scheduler  swapper
ddb>



Re: X11 and nolisten tcp

2005-08-29 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Vladislav Belogrudov
> Sent: Monday, August 29, 2005 9:27 AM
> To: misc@openbsd.org
> Subject: Re: X11 and nolisten tcp
> 
> ---http://marc.theaimsgroup.com/?l=openbsd-misc&m=110128694416505&w=2
> Looking at the commit history, this has been handled
> by the
> OpenBSD team. Someone thought it was good to turn off
> but Theo
> said it should be on so that is how it is.
> --
> 
> well, that cannot be explained better
> "You can do this, but you cannot"
> 
> Thanks, that explains a lot ;)
> 

OpenBSD could also choose to have no ports listening at all when the
system starts up.  By design, certain network applications or services
are started up by default and do listen.  I think a lot of the
disagreement is around the nature of the X Window system.  Many people
consider it to be a network aware service, others consider it to be a
bloated single-user application.
If you do agree that it is a network service, then it should listen if
explicitly installed.  If there was enough developer time, I'm sure it
would be rewritten to use privilege separation.



Where to report package bugs?

2005-08-29 Thread Will H. Backman
I've looked around the web site and FAQ's.
There are ports related lists and info for reporting bugs, but I didn't
see anything about reporting bugs in packages.
Where do we report package bugs?

Thanks in advance.

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: Lifecycle question

2005-09-06 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Theo de Raadt
> Sent: Tuesday, September 06, 2005 11:43 AM
> To: Stephan A. Rickauer
> Cc: misc@openbsd.org
> Subject: Re: Lifecycle question
> 
> > The reason why I bother this list is that I am impressed by OpenBSD from
> > the technical point of view. I like its consistency and purity. But in
> > business environments or comparable organizations where money is an
> > issue, one needs to think about system management very carefully, since
> > it has a direct impact on money as well. That's why I can't understand
> > people can really live with the 6-month lifecycle.
> 
> I don't understand this whole conversation.
> 
> Instead, what those vendors give people is a 5 year patch-every-month
> cycle.
> 
> That is completely unsustainable.  The pieces we build upon are
> advancing too fast.
> 
> I don't buy into that method of operating system componentization at
> all, that you can just keep patching and patching.  It was not true 15
> years ago, 10 years ago, 5 years ago, and I see no proof that it will
> be true ever in the future.

"Familiarity breeds content"

I'm scared to death just patching OpenBSD, but I just did another
successful one recently and my stress levels go down every time.  While
I have been personally using OpenBSD for years, it was only with version
3.6 that I started using it in production.  I'm sure that over time,
I'll be less scared.

I'm nervous when I update Linux, Windows, Novell, OSX, or OpenBSD.  I
think what scares me about OpenBSD is that _I_ will make a mistake due
to the additional manual steps.  Most other systems automate more, and I
can falsely assume that people smarter than me have worked through the
issues.

It is hard to get a feel for the true level of risk without statistics.
People can give anecdotal evidence about how a Windows security update
blew out their accounting server and required a rebuild.  You can get
those stories for any OS.

I think the lifecycle question will seem less disruptive as I become
more familiar.

Perhaps we should call the current OpenBSD "Version 3, Service Pack 7".
In the Windows world, there are all kinds of software packages that
require a recent service pack.  Windows 2000 is supported for many
years, but not at the original service pack level if you intend to do
anything useful with it.  Same thing with OSX.



Re: Sendmail nullclient

2005-09-07 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Stephan A. Rickauer
> Sent: Wednesday, September 07, 2005 8:51 AM
> To: misc@openbsd.org
> Subject: Sendmail nullclient
> 
> Currently, I am struggling with sendmail. I'd like to configure it as
> nullclient but all m4 files I found online wouldn't work on OpenBSD 3.7.
>   Playing with the ones in /usr/share/sendmail/cf/ didn't succeed.
> Could someone post me his nullclient m4 file, please?
> 
> Thanks!
> 

Here is what I use in Linux (sendmail 8.12.10):

-bash-2.05b$ more sendmail.mc
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`$Id$')dnl
OSTYPE(`linux')dnl
FEATURE(`nouucp', `reject')dnl
FEATURE(`always_add_domain')dnl
MASQUERADE_AS(`ceimaine.org')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`mailertable')dnl
FEATURE(`access_db')dnl
MAILER(`smtp')dnl
dnl Turn off ident querying, which is usually wrong and slows things
down
define(`confTO_IDENT', `0')dnl
dnl Since the bastion box never delivers mail to disk or anything that
dnl generally requires it to assume a user's identity, we can run it as
dnl something other than root, which is very good.
dnl define(`confRUN_AS_USER', `mailnull:mailnull')dnl
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTRUSTED_USER', `smmsp')dnl
dnl Sendmail defaults to giving out all kinds of useful (to hackers)
dnl information in the greeting message.  There are still a number of
dnl ways to get Sendmail to give you that information, but this makes
dnl it a little harder.
define(`confSMTP_LOGIN_MSG', `')dnl
dnl This disables all of the commands that would allow an outsider to
dnl confirm email addresses, see who root mail is sent to, etc.
define(`confPRIVACY_FLAGS', `goaway')dnl
dnl Send a copy of bounce messages to the postmaster
define(`confCOPY_ERRORS_TO', `postmaster')dnl
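Since the question asked for a null-client file that builds on OpenBSD 3.7, here is an added example of one; it is not from the message above and not one of the files OpenBSD ships. It assumes the relay host is mailhub.example.com and that the file is saved as nullclient.mc in /usr/share/sendmail/cf and built with the cf.m4 in /usr/share/sendmail/m4:

```m4
divert(-1)
dnl Added example, not the poster's config: a sendmail null client for
dnl OpenBSD.  All mail is handed to one hub; nothing is delivered locally.
dnl "mailhub.example.com" is a placeholder for the real relay host.
divert(0)dnl
VERSIONID(`nullclient example')dnl
OSTYPE(`openbsd')dnl
dnl nullclient pulls in the smtp mailer itself and masquerades outgoing
dnl mail as the hub unless MASQUERADE_AS is set; no MAILER() lines are
dnl needed, and the sendmail README says none should be added.
FEATURE(`nullclient', `mailhub.example.com')dnl
dnl The one feature documented as safe alongside nullclient: skip DNS
dnl canonification on the client and let the hub resolve addresses.
FEATURE(`nocanonify')dnl
dnl Hardening carried over from the Linux file above: blank banner,
dnl no VRFY/EXPN, no ident lookups.
define(`confSMTP_LOGIN_MSG', `')dnl
define(`confPRIVACY_FLAGS', `goaway')dnl
define(`confTO_IDENT', `0')dnl
```

Build it with `cd /usr/share/sendmail/cf && m4 ../m4/cf.m4 nullclient.mc > /etc/mail/sendmail.cf`; the usual reason an mc file found online fails on OpenBSD is an include() pointing at a Linux path for cf.m4, which this form avoids by naming cf.m4 on the command line. A null client still needs a queue runner (sendmail -q30m) so mail is retried when the hub is down; whether the daemon also listens is an rc.conf decision, and the OpenBSD default of a localhost-only listener via /etc/mail/localhost.cf can simply be left in place.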



Re: Shell account cgi script

2005-09-07 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Stuart Henderson
> Sent: Wednesday, September 07, 2005 12:13 PM
> To: Misc OpenBSD
> Subject: Re: Shell account cgi script
> 
> --On 07 September 2005 10:40 -0500, L. V. Lammert wrote:
> 
> > There are always ways, .. but I would not consider recommending such
> > sophisticated solutions for the basic user level of this poster.
> 
> If it's necessary to ask questions of this nature, perhaps running a
> server automatically handing out shell accounts to unknown users
> signing up from a website might result in some Interesting experiences.

Perhaps the OpenBSD community can at least come up with some general
hints for people who wish to use OpenBSD for hosting shell accounts.
Protecting a server from inside attacks is much harder, but I think
OpenBSD is a good platform for this purpose.

Login classes, pf user and group limits, and systrace provide a powerful
set of tools for allowing untrusted shell accounts.  If anyone has
experience setting up these tools in a hosted shell account environment,
perhaps you could give some hints.

Personally, I wouldn't give shell access to someone I don't know and
trust, but if I had to, it seems that OpenBSD would be a good choice.



Re: Shell account cgi script

2005-09-07 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Mike Hernandez
> Sent: Wednesday, September 07, 2005 2:47 PM
> To: Adam; misc@openbsd.org
> Subject: Re: Shell account cgi script
> 
> On 9/7/05, Adam <[EMAIL PROTECTED]> wrote:
> > On Wed, 7 Sep 2005 13:37:45 -0400 Mike Hernandez <[EMAIL PROTECTED]>
> > wrote:
> > If someone is wanting to give people "shell accounts", then they
> > generally want people to be able to access more than just the shell
> > itself.  The whole point is to let them use the system, if you chroot
> > them then they can't do anything.
> >
> On the contrary, they can do anything that the administrator makes it
> possible for them to do.  Many of the web hosting accounts I've signed
> up for came with a jailed shell that I could use to work with the
> files on the server but nothing more.
> 
> Mike

At least to start, a shell account should have limited access to memory,
processor time, number of procs, files, disk space, etc.
Also, any writable areas such as $HOME and /tmp should be on a partition
with certain mount options such as no suid and maybe even noexec.
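To make the limits and mount options above concrete, here is an added example, not from either message in this thread, of an OpenBSD login.conf(5) class and the matching fstab(5) entries for untrusted shell users. The class name "shell", every limit value and the device names wd0f/wd0g are assumptions to tune per host; users are put in the class with usermod -L shell <user>, and cap_mkdb /etc/login.conf rebuilds the database after editing:

```conf
# /etc/login.conf: added example stanza, not from the posts.
# These are hard limits; the -cur variants would set a lower soft limit
# that the user may raise up to these.  Values are guesses to be tuned.
shell:\
	:maxproc=40:\
	:openfiles=128:\
	:cputime=30m:\
	:datasize=64M:\
	:stacksize=8M:\
	:memoryuse=64M:\
	:filesize=256M:\
	:coredumpsize=0:\
	:priority=10:\
	:umask=077:\
	:tc=default:

# /etc/fstab: the writable areas on their own partitions.  Device names
# are placeholders.  nosuid blocks setuid binaries a user might copy in,
# nodev stops device nodes, and noexec on /tmp stops the classic
# "download to /tmp and run" step.  noexec on /home is optional: it also
# stops users running programs they compiled themselves, which may be the
# point or may be unacceptable depending on what the accounts are for.
# userquota is ignored by mount and read by quotaon/quotacheck.
/dev/wd0f /tmp  ffs rw,nodev,nosuid,noexec     1 2
/dev/wd0g /home ffs rw,nodev,nosuid,userquota  1 2
```

Disk space is the one item in the list that login.conf does not cover: it comes from ffs quotas, hence the userquota option on /home, with per-user limits set by edquota(8) and enforced after quotacheck and quotaon. Note that noexec blocks execve() and PROT_EXEC mappings, not interpreters, so `sh /tmp/script` still runs; it raises the bar rather than closing the door.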



Re: Text Editor

2005-09-12 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Antoine Jacoutot
> Sent: Monday, September 12, 2005 12:50 PM
> To: misc@openbsd.org
> Subject: Re: Text Editor
> 
> Michael Shalayeff wrote:
> > which is relatively easy to fix
> > having enough motivation...
> 
> Well, not really, one must also have the knowledge to do it, which I
> have not, unfortunately ;)

The best way to encourage a knowledgeable developer to port it to
another platform is to donate something cool from that platform.  Want
to see it on PPC?  Donate a Dual G5.



Re: A question about examining pf loging data

2005-09-12 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> stan
> Sent: Monday, September 12, 2005 1:04 PM
> To: OpenBSD general usage list
> Subject: A question about examining pf loging data
> 
> I've set up a transparent bridge, with pf in "pass all log" mode to capture
> data to/from a particular subnet. I am gathering data about the traffic
> that passes through this gateway in order to prepare for installing a
> firewall.
> 
> I've captured a bit of data as pflog files. Then I've processed these files
> with:
> 
>  tcpdump -n -e -
> 
> Which results in data records like this:
> 
> 2005-09-08 20:26:40.328379 rule 5/0(match): pass out on fxp0: IP
> 170.85.113.49.3092 > 170.85.107.35.1500: . 1460:2920(1460) ack 1 win 63947
> 
> This has most of the data that I need, but it seems to be missing one thing
> that I think is important. How can I determine if the traffic is
> TCP/UDP/ICMP etc?
> 
If you have ack and window flags, then it is TCP, not UDP.



Re: Text Editor

2005-09-12 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Antoine Jacoutot
> Sent: Monday, September 12, 2005 3:45 PM
> To: misc@openbsd.org
> Subject: Re: Text Editor
> 
> STeve Andre' wrote:
> > Michael makes an important point here.  One often does not know how to
> > do something at the beginning of a project and must learn how to do the
> > things needed to achieve a goal.
> 
> I know that, but be realistic, I know _nothing_ about programming... So
> I don't think saying it is only a matter of motivation is not really
> true. I'm not 18 anymore and I don't have time to learn C enough to do
> something like that.

Well at least misc@ is a nurturing and gentle environment for the
aspiring programmer.



Motorola WU830G

2005-09-17 Thread Will H. Backman
Just wanted to give a dmesg for the Motorola WU830G USB2 Wireless Adapter,
in case anyone else was thinking of buying one.  I picked it up for $20.
Needless to say, not much luck with this one.  Chipset made by Envara, which
was bought by Intel in 2004.

# dmesg
OpenBSD 3.8-beta (GENERIC) #119: Wed Aug 24 01:47:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) XP 2600+ ("AuthenticAMD" 686-class, 512KB L2 cache) 1.92 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu0: AMD Powernow: FID
real mem  = 267952128 (261672K)
avail mem = 237613056 (232044K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(f3) BIOS, date 04/20/04, BIOS32 rev. 0 @ 0xfbaa0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdd84
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdcf0/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xb000 0xcc000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8378 PCI" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 PCI-PCI" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI AIW Radeon" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Texas Instruments TSB43AB23 FireWire" rev 0x00 at pci0 dev 6 function 0 not configured
xl0 at pci0 dev 7 function 0 "3Com 3c905C 100Base-TX" rev 0x74: irq 10, address 00:50:da:19:e6:42
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, channel 0
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 58644MB, 120103200 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
wd1 at pciide0 channel 1 drive 1: 
wd1: 16-sector PIO, LBA, 4125MB, 8448300 sectors
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
wd1(pciide0:1:1): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x81: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x81: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x81: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x81: irq 5
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x86: irq 10
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
pcib0 at pci0 dev 17 function 0 "VIA VT8237 ISA" rev 0x00
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x60: irq 10
ac97: codec id 0x56494170 (VIA Technologies <70>)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, KS Waves 3D
audio0 at auvia0
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x78: irq 11 address 00:11:09:06:27:f3
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface
ukphy0: OUI 0x004063, model 0x0032, rev. 8
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: W83697HF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ef65 netmask ef65 ttymask ffe7
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
wd0: no disk label
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd1a
rootdev=0x10 rrootdev=0x310 rawdev=0x312
uhub5 at uhub1 port 2
uhub5: ALCOR Generic USB Hub, rev 1.10/3.12, addr 2
uhub5: 4 ports with 4 removable, self powered
ugen0 at uhub1 port 1
ugen0: Cybertan MOTOROLA Wirel

Re: Wireless Strangeness

2005-09-19 Thread Will H. Backman
> Restart the machine and if your clients still can't connect put the
> wireless
> interface into debug mode:

Is there a recommended way to do this without a reboot?



Re: PFLogging to Syslog

2005-09-20 Thread Will H. Backman
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> James Mackinnon
> Sent: Tuesday, September 20, 2005 9:43 AM
> To: misc@openbsd.org
> Subject: PFLogging to Syslog
> 
> Good day everyone
> 
> I have 20+ OpenBSD firewalls setup across Canada and I wanted to bring
> the logs to a central server so I can make them web enabled so I can
> view them in a web app
> 
> In the past, I used checkpoint, I like pf much better but the logging
> system to checkpoint was nice
> 
> I have followed the PF: Logging section in the manual, but I find not
> everything that is going in pflog.txt is coming over to @syslogger
> 
> Is there a better technique I should be using for 20+ firewalls logging
> to a central server and then what web app would you recommend so I could
> look at the logs in some type of non-console view
> 
> Any suggestions and recommendations would be great as I would like to get
> this right the first time:)
> 
> Thanks
> 
> James

Syslog uses best-effort UDP, so all log entries are not guaranteed to
get to the central server.  There are other syslog servers that offer
better guarantees, and you may also want to use encryption and something
to thwart traffic analysis.

Take a look at syslog-ng, although I cannot tell you how it performs.  I
have just heard people mention it in this situation.



Re: PFLogging to Syslog

2005-09-20 Thread Will H. Backman
> -Original Message-
> From: James Mackinnon [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 20, 2005 11:48 AM
> To: Will H. Backman; misc@openbsd.org
> Subject: RE: PFLogging to Syslog
> 
> yes, this is true.. Probably lose a bit as currently I am logging all in
> and out on a fairly busy network all back to 1 logger.
> 
> I will do some reading on this one as well, thanks
> 
> 

You should be careful with this kind of setup.  If your log host goes
down, your network will get trashed by ARP "who has" broadcast requests
from any firewalls on the same network as the log host.  Logging every
packet in real time causes enough unicast overhead, and will drive your
network utilization way up if every packet passing through the firewall
suddenly starts causing ARP broadcasts.



Re: is there a way to block sshd trolling?

2005-09-23 Thread Will H. Backman
> On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
> > You know what i mean? Every day I get some script kiddie, or adult
> > trying to guess usernames or passwords.
> > I've installed the newest version of SSH, so i'm covered there. But I
> > still get a dozen or 2 of the
> > "sshd Invalid user somename from ###.##.##.###"
> > "input_userauth_request: invalid user somename"
> > "Failed password for invalid user somename"
> > "Received disconnect from ###.##.##.###"
> > Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
> > from ###.##.##.### to any flags S/SA'
> > entry in my pf.conf file. But if I had to do that for every hacker my
> > pf.conf would be huge!
> > There's got to be a better way, and I'm open to suggestions.
> >
> >
> > John F. Marten III
> >
> > Information Technology Specialist

Change your sshd listen port?  Should take care of most of the scripts.
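Moving the port cuts the noise from scripts that only try 22, but it does nothing against a scanner that finds the new port, and the original poster did not want one rule per source. The pf.conf(5) fragment below is an added example, not part of any message in this thread, showing what pf itself offers for this on OpenBSD 3.7 and later: a per-source rate trigger that fills a table automatically. It also carries the per-group outbound restriction for untrusted shell users discussed in the "Shell account cgi script" thread above. $ext_if, the 5/30 threshold and the group name "shell" are assumptions:

```pf
# Added example pf.conf(5) fragment (OpenBSD 3.7+), not from the thread.
ext_if = "fxp0"          # assumption: the interface facing the Internet

# Sources that trip the rate limit are collected here.  Inspect with
#   pfctl -t bruteforce -T show
# and age entries out, for example nightly from cron, with
#   pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

# Anything already in the table is dropped before any pass rule is seen.
block in quick on $ext_if from <bruteforce>

# New SSH connections are allowed, but a source that opens more than 5 in
# 30 seconds is added to the table and its existing states are flushed.
# Tune 5/30 to what real users do; a NAT gateway with many users behind it
# will trip this and should get its own pass rule ahead of this one.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# From the shell-account thread: processes owned by members of the local
# group "shell" may only talk to DNS and the web, so a malicious or
# compromised shell user cannot turn the host into a scan or spam source.
# user/group matching applies only to connections originating on this box.
block out on $ext_if proto { tcp udp } group shell
pass out on $ext_if proto { tcp udp } to port { 53 80 443 } group shell keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. If sshd has been moved off port 22 as suggested, change `port ssh` accordingly; if the table fills with addresses you recognise, the threshold is too low for that user population rather than the users being attackers.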


