Re: Virtualizing firewalling scenarios in one physical OpenBSD host
out of curiosity, how would you make pf(4) only handle rules pertaining to a certain anchor depending on the process that's interfacing with them? i ask because, e.g., pfctl -sr should only show rules for that client, and other pf(4) operations need to be equally restricted.

i know that originally you said that the loading of the rules is not up to the client but a periodic batch job, however that does not match CheckPoint VSX.

would you make the pf driver check the uid of the caller itself and spread out this code throughout every routine that fetches and sets rules, or where would you place the namespacing?

On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer lists-open...@bsws.de wrote:
> * Franco Fichtner slash...@gmail.com [2012-07-04 11:43]:
>> No, the great catch here is that VSX offers you tools to manage up to 250 of these virtual monsters in a centralized fashion. You can also give control of these firewalls to your customers. You can put lots of OpenBSD guests on a host, but there's no way you will be happy when you are seriously thinking about deploying a VSX.
>
> ok, you've been brainwashed by marketing. this is not a question of the firewall at all, but a question of the management interface around it.
>
> as said and I repeat it again, use anchors and build sth for specific users to be able to edit specific anchor rulesets. could be as easy as a file per anchor owned by the user in question and a little cronjob that reloads your ruleset including anchors hourly or so.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
Re: Virtualizing firewalling scenarios in one physical OpenBSD host
ok here's a more thought out idea

a vpf is the same as a pf only that it has an ioctl that binds its device minor to a rule # in pf0. access to a vpf0 is the same, posix vfs permissions. (securelevel affects pf rule write-ability, but i don't think a per vpf equivalent is useful for this example.) only that the bind ioctl can be done by root exclusively

if you want more vpfs, you need more device minors.

that way the user interfaces are already there (pfctl, systat states), and the pf device protocol is already there, but the rules are now partitioned which was the true purpose from the start

On Wed, Jul 4, 2012 at 11:11 AM, Andres Perera andre...@zoho.com wrote:
> out of curiosity, how would you make pf(4) only handle rules pertaining to a certain anchor depending on the process that's interfacing with them? i ask because, e.g., pfctl -sr should only show rules for that client, and other pf(4) operations need to be equally restricted.
>
> i know that originally you said that the loading of the rules is not up to the client but a periodic batch job, however that does not match CheckPoint VSX.
>
> would you make the pf driver check the uid of the caller itself and spread out this code throughout every routine that fetches and sets rules, or where would you place the namespacing?
>
> On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer lists-open...@bsws.de wrote:
>> * Franco Fichtner slash...@gmail.com [2012-07-04 11:43]:
>>> No, the great catch here is that VSX offers you tools to manage up to 250 of these virtual monsters in a centralized fashion. You can also give control of these firewalls to your customers. You can put lots of OpenBSD guests on a host, but there's no way you will be happy when you are seriously thinking about deploying a VSX.
>>
>> ok, you've been brainwashed by marketing. this is not a question of the firewall at all, but a question of the management interface around it.
>>
>> as said and I repeat it again, use anchors and build sth for specific users to be able to edit specific anchor rulesets. could be as easy as a file per anchor owned by the user in question and a little cronjob that reloads your ruleset including anchors hourly or so.
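Henning's "file per anchor owned by the user, reloaded from cron" suggestion, as quoted in the two posts above, written out as an added shell example; it is not code from anyone in the thread. The /etc/pf.anchors directory, the customers/* sub-anchor layout and the reload-anchors script name are assumptions. The point it adds is the two checks (file ownership and a pfctl -n dry run) that keep one customer's file from landing in another customer's anchor or flushing a live anchor with a broken ruleset, which is the partitioning the first post asks about, done in userland rather than in the pf driver.

```shell
#!/bin/sh
# Added example (not from the thread): reload per-customer pf anchors from
# files owned by the customer in question. Assumed layout, not the poster's:
#   /etc/pf.anchors/<user>.conf   owned by unix user <user>
# loaded into the sub-anchor "customers/<user>", which the main ruleset
# references with:   anchor "customers/*"
# A customer can therefore only influence the anchor named after the unix
# user who owns the file, and only with rules pf(4) accepts in an anchor.

set -u

ANCHOR_DIR="${ANCHOR_DIR:-/etc/pf.anchors}"
PFCTL="${PFCTL:-pfctl}"   # set to "echo" to dry-run the example

# owner_of FILE: print the owner name as ls(1) reports it (portable across
# BSD and GNU userlands, unlike the -f/-c flags of stat)
owner_of() {
    ls -ld -- "$1" | awk '{ print $3 }'
}

# load_anchor NAME FILE: validate FILE and load it into customers/NAME.
# Returns 1 and leaves the anchor untouched when NAME is not a plain user
# name, when FILE is not owned by NAME, or when pfctl -n rejects FILE.
load_anchor() {
    name=$1
    file=$2

    # anchor names come from file names; accept only [A-Za-z0-9_-] so that
    # nothing like "../" or "*" can end up in a sub-anchor path
    case $name in
        '' | *[!A-Za-z0-9_-]*)
            echo "skip $file: bad anchor name" >&2
            return 1 ;;
    esac

    owner=$(owner_of "$file")
    if [ "$owner" != "$name" ]; then
        echo "skip $file: owned by $owner, expected $name" >&2
        return 1
    fi

    # -n parses without loading: a syntax error must not flush the anchor
    # that is currently live for this customer
    if ! "$PFCTL" -n -a "customers/$name" -f "$file" >/dev/null 2>&1; then
        echo "skip $file: pfctl rejected the ruleset" >&2
        return 1
    fi

    "$PFCTL" -a "customers/$name" -f "$file"
}

# reload_all: load every *.conf in ANCHOR_DIR. The exit status is the number
# of files skipped, so cron mail only shows up when something is wrong.
reload_all() {
    failed=0
    for f in "$ANCHOR_DIR"/*.conf; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        load_anchor "$(basename "$f" .conf)" "$f" || failed=$((failed + 1))
    done
    return "$failed"
}

# crontab entry for the hourly reload the quoted message suggests:
#     0 * * * * /usr/local/sbin/reload-anchors run
case ${1:-} in
    run) reload_all ;;
esac
```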
Re: mojibake
On Sun, Jul 1, 2012 at 12:30 PM, Anthony J. Bentley anthonyjbent...@gmail.com wrote:
>> So again, the complaint was that there was mojibake gibberish in Ingo's presentation, because the character encoding isn't specified but defaults to UTF-8 in modern browsers, while the page is actually iso-8859-1 encoded.
>
> Actually, modern browsers do not default to a particular encoding (in fact, this violates the HTML standard). Instead, they attempt to autodetect the charset. Sometimes this works, and sometimes it doesn't -- I've seen UTF-8 pages incorrectly detected as ISO-8859-1, and in particularly bad cases, vice versa.

i would consider firefox a modern browser, and it does not default to autodetect. it defaults to iso-8859-1

however, the gui does not allow a per html doctype default charset, so a management configured browser would apply the default charset to html1, 4, ... n

there should be no case where this is a problem. all pages should be html 4 to avoid these silly exchanges.

it would be nice if some sort of style guide clearly stated pages in www/ are html4, charset explicitly set to iso-8859-1. in the absence of that, we have these discussions. having a www/STYLE doc does not require committing to a particular templating language so hopefully it's a realistic short-term goal
Re: OpenBSD's webpage design
imo the issue has more to do with one page using a completely different scheme than all the others. that happens when you copy-paste massive tags at the beginning of every doc instead of using your preferred flavor of #include.

you could of course go another route and try to justify it by saying it's html1 unlike the rest, but that's just as useless as fixating on the charset

On Thu, Jun 28, 2012 at 9:17 AM, Dave Anderson d...@daveanderson.com wrote:
> On Thu, 28 Jun 2012, Stuart Henderson wrote:
>> On 2012-06-28, ropers rop...@gmail.com wrote:
>>> On 28 June 2012 01:17, Andres Perera andre...@zoho.com wrote:
>>>> http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html
>>>>
>>>> that page is encoded iso 8859-1, doesn't state so anywhere, breaks with browsers configured to default to utf8 in the absence of encoding qualifiers
>>>
>>> $ telnet www.openbsd.org 80
>>> Trying 142.244.12.42...
>>> Connected to www.openbsd.org.
>>> Escape character is '^]'.
>>> GET /papers/bsdcan11-mandoc-openbsd.html HTTP/1.1
>>> Host: www.openbsd.org
>>>
>>> HTTP/1.1 200 OK
>>> Date: Wed, 27 Jun 2012 23:59:19 GMT
>>> Server: Apache
>>> Last-Modified: Sat, 18 Jun 2011 11:11:28 GMT
>>> ETag: 65f60c9352dee7ec594696cdfb681e86316269ef
>>> Accept-Ranges: bytes
>>> Content-Length: 32754
>>> Content-Type: text/html
>>>
>>> <HTML>
>>> <BODY>
>>> ...
>>>
>>> Okay, this could transmit Content-Type: text/html; charset=iso-8859-1 but doesn't, but that's ok, we can do this on a page-by-page basis with a META tag, which ought to be ignored by browsers that don't understand it:
>>
>> IMO if it's worth doing this at all, it needs doing to *all* pages that need it, in one go, consistently. Anything else is likely to be way too much pain for the translators.
>
> Using META is _ugly_, especially for specifying a charset (since the page will be read up through the META element using the charset specified in the real header or assumed by the browser -- and that charset could be incompatible with the actual encoding.)
>
> Why not just use the AddDefaultCharset directive to ensure that a charset is specified in the real header for all pages? Or is this known to break some browsers that are still in use?
>
> Dave
>
> --
> Dave Anderson d...@daveanderson.com
Re: OpenBSD's webpage design
On Thu, Jun 28, 2012 at 3:45 PM, Dave Anderson d...@daveanderson.com wrote:
> On Thu, 28 Jun 2012, frantisek holop wrote:
>> hmm, on Thu, Jun 28, 2012 at 09:47:00AM -0400, Dave Anderson said that
>>> Using META is _ugly_, especially for specifying a charset (since the page will be read up through the META element using the charset specified in the real header or assumed by the browser -- and that charset could be incompatible with the actual encoding.)
>>>
>>> Why not just use the AddDefaultCharset directive to ensure that a charset is specified in the real header for all pages? Or is this known to break some browsers that are still in use?
>>
>> because AddDefaultCharset is a braindead concept.
>
> No, just one that needs to be applied only when appropriate. The truly braindead idea is that of partially parsing a file in order to find out what charset you should have been using in doing that parsing. This only mostly works because, for the typical page content from the beginning through any META elements, the encoding specified by most charset values happens to match the encoding specified by 8859-1.
>
> [...]

the cool thing about meta tags is that you can access, e.g., local man pages through file:// and have a properly decoded page. no need for a server

most charsets coincide with the first 127 characters of ascii, so what's the problem anyway. yea some browsers will reread the whole html but it's a minimal cost if you place the meta tag at the beginning
Re: OpenBSD's webpage design
On Wed, Jun 27, 2012 at 5:29 PM, Peter Laufenberg open...@laufenberg.ch wrote:
>> Speaking personally, I wouldn't mind if OpenBSD's website were updated. Just no one has volunteered yet to do the dirty work of actually coming up with a functional design and then updating the HTML. Talk is cheap.
>
> I'm willing to indirectly donate to OpenBSD by paying a professional graphic designer to redo parts of OpenBSD's visual design. His portfolio:

that would be cool to presence as a bystander

pay the dude regardless of what anybody says, and have him send the patches to a public mailing list

would've been even more interesting if you told nobody that he was getting paid for the patches
Re: OpenBSD's webpage design
On Wed, Jun 27, 2012 at 5:55 PM, Peter Laufenberg open...@laufenberg.ch wrote:
>> On Wed, Jun 27, 2012 at 5:29 PM, Peter Laufenberg open...@laufenberg.ch wrote:
>>> I'm willing to indirectly donate to OpenBSD by paying a professional graphic designer to redo parts of OpenBSD's visual design. His portfolio:
>>
>> that would be cool to presence as a bystander
>
> I don't understand you, man!

i rarely see people talking about the site layout on these lists, and i think it would be funny to see a typical designer dealing with, e.g., www/build/mirrors.pl

it would be entertaining to follow the thread of patch submissions and developer reactions :)

having said that, i think the site is ok
Re: OpenBSD's webpage design
On Wed, Jun 27, 2012 at 5:55 PM, john slee indig...@oldcorollas.org wrote:
> Do you think that if the reader finds reading to be optimal at a particular column width, that said reader may well adjust their browser window to suit?

sorry but that's complete bs. you are essentially expecting users to re-size the window according to each site, since it's impossible for all sites to display optimally under fixed browser-window dimensions without conceding to capped text width... and that's a situation where the worst case happens to match the usual case

the 60-72 cap train took off ages ago. i don't read books like it's a chinese fortune string, nor do i subject my newspaper leisure hours to the same torture
Re: OpenBSD's webpage design
On Wed, Jun 27, 2012 at 6:10 PM, Nick Holland n...@holland-consulting.net wrote:
> Other than boring, no one has actually STATED a problem of the OpenBSD website. What message are we not getting across? If there is a PROBLEM you see that makes getting its information to you difficult, please state it and indicate what could be done better. i.e., saying, what you did to the faq/index.html page for this release makes no sense to me as I'm blind and using a screen reader would be constructive and useful (and I have no freaking idea what to do about it, and in fact, I've just made myself feel really guilty, as if someone WERE to say that to me, I don't want to undo it...)

ok concretely, the man and webcvs pages do not have links back to openbsd.org

good design would be to make the openbsd logo at the top left corner be the link

that's a big nono in site layout. you should make the site as browseable as possible (see how you can talk about design without talking about aesthetics)

another thing is, talking with a professional designer will reveal many problems like these, the difference being that you'll get information in meaningful chunks instead of little updates such as this mail
Re: OpenBSD's webpage design
On Wed, Jun 27, 2012 at 6:18 PM, Ingo Schwarze schwa...@usta.de wrote:
> Hi,
>
> Matthew Dempsky wrote on Wed, Jun 27, 2012 at 01:53:09PM -0700:
>> On Wed, Jun 27, 2012 at 1:41 PM, Ted Unangst t...@tedunangst.com wrote:
>>> Here's something I think would be a *major* improvement. Fix magicpoint to export slides in a format better than jpg.
>
> That's not the only thing that could be fixed about magicpoint; however, fixing magicpoint is not a job for the fainthearted. The only time i used it so far (ironically, to present about mandoc), i ended up publishing the slides in plain HTML, with heavy manual postprocessing:
>
> http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html

that page is encoded iso 8859-1, doesn't state so anywhere, breaks with browsers configured to default to utf8 in the absence of encoding qualifiers

all those little things add up, man
Re: OpenBSD's webpage design
On Wed, Jun 27, 2012 at 7:43 PM, Philip Guenther guent...@gmail.com wrote:
> On Wed, Jun 27, 2012 at 4:17 PM, Andres Perera andre...@zoho.com wrote:
>> ...
>> that page is encoded iso 8859-1, doesn't state so anywhere, breaks with browsers configured to default to utf8 in the absence of encoding qualifiers
>
> Those browsers are violating the HTTP/1.1 standard. RFC 2616, section 3.7.1, paragraph 4:
>
>    The charset parameter is used with some media types to define the character set (section 3.4) of the data. When no explicit charset parameter is provided by the sender, media subtypes of the text type are defined to have a default charset value of ISO-8859-1 when received via HTTP. Data in character sets other than ISO-8859-1 or its subsets MUST be labeled with an appropriate charset value. See section 3.4.1 for compatibility problems.

firefox and ie are nice enough to assume iso-8859-1. that's not the case with management configured browsers, where RFCs don't mean a damn

> And then there's section 3.4.1:
>
>    3.4.1 Missing Charset
>
>    Some HTTP/1.0 software has interpreted a Content-Type header without charset parameter incorrectly to mean recipient should guess. Senders wishing to defeat this behavior MAY include a charset parameter even when the charset is ISO-8859-1 and SHOULD do so when it is known that it will not confuse the recipient.
>
>    Unfortunately, some older HTTP/1.0 clients did not deal properly with an explicit charset parameter. HTTP/1.1 recipients MUST respect the charset label provided by the sender; and those user agents that have a provision to guess a charset MUST use the charset from the content-type field if they support that charset, rather than the recipient's preference, when initially displaying a document. See section 3.7.1.
>
> Wait, was that a warning that an explicit charset parameter broke some older browsers? Huh... wtf?

a charset parameter is present in www/index.html so i guess that particular page isn't catering to an unrealistic section of an rfc

i sense some conflicting interests here

> Philip Guenther
Re: OpenBSD's webpage design
that patch is not a solution

a good solution is to use m4 or another macro language (maybe cpp since apparently line-based macro languages are liked by mandoc freaks) to add an include to all pages in the www/* repository

also, a commit hook that ensures that newly added or modified pages meet a set of requirements

On Wed, Jun 27, 2012 at 8:55 PM, ropers rop...@gmail.com wrote:
> On 28 June 2012 01:17, Andres Perera andre...@zoho.com wrote:
>> http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html
>>
>> that page is encoded iso 8859-1, doesn't state so anywhere, breaks with browsers configured to default to utf8 in the absence of encoding qualifiers
>
> $ telnet www.openbsd.org 80
> Trying 142.244.12.42...
> Connected to www.openbsd.org.
> Escape character is '^]'.
> GET /papers/bsdcan11-mandoc-openbsd.html HTTP/1.1
> Host: www.openbsd.org
>
> HTTP/1.1 200 OK
> Date: Wed, 27 Jun 2012 23:59:19 GMT
> Server: Apache
> Last-Modified: Sat, 18 Jun 2011 11:11:28 GMT
> ETag: 65f60c9352dee7ec594696cdfb681e86316269ef
> Accept-Ranges: bytes
> Content-Length: 32754
> Content-Type: text/html
>
> <HTML>
> <BODY>
> ...
>
> Okay, this could transmit Content-Type: text/html; charset=iso-8859-1 but doesn't, but that's ok, we can do this on a page-by-page basis with a META tag, which ought to be ignored by browsers that don't understand it:
>
> $ diff -u 'bsdcan11-mandoc-openbsd.html' 'bsdcan11-mandoc-openbsd.html.new'
> --- bsdcan11-mandoc-openbsd.html 2012-06-28 02:12:19.0 +0200
> +++ bsdcan11-mandoc-openbsd.html.new 2012-06-28 02:07:54.0 +0200
> @@ -1,4 +1,7 @@
> HTML
> +HEAD
> +META http-equiv=Content-Type content=text/html; charset=iso-8859-1 /
> +HEAD/
> BODY
> H1A HREF=http://www.bsdcan.org/2011/schedule/events/230.en.html;Mandoc in OpenBSD/A/H1
>
> Generally speaking, I find that on misc@ the words you should make are taken far less seriously than even the most pitiful of diffs.
>
> regards,
> ropers
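Review bot: the HEAD block the hunk adds holds only the META charset line and no TITLE element, which HTML 4 requires inside HEAD, so the page is still not valid markup after the change; add a TITLE while touching the head. Note also that the META declaration only takes effect because the telnet transcript shows Content-Type: text/html with no charset parameter: any charset sent in the HTTP header, for instance from an AddDefaultCharset directive added later, overrides the in-document declaration, which is a further argument for fixing this once for all www/ pages rather than one page at a time.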
Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?
sorry, but i never sold nm as the sole step granting immunity. i explicitly presented it as an example.

nevertheless, the full list of things i do does not cover all of the possible changes you pointed out. i constructed it in a way that also works with snapshots:

diff include/sys/syscall{args,}.h with previous db (a la sysmerge); double check with nm /bsd. syscallargs changing returns false whether or not nm shows the same set of calls. (i don't currently diff /sys/* in hopes of finding new or changed bitmap flags)

diff include/sys/ioctl.h and header-includes with previous db. i don't attempt to detect new includes, this is fragile and is covered by acting on sys/*

the rest of the files are predictable sets of other kernel apis. i don't look at net/pfvar or anything outside sys even though i should

as flaky as it can be, it works most of the time and it's better than letting the user decide

On Wed, Jun 20, 2012 at 12:59 AM, Matthew Dempsky matt...@dempsky.org wrote:
> On Tue, Jun 19, 2012 at 9:34 PM, Andres Perera andre...@zoho.com wrote:
>> all of the calls in syscalls.master map to a unique function, and all of them start with sys_. it's true that nm won't tell me about argument changes. i just risk it a little by assuming no one's that evil
>
> Okay, granted nm will tell you when new syscall entry points get added... but you won't know about new syscall flags, new ioctls, new device nodes, new sysctls, new behavior, etc. Not saying you can't use nm as a backup sanity check, but it's not something I'd recommend relying on by default. Our userland is really not designed to run on older kernels.
Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?
On Wed, Jun 20, 2012 at 1:40 AM, Andres Perera andre...@zoho.com wrote:
> sorry, but i never sold nm as the sole step granting immunity. i explicitly presented it as an example.
>
> nevertheless, the full list of things i do does not cover all of the possible changes you pointed out. i constructed it in a way that also works with snapshots:
>
> diff include/sys/syscall{args,}.h with previous db (a la sysmerge); double check with nm /bsd. syscallargs changing returns false whether or not nm shows the same set of calls. (i don't currently diff /sys/* in hopes of finding new or changed bitmap flags)

i am talking about include/sys, not the kernel source repository

> diff include/sys/ioctl.h and header-includes with previous db. i don't attempt to detect new includes, this is fragile and is covered by acting on sys/*
>
> the rest of the files are predictable sets of other kernel apis. i don't look at net/pfvar or anything outside sys even though i should
>
> as flaky as it can be, it works most of the time and it's better than letting the user decide
>
> On Wed, Jun 20, 2012 at 12:59 AM, Matthew Dempsky matt...@dempsky.org wrote:
>> On Tue, Jun 19, 2012 at 9:34 PM, Andres Perera andre...@zoho.com wrote:
>>> all of the calls in syscalls.master map to a unique function, and all of them start with sys_. it's true that nm won't tell me about argument changes. i just risk it a little by assuming no one's that evil
>>
>> Okay, granted nm will tell you when new syscall entry points get added... but you won't know about new syscall flags, new ioctls, new device nodes, new sysctls, new behavior, etc. Not saying you can't use nm as a backup sanity check, but it's not something I'd recommend relying on by default. Our userland is really not designed to run on older kernels.
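The "double check with nm /bsd" step of the procedure laid out in the two posts above, reduced to what can be run on saved nm(1) output, as an added shell example (not the poster's own script). The nm sample lines are constructed, and the file names are assumptions. The comments record the blind spot Matthew raises: the comparison only sees sys_* entry points appearing or disappearing, never a changed argument list, a new ioctl or a new flag.

```shell
#!/bin/sh
# Added example (not from the thread): compare the sys_* entry points of two
# kernels from saved "nm /bsd" output, e.g. the list recorded before a
# snapshot upgrade against the list from the new kernel. Only additions and
# removals of syscall entry points are visible; as the thread notes, a
# syscall whose argument list changed keeps its symbol and passes unnoticed,
# and new ioctls, sysctls or flag bits never show up here at all.

set -u

# syscall_symbols NMFILE: print the sys_* symbols from saved nm output
# ("address type name" per line), one per line, sorted for comm(1)
syscall_symbols() {
    awk '$3 ~ /^sys_/ { print $3 }' "$1" | sort -u
}

# compare_syscalls OLD_NM NEW_NM: print "-name" for entry points that
# vanished and "+name" for entry points that appeared. Returns 0 when the
# two sets are identical, 1 when they differ.
compare_syscalls() {
    tmp_old=$(mktemp)
    tmp_new=$(mktemp)
    syscall_symbols "$1" > "$tmp_old"
    syscall_symbols "$2" > "$tmp_new"
    # comm -23: only in OLD (removed); comm -13: only in NEW (added)
    comm -23 "$tmp_old" "$tmp_new" | sed 's/^/-/'
    comm -13 "$tmp_old" "$tmp_new" | sed 's/^/+/'
    n=$(comm -3 "$tmp_old" "$tmp_new" | wc -l | tr -d ' ')
    rm -f "$tmp_old" "$tmp_new"
    [ "$n" -eq 0 ]
}

# Typical use before rebooting into a new kernel (paths are assumptions):
#     nm /bsd > /var/db/syscalls.new
#     compare_syscalls /var/db/syscalls.prev /var/db/syscalls.new
# A non-zero exit means the userland/kernel pairing needs a closer look.
case ${1:-} in
    compare) compare_syscalls "$2" "$3" ;;
esac
```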
Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?
ultimately a naive/incomplete approach

never mind the premise that snapshots contain changes not found in the trees, you state things to the effect of user chooses whether or not to reboot to new kernel. didn't even bother, e.g., comparing nm outputs
Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?
all of the calls in syscalls.master map to a unique function, and all of them start with sys_. it's true that nm won't tell me about argument changes. i just risk it a little by assuming no one's that evil

On Tue, Jun 19, 2012 at 9:22 PM, Matthew Dempsky matt...@dempsky.org wrote:
> On Tue, Jun 19, 2012 at 5:44 PM, Andres Perera andre...@zoho.com wrote:
>> didn't even bother, e.g., comparing nm outputs
>
> Er, what are you expecting to divine by comparing nm output?
Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?
since packages are done in synch with snapshots, i do not use the trees because i'd rather use packages

it's not clear whether or not changes in snapshots are allowed to make the packages incompatible with what you find in the repositories. perhaps i would be able to retract what i said as silly (and benefit from knowing exactly what it is i'm running at the same time)

On Tue, Jun 19, 2012 at 9:24 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
>> never mind the premise that snapshots contain changes not found in the trees, you state things to the effect of user chooses whether or not to reboot to new kernel. didn't even bother, e.g., comparing nm outputs
>
> well, hang on. quite often those diffs in snapshots are not yet committed for a reason. those diffs are being tested by people brave enough to test snapshots. of course, if people are brave enough to test snapshots, and any last minute bugs are found in those diffs and fixed.. and everyone will be able to run those juicy bits earlier.
>
> the diffs in snaps are chosen by me to try to advance so that i can help that process ahead (but at the same time not drive myself insane). after all, if i pick the wrong diffs at the wrong time, i'm going to break all of the build machines at the same time...
Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?
and that will be an exception that i'll have to deal with, which is entirely reasonable given that they rarely do change

another rare exception i could skirt around would be white space changes that would deter me from diffing syscalls.master instead of `nm /bsd` during automation, but the problem doesn't even come to that with snapshots, since i don't have a source referral; i only have the binary interface of the symbol list

On Wed, Jun 20, 2012 at 12:18 AM, Philip Guenther guent...@gmail.com wrote:
> On Tue, Jun 19, 2012 at 9:34 PM, Andres Perera andre...@zoho.com wrote:
>> all of the calls in syscalls.master map to a unique function, and all of them start with sys_. it's true that nm won't tell me about argument changes. i just risk it a little by assuming no one's that evil
>
> Heh. *Yesterday* tedu asked me to add some backwards compat to a diff I sent around that did exactly that, changing the argument list for an existing syscall. I guess I'm winning the evil contest with tedu!
>
> Philip Guenther
Re: About wine ?
On Mon, Jun 11, 2012 at 1:30 PM, Peter Laufenberg open...@laufenberg.ch wrote:
>> On Mon, Jun 11, 2012 at 3:49 PM, Peter Laufenberg open...@laufenberg.ch wrote:
>>> Qemu seems like a good project given the flack it gets on wikipedia (very Cartesian, I know), how well can it run on OpenBSD? what's holding it back? which kernel improvements/patches will help? if all VM is counter-security, why? Where do we come from and is there life after death? I demand to know.
>>
>> Qemu is fine on OpenBSD, but slow, because for some time already it's without KVM in OpenBSD. Probably one of the reasons for www.bitrig.org
>
> I see. Lofty goals with a questionable fork rationale. Maybe removing doc references to floppies and tapes would improve the modernity perception.

they also removed code

makefiles really aren't set up for mass edits. it's hard to do static checks

> From Jiri: Why don't you first search archives?
>
> - digressions into exotic sports cars?
> - marketing plugs?
> - out of date?
>
> -- p
Re: Large (3TB) HDD support
On Sun, Jun 3, 2012 at 9:18 PM, Peter Kay syllops...@syllopsium.co.uk wrote:
> Can we please differentiate GPT from EFI. GPT may be part of the EFI specification, but it's a standalone piece - implementing GPT is not going to restrict anyone's freedom to do what they want with a machine. Some possibilities EFI offers are more contentious..
>
> GPT is a foregone conclusion unless you are blind to the future. The only alternative is OS specific disk hackery, and that does no-one any favours. Single disk 2TB+ partitions will not even attract comment inside the next 5 years.

it doesn't make sense to put my boot files / os on a 2tb file system. whether or not this will eventually become a non-issue, i don't see any oses significantly moving in the opposite direction. not even windows 7 shies away from having a small boot partition.

there's also no os out there that benefits from having 2tb to move about the boot partition, let alone to house system files. that could change but not any time soon, and most definitely not in the next 5 years
Re: File descriptor - name?
that will potentially show up more than one file, not the one that was opened

On Sat, May 5, 2012 at 3:49 AM, Stuart Henderson s...@spacehopper.org wrote:
> On 2012-05-05, Andres Perera andre...@zoho.com wrote:
>> not in obsd
>>
>> plan 9/linux keep the name as it was opened
>>
>> think about hardlinks, unlinking and how the kernel only stores the inode #
>
> find(1) can search by inode number, so if you can identify that via ktrace and if the file still exists, you can use find /root/of/fs -inum 1234
Re: File descriptor - name?
not in obsd

plan 9/linux keep the name as it was opened

think about hardlinks, unlinking and how the kernel only stores the inode #

On Fri, May 4, 2012 at 11:44 PM, Alan Corey ab...@devio.us wrote:
> Is there a way to get the name of a file that's open when all you've got is a file descriptor? I'm working on porting something that I didn't write, with directories full of source. I'm seeing a problem with an ioctl being the wrong type, but I'm looking at the code where it happens, I can't see what the file descriptor passed in is pointing to. Seems like there should be a way.
>
> Alan
Re: OpenBSD 5.1 SSD
doesn't support trim. i remember reading somewhere, maybe a freebsd mailing list, that calculating when to do trim is tricky because it can only work on a specific width

On Sat, Apr 14, 2012 at 2:08 PM, Laurence Rochfort laurence.rochf...@gmail.com wrote:
> Hi,
>
> I'm considering purchasing a domestic SSD for my laptop. Does OpenBSD 5.1 support SSDs and the TRIM command if needed?
>
> Regards,
> Laurence Rochfort
Re: pf anchor strange behavior
On Thu, Apr 12, 2012 at 9:25 PM, Michel Blais mic...@targointernet.com wrote:
> Just saw something strange with inline anchor rule and macro : if I set an anchor rule with a macro inside of it and do pfctl -vnf, only the first value of the macro seems to have the anchor rule following. Every other value will be without bracket and anchor rules.
>
> Example :
>
> in the pf.conf
>
> net={ em0, em1 }
>
> anchor in on $net proto tcp to !server port { 22, 8181, 4000, 4001, 4002 } {
>         block in quick on $ext_if1 to public_router
>         pass  in quick on $ext_if1 to 216.*.*.0/24
>         pass  in quick on $ext_if1 to 216.*.*.0/24
>         pass  in quick on $ext_if2 to 96.*.*.0/24
>         pass  in quick on $ext_if1 to 207.*.*.130
>         pass  in quick on $ext_if1 to 207.*.*.128/29
>         pass  in quick on $ext_if1 to 207.*.*.136/29
>         block in  quick
>         block out quick
> }
>
> pfctl -vnf gives me this :
>
> anchor in on em0 proto tcp from any to ! server port = ssh {
>   block drop in quick on em0 from any to public_antenna
>   pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
>   pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
>   pass in quick on em0 inet from any to 207.*.*.130 flags S/SA
>   pass in quick on em0 inet from any to 207.*.*.128/29 flags S/SA
>   pass in quick on em0 inet from any to 207.*.*.136/29 flags S/SA
>   pass in quick on em1 inet from any to 96.*.*.0/24 flags S/SA
>   block drop in quick all
>   block drop out quick all
> }
> anchor in on em0 proto tcp from any to ! server port = 8181
> anchor in on em0 proto tcp from any to ! server port = 4000
> anchor in on em0 proto tcp from any to ! server port = 4001
> anchor in on em0 proto tcp from any to ! server port = 4002
> anchor in on em1 proto tcp from any to ! server port = ssh
> anchor in on em1 proto tcp from any to ! server port = 8181
> anchor in on em1 proto tcp from any to ! server port = 4000
> anchor in on em1 proto tcp from any to ! server port = 4001
> anchor in on em1 proto tcp from any to ! server port = 4002
>
> Is this a limitation of PF, an unanticipated situation or is it just cosmetic ? Maybe I misinterpreted it.

the lines directly after the braced block also trigger the braced block

it's cosmetic

> Thanks
>
> Michel
Re: How to have more than 15 pflog interfaces?
altering the max might have consequences i don't know about:

grep -nC5 PFLOGIFS_MAX /sys/net/if_pflog.h
27-#ifndef _NET_IF_PFLOG_H_
28-#define _NET_IF_PFLOG_H_
29-
30-#include <net/pfvar.h>
31-
32:#define PFLOGIFS_MAX	16
33-
34-struct pflog_softc {
35-	struct ifnet	sc_if;	/* the interface */
36-	int		sc_unit;
37-	LIST_ENTRY(pflog_softc) sc_list;

what i do know is that the actual bug is netstart unhelpfully redirecting errors to dev null on ifconfig create

if it didn't, you would have seen ifconfig: SIOCIFCREATE: Invalid argument

On Tue, Apr 10, 2012 at 12:46 AM, Siju George sgeorge@gmail.com wrote:
> Hi,
>
> I have /etc/hostname.pflog files from 1-25. but only till 15 is available through ifconfig
>
> pflog15: flags=41<UP,RUNNING> mtu 33152
>         priority: 0
>
> how do I get till pflog25?
>
> Thanks
>
> Siju
Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated
On Tue, Apr 10, 2012 at 1:53 AM, Mihai Popescu mih...@gmail.com wrote:
> Andres Perera wrote:
>> read very slowly
>>
>> if they don't use the following to boot:
>>
>> * bootp (requires more than one system)
>> * a cd (requires an optical drive)
>> * a floppy (requires a floppy drive)
>>
>> then they boot from hdd. it doesn't matter if it's usb, sata or what have you
>
> I think you are making a confusion between usb mass storage device and usb attached hdd device.

there's no distinction for the bios, which is the key part in booting a system. on x86 it looks for specific data which is common in mass storage media and hdd, *different* to cd boot and floppy boot

>> there are no official boot images for hdd. nick is aware of this, and so are the rest of the developers
>
> Yes, they do, since there is no such thing like images for hdd. I let you try to define one.

hah, dd your raw hard drive device to a usb key. you have an hdd image.

moreover, several projects either offer those, or an alternatively crafted iso which can be used for usb boot because it doesn't just have el torito boot

you are way over your head son, yet you keep insisting
Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated
On Mon, Apr 9, 2012 at 11:26 AM, Mihai Popescu mih...@gmail.com wrote: Andres Perera wrote: i don't understand why is such a simple problem turning into drama It is not. As for the understanding part, you need to identify what is stopping you in the first place - is it that english is not your first language and you don't have enough of it, or is it that you read between lines, or any other thing. Once you will find it, you can adjust it and come to an understanding. Eventually. that's outside the conditions. i am talking about a real world situation where i had ONE COMPUTER and it did not have a cd drive Nick, the FAQ and a bunch of internet out there ARE TALKING about the same thing. Didn't you really see this? that's it. there's no other way to look at it Says who? Take a look at soekris.com stuff and believe these boards are able to get OpenBSD installed on them and run it successfully. And guess what? Only ONE COMPUTER is involved to prepare the OS. read very slowly if they don't use the following to boot: * bootp (requires more than one system) * a cd (requires an optical drive) * a floppy (requires a floppy drive) then they boot from hdd. it doesn't matter if it's usb, sata or what have you there are no official boot images for hdd. nick is aware of this, and so are the rest of the developers the faq requires that you boot with bsd.rd and use that environment to install to usb media you cannot do that with a single computer that can only boot from usb hdd with the official media, so you need to install to qemu you are obviously not talking about the same situation, and neither is the other dude. more than that, you've never encountered this problem or else you'd be familiar with the requirements you are a humongous idiot Excuse my intervention, please, but your answers keep reminding me of someone I work with, who has a habit of telling people around him how they CAN'T accomplish something. Pretty useless.
Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated
nope, not all bioses like that my hp mini's bios is only willing to do hdd emulation on usb sticks, so a dd'd iso or floppy image will not suffice (and hey, this inability isn't uncommon either) On Mon, Apr 9, 2012 at 6:38 PM, Ted Unangst t...@tedunangst.com wrote: On Mon, Apr 09, 2012, Andres Perera wrote: if they don't use the following to boot: * bootp (requires more than one system) * a cd (requires an optical drive) * a floppy (requires a floppy drive) then they boot from hdd. it doesn't matter if it's usb, sata or what have you there are no official boot images for hdd. nick is aware of this, and so are the rest of the developers Copy the floppy (or cd, for that matter) image onto a USB stick. Boot from it. Problem solved.
Re: sending hex string to /dev/ttyU1
funny how so many perl people and online shellcode tutorials are ok with that contrived syntax i recommend perl -e 'print pack "i", 0x8800612a' it'll adjust to endianness as needed if you are truly interested in sending hex *strings* then it's not of much help On Sun, Apr 8, 2012 at 4:25 PM, Ted Unangst t...@tedunangst.com wrote: On Sun, Apr 08, 2012, edasky wrote: rs232 -d /dev/ttyUSB1 -s '\h 2A 61 00 06 88 01 20 87 3E \r' -r8 -hex Now I need to achieve the same result under OpenBSD (5.0) Anybody got an idea how to send such a hex string to /dev/ttyU1 ? Maybe something like perl -e 'print "\x2a\x61\x00\x88"' > /dev/ttyU1 You may need to use stty to set the speed and such first.
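The distinction the reply draws between sending a hex *string* (bytes in exactly the order written) and packing an integer (byte order decided by the host) is easy to get wrong. The following is an added example, not code from the thread, written in Python rather than perl; the sample hex sequence is the one from the quoted rs232 command, and the device path and `stty` setup are assumptions carried over from the reply.

```python
"""Added example (not from the thread): building the exact bytes to send to a
serial port from a hex *string*, versus packing an integer with struct."""
import struct

# Constructed sample taken from the rs232 command quoted in the thread.
SAMPLE_HEX = "2A 61 00 06 88 01 20 87 3E"


def hex_to_bytes(hex_string):
    """Bytes in exactly the order written ('2A 61 00 88' -> b'\\x2a\\x61\\x00\\x88').
    Accepts spaces, commas or 0x prefixes between pairs."""
    cleaned = hex_string.replace(",", " ").replace("0x", " ")
    return bytes.fromhex(cleaned)


def pack_word(value, order):
    """Pack a 32-bit unsigned value: '<' little-endian, '>' big-endian, '=' native.
    perl's pack "i" behaves like '=': the byte order follows the host CPU, so the
    same literal writes different bytes on little- and big-endian machines."""
    return struct.pack(order + "I", value)


def build_frame(hex_string, terminator=b"\r"):
    """Payload plus the carriage return the original -s '... \\r' argument appended."""
    return hex_to_bytes(hex_string) + terminator


def send_frame(device_path, frame):
    """Write the frame to a tty device unbuffered; set speed with stty(1) first
    (device path is an assumption, e.g. /dev/ttyU1 as in the thread)."""
    with open(device_path, "wb", buffering=0) as dev:
        return dev.write(frame)


if __name__ == "__main__":
    print(build_frame(SAMPLE_HEX).hex(" "))
    print(pack_word(0x8800612A, "<").hex(), pack_word(0x8800612A, ">").hex())
```

On a little-endian host `pack_word(0x8800612A, "<")` happens to give the same four bytes as `hex_to_bytes("2A 61 00 88")`, which is why the one-liner looks right there; on a big-endian host it writes them reversed, so for a fixed wire protocol build the frame from the hex string instead.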
Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated
i don't understand why is such a simple problem turning into drama On Sat, Apr 7, 2012 at 2:10 PM, Nick Holland n...@holland-consulting.net wrote: On 04/06/12 07:35, Dan Shechter wrote: Hi, Sorry for the newbie question, but what is wrong with what he is doing? Best regards, Dan First of all, OpenBSD is completely free software. we can not, nor do we want to stop anyone from making their own project (or product) based on OpenBSD. That doesn't mean we always like it. The problem comes in when people create things that are no longer OpenBSD, then the users come to our lists and developers expecting help. Or develop an opinion of OpenBSD based on these non-OpenBSD projects. This is often due to lack of maintenance on the part of those projects -- they put something together because they feel they need it, they think, this is pretty cool, set up a website, make a logo, and ta-da, a project is born...and often, that's how it stays. We also don't like misinformation...for example, this from another part of the thread: can't install in the first place if your only bootable media can be usb sticks. the alternative to downloading premade images is making them in qemu, which is more work for little gain That's ONE alternative. Roughly equivalent to turning right by turning left three times (reverse for Drive-on-Left countries). You can take your USB stick and an OpenBSD CD to any same-platform computer in the world that can boot from CD and has a USB port and build an install device there using standard processes...and you know what you have and how you got it. that's outside the conditions. i am talking about a real world situation where i had ONE COMPUTER and it did not have a cd drive that's it. there's no other way to look at it
Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated
On Fri, Apr 6, 2012 at 2:17 AM, Mihai Popescu mih...@gmail.com wrote: Andres Perera andres.p () zoho ! com if you can't install through network because you only got one machine So you can't install OpenBSD but you CAN download the pre-made OpenBSD images? need another machine for bootp and feel that guerrilla overwriting your mbr after installing the locks within another os in order to do a hdd boot is too risky, you're left with this I've used OpenBSD in a multiboot and it was working perfectly fine, no guerrilla there. can't install in the first place if your only bootable media can be usb sticks. the alternative to downloading premade images is making them in qemu, which is more work for little gain the page you linked does not provide that It does not, since the page is for a specific purpose. If you take your time and go back to the root of the FAQ you may find what you are looking for. But I guess it is nicer for you to spread crazy things on the list.
Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated
? he is hosting *pre-made* bootable usb images if you can't install through network because you only got one machine, don't have a cd drive (e.g. netbook), and feel that guerrilla overwriting your mbr after installing the locks within another os in order to do a hdd boot is too risky, you're left with this the page you linked does not provide that On Mon, Apr 2, 2012 at 1:26 AM, Jan Stary h...@stare.cz wrote: On Apr 01 21:30:58, Girish Venkatachalam wrote: After a long long time. Sigh. Please stop spreading this. All it does is give wrong instruction and diverts people who should instead read http://www.openbsd.org/faq/faq14.html#flashmemLive
Re: Is nginx to complement or replace apache?
On Thu, Mar 29, 2012 at 4:30 PM, Otto Moerbeek o...@drijf.net wrote: On Thu, Mar 29, 2012 at 01:31:17PM -0430, Andres Perera wrote: On Thu, Mar 29, 2012 at 11:29 AM, Otto Moerbeek o...@drijf.net wrote: On Thu, Mar 29, 2012 at 10:54:48AM -0430, Andres Perera wrote: On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd we...@weirdnet.nl wrote: On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote: | Instead, you'll crank your file limits to... let me guess, unlimited? | | And when you hit the system-wide limit, then what happens? | | Then it is our systems problem, isn't it. | | | i am not sure if you're suggesting that each program do getrlimit | and acquire resources based on that, because it's a pita Gee whiz, writing programs is hard! Let's go shopping! | what they could do is offer a reliable estimate (e.g. 5 open files per | tab required) Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if any) *DEAL WITH IT* but we're only talking about one resource and one error condition write wrappers for open, malloc, etc avoiding errors regarding stack limits is not as easy There are very few programs that actually hit stack limits. Most cases it's unbounded recursion, signalling an error. doesn't change the fact that preempting it takes modifying your compiler's typical function prelude (and slowing down each call) additionally, anticipating FSIZE would greatly slow down each write so no, you can't just be correct all the time and pat yourself on the back obviously there's no reason for: a. every application replicating these wrappers (how many xmallocs have you seen, honest?) and b. the system not providing a consistent api Nah, you cannot create an api for this stuff, proper error handling and adaptation to resource limits is a program specific thing.
well, if including logic that gracefully handles the stack limit is not important on the basis of most applications' needs, then i don't see how the reverse relation couldn't justify a library with xmalloc and similar. *most* applications that implement this function copy paste the same fatal version. see also `#define MIN/MAX` You just seem to argue for the sake of it. Anyway A lot of programs have a *static* limit on stack depth, so those programs do not have that problem. For programs where the stack depth is a function of the input (e.g. parsers and expression evaluation), there are well known techniques to control the maximum depth. Most of these programs actually have their own parse stack management and do not use the function stack for that. In my experience, I have only seen programs hitting the stack limit when the stack limit was very low, like 64k or so. Hitting the stack limit is not a real world problem. Our default stack limit is 4M: big enough for virtually any program, and small enough to catch unbounded recursion before it will eat all vm. Hitting mem or fd limit *is* a real world problem. Because both memory and fd usage can build up, even in a well written program. In contrast to stack usage. in my system, hitting fd limit is completely an artificial problem. i have 8 gigs of memory and struct file is 120 bytes on amd64. the default low limit is as silly as would be a 64k stack limit. if i were designing a browser for machines like these, i wouldn't waste time optimizing fd usage even if i had access to the same browser you guys use, which magically multiplexes a single socket over all connections, including ipc with child processes that house tabs and plugins like google chrome, i could afford not to give a shit when tiny fds go to waste whenever i tried the bloated alternatives And just using xmalloc or similar for those cases is often not a solution, especially not for daemon programs.
Handling resource exhaustion is a difficult problem that cannot be solved by just quitting your program, even if a lot of programs do so. -Otto
Re: Is nginx to complement or replace apache?
On Wed, Mar 28, 2012 at 4:42 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: Seeing the work that is done on nginx as Daily changelog shows I was thinking the same, that eventually nginx will replace httpd (it cannot replace apache). About that too many files open, I ran into this once, but Stuart Henderson suggested to alter the values in /etc/login.conf. I was expecting some decent values there, but I found out from FAQ that the default file has the corresponding values for the minimal hardware system OpenBSD is able to run on, so the giant machines need adjusting. On Wed, Mar 28, 2012 at 11:44 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: Baloney. If software cannot cope intelligently with soft resource limits, then such software is probably broken. Otherwise, let's just remove the entire resource limit subsystem, ok? No need to remove it I think, because the sole usage of it has a purpose since you've put it there from the start. I can't call xxxterm as being probably broken because my knowledge and position don't allow me to do that. This package asks for minimum 1024 file descriptors What happens if it opens 1025 files? and recommends 2048. What happens if it opens 2049 files? I modified openfiles-max in login.conf. That was the closest place I found to fulfill the request. The other application is shotwell, it crashes when you try to open in thumbnails mode a directory full of pictures. I don't know why the developers used the opening all files at once approach. So you crank your limits. What happens if it opens 1 file more than your limits? You crank the limits, again. What happens if it opens 1 file more than your new limits? When do you realize that you are the problem, because you don't tell the developers to fix their software so that it works in the resource limits allocated to it? Instead, you'll crank your file limits to... let me guess, unlimited? And when you hit the system-wide limit, then what happens? Then it is our systems problem, isn't it.
i am not sure if you're suggesting that each program do getrlimit and acquire resources based on that, because it's a pita what they could do is offer a reliable estimate (e.g. 5 open files per tab required)
Re: Is nginx to complement or replace apache?
On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd we...@weirdnet.nl wrote: On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote: | Instead, you'll crank your file limits to... let me guess, unlimited? | | And when you hit the system-wide limit, then what happens? | | Then it is our systems problem, isn't it. | | | i am not sure if you're suggesting that each program do getrlimit | and acquire resources based on that, because it's a pita Gee whiz, writing programs is hard! Let's go shopping! | what they could do is offer a reliable estimate (e.g. 5 open files per | tab required) Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if any) *DEAL WITH IT* but we're only talking about one resource and one error condition write wrappers for open, malloc, etc avoiding errors regarding stack limits is not as easy obviously there's no reason for: a. every application replicating these wrappers (how many xmallocs have you seen, honest?) and b. the system not providing a consistent api after you're done writing all the wrappers for your crappy browser, what do you do? notify the user that no resources can be allocated, try pushing the soft limit first, whatever. they still have to re-exec with higher limits why even bother? Note that on a busy system, the ulimit is not the only thing holding you back. You may actually run into the maximum number of files the system can have open at any given time (sure, that's also tweakable). Just doing getrlimit isn't going to be sufficient... doesn't matter Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: Is nginx to complement or replace apache?
On Thu, Mar 29, 2012 at 11:29 AM, Otto Moerbeek o...@drijf.net wrote: On Thu, Mar 29, 2012 at 10:54:48AM -0430, Andres Perera wrote: On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd we...@weirdnet.nl wrote: On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote: | Instead, you'll crank your file limits to... let me guess, unlimited? | | And when you hit the system-wide limit, then what happens? | | Then it is our systems problem, isn't it. | | | i am not sure if you're suggesting that each program do getrlimit | and acquire resources based on that, because it's a pita Gee whiz, writing programs is hard! Let's go shopping! | what they could do is offer a reliable estimate (e.g. 5 open files per | tab required) Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if any) *DEAL WITH IT* but we're only talking about one resource and one error condition write wrappers for open, malloc, etc avoiding errors regarding stack limits is not as easy There are very few programs that actually hit stack limits. Most cases it's unbounded recursion, signalling an error. doesn't change the fact that preempting it takes modifying your compiler's typical function prelude (and slowing down each call) additionally, anticipating FSIZE would greatly slow down each write so no, you can't just be correct all the time and pat yourself on the back obviously there's no reason for: a. every application replicating these wrappers (how many xmallocs have you seen, honest?) and b. the system not providing a consistent api Nah, you cannot create an api for this stuff, proper error handling and adaptation to resource limits is a program specific thing. well, if including logic that gracefully handles the stack limit is not important on the basis of most applications' needs, then i don't see how the reverse relation couldn't justify a library with xmalloc and similar. *most* applications that implement this function copy paste the same fatal version.
see also `#define MIN/MAX` after you're done writing all the wrappers for your crappy browser, what do you do? notify the user that no resources can be allocated, try pushing the soft limit first, whatever. they still have to re-exec with higher limits why even bother? Stop using the crappy program. We prefer to apply back pressure to crappy programming instead of accommodating it. -Otto Note that on a busy system, the ulimit is not the only thing holding you back. You may actually run into the maximum number of files the system can have open at any given time (sure, that's also tweakable). Just doing getrlimit isn't going to be sufficient... doesn't matter Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: Is nginx to complement or replace apache?
On Thu, Mar 29, 2012 at 12:53 PM, Claudio Jeker cje...@diehard.n-r-g.com wrote: On Thu, Mar 29, 2012 at 10:54:48AM -0430, Andres Perera wrote: On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd we...@weirdnet.nl wrote: On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote: | Instead, you'll crank your file limits to... let me guess, unlimited? | | And when you hit the system-wide limit, then what happens? | | Then it is our systems problem, isn't it. | | | i am not sure if you're suggesting that each program do getrlimit | and acquire resources based on that, because it's a pita Gee whiz, writing programs is hard! Let's go shopping! | what they could do is offer a reliable estimate (e.g. 5 open files per | tab required) Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if any) *DEAL WITH IT* but we're only talking about one resource and one error condition OMG. System calls can fail. I'm shocked. How can anything work?! write wrappers for open, malloc, etc Why wrappers? Just check the freaking return value and design your program to behave in case something goes wrong. guess what, if you do this more than once in your program you have a wrapper candidate avoiding errors regarding stack limits is not as easy Yes, so embrace them, design with failure in mind. obviously there's no reason for: a. every application replicating these wrappers (how many xmallocs have you seen, honest?) and b. the system not providing a consistent api xmalloc is a dumb interface, since it terminates the process as soon as the first malloc fails. Sure it is the right thing for processes with limited memory needs but browsers are such pigs today that you should be better than just showing an Oops, something went wrong page on next startup. after you're done writing all the wrappers for your crappy browser, what do you do? notify the user that no resources can be allocated, try pushing the soft limit first, whatever.
they still have to re-exec with higher limits Maybe you could also close some of those 999 keep-alive sessions and pre-load sessions you have open and retry. Seriously why does a web browser need 1024 file descriptors to be open at the same time? Are you concurrently reading 500 homepages? you are not expected to read 500 homepages at the same time, but you *are* expected to switch to any tab at any time, and the price of a system call to reopen the pertaining file descriptors is unacceptable why even bother? because modern browsers suck. They suck big time. They assume complete ownership of the system and think that consuming all resources just to show the latest animated gif from 4chan is the right thing. Note that on a busy system, the ulimit is not the only thing holding you back. You may actually run into the maximum number of files the system can have open at any given time (sure, that's also tweakable). Just doing getrlimit isn't going to be sufficient... doesn't matter your attitude is the reason why we need multi-core laptops with 8GB of ram to play one game of tic-tac-toe. until now it's been about the interface. glad that someone decided to be honest by saying they have bias towards the default low limits (and fitting oses in floppy disks, etc) :) -- :wq Claudio
Re: Is nginx to complement or replace apache?
On Thu, Mar 29, 2012 at 3:46 PM, Ted Unangst t...@tedunangst.com wrote: On Thu, Mar 29, 2012, Andres Perera wrote: Maybe you could also close some of those 999 keep-alive sessions and pre-load sessions you have open and retry. Seriously why does a web browser need 1024 file descriptors to be open at the same time? Are you concurrently reading 500 homepages? you are not expected to read 500 homepages at the same time, but you *are* expected to switch to any tab at any time, and the price of a system call to reopen the pertaining file descriptors is unacceptable What retarded browser are you using that needs to reopen file descriptors to switch tabs? And what retarded OS are you running where system calls are so expensive they're user noticeable? none of firefox, chrome micromanage to this extent, that's exactly the point as for the second question, it's conveniently ignoring keep-alive and *anything* interactive. re-acquiring fds *and* emptying the queue of pending actions is the cost, not the mere syscall apparently you or claudio came up with a scheduler that guesses which tabs are more important, swaps to disk the ones that aren't, and pretends their ongoing transmissions don't mean anything
Re: ksh's HISTFILE
that makes it awkward to use across sessions (defeating the point of the file) even though it does not appear to have options regarding this, bash does have a crap ton of settings regarding history handling whatever the route, i would prefer if ksh didn't have new flags added to it, but instead sensible behavior by default On Tue, Mar 13, 2012 at 9:35 PM, Claus Assmann ca+openbsd_m...@esmtp.org wrote: On Tue, Mar 13, 2012, Hugo Villeneuve wrote: On Mon, Mar 12, 2012 at 01:03:54PM +0200, lilit-aibolit wrote: export HISTFILE=~/.sh_history Because last time I tried, it was unusable if you ran more than two sessions concurrently, as both shells would use the same file directly Maybe try something like this? HISTFILE=${HOME%/}/.ksh_hist.$$
Re: SSH, root can repeat commands with up arrow, others cannot
On Sun, Mar 11, 2012 at 3:32 PM, Tobias Ulmer tobi...@tmux.org wrote: On Sun, Mar 11, 2012 at 02:43:42PM -0500, Chris Bennett wrote: This started for me a while back. Login as root, I can repeat older commands with up down arrows. History command shows history. su -l otheruser Cannot use up down arrows to access history. History command shows correct history. You most likely set EDITOR to something containing vi. ksh parses that and switches to vi mode. IMO it's a disgusting feature, but that appears to be just me. set -o emacs set +o vi after `set -o emacs`, the final line is redundant Login remotely as otheruser. Same problem. Chris Bennett
Re: pgt firmware ...
On Mon, Feb 27, 2012 at 7:52 AM, Janne Johansson icepic...@gmail.com wrote: 2012/2/27 David Walker davidianwal...@gmail.com: Thank you Peter. I still get the same error message (error line wrapped): pkg_add ./pgt-firmware-1.2p2.tgz Bad pkg_db: No such file or directory at [...] Something's wrong with my environment but what ... Yes, the thing that makes it impossible for you to run exactly what we tell you to, and instead you add ./name-of-package when pkg_add takes URLs directly. but that couldn't possibly make a difference so why do you keep repeating Now exactly what in your environment is doing that, I can't really tell. -- To our sweethearts and wives. May they never meet. -- 19th century toast
Re: FR: Make it possible to turn off untrusted users ability to read cmdline arguments of processes they don't own
they're not necessarily the arguments see setproctitle(3) and the behaviour of; e.g., sendmail, dhclient, etc On Wed, Feb 1, 2012 at 7:00 PM, Paul Dejean p...@officegps.com wrote: Even though it's bad practice, a lot of common programs will request passwords or similar sensitive information as command line arguments. For instance, curl, svn, useradd... There will usually be a way to work around doing things this way (curl can read from a config file for instance), but doing so is a hassle (have to write a new config file for each request). I would really like some way to turn the access unprivileged users have to this information on and off. Ideally I'd like it off by default in OpenBSD (secure by default). Also I would like to add, that even if you folks shoot down this FR as being an awful idea. It's good that there's an operating system community where I feel comfortable bringing up this request, where I wouldn't hear things like: You have untrusted users on your system? What a n00b All security features are off by default, why should it be our responsibility to protect admins from their stupid mistakes? omg why should you care. hunting for sensitive information? it's not like anyone actually does that
Re: looking for hardware recommendations, x86 or otherwise.
On Thu, Feb 2, 2012 at 4:38 PM, Lars nore...@z505.com wrote: Anon wrote: Obviously you don't live in a 3rd world country. I do and nothing is 50 bucks here except the women. Nobody throws anything out except dead cats and PCs cost about 350 USD for a new build based on 3-5 year old NOS parts the Americans dumped on the market after they went obsolete. Well you can get computers in Canada for under 50 dollars, so it would require shipping them. If you do it in massive bulk (pallets or containers) it only adds about 5-10 dollars extra shipping cost to each computer. And if you do it in massive bulk, it means the computer is no longer 50 dollars but a bulk discount is applied so only about $40 dollars. I have shipped containers across the ocean to other countries before with hundreds of computers across the Atlantic ocean. If you do not order them in bulk then it costs too much to ship them (more to ship them than the price of the computer itself!). It's all about bulk and quantity. So the third world country would have to gather all their funds together, and do a bulk purchase, rather than each person purchasing individually. i have to agree with troll here some countries have control de cambio which means that it's illegal to buy dollars/selected foreign currency past a certain extent on a periodic basis really, don't speculate about other places unless you know for sure The advantage of the raspberry pi is that you might be able to shove it inside a bubble padded envelope, whereas desktop computers need to be packed up on pallets and containers. Still, you need to buy LCD monitors or CRT, so the lightweight raspberry pi is a moot point, since LCD's and CRT's are heavy. Unless you already have LCD/CRT monitors and just need the PC part.
Re: use trap command in a script
signal(3): Except for the SIGKILL and SIGSTOP signals, the signal() function allows for any signal to be caught, to be ignored, or to generate an interrupt. On Thu, Jan 19, 2012 at 8:17 AM, Wesley M. open...@e-solutions.re wrote: Hi, I want to see a message on console when i send signals like HUP KILL INT and TERM using for example in a script manageprocess: #!/bin/ksh trap 'echo Kill detected!' 9 trap 'echo ctrl-c detected!' 2 run it with sudo sh manageprocess No message appears. Therefore if i run manually this : trap 'echo ctrl-c detected!' 2 it works. But trap 'echo Kill detected!' 9 doesn't work. Why? Why can't I use it in a script? Any idea ? Thank you very much.
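The signal(3) rule quoted in the reply is the whole answer: the kernel refuses to install a handler for SIGKILL (9) or SIGSTOP, so no trap on 9 can ever print anything, while HUP, INT and TERM are caught fine. The following is an added example, not from the thread, that checks this from Python rather than ksh: it tries to install a handler for a given signal number and reports whether the OS accepted it, and for catchable signals delivers one to the process itself to show the handler running.

```python
"""Added example (not from the thread): which signals a process can trap,
checked from Python rather than ksh, per the signal(3) rule quoted above."""
import os
import signal
import time


def name_of(signum):
    """Map a number as used in `trap ... 9` to its name, e.g. 9 -> SIGKILL."""
    return signal.Signals(signum).name


def can_catch(signum):
    """True if a handler can be installed for signum.
    SIGKILL and SIGSTOP are rejected by the kernel (EINVAL), so a trap on 9
    can never fire; SIGHUP, SIGINT and SIGTERM are catchable."""
    try:
        previous = signal.signal(signum, lambda *_: None)
    except (OSError, ValueError):
        return False
    signal.signal(signum, previous)  # restore the original disposition
    return True


def catchable(signums):
    """Summarise catchability for a list of signal numbers, keyed by name."""
    return {name_of(s): can_catch(s) for s in signums}


def deliver_and_record(signum, timeout=1.0):
    """Install a recording handler, send signum to ourselves, and report whether
    the handler ran. Refuses to send uncatchable signals, which would kill us."""
    if not can_catch(signum):
        return False
    seen = []
    previous = signal.signal(signum, lambda n, frame: seen.append(n))
    try:
        os.kill(os.getpid(), signum)
        deadline = time.monotonic() + timeout
        while not seen and time.monotonic() < deadline:
            time.sleep(0.01)   # Python runs the handler between bytecodes
    finally:
        signal.signal(signum, previous)
    return seen == [signum]


if __name__ == "__main__":
    print(catchable([signal.SIGHUP, signal.SIGINT, signal.SIGKILL,
                     signal.SIGTERM, signal.SIGSTOP]))
    print("SIGTERM handler ran:", deliver_and_record(signal.SIGTERM))
```

The numeric values 9 and 2 used in the script are the same on Linux and the BSDs (SIGKILL and SIGINT); `name_of` resolves whatever the local platform assigns, which is the safer way to write a trap on a system you do not control.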
Re: Install without the DNS domain name from DHCP
On Sun, Jan 1, 2012 at 4:22 PM, bofh goodb...@gmail.com wrote: On Sun, Jan 1, 2012 at 2:47 PM, Josh Jevosh jev...@gmail.com wrote: Hello. I'm installing OpenBSD 5.0. When I configure the networking to DHCP it goes ahead and sets the DNS domain name to something that it got from my ISP. I would like to only use the short name that I specified as the hostname as the entire hostname excluding the rest of it that comes from my ISP. How do I do that? You want to play with the options in /etc/dhclient.conf. I have supersede host-name and supersede domain-name in mine. However, I don't know if you can use supersede domain-name ""; this constantly comes up on the list for some reason. it shouldn't because it doesn't do anything once you actually test it, you'll see that setting an option to the empty string is the same as not setting the option at all (so dhclient falls back to defaults) maybe it needs to be documented somewhere... as a valid option. The better way is probably to include a search line in resolv.conf for the domain you are going to use (or the domain your ISP gives you). Or get a free one from dyndns.org (or any other free ones). Everyone should really use FQDN - short names suck and make people lazy. -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=30v_g83VHK4
Re: PF Snort tutorial
2012/1/3 Bentley, Dain dbent...@nas.edu I've been looking around for a good tutorial on implementing snort with PF and everything I see is old, does anyone know of or have implemented a solution using an IDS/IPS with PF on the same box? If possible I'd like snort or some other IDS to inspect packets and have pf drop them based on the fact they match certain signatures. Thanks in advance. Implementing that is really a pain in the hell out..I did it on a 4.9, i needed to do it from sources, there is no complete tutorial, it works on 4.9, not implemented with PF though... Greetings... -- Sincerely Andris Genovez Tobar / Elastix Technician ECE - Linux LPI-1 - Novell CLA - Apple ACMT http://www.puntonet.ec
Re: ccd(4) hangs system on two IDE disks concatenation attempt
that's interesting raises a couple of questions: is softraid to have functions found in generic volume managers such as zfs and lvm? the answer doesn't really matter because it's a fact that crypto isn't a raid discipline given that, is softraid a poor name for what it offers? On Mon, Dec 12, 2011 at 5:28 AM, Stuart Henderson s...@spacehopper.org wrote: On 2011-12-12, Pavel Shvagirev pavel.shvagi...@gmail.com wrote: You are right. The more better way would be buying a bigger storage, or writing a concatenation backend for softraid(4). softraid_raid0.c would be a good starting point.
Re: What is wrong with this pf config
On Sun, Dec 11, 2011 at 3:29 PM, John Tate <j...@johntate.org> wrote:
> I am not replying to every thread on the list. You either have me confused with someone else or there is some kind of imposter or person with a similar name. I'm confused I should say.
>
> This was something constructive to say regardless, it was an idea. I remember last time I was using OpenBSD (I had a hiatus) and mmap changes broke a lot of ports. There is supposed to be an emphasis on security, not your scripts. OpenBSD warns about mistakes, it emails you about your mistakes, and it could point out this mistake as well.

not having block as default isn't really a mistake, unless pfctl can read your mind

if you don't have daemons listening then what's the point of blocking ports?

just an example of many situations that could occur

> On Mon, Dec 12, 2011 at 5:55 AM, James Shupe <jsh...@osre.org> wrote:
>> No. Modifying a general purpose tool for a specific (albeit common) use case is stupid. Any properly implemented warning would cause pfctl to exit non-zero, which would break automated scripts that check the exit code of pfctl. You would have to add a whole new option to ignore your specific use case, and even that would require modifying existing scripts.
>>
>> I wish they would ban you from this list already. I'm sick of seeing your reply to every thread when you never have anything constructive to say.
>
> I am not replying to every thread on the list. You either have me confused with someone else or there is some kind of imposter or person with a similar name. I'm confused I should say.
>
> This was something constructive to say regardless, it was an idea. I remember last time I was using OpenBSD (I had a hiatus) and mmap changes broke a lot of ports. There is supposed to be an emphasis on security, not your scripts. OpenBSD warns about mistakes, it emails you about your mistakes, and it could point out this mistake as well. Perhaps it could be for security(8) to do instead actually.
>
> I don't know, I didn't design the fucking system, it was just a suggestion.
>
>> On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
>>> It's just whining! Perhaps it should only do it if it has an Internet IP address, not a LAN or WAN one involved.
>>>
>>> On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson <icepic...@gmail.com> wrote:
>>>> 2011/12/11 John Tate <j...@johntate.org>
>>>>> So I have a suggestion worth considering, if the line block in all does not appear pfctl -nf should perhaps spit out a warning. Much like you've done with your pretty compilers over there.
>>>>
>>>> There are still lots of reasons to run PF even if you don't want block in all for a default, so whining on all the other uses you couldn't imagine would not be very productive.
>>>
>>> --
>>> To our sweethearts and wives. May they never meet. -- 19th century toast
>>>
>>> --
>>> www.johntate.org
Re: What is wrong with this pf config
On Sun, Dec 11, 2011 at 4:29 PM, John Tate <j...@johntate.org> wrote:
> On Mon, Dec 12, 2011 at 7:47 AM, Andres Perera <andre...@zoho.com> wrote:
>> On Sun, Dec 11, 2011 at 3:29 PM, John Tate <j...@johntate.org> wrote:
>>> I am not replying to every thread on the list. You either have me confused with someone else or there is some kind of imposter or person with a similar name. I'm confused I should say.
>>>
>>> This was something constructive to say regardless, it was an idea. I remember last time I was using OpenBSD (I had a hiatus) and mmap changes broke a lot of ports. There is supposed to be an emphasis on security, not your scripts. OpenBSD warns about mistakes, it emails you about your mistakes, and it could point out this mistake as well.
>>
>> not having block as default isn't really a mistake, unless pfctl can read your mind
>>
>> if you don't have daemons listening then what's the point of blocking ports?
>
> If you don't have daemons listening then why the hell are you using an operating system with so much security on networks.

because i might be a desktop user

i use obsd on my main machine and a netbook

the netbook normally doesn't have any daemons listening outside localhost, but i still use pf for other reasons, such as managing routing domains

pf has queue and logging functions as well... not every config is going to center around acl

even for those that have daemons facing hostile networks, their admins may choose a black list policy instead

>> just an example of many situations that could occur
>>
>>> On Mon, Dec 12, 2011 at 5:55 AM, James Shupe <jsh...@osre.org> wrote:
>>>> No. Modifying a general purpose tool for a specific (albeit common) use case is stupid. Any properly implemented warning would cause pfctl to exit non-zero, which would break automated scripts that check the exit code of pfctl. You would have to add a whole new option to ignore your specific use case, and even that would require modifying existing scripts.
>>>>
>>>> I wish they would ban you from this list already. I'm sick of seeing your reply to every thread when you never have anything constructive to say.
>>>
>>> I am not replying to every thread on the list. You either have me confused with someone else or there is some kind of imposter or person with a similar name. I'm confused I should say.
>>>
>>> This was something constructive to say regardless, it was an idea. I remember last time I was using OpenBSD (I had a hiatus) and mmap changes broke a lot of ports. There is supposed to be an emphasis on security, not your scripts. OpenBSD warns about mistakes, it emails you about your mistakes, and it could point out this mistake as well. Perhaps it could be for security(8) to do instead actually.
>>>
>>> I don't know, I didn't design the fucking system, it was just a suggestion.
>>>
>>>> On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
>>>>> It's just whining! Perhaps it should only do it if it has an Internet IP address, not a LAN or WAN one involved.
>>>>>
>>>>> On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson <icepic...@gmail.com> wrote:
>>>>>> 2011/12/11 John Tate <j...@johntate.org>
>>>>>>> So I have a suggestion worth considering, if the line block in all does not appear pfctl -nf should perhaps spit out a warning. Much like you've done with your pretty compilers over there.
>>>>>>
>>>>>> There are still lots of reasons to run PF even if you don't want block in all for a default, so whining on all the other uses you couldn't imagine would not be very productive.
>>>>>
>>>>> --
>>>>> To our sweethearts and wives. May they never meet. -- 19th century toast
>>>>>
>>>>> --
>>>>> www.johntate.org
>
> --
> www.johntate.org
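The check John asks for, placed where the thread ends up suggesting it belongs (a security(8)-style audit rather than a pfctl warning, so pfctl's exit status is untouched), as an added example. This is my code, not anything posted in the thread; it assumes the normalized rule shape `pfctl -sr` prints (`block [return|drop|...] [in|out] [log [(...)]] [quick] [all]` for a rule with no interface, address, protocol or port restriction) and the sample rulesets in it are constructed for a stand-alone run.

```sh
#!/bin/sh
# Added example (not code from the thread): the "is there a catch-all block?"
# check, done as a security(8)-style audit over the loaded ruleset instead of
# a pfctl warning, so pfctl's exit status is untouched. Reads rules on stdin,
# normally from `pfctl -sr`, whose output has the shape
#   block [return|drop|...] [in|out] [log [(...)]] [quick] [all]
# for a rule with no interface, address, protocol or port restriction.

# has_default_block: exit 0 if some rule in the input blocks everything
has_default_block() {
    grep -E -q '^block( (drop|return|return-rst|return-icmp6?(\([^)]*\))?))?( (in|out))?( log( \([^)]*\))?)?( quick)?( all)?[[:space:]]*$'
}

# audit_rules: one line of output, in the style security(8) mails to root.
# A missing default block is reported, not treated as an error: as the
# thread notes, pf is also used for queueing, logging and routing domains.
audit_rules() {
    if has_default_block; then
        echo "pf: default block rule present"
    else
        echo "pf: WARNING: no catch-all block rule in the loaded ruleset"
    fi
    return 0
}

# Constructed sample rulesets (what `pfctl -sr` prints), so the script can
# be run on a host without pf.
RULES_STRICT='block drop in log all
pass out quick all flags S/SA
pass in on em0 inet proto tcp from any to (em0) port = 22 flags S/SA'

RULES_OPEN='match out on egress inet from ! (egress:network) to any nat-to (egress:0)
block drop in on egress inet proto tcp from any to any port = 25
pass all flags S/SA'

main() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -sr 2>/dev/null | audit_rules      # the live ruleset on OpenBSD
    else
        printf '%s\n' "$RULES_STRICT" | audit_rules
        printf '%s\n' "$RULES_OPEN" | audit_rules
    fi
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run with `--run` from /etc/daily.local or a security(8) hook; the only effect is a line in root's mail, which is the compromise between James's objection (nothing in pfctl changes) and John's wish to be told.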
Re: OpenBSD PF tables
the documentation is pretty clear by saying that tables can only hold addresses, not a random set of numbers

On Thu, Dec 8, 2011 at 6:41 AM, John Tate <j...@johntate.org> wrote:
> Misc,
>
> I have successfully got an OpenBSD machine to connect via ADSL and forward packets, I am gradually upgrading my pf.conf. I am having trouble with this configuration (ignore some obvious bugs related to table names where tables are defined and the rules I have seen them).
>
> At the moment I am working on doing some things as tables. I want tables to hold the ports, but it appears perhaps they can only hold IP addresses. The following tables do not work from line 10-11...
>
> table <etcpserv> { 22 }
> table <itcpserv> { 22, 53 }
>
> The whole thing is here: http://pastebin.com/VuLNW9Ph
>
> John Tate
>
> --
> www.johntate.org
Re: OpenBSD PF tables
define the list of ports as a macro and use pfctl -D

not much adding as it is replacing the whole list:

$ echo 'pass proto udp from port $pl' | pfctl -nvf- -Dpl='{1 2 3}'
pass proto udp from any port = 1 to any
pass proto udp from any port = 2 to any
pass proto udp from any port = 3 to any

On Thu, Dec 8, 2011 at 6:45 AM, John Tate <j...@johntate.org> wrote:
> Is there a way to have it so I can add ports from the command line if I can't use tables?
>
> On Thu, Dec 8, 2011 at 10:14 PM, Peter Hessler <phess...@theapt.org> wrote:
>> Yes, tables in PF only support IP addresses.
>>
>> On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
>> :At the moment I am working on doing some things as tables. I want tables to
>> :hold the ports, but it appears perhaps they can only hold IP addresses. The
>> :following tables do not work from line 10-11...
>>
>> --
>> Renning's Maxim: Man is the highest animal. Man does the classifying.
>
> --
> www.johntate.org
Re: OpenBSD PF tables
i would concur that anchors are cleaner than redefining macros, but they do require rewriting rules

On Thu, Dec 8, 2011 at 7:23 AM, Bret S. Lambert <bret.lamb...@gmail.com> wrote:
> Take a look at pf anchors.
>
> On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:
>> Is there a way to control ports on a filter from the command line? I guess I just have to manually add and delete rules.
>>
>> On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera <andre...@zoho.com> wrote:
>>> the documentation is pretty clear by saying that tables can only hold addresses, not a random set of numbers
>>>
>>> On Thu, Dec 8, 2011 at 6:41 AM, John Tate <j...@johntate.org> wrote:
>>>> Misc,
>>>>
>>>> I have successfully got an OpenBSD machine to connect via ADSL and forward packets, I am gradually upgrading my pf.conf. I am having trouble with this configuration (ignore some obvious bugs related to table names where tables are defined and the rules I have seen them).
>>>>
>>>> At the moment I am working on doing some things as tables. I want tables to hold the ports, but it appears perhaps they can only hold IP addresses. The following tables do not work from line 10-11...
>>>>
>>>> table <etcpserv> { 22 }
>>>> table <itcpserv> { 22, 53 }
>>>>
>>>> The whole thing is here: http://pastebin.com/VuLNW9Ph
>>>>
>>>> John Tate
>>>>
>>>> --
>>>> www.johntate.org
>>
>> --
>> www.johntate.org
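The two command-line approaches from this thread side by side, as an added example: Andres's macro redefined with `pfctl -D` (the whole list replaced on every load) and Bret's anchor whose rules are regenerated and reloaded on their own. The script is mine, not any poster's; the anchor name `svc`, the `egress` group and the `/etc/pf.conf` path are assumptions. Because the port list arrives from the command line, it is validated first: a string passed unchecked into a ruleset would let a caller splice in arbitrary rules.

```sh
#!/bin/sh
# Added example (not code from the thread): a port list maintained from the
# command line either as a pf macro (pfctl -D) or as the contents of an
# anchor (pfctl -a). Assumes the main ruleset contains the line
#   anchor "svc"
# for the anchor method, and references $pl for the macro method.

# valid_ports PORT...: every argument must be an integer in 1..65535.
# Anything else (including a string like "22; pass all") is rejected.
valid_ports() {
    [ $# -gt 0 ] || return 1
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# macro_arg PORT...: the -D argument, e.g. pl={22 53}
macro_arg() {
    valid_ports "$@" || return 1
    printf 'pl={%s}' "$*"
}

# anchor_rules PORT...: one pass rule per port, to be loaded into the anchor
anchor_rules() {
    valid_ports "$@" || return 1
    for p in "$@"; do
        printf 'pass in on egress inet proto tcp from any to (egress) port %s\n' "$p"
    done
}

# load PORT...: apply via METHOD=macro or METHOD=anchor (default).
# pfctl -n parses first, so a bad ruleset never replaces the live one.
load() {
    ports=$*
    case ${METHOD:-anchor} in
        macro)
            arg=$(macro_arg $ports) || return 1
            pfctl -n -D "$arg" -f /etc/pf.conf && pfctl -D "$arg" -f /etc/pf.conf ;;
        anchor)
            rules=$(anchor_rules $ports) || return 1
            printf '%s\n' "$rules" | pfctl -a svc -n -f - &&
            printf '%s\n' "$rules" | pfctl -a svc -f - ;;
        *)  echo "unknown METHOD: $METHOD" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = "--load" ]; then
    shift
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; exit 1; }
    load "$@"
fi
```

The difference Andres points at is visible in `load`: the macro method re-parses the whole of /etc/pf.conf, while the anchor method touches only the anchor, so the main ruleset (and its states) stays as it was.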
Re: RAM seen vs. RAM available HP ML 570 G2
On Tue, Dec 6, 2011 at 11:18 PM, Stefan Johnson <tigerphoenixdra...@gmail.com> wrote:
> Hello all. Today I replaced OpenSuSE with OpenBSD 5.0 on my HP ML 570 G2 server.

well, you should have searched for openbsd and PAE :)

i don't think they're going to bother at this point, but don't take my word for it

> The system includes two memory boards for RAM. One board has 8 gigs, and the other has 4. The power on self test sees 12 and initializes 12, but after the server boots, OpenBSD appears to only see 4. I believe this relates to 32 vs 64 bit, but I'm not positive.
>
> The version I installed was i386, not amd64. The processors are Xeon MP 2.2Ghz which only have 32 bit instruction sets, which is why I chose i386. Here is a link to the processor specs that show this: http://ark.intel.com/products/27300/Intel-Xeon-Processor-2_20-GHz-2M-Cache-400-MHz-FSB
>
> The FAQ mentions a trick for utilizing more RAM when all of the RAM isn't seen using boot.conf at this link: http://www.openbsd.org/faq/faq4.html#InstProb
>
> However, this is for such a small amount of RAM in the given example, that I'm not sure this would work for me. Can anyone confirm that I'm pretty much stuck with only being able to utilize 1/3 of the full potential, or whether the above trick might actually work (using appropriate size values, of course)?
>
> Thanks for any help on this!
>
> Stefan Johnson
>
> Below is dmesg and sysctl output for my box with the GENERIC MP kernel:
>
> OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Intel(R) Xeon(TM) MP CPU 2.20GHz (GenuineIntel 686-class) 2.20 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
> real mem  = 4026036224 (3839MB)
> avail mem = 3950120960 (3767MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (92 entries)
> bios0: vendor HP version P32 date 04/26/2005
> bios0: HP ProLiant ML570 G2
> acpi0 at bios0: rev 0
> acpi0: sleep states S0 S4 S5, can't enable ACPI
> mpbios0 at bios0: Intel MP Specification 1.4
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 99MHz
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Xeon(TM) MP CPU 2.20GHz (GenuineIntel 686-class) 2.20 GHz
> cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Xeon(TM) MP CPU 2.20GHz (GenuineIntel 686-class) 2.20 GHz
> cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Xeon(TM) MP CPU 2.20GHz (GenuineIntel 686-class) 2.20 GHz
> cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
> mpbios0: bus 0 is type PCI
> mpbios0: bus 1 is type PCI
> mpbios0: bus 5 is type PCI
> mpbios0: bus 9 is type PCI
> mpbios0: bus 13 is type PCI
> mpbios0: bus 16 is type ISA
> ioapic0 at mainbus0: apid 8 pa 0xfec0, version 11, 16 pins
> ioapic1 at mainbus0: apid 9 pa 0xfec01000, version 11, 16 pins
> ioapic2 at mainbus0: apid 10 pa 0xfec02000, version 11, 16 pins
> ioapic3 at mainbus0: apid 11 pa 0xfec03000, version 11, 16 pins
> bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xee000/0x2000!
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 ServerWorks CMIC-HE rev 0x22
> pchb1 at pci0 dev 0 function 1 ServerWorks CMIC-HE rev 0x00
> pci1 at pchb1 bus 1
> ppb0 at pci1 dev 2 function 0 IBM 133 PCIX-PCIX rev 0x03
> pci2 at ppb0 bus 2
> ciss0 at pci2 dev 4 function 0 Compaq Smart Array 64xx rev 0x01: apic 8 int 15
> ciss0: 3 LDs, HW rev 1, FW 2.84/2.84, 64bit fifo
> scsibus0 at ciss0: 3 targets
> sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 2.84 SCSI2 0/direct fixed
> sd0: 69459MB, 512 bytes/sector, 142253280 sectors
> sd1 at scsibus0 targ 1 lun 0: HP, LOGICAL VOLUME, 2.84 SCSI2 0/direct fixed
> sd1: 70001MB, 512 bytes/sector, 143363040 sectors
> sd2 at scsibus0 targ 2 lun 0: HP, LOGICAL VOLUME, 2.84 SCSI2 0/direct fixed
> sd2: 140006MB, 512 bytes/sector, 286734240 sectors
> Compaq PCI Hotplug rev 0x14 at pci1 dev 30 function 0 not configured
> pchb2 at pci0 dev 0 function 2 ServerWorks CMIC-HE rev 0x00
> pci3 at pchb2 bus 9
> Creative Labs SoundBlaster Audigy LS rev 0x00 at pci3 dev 1 function 0 not configured
> pchb3 at pci0 dev 0 function 3 ServerWorks CMIC-HE rev 0x00
> Compaq Netelligent ASMC rev 0x00 at pci0 dev 2 function 0 not configured
> fxp0 at pci0 dev 4 function 0 Intel 8255x rev 0x08, i82559: apic 8 int 10, address 00:12:79:cc:74:78
> inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
> piixpm0 at pci0 dev 15 function 0 ServerWorks CSB5 rev
Re: Short adsuck guide (local resolver setup)
i don't get why you are setting nameservers in resolv.conf since dhclient will eventually override those?

On Mon, Dec 5, 2011 at 8:39 AM, Sime Ramov <s...@ramov.com> wrote:
> http://ramov.com/doc/adsuck.html
>
> Let me know if you notice anything amiss.
>
> -Sime
Re: Short adsuck guide (local resolver setup)
afaik, _PATH_RESCONF is hardcoded into the resolver functions

i guess adsuck ships with its own duplicated routines

On Mon, Dec 5, 2011 at 10:12 AM, Šime Ramov <s...@ramov.com> wrote:
>> i don't get why you are setting nameservers in resolv.conf since dhclient will eventually override those?
>
> That's `/var/adsuck/files/resolv.conf`, not the main one.
Re: Narcicism?
2011/12/1 John Tate <j...@johntate.org>
> On Thu, Dec 1, 2011 at 7:20 PM, Scott McEachern <sc...@blackstaff.ca> wrote:
>> On 12/01/11 02:28, John Tate wrote:
>>> I think I've found a bug in the OpenBSD crowd. They bug the hell out of me and my little mistakes. I am not talking about people who actually have a solution, but I can't seem to ask anything on this list without parrots coming along picking on me. I think some people just hang out here because it's the most anal bunch of hackers ever, in recorded history. What are your experiences?
>
> I'm 24 years old. I was a Linux hacker since I was 13. I am a bit of a guru and do my own Kerberos and such on an all BSD/Linux network. OpenBSD and Debian Linux. I love OpenBSD, I'm a bit weird because I use bash. I can put up with being made fun of. At 13 I didn't just start learning Linux I started learning C++ as well. I failed to apprehend it properly at that age, but at an older age I relearned it well. I am the guru sort of guy, I know a hell of a lot but I'm still connecting it and in that sense still learning.

One thing to point out: when you are a real hacker, you don't call yourself one, people do. When you are a real guru, you don't call yourself one, people do.

I don't have a big knowledge of OpenBSD, I must say I am just starting, but the first lesson I learned: don't ask stupid questions on a list or I will get a payback. In some way I understand your frustration...

Peace.

>>> Is it true that occasionally we attract people who either love bullying or are just lazy and pretending to be one of the clever?
>
> Well I get messages that are worthless and seem to be insults.
>
>>> It just figures some of these people sit on the list, and email you poorly researched crap with no answers contain. If you hate a question, it truly doesn't belong, bug me. But if you just can't answer a question, ignore it.
>>>
>>> John Tate.
>>>
>>> Note: Yes, it's not my list.
>>
>> John, if you don't mind, I'll give you some advice:
>>
>> Do your homework before posting to the list. Your basic instinct is to click Send instead of thinking first. I've lost count of how many of your posts were retracted by yourself, with a big oops, my bad or were replied to with RTFM-type responses. I got a kick out of one retraction where you said something like Sorry, I was drunk.
>>
>> You're obviously new here. Sure, it's a tough crowd at times, but that only happens when people don't bother reading the FAQ, or the man pages, or trying things out for themselves. A lot of people have asked stupid questions or said something dumb -- myself included -- and got painful responses. I've had my share of facepalm experiences and had my ass handed to me plenty of times, but I deserved it. But you know what? I try to not make a regular occasion of it. It seems you do.
>>
>> I help a lot of people off-list, and I know for a fact many others do the same. I've found through years of experience there are two kinds of people on this list: those that need a little help and pointed in the right direction, and those that need their hands held for every step. Guess which category I put you in? And that's exactly why I've helped you a grand total of zero times.
>>
>> Now you have the gall to come on this list and insult the people that are trying to help you. I don't think there's anyone on this list that sits idly, waiting for an opportunity to pick on or bully someone.
>>
>> Get a grip, get some thicker skin, and most of all, RTFM first. I guarantee that if you take my advice, you'll find this list to be a very, very valuable resource. Remember, there is a difference between *reading* and *comprehension*. Work a little harder on the latter and I think you'll find you won't be picked on.
>>
>> Stop playing the victim. You're not the first and it's old.
>>
>> --
>> Scott McEachern
>> https://www.blackstaff.ca
>
> --
> www.johntate.org

--
Atentamente
Andris Genovez Tobar / Tecnico Elastix
ECE - Linux LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec
Re: Narcicism?
http://johntate.org/fact/johntate I now have 7 years of experience in FreeBSD/OpenBSD On Thu, Dec 1, 2011 at 2:58 AM, John Tate j...@johntate.org wrote: I think I've found a bug in the OpenBSD crowd. They bug the hell out of me and my little mistakes. I am not talking about people who actually have a solution, but I can't seem to ask anything on this list without parrots coming along picking on me. I think some people just hang out here because it's the most anal bunch of hackers ever, in recorded history. What are your experiences? Is it true that occasionally we attract people who either love bullying or are just lazy and pretending to be one of the clever? It just figures some of these people sit on the list, and email you poorly researched crap with no answers contain. If you hate a question, it truly doesn't belong, bug me. But if you just can't answer a question, ignore it. John Tate. Note: Yes, it's not my list. -- www.johntate.org
Re: how to find dependencies when building a new kernel
On Tue, Nov 29, 2011 at 4:35 AM, T. Valent <tmp...@4ss.de> wrote:
> Hi!
>
> I'm trying to build a new kernel. However, while compiling I get complaints about undefined references like this:
>
> ld -Ttext 0xD0200120 -e start -N --warn-common -S -x -o bsd ${SYSTEM_HEAD} vers.o ${OBJS}
> machdep.o(.text+0x2791): In function `sys_sigreturn':
> : undefined reference to `fpu_mxcsr_mask'

andres@pote:~ $ grep -rw fpu_mxcsr_mask /sys/arch/i386
...
/sys/arch/i386/include/npx.h:extern uint32_t fpu_mxcsr_mask;
/sys/arch/i386/isa/npx.c:uint32_t fpu_mxcsr_mask;
...
andres@pote:~ $ grep -rw npx /sys/arch/i386/conf/files.i386
/sys/arch/i386/conf/files.i386:device npx
/sys/arch/i386/conf/files.i386:attach npx at isa
/sys/arch/i386/conf/files.i386:file arch/i386/isa/npx.c npx needs-flag

> The above line is just an example. I have poked around with more or less guessing what could be missing, but after 2 days I'm quite sure I need a general solution to finding the dependencies instead of guessing. I have no skills in kernel coding. I wonder if there's a good way to find out which part I am missing in the config file(s).

note how the grep commands required no kernel coding skills

> This is what I do: edit /usr/src/sys/conf/GENERIC
>
> I'm fine with this so far. Now to edit /usr/src/sys/arch/i386/conf/GENERIC I do dmassage -t

i might be wrong, but is this really aggressive auto spelling corrector for dmesg?

> and make sure all the hardware I need is included in my config file. I'm quite sure I've included everything I need, I get the above mentioned problems, which I understand as dependencies. However, I just don't know how to find out which line of the config file I have to include to solve this.
>
> I know I am recommended to use the generic kernel. I need the kernel for an embedded device where the hardware is well known in detail, it is always the same, will not change and memory is very limited. So I need to get rid of the unnecessary stuff in the kernel.
>
> Thanks in advance!
> T.
Re: how to find dependencies when building a new kernel
reading npx(4) gives a really strong clue as to why you shouldn't custom compile until you're familiar with everything:

    The npx driver is required for proper system functioning regardless of whether or not an NPX is present.

so there's no 1:1 mapping between the devices you have and the ones you may need included in the kernel config. could potentially apply to other drivers, so why waste time figuring out which ones fall under this category and which ones don't?

as for your searches, they don't include the struct definition

i can't recall the name of the doc (possibly hosted at openbsd.org) that explains the layout, but basically, you got the base /sys/conf/files and arch-specific ones. you are only searching in arch specific files

so far you have many factors contributing against you being able to custom compile:

- don't know c
- don't know the kernel source file layout
- doesn't bother looking at official documentation regarding kernel compilation process

On Tue, Nov 29, 2011 at 7:06 AM, T. Valent <tmp...@4ss.de> wrote:
> Andres, may I kindly ask one more question, I'm sure after that I'll get it right myself. See:
>
> # make
> ld -Ttext 0xD0200120 -e start -N --warn-common -S -x -o bsd ${SYSTEM_HEAD} vers.o ${OBJS}
> acpi_machdep.o(.text+0xcf): In function `acpi_sleep_machdep':
> : undefined reference to `mem_range_softc'
> [...]
> # grep -rw mem_range_softc /sys/arch/i386
> [...]
> /sys/arch/i386/i386/mem.c:struct mem_range_softc mem_range_softc;
> [...]
> # grep -rw mem /sys/arch/i386/conf/files.i386
> /sys/arch/i386/conf/files.i386:file    arch/i386/i386/mem.c
>
> Still I don't know which option/line is missing. There is no such thing as i386 in GENERIC, from which I derive my config.
>
> Thanks in advance.
> T.
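The grep sequence Andres walks through (symbol, defining .c file, the `file` line in files.*), folded into a script, as an added example that is not from the thread. It assumes the config(8) `files` format (`file <path> [<attribute>...] [needs-flag|needs-count]`, where the attribute is the device or option that must appear in the kernel config), searches both the base `conf/files` and the `arch/*/conf/files.*` that Andres says the original greps missed, and treats a file-scope, non-extern mention of the symbol as the definition (kernel style puts those at column 0). `SYS` defaults to /sys; the tree the test builds is constructed.

```sh
#!/bin/sh
# Added example (not code from the thread): map an "undefined reference to X"
# from the kernel link to the files.* line(s) that compile X's definition, so
# the missing config(8) attribute can be read off rather than guessed.
# Assumes the config(8) files format:
#   file <path> [<attribute>...] [needs-flag|needs-count]
# SYS points at the kernel source tree (default /sys).

# defining_files SYMBOL: .c files under $SYS with a file-scope mention of
# SYMBOL that is not an extern declaration. Heuristic: kernel style puts
# definitions at column 0 and indents function bodies, so uses inside a
# function in some other file are not counted.
defining_files() {
    grep -rlw --include='*.c' -e "$1" "${SYS:-/sys}" 2>/dev/null |
    while IFS= read -r f; do
        grep -Ew -e "$1" "$f" | grep -E '^[A-Za-z_]' |
            grep -Evq '^extern[[:space:]]' && printf '%s\n' "$f"
    done
}

# config_lines SYMBOL: the "file ..." lines in conf/files and
# arch/*/conf/files.* that name a defining file, as path-relative entries
config_lines() {
    sys=${SYS:-/sys}
    defining_files "$1" | while IFS= read -r f; do
        rel=${f#"$sys"/}
        grep -HwF -e "$rel" "$sys"/conf/files "$sys"/arch/*/conf/files.* 2>/dev/null |
            grep -E ':file[[:space:]]'
    done
}

# needed_attr SYMBOL: the attribute (device/option) that pulls the file in,
# i.e. the word after the path; empty when the file is unconditional
needed_attr() {
    config_lines "$1" | head -n 1 |
        awk '{ print ($3 == "needs-flag" || $3 == "needs-count") ? "" : $3 }'
}

if [ $# -eq 1 ]; then
    # e.g. SYS=/usr/src/sys ./kdep.sh fpu_mxcsr_mask
    config_lines "$1"
    attr=$(needed_attr "$1")
    [ -n "$attr" ] && echo "add to the kernel config: $attr"
fi
```

For T. Valent's second case the result is empty: `mem.c` is listed with no attribute, so it is not something a config line can switch on, which is the "no 1:1 mapping" point Andres makes about npx(4) seen from the other side.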
Re: Kernel without INET6 error on pipex.c
On Thu, Nov 24, 2011 at 6:42 AM, Rod Whitworth <glis...@witworx.com> wrote:
> On Thu, 24 Nov 2011 10:09:31 +, Julien Crapovich wrote:
>> Hello.
>>
>> Absolutely, but compiling without INET6 is not supposed to generate error. I've just disabled INET6 on GENERIC file, not other hack.
>
> You are the only one who knows exactly what you did. Maybe. Why should we waste time guessing?
>
> It's a pretty damn stupid thing to do anyway when it is so easy to block v6 traffic using GENERIC and, BTW, your kernel is NOT GENERIC. It doesn't matter that you were too ignorant to change the name...

i don't understand what renaming the kernel has to do with anything

the op is right in that rmoption INET6 is broken, end of

whether that define was meant for developers only or not is another matter

> R/
> *** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thankyou. Rod/
> --- This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: DNS Google ?
On Tue, Nov 22, 2011 at 2:56 PM, Lars Hansson <romaby...@gmail.com> wrote:
> On Wed, Nov 23, 2011 at 3:14 AM, patrick keshishian <pkesh...@gmail.com> wrote:
>> Unless I'm misreading you, what you say doesn't make much sense.
>
> It makes perfect sense and is in fact also the recommended way to run BIND.

not only recommended by bind books -- djbdns/cache forces a minimum of two processes

bind tries to do everything at once...

>> The setup you suggest is more involved. Two servers: one resolving, and the other dealing w/the authoritative responses.
>
> They don't have to be two different servers, just two different processes on the same server.
>
> ---
> Lars
Re: What is wrong with this pf config
On Mon, Nov 21, 2011 at 3:45 AM, John Tate <j...@johntate.org> wrote:
> I am having troubles with this pf configuration, it seems when loaded nothing can access my server on the internal interface for the LAN, I cannot see why, and it's pretty much based off the very standard example in the OpenBSD faq.

assuming your internal net is connected to int_if:

none of your rules even mention your local network and you block by default, so yeah

if int_if isn't part of the int net, please rename the macro to avoid confusion

> When I unload the configuration, I can access the DNS server on the firewall running this configuration. It seems to forward everything through to the Internet, but blocks DNS which makes it pretty useless. I've looked at it at least five times...
>
> [john@baal ~$ cat /etc/pf.conf
> int_if=xl0
> ext_if=tun0
> rothbard=10.0.0.10
> baal=10.0.0.2
> smass=10.0.0.1
> tcp_services={22}
> icmp_types=echoreq
> set block-policy return
> set loginterface $ext_if
> set skip on lo
> match out on egress inet from !(egress:network) to any nat-to (egress:0)

you're not passing these packets

> block in log
> pass out quick
> antispoof quick for { lo $int_if }
> pass in on egress inet proto tcp from any to (egress) \
>     port $tcp_services

i highly doubt you are setting up a public dns server intentionally. if this is the case, make it clear that you are

> #After this goes forwarded ports... Probably just use ssh tunnels.
> pass in inet proto icmp all icmp-type $icmp_types
>
> What is wrong?

you need to read the docs on pf. your rules make no sense

> Also can you tell me how to do this so it only needs to load once, and not be loaded by a shell script after userland pppoe successfully connects?
>
> --
> www.johntate.org
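John's ruleset next to a corrected one, as an added example (my rules, not anything posted in the thread), together with the check Andres applied by eye: does any `pass in` rule name the internal interface? With `block in log` as the default and no pass rule for `$int_if`, a LAN host's packets are dropped on arrival at xl0, before NAT or forwarding is reached, which is why the DNS server on the firewall is unreachable only while the ruleset is loaded. Interface names and macros are John's; the unused host macros are omitted; the `pfctl -nf` dry run is only attempted where pfctl exists.

```sh
#!/bin/sh
# Added example (not code from the thread): John's ruleset beside a corrected
# one, plus a check for the symptom Andres spotted: no pass rule on the
# internal interface while "block in log" is the default.

ORIGINAL='int_if=xl0
ext_if=tun0
tcp_services={22}
icmp_types=echoreq
set block-policy return
set loginterface $ext_if
set skip on lo
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types'

CORRECTED='int_if=xl0
ext_if=tun0
tcp_services={22}
icmp_types=echoreq
set block-policy return
set loginterface $ext_if
set skip on lo
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block in log
antispoof quick for $int_if
# LAN clients may reach the firewall itself (DNS included) and be forwarded;
# what leaves on egress is then NATed by the match rule above.
pass in on $int_if inet from ($int_if:network) to any
pass out quick
# From the Internet: only ssh to the firewall itself, and ping.
pass in on egress inet proto tcp from any to (egress) port $tcp_services
pass in on egress inet proto icmp all icmp-type $icmp_types'

# passes_in_on IFACE: does the ruleset on stdin have a "pass in" rule bound
# to IFACE? IFACE may be a macro reference such as $int_if or a name like xl0.
passes_in_on() {
    esc=$(printf '%s' "$1" | sed 's/\$/\\$/g')      # "$" is an ERE anchor
    grep -Eq "^pass in( [^ ]+)* on $esc( |\$)"
}

# syntax_check: pfctl's parser in dry-run mode where available; elsewhere
# the rules are passed through unchecked so the script still runs.
syntax_check() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf -
    else
        cat >/dev/null
    fi
}

if [ "${1:-}" = "--show" ]; then
    printf '%s\n' "$CORRECTED" | syntax_check && printf '%s\n' "$CORRECTED"
fi
```

The second change is that ICMP from the Internet is now bound to egress like the ssh rule; the LAN's ICMP is already covered by the `$int_if` pass rule, so the original unbound `pass in ... icmp` rule is not needed.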
Re: Giving java apps more memory
you can patch the apps to use setrlimit()

you can write a small sh wrapper that sets ulimits and execs your app

you can also set your defaults in /etc/login.conf or ~/.profile

depends on what you want

i use gimp and ff so login.conf/.profile is really more sensible than wrapping all the monster apps

On Fri, Nov 18, 2011 at 10:42 PM, John Tate <j...@johntate.org> wrote:
> Netbeans crashes with this...
>
> john@rothbard ~$ netbeans
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # java.lang.OutOfMemoryError: requested 32784 bytes for Chunk::new. Out of swap space?
> #
> #  Internal Error (allocation.cpp:272), pid=17843, tid=8647815168
> #  Error: Chunk::new
> #
> # JRE version: 7.0
> # Java VM: OpenJDK 64-Bit Server VM (20.0-b03 mixed mode bsd-amd64 compressed oops)
> # An error report file with more information is saved as:
> # /home/john/hs_err_pid17843.log
> #
> # If you would like to submit a bug report, please visit:
> #   http://java.sun.com/webapps/bugreport/crash.jsp
> #
> Abort trap (core dumped)
>
> Eclipse crashes with this...
>
> [john@rothbard ~$ eclipse
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> # java.lang.OutOfMemoryError: requested 1565456 bytes for Chunk::new. Out of swap space?
> #
> #  Internal Error (allocation.cpp:272), pid=30120, tid=8844312576
> #  Error: Chunk::new
> #
> # JRE version: 7.0
> # Java VM: OpenJDK 64-Bit Server VM (20.0-b03 mixed mode bsd-amd64 compressed oops)
> # An error report file with more information is saved as:
> # /home/john/hs_err_pid30120.log
> #
> # If you would like to submit a bug report, please visit:
> #   http://java.sun.com/webapps/bugreport/crash.jsp
> #
>
> How should I proceed?
>
> --
> www.johntate.org
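The second of Andres's options, the sh wrapper, as an added example (mine, not from the thread). It raises the soft data-size limit toward a requested value and then execs the real program. A user can raise the soft limit only as far as the hard limit set for the login class (login.conf's datasize-cur and datasize-max), so the request is clamped rather than failing; sizes are kilobytes, as `ulimit -d` reports them. The program path in the comment is an assumption.

```sh
#!/bin/sh
# Added example (not code from the thread): a wrapper that raises the soft
# data-size limit before exec'ing a large Java application. Limits are in
# kilobytes, the unit ulimit -d uses.

# clamp_limit WANT HARD: the largest soft limit we may set; HARD may be the
# word "unlimited" (then WANT is allowed as is).
clamp_limit() {
    want=$1; hard=$2
    if [ "$hard" = unlimited ] || [ "$want" -le "$hard" ]; then
        echo "$want"
    else
        echo "$hard"
    fi
}

# raise_datasize WANT_KB: raise this shell's soft data limit toward WANT_KB,
# never past the hard limit. Fails only if the shell cannot report limits.
raise_datasize() {
    hard=$(ulimit -H -d 2>/dev/null) || return 1
    new=$(clamp_limit "$1" "$hard")
    ulimit -S -d "$new"
}

# with_datasize WANT_KB PROG [ARGS...]: what a netbeans/eclipse wrapper
# script does: adjust the limit, then replace this shell with the program.
with_datasize() {
    want=$1; shift
    raise_datasize "$want" || echo "warning: could not adjust datasize" >&2
    exec "$@"
}

if [ $# -gt 1 ]; then
    # e.g.  ./wrapper 2097152 /usr/local/bin/netbeans   (2 GB of data)
    with_datasize "$@"
fi
```

If the hard limit itself is the problem, the wrapper cannot help: that is the case for the login.conf change Andres recommends, which also covers every process of the class without a wrapper per application.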
Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it
On Sun, Nov 13, 2011 at 9:22 AM, David Walker davidianwal...@gmail.com wrote: On 13/11/2011, Mostaf Faridi mostafafar...@gmail.com wrote: Can I optimiz this pf.conf? Thanks in advance I do not open up the truth to one who is not eager to get knowledge, nor help out any one who is not anxious to explain himself. When I have presented one corner of a subject to any one, and he cannot from it learn the other three, I do not repeat my lesson. http://en.wikiquote.org/wiki/Confucius http://blogs.nasa.gov/cm/wiki/?id=2738#gen6 i like your style :) Best wishes.
Re: bash script problem
On Fri, Nov 11, 2011 at 9:10 AM, John Tate <j...@johntate.org> wrote:
> I put a comment in before the line with a problem, I don't understand why it's not working.
>
> bash# for x in 1 2 3 4; do time dd if=/dev/random of=/home/test$x bs=1k count=64k done \
> while [ $V -eq 0 ]; \
> do \
> #why the hell is this such a problem!

because it breaks the line continuation (`\')

there's no need to use that here anyway, presuming this isn't part of a makefile

> V = 0 \
> clear \
> echo -n Jobs running... \
> if jobs 4; then; echo -n last job running!; else; echo -n last job stopped; env V=1; fi \
> sleep 1 \
> done
> time cat secure1 secure2 secure3 secure4 secure_t.vnd \
> time rm secure1 secure2 secure3 secure4
>
> John Tate.
>
> --
> www.johntate.org
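What the script was apparently trying to do (four dd jobs in parallel, wait for all of them, then concatenate), rewritten so it runs, as an added example that is mine rather than John's code. It avoids the trap Andres names by not using backslash continuation at all, and replaces polling `jobs` with `wait`, which also yields each job's exit status. The block sizes are reduced so a run is quick, and the output file names are adjusted to match the files the loop creates.

```sh
#!/bin/sh
# Added example (not code from the thread). Why the original broke: after a
# trailing "\" the next line is part of the same command, so the comment
# line "#why the hell ..." swallowed "V = 0 \" and everything chained after
# it. One command per line leaves nothing to continue.

# make_test_files DIR COUNT: write COUNT files of random data in parallel
# and wait for all of them. Returns 0 only if every dd exited 0.
make_test_files() {
    dir=$1
    n=$2
    i=1
    pids=""
    while [ "$i" -le "$n" ]; do
        # 64 x 1k blocks per file; John used count=64k, i.e. 64 MB each
        dd if=/dev/urandom of="$dir/test$i" bs=1k count=64 2>/dev/null &
        pids="$pids $!"
        i=$((i + 1))
    done
    rc=0
    for p in $pids; do
        if wait "$p"; then           # wait on each pid: we get its status
            echo "job $p finished"
        else
            echo "job $p failed" >&2
            rc=1
        fi
    done
    return $rc
}

# concat_and_remove DIR: the step after the loop in the original script,
# with the names matched to the files the loop creates
concat_and_remove() {
    dir=$1
    cat "$dir"/test1 "$dir"/test2 "$dir"/test3 "$dir"/test4 > "$dir"/secure_t.vnd &&
        rm "$dir"/test1 "$dir"/test2 "$dir"/test3 "$dir"/test4
}

if [ $# -eq 1 ]; then
    make_test_files "$1" 4 && concat_and_remove "$1"
fi
```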
Re: systat colors?
readelf -d `which systat`
...
0x0001 (NEEDED) Shared library: [libcurses.so.12.1]
...

On Fri, Nov 11, 2011 at 8:08 PM, STeve Andre' <and...@msu.edu> wrote:
> On 11/11/11 18:58, Stuart Henderson wrote:
>> On 2011-11-10, STeve Andre' <and...@msu.edu> wrote:
>>> On 11/10/11 16:41, Ted Unangst wrote:
>>>> On Thu, Nov 10, 2011, Joe wrote:
>>>>> Has anyone already modified systat to support colored text?
>>>>
>>>> No, nor will they. colorized utilities are not particularly welcome. (i mean, you can do it, but don't expect such patches to be accepted.)
>>>
>>> But such a systat could live in ports, quite happily. See colorls.
>>
>> Not all that happily. It will keep getting out of sync with the OS.
>
> OK, point taken. But if the 'color systat' was a post-processor it could take the output and add color escape sequences. That then leaves syncing problems for changes in systat's output itself, which while happening, isn't that common.
>
> --STeve Andre'
Re: OpenBSD and shebang line to a script not supported?
how does linux handle that without going into infinite loops? On Mon, Oct 31, 2011 at 6:55 PM, Mikolaj Kucharski miko...@kucharski.name wrote: Hi, Attached archive has small testing scripts to be extracted in /tmp. There are 2 tests (exec1 and exec2) with 2 scripts each (4 scripts total): test#1, openbsd: $ /tmp/exec1.sh exec1.sh executed test#1, linux: # /tmp/exec1.sh /tmp/exec1.pl executed exec1.sh executed test#2, openbsd: $ /tmp/exec2.pl /tmp/exec2.pl[3]: use: not found /tmp/exec2.pl[4]: use: not found /tmp/exec2.pl[6]: syntax error: `(' unexpected test#2, linux: # /tmp/exec2.pl exec2.sh executed exec2.sh executed exec2.sh executed ^C What I see is that OpenBSD doesn't support scripts in shebang line and executes /bin/sh instead. Am I correct here? PS. Please CC me in replies. Thanks. -- best regards q# [demime 1.01d removed an attachment of type application/x-tar-gz]
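A small version of Mikolaj's test#1 that builds its own files (his attachment was stripped by the list), as an added example that is mine rather than his. An "interpreter" that is itself a `#!` script is named in the interpreter line of a second script. On Linux the kernel follows the chain: interp.sh is started by /bin/sh and receives the script's path as its argument, so both lines print; the thread reports that OpenBSD runs the script with /bin/sh instead, so only the second line prints. As to Andres's question, Linux does not loop forever on the exec2 case because binfmt_script caps the nesting depth of `#!` interpreters (BINPRM_MAX_RECURSION) and fails the exec beyond it. File names and the `/tmp`-style directory are assumptions.

```sh
#!/bin/sh
# Added example (not the thread's attachment): a script used as a #!
# interpreter for another script, to compare how the kernel treats it.

# make_chain DIR: create DIR/interp.sh and DIR/script.sh
make_chain() {
    dir=$1
    cat > "$dir/interp.sh" <<'EOF'
#!/bin/sh
# a script acting as an interpreter: $1 is the script it was asked to run
echo "interp.sh executed for $1"
exec /bin/sh "$1"
EOF
    printf '#!%s/interp.sh\necho "script.sh executed"\n' "$dir" > "$dir/script.sh"
    chmod 755 "$dir/interp.sh" "$dir/script.sh"
}

# run_chain DIR: run the outer script and return its combined output
run_chain() {
    "$1/script.sh" 2>&1
}

# chain_followed DIR: 0 if the kernel honoured the script interpreter,
# i.e. interp.sh ran at all
chain_followed() {
    run_chain "$1" | grep -q '^interp.sh executed'
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_chain "$d"
    run_chain "$d"
    if chain_followed "$d"; then echo "nested #! honoured"; else echo "script run with /bin/sh directly"; fi
    rm -rf "$d"
fi
```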
Re: dhclient, resolv.conf
the dhclient in base, and possibly the isc one, interprets options set to the empty string as unset

On Sun, Oct 23, 2011 at 1:38 PM, <sc...@web.de> wrote:
> Jurjen Oskam <jur...@osk.am> wrote:
>> supersede domain-name-servers 192.168.1.1;
>> supersede domain-name "";
>
> My dhclient completely ignores
>     supersede domain-name "";
> and sets an unwanted search line given by the server. Indeed you must give
>     supersede domain-name ".";
> To obtain
>     search .
> in resolv.conf, what seems to be no problem.
>
> Rod.
Re: do not understand how to upgrade to-CURRENT
you don't even write properly in Spanish

2011/10/22 Zantgo <zan...@gmail.com>:
> I don't understand how to update to -current, which manual do I have to follow:
>
> http://www.openbsd.org/faq/faq5.html (that is, follow exactly what it says there and once I have built the system from source, I will be running -current)
>
> http://www.openbsd.org/faq/current.html (following this exactly, I will automatically get a -current)
>
> Please, the only thing I want is to update to current, but I don't know how.
>
> PS: in all the above cases I have to be running a snapshot, right?
>
> PS2: http://www.openbsd.org/faq/current.html is obsolete
>
> Zantgo
Re: Dennis Ritchie
2011/10/13 David Coppa dco...@gmail.com Today is a sad sad day :( Rest in Peace. Without you, we would never be here. Cheers, David People who change the world, unfortunately do not last forever, forever missed, but his legacy will last forever Andres. -- Atentamente Andris Genovez Tobar / Tecnico Elastix ECE - Linux LPI-1 - Novell CLA - Apple ACMT http://www.puntonet.ec
Re: microsoft wireless keyboard and mouse
i don't have much to add right now besides confirming the problem with

    Microsoft Wireless Desktop Receiver 3.1A(0x00f1), Microsft(0x045e), rev 0.02, wireless mouse/keyboard combo 2000

i think that the mouse calibration could be an easy problem to sort out after spending a weekend on it
Re: Why I uninstalled OpenBSD???
On Sun, Oct 2, 2011 at 12:14 AM, Nick Holland n...@holland-consulting.net wrote:

On 10/01/11 23:08, Christiano F. Haesbaert wrote: Not again people, please. Stop feeding.

Yes. Yet another never-heard-from-before-or-again loser (and *always* using a gmail account...isn't that interesting?) posting a link to that loser's site (which is hosted on google, and MX records point to google). $0.50 says it's the same loser who writes that dribble and posts the link here.

well, you narrowed down the list of suspects to the gazillion of people that use gmail

And then a bunch of people who should know better jump all over him, not unjustifiably, but include the link of the crap in their reply, giving more advertising to the site and higher search engine ratings. Mission accomplished. IF you have to reply to someone posting a stupid link (even an UNINTENTIONALLY stupid link...you know, the well-intended ones that provide bad advice), do the world a favor and remove the link from your reply...

Nick.
Re: Group ownership of files at creation time
the S_ISGID bit on a directory is meaningful in sysv, whereas on bsd open(2) acts as if it were always on
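The difference described above, as an added example that is not part of the thread: a new file's group is the directory's group on BSD regardless of mode bits, while SysV-derived systems (Linux included) use the directory's group only when the directory carries S_ISGID and the creating process's effective gid otherwise. The script probes the host it runs on; the directories and files are constructed under mktemp, and the SysV case is only shown when the caller belongs to more than one group.

```shell
#!/bin/sh
# Added example, not from the thread: which group does a new file get?
# Everything here is created under a temporary directory and removed again.

# file_gid PATH: numeric gid that owns PATH (4th field of "ls -ldn")
file_gid() {
    ls -ldn "$1" | awk '{ print $4 }'
}

# group_inherited DIR: create a file in DIR; succeed if it took DIR's gid
group_inherited() {
    f=$1/probe.$$
    : > "$f" || return 1
    g=$(file_gid "$f")
    rm -f "$f"
    [ "$g" = "$(file_gid "$1")" ]
}

# other_gid: print one supplementary gid that differs from the primary gid,
# or fail when the caller belongs to a single group
other_gid() {
    for g in $(id -G); do
        if [ "$g" != "$(id -g)" ]; then
            echo "$g"
            return 0
        fi
    done
    return 1
}

# demo: report this host's behaviour with and without S_ISGID on the directory
demo() {
    d=$(mktemp -d) || return 1
    if other=$(other_gid) && chgrp "$other" "$d" 2>/dev/null; then
        chmod g-s "$d"
        if group_inherited "$d"; then
            echo "without S_ISGID: new file took the directory's group (BSD rule)"
        else
            echo "without S_ISGID: new file took the process gid (SysV rule)"
        fi
    else
        echo "without S_ISGID: no second group available, SysV case not shown"
    fi
    chmod g+s "$d"
    if group_inherited "$d"; then
        echo "with S_ISGID: new file took the directory's group"
    else
        echo "with S_ISGID: new file did not take the directory's group"
    fi
    rm -rf "$d"
}

demo
```

For a shared drop directory this is the property to verify: without the setgid bit on a SysV system, files written by one user land in that user's primary group, not the directory's, and group-based access control on the directory silently stops applying to its contents.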
Pear Version (2008-08-23) Updated to version: pear-1.7.2
Hi friends, I am having a lot of problems with the standard version of PEAR that ships with OpenBSD; the latest I can get is (2008-08-23) Updated to version: pear-1.7.2. But the system insists it requires version 1.8. Please, can anybody give me a guide: how can I update PEAR? Thanks for any help!

-- Sincerely, Andrés Genovez Tobar / Elastix Technician, ECE - Linux LPI-1 - Novell CLA - Apple ACMT http://www.puntonet.ec
Installing Image_Canvas
Hello, a little question, if anyone can help. I am using OpenBSD 4.8 GENERIC. I am using pear-1.7.2.tgz http://openbsd.mirror.frontiernet.net/pub/OpenBSD/4.8/packages/i386/pear-1.7.2.tgz But when I try to install this, I get this error:

# pear install Image_Graph-0.7.2
Did not download dependencies: pear/PEAR, pear/Image_Canvas, use --alldeps or --onlyreqdeps to download automatically
pear/Image_Graph requires package pear/PEAR (version = 1.3.1)
pear/Image_Graph requires package pear/Image_Canvas (version = 0.3.0)
No valid packages found
install failed
#

Can someone give me a guidance? Thanks!

-- Sincerely, Andrés Genovez Tobar / Elastix Technician, ECE - Linux LPI-1 - Novell CLA - Apple ACMT http://www.puntonet.ec
Re: Load average question
On Mon, Aug 8, 2011 at 1:04 PM, STeve Andre' and...@msu.edu wrote:

On 08/08/11 12:59, Theo de Raadt wrote:

Nick, this is probably the single most frequently asked question... :-)

No, it is not. In the modern world of search engines, this question lands at the same level as trolling. If a person's first gut reaction isn't "go type 3 words into a search engine", and instead they craft a 500 line email message to a list, that is trolling.

Rikky, here is a diff which solves the problem you are facing:

--- w.c Sat Jul 30 15:17:12 2011 +++ w.c.new B B Mon Aug B 8 10:57:34 2011 @@ -430,7 +430,7 @@ B B B B B B B B for (i = 0; i B (sizeof(avenrun) / sizeof(avenrun[0])); i++) { B B B B B B B B B B B B if (i B 0) B B B B B B B B B B B B B B B B (void)printf(,); - B B B B B B B B B B B (void)printf( %.2f, avenrun[i]); + B B B B B B B B B B B (void)printf( %.2f, 0.001); B B B B B B B B } B B B B B B B B (void)printf(\n); B B B B }

Hmmm. Wrap that around an #ifdef looking for an environment variable (LOADAV) and if it isn't set to IUNDERSTAND Theo's diff is what's shown.

cpp can't look for environment variables

I'm not being entirely facetious.

how facetious are you being, on a scale from 1 to 10?

--STeve Andre'
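Review bot: in the `+` line the printed value changes from `avenrun[i]` to the literal `0.001`, so the loop still iterates over `avenrun` but no longer reads it, and the load average `w` prints becomes a constant rather than the sampled one; the values fetched into `avenrun` earlier are dead after this change. Nothing in the hunk removes that fetch or the now-pointless loop, so as a real change it would need either the array use restored or the loop and fetch dropped together.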
TODAY YOU CAN PUBLISH YOUR BOOKS - July 2011 -
Pasión de Escritores Editions. Print on demand. Short print runs. Reprints. TODAY YOU CAN PUBLISH YOUR WORK. THE BEST PRICE ON THE MARKET. July 2011 promotion. Size: 14 x 20. 4-colour covers on 300g coated paper, gloss OPP laminated. Black-and-white interior on 75/80g extra-white offset paper. Binder binding. 50 books of 60 pages: final printing price $540. Request a quote in formats: 14x20, 15x21, 15.5x23, 16x24, 17x25, 20x28, 21x28. Our services: print-on-demand editions, reprints of publications from 25 copies, galley proofs, ISBN processing at no charge (fee paid by the writer), processing at no charge under Law 11723 (fee paid by the writer). Optional services: cover design, proofreading, layout. Our editions are paid in 3 instalments. Request information at: consultaedic...@pasiondeescritores.com.ar www.pasiondeescritores.com.ar IMPORTANT NOTE: If you do not wish to receive information in the future, please send an e-mail to be removed. This e-mail is not SPAM since it includes a means of removal, in accordance with the provisions of Decree 5.1618, Title 3 #, approved by Congress, the basis of the international regulations on SPAM.
Re: pf rule?
ifconfig pflog1 create
touch /var/log/pfblocklog
pflogd -ipflog1 -f$_

pf.conf:

l = "log (to pflog1)"
block return $l
block ... $l

to keep the pfctl rule output readable, match and tag the packets instead and have a single block + log rule (at the expense of no quick)

On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez fquinon...@gmail.com wrote:

Hello

I have a sshd/ftpd/httpd server box, 4.9 stable, and I want to log all blocked packets and send them to /var/log/pfblocklog to be read with tcpdump. What and where should the rule be?

# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
set skip on lo

### Added by me:
block return
pass in quick log on rl0 proto tcp from any to port 22
pass out quick on rl0 to any
pass in quick log on rl0 proto tcp from any to port 21
pass in quick log on rl0 proto tcp from any to port 80
### End.

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

pass # to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

Thanks for your attention.
Re: pf rule?
now for the problems in your rules:

On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez fquinon...@gmail.com wrote:

# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
set skip on lo

### Added by me:
block return
pass in quick log on rl0 proto tcp from any to port 22
pass out quick on rl0 to any
pass in quick log on rl0 proto tcp from any to port 21
pass in quick log on rl0 proto tcp from any to port 80

"from any" / "to any" is implied

### End.

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

pass # to establish keep-state

this negates rule #0

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

redundant if #0 works

Thanks for your attention.
Re: pf rule?
On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez fquinon...@gmail.com wrote:

2011/7/20 Wesley MOUEDINE ASSABY open...@e-solutions.re:

Also, you can see a sample on http://mouedine.net/ruleset49.aspx

Wesley.

On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY open...@e-solutions.re wrote:

Hi,

Try this:

block log return

Cheers, Wesley.

On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez fquinon...@gmail.com wrote:

Hello

I have a sshd/ftpd/httpd server box, 4.9 stable, and I want to log all blocked packets and send them to /var/log/pfblocklog to be read with tcpdump. What and where should the rule be?

Thanks for your attention.

Hello

I changed it to:

# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
set skip on lo

### Added by me:
block log
pass out quick on rl0
antispoof quick for rl0
pass in log on rl0 proto tcp from any to port 22
pass in log on rl0 proto tcp from any to port 21
pass in log on rl0 proto tcp from any to port 80

replace all three by:

pass in log on rl0 proto tcp to port { 21 22 80 }

### End.

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

you already pass these packets before. redundant rules make pfctl output hard to read, so change it to:

match in proto tcp to port ftp rdr-to localhost port 8021

Thanks so much, both. How does it look?
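The ruleset the replies converge on (the dedicated pflog1 interface for blocks from the first reply, the port list and the match rule from this one), written out as one file by a small shell helper. This is an added example, not code from the thread; it assumes the poster's interface rl0, the ftp-proxy port 8021 and the log file /var/log/pfblocklog, and the pfctl check only runs where pfctl exists.

```shell
#!/bin/sh
# Added example, not from the thread: emit the consolidated pf.conf and
# validate it with "pfctl -n" when pfctl is available on this host.

# setup_blocklog: one-time setup of a second pflog interface that carries
# only the logged blocks, so reading /var/log/pfblocklog with tcpdump
# shows nothing but drops (pass rules keep logging to pflog0).
setup_blocklog() {
    ifconfig pflog1 create
    touch /var/log/pfblocklog
    pflogd -i pflog1 -f /var/log/pfblocklog
}

# write_ruleset FILE IFACE: write the ruleset for external interface IFACE.
write_ruleset() {
    cat > "$1" <<EOF
# consolidated pf.conf: one block rule logging to pflog1, one pass rule for
# the three services, one match rule for the ftp-proxy redirect
ext_if = "$2"
set skip on lo
# default deny; drops go to pflog1 (see setup_blocklog)
block log (to pflog1)
antispoof quick for \$ext_if
pass out quick on \$ext_if
# a port list replaces three identical pass rules
pass in log on \$ext_if proto tcp to port { 21 22 80 }
# filter rules and anchor for ftp-proxy(8); the pass above already admits
# port 21, so only the translation is needed here
anchor "ftp-proxy/*"
match in proto tcp to port ftp rdr-to localhost port 8021
EOF
}

# check_ruleset FILE: 0 when pfctl parses FILE, 1 on a syntax error,
# 2 when pfctl is not installed (e.g. when run on a non-OpenBSD box).
check_ruleset() {
    command -v pfctl >/dev/null 2>&1 || return 2
    pfctl -nf "$1"
}

# count_rules FILE KEYWORD: number of rules in FILE that start with KEYWORD
count_rules() {
    grep -c "^$2 " "$1"
}

# demo: write the file, show it, and report the pfctl result
demo() {
    f=$(mktemp) || return 1
    write_ruleset "$f" rl0
    cat "$f"
    check_ruleset "$f"
    case $? in
        0) echo "pfctl: ruleset parses" ;;
        2) echo "pfctl: not available here, ruleset not checked" ;;
        *) echo "pfctl: syntax error" ;;
    esac
    rm -f "$f"
}

demo
```

With the block rule logging to pflog1, "tcpdump -n -e -ttt -r /var/log/pfblocklog" contains only what was dropped, which is what the original question asked for, and "pfctl -sr" shows six rules instead of the eleven in the first version.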
Re: openbsd 4.9 based UTM
On Tue, Jul 19, 2011 at 6:04 AM, citoyen citoyen cccito...@gmail.com wrote:

Hi,

I'm about to start a project of building my own highly secure UTM based on the last openbsd flower 4.9. I can do all the system and network configs needed by myself, but I'm wondering what language to use in order to get my UTM configurable from a web browser. Any pointers or help are welcome.

i built a similar UTM project using openbsd as firewall and freedos for fileserver (raw device access is way faster than mucking around in userland)

the web interface should be coded in js

js would generate m4 macros that generate pf rules, spamd rules, etc

low complexity: js -> m4 -> pf preprocessor -> pf

the m4 macros look like this:

divert(-1)
define(`pu',`pushdef($@)')
define(`po',`popdef($@)')
define(`m4pf_blockrule',
`pu(`P', `$1')'
`pu(`F', `$2')'
`pu(`T', `$3')'
`block proto P from F to T'`'
`po(`P',`F',`T')')
divert(0)dnl

the idea is to replicate the pf.conf syntax in m4 and js so that i can use the webinterface to do the configuration and users don't need to learn pf.conf, but they need to learn my interface instead.

i thought of just serving the contents of pf.conf initially, but that's too complicated and you seem to have discarded that anyway
Re: How does OpenBSD compare to Ubuntu Server?
On Mon, Jul 11, 2011 at 7:46 PM, J Sisson sisso...@gmail.com wrote:

On Mon, Jul 11, 2011 at 6:58 PM, Juan Miscaro jmisc...@gmail.com wrote:

On 7 July 2011 15:06, jirib ji...@devio.us wrote: Are you kidding? Ubuntu? Where installed daemons are running by default, where there is no command to disable shitty upstart daemons?

Which daemons are those again?

apt-get install some_insecure_daemon

Oh look, some_unsecure_daemon is running before I have a chance to configure it and lock it down the way I see fit. <sarcasm>Good thing we all know those Ubuntu/Debian guys are so damned smart and all...</sarcasm>

why would you install a daemon and not run it? how is it any different than X listening on localhost by default in obsd?

if you install a daemon in debian/ubuntu and it listens on 0.0.0.0 by default, the package isn't following distro policy
Re: How does OpenBSD compare to Ubuntu Server?
On Mon, Jul 11, 2011 at 8:48 PM, J Sisson sisso...@gmail.com wrote:

On Mon, Jul 11, 2011 at 7:36 PM, Andres Perera andre...@zoho.com wrote: why would you install a daemon and not run it? how is it any different than X listening on localhost by default in obsd? if you install a daemon in debian/ubuntu and it listens on 0.0.0.0 by default, the package isn't following distro policy

Why would you start a daemon before you have had a chance to configure it for your environment? Is it really that hard to run update-rc.d after you edit a config file?

that wouldn't be any different than sending a HUP signal or restarting through rc.d, assuming listening on localhost is ok. for exceptional situations where it would be not ok, like increasingly rare truly multi-user systems, you can turn it off globally for newly installed packages

OpenBSD asks if X should run by default when you install the system. On top of that, the default firewall rules explicitly block traffic to X. It's quite different in fact.

it does not offer granularity covering both running X and X accepting connections from localhost, just like the debian package policy concerning network daemons

Policy? Well thank heavens for that...I guess I should run Ubuntu on all of my critical infrastructure...their policy will protect me.
Re: How does OpenBSD compare to Ubuntu Server?
On Mon, Jul 11, 2011 at 9:40 PM, patrick keshishian pkesh...@gmail.com wrote:

On Mon, Jul 11, 2011 at 5:36 PM, Andres Perera andre...@zoho.com wrote: why would you install a daemon and not run it? how is it any different than X listening on localhost by default in obsd?

Just because you install something doesn't mean you want it run by default. fingerd, ftpd, rshd, popa3d, tftpd, ntalkd, ntpd, bind, lpd, sshd, etc. are installed on OpenBSD, but not necessarily enabled by default.

one trait that all of these programs have in common is their inclusion in base, which is meant to be a general purpose system. that's a whole other story from debian and ubuntu. both of these linux distributions have tags such as essential or required reserved for crucial packages; anything else is optional. the packages that brandish the required tag differ significantly from obsd's criteria. suffice it to say, httpd does not qualify as indispensable in the debian world

added daemons have different connotations from those included in obsd base, and this also applies to debian and derivatives. the closest parallel would be packages built from ports and the automation pkg_add performs on installing them

When software thinks too much for the operator is when trouble begins.

--patrick
Re: How does OpenBSD compare to Ubuntu Server?
On Mon, Jul 11, 2011 at 11:43 PM, patrick keshishian pkesh...@gmail.com wrote: you failed at making any point.

i'll rebrand it into convenient twitter format:

debian splits packages to the point where a single service is associated with a single top-level package, meaning that there's never a reason for unused installed services

openbsd limitations do not apply 1:1 to other systems unless they happen to be openbsd. in the previous sentence, openbsd can be replaced by any word
Re: Recompile OpenBSD without built-in Apache 1.3
see SKIPDIR in mk.conf(5); add usr.sbin/httpd

On Tue, Jun 28, 2011 at 9:01 PM, Tito Mari Francis Escaño titomarifran...@gmail.com wrote:

Good day! Is it possible to recompile the whole system while excluding the built-in Apache 1.3 web server? I was hoping to save a few more megabytes off the base installation of the system. In case it's not advisable, can you please discuss the bad side effects of doing so? Thanks in advance.
Re: Can command-line options be specified in any place?
On Wed, Jun 22, 2011 at 7:19 AM, Tobias Ulmer tobi...@tmux.org wrote: The getopt(3) function is inconsistent amongst operating systems and could use some polish in my opinion. Maybe there are technical reasons why this feature can't be implemented, but this discussion has certainly extinguished my curiosity about it.

inconsistent implementations are not the problem at all. if the system getopt is patched to always use FLAG_PERMUTE like getopt_long, then scripts that expect the old behaviour would have to be changed. for example, /etc/rc.d/rc.subr:

-rcexec=su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c
+rcexec=su -l -c ${daemon_class} -s /bin/sh -- ${daemon_user} -c

going through all the scripts is a bigger problem than some other os using another implementation with remarkably different semantics
Re: Can command-line options be specified in any place?
you can compile gnu coreutils

the reason posix and bsd don't allow options after operands is because it complicates the implementation of getopt and it introduces ambiguity, especially with options that take arguments

the gnu getopt has to look at the first characters of every argv member unless -- is used, which is inconvenient in interactive shells

On Tue, Jun 21, 2011 at 7:09 PM, vadi...@gmail.com wrote:

Hi, I'm considering migrating my desktop from Linux to OpenBSD but the main feature that kept me away from the *BSD world for over a decade since I first tried FreeBSD was the one that options must only be specified after the command before any arguments. (At least that is true for basic commands). For example on Linux a command ls -l foo -h will print foo's size with suffix (K, M, G, etc.). On *BSD (including Mac OS X) I get the error message: ls: -h: No such file or directory

Is there an easy way to get the desired behavior on OpenBSD? If that can only be achieved by patching the system's sources, is there a standard way to maintain my personal set of patches so that they will be automatically applied every time I upgrade the system?

Best regards, Vadim.
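The two parsing behaviours discussed in this reply and in the rc.subr one before it, side by side as an added example (not from the thread): POSIX getopts stops at the first operand, which is why "ls -l foo -h" treats -h as a file name on BSD, while a permuting getopt keeps recognising options after operands until it sees "--", which is why the su line in rc.subr needs "--" before the user name. The permuting variant is a small emulation written here, limited to single uncombined option letters; the spec strings and argument vectors are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the same argv parsed the POSIX way
# (getopts) and the permuting way (an emulation of glibc-style getopt).

# parse_posix SPEC ARGS...: parse ARGS with getopts; print
# "opts=<options seen> operands=[<what is left>]".
parse_posix() {
    spec=$1; shift
    OPTIND=1 opts=
    while getopts "$spec" c; do
        case $c in
            '?'|:) opts="$opts $c" ;;        # unknown option / missing argument
            *) case $spec in
                   *"$c:"*) opts="$opts $c=$OPTARG" ;;
                   *) opts="$opts $c" ;;
               esac ;;
        esac
    done
    shift $((OPTIND - 1))
    printf 'opts=%s operands=[%s]\n' "${opts# }" "$*"
}

# parse_permute SPEC ARGS...: every argument beginning with "-" is an option
# wherever it appears, until "--" ends option processing.
parse_permute() {
    spec=$1; shift
    opts= operands=
    while [ $# -gt 0 ]; do
        case $1 in
            --) shift; operands="$operands $*"; break ;;
            -?*)
                c=${1#-}
                case $spec in
                    *"$c:"*)
                        [ $# -ge 2 ] || { opts="$opts :"; shift; continue; }
                        opts="$opts $c=$2"; shift 2 ;;
                    *"$c"*) opts="$opts $c"; shift ;;
                    *) opts="$opts ?"; shift ;;
                esac ;;
            *) operands="$operands $1"; shift ;;
        esac
    done
    printf 'opts=%s operands=[%s]\n' "${opts# }" "${operands# }"
}

# demo: the ls case from the question and the su line from rc.subr, where
# the trailing "-c ntpd" is meant for the login shell, not for su
demo() {
    parse_posix   :lh -l foo -h
    parse_permute :lh -l foo -h
    parse_posix   :lc:s: -l -c daemon -s /bin/sh _ntp -c ntpd
    parse_permute :lc:s: -l -c daemon -s /bin/sh _ntp -c ntpd
    parse_permute :lc:s: -l -c daemon -s /bin/sh -- _ntp -c ntpd   # the "--" fix
}

demo
```

The fourth line of output is the failure mode behind the rc.subr change: a permuting parser hands "-c ntpd" to su itself, so the command intended for the shell is consumed as a second login-class option and the user name is left as the only operand. The fifth line shows "--" restoring the POSIX result, which is why every su call in the rc scripts would need it if getopt(3) were switched to permuting.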
Re: vmmap: bad software everywhere
i'm sure you could fathom the idea that some people care more about streaming video on their browsers than address randomization, the same way some people care more about speedier local lookups to a stationary sync db than making sure a package has correct @want-lib by trashing the ftp server on every query

some of these people may even call the alternative they're not using stupid

what does that do? nothing

On Sun, Jun 5, 2011 at 9:47 AM, Marc Espie es...@nerim.net wrote:

On Sun, Jun 05, 2011 at 09:46:48AM -0400, Nico Kadel-Garcia wrote:

On Fri, Jun 3, 2011 at 6:26 PM, Marc Espie es...@nerim.net wrote:

On Fri, Jun 03, 2011 at 06:11:31PM -0400, Nico Kadel-Garcia wrote:

On Tue, May 31, 2011 at 6:51 AM, Marc Espie es...@nerim.net wrote: How come nobody in other OSes noticed? Well, people probably did, and tweaked their allocators to work, by using preferably the low address space, and having addresses that increase slowly, so that a lot of pointers are below 4GB, and a lot of pointer diffs are under 4GB.

Or you could just be engaging in an ad hominem attack without actually looking at their implementations and assuming they're not doing it right because they're not you or your favorite platform. But hey, we don't know anyone who'd do *that* in the OpenBSD community. Right?

Wrong. An ad hominem attack would require me asserting all this for a fact, which is not what I'm doing. Notice the "probably"? it makes all the difference in the world.

No, I'm afraid it really doesn't require asserting the truth. To quote from Wikipedia, "An ad hominem (Latin: to the man), short for argumentum ad hominem, is an attempt to link the truth of a claim to a negative characteristic or belief of the person advocating it". It's what I just did to you, in turn. How's it feel? An example or two would have lent powerful credence to your claim. The fix for mono, which Marc Espie notes in this thread, is a very powerful such indicator.
I tend to publish findings early, when I don't have THAT many built examples yet. There's also some teamwork; specifically, I don't personally oversee everything in OpenBSD. Nobody does. But we do notice trends, and do some design work based on that. You can call that ad hominem if you wish, do any kind of rhetoric. For me, putting a "probably" in front of a working hypothesis is enough to go forward. I expect the facts to be disputed; I don't care much for the rhetoric part of it... I would even venture this is a fundamental activity for us to go forward. If you lose yourself in gruntwork, you don't see the bigger picture. Sometimes, we do have the luxury of saying "this is complete shit, it shouldn't work", and then we break bad software. On the other hand, "secure by default, runs GENERIC" is the other tenet of our culture: reproducible defaults, no need to tinker with configs to get things to work, and also, proceed cautiously, do not invent stupid APIs when we don't need to.
Re: Theo's Birthday, have you done anything?
A little late, but big greetings from Ecuador - South America.

2011/5/19 Mayuresh Kathe mayur...@kathe.in: Hey, it's Theo's birthday today, have you done anything? Yeah, you could wish him, but, how about a small gift? How about donating US$10 to the project today?

-- Sincerely, Andrés Genovez Tobar / Elastix Technician, ECE - Linux LPI-1 - Novell CLA - Apple ACMT http://www.puntonet.ec
Re: Fallback ruleset loaded at boot time
Yes, you were right. I fixed the domain entries in pf.conf and also some inconsistency with the queue configuration on the internal interface, and then everything was great. Thanks a lot!

2011/4/24 Henning Brauer lists-open...@bsws.de

* Andres Chavez fluxboxtrem...@gmail.com [2011-04-24 05:44]: I'm wondering why the rc script is loading the fallback ruleset instead of mine.

because loading yours failed.

pfctl -nf /etc/pf.conf it's OK And if i manually load it with pfctl -f /etc/pf.conf all is going as expected

so you have something in there relying on something not available early enough on the boot process. primarily suspect is dns.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting

-- Andrés Chavez IT System / Network Administrator CPF FreeBSD Server Administrator http://www.andreschavez.com.ve
Fallback ruleset loaded at boot time
Hi guys

I'm wondering why the rc script is loading the fallback ruleset instead of mine. I'd set the ruleset as usual at /etc/pf.conf but OpenBSD seems to be loading the fallback for some reason. Everything looks good.

# grep ^pf /etc/rc*
/etc/rc.conf:pf=YES # Packet filter / NAT
/etc/rc.conf:pf_rules=/etc/pf.conf # Packet filter rules file
/etc/rc.conf:pflogd_flags= # add more flags, e.g. -s 256

Permissions

ls -l /etc/pf.conf
-rw--- 1 root wheel 6517 Apr 25 21:39 /etc/pf.conf

pfctl -nf /etc/pf.conf it's OK

And if i manually load it with pfctl -f /etc/pf.conf all is going as expected

Well i'd left my pf.conf file attached if you want to take a look, using OpenBSD 4.8 Release

Cheers
Best advice for a link aggregation setup
Hello misc.. I'm currently helping a friend on a link aggregation setup based on 4.8 with 2 links from the same ISP, so we have followed a bunch of faqs/how-to's, but the fact is that we're in the middle of a bunch of questions too. So it would be nice if you guys can help us to clear some doubts and take the right actions if required to.

1) What do we actually need to make sure a link aggregation setup will work? You should know that we got a server HP ProLiant with only 1 PCI port, so the NIC is an Intel dual Gbit port (em0/em1); the NIC facing the LAN is the onboard one and uses the bge driver (bge0), and from the same ISP we got two ADSL links of 2048 mb each

2) Must the two ADSL links support a special feature like bonding or something like that?

Cheers..
Re: pkg_add -L localbase
it's a complete noop since it will remove the package regardless of localbase specified with -L. it looks under PKG_DBDIR/spec/+CONTENTS to learn about localbase, as always. in effect, it does not work because it's ignored

adding to that, it would've been immediately obvious to anyone testing delete -L str that it was without effect, so the lack of a description assumed the commit was tested

anyhoo, as long as everyone reading understands the real reason why it wasn't placed in PkgAdd.pm

xoxo
Re: pkg_add -L localbase
about AddCreateDelete.pm r1.15 1. -L was never there (adding back? had to go through the entire log for the file to verify adding back) 2. PkgCreate.pm declared it separately, and still does 3. PkgDelete.pm doesn't work with -L, and if it ever did, it wasn't documented is pkg_delete not working with -L now considered a bug, since the commit portrays that it should work with -L? if so, is the lack of documentation for the new flag also considered a bug? hard to tell
Re: pkg_add -L localbase
On Sat, Mar 19, 2011 at 7:35 AM, Marc Espie es...@nerim.net wrote:

On Sat, Mar 19, 2011 at 07:20:33AM -0430, Andres Perera wrote: about AddCreateDelete.pm r1.15 1. -L was never there (adding back? had to go through the entire log for the file to verify adding back)

Of course it was not. you'll have to check the whole history of the tools to figure out what happened.

fair enough

2. PkgCreate.pm declared it separately, and still does

Yep, should remove that as well.

3. PkgDelete.pm doesn't work with -L, and if it ever did, it wasn't documented

"doesn't work" doesn't mean anything here. What doesn't work? what do you get for error messages? what are you doing?

it's a complete noop since it will remove the package regardless of localbase specified with -L. it looks under PKG_DBDIR/spec/+CONTENTS to learn about localbase, as always. in effect, it does not work because it's ignored
Re: pkg_add -L localbase
On Fri, Mar 18, 2011 at 3:45 AM, Gregory Edigarov g...@bestnet.kharkov.ua wrote:

Hello,

Is this working ever? Yesterday I was trying to add certain packages and wanted them to reside in a very separate base (/usr/opt) so they will be easily removed after my trial of them. I did 'pkg_add -L /usr/opt/package name package' and got:

pkg_add: Unknown option -L
Usage: pkg_add [-acIinqrsUuvxz] [-A arch] [-B pkg-destdir] [-D name[=value]] [-L localbase] [-l file] [-P type] [-Q quick-destdir] pkg-name [...]

What am I missing?

--- usr/src/usr.sbin/pkg_add/OpenBSD/PkgAdd.pm Mon Jan 3 14:31:04 2011 +++ usr/libdata/perl5/OpenBSD/PkgAdd.pm Fri Mar 18 12:51:28 2011 @@ -68,7 +68,7 @@ sub handle_options { my $state =3D shift; - $state-SUPER::handle_options('aruUzl:A:P:Q:', + $state-SUPER::handle_options('aruUzl:A:L:P:Q:', '[-acIinqrsUuvxz] [-A arch] [-B pkg-destdir] [-D name[=3Dvalue]= ]', '[-L localbase] [-l file] [-P type] [-Q quick-destdir] pkg-name [...]');

-- With best regards, Gregory Edigarov
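Review bot: the option spec gains `L:` so that `-L` is accepted to match the usage string, which already advertised `[-L localbase]`, but the hunk shows nothing that consumes the value; check that the `SUPER::handle_options` path actually applies it, otherwise the flag is accepted and silently ignored, which is the no-op behaviour the pkg_delete discussion in this thread describes. The header also diffs a source-tree file (usr/src/usr.sbin/pkg_add/OpenBSD/PkgAdd.pm) against the installed copy (usr/libdata/perl5/OpenBSD/PkgAdd.pm); regenerate it against the tree before committing.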
nl_langinfo(3) and possibly redundant #include
the synopsis section says

#include <nl_types.h>
#include <langinfo.h>

char *
nl_langinfo(nl_item item);

however, nl_types.h is included by langinfo.h

which one is at fault? should the man page be corrected or should the header not pull nl_types.h?
Re: what is the “Online Certificate Status Protocol”
On Wed, Mar 9, 2011 at 9:27 AM, Joachim Schipper joac...@joachimschipper.nl wrote:

On Wed, Mar 09, 2011 at 01:30:39AM -0800, erikmccaskey64 wrote:

I use privoxy. In the user.action file i have a redirect rule and a few websites:

{ +redirect{s@http://@https://@} }
.twitter.com
.facebook.com

Ok! it's working great, e.g.: if i visit any *twitter.com URL it gets redirected to HTTPS! But: with wireshark i can see some OCSP packets [ http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]

Question: What are these packets? Why aren't they in HTTPS? Is my redirection method with privoxy secure?

The keys to legitimate certificates may fall into the hands of bad guys (e.g. when they hack an HTTPS server). This would allow the bad guys to redirect your HTTPS connections to their own machines without you seeing any warnings until the stolen certificates are no longer valid (which should allow them something like a year to steal your credit card). In order to prevent this, your computer asks a special server whether the certificate has been revoked. This is done over the OCSP protocol (there are other solutions); the connection is not encrypted, but the OCSP server's responses are digitally signed. So yes, your setup seems to work just fine (or as well as SSL does in the first place). The HTTPS Everywhere Firefox extension would be a less hacky solution, though.

i'm curious as to why you say that. afaik, https everywhere also works by rewriting the uri, just like privoxy or squid would, while not being limited to one browser, not being unable to log actions, not being unable to scale for a whole site instead of a single system, etc.

Joachim

-- PotD: biology/bioperl - perl tools for bioinformatics http://www.joachimschipper.nl/
Re: OT: Risks of CAs (Re: Your web development opinions)
On Wed, Feb 23, 2011 at 9:21 AM, Olivier Mehani sht...@ssji.net wrote:

Just some OT thoughts.

On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote: CA's cannot be trusted to even pay attention to carefully securing your certificate. Here in the US, the government can simply ask for your certificate and get it (and possibly even use it to impersonate you)

The government would have the certificate, but not the private key, so I'm not sure how they can impersonate you with it.

it's a little more detailed than that. the gov could say revoke his cert on the crl, and assign the next iteration to me with my arbitrary req generated with my arbitrary key. at that point it would not matter if they don't have *his* private key

if he controls the ca, then the gov/whoever is forced to do true mitm

the big problem with the first is that chances are that your ca company is american/european (no bullet proof host), and they will give in like paypal wrt wikileaks

However, they can just get their own key to *any* shoddy CA included in browsers, and get a certificate linking that key to your services without much problem. The problem is not really whether there is a trust relationship between your CA provider and you, it's whether at least *one* CA is lax enough that they give out certificates without thorough checking. Even with your self-signed approach, somebody could get a CA to issue a certificate that their key is good for your website, and impersonate it to any of your new-coming customers who haven't been exposed to your official key yet.

I may also be wrong in my analysis, but as far as my understanding goes, it's correct.

-- Olivier Mehani sht...@ssji.net PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655