Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Andres Perera
out of curiosity, how would you make pf(4) only handle rules
pertaining to a certain anchor depending on the process that's
interfacing with them? i ask because; e.g.,  pfctl -sr should only
show rules for that client, and other pf(4) operations need to be
equally restricted. i know that originally you said that the loading
of the rules is not up to the client but a periodic batch job, however
that does not match CheckPoint VSX

would you make the pf driver check the uid of the caller itself and
spread out this code throughout every routine that fetches and sets
rules, or where would you place the namespacing?

On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer lists-open...@bsws.de wrote:
 * Franco Fichtner slash...@gmail.com [2012-07-04 11:43]:
 No, the great catch here is that VSX offers you tools to manage up
 to 250 of these virtual monsters in a centralized fashion. You can
 also give control of these firewalls to your customers. You can put
 lots of OpenBSD guests on a host, but there's no way you will be
 happy when you are seriously thinking about deploying a VSX.

 ok, you've been brainwashed by marketing.

 this is not a question of the firewall at all, but a question of the
 management interface around it.

 as said and I repeat it again, use anchors and build sth for specific
 users to be able to edit specific anchor rulesets. could be as easy as
 a file per anchor owned by the user in question and a little cronjob
 that reloads your ruleset including anchors hourly or so.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-04 Thread Andres Perera
ok here's a more thought out idea

a vpf is the same as a pf only that it has an ioctl that binds its
device minor to a rule # in pf0. access to a vpf0 is the same, posix
vfs permissions. (securelevel affects pf rule write-ability, but i
don't think a per vpf equivalent is useful for this example). only
that the bind ioctl can be done by root exclusively

if you want more vpfs, you need more device minors. that way the user
interfaces are already there (pfctl, systat states), and the pf device
protocol is already there, but the rules are now partitioned which was
the true purpose from the start

On Wed, Jul 4, 2012 at 11:11 AM, Andres Perera andre...@zoho.com wrote:
 out of curiosity, how would you make pf(4) only handle rules
 pertaining to a certain anchor depending on the process that's
 interfacing with them? i ask because; e.g.,  pfctl -sr should only
 show rules for that client, and other pf(4) operations need to be
 equally restricted. i know that originally you said that the loading
 of the rules is not up to the client but a periodic batch job, however
 that does not match CheckPoint VSX

 would you make the pf driver check the uid of the caller itself and
 spread out this code throughout every routine that fetches and sets
 rules, or where would you place the namespacing?

 On Wed, Jul 4, 2012 at 5:21 AM, Henning Brauer lists-open...@bsws.de wrote:
 * Franco Fichtner slash...@gmail.com [2012-07-04 11:43]:
 No, the great catch here is that VSX offers you tools to manage up
 to 250 of these virtual monsters in a centralized fashion. You can
 also give control of these firewalls to your customers. You can put
 lots of OpenBSD guests on a host, but there's no way you will be
 happy when you are seriously thinking about deploying a VSX.

 ok, you've been brainwashed by marketing.

 this is not a question of the firewall at all, but a question of the
 management interface around it.

 as said and I repeat it again, use anchors and build sth for specific
 users to be able to edit specific anchor rulesets. could be as easy as
 a file per anchor owned by the user in question and a little cronjob
 that reloads your ruleset including anchors hourly or so.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/
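
Henning's "file per anchor, owned by the user in question, reloaded by a cronjob" suggestion, quoted in both of the messages above, leaves the partitioning to userland rather than to the pf device. The following is an added example, not code from this thread or from OpenBSD: a checker-plus-generator that a cron job could run before `pfctl -f`. It refuses anchor files that are not regular files owned by the expected user, that are group- or world-writable, or that start a line with `include`, `load` or `set` (a conservative deny list chosen here, not something pfctl enforces for you), and emits the `anchor`/`load anchor ... from` lines for the rest. `ANCHOR_DIR` and every user, path and rule in `demo()` are constructed for the demonstration.

```python
"""Per-user pf anchor files composed into one main ruleset.

Added example, not code from this thread or from OpenBSD: it sketches the
"file per anchor, owned by the user, reloaded by a cron job" approach in
checker form.  ANCHOR_DIR, the FORBIDDEN list and every user, path and rule
in demo() are constructed for the demonstration.
"""
import os
import re
import stat
import tempfile

ANCHOR_DIR = "/etc/pf.anchors/users"   # assumed layout, not an OpenBSD default

# A delegated ruleset should only contain filter rules.  "include" and
# "load" pull other files into the parse and "set" touches global options,
# so lines starting with them are rejected (a conservative deny list chosen
# for this example, not something pfctl enforces for you).
FORBIDDEN = ("include", "load", "set")
ANCHOR_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def check_anchor_file(path, owner_uid):
    """Return a list of problems; an empty list means the file may be loaded."""
    try:
        st = os.lstat(path)            # lstat: a symlink is not a regular file
    except OSError as e:
        return [str(e)]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    with open(path) as f:
        for lineno, line in enumerate(f, 1):
            words = line.split()
            if words and words[0] in FORBIDDEN:
                problems.append("line %d: '%s' is not allowed in a user anchor"
                                % (lineno, words[0]))
    return problems


def compose_ruleset(users, anchor_dir=ANCHOR_DIR):
    """Build the main-ruleset fragment that a cron job would feed to pfctl.

    users maps anchor name -> uid that must own the file.  Files that fail
    the checks are skipped and reported, so one user's mistake does not stop
    the reload for everyone else.  Returns (ruleset_text, skipped).
    """
    lines, skipped = [], {}
    for name in sorted(users):
        if not ANCHOR_NAME_RE.match(name):
            skipped[name] = ["bad anchor name"]
            continue
        path = os.path.join(anchor_dir, name)
        problems = check_anchor_file(path, users[name])
        if problems:
            skipped[name] = problems
            continue
        lines.append('anchor "users/%s"' % name)
        lines.append('load anchor "users/%s" from "%s"' % (name, path))
    return "\n".join(lines), skipped


def demo():
    """Constructed run: five users, only one of whom has an acceptable file."""
    d = tempfile.mkdtemp()
    me = os.getuid()
    samples = {
        "alice": "pass in quick proto tcp to port 22\nblock in quick\n",
        "bob":   'include "/etc/pf.conf"\n',      # tries to pull in another file
        "carol": "pass out quick\n",               # made world-writable below
        "erin":  "pass out quick\n",               # expected to be owned by someone else
    }
    for name, text in samples.items():
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, 0o600)
    os.chmod(os.path.join(d, "carol"), 0o666)
    users = {"alice": me, "bob": me, "carol": me, "erin": me + 1,
             "dave": me}                           # dave never created a file
    return compose_ruleset(users, d)


if __name__ == "__main__":
    text, skipped = demo()
    print(text)
    for name, why in skipped.items():
        print("skipped %s: %s" % (name, "; ".join(why)))
```

The generated fragment is meant to be appended to the main ruleset and checked with `pfctl -nf` before it is loaded; nothing here talks to pf itself. The `lstat` plus `S_ISREG` test is what stops a user from pointing a symlink at some other file and having root parse it as their ruleset.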



Re: mojibake

2012-07-01 Thread Andres Perera
On Sun, Jul 1, 2012 at 12:30 PM, Anthony J. Bentley
anthonyjbent...@gmail.com wrote:
 So again, the complaint was that there was mojibake gibberish in
 Ingo's presentation, because the character encoding isn't specified
 but defaults to UTF-8 in modern browsers, while the page is actually
 iso-8859-1 encoded.

 Actually, modern browsers do not default to a particular encoding (in
 fact, this violates the HTML standard). Instead, they attempt to autodetect
 the charset. Sometimes this works, and sometimes it doesn't -- I've seen
 UTF-8 pages incorrectly detected as ISO-8859-1, and in particularly bad
 cases, vice versa.

i would consider firefox a modern browser, and it does not default to
autodetect. it defaults to iso-8859-1

however, the gui does not allow per html doctype default charset, so a
management configured browser would apply default charset to html1, 4,
... n

there should be no case where this is a problem. all pages should be
html 4 to avoid these silly exchanges. it would be nice if some sort
of style guide clearly stated pages in www/ are html4, charset
explicitly set to iso-8859-1. in the absence of that, we have these
discussions. having a www/STYLE doc does not require committing to a
particular templating language so hopefully it's a realistic
short-term goal



Re: OpenBSD's webpage desing

2012-06-28 Thread Andres Perera
imo the issue has more to do with one page using a completely
different scheme than all the others. that happens when you copy-paste
massive tags at the beginning of every doc instead of using your
preferred flavor of #include. you could of course go another route
and try to justify it by saying it's html1 unlike the rest, but that's
just as useless as fixating on the charset

On Thu, Jun 28, 2012 at 9:17 AM, Dave Anderson d...@daveanderson.com wrote:
 On Thu, 28 Jun 2012, Stuart Henderson wrote:

On 2012-06-28, ropers rop...@gmail.com wrote:
 On 28 June 2012 01:17, Andres Perera andre...@zoho.com wrote:
 http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html


 that page is encoded iso 8859-1, doesn't state so anywhere, breaks
 with browsers configured to default to utf8 in the absence of encoding
 qualifiers

 $ telnet www.openbsd.org 80
 Trying 142.244.12.42...
 Connected to www.openbsd.org.
 Escape character is '^]'.
 GET /papers/bsdcan11-mandoc-openbsd.html HTTP/1.1
 Host: www.openbsd.org

 HTTP/1.1 200 OK
 Date: Wed, 27 Jun 2012 23:59:19 GMT
 Server: Apache
 Last-Modified: Sat, 18 Jun 2011 11:11:28 GMT
 ETag: 65f60c9352dee7ec594696cdfb681e86316269ef
 Accept-Ranges: bytes
 Content-Length: 32754
 Content-Type: text/html

<HTML>
<BODY>
 ...


 Okay, this could transmit Content-Type: text/html;
 charset=iso-8859-1 but doesn't, but that's ok, we can do this on a
 page-by-page basis with a META tag, which ought to be ignored by
 browsers that don't understand it:

IMO if it's worth doing this at all, it needs doing to *all* pages
that need it, in one go, consistently.

Anything else is likely to be way too much pain for the translators.

 Using META is _ugly_, especially for specifying a charset (since the
 page will be read up through the META element using the charset
 specified in the real header or assumed by the browser -- and that
 charset could be incompatible with the actual encoding.)  Why not just
 use the AddDefaultCharset directive to ensure that a charset is
 specified in the real header for all pages?  Or is this known to break
 some browsers that are still in use?

        Dave

 --
 Dave Anderson
 d...@daveanderson.com



Re: OpenBSD's webpage desing

2012-06-28 Thread Andres Perera
On Thu, Jun 28, 2012 at 3:45 PM, Dave Anderson d...@daveanderson.com wrote:
 On Thu, 28 Jun 2012, frantisek holop wrote:

hmm, on Thu, Jun 28, 2012 at 09:47:00AM -0400, Dave Anderson said that
 Using META is _ugly_, especially for specifying a charset (since the
 page will be read up through the META element using the charset
 specified in the real header or assumed by the browser -- and that
 charset could be incompatible with the actual encoding.)  Why not just
 use the AddDefaultCharset directive to ensure that a charset is
 specified in the real header for all pages?  Or is this known to break
 some browsers that are still in use?

because AddDefaultCharset is a braindead concept.

 No, just one that needs to be applied only when appropriate.  The truly
 braindead idea is that of partially parsing a file in order to find out
 what charset you should have been using in doing that parsing.  This
 only mostly works because, for the typical page content from the
 beginning through any META elements, the encoding specified by most
 charset values happens to match the encoding specified by 8859-1.

[...]

the cool thing about tags is that you can access; e.g., local man
pages through file:// and have a properly decoded page. no need for a
server

most charsets coincide with the first 127 characters of ascii, so
what's the problem anyway. yea some browsers will reread the whole
html but it's a minimal cost if you place the meta tag at the
beginning



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 5:29 PM, Peter Laufenberg open...@laufenberg.ch
wrote:
 Speaking personally, I wouldn't mind if OpenBSD's website were
 updated.  Just no one has volunteered yet to do the dirty work of
 actually coming up with a functional design and then updating the
 HTML.

 Talk is cheap.

 I'm willing to indirectly donate to OpenBSD by paying a professional graphic
designer to redo parts of OpenBSD's visual design. His portfolio:

that would be cool to presence as a bystander

pay the dude regardless of what anybody says, and have him send the
patches to a public mailing list

would've been even more interesting if you told nobody that he was
getting paid for the patches



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 5:55 PM, Peter Laufenberg open...@laufenberg.ch
wrote:
On Wed, Jun 27, 2012 at 5:29 PM, Peter Laufenberg open...@laufenberg.ch
wrote:
 I'm willing to indirectly donate to OpenBSD by paying a professional
 graphic
designer to redo parts of OpenBSD's visual design. His portfolio:

that would be cool to presence as a bystander

 I don't understand you, man!

i rarely see people talking about the site layout on these lists, and
i think it would be funny to see a typical designer dealing with;
e.g., www/build/mirrors.pl

it would be entertaining to follow the thread of patch submissions and
developer reactions :)

having said that, i think the site is ok



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 5:55 PM, john slee indig...@oldcorollas.org wrote:
 Do you think that if the reader finds reading to be optimal at a
 particular column width, that said reader may well adjust their
 browser window to suit?

sorry but that's complete bs. you are essentially expecting users to
re-size the window according to each site, since it's impossible for
all sites to display optimally under fixed browser-window dimensions
without conceding to capped text width... and that's a situation where
worst case happens to match the usual case

the 60-72 cap train took off ages ago. i don't read books like it's a
chinese fortune string, nor do i subject my newspaper leisure hours to
the same torture



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 6:10 PM, Nick Holland
n...@holland-consulting.net wrote:

 Other than boring, no one has actually STATED a problem of the OpenBSD
 website.  What message are we not getting across?  If there is a PROBLEM
 you see that makes getting its information to you difficult, please
 state it and indicate what could be done better.  i.e., saying, what
 you did to the faq/index.html page for this release makes no sense to me
 as I'm blind and using a screen reader would be constructive and useful
 (and I have no freaking idea what to do about it, and in fact, I've just
 made myself feel really guilty, as if someone WERE to say that to me, I
 don't want to undo it...)

ok

concretely, the man and webcvs pages do not have links back to openbsd.org

good design would be to make the openbsd logo at the top left corner be the
link

that's a big nono in site layout. you should make the site as
browseable as possible

(see how you can talk about design without talking about aesthetics)

another thing is, talking with a professional designer will reveal
many problems like these, the difference being that you'll get
information in meaningful chunks instead of little updates such as
this mail



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 6:18 PM, Ingo Schwarze schwa...@usta.de wrote:
 Hi,

 Matthew Dempsky wrote on Wed, Jun 27, 2012 at 01:53:09PM -0700:
 On Wed, Jun 27, 2012 at 1:41 PM, Ted Unangst t...@tedunangst.com wrote:

 Here's something I think would be a *major* improvement.
 Fix magicpoint to export slides in a format better than jpg.

 That's not the only thing that could be fixed about magicpoint;
 however, fixing magicpoint is not a job for the fainthearted.

 The only time i used it so far (ironically, to present about
 mandoc), i ended up publishing the slides in plain HTML,
 with heavy manual postprocessing:

  http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html


that page is encoded iso 8859-1, doesn't state so anywhere, breaks
with browsers configured to default to utf8 in the absence of encoding
qualifiers

all those little things add up, man



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
On Wed, Jun 27, 2012 at 7:43 PM, Philip Guenther guent...@gmail.com wrote:
 On Wed, Jun 27, 2012 at 4:17 PM, Andres Perera andre...@zoho.com wrote:
 ...
 that page is encoded iso 8859-1, doesn't state so anywhere, breaks
 with browsers configured to default to utf8 in the absence of encoding
 qualifiers

 Those browsers are violating the HTTP/1.1 standard.  RFC 2616, section
 3.7.1, paragraph 4:

   The charset parameter is used with some media types to define the
   character set (section 3.4) of the data. When no explicit charset
   parameter is provided by the sender, media subtypes of the text
   type are defined to have a default charset value of ISO-8859-1 when
   received via HTTP. Data in character sets other than ISO-8859-1 or
   its subsets MUST be labeled with an appropriate charset value. See
   section 3.4.1 for compatibility problems.

firefox and ie are nice enough to assume iso-8859-1. that's not the
case with management configured browsers, where RFCs don't mean a damn



 And then there's section 3.4.1:

 3.4.1 Missing Charset

   Some HTTP/1.0 software has interpreted a Content-Type header without
   charset parameter incorrectly to mean recipient should guess.
   Senders wishing to defeat this behavior MAY include a charset
   parameter even when the charset is ISO-8859-1 and SHOULD do so when
   it is known that it will not confuse the recipient.

   Unfortunately, some older HTTP/1.0 clients did not deal properly with
   an explicit charset parameter. HTTP/1.1 recipients MUST respect the
   charset label provided by the sender; and those user agents that have
   a provision to guess a charset MUST use the charset from the
   content-type field if they support that charset, rather than the
   recipient's preference, when initially displaying a document. See
   section 3.7.1.


 Wait, was that a warning that an explicit charset parameter broke some
 older browsers?  Huh...

wtf? a charset parameter is present in www/index.html so i guess that
particular page isn't catering to an unrealistic section of an rfc

i sense some conflicting interests here



 Philip Guenther



Re: OpenBSD's webpage desing

2012-06-27 Thread Andres Perera
that patch is not a solution

a good solution is use m4 or another macro language (maybe cpp since
apparently line-based macro languages are liked by mandoc freaks) to
add an include to all pages in the www/* repository

also, a commit hook that ensures that newly added or modified pages
meet a set of requirements

On Wed, Jun 27, 2012 at 8:55 PM, ropers rop...@gmail.com wrote:
 On 28 June 2012 01:17, Andres Perera andre...@zoho.com wrote:
  http://www.openbsd.org/papers/bsdcan11-mandoc-openbsd.html


 that page is encoded iso 8859-1, doesn't state so anywhere, breaks
 with browsers configured to default to utf8 in the absence of encoding
 qualifiers

 $ telnet www.openbsd.org 80
 Trying 142.244.12.42...
 Connected to www.openbsd.org.
 Escape character is '^]'.
 GET /papers/bsdcan11-mandoc-openbsd.html HTTP/1.1
 Host: www.openbsd.org

 HTTP/1.1 200 OK
 Date: Wed, 27 Jun 2012 23:59:19 GMT
 Server: Apache
 Last-Modified: Sat, 18 Jun 2011 11:11:28 GMT
 ETag: 65f60c9352dee7ec594696cdfb681e86316269ef
 Accept-Ranges: bytes
 Content-Length: 32754
 Content-Type: text/html

 <HTML>
 <BODY>
 ...


 Okay, this could transmit Content-Type: text/html;
 charset=iso-8859-1 but doesn't, but that's ok, we can do this on a
 page-by-page basis with a META tag, which ought to be ignored by
 browsers that don't understand it:

 $ diff -u 'bsdcan11-mandoc-openbsd.html' 'bsdcan11-mandoc-openbsd.html.new'
 --- bsdcan11-mandoc-openbsd.html        2012-06-28 02:12:19.0
+0200
 +++ bsdcan11-mandoc-openbsd.html.new    2012-06-28 02:07:54.0
+0200
 @@ -1,4 +1,7 @@
  HTML
 +HEAD
 +META http-equiv=Content-Type content=text/html; charset=iso-8859-1 /
 +HEAD/
  BODY
  H1A
HREF=http://www.bsdcan.org/2011/schedule/events/230.en.html;Mandoc
  in OpenBSD/A/H1
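
Review bot: the closing tag on the third added line reads `+HEAD/` (slash after the name), so as written the head element is never closed and the BODY that follows ends up inside it; the matching close is `</HEAD>`. Two further points that follow from the discussion around this diff: the META declaration is ignored whenever the server does send a charset in the Content-Type header (RFC 2616 section 3.4.1, quoted in this thread, makes the header label authoritative), so a later AddDefaultCharset with a different value would silently override this change; and because the browser has to start decoding before it reaches the META, it belongs exactly where this hunk puts it, before any non-ASCII byte in the page.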

 Generally speaking, I find that on misc@ the words you should make
 are taken far less seriously than even the most pitiful of diffs.

 regards,
 ropers
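
The messages above argue over where a page's charset comes from (the Content-Type header, a META tag, or a client default) and what goes wrong when it is missing. The following is an added example, not code from this thread: it resolves the charset the way RFC 2616 section 3.4.1 quoted above says a client should (header label first, META as the fallback, client default last), limits the META search to the first 1024 bytes to model a browser that stops looking early, and shows the mojibake that a UTF-8 default produces on an ISO-8859-1 body. The headers and HTML bodies are constructed to mirror the telnet session and the META diff quoted above; the function names are this example's own.

```python
"""Where a page's charset comes from, and what a client does when it is absent.

Added example, not code from this thread.  The headers and HTML bodies below
are constructed to mirror the telnet session and the META diff quoted above;
the function names are this example's own.
"""
import re

# Matches <meta ... charset=xxx> in both the http-equiv and the bare form.
META_CHARSET_RE = re.compile(rb'<meta[^>]*charset\s*=\s*["\']?([A-Za-z0-9._-]+)',
                             re.IGNORECASE)


def charset_from_header(content_type):
    """'text/html; charset=iso-8859-1' -> 'iso-8859-1'; None without a parameter."""
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "charset":
            return value.strip().strip('"').lower()
    return None


def charset_from_meta(body, limit=1024):
    """Find a META charset, but only within the first `limit` bytes.

    The client has to start decoding before it knows the charset.  The META
    line itself is pure ASCII, so it reads the same under any ASCII-compatible
    encoding, which is why the trick works at all, but it only helps if it
    appears before the first non-ASCII byte (and browsers stop looking early).
    """
    m = META_CHARSET_RE.search(body[:limit])
    return m.group(1).decode("ascii").lower() if m else None


def effective_charset(content_type, body):
    """The header label wins (RFC 2616 3.4.1, quoted in the thread); META is
    the fallback; None leaves the client to its own default or a guess."""
    return charset_from_header(content_type) or charset_from_meta(body)


def render(body, content_type, client_default="utf-8"):
    """Decode as a client would.  Returns (text, charset actually used)."""
    charset = effective_charset(content_type, body) or client_default
    return body.decode(charset, errors="replace"), charset


# Constructed ISO-8859-1 page.  The e-acute is the single byte 0xE9, which is
# not valid UTF-8, so a UTF-8 default turns it into U+FFFD: mojibake.
TAIL = b"<BODY>\n<H1>Mandoc in OpenBSD</H1>\n<P>pr\xe9sentation</P>\n"
PAGE_NO_META = b"<HTML>\n" + TAIL
META = b'<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">\n'
PAGE_WITH_META = b"<HTML>\n<HEAD>\n" + META + b"</HEAD>\n" + TAIL
# Same declaration, but pushed past the first kilobyte by a long comment.
PAGE_LATE_META = (b"<HTML>\n<!-- " + b"x" * 1100 + b" -->\n<HEAD>\n"
                  + META + b"</HEAD>\n" + TAIL)


def mojibake_demo():
    """The same bytes reaching a client five ways; returns {case: (text, charset)}."""
    return {
        "bare_utf8_client":   render(PAGE_NO_META, "text/html"),
        "bare_latin1_client": render(PAGE_NO_META, "text/html", "iso-8859-1"),
        "meta":               render(PAGE_WITH_META, "text/html"),
        "late_meta":          render(PAGE_LATE_META, "text/html"),
        "header":             render(PAGE_NO_META, "text/html; charset=iso-8859-1"),
    }
```

The `late_meta` case is the one Dave's objection is about: the declaration is correct, but a client that has already committed to a charset by the time it reaches the tag (here, by the 1024-byte limit) never uses it, which is why the real header is the robust fix and the META belongs at the very top when it is used at all.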



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-20 Thread Andres Perera
sorry, but i never sold nm as the sole step granting immunity. i
explicitly presented it as an example. nevertheless, the full list of
things i do do not cover all of possible changes you pointed out. i
constructed it in a way that also works with snapshots:

diff include/sys/syscall{args,}.h with previous db (a la sysmerge);
double check with nm /bsd. syscallargs changing returns false
whether or not nm shows the same set of calls.

(i don't currently diff /sys/* in hopes of finding new or changed bitmap
flags)

diff include/sys/ioctl.h and header-includes with previous db. i don't
attempt to detect new includes, this is fragile and is covered by
acting on sys/*

the rest of files are predictable sets of other kernel apis. i don't
look at net/pfvar or anything outside sys even though i should

as flaky as it can be, it works most of the time and it's better than
letting the user decide

On Wed, Jun 20, 2012 at 12:59 AM, Matthew Dempsky matt...@dempsky.org
wrote:
 On Tue, Jun 19, 2012 at 9:34 PM, Andres Perera andre...@zoho.com wrote:
 all of the calls in syscalls.master map to a unique function, and all
 of them start with sys_. it's true that nm won't tell me about
 argument changes. i just risk it a little by assuming no one's that
 evil

 Okay, granted nm will tell you when new syscall entry points get
 added... but you won't know about new syscall flags, new ioctls, new
 device nodes, new sysctls, new behavior, etc.

 Not saying you can't use nm as a backup sanity check, but it's not
 something I'd recommend relying on by default.  Our userland is really
 not designed to run on older kernels.



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-20 Thread Andres Perera
On Wed, Jun 20, 2012 at 1:40 AM, Andres Perera andre...@zoho.com wrote:
 sorry, but i never sold nm as the sole step granting immunity. i
 explicitly presented it as an example. nevertheless, the full list of
 things i do do not cover all of possible changes you pointed out. i
 constructed it in a way that also works with snapshots:

 diff include/sys/syscall{args,}.h with previous db (a la sysmerge);
 double check with nm /bsd. syscallargs changing returns false
 whether or not nm shows the same set of calls.

 (i don't currently diff /sys/* in hopes of finding new or changed bitmap
flags)

i am talking about include/sys, not the kernel source repository


 diff include/sys/ioctl.h and header-includes with previous db. i don't
 attempt to detect new includes, this is fragile and is covered by
 acting on sys/*

 the rest of files are predictable sets of other kernel apis. i don't
 look at net/pfvar or anything outside sys even though i should

 as flaky as it can be, it works most of the time and it's better than
 letting the user decide

 On Wed, Jun 20, 2012 at 12:59 AM, Matthew Dempsky matt...@dempsky.org
wrote:
 On Tue, Jun 19, 2012 at 9:34 PM, Andres Perera andre...@zoho.com wrote:
 all of the calls in syscalls.master map to a unique function, and all
 of them start with sys_. it's true that nm won't tell me about
 argument changes. i just risk it a little by assuming no one's that
 evil

 Okay, granted nm will tell you when new syscall entry points get
 added... but you won't know about new syscall flags, new ioctls, new
 device nodes, new sysctls, new behavior, etc.

 Not saying you can't use nm as a backup sanity check, but it's not
 something I'd recommend relying on by default.  Our userland is really
 not designed to run on older kernels.



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
ultimately naive/incomplete approach

never mind the premise that snapshots contain changes not found in the
trees, you state things to the effect of user chooses whether or not
to reboot to new kernel. didn't even bother; e.g., comparing nm
outputs



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
all of the calls in syscalls.master map to a unique function, and all
of them start with sys_. it's true that nm won't tell me about
argument changes. i just risk it a little by assuming no one's that
evil

On Tue, Jun 19, 2012 at 9:22 PM, Matthew Dempsky matt...@dempsky.org wrote:
 On Tue, Jun 19, 2012 at 5:44 PM, Andres Perera andre...@zoho.com wrote:
 didn't even bother; e.g., comparing nm
 outputs

 Er, what are you expecting to divine by comparing nm output?



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
since packages are done in synch with snapshots, i do not use the
trees because i'd rather use packages

it's not clear whether or not changes in snapshots are allowed to make
the packages incompatible with what you find in the repositories.
perhaps i would be able to retract what i said as silly (and benefit
from knowing exactly what it is i'm running at the same time)

On Tue, Jun 19, 2012 at 9:24 PM, Theo de Raadt dera...@cvs.openbsd.org
wrote:
 never mind the premise that snapshots contain changes not found in the
 trees, you state things to the effect of user chooses whether or not
 to reboot to new kernel. didn't even bother; e.g., comparing nm
 outputs

 well, hang on.  quite often those diffs in snapshots are not yet
 committed for a reason.

 those diffs are being tested by people brave enough to test snapshots.
 of course, if people are brave enough to test snapshots, and any last
 minute bugs are found in those diffs and fixed.. and everyone will be
 able to run those juicy bits earlier.

 the diffs in snaps are chosen by me to try to advance so that i can
 help that process ahead (but at the same time not drive myself
 insane).  after all, if i pick the wrong diffs at the wrong time, i'm
 going to break all of the build machines at the same time...



Re: Following -current through a semi-automatic process: a strategy for encouraging user involvement?

2012-06-19 Thread Andres Perera
and that will be an exception that i'll have to deal with, which is
entirely reasonable given that they rarely do change

another rare exception i could skirt around would be white space
changes that would deter me from diffing syscalls.master instead of
`nm /bsd` during automation, but the problem doesn't even come to that
with snapshots, since i don't have a source referral; i only have the
binary interface of the symbol list

On Wed, Jun 20, 2012 at 12:18 AM, Philip Guenther guent...@gmail.com wrote:
 On Tue, Jun 19, 2012 at 9:34 PM, Andres Perera andre...@zoho.com wrote:
 all of the calls in syscalls.master map to a unique function, and all
 of them start with sys_. it's true that nm won't tell me about
 argument changes. i just risk it a little by assuming no one's that
 evil

 Heh.  *Yesterday* tedu asked me to add some backwards compat to a diff
 I sent around that did exactly that, changing the argument list for an
 existing syscall.  I guess I'm winning the evil contest with tedu!


 Philip Guenther
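
The procedure described a few messages up (diff `include/sys/syscallargs.h` against the previous database, double check with `nm /bsd`) and Philip's point just above (an existing syscall can change its argument list without nm noticing) are two halves of one check. The following is an added example, not code from this thread or from OpenBSD: it parses `nm`-style output for `sys_*` text symbols, parses `syscallargs.h`-style argument structs, and reports added symbols, removed symbols and changed argument lists separately, so the case nm misses shows up in the third list. Whitespace is normalised before comparing, which addresses the whitespace-change worry raised in this message. `NM_OLD`/`NM_NEW` and `ARGS_OLD`/`ARGS_NEW` are constructed, and `sys_example_call` and `sys_brand_new` are invented names.

```python
"""Compare two kernels' syscall surfaces: what nm(1) shows and what it misses.

Added example, not code from this thread or from OpenBSD.  NM_OLD/NM_NEW
imitate `nm /bsd` output and ARGS_OLD/ARGS_NEW imitate the argument structs
of <sys/syscallargs.h>; all four are constructed, and sys_example_call and
sys_brand_new are invented names for the demonstration.
"""
import re

NM_OLD = """\
ffffffff801a1000 T sys_open
ffffffff801a1100 T sys_close
ffffffff801a1200 T sys_example_call
ffffffff801a1300 t syscall_helper
"""
# Same kernel plus one new entry point; sys_example_call is still there.
NM_NEW = """\
ffffffff801a1000 T sys_open
ffffffff801a1100 T sys_close
ffffffff801a1200 T sys_example_call
ffffffff801a1300 t syscall_helper
ffffffff801a1400 T sys_brand_new
"""
ARGS_OLD = """\
struct sys_open_args {
    syscallarg(const char *) path;
    syscallarg(int) flags;
    syscallarg(mode_t) mode;
};
struct sys_example_call_args {
    syscallarg(int) fd;
};
"""
# sys_example_call grew a second argument: invisible to nm, visible here.
ARGS_NEW = """\
struct sys_open_args {
    syscallarg(const char *) path;
    syscallarg(int) flags;
    syscallarg(mode_t) mode;
};
struct sys_example_call_args {
    syscallarg(int) fd;
    syscallarg(int) flags;
};
struct sys_brand_new_args {
    syscallarg(void *) buf;
};
"""

SYS_SYMBOL_RE = re.compile(r"^[0-9a-f]+\s+[Tt]\s+(sys_\w+)\s*$", re.M)
ARGS_STRUCT_RE = re.compile(r"struct\s+(sys_\w+)_args\s*\{(.*?)\};", re.S)
ARG_RE = re.compile(r"syscallarg\(([^)]+)\)\s*(\w+)\s*;")


def syscall_symbols(nm_output):
    """Set of sys_* text symbols: the entry points nm can see."""
    return set(SYS_SYMBOL_RE.findall(nm_output))


def syscall_signatures(header):
    """name -> tuple of (type, argname).  Whitespace is normalised away, so a
    reformatting of the header does not count as an ABI change."""
    sigs = {}
    for name, body in ARGS_STRUCT_RE.findall(header):
        sigs[name] = tuple((" ".join(t.split()), n) for t, n in ARG_RE.findall(body))
    return sigs


def compare(nm_old, nm_new, args_old, args_new):
    """Symbol diff from nm plus per-syscall argument diff from the header."""
    old_syms, new_syms = syscall_symbols(nm_old), syscall_symbols(nm_new)
    old_sigs, new_sigs = syscall_signatures(args_old), syscall_signatures(args_new)
    changed = sorted(n for n in old_sigs.keys() & new_sigs.keys()
                     if old_sigs[n] != new_sigs[n])
    return {"added": sorted(new_syms - old_syms),
            "removed": sorted(old_syms - new_syms),
            "changed_args": changed}


def abi_unchanged(report):
    """The rule from the thread: the reboot can wait only if nothing was added,
    removed or given a different argument list."""
    return not (report["added"] or report["removed"] or report["changed_args"])


if __name__ == "__main__":
    print(compare(NM_OLD, NM_NEW, ARGS_OLD, ARGS_NEW))
```

Matthew's caveat still stands: this only covers entry points and their argument structs, not new flag bits, ioctls, sysctls or changed behaviour behind an unchanged signature.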



Re: About wine ?

2012-06-11 Thread Andres Perera
On Mon, Jun 11, 2012 at 1:30 PM, Peter Laufenberg open...@laufenberg.ch
wrote:
On Mon, Jun 11, 2012 at 3:49 PM, Peter Laufenberg open...@laufenberg.ch
wrote:
 Qemu seems like a good project given the flack it gets on wikipedia (very
Cartesian, I know), how well can it run on OpenBSD? what's holding it back?
which kernel improvements/patches will help? if all VM is counter-security,
why? Where do we come from and is there life after death? I demand to know.

Qemu is fine on OpenBSD, but slow, because for some time already it's
without KVM in OpenBSD. Probably one of the reasons for www.bitrig.org

 I see. Lofty goals with a questionable fork rationale. Maybe removing doc
references to floppies and tapes would improve the modernity perception.

they also removed code

makefiles really aren't set up for mass edits. it's hard to do static checks


 From Jiri:
Why don't you first search archives?

 - digressions into exotic sports cars?
 - marketing plugs?
 - out of date?

 -- p



Re: Large (3TB) HDD support

2012-06-03 Thread Andres Perera
On Sun, Jun 3, 2012 at 9:18 PM, Peter Kay syllops...@syllopsium.co.uk wrote:
 Can we please differentiate GPT from EFI. GPT may be part of the EFI
 specification, but it's a standalone piece - implementing GPT is not going
 to restrict anyone's freedom to do what they want with a machine. Some
 possibilities EFI offers are more contentious..

 GPT is a foregone conclusion unless you are blind to the future. The only
 alternative is OS specific disk hackery, and that does no-one any favours.
 Single disk 2TB+ partitions will not even attract comment inside the next 5
 years.

it doesn't make sense to put my boot files / os on a 2tb file system.
whether or not this will eventually become a non-issue, i don't see
any oses significantly moving in the opposite direction. not even
windows 7 shies away from having a small boot partition. there's also
no os out there that benefits from having 2tb to move about the boot
partition, let alone to house system files. that could change but not
any time soon, and most definitely not in the next 5 years



Re: File descriptor - name?

2012-05-05 Thread Andres Perera
that will potentially show up more than one file, not the one that was opened

On Sat, May 5, 2012 at 3:49 AM, Stuart Henderson s...@spacehopper.org wrote:
 On 2012-05-05, Andres Perera andre...@zoho.com wrote:
 not in obsd

 plan 9/linux keep the name as it was opened

 think about hardlinks, unlinking and how the kernel only stores the inode #

 find(1) can search by inode number, so if you can identify that via ktrace
 and if the file still exists, you can use find /root/of/fs -inum 1234



Re: File descriptor - name?

2012-05-04 Thread Andres Perera
not in obsd

plan 9/linux keep the name as it was opened

think about hardlinks, unlinking and how the kernel only stores the inode #

On Fri, May 4, 2012 at 11:44 PM, Alan Corey ab...@devio.us wrote:
 Is there a way to get the name of a file that's open when all you've got is
 a file descriptor?

 I'm working on porting something that I didn't write, with directories full
 of source.  I'm seeing a problem with an ioctl being the wrong type, but
 I'm looking at the code where it happens and I can't see what the file
 descriptor passed in is pointing to.  Seems like there should be a way.

 Alan



Re: OpenBSD 5.1 SSD

2012-04-14 Thread Andres Perera
doesn't support trim. i remember reading somewhere, maybe a freebsd
mailing list, that calculating when to do trim is tricky because it
can only work on a specific width

On Sat, Apr 14, 2012 at 2:08 PM, Laurence Rochfort
laurence.rochf...@gmail.com wrote:
 Hi,

 I'm considering purchasing a domestic SSD for my laptop.

 Does OpenBSD 5.1 support SSDs and the TRIM command if needed?

 Regards,
 Laurence Rochfort



Re: pf anchor strange bihavior

2012-04-12 Thread Andres Perera
On Thu, Apr 12, 2012 at 9:25 PM, Michel Blais mic...@targointernet.com
wrote:
 Just saw something strange with inline anchor rule and macro :

 if I set an anchor rule with a macro inside of it and do pfctl -vnf, only
 the first value of the macro seems to have the anchor rule following. Every
 other value will be without bracket and anchor rules.

 Example :

 in the pf.conf
 net={ em0, em1 }
 anchor in on $net proto tcp to !server port { 22, 8181, 4000, 4001, 4002 } {
         block in quick on $ext_if1 to public_router
         pass  in quick on $ext_if1 to 216.*.*.0/24
         pass  in quick on $ext_if1 to 216.*.*.0/24
         pass  in quick on $ext_if2 to 96.*.*.0/24
         pass  in quick on $ext_if1 to 207.*.*.130
         pass  in quick on $ext_if1 to 207.*.*.128/29
         pass  in quick on $ext_if1 to 207.*.*.136/29
         block in  quick
         block out quick
 }

 pfctl -vnf gives me this :
 anchor in on em0 proto tcp from any to ! server port = ssh {
   block drop in quick on em0 from any to public_antenna
   pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
   pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
   pass in quick on em0 inet from any to 207.*.*.130 flags S/SA
   pass in quick on em0 inet from any to 207.*.*.128/29 flags S/SA
   pass in quick on em0 inet from any to 207.*.*.136/29 flags S/SA
   pass in quick on em1 inet from any to 96.*.*.0/24 flags S/SA
   block drop in quick all
   block drop out quick all
 }
 anchor in on em0 proto tcp from any to ! server port = 8181
 anchor in on em0 proto tcp from any to ! server port = 4000
 anchor in on em0 proto tcp from any to ! server port = 4001
 anchor in on em0 proto tcp from any to ! server port = 4002
 anchor in on em1 proto tcp from any to ! server port = ssh
 anchor in on em1 proto tcp from any to ! server port = 8181
 anchor in on em1 proto tcp from any to ! server port = 4000
 anchor in on em1 proto tcp from any to ! server port = 4001
 anchor in on em1 proto tcp from any to ! server port = 4002

 Is this a limitation of PF, an unanticipated situation, or is it just cosmetic?
 Maybe I misinterpreted it.

the lines directly after the braced block also trigger the braced block

it's cosmetic


 Thanks

 Michel



Re: How to have more than 15 pflog interfaces?

2012-04-10 Thread Andres Perera
altering the max might have consequences i don't know about:

grep -nC5 PFLOGIFS_MAX /sys/net/if_pflog.h
27-#ifndef _NET_IF_PFLOG_H_
28-#define _NET_IF_PFLOG_H_
29-
30-#include net/pfvar.h
31-
32:#define PFLOGIFS_MAX 16
33-
34-struct pflog_softc {
35-	struct ifnet	sc_if;	/* the interface */
36- int sc_unit;
37- LIST_ENTRY(pflog_softc) sc_list;

what i do know is that the actual bug is netstart unhelpfully
redirecting errors to dev null on ifconfig create

if it didn't, you would have seen "ifconfig: SIOCIFCREATE: Invalid argument"

On Tue, Apr 10, 2012 at 12:46 AM, Siju George sgeorge@gmail.com wrote:
 Hi,

 I have /etc/hostname.pflog files from 1-25.
 but only till 15 is available through ifconfig


 pflog15: flags=41<UP,RUNNING> mtu 33152
         priority: 0

 how do I get till pflog25?

 Thanks

 Siju



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-10 Thread Andres Perera
On Tue, Apr 10, 2012 at 1:53 AM, Mihai Popescu mih...@gmail.com wrote:
 Andres Perera wrote:
 read very slowly
 if they don't use the following to boot:

 * bootp (requires more than one system)
 * a cd (requires an optical drive)
 * a floppy (requires a floppy drive)

 then they boot from hdd. it doesn't matter if it's usb, sata or what have you

 I think you are confusing a usb mass storage device and a
 usb attached hdd device.

there's no distinction for the bios, which is the key part in booting
a system. on x86 it looks for specific data which is common in mass
storage media and hdd, *different* to cd boot and floppy boot


 there are no official boot images for hdd. nick is aware of this, and
 so are the rest of the developers

 Yes, they do, since there is no such thing like images for hdd. I
 let you try to define one.

hah, dd your raw hard drive device to a usb key. you have an hdd
image. moreover, several projects either offer those, or an
alternatively crafted iso which can be used for usb boot because it
doesn't just have el torito boot

you are way over your head son, yet you keep insisting



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-09 Thread Andres Perera
On Mon, Apr 9, 2012 at 11:26 AM, Mihai Popescu mih...@gmail.com wrote:
 Andres Perera wrote:
 i don't understand why is such a simple problem turning into drama

 It is not. As for the understanding part, you need to identify what is
 stopping you in the first place - is it that english is not your first
 language and you don't have enough of it, or is it that you read
 between lines, or any other thing. Once you will find it, you can
 adjust it and come to an understanding. Eventually.

 that's outside the conditions. i am talking about a real world
 situation where i had ONE COMPUTER and it did not have a cd drive

 Nick, the FAQ and a bunch of internet out there ARE TALKING about the
 same thing. Didn't you really see this?

 that's it. there's no other way to look at it

 Says who? Take a look at soekris.com stuff and believe these boards are
 able to get OpenBSD installed on them and run it successfully. And
 guess what? Only ONE COMPUTER is involved to prepare the OS.

read very slowly

if they don't use the following to boot:

* bootp (requires more than one system)
* a cd (requires an optical drive)
* a floppy (requires a floppy drive)

then they boot from hdd. it doesn't matter if it's usb, sata or what have you

there are no official boot images for hdd. nick is aware of this, and
so are the rest of the developers

the faq requires that you boot with bsd.rd and use that environment to
install to usb media

you cannot do that with a single computer that can only boot from usb
hdd with the official media, so you need to install to qemu

you are obviously not talking about the same situation, and neither is
the other dude. more than that, you've never encountered this problem
or else you'd be familiar with the requirements

you are a humongous idiot


 Excuse my intervention, please, but your answers keep reminding me of
 someone I work with, who got a habit of telling people around him how
 they CAN'T accomplish something. Pretty useless.



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-09 Thread Andres Perera
nope, not all bioses like that

my hp mini's bios is only willing to do hdd emulation on usb sticks,
so a dd'd iso or floppy image will not suffice (and hey, this
inability isn't uncommon either)

On Mon, Apr 9, 2012 at 6:38 PM, Ted Unangst t...@tedunangst.com wrote:
 On Mon, Apr 09, 2012, Andres Perera wrote:
 if they don't use the following to boot:

 * bootp (requires more than one system)
 * a cd (requires an optical drive)
 * a floppy (requires a floppy drive)

  then they boot from hdd. it doesn't matter if it's usb, sata or what have you

 there are no official boot images for hdd. nick is aware of this, and
 so are the rest of the developers

 Copy the floppy (or cd, for that matter) image onto a USB stick.  Boot
 from it.  Problem solved.



Re: sending hex string to /dev/ttyU1

2012-04-08 Thread Andres Perera
funny how so many perl people and online shellcode tutorials are ok
with that contrived syntax

i recommend perl -e 'print pack "i", 0x8800612a'

it'll adjust to endianness as needed

if you are truly interested in sending hex *strings* then it's not of much help

On Sun, Apr 8, 2012 at 4:25 PM, Ted Unangst t...@tedunangst.com wrote:
 On Sun, Apr 08, 2012, edasky wrote:
 rs232 -d /dev/ttyUSB1 -s '\h 2A 61 00 06 88 01 20 87 3E \r' -r8 -hex

 Now I need to achieve the same result under OpenBSD (5.0)

 Anybody got an idea how to send such a hex string in /dev/ttyU1 ?

 Maybe something like perl -e 'print "\x2a\x61\x00\x88"' > /dev/ttyU1

 You may need to use stty to set the speed and such first.
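Added example, not from the thread: the distinction Andres draws, in C. hex_to_bytes turns a hex *string* like the one rs232 -s was given into the raw bytes the device expects, and pack_native_u32 shows why perl's pack "i" produces host-order bytes (function names are mine; the sample string is the one from the thread).

```c
/* Added example, not from the thread: "2A 61 00 06 ..." as a hex string
 * versus the raw bytes a serial device wants, plus what pack("i") emits. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a whitespace-separated hex string into bytes.  Returns the number of
 * bytes written, or -1 on an odd digit count, a non-hex character, a space
 * splitting a byte, or a buffer that is too small.  "2A 61 00" and "2a6100"
 * both yield 2a 61 00. */
int hex_to_bytes(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = 0;
    int nibble = -1;                     /* pending high nibble, or -1 */

    for (; *hex; hex++) {
        int c = (unsigned char)*hex, v;
        if (isspace(c)) {
            if (nibble != -1)
                return -1;               /* "2 A" is not a byte */
            continue;
        }
        if (!isxdigit(c))
            return -1;
        v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (nibble == -1) {
            nibble = v;
            continue;
        }
        if (n >= cap)
            return -1;
        out[n++] = (unsigned char)((nibble << 4) | v);
        nibble = -1;
    }
    return nibble == -1 ? (int)n : -1;   /* trailing lone nibble is an error */
}

/* What perl's pack("i", v) writes: the integer in host byte order, so the
 * bytes on the wire depend on the machine running the one-liner. */
void pack_native_u32(uint32_t v, unsigned char out[4])
{
    memcpy(out, &v, 4);
}

/* Explicit little-endian, for when the wire order must not depend on host. */
void pack_le_u32(uint32_t v, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

int host_is_little_endian(void)
{
    unsigned char b[4];
    pack_native_u32(0x8800612aU, b);
    return b[0] == 0x2a;
}

int main(void)
{
    unsigned char buf[16], b[4];
    int n = hex_to_bytes("2A 61 00 06 88 01 20 87 3E", buf, sizeof buf);

    printf("%d bytes:", n);
    for (int i = 0; i < n; i++)
        printf(" %02x", buf[i]);
    printf("\n");
    pack_native_u32(0x8800612aU, b);
    printf("pack i 0x8800612a here: %02x %02x %02x %02x (%s-endian host)\n",
           b[0], b[1], b[2], b[3], host_is_little_endian() ? "little" : "big");
    /* To send the bytes: write(fd, buf, n) on the tty once stty/termios
     * have set the speed, as Ted notes. */
    return 0;
}
```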



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-07 Thread Andres Perera
i don't understand why is such a simple problem turning into drama

On Sat, Apr 7, 2012 at 2:10 PM, Nick Holland
n...@holland-consulting.net wrote:
 On 04/06/12 07:35, Dan Shechter wrote:
 Hi, Sorry for the newbe question, but what is wrong with what he is doing?

 Best regards,
 Dan

 First of all, OpenBSD is completely free software.  we can not, nor do
 we want to stop anyone from making their own project (or product)
 based on OpenBSD.  That doesn't mean we always like it.

 The problem comes in when people create things that are no longer
 OpenBSD, then the users come to our lists and developers expecting help.
  Or develop an opinion of OpenBSD based on these non-OpenBSD projects.
 This is often due to lack of maintenance on the part of those projects
 -- they put something together because they feel they need it, they
 think, "this is pretty cool", set up a website, make a logo, and ta-da,
 a project is born...and often, that's how it stays.

 We also don't like misinformation...for example, this from another part
 of the thread:

 can't install in the first place if your only bootable media can be
 usb sticks. the alternative to downloading premade images is making
 them in qemu, which is more work for little gain

 That's ONE alternative.  Roughly equivalent to turning right by turning
 left three times (reverse for Drive-on-Left countries).  You can take
 your USB stick and an OpenBSD CD to any same-platform computer in the
 world that can boot from CD and has a USB port and build an install
 device there using standard processes...and you know what you have and
 how you got it.

that's outside the conditions. i am talking about a real world
situation where i had ONE COMPUTER and it did not have a cd drive

that's it. there's no other way to look at it



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-06 Thread Andres Perera
On Fri, Apr 6, 2012 at 2:17 AM, Mihai Popescu mih...@gmail.com wrote:
 Andres Perera andres.p () zoho ! com

 if you cant install through network because you only got one machine

 So you can't install OpenBSD but you CAN download the pre-made OpenBSD images?

need another machine for bootp


 and feel that guerrilla overwriting your mbr after installing the locks
 within another os in order to do a hdd boot is too risky, you're left with this

 I've used OpenBSD in a multiboot and it was working perfectly fine, no
 guerrilla there.

can't install in the first place if your only bootable media can be
usb sticks. the alternative to downloading premade images is making
them in qemu, which is more work for little gain


 the page you linked does not provide that

 It does not, since the page is for a specific purpose. If you take
 your time and go back to the root of FAQ you may find what you are
 looking for. But I guess it is nicer for you to spread crazy things on the
 list.



Re: LiveUSB OpenBSD and LiveCD-OpenBSD site updated

2012-04-02 Thread Andres Perera
?

he is hosting *pre-made* bootable usb images

if you cant install through network because you only got one machine,
don't have a cd drive (e.g. netbook), and feel that guerrilla
overwriting your mbr after installing the locks within another os in
order to do a hdd boot is too risky, you're left with this

the page you linked does not provide that

On Mon, Apr 2, 2012 at 1:26 AM, Jan Stary h...@stare.cz wrote:
 On Apr 01 21:30:58, Girish Venkatachalam wrote:
 After a long long time. Sigh.

 Please stop spreading this. All it does is give wrong
 instruction and diverts people who should instead read
 http://www.openbsd.org/faq/faq14.html#flashmemLive



Re: Is nginx to complement or replace apache?

2012-03-30 Thread Andres Perera
On Thu, Mar 29, 2012 at 4:30 PM, Otto Moerbeek o...@drijf.net wrote:
 On Thu, Mar 29, 2012 at 01:31:17PM -0430, Andres Perera wrote:

 On Thu, Mar 29, 2012 at 11:29 AM, Otto Moerbeek o...@drijf.net wrote:
  On Thu, Mar 29, 2012 at 10:54:48AM -0430, Andres Perera wrote:
 
  On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd we...@weirdnet.nl
wrote:
   On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote:
   |  Instead, you'll crank your file limits to... let me guess,
unlimited?
   | 
   |  And when you hit the system-wide limit, then what happens?
   | 
   |  Then it is our systems problem, isn't it.
   | 
   |
   | i am not sure if you're a suggesting that each program do getrlimit
   | and acquire resources based on that, because it's a pita
  
   Gee whiz, writing programs is hard!  Let's go shopping!
  
   | what they could do is offer a reliable estimate (e.g. 5 open files
per
   | tab required)
  
   Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if
   any) *DEAL WITH IT*
 
  but we're only talking about one resource and one error condition
 
  write wrappers for open, malloc, etc
 
  avoiding errors regarding stack limits is not as easy
 
  There are very few programs that actually hit stack limits. Most cases
  it's unbounded recursion, signalling an error.

 doesn't change the fact that preempting it takes modifying your
 compiler's typical function prelude (and slowing down each call)

 additionally, anticipating FSIZE would greatly slow down each write

 so no, you can't just be correct all the time and pat yourself on the back

 
 
  obviously there's no reason for: a. every application replicating
  these wrappers (how many xmallocs have you seen, honest?) and b. the
  system not providing a consistent api
 
  Nah, you cannot create an api for this stuff, proper error handling and
  adaptation to resource limits is a program specific thing.

 well, if including logic that gracefully handles the stack limit is
 not important on the basis of most application's needs, then i don't
 see how the reverse relation couldn't justify a library with xmalloc
 and similar. *most* applications that implement this function copy
 paste the same fatal version. see also `#define MIN/MAX`

 You just seem to argue for the sake of it. Anyway

 A lot of programs have a *static* limit on stack depth, so those
 programs do not have that problem.

 For programs where the stack depth is a function of the input (for e.g.
 parser and expression evaluation), there are well known techniques to
 control the maximum depth. Most of these programs actually have their
 own parse stack management and do not use the function stack for
 that.

 In my experience, I only have seen programs hitting stacks limit when
 the stack limit was very low, like 64k or so. Hitting the stack limit
 is not a real world problem. Our default stack limit is 4M: big enough
 for virtually any program, and small enough to catch unbounded
 recursion before it will eat all vm.

 Hitting mem or fd limit *is* a real world problem. Because both
 memory and fd usage can build up, even in a well written program. In
 contrast to stack usage.

in my system, hitting fd limit is completely an artificial problem. i
have 8 gigs of memory and struct file is 120 bytes on amd64. the
default low limit is as silly as would be a 64k stack limit. if i were
designing a browser for machines like these, i wouldn't waste time
optimizing fd usage

even if i had access to the same browser you guys use, which magically
multiplexes a single socket over all connections, including ipc with
child processes that house tabs and plugins like google chrome, i
could afford not to give a shit when tiny fds go to waste whenever i
tried the bloated alternatives


 And just using xmalloc or similar for those cases is often not a
 solution, especially not for daemon programs. Handling resource
 exhaustion is a difficult problem that cannot be solved by just
 quitting your program, even if a lot of programs do so.

         -Otto



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Wed, Mar 28, 2012 at 4:42 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
  Seeing the work that is done on nginx as Daily changelog shows I was
  thinking the same, that eventually nginx will replace httpd (it cannot
  replace apache).
  About that "too many files open", I run it this once, but Stuart
  Henderson suggested to alter the values in /etc/login.conf. I was
  expecting some decent values there, but I found out from FAQ that the
  default file has the corresponding values for the minimal hardware
  system OpenBSD is able to run on, so the giant machines need
  adjusting.
 

 On Wed, Mar 28, 2012 at 11:44 PM, Theo de Raadt dera...@cvs.openbsd.org 
 wrote:
  Balony.
 
  If software cannot cope intelligently with soft resource limits,
  then such software is probably broken.
 
  Otherwise, let's just remove the entire resource limit subsystem, ok?

 No need to remove it I think, because the sole usage of it has a
 purpose since you've put it there from the start.
 I can't call xxxterm as being "probably broken" because my knowledge and
 position don't allow me to do that. This package asks for minimum 1024
 file descriptors

 What happens if it opens 1025 files?

 and recommends 2048.

 What happens if it opens 2049 files?

 I modified openfiles-max in
 login.conf. That was the closest place I found to fulfill the request.
 The other application is shotwell, it crashes when you try to open in
 thumbnails mode a directory full of pictures. I don't know why the
 developers used the opening all files at once approach.

 So you crank your limits.

 What happens if it opens 1 file more than your limits?

 You crank the limits, again.

 What happens if it opens 1 file more than your new limits?

 When do you realize that you are the problem, because you don't
 tell the developers to fix their software so that it works in the
 resource limits allocated to it?

 Instead, you'll crank your file limits to... let me guess, unlimited?

 And when you hit the system-wide limit, then what happens?

 Then it is our systems problem, isn't it.


i am not sure if you're suggesting that each program do getrlimit
and acquire resources based on that, because it's a pita

what they could do is offer a reliable estimate (e.g. 5 open files per
tab required)



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd we...@weirdnet.nl wrote:
 On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote:
 |  Instead, you'll crank your file limits to... let me guess, unlimited?
 | 
 |  And when you hit the system-wide limit, then what happens?
 | 
 |  Then it is our systems problem, isn't it.
 | 
 |
  | i am not sure if you're suggesting that each program do getrlimit
 | and acquire resources based on that, because it's a pita

 Gee whiz, writing programs is hard!  Let's go shopping!

 | what they could do is offer a reliable estimate (e.g. 5 open files per
 | tab required)

 Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if
 any) *DEAL WITH IT*

but we're only talking about one resource and one error condition

write wrappers for open, malloc, etc

avoiding errors regarding stack limits is not as easy

obviously there's no reason for: a. every application replicating
these wrappers (how many xmallocs have you seen, honest?) and b. the
system not providing a consistent api

after you're done writing all the wrappers for your crappy browser,
what do you do? notify the user that no resources can be allocated,
try pushing the soft limit first, whatever. they still have to re-exec
with higher limits

why even bother?



 Note that on a busy system, the ulimit is not the only thing holding
 you back.  You may actually run into the maximum number of files the
 system can have open at any given time (sure, that's also tweakable).
 Just doing getrlimit isn't going to be sufficient...

doesn't matter


 Paul 'WEiRD' de Weerd

 --
[++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
                 http://www.weirdnet.nl/
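As an added example (not code from this thread), what "check the returned error code and deal with it" and "try pushing the soft limit first" look like for open(2) in C: on EMFILE the wrapper lifts the soft RLIMIT_NOFILE toward the hard limit (no privilege needed), retries once, and otherwise returns the error so the caller can shed resources instead of aborting the way xmalloc does; count_opens is a demo harness and the function names are mine.

```c
/* Added example, not from the thread: an open() that copes with the
 * per-process descriptor limit instead of exiting on the first failure. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Push RLIMIT_NOFILE's soft limit up to the hard limit.  Any process may do
 * this; only raising the hard limit needs privilege.
 * Returns 1 if the soft limit went up, 0 if it was already at the hard
 * limit (nothing left to push) or the call failed. */
int raise_nofile_soft_limit(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
        return 0;
    if (rl.rlim_cur >= rl.rlim_max)
        return 0;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_NOFILE, &rl) == 0;
}

/* open() that checks the error and deals with it: on EMFILE, lift the soft
 * limit once and retry; on any other failure, or once the hard limit is hit
 * too, return -1 with errno intact so the caller can close idle connections
 * or drop a cache rather than exit. */
int open_or_adapt(const char *path, int flags)
{
    int fd = open(path, flags);

    if (fd == -1 && errno == EMFILE && raise_nofile_soft_limit())
        fd = open(path, flags);
    return fd;
}

#define MAX_DEMO_FDS 4096

/* Demo harness: clamp the soft limit to `soft`, open `path` until it fails,
 * then close everything and restore the old limits.  Returns how many
 * descriptors were obtained, or -1 if the limit could not be set.  With the
 * wrapper the count gets past the first EMFILE; plain open() stops there. */
int count_opens(const char *path, rlim_t soft, int use_wrapper)
{
    struct rlimit saved, rl;
    int fds[MAX_DEMO_FDS];
    int n = 0;

    if (getrlimit(RLIMIT_NOFILE, &saved) == -1)
        return -1;
    rl = saved;
    rl.rlim_cur = soft;
    if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
        return -1;
    while (n < MAX_DEMO_FDS) {
        int fd = use_wrapper ? open_or_adapt(path, O_RDONLY)
                             : open(path, O_RDONLY);
        if (fd == -1)
            break;                      /* EMFILE (or hard limit) reached */
        fds[n++] = fd;
    }
    for (int i = 0; i < n; i++)
        close(fds[i]);
    setrlimit(RLIMIT_NOFILE, &saved);   /* put the limits back for the caller */
    return n;
}

int main(void)
{
    int plain = count_opens("/dev/null", 8, 0);
    int adapt = count_opens("/dev/null", 8, 1);

    printf("soft limit 8: plain open() got %d fds, open_or_adapt() got %d\n",
           plain, adapt);
    return 0;
}
```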



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Thu, Mar 29, 2012 at 11:29 AM, Otto Moerbeek o...@drijf.net wrote:
 On Thu, Mar 29, 2012 at 10:54:48AM -0430, Andres Perera wrote:

 On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd we...@weirdnet.nl wrote:
  On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote:
   |  Instead, you'll crank your file limits to... let me guess, unlimited?
  | 
  |  And when you hit the system-wide limit, then what happens?
  | 
  |  Then it is our systems problem, isn't it.
  | 
  |
   | i am not sure if you're suggesting that each program do getrlimit
  | and acquire resources based on that, because it's a pita
 
  Gee whiz, writing programs is hard!  Let's go shopping!
 
  | what they could do is offer a reliable estimate (e.g. 5 open files per
  | tab required)
 
  Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if
  any) *DEAL WITH IT*

 but we're only talking about one resource and one error condition

 write wrappers for open, malloc, etc

 avoiding errors regarding stack limits is not as easy

 There are very few programs that actually hit stack limits. Most cases
 it's unbounded recursion, signalling an error.

doesn't change the fact that preempting it takes modifying your
compiler's typical function prelude (and slowing down each call)

additionally, anticipating FSIZE would greatly slow done each write

so no, you can't just be correct all the time and pat yourself on the back



 obviously there's no reason for: a. every application replicating
 these wrappers (how many xmallocs have you seen, honest?) and b. the
 system not providing a consistent api

 Nah, you cannot create an api for this stuff, proper error handling and
 adaptation to resource limits is a program specific thing.

well, if including logic that gracefully handles the stack limit is
not important on the basis of most application's needs, then i don't
see how the reverse relation couldn't justify a library with xmalloc
and similar. *most* applications that implement this function copy
paste the same fatal version. see also `#define MIN/MAX`



 after you're done writing all the wrappers for your crappy browser,
 what do you do? notify the user that no resources can be allocated,
 try pushing the soft limit first, whatever. they still have to re-exec
 with higher limits

 why even bother?

 Stop using the crappy program. We prefer to apply back pressure to
 crappy programming instead of accommodating it.

         -Otto


 
 
  Note that on a busy system, the ulimit is not the only thing holding
  you back.  You may actually run into the maximum number of files the
  system can have open at any given time (sure, that's also tweakable).
  Just doing getrlimit isn't going to be sufficient...

 doesn't matter

 
  Paul 'WEiRD' de Weerd
 
  --
 [++-]+++.+++[---].+++[+
  +++-].++[-]+.--.[-]
                   http://www.weirdnet.nl/



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Thu, Mar 29, 2012 at 12:53 PM, Claudio Jeker
cje...@diehard.n-r-g.com wrote:
 On Thu, Mar 29, 2012 at 10:54:48AM -0430, Andres Perera wrote:
 On Thu, Mar 29, 2012 at 10:38 AM, Paul de Weerd we...@weirdnet.nl wrote:
  On Thu, Mar 29, 2012 at 10:24:27AM -0430, Andres Perera wrote:
  |  Instead, you'll crank your file limits to... let me guess, unlimited?
  | 
  |  And when you hit the system-wide limit, then what happens?
  | 
  |  Then it is our systems problem, isn't it.
  | 
  |
   | i am not sure if you're suggesting that each program do getrlimit
  | and acquire resources based on that, because it's a pita
 
  Gee whiz, writing programs is hard!  Let's go shopping!
 
  | what they could do is offer a reliable estimate (e.g. 5 open files per
  | tab required)
 
  Or just try to open a file, *CHECK THE RETURNED ERROR CODE* and (if
  any) *DEAL WITH IT*

 but we're only talking about one resource and one error condition

 OMG. System calls can fail. I'm shocked. How can anything work?!

 write wrappers for open, malloc, etc

 Why wrappers? Just check the freaking return value and design your program
 to behave in case something goes wrong.

guess what, if you do this more than once in your program you have a
wrapper candidate


 avoiding errors regarding stack limits is not as easy

 Yes, so embrace them, design with failure in mind.

 obviously there's no reason for: a. every application replicating
 these wrappers (how many xmallocs have you seen, honest?) and b. the
 system not providing a consistent api

 xmalloc is a dumb interface, since it terminates the process as soon as
 the first malloc fails. Sure it is the right thing for processes with
 limited memory needs but browsers are such pigs today that you should be
 better than just showing an "Oups, something went wrong" page on next
 startup.

 after you're done writing all the wrappers for your crappy browser,
 what do you do? notify the user that no resources can be allocated,
 try pushing the soft limit first, whatever. they still have to re-exec
 with higher limits

 Maybe you could also close some of those 999 keep-alive sessions and
 pre-load sessions you have open and retry. Seriously why does a
 webbrowser need 1024 file descriptors to be open at the same time?
 Are you concurrently reading 500 homepages?

you are not expected to read 500 homepages at the same time, but you
*are* expected to switch to any tab at any time, and the price of a
system call to reopen the pertaining file descriptors is unacceptable


 why even bother?

 because modern browsers suck. They suck big time. They assume complete
 ownership of the system and think that consuming all resources just to
 show the latest animated gif from 4chan is the right thing.


 
 
  Note that on a busy system, the ulimit is not the only thing holding
  you back.  You may actually run into the maximum number of files the
  system can have open at any given time (sure, that's also tweakable).
  Just doing getrlimit isn't going to be sufficient...

 doesn't matter

 your attitude is the reason why we need multi-core laptops with 8GB of ram
 to play one game of tic-tac-toe.

until now it's been about the interface. glad that someone decided to
be honest by saying they have bias towards the default low limits (and
fitting oses in floppy disks, etc)

:)


 --
 :wq Claudio



Re: Is nginx to complement or replace apache?

2012-03-29 Thread Andres Perera
On Thu, Mar 29, 2012 at 3:46 PM, Ted Unangst t...@tedunangst.com wrote:
 On Thu, Mar 29, 2012, Andres Perera wrote:
 Maybe you could also close some of those 999 keep-alive sessions and
 pre-load sessions you have open and retry. Seriously why does a
 webbrowser need 1024 file descriptors to be open at the same time?
 Are you concurrently reading 500 homepages?

 you are not expected to read 500 homepages at the same time, but you
 *are* expected to switch to any tab at any time, and the price of a
 system call to reopen the pertaining file descriptors is unacceptable

 What retarded browser are you using that needs to reopen file
 descriptors to switch tabs?  And what retarded OS are you running
 where system calls are so expensive they're user noticeable?


none of firefox, chrome micromanage to this extent, that's exactly the point

as for the second question, it's conveniently ignoring keep-alive and
*anything* interactive. re-acquiring fds *and* emptying the queue of
pending actions is the cost, not the mere syscall

apparently you or claudio came up with a scheduler that guesses which
tabs are more important, swaps to disk the ones that aren't, and
pretends their ongoing transmissions don't mean anything



Re: ksh's HISTFILE

2012-03-14 Thread Andres Perera
that makes it awkward to use across sessions (defeating the point of the file)

even though it does not appear to have options regarding this, bash
does have a crap ton of settings regarding history handling

whatever the route, i would prefer if ksh didn't have new flags added
to it, but instead sensible behavior by default

On Tue, Mar 13, 2012 at 9:35 PM, Claus Assmann
ca+openbsd_m...@esmtp.org wrote:
 On Tue, Mar 13, 2012, Hugo Villeneuve wrote:
 On Mon, Mar 12, 2012 at 01:03:54PM +0200, lilit-aibolit wrote:

  export HISTFILE=~/.sh_history

 Because last time I tried, it was unusable if you ran more than two
 sessions concurrently, as both shells would use the same file directly

 Maybe try something like this?

 HISTFILE=${HOME%/}/.ksh_hist.$$



Re: SSH, root can repeat commands with up arrow, others cannot

2012-03-11 Thread Andres Perera
On Sun, Mar 11, 2012 at 3:32 PM, Tobias Ulmer tobi...@tmux.org wrote:
 On Sun, Mar 11, 2012 at 02:43:42PM -0500, Chris Bennett wrote:
 This started for me a while back.
 Login as root, I can repeat older commands with up down arrows.
 History command shows history.

 su -l otheruser

 Cannot use up down arrows to access history.
 History command shows correct history.

 You most likely set EDITOR to something containing vi. ksh parses that
 and switches to vi mode. IMO it's a disgusting feature, but that
 appears to be just me.

 set -o emacs
 set +o vi

after `set -o emacs`, the final line is redundant



 Login remotely as otheruser.
 Same problem.

 Chris Bennett



Re: pgt firmware ...

2012-02-28 Thread Andres Perera
On Mon, Feb 27, 2012 at 7:52 AM, Janne Johansson icepic...@gmail.com wrote:
 2012/2/27 David Walker davidianwal...@gmail.com:
 Thank you Peter.
 I still get the same error message (error line wrapped):

 pkg_add ./pgt-firmware-1.2p2.tgz
 Bad pkg_db: No such file or directory at
 [...]
 Somethings wrong with my environment but what ...

 Yes, the thing that makes it impossible for you to run exactly what we
 tell you to, and instead you add ./name-of-package when pkg_add
 takes URLs directly.

but that couldn't possibly make a difference so why do you keep repeating

 Now exactly what in your environment is doing that, I can't really tell.

 --
 "To our sweethearts and wives.  May they never meet." -- 19th century toast



Re: FR: Make it possible to turn off untrusted users ability to read cmdline arguments of processes they don't own

2012-02-02 Thread Andres Perera
they're not necessarily the arguments

see setproctitle(3) and the behaviour of; e.g., sendmail, dhclient, etc

On Wed, Feb 1, 2012 at 7:00 PM, Paul Dejean p...@officegps.com wrote:
 Even though it's bad practice, a lot of commonly used programs will request
 passwords or similar sensitive information as command line arguments.
 For instance, curl, svn, useradd... There will usually be a way to
 work around doing things this way (curl can read from a config file
 for instance), but doing so is a hassle (have to write a new config
 file for each request).

 I would really like some way to turn the access unprivileged users
 have to this information on and off. Ideally I'd like it off by
 default in OpenBSD (secure by default).

 Also I would like to add, that even if you folks shoot down this FR as
 being an awful idea. It's good that there's an operating system
 community where I feel comfortable bringing up this request, where I
 wouldn't hear things like:
 "You have untrusted users on your system? What a n00b"
 "All security features are off by default, why should it be our
 responsibility to protect admins from their stupid mistakes?"
 "omg why should you care. hunting for sensitive information? it's not
 like anyone actually does that"



Re: looking for hardware recommendations, x86 or otherwise.

2012-02-02 Thread Andres Perera
On Thu, Feb 2, 2012 at 4:38 PM, Lars nore...@z505.com wrote:
 Anon wrote:
 Obviously you don't live in a 3rd world country. I do and nothing is 50
 bucks here except the women. Nobody throws anything out except dead cats
 and PCs cost about 350 USD for a new build based on 3-5 year old NOS parts
 the Americans dumped on the market after they went obsolete.




 Well you can get computers in Canada for under 50 dollars, so it would
 require shipping them.  If you do it in massive bulk (palettes or
 containers) it only adds about 5-10 dollars extra shipping cost to each
 computer.   And if you do it in massive bulk, it means the computer is no
 longer 50 dollars but a bulk discount is applied so only about $40
 dollars.

 I have shipped containers across the ocean to other countries before with
 hundreds of computers across Atlantic ocean. If you do not order them in
 bulk then it costs too much to ship them (more to ship them than the price
 of the computer itself!). It's all about bulk and quantity.

 So the third world country would have to gather all their funds together,
 and do a bulk purchase, rather than each person purchasing individually.

i have to agree with troll here

some countries have "control de cambio" which means that it's illegal
to buy dollars/selected foreign currency past a certain extent on a
periodic basis

really, don't speculate about other places unless you know for sure


 The advantage of the raspberry pi is that you might be able to shove it
 inside a bubble padded envelope, whereas desktop computers need to be
 packed up on palettes and containers.

 Still, you need to buy LCD monitors or CRT, so the lightweight raspberry
 pi is a moot point, since LCD's and CRT's are heavy. Unless you already
 have LCD/CRT monitors and just need the PC part.



Re: use trap command in a script

2012-01-19 Thread Andres Perera
signal(3):

Except for the SIGKILL and SIGSTOP signals, the signal() function
allows for any signal to be caught, to be ignored, or to generate an
interrupt.

On Thu, Jan 19, 2012 at 8:17 AM, Wesley M. open...@e-solutions.re wrote:
 Hi,

 I want to see a message on console when i send signal like HUP
 KILL INT and TERM

 using for example in a script manageprocess:


 #!/bin/ksh
 trap 'echo Kill detected!' 9
 trap 'echo ctrl-c detected!' 2

 run it with sudo sh manageprocess
 No message appears

 Therefore if i run manually this: trap 'echo ctrl-c detected!' 2
 it works. But trap 'echo Kill detected!' 9 doesn't work.
 Why? Why can't i use it in a script?

 Any idea?

 Thank you very much.
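The signal(3) sentence in C, as an added example that is not from the thread: sigaction(2) installs handlers for HUP, INT and TERM but rejects SIGKILL and SIGSTOP with EINVAL, which is why a trap on 9 can never print anything in any shell (function names are mine).

```c
/* Added example, not from the thread: which of the signals the question
 * names (HUP, INT, TERM, KILL) a process can actually catch, per signal(3). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#define SIG_SLOTS 128              /* larger than any signal number in use */

static volatile sig_atomic_t seen[SIG_SLOTS];   /* set by the handler */

static void on_signal(int signo)
{
    if (signo > 0 && signo < SIG_SLOTS)
        seen[signo] = 1;
}

/* Try to install a handler for signo with sigaction(2).
 * Returns 1 if the kernel accepted it, 0 if it refused (errno set).  The
 * refusal for SIGKILL and SIGSTOP is the reason a shell trap on 9 or the
 * stop signal can never run its action. */
int can_catch(int signo)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(signo, &sa, NULL) == 0;
}

/* Install the handler, send the signal to ourselves and report whether the
 * handler ran.  raise() is skipped when the install failed: for SIGKILL it
 * would simply terminate this process, handler or not. */
int handler_runs(int signo)
{
    if (signo <= 0 || signo >= SIG_SLOTS || !can_catch(signo))
        return 0;
    seen[signo] = 0;
    raise(signo);            /* delivered to this thread before raise() returns */
    return seen[signo] == 1;
}

int main(void)
{
    const struct { const char *name; int signo; } sigs[] = {
        { "HUP", SIGHUP }, { "INT", SIGINT }, { "TERM", SIGTERM },
        { "KILL", SIGKILL }, { "STOP", SIGSTOP },
    };

    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++) {
        if (can_catch(sigs[i].signo))
            printf("%-4s catchable, handler ran: %s\n", sigs[i].name,
                   handler_runs(sigs[i].signo) ? "yes" : "no");
        else
            printf("%-4s not catchable: sigaction failed with %s\n",
                   sigs[i].name, strerror(errno));
    }
    return 0;
}
```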



Re: Install without the DNS domain name from DHCP

2012-01-11 Thread Andres Perera
On Sun, Jan 1, 2012 at 4:22 PM, bofh goodb...@gmail.com wrote:
 On Sun, Jan 1, 2012 at 2:47 PM, Josh Jevosh jev...@gmail.com wrote:
 Hello.

  I'm installing OpenBSD 5.0. When I configure the networking to DHCP it
  goes ahead and sets the DNS domain name to something that it got from my
  ISP. I would like to only use the short name that I specified as the
  hostname as the entire hostname excluding the rest of it that comes from
  my ISP. How do I do that?

 You want to play with the options in /etc/dhclient.conf. I have
 supersede host-name and supersede domain-name in mine. However, I
 don't know if you can use

 supersede domain-name ;

this constantly comes up on the list for some reason. it shouldn't
because it doesn't do anything

once you actually test it, you'll see that setting an option to the
empty string is the same as not setting the option at all (so dhclient
fallsback to defaults)

maybe it needs to be documented somewhere...


 as a valid option. The better way is probably to include a search
 line in resolv.conf for the domain you are going to use (or the domain
 your ISP gives you). Or get a free one from dyndns.org (or any other
 free ones).

 Everyone should really use FQDN - short names suck and make people lazy.


 --
 http://www.glumbert.com/media/shift
 http://www.youtube.com/watch?v=tGvHNNOLnCk
 This officer's men seem to follow him merely out of idle curiosity.
 -- Sandhurst officer cadet evaluation.
 Securing an environment of Windows platforms from abuse - external or
 internal - is akin to trying to install sprinklers in a fireworks
 factory where smoking on the job is permitted. -- Gene Spafford
 learn french: http://www.youtube.com/watch?v=30v_g83VHK4



Re: PF Snort tutorial

2012-01-03 Thread Andres Genovez
2012/1/3 Bentley, Dain dbent...@nas.edu

 I've been looking around for a good tutorial on implementing snort with PF
 and
 everything I see is old, does anyone know of or have implemented a solution
 using an IDS/IPS with PF on the same box?  If possible I'd like snort of
 some
 other IDS inspect packets and have pf drop them based on the fact they
 match
 certain signatures.  Thanks in advance.


Implementing that is really a pain in the hell out.. I did it on a 4.9,
i need to do it from sources, there is no complete tutorial, it works on
4.9, not implemented with PF though...

Greetings...



--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: ccd(4) hangs system on two IDE disks concatenation attempt

2011-12-12 Thread Andres Perera
that's interesting

raises a couple of questions: is softraid to have functions found in
generic volume managers such as zfs and lvm? the answer doesn't really
matter because it's a fact that crypto isn't a raid discipline

given that, is softraid a poor name for what it offers?

On Mon, Dec 12, 2011 at 5:28 AM, Stuart Henderson s...@spacehopper.org wrote:
 On 2011-12-12, Pavel Shvagirev pavel.shvagi...@gmail.com wrote:
 You are right. The more better way would be buying a bigger storage,

 or writing a concatenation backend for softraid(4).

 softraid_raid0.c would be a good starting point.



Re: What is wrong with this pf config

2011-12-11 Thread Andres Perera
On Sun, Dec 11, 2011 at 3:29 PM, John Tate j...@johntate.org wrote:
 I am not replying to every thread on the list. You either have me confused
 with someone else or there is some kind of imposter or person with a
 similar name. I'm confused I should say. This was something constructive to
 say regardless, it was an idea. I remember last time I was using OpenBSD (I
 had a hiatus) and mmap changes broke a lot of ports. There is supposed to
 be an emphasis on security, not your scripts. OpenBSD warns about mistakes,
 it emails you about your mistakes, and it could point out this mistake as
 well.

not having block as default isn't really a mistake, unless pfctl can
read your mind

if you don't have daemons listening then what's the point of blocking ports?

just an example of many situations that could occur


 On Mon, Dec 12, 2011 at 5:55 AM, James Shupe jsh...@osre.org wrote:

 No. Modifying a general purpose tool for a specific (albeit common) use
 case is stupid. Any properly implemented warning would cause pfctl to
 exit non-zero, which would break automated scripts that check the exit
 code of pfctl. You would have to add a whole new option to ignore your
 specific use case, and even that would require modifying existing
 scripts.

 I wish they would ban you from this list already. I'm sick of seeing
 your reply to every thread when you never have anything constructive to
 say.


 I am not replying to every thread on the list. You either have me confused
 with someone else or there is some kind of imposter or person with a
 similar name. I'm confused I should say. This was something constructive to
 say regardless, it was an idea. I remember last time I was using OpenBSD (I
 had a hiatus) and mmap changes broke a lot of ports. There is supposed to
 be an emphasis on security, not your scripts. OpenBSD warns about mistakes,
 it emails you about your mistakes, and it could point out this mistake as
 well.

 Perhaps it could be for security(8) to do instead actually. I don't know, I
 didn't design the fucking system, it was just a suggestion.


 On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
  It's just whining! Perhaps if should only do it if it has an Internet IP
  address not a LAN or WAN one involved.
 
  On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson icepic...@gmail.com
 wrote:
 
   2011/12/11 John Tate j...@johntate.org
  
  
   So I have a suggestion worth considering, if the line block in all
 does
   not appear pfctl -nf should perhaps spit out a warning. Much like
 you've
   done with your pretty compilers over there.
  
  
   There are still lots of reasons to run PF even if you don't want
 block in
   all for a default, so whining on all the other uses you couldn't
 imagine
   would not be very productive.
  
   --
 To our sweethearts and wives. May they never meet. -- 19th century
 toast




 --
 www.johntate.org



Re: What is wrong with this pf config

2011-12-11 Thread Andres Perera
On Sun, Dec 11, 2011 at 4:29 PM, John Tate j...@johntate.org wrote:


 On Mon, Dec 12, 2011 at 7:47 AM, Andres Perera andre...@zoho.com wrote:

 On Sun, Dec 11, 2011 at 3:29 PM, John Tate j...@johntate.org wrote:
  I am not replying to every thread on the list. You either have me
  confused
  with someone else or there is some kind of imposter or person with a
  similar name. I'm confused I should say. This was something constructive
  to
  say regardless, it was an idea. I remember last time I was using OpenBSD
  (I
  had a hiatus) and mmap changes broke a lot of ports. There is supposed
  to
  be an emphasis on security, not your scripts. OpenBSD warns about
  mistakes,
  it emails you about your mistakes, and it could point out this mistake
  as
  well.

 not having block as default isn't really a mistake, unless pfctl can
 read your mind

 if you don't have daemons listening then what's the point of blocking
 ports?

 If you don't have daemons listening then why the hell are you using an
 operating system with so much security on networks.

because i might be a desktop user

i use obsd on my main machine and a netbook

the netbook normally doesn't have any daemons listening outside
localhost, but i still use pf for other reasons, such as managing
routing domains

pf has queue and logging functions as well... not every config is going
to center around acl

even for those that have daemons facing hostile networks, their admins
may choose a black list policy instead



 just an example of many situations that could occur

 
  On Mon, Dec 12, 2011 at 5:55 AM, James Shupe jsh...@osre.org wrote:
 
  No. Modifying a general purpose tool for a specific (albeit common) use
  case is stupid. Any properly implemented warning would cause pfctl to
  exit non-zero, which would break automated scripts that check the exit
  code of pfctl. You would have to add a whole new option to ignore your
  specific use case, and even that would require modifying existing
  scripts.
 
  I wish they would ban you from this list already. I'm sick of seeing
  your reply to every thread when you never have anything constructive to
  say.
 
 
  I am not replying to every thread on the list. You either have me
  confused
  with someone else or there is some kind of imposter or person with a
  similar name. I'm confused I should say. This was something constructive
  to
  say regardless, it was an idea. I remember last time I was using OpenBSD
  (I
  had a hiatus) and mmap changes broke a lot of ports. There is supposed
  to
  be an emphasis on security, not your scripts. OpenBSD warns about
  mistakes,
  it emails you about your mistakes, and it could point out this mistake
  as
  well.
 
  Perhaps it could be for security(8) to do instead actually. I don't
  know, I
  didn't design the fucking system, it was just a suggestion.
 
 
  On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
   It's just whining! Perhaps if should only do it if it has an Internet
   IP
   address not a LAN or WAN one involved.
  
   On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson icepic...@gmail.com
  wrote:
  
2011/12/11 John Tate j...@johntate.org
   
   
So I have a suggestion worth considering, if the line block in
all
  does
not appear pfctl -nf should perhaps spit out a warning. Much like
  you've
done with your pretty compilers over there.
   
   
There are still lots of reasons to run PF even if you don't want
  block in
all for a default, so whining on all the other uses you couldn't
  imagine
would not be very productive.
   
--
To our sweethearts and wives. May they never meet. -- 19th
century
  toast
 
 
 
 
  --
  www.johntate.org
 




 --
 www.johntate.org



Re: OpenBSD PF tables

2011-12-08 Thread Andres Perera
the documentation is pretty clear by saying that tables can only hold
addresses, not a random set of numbers

On Thu, Dec 8, 2011 at 6:41 AM, John Tate j...@johntate.org wrote:
 Misc,

 I have successfully got an OpenBSD machine to connect via ADSL and forward
 packets, I am gradually upgrading my pf.conf. I am having trouble with this
 configuration (ignore some obvious bugs related to table names where tables
 are defined and the rules I have seen them).

 At the moment I am working on doing some things as tables. I want tables to
 hold the ports, but it appears perhaps they can only hold IP addresses. The
 following tables do not work from line 10-11...

 table etcpserv { 22 }
 table itcpserv { 22, 53 }

 The whole thing is here: http://pastebin.com/VuLNW9Ph

 John Tate

 --
 www.johntate.org



Re: OpenBSD PF tables

2011-12-08 Thread Andres Perera
define the list of ports as a macro and use pfctl -D

not much adding as it is replacing the whole list:
$ echo 'pass proto udp from port $pl' | pfctl -nvf- -Dpl='{1 2 3}'
pass proto udp from any port = 1 to any
pass proto udp from any port = 2 to any
pass proto udp from any port = 3 to any

On Thu, Dec 8, 2011 at 6:45 AM, John Tate j...@johntate.org wrote:
 Is there a way to have it so I can add ports from the command line if I
 can't use tables?

 On Thu, Dec 8, 2011 at 10:14 PM, Peter Hessler phess...@theapt.org wrote:

 Yes, tables in PF only support IP addresses.


 On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
 :At the moment I am working on doing some things as tables. I want tables
 to
 :hold the ports, but it appears perhaps they can only hold IP addresses.
 The
 :following tables do not work from line 10-11...

 --
 Renning's Maxim:
 Man is the highest animal. Man does the classifying.




 --
 www.johntate.org



Re: OpenBSD PF tables

2011-12-08 Thread Andres Perera
i would concur that anchors are cleaner than redefining macros, but
they do require rewriting rules

On Thu, Dec 8, 2011 at 7:23 AM, Bret S. Lambert bret.lamb...@gmail.com wrote:
 Take a look at pf anchors.

 On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:
 Is there a way to control ports on a filter from the command line? I guess
 I just have manually adding and deleting rules.

 On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera andre...@zoho.com wrote:

  the documentation is pretty clear by saying that tables can only hold
  addresses, not a random set of numbers
 
  On Thu, Dec 8, 2011 at 6:41 AM, John Tate j...@johntate.org wrote:
   Misc,
  
  I have successfully got an OpenBSD machine to connect via ADSL and forward
   packets, I am gradually upgrading my pf.conf. I am having trouble with
  this
   configuration (ignore some obvious bugs related to table names where
  tables
   are defined and the rules I have seen them).
  
   At the moment I am working on doing some things as tables. I want tables
  to
   hold the ports, but it appears perhaps they can only hold IP addresses.
  The
   following tables do not work from line 10-11...
  
   table etcpserv { 22 }
   table itcpserv { 22, 53 }
  
   The whole thing is here: http://pastebin.com/VuLNW9Ph
  
   John Tate
  
   --
   www.johntate.org
  
 



 --
 www.johntate.org



Re: RAM seen vs. RAM available HP ML 570 G2

2011-12-06 Thread Andres Perera
On Tue, Dec 6, 2011 at 11:18 PM, Stefan Johnson
tigerphoenixdra...@gmail.com wrote:
 Hello all. Today I replaced OpenSuSE with OpenBSD 5.0 on my HP ML 570 G2
 server.

well, you should have searched for openbsd and PAE :)

i don't think they're going to bother at this point, but don't take my
word for it

 The system includes two memory boards for RAM. One board has 8 gigs, and
 the other has 4.
 The power on self test sees 12 and initializes 12, but after the server
 boots, OpenBSD appears
 to only see 4. I believe this relates to 32 vs 64 bit, but I'm not
 positive.

 The version I installed was i386, not amd64. The processors are Xeon MP
 2.2Ghz which only have
 32 bit instruction sets, which is why I chose i386. Here is a link to the
 processor specs that
 show this:

http://ark.intel.com/products/27300/Intel-Xeon-Processor-2_20-GHz-2M-Cache-400-MHz-FSB

 The FAQ mentions a trick for utilizing more RAM when all of the RAM isn't
 seen using boot.conf
 at this link:
 http://www.openbsd.org/faq/faq4.html#InstProb
 However, this is for such a small amount of RAM in the given example, that
 I'm not sure this would
 work for me. Can anyone confirm that I'm pretty much stuck with only
being
 able to utilize 1/3 of
 the full potential, or whether the above trick might actually work (using
 appropriate size values, of
 course)?

 Thanks for any help on this!

 Stefan Johnson



 Below is dmesg and sysctl output for my box with the GENERIC MP kernel:


Re: Short adsuck guide (local resolver setup)

2011-12-05 Thread Andres Perera
i don't get why are you setting nameservers in resolv.conf since
dhclient will eventually override those?

On Mon, Dec 5, 2011 at 8:39 AM, Sime Ramov s...@ramov.com wrote:
 http://ramov.com/doc/adsuck.html

 Let me know if you notice anything amiss.

 -Sime



Re: Short adsuck guide (local resolver setup)

2011-12-05 Thread Andres Perera
afaik, _PATH_RESCONF is hardcoded into the resolver functions

i guess adsuck ships with its own duplicated routines

On Mon, Dec 5, 2011 at 10:12 AM, Šime Ramov s...@ramov.com wrote:
 i don't get why are you setting nameservers in resolv.conf since
 dhclient will eventually override those?

 That's `/var/adsuck/files/resolv.conf`, not the main one.



Re: Narcicism?

2011-12-01 Thread Andres Genovez
2011/12/1 John Tate j...@johntate.org

 On Thu, Dec 1, 2011 at 7:20 PM, Scott McEachern sc...@blackstaff.ca
 wrote:

  On 12/01/11 02:28, John Tate wrote:
 
  I think I've found a bug in the OpenBSD crowd. They bug the hell out of
 me
  and my little mistakes.
 
  I am not talking about people who actually have a solution, but I can't
  seem to ask anything on this list without parrots coming along picking
 on
  me. I think some people just hang out here because it's the most anal
  bunch
  of hackers ever, in recorded history. What are your experiences?
 
 
 I'm 24 years old. I was a Linux hacker since I was 13. I am a bit of a guru
 and do my own Kerberos and such on an all BSD/Linux network. OpenBSD and
 Debian Linux. I love OpenBSD, I'm a bit weird because I use bash. I can put
 up with being made fun of. At 13 I didn't just start learning Linux I
 started learning C++ as well. I failed to apprehend it properly at that
 age, but at an older age I relearned it well. I am the guru sort of guy, I
 know a hell of a lot but I'm still connecting it and in that sense still
 learning.


One thing to point out:

When you are a real Hacker, you don't call yourself one, people do.
When you are a real Guru, you don't call yourself one, people do.

I don't have a big knowledge of OpenBSD, I must say I am just starting, but
the first lesson I learned... don't make stupid questions on a list or I
will get a payback... In some way I understand your frustration...

Peace.



 
  Is it true that occasionally we attract people who either love bullying
 or
  are just lazy and pretending to be one of the clever?
 
  Well I get messages that are worthless and seem to be insults.

 
  It just figures some of these people sit on the list, and email you
 poorly
  researched crap with no answers contain.
 
  If you hate a question, it truly doesn't belong, bug me.
 
  But if you just can't answer a question, ignore it.
 
  John Tate.
 
  Note: Yes, it's not my list.
 
 
  John, if you don't mind, I'll give you some advice:  Do your homework
  before posting to the list.  Your basic instinct is to click Send
 instead
  of thinking first.  I've lost count of how many of your posts were
  retracted by yourself, with a big oops, my bad or were replied to with
  RTFM-type responses.  I got a kick out of one retraction where you said
  something like Sorry, I was drunk.
 
  You're obviously new here.  Sure, it's a tough crowd at times, but that
  only happens when people don't bother reading the FAQ, or the man pages,
 or
  trying things out for themselves.  A lot of people have asked stupid
  questions or said something dumb -- myself included -- and got painful
  responses.  I've had my share of facepalm experiences and had my ass
 handed
  to me plenty of times, but I deserved it.
 
  But you know what?  I try to not make a regular occasion of it.  It seems
  you do.
 
  I help a lot of people off-list, and I know for a fact many others do the
  same.  I've found through years of experience there are two kinds of
 people
  on this list: those that need a little help and pointed in the right
  direction, and those that need their hands held for every step.  Guess
  which category I put you in?  And that's exactly why I've helped you a
  grand total of zero times.
 
  Now you have the gall to come on this list and insult the people that are
  trying to help you.  I don't think there's anyone on this list that sits
  idly, waiting for an opportunity to pick on or bully someone.  Get a
  grip, get some thicker skin, and most of all, RTFM first.
 
  I guarantee that if you take my advice, you'll find this list to be a
  very, very valuable resource.  Remember, there is a difference between
  *reading* and *comprehension*.  Work a little harder on the latter and I
  think you'll find you won't be picked on.
 
  Stop playing the victim.  You're not the first and it's old.
 
  --
  Scott McEachern
 
  https://www.blackstaff.ca
 
 


 --
 www.johntate.org




--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: Narcicism?

2011-11-30 Thread Andres Perera
http://johntate.org/fact/johntate

I now have 7 years of experience in FreeBSD/OpenBSD

On Thu, Dec 1, 2011 at 2:58 AM, John Tate j...@johntate.org wrote:
 I think I've found a bug in the OpenBSD crowd. They bug the hell out of me
 and my little mistakes.

 I am not talking about people who actually have a solution, but I can't
 seem to ask anything on this list without parrots coming along picking on
 me. I think some people just hang out here because it's the most anal bunch
 of hackers ever, in recorded history. What are your experiences?

 Is it true that occasionally we attract people who either love bullying or
 are just lazy and pretending to be one of the clever?

 It just figures some of these people sit on the list, and email you poorly
 researched crap with no answers contain.

 If you hate a question, it truly doesn't belong, bug me.

 But if you just can't answer a question, ignore it.

 John Tate.

 Note: Yes, it's not my list.

 --
 www.johntate.org



Re: how to find dependencies when building a new kernel

2011-11-29 Thread Andres Perera
On Tue, Nov 29, 2011 at 4:35 AM, T. Valent tmp...@4ss.de wrote:
 Hi!

 I'm trying to build a new kernel. However, while compiling I get
 complaints about undefined references like this:

 ld -Ttext 0xD0200120 -e start -N --warn-common -S -x -o bsd
 ${SYSTEM_HEAD} vers.o ${OBJS}
 machdep.o(.text+0x2791): In function `sys_sigreturn':
 : undefined reference to `fpu_mxcsr_mask'

andres@pote:~ $ grep -rw fpu_mxcsr_mask /sys/arch/i386
...
/sys/arch/i386/include/npx.h:extern uint32_t	fpu_mxcsr_mask;
/sys/arch/i386/isa/npx.c:uint32_t   fpu_mxcsr_mask;
...
andres@pote:~ $ grep -rw npx /sys/arch/i386/conf/files.i386
/sys/arch/i386/conf/files.i386:device   npx
/sys/arch/i386/conf/files.i386:attach   npx at isa
/sys/arch/i386/conf/files.i386:file	arch/i386/isa/npx.c		npx needs-flag


 The above line is just an example. I have poked around with more or less
 guessing what could be missing, but after 2 days I'm quite sure I need a
 general solution to finding the dependencies instead of guessing.

 I have no skills in kernel coding. I wonder if there's a good way to
 find out which part I am missing in the config file(s).

note how the grep commands required no kernel coding skills


 This is what I do:
 edit /usr/src/sys/conf/GENERIC
 I'm fine with this so far.

 Now to edit

 /usr/src/sys/arch/i386/conf/GENERIC

 I do

 dmassage -t

i might be wrong, but is this really an aggressive auto spelling
corrector for dmesg?


 and make sure all the hardware I need is included in my config file. I'm
 quite sure I've included everything I need, I get the above mentioned
 problems, which I understand as dependencies. However, I just don't know
 how to find out which line of the config file I have to include to solve
 this.

 I know I am recommended to use the generic kernel. I need the kernel for
 an embedded device where the hardware is well known in detail, it is
 always the same, will not change and memory is very limited. So I need
 to get rid of the unnecessary stuff in the kernel.

 Thanks in advance!

 T.



Re: how to find dependencies when building a new kernel

2011-11-29 Thread Andres Perera
reading npx(4) gives a really strong clue as to why you
shouldn't custom compile until you're familiar with everything:

The npx driver is required for proper system functioning regardless
of whether or not an NPX is present.

so there's no 1:1 mapping between the devices you have and the ones
you may need included in the kernel config. could potentially apply to
other drivers, so why waste time figuring out which ones fall under
this category and which ones don't?

as for your searches, they don't include the struct definition

i can't recall the name of the doc (possibly hosted at openbsd.org)
that explains the layout, but basically, you got the base
/sys/conf/files and arch-specific ones. you are only searching in arch
specific files

so far you have many factors contributing against you being able to
custom compile:
- don't know c
- don't know the kernel source file layout
- doesn't bother looking at official documentation regarding kernel
compilation process

On Tue, Nov 29, 2011 at 7:06 AM, T. Valent tmp...@4ss.de wrote:
 Andres,

 may I kindly ask one more question, I'm sure after that I'll get it
 right myself.

 See:
 
 # make
 ld -Ttext 0xD0200120 -e start -N --warn-common -S -x -o bsd
 ${SYSTEM_HEAD} vers.o ${OBJS}
 acpi_machdep.o(.text+0xcf): In function `acpi_sleep_machdep':
 : undefined reference to `mem_range_softc'
 [...]

 # grep -rw mem_range_softc /sys/arch/i386

 [...]
 /sys/arch/i386/i386/mem.c:struct mem_range_softc mem_range_softc;
 [...]

 # grep -rw mem /sys/arch/i386/conf/files.i386
 /sys/arch/i386/conf/files.i386:file	arch/i386/i386/mem.c
 

 Still I don't know which option/line is missing. There is no such thing
 as i386 in GENERIC, from which I derive my config.

 Thanks in advance.
 T.
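The two grep commands Andres shows, generalised into one script (added example, not the thread's own tooling): find the .c file that defines the unresolved symbol, then find the kernel config line that compiles that file. The `find_kernel_dep` and `demo_tree` names are mine, and the miniature source tree is constructed from the lines quoted in the thread so the demo runs without /sys.

```shell
#!/bin/sh
# Added example, not from the thread: turn "undefined reference to X" from the
# kernel link step into the config line that would pull X in. It generalises
# the two grep commands above: find the .c file that defines the symbol, then
# find that file in the base sys/conf/files AND every arch- or bus-specific
# files.* (the thread's searches only looked under arch/i386). The trailing
# words on the matching "file" line are the device or attribute the custom
# config must keep; a line with no trailing words is compiled unconditionally.
# Usage: find_kernel_dep SYMBOL SRCROOT   (SRCROOT is /sys on OpenBSD)

find_kernel_dep() {
    sym=$1
    src=$2
    # A definition is a top-level (unindented) line that names the symbol and
    # is not an extern declaration; uses inside functions are indented.
    for f in $(find "$src" -name '*.c'); do
        if grep -Ew "^[A-Za-z_].*$sym" "$f" | grep -qv extern; then
            rel=${f#"$src"/}
            # /dev/null as an extra operand forces grep to prefix each hit
            # with the name of the files.* it came from
            find "$src" -type f \( -name files -o -name 'files.*' \) \
                -exec grep -w "$rel" /dev/null {} +
            return 0
        fi
    done
    echo "no definition of $sym under $src" >&2
    return 1
}

# Constructed miniature of /sys, built from the lines quoted in the thread,
# so the demo runs anywhere. machdep.c only uses the symbol and must not be
# reported as its definition.
demo_tree() {
    d=$1
    mkdir -p "$d/conf" "$d/arch/i386/conf" "$d/arch/i386/isa" "$d/arch/i386/i386"
    printf 'file\tkern/kern_exec.c\n' > "$d/conf/files"
    printf 'uint32_t\tfpu_mxcsr_mask;\n' > "$d/arch/i386/isa/npx.c"
    printf 'struct mem_range_softc mem_range_softc;\n' > "$d/arch/i386/i386/mem.c"
    printf 'extern uint32_t fpu_mxcsr_mask;\nvoid\nf(void)\n{\n\tuint32_t m = fpu_mxcsr_mask;\n}\n' \
        > "$d/arch/i386/i386/machdep.c"
    printf 'file\tarch/i386/isa/npx.c\t\tnpx needs-flag\nfile\tarch/i386/i386/mem.c\n' \
        > "$d/arch/i386/conf/files.i386"
}

# Demo: prints the files.i386 line for arch/i386/isa/npx.c, whose trailing
# "npx needs-flag" says the npx device line is what the config needs.
tmp=$(mktemp -d)
demo_tree "$tmp"
find_kernel_dep fpu_mxcsr_mask "$tmp"
rm -rf "$tmp"
```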



Re: Kernel without INET6 error on pipex.c

2011-11-24 Thread Andres Perera
On Thu, Nov 24, 2011 at 6:42 AM, Rod Whitworth glis...@witworx.com wrote:
 On Thu, 24 Nov 2011 10:09:31 +, Julien Crapovich wrote:

Hello.
Absolutely, but compiling without INET6 is not supposed to generate error.
I've just disabled INET6 on GENERIC file, not other hack.

 You are the only one who knows exactly what you did. Maybe.
 Why should we waste time guessing?

 It's a pretty damn stupid thing to do anyway when it is so easy to
 block v6 traffic using GENERIC and, BTW, your kernel is NOT GENERIC.
 It doesn't matter that you were too ignorant to change the name...

i don't understand what renaming the kernel has to do with anything

the op is right in that rmoption INET6 is broken, end of

whether that define was meant for developers only or not is another matter


 R/

 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thankyou.

 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.



Re: DNS Google ?

2011-11-22 Thread Andres Perera
On Tue, Nov 22, 2011 at 2:56 PM, Lars Hansson romaby...@gmail.com wrote:
 On Wed, Nov 23, 2011 at 3:14 AM, patrick keshishian pkesh...@gmail.com 
 wrote:
 Unless I'm misreading you, what you say doesn't make much sense.

 It makes perfect sense and is in fact also the recommended way to run BIND.

not only recommended by bind books -- djbdns/cache forces a minimum of
two processes

bind tries to do everything at once...


 The setup you suggest is more involved. Two servers: one resolving,
 and the other dealing w/the authoritative responses.

 They don't have to be two different servers, just two different
 processes on the same server.

 ---
 Lars



Re: What is wrong with this pf config

2011-11-21 Thread Andres Perera
On Mon, Nov 21, 2011 at 3:45 AM, John Tate j...@johntate.org wrote:
 I am having troubles with this pf configuration, it seems when loaded
 nothing can access my server on the internal interface for the LAN, I
 cannot see why, and it's pretty much based off the very standard
 example in the OpenBSD faq.

assuming your internal net is connected to int_if: none of your rules
even mention your local network and you block by default, so yeah

if int_if isn't part of the int net, please rename the macro to avoid
confusion


 When I unload the configuration, I can access the DNS server on the
 firewall running this configuration. It seems to forward everything
 through to the Internet, but blocks DNS which makes it pretty useless.
 I've looked at it at least five times...

 [john@baal ~$ cat /etc/pf.conf
 int_if=xl0
 ext_if=tun0

 rothbard=10.0.0.10
 baal=10.0.0.2
 smass=10.0.0.1

 tcp_services={22}
 icmp_types=echoreq

 set block-policy return
 set loginterface $ext_if
 set skip on lo

 match out on egress inet from !(egress:network) to any nat-to (egress:0)

you're not passing these packets


 block in log
 pass out quick

 antispoof quick for { lo $int_if }

 pass in on egress inet proto tcp from any to (egress) \
         port $tcp_services

i highly doubt you are setting up a public dns server intentionally.
if this is the case, make it clear that you are

 #After this goes forwarded ports... Probably just use ssh tunnels.

 pass in inet proto icmp all icmp-type $icmp_types

 What is wrong?

you need to read the docs on pf. your rules make no sense


 Also can you tell me how to do this so it only needs to load once, and
 not be loaded by a shell script after userland pppoe successfully
 connects?

 --
 www.johntate.org
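The defect Andres points out (no rule mentions the LAN, so the default block drops everything arriving on $int_if), with the fix made explicit. This is an added example, not the thread's own ruleset; the macros and the original rules are taken from the quoted pf.conf.

```pf
# Added example, not the thread's own ruleset: the quoted pf.conf with the
# LAN side made explicit. Macros are the ones from the quoted file.
int_if=xl0
ext_if=tun0
tcp_services={22}
icmp_types=echoreq

set block-policy return
set loginterface $ext_if
set skip on lo

# NAT for LAN traffic leaving on the PPPoE side. A match rule only rewrites
# the source address; the packets still have to be passed in on $int_if and
# out on egress, which "pass out quick" below does for the outbound half.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Default deny, exactly as before.
block in log
pass out quick

antispoof quick for { lo $int_if }

# What was missing: nothing above mentions the LAN, so "block in log"
# dropped every packet arriving on $int_if, including DNS queries for the
# resolver on the firewall itself. Name the LAN explicitly.
pass in on $int_if inet proto { tcp udp } from $int_if:network \
    to $int_if port domain
pass in on $int_if inet from $int_if:network to any

# Public side: ssh and echo requests only.
pass in on egress inet proto tcp from any to (egress) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types

# (egress) and (egress:network) are looked up when a packet is evaluated,
# so this file can be loaded once at boot instead of from a script that
# runs after pppoe(8) brings tun0 up.
```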



Re: Giving java apps more memory

2011-11-18 Thread Andres Perera
you can patch the apps to use setrlimit()

you can write a small sh wrapper that sets ulimits and execs your app

you can also set your defaults in /etc/login.conf or ~/.profile

depends on what you want

i use gimp and ff so login.conf/.profile is really more sensible than
wrapping all the monster apps

On Fri, Nov 18, 2011 at 10:42 PM, John Tate j...@johntate.org wrote:
 Netbeans crashes with this...

 john@rothbard ~$ netbeans
 #
 # A fatal error has been detected by the Java Runtime Environment:
 #
 # java.lang.OutOfMemoryError: requested 32784 bytes for Chunk::new.
 Out of swap space?
 #
 #  Internal Error (allocation.cpp:272), pid=17843, tid=8647815168
 #  Error: Chunk::new
 #
 # JRE version: 7.0
 # Java VM: OpenJDK 64-Bit Server VM (20.0-b03 mixed mode bsd-amd64
 compressed oops)
 # An error report file with more information is saved as:
 # /home/john/hs_err_pid17843.log
 #
 # If you would like to submit a bug report, please visit:
 #   http://java.sun.com/webapps/bugreport/crash.jsp
 #
 Abort trap (core dumped)

 Eclipse crashes with this...
 [john@rothbard ~$ eclipse
 #
 # A fatal error has been detected by the Java Runtime Environment:
 #
 # java.lang.OutOfMemoryError: requested 1565456 bytes for Chunk::new.
 Out of swap space?
 #
 #  Internal Error (allocation.cpp:272), pid=30120, tid=8844312576
 #  Error: Chunk::new
 #
 # JRE version: 7.0
 # Java VM: OpenJDK 64-Bit Server VM (20.0-b03 mixed mode bsd-amd64
 compressed oops)
 # An error report file with more information is saved as:
 # /home/john/hs_err_pid30120.log
 #
 # If you would like to submit a bug report, please visit:
 #   http://java.sun.com/webapps/bugreport/crash.jsp
 #

 How should I proceed?


 --
 www.johntate.org
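The "small sh wrapper" option from the reply, as an added example that is not from the thread: the wrapper raises the per-process data limit the JVM is running into and then exec()s the real program, so only that process tree gets the larger limit rather than every session the way a login.conf change would. The function names, the 2 GB figure and the netbeans path are placeholders; a raise only succeeds up to the hard limit of the login class (`ulimit -H -d` shows it).

```shell
#!/bin/sh
# Added example, not from the thread: scope a resource limit to one program
# instead of to the whole login class.

# run_with_data_limit KBYTES CMD [ARG...]: set the data-segment limit in a
# subshell and exec CMD there. If KBYTES is above the hard limit the ulimit
# call fails and CMD is not started unbounded by accident.
run_with_data_limit() {
    kbytes=$1; shift
    (
        ulimit -d "$kbytes" || { echo "cannot set data limit to $kbytes KB" >&2; exit 1; }
        exec "$@"
    )
}

# data_limit_seen_by_child KBYTES: report the limit a program started through
# the wrapper actually inherits; lets the wrapper be checked without a JVM.
data_limit_seen_by_child() {
    run_with_data_limit "$1" sh -c 'ulimit -d'
}

# The wrapper as it would be installed, e.g. as ~/bin/netbeans (assumed path):
#   #!/bin/sh
#   limit_kb=2097152                     # placeholder: 2 GB, must be <= ulimit -H -d
#   ulimit -d "$limit_kb" || exit 1
#   exec /usr/local/bin/netbeans "$@"   # assumed location of the real binary

data_limit_seen_by_child 262144
```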



Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

2011-11-13 Thread Andres Perera
On Sun, Nov 13, 2011 at 9:22 AM, David Walker davidianwal...@gmail.com wrote:
 On 13/11/2011, Mostaf Faridi mostafafar...@gmail.com wrote:
 Can I optimiz this pf.conf?
 Thanks in advance

 I do not open up the truth to one who is not eager to get knowledge,
 nor help out any one who is not anxious to explain himself. When I
 have presented one corner of a subject to any one, and he cannot from
 it learn the other three, I do not repeat my lesson.

 http://en.wikiquote.org/wiki/Confucius

 http://blogs.nasa.gov/cm/wiki/?id=2738#gen6


i like your style :)


 Best wishes.



Re: bash script problem

2011-11-11 Thread Andres Perera
On Fri, Nov 11, 2011 at 9:10 AM, John Tate j...@johntate.org wrote:
 I put a comment in before the line with a problem, I don't understand
 why it's not working.

 bash# for x in 1 2 3 4; do time dd if=/dev/random of=/home/test$x
 bs=1k count=64k  done \
 while [ $V -eq 0 ]; \
 do \
 #why the hell is this such a problem!

because it breaks the line continuation (`\')

there's no need to use that here anyway, presuming this isn't part of a
makefile

 V = 0 \
 clear \
 echo -n Jobs running...  \
 if jobs 4; then; echo -n last job running!; else; echo -n last job
stopped;
  env V=1; fi \
 sleep 1 \
 done
 time cat secure1 secure2 secure3 secure4  secure_t.vnd \
 time rm secure1 secure2 secure3 secure4

 John Tate.

 --
 www.johntate.org



Re: systat colors?

2011-11-11 Thread Andres Perera
readelf -d `which systat`
...
 0x0001 (NEEDED) Shared library: [libcurses.so.12.1]
...

On Fri, Nov 11, 2011 at 8:08 PM, STeve Andre' and...@msu.edu wrote:
 On 11/11/11 18:58, Stuart Henderson wrote:

 On 2011-11-10, STeve Andre'and...@msu.edu wrote:

 On 11/10/11 16:41, Ted Unangst wrote:

 On Thu, Nov 10, 2011, Joe wrote:

 Has anyone already modified systat to support colored text?

 No, nor will they. Colorized utilities are not particularly welcome.
 (i mean, you can do it, but don't expect such patches to be accepted.)


 But such a systat could live in ports, quite happily. See
 colorls.

 Not all that happily. It will keep getting out of sync with the OS.


 OK, point taken. But if the 'color systat' was a post-processor
 it could take the output and add color escape sequences.
 That then leaves syncing problems for changes in systat's
 output itself, which while happening, isn't that common.

 --STeve Andre'



Re: OpenBSD and shebang line to a script not supported?

2011-10-31 Thread Andres Perera
how does linux handle that without going into infinite loops?

On Mon, Oct 31, 2011 at 6:55 PM, Mikolaj Kucharski
miko...@kucharski.name wrote:
 Hi,

 Attached archive has small testing scripts to be extracted in /tmp.
 There are 2 tests (exec1 and exec2) with 2 scripts each (4 scripts
 total):

 test#1, openbsd:
 $ /tmp/exec1.sh
 exec1.sh executed

 test#1, linux:
 # /tmp/exec1.sh
 /tmp/exec1.pl executed
 exec1.sh executed


 test#2, openbsd:
 $ /tmp/exec2.pl
 /tmp/exec2.pl[3]: use: not found
 /tmp/exec2.pl[4]: use: not found
 /tmp/exec2.pl[6]: syntax error: `(' unexpected

 test#2, linux:
 # /tmp/exec2.pl
 exec2.sh executed
 exec2.sh executed
 exec2.sh executed
 ^C


 What I see is that OpenBSD doesn't support scripts in shebang line and
 executes /bin/sh instead. Am I correct here?


 PS. Please CC me in replies. Thanks.

 --
 best regards
 q#

 [demime 1.01d removed an attachment of type application/x-tar-gz]



Re: dhclient, resolv.conf

2011-10-23 Thread Andres Perera
the dhclient in base, and possibly the isc one, interprets options set
to the empty string as unset

On Sun, Oct 23, 2011 at 1:38 PM,  sc...@web.de wrote:
 Jurjen Oskam jur...@osk.am wrote:

 supersede domain-name-servers 192.168.1.1;
 supersede domain-name ;

 My dhclient completely ignores

    supersede domain-name ;

 and sets an unwanted search line given by the server. Indeed
 you must give

    supersede domain-name .;

 To obtain

    search .

 in resolv.conf, what seems to be no problem.

 Rod.



Re: do not understand how to upgrade to-CURRENT

2011-10-22 Thread Andres Perera
you can't even write spanish properly

2011/10/22 Zantgo zan...@gmail.com:
 I don't understand how to upgrade to -current, which manual do I have to follow:

 http://www.openbsd.org/faq/faq5.html (that is, follow exactly what it says
 there and once I have built the system from source I will be running
 -current)

 http://www.openbsd.org/faq/current.html (following this exactly, I will
 automatically get -current)

 Please, all I want is to upgrade to current, but I don't know how.

 PS: in all the above cases I have to be running a snapshot, right?

 PS2: http://www.openbsd.org/faq/current.html is obsolete

 Zantgo



Re: Dennis Ritchie

2011-10-13 Thread Andres Genovez
2011/10/13 David Coppa dco...@gmail.com

 Today is a sad sad day :(

 Rest in Peace.
 Without you, we would never be here.

 Cheers,
 David


People who change the world unfortunately do not last forever; forever
missed, but his legacy will last forever.

Andres.


--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: microsoft wireless keyboard and mouse

2011-10-08 Thread Andres Perera
i don't have much to add right now besides confirming the problem with
Microsoft Wireless Desktop Receiver 3.1A(0x00f1), Microsft(0x045e),
rev 0.02, wireless mouse/keyboard combo 2000

i think that the mouse calibration could be an easy problem to sort
out after spending a weekend on it



Re: Why I uninstalled OpenBSD???

2011-10-03 Thread Andres Perera
On Sun, Oct 2, 2011 at 12:14 AM, Nick Holland
n...@holland-consulting.net wrote:
 On 10/01/11 23:08, Christiano F. Haesbaert wrote:
 Not again people, please.

 Stop feeding.

 Yes.
 Yet another never-heard-from-before-or-again loser (and *always* using a
 gmail account...isn't that interesting?) posting a link to that loser's
 site (which is hosted on google, and MX records point to google). $0.50
 says it's the same loser who writes that dribble and posts the link here.

well, you narrowed down the list of suspects to the gazillion of
people that use gmail


 And then a bunch of people who should know better jump all over him, not
 unjustifiably, but include the link of the crap in their reply, giving
 more advertising to the site and higher search engine ratings. Mission
 accomplished.

 IF you have to reply to someone posting a stupid link (even an
 UNINTENTIONALLY stupid link...you know, the well-intended ones that
 provide bddd advice), do the world a favor and remove the link from
 your reply...

 Nick.



Re: Group ownership of files at creation time

2011-08-16 Thread Andres Perera
S_ISGID bits on a directory are meaningful in sysv, whereas on bsd
open(2) acts as if they were always on



Pear Version (2008-08-23) Updated to version: pear-1.7.2

2011-08-15 Thread Andres Genovez
Hi friends,

I am having a lot of problems with the standard version of PEAR that ships
with OpenBSD; the latest I can get is (2008-08-23) Updated to version:
pear-1.7.2

But the system insists it requires version 1.8. Please, can anybody give me a
guide on how I can update PEAR?

Thanks for any help!
--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Installing Image_Canvas

2011-08-11 Thread Andres Genovez
Hello,

A little question, if anyone can help

I am using OpenBSD 4.8 GENERIC

I am using

pear-1.7.2.tgz
http://openbsd.mirror.frontiernet.net/pub/OpenBSD/4.8/packages/i386/pear-1.7.2.tgz


But when I try to install this, I get this error

# pear install Image_Graph-0.7.2
Did not download dependencies: pear/PEAR, pear/Image_Canvas, use --alldeps
or --onlyreqdeps to download automatically
pear/Image_Graph requires package pear/PEAR (version >= 1.3.1)
pear/Image_Graph requires package pear/Image_Canvas (version >= 0.3.0)
No valid packages found
install failed
#

Can someone give me some guidance?

Thanks!


--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: Load average question

2011-08-08 Thread Andres Perera
On Mon, Aug 8, 2011 at 1:04 PM, STeve Andre' and...@msu.edu wrote:
 On 08/08/11 12:59, Theo de Raadt wrote:

 Nick, this is probably the single most frequently asked question... :-)

 No, it is not. In the modern world of search engines, this question
 lands at the same level as trolling. If a person's first gut reaction
 isn't go type 3 words into a search engine, and instead they craft a
 500 line email message to a list, that is trolling.

 Rikky, here is a diff which solves the problem you are facing:

 --- w.c Sat Jul 30 15:17:12 2011
 +++ w.c.new B  B  Mon Aug B 8 10:57:34 2011
 @@ -430,7 +430,7 @@
 B  B  B  B  B  B  B  B for (i = 0; i B (sizeof(avenrun) /
sizeof(avenrun[0]));
 i++) {
 B  B  B  B  B  B  B  B  B  B  B  B if (i B 0)
 B  B  B  B  B  B  B  B  B  B  B  B  B  B  B  B (void)printf(,);
 - B  B  B  B  B  B  B  B  B  B  B  (void)printf( %.2f, avenrun[i]);
 + B  B  B  B  B  B  B  B  B  B  B  (void)printf( %.2f, 0.001);
 B  B  B  B  B  B  B  B }
 B  B  B  B  B  B  B  B (void)printf(\n);
 B  B  B  B }
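Review bot: the replacement line `(void)printf( %.2f, 0.001);` drops `avenrun[i]`, so the loop body no longer depends on `i` and every iteration prints the same constant; if a fixed value is really intended, one printf outside the loop says so more plainly, and if not, `avenrun[i]` has to stay. As pasted, the printf format arguments (` %.2f`, `,`, `\n`) carry no double quotes and `for (i = 0; i B (sizeof(avenrun) ...` has lost its comparison operator, so the hunk will neither apply nor compile from this copy; that looks like archive mangling rather than the author's text, so anyone trying it should take w.c from the source tree, not from here.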



 Hmmm. Wrap that around an #ifdef looking for an environment
 variable (LOADAV) and if it isn't set to IUNDERSTAND Theo's
 diff is what's shown.

cpp can't look for environment variables


 I'm not being entirely facetious.

how facetious are you being, on a scale from 1 to 10?


 --STeve Andre'



YOU CAN PUBLISH YOUR BOOKS TODAY - July 2011 -

2011-07-25 Thread Andres Rodriguez
Ediciones Pasión de Escritores

Print on demand - Short print runs - Reprints

YOU CAN PUBLISH YOUR WORK TODAY

THE BEST PRICE ON THE MARKET

July 2011 promotion

Size: 14 x 20

4-colour covers

On 300 g coated paper

Glossy OPP lamination

Interior

Black and white

On 75/80 g extra-white offset paper

Binder binding

50 books of 60 pages:

Final printing price: $ 540.-

Request a quote in these formats:

14x20  15x21  15.5x23

16x24  17x25  20x28  21x28

Our services

On-demand editions

Reprints of publications from 25 copies

Galley proof

ISBN processing free of charge - fee payable by the writer

Free processing under Law 11723 - fee payable by the writer

Optional services

Cover design

Proofreading service

Layout

Our editions are paid in 3 instalments

Request information at:

consultaedic...@pasiondeescritores.com.ar

www.pasiondeescritores.com.ar

IMPORTANT NOTE: If you do not wish to receive information in the future, please
send an email to be removed. This email is not SPAM, since it includes a means of
removal, in accordance with the provisions of Decree 5.1618, Title 3 #, approved
by Congress, the basis of the international regulations on SPAM.

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
logofirma.jpg]



Re: pf rule?

2011-07-20 Thread Andres Perera
ifconfig pflog1 create
touch /var/log/pfblocklog
pflogd -ipflog1 -f$_

pf.conf:

l = log (to pflog1)

block return $l
block ... $l

to keep the pfctl rule output readable, match and tag the packets
instead and have a single block + log rule (at the expense of no
quick)

On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez fquinon...@gmail.com wrote:
 Hello

 I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
 blocked packets, and send them to /var/log/pfblocklog to be read with
 tcpdump. What and where should be the rule?

 #       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
 #

 set skip on lo

 ### Agregadas por mi: (added by me)
 block return

 pass in quick log on rl0 proto tcp from any to port 22
 pass out quick on rl0 to any
 pass in quick log on rl0 proto tcp from any to port 21
 pass in quick log on rl0 proto tcp from any to port 80

 ### Fin. (end)

 # filter rules and anchor for ftp-proxy(8)
 anchor ftp-proxy/*
 pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

 pass            # to establish keep-state

 # By default, do not permit remote connections to X11
 block in on ! lo0 proto tcp to port 6000:6010

 Thanks for your attention.



Re: pf rule?

2011-07-20 Thread Andres Perera
now for the problems in your rules:

On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez fquinon...@gmail.com wrote:
 #       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
 #

 set skip on lo

 ### Agregadas por mi: (added by me)
 block return

 pass in quick log on rl0 proto tcp from any to port 22
 pass out quick on rl0 to any
 pass in quick log on rl0 proto tcp from any to port 21
 pass in quick log on rl0 proto tcp from any to port 80

from any/ to any is implied


 ### Fin. (end)

 # filter rules and anchor for ftp-proxy(8)
 anchor ftp-proxy/*
 pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

 pass            # to establish keep-state

this negates rule #0


 # By default, do not permit remote connections to X11
 block in on ! lo0 proto tcp to port 6000:6010

redundant if #0 works


 Thanks for your attention.



Re: pf rule?

2011-07-20 Thread Andres Perera
On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez fquinon...@gmail.com wrote:
 2011/7/20 Wesley MOUEDINE ASSABY open...@e-solutions.re:
 Also,
 you can see a sample on http://mouedine.net/ruleset49.aspx

 Wesley.

 On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY
 open...@e-solutions.re wrote:
 Hi,

 Try this:
 block log return

 Cheers,

 Wesley.

 On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez fquinon...@gmail.com
 wrote:
 Hello

 I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
 blocked packets, and send them to /var/log/pfblocklog to be read with
 tcpdump. What and where should be the rule?



 Thanks for your attention.

 Hello

 I changed it to:

 #      $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
 #

 set skip on lo

 ### Agregadas por mi: (added by me)
 block log

 pass out quick on rl0

 antispoof quick for rl0

 pass in log on rl0 proto tcp from any to port 22
 pass in log on rl0 proto tcp from any to port 21
 pass in log on rl0 proto tcp from any to port 80

replace all three by:
pass in log on rl0 proto tcp to port { 21 22 80 }


 ### Fin. (end)

 # filter rules and anchor for ftp-proxy(8)
 anchor ftp-proxy/*
 pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

you already pass these packets before. redundant rules make pfctl
output hard to read, so change it to:
match in proto tcp to port ftp rdr-to localhost port 8021


 Thank so much both. How does it look?
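The three replies in this thread put together, as an added example that is not from the thread: the pflog1 setup from the first reply, the consolidated ruleset from the last one, and a small check for the two mistakes pointed out along the way (a bare `pass` with no qualifiers, which as the last matching rule overrides the default block, and several `pass in` rules that differ only by port). The OpenBSD-only commands sit in `setup_blocklog` and are not run by the check; the function names and the lint logic are mine.

```shell
#!/bin/sh
# Added example, not from the thread: blocked-packet logging to its own file,
# the cleaned-up ruleset, and a grep-level lint for the problems discussed.

# A second pflog interface, with pflogd(8) writing only what is logged "to
# pflog1" into /var/log/pfblocklog; read it with tcpdump -n -e -ttt -r FILE.
setup_blocklog() {
    ifconfig pflog1 create &&
    touch /var/log/pfblocklog &&
    pflogd -i pflog1 -f /var/log/pfblocklog
}

# The ruleset from the end of the thread with the suggested fixes applied.
ruleset() {
    cat <<'EOF'
set skip on lo

# Default deny; dropped packets go to pflog1 so they can be read separately.
block log (to pflog1)

pass out quick on rl0
antispoof quick for rl0

# One rule instead of three; pfctl -sr output stays readable.
pass in log on rl0 proto tcp to port { 21 22 80 }

# ftp-proxy(8): port ftp is already passed above, so only redirect here
# (kept after the pass rule, in the order given in the thread).
anchor "ftp-proxy/*"
match in proto tcp to port ftp rdr-to localhost port 8021
EOF
}

# lint_ruleset: read a ruleset on stdin, print one line per finding, and
# return 0 when nothing was found, 1 otherwise. Comments are stripped first.
lint_ruleset() {
    findings=0
    rules=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d')
    # 1. "pass" with no direction, interface or protocol matches every packet
    #    and, being evaluated after "block", wins: the default deny is gone.
    if printf '%s\n' "$rules" | grep -Eq '^[[:space:]]*pass[[:space:]]*$'; then
        echo 'bare "pass" rule negates the default block'
        findings=1
    fi
    # 2. "pass in ... proto tcp ... to port N" rules that are identical apart
    #    from N can be written as a single rule with a port list.
    dups=$(printf '%s\n' "$rules" |
           grep -E '^[[:space:]]*pass in.*proto tcp.*to port [0-9]+$' |
           sed 's/[[:space:]]*to port [0-9]*$//' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "rules differing only by port can be merged: $dups"
        findings=1
    fi
    return $findings
}

ruleset | lint_ruleset && echo "ruleset: no findings"
```

`pfctl -nf` remains the real syntax check; this lint only flags the two patterns named in the thread before a ruleset is loaded.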



Re: openbsd 4.9 based UTM

2011-07-19 Thread Andres Perera
On Tue, Jul 19, 2011 at 6:04 AM, citoyen citoyen cccito...@gmail.com wrote:
 Hi,
 I'm about to start a project of building my own highly secure UTM based on
 the last openbsd flower 4.9. I can do all the system and network configs
 needed by myself, but I'm wondering what language to use in order to get
 my UTM configurable from a web browser.
 any pointers or help are welcome.


i built a similar UTM project using openbsd as firewall and freedos
for fileserver (raw device access is way faster than mucking around in
userland)

the web interface should be coded in js

js would generate m4 macros that generate pf rules, spamd rules, etc

low complexity:

js -> m4 -> pf preprocessor -> pf

the m4 macros look like this:

divert(-1)

define(`pu',`pushdef($@)')
define(`po',`popdef($@)')

dnl m4pf_blockrule(proto, from, to): bind the three arguments to P, F and T
dnl while the rule text is expanded, then restore the previous definitions.
define(`m4pf_blockrule',
`pu(`P', `$1')'
`pu(`F', `$2')'
`pu(`T', `$3')'
`block proto P from F to T'`'
`po(`P',`F',`T')')

divert(0)dnl

the idea is to replicate the pf.conf syntax in m4 and js so that i can
use the webinterface to do the configuration and users don't need to
learn pf.conf, but they need to learn my interface instead. i thought
of just serving the contents of pf.conf initially, but that's too
complicated and you seem to have discarded that anyway



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-11 Thread Andres Perera
On Mon, Jul 11, 2011 at 7:46 PM, J Sisson sisso...@gmail.com wrote:
 On Mon, Jul 11, 2011 at 6:58 PM, Juan Miscaro jmisc...@gmail.com wrote:

 On 7 July 2011 15:06, jirib ji...@devio.us wrote:

 Are you kidding? Ubuntu? Where installed daemons are running by default,
  where there is no command to disable shitty upstart daemons?

 Which daemons are those again?

 apt-get install some_insecure_daemon

 Oh look, some_unsecure_daemon is running before I have a chance to
 configure it and lock it down the way I see fit. <sarcasm>Good thing we
 all know those Ubuntu/Debian guys are so damned smart and all...</sarcasm>


why would you install a daemon and not run it? how is it any different
than X listening on localhost by default in obsd? if you install a
daemon in debian/ubuntu and it listens on 0.0.0.0 by default, the
package isn't following distro policy



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-11 Thread Andres Perera
On Mon, Jul 11, 2011 at 8:48 PM, J Sisson sisso...@gmail.com wrote:
 On Mon, Jul 11, 2011 at 7:36 PM, Andres Perera andre...@zoho.com wrote:

 why would you install a daemon and not run it? how is it any different
 than X listening on localhost by default in obsd? if you install a
 daemon in debian/ubuntu and it listens on 0.0.0.0 by default, the
 package isn't following distro policy

 Why would you start a daemon before you have had a chance to
 configure it for your environment?  Is it really that hard to run
 update-rc.d after you edit a config file?

that wouldn't be any different than sending a HUP signal or restarting
through rc.d, assuming listening on localhost is ok. for exceptional
situations where it would be not ok, like increasingly rare truly
multi-user systems, you can turn it off globally for newly installed
packages


 OpenBSD asks if X should run by default when you install the system.
 On top of that, the default firewall rules explicitly block traffic to X.
 It's quite different in fact.

it does not offer granularity covering both running X and X
accepting connections from localhost, just like the debian package
policy concerning network daemons


 Policy?  Well thank heavens for that...I guess I should run Ubuntu on
 all of my critical infrastructure...their policy will protect me.



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-11 Thread Andres Perera
On Mon, Jul 11, 2011 at 9:40 PM, patrick keshishian pkesh...@gmail.com wrote:
 On Mon, Jul 11, 2011 at 5:36 PM, Andres Perera andre...@zoho.com

 why would you install a daemon and not run it? how is it any different
 than X listening on localhost by default in obsd?

 Just because you install something doesn't mean you want it run by default.

 fingerd, ftpd, rshd, popa3d, tftpd, ntalkd, ntpd, bind, lpd, sshd,
 etc. are installed on OpenBSD, but not necessarily enabled by default.

one trait that all of these programs have in common is their inclusion
in base, which is meant to be a general purpose system. that's a whole
other story from debian and ubuntu. both of these linux distributions
have tags such as essential or required reserved for crucial
packages; anything else is optional. the packages that brandish the
required tag differ significantly from obsd's criteria. suffice to
say, httpd does not qualify as indispensable in debian world

added daemons have different connotations from those included in obsd
base, and this also applies to debian and derivatives. the closest
parallel would be packages built from ports and the automation pkg_add
performs on installing them


 When software thinks too much for the operator is when trouble begins.

 --patrick



Re: How does OpenBSD compare to Ubuntu Server?

2011-07-11 Thread Andres Perera
On Mon, Jul 11, 2011 at 11:43 PM, patrick keshishian pkesh...@gmail.com wrote:

 you failed at making any point.

i'll rebrand it into convenient twitter format:

debian splits packages to the point where a single service is
associated with a single top level package, meaning that there's never a
reason for unused installed services

openbsd limitations do not apply 1:1 to other systems unless they
happen to be openbsd. in the previous sentence, openbsd can be
replaced by any word



Re: Recompile OpenBSD without built-in Apache 1.3

2011-06-28 Thread Andres Perera
see SKIPDIR in mk.conf(5)

add usr.sbin/httpd

On Tue, Jun 28, 2011 at 9:01 PM, Tito Mari Francis Escaño
titomarifran...@gmail.com wrote:
 Good day!
 Is it possible to recompile the whole system while excluding the built-in
 Apache 1.3 web server? I was hoping to save a few more megabytes off the
 base installation of the system. In case it's not advisable, can you please
 discuss the bad side effects of doing so?
 Thanks in advance.



Re: Can command-line options be specified in any place?

2011-06-22 Thread Andres Perera
On Wed, Jun 22, 2011 at 7:19 AM, Tobias Ulmer tobi...@tmux.org wrote:

 The getopt(3) function is inconsistent amongst operating systems and
 could use some polish in my opinion. Maybe there are technical reasons
 why this feature can't be implemented, but this discussion has certainly
 extinguished my curiosity about it.


inconsistent implementations are not the problem at all

if the system getopt is patched to always use  FLAG_PERMUTE like
getopt_long, then scripts that expect the old behaviour would have to
be changed. for example, /etc/rc.d/rc.subr:

-rcexec=su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c
+rcexec=su -l -c ${daemon_class} -s /bin/sh -- ${daemon_user} -c
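Review bot: the `--` inserted before `${daemon_user}` is the change a permuting getopt(3) would force: without it, the trailing `-c` that belongs to the command handed to the daemon's shell would be read as a second `-c` for su(1) itself, with whatever follows it taken as a login class. The two lines carry no `@@` header or context and the quoting around the assignment has not survived the archive, so they illustrate the kind of edit every such script would need rather than a patch to apply as-is.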

going through all the scripts is a bigger problem than some other os
using another implementation with remarkably different semantics



Re: Can command-line options be specified in any place?

2011-06-21 Thread Andres Perera
you can compile gnu coreutils

the reason posix and bsd don't allow options after operands is because
it complicates the implementation of getopt and it introduces
ambiguity, especially with options that take arguments

the gnu getopt has to look at the first characters of every argv
member unless -- is used, which is inconvenient in interactive shells

On Tue, Jun 21, 2011 at 7:09 PM,  vadi...@gmail.com wrote:
 Hi,

 I'm considering migrating my desktop from Linux to OpenBSD but the
 main feature that
 kept me away from *BSD world for over a decade since I've first tried
 FreeBSD was the
 one that options must only be specified after command before any
 arguments. (At least
 that is true for basic commands). For example on Linux a command

 B ls -l foo -h

 will print the foo's size with suffix (K, M, G, etc.). On *BSD
 (including Mac OS X) I get error
 message:

 B ls: -h: No such file or directory

 Is there an easy way to get the desired behavior on OpenBSD? If that
 can only be achieved
 by patching system's sources is there a standard way to maintain my
 personal set of
 patches so that they will be automatically applied every time I upgrade
system?

 Best regards,
 Vadim.
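The two conventions the reply contrasts, as an added example that is not from the thread: `posix_parse` uses the shell's getopts, which stops at the first operand, so `-l foo -h` sees `-h` as a file name, exactly the `ls: -h: No such file or directory` quoted above; `permute_parse` scans every argument the way a permuting getopt does, which is what makes `--` necessary and lets an option that takes an argument swallow whatever follows it wherever it appears. Both print `opts=<letters> operands=<rest>`; the function names and sample invocations are mine, and clustered flags such as `-lh` are deliberately not handled.

```shell
#!/bin/sh
# Added example, not from the thread: POSIX (stop at first operand) versus
# GNU-style permuting option parsing, in portable sh.

# posix_parse OPTSTRING ARG...: options are recognised only up to the first
# non-option argument; everything from there on is an operand.
posix_parse() {
    optstring=$1; shift
    OPTIND=1 OPTARG="" seen=""
    while getopts "$optstring" opt; do
        case $opt in
            \?) return 2 ;;                                  # unknown option
            *)  seen="$seen$opt${OPTARG:+=$OPTARG}" ;;       # f:  ->  f=value
        esac
        OPTARG=""
    done
    shift $((OPTIND - 1))
    printf 'opts=%s operands=%s\n' "$seen" "$*"
}

# permute_parse OPTSTRING ARG...: every argument beginning with '-' is an
# option until a literal "--" is seen; an option followed by ':' in OPTSTRING
# consumes the next argument, whatever it is. This is the ambiguity the reply
# refers to: "foo -f bar" and "-f foo bar" parse differently.
permute_parse() {
    optstring=$1; shift
    seen="" operands="" stop=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        if [ "$stop" -eq 0 ]; then
            case $arg in
                --) stop=1; continue ;;
                -?*)
                    letter=${arg#-}
                    [ ${#letter} -eq 1 ] || return 2        # no clustered flags here
                    case $optstring in
                        *"$letter:"*) [ $# -gt 0 ] || return 2
                                      seen="$seen$letter=$1"; shift ;;
                        *"$letter"*)  seen="$seen$letter" ;;
                        *)            return 2 ;;
                    esac
                    continue ;;
            esac
        fi
        operands="$operands${operands:+ }$arg"
    done
    printf 'opts=%s operands=%s\n' "$seen" "$operands"
}

posix_parse lh -l foo -h        # opts=l operands=foo -h
permute_parse lh -l foo -h      # opts=lh operands=foo
permute_parse f: foo -f bar     # opts=f=bar operands=foo
```

The last line is the case that matters for scripts: a file or word that happens to follow `-f` is taken as its argument under permutation, so any wrapper that passes untrusted words to a permuting command needs the `--` the rc.subr diff in the other reply adds.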



Re: vmmap: bad software everywhere

2011-06-06 Thread Andres Perera
i'm sure you could fathom the idea that some people care more about
streaming video on their browsers than address randomization, the same
way some people care more about speedier local lookups to  a
stationary sync db than making sure a package has  correct @want-lib
by trashing the ftp server on every query

some of these people may even call the alternative they're not using stupid

what does that do? nothing

On Sun, Jun 5, 2011 at 9:47 AM, Marc Espie es...@nerim.net wrote:
 On Sun, Jun 05, 2011 at 09:46:48AM -0400, Nico Kadel-Garcia wrote:
 On Fri, Jun 3, 2011 at 6:26 PM, Marc Espie es...@nerim.net wrote:
  On Fri, Jun 03, 2011 at 06:11:31PM -0400, Nico Kadel-Garcia wrote:
  On Tue, May 31, 2011 at 6:51 AM, Marc Espie es...@nerim.net wrote:
 
   How comes nobody in other OSes noticed ? Well, people probably did, and
   tweaked their allocators to work, by using preferably the low address 
   space,
   and having addresses that increase slowly, so that a lot of pointers 
   are below
   4GB, and a lot of pointer diffs are under 4GB.
 
  Or you could just be engaging in an ad hominem attack without actually
  looking at their implementations and assuming they're not doing it
  right because they're not you or your favorite platform. But hey, we
  don't know anyone who'd do *that* in the OpenBSD community. Right?
 
  Wrong.
 
  An ad hominem attack would require me asserting all this for a fact, which
  is not what I'm doing. Notice the probably ? it makes all the difference
  in the world.

 No, I'm afraid it really doesn't require asserting the truth. To
 quote from Wikipedia, An ad hominem (Latin: to the man), short for
 argumentum ad hominem, is an attempt to link the truth of a claim to a
 negative characteristic or belief of the person advocating it It's
 what I just did to you, in turn. How's it feel?

 An example or two would have lent powerful credence to your claim. The
 fix for mono, which Marc Espie notes in this thread, is a very
 powerful such indicator.

 I tend to publish findings early, when I don't have THAT many built
 examples yet. There's also some teamwork, specifically, I don't personally
 oversee everything in OpenBSD. Nobody does. But we do notice trends, and do
 some design work based on that.

 You can call that ad hominem if you wish, do any kind of rhetoric. For me,
 putting a probably in front of a working hypothesis is enough to go forward.
 I expect the facts to be disputed, I don't care much for the rhetoric part of
 it...

 I would even venture this is a fundamental activity for us to go forward.
 If you lose yourself in gruntwork, you don't see the bigger picture.
 Sometimes, we do have the luxury of saying this is complete shit, it 
 shouldn't
 work, and then we break bad software.

 On the other hand, secure by default, runs GENERIC is the other tenet of
 our culture - reproducible defaults, no need to tinker with configs to get
 things to work, and also, proceed cautiously, do not invent stupid APIS when
 we don't need to.



Re: Theo's Birthday, have you done anything?

2011-05-23 Thread Andres Genovez
A little late, but big greetings from Ecuador - South America.

2011/5/19 Mayuresh Kathe mayur...@kathe.in

 Hey, it's Theo's birthday today, have you done anything?
 Yeah, you could wish him, but, how about a small gift?
 How about donating US$10 to the project today?




--
Sincerely

Andrés Genovez Tobar / Technician
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT
http://www.puntonet.ec



Re: Fallback ruleset loaded at boot time

2011-04-24 Thread Andres Chavez
Yes, you were right. I fixed the domain entries in pf.conf and also some
inconsistency with the queue configuration on the internal interface, and then
everything was great.

Thanks a lot!

2011/4/24 Henning Brauer lists-open...@bsws.de

 * Andres Chavez fluxboxtrem...@gmail.com [2011-04-24 05:44]:
  I'm wondering why the rc script is loading the fallback ruleset instead
 of
  mine.

 because loading yours failed.

  pfctl -nf /etc/pf.conf  it's OK
 
  And if i manually load it with pfctl -f /etc/pf.conf all is going as
  expected

 so you have something in there relying on something not available
 early enough on the boot process. primarily suspect is dns.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting




--
Andrés Chavez
IT System / Network Administrator CPF
FreeBSD Server Administrator
http://www.andreschavez.com.ve



Fallback ruleset loaded at boot time

2011-04-23 Thread Andres Chavez
Hi guys

I'm wondering why the rc script is loading the fallback ruleset instead of
mine.
I'd set the ruleset as usual at /etc/pf.conf but OpenBSD seems to be loading
the fallback for some reason.

Everything looks good.

# grep ^pf /etc/rc*
/etc/rc.conf:pf=YES # Packet filter / NAT
/etc/rc.conf:pf_rules=/etc/pf.conf  # Packet filter rules file
/etc/rc.conf:pflogd_flags=  # add more flags, e.g. -s
256

Permissions

ls -l /etc/pf.conf
-rw---  1 root  wheel  6517 Apr 25 21:39 /etc/pf.conf

pfctl -nf /etc/pf.conf  it's OK

And if i manually load it with pfctl -f /etc/pf.conf all is going as
expected

Well i'd left my pf.conf file attached if you want to take a look, using
OpenBSD 4.8 Release

Cheers --

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of pf.conf]



Best advice for a link aggregation setup

2011-03-25 Thread Andres Chavez
Hello misc, I'm currently helping a friend on a link aggregation setup
based on 4.8 with 2 links from the same ISP. We have followed a bunch of
faqs/how-to's, but the fact is that we're in the middle of a bunch of questions
too. So it would be nice if you guys could help us clear some doubts and take
the right actions if required.

1) What do we actually need to make sure a link aggregation setup will
work? You should know that we have an HP ProLiant server with only 1 PCI
port, so the NIC is an Intel dual Gbit port (em0/em1); the NIC facing the LAN
is the onboard one and uses the bge driver (bge0), and from the same ISP we
have two ADSL links of 2048 mb each

2) Must the two ADSL links support a special feature like bonding or
something like that?

Cheers..

--



Re: pkg_add -L localbase

2011-03-20 Thread Andres Perera
 it's a complete noop since it will remove the package regardless of
 localbase specified with -L. it looks under PKG_DBDIR/spec/+CONTENTS
 to learn about localbase, as always. in effect, it does not work
 because it's ignored

adding to that, it would've been immediately obvious to anyone testing
delete -L str that it was without effect, so the lack of the
description assumed the commit was tested

anyhoo, as long as everyone reading understands the real reason why it
wasn't placed in PkgAdd.pm

xoxo




Re: pkg_add -L localbase

2011-03-19 Thread Andres Perera
about AddCreateDelete.pm r1.15

1. -L was never there (adding back? had to go through the entire log
for the file to verify adding back)

2. PkgCreate.pm declared it separately, and still does

3. PkgDelete.pm doesn't work with -L, and if it ever did, it wasn't documented

is pkg_delete not working with -L now considered a bug, since the
commit portrays that it should work with -L? if so, is the lack of
documentation for the new flag also considered a bug?

hard to tell



Re: pkg_add -L localbase

2011-03-19 Thread Andres Perera
On Sat, Mar 19, 2011 at 7:35 AM, Marc Espie es...@nerim.net wrote:
 On Sat, Mar 19, 2011 at 07:20:33AM -0430, Andres Perera wrote:
 about AddCreateDelete.pm r1.15

 1. -L was never there (adding back? had to go through the entire log
 for the file to verify adding back)
 Of course it was not. you'll have to check the whole history of the tools
 to figure out what happened.

fair enough



 2. PkgCreate.pm declared it separately, and still does
 Yep, should remove that as well.

 3. PkgDelete.pm doesn't work with -L, and if it ever did, it wasn't 
 documented
 doesn't work. Doesn't mean anything here. What doesn't work ? what do you
 get for error messages ? what are you doing ?


it's a complete noop since it will remove the package regardless of
localbase specified with -L. it looks under PKG_DBDIR/spec/+CONTENTS
to learn about localbase, as always. in effect, it does not work
because it's ignored



Re: pkg_add -L localbase

2011-03-18 Thread Andres Perera
On Fri, Mar 18, 2011 at 3:45 AM, Gregory Edigarov
g...@bestnet.kharkov.ua wrote:
 Hello,

 Is this working ever?
 Yesterday I was trying to add certain packages and wanted them to
 reside in the very separate base (/usr/opt) so they will be easily
 removed after my trial of them.
 I did 'pkg_add -L /usr/opt/<package name> <package>' and got:
 pkg_add: Unknown option -L
 Usage: pkg_add [-acIinqrsUuvxz] [-A arch] [-B pkg-destdir] [-D
 name[=value]] [-L localbase] [-l file] [-P type] [-Q quick-destdir]
 pkg-name [...]

 What am I missing?

--- usr/src/usr.sbin/pkg_add/OpenBSD/PkgAdd.pm  Mon Jan  3 14:31:04 2011
+++ usr/libdata/perl5/OpenBSD/PkgAdd.pm Fri Mar 18 12:51:28 2011
@@ -68,7 +68,7 @@
 sub handle_options
 {
my $state =3D shift;
-   $state-SUPER::handle_options('aruUzl:A:P:Q:',
+   $state-SUPER::handle_options('aruUzl:A:L:P:Q:',
'[-acIinqrsUuvxz] [-A arch] [-B pkg-destdir] [-D name[=3Dvalue]=
]',
'[-L localbase] [-l file] [-P type] [-Q quick-destdir]
pkg-name [...]');
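Review bot: adding `L:` to the option spec only makes pkg_add accept `-L localbase` instead of rejecting it; nothing in this hunk consumes the parsed value to set localbase, so the flag may now be accepted and silently ignored, and the usage string two lines below already advertised `[-L localbase]` before the change, so the original "Unknown option -L" was a mismatch between usage text and option spec rather than missing documentation. Separately, the hunk would not apply as shown: it diffs `usr/src/usr.sbin/pkg_add/OpenBSD/PkgAdd.pm` against the installed copy under `usr/libdata/perl5/OpenBSD/`, the `=3D` and trailing `=` on its lines are quoted-printable mail encoding, and `$state-SUPER::handle_options` has lost the `->` arrow in the archive; regenerate it against the source tree and send it unencoded.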

 --
 With best regards,
     Gregory Edigarov



nl_langinfo(3) and possibly redundant #include

2011-03-15 Thread Andres Perera
the synopsis section says
 #include <nl_types.h>
 #include <langinfo.h>

 char *
 nl_langinfo(nl_item item);

however, nl_types.h is included by langinfo.h

which one is at fault? should the man page be corrected or should the
header not pull nl_types.h?



Re: what is the “Online Certificate Status Protocol”

2011-03-09 Thread Andres Perera
On Wed, Mar 9, 2011 at 9:27 AM, Joachim Schipper
joac...@joachimschipper.nl wrote:
 On Wed, Mar 09, 2011 at 01:30:39AM -0800, erikmccaskey64 wrote:
 I use privoxy. In the user.action file I have a redirect rule and a few
 websites:


 { +redirect{s@http://@https://@} }
 .twitter.com
 .facebook.com


 Ok! it's working great, e.g.: if I visit any *twitter.com URL it gets
 redirected to HTTPS!


 But: with wireshark I can see some OCSP packets [
 http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol ]


 Question: What are these packets? Why aren't they in HTTPS?


 Is my redirection method with privoxy secure?

 The keys to legitimate certificates may fall in the hands of bad guys
 (e.g. when they hack a HTTPS server). This would allow the bad guys to
 redirect your HTTPS connections to their own machines without you seeing
 any warnings until the stolen certificates are no longer valid (which
 should allow them something like a year to steal your credit card).

 In order to prevent this, your computer asks a special server whether
 the certificate has been revoked. This is done over the OCSP protocol
 (there are other solutions); the connection is not encrypted, but the
 OCSP server's responses are digitally signed.

 So yes, your setup seems to work just fine (or as well as SSL does in
 the first place). The HTTPS Everywhere Firefox extension would be a
 less hacky solution, though.

i'm curious as to why you say that. afaik, https everywhere also
works by rewriting the uri, just like privoxy or squid would, while
not being limited to one browser, not being unable to log actions, not
being unable to scale for a whole site instead of a single system,
etc.


         Joachim

 --
 PotD: biology/bioperl - perl tools for bioinformatics
 http://www.joachimschipper.nl/



Re: OT: Risks of CAs (Re: Your web development opinions)

2011-02-23 Thread Andres Perera
On Wed, Feb 23, 2011 at 9:21 AM, Olivier Mehani sht...@ssji.net wrote:
 Just some OT thoughts.

 On Wed, Feb 23, 2011 at 07:35:19AM -0600, Chris Bennett wrote:
 CA's cannot be trusted to even pay attention to carefully securing
 your certificate. Here in the US, the government can simply ask for
 your certificate and get it ( and possibly even use it to impersonate
 you)

 The government would have the certificate, but not the private key, so
 I'm not sure how they can impersonate you with it.

it's a little more detailed than that

the gov could say revoke his cert on the crl, and assign the next iteration
to me with my arbitrary req generated with my arbitrary key

at that point it would not matter if they don't have *his* private key

if he controls the ca, then the gov/whoever is forced to do true mitm

the big problem with the first is that chances are that your ca company is
american/european (no bullet proof host), and they will give in like paypal
wrt wikileaks


 However, they can just get their own key to *any* shoddy CA included in
 browsers, and get a certificate linking that key to your services
 without much problem.

 The problem is not really whether there is a trust relationship between
 your CA provider and you, it's whether at least *one* CA is lax
 enough that they give out certificates without thorough checking.

 Even with your self-signed approach, somebody could get a CA to issue a
 certificate that their key is good for your website, and impersonate it
 to any of your new-coming customers who haven't been exposed to your
 official key yet.

 I may also be wrong in my analysis, but as far as my understanding goes,
 it's correct.

 --
 Olivier Mehani sht...@ssji.net
 PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655

 [demime 1.01d removed an attachment of type application/pgp-signature]
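As an added example (not code from this thread), the reissue scenario Andres describes, run offline with openssl against a throwaway CA: the CA issues a certificate for a hostname, then issues a second one for the same name to a different key. Chain validation accepts both; only a pin on the public key (SPKI hash) tells them apart. The CA name and hostname are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway CA in a temp
# directory, issues two certs for the same (made-up) hostname to two
# different keys, and shows that chain validation cannot tell them apart
# while a pin on the public key (SPKI hash) can.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
HOST="www.example.test"   # constructed hostname

# Throwaway self-signed CA, standing in for the "shoddy CA" of the thread.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Throwaway Example CA" -days 2 >/dev/null 2>&1

# issue_leaf NAME CN: fresh key + CSR for CN, signed by the CA -> NAME.crt
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -days 1 >/dev/null 2>&1
}

# chain_ok CERT: prints "ok" if the CA chain validates CERT, else "fail"
chain_ok() {
    if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# spki_pin CERT: base64(SHA-256(DER SubjectPublicKeyInfo)), the value a
# key-pinning client compares against its stored pin for the host.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl base64
}

issue_leaf legit    "$HOST"   # the operator's real cert and key
issue_leaf reissued "$HOST"   # same name, same CA, a different key

echo "chain validation: legit=$(chain_ok legit.crt) reissued=$(chain_ok reissued.crt)"
if [ "$(spki_pin legit.crt)" = "$(spki_pin reissued.crt)" ]; then
    echo "pin: same key"
else
    echo "pin: MISMATCH, the CA issued $HOST to a different key"
fi
```

Both certificates validate against the CA, so a client relying on chain validation alone sees no difference; only the pin comparison exposes the key swap.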


