Re: Android (MTP) with OpenBSD: Tiny success story

2019-06-14 Thread carlos albino garcia grijalba
Great, thanks for sharing.

From: owner-m...@openbsd.org  on behalf of IL Ka 

Sent: Thursday, April 19, 2018 3:06 AM
To: OpenBSD General Misc
Subject: Android (MTP) with OpenBSD: Tiny success story

I just connected my Android device to OpenBSD, and since
I did not find any article on this subject, I want to share my experience.

OpenBSD supports USB Mass Storage Devices (used in USB drives)
with umass(4).

But Android uses MTP (a file-level protocol, not block-level like umass),
so OpenBSD launched ugen(4) to give user-space tools access
to an otherwise unknown USB device.

I installed the ``simple-mtpfs`` package, which uses fuse (a user-space fs).

$ mtp-connect
$ simple-mtpfs /mnt

and it worked! You only need to be sure that your screen is unlocked.
For some reason my Android does not allow connecting to it otherwise.

There is also the ``devel/adb`` port to debug and install .apk files, but
I haven't tried it yet.


LibC openBSD affected ?

2016-12-06 Thread carlos albino garcia grijalba
Is OpenBSD affected by http://tinyurl.com/js2vd28 ?

Vulnerability Note VU#548487 - BSD libc contains a buffer overflow vulnerability
tinyurl.com
The BSD libc library is vulnerable to a classic buffer overflow.



Re: OpenBSD mailserver success stories ?

2016-04-26 Thread carlos albino garcia grijalba
I have been using an OBSD mail server for 12 years. It's medium but it just works,
no problem at all with the mail server. I don't think you will have any problem. By
the way, I'm using Postfix as MTA.

> Date: Tue, 26 Apr 2016 12:32:22 -0400
> From: st...@panix.com
> To: misc@openbsd.org
> Subject: OpenBSD mailserver success stories ?
>
> We are in the early engineering stages of building a replacement system for
> one that we installed about 25 years ago that has served us well, and aged
> gracefully. However it is tied to some commercial software from a vendor that
> long ago fell into the black hole of commercial software vendors. Yep, no
> source code.
>
> So, I am doing some soul searching. Our OS decision tree that is a legacy
> from that time is as follows:
>
> if it faces the outside world, or is network curious (DNS for example) OS =
> OpenBSD
>
> else if the OS needs a fancy GUI, or commercial software is involved OS = Linux
>
> else OS = FreeBSD
>
> this has served us well for many years, but it has been a long time since
> we did anything involving FreeBSD. Granted I still have solid machines
> protected by modern OpenBSD firewalls, but ... I am thinking I may want to
> go down to 2 choices for OS's.
>
> Given that, most of the things we are doing with FreeBSD, Apache, Samba,
> NFS etc, do not concern me as to doing them with OpenBSD, but I am a bit
> concerned about the mailserver. We use it for internal mail, and it gets mail
> from a large variety of systems, and devices, not all of which are modern.
> Also I offer our users many options for retrieving their mail. With this in
> mind, I'd like to hear the experience of others using OpenBSD for a
> mailserver.
>
> Thanks.
>
> --
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?



Re: mail server on rental server ,cannot send mail

2015-06-23 Thread carlos albino garcia grijalba
Log when sending and receiving to see what is happening. I have postfix,
dovecot and amavisd, and it works ok!

> Date: Tue, 23 Jun 2015 05:22:36 -0500
> Subject: Re: mail server on rental server ,cannot send mail
> From: matt.a.mar...@gmail.com
> To: nakajin.fu...@gmail.com
> CC: misc@openbsd.org
>
> On 6/23/15, Tuyosi Takesima  wrote:
> > Thanks Matthew Martin.
> > You gave me important hints.
> >
> > I rewrote main.cf
> > 
> > /etc/postfix/main.cf
> > myhostname = abc.vs.sakura.ne.jp
> > mydomain = vs.sakura.ne.jp
> > myorigin = $myhostname
> > inet_interfaces = all
> > home_mailbox = Maildir/
> > relay_domains = $mydestination #<-
> > relayhost = #<-
> > mynetworks = 127.0.0.0/8#<-
> > mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain #<-
> > queue_directory = /var/spool/postfix
> > command_directory = /usr/local/sbin
> > daemon_directory = /usr/local/libexec/postfix
> > data_directory = /var/postfix
> > mail_owner = _postfix
> > inet_protocols = all
> > unknown_local_recipient_reject_code = 550
> > debug_peer_level = 2
> > debugger_command =
> >  PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
> >  ddd $daemon_directory/$process_name $process_id & sleep 5
> > sendmail_path = /usr/local/sbin/sendmail
> > newaliases_path = /usr/local/sbin/newaliases
> > mailq_path = /usr/local/sbin/mailq
> > setgid_group = _postdrop
> > html_directory = /usr/local/share/doc/postfix/html
> > manpage_directory = /usr/local/man
> > sample_directory = /etc/postfix
> > readme_directory = /usr/local/share/doc/postfix/readme
> > smtp_sasl_auth_enable = yes
> > smtp_sasl_password_maps = hash:/etc/postfix/isp_auth
> > smtp_sasl_security_options = noanonymous
> > disable_dns_lookups = yes
> >
> > Then I can send to the server via KEITAI (pocket phone?),
> > but I cannot send mail by PC.
> >
> > I guess the cause of not sending mail is the company's router,
> >
> > because
> > /var/log/maillog says
> > -
> > Jun 23 15:15:47 abc postfix/smtpd[20788]: lost connection
> > after UNKNOWN from p123.akita.ocn.ne.jp[123.189.32.456]
> >
> > Jun 23 15:15:47 abc postfix/smtpd[20788]: disconnect from
> > p123.akita.ocn.ne.jp[123.189.32.456] unknown=0/1
> > commands=0/1
> >
> > Jun 23 15:16:32 abc dovecot: imap-login: Login:
> > user=,
> > method=PLAIN, rip=123.189.32.456, lip=160.16.114.201, mpid=16847, TLS,
> > session=
> >
> > ---
> > regards
> >
> >
>
> I really don't know anything about Postfix. And right now their
> webserver seems down and I can't see their documentation. Have you
> tried OpenSMTPD? :)
>
> p123.akita.ocn.ne.jp's IP is different now, and still seems
> impossible. .456? I'm not familiar enough with postfix/sasl/etc... to
> help with anything else, but that IP can't be correct. Octets only go
> up to 255. I'd see what's going on with that before looking at
> anything else.



Re: wildcard poisoning

2014-09-11 Thread carlos albino garcia grijalba
I think that this is not something related to OBSD security but to the
correct use of the shell. Of course, this is something that could happen.

> Date: Tue, 9 Sep 2014 21:21:30 -0700
> Subject: Re: wildcard poisoning
> From: pkesh...@gmail.com
> To: stur...@hotmail.com
> CC: misc@openbsd.org
>
> On 9/9/14, Stefan Olsson  wrote:
> > I came across an interesting article on wildcards in shell:
> >
> > http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
> >
> >
> > Tested some of the above in pdksh on a current OpenBSD-host:
> > $ mkdir test
> > $ cd test
> > $ touch file1 file2 file3 "-rf"
> > $ mkdir DIR1 DIR2
> > $ ls -al
> > total 16
> > -rw-r--r--   1 sturban  sturban 0 Sep 10 04:26 -rf
> > drwxr-xr-x   4 sturban  sturban   512 Sep 10 04:26 ./
> > drwxr-xr-x  10 sturban  sturban  1024 Sep 10 04:25 ../
> > drwxr-xr-x   2 sturban  sturban   512 Sep 10 04:26 DIR1/
> > drwxr-xr-x   2 sturban  sturban   512 Sep 10 04:26 DIR2/
> > -rw-r--r--   1 sturban  sturban 0 Sep 10 04:26 file1
> > -rw-r--r--   1 sturban  sturban 0 Sep 10 04:26 file2
> > -rw-r--r--   1 sturban  sturban 0 Sep 10 04:26 file3
> > $ rm *
> > $ ls -al
> > total 8
> > -rw-r--r--   1 sturban  sturban 0 Sep 10 04:26 -rf
> > drwxr-xr-x   2 sturban  sturban   512 Sep 10 04:26 ./
> > drwxr-xr-x  10 sturban  sturban  1024 Sep 10 04:25 ../
>
> $ touch file1 file2 file3 "-rf"
> $ mkdir DIR1 DIR2
> $ ls -al
> total 16
> -rw-r--r--  1 sidster  wheel 0 Sep  9 21:19 -rf
> drwxr-xr-x  4 sidster  wheel   512 Sep  9 21:19 ./
> drwxrwxrwt  8 root wheel  1024 Sep  9 21:19 ../
> drwxr-xr-x  2 sidster  wheel   512 Sep  9 21:19 DIR1/
> drwxr-xr-x  2 sidster  wheel   512 Sep  9 21:19 DIR2/
> -rw-r--r--  1 sidster  wheel 0 Sep  9 21:19 file1
> -rw-r--r--  1 sidster  wheel 0 Sep  9 21:19 file2
> -rw-r--r--  1 sidster  wheel 0 Sep  9 21:19 file3
> $ rm ./*
> rm: ./DIR1: is a directory
> rm: ./DIR2: is a directory
> noir $ ls -al
> total 16
> drwxr-xr-x  4 sidster  wheel   512 Sep  9 21:20 ./
> drwxrwxrwt  8 root wheel  1024 Sep  9 21:19 ../
> drwxr-xr-x  2 sidster  wheel   512 Sep  9 21:19 DIR1/
> drwxr-xr-x  2 sidster  wheel   512 Sep  9 21:19 DIR2/
>
> be smarter than that.
>
> --patrick
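The two runs above, as an added example that is not part of the thread or of any poster's code: a POSIX shell script that rebuilds the same directory layout under mktemp(1) and compares the unsafe `rm *` with the spellings that keep a file name from being parsed as options (`rm -- *`, Patrick's `rm ./*`, and `find ... -exec rm -- {} +`). The function names and the scratch-directory path are constructed for the demo; nothing outside the temporary directory is touched.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "-rf" case in a throwaway
# directory and compare the unsafe glob with the forms that stop a file name
# from being read as options. Every path is constructed under mktemp(1).
export LC_ALL=C          # deterministic glob order: "-rf" sorts before "DIR1"

# make_scratch DIR: the layout from the thread (three files, two dirs, "-rf")
make_scratch() {
    mkdir -p "$1" || return 1
    ( cd "$1" && touch -- file1 file2 file3 -rf && mkdir DIR1 DIR2 )
}

# count_entries DIR: number of non-dot entries left, like ls without -a
count_entries() {
    ls -1 "$1" | wc -l | tr -d ' '
}

# run_case CMD: build a fresh scratch dir, run CMD inside it, print what is left
run_case() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/wildcard.XXXXXX") || return 1
    make_scratch "$d" || return 1
    ( cd "$d" && eval "$1" ) >/dev/null 2>&1 || true   # "is a directory" errors are expected
    count_entries "$d"
    rm -rf -- "$d"
}

# The thread's "rm *": the glob puts "-rf" into argv and rm parses it as
# options, so the directories go too and only the "-rf" file survives (1 left).
unsafe_glob()   { run_case 'rm *'; }

# "--" ends option parsing: "-rf" is a plain operand and is removed, while
# DIR1/DIR2 are refused because no -r was given (2 left).
safe_dashdash() { run_case 'rm -- *'; }

# "./*" gives every expansion a leading "./", so nothing can look like an
# option; this is Patrick's spelling in the thread (2 left).
safe_dotslash() { run_case 'rm ./*'; }

# find(1) hands path-prefixed names to rm itself and lets you restrict the
# type; the most robust form for scripts that clean up untrusted directories (2 left).
safe_find()     { run_case 'find . -mindepth 1 -maxdepth 1 -type f -exec rm -- {} +'; }

# Stand-alone run: prints the number of entries left after each variant
if [ "${1:-}" = "demo" ]; then
    for f in unsafe_glob safe_dashdash safe_dotslash safe_find; do
        printf '%-14s entries left: %s\n' "$f" "$($f)"
    done
fi
```

Run it as `sh wildcards.sh demo`. The `--` and `./` forms fix the one call; the find(1) form is the one to use in scripts, because it never lets the shell build rm's argument list from file names at all.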



Re: uvm_mapent_alloc: out of static map entries

2014-01-20 Thread carlos albino garcia grijalba
I have been seeing this on the server for some time and I thought this would be
corrected in the last releases, but I was wrong. I could not find a solution in the
archives, but (correct me if I am wrong) it seems that this is just a message and
that the system auto-increases this when it occurs. There is a better explanation
in the archives.

> Date: Mon, 20 Jan 2014 11:37:46 +0200
> From: bil...@edu.physics.uoc.gr
> To: misc@openbsd.org
> Subject: uvm_mapent_alloc: out of static map entries
>
> Hi,
>
> I've had this message today
> uvm_mapent_alloc: out of static map entries
> in my quite current 5.4 GENERIC.MP#193 i386 (Mon Jan  6)
>
> When it began I've also had e-mails from mrtg failing to contact snmpd.
>
> I've found an old post and a site
>
> http://www.saigonist.com/content/openbsd-uvmmapentalloc-out-static-map-entries
>
> telling to play with
> NKMEMPAGES_MAX, NKMEMPAGES, MAX_KMAPENT
>
> Should I bother with these tips or not?
>
> Thanks
>
> G



Re: Transparent proxy with Squid on OpenBSD 5.4

2014-01-08 Thread carlos albino garcia grijalba
OK, but why do you need the bridge? I think that you want it to be there to
intercept the web and let all else pass, but you can do this without the bridge part:
intercepting the web requests and then letting all the other traffic go to the router.
Not sure if the bridge can do this, because its function is to be there while the
packets do not know that it is there. I mean, as far as I know (correct me if
I am wrong) they operate in layer 2, so it never reaches the higher levels where
interception works.

> From: romain.fab...@alienconsulting.net
> To: genesi...@hotmail.com; grazzol...@gmail.com; cremator.li...@gmail.com
> CC: misc@openbsd.org
> Subject: RE: Transparent proxy with Squid on OpenBSD 5.4
> Date: Thu, 9 Jan 2014 00:18:43 +0100
>
> In fact here is the topology I had in mind :
>
> Computers <=> Switch <=> Webfiltering bridge <=> Router <=> Internet
>
> Since I want my system to do both :
> - the bridge role
> - webfiltering
>
> ... without adding a network (I mean adding a network and making the
> Webfiltering box route between the two subnets)
>
> I think it is necessary to build a bridge...
> And that the design should work...
>
> But I'm still struggling on this matter.
>
>
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
> carlos albino garcia grijalba
> Sent: Wednesday, 8 January 2014 21:29
> To: Romain FABBRI - Alien Consulting; grazzol...@gmail.com; 'Cremator'
> Cc: 'Misc OpenBSD'
> Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
>
> I agree with Giancarlo. Why do you need the bridge function? For a transparent
> proxy you don't need the bridge.
>
> > From: romain.fab...@alienconsulting.net
> > To: grazzol...@gmail.com; cremator.li...@gmail.com
> > CC: misc@openbsd.org
> > Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
> > Date: Fri, 3 Jan 2014 17:57:37 +0100
> >
> > I didn't investigate the bridge in itself since it seems to be working
> > as a bridge...
> >
> > #===
> > # Bridge configuration
> > #===
> >
> > #vi /etc/hostname.bge0
> > up
> >
> > #vi /etc/hostname.bge1
> > up
> >
> > #vi /etc/hostname.vether0
> > inet 192.168.200.253 255.255.255.0 192.168.200.255
> >
> > #vi /etc/hostname.bridge0
> > add vether0
> > add bge0
> > add bge1
> > up
> >
> > #vi /etc/mygate
> > 192.168.200.254
> >
> > #===
> > # PF configuration
> > #===
> > # Macros & Tables
> > ext_if="bge0"
> > int_if="bge1"
> >
> > # Options
> > set reassemble yes no-df
> >
> > # Redirect www to our transparent squid proxy
> > pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80
> > divert-to 127.0.0.1 port 3129
> > pass out quick on $int_if inet from 192.168.200.0/24 divert-reply
> >
> > # Allow TerminalServer
> > pass quick inet proto tcp from any to any port 3389 keep state
> >
> > # Allow SSH
> > pass quick inet proto tcp from any to 192.168.200.253 port ssh
> >
> > # NTP
> > pass out quick proto udp from $int_if to any port 123 keep state
> >
> > # Allow mail
> > pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep
> > state
> >
> > # Allow Ping/Traceroute/DNS
> > pass quick inet proto udp from any to any port domain
> > pass quick inet proto tcp from any to any port domain flags S/SA synproxy
> > state
> > pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
> >
> >
> > #===
> > # Squid configuration
> > #===
> >
> > # Only useful for Squid 2.7
> > #acl localhost src 127.0.0.1/32
> > #acl manager proto cache_object
> > #acl all src 0.0.0.0/0.0.0.0
> >
> > # Interfacing with SquidGuard
> > url_rewrite_program /usr/local/bin/squidGuard -c
> > /etc/squidguard/squidguard.conf
> >
> > # Number of redirector processes to spawn
> > url_rewrite_children  5
> >
> > # To prevent loops, don't send requests from localhost to the redirector
> > url_rewrite_accessdeny  localhost
> >
> > # Only allow cachemgr access from localhost
> > http_access allow localhost manager
> > http_access deny manager
> >
> > # Define sources
> > acl localnet src 192.168.200.0/24
> >
> > # Define ports
> > acl SSL_ports port 443
> >

Re: Transparent proxy with Squid on OpenBSD 5.4

2014-01-08 Thread carlos albino garcia grijalba
I agree with Giancarlo. Why do you need the bridge function? For a transparent
proxy you don't need the bridge.

> From: romain.fab...@alienconsulting.net
> To: grazzol...@gmail.com; cremator.li...@gmail.com
> CC: misc@openbsd.org
> Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
> Date: Fri, 3 Jan 2014 17:57:37 +0100
>
> I didn't investigate the bridge in itself since it seems to be working as a
> bridge...
>
> #===
> # Bridge configuration
> #===
>
> #vi /etc/hostname.bge0
> up
>
> #vi /etc/hostname.bge1
> up
>
> #vi /etc/hostname.vether0
> inet 192.168.200.253 255.255.255.0 192.168.200.255
>
> #vi /etc/hostname.bridge0
> add vether0
> add bge0
> add bge1
> up
>
> #vi /etc/mygate
> 192.168.200.254
>
> #===
> # PF configuration
> #===
> # Macros & Tables
> ext_if="bge0"
> int_if="bge1"
>
> # Options
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80
> divert-to 127.0.0.1 port 3129
> pass out quick on $int_if inet from 192.168.200.0/24 divert-reply
>
> # Allow TerminalServer
> pass quick inet proto tcp from any to any port 3389 keep state
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # NTP
> pass out quick proto udp from $int_if to any port 123 keep state
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep
> state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy
> state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
>
> #===
> # Squid configuration
> #===
>
> # Only useful for Squid 2.7
> #acl localhost src 127.0.0.1/32
> #acl manager proto cache_object
> #acl all src 0.0.0.0/0.0.0.0
>
> # Interfacing with SquidGuard
> url_rewrite_program /usr/local/bin/squidGuard -c
> /etc/squidguard/squidguard.conf
>
> # Number of redirector processes to spawn
> url_rewrite_children  5
>
> # To prevent loops, don't send requests from localhost to the redirector
> url_rewrite_accessdeny  localhost
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # Define sources
> acl localnet src 192.168.200.0/24
>
> # Define ports
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 127.0.0.1:3129 tproxy
>
> # Real squid memory cache
> cache_mem 1500 MB
> maximum_object_size_in_memory 8 MB
>
> # Squid disk cache cache_dir ufs /var/squid/cache 1500 16 64
> minimum_object_size 3 KB
> maximum_object_size 8 MB
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/squid/cache 200 16 256
>
> # IP & DNS names memory cache
> ipcache_size 5120
> fqdncache_size 5120
>
> # File descriptor number
> #max_filedescriptors 4096
>
> # Public exposed hostname
> visible_hostname openfw.local
>
> # Added to footer of error pages.
> cache_mgr em...@test.net
>
> # Log client request activities
> access_log /var/squid/logs/access.log squid
>
> # Log information about the cache's behavior
> cache_log /var/squid/logs/cache.log
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320



Re: Bizarre pf/sendmail interaction

2013-12-18 Thread carlos albino garcia grijalba
I think that you will have to track down the packets.
tcpdump can be the solution, or disable blocking while you find the offending
rule, then fix it!


> Date: Tue, 17 Dec 2013 17:56:33 +
> To: misc@openbsd.org
> Subject: Re: Bizarre pf/sendmail interaction
> From: skin...@britvault.co.uk
>
> On 2013-12-17 Tue 17:05 PM |, Tethys wrote:
> > On Tue, Dec 17, 2013 at 4:43 PM, Craig R. Skinner
> >  wrote:
> >
> > > I guess you have net.inet.forwarding=1 in /etc/sysctl.conf
> >
> > Yes, I do. I can browse the web etc from inside the firewall without problems.
> >
> > > Does the firewall also know where to forward external traffic to your
> > > internal mail server? (NON-NAT)
> >
> > I have:
> >
> > pass in on $ext inet proto tcp from $mx to $loki_ext port smtp
> > rdr-to $riva port smtp keep state
> >
> > $ext is the firewall's external interface. $mx expands to the IP
> > addresses of my MX servers. $loki_ext is the external IP address of my
> > firewall, and $riva is my internal mail server.
> >
>
> There might be some other rule later on that's blocking it.
>
> Scan through the output of:
> $ sudo pfctl -sr



Re: Blocking facebook.com: PF or squid?

2013-10-22 Thread carlos albino garcia grijalba
The hosts file is good but does not stop web proxies.

> From: stefan.wol...@web.de
> To: misc@openbsd.org
> Subject: Re: Blocking facebook.com: PF or squid?
> Date: Mon, 21 Oct 2013 18:26:57 +0200
>
> Hi Sico!
> Hi list!
>
> >[stuff deleted for brevity]
> >
> >>> I am in a similar situation (squid at home) and I simply have a
> >>> blacklist with lines like these:
> >>>
> >>> doubleclick
> >>> facebook
> >>> scorecardresearch
> >>>
> >>> Works like a charm for me, and no need to look up IP address blocks
> >>> or anything like that. And since I am the only user here there's no
> >>> collateral damage. ;-)
> >>
> >> Well: I am personally liable for what leaves my network so this kind of
> >> 'collateral damage' is what I intentionally try to achieve :-) (see the
> >> reply to myself a few minutes ago)
> >
> > Uhm, squid only filters incoming traffic...
>
> Doesn't this actually answer my original question: If only incoming traffic
> is filtered by squid, stealth outflows towards FB are not caught by the proxy.
> Obviously then only PF serves my needs for a reason.
>
> >> May I ask a follow-up question: Did you set up the blacklist within
> >> squid.conf or did you reference to a separate file?
> >
> > A bit of both really, I use a separate file and reference it in
> > squid.conf:
> >
> > sico@siem2:~>grep blacklist /etc/squid/squid.conf
> > acl blacklist url_regex "/etc/squid/blacklist.acl"
> > http_access deny blacklist
> > sico@siem2:~>
>
> Thanks for this. This brings an idea to me: I will try this with the full
> list of 'nasty addresses' from http://winhelp2002.mvps.org/hosts.htm.
> Shouldn't this then have the same effect on all clients served by the
> squid-server as if I'd go around and update the individual hosts-files?
>
> > The "url_regex" allows me to specify facebook instead of facebook.com
> > etc.
>
> That is good to know!
>
> > CU, Sico.
>
> Thanks again and
> have a nice week,
>
> STEFAN
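Stefan's idea of feeding a hosts-format list into Sico's url_regex ACL, as an added example that is not from the thread, from Squid or from the MVPS project: a POSIX shell pipeline that turns `0.0.0.0 host` lines into anchored extended regexes for `acl blacklist url_regex -i "/etc/squid/blacklist.acl"`, plus a grep(1) check that stands in for Squid's matcher. The sample hosts lines, the `url_blocked` helper and the temporary file path are constructed for the demo. Anchoring on the host part is stricter than Sico's bare `facebook`, which also matches any other host name or URL path that contains the word.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid: convert a hosts-format
# blocklist into anchored regexes for Squid's url_regex ACL and check URLs
# against the result with grep -E, which uses the same POSIX extended syntax
# as Squid's matcher. Sample input and helper names are constructed.

# sample_hosts: a few constructed lines in the format of the MVPS hosts file
sample_hosts() {
    cat <<'EOF'
# constructed sample; the real list has many thousands of such lines
0.0.0.0 ads.example.com      # tracker
0.0.0.0 Facebook.com
127.0.0.1 localhost
127.0.0.1 ads.example.com    # duplicate, different sink address
192.168.1.5 fileserver.lan   # ordinary hosts entry, not a block entry
EOF
}

# hosts_to_url_regex: hosts lines on stdin -> one anchored regex per host.
#  - drops comments, blank lines and entries that do not sink to 0.0.0.0/127.0.0.1
#  - drops localhost-style names so the proxy can still reach itself
#  - lower-cases, de-duplicates, escapes "." and anchors on the host part, so
#    "ads.example.com" does not also match "ads.example.com.attacker.test"
hosts_to_url_regex() {
    sed 's/#.*//' \
    | awk '($1 == "0.0.0.0" || $1 == "127.0.0.1") && NF >= 2 { print tolower($2) }' \
    | grep -Ev '^(localhost|localhost\.localdomain|local|broadcasthost|ip6-.*)$' \
    | sort -u \
    | sed 's/\./\\./g; s|^|^https?://([^/]*\\.)?|; s|$|(:[0-9]+)?(/.*)?$|'
}

# url_blocked URL: exit 0 if URL matches a regex built from sample_hosts.
# grep -i mirrors "url_regex -i": host names in URLs are case-insensitive.
url_blocked() {
    pats=$(mktemp "${TMPDIR:-/tmp}/blacklist.XXXXXX") || return 2
    sample_hosts | hosts_to_url_regex > "$pats"
    printf '%s\n' "$1" | grep -Eiqf "$pats"
    rc=$?
    rm -f -- "$pats"
    return "$rc"
}

# Stand-alone run: print the ACL file contents and try a few URLs
if [ "${1:-}" = "demo" ]; then
    sample_hosts | hosts_to_url_regex      # this is what goes into blacklist.acl
    for u in http://ads.example.com/banner.gif https://www.facebook.com/ \
             http://ads.example.com.attacker.test/ http://fileserver.lan/; do
        if url_blocked "$u"; then echo "deny  $u"; else echo "allow $u"; fi
    done
fi
```

Run it as `sh hosts2acl.sh demo`; in production, redirect the `hosts_to_url_regex` output to the file named in the `acl` line and `squid -k reconfigure`. As carlos notes, this only catches what actually passes through the proxy; a host list of this kind is also the natural input for Squid's purpose-built `dstdomain` ACL, which matches the destination host directly instead of the whole URL.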



Re: OpenBSD crypto and NSA/Bruce Schneier

2013-09-11 Thread carlos albino garcia grijalba
I fully agree with John. Look, gov is gov: they have the power to do things, they
have the money to do it, they have the law protecting them, and if all of this
is not enough they have people that can close your business if you don't
cooperate. So go to China or any other country that is not going to cooperate,
build your own devices and software with strong crypto and no security
problems, and maybe you will have a good channel to check out your Facebook or
chat with grandma.

> Date: Wed, 11 Sep 2013 14:00:38 +
> From: codeb...@inbox.lv
> To: misc@openbsd.org
> Subject: Re: OpenBSD crypto and NSA/Bruce Schneier
>
> On Wed, Sep 11, 2013 at 10:49:46AM +0200, Martin Schröder wrote:
> > 2013/9/11 Marc Espie :
> > > Second, low hanging fruit.
> > >
> > > There's so much crappy software and hardware out there that you have to be
> > > REALLY paranoid to think the NSA would target us. I mean, come on, there
> >
> > You think openssh isn't a valuable target?
>
> You think they need to target protocols? There are much easier ways of doing
> things. Strong crypto works if you do all the management stuff. Most people
> have no idea what's involved with that. Like Espie says there's plenty of low
> hanging fruit. If you're somebody they want to know about, the methods they
> use don't have anything to do with technology.
>
> > You think openbsd isn't used in commercial firewall/vpn appliances?
>
> You think that government doesn't cultivate "healthy" relationships with
> "security" product vendors that make whatever protocol or OS they claim to
> run irrelevant? Do you really believe they only got google, yahoo, gmx,
> msn/hotmail/aol/skype to open up their services but not router and vpn and
> appliance vendors? Don't be so naive... any company that has an office in
> the U.S. that wants to stay in business is going to bend over. How many
> Lavabit stories did we read about where somebody had the integrity to say NO
> and lose his ass? Exactly one. Guess what happened to the rest.
>
> You want security, run OpenBSD on a Chinese router or SBC or fab your own
> chips and build your own hardware. And stay the hell off the net.
>
> > Think again.
>
> Your turn.
>
> /jl
>
> --
> ASCII ribbon campaign ( ) Powered by Lemote Fuloong
>  against HTML e-mail   X  Loongson MIPS and OpenBSD
>and proprietary/ \http://www.mutt.org
>  attachments /   \  Code Blue or Go Home!
>  Encrypted email preferred  PGP Key 2048R/DA65BC04



Re: Why I abandoned OpenBSD, and why you should too...

2013-07-05 Thread carlos albino garcia grijalba
Totally agree with Marko, the same for me, but I did make a mistake and BANG,
a lot of answers, even Theo answered to kick my ass! By the way, don't you have some
uvm_alloc situation on your server?

> Date: Fri, 5 Jul 2013 09:05:11 +0200
> From: marko.cu...@mimar.rs
> To: misc@openbsd.org
> Subject: Re: Why I abandoned OpenBSD, and why you should too...
>
> I find it sad that it is now the third day that no one responded to my
> call for help with a system hang, at least something like "ask on bugs
> list", while threads like this get 15 responses in a matter of hours :(



Re: OpenBSD Doesn't Support 64-Bit Intel

2013-07-03 Thread carlos albino garcia grijalba
Hello Florenz!

You are right! I was wrong and tried to defend myself by answering back, but I
checked again what Jash was saying and then bang, he was right. Damn, even
worse, but OK, I learned the lesson. Usually I try the internet and then the
archives, but this time I got confused on support for 32 bits and 64 and
answered too quickly, trying to defend OpenBSD, which resulted in a very strong
correction by some folks; even Theo participated. But OK, I learned, and thanks;
sometimes it is better to learn the hard way.

-- By the way, first time that many helped me, hehe, and first time Theo sent me a
mail :) --

> Subject: Re: OpenBSD Doesn't Support 64-Bit Intel
> From: f...@well.com
> Date: Wed, 3 Jul 2013 10:11:21 +0200
> To: genesi...@hotmail.com
>
> hello Carlos,
>
> On Jul 2, 2013, at 6:15 PM, carlos albino garcia grijalba wrote:
> > LOL ok, I'm the rude guy, dude! But ok, I'm the dummy. What's really funny is
> > that when I ask the list for something nobody answers, but when I write
> > something that someone feels is rude then bang, I have answers!!! LOL
>
> actually, I answered not because I felt your statement was so wrong it was
> not even funny anymore.
>
> look at this thread:
> http://listserv.sap.com/pipermail/linux.general/2005-December/004843.html
> then you might realize that IA64 vs. AMD64 was a topic I found quite
> interesting some years ago.
>
> So that's the way misc works. It's easier to critique on style rather than
> on substance, and critique makes most feel superior - probably including me.
> Don't be one of the people doing it, ignore the noise, and listen to the
> helpful people. There are quite some on misc, and about once or twice a week
> you will see a very helpful tip.
>
> here is some free advice:
> 1) now that you feel properly welcomed by having your error corrected in
> public, try to pay it back by doing your homework. Never before was technical
> and non-technical information available as freely and fast as today. Use it.
> There is no excuse for not searching the documentation, and the internet.
>
> 2) Stay away from opinion, and stick to the facts. Opinion goes best with a
> beer, and time to waste.
>
> 3) Show some respect by investing time and effort in your language and
> writing style. At the moment, you are giving the impression of a 15-year-old.
> The concept of respect is well-known in the Spanish hemisphere, my friends
> from Spain and Portugal tell me. Show some to others by making yourself appear
> more mature. Incidentally, it makes it easier to read for yourself, too.
> Same as wearing a tie to the
>
> have a nice day :-)
> Florenz



Re: OpenBSD Doesn't Support 64-Bit Intel

2013-07-02 Thread carlos albino garcia grijalba
Jash, as you have seen I have really been kicked, even Theo kicked my ass, so I was
totally wrong. I'm the guy who needs to read. I was totally confused since I'm a
dummy; I thought that amd64 meant all 64-bit archs, either by AMD or Intel, but NO,
it seems that I was the guy who needed to read and dig into it. Sorry dude, I will
surely not answer anything until I really REALLY know all of it! Have a nice
day.



> From: genesi...@hotmail.com
> To: jash.seffer...@gmail.com; misc@openbsd.org; s...@openbsd.org
> Subject: Re: OpenBSD Doesn't Support 64-Bit Intel
> Date: Mon, 1 Jul 2013 14:48:10 +
>
> IA64 is the name of the arch for the processor created originally by AMD and
> INTEL copied, so support for AMD64 means INTEL64 too! Don't complain if you
> really don't read all of the info (I understand now why my questions are not
> answered LOL)
>
> > Date: Mon, 1 Jul 2013 00:06:05 -0400
> > Subject: OpenBSD Doesn't Support 64-Bit Intel
> > From: jash.seffer...@gmail.com
> > To: misc@openbsd.org; s...@openbsd.org
> >
> > Hi guys.
> >
> > I’m a civil engineer by day and use OpenBSD at night, but I’m trying to do
> > high-end CAD on my home PC and OpenBSD doesn’t support 64-bit Intel chips.
> >
> > Don't believe me? It says very clearly at the OpenBSD/amd64 page: “All
> > versions of the AMD Athlon 64 processors and their clones are supported.”
> > But does not mention or list any Intel chips. Not one.
> >
> > Wtf? I can do CAD on my i7-980X under Windows 7 SP 1, but I’d rather
> > use something secure and responsibly coded like OpenBSD. Except that I
> > can't.
> >
> > Why for the life of this platform are we not on the only future direction
> > for the platform? And I mean that literally. Neither AMD nor Intel sells
> > 32-bit chips anymore. If OpenBSD remains stuck at 32 bits, people will stop
> > using and developing for it.
> >
> > Who makes the decision to keep OpenBSD off of 64-bit Intel? And why the
> > hell are they doing so?
> >
> > -jash



Re: OpenBSD Doesn't Support 64-Bit Intel

2013-07-02 Thread carlos albino garcia grijalba
OK, I got the message, and yes, I need the blessing, and yes, I'm a dummy at work.
Maybe I don't have the correct English or tech writing for trying to defend
this project that I really like. I mainly try to just implement OpenBSD and
try really hard to know more about processor archs and all of that, but
what I feel is really bad, sorry guys, REALLY bad, is that when I just post
a normal or simple or advanced question or any question, nobody, I mean NOBODY, ok
maybe some folks sometimes answer, but usually no answer, and now I have a lot
of answers but just to tell me that I need blessing LOL

YES! For the first time I GOT an answer BY THEO!! To kick my ass, but great
thanks and congrats for the OBSD! Nice day, all of you that enlighten this silly
mind.

> From: dera...@cvs.openbsd.org
> To: slash...@gmail.com
> CC: genesi...@hotmail.com; s...@openbsd.org; jash.seffer...@gmail.com;
misc@openbsd.org
> Subject: Re: OpenBSD Doesn't Support 64-Bit Intel
> Date: Tue, 2 Jul 2013 11:04:25 -0600
>
> > On 2 Jul 2013 17:58, "carlos albino garcia grijalba" <genesi...@hotmail.com> wrote:
> >
> > >
> > > IA64 is the name of the arch for the processor created originally by AMD
> > > and INTEL copied, so support for AMD64 means INTEL64 too! Don't complain
> > > if you really don't read all of the info (I understand now why my
> > > questions are not answered LOL)
> > >
> > No, ia64 is *not* the 64bits x86 arch. ia64 is the arch for itanium
> > processors, a completely different architecture.
> >
> > amd64 (and the Intel clone emt64) are an extension of the ia32 arch,
> > sometimes called x86-64. It was first introduced by amd, which explains why
> > most OS, like openbsd, brand their support as amd64.
>
> No, kidding.
>
> Carlos, if you can't even type "ia64" into a search engine and
> find yourself on pages about Itanium, then you can't be taken
> seriously.
>
> God bless the people who employ you, they need the blessing.



Re: OpenBSD Doesn't Support 64-Bit Intel

2013-07-02 Thread carlos albino garcia grijalba
I mean, OBSD does support 64-bit Intel, dude!

> Date: Mon, 1 Jul 2013 09:12:15 -0700
> Subject: Re: OpenBSD Doesn't Support 64-Bit Intel
> From: matt...@dempsky.org
> To: genesi...@hotmail.com
> CC: jash.seffer...@gmail.com; misc@openbsd.org; s...@openbsd.org
>
> On Mon, Jul 1, 2013 at 7:48 AM, carlos albino garcia grijalba
>  wrote:
> > IA64 is the name of the arch for the processor created originally by AMD and
> > INTEL copied, so support for AMD64 means INTEL64 too!
>
> No, IA-64 refers to the Itanium architecture, which is very different
> from AMD64/Intel 64.



Re: OpenBSD Doesn't Support 64-Bit Intel

2013-07-01 Thread carlos albino garcia grijalba
IA64 its the name of the arch for the processor created originally by AMD and
INTEL copied so support for AMD64 means INTEL64 too! dont complain if u really
dont read all of the info (i understand now why my questions are not answered
LOL)

> Date: Mon, 1 Jul 2013 00:06:05 -0400
> Subject: OpenBSD Doesn't Support 64-Bit Intel
> From: jash.seffer...@gmail.com
> To: misc@openbsd.org; s...@openbsd.org
>
> Hi guys.
>
> I’m a civil engineer by day and use OpenBSD at night, but I’m trying to do
> high-end CAD on my home PC and OpenBSD doesn’t support 64-bit Intel chips.
>
> Don't believe me? It says very clearly at the OpenBSD/amd64 page: “All
> versions of the AMD Athlon 64 processors and their clones are supported.”
> But does not mention or list any Intel chips. Not one.
>
> Wtf? I can do CAD on my i7-980X under Windows 7 SP 1, but I’d rather
> use something secure and responsibly coded like OpenBSD. Except that I
> can't.
>
> Why for the life of this platform are we not on the only future direction
> for the platform? And I mean that literally. Neither AMD nor Intel sells
> 32-bit chips anymore. If OpenBSD remains stuck at 32 bits, people will stop
> using and developing for it.
>
> Who makes the decision to keep OpenBSD off of 64-bit Intel? And why the
> hell are they doing so?
>
> -jash



Re: uvm_mapent_alloc: out of static map entries

2013-05-28 Thread carlos albino garcia grijalba
it is a server in production, i'm a little concerned about it failing after the
upgrade from 4.8 to 5.3, it has some services on it

> Date: Tue, 28 May 2013 11:19:18 -0700
> From: ch...@nmedia.net
> To: genesi...@hotmail.com
> CC: misc@openbsd.org
> Subject: Re: uvm_mapent_alloc: out of static map entries
>
> carlos albino garcia grijalba [genesi...@hotmail.com] wrote:
> > ok problem of mine again i run again on a fast solution since i have just
> > seen that there have been a lot of changes on uvm lets go 4.8 -> 4.9 -> 5.0
> > -> 5.1 -> 5.2 -> 5.3 and thanks this is actually an answer will do that and
> > let folks know what happens
> >
> >
>
> Just install 5.3. You don't need to upgrade to each version.



Re: uvm_mapent_alloc: out of static map entries

2013-05-28 Thread carlos albino garcia grijalba
ok i'll let u know what happens, thank u very much, actually u are the only folk
that answers, all my other mails have been kicked. by the way where do i have to
send mail to know why my laptop has to be rebooted so that the fan works on the
first boot, it just never works

> Date: Tue, 28 May 2013 11:39:53 -0700
> From: ch...@nmedia.net
> To: genesi...@hotmail.com
> CC: misc@openbsd.org
> Subject: Re: uvm_mapent_alloc: out of static map entries
>
> carlos albino garcia grijalba [genesi...@hotmail.com] wrote:
> > it is a server in production, i'm a little concerned about it failing after
> > the upgrade from 4.8 to 5.3, it has some services on it
>
> Just upgrade to 5.3, pkg_add -r, and fix the fallout from ports changes.
> Read the faq/current.html too



Re: uvm_mapent_alloc: out of static map entries

2013-05-28 Thread carlos albino garcia grijalba
ok problem of mine again i run again on a fast solution since i have just seen
that there have been a lot of changes on uvm lets go 4.8 -> 4.9 -> 5.0 -> 5.1
-> 5.2 -> 5.3 and thanks this is actually an answer will do that and let folks
know what happens

> Date: Tue, 28 May 2013 09:54:00 -0700
> From: ch...@nmedia.net
> To: genesi...@hotmail.com
> CC: misc@openbsd.org
> Subject: Re: uvm_mapent_alloc: out of static map entries
>
> Carlos,
>
> We are now on OpenBSD 5.3 and going forward. Please try that first.
>
> carlos albino garcia grijalba [genesi...@hotmail.com] wrote:
> > i have read the archives but there are too many opinions on this subject
> > since 4 and many of them are saying to restart the server, restart the
> > process, wait to be fixed, a big diff, but the problem is that the diff is
> > for 4.3 and i have 4.8 and of course i have the problem. any new info about
> > this? i haven't found the solution to this.
> >
> > P.D.
> > "Oh lord listen to my prayers i hope the folks on openbsd misc can please
> > enlighten me as i am a dummy and leave me a message at least whatever
> > message will be well something"
>
> --
> I'm not being defensive. Maybe you're the one
> that's being defensive. Maybe you should look
> at yourself once in awhile.



uvm_mapent_alloc: out of static map entries

2013-05-28 Thread carlos albino garcia grijalba
i have read the archives but there are too many opinions on this subject since 4
and many of them are saying to restart the server, restart the process, wait to
be fixed, a big diff, but the problem is that the diff is for 4.3 and i have 4.8
and of course i have the problem. any new info about this? i haven't found the
solution to this.

P.D.
"Oh lord listen to my prayers i hope the folks on openbsd misc can please
enlighten me as i am a dummy and leave me a message at least whatever message
will be well something"



Re: pf queueing and nat

2013-04-16 Thread carlos albino garcia grijalba
as far as i remember in the man page of pf there are places where u can
usually put the queueing rules so nat rules :)

> Date: Wed, 17 Apr 2013 03:32:52 +1000
> Subject: pf queueing and nat
> From: j...@johntate.org
> To: misc@openbsd.org
>
> I am adding queueing to my pf based nat for my home network. Since there
> isn't a complete example involving nat and queuing I am not entirely sure
> where to put things. I've read the manual and I think I put things before
> the rdr-to rules. I also have a transparent ftp and http proxy. I am not
> entirely sure if I put it before or after the divert-to rules. I just need
> someone to show me where in the pf.conf I've already done I should put
> things.
>
> I need to add the lines like these...
> block out on $ext_if all
> pass out on $ext_if inet proto tcp from ($ext_if) queue (std_out, tcp_ack_out)
> (And so on, including for incoming traffic on $int_if)
>
> My current pf.conf...
> # grep -v '^#' /etc/pf.conf
>
> int_if="fxp0"
> ext_if="pppoe0"
>
> murphy="10.0.0.2"
> fekete="10.0.0.3"
>
> murphy_ports = "{ 8333 }"
> fekete_ports = "{ 17001, 39191, 5938,  }"
>
> tcp_services="{ 22 }"
> icmp_types="echoreq"
>
> set skip on lo
>
> pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1
> port 3128
>
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1
> port 8021
>
>
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> pass # to establish keep-state
>
>
>
>
> block in on ! lo0 proto tcp to port 6000:6010
>
> block in log
> pass out quick
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
> port $tcp_services
>
> pass in on $ext_if proto tcp to port 21
> pass in on $ext_if proto tcp to port > 49151
>
> pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy
> pass in on egress inet proto tcp to (egress) port $fekete_ports rdr-to $fekete
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> pass in on $int_if
>
>
> --
> www.johntate.org
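
Where those queue lines go relative to the translation rules, as an added
example that is not from the thread. It uses the altq grammar of the OpenBSD
releases current at the time of the post (5.5 and later replaced it with a
different `queue` grammar); the macros and the nat-to / rdr-to / divert-to rules
are copied from the quoted pf.conf, and the bandwidth figures are placeholders
to be replaced with the real rate of the pppoe0 link:

```pf
int_if="fxp0"
ext_if="pppoe0"
murphy="10.0.0.2"
murphy_ports = "{ 8333 }"

# 1. Queue definitions are declared once, before any rule that refers to them.
#    Placeholder bandwidths: set them just below what the link really does.
altq on $ext_if priq bandwidth 1Mb queue { std_out, tcp_ack_out }
queue std_out priq(default)
queue tcp_ack_out priority 7

altq on $int_if cbq bandwidth 100Mb queue { std_in }
queue std_in bandwidth 100Mb cbq(default)

set skip on lo

# 2. Translation is an option on match/pass rules, so the nat-to, rdr-to and
#    divert-to rules keep the places they already have.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# 3. Queue assignment is another rule option. pf uses the LAST matching rule
#    unless a rule says "quick", so an earlier "pass out quick" would stop
#    evaluation before these rules are ever reached: either add the queue to
#    that rule or drop its "quick".
block out on $ext_if all
pass out on $ext_if inet proto tcp queue (std_out, tcp_ack_out)
pass out on $ext_if inet proto { udp icmp } queue std_out

# Queueing acts on packets leaving the interface the queue is defined on, so
# a "pass in" rule with "queue" classifies the replies of the state it creates:
# traffic redirected to $murphy has its answers leave $ext_if in std_out /
# tcp_ack_out, and replies to LAN hosts leave $int_if in std_in.
pass in on egress inet proto tcp to (egress) port $murphy_ports rdr-to $murphy queue (std_out, tcp_ack_out)
pass in on $int_if inet from $int_if:network queue std_in
```

The `quick` rules are the ones whose position matters: a packet that matches
them is never tested against later queue rules, so they either carry their own
`queue` or their traffic lands in the default queue. Check the file with
`pfctl -vnf /etc/pf.conf` before loading it, and watch `pfctl -vsq` (or
`systat queues`) afterwards to confirm packets arrive in the intended queues.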



Fan Not working laptop until reboot

2013-02-15 Thread carlos albino garcia grijalba
hi folks, does any one know why i have to reboot OpenBSD in order to start up
the Fan of my laptop which is Compaq nx6325 i mean if i start up the machine
the fan does not work and it shuts down to protect the cpu but if i reboot the
machine everything works fine (the fan)

dmesg:
OpenBSD 5.2 (GENERIC.MP) #368: Wed Aug  1 10:04:49 MDT 2012
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 938278912 (894MB)
avail mem = 890986496 (849MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfbbe2 (23 entries)
bios0: vendor Hewlett-Packard version "68TT2 Ver. F.06" date 12/21/2006
bios0: Hewlett-Packard HP Compaq nx6325 (RJ361LA#ABM)
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC APIC MCFG TCPA SSDT SSDT
acpi0: wakeup devices C079(S4) C0E5(S4) C229(S5) C0E6(S0) C118(S3) C11E(S3) C123(S3) C22E(S3) C22F(S3) C239(S5) C23A(S5)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Turion(tm) 64 X2 Mobile Technology TL-50, 1596.25 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 256KB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Turion(tm) 64 X2 Mobile Technology TL-50, 1596.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF,CMPLEG,SVM,EAPICSP,AMCR8
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 256KB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 1 (C07A)
acpiprt1 at acpi0: bus 2 (C0E5)
acpiprt2 at acpi0: bus 0 (C079)
acpiec0 at acpi0
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpipwrres0 at acpi0: C22D
acpipwrres1 at acpi0: C1F7
acpipwrres2 at acpi0: C204
acpipwrres3 at acpi0: C221
acpipwrres4 at acpi0: C360
acpipwrres5 at acpi0: C361
acpipwrres6 at acpi0: C362
acpipwrres7 at acpi0: C363
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 100 degC
acpitz2 at acpi0: critical temperature is 100 degC
acpibat0 at acpi0: C1C5 model "Primary" serial 03515 2007/01/23 type LIon oem "Hewlett-Packard"
acpibat1 at acpi0: C1C4 not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: C266
acpibtn1 at acpi0: C267
acpivideo0 at acpi0: C07B
cpu0: PowerNow! K8 1596 MHz: speeds: 1600 800 MHz
pci0 at mainbus0 bus 0
mem address conflict 0xd4408000/0x4000
pchb0 at pci0 dev 0 function 0 "ATI RS480 Host" rev 0x10
ppb0 at pci0 dev 1 function 0 "ATI RS480 PCIE" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon XPRESS 200M" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 4 function 0 "ATI RS480 PCIE" rev 0x00: msi
pci2 at ppb1 bus 16
ppb2 at pci0 dev 5 function 0 "ATI RS480 PCIE" rev 0x00: msi
pci3 at ppb2 bus 32
ppb3 at pci0 dev 6 function 0 "ATI RX480 PCIE" rev 0x00: msi
pci4 at ppb3 bus 48
bwi0 at pci4 dev 0 function 0 "Broadcom BCM4311" rev 0x01: apic 2 int 18, address 00:1a:73:54:1b:eb
pciide0 at pci0 dev 18 function 0 "ATI SB400 SATA" rev 0x80: DMA
pciide0: using apic 2 int 16 for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 5
ohci0 at pci0 dev 19 function 0 "ATI SB400 USB" rev 0x80: apic 2 int 19, version 1.0, legacy support
ohci1 at pci0 dev 19 function 1 "ATI SB400 USB" rev 0x80: apic 2 int 19, version 1.0, legacy support
ehci0 at pci0 dev 19 function 2 "ATI SB400 USB2" rev 0x80: apic 2 int 19
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "ATI SB400 SMBus" rev 0x81: SMI
iic0 at piixpm0
admtemp0 at iic0 addr 0x4c: adm1032
spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
spdmem1 at iic0 addr 0x52: 512MB DDR2 SDRAM non-parity PC2-4200CL5 SO-DIMM
pciide1 at pci0 dev 20 function 1 "ATI SB400 IDE" rev 0x80: DMA, channel 0 configured to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide1 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom removable
cd0(pciide1:0:0): using PIO mode 4, DMA mode 2
azalia0 at pci0 dev 20 function 2 "ATI 

Re: OpenBSD is just an OS, not a firewall...

2012-06-08 Thread carlos albino garcia grijalba
totally agree
> From: cei...@primealliancesolutions.com
> To: misc@openbsd.org
> Subject: Re: OpenBSD is just an OS, not a firewall...
> Date: Fri, 8 Jun 2012 19:48:45 +
>
> From the g+ spew:
>
>
>
> "I grew up and got a life!
>
>
>
> "You boys need a good beating with the clue stick:
>
> Hacking configuration files directly does not give you better security.
>
> Hacking configuration files directly does not make you better at security.
>
>
>
> "And the converse is true:
>
> Using a GUI to make firewall changes does not give you worse security
>
> Using a GUI to make firewall changes does not make you worse at security.
>
>
>
> "You still need to know what you are doing!
>
>
>
> "Any view contrary to this is borne of pure ignorance, prejudice and
incompetence."
>
>
>
>
>
> So, if there were some distro with a GUI front end for this "security
professional" with OpenBSD in the background, with some other name and
distributed as a bootable DVD -- call it DoucheWall -- OpenBSD would all of a
sudden become a "firewall"?
>
>
>
> -Original Message-
>
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
Chris Smith
>
> Sent: Friday, June 08, 2012 12:56 PM
>
> To: OpenBSD-Misc
>
> Subject: OpenBSD is just an OS, not a firewall...
>
>
>
> ... if you really want a firewall you need pfSense.
>
>
>
> Also if you " walk into any security experts convention and claim that
>
> raw OpenBSD is "a firewall", you will get laughed out of the room for
>
> lack of clue."
>
>
>
> Guess I've been wrong all these years: see the comments to
>
> https://plus.google.com/u/0/104027218792812194992/posts/K3NsGE2UrCe



Re: IPSEC newbie looking to replace vpnc with Openbsd built-in IPSEC vpn

2012-06-01 Thread carlos albino garcia grijalba
not having any practice with cisco ASA but searching the web i have seen several
posts about openbsd-ipsec + cisco asa and from other mails i have seen it
seems pretty easy as long as u have the same crypto transforms on both sides

> Date: Fri, 1 Jun 2012 15:48:37 -0400
> From: s.casw...@protocol6.com
> To: misc@openbsd.org
> Subject: IPSEC newbie looking to replace vpnc with Openbsd built-in IPSEC
vpn
>
> Hi all,
>
> I am currently using vpnc to connect to a client site (which has an CISCO
ASA firewall/vpn endpoint)
> This setup works, but everytime I use vpnc from my server it breaks other
networking, especially the openvpn tunnels I maintain to other sites.
>
> I'd prefer to use the built-in IPSEC software in OpenBSD to establish the
tunnel instead (and terminate it locally on a tun or tap interface)
>
> All my attempts so far have failed and I must admit I'm an IPSEC newbie, at
least with the OpenBSD tools.
>
> My vpc.conf file is very simple:
>
> ---
> IPSec gateway ww.xx.yy.zz
> IPSec ID somevpn
> IPSec secret somesecretString
> IKE Authmode psk
> ---
>
> Is there an equivalent config for ipsecctl (and/or isakmpd) that is known to
work with remote ASA firewalls?
>
> Any help or suggestions would be greatly appreciated.
>
> Thanks in advance.
>
> :-)
>
> Sarah



ipsec routing with cisco over adsl connections

2012-06-01 Thread carlos albino garcia grijalba
i agree lets try again!
hi folks

> Date: Fri, 1 Jun 2012 10:55:09 -0700
> From: tyl...@tradetech.net
> To: genesi...@hotmail.com
> Subject: Re: ipsec routing dinamic ip over adsl
>
> On 5/31/2012 7:31 PM, carlos albino garcia grijalba wrote:

i have the following problem
remote office connects to my vpn server in order to connect to the internals
over the ipsec tunnel. the office has ip phones to connect to call manager over
the 192.168.0.0/16, the ip phone is 192.168.30.2/28, so the ip phone connects
correctly but there is another ip client, a watch, the people want to extract
info from the watch which is over the net 172.1.100.1. the PC that wants to
connect to it runs over the 10.0.0.89 but i can reach the watch and the watch
can not ping over the 172 address space. the client is a cisco router over an
ADSL line so dynamic public IP is on

172.1.100.1 --X
192.168.30.2 --OK

vpn openbsd server
ipsec.conf
ike passive esp from any to {192.168.0.0/16, 10.0.0.0/16, 172.1.0.0/16} peer
any \
main auth hmac-sha1 enc aes-128 group modp1024 \
quick auth hmac-sha1 enc aes-128 psk 1234ABC

ike passive from {192.168.0.0/16, 10.0.0.0/16, 172.1.0.0/16} to any \
main auth hmac-sha1 enc aes-128 group modp1024 \
quick auth hmac-sha1 enc aes-128 psk 1234ABC
ifconfig
bge0: flags=8843 mtu 1500
lladdr 00:11:85:f1:cb:6b
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet A.B.C.D netmask 0xff00 broadcast 148.235.89.255
inet6 fe80::211:85ff:fef1:cb6b%bge0 prefixlen 64 scopeid 0x1
re0: flags=8843 mtu 1500
lladdr 00:22:6b:bd:8a:1e
priority: 0
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
inet6 fe80::222:6bff:febd:8a1e%re0 prefixlen 64 scopeid 0x2
rl0: flags=8843 mtu 1500
lladdr 00:50:bf:05:3f:6b
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.100.210 netmask 0xff00 broadcast 192.168.100.255
inet6 fe80::250:bfff:fe05:3f6b%rl0 prefixlen 64 scopeid 0x3
enc0: flags=0<>
priority: 0
groups: enc
status: active

ipsecctl -sall
FLOWS:
flow esp in from 192.168.30.0/28 to 192.168.0.0/16 peer 187.131.59.237 srcid
148.235.89.18/32 dstid 187.131.59.237/32 type use
flow
 esp out from 192.168.0.0/16 to 192.168.30.0/28 peer 187.131.59.237
srcid 148.235.89.18/32 dstid 187.131.59.237/32 type require

SAD:
esp tunnel from 187.131.59.237 to 148.235.89.18 spi 0xbed90da8 auth hmac-sha1
enc aes
esp tunnel from 148.235.89.18 to 187.131.59.237 spi 0xda01bfaa auth hmac-sha1
enc aes

netstat -nr -f encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.30.0/28    0     192.168/16         0     0      187.131.59.237/esp/use/in
192.168/16         0     192.168.30.0/28    0     0      187.131.59.237/esp/require/out
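
A check worth running on output like the `ipsecctl -sall` FLOWS above: the
kernel only encrypts traffic that matches an installed flow in each direction,
so a host pair that no flow covers never enters the tunnel, whatever ipsec.conf
proposes. The script below is an added example, not something from the thread;
it parses the two FLOWS lines posted above (embedded here as constructed sample
input) and reports whether a given local/remote pair has a flow both ways. On
this data the phone subnet is covered and the 10.0.0.89 <-> 172.1.100.1 pair is
not.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# FLOWS lines as posted in the thread (sample input, constructed copy).
FLOWS_SAMPLE = """\
FLOWS:
flow esp in from 192.168.30.0/28 to 192.168.0.0/16 peer 187.131.59.237 srcid 148.235.89.18/32 dstid 187.131.59.237/32 type use
flow esp out from 192.168.0.0/16 to 192.168.30.0/28 peer 187.131.59.237 srcid 148.235.89.18/32 dstid 187.131.59.237/32 type require
"""

# One "flow" line of ipsecctl -sa output; srcid/dstid are skipped by .*?
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+peer\s+(?P<peer>\S+).*?\btype\s+(?P<type>\S+)\s*$"
)


class Flow(NamedTuple):
    proto: str
    direction: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: str
    type: str  # "use" or "require"


def parse_flows(text: str) -> List[Flow]:
    """Parse the FLOWS section; lines that are not flows (headers, SAD) are ignored."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(m["proto"], m["dir"],
                          ipaddress.ip_network(m["src"], strict=False),
                          ipaddress.ip_network(m["dst"], strict=False),
                          m["peer"], m["type"]))
    return flows


def covering_flow(flows: List[Flow], src_host: str, dst_host: str,
                  direction: str) -> Optional[Flow]:
    """First flow in the given direction whose selectors contain both hosts."""
    s = ipaddress.ip_address(src_host)
    d = ipaddress.ip_address(dst_host)
    for f in flows:
        if f.direction == direction and s in f.src and d in f.dst:
            return f
    return None


def tunnel_covers(flows: List[Flow], local_host: str, remote_host: str) -> bool:
    """True only if traffic is protected both ways: out local->remote, in remote->local."""
    return (covering_flow(flows, local_host, remote_host, "out") is not None
            and covering_flow(flows, remote_host, local_host, "in") is not None)


def report(flows: List[Flow], pairs) -> List[str]:
    """One line per (local, remote) pair saying whether a flow covers it."""
    lines = []
    for local, remote in pairs:
        state = "covered" if tunnel_covers(flows, local, remote) else "NO FLOW"
        lines.append(f"{local} <-> {remote}: {state}")
    return lines


if __name__ == "__main__":
    flows = parse_flows(FLOWS_SAMPLE)
    # Pairs taken from the problem description: call manager <-> phone, PC <-> watch.
    for line in report(flows, [("192.168.0.10", "192.168.30.2"),
                               ("10.0.0.89", "172.1.100.1")]):
        print(line)
```

Feed it the real `ipsecctl -sa` output instead of the sample and it tells you,
before touching any configuration, which address pairs the peer actually
negotiated. Only flows covering 192.168.30.0/28 and 192.168.0.0/16 exist in the
posted output, which matches the symptom: the phone works and the 10/16 to
172.1/16 traffic does not.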



ipsec routing dinamic ip over adsl

2012-05-31 Thread carlos albino garcia grijalba
hi folks
i have the following problem
remote office connects to my vpn server in order to connect to the internals
over the ipsec tunnel. the office has ip phones to connect to call manager over
the 192.168.0.0/16, the ip phone is 192.168.30.2/28, so the ip phone connects
correctly but there is another ip client, a watch, the people want to extract
info from the watch which is over the net 172.1.100.1. the PC that wants to
connect to it runs over the 10.0.0.89 but i can reach the watch and the watch
can not ping over the 172 address space. the client is a cisco router over an
ADSL line so dynamic public IP is on

172.1.100.1 --X
192.168.30.2 --OK

vpn openbsd server
ipsec.conf
ike passive esp from any to {192.168.0.0/16, 10.0.0.0/16, 172.1.0.0/16} peer any \
    main auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 psk 1234ABC3344

ike passive from {192.168.0.0/16, 10.0.0.0/16, 172.1.0.0/16} to any \
    main auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 psk 1234ABC3344

ipsecctl -sall
FLOWS:
flow esp in from 192.168.30.0/28 to 192.168.0.0/16 peer 187.131.59.237 srcid x.x.x.x/32 dstid 187.131.59.237/32 type use
flow esp out from 192.168.0.0/16 to 192.168.30.0/28 peer 187.131.59.237 srcid x.x.x.x/32 dstid 187.131.59.237/32 type require

SAD:
esp tunnel from 187.131.59.237 to x.x.x.x spi 0x4a135abc auth hmac-sha1 enc aes
esp tunnel from x.x.x.x to 187.131.59.237 spi 0x96591035 auth hmac-sha1 enc aes

ifconfig
bge0: flags=8843 mtu 1500
        lladdr 00:11:85:f1:cb:6b
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet x.x.x.x netmask 0xff00 broadcast 148.235.89.255
        inet6 fe80::211:85ff:fef1:cb6b%bge0 prefixlen 64 scopeid 0x1
re0: flags=8843 mtu 1500
        lladdr 00:22:6b:bd:8a:1e
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
        inet6 fe80::222:6bff:febd:8a1e%re0 prefixlen 64 scopeid 0x2
rl0: flags=8843 mtu 1500
        lladdr 00:50:bf:05:3f:6b
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.100.210 netmask 0xff00 broadcast 192.168.100.255
        inet6 fe80::250:bfff:fe05:3f6b%rl0 prefixlen 64 scopeid 0x3
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active

netstat -nf -f encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.30.0/28    0     192.168/16         0     0      187.131.59.237/esp/use/in
192.168/16         0     192.168.30.0/28    0     0      187.131.59.237/esp/require/out

any ideas?



Re: OpenBSD insecure OS?

2010-02-24 Thread carlos albino garcia grijalba
Folks i dont mean obsd is insecure, i love obsd, ive been using it for 5 years.
i just want the community to read the history.
sorry.

> Date: Wed, 24 Feb 2010 12:20:03 -0700
> From: dwchand...@stilyagin.com
> To: genesi...@hotmail.com
> CC: misc@openbsd.org
> Subject: Re: OpenBSD insecure OS?
>
> On Wed, Feb 24, 2010 at 07:02:15PM +, carlos albino garcia grijalba wrote:
> > I found this:
> > http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
> >
> > so ?
>
> http://marc.info/?t=12641295802&r=1&w=2
>
> So.
>
> --
> Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
> dwchand...@stilyagin.com   |  http://phxbug.org/  |  http://metabug.org/
> http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation




OpenBSD insecure OS?

2010-02-24 Thread carlos albino garcia grijalba
I found this:
http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/

so ?
