Re: Recommend T1 Card for 4.6

2010-01-06 Thread steve szmidt
On Wednesday 06 January 2010, Brandan Rowley wrote:
> Is there anyone using a T1 card for data on 4.6?  Perhaps a T1 to
> Ethernet converter?  I'm interested to find out how others have resolved
> this and what hardware was used.  We're using a Soekris 5501.

Never tried it. Sangoma is the best quality and support option available. I've 
installed them in hundreds of Linux servers, though I've never tried it under OBSD.

-- 

Steve Szmidt

"They that would give up essential liberty for temporary safety 
deserve neither liberty nor safety."
Benjamin Franklin



Re: cron problem

2009-07-02 Thread steve szmidt
On Thursday 02 July 2009, Chris Bennett wrote:
> I had an odd problem with cron.
>
> I made three perl scripts: LWP4.pl, LWP5.pl and LWP6.pl
>
> During testing, I put the following entry in cron:
>
> 33   *   *   *   *   *   LWP4.pl; LWP5.pl; LWP6.pl;
>
>
> When it ran, I got 6 versions of each of these scripts running
> concurrently and in order also.
> They didn't start at exact same time, but as if LWP4.pl, then another
> and another, etc.
>
> When first version of LWP4.pl finished, then first version of LWP5.pl etc.
>
> These scripts get a web page, extract values from matches, update
> database, sleep, repeat for new pages until done with list of search
> values.
>
>
> Chris Bennettf

Just off hand, are there not too many time parameters?

-- 

Steve Szmidt



Re: Patching a SSH 'Weakness'

2008-09-14 Thread steve szmidt
On Saturday 13 September 2008, johan beisser wrote:
> On Sep 13, 2008, at 5:49 AM, steve szmidt wrote:
> > Yes, the US had it for a while but a recent ruling has reversed that.
>
> Really? I never heard of it ever being passed in the first place.
>
> If it's the case I'm thinking of, the key couldn't be compelled from
> the guy due to how they were trying to get the key, forcing him to
> incriminate or testify against himself.

Yeah, you might be right. But the Patriot Act gives them carte blanche to 
invade our privacy in the name of national security.


-- 

Steve Szmidt



Re: Patching a SSH 'Weakness'

2008-09-13 Thread steve szmidt
On Saturday 13 September 2008, Jonathan Schleifer wrote:

>
> I don't know a single country where you are forced to hand over keys,
> but not to hand over passwords
>
> --
> Jonathan

Yes, the US had it for a while but a recent ruling has reversed that.


-- 

Steve Szmidt



Re: OBSD hacks at ruxcon

2008-03-05 Thread steve szmidt
On Wednesday 05 March 2008, Ted Unangst wrote:
> On 3/5/08, steve szmidt <[EMAIL PROTECTED]> wrote:
> > Looks like the malloc is addressed. Anything on the other attack vectors?
>
> Do you have a particular concern or are you asking for a 53 slide
> response presentation?

25 would be enough. :)

I know that there is a lot of ongoing work and I figured that you would be 
quite familiar with what Hawkes said, and would be able to say, "Oh yes, 
we closed those doors three releases ago," or some such. 

All the firewalls I build use OBSD, I tell my clients to buy it etc. Naturally 
if there was some particular scenario which he discovered that had not been 
resolved it's in my best interest to know about it. (I'm not concerned about 
things that require physical access.)

Not being able to keep up with all that goes on I try to chase down those that 
I do run into. Thus my question. 

The only things I use on these are pf and ssh, so I'm not concerned over some 
third party app with whatever holes in the app. However it is still not a 
default config. 
-- 

Steve Szmidt



Re: OBSD hacks at ruxcon

2008-03-04 Thread steve szmidt
On Tuesday 04 March 2008, David Higgs wrote:

> >  I'm curious what the developers think about the attack angles Ben Hawkes
> > put forth at Ruxcon in 2006. I did manage to find a note in an archive
> > suggesting that these doors were closed, but I could not tell if they
> > are?

> http://marc.info/?t=11602591855&r=1&w=2

Looks like the malloc is addressed. Anything on the other attack vectors?


-- 

Steve Szmidt



OBSD hacks at ruxcon

2008-03-04 Thread steve szmidt
Hi,

I'm curious what the developers think about the attack angles Ben Hawkes put 
forth at Ruxcon in 2006. I did manage to find a note in an archive suggesting 
that these doors were closed, but I could not tell if they are?

Ref:
http://ruxcon.org.au/files/hawkes_openbsd.pdf
Exploiting OpenBSD
by Ben Hawkes
-- 

Steve Szmidt



Re: Cold Boot Attacks on Encryption Keys

2008-02-21 Thread steve szmidt
On Thursday 21 February 2008, Marti Martinez wrote:
> The paper you mentioned has some info on possible countermeasures. The
> best (IMO) is physically securing your RAM. This seems to fit in best
> with OpenBSD's philosophy, which has never been to put much time into
> thwarting attacks that require physical access to the box -- if you
> have that, there are MANY avenues of attack, most of which don't
> benefit much from immersing components in liquid N_2.

Certainly someone with physical access can do just about anything, which is very 
possible to succeed. If you have a laptop, physical protection is pretty key. 
It all comes back to Schneier's balance: security vs. ease of use/practicality.

Stealing a server or desktop that has very valuable information should not be 
an easy option. It would NEVER go into a laptop. 

In the end it's good to know they can recover data from your RAM but in 
reality it will not affect many of us. Unless they could recover it hours 
later it's only going to be a problem in an organized attack. At which point 
it falls right back to physical security.

-- 

Steve Szmidt



Re: Marry Christmas!

2007-12-23 Thread steve szmidt
On Sunday 23 December 2007, Maxim Bourmistrov wrote:
>  to you all, religious or not!
>
> P.S. and Happy New Year!
>
> //Santa

Very thoughtful, the same to you! :)

-- 

Steve Szmidt



Re: linux kills laptop hard drive... how does obsd behave?

2007-10-27 Thread steve szmidt
On Saturday 27 October 2007, Pau Amaro-Seoane wrote:
> I don't think he's asking for a solution to his problems but whether
> openbsd also has such a problem... which I don't think... but I don't
> have arguments

Hey, I'm sure you are totally right! It just struck me as a bit silly sounding, 
and since he's a self-proclaimed newbie, and me being willing to 
constructively help others, I thought it would be good to know that there's a 
simple way around the issue.

I never ran into it, mostly because I don't really like to have to deal with 
typical laptop issues, and so my laptop mostly collects dust on a shelf.

Then blanket generalities like "Linux kills laptops" seem too far-fetched 
whatever you feel about Linux, or any other O/S. It did not strike me as a 
very informed comment. More like what a reporter would say.

I love both Linux and OpenBSD and I also hate them. That's to say there are 
things that drive me batty about both and things that I would not want to be 
without. I saw the new Mac the other day and for the few minutes I spent on 
it, it came across as a very slick user interface. 

The point being that not having in depth familiarity with things _can_ give 
you an overall wrong impression. I don't care one iota what he uses, but as a 
techie I give people information so that they can make better decisions.

My hat, if you want, is to give them viable solutions to problems. Then they 
can make the policy of which way to go without having to know all about it.

The same applies to our friend here who might never look at whatever O/S's he 
might have left behind him. 
-- 

Steve Szmidt



Re: linux kills laptop hard drive... how does obsd behave?

2007-10-27 Thread steve szmidt
On Saturday 27 October 2007, Adliger Martinez von der Unterschicht wrote:
> Hi,
>
> I am a total amateur and new to the list. I moved recently from linux
> and I am running openbsd usually (not on this system) because of a
> number of things (I guess I don't need to be eloquent here).
>
> Now, a friend of mine has found a big problem:
>
> http://www.linux-hero.com/rant/explanation-ubuntu-hard-drive-wear-and-tear

And the same link shows the solution:

1) I added the following lines to my hdparm.conf:
 /dev/sda {
   apm = 255
 }
2) I created a file /etc/acpi/resume.d/99-stop-hitachi-madness.sh
 with the following contents:
 #!/bin/sh
 hdparm -B 255 /dev/sda


-- 

Steve Szmidt



Re: [newbie] ssh and sftp timing out

2007-10-08 Thread steve szmidt
On Monday 08 October 2007 21:57, Tony Bruguier wrote:
> Hi all,
>
> Thanks for all the help so far. I successfully installed OpenBSD today. I
> can access my machine via ssh and sftp provided I am on the same subnet.
> But as soon as I go home, then I can't anymore.
>
> Any pointers?
>
> Tony

If you configured the firewall it probably is not configured to allow access 
from an external IP. If someone is at your house you can have them attempt to 
reach your bsd box, and if you have executed 
tcpdump -nei pflog0

then it will show your home IP as a deny (provided the blocks have the log 
parameter.) 

Provided pf is running, there needs to be a PASS rule. Something like:

WAN=xl0
Home=nn.nnn.nn.nnn

pass in log on $WAN proto tcp from $Home to $WAN port 22 

That would allow you and only you in. Of course if you have a dynamic IP then 
it will change. If that's the case you can use dyndns.net or .com(?) to 
always track which IP you have at home.

-- 

Steve Szmidt



Re: How can I install 4 OS'es on one disk?

2007-10-07 Thread steve szmidt
On Sunday 07 October 2007 14:08, Nick Guenther wrote:
> On 10/7/07, stan <[EMAIL PROTECTED]> wrote:
> > I have a new laptop that I would like to set up to have 4 different OS's

> Well all the OSes you listed can just boot directly from the MBR (see
> biosboot(8) and FAQ #4 http://www.openbsd.org/faq/faq4.html), and as
> luck would have it 4 is the exact maximum number of primary partitions
> that a DOS/MBR-based system can boot.

Well that is a bit misleading. 

It's true that you can only have four primary partitions. But you may want to 
have a swap drive and others. Which is not a problem as you can actually have 
64 partitions by using extended partitions.

I had a similar setup except I also had several versions of Linux (which 
shared the swap drive) as well. The total was something like 10 different 
O/S's. All managed very well by GRUB.

The trickiest is Windows which wants the first partition on the first drive, 
which GRUB can fake with a simple command.

Unless you have some really old H/W you will not have a problem booting from 
anywhere on the disk. (I did this 2-3 years ago.)

Then depending on your purpose you may want to do things like separating /var 
so it always has the log space it needs, and so on. In the end there's 
probably no reason why you can't put as many partitions as you want.  

-- 

Steve Szmidt



Re: The Atheros story in much fewer words

2007-09-13 Thread steve szmidt
On Thursday 13 September 2007 16:19, Theo de Raadt wrote:
> > > Reyk can take them to court over this, but he must do it before the
> > > year 2047.
> >
> > Except he took most of it from Sam Leffler who said it is OK to license
> > under the GPL. So while it's good to see you defending your code, it was
> > not entirely yours to start with.
>
> Reyk's work (the replacement HAL) is in separate files -- it is a
> separately copyrighted work.

OK, I see that Reyk wrote it after Sam would not release it. I see that Sam 
seemed happy to dual license it. Though it looks clear that Jiri Slaby was 
wrong in stripping the license, which subsequently was not accepted by any 
repository.

This action does not however represent the "GPL community" from what I can 
see. Stealing work from one or the other has not been evident other than some 
people being confused as to what came from where. Which is the chicken and 
which is the egg kind of thing.

It is generalities which have bunches of people up in arms, which of course 
happens when there is not enough specificity. It is pretty safe to say that 
most people are honest, but where misunderstanding can occur, it will.


-- 

Steve Szmidt



Re: The Atheros story in much fewer words

2007-09-13 Thread steve szmidt
On Wednesday 12 September 2007 22:57, Theo de Raadt wrote:

> Reyk can take them to court over this, but he must do it before the
> year 2047.

Except he took most of it from Sam Leffler who said it is OK to license under 
the GPL. So while it's good to see you defending your code, it was not 
entirely yours to start with.

Thus you see all the "horrible" GPL community "rip" you off. 

-- 

Steve Szmidt



Re: route command

2007-08-18 Thread steve szmidt
On Saturday 18 August 2007 22:19, steve wrote:

Hmm, I had added the route commands to rc.local and with each edit executed 
sh netstart which of course does not read rc.local.

-- 

Steve Szmidt



Re: pf - drop or return - is stealth mode overrated?

2007-05-02 Thread steve szmidt
On Tuesday 24 April 2007 18:36, Chris Smith wrote:
> Hello,
>
> Using openbsd as a firewall in several cases - a few small businesses, and
> also for home use. Some websites, such as grc.com, stress that "stealth
> mode" (which openbsd handles with ease) is the safest. But I've also read
> that using 'return' instead of 'drop' is good netizenship. So I'm wondered
> how others are handling this and what recommendations you might have.
>
> Thanks,
>
> Chris

Stealth airplanes are pretty cool, so it gives that stealth mode must be cool 
too! :)

Though in this nefarious Internet it's not likely to add too much since you 
probably still browse and use email which is far more likely to bring 
undesired code into your computer. Having said that, my LAN is not part of 
any valuable network where it is of any value to respond to others, and there 
are annoying attempts by various people to gain access, so I drop as a 
default. 

-- 

Steve Szmidt



Re: OpenBSD 4.0 dvd case

2007-03-03 Thread steve szmidt
On Saturday 03 March 2007 14:04, Tom Van Looy wrote:
> Some people thought the current 4.0 artwork was too childish for a
> corporate environment. I created a more simple and clean looking dvd
> case. You can download it at http://puffy.ctors.net/
>
> If you have some comments about this, please let me know.

It's always nice to see someone exercising artistic efforts. But as far as 
this effort goes, in the end I think corporate environments are often too 
solid to the point of being counter productive. 

Fortunately not all corporations try to suppress the lighter side of life. 
It's one thing to be unprofessional, rude, crude etc. But another to enjoy 
working in a real team where everyone enjoys doing what they do.

I prefer work to have the settings of a good game. Something where you band 
together to overcome the barriers facing the company. Indeed, spirit of play 
is the best attitude to be productive in. Seriousness has nothing to do with 
being important or responsible. But it is often used to cover up the lack of 
responsibility or lack of competence.

OpenBSD's CD covers represent to me the same spirit-of-play attitude, and the 
pursuit of the enemies on your network. 

-- 

Steve Szmidt



Re: pf

2006-12-09 Thread steve szmidt
On Saturday 09 December 2006 04:43, David B. wrote:
> I've looked an man pf, and it's way too confusing; I'm using smoothwall as
> a standalone firewall, and it pretty much works the way I want it to;
> however, I've found a reason to block an IP range, particularly
> 216.87.0.0/17; is there an equivalent to an iptables command I can use to
> simply
> drop all traffic coming from that range?
>
> like go into a file, and have a command in the form of: 'drop all from
> 216.87.0.0/17'?
>
> oh, and does anyone have any comments on Labrea? as a honeypot?  it looks
> pretty good, and it comes for openbsd, or is openbsd simply best left
> alone?

OBSD is for anyone who wants to use it. However, making changes to a computer 
which is connected directly to the Internet can be a liability as you may 
open yourself up to being hacked.

Having enough experience to at least be able to follow the instructions on how 
to set up a firewall is so basic that without it you are "a sitting duck".

This is of course applicable to any O/S.

A good OBSD book to read is Absolute OpenBSD by Lucas, No Starch Press.

BSDs beg to be worked on and used. Getting an understanding of pf is really 
not that hard as things go. Following the steps in:
http://openbsd.org/faq/faq6.html
are really very simple. 

OBSD is different than Linux. It's similar but different. All unix based O/S 
have a certain number of things in common. But each has its own direction 
and specific ways. Reading a book like the above is a good start for those 
new to it and will get you the conceptual understanding needed.

A line in pf.conf along this line may stop traffic from an IP. I say may 
because again not knowing what you are doing you can undo it elsewhere.

block in quick on $ext_if from 216.87.0.0/17 to any

Pf.conf is really very very flexible and able to handle any situation. But 
again, you must have a clue of what you are doing. The best rule is probably 
to know that when looking at a firewall, realize it does not know which side 
is on the inside or outside. It simply looks at packets either coming into or 
exiting.

You normally only filter on one interface, the external one.

Best practice is usually to start by blocking everything, and then opening 
ports/addresses as needed. On that interface you can not only block all 
inbound, but also all outbound. This will give you control on what your 
computer and or network can do.

The above FAQ example uses a block all inbound and allow all outbound policy, 
if I recall correctly. This is a good start. But sometimes it might be needed 
to also control which external services can be accessed, at least by port. 
(Since there are many workarounds by using commonly used ports like www, port 
80.)

One of the really nice things about pf is that you can use variables. So you 
can say friends="{ ip ip ip ip ip }" and then later say:

pass in on $ext_if from $friends to any

Or, if you have a LAN and want to let friends reach a computer (192.168.0.10 
on a specific number of ports like 2000,2002,2012):

my_comp="192.168.0.10"
my_ports="{ 2000 2002 2012 }"
pass in on $ext_if proto tcp from $friends to $my_comp port $my_ports

The variable names are of course whatever you choose them to be. Descriptive 
names are usually best. 

OpenBSD has pretty decent documentation. Just remember not to go past words 
or definitions you don't understand. When an unknown term is used chase it 
down on google, for example, before going on. Make sure it makes sense before 
going on. This is key in learning anything. Otherwise you'll get stuck.

I had a friend that used to program in assembler (machine code) and just enter 
the hex values into the computer. He could never really debug what he wrote, 
but he could write a new program just like that. He said the key was that he 
had complete understanding of all the commands and the environment. There 
was nothing misunderstood.
-- 

Steve Szmidt

"To enjoy the right of political self-government, men must be 
capable of personal self-government - the virtue of self-control. 
A people without decency cannot be secure in its liberty."
From the Declaration Principles
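Added here as a worked example, not from this thread or from the pf sources: a small Python model of how pf reads a ruleset like the ones in this post and in the earlier ssh/sftp reply (`pass in log on $WAN proto tcp from $Home to $WAN port 22`). It expands macros, walks the rules top to bottom with last-match-wins and `quick`, and rejects the two mistakes easiest to make (an `allow` action, and `port` without `proto tcp`), so you can see why a `pass` added lower down can undo a `block` ("you can undo it elsewhere") and why `block in quick` cannot be undone. The ruleset is constructed: 216.87.0.0/17 is from the question, the hosts are RFC 5737 documentation addresses, and xl0 with external address 198.51.100.10 is assumed.

```python
"""Simplified model of pf rule evaluation (added example, not pf's own code): macros
are expanded, rules are walked top to bottom and the LAST match wins, unless a
matching rule says 'quick', which ends evaluation at once and cannot be undone later."""
import ipaddress
import re
# Constructed ruleset in the spirit of the posts: default block, the 216.87.0.0/17
# block from the question, ssh from home, friends on a few ports (RFC 5737 hosts).
RULESET = '''
ext_if="xl0"
home="203.0.113.45"
friends="{ 198.51.100.7 198.51.100.8 }"
my_comp="192.168.0.10"
my_ports="{ 2000 2002 2012 }"

block in on $ext_if all
block in quick on $ext_if from 216.87.0.0/17 to any
pass in log on $ext_if proto tcp from $home to $ext_if port 22
pass in on $ext_if proto tcp from $friends to $my_comp port $my_ports
pass in on $ext_if proto tcp from any to any port 80
'''
IFACE_ADDRS = {"xl0": ["198.51.100.10"]}   # assumed external address; "to $ext_if" means this
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def expand_macros(text):
    """Collect name="value" lines and substitute $name in the rules that follow."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:  # a KeyError here is an undefined macro, which pfctl rejects too
            rules.append(re.sub(r"\$(\w+)", lambda v: macros[v.group(1)], line))
    return rules

def _take_list(t, i):
    # (values, next_index) for a single value or a "{ a b c }" list
    if t[i] == "{":
        end = t.index("}", i)
        return t[i + 1:end], end + 1
    return [t[i]], i + 1

def parse_rule(line):
    """Parse the subset of pf.conf rule syntax used in the posts."""
    t = line.split()
    if t[0] not in ("pass", "block"):
        raise ValueError(f"unknown action '{t[0]}' (pf knows pass and block)")
    r = {"action": t[0], "dir": t[1], "quick": False, "log": False, "iface": None,
         "proto": None, "src": ["any"], "dst": ["any"], "ports": None}
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("quick", "log", "all"):  # flags; 'all' is from any to any
            r[w] = True
            i += 1
        elif w in ("on", "proto"):
            r["iface" if w == "on" else "proto"] = t[i + 1]
            i += 2
        elif w in ("from", "to", "port"):
            key = {"from": "src", "to": "dst", "port": "ports"}[w]
            r[key], i = _take_list(t, i + 1)
        else:
            raise ValueError(f"unknown keyword '{w}' in: {line}")
    if r["ports"] and r["proto"] not in ("tcp", "udp"):
        raise ValueError(f"port only applies to tcp/udp: {line}")
    return r

def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec in IFACE_ADDRS:  # an interface name stands for its own addresses
        return ip in IFACE_ADDRS[spec]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, pkt):
    """Return (action, 0-based rule number); ('pass', None) if nothing matched."""
    winner = ("pass", None)
    for n, r in enumerate(rules):
        if (r["dir"] == pkt["dir"]
                and r["iface"] in (None, pkt["iface"])
                and r["proto"] in (None, pkt["proto"])
                and any(addr_matches(s, pkt["src"]) for s in r["src"])
                and any(addr_matches(d, pkt["dst"]) for d in r["dst"])
                and (not r["ports"] or str(pkt["dport"]) in r["ports"])):
            winner = (r["action"], n)  # last match wins ...
            if r["quick"]:             # ... unless that match says quick
                break
    return winner

def decide(ruleset_text, src, dst, dport, proto="tcp"):
    # Decide one packet arriving inbound on xl0 under the given pf.conf text.
    rules = [parse_rule(ln) for ln in expand_macros(ruleset_text)]
    return evaluate(rules, dict(dir="in", iface="xl0", proto=proto, src=src, dst=dst, dport=dport))

if __name__ == "__main__":
    fw = IFACE_ADDRS["xl0"][0]
    print(decide(RULESET, "203.0.113.45", fw, 22))  # ('pass', 2): home may ssh in
    print(decide(RULESET, "216.87.5.5", fw, 80))    # ('block', 1): quick, stays blocked
    print(decide(RULESET.replace("block in quick", "block in"), "216.87.5.5", fw, 80))
    # -> ('pass', 4): without quick, the later "port 80" pass undoes the block
```

The rule number it returns is the 0-based position in the ruleset, which corresponds to the `rule N/(match)` that `tcpdump -nei pflog0` prints for a logged packet.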



Re: dns working but problem w etherape

2006-11-27 Thread steve szmidt
On Monday 27 November 2006 05:46, Craig Skinner wrote:

> > Running on a LAN machine it works fine, the problem is only when run on
> > the dns server.
>
> Are processes on the localhost permitted to use named?

Thanks, good point. But it does not make any difference. No doubt the problem is 
in etherape as I can do manual queries just fine.

-- 

Steve Szmidt



dns working but problem w etherape

2006-11-24 Thread steve szmidt
I thought I'd check to see if anyone here has been here...

OK, having gotten X up, etherape installed, I'm getting a complaint that "No 
nameservers defined." I've tested the local dns every way but Sunday, and it 
all seems to work just fine. 

I got a local LAN under RFC1918. I can do both forward and reverse lookups on 
local and external addresses. Both named-checkconf and named-checkzone pass 
fine. 

I got caching on and master of my third level subdomain (to separate from the 
ISP hosted 2nd level domain). 

Obviously etherape is trying to do some lookup and fails, but I've got no idea 
where... If I start etherape without name resolution it works, so it seems
to be a dns problem. :(

Running on a LAN machine it works fine, the problem is only when run on the 
dns server.

(Running OBSD 3.9)

-- 

Steve Szmidt



Re: Version 4.0 release

2006-10-10 Thread steve szmidt
On Monday 09 October 2006 17:44, you wrote:
> I see 4.0 is coming out, and yet, no hardware raid support, no fixes for
> raidframe,
> and still no SMP support, for sparc64 on Ultrasparc II machines.

Imagine saying something like, sorry but we have too much of a backlog to be 
able to get to that. Of course if you know someone who can help that would be 
very welcome!

I know that is a very far-fetched thing to say. So we'll just pour out a 
bunch of comments that frankly show our best side.


Little did you know, when you clicked on that send button, that you had just 
entered, the twilight zone! Where good and bad is mixed up and never clear! 
At least to you...

-- 

steve "the slime" szmidt

"The best four letter word is to hurt others. Never fail to put someone down 
when given an opportunity! Yeah, your mother is ugly! Haha!"



Re: Self Restraint (Was: Re: GPL = BSD + DRM [Was: Re: Intel's Open Source Policy Doesn't Make Sense])

2006-10-09 Thread steve szmidt
On Monday 09 October 2006 03:52, Marius Van Deventer - Umzimkulu wrote:

> > You know what I can't stand... Bullying! That's what's going on
> > here.

Eh, no doubt you are right. I've not followed the thread, but I know that if 
people are not bullied here something is wrong. This is by far the worst list 
I've been on, but I hang on in spite of it. Being close to the pulse has its 
advantages... 

Having lived in Cape Town for a few years I know you guys are probably tough 
Boers, and either way can take care of yourselves. Which is really all you 
can hope for here. Learn to swim with sharks...

-- 

Steve Szmidt



Re: Asterisk Voip

2006-09-25 Thread steve szmidt
On Monday 25 September 2006 03:37, J.A. Bal wrote:
> Hi all,
>
> I've seen in the archives there has been some discussion about using
> asterisk on OpenBSD. I'm trying to build a PABX with asterisk, but don't
> even seem to get the daemon running. Can someone supply me with an
> asterisk.conf file to get me started?
>
> Thanks a lot.
>
> Jasper

http://www.voip-info.org/wiki-Asterisk
-- 

Steve Szmidt



Re: Asterisk Voip

2006-09-25 Thread steve szmidt
On Monday 25 September 2006 03:37, J.A. Bal wrote:
> Hi all,
>
> I've seen in the archives there has been some discussion about using
> asterisk on OpenBSD. I'm trying to build a PABX with asterisk, but don't
> even seem to get the daemon running. Can someone supply me with an
> asterisk.conf file to get me started?
>
> Thanks a lot.
>
> Jasper

You're on the wrong list. Subscribe to the users list under asterisk.

A couple of years ago some did get it to run, but I never tried myself.
-- 

Steve Szmidt



Re: Upgrading 3.7 -> 3.9

2006-09-19 Thread steve szmidt
On Tuesday 19 September 2006 21:08, ICMan wrote:
> Thank you for the advice, everyone.  I don't want to lose my current 
> configuration, so I think I will give the double upgrade a try.

Of course you'll back up your config files...
-- 

Steve Szmidt



Re: Launching the Internet

2006-09-16 Thread steve szmidt
On Saturday 16 September 2006 19:56, Juan Pablo Feria Gomez wrote:
> looks like [EMAIL PROTECTED] are only for gurus who were born knowing everything...
>
> giving the new users the pointers where to start (as shane message) is
> enough...
>
> or just ignore the message...

Well in this case it's pretty clear it's not a real call for help, otherwise 
you are of course right. (I did reply to it off line).

-- 

Steve Szmidt



Re: Low priority or real coders

2006-09-15 Thread steve szmidt
On Friday 15 September 2006 14:09, you wrote:
> It's pretty funny that it's taken this long for another religious
> discussion on text editors to pop up on misc.  With all the faith,
> I would have expected it more often.
>
> My faith in the non-Improved vi is reinforced every time I see
> someone using vim with color syntax highlighting.  Highlighting
> makes source code impossible to read to someone who isn't used
> to it.  I'm really perplexed about how people think that having
> each line of source code in six different colors somehow makes
> things clearer.

Hehe, that might be a good point. Though I must say I usually like it. Maybe 
it's the break in monotony, pretty colors. Guess what I like about color is 
being able to spot something at a glance. 

It is funny too because many people are set in their ways and don't want to 
learn something new. Some are proud to have mastered something and don't 
want to join the masses who, by using some new tool, can do it faster and 
maybe better than the old method.

I see doctors who spend ten years learning something. The last thing they want 
to hear is that their knowledge is now obsolete. Which is always the risk in 
any high tech industry like ours.

-- 

Steve Szmidt



Re: Low priority or real coders

2006-09-14 Thread steve szmidt
On Thursday 14 September 2006 16:54, Paul Irofti wrote:
> I use both on a daily basis, but I'll use vim every time I get the
> chance because it's simply faster than vi when it comes to editing.

Well it's certainly been that for me too. Of course, I even still remember some 
of the control keys for Wordstar, for those old enough to remember. And then 
there was that line editor in VMS. The hrm, good old days!

-- 

Steve Szmidt



Re: Low priority or real coders

2006-09-14 Thread steve szmidt
On Thursday 14 September 2006 11:49, Matthew Jenove wrote:
> steve szmidt <[EMAIL PROTECTED]> wrote:
> > Maybe I'm different in that I like change.
>
> Who cares?
>
> Why is this thread still being discussed?  Install ViM and bash, and
> alias "ifconfig" to "ifconfig -A", and /you/ have /your/ perfect
> system.
>
> -mj

You missed the point. But as you said, who cares?
-- 

Steve Szmidt



Re: Low priority or real coders

2006-09-14 Thread steve szmidt
On Thursday 14 September 2006 07:16, you wrote:

> > * Defaulting to bash, easier to use - Implemented.
>
> that one shows the research you did, which would usually save me from
> feeling any reason to respond...

True, it was just a silly assumption when I all of a sudden had keyboard 
scroll buffer after an upgrade. When I build boxes I try to make minimum 
changes and though I certainly could replace things and customers would not 
complain, I tend to keep each O/S as they come. 

But when I was faced with not having scrolling through previous commands I 
usually loaded bash to get it. Now it's there so I just use the default 
shell.

> > * Out of date vi, harder to navigate and use, poor visual feedback.
>
> ...'cept of all the responses on this, people seem to have missed a few
> key reasons why vim is not and should not be part of OpenBSD, even if it
> was really vi.
>
> $ ls -l /usr/local/bin/vim /usr/bin/vi
> $ ldd /usr/local/bin/vim /usr/bin/vi
> $ ls -l /usr/local/lib/libiconv.so.4.0 /usr/local/lib/libintl.so.3.0
>
> *oink*

Good points.

> Now, to an emacs user, vim may look pretty lean.
>
> However, OpenBSD is a multi-platform OS.  Not everyone has an amd64 or even
> the "legacy" i386 platform.  A bloated editor is NOT AT ALL FUN on a slower
> machine, such as a mac68k or mvme88k.  When you call up an editor, it
> should just come up, not start chugging...  Splash screens aren't too cool,
> either, for system stuff.

True.

> Take the time to learn real vi.  You might just like it.  vi is on every

Hehe, same assumption. I've been using it on a daily basis for the last 11 
years. 

> For the record: I maintain the FAQ using vi.  I write scripts using vi.
> When I stick my nose into code, I use vi.  When I am teaching someone,
> I teach them vi.  vi is very capable.  It does NOT limit what you
> accomplish.

Quite true. I heard of a magazine where they all used vi to typeset with... 

> I've had people encourage me to try vim.  I've tried it.  I didn't like
> it...in part, because it was too close to real vi, but clearly not real
> vi, so I started using it like vi, and it didn't "work".  Plus, I found
> some operational modes "quirky" and unexpected.  Probably I could turn
> knobs and make it work like I expect...but then, I've now got a
> non-standard editor running in a non-standard way.  No joy in that for
> me...
>
> Nick.

I can certainly appreciate your view. Thanks for the feedback.




Re: Low priority or real coders

2006-09-14 Thread steve szmidt
On Thursday 14 September 2006 07:48, Adriaan wrote:
> On 9/14/06, steve szmidt <[EMAIL PROTECTED]> wrote:
> > * Out of date vi, harder to navigate and use, poor visual feedback.
>
> Use an .exrc file
>
> set number
> set ruler
> set verbose
> set showmode
> set showmatch
> set shiftwidth=4

Thanks for the tip!



Re: Low priority or real coders

2006-09-14 Thread steve szmidt
On Thursday 14 September 2006 00:10, you wrote:
> On Wed, 13 Sep 2006 22:53:04 -0400, "steve szmidt" <[EMAIL PROTECTED]>
>
> said:
> > * Defaulting to bash, easier to use - Implemented.
>
> OMG, not this again
> If you like bash install it.

It was simply a perception. I have not even checked but was surprised when the 
default shell included the keyboard command buffer.

> > VI is probably the worst as it gets a lot of use. It requires a lot more
> > keystrokes than its newer versions. It also requires a lot more
> > attention to track the mode it is in. The newer VI is more like a
> > typical editor and yet retained its power.
>
> This makes no sense. Vi is vi.
> You're not confusing vi with vim, are you?

Yes, as noted in the earlier email. :)




Re: Low priority or real coders

2006-09-14 Thread steve szmidt
On Wednesday 13 September 2006 23:38, you wrote:
> steve szmidt <[EMAIL PROTECTED]> wrote:
> > * Not showing all I/F's by default in ifconfig, requiring -A.
>
> This is a good thing.  Do you really want every command to just list any
> possible information in a huge mess?  Personally, I like to just get the
> info I ask for.

No, as you can see I was referring to ifconfig. When I use it I usually want 
to see all the interfaces. Otherwise I agree, moderation is a good thing.

> > * Defaulting to bash, easier to use - Implemented.
>
> This never happened.  And the default shell has always been up to you,
> it asks you when you run adduser.  Its just root's default shell that
> changed to ksh, not bash.

Of course it's up to the user. Though personally, I love that I can now type 
ifconfig and it does not require -a to list.

> > * Out of date vi, harder to navigate and use, poor visual feedback.
>
> No idea what this is about.  If you are used to vim, you might like vim.
> But alot of people expect vi to be vi, and nvi is a much better vi than
> vim.  Vim doesn't even paste correctly.  If you want vim, install it
> and alias vi=vim (not for root).

Hmm, never heard of nvi. 
Of course you can install whatever you want. But you may notice that was not 
my point. 

> > Some things are probably left with earlier versions
>
> Its not a question of newer versions, you are talking about using
> different software altogether, or adding extra "features" that many
> people would consider either not needed, or just plain bad.

Of course it is. Nah, though in the case of vim I _did_ forget it's really vim, 
not vi, you get. OBSD is evolving like anything else. Things get improved 
upon as each release rolls out. Not keeping up with the internal development, 
I was curious to see about those little changes being made to ease the use.

And no, it's not a bitter complaint about this and that. OBSD is plenty good 
the way it is. I have my preferences as to what I like, and others theirs. 
Fortunately we can all pretty much have our own ways for a little effort.





Re: Low priority or real coders

2006-09-14 Thread steve szmidt
On Thursday 14 September 2006 02:11, Otto Moerbeek wrote:
> On Wed, 13 Sep 2006, steve szmidt wrote:
> > Over the years one gets used to some small things that make life easier
> > but are only slowly catching up on OBSD. I'm curious as to why this is. Is
> > it that real coders don't need some of them, or is it just something like
> > a matter of being a lower priority?
>
> When we do not need things, they become low priority by itself. When
> we do not want them, they get zero priority or active resistance.
>
> I won't go into details, others have covered them. But you'll have to
> take into account the history. BSD systems exist for a long time.
> Personally I learned Unix 22 years ago on a BSD system. I have some
> expectations of a Unix system based on that experience. When I log
> into a BSD system, I feel at home. When I log into a typical Linux
> distro, I feel alienated. I will strongly resist changes that only
> cater for certain users, who just ignore history and only know the
> Linux way of doing things, and draw wrong conclusions from that.
>
>   -Otto
OK. I know what you mean. I learned it some two, three decades ago myself. 
Worked on SCO, SUN and SGI on and off. It was very easy moving between the 
platforms, and annoying when you found things different than what you 
expected. But when I eventually ran into Linux in the mid-'90s, I liked a lot 
about it. It certainly has its problems, but as a desktop it grew with my desire 
for a "better" window manager, and I simply did not want to be dependent on 
MS on my desktop even though they really tried to make a good desktop.

Maybe I'm different in that I like change. Not drastic, undo-all-you-know kind 
of change, but I like it when something is done in a way that makes it 
easier, pretty, with new functionalities, and so on. If it can then muster in 
good reliability, or at least hope of improved reliability, well I'm 
interested to see what is going on.

At the same time I don't think there's one close to perfect O/S that does all.
What gets silly are those O/S wars like we used to have between Mac and 
Windows people in the '90s. Recognize what each does well and use them for all 
they've got! For example, I love the security spearheading OBSD is doing. I love 
checking out the new KDE releases, the new integrated development tools, 
multimedia and so on. It's fun and helps my productivity.

(Say what you will about Linux being inferior in ways, it managed to do what 
no other Unix did for all that time -- captured a mainstream. A lot of 
development is being done benefiting most if not all Open Source platforms 
because of the attention coming down the Linux chute. So in the end we all 
win regardless of the O/S.)

The underlying O/S, well I don't care too much what it is, as long as I have 
faith in the developers keeping a future there for me to invest in. MS ruined 
their former good name by being arrogant and not caring about their users. 
There's a lesson there we could all learn from.




Re: Low priority or real coders

2006-09-14 Thread steve szmidt
On Thursday 14 September 2006 08:18, Terry wrote:
> On Wed, Sep 13, 2006 at 11:49:29PM -0400, steve szmidt wrote:
> 
>
> > I'm
> > curious to see how many not equally hard core users prefer vi over vim
> > when having a choice.
>
> I'm definitely not a "hard core user" but I prefer vi over vim in most
> cases. I do install vim and use it with mutt for my emails.

Interesting, is that because of your familiarity with vi, or...?



Re: Low priority or real coders

2006-09-14 Thread steve szmidt
On Thursday 14 September 2006 04:28, Stuart Henderson wrote:
> On 2006/09/13 23:49, steve szmidt wrote:
> > My reference to coding with vi/vim means usually working on scripts, and
> > config files.
>
> If you use it more, you'll find the differences get pretty
> annoying when you have to switch between them. I particularly
> dislike how the combination of `u' and `.' work on vim.

Actually I've been using both on a daily basis over the last ten years. Unless 
you mean I don't fully use all the features of vi, which might be true. 




Re: Low priority or real coders

2006-09-13 Thread steve szmidt
On Wednesday 13 September 2006 23:23, Bob Beck wrote:
> ... [various other misinformed half truths] ...

Not so, maybe you did not read it...

> > * Out of date vi, harder to navigate and use, poor visual feedback.
>
>   vi is completely current.  I believe you are thinking of "vim" which
> a bunch of linux distros install, and stupidly, alias to vi - it's not
> the same thing. It is in ports, and you can install it on openbsd
> quite well. Quite a number of developers who are in all other ways I
> consider perfectly sane and normal individuals even use it.

Ah, yes of course. Right you are! That link to vim can be misleading.

>   vi has 25 years of history behind it. When I'm a sysadmin and type
> vi, I want vi with all its usual idiosyncrasies so that it's
> basically the same no matter what system I'm using, OpenBSD, Solaris,
> AIX, HP/UX, RiscOS, etc. etc. etc.  (except Dead Rat Linux derivatives

That's probably as good an answer as I can get as to why many use it. 
But I prefer the occasional ease of use when vim is available, especially 
since it does not create any problem for me skipping between different 
vi/vim. I've not found it anything but a boon when I'm being a sysadmin.

My reference to coding with vi/vim means usually working on scripts and 
config files. In those scenarios I'll use what gets the job done the 
easiest, unless it's a security risk like telnet. 

The core part of the OBSD community is pretty hardcore, which is good. But as 
one can see in the threads there are a lot of other users, including even 
Windows people who have never heard of vi before trying out some Unix. 

I don't get very emotional about either one and try to keep things simple. I'm 
curious to see how many not equally hard core users prefer vi over vim when 
having a choice.



Low priority or real coders

2006-09-13 Thread steve szmidt
Over the years one gets used to some small things that make life easier but 
are only slowly catching up on OBSD. I'm curious as to why this is. Is it that 
real coders don't need some of them, or is it just something like a matter of 
being a lower priority?

* Not needing -a on ifconfig - Now implemented.
* Not showing all I/F's by default in ifconfig, requiring -A.
* Defaulting to bash, easier to use - Implemented.
* Command prompt buffer not clearing but leaving at least one entry on the 
line and not clearing with arrow down.
* Out of date vi, harder to navigate and use, poor visual feedback.

VI is probably the worst as it gets a lot of use. It requires a lot more 
keystrokes than its newer versions. It also requires a lot more attention to 
track the mode it is in. The newer VI is more like a typical editor and yet 
retained its power.

Some things are probably left with earlier versions due to priority, license 
issues and no doubt some developers just plain like some things not to 
change. What's on the horizon?



Re: pf table confusion

2006-09-10 Thread steve szmidt
On Sunday 10 September 2006 11:15, Stuart Henderson wrote:

> > I was until I finally got it that the rules are looking at IP's after -
> > not before, NAT. :)
>
> well, same applies when you use tables :)

Yes, that's what was going on, but it took a while for me to get it. 

> > > If you prefer simpler and lower resource-use and don't need
> > > caching, tinyproxy works nicely.
> >
> > I'm not sure how fine grained the control is. It needs to define allowed
> > sites for different user groups (by IP). Something like this:
> > 192.168.0.0/26 can access (list of web sites)
> > 192.168.0.65/27 can access (list of web sites)
> > 192.168.0.97/28 can access (any web site)
>
> You can do it with a couple of copies running and some creative
> configuration (rdr to different instances of tinyproxy depending on
> source address and abusing upstream proxy support), but for more
> complex needs squid's probably easier. Or of course httpd has
> mod_proxy and is in base and is somewhere between the two in
> terms of config flexibility.

Thanks, I came to the conclusion that squid will be the best fit.
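
The point this exchange settles, shown as an added example that is not Steve's or Stuart's configuration: an outbound rule on $WAN is evaluated after nat has rewritten the source address, so a table of internal hosts can never match there and the packet falls through to the default block. Interface names, the $Web macro and 192.168.0.2 come from the thread; the numeric <http-managers> entries are constructed documentation addresses and the tag name MGR_WEB is my own.

```pf
# Added example, not the original poster's pf.conf. Syntax of the
# OpenBSD 3.9/4.0 era used in this thread (separate nat rules).
WAN="bge0"
LAN="xl0"
Web="{ 80, 443 }"

table <managers>      { 192.168.0.2 }
# Numeric entries (constructed, RFC 5737 range) instead of host names: names
# are resolved only when the ruleset is loaded, and a single name that fails
# to resolve keeps the whole table file from loading.
table <http-managers> { 192.0.2.10, 192.0.2.11 }

nat on $WAN from $LAN:network to any -> $WAN

block in  log on $WAN
block out log on $WAN

# Broken: evaluated on $WAN after nat, so the source is $WAN's own address
# and never a <managers> entry. The packet ends in "block out log on $WAN".
#pass out log on $WAN proto tcp from <managers> to <http-managers> port $Web keep state

# Corrected: classify on $LAN inbound, where the untranslated source address
# is still visible, tag the packet, and pass only tagged packets out on $WAN.
# This rule must come before any general "pass quick on $LAN".
pass in  quick on $LAN proto tcp from <managers> to <http-managers> port $Web \
         tag MGR_WEB keep state
pass out log   on $WAN proto tcp tagged MGR_WEB keep state
```

Load with `pfctl -nf` first to catch syntax errors, then check what actually made it into the table with `pfctl -t http-managers -Ts`.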



Re: pf table confusion

2006-09-10 Thread steve szmidt
On Sunday 10 September 2006 10:32, Stuart Henderson wrote:
> On 2006/09/10 09:08, steve szmidt wrote:
> > > Maybe it would help to post pfctl -sr -vv with the direct entry
> > > (i.e. working) and table (i.e. not-working). Perhaps pfctl -sT -v
> > > too.
> >
> > Since pflog0 tells me which rule was used I only include that rule. The
> > first one is working and 2nd not.
> >
> > pass out log on $WAN proto tcp from any to any port $Web keep state
>
> oh, I thought you were putting the addresses in there (instead of
> loading from a table), not "any".

I was until I finally got it that the rules are looking at IP's after - not 
before, NAT. :)

>
> If you prefer simpler and lower resource-use and don't need
> caching, tinyproxy works nicely.

I'm not sure how fine grained the control is. It needs to define allowed sites 
for different user groups (by IP). Something like this:
192.168.0.0/26 can access (list of web sites)
192.168.0.65/27 can access (list of web sites) 
192.168.0.97/28 can access (any web site) 




Re: pf table confusion

2006-09-10 Thread steve szmidt
On Saturday 09 September 2006 19:06, Stuart Henderson wrote:

> So,
>
> - the only difference in pf.conf between working and not-working
> is that working uses addresses directly in the rules, and not-working
> uses tables;
>
> - your tables did load correctly and show the addresses with -Ts

Lists all tables

> Maybe it would help to post pfctl -sr -vv with the direct entry
> (i.e. working) and table (i.e. not-working). Perhaps pfctl -sT -v
> too.

Since pflog0 tells me which rule was used I only include that rule. The first 
one is working and 2nd not.

pass out log on $WAN proto tcp from any to any port $Web keep state

@16 pass out log on bge0 proto tcp from any to any port = www keep state
  [ Evaluations: 2         Packets: 23        Bytes: 5873        States: 0     ]
  [ Inserted: uid 0 pid 27950 ]


pass out log on $WAN proto tcp from  to any port $Web keep state

@7 block drop out log on bge0 all
  [ Evaluations: 6         Packets: 1         Bytes: 64          States: 0     ]
  [ Inserted: uid 0 pid 31006 ]

-pa-r-  admins
-pa---  customers
-pa-r-  extadmin
-pa-r-  http-operators
--a-r-  managers
-pa-r-  operators

> well, by listing numeric addresses, it will work as soon as DNS
> unbreaks - by listing names, if just one entry fails to resolve,
> the whole file will not be loaded.

Ah, yes. That would not be good. Squid would be better in that regard.




Re: pf table confusion

2006-09-09 Thread steve szmidt
On Saturday 09 September 2006 17:59, Stuart Henderson wrote:
> On 2006/09/09 16:40, steve szmidt wrote:
> > I also added proper data to all table files to ensure it does not mess
> > things up. Though the persist command should allow for empty files.
>
> Do your tables actually load? Check pfctl -t tablename -Ts.
> If not, does pfctl -vvt tablename -Tr -f /path/to/file offer clues?

Yes, running fine. 

> > pass out log on $WAN proto tcp from  to  port
> > $Web
>
> Remember the DNS lookup happens only when the rules are loaded.
> Is it acceptable to lose access to these sites when they change
> address? Also by listing names right in PF config or tables
> you're relying on working DNS to load the rules correctly.

Of course. But without DNS it does not work anyway...

> Consider whether using an http proxy might be a better choice...

True, proxy can be a good solution. But I still want to have the table working 
properly.




Re: pf table confusion

2006-09-09 Thread steve szmidt
On Saturday 09 September 2006 15:21, Steve Welham wrote:
> > I'm stuck on some obvious pf table error but I can't see it.
>
> 
>
> > ## Tables   (File content shown in brackets)
> > table  file "/etc/tAdmins" ( 192.168.0.3 )
> > table  file "/etc/tManagers" (192.168.0.2)
> > table  file "/etc/tOperators" (192.168.0.128)
> > table  file "/etc/tHttp-managers" (google.com)
> > table  file "/etc/tHttp-operators" (10.1.0.34)
> > table  file "/etc/tCustomers" ( )
> > table  file "/etc/tExtadmin" ( )
>
> Use curly braces {} to define tables.
>
> SteveW

Not on a file statement. The brackets (as noted above) were only included to 
show content.



Re: pf table confusion

2006-09-09 Thread steve szmidt
On Saturday 09 September 2006 15:21, you wrote:
> I would only filter traffic on ONE interface, as is often recommended
> in applicable documentation -- e.g. just filter traffic on your $WAN
> interface. It's very hard to get things right when filtering on two
> interfaces.

Agreed. Oops, the pass in on $LAN was just a test to see if it made a 
difference. It's not there anymore.

> So I would default deny (block all), then pass quick on 
> $LAN and then pass on $WAN as required.

Since I'm not blocking on LAN I did not bother, but I included it to see if it 
helps. It does not.

> Also, you don't seem to be passing proto tcp, port 80 traffic from
>  (ie. 192.168.0.2) to the 10.1.0.34 box on the $WAN
> interface?  Keep in mind that  contains only google.com

Ah, an out of date note I forgot to update during my testing. 

> and  is empty.

I also added proper data to all table files to ensure it does not mess things 
up. Though the persist command should allow for empty files.

> You're passing traffic from 10.1.0.34 to any
> port 80 on the $LAN interface, but not on the $WAN one. I think
> there's your reason you can't websurf to 10.1.0.34.

That's what "pass out log on $WAN proto tcp from  to  
port $Web keep state" is supposed to do. 

Managers contains 192.168.0.2, which I'm testing from, and http-managers 
contains google.com. If I replace the  statement with 192.168.0.2 it 
works. 

> As for google.com, I'm not sure, but I think it might have something
> to do with the fact that google.com resolves to multiple IPs in a
> round robin fashion -- and your  only resolves to just

Nah, that does not seem to be a problem. But I added openbsd.com.

>
> cheers,
> Jens

-- UPDATED --

## Macros
# Interfaces
WAN="bge0"
LAN="xl0"
LANip="192.168.0.0/24"
RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/24 }"
#RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8  }"

Web="{ 80, 443 }"
Web-server="192.168.0.10"
Ftp="21"
Ftp-server="192.168.0.11"

## Tables
table  persist file "/etc/tAdmins"
#table  persist file "/etc/tManagers"
table  { 192.168.0.2 }
table  persist file "/etc/tOperators"
#table  persist file "/etc/tHttp-managers"
table  { google.com, openbsd.com }
table  persist file "/etc/tHttp-operators"
table  persist file "/etc/tCustomers"
table  persist file "/etc/tExtadmin"

## Options

## Traffic Normalization
scrub in all

## Bandwidth Management
# External queues: we usually have 1000Mb internal, 4Mb on cable, and 3Mb on DSL
altq on $WAN cbq bandwidth 3000Kb queue { ssh, http-out, http-in, ftp-in, mail, dns, ftp, misc }
#queue LOCAL bandwidth 98456Kb cbq(borrow)

queue ftp-in bandwidth 12% priority 4 cbq(borrow red)
queue http-in bandwidth 13% priority 4 cbq(borrow red)
queue http-out bandwidth 25% priority 3 cbq(borrow red) { develusers, normalusers }
queue  develusers bandwidth 50% cbq(borrow)
queue  normalusers bandwidth 50% cbq(borrow)
queue mail bandwidth 10% priority 1 cbq(borrow ecn)
queue dns bandwidth 5% priority 5 cbq(borrow ecn)
queue ftp bandwidth 15% priority 2 cbq(borrow ecn)
queue ssh bandwidth 10% priority 6 cbq(borrow) { ssh_interactive, ssh_bulk }
queue  ssh_interactive bandwidth 50% cbq(borrow)
queue  ssh_bulk bandwidth 50% cbq(borrow)
queue misc bandwidth 10% cbq(borrow,default)

## Translations
#special = "{ 10.2.1.10 }"
#no nat on $WAN from $special to any
#nat on $WAN from $LAN to any -> $WAN
#binat on $WAN from $special to any -> $WAN
nat on $WAN from $LAN:network to any -> $WAN

## Redirection

## Packet Filtering
# Allow all loopback traffic.
pass quick on lo0

# Pass all on LAN i/f
pass quick on $LAN

# Default deny.
block in  log quick on $WAN from $RFC1918
block in  log on $WAN
block out log on $WAN

# Allow basic networking communication
pass in  log on $WAN proto icmp from any to any keep state
pass out log on $WAN inet proto icmp all icmp-type 8 code 0 keep state

# Allow dns and ntp out
pass out log on $WAN proto udp from any to any port 53 keep state
pass out log on $WAN proto udp from any to any port 123 keep state

# Allow ssh in and out
pass in  log on $WAN proto tcp from any to any port 22 keep state
pass out log on $WAN proto tcp from any to any port 22 keep state

# Allow web out based on tables
pass out log on $WAN proto tcp from  to any port $Web keep state
pass out log on $WAN proto tcp from  to  port $Web keep state
pass out log on $WAN proto tcp from  to  port $Web keep state

# Allow web and ftp in based on table
#pass in log on $WAN proto tcp from  to $Web-server port $Web
#pass in log on $WAN proto tcp from  to $Ftp-server port $Ftp



pf table confusion

2006-09-09 Thread steve szmidt
Hi,

I'm stuck on some obvious pf table error but I can't see it. 

I've got a small test subnet 192.168.0.0 under my own subnet 10.1.0.0, where I 
test this firewall.

Internet--[firewall]--10.1.0.0--[this test firewall]--192.168.0.0

Queues are not active yet, nor are web or ftp servers. 
I added a test machine IP (192.138.0.2) to the managers table file, and 
google.com to http-managers as allowed web sites for testing purposes.

I can ping them by both IP and domain name, but not browse. ipflog0 shows that 
rule #6 catches the packets. (block drop out log on bge0 all)

Testing with and without a table seems to narrow it down to the use of tables. 
Without the table ref it works. 

I've tried adding a blank line to the bottom but nothing seems to make a 
difference as far as the content.

I tried replacing  and  lines with:
table  { 192.168.0.2 }
table  { google.com }

But it still fails (caught on: block drop out log on bge0 all). I'd appreciate 
a hand with this one.

- - - - - - - - - 
## Macros
# Interfaces
WAN="bge0"
LAN="xl0"
LANip="192.168.0.0/24"
#RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8  }"
RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/24 }"

Web="{ 80, 443 }"
Web-server="192.168.0.10"
Ftp="21"
Ftp-server="192.168.0.11"

## Tables   (File content shown in brackets)
table  file "/etc/tAdmins" ( 192.168.0.3 )
table  file "/etc/tManagers" (192.168.0.2)
table  file "/etc/tOperators" (192.168.0.128)
table  file "/etc/tHttp-managers" (google.com)
table  file "/etc/tHttp-operators" (10.1.0.34)
table  file "/etc/tCustomers" ( )
table  file "/etc/tExtadmin" ( )

## Options

## Traffic Normalization
scrub in all

## Bandwidth Management
altq on $WAN cbq bandwidth 3000Kb queue { ssh, http-out, http-in, ftp-in, ftp-out, mail, dns, misc }
#queue LOCAL bandwidth 98456Kb cbq(borrow)

queue ftp-in bandwidth 12% priority 4 cbq(borrow red)
queue ftp-out bandwidth 15% priority 2 cbq(borrow ecn)
queue http-in bandwidth 13% priority 4 cbq(borrow red)
queue http-out bandwidth 25% priority 3 cbq(borrow red) { develusers, normalusers }
queue  develusers bandwidth 50% cbq(borrow)
queue  normalusers bandwidth 50% cbq(borrow)
queue mail bandwidth 10% priority 1 cbq(borrow ecn)
queue dns bandwidth 5% priority 5 cbq(borrow ecn)
queue ssh bandwidth 10% priority 6 cbq(borrow) { ssh_interactive, ssh_bulk }
queue  ssh_interactive bandwidth 50% cbq(borrow)
queue  ssh_bulk bandwidth 50% cbq(borrow)
queue misc bandwidth 10% cbq(borrow,default)

## Translations
#special = "{ 10.2.1.10 }"
#no nat on $WAN from $special to any
#nat on $WAN from $LAN to any -> $WAN
#binat on $WAN from $special to any -> $WAN

nat on $WAN from $LAN:network to any -> $WAN 

## Redirection

## Packet Filtering
# Allow all loopback traffic.
pass quick on lo0

# Default deny.
block in  log quick on $WAN from $RFC1918
block in  log on $WAN 
block out log on $WAN

# Allow basic networking communication 
pass in  log on $WAN proto icmp from any to any keep state  
pass out log on $WAN inet proto icmp all icmp-type 8 code 0 keep state 

# Allow dns and ntp out
pass out log on $WAN proto udp from any to any port 53 keep state
pass out log on $WAN proto udp from any to any port 123 keep state

# Allow ssh in and out 
pass in  log on $WAN proto tcp from any to any port 22 keep state  
pass out log on $WAN proto tcp from any to any port 22 keep state  

# Allow web out based on tables
pass in  log on $LAN proto tcp from  to any port $Web keep state 
pass out log on $WAN proto tcp from  to any port $Web keep state
pass out log on $WAN proto tcp from  to  port $Web keep state
pass out log on $WAN proto tcp from  to  port $Web keep state

# Allow web and ftp in based on table
#pass in log on $WAN proto tcp from  to $Web-server port $Web 
#pass in log on $WAN proto tcp from  to $Ftp-server port $Ftp
- - - - - - - - - 

pass quick on lo0 all
block drop in log quick on bge0 inet from 127.0.0.0/8 to any
block drop in log quick on bge0 inet from 192.168.0.0/16 to any
block drop in log quick on bge0 inet from 172.16.0.0/12 to any
block drop in log quick on bge0 inet from 10.0.0.0/24 to any
block drop in log on bge0 all
block drop out log on bge0 all
pass in log on bge0 proto icmp all keep state
pass out log on bge0 inet proto icmp all icmp-type echoreq code 0 keep state
pass out log on bge0 proto udp from any to any port = domain keep state
pass out log on bge0 proto udp from any to any port = ntp keep state
pass in log on bge0 proto tcp from any to any port = ssh keep state
pass out log on bge0 proto tcp from any to any port = ssh keep state
pass in log on xl0 proto tcp from  to any port = www keep state
pass in log on xl0 proto tcp from  to any port = https keep state
pass out log on bge0 proto tcp from  to any port = www keep state
pass out log on bge0 proto tcp from  to any port = https keep state
pass out log on bge0 proto tcp from  to  port = www keep state
pass out log on bge0 proto tcp from  to  port = https keep state
pass o

Re: It's not about the money

2006-03-26 Thread steve szmidt
No Theo, I've never asked anyone here to write something for me. I tend to do 
my own coding. When I saw you were in trouble back then I simply offered to 
see if I could help because I like your product. I know, it was ignorant of 
me. I should have known better. 

And you're quite right these threads have really not done anything for anyone, 
except maybe give some a bit more insight into human folly.

>"Altruism is a sham. Selflessness does not exist. The reason you offered to
> help is beacause you felt good practicing your society's morals--you are
> egotistical. This is not a bad thing, but such a dissection would deviate
> too far from the scope of misc."   

Yes Travers, I can tell you're experienced in life. I'm glad you took the 
opportunity to share your insights with me and my silly society's morals.

> "So, you asked what you could do, right?  

No Jacob not really, actually not at all, but it's water under the bridge. 

> "See, that's the problem.  Just go raise the money _on your own_.  There are
> plenty of "good ideas" in the misc@ archives. 

Yes, I've since realized how futile and stupid it was of me to have such an 
idea. I promise it won't happen again. It's probably a good bet that these 
threads have made a few people realize some of their futilities too. So it's 
sort of like a blessing in disguise. I'm sure you will not hear anything on 
the subject for a good while now after getting it all out in the open.


-- 

Steve Szmidt

"For evil to triumph all that is needed is for good men to do nothing.
Edmund Burke



Re: It's not about the money

2006-03-25 Thread steve szmidt
On Saturday 25 March 2006 17:33, you wrote:

> Have you ever read [EMAIL PROTECTED] I mean actually read it? The only people
> that get slammed are those that deserve it. You're supposed to do your
> own homework - there is no hand holding because hand holding takes
> away time from more productive things, like code. The community as a
> whole spends a great deal of effort clearly documenting everything and
> those that choose to ignore that effort get the brunt of the flames. I
> have never seen, in my four years on this list, anyone getting flamed
> by a developer or well-known community member that didn't absolutely
> deserve it.

Hmm. The last time money was short I unselfishly offered my time to help raise 
money, because I wanted to help. Help those who had helped me. I figured it 
would be a nice thing for me to do.

I got ripped so badly in a stream of four letter words I thought I was back in 
boot camp. My kind was not needed and such. Of course it was entirely in 
someone's mind who I was, as it sure as heck was not known. 

Yeah, it was not done on the list. But nevertheless by what you call a key 
member. Several others have shared their experiences with me. Maybe because 
I've offered a kind word after some public abuse.

Jim Snyder, and others, are dead on, but some people simply don't see it. It's 
invisible to a whole bunch, which is really sad. Personally I had not heard 
such foul language since boot camp.

Your judgement as to what constitutes "deserve" is not on par with most others 
outside this list. Heck, this list is infamous for toasting people. 

> Blah blah blah, enough with the tired cliches. The problem is exactly
> too many selfish whiners. They want more and more, without having to

Tired cliche?!? 

He's, like most of us, really grateful for the code, and pays in kind by buying 
a copy every six months. Oftentimes I get new people to buy it too. 

> support the project, and then they want everyone to hold their hand
> through it. "Why doesnt my laptop touchpad work?" "When are you going
> to support Adaptec cards? FreeBSD supports it!" These people have zero
> understanding of OpenBSD or open source in general; and the sad part
> is, they don't even know it. Consider OpenBSD is doing them a favor by
> giving them a harsh reality check. One can only hope it will do them
> some good.

This is not Jim whining...

> Vendors do care. They have to care exactly because OpenSSH is the
> world standard. It would cost them far more to develop in house talent
> to maintain and extend the current codebase than it would to simply
> drop a $10K check to the project.

That has never been questioned. And not related to Jim's comment.

> Blah blah blah, more tired cliches. The culture here is exactly what
> made the code "beautiful". So kindly, STFU (-:

There are very few places indeed where people retain customers after being 
verbally abused. It speaks droves of how good your code is. Imagine the 
support if your attitude matched your code!

You are burning bridges left right and center with those who'd be happy to 
contribute, had it not been for the holier than thou attitude. It's 
absolutely amazing people donate at all. Imagine if you had competition that 
were nice! Anyone who'd spent any time on the list would go elsewhere.

It's not like anyone is suggesting you go celibate, or wear weird clothes or 
something. People just like being treated nicely. I'm sure you would not mind 
if someone threw a few nice words your way...

-- 

Steve Szmidt

"For evil to triumph all that is needed is for good men to do nothing."
Edmund Burke



Re: openbsd and the money

2006-03-23 Thread steve szmidt
On Thursday 23 March 2006 15:54, you wrote:
> > thankless?  you sir, are the most thankless project leader
> > i have ever seen in my life.
>
> We thank with code.  We don't come shower people with nice words.
> We write code.

Oh, dear. 


Frantisek,

The dichotomies are only too obvious. As dumb as it may seem, pleasantries are 
what greases the wheels of human interaction. Nothing short of magical, what 
it can do.

Speaking for myself, I used to be one arrogant son-of-a-bitch. Knew it all, or 
almost. One day a customer pointed out that my technical skills were superb, 
but my personal PR with his employees was so bad he did not want to use me.

My immediate thought was screw him! But after a while I realized that I really 
LOVE producing solutions. I never cared if someone liked me or not. But that 
not caring got so bad that I got a bad reputation too. If people don't like 
me, helping them becomes so much harder to do. Never mind what it does to my 
income.

I still don't care too much as long as I'm happy with me. But I temper that 
with evaluating what kinds of effects do I produce on people I get in contact 
with. I like to think people are doing and feeling better after I help them. 
That produces goodwill, and more income.

Is this what you mean?
-- 

Steve Szmidt

"For evil to triumph all that is needed is for good men to do nothing."
Edmund Burke



Re: openbsd and the money

2006-03-23 Thread steve szmidt
On Thursday 23 March 2006 09:36, you wrote:
> This is what I see:
>
> Community - [EMAIL PROTECTED]
>
> and as far as I can remember none of the devs has ever told me that I'm nobody.

Good for you.

> On Thursday 23 March 2006 15:09, frantisek holop wrote:
> > just before i order my 3.9:
> >
> > this is what i feel sometimes, and i think sometimes more of you do.

It is very unfortunate that this is the case. Sometimes bad attitudes (and who 
knows what) get in the way. We can also pretend nobody gets flamed for 
being a newbie or asking a stupid question.

There's an old adage - hat, don't hit. (Or educate, for those not familiar 
with the use of hat.)

When you have sufficient misunderstandings, you go blank. True, some people 
are too lazy to look things up themselves, and like it served on a silver 
platter. But most are simply dumbed down from not knowing enough after 
staring at too many incomprehensible things.

As long as people fry those who know less, it will suppress community growth 
because it will also be noticed by those with enough compassion, who don't 
like seeing people get fried, regardless of who's fried.

If someone here has the gall, or ignorance, to say that members of the "team" 
don't let their misemotions flare up on, or from, this list - well, you'll 
put a smile on this author's face. 

Goodwill must be earned. Which the technical merits of OBSD supplies whenever 
noticed. But it goes away and is more hard earned each time anyone in 
"official" positions shows a "poor" choice of words and turns a poor soul 
into a crisp one.

An old friend of mine once stated that people's emotional baggage is like 
walking around with one of those big black garbage bags over your shoulder. 
With a hole in it. 

Where ever you go you leave some...

One thing having character means is to hold oneself back from striking out, 
however justified, and just respond with kind words. It also takes guts. But 
in the long run is always paid back with interest.

If someone feels singled out by this, I can assure you that would be a 
coincidence as this is entirely fictional... at least for some.

Now, try to go in peace.
-- 

Steve Szmidt

"For evil to triumph all that is needed is for good men to do nothing."
Edmund Burke



Re: home VPN

2006-03-13 Thread steve szmidt
On Monday 13 March 2006 10:55, you wrote:
> Joachim Schipper wrote:
> > On Sat, Mar 11, 2006 at 09:03:21PM -0300, Gustavo Rios wrote:
> >> Dear folks,
> >>
> >> i live in brazil, and it is a common practice for local
> >> corporation/institutions to monitor our phone calls, internet access
> >> and personal email. I would like to be able to access Internet by
> >> means of a proxy. My initial ideia is to get some peer (personnel)
> >> outside brazil that would allow me to connect through it.

With all the illegal and then not so smart activities of people that often 
becomes the solution in any country.

> I wanted to be able to access the web and surf
> without the Nazi admin checking the firewall logs
> to see what I am doing.

Oh, nice. Figure out how to bypass company security policy and put them all at 
risk. Then call the guy who's job it is to keep it all working a Nazi. Mmm, 
impressive.

Hopefully you are not running on a Windows machine thus opening a door to 
making it a cinch to hack your company network through your eh, 
inventiveness.

-- 

Steve Szmidt

"For evil to triumph all that is needed is for good men to do nothing."
Edmund Burke



Re: ssh

2005-05-17 Thread steve szmidt
On Monday 16 May 2005 16:43, you wrote:
> On Mon, 16 May 2005 23:25:29 +0300, Kaj Mäkinen <[EMAIL PROTECTED]>
>
> wrote:
> >Is there any way to configure ssh to allow root access from private
> >network address.
> >and at the same time allow ssh-access from outside for other users (not
> >root) ?
>
> What part of the words "Do *NOT* login as root" have you failed to
> understand?

And who made you God? Using root may be a security risk in a number of 
environments, but certainly not something that cannot be done when 
appropriate. 

WHEN?!! You instantly ask, clearly with froth running down the face. Well 
let's see. I have a LAN which is used to test configurations, pf.conf and so 
on. It does not have WAN access. The few of us who have physical access to 
that rack, trust each other. When we modify something on that LAN box I only 
use root.

Sure, most situations can be said to have a *potential* liability.

But, putting up some shitty attitude does not exactly educate people either. 
And even if, it's still everyone's prerogative to do so if they decide to.

Just because you *might* know more than others, you feel you *need* to hit 
some poor guy who's not familiar with security. You may feel good spitting it 
out, but it's no help to anyone. 

Robotic education is not education either. You can train a dog that way, but 
few humans will do well with it. Understanding is the key word. 

Oh, some unnamed people here have a four letter word in every sentence when 
they feel like it. They are nicely justified too. 

Still, that kind of attitude only makes the perpetrator look bad. And helped 
no one.


-- 

Steve Szmidt

"They that would give up essential liberty for temporary safety 
deserve neither liberty nor safety."
Benjamin Franklin
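The question that started this thread, root over ssh from the private LAN only while other users may log in from anywhere, is answered in sshd_config(5) by a Match block. The fragment below is an added example, not something posted in the thread; the 192.168.1.0/24 range, the interface names and the user list are assumptions standing in for the poster's own network. One caveat the thread itself could not give: Match blocks arrived in OpenSSH 4.4, released after this 2005 exchange, so on the OpenSSH of the day the same split needed pf rules or a second sshd instance bound to the internal interface.

```sshd_config
# /etc/ssh/sshd_config -- added example, not from the original thread.
# Assumed: 192.168.1.0/24 is the trusted test LAN described in the reply,
# and "alice" and "bob" are the users who may log in from anywhere.

# Global defaults apply to every connection that matches no Match block:
# root is refused everywhere, passwords are off, keys only.
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob

# Directives inside a Match block override the globals only for
# connections whose source address is inside the assumed LAN range.
# Keep the list of overridable keywords in mind: sshd_config(5)
# documents which directives a Match block may set.
Match Address 192.168.1.0/24
    PermitRootLogin yes
    AllowUsers alice bob root

# Everything after a Match line belongs to that block until the next
# Match, so put any further global settings above the first Match.
```

Before reloading, check what the daemon will actually apply to a given client with `sshd -t` for a syntax pass and `sshd -T -C addr=192.168.1.10,user=root` (and again with an outside address) to print the effective configuration for that connection; the outside run should show `permitrootlogin no`. A matching pf rule that only passes port 22 to the daemon from the LAN and from whichever outside hosts need it keeps the ssh limit and the firewall limit in agreement rather than relying on one of them alone.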