Re: multiple pptp pass-through PF

2007-11-19 Thread Lars Noodén
Beavis wrote: > ... I'm trying to run multiple pptp > connections behind my 2 PF/carp firewalls. ... You should not be using PPTP. You have your choice, IPsec with encryption or SSL with encryption: http://www.vpnc.org/vpn-standards.html Allowing PPTP inside your LAN is to encourage use

Re: Compromising a host with pf enabled?

2007-11-19 Thread Clint Pachl
Chris Zakelj wrote: Greg Thomas wrote: It does say "single" rule. Yes, but at that point it becomes a rather useless system. It's likely to break in curious ways, since anything using the 127.0.0.1 loopback will, I think, either become unresponsive or start throwing errors. Ok, I'm in brai

Re: Compromising a host with pf enabled?

2007-11-19 Thread Clint Pachl
Chris Zakelj wrote: Clint Pachl wrote: Is it possible for a cracker to compromise or root a machine on a network that has pf enabled with the single rule "block all in"? I suspect you're just fishing, but in the interests of spirited debate - Is "block in all" the first rule, the last rule,

Re: Compromising a host with pf enabled?

2007-11-19 Thread Chris Zakelj
Greg Thomas wrote: It does say "single" rule. Yes, but at that point it becomes a rather useless system. It's likely to break in curious ways, since anything using the 127.0.0.1 loopback will, I think, either become unresponsive or start throwing errors. Social engineering? Usually the w

Re: Compromising a host with pf enabled?

2007-11-19 Thread Greg Thomas
On Nov 19, 2007 6:37 PM, Chris Zakelj <[EMAIL PROTECTED]> wrote: > Clint Pachl wrote: > > Is it possible for a cracker to compromise or root a machine on a > > network that has pf enabled with the single rule "block all in"? > I suspect you're just fishing, but in the interests of spirited debate..

ftp-proxy not working properly

2007-11-19 Thread Jake Conk
Hello Gurus, I'm having a problem with ftp proxy... I am using the OpenBSD machine as my router and I'm trying to connect to public ftp addresses which I can but the problem is i cannot list, put, or get any files from any remote hosts?? After I establish the connection to the remote server I see

Re: Compromising a host with pf enabled?

2007-11-19 Thread Chris Zakelj
Clint Pachl wrote: Is it possible for a cracker to compromise or root a machine on a network that has pf enabled with the single rule "block all in"? I suspect you're just fishing, but in the interests of spirited debate - Is "block in all" the first rule, the last rule, or somewhere in bet

Revision on Macbook Guide

2007-11-19 Thread Aaron Hsu
Hello everyone, I have had quite a few requests to come up with a new guide for the Macbook and OpenBSD. I haven't really thought that there was that much to update, so I haven't been doing too much on it. However, since there is a new -RELEASE out, I figured that I ought to at least bring thin

Re: OpenCon broadcasting.

2007-11-19 Thread Siju George
On Nov 19, 2007 10:58 PM, Marc Balmer <[EMAIL PROTECTED]> wrote: > Siju > > > Papers and slides are usually made available on the OpenBSD website > shortly after any conference, so you might try your luck there. > Thanks Marc, will do that :-) kind regards Siju

Re: can't change password with passwd command

2007-11-19 Thread Clint Pachl
Jumping Mouse wrote: When I try to change a user password I get an error. I do this: # passwd username enter a new password and get: pwd_mkdb: corrupted entrypwd_mkdb: at line #24pwd_mkdb: /etc/ptmp: Innapropriate file type or formatpasswd: etc/master.passwd unchanged how can I fix this?

Compromising a host with pf enabled?

2007-11-19 Thread Clint Pachl
Is it possible for a cracker to compromise or root a machine on a network that has pf enabled with the single rule "block all in"?

Re: how best to handle DNS on firewalled home network?

2007-11-19 Thread Stuart Henderson
On 2007/11/19 23:46, Jonathan Thornburg wrote: > One person also mentioned that s/he uses opendns.com > instead of ISP nameservers. N.B. by default they will return a positive response for non- existent domains (for typo correction) and bogus responses to provide warnings about phishing s

Re: how best to handle DNS on firewalled home network?

2007-11-19 Thread Jonathan Thornburg
In message , I wrote: > I'm setting up a home firewall, intended to (try to) protect "client" > machines (mostly family members' MS-Windoze laptops) from misc internet > threats. [[...]] > My plan is to have the firewall run its own dhcpd on i

Re: securing OpenBSD wireless network

2007-11-19 Thread David Newman
On 11/19/07 2:36 PM, Tonnerre LOMBARD wrote: > Salut, > > On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote: >> There is some layer-2 stuff that happens before layer-3 handshaking >> begins -- 802.11 association and deassociation, possibly

can't change password with passwd command

2007-11-19 Thread Jumping Mouse
When I try to change a user password I get an error. I do this: # passwd username enter a new password and get: pwd_mkdb: corrupted entrypwd_mkdb: at line #24pwd_mkdb: /etc/ptmp: Innapropriate file type or formatpasswd: etc/master.passwd unchanged how can I fix this?

Re: securing OpenBSD wireless network

2007-11-19 Thread Christian Weisgerber
Marco S Hyman <[EMAIL PROTECTED]> wrote: > Very true. The only time I consider turning on WEP is when I notice > a neighbor is connecting to my net more often than not. Yes, by accident. And downloading his mail with unencrypted POP3 for all to see... You can use IPsec to discourage that, too

Re: securing OpenBSD wireless network

2007-11-19 Thread Tonnerre LOMBARD
Salut, On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote: > There is some layer-2 stuff that happens before layer-3 handshaking > begins -- 802.11 association and deassociation, possibly layer-2 > learning, and 802.1X authentication if that's used. IPSec will not and > cannot secure any

Re: Hoststated and randomly dropped connections

2007-11-19 Thread Preston Norvell
Thanks much, I'll start digging into the sysctls. I'm reasonably certain it isn't something with the app servers, because in the tcpdump output I can see the conversation between the load balancer and the app server complete successfully (all aspects of the request/response even), it's just from

Re: lost root account

2007-11-19 Thread Jumping Mouse
Ok the issue was solved! mount -s -uw / vipw I typed the missing root account line back in and saved the file and can now log back in as root. this then invoked pwd_mkdb to do all the rest. thanks everyone. only issue now is that if I try to change another users account password I get the foll

Re: securing OpenBSD wireless network

2007-11-19 Thread David Newman
On 11/19/07 8:16 AM, Tonnerre LOMBARD wrote: > Personally, I use IPsec to secure my WLAN, and I can only recommend that > to others. It is very effective. IPSec can be an effective safeguard -- for IP headers and the upper-layer protocols and payload

Re: lost root account

2007-11-19 Thread Jason McIntyre
On Mon, Nov 19, 2007 at 04:20:22PM -0500, Nick Holland wrote: > > /etc/ptmp isn't documented in vipw (it probably should be), but it is > covered in passwd(1). It should also be documented in faq8.html, I'll > try to fix that this evening. :) > cvs up! that is to say, i agree, and just added

Re: securing OpenBSD wireless network

2007-11-19 Thread Peter N. M. Hansteen
Marco S Hyman <[EMAIL PROTECTED]> writes: > Very true. The only time I consider turning on WEP is when I notice > a neighbor is connecting to my net more often than not. Yes, by accident. > Typically because their AP went down and needed to be reset and they hadn't > noticed. Not sure what the

Re: system not using second entry in $PKG_PATH

2007-11-19 Thread Stuart Henderson
On 2007/11/19 22:35, christian widmer wrote: > ask yourself why do you use ':' as a separator? see pkg_add(8) about PKG_PATH

Re: system not using second entry in $PKG_PATH

2007-11-19 Thread Juan Miscaro
> On Monday 19 November 2007 14.21:17 Juan Miscaro wrote: > > On two OpenBSD 4.2 systems I have a (master) system that contains > two > > repositories - one of regular packages and one of packages derived > from > > ports. On the client (slave) system I have a script with a > PKG_PATH > > containi

Re: spamdb output

2007-11-19 Thread Bob Beck
* RW <[EMAIL PROTECTED]> [2007-11-11 22:39]: > It seems that the migrated database works but new entries go on the end > - no SORT of order, and SPAMTRAP entries (that I entered using a > script) ended up showing in two bunches in the midst of other unordered > entries. > > My question is: Is thi

Re: securing OpenBSD wireless network

2007-11-19 Thread Marco S Hyman
Tor Houghton writes: > On Mon, Nov 19, 2007 at 07:59:17AM -0800, David Newman wrote: > > > > Well, if you want to prevent someone from accidentally connecting to your > > > network, yes. > > > > WEP keys can be captured in less than one minute: > > This fact is immaterial in context of m

Re: system not using second entry in $PKG_PATH

2007-11-19 Thread christian widmer
ask yourself why do you use ':' as a separator? you have ':' in your PKG_PATH_LAN1 and PKG_PATH_LAN2. this is by the way the reason why you can't do what you're trying to. On Monday 19 November 2007 14.21:17 Juan Miscaro wrote: > On two OpenBSD 4.2 systems I have a (master) system that contains

Re: securing OpenBSD wireless network

2007-11-19 Thread Tor Houghton
On Mon, Nov 19, 2007 at 07:59:17AM -0800, David Newman wrote: > > Well, if you want to prevent someone from accidentally connecting to your > > network, yes. > > WEP keys can be captured in less than one minute: > This fact is immaterial in context of my statement. Tor

Re: lost root account

2007-11-19 Thread Nick Holland
Jumping Mouse wrote: Hi there, I have inherited an OpenBSD machine with no root account. When I boot up in single user mode boot -s and do a cat /etc/master.passwd | root I presume there's a "grep" missing in there. :) the only thing I get is: daemon:*:1:1::0:0:The devil himself:/root:

Re: system not using second entry in $PKG_PATH

2007-11-19 Thread Juan Miscaro
--- Nick Guenther <[EMAIL PROTECTED]> wrote: > On 11/19/07, Juan Miscaro <[EMAIL PROTECTED]> wrote: > > --- Marc Espie <[EMAIL PROTECTED]> wrote: > > > > > On Mon, Nov 19, 2007 at 08:21:17AM -0500, Juan Miscaro wrote: > > > > However the second one (PKG_PATH_LAN2) is never consulted. If > I > > >

Re: lost root account

2007-11-19 Thread Jumping Mouse
thanks Juan, faq8.1 shows me how to reset my root password but i could not find anything on recreating the root account. Perhaps I am missing something? > Date: Mon, 19 Nov 2007 14:36:18 -0500> From: [EMAIL PROTECTED]> Subject: Re: lost root account> To: [EMAIL PROTECTED]; misc@openbsd.org> > >

Re: lost root account

2007-11-19 Thread Jumping Mouse
Hi Marcus, I thought it was enough to add the root account through vipw. that this edits the master.passwd file and would automatically update everything else? how would I use pwd_mkdb, i don't want to delete any other accounts from the master.passwd file. thanks > Date: Mon, 19 Nov 2007 1

Re: lost root account

2007-11-19 Thread Juan Miscaro
--- Jumping Mouse <[EMAIL PROTECTED]> wrote: > Hi there, I have inherited an OpenBSD machine with no root account. > When I > boot up in single user mode boot -s and do a cat > /etc/master.passwd | root > the only thing I get is: daemon:*:1:1::0:0:The devil > himself:/root:/sbin/nologin I c

Re: system not using second entry in $PKG_PATH

2007-11-19 Thread Nick Guenther
On 11/19/07, Juan Miscaro <[EMAIL PROTECTED]> wrote: > --- Marc Espie <[EMAIL PROTECTED]> wrote: > > > On Mon, Nov 19, 2007 at 08:21:17AM -0500, Juan Miscaro wrote: > > > However the second one (PKG_PATH_LAN2) is never consulted. If I > > remove > > > the first one then packages are found and inst

Re: lost root account

2007-11-19 Thread Marcus Andree
Boot your machine in single user mode (boot -s) and use plain vi and pwd_mkdb soon after that. There's no need to use vipw when running in boot -s. On Nov 19, 2007 5:18 PM, Jumping Mouse <[EMAIL PROTECTED]> wrote: > Hi there, I have inherited an OpenBSD machine with no root account. When I > bo

Re: lost root account

2007-11-19 Thread Gilles Chehade
On Mon, Nov 19, 2007 at 08:18:47PM +0100, Jumping Mouse wrote: > Hi there, I have inherited an OpenBSD machine with no root account. When I > boot up in single user mode boot -s and do a cat /etc/master.passwd | root > the only thing I get is: daemon:*:1:1::0:0:The devil > himself:/root:/sbi

Re: system not using second entry in $PKG_PATH

2007-11-19 Thread Juan Miscaro
--- Marc Espie <[EMAIL PROTECTED]> wrote: > On Mon, Nov 19, 2007 at 08:21:17AM -0500, Juan Miscaro wrote: > > On two OpenBSD 4.2 systems I have a (master) system that contains > two > > repositories - one of regular packages and one of packages derived > from > > ports. On the client (slave) syst

lost root account

2007-11-19 Thread Jumping Mouse
Hi there, I have inherited an OpenBSD machine with no root account. When I boot up in single user mode boot -s and do a cat /etc/master.passwd | root the only thing I get is: daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin I can't seem to make changes to the master.passwd account by

Re: system not using second entry in $PKG_PATH

2007-11-19 Thread Marc Espie
On Mon, Nov 19, 2007 at 08:21:17AM -0500, Juan Miscaro wrote: > On two OpenBSD 4.2 systems I have a (master) system that contains two > repositories - one of regular packages and one of packages derived from > ports. On the client (slave) system I have a script with a PKG_PATH > containing both re

Re: hoststated(8): DNS Relay uses unexpected source IP address

2007-11-19 Thread Rolf Sommerhalder
On Nov 19, 2007 6:35 PM, Reyk Floeter <[EMAIL PROTECTED]> wrote: > please try to configure the following: ... > so the proposed solution is to always use "listen on 0.0.0.0 port 53" > with DNS relays for now. Your proposal indeed solves the problem in my multi-homed setup, and makes my work-around

Re: mount_cd9660 options

2007-11-19 Thread Jason McIntyre
On Mon, Nov 19, 2007 at 05:46:59PM +0100, frantisek holop wrote: > > there are sub-headings in some man pages (e.g. ksh(1)), perhaps > that could be doable, somewhere lower in DESCRIPTION, e.g. > >A fitting subtitle > Certain filesystems acquire flags based on their type and > con

Re: multiple pptp pass-through PF

2007-11-19 Thread Reyk Floeter
hi! On Mon, Nov 19, 2007 at 11:24:59AM -0600, Beavis wrote: > hi folks, > > any pf folks available? I'm trying to run multiple pptp > connections behind my 2 PF/carp firewalls. i was only successful to > pass just 1 client and the rest gets denied for some weird reason. my > pf.conf is below

Re: hoststated(8): DNS Relay uses unexpected source IP address

2007-11-19 Thread Reyk Floeter
On Sat, Nov 17, 2007 at 04:01:51PM +0100, Rolf Sommerhalder wrote: > relay dnsRelay { > listen on $yellow port 53 > protocol dnsProto > forward to $white port 53 > #forward to $dnsHost port 53 > timeout 60 > } > as theo mentioned, the problem is related to the use of the bind() call for the

Re: securing OpenBSD wireless network

2007-11-19 Thread Marc Balmer
Tonnerre LOMBARD wrote: Salut, On Mon, Nov 19, 2007 at 07:59:17AM -0800, David Newman wrote: OpenBSD supports WEP. Does it even matter? Well, if you want to prevent someone from accidentally connecting to your network, yes. WEP keys can be captured in less than one minute: http://eprint.i

Re: OpenCon broadcasting.

2007-11-19 Thread Marc Balmer
Siju Is there any chance of broadcasting OpenCon 2007 through metabug ( http://metabug.org/ )? It would be of great help for people who cannot make it to "Venice" due to several reasons. (Sadly I cannot afford that travel cost currently :-( so will be many ) As somebody struggling to "make sens

multiple pptp pass-through PF

2007-11-19 Thread Beavis
hi folks, any pf folks available? I'm trying to run multiple pptp connections behind my 2 PF/carp firewalls. i was only successful to pass just 1 client and the rest gets denied for some weird reason. my pf.conf is below nat on $exT_if inet from any to any -> $ext_if block in all block out

Re: mount_cd9660 options

2007-11-19 Thread frantisek holop
hmm, on Tue, Nov 13, 2007 at 09:58:20AM +, Jason McIntyre said that > On Mon, Nov 12, 2007 at 10:00:13PM +0100, frantisek holop wrote: > > > > > > if you mount a cd9660 filesystem w/ -R (no rockridge extensions) you get > > > norrip in the output. i don't think you can specify this as a mount

Re: securing OpenBSD wireless network

2007-11-19 Thread Marti Martinez
In my state, WEP is useful as a legal matter -- "borrowing" unsecured wireless connectivity is not illegal, whereas "stealing" secured access is. Sometimes the technical issues are not the only important ones. Marti On Nov 19, 2007 8:59 AM, David Newman <[EMAIL PROTECTED]> wrote:

Re: securing OpenBSD wireless network

2007-11-19 Thread Tonnerre LOMBARD
Salut, On Mon, Nov 19, 2007 at 07:59:17AM -0800, David Newman wrote: > >>> OpenBSD supports WEP. > >>> > >> Does it even matter? > >> > > > > Well, if you want to prevent someone from accidentally connecting to your > > network, yes. > > WEP keys can be captured in less than one minute: > > http:/

Re: securing OpenBSD wireless network

2007-11-19 Thread David Newman
On 11/19/07 3:18 AM, Tor Houghton wrote: > On Sun, Nov 18, 2007 at 10:51:49PM -0700, Clint Pachl wrote: >>> OpenBSD supports WEP. >>> >> Does it even matter? >> > > Well, if you want to prevent someone from accidentally connecting to your > network,

OpenCon broadcasting.

2007-11-19 Thread Siju George
Hi, Is there any chance of broadcasting OpenCon 2007 through metabug ( http://metabug.org/ )? It would be of great help for people who cannot make it to "Venice" due to several reasons. (Sadly I cannot afford that travel cost currently :-( so will be many ) As somebody struggling to "make sense"

Re: Helping with Softraid testing

2007-11-19 Thread Siju George
On Nov 19, 2007 5:12 AM, Ray Percival <[EMAIL PROTECTED]> wrote: > On Nov 18, 2007, at 3:34 PM, Siju George wrote: > > > > > I know I cannot escape recompiling the kernel because it is necessary > > for updates. But as far as possible I would like to stay away from it > > on production machines :-

Re: Helping with Softraid testing

2007-11-19 Thread Marco Peereboom
Nah, single disk is fine. On Mon, Nov 19, 2007 at 01:12:29PM +, Edd Barrett wrote: > On 19/11/2007, Marco Peereboom <[EMAIL PROTECTED]> wrote: > > sparc > > > > Preferable I'd like to see the testing using real disks. > > Do the slices need to be on different disks to make useful testing? I >

system not using second entry in $PKG_PATH

2007-11-19 Thread Juan Miscaro
On two OpenBSD 4.2 systems I have a (master) system that contains two repositories - one of regular packages and one of packages derived from ports. On the client (slave) system I have a script with a PKG_PATH containing both repositories: PKG_PATH_LAN1=ftp://$MASTER/$VERSION/packages/ PKG_PATH_L

Re: Helping with Softraid testing

2007-11-19 Thread Edd Barrett
On 19/11/2007, Marco Peereboom <[EMAIL PROTECTED]> wrote: > sparc > > Preferable I'd like to see the testing using real disks. Do the slices need to be on different disks to make useful testing? I ask because my sparc(64) box has a single FCAL (Fibre Channel) disk, and these things are not easy to

Re: ipsec.conf and AES 256

2007-11-19 Thread Hans-Joerg Hoexer
On Mon, Nov 19, 2007 at 12:26:16PM +0100, Mitja Muženič wrote: > As far as I can tell, currently in ipsec.conf there is no way to use AES > with KEY_LENGHT=256. Is anybody working on adding this? Otherwise I might > try it when the time permits. > > I'm thinking that isakmpd should first learn ab

Re: securing OpenBSD wireless network

2007-11-19 Thread Lars Hansson
On Nov 19, 2007 1:51 PM, Clint Pachl <[EMAIL PROTECTED]> wrote: > Does it even matter? If you want to connect to networks that are using WEP, yes. --- Lars Hansson

Re: Helping with Softraid testing

2007-11-19 Thread Marco Peereboom
On Mon, Nov 19, 2007 at 12:54:04AM +, Stuart Henderson wrote: > Marco, what arch are you missing reports for now? That is the best question to ask :-) The arches that I want more testing on are: alpha armish hp300 hppa landisk luna88k mac68k mvme68k mvme88k sgi sparc vax zaurus Preferable I'd

Re: Helping with Softraid testing

2007-11-19 Thread Marco Peereboom
On Mon, Nov 19, 2007 at 05:04:53AM +0530, Siju George wrote: > On Nov 18, 2007 7:46 PM, Marco Peereboom <[EMAIL PROTECTED]> wrote: > > On Sun, Nov 18, 2007 at 04:32:58AM +0530, Siju George wrote: > > > Thank you so much > > > > > > > Most of your questions are around rebuild or derivatives. This d

Re: Subversion/Apache Mod dav

2007-11-19 Thread David Gwynne
Hi, are you trying to use the subversion port, are you trying to roll your own? dlg On 13/11/2007, at 3:14 PM, Duncan Patton a Campbell wrote: On Mon, 12 Nov 2007 20:49:08 -0600 Duncan Patton a Campbell <[EMAIL PROTECTED]> wrote: Howdy? I'm trying to install mod_dav_svn and mod_authz_sv

ipsec.conf and AES 256

2007-11-19 Thread Mitja Muženič
As far as I can tell, currently in ipsec.conf there is no way to use AES with KEY_LENGHT=256. Is anybody working on adding this? Otherwise I might try it when the time permits. I'm thinking that isakmpd should first learn about a new default transform, let's say AES256 - then adding that into ips

Re: securing OpenBSD wireless network

2007-11-19 Thread Tor Houghton
On Sun, Nov 18, 2007 at 10:51:49PM -0700, Clint Pachl wrote: > > > >OpenBSD supports WEP. > > > > Does it even matter? > Well, if you want to prevent someone from accidentally connecting to your network, yes. Tor

Re: Helping with Softraid testing

2007-11-19 Thread Stuart Henderson
On 2007/11/19 10:27, Edd Barrett wrote: > On 19/11/2007, Stuart Henderson <[EMAIL PROTECTED]> wrote: > > On 2007/11/19 05:04, Siju George wrote: > > > Once all the features in your mind have been implemented in softraid > > > will it make RAIDFRAME redundant? > > > > This is all future stuff, I think

Re: Helping with Softraid testing

2007-11-19 Thread Edd Barrett
On 19/11/2007, Stuart Henderson <[EMAIL PROTECTED]> wrote: > On 2007/11/19 05:04, Siju George wrote: > > Once all the features in your mind have been implemented in softraid > > will it make RAIDFRAME redundant? > > This is all future stuff, I think I'm right in saying that what's > needed first and

Re: Hoststated and randomly dropped connections

2007-11-19 Thread Reyk Floeter
hi! are you sure that the apaches are not dropping the connections when you reach a specific limit of max connections? i've seen problems like this with apache2+linux webservers. - make sure that you tuned some sysctls for hoststated. for example kern.maxfiles, kern.somaxconn, kern.maxclusters, n

Re: FAM issue; how to fix

2007-11-19 Thread Soner Tari
On Sat, 2007-11-17 at 07:56 -0800, badeguruji wrote: > Nov 16 22:43:23 myopenbsdpc famd[1183]: kqueue can't monitor more than 886 > files Setting 'kern.maxfiles=1' in sysctl.conf has solved that issue in my case. (But I still have problems with files on mounted ext3 partitions.)

Hoststated and randomly dropped connections

2007-11-19 Thread Preston Norvell
We have been trying to migrate from an Apache proxy balancer to hoststated and have run into a couple of issues, one of which I have asked about and the other I write about now. We are using 4.2-stable: OpenBSD mesh1 4.2 GENERIC.MP#1378 amd64 This particular issue is rather odd, such that I'm afraid my de