On Tue, 4 Sep 2018 13:16:26 -0400
Daniel Jakots wrote:
> On Tue, 4 Sep 2018 12:05:01 -0500, "Karl O. Pinc"
> wrote:
>
> > Ssh in OpenBSD 6.3 (stable), and I presume 6.2, is vulnerable
> > to username existence checking by remote systems.
>
> It was a
Hi,
Ssh in OpenBSD 6.3 (stable), and I presume 6.2, is vulnerable
to username existence checking by remote systems.
OpenBSD current has a patch.
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
Demonstration code is found here:
https://bugfuzz.com/stuff/ssh-check
On Tue, 20 Oct 2015 01:08:42 -0600
Devin Reade wrote:
>
>
> > On Oct 19, 2015, at 18:26, Karl O. Pinc wrote:
>
> > But if you write DNS names into your pf.conf
> > file then step 2 can be eliminated. All
> > that's required is to reload the rules.
>
On Mon, 19 Oct 2015 12:47:46 -0600
Theo de Raadt wrote:
> > > The supplied patch allows the rc.conf(8) pf
> > > variable to be set to MINIMAL (in addition to
> > > the current YES and NO). A setting of MINIMAL
> > > loads the rc(8) default pf ruleset and enables
> > > pf. MINIMAL means that rc(
Well, since there's no attachments,
I am including the patches inline.
On Mon, 19 Oct 2015 10:27:16 -0500
"Karl O. Pinc" wrote:
> Attached are 3 patches to -current for your
> consideration. Apply with:
>
> cd /usr/src
> patch -p1 ...
>
> The first,
Hello,
Attached are 3 patches to -current for your
consideration. Apply with:
cd /usr/src
patch -p1 ...
The first, expose-default-pf-rules.patch, lets
the sysadm use the rc(8) constructed default pf
ruleset. This ability was, in a sense,
compromised when 5.8 eliminated the pf_rules
variabl
On 11/15/2010 06:35:38 PM, Nick Holland wrote:
> On 11/15/10 15:54, Karl O. Pinc wrote:
> > I've an old HP Vectra, with 64MB RAM. When I try to upgrade
> > from 4.7 to 4.8 the bsd.rd hangs --
> >
> > Where should I go from here?
>
> try a snapshot, or do
Hi,
I've an old HP Vectra, with 64MB RAM. When I try to upgrade
from 4.7 to 4.8 the bsd.rd hangs -- the boot
sequence gets as far as "softraid0 at root"
and then stops. There is no response to
ctrl-alt-del and the system must be power
cycled.
Appended is the output from a serial console
booting
On 11/12/2010 12:41:41 AM, Vivien MOREAU wrote:
> Thursday 11 Nov 2010 23:51 (-0600), Karl O. Pinc wrote:
>
> > I just upgraded from 4.7-stable to 4.8-stable
>
> How did you upgrade? Did you follow instructions at
> <http://www.openbsd.org/faq/upgrade48.html>?
H
Hi,
I just upgraded from 4.7-stable to 4.8-stable
and tried to rebuild the GENERIC i386 kernel
and 'make depend' failed. Figuring that maybe
I'd done something wrong updating the source with
cvs I tried removing /usr/src and replacing it
with the 4.8 tarballs and I had the same
problem.
Here's t
On 11/01/2010 10:02:28 AM, Theo de Raadt wrote:
> We are pleased to announce the official release of OpenBSD 4.8.
I notice that the Errata link on the OpenBSD home page
gets a 404. Are there no errata?
Thanks for all the great work.
Karl
Free Software: "You don't pay back, you pay forward."
On 07/23/2009 05:52:38 AM, Henning Brauer wrote:
* hu st [2009-07-23 12:35]:
> AFAIK pf has only a ftp-proxy anchor.
it has userland helpers for the most relevant protocols.
Is there a list of these anywhere? ftp-proxy is the only
one that comes to mind, of those where the protocol is
stu
On 06/18/2009 05:52:44 PM, Daniel Ouellet wrote:
Hi, here are a few ideas for you.
A few things to think about here depending on what issue you really
try to solve.
First a good ISP after you actually reach them have built redundancy
on their
network, so unless you try a cheap one, then you sho
On 06/18/2009 06:01:36 PM, tico wrote:
The number of networks that filter prefixes smaller than /22 don't
appear to be that numerous IMHO, but if they do, your /24 will
still be reachable as they'll see the larger /19 or whatever from
your provider that it's carved out of.
But not from the 2nd
On 06/18/2009 03:49:08 PM, tico wrote:
Karl O. Pinc wrote:
On 06/18/2009 01:50:17 PM, Pete Vickers wrote:
stop trying to bodge it, and get some PI space.
I'd love to, but how can I justify to ARIN a large enough address
block that it won't be dropped by BGP administrators?
The o
On 06/18/2009 01:50:17 PM, Pete Vickers wrote:
On 18. juni. 2009, at 19.45, Karl O. Pinc wrote:
What's the best way to solve this problem?
stop trying to bodge it, and get some PI space.
I'd love to, but how can I justify to ARIN a large enough address
block that it won'
Hello,
In order to minimize Internet connectivity downtime
I am looking at obtaining connections from 2 ISPs
and running BGP. However I won't have a publicly
routeable IP block from ARIN. Each ISP will
allocate some of their addresses and the LAN's
rfc1918 addresses will be NATted.
This presen
On 06/15/2009 06:58:33 AM, Claudio Jeker wrote:
On Sun, Jun 14, 2009 at 11:28:31PM -0500, Karl O. Pinc wrote:
> Hi,
>
> It occurs to me that multipath routing
> (http://www.openbsd.org/faq/faq6.html#Multipath)
> might not play nicely with ftp-proxy on a firewall
> because pa
Hi,
It occurs to me that multipath routing
(http://www.openbsd.org/faq/faq6.html#Multipath)
might not play nicely with ftp-proxy on a firewall
because passive ftp sessions could multiplex the
data and control connections via different ISPs.
My assumption here is that if you're using
multipath rou
On 02/11/2009 04:55:34 PM, Karl O. Pinc wrote:
On 02/08/2009 08:23:44 PM, Ariane van der Steldt wrote:
On Sun, Feb 01, 2009 at 10:07:49PM -0600, Karl O. Pinc wrote:
> I seem to have a problem where 4.4 hangs writing to swap.
Chances are it's fixed in -current.
I just upgraded to a snaps
On 02/08/2009 08:23:44 PM, Ariane van der Steldt wrote:
On Sun, Feb 01, 2009 at 10:07:49PM -0600, Karl O. Pinc wrote:
> I seem to have a problem where 4.4 hangs writing to swap.
Chances are it's fixed in -current.
I just upgraded to a snapshot and the problem seems
to have gone away. Tha
Hello,
I seem to have a problem where 4.4 hangs writing to swap.
I can run: stress --vm 5 --vm-bytes 5M --vmhang 5 --timeout 1m
under 4.3 but under 4.4 the machine hangs. Here's the background.
I ran nothing but bind (+ cron etc.) on a 586 with 48M of RAM
(machine A, the problem machine). Af
On 07/14/2008 12:47:40 PM, Karl O. Pinc wrote:
I've an OpenBSD box that's been running postfix for a few
years, strictly as a "send-only" mta, and every night the
box gets rebooted. Every couple of months postfix does
not come up on reboot.
For the record, it seems the p
Hi,
I've an OpenBSD box that's been running postfix for a few
years, strictly as a "send-only" mta, and every night the
box gets rebooted. Every couple of months postfix does
not come up on reboot.
All that shows up in the logs is:
postfix/postfix-script[3005]: fatal: Postfix integrity check
f
On 11/08/2007 10:54:20 AM, Soner Tari wrote:
On Wed, 2007-11-07 at 13:45 -0500, Steve Shockley wrote:
> Try using cdbr as the boot record in no emulation, and put cdboot in the
> root directory of the CD.
I've tried as you suggested, and it works ...
For the archives here's a mkisofs comman
On 07/06/2007 06:46:26 PM, Chris Smith wrote:
I assume the problem is not enough RAM because when I
add more RAM everything works fine.
Repeatable? Sure you've ruled out a seating problem?
Yes, repeatable.
I didn't try to reseat the nic (or the ram), but it worked
fine booting from the bsd.r
FYI,
Running OpenBSD 4.0 stable, 32MB RAM, 3 identical
nics.
One symptom of running out of RAM is getting a
panic on boot. The system boots fine with bsd.rd,
but try to boot with the bsd image and you get
(from handwritten notes):
bmtphy1 at dcl phy1; BCM5201 10/100, rev. 2
dc2 at pci0 dev 12
On 07/01/2007 12:53:59 PM, Camiel Dobbelaar wrote:
On Sun, 1 Jul 2007, Karl O. Pinc wrote:
> The basic idea is to modify ftp-proxy so it adds binat
> rules to it's anchors.
You cannot use port in binat rules, so that would not work.
I think this problem can only be fixed i
On 03/22/2007 03:17:00 PM, Stuart Henderson wrote:
One thing to watch out for with binat: you can't use it with
ftp-proxy(8), since binat is of higher priority than the rdr or
nat rules which are added to the anchor. The workaround there
is to list nat and rdr separately.
I just figured this o
On 03/16/2007 02:51:35 PM, Karel Kulhavy wrote:
On Fri, Mar 16, 2007 at 01:26:39PM +, Karl O. Pinc wrote:
> It's actually really easy. Follow the first 2 steps in "man release".
Unfortunately these instructions fail with not being clear if I should
use OPENBSD_4_0_BASE
Thanks very much for taking the time to respond.
On 03/16/2007 02:33:28 PM, Kian Mohageri wrote:
I'm not saying that you're unappreciative, just that it seemed that way.
That is why when I write suggestions, I usually find something to
thank the person for too, just so they don't feel unde
On 03/16/2007 02:51:48 AM, Kian Mohageri wrote:
Expectations aside, being condescending is never warranted. Both
Karl and Martin did just that.
I did not intend to be condescending and apologise if it
was taken that way.
Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay fo
I apologise to the list for responding to
the flames. I made my point and went beyond
into unproductiveness.
I'm sorry and I'll stop now.
Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
On 03/16/2007 12:40:57 AM, Daniel Ouellet wrote:
And what are the developers doing with their time? They give it to
you and you have the got to complain on top of it!
So next time I shouldn't post when I see a problem?
That'll help, not.
Karl <[EMAIL PROTECTED]>
Free Software: "You don't pa
On 03/15/2007 11:55:44 PM, Kian Mohageri wrote:
Security isn't about receiving notifications to your Inbox in a timely
fashion. It is about being proactive yourself. You should be the one
taking measures to secure your systems, and you should be the one
ACTIVELY LOOKING for problems. Watching
On 03/16/2007 12:09:46 AM, Theo de Raadt wrote:
>> I looked for your name on the donations list. I don't see it.
>
>I only buy CDs and stuff occasionally, and generally
>invest time in what I hope are productive ways.
I think you bought one CD.
I think I've bought 4 over the last 5 years.
I w
On 03/15/2007 11:29:22 PM, Theo de Raadt wrote:
I looked for your name on the donations list. I don't see it.
I only buy CDs and stuff occasionally, and generally
invest time in what I hope are productive ways.
How much do I need to donate to keep from having to
waste my time in unproductive
On 03/15/2007 11:04:49 PM, Jeremy Huiskamp wrote:
That's what I was going to say. If you did things properly,
you would have had this patch applied before you knew that it
was a remote hole.
You have a valid point: any bug is a security problem.
However, the topic is not my management practic
On 03/15/2007 10:48:49 PM, Ray Percival wrote:
On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote:
I rely on having a clear channel for security related
problems.
The only communication problem here is that you don't look
at the information that the project puts out there for you.
On 03/15/2007 10:24:31 PM, Tony Abernethy wrote:
Karl O. Pinc wrote:
>
> On 03/14/2007 09:13:19 AM, Martin Schröder wrote:
> > 2007/3/13, Theo de Raadt <[EMAIL PROTECTED]>:
> >> This means everyone should have our latest patches installed.
>
> > Just a re
On 03/14/2007 09:13:19 AM, Martin Schröder wrote:
2007/3/13, Theo de Raadt <[EMAIL PROTECTED]>:
This means everyone should have our latest patches installed.
Just a reminder: security-announce exists for messages like this. Use
it or delete it.
While the bug is bad, the handling of it is eve
Hi,
I've applied patch 009_timezone.patch to update
the tzfiles for the US DST change. (OpenBSD 4.0)
Are the libraries clever enough to know that
the files changed or do processes need to
be restarted.
It's simple enough to reboot
the entire box but I'm curious,
and it's aesthetically pleasing
On 01/01/2007 04:08:49 PM, Ingo Schwarze wrote:
The default is:
- everything except / is nodev
- everything except /sbin /usr /usr/bin /usr/sbin /usr/libexec
/usr/libexec/* /usr/local /usr/local/* /usr/X11R6 /usr/X11R6/bin
is nosuid
- noexec is not used by default
Thanks to everybody
Is the "stock" fstab documented anywhere? That is,
the fstab that you get if you use the recommended
partitions that the install program sets up for you.
I've been shuffling partitions around and would like
something to compare against with regards to
mounting "noexec" "nosuid" etc.
Thanks.
Ka
Hi,
I was wondering why /usr/local/sbin was not in
the $PATH of the default section of /etc/login.conf.
Since /usr/local/bin is in there I can think of no
reason not to also have /usr/local/sbin.
Regards,
Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward."
On 12/25/2006 06:25:44 AM, Reyk Floeter wrote:
hi,
On Sun, Dec 24, 2006 at 09:44:46PM +, Karl O. Pinc wrote:
> I was just messing about upgrading some boxes from 3.8
> and I shut a router down for a while and the bridge
> it was plugged into hung. No response to pings and
> no
Hi,
I was just messing about upgrading some boxes from 3.8
and I shut a router down for a while and the bridge
it was plugged into hung. No response to pings and
no response to the keyboard. The only thing I noticed
was that the 3 keyboard lights were all blinking off
and on together at about a
Hi,
I just installed my shiny new OpenBSD 4.0 cd on a i386 box
and went through the release(8) process to bring
the system up to 4.0-stable as of Nov 4. I notice a lot
of lint warnings somewhat early-on in the process
that happens after the install of the new kernel and the
reboot.
Have I done
On 02/04/2006 01:05:17 AM, veins wrote:
I think you are missing the point, cgd and salting are two different
and unrelated things. It's not because cgd isn't making it into OpenBSD,
that salting won't make it into svnd. I'd explain, but frankly after a
night at work i'd rather go and sleep whi
On 01/03/2006 09:45:02 PM, Ted Unangst wrote:
On 1/3/06, kami petersen <[EMAIL PROTECTED]> wrote:
> on a related subject: what's keeping that diff you did to add salting to
> vnconfig from hitting the tree? (or something like it)
i don't believe that the people asking for cgd really even inten
On 01/02/2006 03:31:10 AM, Marco Pfatschbacher wrote:
Although it's rather hypothetical to have two broken switches
at the same time, your assumptions are correct.
The backup will not take over.
It is rather hypothetical, but perhaps not as much as you
might think. I have already, during peri
On 01/01/2006 03:09:03 PM, Marco Pfatschbacher wrote:
On Sun, Jan 01, 2006 at 12:28:42AM +, Karl O. Pinc wrote:
[...]
> Suppose I have 2 firewalls, one failing over to the
> other with carp. (net.inet.carp.preempt=1 on
> both firewalls.) Each has 3 interfaces, internet,
> lan, a
On 01/01/2006 11:35:19 AM, Jon Hart wrote:
The BNF seems to indicate that what you are trying to do is legal
syntax-wise. At one point I had an ifstated.conf that did something
similar with a master "switch state" that was the target of init-state
-- it would help determine what the correct in
man 5 ifstated.conf says:
"The init block is used to initialise the state and is executed each
time the state is entered."
But this does not seem to be true if you use 'init-state'
to enter the state. Or maybe there's something else
wrong with my config below, or with ifstated when there's
no b
Hi,
Sorry, but I just can't seem to get (all of)
net.inet.carp.preempt from the man pages.
I could set this up and test it, but I know that
somebody's done it already and a quick search of
the list archives fails me.
Suppose I have 2 firewalls, one failing over to the
other with carp. (net.inet.
On 12/23/2005 09:24:09 AM, Jason Crawford wrote:
On 12/23/05, Karl O. Pinc <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I just did a 3.6 -> 3.7 -> 3.8 upgrade and
> looking through the /etc/security mailing
> I see that I don't have /etc/disklabls/
> or /etc/isakmpd/.
FYI, FWIW,
While it's on my mind, I get bit by this whenever I
upgrade.
For whatever reason, whenever I look at /etc/sysctl.conf
I think that I'm looking at the system defaults commented
out, like /etc/ssh/sshd_config. Instead, they are the
opposite of the defaults.
#net.inet.ip.forwarding=1
On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote:
I need to do the following:
1) Allow only ssh to firewall
2) Allow 80, 443 from net to web server through binat
3) Allow 25 and 143 to mail server
Rdr may do what you want (maybe along with some natting
too but my brain is full at the moment a
Hi,
I just did a 3.6 -> 3.7 -> 3.8 upgrade and
looking through the /etc/security mailing
I see that I don't have /etc/disklabls/
or /etc/isakmpd/. These directories do
not seem to be in etc38.tgz, although they
do show up on a system I did a clean 3.8
install on. (3.8 patched to stable as
of De
On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote:
I have a question regarding pf and binat.
I need to protect mail server and web server behind firewall. I am
planning to run pf with binat rules. I need to do the following:
1) Allow only ssh to firewall
2) Allow 80, 443 from net to web serve
On 09/15/2005 10:31:44 PM, j knight wrote:
Karl O. Pinc wrote:
On 09/13/2005 05:16:38 PM, j knight wrote:
Best bet if this track is
taken is to involve pf's load balancing features
(http://www.openbsd.org/faq/pf/pools.html and pf.conf(5)).
What happens when this technique is used an
On 09/13/2005 05:16:38 PM, j knight wrote:
--- Quoting Darrin Chandler on 2005/09/13 at 13:56 -0700:
> You might also want to read
> http://www.inetdaemon.com/columns/ask/internet-load-balancing.shtml,
> which will try to talk you out of using BGP for load balancing and
> present a simpler alte
On 09/13/2005 05:16:38 PM, j knight wrote:
--- Quoting Darrin Chandler on 2005/09/13 at 13:56 -0700:
> which will try to talk you out of using BGP for load balancing and
> present a simpler alternative.
Best bet if this track is
taken is to involve pf's load balancing features
(http://www.op
I may be wrong here but it seems to me that either
http://www.openbsd.org/faq/pf/pools.html#outexample
is wrong in its route-to syntax or the grammar
in pf.conf(5) has a bug.
http://www.openbsd.org/faq/pf/pools.html#outexample
has 4 statements that contain route to, vis:
pass out on $ext_if1 rou
In the BNF grammar it says:
route = "fastroute" |
( "route-to" | "reply-to" | "dup-to" )
( routehost | "{" routehost-list "}" )
[ pooltype ]
Shouldn't it be:
route = "fastroute" |
On 09/12/2005 08:02:24 PM, Arthur Bebak wrote:
Can anybody help and point me in the right direction? Also I should
note that I'm trying to get glibc on an amd64 architecture.
You're probably better off with a package than a port,
something like this might be what you want:
ftp://ftp3.usa.openbs
Hi,
Our goal is uptime/redundancy, in pursuit of that
we're looking to get another T1 (maybe less,
radio or laser link to complement our T1 wire) and peer. If
we can get increased bandwidth that'd be
very desirable too. Right now we're supporting
about 150 users. With an extensive pf rule set