Re: sudo won't work with login_fingerprint

2009-04-24 Thread Nick Guenther
omg we have finger print reader support??? !

I installed the port and I'm playing with it. Can you post your full
config? The login_fingerprint docs are short on the troubleshooting. I
can enroll my fingers and I've got su asking me for finger swipes but
whenever I do it says "invalid swipe" or "login incorrect".

I see the same result as you with sudo. Annoying. Sudo must not be
feeding it correctly right, but perhaps login_fingerprint is expecting
wrongly.

It would be a neat gimmick if we could get this working!

-Nick

On 23/04/2009, LEVAI Daniel  wrote:
> Hi!
>
> I've set up this login_fingerprint port and it is working fine in console
> logins and with `su`, but with sudo I can't seem to get it to work.
> I've modified my /etc/login.conf like this:
> # Default allowed authentication styles
> auth-defaults:auth=-fingerprint,passwd,skey:\
> :x-fingerprint=7:
>
> I've just added the fingerprint stuff. Now when running sudo, and typing in my
> password 3 times:
>
> $ sudo -l
> -fingerprint: challenge not supported
> sudo password(daniell):
> -fingerprint: response not supported
> Sorry, try again.
> -fingerprint: challenge not supported
> sudo password(daniell):
> -fingerprint: response not supported
> Sorry, try again.
> -fingerprint: challenge not supported
> sudo password(daniell):
> -fingerprint: response not supported
> Sorry, try again.
> sudo: 3 incorrect password attempts
>
> With `sudo -a` I can specify the "passwd" type, and can sudo with my password,
> so no big problem, I'm just wondering what special configuration is needed
> for sudo to work with this auth type.
>
> Any ideas would be appreciated, thanks!
>
> Daniel
>
> --
> LIVAI Daniel
> PGP key ID = 0x4AC0A4B1
> Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: question about net.inet.carp.preempt

2009-04-24 Thread Imre Oolberg

Hallo!

Thanks for the reply! I am also aware that one popular use of 
net.inet.carp.preempt is to control how the computer system as a whole 
reacts to errors like one physical interface going dead.


'man carp' says about net.inet.carp.preempt:

Allow virtual hosts to preempt each other. It is also used to failover 
carp interfaces as a group.  When the option is enabled and one of the 
carp enabled physical interfaces goes down, advskew is changed to 240 on 
all carp interfaces.  See also the first example. Disabled by default.


What I was mainly interested in this time is, so to say, the practical 
meaning of the first sentence: how a pair of carp interfaces in a 
carp group behave while .carp.preempt is not set or is set.


I decided to dig a little bit deeper because sometimes I can't predict 
events when I add another vlan and carp interface to the running system 
(master for that particular carp device appears on the wrong side etc). 
It could easily be said to me that if you are so interested, use the 
source, but I am sorry, the source is not much help for me; I am more 
of just a user.



Imre


Felipe Alfaro Solana wrote:
> On Thu, Apr 23, 2009 at 12:05 PM, Imre Oolberg  wrote:
>> Hallo!
>>
>> I would like to confirm my understanding of how carp works and if the
>> following holds generally true.
>>
>> After having on all participating nodes set to
>>
>>  # sysctl -w net.inet.carp.preempt=0
>
> AFAIK CARP preempt has meaning only in the context of the machine to which
> it applies. When CARP preempt is enabled, in a machine with multiple CARP
> interfaces, whenever one CARP interface fails over, all other CARP
> interfaces in the machine fail over too.
>
> I'm using this on my 2-firewall configuration (active-passive) where each
> machine has two CARP interfaces: internal interface and Internet-facing
> interface. Whenever one of the interfaces fails over, the other does too. This
> way, both interfaces are either master or backup, at the same time. This
> avoids the case where the internal interface is master and the
> Internet-facing interface is backup (or the opposite).
>
>> one could change advskew value and actually no carp takeover takes place
>> automatically until issuing on the becoming master node
>>
>>  # ifconfig carp-interface-name state master
>>
>> or on becoming backup node
>>
>>  # ifconfig carp-interface-name state backup
>>
>> After that the carp master and backup change roles.
>>
>> On the other hand, if all participating nodes are set to
>>
>>  # sysctl -w net.inet.carp.preempt=1
>>
>> then under similar changes in advskew carp takeover happens automatically,
>> i.e. master and backup change roles and 'state master' or 'state backup'
>> don't need to be issued manually. (As merriam-webster says in one case for
>> preemptive being 'marked by the seizing of the initiative; initiated by
>> oneself')
>>
>> Imre
>>
>> PS The scope of this experiment is takeover within a particular carp group
>> (practically between two physical interfaces) and not for all carp groups
>> as in case with firewall with several physical interfaces.
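The preempt semantics the thread keeps circling (Imre's advskew experiment, Felipe's two-interface firewall pair, and the "advskew is changed to 240" sentence from carp(4)) can be tried out in a small model. The following is an added example written for this digest, not OpenBSD's carp(4) code: it assumes two nodes, A at advskew 0 and B at advskew 100, and applies only the rules the thread states; advertisement timing, advbase and tie-breaking are left out.

```python
"""Toy model of CARP master election with net.inet.carp.preempt on or off.

Added example; not OpenBSD's carp(4) code.  Models only what the thread states:
a backup with a lower advskew takes over from a live master only if preempt is
set on that backup; otherwise roles change on 'ifconfig carpN state ...' or when
the master stops advertising; with preempt set, a physical link going down sets
advskew to 240 on all of that node's carp interfaces (group failover).
"""

DEMOTED_ADVSKEW = 240   # value carp(4) assigns when a link drops under preempt


class Node:
    """One host: its carp interfaces and the physical links they ride on."""

    def __init__(self, name, preempt):
        self.name = name
        self.preempt = preempt        # this host's net.inet.carp.preempt
        self.carps = {}               # carpN -> {"advskew": int, "phys": str}
        self.links = {}               # physical interface -> link up?

    def add_carp(self, carp, phys, advskew):
        self.carps[carp] = {"advskew": advskew, "phys": phys}
        self.links.setdefault(phys, True)

    def set_link(self, phys, up):
        self.links[phys] = up
        if not up and self.preempt:   # demote every group, as carp(4) says
            for conf in self.carps.values():
                conf["advskew"] = DEMOTED_ADVSKEW

    def advertises(self, carp):
        """A carp interface is heard only while its physical link is up."""
        return self.links[self.carps[carp]["phys"]]


class Cluster:
    """Carp groups shared by a set of nodes; master[carpN] is a node name."""

    def __init__(self, *nodes):
        self.nodes = nodes
        self.master = {}

    def force_state(self, node_name, carp, state):
        """'ifconfig carpN state master' or 'state backup' run on one node."""
        if state == "master":
            self.master[carp] = node_name
        elif self.master.get(carp) == node_name:
            del self.master[carp]

    def converge(self):
        """One advertisement round: fill empty masterships, then let nodes
        with preempt take over from a master with a worse (higher) advskew."""
        for carp in self.nodes[0].carps:
            def skew(node):
                return node.carps[carp]["advskew"]
            live = [n for n in self.nodes if n.advertises(carp)]
            current = next((n for n in live if n.name == self.master.get(carp)), None)
            if current is None:       # master silent or stepped down
                if live:
                    self.master[carp] = min(live, key=skew).name
                else:
                    self.master.pop(carp, None)
                continue
            challengers = [n for n in live if n.preempt and skew(n) < skew(current)]
            if challengers:
                self.master[carp] = min(challengers, key=skew).name
        return dict(self.master)


def two_nodes(preempt, carps):
    """Node A (advskew 0) and B (advskew 100) sharing the given carp groups."""
    a, b = Node("A", preempt), Node("B", preempt)
    for carp, phys in carps:
        a.add_carp(carp, phys, 0)
        b.add_carp(carp, phys, 100)
    cluster = Cluster(a, b)
    cluster.converge()                # A wins every group to start with
    return a, b, cluster


def advskew_swap(preempt):
    """Imre's experiment: make B the preferred node by swapping advskew, then
    step A down by hand.  Returns the master after each of the two steps."""
    a, b, cluster = two_nodes(preempt, [("carp0", "em0")])
    a.carps["carp0"]["advskew"] = 100
    b.carps["carp0"]["advskew"] = 0
    after_swap = cluster.converge()["carp0"]
    cluster.force_state("A", "carp0", "backup")
    after_manual = cluster.converge()["carp0"]
    return after_swap, after_manual


def link_failure(preempt):
    """Felipe's firewall pair: internal carp0 on em0, Internet-facing carp1 on
    em1.  A's em1 goes down; returns the master of each group afterwards."""
    a, b, cluster = two_nodes(preempt, [("carp0", "em0"), ("carp1", "em1")])
    a.set_link("em1", False)
    return cluster.converge()


if __name__ == "__main__":
    for preempt in (False, True):
        print("preempt=%s: advskew swap -> %s, manual step-down -> %s; link failure -> %s"
              % ((preempt,) + advskew_swap(preempt) + (link_failure(preempt),)))
```

With preempt off, `advskew_swap` leaves A as master until the manual `state backup`, exactly Imre's observation; with preempt on, B takes over on the next round. `link_failure` shows Felipe's point: without preempt only the group on the dead link moves to B (internal on A, Internet-facing on B, the split he wants to avoid), while with preempt A demotes both groups to advskew 240 and B takes both.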




Re: sudo won't work with login_fingerprint

2009-04-24 Thread LEVAI Daniel
On Friday 24 April 2009 09.28.34 you wrote:
> omg we have finger print reader support??? !
>
> I installed the port and I'm playing with it. Can you post your full
> config? The login_fingerprint docs are short on the troubleshooting. I
> can enroll my fingers and I've got su asking me for finger swipes but
> whenever I do it says "invalid swipe" or "login incorrect".
You need to enroll_fingerprint(8) as the target (root) user too, so root will
have a ~/.fprint directory too.

> I see the same result as you with sudo. Annoying. Sudo must not be
> feeding it correctly right, but perhaps login_fingerprint is expecting
> wrongly.
>
> It would be a neat gimmick if we could get this working!
I just followed /usr/local/share/doc/login_fingerprint/README:
$ enroll_fingerprint -f 7
It has populated a ~/.fprint/ dir with the scanned fingerprint, and after the
login.conf modify I could login on the console and do `su`. Only sudo seems
to need the '-apasswd' option to force it to use the passwd auth type instead
of the -fingerprint type. But grepping thru sudo's source I couldn't find
this error message anywhere :\

My modifications in login.conf are only the following:
--- /var/backups/etc_login.conf.backup  Thu Apr 16 16:06:00 2009
+++ /etc/login.conf Thu Apr 23 17:15:23 2009
@@ -23,7 +23,8 @@
 #

 # Default allowed authentication styles
-auth-defaults:auth=passwd,skey:
+auth-defaults:auth=-fingerprint,passwd,skey:\
+   :x-fingerprint=7:

 # Default allowed authentication styles for authentication type ftp
 auth-ftp-defaults:auth-ftp=passwd:
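Review bot: Putting `-fingerprint` at the head of `auth-defaults` makes it the first style tried by every class that chains to `auth-defaults`, not only by enrolled users; the `sudo -l` transcript earlier in the thread (`-fingerprint: challenge not supported`, three failed attempts) shows what a program that cannot run that style does with it. The port README's separate `fingerprint:` class with `:auth=-fingerprint,passwd:` and `:tc=default:`, assigned with usermod(8) to the users who have enrolled, would leave `auth-defaults:auth=passwd,skey:` untouched for everyone else and contain the change.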


Daniel

> On 23/04/2009, LEVAI Daniel  wrote:
[...]
> > $ sudo -l
> > -fingerprint: challenge not supported
> > sudo password(daniell):
> > -fingerprint: response not supported
> > Sorry, try again.
> > -fingerprint: challenge not supported
> > sudo password(daniell):
> > -fingerprint: response not supported
> > Sorry, try again.
> > -fingerprint: challenge not supported
> > sudo password(daniell):
> > -fingerprint: response not supported
> > Sorry, try again.
> > sudo: 3 incorrect password attempts
[...]

--
LIVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: Upgrade to -current

2009-04-24 Thread LEVAI Daniel
On Friday 24 April 2009 08.50.11 you wrote:
> Currently I am using 4.2 stable and I am willing to upgrade to -current
> because of some new features which I need.
> According to the faq (http://www.openbsd.org/faq/faq5.html#Bld) I should first
> upgrade to the closest binary, which means upgrade from 4.2 to 4.3 and then to
> 4.4 ( Latest snapshot ) and finally Fetch & build *-current.
>
> The above process as you know will be a highly time consuming process and I
> prefer to stick to my current 4.2 rather than going through that. Why not just
> Fetch & build -current directly?  What is your recommended approach for
> upgrading to -current ?
Upgrading thru the binary releases is not that tedious, and you could upgrade
to a binary snapshot of -current after the latest binary release has been
installed. No need to compile -current AFAIK.

Daniel

--
LIVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1



Re: autowhitelister for spamd needs testing

2009-04-24 Thread Gregory Edigarov

Aaron Mason wrote:
> On Fri, Apr 24, 2009 at 11:01 AM, Dan Harnett  wrote:
>>> On top of that, if VeriSign could be tricked into signing a fake
>>> Microsoft ActiveX key, can you really trust the authorities?
>>
>> Are you implying SPF records are validated somewhere and signed by a
>> trusted third party?  They're not.  They're provided by the bad guys.  A
>> more proper analogy would be that you received an ActiveX control signed
>> by "The Bad Guys Who Do Bad Things".  They were nice enough to sign it,
>> so you accept it.
>
> I was implying no such thing.  I was referring to using WHOIS to block
> spammers on the basis of the date the domain was registered.
>
>> asfjsakf1359.com TXT "v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all"
>
> Ok, now that gives us a pointer by which to block fraudulent folk.
> That record means anyone and everyone can send an email using that
> domain name.  A proper SPF record wouldn't have an all-encompassing IP
> range.  In fact, who in the world would have anything more than a /7
> block?
>
> However that alone wouldn't deter any spammer - just limit the range
> to what's accepted and you're in.  And any limit you set will only
> cause more dramas.  Sure you could limit it to /24 and smaller, or
> even to single addresses, but what about those select folk who have
> been assigned /8 classless subnets?  That's a whole lotta SPF records
> for one subdomain.
>
> No solution is perfect, but a small group of imperfect solutions is a
> far cry better than no solutions at all and our mailboxes being
> inundated with spam.  The problem's here to stay, all we can do is
> deal with it as best we can.

Well, nobody's perfect, and there is no perfect solution.
And I do not even pretend that I made a perfect solution.
It still requires /dev/brain, /dev/eyes, and /dev/hands...
Ok, thank you all for the interesting discussion. I think I could develop a
more advanced solution that will check blocks found by SPF lookup
through WHOIS lookup...


--
With best regards,
Gregory Edigarov



Re: rt.fm ftp server dumps core

2009-04-24 Thread Paul Irofti
On Thu, Apr 23, 2009 at 03:37:00PM -0600, Jeff Ross wrote:
> Hi,
>
> For a while now I've been getting segmentation faults when I try to 
> download snapshots from rt.fm
>
> ftp> mget *tgz
> mget base45.tgz? all
> Prompting off for duration of mget.
> local: base45.tgz remote: base45.tgz
> 150 Opening BINARY mode data connection for 'base45.tgz' (48267043 bytes).
> 100% |**| 47135 KB00:41
> 226 Transfer complete.
> 48267043 bytes received in 41.35 seconds (1.11 MB/s)
> local: comp45.tgz remote: comp45.tgz
> 150 Opening BINARY mode data connection for 'comp45.tgz' (90067409 bytes).
> 100% |**| 87956 KB01:12
> 421 Service not available, remote server has closed connection.
> Segmentation fault (core dumped)

I'm running a similar command now on pub/OpenBSD/snapshots/i386. Is that
what you're doing? Also, it would've been nice to include a trace from
the core.



Re: Problem with slow disk I/O

2009-04-24 Thread Jan Stary
> First on Ubuntu:
> /dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro)
> ~$ time (tar -zxf ports.tar.gz && sync)
> real  0m47.784s

> Then the same commands on OpenBSD:
> /dev/wd0k on /home type ffs (local, nodev, nosuid, softdep)
> $ time (tar -zxf ports.tar.gz && sync)
> 1m2.62s real 0m1.15s user 0m7.15s system

> >>>So you have ~52 seconds on ext3 mounted  'realtime' (whatever that 
> >>>means),
> >>>versus ~63 seconds on ffs mounted with 'softdep'.

Replying to myself,

'realtime' implies noatime, says http://lwn.net/Articles/244829/
(Isn't "once upon atime" an amusing title?)

And https://help.ubuntu.com/community/Fstab says that 'async'
is the default for Ubuntu ext3 mounts. Is your ext3 mounted
async? The mount line doesn't say so - but is that hidden
under 'realtime', too?

> Also, doesn't ext2/3 run with everything mount async?
> A quick test with ffs in async mode (instead of, or added to softdep) 
> would also be worth running, in order to see how much "grossly insecure 
> I/O" lessens the perceived time.
> I am one of those who like to keep my 
> files, so I wont recommend USING async, but for the sake of argument 
> here, such a test might be in order.

softdep and async are mutually exclusive.

This is what happens with and without noatime (+ softdep, of course),
and with async replacing softdep, on my machine:

# uname -a
OpenBSD stary.dhcp.fjfi.cvut.cz 4.4 GENERIC.MP#2 i386

# mount
/dev/wd0a on / type ffs (local)
/dev/wd0d on /usr type ffs (local, nodev, softdep)
/dev/wd0e on /var type ffs (local, nodev, nosuid, softdep)
/dev/wd0f on /var/log type ffs (local, nodev, nosuid, softdep)
/dev/wd0g on /var/mail type ffs (local, nodev, nosuid, softdep)
/dev/wd0h on /tmp type ffs (local, nodev, nosuid, softdep)
/dev/wd0i on /home type ffs (local, nodev, nosuid, softdep)
/dev/wd0k on /dload type ffs (local, nodev, nosuid, softdep)
/dev/wd0j on /backup type ffs (local, nodev, nosuid, softdep)

# cd /backup
# ls -l ports.tar.gz
-rw-r--r--  1 root  wheel  14583699 Aug  9  2008 ports.tar.gz

# time { tar xzf ports.tar.gz ; sync ; }
1m5.51s real 0m0.00s user 0m0.00s system
# time rm -rf ports
0m13.88s real 0m0.20s user 0m1.56s system

# cd
# umount /backup
# mount -o nodev,nosuid,softdep,noatime /dev/wd0j /backup
# cd /backup

# time { tar xzf ports.tar.gz ; sync ; }
1m6.85s real 0m0.00s user 0m0.00s system
# time rm -rf ports
0m14.72s real 0m0.16s user 0m1.33s system

# cd
# umount /backup
# mount -o nodev,nosuid,async /dev/wd0j /backup
# cd /backup

# time { tar xzf ports.tar.gz ; sync ; }
0m39.44s real 0m0.00s user 0m0.01s system
# time rm -rf ports
0m6.80s real 0m0.19s user 0m1.45s system


Jan



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread David Walker
From:  Claudio Jeker
> The main encapsulation over ADSL is PPPoE or PPPoA; only lately, with the
> spread of IPTV and VDSL, is EFM (Ethernet First Mile) used by some telcos.
> So it totally depends on what your provider is giving you.

Hi Claudio.
Maybe I didn't explain myself or perhaps I am trying to explain
something that doesn't make sense.
I understand there are differing methods of getting the packets from
the exchange to the premises, etcetera.
Considering the existing popular method of PPPoE is there more than
one way to collect those packets at the first adapter after the modem?

My current scenario:
DSLAM<-PPPoE->Modem<-TCP/IP->Router
In this case, the relevant adapter on the router gets an IP address
from the modem's DHCP server. All the PPPoE to IP transactions occur
within the modem.
The hostname.if file on the router:
DHCP none none none

The other scenario:
DSLAM<-PPPoE->Modem<-PPPoE->Router
In this case the relevant adapter on the router receives PPPoE
encapsulated packets from the modem exactly as they are sent from the
exchange.
The modem does not do any PPPoE to IP conversion.
The hostname.if file on the router merely says "up".
There is also an /etc/hostname.pppoe0 file on the router.

This "other scenario" seems to be the intent of pppoe(4):
 This is often used to connect a router via a DSL modem to an access con-
 centrator.  The pppoe interface does not by itself transmit or receive
 frames, but needs an Ethernet interface to do so.  This Ethernet inter-
 face is connected to the pppoe interface via ifconfig(8).  The Ethernet
 interface needs to be marked UP, but does not need to have an IP address.

So it is quite different from my "current scenario" - no IP address for a start.

Am I reading all this correctly?

Best wishes.



Transparent Firewall (bridge) with DMZ + LAN

2009-04-24 Thread openbsder
I'm currently interested in setting up a three-legged network, using OBSD+PF
as the firewall. Originally, I had jus



Transparent firewall (bridge) with DMZ + LAN

2009-04-24 Thread openbsder
I am currently interested in setting up a three-legged network topology,
using OBSD+PF as the firewall appliance. Originally, I was going to simply
have the firewall equipped with three network cards: one for DMZ, one for
LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was
for a switch to be used on both DMZ and LAN, providing NAT on both segments.
Pretty straightforward.

Recently, it has been suggested that a transparent firewall implementation
is ideal where possible. But as far as I understand, transparency is only
available when the firewall acts as a bridge between TWO networks. How would
I keep both my DMZ and LAN while using a bridging firewall? Is it even
possible?



Re: sudo won't work with login_fingerprint

2009-04-24 Thread Nick Guenther
On Fri, Apr 24, 2009 at 3:38 AM, LEVAI Daniel  wrote:
> On Friday 24 April 2009 09.28.34 you wrote:
>> omg we have finger print reader support??? !
>>
>> I installed the port and I'm playing with it. Can you post your full
>> config? The login_fingerprint docs are short on the troubleshooting. I
>> can enroll my fingers and I've got su asking me for finger swipes but
>> whenever I do it says "invalid swipe" or "login incorrect".
> You need to enroll_fingerprint(8) as the target (root) user too, so root will
> have a ~/.fprint directory too.

When I say "su" I actually meant I'm running "su $USER".

>> I see the same result as you with sudo. Annoying. Sudo must not be
>> feeding it correctly right, but perhaps login_fingerprint is expecting
>> wrongly.
>>
>> It would be a neat gimmick if we could get this working!
> I just followed /usr/local/share/doc/login_fingerprint/README:
> $ enroll_fingerprint -f 7
> It has populated a ~/.fprint/ dir with the scanned fingerprint, and after the
> login.conf modify I could login on the console and do `su`. Only sudo seems
> to need the '-apasswd' option to force it to use the passwd auth type instead
> of the -fingerprint type. But grepping thru sudo's source I couldn't find
> this error message anywhere :\
>
> My modifications in login.conf is only the following:
> --- /var/backups/etc_login.conf.backup  Thu Apr 16 16:06:00 2009
> +++ /etc/login.conf Thu Apr 23 17:15:23 2009
> @@ -23,7 +23,8 @@
>  #
>
>  # Default allowed authentication styles
> -auth-defaults:auth=passwd,skey:
> +auth-defaults:auth=-fingerprint,passwd,skey:\
> +   :x-fingerprint=7:
>
>  # Default allowed authentication styles for authentication type ftp
>  auth-ftp-defaults:auth-ftp=passwd:
>

I followed the README too but it told me to add this:
#
# The fingerprint login class allows the fingerprint and passwd
# authentication methods and checks your 7th (right index) finger.
#
fingerprint:
:auth=-fingerprint,passwd:\
:x-fingerprint=7:\
:tc=default:

and I had to do "sudo usermod -L fingerprint $USER" to get "su $USER"
to start asking me to swipe. Do we maybe have different versions (I
should probably shyly mention here that I'm on -CURRENT right now)?

Why are we writing "-fingerprint" instead of "fingerprint"?
login.conf(8) is hazy on what this means. It doesn't seem to matter
especially which is chosen.

I suspect my problem is a driver issue. I have a 1600 chip (as linux
tells me... dunno why OpenBSD) but the driver is written for 1610
chips. Until I can at least use su with my finger I'm not sure I can
help you.

-Nick



Re: sudo won't work with login_fingerprint

2009-04-24 Thread LEVAI Daniel
On Friday 24 April 2009 12.27.50 you wrote:
> On Fri, Apr 24, 2009 at 3:38 AM, LEVAI Daniel  wrote:
> > On Friday 24 April 2009 09.28.34 you wrote:
> >> omg we have finger print reader support??? !
> >>
> >> I installed the port and I'm playing with it. Can you post your full
> >> config? The login_fingerprint docs are short on the troubleshooting. I
> >> can enroll my fingers and I've got su asking me for finger swipes but
> >> whenever I do it says "invalid swipe" or "login incorrect".
> >
> > You need to enroll_fingerprint(8) as the target (root) user too, so root
> > will have a ~/.fprint directory too.
>
> When I say "su" I actually meant I'm running "su $USER".
Then you must run enroll_fingerprint as $USER, to make the
$USER_HOMEDIR/.fprint/ directory and the corresponding files.

>
> >> I see the same result as you with sudo. Annoying. Sudo must not be
> >> feeding it correctly right, but perhaps login_fingerprint is expecting
> >> wrongly.
> >>
> >> It would be a neat gimmick if we could get this working!
> >
> > I just followed /usr/local/share/doc/login_fingerprint/README:
> > $ enroll_fingerprint -f 7
> > It has populated a ~/.fprint/ dir with the scanned fingerprint, and after
> > the login.conf modify I could login on the console and do `su`. Only sudo
> > seems to need the '-apasswd' option to force it to use the passwd auth
> > type instead of the -fingerprint type. But grepping thru sudo's source I
> > couldn't find this error message anywhere :\
> >
> > My modifications in login.conf is only the following:
> > --- /var/backups/etc_login.conf.backup  Thu Apr 16 16:06:00 2009
> > +++ /etc/login.conf Thu Apr 23 17:15:23 2009
> > @@ -23,7 +23,8 @@
> >  #
> >
> >  # Default allowed authentication styles
> > -auth-defaults:auth=passwd,skey:
> > +auth-defaults:auth=-fingerprint,passwd,skey:\
> > +   :x-fingerprint=7:
> >
> >  # Default allowed authentication styles for authentication type ftp
> >  auth-ftp-defaults:auth-ftp=passwd:
>
> I followed the README too but it told me to add this:
> #
> # The fingerprint login class allows the fingerprint and passwd
> # authentication methods and checks your 7th (right index) finger.
> #
>
> fingerprint:
> :auth=-fingerprint,passwd:\
> :x-fingerprint=7:\
> :tc=default:
>
I've done the same thing except I've added this to the default class, so I
don't have to change the already made classes (which include
"auth-defaults").

> and I had to do "sudo usermod -L fingerprint $USER" to get "su $USER"
> to start asking me to swipe. Do we maybe have different versions (I
> should probably shyly mention here that I'm on -CURRENT right now)?
I'm using -current too, but in this case it doesn't matter; the login classes
we use are not the same, but that's all.

> Why are we writing "-fingerprint" instead of "fingerprint"?
> login.conf(8) is hazy on what this means. It doesn't seem to matter
> espcially which is chosen.
man login.conf:
 Local authentication styles may be added by creating a login script for
 the style (see below).  To prevent collisions with future official BSD
 Authentication style names, all local style names should start with a
 dash (-).

^^^ That is why the -fingerprint; also:
# ls -l /usr/libexec/auth/
[...]
login_-fingerprint
[...]

> I suspect my problem is a driver issue. I have a 1600 chip (as linux
> tells me... dunno why OpenBSD) but the driver is written for 1610
> chips. Until I can at least use su with my finger I'm not sure I can
> help you.
What does `ls -lR /home/$USER/.fprint/` tell you? Do you have the proper
scanned fingerprints there? Do you have the $USER in the fingerprint class
(if you've followed the README file with login_fingerprint)?

Daniel

--
LIVAI Daniel
PGP key ID = 0x4AC0A4B1
Key fingerprint = D037 03B9 C12D D338 4412  2D83 1373 917A 4AC0 A4B1
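To see what a class actually resolves to once `tc=` chaining is taken into account, and whether every style in it has a `login_<style>` script, here is an added Python example for this thread; it is not part of the login_fingerprint port or of OpenBSD. It assumes only the login.conf(5) capability syntax and the naming convention Daniel quotes above. The sample login.conf text and the temporary auth directory are constructed, and the `nodash` class exists solely to show a local style that ignores the leading-dash convention.

```python
"""Resolve the auth styles a login.conf class ends up with (through tc=
chaining) and check that each has a login_<style> script in the auth dir.

Added example for this thread, not part of the login_fingerprint port or of
OpenBSD.  Assumes only the login.conf(5) capability syntax and the convention
quoted from login.conf(5): local style names start with '-' and are served by
/usr/libexec/auth/login_<style>.
"""
import os
import tempfile

# Styles shipped in OpenBSD's /usr/libexec/auth; anything else counts as local.
OFFICIAL_STYLES = ("passwd", "skey", "radius", "reject", "token", "chpass", "lchpass")

# Constructed login.conf excerpt: the thread's auth-defaults change, the
# README's fingerprint class, and a 'nodash' class that ignores the convention.
SAMPLE_LOGIN_CONF = r"""
# Default allowed authentication styles
auth-defaults:auth=-fingerprint,passwd,skey:\
    :x-fingerprint=7:

default:\
    :path=/usr/bin /bin /usr/sbin /sbin:\
    :tc=auth-defaults:

# The fingerprint login class allows the fingerprint and passwd
# authentication methods and checks your 7th (right index) finger.
fingerprint:\
    :auth=-fingerprint,passwd:\
    :x-fingerprint=7:\
    :tc=default:

nodash:\
    :auth=fingerprint,passwd:\
    :tc=default:
"""


def parse_login_conf(text):
    """Return {class: {capability: value}}; boolean capabilities map to True."""
    records, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # record continues on the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        fields = [f for f in "".join(pending).split(":") if f]
        pending = []
        if not fields:
            continue
        caps = {}
        for field in fields[1:]:
            key, sep, val = field.partition("=")
            caps[key] = val if sep else True
        records[fields[0]] = caps
    return records


def lookup(records, cls, cap, seen=None):
    """Resolve one capability for cls, following tc= chains; first hit wins."""
    seen = set() if seen is None else seen
    if cls in seen or cls not in records:       # unknown class or tc= loop
        return None
    seen.add(cls)
    caps = records[cls]
    if cap in caps:
        return caps[cap]
    if "tc" in caps:
        return lookup(records, caps["tc"], cap, seen)
    return None


def auth_styles(records, cls):
    """Styles tried, in order, by programs that do not pass -a <style>."""
    value = lookup(records, cls, "auth")
    return value.split(",") if isinstance(value, str) else []


def missing_scripts(records, cls, auth_dir):
    """Styles of cls that have no login_<style> script in auth_dir."""
    return [s for s in auth_styles(records, cls)
            if not os.path.exists(os.path.join(auth_dir, "login_" + s))]


def badly_named_local_styles(records, cls, official=OFFICIAL_STYLES):
    """Local styles of cls that lack the leading '-' login.conf(5) asks for."""
    return [s for s in auth_styles(records, cls)
            if s not in official and not s.startswith("-")]


def fake_auth_dir(styles):
    """Constructed stand-in for /usr/libexec/auth holding empty login scripts."""
    path = tempfile.mkdtemp()
    for style in styles:
        open(os.path.join(path, "login_" + style), "w").close()
    return path


if __name__ == "__main__":
    recs = parse_login_conf(SAMPLE_LOGIN_CONF)
    auth_dir = fake_auth_dir(["passwd", "skey"])     # port not installed yet
    for cls in ("default", "fingerprint", "nodash"):
        print(cls, auth_styles(recs, cls),
              "missing:", missing_scripts(recs, cls, auth_dir),
              "misnamed:", badly_named_local_styles(recs, cls))
```

Run against a real `/etc/login.conf` and `/usr/libexec/auth`, `missing_scripts` is the quick check for the situation in this thread: a style named in `auth=` whose `login_-fingerprint` script is not where login(1), su(1) and sudo expect it.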



RadiusClient

2009-04-24 Thread Bruno Galindro da Costa
Hi all

What is the radius client package for OpenBSD? What I need to do is
provide pptpd auth with radius. My Radius Server is a Windows Server 2003.
On Ubuntu and Debian the name of the package is radiusclient, downloadable via
apt-get.

--
Att.
Bruno Galindro da Costa
bruno.galin...@gmail.com
Florianópolis - SC



Re: Upgrade to -current

2009-04-24 Thread Neal Hogan
On Fri, Apr 24, 2009 at 1:50 AM, MANI  wrote:
> Currently I am using 4.2 stable and I am willing to upgrade to -current
> because of some new features which I need.
> According to the faq (http://www.openbsd.org/faq/faq5.html#Bld) I should first
> upgrade to the closest binary, which means upgrade from 4.2 to 4.3 and then to
> 4.4 ( Latest snapshot ) and finally Fetch & build *-current.
>
> The above process as you know will be a highly time consuming process and I
> prefer to stick to my current 4.2 rather than going through that. Why not just
> Fetch & build -current directly?  What is your recommended approach for
> upgrading to -current ?

As has already been said, the less tedious way is to go through a
binary upgrade of each version. Check out
http://www.openbsd.org/faq/upgrade44.html for guidance through the
upgrade from 4.3 -> 4.4. The other upgrades will be similar. There are
links at the top of the page that will help you through other
upgrades.

-Neal


> thanks,
> Mani
> *
>
>



--
www.nealhogan.net  www.lambdaserver.com



Re: autowhitelister for spamd needs testing

2009-04-24 Thread Dan Harnett
On Fri, Apr 24, 2009 at 02:16:57PM +1000, Aaron Mason wrote:
> On Fri, Apr 24, 2009 at 11:01 AM, Dan Harnett  wrote:
> >> On top of that, if VeriSign could be tricked into signing a fake
> >> Microsoft ActiveX key, can you really trust the authorities?
> >
> > Are you implying SPF records are validated somewhere and signed by a
> > trusted third party?  They're not.  They're provided by the bad guys.  A
> > more proper analogy would be that you received an ActiveX control signed
> > by "The Bad Guys Who Do Bad Things".  They were nice enough to sign it,
> > so you accept it.
> >
> 
> I was implying no such thing.  I was referring to using WHOIS to block
> spammers on the basis of the date the domain was registered.

Then your analogy didn't even make sense.  No one is being tricked.  I
can recycle old domains as well.  You don't get it.

> > asfjsakf1359.com TXT "v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all"
> 
> Ok, now that gives us a pointer by which to block fraudulent folk.
> That record means anyone and everyone can send an email using that
> domain name.  A proper SPF record wouldn't have an all-encompassing IP
> range.  In fact, who in the world would have anything more than a /7
> block?

That is a proper SPF record.  So, in addition to filtering e-mail,
you're going to start using complicated filters to screen out SPF
records because you're dumb enough to whitelist everything the spammer
tells you to?  Go for it.  Have fun with that.

> However that alone wouldn't deter any spammer - just limit the range
> to what's accepted and you're in.  And any limit you set will only
> cause more dramas.  Sure you could limit it to /24 and smaller, or
> even to single addresses, but what about those select folk who have
> been assigned /8 classless subnets?  That's a whole lotta SPF records
> for one subdomain.

I gave you the simplest and quickest example that came to mind.  If you
have even half a brain, then you'd realize how trivial it would be to
list single IP addresses.  I can even obfuscate it to the point of
nested 'include:'s to keep the TXT records a decent size.  Spammers have
always been one step ahead.  Anything like auto-whitelisting SPF records
would be picked up rather fast and abused easily if it gained widespread
acceptance.  They don't even need to go as far as my example did.  They
just need to whitelist their own little spam haven, which you'll happily
do.

> No solution is perfect, but a small group of imperfect solutions is a
> far cry better than no solutions at all and our mailboxes being
> inundated with spam.  The problem's here to stay, all we can do is
> deal with it as best we can.

You're auto-whitelisting whatever the spammer tells you to and you think
that is preventing spam?  LOL.  The only hindrance here is the brief
moment greylisting was working until you whitelisted the entire
internet.  I think you still don't get it.
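Both Gregory's plan earlier in the thread (look at the blocks an SPF lookup returns before whitelisting) and Dan's objections (a /0 record, nested `include:`s, a record the sender writes to suit himself) can be made concrete. The following is an added example for this thread, not code from the autowhitelister under test: DNS is replaced by a constructed table of TXT answers (every domain except the one Dan quoted is made up), and the thresholds `max_prefix=24` and `max_hosts=256` are assumptions borrowed from Aaron's "/24 and smaller" remark.

```python
"""Judge whether an SPF policy is narrow enough to be a candidate for
auto-whitelisting, following include: chains.

Added example for this thread, not code from the autowhitelister under test.
DNS is replaced by the constructed TXT table below (all domains except the
one Dan quoted are made up); mechanism syntax follows RFC 7208, including its
limit of 10 DNS-querying mechanisms per check.
"""
import ipaddress

MAX_DNS_MECHANISMS = 10   # RFC 7208 section 4.6.4

# Constructed stand-in for DNS TXT lookups.
TXT = {
    # the record Dan quoted: an 'a' mechanism plus the whole IPv4 space
    "asfjsakf1359.com": "v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all",
    # a tight policy: two mail hosts, hard fail for everything else
    "tight.example": "v=spf1 ip4:192.0.2.25 ip4:192.0.2.26 -all",
    # Dan's nested include: trick, hiding a /8 two hops down
    "nested.example": "v=spf1 include:_spf1.nested.example -all",
    "_spf1.nested.example": "v=spf1 ip4:198.51.100.0/24 include:_spf2.nested.example -all",
    "_spf2.nested.example": "v=spf1 ip4:203.0.0.0/8 -all",
    # a record that includes itself
    "loop.example": "v=spf1 include:loop.example -all",
}


def collect_ip4(domain, txt=TXT, _state=None):
    """Return (networks, notes): the ip4 networks the policy authorises and the
    reasons, if any, why the record alone is not enough to judge it."""
    if _state is None:
        _state = {"lookups": 0, "seen": set()}
    nets, notes = [], []
    if domain in _state["seen"]:
        return nets, ["include loop at " + domain]
    _state["seen"].add(domain)
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return nets, ["no SPF record for " + domain]
    for term in record.split()[1:]:
        qualifier = "+"                        # SPF default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            _state["lookups"] += 1
            if _state["lookups"] > MAX_DNS_MECHANISMS:
                notes.append("more than %d DNS mechanisms" % MAX_DNS_MECHANISMS)
                break
            sub_nets, sub_notes = collect_ip4(term[8:], txt, _state)
            nets += sub_nets
            notes += sub_notes
        elif term == "all":
            if qualifier == "+":
                notes.append("+all: every sender passes")
        else:                                  # a, mx, ptr, exists, ip6, redirect=, ...
            notes.append("not decidable from the record alone: " + term)
    return nets, notes


def whitelist_verdict(domain, txt=TXT, max_prefix=24, max_hosts=256):
    """Accept only a policy made of explicit ip4 networks no wider than
    /max_prefix whose combined size stays within max_hosts addresses."""
    nets, notes = collect_ip4(domain, txt)
    nets = list(ipaddress.collapse_addresses(nets)) if nets else []   # merge overlaps
    too_wide = [str(n) for n in nets if n.prefixlen < max_prefix]
    hosts = sum(n.num_addresses for n in nets)
    ok = not notes and not too_wide and 0 < hosts <= max_hosts
    return {"ok": ok, "hosts": hosts, "too_wide": too_wide, "notes": notes}


if __name__ == "__main__":
    for name in TXT:
        print(name, whitelist_verdict(name))
```

The check rejects the quoted /0 record, the /8 hidden behind two `include:` hops, a self-including record and anything that needs further DNS at decision time, and it bounds how many addresses one domain can push into the whitelist. It does nothing about Dan's last point: a record that lists only the spammer's own mail host passes, because the record is still the sender's word, so a pass here limits the blast radius rather than establishing trust.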



Re: RadiusClient

2009-04-24 Thread Jasper Valentijn
2009/4/24 Bruno Galindro da Costa :
> Hi all
>
> What is the radius client package for OpenBSD? What I need to do is
> provide pptpd auth with radius. My Radius Server is a Windows Server 2003.
> On Ubuntu and Debian the name of the package is radiusclient, downloadable via
> apt-get.
>



Search for radius...

--
We spend the first twelve months of our children's lives teaching
them to walk and talk and the next twelve telling them to sit down and
shut up.



Re: RadiusClient

2009-04-24 Thread Paul Irofti
On Fri, Apr 24, 2009 at 09:05:32AM -0300, Bruno Galindro da Costa wrote:
> Hi all
> 
> What is the radius client package for OpenBSD? What I need to do is
> provide pptpd auth with radius. My Radius Server is a Windows Server 2003.
> On Ubuntu and Debian the name of the package is radiusclient, downloadable via
> apt-get.

$ pkg_info -Q radius



Re: sudo won't work with login_fingerprint

2009-04-24 Thread Nick Guenther
On Fri, Apr 24, 2009 at 7:14 AM, LEVAI Daniel  wrote:
> On Friday 24 April 2009 12.27.50 you wrote:
>>
>> I followed the README too but it told me to add this:
>> #
>> # The fingerprint login class allows the fingerprint and passwd
>> # authentication methods and checks your 7th (right index) finger.
>> #
>>
>> fingerprint:
>> :auth=-fingerprint,passwd:\
>> :x-fingerprint=7:\
>> :tc=default:
>>
> I've done the same thing except I've added this to the default class, so I
> don't have to change the already made classes (which are
> including "auth-defaults").
>
>> and I had to do "sudo usermod -L fingerprint $USER" to get "su $USER"
>> to start asking me to swipe. Do we maybe have different versions (I
>> should probably shyly mention here that I'm on -CURRENT right now)?
> I'm using -current too, but in this case it doesn't matter; the login classes
> we use are not the same, but that's all.
>
>> Why are we writing "-fingerprint" instead of "fingerprint"?
>> login.conf(8) is hazy on what this means. It doesn't seem to matter
>> espcially which is chosen.
> man login.conf:
> Local authentication styles may be added by creating a login script for
> the style (see below).  To prevent collisions with future official BSD
> Authentication style names, all local style names should start with a
> dash (-).
>
> ^^^ That is why the -fingerprint; also:
> # ls -l /usr/libexec/auth/
> [...]
> login_-fingerprint
> [...]

Ah. login_fingerprint is installed to two places. Under /usr/local/
it's "login_fingerprint", which is why I was confused.

>> I suspect my problem is a driver issue. I have a 1600 chip (as linux
>> tells me... dunno why OpenBSD) but the driver is written for 1610
>> chips. Until I can at least use su with my finger I'm not sure I can
>> help you.
> What does `ls -lR /home/$USER/.fprint/` tells you? Do you have the proper
> scanned fingerprints there? Do you have the $USER in the fingerprint class
> (if you've followed the README file with login_fingerprint)?
>

The fingerprint files exist alright. The only thing I thought it might
be is that -CURRENT broke login_fingerprint somehow, but if you're
running the same code it must be the driver.
http://reactivated.net/fprint/wiki/Aes1610 sort of suggests that the
reader isn't great to begin with and if mine's a version off I
wouldn't be surprised it's b0rked.

-Nick



Recipient Validation & Design Opinions

2009-04-24 Thread Mario Vega

Hello,

We are putting together an OpenBSD-based border email server to replace 
an aging Linux box.  On the current system, Postfix performs a call 
ahead to two internal boxes for recipient validation.  I'm interested in 
recommendations on how to perform validation with the base sendmail.


The two internal servers use several different domains and accept a 
variety of different name formats.  In addition, some users have one or 
more aliases.  Furthermore, only the primary address is published in 
LDAP.  One server serves approximately 1k users and the other 
approximately 20.


I have been researching milters to perform this task, specifically Eland 
Systems' scam-backscatter.  Our current average load, though I expect it 
to decrease with the use of spamd, is approximately 270k connections per 
day, 115k of which are rejected as invalid.  Does anyone have experience 
with scam-backscatter or are there other solutions we should be 
investigating?


I'm also interested in opinions on the overall design of the solution 
thus far.  As stated previously, our current system is a Linux box 
running Postfix, amavis, clamav and spamassassin.  Due to the nature of 
the store and scan system, we've noticed a tendency for the system to 
become swamped under heavy load and take several hours to clear out. 
Furthermore, we're quarantining viruses and and obvious spam in the 
neighborhood of 89k a day, which I would rather leave at the door.


The OpenBSD system would be running spamd, the base sendmail, 
smtp-vilter, clamav and spamassassin.


To prevent outgoing email from being tagged as spam and to conserve 
resources, I had planned to run sendmail on two different ports.  The 
standard port would handle incoming connections and a second, 
non-standard port, would be restricted with pf for outgoing email.  We 
would then run two instances of smtp-vilter, one which ran spamassassin 
and one which did not.  Use of sendmail's DAEMON_OPTIONS 
InputMailFilters would determine which vilter to run.


In our test environment, using smtpsend, we're seeing approximately 45 
messages/second through smtp-vilter with clamd.  The smtp-vilter 
instance which adds spamassassin is running 5-6 messages/second.


Any recommendations for recipient validation or suggestions on improving 
the system are greatly appreciated.


Thank you,
Mario



[no subject]

2009-04-24 Thread Anon Y. Mous


Re: Unable to mount CD/DVD-RW drive in OpenBSD 4.4/i386.

2009-04-24 Thread Anon Y. Mous
I have attached a .txt file indicating what <#disklabel cd0> returned.



--- On Thu, 4/23/09, minsai0...@yahoo.com  wrote:

> From: minsai0...@yahoo.com 
> Subject: Unable to mount CD/DVD-RW drive in OpenBSD 4.4/i386.
> To: misc@openbsd.org
> Date: Thursday, April 23, 2009, 12:13 PM
> I am unable to get OpenBSD 4.4/i386
> to see my OptiArc DVD+/-RW AD-5540 drive on a Dell Inspiron
> 6400 (E1505) notebook.
>
> Everything else is functional on this system.
>
> Neither /dev/cd0a nor /dev/cd0c work as /etc/fstab
> entries.
>
> The kernel returns: Device not configured.
>
> I also tried /dev/rcd0[n] (where n = a - p) as an
> /etc/fstab entry and it returned an error stating: Device
> block required.
>
> Below is an attachment of my dmesg file and /etc/fstab
> table.
>
> -minsai
>
>
>  
# /dev/rcd0c:
type: ATAPI
disk: ATAPI CD-ROM
label: fictitious
flags:
bytes/sector: 2048
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 1901
total sectors: 190050
rpm: 300
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

0 partitions:
#size   offset  fstype [fsize bsize  cpg]



Re: Upgrade to -current

2009-04-24 Thread L. V. Lammert
On Fri, 24 Apr 2009, MANI wrote:

> Currently I am using 4.2 stable and I am willing to upgrade to -current
> because of some new features which I need.
> According to faq (http://www.openbsd.org/faq/faq5.html#Bld) I should first
> upgrade to closest binary, which means upgrade from 4.2 to 4.3 and then to
> 4.4 ( Latest snapshot ) and finally Fetch & build *-current.
>
> The above process, as you know, will be a highly time consuming process and I
> prefer to stick to my current 4.2 rather than going through that. Why not just
> Fetch & build -current directly?  What is your recommended approach for
> upgrading to -current ?
>
A far better approach would be to backup the current machine, do a fresh
install of 4.5 [from the CDs you pre-ordered], and then restore any needed
files. Moving from 4.5 to -current should be much simpler.

Lee

==
 Leland V. Lammertl...@omnitec.net
  Chief ScientistOmnitec Corporation
 Network/Internet Consultants www.omnitec.net
==



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread Stuart Henderson
On 2009-04-24, David Walker  wrote:
> From:  Claudio Jeker
>> The main encapsulation over ADSL is PPPoE or PPPoA only lately, with the
>> spread of IPTV and VDSL, EFM (Ethernet First Mile) is used by some telcos.
>> So it totally depends on what your provider is giving you.
>
> Maybe I didn't explain myself or perhaps I am trying to explain
> something that doesn't make sense.
> I understand there are differing methods of getting the packets from
> the exchange to the premises, etcetera.
> Considering the existing popular method of PPPoE is there more than
> one way to collect those packets at the first adapter after the modem?
>
> My current scenario:
> DSLAM<-PPPoE->Modem<-TCP/IP->Router

so with this, the modem is terminating the PPP session, and passing the
address on over DHCP. some router vendors call this "half bridge" or
"dhcp spoofing". I'm not sure if it's still subject to the restriction
of ethernet MTU, but if it is, the modem will usually hide this by
clamping MSS, the same way "match scrub (max-mss 1400)" or whatever
does.

> The other scenario:
> DSLAM<-PPPoE->Modem<-PPPoE->Router
> In this case the relevant adapter on the router receives PPPoE
> encapsulated packets from the modem exactly as they are sent from the
> exchange.

that's what I normally do when the ISP and ADSL backhaul support PPPoE;
the modem acts as a dumb bridge and the PPP session is terminated at the
router using pppoe(4). this lets you do things like use IPv6-over-PPP
where supported. (some networks allow you to use either PPPoA or PPPoE
for example the standard ADSL connections in the UK with BT backhaul;
I normally run these as PPPoE unless using them with carp).

>> Can someone let me know if I am correct in assuming that if I want
>> PPPoE in client mode only that PPPoE(4) is the way to go?

usually.

>> Probably a more important question is what, if any, are the advantages
>> or disadvantages compared to DHCP? 

with one vendor implementation of this, it saves you from having a huge
bunch of entries in your arp table... otherwise: control over the PPP
session, maybe better logging, maybe access to ipv6 or multicast which
could be a problem with some CPE modem/routers, and it puts most of
the "per user" settings into the firewall, so it may make it easier
to maintain spare modems/routers for a bunch of lines that you can
just swap-out without reconfiguring. if you need that sort of thing.



Never online on MSN?

2009-04-24 Thread manon
  Hi,

   I saw your ad but when I write to you it comes back as an error? So I'm
trying to reply to your ad once more, because the first time I got a message
saying "mail delivery failed". Is misc@openbsd.org really your address, and is
it your MSN? I added you to my contacts but it doesn't work; you're never
online in any case.

  I wanted to know what kind of encounter you were looking for;
we don't live very far from each other and you're in the age range I'm
looking for. For my part I don't like describing myself with numbers, but I'm
registered on a site where, if you want, you can view a video capture made with
my webcam and my photos under the username "manonmatu". I posted this ad on the
site called www.sexorlove.fr (I think it will give you a more precise idea of
what I'm looking for).

  I might as well tell you that I'm looking for an occasional and simple
relationship with no hassle. I want to live; I'd only like you not to judge me
too quickly, I'm not what you think. In my video I say I'm looking for a tall,
handsome and rich man; the "rich" part was a joke, I really don't care, I have
a very good job and everything I need, I'm not mercenary... I'll tell you more
if you write to me. If you want, leave me a valid MSN if misc@openbsd.org isn't
the right one, either on my email or in my mailbox on the site; it's free
either way. See you soon maybe, tell me what you thought of my little video
captures. Kisses, Manon

To stop receiving replies directly to your email, or if there is an error and
your email address is not associated with a profile you created yourself, you
can unsubscribe from the mailing list at any time by sending "STOP" only from
the email that received this reply (otherwise your request will not be taken
into account) to the following address: ad...@sexorlove.fr, and your email
address will be removed from the mailing list and you will no longer receive
alerts.



Re: rt.fm ftp server dumps core

2009-04-24 Thread Jeff Ross

Paul Irofti wrote:
> On Thu, Apr 23, 2009 at 03:37:00PM -0600, Jeff Ross wrote:
>> Hi,
>>
>> For a while now I've been getting segmentation faults when I try to
>> download snapshots from rt.fm
>>
>> ftp> mget *tgz
>> mget base45.tgz? all
>> Prompting off for duration of mget.
>> local: base45.tgz remote: base45.tgz
>> 150 Opening BINARY mode data connection for 'base45.tgz' (48267043 bytes).
>> 100% |**| 47135 KB00:41
>> 226 Transfer complete.
>> 48267043 bytes received in 41.35 seconds (1.11 MB/s)
>> local: comp45.tgz remote: comp45.tgz
>> 150 Opening BINARY mode data connection for 'comp45.tgz' (90067409 bytes).
>> 100% |**| 87956 KB01:12
>> 421 Service not available, remote server has closed connection.
>> Segmentation fault (core dumped)
>
> I'm running a similar command now on pub/OpenBSD/snapshots/i386. Is that
> what you're doing? Also, it would've been nice to include a trace from
> the core.



Yes, that's what I've been trying to do.

I rm-ed the core file--I thought that there was a problem with the server 
itself but I couldn't find an email contact for the person in charge of the mirror.


Since I posted I've tried another 4 or 5 times and it's been working great.

Jeff



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-24 Thread Felipe Alfaro Solana
On Fri, Apr 24, 2009 at 12:12 PM, openbsder  wrote:

> I am currently interested in setting up a three-legged network topology,
> using OBSD+PF as the firewall appliance. Originally, I was going to simply
> have the firewall equipped with three network cards: one for DMZ, one for
> LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was
> for a switch to be used on both DMZ and LAN, providing NAT on both
> segments.
> Pretty straight forward.
>
> Recently, it has been suggested that a transparent firewall implementation
> is ideal where possible. But as far as I understand, transparency is only
> available when the firewall acts as a bridge between TWO networks. How would
> I keep my DMZ and LAN both while using a bridging firewall. Is it even
> possible?


What do you mean? Whether OpenBSD supports bridging? Whether PF supports
L2-based filtering? Whether you can have two interfaces in a bridge and
have, at the same time, L2-based filtering and L3-based filtering?

By L2-based filtering I mean having the firewall inspect frames/packets from
interfaces that are bridged together that do not have an IP address
configured (i.e. L2-switching).

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: sudo won't work with login_fingerprint

2009-04-24 Thread Todd C. Miller
login_fingerprint only supports login auth, not challenge/response
mode, which is what sudo (and other things) uses.

 - todd



European orders(Sweden) - nohup.se

2009-04-24 Thread Maxim Bourmistrov

Hello misc@,
it has been almost a week since I sent an invoice for an OpenBSD 4.5 CD/t-shirt
to nohup.se.
Well, there is no answer so far and the webpage is outdated and
promoting old releases.


Has anyone from Sweden ever successfully ordered anything from this
site lately?

Any other (successful) paths available?

//maxim



T1 card compatible with 4.4

2009-04-24 Thread (private) HKS
I'm looking for a T1 card compatible with 4.4.

There were a fair number of recommendations for Sangoma's a101 a few
years ago, followed by threads describing major problems and Sangoma
yanking support for OpenBSD. What alternatives work decently under
OpenBSD?

-HKS



Re: autowhitelister for spamd needs testing

2009-04-24 Thread Bob Beck
>   i think part of the success i experience using SPF as a means to create
>   whitelists is in the fact that i maintain the list of domains i fancy
>   whitelisting.  unfortunately, it would be trivial for someone to take
>   advantage of an spf-based automatic whitelist to slip right on thru
>   spamd(8).
> 
>   it's a pisser.
> 

Spam Permitted From is broken as designed. It is most
commonly deployed on throwaway spam domains.  What a surprise!

-Bob



Re: aucat's volume-sharing algorithm

2009-04-24 Thread Thomas Pfaff
On Fri, 24 Apr 2009 11:29:02 -0400
Nick Guenther  wrote:
> I'm playing with the new aucat. Or rather, running it, since unlike
> every other soundserver it doesn't require endless tweaking to just
> work. There is one issue I'm having, and I'm not sure if it's on
> purpose or not. Whenever (say) pidgin (or anything else) plays sound
> my music dims in volume. It makes sense the clients have to be turned
> down so two playing at 100% don't blow the speakers, but the trouble
> is the dip in sound is -really obvious-.

I also think the current "algorithm" is too aggressive; the output
volume is calculated by dividing the maximum volume by the number of
streams (or clients).  While this does guarantee that there will be
no clipping, it means the change in volume is indeed very audible.

Excerpts from /usr/src/usr.bin/aucat/aproc.c:

  n = 0;
  LIST_FOREACH(buf, &p->ibuflist, ient) {
          n++;
  }
  LIST_FOREACH(buf, &p->ibuflist, ient) {
          weight = ADATA_UNIT / n;
          [...]
          buf->mixweight = weight;
  }

Mixing two (or more) streams is not likely to cause any clipping
(sample value out of range) as most samples are not exactly at
peak values all the time.  I don't have a better solution, but I
think something should be done about the current approach; it
just doesn't sound right to me.

I wonder what the other sound daemons do ...



Interpreting strange pflog output

2009-04-24 Thread Aner Perez

Hi,

We have an older OpenBSD 3.9 firewall which we will be upgrading to 4.5 and as a part of the upgrade, we will be locking 
down our outgoing connections.  As a first step, we have added some extra rules to log outgoing connections that are not 
specifically allowed by our current rule set.


While monitoring the pflog output, I occasionally see output that looks like 
this:

Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18
Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21
Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.126.0.0: at-#0 15
Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 > 73.229.0.0: at-#0 18
Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 73.229.0.0: at-#0 96
Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 > 73.174.0.0: at-#0 99

What first jumps out at me is the IP addresses which are not part of our network.  The second thing that jumps out is 
the "at-#0 18" notation.  What does this mean?  I'm assuming the number at the end is the packet size.  What is the 
"at-#0"?  Has anybody seen traffic like this?  Should I be worried?


Also, this output comes from "tcpdump -n -e -ttt -i pflog0 ifname fxp1".  Is there a way I can see the MAC address on 
these logged connections without doing a tcpdump on the physical interface?


This is on "3.9 GENERIC#617 i386" with pf turned on, NTP server enabled and an 
OpenVPN server running.

- Aner

--
Aner Perez
NCS Technologies, Inc
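A small parser for that `tcpdump -n -e -ttt -i pflog0` line format, added here as an example rather than anything from the post or from OpenBSD's own tools: it splits each line into rule, action, direction, interface, endpoints and payload text, flags lines whose payload tcpdump printed in its AppleTalk DDP form (`at-#<type> <len>`, i.e. not decoded as IP), and flags IP lines where neither endpoint falls inside a local network. The local prefix and the extra TCP line are constructed assumptions; the six `at-#0` lines are the ones from the post.

```python
"""Parse `tcpdump -n -e -ttt -i pflog0` lines and flag the odd ones."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the six lines from the post, re-joined where the
# archive wrapped them, plus one made-up ordinary TCP line for contrast.
SAMPLE_PFLOG = """\
Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18
Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21
Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.126.0.0: at-#0 15
Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 > 73.229.0.0: at-#0 18
Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 73.229.0.0: at-#0 96
Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 > 73.174.0.0: at-#0 99
Apr 24 09:50:01.000100 rule 12/(match) pass out on fxp1: 192.168.1.20.51515 > 198.51.100.7.80: S 1:1(0) win 16384
"""

# Assumed local prefix for the demo; the post does not say what the firewall's networks are.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# tcpdump -e -ttt on pflog0: "<ts> rule <n>/(<reason>) <action> <dir> on <if>: <src> > <dst>: <payload>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>[A-Za-z0-9]+): "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<payload>.*)$"
)


@dataclass
class PflogEntry:
    timestamp: str
    rule: int
    reason: str
    action: str
    direction: str
    ifname: str
    src: str
    dst: str
    payload: str


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Return a PflogEntry for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return PflogEntry(g["ts"], int(g["rule"]), g["reason"], g["action"],
                      g["direction"], g["ifname"], g["src"], g["dst"], g["payload"])


def host_part(token: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 host of an 'a.b.c.d' or 'a.b.c.d.port' token (tcpdump -n style), else None."""
    for candidate in (token, token.rsplit(".", 1)[0]):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if isinstance(ip, ipaddress.IPv4Address):
            return ip
    return None


def is_undecoded_ddp(entry: PflogEntry) -> bool:
    """True when tcpdump printed the payload as AppleTalk DDP it did not decode ('at-#<type> <len>')."""
    return entry.payload.startswith("at-#")


def review(text: str, local_nets=LOCAL_NETS) -> List[Tuple[str, str]]:
    """Return (line, reason) for every line worth a second look."""
    findings = []
    for line in text.splitlines():
        entry = parse_pflog_line(line)
        if entry is None:
            findings.append((line, "unrecognised line format"))
            continue
        if is_undecoded_ddp(entry):
            # Not decoded as IP: do not read the dotted quads as IPv4 endpoints.
            findings.append((line, "non-IP payload " + entry.payload.split()[0]))
            continue
        hosts = [host_part(entry.src), host_part(entry.dst)]
        if None in hosts:
            findings.append((line, "endpoint is not an IPv4 address"))
        elif not any(h in net for h in hosts for net in local_nets):
            findings.append((line, "neither endpoint is in a local network"))
    return findings


if __name__ == "__main__":
    for line, reason in review(SAMPLE_PFLOG):
        print(f"{reason}: {line}")
```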



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread Chris Tankersley
Honestly, I think it is going to depend on your ISP. For example, Embarq 
a few years ago switched their 'Embarq' ISP to using a hybrid DHCP setup:


(Whatever the DSLAM connects to)<--PPPoE-->DSLAM<--DHCP-->Modem<--DHCP->

So when you set the modem to 'Bridge' whatever was behind it was set to 
DHCP, not PPPoE. PPPoE no longer worked because the DSLAM took care of 
the PPPoE connection, not the modem anymore.


If you were on someone who resold Embarq, then that reseller had to use 
PPPoE so that it routed back to the reseller correctly.


Chris

David Walker wrote:
> From:  Claudio Jeker
>> The main encapsulation over ADSL is PPPoE or PPPoA only lately, with the
>> spread of IPTV and VDSL, EFM (Ethernet First Mile) is used by some telcos.
>> So it totally depends on what your provider is giving you.
>
> Hi Claudio.
> Maybe I didn't explain myself or perhaps I am trying to explain
> something that doesn't make sense.
> I understand there are differing methods of getting the packets from
> the exchange to the premises, etcetera.
> Considering the existing popular method of PPPoE is there more than
> one way to collect those packets at the first adapter after the modem?
>
> My current scenario:
> DSLAM<-PPPoE->Modem<-TCP/IP->Router
> In this case, the relevant adapter on the router gets an IP address
> from the modem's DHCP server. All the PPPoE to IP transactions occur
> within the modem.
> The hostname.if file on the router:
> DHCP none none none
>
> The other scenario:
> DSLAM<-PPPoE->Modem<-PPPoE->Router
> In this case the relevant adapter on the router receives PPPoE
> encapsulated packets from the modem exactly as they are sent from the
> exchange.
> The modem does not do any PPPoE to IP conversion.
> The hostname.if file on the router merely says "up".
> There is also an /etc/hostname.pppoe0 file on the router.
>
> This "other scenario" seems to be the intent of pppoe(4):
>  This is often used to connect a router via a DSL modem to an access
>  concentrator.  The pppoe interface does not by itself transmit or receive
>  frames, but needs an Ethernet interface to do so.  This Ethernet
>  interface is connected to the pppoe interface via ifconfig(8).  The
>  Ethernet interface needs to be marked UP, but does not need to have an
>  IP address.
>
> So it is quite different from my "current scenario" - no IP address for a start.
>
> Am I reading all this correctly?
>
> Best wishes.




--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



aucat's volume-sharing algorithm

2009-04-24 Thread Nick Guenther
I'm playing with the new aucat. Or rather, running it, since unlike
every other soundserver it doesn't require endless tweaking to just
work. There is one issue I'm having, and I'm not sure if it's on
purpose or not. Whenever (say) pidgin (or anything else) plays sound
my music dims in volume. It makes sense the clients have to be turned
down so two playing at 100% don't blow the speakers, but the trouble
is the dip in sound is -really obvious-.

I found
 -v volume
 Software volume attenuation of the playback stream.  The value
 must be between 1 and 127, corresponding to -42dB and -0dB
 attenuation.  In server mode, clients inherit this parameter.
 Reducing the volume in advance reduces a client's dynamic range, but
 allows client volume to stay independent from the number of
 clients as long as their number is small enough.  A good
 compromise is to use -4dB attenuation (12 volume units) for each
 additional client expected (115 if 2 clients are expected, 103 for 3
 clients, and so on).
which I interpret as saying that if I run aucat as "aucat -l -v 50" it
should predim the volume of any client that connects so that the dip
doesn't happen. If I'm right about that (which I'm not at all sure
that I am) then aucat is behaving badly because I even tried giving
"-v 1" and heard no change at all.



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-24 Thread Tyler Mace
Sorry for the confusion. I understand that bridging is possible under
OpenBSD but it's also my understanding that if I have interfaces A, B, and
C, I can bridge A to either B or C, but not both. Is this correct?

Referring to this topology:
http://upload.wikimedia.org/wikipedia/commons/6/6f/DMZ_network_diagram_1_firewall.svg

I would like to use this setup but with bridging on the firewall if at all
possible. Am I able to keep my firewall acting as the choke point between
all three segments (DMZ, LAN, EXT) while using bridges for transparency?
Hope this makes a little more sense.

On Fri, Apr 24, 2009 at 8:49 AM, Felipe Alfaro Solana <
felipe.alf...@gmail.com> wrote:

> On Fri, Apr 24, 2009 at 12:12 PM, openbsder  wrote:
>
> > I am currently interested in setting up a three-legged network topology,
> > using OBSD+PF as the firewall appliance. Originally, I was going to simply
> > have the firewall equipped with three network cards: one for DMZ, one for
> > LAN, the other for EXT/WAN/Internet (whatever you call this). The idea was
> > for a switch to be used on both DMZ and LAN, providing NAT on both
> > segments.
> > Pretty straight forward.
> >
> > Recently, it has been suggested that a transparent firewall implementation
> > is ideal where possible. But as far as I understand, transparency is only
> > available when the firewall acts as a bridge between TWO networks. How would
> > I keep my DMZ and LAN both while using a bridging firewall. Is it even
> > possible?
>
>
> What do you mean? Whether OpenBSD supports bridging? Whether PF supports
> L2-based filtering? Whether you can have two interfaces in a bridge and
> have, at the same time, L2-based filtering and L3-based filtering?
>
> By L2-based filtering I mean having the firewall inspect frames/packets from
> interfaces that are bridged together that do not have an IP address
> configured (i.e. L2-switching).
>
> --
> http://www.felipe-alfaro.org/blog/disclaimer/



Re: Upgrade to -current

2009-04-24 Thread MANI
>> Toma: It depends where you use OpenBSD ( desktop or server )
Actually the system is a desktop on my laptop, but I am highly dependent on
it for my programming work.

>> michael & Neal: You should try and search the archives for that, it is
>> answered thoroughly a couple of times.
Actually I read all of the FAQs (and searched the archives) about this and I
know what the recommended approach is, but that's so time consuming and I
was looking for a shortcut to that!


>> michael: Recommends: exercise, eat healthy, reboot once in a while, and
>> upgrade regularly :)
I agree with all of that except upgrading regularly! I only upgrade or
patch if there is a security patch or a highly needed feature; that's all about
OpenBSD's approach to life IMHO! :)


>> Jan: Which new features are these and why do you need -current for
>> that?
Actually I am pretty happy with 4.2 but every now and then I have some
problems because of being out of date (e.g. daylight saving time). About new
features, I specially like ifconfig's access point scanning capabilities, which
are quite important for me, and having access to the latest ports collection
because some ports I need are not available on 4.2.


>> Lammert: A far better approach would be to backup the current machine,
>> do a fresh install of 4.5 [from the CDs you pre-ordered], and then restore
>> any needed files. Moving from 4.5 to -current should be much simpler
But then I have to install OpenOffice, eclipse, netbeans, firefox and all
other ports from scratch, right?


>> LEVAI: Upgrading thru the binary releases is not that tedious
I hope that's the case because my guess is I have to go along with the
upgrade guidance and upgrade 4.2 > 4.3 > 4.4 and finally 4.5.

thanks for help guys.



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread David Walker
From:  Stuart Henderson
> with one vendor implementation of this, it saves you from having a huge
> bunch of entries in your arp table... otherwise: control over the PPP
> session, maybe better logging, maybe access to ipv6 or multicast which
> could be a problem with some CPE modem/routers, and it puts most of
> the "per user" settings into the firewall, so it may make it easier
> to maintain spare modems/routers for a bunch of lines that you can
> just swap-out without reconfiguring. if you need that sort of thing.

Thanks for answering all my questions.

That's pretty much the implication of the man pages except for the IP6
which I haven't bumped into yet. :]
My ISP is the first in Oz to implement dual stack and the only one so far.
Of course that's neither here nor there as there are no domestic grade
modems or routers that do native yet anyway. Everyone is tunneling in
except for big business.
It's all a crying shame really - RFC @ 1998 (year).
Still if I can do IP6 from my router straight to PPPoE ...
I will have to read some more on encapsulation.

From:  Chris Tankersley
> Honestly, I think it is going to depend on your ISP.

Fortunately my ISP is very geek oriented. There would be nerds in
their office tipping keyboards upside down and breaking pencils if
they ever did this:

> So when you set the modem to 'Bridge' whatever was behind it was set to DHCP,
> not PPPoE. PPPoE no longer worked because the DSLAM took care of the
> PPPoE connection, not the modem anymore.

After we got over the initial shock we might wonder if it really matters.
I don't expect it does. Presumably this is what happens when people do
that last mile as gigabit.
http://www.internode.on.net/business/internet/corporate_internet/internode_ethernet/

Still, we are going FTTP here. Starts next year. So I expect to be
running 100Mbps by around 2020. Right when native IP6 kicks in. :]
http://www.pm.gov.au/media/Release/2009/media_release_0903.cfm

Thanks fellers. That's plenty of food for thought.

Best wishes.



Re: Can't install OpenOffice3 - pkg_add and make install fail on 4.5 -current

2009-04-24 Thread Tomáš Bodžár
Hmmm,

I upgraded to the 23.4. snapshot and all dependencies are installed
now, but I still can't make OpenOffice3.
Does anyone have the same problem?

Checking DLL ../unxobsd.pro/lib/check_libuno_sal.so.3
.../usr/obj/ports/openoffice-3.0.1/OOO300_m15/solver/300/unxobsd.pro/bin/checkdll:../unxobsd.pro/lib/check_libuno_sal.so.3: undefined symbol '__gxx_personality_v0'
: ERROR: Cannot load specified object
dmake:  Error code 1, while making '../unxobsd.pro/lib/libuno_sal.so.3'

And error for pkg_add is still the same :

Can't install openoffice-3.0.1p3: lib not found ICE.8.1

Don't know how to resolve this, because I upgraded to the actual snapshot
this morning and all other dependencies
are installed on the system through ports after make install in
/usr/ports/editors/openoffice3

On 22 April 2009 at 15:31 Tomáš Bodžár wrote:
> I found another mirror for this file.Mirror which is in list for this
> packages is somewhat broken for me.
>
> On 22 April 2009 at 15:16 Tomáš Bodžár wrote:
>> Can't get it through curl either. It stops at the same place every time
>>
>> $ curl --retry 10 -o /usr/distfiles/xalan-j_2_7_0-bin.tar.gz http://archive.ap>
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>                                  Dload  Upload   Total   Spent    Left  Speed
>>  36 12.8M   36 4808k    0     0  57667      0  0:03:54  0:01:25  0:02:29 60439
>> curl: (18) transfer closed with 8593310 bytes remaining to read
>> $ curl -v --retry 10 -o /usr/distfiles/xalan-j_2_7_0-bin.tar.gz http://archive>
>> * About to connect() to archive.apache.org port 80 (#0)
>> *   Trying 140.211.11.130... connected
>> * Connected to archive.apache.org (140.211.11.130) port 80 (#0)
>>> GET /dist/xml/xalan-j/xalan-j_2_7_0-bin.tar.gz HTTP/1.1
>>> User-Agent: curl/7.19.4 (i386-unknown-openbsd4.5) libcurl/7.19.4 OpenSSL/0.9.8k zlib/1.2.3 libidn/1.11
>>> Host: archive.apache.org
>>> Accept: */*
>>>
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>                                  Dload  Upload   Total   Spent    Left  Speed
>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>> < HTTP/1.1 200 OK
>> < Date: Wed, 22 Apr 2009 13:12:08 GMT
>> < Server: Apache/2.2.9 (Unix)
>> < Last-Modified: Mon, 08 Aug 2005 04:26:02 GMT
>> < ETag: "9a24e2-ce3f9e-3fdcb71f1ea80"
>> < Accept-Ranges: bytes
>> < Content-Length: 13516702
>> < Content-Type: application/x-tar
>> <
>> { [data not shown]
>>  36 12.8M   36 4765k    0     0  57153      0  0:03:56  0:01:25  0:02:31 44244
>> * transfer closed with 8593310 bytes remaining to read
>>  36 12.8M   36 4808k    0     0  57250      0  0:03:56  0:01:25  0:02:31 50560
>> * Closing connection #0
>>
>> curl: (18) transfer closed with 8593310 bytes remaining to read
>> $
>>
>> 2009/4/22 Jacob Meuser :
>>> On Wed, Apr 22, 2009 at 01:05:59PM +0200, Tom?? Bod??r wrote:
>>>
 >> (SHA256) xalan-j_2_7_0-bin.tar.gz: FAILED
 >> Checksum mismatch for xalan-j_2_7_0-bin.tar.gz. (sha256)
 Make sure the Makefile and checksum file
(/usr/ports/devel/jdk/1.5/distinfo)
 are up to date.  If you want to fetch a good copy of this
 file from the OpenBSD main archive, type
 "make REFETCH=true [other args]".
 *** Error code 1
>>>
>>> make sure you're getting the whole file by checking that the size
>>> matches what's expected (in the distinfo file).  iirc, I had to use
>>> wget to fetch that or else I'd end up with a short file.
>>>
>>> --
>>> jake...@sdf.lonestar.org
>>> SDF Public Access UNIX System - http://sdf.lonestar.org
>>>
>>>
>>
>>
>>
>> --
>> http://www.openbsd.org/lyrics.html
>>
>
>
>
> --
> http://www.openbsd.org/lyrics.html
>



--
http://www.openbsd.org/lyrics.html



Re: RadiusClient

2009-04-24 Thread Bruno Galindro da Costa
Hi,

# pkg_info -Q radius
freeradius-2.0.5
freeradius-iodbc-2.0.5
freeradius-ldap-2.0.5
freeradius-mysql-2.0.5
freeradius-pgsql-2.0.5
mod_auth_radius-1.5.7p4
p5-Authen-Radius-0.05p1
p5-Net-Radius-1.56
radiusd-cistron-1.6.7p1
radiusd-lucent-2.1p8
radiusniff-0.2
radiusreport-0.3b6p0

Can I use freeradius-2.0.5 to do what I want? Does this package contain the
radius client?

Thanks

2009/4/24 Paul Irofti 

> On Fri, Apr 24, 2009 at 09:05:32AM -0300, Bruno Galindro da Costa wrote:
> > Hi all
> >
> > What is the radius client package for OpenBSD? What I need to do is
> > provide pptpd auth with radius. My Radius Server is a Windows Server
> 2003.
> > On Ubuntu and Debian the name of the package is radiusclient, downloadable via
> > apt-get.
>
> $ pkg_info -Q radius
>



--
Att.
Bruno Galindro da Costa
bruno.galin...@gmail.com
Florianópolis - SC



Re: Yahoo videos on OpenBSD

2009-04-24 Thread Tomáš Bodžár
It works really great. Thanks for the tip.
Why I have gnash :-)

2009/4/20 Matthew Szudzik :
> On Mon, Apr 20, 2009 at 07:46:42PM +0200, Tomáš Bodžár wrote:
>> someone is watching Yahoo videos on OpenBSD?
>
> I use
>   http://keepvid.com
> to download the video, then play it with mplayer.
>
>



--
http://www.openbsd.org/lyrics.html



ftp-proxy IPSEC clients?

2009-04-24 Thread Cameron Schaus

Hello Misc,

I have an OpenBSD 4.4 firewall with some clients connecting via IPSEC.  
Some clients have flows established to servers not on the local LAN, and 
these clients are natted through the internet interface to access these 
servers.  It's a bit convoluted, but things work, except of course for ftp.


I configured the ftp-proxy for clients on the local lan and openvpn 
clients (tun0), but I cannot appear to use ftp-proxy with IPSEC clients 
(enc0).


I want to use a line such as:
rdr on enc0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

When this is in place, IPSEC clients cannot even connect to the ftp 
server.  I suspect there are some problems with this approach, since the 
man pages show matching with ipencap, but you can't do tcp port 
redirects with only ip encapsulated matching.


I am at a bit of a loss here, and I'm wondering if there's anything I 
can do to proxy the IPSEC ftp traffic, or if there are any other options 
I have at this point.


Thanks,
Cam



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread David Walker
Konnichiwa.

That is too easy.
Took me all of two minutes to bridge my modem - "RFC2684 BRIDGING"
instead of "PPPoE BRIDGING" - and do the /etc file changes.
Happy as Larry (possibly happier) using pppoe(4).

All I need to work out is hostname.pppoe0 INET6 wildcards. Especially
what to export as the route.
Any pointers on that eligible for smilies. :]

Still I have a static IP, I'm sure I can plug that in.

Best wishes.



Re: ftp-proxy IPSEC clients?

2009-04-24 Thread Matthew Dempsky
On Fri, Apr 24, 2009 at 12:17 PM, Cameron Schaus  wrote:
> I have an OpenBSD 4.4 firewall with some clients connecting via IPSEC.
 Some
> clients have flows established to servers not on the local LAN, and these
> clients are natted through the internet interface to access these servers.
>  It's a bit convoluted, but things work, except of course for ftp.

The IPsec flow is between the FTP client and the FTP server?  Then by
design, any intermediary will not be able to eavesdrop or alter
packets in transit.

> I am at a bit of a loss here, and I'm wondering if there's anything I can
do
> to proxy the IPSEC ftp traffic, or if there are any other options I have at
> this point.

If you're okay with allowing arbitrary outgoing TCP connections and
can live with only allowing clients to use passive FTP (I believe the
default nowadays), then you shouldn't need ftp-proxy at all.



[ot] Re: sudo won't work with login_fingerprint

2009-04-24 Thread Matthias Kilian
On Fri, Apr 24, 2009 at 03:28:34AM -0400, Nick Guenther wrote:
> omg we have finger print reader support??? !

yes, and it's really cool, since i've some quite sharp knives.

(scnr)



E220 as 3G Internet Access

2009-04-24 Thread don cipo
Unfortunately you can't use OpenBSD yet to connect to Vodafone's 3G internet
mobile even if there is already a Huawei E220 shiny new driver. That is
because OBSD has an archaic pppd implementation (ver. 2.3.5) which lacks some
important parameters like usepeerdns, noipv6, etc. Ask the developers to
update pppd at latest version 2.4.4 so we can all enjoy our favorite OS with
Vodafone's 3G. Cheers !



Re: Upgrade to -current

2009-04-24 Thread Neal Hogan
On Fri, Apr 24, 2009 at 11:57 AM, MANI  wrote:
> >> Toma: It depends where you use OpenBSD ( desktop or server )
> Actually the system is a desktop on my laptop, but I am highly dependent on
> it for my programming work.
>
> >> michael & Neal: You should try and search the archives for that, it is
> answered thoroughly a couple of times.
> Actually I read all of the FAQs (and searched the archives) about this and I
> know what the recommended approach is, but that's so time consuming and I
> was looking for a shortcut to that!

Sorry, I misspoke when I used the term 'binary'. I was merely
suggesting the way that I linked you to . . . the "kernel method" =
update by d'loading and booting bsd.rd and perhaps update the packages
as you go. As others have said, that is a rather quick and painless
way of going about it.

>
>
> >> michael: Recommends: exercise, eat healthy, reboot once in a while, and
> upgrade
> >> regularly:)
> I agree with all of that except upgrading regularly! I only upgrade or
> patch if there is a security patch or highly needed feature, that's all about
> OpenBSD's approach to life IMHO! :)
>
>
> >> Jan: Which new features are these and why do you need -current for
> that?
> Actually I am pretty happy with 4.2 but every now and then I have some
> problems because of being out of date (e.g. daylight saving time). About new
> features I especially like ifconfig access point scanning capabilities which
> is quite important for me & having access to the latest ports collection because
> some ports I need are not available on 4.2.
>
>
>>> Lammert  : A far better approach would be to backup the current machine,
> do a fresh
>>> install of 4.5 [from the CDs you pre-ordered], and then restore any
> needed
>>> files. Moving from 4.5 to -current should be much simpler
> But then I have to install OpenOffice, eclipse, netbeans, firefox and all
> other ports from scratch right?
>
>
> >> LEVAI: Upgrading thru the binary releases is not that tedious
> I hope that's the case because my guess is I have to go along with the
> upgrade guidance and upgrade 4.2 > 4.3 > 4.4 and finally 4.5.
>
> thanks for help guys.
>
>



--
www.nealhogan.net  www.lambdaserver.com



Re: question about net.inet.carp.preempt

2009-04-24 Thread (private) HKS
On Fri, Apr 24, 2009 at 3:32 AM, Imre Oolberg  wrote:
> Hallo!
>
> Thanks for the reply! I am also aware that one popular use of
> net.inet.carp.preempt is to control how the computer system as a whole
> reacts to errors like one physical interface goes dead.
>
> 'man carp' says about net.inet.carp.preempt:
>
> Allow virtual hosts to preempt each other. It is also used to failover carp
> interfaces as a group.  When the option is enabled and one of the carp
> enabled physical interfaces goes down, advskew is changed to 240 on all carp
> interfaces.  See also the first example. Disabled by default.
>
> What i was interested in mainly this time is the so to say practical
> meaning of the first sentence, in case how a pair of carp interfaces in a carp group
> behave while .carp.preempt is not set or is set.
>
> I decided to dig a little bit deeper because sometimes i can't predict
> events when i add another vlan and carp interface to the running system (master
> for that particular carp device appears on the wrong side etc). It could be
> easily said to me that if you are so interested use the source but i am
> sorry the source is not much help for me, i am more about just a user.
>
>
> Imre


Manual failover is simplified:

node1 is master with advskew 0 and node2 is backup with advskew 100

Without carp.preempt, you have to take the master down or (I haven't
tested this) increase its demotion counter. With carp.preempt, you
can just change its advskew to 150 and watch node2 take over.

-HKS
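Added example, not code from the thread or from OpenBSD: a small model of CARP master election by advskew, to show what net.inet.carp.preempt changes in the two cases above (HKS's manual failover, and the group failover the quoted carp(4) text describes). Advertisement timing follows carp(4) (advbase in seconds, advskew in 1/256 s, the node advertising most often wins); the round-based polling, the node and interface names (node1, node2, carp0, carp1) and the tie-break are my own simplifications.

```python
# Added example (not code from the thread or from OpenBSD): a model of CARP
# master election by advskew, with and without net.inet.carp.preempt.
# Timing follows carp(4); the round-based polling and the names are
# simplifications for illustration.

ADVSKEW_LINK_DOWN = 240   # carp(4): preempt sets this on all carp interfaces when a physical link dies


def adv_interval(advbase, advskew):
    """Seconds between advertisements. The node advertising most often wins."""
    if not (0 <= advskew <= 254 and advbase >= 1):
        raise ValueError("advbase must be >= 1, advskew 0..254")
    return advbase + advskew / 256.0


class CarpNode:
    def __init__(self, name, advskew_by_group, advbase=1):
        self.name = name
        self.advbase = advbase
        self.advskew = dict(advskew_by_group)                  # carp interface -> advskew
        self.link_up = dict.fromkeys(advskew_by_group, True)   # carp interface -> physical link state

    def interval(self, group):
        return adv_interval(self.advbase, self.advskew[group])


class CarpCluster:
    def __init__(self, nodes, preempt):
        self.nodes = {n.name: n for n in nodes}
        self.preempt = preempt
        self.master = {}
        for group in nodes[0].advskew:
            self.elect(group)

    def elect(self, group):
        """One advertisement round for one carp interface; returns the master.

        A backup takes over when the master stopped advertising or, only
        with preempt enabled, when the backup would advertise faster.
        """
        alive = [n for n in self.nodes.values() if n.link_up[group]]
        if not alive:
            self.master[group] = None
            return None
        best = min(alive, key=lambda n: (n.interval(group), n.name))
        current = self.master.get(group)
        if current is None or not self.nodes[current].link_up[group]:
            self.master[group] = best.name
        elif self.preempt and best.interval(group) < self.nodes[current].interval(group):
            self.master[group] = best.name
        return self.master[group]

    def set_advskew(self, node, group, advskew):
        """Manual failover attempt: raise the master's advskew."""
        self.nodes[node].advskew[group] = advskew
        return self.elect(group)

    def link_down(self, node, group):
        """The physical interface under one carp interface on a node dies."""
        n = self.nodes[node]
        n.link_up[group] = False
        if self.preempt:                      # carp(4): demote every carp interface on that node
            for g in n.advskew:
                n.advskew[g] = ADVSKEW_LINK_DOWN
        return {g: self.elect(g) for g in self.master}


def manual_failover(preempt):
    """HKS's case: node1 advskew 0, node2 advskew 100; node1 is then set to 150."""
    cluster = CarpCluster([CarpNode("node1", {"carp0": 0}),
                           CarpNode("node2", {"carp0": 100})], preempt)
    return cluster.set_advskew("node1", "carp0", 150)


def link_failure(preempt):
    """Two carp interfaces (two vlans) per node; the link under node1's carp0 dies."""
    cluster = CarpCluster([CarpNode("node1", {"carp0": 0, "carp1": 0}),
                           CarpNode("node2", {"carp0": 100, "carp1": 100})], preempt)
    return cluster.link_down("node1", "carp0")


if __name__ == "__main__":
    for preempt in (False, True):
        print("preempt=%s manual: %s  link failure: %s"
              % (preempt, manual_failover(preempt), link_failure(preempt)))
```

Without preempt the raised advskew changes nothing while node1 keeps advertising, and a single dead link moves only that one carp interface to node2, leaving the vlans split between the two boxes; with preempt the whole node is demoted and every carp interface fails over together.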



Re: ftp-proxy IPSEC clients?

2009-04-24 Thread Cameron Schaus

Matthew Dempsky wrote:

The IPsec flow is between the FTP client and the FTP server?  Then by
design, any intermediary will not be able to eavesdrop or alter
packets in transit.
  
The IPSec flow is between the FTP Client and a LAN, and the packets are 
then NAT'd to the internet and sent to the FTP server.  I want to put an 
IPSEC link between the LAN and the FTP server, but I can't get this in 
place yet.  If I could get this link setup, then there is no issue with 
the ftp, since there won't be any NAT taking place.



If you're okay with allowing arbitrary outgoing TCP connections and
can live with only allowing clients to use passive FTP (I believe the
default nowadays), then you shouldn't need ftp-proxy at all.
  
This is correct, passive ftp does work.  Active doesn't work because the 
client puts their IP address into the PORT command, and the server can't 
connect back to this address.  Unfortunately for me their custom 
application cannot use passive ftp.


Cam
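Added example, not code from the thread or from OpenBSD's ftp-proxy: the address check an FTP-aware proxy has to perform on an active-mode PORT command, and the rewrite that lets active mode survive NAT, which is the job ftp-proxy does for the LAN clients and cannot do for the IPsec ones here. The addresses (192.168.1.10 behind NAT, 203.0.113.5 as the public side, port 50000 for the proxy) are constructed from the documentation ranges, not taken from the post.

```python
# Added example (not from the thread or from ftp-proxy): PORT-command check
# and rewrite as an FTP-aware proxy performs them. Addresses are constructed.
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into ('h1.h2.h3.h4', port).

    Raises ValueError for anything that is not a well-formed PORT command.
    """
    match = PORT_RE.match(line.strip())
    if match is None:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(f) for f in match.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range: %r" % line)
    host = str(ipaddress.IPv4Address(".".join(str(f) for f in fields[:4])))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return host, port


def check_port_command(line, control_src):
    """Classify a PORT command as the proxy or server sees it.

    control_src is the source address of the control connection. The
    'addr-mismatch' verdict is the failure described in the thread: the
    client advertised its private address, so the server's data connection
    back to it goes nowhere once NAT sits in between. A privileged data
    port is refused as the usual proxy precaution.
    Returns (verdict, detail), verdict in ok / addr-mismatch / privileged-port.
    """
    host, port = parse_port_command(line)
    if ipaddress.IPv4Address(host) != ipaddress.IPv4Address(control_src):
        return "addr-mismatch", "PORT advertises %s:%d, control connection is from %s" % (
            host, port, control_src)
    if port < 1024:
        return "privileged-port", "data port %d is below 1024" % port
    return "ok", "%s:%d" % (host, port)


def rewrite_port_command(public_host, public_port):
    """Build the PORT command a proxy substitutes for the client's: the
    proxy's own reachable address and the port it listens on, from which
    it relays to the client's real data port."""
    if not 0 < public_port < 65536:
        raise ValueError("port out of range: %d" % public_port)
    octets = str(ipaddress.IPv4Address(public_host)).split(".")
    return "PORT %s,%d,%d" % (",".join(octets), public_port // 256, public_port % 256)


def proxy_port_command(line, control_src, proxy_host, proxy_port):
    """Pass the command through if the server could use it unchanged,
    rewrite it if only the address is the problem, refuse it otherwise."""
    verdict, detail = check_port_command(line, control_src)
    if verdict == "ok":
        return line.strip()
    if verdict == "addr-mismatch":
        return rewrite_port_command(proxy_host, proxy_port)
    raise ValueError("refused: %s" % detail)


if __name__ == "__main__":
    # Constructed scenario: client 192.168.1.10 behind NAT, control connection
    # seen by the proxy as coming from 203.0.113.5, proxy listening on 50000.
    print(proxy_port_command("PORT 192,168,1,10,4,1", "203.0.113.5", "203.0.113.5", 50000))
```

The rewrite is only possible because the proxy can read and alter the control channel; when that channel is inside an IPsec flow the proxy never sees the PORT command, which is the point made earlier in the thread.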



svnd is incredible slow... somebody else notice that?

2009-04-24 Thread sebastian . rother
I've noticed for a while now that SVND is incredibly slow related to WRITE
SPEED. Also I do see a lot of "biowait" with top related to newfs for
example.


vnconfig -cK  -S saltfile /dev/sd0d /dev/svnd1c
disklabel -E svnd1
-> a a
-> r
-> w
-> q
newfs /dev/rsvnd1a

If you've several hundred GBs that's gonna take a long time.
Also you can not restore a backup quickly because of the uber-poor write
performance (it feels like being slower than PIO 3..).

On the other hand softraid can not handle partitions.
At least it won't do it...

bioctl -c C -l /dev/sd0d softraid0

Heyho "invalid metadata format"..

So what other choices does an OpenBSD user have to encrypt a HDD?
Also: Did nobody else notice that? Don't others use these functions? :-)

And as a side note to softraid:
Also it might be clever to add MORE than 1 softraid device.
Some people might have more than 1 HDD... :-)

Kind regards,
Sebastian



Re: Interpreting strange pflog output

2009-04-24 Thread Philip Guenther
On Fri, Apr 24, 2009 at 7:53 AM, Aner Perez  wrote:
...
> While monitoring the pflog output, I occasionally see output that looks
like
> this:
>
> Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 >
73.243.0.0: at-#0 18
> Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 >
73.37.0.0: at-#0 21
...
> What first jumps out at me is the IP addresses which are not part of our
> network.  The second thing that jumps out is the "at-#0 18" notation.  What
> does this mean?  I'm assuming the number at the end is the packet size.
>  What is the "at-#0"?  Has anybody seen traffic like this?  Should I be
> worried?

Those are Appletalk (Ethertalk) packets.  "107.6.96.0" and such are
Appletalk phase II addresses (with DDP protocol) and *not* IP
addresses.  Seems you have old Macs or Apple hardware on your net
still doing the old stuff...


Philip Guenther



Re: DHCP versus PPPoE for ADSL.

2009-04-24 Thread Stuart Henderson
On 2009-04-24, David Walker  wrote:
> Konnichiwa.
>
> That is too easy.
> Took me all of two minutes to bridge my modem - "RFC2684 BRIDGING"
> instead of "PPPoE BRIDGING" - and do the /etc file changes.
> Happy as Larry (possibly happier) using pppoe(4).
>
> All I need to work out is hostname.pppoe0 INET6 wildcards. Especially
> what to export as the route.
> Any pointers on that eligible for smilies. :]
>
> Still I have a static IP, I'm sure I can plug that in.
>
> Best wishes.
>
>

I just added the address assigned to me into hostname.pppoe0:

inet6 2001:4b10:1002:ff::1 64
!/sbin/route add -inet6 default 2001:4b10:1002:ff::1

I think you're "supposed" to do rtsol, but we don't support that on a
device configured as a router. There is afaik no IPv6 address discovery
mechanism done by PPP.

You might have some "fun" with fragmentation, scrub max-mss is your
friend. Sometimes.



Re: Interpreting strange pflog output

2009-04-24 Thread Stuart Henderson
On 2009-04-24, Aner Perez  wrote:
> Hi,
>
> We have an older OpenBSD 3.9 firewall which we will be upgrading to 4.5 and 
> as a part of the upgrade, we will be locking 
> down our outgoing connections.  As a first step, we have added some extra 
> rules to log outgoing connections that are not 
> specifically allowed by our current rule set.
>
> While monitoring the pflog output, I occasionally see output that looks like 
> this:
>
> Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 
> 73.243.0.0: at-#0 18
> Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 
> 73.37.0.0: at-#0 21
> Apr 24 09:49:46.420901 rule 150/(match) pass in on fxp1: 108.6.96.0 > 
> 73.126.0.0: at-#0 15
> Apr 24 09:49:46.420990 rule 150/(match) pass in on fxp1: 85.8.96.0 > 
> 73.229.0.0: at-#0 18
> Apr 24 09:49:46.546277 rule 150/(match) pass in on fxp1: 106.8.96.0 > 
> 73.229.0.0: at-#0 96
> Apr 24 09:49:46.551653 rule 150/(match) pass in on fxp1: 55.4.96.0 > 
> 73.174.0.0: at-#0 99
>
> What first jumps out at me is the IP addresses which are not part of our 
> network.  The second thing that jumps out is 
> the "at-#0 18" notation.  What does this mean?  I'm assuming the number at 
> the end is the packet size.  What is the 
> "at-#0"?  Has anybody seen traffic like this?  Should I be worried?

looks like appletalk. (grep at- /usr/src/usr.sbin/tcpdump/*).

> Also, this output comes from "tcpdump -n -e -ttt -i pflog0 ifname fxp1".  Is 
> there a way I can see the MAC address on 
> these logged connections without doing a tcpdump on the physical interface?

I don't think so, but you may get some additional clues if you increase
the snaplen and view the packet data, maybe try "-s 1500 -vX".
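Added example, not code from the thread: a parser for the lines tcpdump prints from pflog0, which sorts each logged packet by protocol family so that non-IP traffic such as the AppleTalk DDP packets both replies above identify ("at-#0") is reported on its own. The first two sample lines are the ones quoted in the question; the third (an IPv4 TCP SYN from the documentation ranges) is constructed for contrast.

```python
# Added example (not from the thread): classify pflog lines by protocol
# family. The two AppleTalk sample lines are from the question; the IPv4
# line is constructed.
import re
from collections import Counter

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+[\d:.]+)\s+rule\s+(?P<rule>[\w.]+)/\((?P<reason>[^)]+)\)\s+"
    r"(?P<action>\w+)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+(?P<rest>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:\.\d{1,5})?$")

SAMPLE_LOG = """\
Apr 24 09:49:46.420762 rule 150/(match) pass in on fxp1: 107.6.96.0 > 73.243.0.0: at-#0 18
Apr 24 09:49:46.420851 rule 150/(match) pass in on fxp1: 108.6.96.0 > 73.37.0.0: at-#0 21
Apr 24 09:50:01.000123 rule 150/(match) pass out on fxp1: 192.0.2.10.49152 > 198.51.100.20.443: S 1:1(0) win 16384
"""


def parse_pflog_line(line):
    """Return the fields of one 'tcpdump -n -e -ttt -i pflog0' line, or None."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_family(rec):
    """Decide the family from the protocol tag, not from the address shape:
    AppleTalk net.node.socket addresses look just like dotted IPv4 quads,
    which is what caused the confusion in the question."""
    if rec["rest"].startswith("at-#"):
        return "appletalk"
    if IPV4_RE.match(rec["src"]):
        return "ipv4"
    if ":" in rec["src"]:
        return "ipv6"
    return "other"


def summarize(lines):
    """Count logged packets by (family, interface, direction)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None:
            counts[(classify_family(rec), rec["ifname"], rec["dir"])] += 1
    return counts


def appletalk_sources(lines):
    """Distinct AppleTalk source addresses: the hosts still speaking the old
    protocol, which a lockdown of the rule set should account for."""
    found = set()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None and classify_family(rec) == "appletalk":
            found.add(rec["src"])
    return sorted(found)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print("%-10s %-5s %-3s %d" % (key + (n,)))
    print("AppleTalk talkers:", ", ".join(appletalk_sources(SAMPLE_LOG.splitlines())))
```

Feed it `tcpdump -n -e -ttt -i pflog0` output and the AppleTalk entries separate from the IP ones, which makes it easy to see which rule they hit and how many machines are producing them before deciding whether the tightened rule set should block or simply stop logging them.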



Re: svnd is incredible slow... somebody else notice that?

2009-04-24 Thread Jonathan Thornburg
sebastian.rother () jpberlin ! de wrote
> I've noticed for a while now that SVND is incredibly slow related to WRITE
> SPEED. Also I do see a lot of "biowait" with top related to newfs for
> example.
> 
> 
> vnconfig -cK  -S saltfile /dev/sd0d /dev/svnd1c
> disklabel -E svnd1
> -> a a
> -> r
> -> w
> -> q
> newfs /dev/rsvnd1a

There is certainly some slowdown for the encryption and extra filesystem
overhead, but you can minimize it by making both filesystems (the "upper"
one that sees plaintext, and the lower one that provides the underlying
storage) ffs/ffs2 mounted softdep.  softdep gives a *big* speedup on
writes!  Mounting with noatime as well may also help things a bit.

I have been running laptops (Lenovo Thinkpad T42) with /home mounted
this way for 6 months or so, and in ordinary use I don't notice any
particular slowdown relative to my previous laptop system.  (Though
I haven't made any quantitative tests.)

ciao,

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy, Indiana University, Bloomington, Indiana, USA
   "Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
  -- quote by Freire / poster by Oxfam



Re: E220 as 3G Internet Access

2009-04-24 Thread Fred Crowson
On 4/24/09, don cipo  wrote:
> Unfortunately you can't use OpenBSD yet to connect to Vodafone's 3G internet
> mobile even if there is already a Huawei E220 shiny new driver. That is
> because OBSD has an archaic pppd implementation (ver. 2.3.5) which lacks some
> important parameters like usepeerdns, noipv6, etc. Ask the developers to
> update pppd at latest version 2.4.4 so we can all enjoy our favorite OS with
> Vodafone's 3G. Cheers !
>
>
Where's your evidence? I'm not convinced you're right [1]. Error messages
and configuration files that caused the failure might help get the
issue fixed - if there is one.

Fred

[1] http://marc.info/?l=openbsd-misc&w=2&r=1&s=E220&q=b
--
http://www.crowsons.com/puters/E169.htm



Re: svnd is incredible slow... somebody else notice that?

2009-04-24 Thread Ted Unangst
On Fri, Apr 24, 2009 at 6:12 PM,   wrote:
> If you've several hundred GBs that's gonna take a long time.
> Also you can not restore a backup quickly because of the uber-poor write
> performance (it feels like being slower than PIO 3..).

crypto is slow.  what else is new?

> So what other choices does an OpenBSD user have to encrypt a HDD?
> Also: Did nobody else notice that? Don't others use these functions? :-)

Has nobody noticed that in the history of disk encryption with
openbsd, the features have never been developed by people with a
pressing need for the feature?  And that the people who seem to need
the feature have contributed nothing but whining?

> And as a side note to softraid:
> Also it might be clever to add MORE than 1 softraid device.
> Some people might have more than 1 HDD... :-)

So what if they do?



Re: RadiusClient

2009-04-24 Thread Stuart Henderson
On 2009-04-24, Bruno Galindro da Costa  wrote:
> # pkg_info -Q radius
> freeradius-2.0.5
> freeradius-iodbc-2.0.5
> freeradius-ldap-2.0.5
> freeradius-mysql-2.0.5
> freeradius-pgsql-2.0.5
> mod_auth_radius-1.5.7p4
> p5-Authen-Radius-0.05p1
> p5-Net-Radius-1.56
> radiusd-cistron-1.6.7p1
> radiusd-lucent-2.1p8
> radiusniff-0.2
> radiusreport-0.3b6p0
>
> Can I use freeradius-2.0.5 to do wath I want? This package contains the
> radius client?

no, that's a server. I've got a work-in-progress port of freeradius-client,
but it's not ready for public consumption yet.



DCBSDCon 2009 Videos

2009-04-24 Thread Jason Dixon
As announced on Undeadly, the speaker videos for DCBSDCon 2009 are now
available on YouTube and the conference website.

http://undeadly.org/cgi?action=article&sid=20090424204748
http://www.youtube.com/profile?user=bsdconferences&view=videos&query=dcbsdcon
http://www.dcbsdcon.org/speakers/videos/

Will Backman (bsdtalk) has also posted audio from the conference.

http://cisx1.uma.maine.edu/~wbackman/bsdtalk/DCBSDCon2009/

I'd like to also express my gratitude to Todd Fries (todd@) for his
assistance with encoding videos in OpenBSD.  Needless to say I won't be
doing any more multimedia work in OS X.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: svnd is incredible slow... somebody else notice that?

2009-04-24 Thread Marco Peereboom
You are right about how awful all this stuff is. Man it seems like you  
should use an os that suits your goals a little better. I have heard  
that Linux offers awesome performance.


On Apr 24, 2009, at 17:12, sebastian.rot...@jpberlin.de wrote:

I've noticed for a while now that SVND is incredibly slow related to
WRITE SPEED. Also I do see a lot of "biowait" with top related to newfs for
example.


vnconfig -cK  -S saltfile /dev/sd0d /dev/svnd1c
disklabel -E svnd1
-> a a
-> r
-> w
-> q
newfs /dev/rsvnd1a

If you've several hundred GBs that's gonna take a long time.
Also you can not restore a backup quickly because of the uber-poor
write performance (it feels like being slower than PIO 3..).

On the other hand softraid can not handle partitions.
At least it won't do it...

bioctl -c C -l /dev/sd0d softraid0

Heyho "invalid metadata format"..

So what other choices does an OpenBSD user have to encrypt a HDD?
Also: Did nobody else notice that? Don't others use these functions? :-)


And as a side note to softraid:
Also it might be clever to add MORE than 1 softraid device.
Some people might have more than 1 HDD... :-)

Kind regards,
Sebastian




Re: [Way OT] Roadtrip...

2009-04-24 Thread Diana Eichert

On Fri, 24 Apr 2009, Nick Bender wrote:


Apologies to most people who won't give a shit but I'm finally moving
to New Mexico and am posting updates at http://nbender.com more
or less daily as we make our way across the country.

Regards,
-N


OMG!!!  You're moving to New Mexico, Osta no less.  Next thing I know
you'll be spouting crazy things about hearing some hum.

diana



How to disable output to speakers if I use headphones on azalia?

2009-04-24 Thread Tomáš Bodžár
Hi all,

does someone know how to disable sound output to the speakers if I use headphones?
I have sound from both sources and if I raise outputs.master both sources are
louder which is bad if I'm at work. I can't find a useful switch in
mixerctl -v and
Google doesn't help yet

$ mixerctl -v
outputs.hp_source=dac  [ dac dac2 mix2 ]
outputs.hp_boost=off  [ off on ]
outputs.mic_dir=input-vr80  [ none input input-vr0 input-vr50 input-vr80 ]
outputs.spkr_source=dac  [ dac dac2 mix2 ]
outputs.mic2_dir=input-vr80  [ none input input-vr0 input-vr50 input-vr80 ]
outputs.line_source=dac  [ dac dac2 mix2 ]
inputs.dac_mute=off  [ off on ]
inputs.dac=140,140
inputs.dac2_mute=off  [ off on ]
inputs.dac2=126,126
inputs.sel_source=dac  [ dac dac2 mix2 ]
inputs.mix2_source=dac,dac2,sel2,sel3  { dac dac2 sel2 sel3 }
inputs.mix2_dac=120,120
inputs.mix2_dac2=120,120
inputs.mix2_sel2=120,120
inputs.mix2_sel3=120,120
inputs.sel2_source=mic  [ mic mic2 ]
outputs.sel2=85,85
inputs.sel3_source=mic  [ mic mic2 ]
outputs.sel3=85,85
record.adc_source=sel2  [ sel2 mix2 mic3 ]
record.adc_mute=off  [ off on ]
record.adc=119,119
record.adc2_source=sel3  [ sel3 mix2 mic3 ]
record.adc2_mute=off  [ off on ]
record.adc2=119,119
inputs.beep_mute=off  [ off on ]
inputs.beep=85
outputs.hp_sense=plugged  [ unplugged plugged ]
outputs.mic_sense=unplugged  [ unplugged plugged ]
outputs.mic2_sense=unplugged  [ unplugged plugged ]
outputs.line_sense=unplugged  [ unplugged plugged ]
outputs.master=140,140
outputs.master.mute=off  [ off on ]
outputs.master.slaves=dac  { dac dac2 mic3 sel2 sel3 beep }
record.volume=119,119
record.volume.mute=off  [ off on ]
record.volume.slaves=adc,adc2  { adc adc2 }
$

$ audioctl
name=HD-Audio
version=1.0
config=azalia0
encodings=slinear_le:16,slinear_le:20,slinear_le:24
properties=full_duplex,independent
full_duplex=0
fullduplex=0
blocksize=17536
hiwat=2
lowat=1
output_muted=0
monitor_gain=0
mode=
play.rate=44100
play.channels=2
play.precision=16
play.encoding=slinear_le
play.gain=140
play.balance=32
play.port=0x0
play.avail_ports=0x0
play.seek=0
play.samples=0
play.eof=0
play.pause=0
play.error=0
play.waiting=0
play.open=0
play.active=0
play.buffer_size=65536
play.block_size=17536
play.errors=0
record.rate=48000
record.channels=2
record.precision=16
record.encoding=slinear_le
record.gain=119
record.balance=32
record.port=0x0
record.avail_ports=0x0
record.seek=0
record.samples=0
record.eof=0
record.pause=0
record.error=0
record.waiting=0
record.open=0
record.active=0
record.buffer_size=65536
record.block_size=9600
record.errors=0
$


$ dmesg | grep azalia
azalia0 at pci0 dev 27 function 0 "Intel 82801I HD Audio" rev 0x03:
apic 2 int 21 (irq 11)
azalia0: codecs: IDT 92HD71B7, Intel/0x2802, using IDT 92HD71B7
audio0 at azalia0
$

-- 
http://www.openbsd.org/lyrics.html



Re: How to disable output to speakers if I use headphones on azalia?

2009-04-24 Thread Jacob Meuser
On Sat, Apr 25, 2009 at 05:59:29AM +0200, Tomáš Bodžár wrote:
> Hi all,
> 
> does someone know how to disable sound output to the speakers if I use headphones?
> I have sound from both sources and if I raise outputs.master both sources are
> louder which is bad if I'm at work. I can't find a useful switch in
> mixerctl -v and
> Google doesn't help yet
> 
> $ mixerctl -v
> outputs.hp_source=dac  [ dac dac2 mix2 ]

> outputs.spkr_source=dac  [ dac dac2 mix2 ]

> inputs.dac_mute=off  [ off on ]

> inputs.dac2_mute=off  [ off on ]

> outputs.master.slaves=dac  { dac dac2 mic3 sel2 sel3 beep }

$ mixerctl outputs.spkr=dac2
$ mixerctl outputs.dac2_mute=on

the second command probably isn't really needed.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: How to disable output to speakers if I use headphones on azalia?

2009-04-24 Thread Tomáš Bodžár
Great. The second command is not needed.
Those shortcuts are still somewhat cryptic :-) I wasn't sure about it.

Are they described somewhere in man? They aren't described in
mixerctl(1), audio(4) or audio(9). Or I can't see them in the format of
mixerctl output

2009/4/25 Jacob Meuser :
> On Sat, Apr 25, 2009 at 05:59:29AM +0200, Tomáš Bodžár wrote:
>> Hi all,
>>
>> does someone know how to disable sound output to the speakers if I use headphones?
>> I have sound from both sources and if I raise outputs.master both sources
are
>> louder which is bad if I'm at work. I can't find a useful switch in
>> mixerctl -v and
>> Google doesn't help yet
>>
>> $ mixerctl -v
>> outputs.hp_source=dac  [ dac dac2 mix2 ]
>
>> outputs.spkr_source=dac  [ dac dac2 mix2 ]
>
>> inputs.dac_mute=off  [ off on ]
>
>> inputs.dac2_mute=off  [ off on ]
>
>> outputs.master.slaves=dac  { dac dac2 mic3 sel2 sel3 beep }
>
> $ mixerctl outputs.spkr=dac2
> $ mixerctl outputs.dac2_mute=on
>
> the second command probably isn't really needed.
>
> --
> jake...@sdf.lonestar.org
> SDF Public Access UNIX System - http://sdf.lonestar.org
>
>



--
http://www.openbsd.org/lyrics.html



Re: How to disable output to speakers if I use headphones on azalia?

2009-04-24 Thread Jacob Meuser
On Sat, Apr 25, 2009 at 06:55:12AM +0200, Tomáš Bodžár wrote:
> Great. The second command is not needed.
> Those shortcuts are still somewhat cryptic :-) I wasn't sure about it.
> 
> Are they described somewhere in man? They aren't described in
> mixerctl(1), audio(4) or audio(9). Or I can't see them in the format of
> mixerctl output

there really has never been strict naming of the mixer controls, but
audio(4) does suggest some guidelines, which the drivers mostly follow.

there are also some hints in mixerctl.conf(5).

> 2009/4/25 Jacob Meuser :
> > On Sat, Apr 25, 2009 at 05:59:29AM +0200, Tomáš Bodžár wrote:
> >> Hi all,
> >>
> >> does someone know how to disable sound output to the speakers if I use headphones?
> >> I have sound from both sources and if I raise outputs.master both sources
> are
> >> louder which is bad if I'm at work. I can't find a useful switch in
> >> mixerctl -v and
> >> Google doesn't help yet
> >>
> >> $ mixerctl -v
> >> outputs.hp_source=dac  [ dac dac2 mix2 ]
> >
> >> outputs.spkr_source=dac  [ dac dac2 mix2 ]
> >
> >> inputs.dac_mute=off  [ off on ]
> >
> >> inputs.dac2_mute=off  [ off on ]
> >
> >> outputs.master.slaves=dac  { dac dac2 mic3 sel2 sel3 beep }
> >
> > $ mixerctl outputs.spkr=dac2
> > $ mixerctl outputs.dac2_mute=on
> >
> > the second command probably isn't really needed.
> >
> > --
> > jake...@sdf.lonestar.org
> > SDF Public Access UNIX System - http://sdf.lonestar.org
> >
> >
> 
> 
> 
> --
> http://www.openbsd.org/lyrics.html
> 

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: svnd is incredible slow... somebody else notice that?

2009-04-24 Thread Jacob Yocom-Piatt

Marco Peereboom wrote:
You are right about how awful all this stuff is. Man it seems like you 
should use an os that suits your goals a little better. I have heard 
that Linux offers awesome performance.





based on the manner in which you routinely complain and provide zero 
deliverables, i must say that marco's suggestion is spot on. please join 
the ranks of all the rest of the feature-hungry talentless morons and 
just give up. if you have not figured out that you are a member of this 
group already you need to flash your brain bios so there is some hope of 
working around the parts that are obviously not working right.


if you send another whining email about things that have already been 
discussed on this list i worry that you will break the misc@openbsd.org 
mailserver. don't be that guy.




On Apr 24, 2009, at 17:12, sebastian.rot...@jpberlin.de wrote:

I've noticed for a while now that SVND is incredibly slow related to
WRITE SPEED. Also I do see a lot of "biowait" with top related to newfs for
example.


vnconfig -cK  -S saltfile /dev/sd0d /dev/svnd1c
disklabel -E svnd1
-> a a
-> r
-> w
-> q
newfs /dev/rsvnd1a

If you've several hundred GBs that's gonna take a long time.
Also you can not restore a backup quickly because of the uber-poor write
performance (it feels like being slower than PIO 3..).

On the other hand softraid can not handle partitions.
At least it won't do it...

bioctl -c C -l /dev/sd0d softraid0

Heyho "invalid metadata format"..

So what other choices does an OpenBSD user have to encrypt a HDD?
Also: Did nobody else notice that? Don't others use these functions? :-)

And as a side note to softraid:
Also it might be clever to add MORE than 1 softraid device.
Some people might have more than 1 HDD... :-)

Kind regards,
Sebastian