[bret.lamb...@gmail.com: Re: Filtering based on MAC adress]
Actually, it doesn't mention brconfig anymore (or is my memory failing me,
and it never did? quite possible)

In any case, sorry for the unneeded snark.

- Forwarded message from "Bret S. Lambert" -

Date: Sat, 20 Feb 2010 13:42:42 +0100
From: "Bret S. Lambert"
To: Jean-Francois
Cc: misc@openbsd.org
Subject: Re: Filtering based on MAC adress

On Sat, Feb 20, 2010 at 01:19:14PM +0100, Jean-Francois wrote:
> On Saturday 20 February 2010 12:21:14, Bret S. Lambert wrote:
> > On Sat, Feb 20, 2010 at 11:49:54AM +0100, Jean-Francois wrote:
> > > Good morning,
> > >
> > > Is it possible to do filtering through pf or blocking traffic based on
> > > MAC address recognition?
> > >
> > > We want to identify the machines on the internal network based on their
> > > MAC address and filter.
> > >
> > > Can tools like pf do this (not in my actual searches)? Another way?
> >
> > Although pf cannot filter on mac addresses, you can set up a
> > bridge interface to add tags to packets, which pf can then
> > act upon.
> >
> > > Regards
>
> Hello Bret,
>
> Can you please briefly explain the principle. I can see ifconfig(8) mentions
> also that however it is still not clear.

PS - ifconfig also mentions brconfig, so you should probably have been
able to find that manpage yourself

>
> I need to make a subnet with a local dhcp server and to filter on this side. I
> believe I will do some NAT.
>
> Regards.

- End forwarded message -
Re: [bret.lamb...@gmail.com: Re: Filtering based on MAC adress]
"Bret S. Lambert" writes:

> Actually, it doesn't mention brconfig anymore (or is my memory
> failing me, and it never did? quite possible)

If you're on -current, brconfig doesn't exist anymore (merged into
ifconfig). That's likely what you're seeing. It also means bridge
configs will need some adjustments when upgrading to 4.7.

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Traffic control
Rod Whitworth wrote:
> *** NOTE *** Please DO NOT CC me. I subscribed to the list.
> Mail to the sender address that does not originate at the list server is
> tarpitted. The reply-to: address is provided for those who feel compelled to
> reply off list. Thankyou.

You're a smart fellow, you'll figure out what this does.

# You don't want to miss you are CC-ed after all. You just don't
# want them in your maildir.
if ( /^(Cc|To).*(openbsd|misc|tech|bugs|gnats|source-changes)@/)
{
    to $R/cc
}

# Han
anything better than the em(4)?
Hello,

It has been suggested here that em(4) should give good network performance
on gigabit networks
(http://marc.info/?l=openbsd-misc&m=126605109632029&w=2).
Does this include only the non-Intels on the man page (if there is such
thing there)?

I was thinking to get my hands on an Intel PRO/1000 PT for routing/pf till
I read this on your site:

http://www.openbsd.org/crypto.html#hardware
"Forget about Intel. (If you want to buy gigabit ethernet hardware, we
recommend anything else... for the same reason: most drivers we have for
Intel networking hardware were written without documentation)."

Does Intel still not provide appropriate documentation or did that web page
expire? Is there any other brand/driver which should be considered (more)
optimal in terms of performance+stability for openbsd routers on gigabit
networks?

best regards,
Giannis
Re: OT, .. but has anyone seen a crontab editor
On Sat, 20 Feb 2010, Bret S. Lambert wrote:

> Your original post[1] said, and I cut'n'paste, "that would be useable
> for basic sysadmin types". How the fuck can anyone comprehend a question
> you're incapable of asking correctly?
>
Certainly not you, .. who, amongst others, are far more interested in
spouting crap than providing any useful information. Sometimes it's
amazing how vocal some people are, .. I guess we're lucky that there are a
good bunch of folks out there more interested in creating good code than
spouting bs.

Lee
Re: OT, .. but has anyone seen a crontab editor
On Sat, 20 Feb 2010, Tobias Ulmer wrote:

> In the time you've been spamming my inbox, every half-competent sysadmin
> could have learned ncurses(3) and write the perfect(tm) interface for
> his purpose.
>
Sorry, my posts have been but a pittance in the BS spouted on this thread,
.. it's a shame that nobody bothered to reply with any useful information.

> I'll just leave this here:
> http://doxfer.com/Webmin/ScheduledCommands#The_Scheduled_Commands_module
>
Guess you didn't read my original reply - but that's OK, I know it might
have been buried in the crap.

Lee
Re: more OT than you think Re: OT, .. but has anyone seen a crontab editor
hi there,

have a look at webmin, that might have a crontab module.

-f
--
so easy, a child can do it. child sold separately.
Re: OT, .. but has anyone seen a crontab editor
On Sat, Feb 20, 2010 at 10:49:14AM -0600, L. V. Lammert wrote:
> On Sat, 20 Feb 2010, Bret S. Lambert wrote:
>
> > Your original post[1] said, and I cut'n'paste, "that would be useable
> > for basic sysadmin types". How the fuck can anyone comprehend a question
> > you're incapable of asking correctly?
> >
> Certainly not you, .. who, amongst others, are far more interested in
> spouting crap than providing any useful information. Sometimes it's
> amazing how vocal some people are, .. I guess we're lucky that there are a
> good bunch of folks out there more interested in creating good code than
> spouting bs.

Bret is one of those who do good things with code for the rest of us
using OpenBSD. OTOH, I can't figure out why you haven't scripted something
to do crontab editing and released it as a port. I'll take Bret's
contributions over yours any day.

--
Darrin Chandler           | Phoenix BSD User Group | MetaBUG
dwchand...@stilyagin.com  | http://phxbug.org/     | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert  | Global BUG Federation
OpenBSD Volunteer needed today in Los Angeles
OpenBSD has a booth at the SCaLE conference in Los Angeles and no one appears to be available to staff it. It's a great conference and I highly recommend someone drop by to staff it Saturday and Sunday. Where: LAX Westin hotel, 5400 W Century Blvd. Call me for help with registration and orientation: 503-789-8978 Michael
Canadian Subsidy Directory 2010
Canadian Business Publications is offering to the public a revised edition of the Canadian Subsidy Directory, a guide containing more than 3000 direct and indirect financial subsidies, grants and loans offered by government departments and agencies, foundations, associations and organizations. In this new 2010 edition all programs are well described. The Canadian Subsidy Directory is the most comprehensive tool to start up a business, improve existent activities, set up a business plan, or obtain assistance from experts in fields such as: Industry, transport, agriculture, communications, municipal infrastructure, education, import-export, labor, construction and renovation, the service sector, hi-tech industries, research and development, joint ventures, arts, cinema, theatre, music and recording industry , the self employed, contests, and new talents. Assistance from and for foundations and associations, guidance to prepare a business plan, market surveys, computers, and much more! Canadian Business Publications is a member of the BBB. Financing directories from a source you can trust. Canadian Subsidy Directory (All Canada, federal + provincial + foundations) CD-Rom (Pdf file)...$ 69.95 Printed (430 pages + free cd-rom)...$ 149.95 Also available for each province on CD-Rom only...$ 49.95 Alberta British Columbia New Brunswick Newfoundland & Labrador Northwest Territories / Nunavut / Yukon Manitoba Nova Scotia Ontario Prince Edward Island Quebec .$ 69.95 Saskatchewan To obtain a copy please call toll free 1-866-322-3376 Canadian Subsidy Directory 4865 Hwy 138, r.r. 1 St-Andrews west On K0C 2A0
IPSEC encodes traffic to local IP?
Hi,

I'm setting up an ipsec connection between two hosts and I noticed that as
soon as ipsec is active, any TCP and UDP traffic (but not ICMP??) to the
local IP gets redirected to the enc0 interface and shows up as encoded
traffic originating from the other(!) endpoint. It doesn't matter if the
other endpoint actually exists / is online. (If the other host is online,
the traffic *between them* works as expected = encrypted)

My expectation (from the flows in ipsec.conf) would be that traffic for the
local IP should be ignored by ipsec and should show up as unencoded traffic
on lo0. Only traffic with the exact "from" AND "to" should be handled by
ipsec.

Any ideas what I'm doing wrong here?

Test setup:
*) fresh install, i386/release 4.6
   pc50_root# uname -a
   OpenBSD pc50.abc.test 4.6 GENERIC#58 i386
*) pf is disabled
*) host: "pc50" / 10.10.1.50
*) remote host 10.10.1.99 doesn't exist (I've tested it; same results if it
   existed)

1) no ipsec

* first issue a "ping 10.10.1.50", then "telnet 10.10.1.50 80" from local host

pc50_root# tcpdump -nettti lo0
tcpdump: listening on lo0, link-type LOOP
Feb 20 20:16:50.770037 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 20 20:16:50.770421 10.10.1.50 > 10.10.1.50: icmp: echo reply
Feb 20 20:16:51.778162 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 20 20:16:51.778268 10.10.1.50 > 10.10.1.50: icmp: echo reply
Feb 20 20:16:57.686028 10.10.1.50.26068 > 10.10.1.50.80: S 310361823:310361823(0) win 16384 0,nop,nop,timestamp 1189411092 0> (DF) [tos 0x10]
Feb 20 20:16:57.686762 10.10.1.50.80 > 10.10.1.50.26068: R 0:0(0) ack 310361824 win 0 (DF)

*) as expected, all traffic on lo0, nothing on another interface

2) ipsec enabled

*) ipsec.conf

flow esp from 10.10.1.50 to 10.10.1.99 peer 10.10.1.99
esp from 10.10.1.50 to 10.10.1.99 spi 0xabd9da39:0xc9dbb83d \
    authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
    enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

*) start ipsec

pc50_root# isakmpd -K -4 -a
pc50_root# ipsecctl -f /etc/ipsec.conf
pc50_root# ipsecctl -s all
FLOWS:
flow esp in from 10.10.1.99 to 10.10.1.50 peer 10.10.1.99 type require
flow esp out from 10.10.1.50 to 10.10.1.99 peer 10.10.1.99 type require
SAD:
esp tunnel from 10.10.1.50 to 10.10.1.99 spi 0xabd9da39 auth hmac-sha2-256 enc aes
esp tunnel from 10.10.1.99 to 10.10.1.50 spi 0xc9dbb83d auth hmac-sha2-256 enc aes

* again "ping 10.10.1.50", then "telnet 10.10.1.50 80"

pc50_root# tcpdump -nettti lo0
tcpdump: listening on lo0, link-type LOOP
Feb 20 20:33:46.979267 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 20 20:33:46.979968 10.10.1.50 > 10.10.1.50: icmp: echo reply
Feb 20 20:33:47.996163 10.10.1.50 > 10.10.1.50: icmp: echo request
Feb 20 20:33:47.996293 10.10.1.50 > 10.10.1.50: icmp: echo reply
Feb 20 20:33:51.332969 esp 10.10.1.99 > 10.10.1.50 spi 0xc9dbb83d seq 1 len 116 (DF) [tos 0x10]

pc50_root# tcpdump -nettti enc0
tcpdump: listening on enc0, link-type ENC
Feb 20 20:33:51.330716 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.28112 > 10.10.1.50.80: S 2213859062:2213859062(0) win 16384 (DF) [tos 0x10] (encap)
Feb 20 20:33:51.334430 (authentic,confidential): SPI 0xc9dbb83d: 10.10.1.50.28112 > 10.10.1.50.80: S 2213859062:2213859062(0) win 16384 (DF) [tos 0x10] (encap)

*) as you can see, the TCP traffic arrives from .99 as ipsec traffic and
   inside is the original request

3) ipsec still enabled

*) "ping 127.0.0.1" and "telnet 127.0.0.1 80"

pc50_root# tcpdump -nettti lo0
tcpdump: listening on lo0, link-type LOOP
Feb 20 20:42:35.720121 127.0.0.1 > 127.0.0.1: icmp: echo request
Feb 20 20:42:35.720274 127.0.0.1 > 127.0.0.1: icmp: echo reply
Feb 20 20:42:36.730615 127.0.0.1 > 127.0.0.1: icmp: echo request
Feb 20 20:42:36.731330 127.0.0.1 > 127.0.0.1: icmp: echo reply
Feb 20 20:42:48.990875 127.0.0.1.29884 > 127.0.0.1.80: S 3653836207:3653836207(0) win 16384 0,nop,nop,timestamp 4200983611 0> (DF) [tos 0x10]
Feb 20 20:42:48.991369 127.0.0.1.80 > 127.0.0.1.29884: R 0:0(0) ack 3653836208 win 0 (DF)

*) traffic to 127.0.0.1 works as expected, no traffic on enc0

kind regards,
Robert
uaudio - Lexicon Alpha
I consider buying the Lexicon Alpha soundcard:

http://www.lexiconpro.com/product.php?id=7

Is someone using it successfully? I understand there are "USB soundcards"
out there not even appearing as USB Audio class devices.

If this card is not working properly with 4.6 or current, can people
recommend a good uaudio card? I need it to be uaudio because the machine
that will use it does not have any possibility of holding a PCI card.

More generally, what is the status of uaudio(4)?
Re: OT, .. but has anyone seen a crontab editor
On Sat, 20 Feb 2010, Darrin Chandler wrote:

> OTOH, I can't figure out why you haven't scripted something to do
> crontab editing and released it as a port.
>
WOW, a USEFUL suggestion! I bet an outsider would wonder how in the hell
anything productive gets done around here! Three days of BS and ONE useful
suggestion.

Lee
Re: OT, .. but has anyone seen a crontab editor
On Sat, Feb 20, 2010 at 05:57:49PM -0600, L. V. Lammert wrote:
> On Sat, 20 Feb 2010, Darrin Chandler wrote:
>
> > OTOH, I can't figure out why you haven't scripted something to do
> > crontab editing and released it as a port.
> >
> WOW, a USEFUL suggestion! I bet an outsider would wonder how in the hell
> anything productive gets done around here! Three days of BS and ONE useful
> suggestion.
>
> Lee

Dude? Seriously?

Your mother's a whore.
Re: uaudio - Lexicon Alpha
> I understand there are "USB soundcards" out there not even
> appearing as USB Audio class devices.

Yes there do exist some devices that depend on vendor supplied drivers,
however there may be hope for this device:

http://www.lexiconpro.com/knowledgebase.php?product=7
> Q: Will the Alpha work on an Intel based Mac?
> A: The Alpha will work on Intel based Macs with OS version
> 10.4.7 or higher. The Alpha uses Mac's built in Core Audio
> drivers.

That does indicate a uaudio device, however that may not be the case..
try contacting them directly, or keep the receipt.

-Bryan.
Re: OT, .. but has anyone seen a crontab editor
> Dude? Seriously?
>
> Your mother's a whore.
>
Wow! Such intelligence! Sorry, but you's was the one I saw in Amsterdam.

Lee
Re: OT, .. but has anyone seen a crontab editor
Theo de Raadt wrote:
> I am very impressed by the oratory skills you have all shown in this
> discussion... but please... can this thread be terminated soon?

I agree with Theo. Please take this troll-fest off the list. You can all
flame each other privately.

--
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders, give
orders, cooperate, act alone, solve equations, analyze a new problem,
pitch manure, program a computer, cook a tasty meal, fight efficiently,
die gallantly. Specialization is for insects.
-- Robert Heinlein
802.11 HostAP power saving mode
Greetings,

Just wondering if anyone knows the status of implementing 802.11 Power
Saving? All the man pages for wifi adapters supporting HostAP mode confirm
it's not supported, e.g. ral(4):

"Host AP mode doesn't support power saving. Clients attempting to use power
saving mode may experience significant packet loss (disabling power saving
on the client will fix this)."

My wife has just added an iPhone to the clients supported by my OpenBSD
wireless access point and there appears to be no method of disabling power
saving on this device (surprise, surprise), so any advice before I ditch my
custom OpenBSD AP for something shrink-wrapped will be much appreciated.

Cheers,
Damon
Bradesco Dia e Noite.
Dear Customer,

For security reasons we are informing all customers that, in order to stop
the constant increase in fraud on Bradesco Internet Banking, it will be
mandatory to update your Security Key Card. If you do not carry out your
mandatory update urgently, access via ATMs and Internet Banking will be
suspended.

Use the link below to carry out the update:

Update Data Now

Attention: The mandatory update is the customer's responsibility. Banco
Bradesco S/A will not be held responsible for damages suffered if the keys
are not updated.
Re: Dump levels dump(8) man page clarification
On Friday 19 February 2010 22:04:00, Philip Guenther wrote:
> On Fri, Feb 19, 2010 at 12:49 PM, Jean-Francois
> wrote:
> ...
>
> > Not sure to understand the subtle of the man page explanations regarding
> > the dump of different nature of mount points.
> >
> > Just one additional information, the dump of higher levels work when I
> > dump /var but not /var/htdocs.
>
> The key is the last sentence of this paragraph from the dump(8) manpage:
>     files-to-dump is either a mountpoint of a filesystem or a list of
>     files and directories on a single filesystem to be backed up as a subset
>     of the filesystem. In the former case, either the path to a mounted
>     filesystem or the device of an unmounted filesystem can be used. In the
>     latter case, certain restrictions are placed on the backup: -u is ignored,
>     the only dump level that is supported is -0, and all of the files must
>     reside on the same filesystem.
>
> So, if you're not dumping an entire filesystem, then you always get a
> full (level 0) dump.
>
> (Why? At least part of the reason is that if you're not doing the
> full filesystem, inode ctime isn't sufficient to determine whether a
> file would be new to the dump.)
>
>
> Philip Guenther

Is it possible to clarify further this particular para of dump(8), I can't
understand the differences that are explained here between the nature of
the mount points and file systems and the relationship to what is
prohibited (L+1 dumps are).

Thanks.
Regards
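
The dump(8) restriction Philip quotes, turned into a check a backup script can make before choosing a level. This is an added example, not code from anyone in the thread; the function names and the sample paths and output files are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): work out which dump level dump(8)
# can actually honour for a given path.
# Rule from the quoted manpage text: levels above 0 and -u only apply when
# files-to-dump is a whole filesystem. A subdirectory such as /var/htdocs
# is dumped as a subset and always gets level 0.
# Not handled here: device nodes of unmounted filesystems, which dump(8)
# also accepts as a whole-filesystem argument.

# Print the mount point of the filesystem that holds $1.
# Assumes mount points contain no whitespace (df -P output is split on it).
mount_point_of() {
    df -P "$1" | awk 'NR == 2 { print $NF }'
}

# Succeed only if $1 is itself the root of a mounted filesystem.
is_mountpoint() {
    # Resolve symlinks first so /foo -> /var compares as /var.
    real=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    [ "$real" = "$(mount_point_of "$real")" ]
}

# usage: effective_dump_level <path> <requested-level>
effective_dump_level() {
    if is_mountpoint "$1"; then
        echo "$2"
    else
        echo 0
    fi
}

# usage: dump_command <path> <requested-level> <output-file>
# Prints the dump(8) command line without running it.
dump_command() {
    if is_mountpoint "$1"; then
        # Whole filesystem: the requested level works and -u records it
        # in /etc/dumpdates for the next incremental.
        echo "dump -$2u -f $3 $1"
    else
        # Subset of a filesystem: -u would be ignored, level is forced to 0.
        echo "dump -0 -f $3 $1"
    fi
}

# Print the command for each path given on the command line, asking for a
# level 1 dump. The output location is a hypothetical placeholder.
for p in "$@"; do
    dump_command "$p" 1 "/backup/$(basename "$p").dump"
done
```

Run as `sh script.sh /var /var/htdocs` on a host where /var is its own filesystem, the first path keeps level 1 and the second falls back to level 0, which matches what Jean-Francois observed.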
Re: Traffic control
americano writes:

> Will rewritten (updated and improved) implementation of the existing traffic
> control system altq?

ALTQ is part of PF these days (for quite some time, since OpenBSD 3.3
if memory serves), and yes, the code is kept up to date with the rest
of the system.

The bits that make up this message passed at least one system running
with ALTQ enabled on its way from me to you.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OT: opinions on IDS / IPS solutions
On 2/18/2010 8:59 PM, bofh wrote:

On Thu, Feb 18, 2010 at 11:48 AM, Laurens Vets wrote:

Just don't get ISS crap. Also, snort is good, but you must know what
you're doing. Our snort box, running on an old throw away box, and only
capturing/analyzing 10 minutes of every hour, is giving us *MORE* useful
data than half a mil worth of ISS crap.

Care to elaborate? :)

Which parts? ISS suck so much that even though IBM spent $$ to acquire
them, IBM is now killing the entire product line? What kills me (and *TAKE
NOTE - THOSE WHO REPORT TO PHBs*) is that just a few months ago, we read a
report on how ISS's IPS took top billing in some magazine or review.

IBM is not killing the ISS product line. They are removing some older
IPSses from their portfolio and adding additional products.

On what we're doing internally, we're capturing data for 10 minutes every
hour, and then having the box analyze that data using a variety of tools
including snort. It then sends us information on crap such as botnet
command/control traffic among other things. Things that we have full packet
captures on, that ISS refuses to provide. We also drop it into a graphing
tool, so we get nice maps of green/good traffic and red/bad traffic, and
you can see that 3 boxes that's talking to all the botnet C&C servers, etc.

We're still working on it, and I hope the new(er) servers we are putting in
will be able to provide better/more info. Hopefully we'll buy some really
beefy servers later in the year so that we can do full analysis. I'll send
a list of the tools we used later, have to ping my guy for it :)

Thanks! This sounds very interesting tbh.
Re: OT, .. but has anyone seen a crontab editor
On Fri, Feb 19, 2010 at 04:14:44PM -0600, L. V. Lammert wrote:
> On Sat, 20 Feb 2010, Paul M wrote:
>
> > it's **Not clear what problem you're actually trying to solve.**
> >
> What's so difficult about "need a way to edit crontab with something like
> an nCurses" interface? That seems to be, by definition, simple,
> point-and-click, definite options, no man pages, no vi editors, ...

vi(1) is a ncurses interface.

>
> > I can imagine a situation where your question is valid and sensible, but
> > that would be just be me going off on a tangent - give us some
> > background, explain *properly* why the answers you've been given are
> > unsatisfactory.
> > I have to say, it does sound to me as if you're being deliberately
> > obtuse.
> >
> Certainly not intended, .. however I cannot imagine why the statement above
> does not describe the problem accurately & succinctly.
>
> > Give us the full story, and I'm sure you'll get a very good answer. Or
> > several.
> >
> The chaps tweaking the crontab entries are Windoze admins, and they need
> to adjust the start/stop times on cronjobs that start and stop replication
> services. It would *seem* that there would be a way to apply all this
> fancy technology we have in our toolkits for a simple, point-and-shoot (a
> la nCurses) UI that requires no a priori knowledge other than an account
> name & password.
>
> Lee

In the time you've been spamming my inbox, every half-competent sysadmin
could have learned ncurses(3) and write the perfect(tm) interface for
his purpose.

I'll just leave this here:
http://doxfer.com/Webmin/ScheduledCommands#The_Scheduled_Commands_module
Re: Traffic control
On 06:01, Sat 20 Feb 10, americano wrote:
> Hello, Misc.
>
> Will rewritten (updated and improved) implementation of the existing traffic
> control system altq?

E_DOESNOTPARSE

--
Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
Filtering based on MAC adress
Good morning,

Is it possible to do filtering through pf or blocking traffic based on MAC
address recognition?

We want to identify the machines on the internal network based on their MAC
address and filter.

Can tools like pf do this (not in my actual searches)? Another way?

Regards
Re: Filtering based on MAC adress
On Sat, Feb 20, 2010 at 11:49:54AM +0100, Jean-Francois wrote:
> Good morning,
>
> Is it possible to do filtering through pf or blocking traffic based on MAC
> address recognition?
>
> We want to identify the machines on the internal network based on their MAC
> address and filter.
>
> Can tools like pf do this (not in my actual searches)? Another way?

Although pf cannot filter on mac addresses, you can set up a
bridge interface to add tags to packets, which pf can then
act upon.

>
> Regards
Re: Filtering based on MAC adress
On Saturday 20 February 2010 12:21:14, Bret S. Lambert wrote:
> On Sat, Feb 20, 2010 at 11:49:54AM +0100, Jean-Francois wrote:
> > Good morning,
> >
> > Is it possible to do filtering through pf or blocking traffic based on
> > MAC address recognition?
> >
> > We want to identify the machines on the internal network based on their
> > MAC address and filter.
> >
> > Can tools like pf do this (not in my actual searches)? Another way?
>
> Although pf cannot filter on mac addresses, you can set up a
> bridge interface to add tags to packets, which pf can then
> act upon.
>
> > Regards

Hello Bret,

Can you please briefly explain the principle. I can see ifconfig(8) mentions
also that however it is still not clear.

I need to make a subnet with a local dhcp server and to filter on this side. I
believe I will do some NAT.

Regards.
Re: Filtering based on MAC adress
On Sat, Feb 20, 2010 at 01:19:14PM +0100, Jean-Francois wrote:
> On Saturday 20 February 2010 12:21:14, Bret S. Lambert wrote:
> > On Sat, Feb 20, 2010 at 11:49:54AM +0100, Jean-Francois wrote:
> > > Good morning,
> > >
> > > Is it possible to do filtering through pf or blocking traffic based on
> > > MAC address recognition?
> > >
> > > We want to identify the machines on the internal network based on their
> > > MAC address and filter.
> > >
> > > Can tools like pf do this (not in my actual searches)? Another way?
> >
> > Although pf cannot filter on mac addresses, you can set up a
> > bridge interface to add tags to packets, which pf can then
> > act upon.
> >
> > > Regards
>
> Hello Bret,
>
> Can you please briefly explain the principle. I can see ifconfig(8) mentions
> also that however it is still not clear.

the brconfig man page has examples of this

>
> I need to make a subnet with a local dhcp server and to filter on this side. I
> believe I will do some NAT.
>
> Regards.
Re: Filtering based on MAC adress
On Sat, Feb 20, 2010 at 01:19:14PM +0100, Jean-Francois wrote:
> On Saturday 20 February 2010 12:21:14, Bret S. Lambert wrote:
> > On Sat, Feb 20, 2010 at 11:49:54AM +0100, Jean-Francois wrote:
> > > Good morning,
> > >
> > > Is it possible to do filtering through pf or blocking traffic based on
> > > MAC address recognition?
> > >
> > > We want to identify the machines on the internal network based on their
> > > MAC address and filter.
> > >
> > > Can tools like pf do this (not in my actual searches)? Another way?
> >
> > Although pf cannot filter on mac addresses, you can set up a
> > bridge interface to add tags to packets, which pf can then
> > act upon.
> >
> > > Regards
>
> Hello Bret,
>
> Can you please briefly explain the principle. I can see ifconfig(8) mentions
> also that however it is still not clear.

PS - ifconfig also mentions brconfig, so you should probably have been
able to find that manpage yourself

>
> I need to make a subnet with a local dhcp server and to filter on this side. I
> believe I will do some NAT.
>
> Regards.
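
The principle asked about in this thread (tag frames by source MAC at the bridge, then let pf act on the tag), written out as an added example that is not from any poster; it goes beyond a single host and generates the rules for a whole inventory. The bridge and interface names, tag names and MAC addresses are constructed placeholders, and BRCMD can be set to brconfig for 4.6 and earlier, following Peter Hansteen's note elsewhere in this archive that -current merges brconfig into ifconfig.

```shell
#!/bin/sh
# Added example (not from the thread): emit bridge filter rules that tag
# frames by source MAC, plus the pf.conf rules that act on those tags.
# Everything below (bridge0, fxp0, tags, MACs) is a constructed placeholder.

BRIDGE=bridge0
INSIDE_IF=fxp0
# 4.6 and earlier configure bridges with brconfig(8); on -current the same
# "rule" syntax lives in ifconfig(8). Override with BRCMD=brconfig.
BRCMD=${BRCMD:-ifconfig}

# Constructed inventory, one "<mac> <tag>" pair per line.
INVENTORY='00:0d:b9:aa:bb:01 staff
00:0d:b9:aa:bb:02 staff
00:0D:B9:AA:BB:10 printer
not-a-mac guest'

# Accept six colon-separated hex octets (one or two digits each).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}$'
}

# Print one "pass ... tag" bridge rule per valid inventory entry, then a
# final block rule. Bridge rules are evaluated in the order they were
# added, so frames from unlisted MACs fall through to the block.
gen_bridge_rules() {
    printf '%s\n' "$INVENTORY" | while read -r mac tag; do
        [ -n "$mac" ] || continue
        if ! valid_mac "$mac"; then
            # Report on stderr so stdout stays a clean list of commands.
            echo "skipping invalid MAC: $mac" >&2
            continue
        fi
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        echo "$BRCMD $BRIDGE rule pass in on $INSIDE_IF src $mac tag $tag"
    done
    echo "$BRCMD $BRIDGE rule block in on $INSIDE_IF"
}

# Print pf.conf rules: default deny on the inside interface, then one pass
# rule per distinct tag. pf never sees the MAC, only the tag.
gen_pf_rules() {
    echo "block in on $INSIDE_IF all"
    printf '%s\n' "$INVENTORY" | while read -r mac tag; do
        if valid_mac "$mac"; then echo "$tag"; fi
    done | sort -u | while read -r tag; do
        echo "pass in on $INSIDE_IF tagged $tag"
    done
}

echo "# bridge rules"
gen_bridge_rules
echo "# pf.conf rules"
gen_pf_rules
```

A source MAC is whatever the sender writes into the frame, so these tags identify a claimed address; they are useful for sorting known machines into policy groups but do not authenticate them.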