Re: perlish question
On Tue, Aug 07, 2018 at 05:40:21pm -0500, Edgar Pettijohn III wrote:
> I am attempting to create and verify password hashes from within perl. The
> easiest way I saw was to use Inline::C like this:
>
> __C__
>
> int checkpass(const char *p, const char *h) {
>     printf("%s: %s\n", p, h);
>     return (crypt_checkpass(p, h));
> }

Why not

perl -e 'print( crypt( $p, $h ), "\n" );'

--
Best regards, Ed http://www.s5h.net/
Re: i386 "panic: pci_make_tag: bad request" after acpi sleep states
On Mon, 28 Dec 2020 13:20:29 -0500 Ian Darwin wrote:
> Boot used   Kernel   From   Result
> pxeboot     bsd.rd   tftp   OK
> pxeboot     bsd      hd0a   OK (via tftpboot/etc/conf)
> boot        bsd      hd0a   panic
>
> I.e., boots fine with pxeboot "set device hd0a", but booting the exact
> same kernel off the same disk via /boot causes a panic.

Hi, it seems the boot process after installation should be straightforward. I suggest filing a bug report.
OpenCON 2007 // Call for Sponsors
Dear ladies and gentlemen, OpenCON is the only conference fully dedicated to OpenBSD. Last year's edition was a great success and also featured the party for OpenBSD's 10th birthday, with project leader Theo de Raadt and a lot of developers. http://www.opencon.org/06/register-stat.php http://gallery.guly.org/main.php?g2_itemId=10182 We would like to be able to meet your expectations and go beyond them this year too! As usual the conference will be in Venice, and this year we plan to have one additional day for tutorials: 30 November 2007 - tutorial day; 1-2 December 2007 - conference. We organized previous editions of the conference with a FREE ENTRANCE policy, and to do so this year too we are looking for SPONSORS. Sponsors: we would be happy to discuss any type of agreement, such as distribution of merchandising, appearance of your logo, t-shirts, and everything you may imagine. Obviously we can provide a valid EU receipt for your tax duties. Just write an email to ed()bsd.it with OpenCON in the subject line and tell us about your ideas! Please spread the word among your friends, OpenBSD-friendly companies, ISPs that offer OpenBSD servers for rent or hosting, and any big company that you think should sponsor the event. Don't wait, do it now :) Thanks!
OpenCON 2007 // Call for Papers
Dear ladies and gentlemen, OpenCON is the only conference fully dedicated to OpenBSD. Last year's edition was a great success and also featured the party for OpenBSD's 10th birthday, with project leader Theo de Raadt and a lot of developers. More info here: http://2006.opencon.org/ The OpenCON program committee is inviting speakers to submit innovative, original, and interesting talks on apps, architecture, implementation, performance and security of OpenBSD. Speeches and slides must be in English. Topics of interest for OpenCON 2007 include, but are not limited to: - kernel hacking - embedded application development and deployment - device drivers - security and safe coding practices - system administration: techniques and tools of the trade - operational and economic aspects. The extended abstract should explain clearly the topics and the aims of the talk. Submissions accompanied by a non-disclosure agreement will be rejected. Authors of accepted submissions have to provide a full paper for publication in the conference proceedings and allow the organizers to publish the results in the printed proceedings and on the conference web site. To submit your proposal fill in the dedicated form: http://www.opencon.org/papers/new As usual the conference will be in Venice, and this year we plan to have one additional day for tutorials: 30 November 2007 - tutorial day; 1-2 December 2007 - conference. See you there? P.S. We are still looking for sponsors. HELP! Please spread the word among your friends, OpenBSD-friendly companies, ISPs that offer OpenBSD servers for rent or hosting, and any big company that you think should sponsor the event. Don't wait, do it now :)
driver request
Hello, I do not know how to find out if there is driver support for this card in OpenBSD: FarSync WAN T-Series cards - X.21 / V.35 / RS5303 The problem is that I'm looking to replace a Cisco 2600 with a couple of openbsd boxes with carp/pfsync, which I can't do just yet because the telco provider uses x.21 interfaces at the NTU. If someone could suggest either someone to speak to who develops these drivers at/for OpenBSD or a card which provides x.21 for an OpenBSD kernel I would be very grateful. -- Regards, Ed.
Re: Pf rule for carp and round-robin
On Thu, 8 Sep 2005 16:07:27 -0400 "Monah Baki" <[EMAIL PROTECTED]> wrote:
> { $web_srvr1, $web_srvr2 } round-robin sticky-address

Try

rdr on $ext_if proto tcp from any to $carp5 port 80 -> { $web_srvr1, $web_srvr2 } round-robin source-hash

The above may be incorrect so you should check out the load balance section of the FAQ. I am not sure off the top of my head if round-robin and source-hash will conflict, as the default action when you specify greater than one address to forward to is to round-robin anyway.

--
http://edd.link9.net - http://irc.is-cool.net
Re: OpenBSD website Design.
On Fri, 09 Sep 2005 22:12:03 +0200 Alexander Hall <[EMAIL PROTECTED]> wrote: > What about http://www.openbsd.org/cgi-bin/cvsweb/www/ ? :-) I was taking a look at that, and it seems I am either getting behind with OpenBSD versions or something in ospfd development has torn a vortex in the rift of space time and 3.8 has popped through from the future creating the file 38.html, released in November 2005. http://www.openbsd.org/cgi-bin/cvsweb/www/38.html Does it come complete with instructions for building your own flux capacitor, or am I just being silly? -- http://edd.link9.net - http://irc.is-cool.net
Re: two inetrnet connexion
On Sat, 10 Sep 2005 20:10:45 - "KOUADIO Thiodore KOUASSI " <[EMAIL PROTECTED]> wrote:
> I have a serious problem with my internet connection.
> I have two lines of connection with internet
> 1213.X.X.X
> and 196.X.X.X
> my problem is the gateway which I can use. Where can I declare them?

echo 213.1.1.1 > /etc/mygate
sh /etc/netstart

--
http://edd.link9.net - http://irc.is-cool.net
Re: test
On Sun, 11 Sep 2005 01:13:38 -0500 "Jeffrey Roach" <[EMAIL PROTECTED]> wrote: > test Tested. > http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ What's wrong with http://gaim.sf.net? -- http://edd.link9.net - http://irc.is-cool.net
pflog
Does pflog use a lot of CPU in comparison to pf itself? -- http://edd.link9.net - http://irc.is-cool.net
Re: A question about examining pf loging data
On Mon, 12 Sep 2005 13:26:19 -0400 "Will H. Backman" <[EMAIL PROTECTED]> wrote: > > > > This has most of the data that I need, but it seems to be missing > > one thing > > that I think is important. How can I determine if the traffic is > > TCP/UDP/ICMP etc? > > > If you have ack and window flags, then it is TCP, not UDP. What should I use to see packets at the ethernet level, such as ARP? -- http://edd.link9.net - http://irc.is-cool.net
Re: A question about examining pf loging data
That's good, thanks, I thought tcpdump was IP layer only, because of the name. On Tue, 13 Sep 2005 14:38:09 +0300 Huzeyfe Onal <[EMAIL PROTECTED]> wrote: > try #tcpdump arp to see only arp packets. > want to get the link-level header? Add the -e option.. > > > 2005/9/12, ed <[EMAIL PROTECTED]>: > > On Mon, 12 Sep 2005 13:26:19 -0400 > > "Will H. Backman" <[EMAIL PROTECTED]> wrote: > > > > > > > > > > This has most of the data that I need, but it seems to be > > > > missing one thing > > > > that I think is important. How can I determine if the traffic is > > > > TCP/UDP/ICMP etc? > > > > > > > If you have ack and window flags, then it is TCP, not UDP. > > > > What should I use to see packets at the ethernet level, such as ARP? -- http://edd.link9.net - http://irc.is-cool.net
Re: shell script generator?
On Wed, 14 Sep 2005 16:52:29 -0500 <[EMAIL PROTECTED]> wrote:
> 1) make package/port list in a text file
> 2) run script in one terminal window to capture all the
> extraneous configuration-related executables i have to run
> 3) take diffs of my final configuration file contents against
> the defaults post-package/port adding
> 4) sanitize the script output and paste together

dd if=/dev/rwd0 ? or tar cvf ./backup /etc

I believe that you will find the configure.out file in the ports directory which contains the output of the configure arguments. Although that said, how do you know a later version will not be different? What you are suggesting should work, but it would be very dependent on the version of the ports used; you're better off using a method that is flexible, which is hard with source builds. .debs are a little easier to manage, dpkg --get-selections makes it a little easier to rebuild a system from deb, unfortunately life is a little harder in openbsd land.

--
http://edd.link9.net - http://irc.is-cool.net
Re: Developer Tools
On Sat, 17 Sep 2005 15:11:34 -0700 Darrin Chandler <[EMAIL PROTECTED]> wrote: > A questions to any programmers reading this: what's your development > environment? Which editor do you like? Do you use integrated compile, > or do you go back the the shell prompt? Do you use any lint-like > tools? Please mention anything that you find makes your programming > life easier. And if you would briefly mention why you like what you > use then all the better. TIA. vim, vim-gtk, and aterm. vim is great, syntax highlighting, indents spaces etc, I can set vim up exactly as I like it the moment I get on a box by copying the single config. Vim is great, it's light weight and works through many slow connections, and above all, it's included in many default installations. I also use firefox when looking up function/method calls. -- www.bsdwarez.net
Re: DNS
On Sat, 17 Sep 2005 21:08:20 -0700 Steve B <[EMAIL PROTECTED]> wrote: > I'm a little confused on the topic of running Bind on OBSD. I've read > the Secure Architectures book, some material at > http://www.aei.ca/~pmatulis/pub/obsd_pf.html and a few other places. > My goal is to provide DNS to my local LANs and probably act as a > caching/forwarding DNS. What confuses me is 1) where to put my > db.wired and db.1.168.192 files, 2) what to add to named.conf to put > these files to use, and 3) how to configure named.conf for > caching/forwarding. > > Some articles I've read via Google say the default named.conf is > configured as a caching nameserver and to simply start the named > daemon, while others say the forwarders first and forwarders options > must be entered. Could someone with a little more experience on this > topic please point me in the right direction? Try dnscache, part of djbdns from http://cr.yp.to; it's very good and efficient, also rather secure compared to BIND (Buggy Internet Name Daemon). -- http://www.usenix.org.uk - http://irc.is-cool.net
Re: is there a way to block sshd trolling?
On Fri, 23 Sep 2005 21:55:12 +0200 Tomasz Baranowski <[EMAIL PROTECTED]> wrote: > You can change the port number in /etc/ssh/sshd_config . It's 100% > effective against that kind of bots. Some intelligent scripts look at tcp responses to port scans, ssh responds with SSH-2.0, which isn't too hard to identify. I don't know if changing the greeting would break the protocol, but I suspect it might break certain clients. -- A horse is a horse, of course, of course, And no one can talk to a horse, of course, Unless, of course, the horse, of course, Is the famous Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net
Re: passive ftp-ssl client behind OpenBSD 3.7 NAT/pf
On Fri, 23 Sep 2005 13:45:45 -0700 (PDT) Daniel Smereka <[EMAIL PROTECTED]> wrote:
> Is it possible to get such a client running in passive mode using pf
> rdr/rules?
>
> I understand that I can't use ftp-proxy for this b/c the PORT command
> coming back from the FTP server is encrypted. Is there any way to do
> this? thanks

The whole idea of passive ftp is that it is the client initiating both control and data connections, so ftp or ftp-ssl, there should be no need for additional nat fw rules. If the server is behind the NAT then you need to set a rdr rule for the high port numbers and the ftp server must masquerade as the nat's ip address.

rdr on $ext_if proto tcp from any to $ftp port {6:65535} -> $local_ftp

for example.

--
A horse is a horse, of course, of course, And no one can talk to a horse, of course, Unless, of course, the horse, of course, Is the famous Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net
Re: is there a way to block sshd trolling?
On Fri, 23 Sep 2005 21:24:26 -0700 Ray Percival <[EMAIL PROTECTED]> wrote:
> Yeah. This is only a threat against *really* weak boxes. Having said
> that I've seen a lot of posts talking about changing ports. That's a
> line that I won't cross. I refuse to hide from the bots and it's not
> even a speedbump against somebody who is a real threat. But that's just
> my personal line in the sand.

I agree, but I've personally been the victim of such an attack; it's a pain in the ass when you can't su to root, or log in on the console. What they did was to exploit gzip, I'm fairly certain. I could not apt-get of course and was thus left helpless. I no longer have faith in user passwords. I do my best to prevent people using common user names (besides myself, who uses 'ed' of course, but with a decent password). The account abused was dominic/dominic; at the time this account was created the box did not have ssh open, and it was never an idea to, but then the service was opened and about 6 weeks later it was thoroughly shafted.

I use the following now:

rdr pass on $ext_if proto tcp from any to 1.2.3.4 port {22,3389} -> 10.10.10.10
block drop quick from <abuse_src>
pass in on $ext_if proto tcp from any to $range port {22,3389} keep state ( max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src> flush global )

After several weeks I have accumulated a list of about 60 IP blocks. I am wondering if block quick drop from abuse_src/24 is possible? But most of the IP addresses are not sequential.

--
A horse is a horse, of course, of course, And no one can talk to a horse, of course, Unless, of course, the horse, of course, Is the famous Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net
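On the /24 question: pf tables take network entries as well as single hosts, so `pfctl -t abuse_src -T add 198.51.100.0/24` is valid; the remaining job is deciding which /24s have earned a whole-network entry. The script below is an added example, not part of the original post. It collapses an accumulated list of offending IPv4 addresses into their /24s, counts distinct hosts per network, and emits table entries: the whole /24 where several hosts turned up, the individual address elsewhere. It assumes the table is declared in pf.conf as `table <abuse_src> persist` and referenced as `<abuse_src>` in the block and overload rules; the sample address list is constructed.

```shell
#!/bin/sh
# Collapse abusive IPv4 addresses into /24 networks and plan pf table entries.
# Added example, not from the original post. Assumes IPv4 only and a table
# declared as:  table <abuse_src> persist

# Constructed sample standing in for the accumulated list of offenders.
SAMPLE_IPS='198.51.100.7
198.51.100.23
198.51.100.200
203.0.113.5
203.0.113.5
192.0.2.77'

# slash24_counts: stdin = one IPv4 address per line;
# stdout = "<distinct hosts> <network>/24", busiest network first.
# Duplicate addresses count once (sort -u).
slash24_counts() {
    sort -u | awk -F. '
        NF == 4 { n[$1 "." $2 "." $3 ".0/24"]++ }
        END { for (net in n) print n[net], net }
    ' | sort -rn
}

# plan_adds: stdin = one IPv4 address per line; stdout = table entries,
# one per line: the /24 for every network that contributed at least $1
# distinct hosts, otherwise the individual addresses. Output is sorted.
plan_adds() {
    min=$1
    sort -u | awk -F. -v min="$min" '
        NF == 4 {
            net = $1 "." $2 "." $3 ".0/24"
            n[net]++
            hosts[net] = hosts[net] " " $0
        }
        END {
            for (net in n) {
                if (n[net] >= min) {
                    print net
                } else {
                    cnt = split(hosts[net], h, " ")
                    for (i = 1; i <= cnt; i++) print h[i]
                }
            }
        }
    ' | sort
}

# apply_adds: feed plan_adds output into the table. Needs root and a running
# pf, so it is not exercised by the sample run below.
apply_adds() {
    while read -r entry; do
        pfctl -t abuse_src -T add "$entry"
    done
}

# Sample run: networks with three or more offending hosts become one /24.
printf '%s\n' "$SAMPLE_IPS" | plan_adds 3
```

Pipe a real list through `plan_adds 3 | apply_adds` from cron; `pfctl -t abuse_src -T show` lists what is in the table and `pfctl -t abuse_src -T expire 86400` drops entries older than a day so the overload table does not grow forever.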
Re: Which SATA controller to purchase
On Tue, 27 Sep 2005 06:28:14 -0400 Jason Dixon <[EMAIL PROTECTED]> wrote: > Theo doesn't want or need your talk. The project needs users of > their code to help out by purchasing a CD, shirt, maybe even a > poster. Nag your buddy who you usually lend your CD to, or that > downloads via FTP, to skip this month's copy of Gamer's L33t Monthly > and buy a CD. No amount of DHTML or AJAX is going to affect the > number of orders placed. I've been in the OpenBSD users scene for a year or two now. I took the following route: 1) bought a cd+book off ebay (legitimate copy of each). I did this as it was cheap, I wanted the book, but the cd was the great 3.5 with fantastic inlay. 2) later bought Jacek Artymiak's book. However, CD sales can't be that good; I want a hard copy of material. It would be better business sense to have Jacek publish for OpenBSD, then sell the book with the CD with each release. That surely is better sense than buying a new t-shirt every six months. Or, why not publish the FAQ on paper? The pf section would certainly be of great interest to firewall designers/admins. Way to go KD85, I've been waiting flipping ages for my 3.5 t-shirt. The songs are great. -- A horse is a horse, of course, of course, And no one can talk to a horse, of course, Unless, of course, the horse, of course, Is the famous Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net
Re: OpenBSD 3.8 song
On Tue, 27 Sep 2005 23:01:10 +0200 Han Boetes <[EMAIL PROTECTED]> wrote: > Matthias Kilian wrote: > > $ man -k god > > god: nothing appropriate > Heh, you don't know `God save the queen' from the sex pistols :-) I have the album if anyone wants it... #8, I'm bored of it, it's very 80's UK punk. I don't think associating OpenBSD with this type of music is at all a good idea. I kinda like the current pleasant style. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net ~ ~ :wq
Re: PF story, happy ending.
On Sat, 1 Oct 2005 09:05:47 -0600 (MDT) Diana Eichert <[EMAIL PROTECTED]> wrote: > So now my buddy, realizing it was one of his Windows systems, becomes > very contrite and apologizes for interrupting me at the office. I beg to differ; as nice as it is to know the Windows box caused the many states, it's the firewall admin's fault for not increasing the state limit. A small limit is good, so you know something has created many states, but even so, the reason the firewall failed to pass traffic was the state limit, not because the Windows box had anything to do with it. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net ~ ~ :wq
Linux expo - London
Hello, Is OpenBSD doing anything at the linux conference and expo this week at the London Olympia? -- Regards, Ed http://www.openbsdhacker.com
Re: PF story, happy ending.
On Sat, 1 Oct 2005 12:27:56 -0600 (MDT) Diana Eichert <[EMAIL PROTECTED]> wrote: > So Dweeb, what you recommend is upping the state table so we can > increase the amount of crap that's leaking out from the Windows > system? Brilliant, next time there's a Windows worm polluting the > network I'll just think "Wow, it's not a Windows problem, I just need > to buy hardware that can handle greater traffic." Then by this token we should all set a state limit of 1 state per host, correct? If there's something using more states it must be compromised. Nice theory. Why not just block the single host causing the problem? When you have a high state limit, try shell commands to count the states used every few minutes and then add the excessive hosts to a table, rather than choke the network. Oh, and don't resort to name calling; it makes the rest of the post look childish, even if there is content of technical merit. -- Regards, Ed http://www.usenix.org.uk
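One way to do the counting Ed describes, as an added example that is not part of the original post: parse `pfctl -ss`, tally states per originating host, and hand anything over a threshold to a table that a `block` rule references. It assumes the `pfctl -ss` line shapes shown in the comments (outbound states print `src -> dst`, inbound states print `dst <- src`, and NAT/rdr states carry an extra `(addr:port)` field before the arrow), a hypothetical table named `hogs`, and a constructed sample of state lines in place of the live output. Note that pf's own `max-src-states` rule option caps per-source states without any cron job; the script is for the case where you want to see who is hogging the table before deciding.

```shell
#!/bin/sh
# Count pf states per originating host from "pfctl -ss" output and name the
# hosts holding more than a threshold. Added example, not from the original
# post. Assumed line shapes (an assumption about pfctl -ss formatting):
#   <if> <proto> <src>:<port> [ (nat:port) ] -> <dst>:<port> <state>   outbound
#   <if> <proto> <dst>:<port> [ (rdr:port) ] <- <src>:<port> <state>   inbound
# The table name "hogs" is hypothetical; declare it in pf.conf as
#   table <hogs> persist
#   block in quick from <hogs>

# Constructed sample standing in for `pfctl -ss`.
SAMPLE_STATES='self tcp 172.22.96.15:49152 (94.143.189.15:60001) -> 203.0.113.5:80 ESTABLISHED:ESTABLISHED
self tcp 172.22.96.15:49153 (94.143.189.15:60002) -> 203.0.113.6:80 ESTABLISHED:ESTABLISHED
self tcp 172.22.96.15:49154 (94.143.189.15:60003) -> 203.0.113.7:80 ESTABLISHED:ESTABLISHED
self udp 172.22.96.16:5353 -> 203.0.113.53:53 SINGLE:MULTIPLE
self tcp 172.22.96.1:22 <- 198.51.100.7:51000 ESTABLISHED:ESTABLISHED
self tcp 172.22.96.1:22 <- 198.51.100.7:51001 ESTABLISHED:ESTABLISHED'

# state_counts: stdin = pfctl -ss output; stdout = "<states> <host>", most first.
state_counts() {
    awk '
        {
            arrow = 0
            for (i = 3; i <= NF; i++)
                if ($i == "->" || $i == "<-") { arrow = i; break }
            if (!arrow) next            # not a state line, skip it
            # Outbound: originator is the first address; inbound: the one after "<-".
            src = ($arrow == "->") ? $3 : $(arrow + 1)
            sub(/:[0-9]+$/, "", src)   # strip the port
            n[src]++
        }
        END { for (h in n) print n[h], h }
    ' | sort -rn
}

# hosts_over: stdin = pfctl -ss output; stdout = hosts with more than $1 states.
hosts_over() {
    state_counts | awk -v limit="$1" '$1 > limit { print $2 }'
}

# quarantine: add offenders to <hogs>. Needs root and a running pf, so it is
# not exercised by the sample run below. Run it from cron every few minutes.
quarantine() {
    pfctl -ss | hosts_over "$1" | while read -r host; do
        pfctl -t hogs -T add "$host"
    done
}

# Sample run: per-host state counts from the constructed output.
printf '%s\n' "$SAMPLE_STATES" | state_counts
```

Pick the threshold well below the global state limit so the offender is tabled before the table fills; `pfctl -t hogs -T show` tells you who was caught, and `pfctl -t hogs -T expire 3600` lets them back in after an hour.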
Re: CARP+Pfsync+Bind
On Thu, 6 Oct 2005 16:55:05 +0400 Vladimir Potapov <[EMAIL PROTECTED]> wrote:
> We have 1 server on which running firewall and DNS master service. And
> we planned to install another server for load balancing and redundancy.
> 2 servers (each have running PF and BIND) will balancing load (or one
> will master and other slave) for DNS and PF.
> Does anyone protect DNS service via CARP and PFsync? Does it work?
> Whether there can be problems (for example, with zones transfers, dns
> queries

Zone transfers are on tcp/53, DNS lookups are 53/udp, so:

pass in on $ext_if proto udp from any to $DNS port 53 keep state

and if required:

pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state

I use TinyDNS here, so we don't really need to transfer zones as it's handled with a single data file. CARP can be good with DNS.

--
Regards, Ed http://www.usenix.org.uk
Re: CARP+Pfsync+Bind
On Thu, 6 Oct 2005 15:49:02 -0400 "Dave Anderson" <[EMAIL PROTECTED]> wrote: > That's not quite the whole story: 53/tcp is also used when the > response to a query is too big for a single UDP packet (the resolver > sends a UDP query and gets a 'truncated' UDP reply, so the resolver > retries the query using TCP) -- you should always pass both UDP and > TCP for port 53 to avoid occasional obscure failures. Works fine on the 2 domains where it's been implemented, of which I handled the conversion from BIND style to djbdns. No problems on UDP lookups alone, including some deep CNAMEs, which are just not required, but I'll deal with those at a later date. I haven't seen any problems since the change. Lookup times have improved; I can't state if this is due to the lack of TCP or the file system overheads with zone files, but I expect a mixture of the two. -- Regards, Ed http://www.usenix.org.uk
Re: CARP+Pfsync+Bind
On Thu, 6 Oct 2005 15:07:23 -0500 eric <[EMAIL PROTECTED]> wrote: > On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed... > > > I use TinyDNS here, so we don't really need to transfer zones as it's > > handled with a single data file. CARP can be good with DNS. > > 53/tcp *is* required to answer normal queries. TCP for DNS lookups is probably going to incur latency. I'd rather just block that off and ensure that the DNS being provided does not leak excess > 512 bytes. This might cause some problems with huge round robin lists, but we can all use pf round robin at that level should we require a huge address list. > Since you're drinking djb's koolaid, see > > <http://cr.yp.to/djbdns/tcp.html#why> > > 512-bytes uncommon or a "mistake"? I think not. DJB woke a large portion of the world when he released djbdns; I'd not knock it, and it's pretty good advice at the above URL. -- Regards, Ed http://www.usenix.org.uk
Re: CARP+Pfsync+Bind
On Thu, 6 Oct 2005 19:52:31 -0400 "Dave Anderson" <[EMAIL PROTECTED]> wrote: > Responses long enough so that required information is truncated should > be rare, so perhaps you've been lucky and not encountered any yet. I understand fully what you are saying, but I just don't want to serve DNS via TCP. I'm as sure as I can be that no replies exceed 512 bytes. If it ever becomes a problem I'll use tcpserver to provide it, but it's been fine for a long time, and it's safe, at least in my case, to assume TCP is for zone transfers, YMMV. -- Regards, Ed http://www.usenix.org.uk
Re: Add a PF rule from the command line
On Sun, 09 Oct 2005 14:59:36 -0400 Roy Morris <[EMAIL PROTECTED]> wrote: > I would like to be able to add/remove a rule from > the command line on those systems which > may have only a ram drive and or read only > pf.conf. Anyone know how to do it, or would > you need to create a new pf.conf in memory > someplace and then load it? It's not like iptables where you can load rules at the CLI. The best you can hope for is to look at all your rules with a set of parameters and attempt to make a structure that resembles any type of rule. Then read your pf.conf into the array of structures and then re-write that array as a new pf.conf. If you do the job very well you can use those structures to write the rules out in many different formats and perhaps have yourself a firewall builder. Perhaps you could look at some existing firewall builders and sculpt them into something that suits your requirements. Let us know how you get on; I think the two previous answers are workable for what you are trying to do. You could, if the rules are just pass/block, use a table, which you can access from the command line. -- Regards, Ed http://www.usenix.org.uk
Re: RAID for dummies
On Tue, 11 Oct 2005 21:55:30 +1000 "Rod.. Whitworth" <[EMAIL PROTECTED]> wrote: > RAID 1 (or any RAID really) is NOT a backup. It is a high availability > system. > High availability does NOT mean never unavailable. Hello again Rod, I've been looking at ways to make a redundant and load balanced SAN. As you put it, it's not high reliability; once you get a problem with RAID, or the box that it's attached to, you can consider the data 'unknown'. The best solution that I have seen is, although a bit of overkill, AFS (Andrew File System). It's kerberos based authentication on a token basis. Although I have not implemented it I see that it falls short because the tokens (if used) expire after 10 hours, which might require a cron job (if that fails does hell break loose?). Because it is limited to a single read/write node per volume, I see that a volume would be required for every directory that might take more than a few minutes to replicate to the read only nodes to avoid hammering the read/write node. All the other network distributed file systems seem under developed or unstable. FWIW there is something called DRBD which is considered the closest thing to RAID-0 over a network; it can fail sometimes with flaky results in testing. I have found it to be troublesome when problems occur during sync. Do you or anyone else know of anything that works better? -- Regards, Ed http://www.usenix.org.uk
Re: RAID for dummies
On Tue, 11 Oct 2005 23:58:27 +0200 Joachim Schipper <[EMAIL PROTECTED]> wrote: > On Tue, Oct 11, 2005 at 08:07:49PM +0100, ed wrote: > > FWIW there is something called DRBD which is considered the closest > > thing to RAID-0 over a network, it can fail sometimes with flaky > > results in testing. I have found it to be troublesome when problems > > occur during sync. > > > > Do you or anyone else know of anything that works better? > > DRBD is RAID-1, actually (with n-way replication under development > last time I checked). I assume that was just a typo. ;-) Yeah, was just a brain fart. > I can't say much more. Testing showed that running DRBD is possible > and replication does occur, under fairly non-loaded 'lab' conditions > and only testing failover in case of manually failing drives. However, > I ultimately decided not to pursue DRBD further. > > I haven't looked at AFS too much, but seem to recall not looking into > it further after realizing the Kerberos auth issue you mentioned. AFS clients don't need Kerberos; I think there's some means of turning it off at the bosserver, but I haven't got a lab set up just yet, unfortunately AFS demands a lot of setup before you can really know what you're doing. FWIW don't bother getting the Managing Andrew File System book, Esther Filderman does not recommend it, and she's probably the most famous person on the subject. If you know any good distributed file system software let me know please, it's quite a nagging hole for me. -- Regards, Ed http://www.usenix.org.uk
Re: scponly vs. vsftpd
On Sun, 16 Oct 2005 18:32:24 +0100 Gaby vanhegan <[EMAIL PROTECTED]> wrote: > On 16 Oct 2005, at 15:47, Wijnand Wiersma wrote: > > I thought scponly has chroot functionality builtin. > > Yes it does, and you can't link outside of that chroot. Also, you > have to setup the chroot to have all the files you need, but there is > > a script provided to do this. There is a port available on my site: > > http://vanhegan.net/software/ > > Although I don't have an up to date version. The ports download on > there would let you build a version for 3.7 or 3.8 quite happily. I believe that scponlyc has a possible root exploit caused through a race condition, there's a mention of it in one of the readmes, generally it's not a good idea, shame though as numerous people get problems with passive/active FTP transfers. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~ ~ :wq
Re: Help on pkg_add error
On Sat, 29 Oct 2005 11:47:45 -0700 (PDT) PARAMVIR DHINDSA <[EMAIL PROTECTED]> wrote: > #pkg_add gnome-desktop-2.8.1.tgz > gnome-desktop-2.8.1: Can't find libiconv-1.9.2 > /usr/sbin/pkg_add: libiconv-1.9.2: Fatal error. Try pkg_add http://downloads.planetmirror.com/pub/OpenBSD/3.7/packages/i386/gnome-desktop-2.8.1.tgz I think the problem might be that you downloaded the package to a location on your file system but pkg_add doesn't know where to get the dependencies. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~ ~ :wq
Re: rdr clarification
On Fri, 28 Oct 2005 13:14:16 -0400 Chris Smith <[EMAIL PROTECTED]> wrote: > rdr pass on $ext_if proto tcp from to $ext_ad3 port > ldap -> $server_1 port ldap > > ...where $server_1 is on the other side of $int_if, still needs a pass > out rule on $int_if. The "rdr pass" does not extend through to the > destination but only through the interface the rdr rule is applied to. I think this depends on your block rules. If you have a block rule else where, it may not permit the return packets. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~ ~ :wq
Re: DNS
On Thu, 27 Oct 2005 15:18:42 -0700 (PDT) Mpumi Nu Siyaya <[EMAIL PROTECTED]> wrote: > im located in SA , Johannesburg > there is site i can no longer open , pls help it's : www.gwomen.co.za > > i was wondering if u can provide me with a solution You might want to have a read through DJB's pages, http://cr.yp.to/djbdns.html for help with DNS; it offers a good explanation, although not related to the default install of OpenBSD, it's still good background. Check your /etc/resolv.conf has a valid nameserver. If not either install BIND or dnscache. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net A TCP/IP stack was the worst feature windows ever got ~ ~ :wq
Re: OpenBSD related wallpaper
On Sun, 18 Dec 2005 23:50:02 -0800 (PST) Viktor Berke <[EMAIL PROTECTED]> wrote: > I've found some nice wallpapers here: > > http://www.bsdnexus.com/wallpapers.htm Hummm it promotes bad code: http://www.bsdnexus.com/wallpapers/carry_code_single.jpg Should never allocate memory within the function. At worst, pass the pointer to need_coffee and free the pointer after need_coffee returns. I suppose some might say its possible to do that anyway, but it's just bad practise. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g
low priority, pf rule set debugging
Hello, Just a stab in the dark, does anyone have advice/experience/suggestions for debugging firewall problems? Every now and then I do something which is just brain dead but takes a while to figure out; it's usually a typo in my rule set, but just wondering if there's any tools out there to help show where a given packet will go through the path of the firewall... You're all probably going to tell me this is possible already with some discipline and pfctl -sa. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g
Re: switching IPs
On Wed, 28 Dec 2005 15:26:56 -0500 "Roy Morris" <[EMAIL PROTECTED]> wrote: > What's the best way to switch between say three static ip locations > and one dhcp? I could write a quick script that changes them unless > I am missing something obvious? If a script is the answer then when > is the best time to run it? > > Location 1: > ip profile (xl0) > Location 2: > ip profile (xl0) > Location 3: > ip profile (xl0) > Location 4: (wireless) > dchp If it were me, I'd make three or four scripts called 'home.sh', 'work.sh' etc and just call them when required. -- Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g
pf failover state problem
Hello,

I have the following pf.conf on two identical firewalls, which combine two external ISP connections to a single RFC1918 network, providing complete failover if the ISP drops off the edge of the world. However, I notice that when I force the firewall to fail over the states do not appear to function any longer; new states can be established just fine though. I am wondering if this is related to the tagging, or that the firewall has no default gateway, but neither seem to be definite causes. (As most of the rules repeat I have cut the config to just three IP addresses).

int_network="172.22.96.0/24"
int_if="bge0"
ext_network1="12.22.96.0/24"
ext_if1="dc0"
ext_gw1="12.22.96.1"
ext_network2="94.143.189.0/24"
ext_if2="dc1"
ext_gw2="94.143.189.1"
pri_network="192.168.250.0/24"
pri_if="xl0"
int_carp0="carp0"
ext_carp1="carp1"
ext_carp2="carp2"
outboundports="{ 20,21,22,25,43,53,80,443,,11500,6:65535 }"
mailports="{ 25 }"
webports="{ 80, 443 }"
webmailports="{ 25,80,110,143,443 }"
dnsports="{ 53 }"
webftpports="{ 20,21,80,443,6:65535 }"
fdlports="{ 25,80,11000 }"
table
set limit states 10
scrub in

nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.15 to any -> 94.143.189.15
nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.16 to any -> 94.143.189.16
nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.17 to any -> 94.143.189.17

rdr on $ext_if1 proto tcp from any to 212.22.96.15 port $webports -> 172.22.96.15
rdr on $ext_if2 proto tcp from any to 194.143.189.15 port $webports -> 172.22.96.15
rdr on $ext_if1 proto tcp from any to 212.22.96.17 port $webports -> 172.22.96.17
rdr on $ext_if2 proto tcp from any to 194.143.189.17 port $webports -> 172.22.96.17

block drop log all
block quick on { $ext_if1, $ext_if2 } from
pass out keep state

pass in log on $ext_if1 proto { tcp } from any to 172.22.96.15 port $webports tag EXT_IF1 keep state
pass in log on $ext_if2 proto { tcp } from any to 172.22.96.15 port $webports tag EXT_IF2 keep state
pass in log on $ext_if1 proto { tcp } from any to 172.22.96.17 port $webports tag EXT_IF1 keep state
pass in log on $ext_if2 proto { tcp } from any to 172.22.96.17 port $webports tag EXT_IF2 keep state

pass in log on $int_if route-to { ( $ext_carp2 $ext_gw2 ) } proto { tcp, udp } from $int_network to !$int_network port $outboundports keep state
pass in log on $int_if route-to { ( $ext_carp2 $ext_gw2 ) } proto icmp from $int_network to !$int_network keep state

pass out log on $int_if reply-to ( $ext_carp1 $ext_gw1 ) tagged EXT_IF1 keep state
pass out log on $int_if reply-to ( $ext_carp2 $ext_gw2 ) tagged EXT_IF2 keep state

pass out log on { $ext_if1, $ext_carp1 } route-to ( $ext_carp2 $ext_gw2 ) from { $ext_if2, $ext_carp2 } to any
pass out log on { $ext_if2, $ext_carp2 } route-to ( $ext_carp1 $ext_gw1 ) from { $ext_if1, $ext_carp1 } to any

###
### carp/pfsync specific, must be here like this in order for the failover to work
pass quick on $pri_if proto pfsync
pass quick on { $ext_if1, $ext_if2, $int_if } proto carp keep state

###
### private interface, this is the emergency rule to contact the other
### box should the private/public interface be blocked for some reason,
### we should have this as a reserve
pass quick on $pri_if from $pri_network
pass quick on { lo }

--
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net :%s/Open Source/Free Software/g
Re: propolice
On Thu, 29 Dec 2005 23:33:48 +0100 [EMAIL PROTECTED] wrote:
> #include <string.h>   /* the two header names were lost in the archive; string.h is what strcpy/strncpy need */
> /* second #include: header name lost in the archive */
> char *src = "sehr langer string";
>
> void foo( char * src )
> {
>     char dst[5];
>     strcpy( dst, src );       /* the original unbounded copy: overflows the 5-byte dst, which is what ProPolice is meant to catch */
>     strncpy( dst, src, 4 );   /* bounded alternative: copies at most 4 bytes and leaves room for the terminator */
>     dst[4] = '\0';            /* terminate at the last valid index; the post wrote dst[5], one past the end of dst */
> }

--
Regards, Ed
http://www.usenix.org.uk - http://irc.is-cool.net
:%s/Open Source/Free Software/g
Re: pf failover state problem
On Thu, 29 Dec 2005 23:04:02 -0700 j knight <[EMAIL PROTECTED]> wrote:
> When you compare "pfctl -ss" on either firewall, do you see state
> information being replicated?
>
> The addresses that you're NATing to, are those the carp IPs or the IPs
> on the physical interfaces?

Yes, those IPs are all CARP; each physical interface has its own IP, but these are not used publicly for NATing. The CARP IP on the bge0 network is 172.22.96.1, which is where the responses go (it's the default route for that network). I am away from the firewalls till Tuesday, when I will get the pfctl -ss output.

--
Regards, Ed
http://www.usenix.org.uk - http://irc.is-cool.net
:%s/Open Source/Free Software/g
Re: Two internet connections, one intranet server.
On Sat, 31 Dec 2005 01:29:16 +0100 Gilles LAMIRAL <[EMAIL PROTECTED]> wrote:
> I have 2 internet connections.
> Each one is handled by an Openbsd system.
> Each one has an intERnet address.
> Each one is doing NAT for the intRAnet hosts.
> I have a smtp server (not openbsd) inside the intRAnet,
> its ip address is for example 192.168.35.3.
> I want the smtp server be contacted by both
> public adresses on the internet.
> What can I do ?

You should consider getting more public IP addresses, as you need three public addresses on each external connection, ideally.

> I want c1 be able to connect "directly" to the smtp1 host
> via ob1 or via ob2 depending on the ip used (ob1 or ob2).
>
> [ASCII diagram: c1 -- Internet -- carp if -- ob1 / ob2 -- carp if -- smtp1; the drawing itself did not survive the archive]

You could look at the pf config I posted a couple of days ago; there is one slight problem with it and existing states, but everything else appears ok. http://archives.neohapsis.com/archives/openbsd/2005-12/1829.html

You will also need to publish the address of the SMTP server on two different DNS server IPs, one reachable on the first connection, and one reachable on the second. This will ensure that when one connection fails you are still reachable.

--
Regards, Ed
http://www.usenix.org.uk - http://irc.is-cool.net
:%s/Open Source/Free Software/g
Re: learning to code - suggestions needed
On Tue, 03 Jan 2006 14:35:12 -0800 Joe S <[EMAIL PROTECTED]> wrote:
> Do you have any recommendations on how I should get started?
> * Community college courses?
> * College courses?

Always helpful, if you're not in full time employment.

> * Self-study books?

Probably the best source of information. Choose UNIX environment programming books; they're the most informative. I like this one currently: http://www.amazon.co.uk/exec/obidos/ASIN/0131411543. It covers lots, and is probably not much good to a beginner, so if it's C you're interested in, try this: http://www.amazon.co.uk/exec/obidos/ASIN/0393969452

College courses can be a bit useless unless they cover what you really want to know. Otherwise you will spend three years on a degree course just to learn to code, and that sounds like a waste of time to me. If you want to learn programming, spend 30 mins on the loo with a good book in your hands; it's worth 10 hours in the classroom (added geek points if you have a wireless network and it's the PDF).

--
Regards, Ed
http://www.usenix.org.uk - http://irc.is-cool.net
:%s/Open Source/Free Software/g
Re: pf failover state problem
On Thu, 29 Dec 2005 23:04:02 -0700 j knight <[EMAIL PROTECTED]> wrote:
> When you compare "pfctl -ss" on either firewall, do you see state
> information being replicated?

Yep, I can confirm the states are being copied just fine. I hope someone is still watching this thread!

--
Regards, Ed
http://www.usenix.org.uk - http://irc.is-cool.net
:%s/Open Source/Free Software/g
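One way to check the replication j knight asked about, as an added example that is not part of this thread: a small sh/awk script that compares "pfctl -ss" captures from the master and the backup and lists the states pfsync has not replicated. The two captures embedded below are constructed samples in pfctl -ss format (using the 172.22.96.x servers from the posted pf.conf and documentation addresses for the clients), not output from the author's firewalls.

```shell
#!/bin/sh
# Added example (not from the thread): compare "pfctl -ss" captures taken on
# the master and the backup firewall and list the states that exist on the
# master but were not replicated to the backup by pfsync.
# Real use: "pfctl -ss > master.txt" on one box, "pfctl -ss > backup.txt" on
# the other, then: missing_states master.txt backup.txt
# Both captures below are constructed samples, not real firewall output.

export LC_ALL=C   # identical collation for sort and comm on both inputs

# Reduce one listing to "proto src dir dst [nat-mapping]" keys. The first
# column (interface, "all" or "self") is host-specific and the last column
# (state such as ESTABLISHED:ESTABLISHED) may lag briefly on the peer, so
# neither should count as a replication difference.
state_keys() {
    awk 'NF >= 4 { key = $2; for (i = 3; i < NF; i++) key = key " " $i; print key }' "$1" | sort -u
}

# Print keys present in the master capture but absent from the backup capture.
missing_states() {
    m=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$m"; return 1; }
    state_keys "$1" > "$m"
    state_keys "$2" > "$b"
    comm -23 "$m" "$b"
    rm -f "$m" "$b"
}

PF_MASTER=$(mktemp)
PF_BACKUP=$(mktemp)

# Constructed master listing: two inbound web states, one outbound NAT state
# (pfctl prints the pre-NAT address in parentheses) and one DNS state.
cat > "$PF_MASTER" <<'EOF'
all tcp 172.22.96.15:80 <- 198.51.100.7:40312       ESTABLISHED:ESTABLISHED
all tcp 172.22.96.17:443 <- 203.0.113.9:51022       ESTABLISHED:ESTABLISHED
all tcp 94.143.189.15:40312 (172.22.96.15:40312) -> 203.0.113.25:25       ESTABLISHED:ESTABLISHED
all udp 172.22.96.15:53 <- 198.51.100.20:5353       MULTIPLE:SINGLE
EOF

# Constructed backup listing: the 172.22.96.17:443 state is missing, and the
# NAT state shows a lagging TCP state, which must not be reported.
cat > "$PF_BACKUP" <<'EOF'
all tcp 172.22.96.15:80 <- 198.51.100.7:40312       ESTABLISHED:ESTABLISHED
all tcp 94.143.189.15:40312 (172.22.96.15:40312) -> 203.0.113.25:25       SYN_SENT:CLOSED
all udp 172.22.96.15:53 <- 198.51.100.20:5353       MULTIPLE:SINGLE
EOF

echo "states on master not replicated to backup:"
missing_states "$PF_MASTER" "$PF_BACKUP"
```

Run it on captures taken a few seconds apart on both boxes; a non-empty list that persists across runs points at pfsync, while one that clears itself is just replication delay.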
Re: LCD
On Sat, 21 Jan 2006 00:16:01 -0200 Ricardo Lucas <[EMAIL PROTECTED]> wrote:
> Hello all,
> I know that is not a question for this forum but, anyone here knows a
> serial controller or whatever to use with an old EPSON EG9007D-NS12
> LCD Display?

There should be a controller in x.org, according to this: http://www.thinkwiki.org/wiki/CT-65545. If this article is correct, it suggests the ThinkPad 701 used the same chipset, so I imagine you will have a lot of trouble finding just a controller chip to use the display.

--
Regards, Ed
http://www.usenix.org.uk
:%s/Open Source/Free Software/g
XFCE menu does not load with keyboard shortcut
Hi, I have an issue with XFCE on OpenBSD 6.6 and current on an amd64 system. XFCE works fine except for accessing the applications menu with the Alt + F1 keyboard shortcut. Instead of loading the menu it gets highlighted in grey and nothing happens. Clicking the menu loads it straight away. The shortcut is defined in the keyboard settings as the default for xfce4-popup-applicationsmenu which is different from the shortcut for the desktop menu. Sometimes in another application such as firefox when I press Alt + F1 a second time I get the desktop menu appear, even though firefox is maximised and I'm not on the desktop. I can't confirm at the moment if it is specific to OpenBSD or XFCE in general. Does anyone else have this problem? Regards Ed Gray
Re: XFCE menu does not load with keyboard shortcut
You're right Dumitru, this is an old bug: https://gitlab.xfce.org/xfce/xfce4-panel/-/issues/201 I have been using XFCE for a very long time and in the past there was always a keyboard shortcut to open the applications menu on the panel directly. There is a separate shortcut to open the desktop menu (which Robb at y42 mentioned). I suppose we just have to wait for it to be fixed upstream. The .xsession-errors file was the right place to look which was helpful for me so thanks for that Robb. Regards Ed Gray On Wed, 24 Jun 2020 at 09:07, Dumitru Moldovan wrote: > On Tue, Jun 23, 2020 at 07:33:20PM +0100, Ed Gray wrote: > >Hi, > > > >I have an issue with XFCE on OpenBSD 6.6 and current on an amd64 system. > >XFCE works fine except for accessing the applications menu with the Alt + > >F1 keyboard shortcut. Instead of loading the menu it gets highlighted in > >grey and nothing happens. Clicking the menu loads it straight away. > > > >The shortcut is defined in the keyboard settings as the default for > >xfce4-popup-applicationsmenu which is different from the shortcut for the > >desktop menu. Sometimes in another application such as firefox when I > press > >Alt + F1 a second time I get the desktop menu appear, even though firefox > >is maximised and I'm not on the desktop. > > > >I can't confirm at the moment if it is specific to OpenBSD or XFCE in > >general. > > > >Does anyone else have this problem? > > Have seen this on Void Linux as well. Family member needed Netflix on > her laptop, so I couldn't push OpenBSD, even though it ran fine. (Had > to check, and by the way, it was surprising to see how much slower it > ran compared to Alpine or Void.) > > But this is an older Xfce bug, I remember having similar issues when > I last gave it a shot. This used to work reliably in older versions > though, back when Xfce was based on GTK+ 2.x. > > To end in a positive note, one thing I learned on my OpenBSD adventure > is "the best desktop is no desktop". 
cwm never fails to open its > menus. Keep it stupid simple. > >
Using ports and updates to the release
Hi, I'm still fairly new to openbsd and the idea of using ports in general rather than binary packages. Is it necessary to keep the ports tree updated if using a release version of openbsd e.g. pulling the stable tree from CVS before building new software? Regards Ed Fray
Re: kernel reordering and config -e
On Mon, 20 Nov 2017, Theo de Raadt wrote: If someone wants to solve this fully there have been some proposals for keeping track of the instruction sequence, and attempting to reapply it upon each relink in the build directory. There just hasn't been any scripting changes to do that from anyone, and it isn't on my radar as important. How about making reorder_kernel do something like: $ if test -f /etc/ukc.conf; then Hmm... I can't seem to find a patch in there anywhere. No patch from OP yet, so how about this: for someone needing config -e it's probably sufficient if /usr/libexec/reorder_kernel checks for a post-processing script, and invokes it if present and executable. If the patch is acceptable, I'll post a sample post-processing script that, for config -f -e, should only need one parameter change for specific needs. Patch (against 6.2 stable): --- usr/libexec/reorder_kernel.orig Tue Oct 3 23:13:27 2017 +++ usr/libexec/reorder_kernel Wed Nov 22 09:30:27 2017 @@ -30,6 +30,8 @@ LOGFILE=$COMPILE_DIR/$KERNEL/relink.log PROGNAME=${0##*/} SHA256=/var/db/kernel.SHA256 +# optional local postprocessing, e.g. config -e +POSTPROC=/etc/after-karl # Create kernel compile dir and redirect stdout/stderr to a logfile. mkdir -m 700 -p $COMPILE_DIR/$KERNEL @@ -55,6 +57,11 @@ cd $COMPILE_DIR/$KERNEL make newbsd make newinstall + +# optional local postprocessing, e.g. config -e +if [[ -f $POSTPROC && -x $POSTPROC ]]; then + "$POSTPROC" /bsd "$SHA256" /dev/stdout +fi echo "\nKernel has been relinked and is active on next reboot.\n" cat $SHA256
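Review bot: the POSTPROC path introduced in the first hunk (@@ -30,6 +30,8 @@) is executed as root on every relink but is documented nowhere; the comment `# optional local postprocessing, e.g. config -e` should state the calling convention the second hunk relies on (kernel path, SHA256 file, log destination) and the hook location should be mentioned in the script's manual page, so that an administrator auditing /etc knows what an unexpected /etc/after-karl means. The identical comment is repeated in the second hunk; one copy is enough.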
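Review bot: in the second hunk (@@ -55,6 +57,11 @@) the hook is run after only `-f` and `-x` tests and its exit status is ignored. Because it executes as root right after `make newinstall` and is handed the freshly installed kernel and its SHA256 file, it should additionally be required to be owned by root and not writable by group or others before it is executed, and a non-zero return should abort (or at least be logged) instead of falling through to `echo "\nKernel has been relinked and is active on next reboot.\n"` and `cat $SHA256`, which would report success for a kernel the hook may have left half-modified.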
no video on resume
Hi, I just managed to set up OpenBSD on my system (MSI mini-ITX with A8-7600 AMD APU, Kaveri). I set up apm with the flag "-A" in /etc/rc.local.conf and apmd runs after boot. The problem is that there is no video after the system resumes (same result under X or on a virtual terminal, even when no X was loaded). It is working, as I can type in "blind" mode, so I can reboot the system. Do I need to set up any extra params in conf files?

many thanks
ed
Re: Using ports and updates to the release
Hi Marc, Thanks for your reply. I think maybe this belongs to ports more than misc. But it's a general query about releases and ports as well. My question was actually about updating the ports tree from an older release version before trying to use it rather than whether to use ports or packages. I installed 6.2 release I believe and later upgraded to 6.6 release. I pulled the release version of ports at some point and later tried to build a port which failed due to an outdated dependency. My version of the ports tree was outdated but even the newer 6.6 stable version was also outdated. When I sent my original email 6.6 was still one of the supported releases along with 6.7. I guess my question is if I run 6.x release and want to build port xyz can I expect a port to build using the ports tree that came with the 6.x release or must I always use at least the stable version of the ports tree? The following question is then if I have a problem building a port due to an outdated dependency on a supported release should I report it as an issue with the port even if a newer release of openbsd does not have the issue? Regards Ed Gray On Wed, 28 Oct 2020, 7:07 am Marc Espie, wrote: > On Sun, Oct 11, 2020 at 09:12:13PM +0200, Ingo Schwarze wrote: > > Hi Ed, > > > > Ed Gray wrote on Sun, Oct 11, 2020 at 07:21:32PM +0100: > > > > > I'm still fairly new to openbsd and the idea of using ports > > > in general rather than binary packages. > > > > You are usually better off using packages than using ports, > > especially as a new user. > > > > Even as an experienced user doing lots of development and minor > > amounts of ports development, i use packages most of the time. > > As one of the persons *responsible* for keeping the ports system > working, I do use packages all the time. > > Ports are on my development setup. > > The machine I write this mail from uses packages, > with about 3 ports that are just there because not committed yet. >
Re: Using ports and updates to the release
Thanks Stuart, That was quite a complete answer. I think in my case to be certain any errors I might find using ports are not due to something outdated on my system I should follow your instructions and pull the updated CVS first especially after doing a release upgrade. Regards Ed Gray On Thu, 29 Oct 2020, 10:35 am Stuart Henderson, wrote: > On 2020-10-28, Ed Gray wrote: > > Hi Marc, > > > > Thanks for your reply. I think maybe this belongs to ports more than > misc. > > But it's a general query about releases and ports as well. > > > > My question was actually about updating the ports tree from an older > > release version before trying to use it rather than whether to use ports > or > > packages. > > The ports tree does not install things directly, it *always* builds > packages. > "make install" runs pkg_add to install the locally built package. Unless > you > modify the ports or there's some non-deterministic build behaviour (which > would > usually be considered a bug in the port) there's no difference whether you > build it yourself or use a pre-built package, just an increased chance of > frustration if things don't work (and there are more things that can go > wrong). > > > I installed 6.2 release I believe and later upgraded to 6.6 release. I > > pulled the release version of ports at some point and later tried to > build > > a port which failed due to an outdated dependency. My version of the > ports > > tree was outdated but even the newer 6.6 stable version was also > outdated. > > When I sent my original email 6.6 was still one of the supported releases > > along with 6.7. > > > > I guess my question is if I run 6.x release and want to build port xyz > can > > I expect a port to build using the ports tree that came with the 6.x > > release or must I always use at least the stable version of the ports > tree? 
> > If you run release X.Y then the supported options are to use a ports tree > with > cvs tag OPENBSD_X_Y_BASE (the tree at the time of release) or OPENBSD_X_Y > (-stable). > > > The following question is then if I have a problem building a port due to > > an outdated dependency on a supported release should I report it as an > > issue with the port even if a newer release of openbsd does not have the > > issue? > > Excepting minor problems (not usually seen for releases but sometimes seen > in > -current) the tree at a particular checkout should be internally > consistent, > the dependencies needed are in that tree. We build complete sets of > packages > on the faster architectures several times a week so problems with this > would > show up. > > If you mean an outdated dependency *on your system* rather than in the > ports > tree then that would be because you haven't updated installed packages > first. > (There will also likely be a mixture of library versions that will cause > conflicts if you build ports with the system in this stage). > > If you really want to build from ports to update your system then you > either > need to deal with figuring out which to build first to avoid incorrect > combinations (noting that some ports cannot be built, or cannot be > *correctly* > built, while an older version of themselves is already installed), or > uninstall > all packages and build the complete set that you want. > > Otherwise the standard procedure is update base, pkg_add -u, cvs up the > ports > tree for the branch that matches the OpenBSD version you're running, and > then > you can expect that versions of dependencies are usually correct (special > case: > if you run a slow architecture with -current snapshots, the package > snapshot > might be too old to be useful, in that case you will need to build a bunch > more yourself). > > >
Re: Supported PCI USB 3 cards
Has there been a lot of work on this in the last two releases? I cannot provide further details at the moment but with 6.6 I was unable to use a Samsung 1TB USB3 HDD with the onboard USB 3 ports on my desktop and had to use USB 2.0 instead. The drive was not picked up in dmesg output at all. Looks like it has an NEC chip:

xhci0 at pci4 dev 0 function 0 "NEC xHCI" rev 0x03: msi, xHCI 0.96
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "NEC xHCI root hub" rev 3.00/1.00 addr 1

Motherboard is ZOTAC 880GA-ITX-AE, which is an AMD AM3 board with "AMD RS880 Host" and "AMD RS780 PCIE". I know it's rather old hardware now and a bit specialist being ITX but I would expect these NEC chips to be bundled on quite a few boards.

Regards
Ed Gray

On Wed, 9 Dec 2020, 8:51 am Nils Blomqvist, wrote:
> On 27 Nov 2020, at 17:12, Theo de Raadt wrote:
>
> > Nils Blomqvist wrote:
> >
> >> I need a PCI card with USB 3 ports. Something like this is what I
> >> had in mind: https://amzn.to/2V8NgtT (SEDNA - PCI Express USB 3.1).
> >>
> >> Can anyone point me in the right direction for finding out if a
> >> particular card is supported, or a list of supported ones?
> >
> > All PCI USB cards should work fine.
>
> Follow-up: I got the above mentioned card which worked without a hitch.
Installation overwritten... Accidental disklabel and newfs
Hi, So I was upgrading my box to 6.8 and managed to accidentally overwrite my disklabel and filesystems. I ran install instead of upgrade and stopped after the filesystem creation when I realized my mistake (see ending paragraphs). The new disklabel was different due to auto allocation changes and newfs has written new data on the disk but the install went no further. I cannot work out exactly where /usr should start because I adjusted some of the auto allocations in the past and I don't therefore know what positions the volumes start at. I have backups and will probably not have lost anything important but I just wondered if anyone had any suggestions as to whether this is fixable and what steps to take before I give up and re-install? I followed a how-to I found which suggested using scan_ffs to rebuild my disklabel but it's finding some of the volumes and not all of them. I am running testdisk as I believe it supports UFS and disklabels and might detect the starting positions of my filesystems if not the data itself. I have also read the FAQ on data recovery. I know this is an odd question but it might help someone in future as well. For background wanting to upgrade 6.7 to 6.8 I was running bsd.rd with the intention of resizing /usr because it became full. On running disklabel sd0 I found my disk was not available and I know from past experience that the installer picks up my SATA HDD but I can't access it until that happens. I ran the install program intending to stop after disk detection and when it got to the disklabel creation I forgot that pressing q results in continuation of the install rather than cancelling the process. I know this is by design in disklabel itself and I should have remembered to press x instead but maybe I'm not the first to try this approach. In my case I wanted to see the disklabel allocation for comparison. I suppose I at least didn't run "rm -rf *"... Regards Ed Gray
Re: Installation overwritten... Accidental disklabel and newfs
Okay, thanks Stuart. I have left testdisk running a deep scan and will see if it finds my /var. I know I'll still have to mount the partitions and I don't know if an fsck would be able to fix any damage done by newfs. I think at this point I'm better off starting again as like others I've done many upgrades. It's probably not worth trying to fix for the sake of getting a few configuration files and settings back and maybe some files I have elsewhere. I would be interested in finding out a way to access my SATA HDD (sd0) with disklabel and other tools on the ramdisk without first running the install or upgrade programs. Regards Ed Gray On Wed, 10 Feb 2021, 8:33 am Stuart Henderson, wrote: > On 2021-02-09, Ed Gray wrote: > > I have backups and will probably not have lost anything important but I > > just wondered if anyone had any suggestions as to whether this is fixable > > and what steps to take before I give up and re-install? I followed a > how-to > > I found which suggested using scan_ffs to rebuild my disklabel but it's > > finding some of the volumes and not all of them. > > If you were able to recover /var, check in /var/backups where you will > hopefully find some disklabel.* files. > > scan_ffs does not support FFS2, previously used only for large > filesystems but on newer installations now used for all filesystems. > > >
Re: Installation overwritten... Accidental disklabel and newfs
Hi Otto,

Thanks for your reply. This is what I see on a shell from bsd.rd when I try to access the first SATA HDD.

# disklabel sd0
disklabel: /dev/rsd0: no such file or directory
# disklabel sd0c
disklabel: /dev/rsd0c: no such file or directory

Same for rsd0 and rsd0c. The device nodes don't exist until the install or upgrade program detects the disk and creates them. Likewise for wd0, although that is outdated for ahci disks.

Dmesg identifies the disk as:
sd0 at scsibus0 targ0 lun0 ATA ST1000DM003...
sd0 953869mb

This is why I had to run the install program and accidentally went too far. It would be helpful to be able to use disklabel and other tools such as newfs, growfs without running through the installer. In my case I forgot that the installer continues automatically with the next command and also used the wrong switch to disklabel. It's a good thing I take backups seriously nowadays.

Regards
Ed Gray

On Wed, 10 Feb 2021, 3:52 pm Otto Moerbeek, wrote:
> On Wed, Feb 10, 2021 at 03:35:06PM +, Ed Gray wrote:
>
> > Okay, thanks Stuart.
> >
> > I have left testdisk running a deep scan and will see if it finds my /var.
> > I know I'll still have to mount the partitions and I don't know if an fsck
> > would be able to fix any damage done by newfs.
> >
> > I think at this point I'm better off starting again as like others I've
> > done many upgrades. It's probably not worth trying to fix for the sake of
> > getting a few configuration files and settings back and maybe some files I
> > have elsewhere.
> >
> > I would be interested in finding out a way to access my SATA HDD (sd0) with
> > disklabel and other tools on the ramdisk without first running the install
> > or upgrade programs.
>
> If you start a shell on the initial prompt of a bsd.rd boot you get a
> shell and a fine selection of commands that are useful for recovery.
> > -Otto > > > > > Regards > > Ed Gray > > > > On Wed, 10 Feb 2021, 8:33 am Stuart Henderson, > wrote: > > > > > On 2021-02-09, Ed Gray wrote: > > > > I have backups and will probably not have lost anything important > but I > > > > just wondered if anyone had any suggestions as to whether this is > fixable > > > > and what steps to take before I give up and re-install? I followed a > > > how-to > > > > I found which suggested using scan_ffs to rebuild my disklabel but > it's > > > > finding some of the volumes and not all of them. > > > > > > If you were able to recover /var, check in /var/backups where you will > > > hopefully find some disklabel.* files. > > > > > > scan_ffs does not support FFS2, previously used only for large > > > filesystems but on newer installations now used for all filesystems. > > > > > > > > > >
Re: Installation overwritten... Accidental disklabel and newfs
Thanks for the answers. I will make a note of this command. I have now installed 6.8 and am gradually getting my settings and software back.

Regards
Ed Gray
https://www.linkedin.com/in/ed-gray-55079422

On Wed, 10 Feb 2021 at 19:25, Ian Darwin wrote:
> > The device nodes don't exist until the install or upgrade program detects
> > the disk and creates them.
> >
> > Likewise for wd0, although that is outdated for ahci disks.
> >
> > Dmesg identifies the disk as:
> > sd0 at scsibus0 targ0 lun0 ATA ST1000DM003...
> > sd0 953869mb
> >
> > This is why I had to run the install program and accidentally went too far.
> >
> > It would be helpful to be able to use disklabel and other tools such as
> > newfs, growfs without running through the installer.
>
> When booted into the installer, just do CTRL/C to kill the install script.
> Then do:
> cd /dev; sh MAKEDEV sd0 wd0 sd1 # or whatever devices you need
> Problem solved: you can now do "disklabel and other tools" without
> risk of destroying your filesystems. At least, not having the installer
> do it. With these tools most people are quite capable of destroying
> filesystems.
Zotac 880GITX-A-E amd64 Onboard NEC USB3 does not work.
TI SB700 USB
0:22:2: ATI SB700 USB2
0:24:0: AMD 10h HyperTransport
0:24:1: AMD 10h Address Map
0:24:2: AMD 10h DRAM Cfg
0:24:3: AMD 10h Misc Cfg
0:24:4: AMD 10h Link Cfg
1:5:0: ATI Radeon HD 4250
1:5:1: ATI Radeon HD 4200 HD Audio
2:0:0: Atheros AR9285
3:0:0: Realtek 8168
4:0:0: NEC xHCI

pcidump -v

Error after 3:0:0: Realtek 8168:
pcidump: PCIOCGETVPD: Input/output error
00 00 00 00 00 00 00 00 00\^@\^@\^@\^C 00 00 00 00\^@\^@\M^@ 00 00 00 00
2c: [|vpd]

4:0:0: NEC xHCI
0x: Vendor ID: 1033, Product ID: 0194
0x0004: Command: 0106, Status: 0010
0x0008: Class: 0c Serial Bus, Subclass: 03 USB, Interface: 30, Revision: 03
0x000c: BIST: 00, Header Type: 00, Latency Timer: 00, Cache Line Size: 10
0x0010: BAR mem 64bit addr: 0xfe9fe000/0x2000
0x0018: BAR empty ()
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS:
0x002c: Subsystem Vendor ID: Product ID:
0x0030: Expansion ROM Base Address:
0x0038:
0x003c: Interrupt Pin: 01 Line: 07 Min Gnt: 00 Max Lat: 00
0x0050: Capability 0x01: Power Management State: D0
0x0070: Capability 0x05: Message Signalled Interrupts (MSI) Enabled: yes
0x0090: Capability 0x11: Extended Message Signalled Interrupts (MSI-X) Enabled: no; table size 8 (BAR 0:4096)
0x00a0: Capability 0x10: PCI Express Link Speed: 5.0 / 5.0 GT/s, Link Width: x1 / x1
0x0100: Enhanced Capability 0x01: Advanced Error Reporting
0x0140: Enhanced Capability 0x03: Device Serial Number Serial Number:
0x0150: Enhanced Capability 0x18: Latency Tolerance Reporting

Controller /dev/usb0:
addr 01: 1033: NEC, xHCI root hub
Controller /dev/usb1:
addr 01: 1002: ATI, EHCI root hub
Controller /dev/usb2:
addr 01: 1002: ATI, EHCI root hub
addr 02: 1a40:0101 Terminus Technology, USB 2.0 Hub
addr 03: 05e3:0608 Genesys Logic, USB2.0 Hub
addr 04: 1bcf:0005 Sunplus, USB Optical Mouse
addr 05: 046d:c31b Logitech, Logitech USB Keyboard
Controller /dev/usb3:
addr 01: 1002: ATI, EHCI root hub
Controller /dev/usb4:
addr 01: 1002: ATI, OHCI root hub
Controller /dev/usb5:
addr 01: 1002: ATI, OHCI root hub
Controller /dev/usb6:
addr 01: 1002: ATI, OHCI root hub
Controller /dev/usb7:
addr 01: 1002: ATI, OHCI root hub

usbdevs -v

Controller /dev/usb0:
addr 01: 1033: NEC, xHCI root hub
         super speed, self powered, config 1, rev 1.00
         driver: uhub0

Regards
Ed Gray
https://www.linkedin.com/in/ed-gray-55079422
Re: Zotac 880GITX-A-E amd64 Onboard NEC USB3 does not work.
If anyone is able to help me try to find a solution to this issue please contact me directly and I will copy the list. I have a current system that I can test with as well but it needs upgrading to the latest snapshot. In the meantime I think I will try connecting other USB devices to confirm if anything at all is detected as I have so far only used the USB 3.0 ports with this drive. If the firmware is the issue I would be interested in any suggestions as to where I might search for an official firmware download as I cannot find one from Renesas or NEC.

Regards
Ed Gray
https://www.linkedin.com/in/ed-gray-55079422

On Wed, 10 Feb 2021 at 21:43, Ed Gray wrote:
>
> Hi,
>
> My main OpenBSD system is a Mini-ITX PC that I built myself using the
> Zotac 880GITX-A-E amd64 AM3 motherboard. It is running an AMD Phenom
> II X2 555 processor and AMD RS880 / RS780 chipset.
>
> The onboard NEC USB3 PCI-E chip does not work. I have tested it with a
> Samsung M3 1TB external USB3 HDD. I have been unable to use this hard
> drive with any version of OpenBSD from 6.1 to 6.8 on USB3. The drive
> works fine plugged into a USB2 port. The drive powers up but is
> undetected by usbdevs or dmesg. USB3 is enabled in the system BIOS /
> UEFI.
> > dmesg, pcidump and usbdevs below:
> >
> > [dmesg output omitted; the copy in the archive is truncated]
OpenBSD NTFS experience
Hi,

Has anyone had experience using NTFS with OpenBSD and if so any pointers particularly around performance and any problems encountered? I realise NTFS is probably not used by many people but I have an external drive which is formatted with it.

It would be useful to know if anyone is using the read-only NTFS driver or ntfs-3g port successfully and if there are any known bugs with these.

Regards
Ed Gray
https://www.linkedin.com/in/ed-gray-55079422
Re: OpenBSD NTFS experience
Thanks for your reply Maurice,

I tried the read-only driver on an earlier version maybe 6.6 and it crashed. I wasn't able to debug it myself but I suppose it could have been my external hard drive, the NTFS version or a particular file that caused that issue as it happened with a large data copy and a particularly large file (multiple GB).

I'm finding poor performance with USB drives on 6.8 with a hard disk and a card reader. It could be ntfs-3g with the hard drive but the card is FAT32. I am wondering if it's to do with the default shm kernel variables or maxfiles and such. It causes various hangs in thunar file manager.

I previously had increased shm variables because of a KDE application recommending it for lots of file accesses.

I know ntfs-3g is using FUSE rather than a native driver.

Regards
Ed Gray

On Sun, 21 Feb 2021, 6:51 pm Maurice McCarthy, wrote:
> Native read-only support is excellent.
> I find writing with ntfs-3g quite a lot slower than native Windows
> Best
>
Re: OpenBSD NTFS experience
My latest issue with NTFS was that my external drive stopped responding and caused Thunar to hang. After this my entire session hung until I killed it with Ctrl + Alt + Backspace.

It seems the rsync data copy I did completed properly but the mount stopped responding after some time of the PC being unused. Any attempts to access the mounted directory caused a hang of the terminal or process.

I can now see with atactl that my USB hard drive supports power management and looks to be in standby mode when not in use. I am wondering if maybe the drive goes into standby or powers down and that causes the mount to stop working or if it is a bug in NTFS-3G support or something else.

This time I am going to run ntfs-3g with the debug mode enabled in no_detach to determine if there are any errors when the drive is left connected but unused.

It outputs the following on successful mount:

Version 2017.3.23 external FUSE 26
Mounted /dev/sd2i (Read-Write, label "SAMSUNG", NTFS 3.1)
Cmdline options: no_detach
Mount options: allow_other,nonempty,relatime,fsname=/dev/sd2i,blkdev,blksize=4096
Ownership and permissions disabled, configuration type 1

Regards
Ed Gray
https://www.linkedin.com/in/ed-gray-55079422

On Sun, 21 Feb 2021 at 19:15, Ed Gray wrote:
>
> Thanks for your reply Maurice,
>
> I tried the read-only driver on an earlier version maybe 6.6 and it crashed.
> I wasn't able to debug it myself but I suppose it could have been my external
> hard drive, the NTFS version or a particular file that caused that issue as
> it happened with a large data copy and a particularly large file (multiple
> GB).
>
> I'm finding poor performance with USB drives on 6.8 with a hard disk and a
> card reader. It could be ntfs-3g with the hard drive but the card is FAT32. I
> am wondering if it's to do with the default shm kernel variables or maxfiles
> and such. It causes various hangs in thunar file manager.
> > I previously had increased shm variables because of a KDE application > recommending it for lots of file accesses. > > I know ntfs-3g is using FUSE rather than a native driver. > > Regards > Ed Gray > > On Sun, 21 Feb 2021, 6:51 pm Maurice McCarthy, wrote: >> >> Native read-only support is excellent. >> I find writing with ntfs-3g quite a lot slower than native Windows >> Best
Re: OpenBSD NTFS experience
ere:

myname# mount
/dev/sd0a on / type ffs (local)
/dev/sd0k on /home type ffs (local, nodev, nosuid)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev)
/dev/sd0g on /usr/X11R6 type ffs (local, nodev)
/dev/sd0h on /usr/local type ffs (local, nodev, wxallowed)
/dev/sd0j on /usr/obj type ffs (local, nodev, nosuid)
/dev/sd0i on /usr/src type ffs (local, nodev, nosuid)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
fusefs on /mnt/local/hdd type fuse (local)

myname# disklabel -p m /dev/sd2c
# /dev/sd2c:
type: SCSI
disk: SCSI disk
label: M3 Portable
duid:
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 121601
total sectors: 1953525168 # total bytes: 953869.7M
boundstart: 0
boundend: 1953525168
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:        953869.7M                0  unused
  i:        720201.0M               64  NTFS
  j:        233667.0M       1474971648  MSDOS

atactl reports:

myname# atactl sd2
Model: ST1000LM025 HN-M101ABB, Rev: 2BA30003, Serial #: E7663G94AA5CEY
Device type: ATA, fixed
Cylinders: 16383, heads: 16, sec/track: 63, total sectors: 1953525168
Device capabilities:
        ATA standby timer values
        IORDY operation
        IORDY disabling
Device supports the following standards:
ATA-1 ATA-2 ATA-3 ATA-4 ATA-5 ATA-6 ATA-7 ATA-8
Master password revision code 0xfffe
Device supports the following command sets:
        NOP command
        READ BUFFER command
        WRITE BUFFER command
        Host Protected Area feature set
        Read look-ahead
        Write cache
        Power Management feature set
        Security Mode feature set
        SMART feature set
        Flush Cache Ext command
        Flush Cache command
        Device Configuration Overlay feature set
        48bit address feature set
        Automatic Acoustic Management feature set
        Set Max security extension commands
        Set Features subcommand required
        Power-up in standby feature set
        Advanced Power Management feature set
        DOWNLOAD MICROCODE command
        IDLE IMMEDIATE with UNLOAD FEATURE
        SMART self-test
        SMART error logging
Device has enabled the following command sets/features:
        NOP command
        READ BUFFER command
        WRITE BUFFER command
        Host Protected Area feature set
        Read look-ahead
        Write cache
        Power Management feature set
        SMART feature set
        Flush Cache Ext command
        Flush Cache command
        Device Configuration Overlay feature set
        48bit address feature set
        Set Features subcommand required
        DOWNLOAD MICROCODE command

Regards
Ed Gray
https://www.linkedin.com/in/ed-gray-55079422

On Mon, 22 Feb 2021 at 17:26, Ed Gray wrote:
>
> My latest issue with NTFS was that my external drive stopped
> responding and caused Thunar to hang. After this my entire session
> hung until I killed it with Ctrl + Alt+ backspace.
>
> It seems the rsync data copy I did completely properly but the mount
> stopped responding after some time of the PC being unused. Any
> attempts to access the mounted directory caused a hang of the terminal
> or process.
>
> I can now see with atactl that my USB hard drive supports power
> management and looks to be in standby mode when not in use. I am
> wondering if maybe the drive goes into standby or powers down and that
> causes the mount to stop working or if it is a bug in NTFS-3G support
> or something else.
>
> This time I am going to run ntfs-3g with the debug mode enabled in
> no_detach to determine if there are any errors when the drive is left
> connected but unused.
>
> It outputs the following on successful mount:
>
> Version 2017.3.23 external FUSE 26
> Mounted /dev/sd2i (Read-Write, label "SAMSUNG", NTFS 3.1)
> Cmdline options: no_detach
> Mount options:
> allow_other,nonempty,relatime,fsname=/dev/sd2i,blkdev,blksize=4096
> Ownership and permissions disabled, configuration type 1
>
> Regards
> Ed Gray
> https://www.linkedin.com/in/ed-gray-55079422
>
> On Sun, 21 Feb 2021 at 19:15, Ed Gray wrote:
> >
> > Thanks for your reply Maurice,
> >
> > I tried the read-only driver on an earlier version maybe 6.6 and it
> > crashed. I wasn't able to debug it myself but I suppose it could have been
> > my external hard drive, the NTFS version or a particular file that caused
> > that issue as it happened with a large data copy and a particularly large
> > file (multiple GB).
> >
> > I'm finding poor performance with USB drives on 6.8 with a hard disk and a
> > card reader. It could be ntfs-3g with the hard drive but the card is FAT32.
> > I am wondering if it's to do with the default shm kernel variables or
> > maxfiles and such. It causes various hangs in thunar file manager.
> >
> > I previously had increased shm variables because of a KDE application
> > recommending it for lots of file accesses.
> >
> > I know ntfs-3g is using FUSE rather than a native driver.
> >
> > Regards
> > Ed Gray
> >
> > On Sun, 21 Feb 2021, 6:51 pm Maurice McCarthy, wrote:
> >>
> >> Native read-only support is excellent.
> >> I find writing with ntfs-3g quite a lot slower than native Windows
> >> Best
Re: Window Manager performance impact on applications
Hi Mihai,

What do you mean by slow moving? Are window operations like moving the window, maximizing, iconify slow or is Firefox slow performing?

If it's Firefox, I have not had any issues on 6.8 but perhaps check the pkg-readme file if you haven't already for Cwm and Firefox.

I don't know any security reason not to run fvwm 2 although it's older than others. Maybe worth confirming if this is just an issue with the last snapshot and providing more details.

Different window managers can certainly provide better general performance especially with low memory or older hardware but I'm not aware of any technical reasons why Firefox should be significantly faster with one rather than another. You'd still be using gtk either way I imagine.

Regards
Ed Gray

On Wed, 3 Mar 2021, 3:48 pm Mihai Popescu, wrote:
> Hello,
>
> Technically speaking, is it possible for a window manager to have a
> performance impact on running applications in the GUI area?
>
> Real case: i had to run firefox very fast on a fresh snapshot install, so i
> used the default fvwm instead of cwm. The graphical response is instant,
> much much better than cwm. I tried twm, firefox was slow moving too. The
> configuration for firefox is the same on all WM.
> Is it possible, or is it my imagination?
>
> If that's the case, is it advisable to run fvwm from base? Is it too old
> and should be avoided?
>
> Thank you/
>
Re: 6.8 with gnome boots to xterm after upgrade
Hi Sivan,

I think you need to provide more details on your problem if you want some help, at least a log from X and what is in your .xsession file. You also mentioned errors but don't say what they are.

Did you upgrade the packages each time you upgraded the system?

Regards
Ed Gray

On Wed, 3 Mar 2021, 5:12 pm Sivan !, wrote:
> After sysupgrade -s, during which there were two or more automatic
> reboots, freebsd, upgraded to 6.9 booted after asking password for ssh key,
> and started with xvterm console. Startx attempted to switch to gui, but
> returned errors.
>
> Please advise.
>
> Thank you
>
Re: 6.8 with gnome boots to xterm after upgrade
Hi Sivan,

Sorry I've not had a chance to look at everything you sent.

Firstly the message about SSH keys sounds normal as this is part of a normal X session startup. I suspect you have a key that has changed or needs a passphrase entered and it's just picking it up when you try to start X.

The command history looks strange, you're running shutdown and reboot and then other commands, unless these are from another session?

OpenBSD needs the -h option to both shutdown and power off the machine or -r for reboot.

Where is your startx program and is it a custom program?

If you have done unintended upgrades and your /usr is also full it's going to cause all sorts of problems. I would recommend reinstalling a release from scratch if you can. Alternatively when the boot program runs you can choose bsd.rd to get the installer ramdisk and manually repair from there but it's a rather complex process. On my system I had to boot bsd.rd, type s for shell, run the MAKEDEV script in /dev to create device nodes and then run disklabel manually to rearrange volumes to make space. You would also need to grow or shrink the volumes.

Regarding further troubleshooting of X sessions I would recommend moving .xsession to .xsession.bak and starting with a fresh configuration. I would need to understand more about how you are starting gnome like more details of any changes you made to the standard installation.

Regards
Ed Gray

On Fri, 5 Mar 2021, 12:03 am Sivan !, wrote:
> Dear Stuart Henderson.
>
> I ran sysmerge.
>
> I posted, earlier in this thread, 11 images in response to Ed Gray's
> comment that I had not shared sufficient details. In addition there
> are four more images attached here that I think are important.
>
> One of these four images show the output of sysmerge and startx commands.
> Another is a screenshot of a strange prompt that appears before boot, > it asks for the ssh password - not an encryption password, which > might be understandable, if I had an encrypted disk, I haven't > encrypted -- so why does it ask for the ssh password, before asking > for a login password in X Term? > Two more pictures show the reboot sequence that is some sort of a loop > when shutdown now command is issued as user or root, from x Term, then > the main screen command line is seen flashing the status, and > invariably reboots the system in X Term. This happened in gnome (or > gde) before the accidental upgrade to 6.9 beta and happens in x Term > in 6.9 beta. > > Thank you. > > On Thu, 4 Mar 2021 at 14:10, Stuart Henderson wrote: > > > > On 2021-03-03, Sivan ! wrote: > > > After sysupgrade -s, during which there were two or more automatic > > > reboots, freebsd, upgraded to 6.9 booted after asking password for ssh > key, > > > and started with xvterm console. Startx attempted to switch to gui, but > > > returned errors. > > > > > > Please advise. > > > > > > Thank you > > > > > > > Make sure you have run sysmerge. > > > > If that doesn't help then we need more than just "returned errors" - > *what* errors? > > >
Re: 6.8 with gnome boots to xterm after upgrade
Hi Sivan,

If you have a separate issue it's best to write a new email to the list with an appropriate subject, then it will make more sense to those reading or following.

It does sound like you have a few different issues here and I'm not sure I understand your configuration. I also think you might benefit from reading the documentation particularly the INSTALL file, the FAQs and afterboot man page. It seems like you don't understand some of the fundamental differences between OpenBSD and other systems. Particularly the disk layout.

Regards
Ed Gray

On Mon, 8 Mar 2021, 7:27 pm Sivan !, wrote:
> Thank you. One unresolved issue. While running fetch, there was an
> error pop up that said /usr directory is out of space, though an
> entire 250 GB nvme is for OpenBSD, almost with no user files, except
> for the ports tree that was being downloaded by the fetch command.
> When installing OpenBSD in a 250 GB nvme, I chose GPT and let the
> installer decide on partitions. But something went wrong.
>
> My bios shows this in the hard disk list:
>
> line No 1: UEFI OS (samsung SSD EVO 970 Plus 250 GB)
> line No 2: Samsung SSD 970 EVO Plus 250 GB (238476 MB)
> (line No 3 : SATA ... # this is Ubuntu
> line No 4: SATA # this is CentOS)
>
> In BIOS if I choose item 1, it boots to OpenBSD
> If I choose item 2, it shows a blank boot screen shows a one line
> error message that says "no active partition" that is it.
>
> I ran gparted after booting the UEFI OS
>
> It started with the warning: Not all of the space available to
> /dev/nvme0n1 appears to be used, you can fix the GPT to use all the
> space (an extra 30 blocks) or
> continue with the current setting?
>
> I chose "ignore", because I suspected that gparted probably saw the
> UEFI boot content of (250 GB - 238476 MB) as 30 blocks of "unused"
> space.
> > Gparted shows: > > EFI System Area fat 16 > /dev/nvme0n1p2 480 KiB > Efi Sstem Aea Used 292 KiB > /dev/ nvme0n1p4 OpenBSD Area 232.89 GiB > > Does this imply that the 232.89 GiB is OpenBSD area, but somehow with > "no active partition" which is perhaps the reason why there was an > error message during fetch that said /usr directory is low on disk > space ? > > Thank you. > > > On Sun, 7 Mar 2021 at 15:54, Ed Gray wrote: > > > > Glad you solved it. > > > > I would recommend running sysupgrade with the -n switch if you are using > the system. > > > > E.g. sysupgrade -s -n > > > > This delays the reboot but still prepares the upgrade. > > > > Upgrades are now completely automated but you still have to update > packages and your ports tree as well as the base system to keep everything > working properly. > > > > Regards > > Ed Gray > > > > On Sat, 6 Mar 2021, 6:19 pm Sivan !, wrote: > >> > >> Solved. > >> sysupgrade -s > >> (after reboot, gnome loaded) > >> bash-5.0# uname -r > >> 6.9 > >> > >> On Sat, 6 Mar 2021 at 22:53, Sivan ! wrote: > >> > > >> > /use/x11/ports/gnome make install didn't work. Images attached. > >> > > >> > On Sat, Mar 6, 2021, 22:12 Sivan ! wrote: > >> >> > >> >> > >> >> dear Ed, > >> >> > >> >> It wasn't complicated at all in till the unintended upgrade, and I > wish to try and resolve this, even though I a person with copy&paste skills > in command line. OpenBSD 6.8 was booting fine with gnome, but now stuck in > xterm. > >> >> > >> >> Now in xsession cd/use/pets/gnome, typed make, it is making, will > report what happens. > >> >> > >> >> Thank you. > >> >> > >> >> > >> >> On Fri, 5 Mar 2021 at 23:23, Ed Gray wrote: > >> >> > > >> >> > Hi Sivan, > >> >> > > >> >> > Sorry I've not had chance to look at everything you sent. > >> >> > > >> >> > Firstly the message about SSH keys sounds normal as this is part > of a normal X session startup. 
I suspect you have a key that has changed or > needs a passphrase entered and it's just picking it up when you try to > start X. > >> >> > > >> >> > The command history looks strange, you're running shutdown and > reboot and then other commands, unless these are from another session? > >> >> > > >> >> > Openbsd needs the -h option to both shutdown and power off the > machine or -r for reboot. > >> >> > > &g
Re: 6.8 with gnome boots to xterm after upgrade
Sivan,

On the boot problem I would suggest you check your BIOS settings for legacy boot and UEFI options in the boot or disk settings. The manual for your system / motherboard should explain. These can have several names like compatibility mode or CSM. I would expect to either use legacy BIOS / CSM boot or UEFI not both but I don't know how well it is supported on OpenBSD.

Regards
Ed Gray

On Wed, 10 Mar 2021, 1:53 am Sivan !, wrote:
> Thank you. Please see inline:
>
> On Tue, 9 Mar 2021 at 13:03, Stuart Henderson wrote:
> >
> > On 2021-03-08, Sivan ! wrote:
> > > Thank you. One unresolved issue. While running fetch, there was an
> > > error pop up that said /usr directory is out of space, though an
> > > entire 250 GB nvme is for OpenBSD, almost with no user files, except
> > > for the ports tree that was being downloaded by the fetch command.
> > > When installing OpenBSD in a 250 GB nvme, I chose GPT and let the
> > > installer decide on partitions. But something went wrong.
> >
> > The disk is split into partitions. Run df -h to see what's free.
>
> This is what I see:
>
> bash-5.0$ df -h
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/sd2a      986M    128M    809M    14%    /
> /dev/sd2l      168G    5.2G    155G     3%    /home
> /dev/sd2d      3.9G    324M    3.4G     9%    /tmp
> /dev/sd2f      5.8G    5.1G    432M    92%    /usr
> /dev/sd2g      986M    239M    697M    26%    /usr/X11R6
> /dev/sd2h     19.4G    4.9G   13.5G    26%    /usr/local
> /dev/sd2k      5.8G    116M    5.4G     2%    /usr/obj
> /dev/sd2j      1.9G    2.0K    1.8G     0%    /usr/src
> /dev/sd2e     15.3G   36.5M   14.5G     0%    /var
>
> >
> > To convert "marketing capacity" for a drive (given in "decimal GB") into
> > usable capacity in binary GB (some people call this GiB), use this
> > calculation:
> >
> > (97696368+(1953504*(capacity-50)))/2048
> >
> > (The formula is from IDEMA LBA1-03 plus a conversion from 512-byte LBA
> > blocks to GB)
> >
> > So for 250GB
> >
> > (97696368+(1953504*(250-50)))/2048 = 238475.1796875
>
> Thank you. The issue is that in the bios I see two entries, the entry
> that is listed as
> "Samsung SSD 970 EVO Plus 250 GB (238476 MB)" is sometimes
> automatically selected to boot, the boot process halts with a one line
> "No active partition error. Then I have to get into bios to choose the line
> that says "line No 1: UEFI OS (samsung SSD EVO 970 Plus 250 GB)" This
> is why I raised the 30 blocks / GB-MB issue.
>
> >
> > Then there's a little extra used for filesystem structures.
> >
> >
> > > It started with the warning: Not all of the space available to
> > > /dev/nvme0n1 appears to be used, you can fix the GPT to use all the
> > > space (an extra 30 blocks) or
> > > continue with the current setting?
> >
> > 30 blocks is nothing. Leave this alone.
>
> Yes, I will leave the 30 blocks alone.
>
> > > Does this imply that the 232.89 GiB is OpenBSD area, but somehow with
> > > "no active partition" which is perhaps the reason why there was an
> > > error message during fetch that said /usr directory is low on disk
> > > space ?
> >
> > You filled the partition holding /usr when you ran "make" in
> > /usr/ports/x11/gnome. Remove the build files with "rm -r /usr/ports/pobj"
> > (or remove /usr/ports completely if you don't need it).
>
> Before removing I looked for "pobj" under /usr/ports but did not find it:
>
> bash-5.0$ cd /usr/ports/
> bash-5.0$ ls
> CVS          cad          games           math          print
> Makefile     chinese      geo             meta          productivity
> README       comms        graphics        misc          security
> archivers    converters   infrastructure  multimedia    shells
> astro        databases    inputmethods    net           sysutils
> audio        devel        japanese        news          telephony
> benchmarks   editors      java            plan9         tests
> biology      education    korean          plist         textproc
> books        emulators    lang            ports.pub     www
> bulk         fonts        mail            ports.sec     x11
>
> Is there a way of expanding the space in the /usr directory?
>
> >
> > The default auto-partitioning sizes do not give enough space to place
> > ports under /usr and build anything other than the smallest ports.
> >
> >
> >
Re: help debug NFS
Hi Maxim,

I cannot help you fix this as I don't have a similar set-up but I can tell you this isn't normal behaviour for NFS. You should not need to tweak anything to get a stable mount at least in my experience. It sounds like a bug somewhere to me.

You could try using the gnu watch command or similar while loop to run an ls of the share from the client to confirm if it hangs after non-use or after five minutes regardless of use or non-use.

You could also try testing the network connection between the two machines to make sure there is no connectivity or cable problem. You could use the same while loop to run rpcinfo or showmount commands from the client and server to see if it stops working after the same delay.

Someone with more knowledge of NFS might suggest some better debugging steps...

Regards
Ed Gray

On Sun, 11 Apr 2021, 10:07 am Родин Максим, wrote:
> Hello
> I have an NFS server on OpenBSD 6.8 stable
> which exports a folder with default settings.
> I have a linux mint client which mounts a share from this NFS server
> with these settings:
> sudo mount -o wsize=8192,rsize=8192 192.168.1.65:/big
> /home/user/store
> which gives a decent speed at about 50-60MB/s both sides which seem ok
> for me.
> The problem is: when the mount point is not used for a while (5 minutes
> and more) the share becomes unresponsive and the only way to unmount the
> share is to do
> sudo umount -lf /home/user/store
> After that I can mount the share once again.
> When I imitate using the share on client using
> while :; do ls /home/user/store/ && echo "OK" && sleep 3 ; done;
> the share remains responsive all the time and shows no problems.
>
> What tweaks(settings) on the client(server) am I missing in my setup
> to keep the mount point responsive?
> --
> Best regards
> Maksim Rodin
>
>
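The polling Ed suggests, written out as a small sh script. This is an added example and not code from either message in the thread. The plain "while :; do ls ...; done" loop from Maksim's mail blocks forever the moment the mount hangs, so the probe below runs ls in the background, gives up after a time limit, logs state changes with a timestamp, and on a failure queries the server's portmapper and mountd with rpcinfo/showmount so the log shows whether only the mount or also the RPC side stopped answering. The mount path and server address are placeholders taken from Maksim's message; the file and function names are the example's own.

```sh
#!/bin/sh
# Added example: poll an NFS mount without letting the monitor itself hang.
# Exit status of probe_path: 0 = responsive, 1 = ls failed (not mounted,
# no permission), 2 = no answer within the limit (the mount is hung).
probe_path() {
    path=$1
    limit=${2:-10}                    # seconds to wait before declaring a hang
    status_file=$(mktemp) || return 1
    # Run ls in a background subshell that records the exit status when
    # (if) ls returns; the foreground shell only watches the clock.
    ( ls "$path" >/dev/null 2>&1; echo $? > "$status_file" ) &
    pid=$!
    n=0
    while [ ! -s "$status_file" ]; do
        if [ "$n" -ge "$limit" ]; then
            # On a hard mount the stuck ls sits in the kernel and may not
            # die until the server answers; we stop waiting on it anyway.
            kill -9 "$pid" 2>/dev/null
            rm -f "$status_file"
            return 2
        fi
        sleep 1
        n=$((n + 1))
    done
    rc=$(cat "$status_file")
    rm -f "$status_file"
    [ "$rc" -eq 0 ]
}

# Poll every $interval seconds, print only state changes with a timestamp,
# and on failure ask the server's portmapper/mountd whether they still
# answer, so "mount dead after N idle minutes" can be told apart from
# "server or RPC dead".
monitor_share() {
    path=$1                           # e.g. /home/user/store (placeholder)
    server=$2                         # e.g. 192.168.1.65 (placeholder)
    interval=${3:-60}
    limit=${4:-15}
    last=""
    while :; do
        if probe_path "$path" "$limit"; then
            state=OK
        else
            state="FAIL($?)"
        fi
        if [ "$state" != "$last" ]; then
            printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$state" "$path"
            if [ "$state" != OK ]; then
                rpcinfo -p "$server" 2>&1 | sed 's/^/  rpcinfo: /'
                showmount -e "$server" 2>&1 | sed 's/^/  showmount: /'
            fi
            last=$state
        fi
        sleep "$interval"
    done
}

# Usage: sh nfsprobe.sh /home/user/store 192.168.1.65 [interval] [limit]
if [ $# -ge 2 ]; then
    monitor_share "$@"
fi
```

Run it in a tmux/screen session with an interval well under the five minutes Maksim mentions (30 s or so) and, separately, leave the share completely idle; if the first FAIL line appears about five minutes after the last access regardless of the probe interval, the probe itself is keeping the mount alive and the idle timeout is on the server or network side rather than in the client's use of the share.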
Re: Realtek ALC887 on OpenBSD 5.7 current
On 05/11/15 15:00, Stan Gammons wrote: module-console-kit.c: Unable to contact D-Bus system bus: org.freedesktop.DBus.Error.FileNotFound: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory May need to start dbus?
PPPoE Dropping
Good Morning,

I've recently migrated to a new ISP (Zen UK), from BT, and am facing an annoying problem - head banging against a brick-wall has started - it is the same broadband product, i.e VDSL2/FTTC, just a different ISP. For the last 3 years my current setup has functioned on BT, since the migration to Zen things seem to have gone a bit wonky - the Zen aspect may or may not be related.

I have an OpenBSD 5.7 router connected to either an HG612 or ECI modem, via a switch the PPPoE interface is on a VLAN and in its own rdomain, I encounter the same problem with both. The problem? PPPoE (kernel) drops frequently between 1 - 15 minutes of connected time and reconnects, then repeats, the modem sync is not dropping. The router has an OpenVPN (UDP) VPN connection that routes all traffic to the OpenVPN server in the DC. I should add, I still have another line still with BT with the exact same setup and this does not encounter the problem and has been up for some 70 days.

Between migrating from BT -> Zen, the only thing that changed on the OpenBSD router was the PPPoE username/password. From the moment the migration occurred, this problem started occurring.

Things I have ruled out:

- Cabling, no errors on switch ports but all cables have been replaced
- Not HG612 or ECI modem related, that I can see, problem happens with both. Initially thought it could be the HG612 bug with UDP/VPNs, however the modem is unlocked and running the latest release. The trick of unplugging and reseating the eth cable doesn't make any difference.
- OpenBSD config, there is minimal kernel PPPoE config same setup works with BT and continues to work
- OpenBSD OS versions (tried 3 different releases, 5.5, 5.6 and 5.7)
- Rolled back RFC4638 setup, i.e for MTU 1500. The Max Payload is negotiated successfully during the connection process, so I don't believe this is the issue but have tried without anyway.
- LCP echo/replies are all being sent and responded to in a timely manner, there are no ignore/dropped echos/replies before the 'term-req' is received

Enabled debug on the OpenBSD pppoe interface and it seems to me, that Zen are sending 'term-req' - although I need to make sure my reading of the logs is correct i.e 'lcp input' is the ISP/Zen? However, the below logs also show 'Down event (carrier loss)' but there is no carrier loss (the modem stays in sync) and all ethernet ports between the modem/switch/router stay up, no errors, etc - although this could be because the term-req has already been received and the disconnection is in process.

###
Jun 28 21:15:56 rtr00 /bsd: pppoe0 (8864) state=3, session=0x2eb output -> 84:26:2b:a2:3c:da, len=139
Jun 28 21:15:56 rtr00 /bsd: pppoe0 (8864) state=3, session=0x2eb output -> 84:26:2b:a2:3c:da, len=139
Jun 28 21:15:56 rtr00 /bsd: pppoe0: lcp input(opened):
Jun 28 21:15:56 rtr00 /bsd: pppoe0: lcp opened->stopping
Jun 28 21:15:56 rtr00 /bsd: pppoe0: phase terminate
Jun 28 21:15:56 rtr00 /bsd: pppoe0: ipcp down(opened)
Jun 28 21:15:56 rtr00 /bsd: pppoe0: ipcp opened->starting
Jun 28 21:15:56 rtr00 /bsd: pppoe0: ipcp close(starting)
Jun 28 21:15:56 rtr00 /bsd: pppoe0: ipcp starting->initial
Jun 28 21:15:56 rtr00 /bsd: pppoe0: lcp send terminate-ack
Jun 28 21:15:56 rtr00 /bsd: pppoe0: lcp output
Jun 28 21:15:56 rtr00 /bsd: pppoe0 (8864) state=3, session=0x2eb output -> 84:26:2b:a2:3c:da, len=12
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp TO(stopping) rst_counter = 0
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp stopping->stopped
Jun 28 21:16:06 rtr00 /bsd: pppoe0: phase dead
Jun 28 21:16:06 rtr00 /bsd: pppoe0: timeout
Jun 28 21:16:06 rtr00 /bsd: pppoe0: disconnecting
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp down(stopped)
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp stopped->starting
Jun 28 21:16:06 rtr00 /bsd: pppoe0: phase establish
Jun 28 21:16:06 rtr00 /bsd: pppoe0 (8863) state=1, session=0x0 output -> ff:ff:ff:ff:ff:ff, len=18
Jun 28 21:16:06 rtr00 /bsd: pppoe0: Down event (carrier loss), taking interface down.<7>pppoe0: lcp close(starting)
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp starting->initial
Jun 28 21:16:06 rtr00 /bsd: pppoe0: phase dead
Jun 28 21:16:06 rtr00 /bsd: pppoe0 (8863) state=2, session=0x0 output -> 84:26:2b:a2:3c:da, len=38
Jun 28 21:16:06 rtr00 /bsd: pppoe0: session 0x2ee connected
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp open(initial)
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp initial->starting
Jun 28 21:16:06 rtr00 /bsd: pppoe0: phase establish
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp up(starting)
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp starting->req-sent
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp output
Jun 28 21:16:06 rtr00 /bsd: pppoe0 (8864) state=3, session=0x2ee output -> 84:26:2b:a2:3c:da, len=22
Jun 28 21:16:06 rtr00 /bsd: pppoe0: lcp input(req-sent):
###

.. If anyone has any suggestions, or seen anything similar previously, I'm all ears. Going to open a case with the ISP as well.

Thanks,
Ed
Re: PPPoE Dropping
> I think that's correct, but you could double-check by running tcpdump
> on the parent interface ("pppoedev") and use -e to show MAC addresses.
> (I'd use something like -nevvs1500).

Will do, thanks - the LCP echoes come on the input, so I was assuming the term-req also coming on the input would be from the ISP/BT/Zen. But will certainly double-check using tcpdump.

> FWIW I'm using pppoe(4) to connect to zen without problem here (-current
> with one of their tg589vn configured as a bridge), I'm not using rdomain
> though I don't *think* that's related to what you're seeing.

I've connected my OpenBSD box up to the TG589 handling the PPPoE, this has been up for a few hours now with no drops so the actual line seems to be sound. Out of curiosity, do you use MTU 1500 on the pppoedev to take advantage of RFC4638? The aspect that has me stuck, is that same modem/config/physical router/ports/etc works fine consistently on my other BT FTTC connection.

> Yep that's worth finding out what if anything they see from their side..
>
> Have you tried rebooting or fully re-creating the pppoe interface
> (ifconfig pppoeX destroy; sh /etc/netstarter pppoeX) since changing
> across? If not then that might be worth a go.

I've asked a few times if they can shed any light on the matter, but it gets silently ignored, they've confirmed that what they see from the BT stats the drops are PPP related. Am going to leave the TG589 up for a day or so handling PPPoE, then go back to them to see if they can dig any further on their end.

The 'funky' aspects to my setup are:

- rdomain
- vlan pppoedev
- re(4) patches to enable jumbo frames (use this in conjunction with RFC4638 so I can get 1508 on the physical NIC, then 1500 on the pppoedev).
- MTU 1500 on pppoedev

Will build a -current image for the router and see what happens as well, although this will (I'm assuming) include the re(4) patches, but then I did also try going back to OpenBSD 5.5 which would negate these patches being a cause and a reboot/recreate of the pppoe interface.

On 29 June 2015 at 17:38, Stuart Henderson wrote:
> On 2015-06-29, Ed Stout wrote:
>> Good Morning,
>>
>> I've recently migrated to a new ISP (Zen UK), from BT, and am facing
>> an annoying problem - head banging against a brick-wall has started -
>> it is the same broadband product, i.e VDSL2/FTTC, just a different
>> ISP. For the last 3 years my current setup has functioned on BT,
>> since the migration to Zen things seem to have gone a bit wonky - the
>> Zen aspect may or may not be related.
>>
>> I have an OpenBSD 5.7 router connected to either an HG612 or ECI
>> modem, via a switch the PPPoE interface is on a VLAN and in its own
>> rdomain, I encounter the same problem with both. The problem? PPPoE
>> (kernel) drops frequently between 1 - 15 minutes of connected time and
>> reconnects, then repeats, the modem sync is not dropping. The router
>> has an OpenVPN (UDP) VPN connection that routes all traffic to the
>> OpenVPN server in the DC. I should add, I still have another line
>> still with BT with the exact same setup and this does not encounter
>> the problem and has been up for some 70 days.
>>
>> Between migrating from BT -> Zen, the only thing that changed on the
>> OpenBSD router was the PPPoE username/password. From the moment the
>> migration occurred, this problem started occurring.
>>
>> Thing's I have ruled out:
>>
>> - Cabling, no errors on switch ports but all cables have been replaced
>> - Not HG612 or ECI modem related, that I can see, problem happens with
>> both. Initially thought it could be the HG612 bug with UDP/VPNs,
>> however the modem is unlocked and running the latest release. The
>> trick of unplugging and reseating the eth cable doesn't make any
>> difference.
>> - OpenBSD config, there is minimal kernel PPPoE config same setup
>> works with BT and continues to work
>> - OpenBSD OS versions (tried 3 different releases, 5.5, 5.6 and 5.7)
>> - Rolled back RFC4638 setup, i.e for MTU 1500. The Max Payload is
>> negotiated successfully during the connection process, so I don't
>> believe this is the issue but have tried without anyway.
>> - LCP echo/replies are all being sent and responded to in a timely
>> manner, there are no ignore/dropped echos/replies before the
>> 'term-req' is received'
>>
>> Enabled debug on the OpenBSD pppoe interface and it seems to me, that
>> Zen are sending 'term-req' - although I need to make sure my reading
>> of the logs is correct i.e 'lcp input' is the ISP/Zen?
>
> I think that'
Re: DHCPv6 server - send_packet6: Network is unreachable
> From: Claus Lensbøl > I am running openbsd 5.6 GENERIC.MP#333 amd64. > Using isc-dhcp-server 4.3.0. I had no route to host w/ ISC DHCP 4.3.0 on OpenBSD 4.9 -- the patch at end of message got it working. Hint was need for '%' using ping6. I applied the patch on OpenBSD 5.5 w/o checking whether it's needed -- still works. I don't know about 5.6 (as he ducks his head). NOTE: patch applies to ISC tar archive -- I did not start from ports, so I don't know if it'll apply to patched ports source. Try it if you like. Good luck. -Ed # BEGIN PATCH diff -u -r dhcp-4.3.0-orig/common/socket.c dhcp-4.3.0/common/socket.c --- dhcp-4.3.0-orig/common/socket.c Fri Jan 31 14:20:49 2014 +++ dhcp-4.3.0/common/socket.c Tue Aug 18 15:11:42 2015 @@ -787,9 +787,19 @@ memcpy(&dst, to, sizeof(dst)); m.msg_name = &dst; m.msg_namelen = sizeof(dst); + /* +* For OpenBSD 4.9, needing interface index: this works in +* my usage on small LAN; might not be complete or correct +* Works w/ OpenBSD 5.5 -- did not check if still needed! +* The preprocessor test is added . . . +*/ +#if defined(__OpenBSD__) + dst.sin6_scope_id = ifindex = if_nametoindex(interface->name); +#else /* ! defined(__OpenBSD__) */ ifindex = if_nametoindex(interface->name); if (no_global_v6_socket) dst.sin6_scope_id = ifindex; +#endif /* ! defined(__OpenBSD__) */ /* * Set the data buffer we're sending. (Using this wacky
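Review bot: the OpenBSD branch of the hunk drops the `no_global_v6_socket` guard and stores a scope id for every destination, global addresses included, and the chained assignment `dst.sin6_scope_id = ifindex = if_nametoindex(interface->name);` silently writes 0 when the name lookup fails. Suggest checking the return value of if_nametoindex() before using it, restricting the scope id to link-scoped destinations (IN6_IS_ADDR_LINKLOCAL / IN6_IS_ADDR_MC_LINKLOCAL) so the global case keeps the upstream behaviour, and replacing the "might not be complete or correct" / "did not check if still needed" wording in the comment with a statement of what was actually verified on which release before this is merged.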
Re: DHCPv6 server - send_packet6: Network is unreachable
[ I tried sending this Monday morning; I just got a DSN for failure -- so trying again, from different address. ] On Mon, 24 Aug 2015, Claus Lensbøl wrote: > On 18-08-2015 21:32, Ed Hynan wrote: >> >>> From: Claus Lensbøl >>> I am running openbsd 5.6 GENERIC.MP#333 amd64. >>> Using isc-dhcp-server 4.3.0. >> >> I had no route to host w/ ISC DHCP 4.3.0 on OpenBSD 4.9 -- the >> patch at end of message got it working. Hint was need for >> '%' using ping6. >> >> I applied the patch on OpenBSD 5.5 w/o checking whether >> it's needed -- still works. I don't know about 5.6 (as he >> ducks his head). >> >> NOTE: patch applies to ISC tar archive -- I did not start from >> ports, so I don't know if it'll apply to patched ports source. >> Try it if you like. Good luck. >> >> -Ed >> >> # BEGIN PATCH >> diff -u -r dhcp-4.3.0-orig/common/socket.c dhcp-4.3.0/common/socket.c >> --- dhcp-4.3.0-orig/common/socket.cFri Jan 31 14:20:49 2014 >> +++ dhcp-4.3.0/common/socket.cTue Aug 18 15:11:42 2015
>> @@ -787,9 +787,19 @@ >> memcpy(&dst, to, sizeof(dst)); >> m.msg_name = &dst; >> m.msg_namelen = sizeof(dst); >> +/* >> + * For OpenBSD 4.9, needing interface index: this works in >> + * my usage on small LAN; might not be complete or correct >> + * Works w/ OpenBSD 5.5 -- did not check if still needed! >> + * The preprocessor test is added . . . >> + */ >> +#if defined(__OpenBSD__) >> +dst.sin6_scope_id = ifindex = if_nametoindex(interface->name); >> +#else /* ! defined(__OpenBSD__) */ >> ifindex = if_nametoindex(interface->name); >> if (no_global_v6_socket) >> dst.sin6_scope_id = ifindex; >> +#endif /* ! defined(__OpenBSD__) */ >> >> /* >> * Set the data buffer we're sending. (Using this wacky > Hi Ed > > Where is this patch from? Me. > And could you give me some building guidelines? I haven't tried building on > OpenBSD before. OpenBSD ports(7) -- get ports source, cd to package dir, then # make patch then, substituting suitably # ( cd /usr/ports/pobj// && patch -p 1 < $PATCHFILE ) then, if patch applied cleanly[*] # make update [* else get source from ISC, extract, cd , # patch -p 1 < $PATCHFILE then edit bind/bind-9.9.5/lib/isc/random.c and comment out line 'arc4random_addrandom((u_char *) &seed, sizeof(isc_uint32_t));' then preferably configure with install --prefix other than /usr/local. # make && make install ] > > Thank you! > Claus > You're welcome, Ed -- Constantly choosing the lesser of two evils is still choosing evil. - Jerry Garcia, Rolling Stone magazine, November 30, 1989
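The "need for '%' using ping6" hint in this thread is the scope-id problem: a link-local destination such as fe80::... or ff02::1:2 names no particular link on its own, so the kernel cannot route a packet to it unless sin6_scope_id carries the interface index, and sendto(2) fails with "Network is unreachable". The following is an added example written for this thread, not ISC dhcpd's code and not the patch above; it builds the destination sockaddr the way a DHCPv6 server has to, sets the scope id only for link-scoped destinations, and refuses to hand the kernel a link-local address with no index. The function names, the "em0" interface name and the sample addresses are constructed for illustration.

```c
/*
 * Added example, not ISC dhcpd's code: build an IPv6 destination for
 * sendto(2) with the scope id filled in for link-scoped addresses.
 * Interface names, addresses and function names are constructed.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Resolve an interface name to its index; 0 means "no such interface". */
unsigned resolve_ifindex(const char *ifname)
{
    unsigned idx = if_nametoindex(ifname);
    if (idx == 0)
        fprintf(stderr, "if_nametoindex(%s): %s\n", ifname, strerror(errno));
    return idx;
}

/*
 * Fill *dst for textual address `addr` and UDP `port`.
 * Returns 0 on success, -1 if the address does not parse, -2 if the
 * address is link-scoped (fe80::/10 unicast or ff02::/16 multicast) but
 * no usable interface index was supplied.  Global destinations keep a
 * scope id of 0, which is what the kernel expects for them.
 */
int build_v6_dest(struct sockaddr_in6 *dst, const char *addr,
                  unsigned short port, unsigned ifindex)
{
    memset(dst, 0, sizeof(*dst));
    dst->sin6_family = AF_INET6;
    dst->sin6_port = htons(port);
#ifdef SIN6_LEN
    dst->sin6_len = sizeof(*dst);   /* BSD sockaddrs carry a length field */
#endif
    if (inet_pton(AF_INET6, addr, &dst->sin6_addr) != 1)
        return -1;

    if (IN6_IS_ADDR_LINKLOCAL(&dst->sin6_addr) ||
        IN6_IS_ADDR_MC_LINKLOCAL(&dst->sin6_addr)) {
        if (ifindex == 0)
            return -2;          /* sendto() would fail as "unreachable" */
        dst->sin6_scope_id = ifindex;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed demo: ff02::1:2 is All_DHCP_Relay_Agents_and_Servers,
     * 547 the DHCPv6 server port; the interface name is whatever the
     * caller passes, defaulting to a made-up "em0". */
    const char *ifname = argc > 1 ? argv[1] : "em0";
    struct sockaddr_in6 dst;
    unsigned idx = resolve_ifindex(ifname);
    int rc = build_v6_dest(&dst, "ff02::1:2", 547, idx);
    printf("ff02::1:2 via %s: rc=%d scope_id=%u\n", ifname, rc,
           (unsigned)dst.sin6_scope_id);
    return rc == 0 ? 0 : 1;
}
```

Run it with a real interface name as the first argument; with a name that does not exist it reports rc=-2 rather than letting a zero scope id reach sendto(), which is the failure mode the patch in this thread worked around.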
login.conf default openfiles
Saturday morning, saw this in /var/log/messages:

"Aug 2 08:29:12 lucy su: default: setting resource limit openfiles: Invalid argument"

That's from /etc/weekly, which uses 'su -m nobody' for locate db update on line 52. The log message can be produced by hand with, e.g.:

# echo /bin/echo FOO | SHELL=/bin/sh nice -5 su -m nobody

invoked by root. Checking userinfo nobody shows no login class, so presumably default: applies.

I installed the original login.conf from etc55.tgz. Same message; anyway, I hadn't edited default:.

The default: entry has openfiles-cur, but not -max. According to login.conf(5), resource limit entries without -{cur,max} will specify both, but using -{cur,max} specifies that limit individually. So, using only foo-cur leaves foo-max unspecified. Adding openfiles-max and checking again, no message is logged.

BTW, I jumped from 4.9 to 5.5 so the 4.9 login.conf is the most recent I have handy. The 4.9 login.conf likewise has only openfiles-cur in default:, but I don't think I've seen that log message before. Some verbosity recently added?

-Ed

--
The rights you have are the rights given you by this Committee [the House Un-American Activities Committee]. We will determine what rights you have and what rights you have not got. -- J. Parnell Thomas
Re: login.conf default openfiles
On Mon, 4 Aug 2014, Philip Guenther wrote:
> On Sat, Aug 2, 2014 at 7:06 AM, Ed Hynan wrote:
>> Saturday morning, saw this in /var/log/messages:
>>
>> "Aug 2 08:29:12 lucy su: default: setting resource limit openfiles: Invalid argument"

(BTW, I quoted a line I produced by hand: the time is wrong, should have been approx. 03:30. The rest is the same.)

> That indicates that the requested -cur value was greater than the
> requested -max value, if any, or the current -max value if no change
> to the max was requested.

Yes... -cur in the default class is 512, and ...

# echo "ulimit -n" | su -m nobody
256
# echo "ulimit -nH" | su -m nobody
384

I'm running the commands in a root shell. I set openfiles-cur=256 and openfiles-max=384 for the daemon class, which is root's class according to userinfo root. [*]

So, after putting the original login.conf in place, and su - root again on another pty, ulimit -nH is 768 (although the value 768 does not appear in the original login.conf). Soft limit is 128.

OK, it seems I've triggered the log message by reducing openfiles-max in the daemon class, which is root's, but the interesting thing is that the su command succeeds.

>> That's from /etc/weekly, which uses 'su -m nobody' for locate db
>> update on line 52. The log message can be produced by hand with, e.g.:
>>
>> # echo /bin/echo FOO | SHELL=/bin/sh nice -5 su -m nobody
>>
>> invoked by root.
>
> Hmm, I'm unable to reproduce that on my 5.6 system. Compare the output
> of ulimit -nH and the openfiles-cur value in the login.conf. On my
> system, the normal hard (i.e., -max) limit is 1024; is that not the
> case on yours? If so, where is the smaller value coming from? The root
> .profile? Some other system config file? Inherited from a lower limit
> on your personal account when you su'ed to root?

See above.

[*] why such limits, you may ask. Simply old and limited hardware, in the role of home lan gateway router. I wanted to try tighter limits, and use so far suggests they are not a problem for the daemons in use. Last uptime before switch to 5.5: 408 days, but would have been about 3 years if not for power failures outlasting the UPS. So, I feel confident in those limits. Actually, those limits were in place before 4.9, but I forget when. They seem OK.

>> BTW, I jumped from 4.9 to 5.5 so the 4.9 login.conf is the most recent
>> I have handy. The 4.9 login.conf likewise has only openfiles-cur in
>> default:, but I don't think I've seen that log message before. Some
>> verbosity recently added?
>
> The setrlimit() syscall was changed to comply with POSIX and return an
> error instead of (iirc) silently clamping the soft limit to the hard
> limit.

OK, I see the message is logged in lib/libc/gen/login_cap.c::gsetrl() after setrlimit() fails (gsetrl() then returns -1). Thanks for pointing that out; message is clear now.

setusercontext(3) does not fail at the gsetrl() failure; it proceeds anyway. That explains why the log message is the only symptom and the /etc/weekly job succeeds.

So, the absence of openfiles-max in the original login.conf is intentional? Before that log message, I was never prompted to think this through this far.

-Ed
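The failure described in this thread can be shown in a few lines: setrlimit(2) now rejects, with EINVAL, a request whose soft limit exceeds the hard limit, and a login.conf entry that sets only openfiles-cur implicitly asks for exactly that whenever the class's inherited hard limit is lower. The following is an added example, not OpenBSD's libc or login_cap code; it models what a login.conf openfiles entry requests (openfiles_request) and a gsetrl()-style attempt that logs the same kind of message and reports the error to the caller instead of aborting (apply_openfiles). The class name and limit values are constructed, modelled on the 512 vs. 384 numbers above.

```c
/*
 * Added example, not OpenBSD's login_cap.c: why "openfiles-cur" alone can
 * produce "setting resource limit openfiles: Invalid argument".
 * Class names and limit values are constructed for illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/*
 * Work out the rlimit pair a login.conf openfiles entry would request.
 * have_max == 0 models an entry that gives only openfiles-cur: the hard
 * limit is left at whatever the process already has.  Returns 0 if the
 * pair is acceptable, EINVAL if the soft limit would exceed the hard one
 * (the condition POSIX makes setrlimit reject), or the getrlimit errno.
 */
int openfiles_request(rlim_t cur, int have_max, rlim_t max, struct rlimit *out)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
        return errno;
    rl.rlim_cur = cur;
    if (have_max)
        rl.rlim_max = max;
    *out = rl;
    return rl.rlim_cur > rl.rlim_max ? EINVAL : 0;
}

/*
 * gsetrl()-style attempt: apply the limit, log on failure, and return the
 * errno so the caller (like setusercontext(3)) can decide to carry on.
 */
int apply_openfiles(const char *class_name, rlim_t cur, int have_max, rlim_t max)
{
    struct rlimit rl;
    int err = openfiles_request(cur, have_max, max, &rl);
    if (err != 0 && err != EINVAL)
        return err;                     /* getrlimit itself failed */
    /* Let the kernel make the final decision, as libc does. */
    if (setrlimit(RLIMIT_NOFILE, &rl) == -1) {
        err = errno;
        fprintf(stderr, "%s: setting resource limit openfiles: %s\n",
                class_name, strerror(err));
        return err;
    }
    return 0;
}

int main(void)
{
    struct rlimit rl;
    /* Constructed: -cur 512 against an explicit -max 384, as in the thread. */
    int err = apply_openfiles("default", 512, 1, 384);
    printf("cur=512 max=384 -> %s\n", err ? strerror(err) : "ok");
    /* -cur only: the hard limit is inherited, so the outcome depends on it. */
    err = openfiles_request(512, 0, 0, &rl);
    printf("cur=512, max inherited (%llu) -> %s\n",
           (unsigned long long)rl.rlim_max, err ? strerror(err) : "ok");
    return 0;
}
```

Because apply_openfiles returns the error rather than exiting, the caller sees exactly what this thread observed: a logged "Invalid argument" while the surrounding job still runs.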
Re: login.conf default openfiles
On Tue, 5 Aug 2014, Philip Guenther wrote:
> On Tue, Aug 5, 2014 at 6:49 AM, Ed Hynan wrote:
>
> Failure to set the resource limits isn't considered fatal for
> setusercontext(). It would be Bad if a typo there could leave you
> unable to login or su to root...

Agreed. My case is a less drastic example: it's good that that su succeeded so the job could run. The new log message is good too; I'm glad I saw it and could respond.

BTW, setusercontext(3) does not mention that a resource-setting failure is not fatal.

>> So, the absence of openfiles-max in the original login.conf is
>> intentional? Before that log message, I was never prompted to think
>> this through this far.
>
> It wasn't necessary to set them, so why over-specify them? IIRC, we had
> actually increased the defaults not too long ago to handle the
> increased demands of stuff like gnome and firefox. If we wrote out all
> the limits, then upgrades would be more painful as more lines would
> have to change.

I suppose higher limits are easier all around, particularly re. the sort of software you mention. I recall changing menus to use a wrapper script because firefox was exceeding a files soft limit (NetBSD 2.0 I think, but that's beside the point). OTOH, lower limits expose more bad code. Just mentioning that, not suggesting OpenBSD shouldn't increase limits.

-Ed
OpenSSL static
The latest openssl patch was announced on the announce list. Do any of the system's static binaries use lib(ssl|crypto).a? -Ed
Re: OpenSSL static
On Mon, 11 Aug 2014, Theo de Raadt wrote:
>> Do any of the system's static binaries use lib(ssl|crypto).a?
>
> A few use -lcrypto:
>
> iked
> isakmpd
> dc
> ftp
>
> Only one uses -lssl and -lcrypto:
>
> ftp

Thanks for the prompt reply. dc! That caught me by surprise.

-Ed
dlsym(): same symbols in prog and lib, segfault
This is with 5.5 release on i386 (32 bit).

When the main program has more than one function pointer declared with the *same names* as functions in a shared library, and initializes one (at least) with the symbol from that library with dlsym(), and references the second in some way (take address, dereference/call, etc.), and the shared library calls the second function, then the program segfaults at the point of the lib making that call, but after ld.so has printed messages like:

"WARNING: symbol(fn_02) size mismatch, relink your program"

apparently one for each reference to that symbol in either the main program or library.

This is reliably repeatable, and is probably easier to understand in code than in my description, so a near-minimal program and Makefile are appended to this message.

For the test prog try:

# bug
% make clean; make
# workaround 1 -- initialize symbol in main prog
% make clean; make fix
# workaround 2 -- do not reference symbol in prog
% make clean; make fix2
# still bug, different output (FPIC defaults empty)
% make clean; make FPIC="-fPIC"

I'm sure this was not a problem with OpenBSD 4.9 because the code that raised the issue was fine on that.

-Ed

FILES:

/** BEGIN dltst.c */
#include <stdio.h>

#ifdef BUILDPROG

#ifdef LOADRUNTIME
#include <dlfcn.h>

void (*fn_01)();
#if FIXHACK == 1
void (*fn_02)() = 0;
#else
void (*fn_02)();
#endif

void loadsyms()
{
	/*
	 * RTLD_LAZY reorders "size mismatch, relink your program"
	 * message and backtrace is different, but segfaults IAC
	 */
	void* handle = dlopen(DLTST_SONAME, RTLD_NOW);
	fn_01 = dlsym(handle, "fn_01");
	/* a reference to fn_02 (here and main()) will trigger bug */
#if FIXHACK != 2
	fn_02 = dlsym(handle, "fn_02");
#endif
}
#else /* LOADRUNTIME */
void fn_01();
void fn_02();
void loadsyms() { }
#endif /* LOADRUNTIME */

int main()
{
	loadsyms();
	/* look at addresses *of* and *in* pointers */
	printf("From main prog; fn_01 at %p points to %p\n", &fn_01, fn_01);
#if FIXHACK != 2
	printf("From main prog; fn_02 at %p points to %p\n", &fn_02, fn_02);
#endif
	/* call 1st func only; it calls the 2nd within so */
	fn_01();
	return 0;
}

#else /* BUILDPROG */
/* this section compiles for shared lib */
void fn_02()
{
	void (*p)() = fn_02;
	/* look at this func address */
	printf("From shared lib; %s at %p\n", __FUNCTION__, p);
}

void fn_01()
{
	void (*p)() = fn_01;
	/* look at this func address */
	printf("From shared lib; %s at %p\n", __FUNCTION__, p);
	p = fn_02;
	/* look at *2nd* func address; before segfault */
	printf("From shared lib; %s -- fn_02 is at %p\n", __FUNCTION__, p);
	fn_02();
}
#endif /* BUILDPROG */
/** END dltst.c */

## BEGIN Makefile
NAME = dltst
SONAME = lib$(NAME)
SRC = $(NAME).c
SOSRC = so_$(NAME).c
PROG = $(NAME)_lt
PROGRT = $(NAME)_rt
SO = $(SONAME).so
# not for OpenBSD, but others use -ldl
#LIBS = -ldl
LIBS =
# pic difference? yes, but still gets message and segfault
#FPIC = -fPIC
FPIC =

# default: build and run program w/ runtime loading that will segfault
all: run_rt

# 1st run prog w/o runtime loading (no core), then as above both check
compare: run_lt run_rt

# workaround: initialize (assign 0) pertinent global symbol: no segfault
fix:
	rm -f $(PROGRT)
	make CFLAGS="$(CFLAGS) -DFIXHACK=1" run_rt

# workaround: declare but do not reference pertinent global symbol: no segfault
fix2:
	rm -f $(PROGRT)
	make CFLAGS="$(CFLAGS) -DFIXHACK=2" run_rt

run_rt: $(PROGRT)
	@echo === running $(PROGRT) -- runtime load
	LD_LIBRARY_PATH=$$PWD ./$(PROGRT)

run_lt: $(PROG)
	@echo === running $(PROG) -- implicit link
	LD_LIBRARY_PATH=$$PWD ./$(PROG)

$(SO) mk_so: $(SOSRC)
	$(CC) $(CFLAGS) -shared $(FPIC) -o $(SO) $(SOSRC)

$(PROG) mk_prog_lt: $(SRC) $(SO)
	$(CC) $(CFLAGS) -DBUILDPROG -o $(PROG) $(SRC) $(LIBS) -L$$PWD -l$(NAME)

# make program using runtime loading
$(PROGRT) mk_prog_rt: $(SRC) $(SO)
	$(CC) $(CFLAGS) -DBUILDPROG -DLOADRUNTIME -DDLTST_SONAME=\"$(SO)\" -o $(PROGRT) $(SRC) $(LIBS)

# copy source to new name for so; this is for clarity in gdb
$(SOSRC): $(SRC)
	@rm -f $@; cp -p $(SRC) $@

clean:
	rm -f $(PROG) $(PROGRT) $(SO) $(SOSRC) *.core core
## END Makefile
Re: ifconfig command for IPv6 tunnel
On Tue, 19 Aug 2014, Charles Musser wrote:
> Hi,
>
> I'm experimenting with using IPv6 via a tunnel broker provided by an
> ISP. The tunnel works, but I want to confirm my understanding of the
> commands they gave me to set it up. These are the commands:
>
> ifconfig gif0 tunnel 50.1.94.112 72.52.104.74
> ifconfig gif0 inet6 alias 2001:470:1f04:204::2 2001:470:1f04:204::1 prefixlen 128
> route -n add -inet6 default 2001:470:1f04:204::1
>
> The first and third commands make sense to me; they set up an IPv4
> tunnel interface and a default route for IPv6. After reading the
> ifconfig(8) man page, I think I sort of understand what the second one
> does. Side note: the two IPv6 addresses provided by the tunnel broker
> are defined, in their terminology, as follows: ::1 is the "server IPv6
> address" and ::2 is the "client IPv6 address". Given that, I think the
> following is true:
>
> - ::1 is the local address of the interface on the IPv6 network.

No, *::2 is local.

> - The "alias" parameter is superfluous in this case. I tried it without
>   that and got the same result: an operating tunnel.

If it works, ifconfig is being smart, but why not make your intent explicit? The tunnel is across the ip4 addresses; this command adds aliases, or close enough.

> - Because gif0 is a point-to-point interface, ::2 (the server IP) is
>   interpreted as the "dest_address" parameter mentioned in the
>   ifconfig(8) man page.

It's ambiguous when you write "the server IP" because the remote end of the tunnel is a server, and if you're configuring a router rather than a host then that's a server too.

Addr *::2 is local in that it's an address of your gif(4) interface. The ifconfig(8) synopsis is simpler than gif configuration, but yes *::2 is like "dest_address".

Addr *::1 is remote. Try 'netstat -nvrf inet6 | grep 2001:' and find that *::1 has the G (gateway) flag, and host *::2 has a route to *::1.

Also look at something using the interface, maybe ntpd. Look at the address with 'netstat -nvf inet6 | grep 123' (no -r there), and see that *::2 is local.

HE likely provided you a /64 prefix for your use, or maybe you have to request it (I have an HE tunnel but don't remember all details; their website is helpful). Those addrs would be in a different /48 than the tunnel addrs. If you're setting up a router your assigned /64 prefix can be assigned to an internal interface with "alias" like 'inet6 alias 64'. Then point rtadvd at that interface.

-Ed
Re: ifconfig command for IPv6 tunnel
On Wed, 20 Aug 2014, Charles Musser wrote:
> On Aug 20, 2014, at 4:15 AM, Ed Hynan wrote:
>> On Tue, 19 Aug 2014, Charles Musser wrote:
>>> - ::1 is the local address of the interface on the IPv6 network.
>>
>> No, *::2 is local.
>
> Ah, yes. Despite my best efforts at copyediting, I had the meanings of
> *::1 and *::2 reversed.
>
>>> - The "alias" parameter is superfluous in this case. I tried it
>>>   without that and got the same result: an operating tunnel.
>>
>> If it works, ifconfig is being smart, but why not make your intent
>> explicit? The tunnel is across the ip4 addresses; this command adds
>> aliases, or close enough.
>
> Stated another way: the alias keyword doesn't do any harm here, but
> using it makes things harder to understand because this isn't actually
> an alias; it's a local address and a remote address and this pair
> comprises the endpoints of a point-to-point link.

Although this is a little more complex on gif than e.g. an ethernet interface, alias is at least similar. On a more straightforward type of interface, alias is used for adding additional addresses (BTW, not OpenBSD specific; the alias keyword is similar for {Net,Free}BSD, and apparently dissimilar on Linux). Think of the IPv6 addrs as 'additional' after the IPv4 tunnel addrs for conceptual satisfaction.

>> It's ambiguous when you write "the server IP" because the remote end
>> of the tunnel is a server, and if you're configuring a router rather
>> than a host then that's a server too.
>>
>> Addr *:2 is local in that it's an address of your gif(4) interface.
>> The ifconfig(8) synopsis is simpler than gif configuration, but yes
>> *::2 is like "dest_address".
>
> Just to clarify, this setup is currently a host, not a router.
>
> Given all that, ::2 is the local address and ::1 is remote. Doesn't
> that make ::1 the "dest_address"?
>
> Note: possible beating of dead horse here. Feel free to say: "stop
> obsessing over the syntax of this command, dummy."

Yes, *::1 is like dest_address; I miswrote and should have said *::2 is like "address" in the synopsis (had just woken up). IAC *::2 is local; software on the machine may have that as source address, not *::1.

>> Addr *::1 is remote. Try 'netstat -nvrf inet6 | grep 2001:' and find
>> that *::1 has the G (gateway) flag, and host *::2 has a route to *::1.
>
> Output of that is:
>
> default                2001:470:1f04:204::1  UGS   6  146  -  8  gif0
> 2001:470:1f04:204::1   2001:470:1f04:204::2  UH    1    0  -  4  gif0
> 2001:470:1f04:204::2   link#6                UHL   0    0  -  4  lo0
>
> This is different than what you describe, but it makes sense. I think.

Is it different? Your output shows what I intended to describe. Line 1 with G flag shows that 'gateway' addr *::1 is the default route and line 2 with H flag shows 'host' addr *::2 has/is a route to *::1 (didn't I suggest that clearly on my 1st coffee? I think I did).

>> Also look at something using the interface, maybe ntpd. Look at the
>> address with 'netstat -nvf inet6 | grep 123' (no -r there), and see
>> that *::2 is local.
>
> Output is:
>
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address               Foreign Address                           (state)
> tcp6       0      0  2001:470:1f04:204::2.32069  2001:200:dff:fff1:216:3eff:feb1:44d7.80   ESTABLISHED
> tcp6       0      0  2001:470:1f04:204::2.7      2001:200:dff:fff1:216:3eff:feb1:44d7.80   ESTABLISHED
> tcp6       0      0  2001:470:1f04:204::2.30221  2001:200:dff:fff1:216:3eff:feb1:44d7.80   ESTABLISHED
> tcp6       0      0  2001:470:1f04:204::2.3173   2001:200:dff:fff1:216:3eff:feb1:44d7.80   ESTABLISHED
> tcp6       0      0  2001:470:1f04:204::2.27980  2001:200:dff:fff1:216:3eff:feb1:44d7.80   ESTABLISHED
> tcp6       0      0  2001:470:1f04:204::2.48945  2001:200:dff:fff1:216:3eff:feb1:44d7.80   ESTABLISHED
>
> This seems to confirm what you said. The local endpoint is indeed *::2.

Looks good. Since this is a host, never mind rtadvd (I had mentioned that).

You'll want to handle IPv6 in pf generally. Since you didn't mention it I suppose you're not strictly firewalling; you would have mentioned allowing proto 41 for the ip4 remote endpoint, or maybe you've got that all set.

-Ed

--
Today's weirdness is tomorrow's reason why. -- Hunter S. Thompson
4.2 upgrade "make build" fails
"Cookbooked" the procedure from openbsd.org/faq/upgrade42.html.

'rm -Rf' for /usr/src/* /usr/obj/*

Downloaded all .tgz files from the 4.2/amd64 folder on ftp.openbsd.org

Ran the 'tar -C / -xzphf' command on everything except etc42.tgz as directed.

Installed the bsd.mp kernel.

Updated /etc by extracting to /tmp and merging the files manually as recommended.

Rebooted and CVS'd the 4.2 stable branch with 'cvs -q get -r OPENBSD_4_2 -P src'.

Made the objects links and started the 'make build'

I get the following build crash:

PATH="/bin:/usr/bin:/sbin:/usr/sbin" INSTALL_PROGRAM="install -c -s" CC="cc" CXX="c++" CFLAGS="-O2 '-pipe' " CXXFLAGS="-O2 '-pipe' " /bin/sh /usr/src/gnu/lib/libstdc++/libstdc++/configure --prefix=/usr --disable-nls --enable-shared --disable-multilib --with-gnu-ld --with-gxx-include-dir=/usr/include/g++ && touch config.status
creating cache ./config.cache
checking host system type... x86_64-unknown-openbsd4.2
checking target system type... x86_64-unknown-openbsd4.2
checking build system type... x86_64-unknown-openbsd4.2
checking for Cygwin environment... no
checking for mingw32 environment... no
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether ln -s works... yes
checking for gcc... cc
checking whether we are using GNU C... yes
checking whether cc accepts -g... yes
checking for c++... c++
checking whether we are using GNU C++... yes
checking whether c++ accepts -g... yes
checking for GCC version number... 3.3.5
checking for strerror in -lcposix... no
checking for as... as
checking for ar... ar
checking for ranlib... ranlib
checking for a BSD compatible install... /usr/bin/install -c
checking whether to enable maintainer-specific portions of Makefiles... no
CPU config directory is cpu/i486
OS config directory is os/bsd/openbsd
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... yes
checking for working aclocal... missing
checking for working autoconf... missing
checking for working automake... missing
checking for working autoheader... missing
checking for working makeinfo... found
checking for ld used by GCC... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for /usr/bin/ld option to reload object files... -r
checking for BSD-compatible nm... /usr/bin/nm -B
checking how to recognise dependant libraries... unknown
checking for object suffix... configure: error: installation or configuration problem; compiler does not work
*** Error code 1

Stop in /usr/src/gnu/lib/libstdc++ (line 59 of /usr/src/gnu/lib/libstdc++/Makefile.bsd-wrapper).
*** Error code 1

Stop in /usr/src/include (line 82 of Makefile).
*** Error code 1

Stop in /usr/src (line 73 of Makefile).

I know I had to have missed something, I'm just not sure what...

Thanks.
Installing apsfilter package fails
I have an OpenBSD 4.2 box without X installed, and I'm trying to install apsfilter to set up printing. Apsfilter fails with the following message:

# pkg_add apsfilter-7.2.8p0.tgz
Can't install gettext-0.14.6p0: lib not found expat.8.0
Dependencies for gettext-0.14.6p0 resolve to: libiconv-1.9.2p3
Full dependency tree is libiconv-1.9.2p3
Can't install a2ps-4.13bp4-letter: can't resolve gettext-0.14.6p0
Can't install apsfilter-7.2.8p0: can't resolve a2ps-4.13bp4-letter

What am I doing wrong???

Thanks,
Ed
Re: Installing apsfilter package fails
Thank you Preston. You said, "If I remember correctly, you need to have the x-base package installed for the libiconv / gettext dependencies to be met. It's an issue with 4.2." How did you know that? Is there a "source" that I should reference that I'm not aware of to "keep up" on the latest idiosyncrasies, bugs, etc.??? Thanks, Ed
Setting up an HP laserjet with apsfilter "unknown printer" error
Hi folks,

I'm using apsfilter on OBSD 4.2, and trying to set up an HP LaserJet printer. I have an HP P2015DN and a 4240n, so printing to either one would be fine with me.

After running apsfilter SETUP, here's my /etc/printcap file:

lp|PSgs;r=300x300;q=medium;c=mono;p=letter;m=auto:\
	:lp=:\
	:rm=192.168.1.15:\
	:rp=raw:\
	:if=/etc/apsfilter/basedir/bin/apsfilter:\
	:sd=/var/spool/lpd/lp:\
	:lf=/var/spool/lpd/lp/log:\
	:af=/var/spool/lpd/lp/acct:\
	:mx#0:\
	:sh:

When I try and print a testpage, this is what I get:

Printing test page...
-rw-r--r-- 1 root wheel 924020 Mar 20 08:46 /tmp/apsfilter20397/test_page.aps
lpr: [EMAIL PROTECTED]: unknown printer
0m0.00s real 0m0.00s user 0m0.00s system
[ press RETURN to continue ]

Can someone give me some tips on setting up a network printer? I thought setting up a network printer would be a snap with apsfilter, but it's not as easy as I thought. :-)

Thanks,
Ed
Would OpenBSD and Squid be considered a "Proxy Firewall"?
Hi folks,

I'm reading a book on network security and it mentions "proxy firewalls", so I'm wondering if an OpenBSD box with Squid installed would fit this description? Or, are there other "proxy firewalls" the author is referring to?

The book mentions that although "proxy firewalls" tend to slow traffic down, they are much more secure than a typical "stateful packet filtering" firewall. He says they will ignore the typical "network discovery" methods, i.e. nmap, etc., etc.

As a matter of curiosity, has anyone run an nmap scan against an OpenBSD box with Squid? What did the scan results indicate?

Thank you,
Ed
Re: Would OpenBSD and Squid be considered a "Proxy Firewall"?
I have not yet fully researched the PF functionality of OpenBSD, so I'm therefore guessing that the PF feature adds "stateful packet inspection" to an OpenBSD box. With that assumption, I guess I'm thinking PF and Squid (which works at the application layer of the OSI stack) would make a pretty formidable firewall. I wonder if PF would analyze the incoming data stream first and then Squid, or would that be Squid first and then PF?

Ed

On Sat, Mar 22, 2008 at 6:05 AM, Denise H. G. <[EMAIL PROTECTED]> wrote:
>
> "Ed Flecko" <[EMAIL PROTECTED]> writes:
>
> > Hi folks,
> > I'm reading a book on network security and it mentions "proxy
> > firewalls", so I'm wondering if an OpenBSD box with Squid installed
> > would fit this description? Or, are there other "proxy firewalls" the
> > author is referring to?
> >
> > The book mentions that although "proxy firewalls" tend to slow traffic
> > down, they are much more secure than a typical, "stateful packet
> > filtering" firewall. He says they will ignore the typical "network
> > discovery" methods, i.e. nmap, etc., etc.
> >
> > As a matter of curiosity, has anyone run an nmap scan against an
> > OpenBSD box with Squid? What did the scan results indicate?
>
> I have an ancient box, which is an AMD K6 266MHz with 64M RAM, running
> OBSD 4.2 + pf + squid. I use it as a home router + firewall + WWW cache.
> Since it is running smooth, quiet and well, it just sits in one corner
> without my further investigations. But I don't know how `proxy' plus
> `firewall' would enhance security issues. Would you elaborate on it?
>
> > Thank you,
> > Ed
>
> --
> Denise H. G.
Re: Would OpenBSD and Squid be considered a "Proxy Firewall"?
The book is called "Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition)" - http://www.amazon.com/Counter-Hack-Reloaded-Step-Step/dp/0131481045/ref=pd_bbs_1?ie=UTF8&s=books&qid=1206284032&sr=8-1

The author makes several references to "proxy firewalls" and implies they are more secure than "traditional" firewalls because they ignore typical reconnaissance, probing attempts like nmap, etc. because they function at the application layer.

Ed

On Sat, Mar 22, 2008 at 7:38 AM, Lars Noodin <[EMAIL PROTECTED]> wrote:
> Ed Flecko wrote:
> > I'm reading a book on network security and it mentions "proxy
> > firewalls" ... are there other "proxy firewalls" the
> > author is referring to?
>
> Which book? Title, author, ISBN would help. Or send a link to a review.
>
> > As a matter of curiosity, has anyone run an nmap scan against an
> > OpenBSD box with Squid? What did the scan results indicate?
>
> The results depend entirely on how you have Squid set up and how PF is
> configured.
>
> Regards,
> -Lars
Re: Would OpenBSD and Squid be considered a "Proxy Firewall"?
In one section of the book (Page 301) the author contrasts nmap to "Firewalk". He says, "nmap cannot differentiate between what is open on an end machine and what is being firewalled. Firewalk, on the other hand, can determine if a given port is allowed through a packet-filtering device.With this information, Firewalk allows an attacker to determine your firewall rule set." I get the impression he thinks Firewalk is superior to nmap (although he doesn't come right out and SAY that). He then shortly thereafter says, "Firewalk even works against traditional and stateful packet filters, which both just decrement the TTL by one. However, Firewalk does not work against proxy based firewalls, because proxies do not forward packets. Instead, a proxy application absorbs packets on one side of the gateway and creates a new connection on the other side, destroying all TTL information in the process. Packet filters actually forward the same packets, after applying filtering rules, keeping the TTL relatively intact (albeit decremented by one). So, although Firewalk is a highly effective technique against packet filter firewalls, it does not work at all against proxy firewalls. For services that the firewall is proxying, Firewalk reports that the associated ports are closed." Statements like this are what started me thinking I'd ask some of you (who probably know a whole lot more about this than I do :-)) your opinion about an OpenBSD with Squid. It sounds like a powerful combination to me! 
:-)

Ed

On Sun, Mar 23, 2008 at 1:42 PM, System Administrator <[EMAIL PROTECTED]> wrote:
> On 23 Mar 2008 at 7:58, Ed Flecko wrote:
>
> > The book is called "Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition)" - http://www.amazon.com/Counter-Hack-Reloaded-Step-Step/dp/0131481045/ref=pd_bbs_1?ie=UTF8&s=books&qid=1206284032&sr=8-1
> >
> > The author makes several references to "proxy firewalls" and implies they are more secure than "traditional" firewalls because they ignore typical reconnaissance, probing attempts like nmap, etc. because they function at the application layer.
>
> Assuming you have correctly understood the author's intent, then he is completely wrong. There is no difference in the abilities of either proxy or packet-filtering firewalls to block probing (reconnaissance) attempts. In fact, it is much much easier to configure a stealthy (or "invisible") firewall with a powerful packet filtering engine like OpenBSD's pf.
>
> The main argument about proxy firewalls being more secure focuses on the ease of configuration, or more specifically on the fact that it is fairly easy for a novice to mis-configure a packet-filter wide open, whereas a well designed application gateway will preclude such a faux-pas.
>
> The second half of the same argument has to do with content analysis -- application gateways (proxies) by definition operate at the application layer and have an inherent ability to analyze the application specific data content and react accordingly, including extensive data re-writing and manipulation. A properly designed packet filter operates only on TCP/IP headers and is oblivious of the payload (data content). This is the reason OpenBSD's pf(4) requires the support of ftp-proxy(8) to allow FTP data transfers across the firewall.
>
> For a thorough discussion of this issue (payload manipulation on the firewall) please check the list archives -- there have been a number of excellent threads recently.
>
> If you've come from the Linux world or have looked at some Linux-based commercial firewalls, you have probably seen the term "deep packet inspection". That is an ugly hack whereby the packet filter uses various special cases to examine the payload of the packets passing the firewall. While at first glance this approach seems to provide more control than generic packet header filtering, it still falls way short of the capabilities and reliability of a true proxy -- after all, it still operates on individual packets and will miss many things due to normal or malicious fragmentation.
>
> So, to bring it back to your original question, a typical SOHO OpenBSD firewall is a packet filtering firewall even with a Squid Cache running. After all, which part of the firewall actually implements the security policy and handles the traffic control?
>
> BTW, even if you were to add some application gateways to your OpenBSD firewall, you would only have a "hybrid" firewall, i.e. one that combines t
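The Firewalk passage quoted in the post above is easier to reason about with a toy model in hand. The block below is an added example, not code from Counter Hack Reloaded, from Firewalk, or from anyone on the list: it models hops as objects that either forward a probe with TTL decremented by one (router, packet filter) or absorb it and answer on their own behalf (proxy), then runs Firewalk's two phases against both kinds of gateway. The topology, the allow-list {22, 80, 443}, the proxied ports and the port list are all constructed for the demo, and it assumes the gateway decrements the TTL and answers time-exceeded before applying its rules.

```python
# Added example: a toy model of the Firewalk TTL technique. Not from the book,
# from Firewalk itself, or from the list; all hops, ports and rules are made up.
from dataclasses import dataclass

TTL_EXCEEDED = "icmp-time-exceeded"
ABSORBED = "absorbed"          # the gateway answered the connection itself


@dataclass
class Probe:
    dst_port: int
    ttl: int


@dataclass
class Reply:
    kind: str
    from_hop: int               # 1-based hop index that generated the reply


class Router:
    """Plain IP hop: decrement TTL, report expiry, otherwise forward."""

    def handle(self, probe, hop_index):
        probe.ttl -= 1
        if probe.ttl == 0:
            return Reply(TTL_EXCEEDED, hop_index), None
        return None, probe


class PacketFilter(Router):
    """Stateless or stateful packet filter: the router's forwarding path
    (TTL decremented by one, assumed to happen before the rules) plus an
    allow-list on destination port. Blocked packets are silently dropped."""

    def __init__(self, allowed_ports):
        self.allowed = frozenset(allowed_ports)

    def handle(self, probe, hop_index):
        reply, fwd = super().handle(probe, hop_index)
        if fwd is not None and fwd.dst_port not in self.allowed:
            return None, None                       # dropped, nothing forwarded
        return reply, fwd


class Proxy:
    """Application gateway: never forwards the sender's packet. A proxied
    port is accepted by the gateway itself (a fresh connection with a fresh
    TTL would be opened on the far side); any other port is closed."""

    def __init__(self, proxied_ports):
        self.proxied = frozenset(proxied_ports)

    def handle(self, probe, hop_index):
        probe.ttl -= 1
        if probe.ttl == 0:
            return Reply(TTL_EXCEEDED, hop_index), None
        if probe.dst_port in self.proxied:
            return Reply(ABSORBED, hop_index), None  # original packet dies here
        return None, None


def send(path, probe):
    """Walk one probe through the hops; return the first reply, or None if
    the packet was dropped or left the modelled path unanswered."""
    for index, hop in enumerate(path, start=1):
        reply, probe = hop.handle(probe, index)
        if reply is not None:
            return reply
        if probe is None:
            return None
    return None


def ramp(path, gateway_index, max_ttl=30):
    """Ramping phase: raise the TTL until the time-exceeded comes back from
    the gateway itself, giving the hop count to it (traceroute-style)."""
    for ttl in range(1, max_ttl + 1):
        reply = send(path, Probe(dst_port=33434, ttl=ttl))
        if reply and reply.kind == TTL_EXCEEDED and reply.from_hop == gateway_index:
            return ttl
    raise RuntimeError("gateway never answered the ramping probes")


def firewalk(path, gateway_index, ports):
    """Scanning phase: probe each port with TTL one past the gateway. A
    time-exceeded from the hop beyond the gateway proves the packet was
    forwarded, i.e. the port is allowed through. Anything else (silence,
    or a reply from the gateway itself) is reported as filtered/closed,
    which is exactly what happens for every port a proxy handles."""
    hops_to_gw = ramp(path, gateway_index)
    verdict = {}
    for port in ports:
        reply = send(path, Probe(dst_port=port, ttl=hops_to_gw + 1))
        passed = bool(reply) and reply.kind == TTL_EXCEEDED and reply.from_hop == hops_to_gw + 1
        verdict[port] = "open" if passed else "filtered"
    return verdict


# Constructed topologies: two routers, the gateway under test (hop 3), and one
# more router behind it. The target host never sees these probes.
def filtered_path():
    return [Router(), Router(), PacketFilter({22, 80, 443}), Router()]


def proxied_path():
    return [Router(), Router(), Proxy({80, 443}), Router()]


PORTS = [21, 22, 25, 80, 443, 3128]

if __name__ == "__main__":
    print("packet filter:", firewalk(filtered_path(), 3, PORTS))
    print("proxy gateway:", firewalk(proxied_path(), 3, PORTS))
```

Against the packet filter the scan recovers the allow-list exactly (22, 80 and 443 come back "open", the rest "filtered"); against the proxy every port, proxied or not, comes back "filtered", because the probe's own TTL never travels past the gateway.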
Simple OBSD/Samba sharing/restart question
Hi folks,

I'm running OpenBSD 4.2, I've installed and configured Samba. I have a shared directory on the OBSD box that I store some backup log files in. I want to be able to read the log files (or any other files as well) from the shared directory, but I'm not able to do so.

Here's my smb.conf file:

[global]
workgroup = PROXYBOX
server string = Samba Server
security = share

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

[shared]
comment = Shared directory on the proxy server
path = /var/squid/logs/squid_logs
read only = no
browseable = yes
guest ok = yes
public = yes

For testing purposes, I've set the permissions on the squid_logs directory to: 777

I can map the drive from a Windows box and even create files/folders...but I can copy files from it to the Windows box or read files.

O.K., I'm stumped; what am I overlooking???

Also, once you've made changes to your smb.conf file, how do you stop/restart Samba???

Thank you,
Ed
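Whatever the reading problem turns out to be, the share as posted deserves a second look: `guest ok = yes` (and its synonym `public = yes`) together with `read only = no` on a mode 777 directory means anyone who can reach the box can add to or alter the proxy's log directory without a password, and `security = share` means no user accounts are involved at all. The block below is an added example, not from the post or from Samba: a small smb.conf parser that resolves Samba's parameter synonyms (`writable`/`writeable` invert `read only`, `public` is `guest ok`) with last-one-wins semantics, then audits every share for anonymous access. The configuration from the post is embedded as a constructed sample.

```python
# Added example: audit smb.conf for anonymous-accessible shares. Not part of
# the post or of Samba; the sample below is the configuration from the mail.
SAMPLE = """\
[global]
workgroup = PROXYBOX
server string = Samba Server
security = share
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[shared]
comment = Shared directory on the proxy server
path = /var/squid/logs/squid_logs
read only = no
browseable = yes
guest ok = yes
public = yes
"""

# Samba synonyms: parameter -> (canonical name, value is the inverse)
SYNONYMS = {
    "writable": ("read only", True),
    "writeable": ("read only", True),
    "write ok": ("read only", True),
    "public": ("guest ok", False),
}
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def to_bool(value):
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Parameter names are lower-cased
    and whitespace-normalised, synonyms are folded onto their canonical
    name, and a later setting overrides an earlier one (Samba's own rule)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        value = value.strip()
        canonical, inverted = SYNONYMS.get(key, (key, False))
        if inverted:
            value = "no" if to_bool(value) else "yes"
        sections[current][canonical] = value
    return sections


def share_flags(params):
    """Effective (guest ok, read only) with Samba's defaults: no and yes."""
    return to_bool(params.get("guest ok", "no")), to_bool(params.get("read only", "yes"))


def audit(text):
    """(section, finding) pairs for the settings worth a second look."""
    conf = parse_smb_conf(text)
    findings = []
    if conf.get("global", {}).get("security", "user").lower() == "share":
        findings.append(("global", "security = share: per-share passwords, no user accounts"))
    for name, params in conf.items():
        if name == "global" or to_bool(params.get("printable", "no")):
            continue                                  # printers are not file shares
        guest, read_only = share_flags(params)
        path = params.get("path", "(per-user home directory)")
        if guest and not read_only:
            findings.append((name, f"anonymous write access to {path}"))
        elif guest:
            findings.append((name, f"anonymous read access to {path}"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"[{section}] {finding}")
```

Run as-is it reports the `security = share` setting and flags `[shared]` as anonymous-writable; `[homes]` is writable but not guest-accessible, so it passes. Note the parser only tells you what Samba will permit; whether a given client can actually read a file is still decided by the Unix ownership and mode of the files inside the directory, which the configuration cannot see.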
Re: Wireless PCI card recommendation needed
> Thomas Mullins wrote:
> > We are going to build a wireless network using OpenBSD. I have looked at http://www.openbsd.com/i386.html#hardware to see the supported wireless PCI cards. Could someone please recommend an 802.11g card that has a stronger transmit power? Or another card they have had good success with?
>
> If you can't find a card with the transmit power you want, you may be able to get the range you're looking for from antenna gain and type.

I'm using the Linksys WMP54G v4 wireless card with the ral driver. I had problems with weak signal. I improved it greatly by using the Hawking HSB2 Signal Booster, along with a Linksys high gain antenna. It now runs in 802.11g mode at 54Mb. Now I have a decently supported card, with reasonable range, and am satisfied with the performance.

Ed
4.3 /-current and xenocara
Since there seems to be a bug with cvs checkouts (dies with:

cvs [server aborted]: out of memory; can not allocate 2937909 bytes

on x86 32-bit platforms,

cvs [server aborted]: out of memory; can not reallocate 5242880 bytes

on amd64 64-bit platforms and

cvs [server aborted]: out of memory; can not reallocate 5242880 bytes

on Windows CVS GUI clients) is there anywhere I can download a tarball of the latest snapshot?

--
Ed V.
3 April 2008 14:28:24

I gather, young man, that you wish to be a Member of Parliament. The first lesson that you must learn is, when I call for statistics about the rate of infant mortality, what I want is proof that fewer babies died when I was Prime Minister than when anyone else was Prime Minister. That is a political statistic.
- Sir Winston Leonard Spencer Churchill
"Correctly" uninstall default Apache and install Apache 2.2.4?
Hi folks,

For a variety of reasons and features, I'd like to install the apache-httpd-2.2.4.tgz package. As a side note, I tried to install it on OpenBSD 4.2, and there are a few package dependencies it apparently is missing (at least on my box, which runs 4.2 without X) because the install fails.

Anyway,

1.) Is there a "correct" way to uninstall the default Apache 1.3 that ships with OpenBSD? I can't use a "pkg_delete..." can I?

2.) Maybe I don't need to? If I don't uninstall the original Apache, will the new version overwrite the 1.3 version?

3.) Do I need to chroot the Apache 2.2.4 or will the "default" install set it up that way?

Thank you,
Ed
My ntpd isn't starting on OBSD 4.3?
Hi folks,

O.K., I'm stumped. I've just installed 4.3, and I have the typical:

ntpd_flags="-s" entry in /etc/rc.conf.local

and

# sync to a single server
128.9.176.30

# use a random selection of 8 public stratum 2 servers
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
# servers pool.ntp.org

in /etc/ntpd.conf, and ntpd isn't starting on boot.

Am I missing something unique to 4.3?

Thank you.
Re: My ntpd isn't starting on OBSD 4.3?
Yep, that was it. Thanks guys. :-)

On Thu, May 1, 2008 at 1:21 PM, Martin Toft <[EMAIL PROTECTED]> wrote:
> On Thu, May 01, 2008 at 01:06:41PM -0700, Ed Flecko wrote:
> > Hi folks,
> > O.K., I'm stumped.
> >
> > I've just installed 4.3, and I have the typical:
> >
> > ntpd_flags="-s" entry in /etc/rc.conf.local
> >
> > and
> >
> > # sync to a single server
> > 128.9.176.30
>
> AFAIK, you need "server" before the address, i.e.:
>
> server 128.9.176.30
>
> > # use a random selection of 8 public stratum 2 servers
> > # see http://support.ntp.org/bin/view/Servers/NTPPoolServers
> > # servers pool.ntp.org
> >
> > in /etc/ntpd.conf, and ntpd isn't starting on boot.
> >
> > Am I missing something unique to 4.3?
> >
> > Thank you.
How do I set up personal web sites for users?
Hi folks,

I have a few questions about how to set up users on my OBSD 4.3 box. I've created a user (Stephanie) on the box, and I've added her to the /etc/ftpchroot file so she can upload stuff to her directory; now I just want her to be able to reach whatever she uploads (which probably will be just a bunch of files) via Apache and that's where I'm stumped. I was expecting to be able to reach her stuff via the typical *nix http://server/~stephanie, but that didn't work.

1.) Can someone tell me what I'm doing wrong?

2.) Inside the /var/www directory, there's a "user" directory. What's that for?

3.) Do I need to, or would it be advantageous to, modify the httpd.conf file? What sort of entries might be helpful?

Thank you,
Ed
How do I use digest authentication to allow/deny directory access
Hi folks,

I'm trying to use digest authentication and require a visitor to supply a password in order to be able to access a certain subdirectory.

Here's my scenario:

I have a directory called download which is located at: /var/www/htdocs/stephanie/download.

I've created a file called "digest" which is located at: /var/www/conf/digest using the following command:

# htdigest -c /var/www/conf/digest Private guest

Then, I've created an entry in my httpd.conf file that looks like this:

AuthType Digest
AuthName "Pssst...what's the password?"
AuthUserFile /var/www/conf/digest
Require user guest

I've then stopped and restarted Apache.

I'm apparently missing something because I can get to the home page fine, but I get a "Internet Explorer cannot display the webpage" if I even try and get to http://servername/stephanie

Suggestions?

Thank you, as always.
Ed
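One detail in the post above is worth seeing in code: htdigest does not store a password, it stores MD5(user:realm:password), so the realm passed to `htdigest` (here `Private`) and the `AuthName` the server sends in its challenge have to be the same string, or the browser computes a different hash from the one on disk. The block below is an added example, not code from the post or from Apache's mod_digest/mod_auth_digest: it builds the htdigest line for user `guest`, realm `Private` and an assumed password `s3cret`, has a client answer a challenge the way a browser would (both the RFC 2617 `qop=auth` form and the older no-qop form), and verifies that answer on the server side with a constant-time comparison. The nonce, URI and cnonce are made up; nonce freshness and replay tracking, which a real server must do, are left out.

```python
# Added example: server-side check of HTTP Digest authentication against an
# htdigest-format file. Not from the post or from Apache; the digest line,
# nonce, URI and password are constructed for the demo.
import hashlib
import hmac
import re
import secrets

REALM = "Private"               # realm given to htdigest; AuthName must match it


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_htdigest_line(user, realm, password):
    """What htdigest(1) writes: user:realm:MD5(user:realm:password).
    The stored value is HA1, so the realm is baked into the credential."""
    return f"{user}:{realm}:{md5hex(f'{user}:{realm}:{password}')}"


# Constructed: the file "htdigest -c digest Private guest" would produce
# if the password typed had been "s3cret".
HTDIGEST_FILE = make_htdigest_line("guest", REALM, "s3cret") + "\n"


def load_htdigest(text):
    """Map (user, realm) -> HA1 for every non-comment line."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        table[(user, realm)] = ha1
    return table


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response value, with qop=auth or in the older no-qop form."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop is None:
        return md5hex(f"{ha1}:{nonce}:{ha2}")
    if qop != "auth":
        raise ValueError("only qop=auth is modelled; auth-int also hashes the body")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(user, password, method, uri, nonce, qop="auth"):
    """What the browser sends back after the 401 challenge."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    params = {"username": user, "realm": REALM, "uri": uri, "nonce": nonce}
    if qop is not None:
        params.update(qop=qop, nc="00000001", cnonce=secrets.token_hex(8))
    params["response"] = digest_response(ha1, method, uri, nonce,
                                         params.get("nc"), params.get("cnonce"), qop)
    return params


def format_header(params):
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in params.items())


def parse_header(header):
    """Parse an Authorization: Digest header; values may be quoted or bare."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {k: quoted or bare for k, quoted, bare in pairs}


def check_request(table, method, params):
    """Accept only if the realm is ours, the user exists for that realm, and
    the client's response equals the one recomputed from the stored HA1.
    The method and URI are part of HA2, so a reused response for another
    request fails even with a valid password."""
    if params.get("realm") != REALM:
        return False
    ha1 = table.get((params.get("username"), REALM))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, params.get("uri", ""), params.get("nonce", ""),
                               params.get("nc"), params.get("cnonce"), params.get("qop"))
    return hmac.compare_digest(expected, params.get("response", ""))


if __name__ == "__main__":
    table = load_htdigest(HTDIGEST_FILE)
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"          # constructed server nonce
    hdr = format_header(client_authorize("guest", "s3cret", "GET", "/stephanie/download/", nonce))
    print(hdr)
    print("accepted:", check_request(table, "GET", parse_header(hdr)))
```

The realm check at the top of `check_request` is the code-level form of the AuthName/htdigest mismatch: with the file written for realm `Private`, a challenge advertising a different realm leads the browser to hash the wrong string, and no password will ever verify.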
Re: How do I use digest authentication to allow/deny directory access
Thanks, Adam

Yeah, I'm still chrooted. Also, I forgot to mention before that I've tried both modules:

LoadModule digest_auth_module /usr/lib/apache/modules/mod_auth_digest.so
LoadModule digest_module /usr/lib/apache/modules/mod_digest.so

and neither seems to work. In fact, if I enable either module, I can't even access the stephanie directory with the referenced entries to my httpd.conf file. That really puzzles me.

Suggestions?

Ed

On Tue, May 6, 2008 at 2:31 PM, Adam Patterson <[EMAIL PROTECTED]> wrote:
> Ed Flecko wrote:
> > <...snip...>
> >
> > AuthType Digest
> > AuthName "Pssst...what's the password?"
> > AuthUserFile /var/www/conf/digest
> > Require user guest
> >
> > Ed
>
> If you are still chrooted you need to make sure that's the right directory. If you disabled the chroot then it's obviously another issue.
Re: How do I use digest authentication to allow/deny directory access
It seems like, from what I see on the web, that I should be using:

AuthDigestFile

instead of

AuthUserFile

however when I do that, save the httpd.conf and restart Apache, I get the following error message:

Syntax error on line 61 of /var/www/conf/httpd.conf:
Invalid command 'AuthDigestFile', perhaps mis-spelled or defined by a module not included in the server configuration
/usr/sbin/apachectl start: httpd could not be started

Suggestions???

Ed
Re: How do I use digest authentication to allow/deny directory access
Thanks, Adam.

To test even "Basic" authentication, I created a file named "passwords" in the htdocs directory to confirm that Apache could reach it. :-)

Then I made this entry in the httpd.conf file:

AuthType Basic
AuthName "Private"
AuthUserFile /var/www/htdocs/passwords
Require user stephanie

Unfortunately, all I get is an "Internet Explorer cannot display the webpage" error message. I don't get any dialog box to sign in.

I'm stumped. Suggestions?

Ed