Re: SSH extremely quickly dropped from T-Mobile phone hotspot
You can also just set client keepalives. Set TCPKeepAlive in ~/.ssh/config. This has solved a bunch of random timeout problems due to carrier NAT or similar.

On Sat, Sep 15, 2018 at 15:36 Constantine A. Murenin wrote:
> On 15 September 2018 at 09:50, Chris Bennett <cpb_m...@bennettconstruction.us> wrote:
>
> > I am using my phone's hotspot, which may or may not be secure, but is not censoring my choice of sites to visit. Public WiFi in the USA does so all over the place. Worse, when I lived in Washington State, I was next to a Naval Air Station, which certainly eavesdrops, not OK, but this is the land of the free? Now I am living in the Capital of Texas, Austin which also leaves public WiFi under the same problems (legislature meets here).
> >
> > I cannot maintain an SSH connection unattended long enough to go to the bathroom and get a cup of coffee without the connection being dropped halfway through reading my email.
> >
> > Is autossh the right choice or is there a better way? The flow of data seems to be the problem. A static page disconnects.
> >
> > Thanks,
> > Chris Bennett
>
> I also have T-Mobile US, and I cannot reproduce your problem.
>
> In fact, because my laptop gets a public IPv6 address from T-Mobile US — a standard feature in Android 7.1.1, where you get at least a whole /64 from the carrier — I can put it to sleep, disable AndroidAP, go get coffee, lunch, dinner, or attend a meetup, or all of the above, come back home, turn AndroidAP back on, turn my laptop on, and my vanilla ssh connection will come back to life after a single keystroke (provided the phone was never turned off and didn't itself lose network connectivity, e.g., still has the same /64 assigned to itself).
>
> I did have to configure my laptop to `sysctl -w net.inet6.ip6.prefer_tempaddr=0`, and also make sure I'm not running something that'd be constantly refreshing the screen of the terminal I'm accessing through ssh, e.g., you definitely do have to disconnect tmux with the timestamp before you attempt this, and doing socks proxying would obviously interfere with it as well if any connections remain open when you attempt to turn things off like that, and — voilà, problem solved.
>
> So, my suggestion — move to IPv6 for the killer features, and stop worrying about the disconnects.
>
> But if you don't have a public IP address on your laptop and do get your internet through NAT/CGNAT and/or a stateful firewall, then you might have to play with `-oServerAliveInterval=480` or some such, as per http://mdoc.su/o/ssh_config.5, but, otherwise, this option is actually not only unnecessary, but is, in fact, harmful, as it may "detect" brief periods of connectivity loss that you don't necessarily care about.
>
> P.S. Another option, if you don't necessarily care about scrolling, and/or already use tmux within your ssh, is to use http://ports.su/net/mosh. Personally, I prefer straight ssh through IPv6 to mosh, although sometimes it does cause me to use my AndroidAP even in venues where the public internet is available.
>
> Cheers,
> Constantine.SU.
Re: rtsol with IPv6 forwarding turned on
On Tue, May 14, 2013 at 3:13 PM, Stuart Henderson wrote:
> On 2013-05-14, Mattias Lindgren wrote:
>> Hello,
>>
>> I'm using an OpenBSD 5.3 (release) machine as my router connecting to Comcast. Comcast provides native IPv6 access, however it does so a little bit differently than what is probably best practice. I use wide-dhcpv6-20080615p2 from ports to get an address on my outside interface, as well as a prefix which gets assigned to my inside interface. However, the default route is announced via Route Advertisements.
>
> That is pretty common practice for ISPs doing IPv6 (see RFC 6204), but OpenBSD doesn't support it at present.

I tried to use the DHCPv6 client but found it didn't quite work right (no assigned IP to the interface). Rtsold gets the prefix and gateway just fine, but Comcast assigns a /64 prefix to my firewall. But, the DHCPv6 server won't actually issue me a V6 IP (as of yet..) I've assigned an arbitrary IPv6 address to my firewall, and it can reach out over Comcast's network with no problem. I started to look at setting up an internal local network before getting distracted by paying work.

>> However since I would also like for my router to forward IPv6 packets, I'm not sure of how to make it work. Rtsol states that net.inet6.ip6.forwarding=0. I've tried running rtsol with forwarding set to 1, but it complains and does not grab a default route. The other option would be to manually set the v6 default route, but I'd prefer to not have to do that. Does anyone know of a workaround for this issue?
>
> Manually setting the route is the only current workaround afaik.

I might give that a shot. The RA (at least the one near me) gives a link local advert (fe80::) with a /64 prefix.

> FreeBSD turned accept_rtadv into a per-interface flag which can be set (only) on the "upstream" interface so you can continue to send adv's on the "downstream" interfaces.

That seems to be a good solution, but not necessarily the "right" one.
Re: Fuse on OpenBSD
On Jul 3, 2013, at 20:23, Brad Smith wrote: > On 03/07/13 11:07 PM, openda...@hushmail.com wrote: >> Why do we need FUSE anyway? > > To be able to utilize FUSE based filesystems. > Fuse is a terrible hack. But, a useful one that solves all kinds of problems. Sent form my iFoe.
Re: new topic: blind support for OpenBSD.
On Jul 6, 2013, at 21:53, Nick Holland wrote: > > Feel free to take this off list with me if you prefer. > I kind of hope you keep this on list, actually. While I'm not affected by the problem, I'm interested in the problem and solutions.
Re: OpenBSD pxe automated install
Read the FAQ, Loic.

http://openbsd.org/faq/faq4.html#site

Site*.tgz, install.site and upgrade.site are a good starting point.

On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT wrote:
> Hello @misc.
>
> Today I'm working on automated deployment with PXE. I have successfully found and made an automated PXE install on Debian with pxelinux.
>
> I know OpenBSD has a pxe boot image to netinstall the system: http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
>
> Are there any options to automate the installation? I want a machine to boot on bsd.rd, read a configuration file (url passed by etc/boot.conf, for example) and install with the read parameters. Is there any issue with doing this, or do I have to do it myself?
>
> Thanks in advance
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network expert
> http://www.unix-experience.fr
Re: OpenBSD pxe automated install
Please read the FAQ entry I sent you, pay close attention to install.site and upgrade.site. Both of those are scripts that are executed by the installer. Fully automatic installs have been done, usually by modifying the installer script or root's .profile.

Basically: automatic, unattended installation of openbsd is possible, but you have to build the glue for it.

Sent form my iFoe.

On Aug 12, 2013, at 12:52, Loïc BLOT wrote:
> Hello,
> thanks for your reply Johan, but this is not what I want. site.tgz contains a set of preconfigured files to deploy with other sets to deploy similar machines.
>
> My need is to install a clean OpenBSD by automated means: the server boots via PXE and installs OpenBSD, configures network, hostname, disk, installs sets over the network and reboots without any human intervention. After that, the server can use siteXX.tgz, yes, but this is not the main problem here
>
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network expert
> http://www.unix-experience.fr
>
> On Monday, 12 August 2013 at 12:09 -0700, Johan Beisser wrote:
>> Read the FAQ, Loic.
>>
>> http://openbsd.org/faq/faq4.html#site
>>
>> Site*.tgz, install.site and upgrade.site are a good starting point.
>>
>> On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT wrote:
>>> Hello @misc.
>>>
>>> Today I'm working on automated deployment with PXE. I have successfully found and made an automated PXE install on Debian with pxelinux.
>>>
>>> I know OpenBSD has a pxe boot image to netinstall the system: http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
>>>
>>> Are there any options to automate the installation? I want a machine to boot on bsd.rd, read a configuration file (url passed by etc/boot.conf, for example) and install with the read parameters. Is there any issue with doing this, or do I have to do it myself?
>>>
>>> Thanks in advance
>>> --
>>> Best regards,
>>> Loïc BLOT,
>>> UNIX systems, security and network expert
>>> http://www.unix-experience.fr
Re: OpenBSD pxe automated install
On Tue, Aug 13, 2013 at 9:48 AM, Marian Hettwer wrote:
> Hi Loic,
>
> On 13.08.13 15:43, Loïc Blot wrote:
>> Hello Marian,
>> I think you are right, because bsd.rd is required as a last chance to repair the system, among others.
>
> Right. And I'd like to leave it untouched. This hopefully also increases the possibility that whatever we come up with might get added upstream... ;)

There's nothing preventing you from building your own installer within the RAMDISK kernel. I've done it in the past to handle some personalized extensions.

> I agree that the most pressing point is automatic network configuration in order to be able to download additional configs, like disk config, package config, ...

It's doable within the base tools, if you assemble things correctly. No reason to not have this stuff off of NFS or TFTP to pull in the config.

> PS.: personal opinion: I like FAI (www.fai.org) much more than Debian's preseed.cfg... check it out ;)

http://fai-project.org/ is the correct URL. I've had some interesting problems with FAI in the past. Once it's working, it's quite wonderful.
Re: DNS Proxy
DNS proxy uses less bandwidth on your end. There are a dozen DNS proxy services out there for media, they all work on the same basic principle. On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki wrote: > Hi all, > > > I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside the > U.S and uses my OpenBSD squid proxy to access netflix. I've been told this > can be also accomplished via DNS Proxy. Is it true? > > If yes which one do you recommend? > > > Thanks
Re: DNS Proxy
Use the D option in ssh(1) and the SOCKS proxy will do lookups through the tunnel. Make sure you use version 5 (OpenSSH supports 4 and 5). On Sun, Sep 15, 2013 at 12:42 PM, Joel Wirāmu Pauling wrote: > Also given dns is a user of UDP by default you need to use some other tunnel > mechanism other than ssh. > > -Joel > > > Johan Beisser wrote: >> >> DNS proxy uses less bandwidth on your end. >> >> There are a dozen DNS proxy services out there for media, they all >> work on the same basic principle. >> >> On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki wrote: >>> >>> Hi all, >>> >>> >>> I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside >>> the >>> U.S and uses my OpenBSD squid proxy to access netflix. I've been told >>> this >>> can be also accomplished via DNS Proxy. Is it true? >>> >>> If yes which one do you recommend? >>> >>> >>> Thanks >> >> > > -- > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: new queueing subsystem
> On Oct 16, 2013, at 8:05, Otto Moerbeek wrote:
> This will not be in 5.4, it will be in 5.5. If you see shortcomings in the docs explain in more detail.

I just read the QUEUEING section in the man page. Seems fairly clear to me, and in some ways more clear. One thing I'd like to see is a suggestion for how to figure out your actual bandwidth, to better define the queues.

For example, I've got a 10Mbit outbound link, and three priority queues. The only reason I define a total bandwidth is that "altq" requires it, so I've set it at 9.5Mbit. With the move to HFSC, do I have to break down major queues, and the children? Or can I still just do very basic priority queueing in 5.5?
Re: new queueing subsystem
On Wed, Oct 16, 2013 at 11:04 AM, Norman Golisz wrote:
> On Wed Oct 16 2013 08:54, Johan Beisser wrote:
>> Or can I still just do very basic priority queueing in 5.5?
>
> See pf.conf(5), 'set prio'. This doesn't even require you to define queues, etc.

Right. I guess if I want to define multiple queues for matching traffic, I need to either redo the filter rules to use tagging*, or simply do it per outbound bit of traffic. The change is a pretty powerful one.

*
match on FOO inet proto tcp from BAR to BAZ port {X,Y} tag PRIO_Z
[...]
pass out on egress tagged PRIO_X set prio 4
pass out on egress tagged PRIO_Z set prio (3, 7)
Re: why icmp timestamping is enabled by default ?
> On Oct 21, 2013, at 2:57, Henning Brauer wrote: > > * Илья Шипицин [2013-10-11 04:52]: >> I was just curious why that timestamping is enabled by default. > > 'cause there is no reason to disable it. > > why is tcp enabled by default? > Everyone knows that TCP, like IP, and the Internet is just a passing fad.
Re: smb protocol not supported error using konqueror on 4.4 with samba package
You need the KDE Samba package.

http://www.openbsd.org/4.4_packages/i386/kdesamba-3.5.9.tgz-long.html

On Dec 21, 2008, at 10:41 PM, Siju George wrote:

> Hi,
>
> I am running 4.4 and have both kdebase package and samba package installed.
>
> $ uname -a
> OpenBSD risen.hifxchn2.local 4.4 GENERIC#1021 i386
> $ pkg_info |grep samba
> samba-3.0.31        SMB and CIFS client and server for UNIX
> $
> $ pkg_info |grep kde
> kdebase-3.5.9p0     K Desktop Environment, basic applications
> kdegraphics-3.5.9p1 K Desktop Environment, graphic applications
> kdelibs-3.5.9p1     K Desktop Environment, libraries
> qimageblitz-3.94.0  image effects for kde
> $
>
> When I try to access SMB shares on other computers using the URL scheme smb://IP_ADDRESS from konqueror it gives an error "Protocol not supported smb"
>
> What more should I do to get smb support added to konqueror?
>
> Thank you so much
>
> Kind Regards
>
> Siju
Re: CARP with a single public IP address
On Dec 22, 2008, at 12:27 PM, Henning Brauer wrote:
> * Todd T. Fries [2008-12-05 13:27]:
>> Ironically, IPv6 cannot solve this scenario either, since by definition using ipv6 tends to require a tunnel
>
> a few ISPs here (too many) are stupid enough to deal with v6 to the extent of handing out v6 to customers natively.

I don't know a single one in the US who gives out space to residential customers. Including in the Bay Area.
Re: CARP with a single public IP address
On Dec 22, 2008, at 5:25 PM, Henning Brauer wrote: yurop is different And one day, the US might stop playing ketchup.
Re: Trouble ticket system suggestions
I don't think any are bankrupt due to RT. On 12/23/08, Ted Unangst wrote: > On Tue, Dec 23, 2008 at 6:44 PM, bofh wrote: >> Here's a vote for RT. I've installed it, and also used it at F100 >> companies. > > Faint praise considering how many F100 companies are bankrupt. :)
Re: ftp from script
On Jan 3, 2009, at 7:27 AM, Ed Ahlsen-Girard wrote:
> You're right. You're so right, in fact, that I'd already changed the code; even I noticed that my original was bad practice.

You're doing this in perl, and not using Net::FTP?

> But my real problem was getting the download to work inside a script, and none of the presented ideas so far have helped that.

From ftp(1):

    Note: mget and mput are not meant to transfer entire directory subtrees of files. That can be done by transferring a tar(1) archive of the subtree (in binary mode).
Re: REPLY ME IMMEDIATELY
On Jan 13, 2009, at 6:42 AM, Dan Colish wrote: On Tue, Jan 13, 2009 at 8:11 AM, Arno Kumpel wrote: I have a new email address!You can now email me at: arkump...@yahoo.com *- I have the sum of $8.5USD for offshore investment*. I will appreciate it so immersely if you could give details and be patient for us to build good relationship. Regards, Arno. Kumpel Geez, times must be bad when even spam is poor. The economy's been rough on everyone. Even spammers.
Re: Port ZFS to OpenBSD
On Jan 15, 2009, at 9:38 AM, Sevan / Venture37 wrote: The hammer FS seems promising from the BSDtalk Will & Matthew did. Outside of a single person who's doing porting (to an unknown OS), there's not been much in the way of updates on the status. It's a BETA filesystem at best, and still being tested with the 2.0 release of DragonFly. 2.1 seems promising, but HAMMER doesn't seem as well developed as one might hope. http://gitweb.dragonflybsd.org/dragonfly.git?a=search&h=HEAD&st=commit&s=HAMMER FWIW, there's no license restriction I spotted in DragonflyBSD that would prevent it being ported, if one were motivated to.
Re: Virtualization, OpenBSD as host
On Jan 16, 2009, at 11:00 AM, Allie Daneman wrote:
> I need to run Java on the guest...hence the reason Qemu doesn't work for me. I need virtualization software that runs java on an XP guest. The version of OpenBSD doesn't matter ;) I've been running it since 2.8 and am running current today as a server, which is what I want to change. Look, do you know how to run virtualization software like virtualbox or to have qemu do what I need (run java in an XP guest)? If you can't, then let's let others answer my question.

My initial thought is that you're screwed. Virtualization is expensive, difficult, and just never going to be all that quick under OpenBSD. At least until someone really does horrible things to the OpenBSD kernel to make that work.

Sure, you could do: OpenBSD -> kQemu -> WinXP -> JVM -> jApp. But wouldn't: OpenBSD -> JVM -> jApp be faster?

Depending on the app, there's a variety of reasons for wanting the XP VM. I get that. It's also just not going to perform all that well. Pretty much to the point of utter failure or uselessness.
Re: Virtualization, OpenBSD as host
On Jan 16, 2009, at 12:05 PM, Allie Daneman wrote:
> Bingo. I don't run this stuff voluntarily...I have to for work.

If work is all SAE, and you have metric and SAE tools, do you bring your metric tools on the job site? No, because for the most part they won't fit, and you might strip the bolt, nut, or hex socket you're trying to adjust.

OpenBSD is a tool. Forcing a wedge case to accomplish your job isn't going to make you or anyone else happy, and may even break things in unexpected ways.

Install XP on a different system, natively.
Re: hoststated status ?
A little more googling would have introduced you to relayd(8).

On 2/8/09, Xavier Beaudouin wrote:
> Hello,
>
> Just a quick question, what is the status of hoststated?
>
> I ran into http://www.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/ and I found that a quite exciting project.
>
> Unfortunately it doesn't seem to be in 4.4 or even in snapshots...
>
> Is there any replacement? Drawbacks or anything that explains why it is not yet supported by stable releases?
>
> Thanks;
> /Xavier
Re: usr.sbin/wake removal
I'd gladly trade look(1) for wake(8). That's almost 8k right there. On 2/9/09, Emilio Perea wrote: > On Mon, Feb 09, 2009 at 09:05:13PM +1300, Richard Toohey wrote: >> On 9/02/2009, at 6:31 PM, Thomas Pfaff wrote: >> >>> I think this could use some explaining for those of us that are not >>> intimately involved in development or have been around here for that >>> long. Keeping it small and simple by saying no to adding one file >>> at 7.2K? I'd really like to know the rationale on this one. >>> >>> Thanks. >> >> My guess would be that I want this 10K util, you want that 7.2K util, >> Fred wants that 20K util, and every Tom, Dick, and Harry wants >> their n K ... who gets to make the rules, who gets to administer it, >> etc.? >> (Who gets to listen to everyone arguing why this or that should go in?) >> >> And guess there may be ramifications for install media? > > If there is no room in base, it would be nice to have it in ports. Or > is there something else in ports already that does the same thing? I've > found wake extremely useful for turning on remote desktop computers from > the Soekris firewall rather than leaving them on all the time.
Re: OT: NFS or SAMBA ?
On Feb 13, 2009, at 11:41 AM, Jean-François wrote:
> I am mounting network drives. Would you recommend the use of NFS or SAMBA for home use?

What would you be serving to? PC Boxen? MacOS X? Linux? Another OpenBSD box? Both protocols are appropriate for similar - but not entirely the same - setups.

> For both performance and security, please advise your recommendations.

NFS is horribly insecure. By default it's just bad with little to no authentication for the user outside of standard UNIX permissions. It's fairly fast though, limited more by the capability of your network than by the protocol itself.

Samba, while somewhat more secure than NFS, is very slow. While I don't like it, I do use it very heavily since it's supported by all OSs and all systems I have to interact with on the IT side of things.
Re: NFS or SAMBA ?
On Feb 13, 2009, at 12:10 PM, Jean-François wrote:
> Hi,
>
> It's for sharing btw Linux / OpenBSD. Last one is server. Probably other than Linux client one day. However for Windows there are ways to install NFS client.

And, all of those ways suck. Sadly, to windows Samba is about the best method there is.

> I'm not speaking about network bandwidth limitations but about the efficiency of the protocol which sometimes might be preventing from going fast on fast networks.

NFS is a clear winner there.

> About security this is an internal network for the moment but it might also be accessible from the net later on.

Make IPSec or other tunneling for the NFS packets your friend now, then.

> Thanks for your advice ...

sorry there's no good news.
Re: user-friendliness and netbsd
On Mon, Feb 23, 2009 at 10:48 AM, Dave Wilson wrote: > On the contrary, I find OpenBSD remarkably user-friendly. Almost > everything I want is already in base, most things are set up with > intelligent and safe defaults, I can't even remember the last time I had > to even *have* an xorg.conf, let alone delve into mode line hell, I > could go on. I reinstalled and rebuilt my home firewall in about 3 hours last night. This included a new pf ruleset from scratch, using altq, and setting up dhcp on the internal interface(s). Nothing complicated, but doing it from scratch does take a bit of effort. The soekris does well for this purpose. But, what makes the soekris shine is OpenBSD.
Re: NAT, Firewall & pf
Comments inline.

On Feb 23, 2009, at 5:58 PM, Hilco Wijbenga wrote:

> Hi all,
>
> I've been trying to get a simple firewall system up-and-running in OpenBSD. I have "The Book of PF" and "Secure Architectures with OpenBSD" so I thought it would be very simple. Well, we're two weeks later now and still no firewall. :-) The pf rules I found in those books don't seem to work as I expected them to work.

The PF FAQ and the man page for pf.conf(5) should cover everything you need. The books are a nice addition, though.

> Before I list my current pf.conf, let me give a few more details. My firewall will be running a few services for my network (DHCP, NTP, and DNS). I need to use NAT to get my own network Internet access. DHCP works. I seem to have managed to get DNS (maradns on lo0 and sk1) and ICMP working.

So, you need to set net.inet.ip.forward to 1 to ensure packets go out.

> /etc/pf.conf
>
> 01 ext_if = "sk0"
> 02 int_if = "sk1"
> 03 localnet = $int_if:network
> 04 internet = $ext_if:network
> 05 udp_services = "{ domain, ntp }"
> 06 icmp_types = "{ echoreq, unreach }"
> 07
> 08 nat log on $ext_if from $localnet to any -> ($ext_if)
> 09
> 10 block log all
> 11
> 12 pass quick inet proto { tcp, udp } from $internet to any port $udp_services
> 13 pass quick inet proto { tcp, udp } from $localnet to any port $udp_services
> 14 pass quick inet proto { tcp, udp } from $lo0:network to any port $udp_services
> 15
> 16 pass inet proto icmp all icmp-type $icmp_types
> 17 pass from { lo0, $localnet } to any keep state

First, no traffic will go out with these rules as is. Unless states and flows match perfectly, it won't happen.

> a. Why do I need 12? I had expected 13 (which I don't seem to need). Wouldn't 12 be for incoming requests from the Internet?

I'm not sure what you're trying to do with 12 or 13. The ports (domain and ntp) will be the only traffic permitted to enter any interface on the firewall.

> b. Given that ping works from my network (so that presumably routing is okay), why doesn't anything else work? HTTP seems blocked by the firewall.

Don't presume. Think. You're passing ICMP types inward (req, unreach). That's it. I suspect you're not passing that traffic outbound otherwise.

> c. How can I get pflog to flush immediately? I noticed I have to wait a minute or so before logged lines show up.

What syntax are you using to monitor it?

> d. Any other pointers?

Start over. I make no claims this works or will work for you. It's a simple rewrite of what you claimed to want (NAT for outbound traffic, for example).

ext_if="sk0"
int_if="sk1"
udp_services="{ domain, ntp}"

set skip on lo
set block-policy return

scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if)

block log

pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
pass in quick on $ext_if proto {tcp, udp} from any to ($ext_if) port $udp_services
pass in quick on $int_if from $int_if:network to any
Re: NAT, Firewall & pf
On Feb 23, 2009, at 9:11 PM, patrick keshishian wrote: why all the "quick" stuff? This is supposed to be a very simple set up. Granted we don't exactly understand what the OP wants to do, but from what I gather, he most likely wants to allow all outbound traffic with NAT and everything else gets blocked and logged. Habit more than anything else.
Re: the power of one
On Feb 27, 2009, at 3:36 AM, Mihai Popescu B.S. wrote:
> I don't want to be a smart ass, but I was a little bit confused about some answers on undeadly.org message post by me. Basically, I was saying that even 1 euro matters for the donations. I was thinking that thousands of OpenBSD users donating at least 1 euro will bring thousands of euro for the project urgent needs.

Surprisingly, this worked really well for Livestrong Foundation fundraising. When they first started doing the $1 US fundraising, professionals in the non-profit development world scoffed. Now, you'll see it all over, heavily used and somewhat abused, but usually fairly successful.

> Some people like me like to think that it isn't worth the effort to send a small amount of money. But it is! Step by step the project can be funded. I took my time and donated more than 1 euro. Keep it on with donations.

This reminds me, I should donate.
Re: SSH "Honey Keys" Security
Don’t.

Generally, these things should be used to alert if an internal service has been compromised (akin to using Canary Tokens), and the key copied. It is, at best, a way to hear someone knocking.

On Wed, May 8, 2019 at 15:59 Stefan R. Filipek wrote:
> There's a blog post going around that has an interesting use of SSH authorized_keys restrict + command: https://kulinacs.com/ssh-honey-keys/
>
> If you don't want to follow the link, it basically uses the well-documented authorized_keys feature to restrict a login for an ssh key to invoking a single binary which logs the access attempt:
>
> restrict,command="/usr/local/bin/honeypot_logger" ssh-rsa 1C8...32Tv== honeypot_...@example.com
>
> Without devolving into an argument about the efficacy of honey keys or honey pots in general, I'm wondering if this is truly safe from a security perspective to run on a regular server (not a dedicated honey pot). Is there anything that an attacker can control that 'restrict' does not cover, assuming the targeted command is a shell script? Perhaps with a malicious SSH client as well? By the man page, 'restrict' turns on all restrictions available to the authorized_keys configuration, but it's not clear if that is really sufficient for this attack scenario.
>
> Apologies if you feel this is off-topic for the mailing list, but there's no general OpenSSH discussion list anymore listed on the openssh site.
>
> -Stefan

--
Semt form my Apqle iPhnoe 4s and gMal Mobble.
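As an added example (not the script from the linked post, nor OpenSSH project code), this is the kind of forced-command logger such a canary key would point at, written for the alerting use Johan describes; the log path, the syslog call and the key line in the comments are assumptions, and the only attacker-controlled input it touches (the requested command) is sanitised before logging.

```shell
#!/bin/sh
# Added illustration of a honey-key forced command; not the script from the
# linked post. Installed as the command= target of a canary key, e.g.
# (constructed key line, assumed path):
#   restrict,command="/usr/local/bin/honeypot_logger" ssh-ed25519 AAAA...PLACEHOLDER canary@example.com
# For a forced command sshd exports SSH_CONNECTION and, if the client asked
# for one, SSH_ORIGINAL_COMMAND.

HONEY_LOG="${HONEY_LOG:-/var/log/honeykey.log}"   # assumed log location

# Build a single log line from the environment sshd hands the command.
# Printed to stdout so the same function can be both logged and tested.
honey_record() {
    conn=${SSH_CONNECTION:-unknown 0 unknown 0}    # "cli_ip cli_port srv_ip srv_port"
    client_ip=${conn%% *}
    rest=${conn#* }
    client_port=${rest%% *}
    # The requested command is attacker-controlled: force it onto one line and
    # drop control characters so it cannot forge extra log entries.
    cmd=$(printf '%s' "${SSH_ORIGINAL_COMMAND:-<interactive shell>}" | tr -d '\000-\037\177')
    printf 'honeykey user=%s from=%s:%s cmd=%s\n' \
        "$(id -un)" "$client_ip" "$client_port" "$cmd"
}

honey_main() {
    line=$(honey_record)
    printf '%s\n' "$line" >> "$HONEY_LOG"
    # Mirror to syslog so a central collector sees the alert even if the
    # local file is later tampered with.
    logger -p auth.warning -t honeykey "$line" 2>/dev/null || true
    # Give the client nothing: no shell, no output, non-zero exit.
    exit 1
}

# Run the logger only when invoked under its installed name, so the
# functions above can also be sourced.
case "${0##*/}" in
    honeypot_logger) honey_main ;;
esac
```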
Re: is what this guy is saying even anywhere close to reasonable, about ssh everywhere?
no. Sent form my iFoe. > On Jan 4, 2015, at 05:34, bofh wrote: > > https://medium.com/@shazow/ssh-how-does-it-even-9e43586e4ffc > > -- > http://www.glumbert.com/media/shift > http://www.youtube.com/watch?v=tGvHNNOLnCk > "This officer's men seem to follow him merely out of idle curiosity." -- > Sandhurst officer cadet evaluation. > "Securing an environment of Windows platforms from abuse - external or > internal - is akin to trying to install sprinklers in a fireworks factory > where smoking on the job is permitted." -- Gene Spafford > learn french: http://www.youtube.com/watch?v=30v_g83VHK4
Re: The little ssh that (sometimes) couldn't
On Oct 28, 2012, at 8:02, pe...@bsdly.net (Peter N. M. Hansteen) wrote: > I stumbled across this little gem of a blog post, I think this deserves > a wider audience, via my twitter feed: > http://mina.naguib.ca/blog/2012/10/22/the-little-ssh-that-sometimes-couldnt.html > > To be filed under "tcpdump is your friend" and I must say I admire their > perseverance in finding the root cause of the problem. Wow. That's a bit past perseverance and in to being obsessive. Fascinating read. Thank you. > "Remember to set the evil bit on all malicious network traffic" > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds. Imagine if this had flipped the evil bit! How would we know if the packet was evil or not? Ugly.
Re: Low latency High Frequency Trading
On Thu, Nov 8, 2012 at 4:12 AM, Dan Shechter wrote:
> Hi All,
>
> A windows 2008 server is receiving TCP traffic from a stock exchange and sends it, almost as is, using UDP multicast to automated high frequency traders.
>
> StockExchange --TCP---> windows2008 ---MCAST-UDP>
>
> On average, the time it takes to do the TCP to UDP translation, using winsock, is 240 micro seconds. It can even be as high as 60,000 micro seconds.
>
> 1. Use port mirroring to get the TCP data sent to a dedicated OpenBSD box with two NICs. One for the TCP, the other for the multicast UDP.

You'll incur an extra penalty offloading to the kernel. Winsock is already doing that, though.

> 2. Put the TCP port in a promiscuous mode.

Why? You can just set up the right bits to listen to on the network, and pull raw frames to be processed. Or, just let the network stack behave as it should.

> 3. Write my TCP->UDP logic directly into ether_input.c

Any reason to not use pf for this translation?

> Now for the questions:
> 1. Am I on the right track? or in other words how crazy is my idea?

Pretty crazy. You may want to see if there's hardware accelerated or on NIC TCP off-load options instead.

> 2. What would be the latency? Can I achieve 50 microseconds between getting the interrupt and until sending the new packet through the NIC?

See above. You'll end up having to do some tuning.

> 3. Which NIC/CPU/Memory should I use? Money is not a problem.

Custom order a few NICs, hire a developer to write a driver to offload TCP/UDP on the NIC, and enable as little kernel interference as possible. Money's not a problem, right?
Re: Low latency High Frequency Trading
On Thu, Nov 8, 2012 at 9:58 AM, Ariel Burbaickij wrote: > If money is not a problem -- go buy high-trading on the chip solutions and > have sub-microsecond resolution. > > http://lmgtfy.com/?q=high+frequency+trading+FPGA I'd love to see PF offloading on to something like that. Not that I can justify the expense for my work, but it'd be useful.
Re: Unified BSD?
On Mon, Nov 12, 2012 at 5:14 PM, Greg 'groggy' Lehey wrote: > - Then DragonflyBSD split from FreeBSD. Mainly personality driven > AFAICT. Again, this doesn't imply any criticism of the founder of > the new project. There were some very valid technical reasons at the time as well, IMHO.
Re: Unified BSD?
On Tue, Nov 13, 2012 at 2:45 AM, Ignatios Souvatzis wrote: > At least a sixth, IIRC. You left out MirBSD from your distribution list. > Also, you could argue that Minix, with its NetBSD compatibility, > is a seventh and MacOS-X, with its partially (Free-/Net-)BSD compatible > userland, an eighth. OS X has benefited greatly from FreeBSD, with Apple hiring former FreeBSD core team members. And indirectly from OpenBSD as well: modern versions of OS X, 10.7+, have pf. Cross pollination is a huge benefit to the BSD community.
Re: openbsd clusters
On Sat, Dec 22, 2012 at 7:43 PM, Nick Holland wrote: > On 12/22/12 07:54, Friedrich Locke wrote: > ... >> But for other services i don't have now what i could use. A example: i need >> a file system that must expand by adding more machine in the network in a >> simple way. > > in plain English: "I'm not thinking out the design carefully, so I'm > going to rely on fancy shit to haul my ass out of the fire when the > predictable (and not so predictable) happens. Yes and no. Yes, the design is important. No, I actually do have a need for linear storage that can be easily expanded upon. I could use a NetApp or similar setup, but then I can't throw more CPU at the other side of the problem: using the stored data. So the bigger problem isn't storage space (disk is cheap, after all); rather, it is being able to slice and dice the data that's stored on the system. Processing huge files is much easier when you have a dozen nodes to do it on. I fully agree that being able to later extract and migrate away from any storage solution is important. Along with that comes migration paths to new hardware, software, and simple failure recovery (bad disks, broken node, etc). Big data takes quite a bit of planning, but it's gotten much easier. Good thing I don't need to do this quickly...
Re: Running OpenBSD on Raspberry Pi
On Dec 30, 2012, at 8:31, pe...@bsdly.net (Peter N. M. Hansteen) wrote: > A case in point: one of the firewalls I maintain for old friends is a > Pentium III box with a whopping 512 MB of RAM, 8GB hard drive, you get > the idea. As in, seriously, you'll get better hardware for free or the > price of a bus ticket. 486DX2, 64MB of RAM, 1GB of disk. It's my firewall at home. Has been reliably pushing packets since 2000.
Re: Running OpenBSD on Raspberry Pi
On Fri, Jan 4, 2013 at 4:41 PM, Aaron Mason wrote: > On Sat, Jan 5, 2013 at 7:58 AM, Dan Shechter wrote: >> You have all failed to mention that the ALIX devices come with Swiss >> chocolates in the package! >> > > I've ordered direct from PCEngines before and never got that. Perhaps you should ask more pleasantly.
Re: PF filtering on MAC address
On Thu, Jan 10, 2013 at 6:54 PM, Erling Westenvik wrote: > Is it possible to have PF filter on MAC address on a machine with only > one physical nic? I'm aware that MAC filtering can only be done on a > machine configured as a bridge, but how to configure such a bridge? Add the single interface to the bridge. Tag the packets from a specific MAC. Filter the tag. > ---8<--- > # /etc/hostname.bridge0 > add bge0 > add > rule pass in on bge0 src f8:db:7f:4d:bb:10 tag WWW > rule pass in on bge0 src 00:08:02:85:6c:90 tag SSH > rule pass in on bge0 src 00:16:ea:b3:65:d0 tag SSH > --->8--- > > Regards, > > Erling
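The two halves of that answer (tag by source MAC in the bridge, filter on the tag in pf), as an added shell example that is not part of the original reply or of OpenBSD's own documentation. The interface name bge0, the MAC addresses, the tag names and the ports are assumed, modelled on the quoted config; the script only emits the config text and never writes to /etc.

```sh
#!/bin/sh
# Added example, not from the original thread. Builds the two halves of a
# single-NIC MAC allow-list on OpenBSD: bridge(4) rules that tag frames by
# source MAC, and pf(4) rules that only pass traffic carrying a tag.
# Interface, MACs, tags and ports are assumed; nothing here touches /etc.

# Validate a colon-separated 48-bit MAC (lowercase hex), e.g. 00:08:02:85:6c:90.
mac_ok() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit /etc/hostname.bridge0: the single interface joins the bridge and each
# listed MAC gets a tag. Untagged frames are left for pf to block.
# $1 = interface; stdin = lines of "mac tag port".
bridge_rules() {
    printf 'add %s\n' "$1"
    while read -r mac tag port; do
        mac_ok "$mac" || { echo "bridge_rules: bad MAC $mac" >&2; return 1; }
        printf 'rule pass in on %s src %s tag %s\n' "$1" "$mac" "$tag"
    done
    echo up
}

# Emit the matching pf.conf fragment: default block on the interface, then
# one pass rule per tag (deduplicated) restricted to that tag's TCP port.
# $1 = interface; stdin = lines of "mac tag port".
pf_rules() {
    printf 'block in on %s\n' "$1"
    awk -v ifn="$1" '
        NF == 3 && !seen[$2]++ {
            printf "pass in on %s proto tcp to port %s tagged %s\n", ifn, $3, $2
        }
    '
}

# Constructed allow-list: MAC, pf tag, TCP port that tag may reach.
ALLOW='f8:db:7f:4d:bb:10 WWW 80
00:08:02:85:6c:90 SSH 22
00:16:ea:b3:65:d0 SSH 22'

# Print both files to stdout; redirect each to its real location once happy.
show() {
    echo '# /etc/hostname.bridge0'
    printf '%s\n' "$ALLOW" | bridge_rules bge0
    echo '# pf.conf fragment'
    printf '%s\n' "$ALLOW" | pf_rules bge0
}

if [ "${1:-}" = show ]; then show; fi
```

Run it as `sh mac-allow.sh show`, check the pf half with `pfctl -nf` before loading it, then bring the bridge up with `sh /etc/netstart bridge0` (assumed invocation). Keep in mind that a source MAC is trivially spoofed, so this is a convenience control for a home or lab segment, not authentication.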
Re: Still possible to get OpenBSD onto Soekris net5501 via qemu install to flashcard?.
I just upgrade in place via bsd.rd on my net4501. Guess I could do the other methods as well. Sent form my iFoe. On Jan 14, 2013, at 10:59, Nick Holland wrote: > On 01/14/2013 10:15 AM, Sarah Caswell wrote: >> Hi all, >> >> I'm having a frustrating problem getting OpenBSD-current (or >> snapshot) to run on my Soekris net5501. >> >> With previous versions of OBSD I was able to use qemu to install to a >> compact flashcard directly, by connecting the flashcard to my laptop >> and then starting qemu like so: >> >> sudo qemu -hda /dev/sd0i -cdrom install52.iso -boot d (and many >> variations of this command mostly pertaining to the /dev/sd0 >> section) > > funny definition of "directly". > ... >> P.S.: I know there are other ways to get OpenBSD running on a >> Soekris but I've always liked the utter simplicity of the qemu-based >> install. > > using an emulator = simple? > If you don't understand the tools well enough to troubleshoot the problem, I > really don't believe your assessment there. I don't know much about qemu, but > I see a problem in the command line. > > This is what *I* call simple: > Take your USB flash card reader to a free machine with a USB port. Put an > OpenBSD CD in it. Boot off CD. Install to CF device. Use DUIDs. Create a > /etc/hostname.vr0 (or whatever your soekris uses for its primary NIC), and do > other network configuration as needed. Put flash device in Soekris. Done. > "direct", "simple", bare minimum of extra tools. Machine doesn't even have > to be able to boot from the USB port, though you can't test it before > installing on soekris if it isn't. > > (variation: install bare minimum system on flash drive, move to Soekris, at > the boot> prompt, tell it bsd.rd and re-install exactly as you wish. If *I* > were doing that, I could do it from an installed OpenBSD machine of the same > platform without taking down the machine or booting from a CD. 
I'd call that > simple, but I understand some basic tools that we try to keep normal people > from having to use. The info for figuring out how to do that is all in the > OpenBSD FAQ, though not in recipe form.) > > Nick.
Re: Android mobile - OpenBSD IPSEC
Are you using just ipsec, or L2TP? On Wed, Jan 23, 2013 at 11:48 PM, Jan Lambertz wrote: > Hi, > > Running OpenBSD 5.2 AMD64 release as homeserver. > Got Android 2.3 Samsung Mobile. > Want to connect via vpn IPSEC. > Config: > ike passive esp tunnel from any to any \ > main auth hmac-sha1 enc des \ > quick auth hmac-sha1 enc des \ > srcid dstid (tested different things here without effect) \ > psk "test123" > > > Also changed any to any to more concise settings, without effect. > local ip and peer any didn't help, too. > > > Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable: > ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC > Jan 24 08:41:37 puffy isakmpd[10830]: attribute_unacceptable: > ENCRYPTION_ALGORITHM: got 3DES_CBC, expected DES_CBC > Jan 24 08:41:38 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id > 178.26.160.62 > Jan 24 08:41:38 puffy isakmpd[10830]: dropped message from 89.204.138.90 > port 51210 due to notification type INVALID_ID_INFORMATION > Jan 24 08:41:50 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id > 178.26.160.62 > Jan 24 08:41:50 puffy isakmpd[10830]: dropped message from 89.204.138.90 > port 51210 due to notification type INVALID_ID_INFORMATION > Jan 24 08:41:58 puffy isakmpd[10830]: responder_recv_HASH_SA_NONCE: peer > proposed invalid phase 2 IDs: initiator id 10.166.112.90, responder id > 178.26.160.62 > Jan 24 08:41:58 puffy isakmpd[10830]: dropped message from 89.204.138.90 > port 51210 due to notification type INVALID_ID_INFORMATION > > > 89.204.138.90 seems to be the mobile > 10.166.112.90 ?? what's this ? > > btw. I'm using the standard vpn client built in android. before i can > connect i have to enter a username / pw (not psk). is ipsec about username > / pw stuff ? couldn't find it anywhere in the manuals. > > > thanks
Re: CARP best practices
On Wed, Jan 30, 2013 at 8:56 AM, System Administrator wrote: > I finally got to deploy a CARP firewall cluster (HA failover for now). > Using only the official OpenBSD.org documentation, everything went very > smoothly even though the setup is not quite trivial (14 carp addresses > on 6 active interfaces). I even got system replication going using > rdist(1). > > While testing the failover and trying to ssh to a carp address I got > hit with the server key mismatch; hence this email. What is considered > best practice wrt ssh keys in a carp cluster -- install the same keys > on all member nodes to avoid the alerts or just live with the > occasional mismatch? Don't monitor SSH on the CARP address.
Re: CARP best practices
On Wed, Jan 30, 2013 at 9:44 AM, System Administrator wrote: > On 30 Jan 2013 at 9:29, Johan Beisser wrote: > >> > While testing the failover and trying to ssh to a carp address I got >> > hit with the server key mismatch; hence this email. What is considered >> > best practice wrt ssh keys in a carp cluster -- install the same keys >> > on all member nodes to avoid the alerts or just live with the >> > occasional mismatch? >> >> Don't monitor SSH on the CARP address. > > Sorry, I'm not following you Do you need to be able to ssh in to the firewall(s) via the CARP addresses? If the answer is yes, share the host keys between them. Or set up a redirect for the CARP addresses that goes to an alternate sshd port from port 22. Which uses the same host keys between the systems.
Re: CARP best practices
On Wed, Jan 30, 2013 at 2:03 PM, Jiri B wrote: > On Wed, Jan 30, 2013 at 09:29:42AM -0800, Johan Beisser wrote: >> Don't monitor SSH on the CARP address. > > Doesn't it depend on the purpose of this SSH service? > If it is to manage individual boxes, then sshd should not listen > on CARP ip address. Maybe. Or, perhaps you have a pool of servers that are essentially identical, and the failover service runs over SSH. In that case, having identical host keys would clear up that specific error. But, if a host fails out of the pool, you may not know right away. > If it is authentication for external users like authpf, > file uploads, I would create another sshd instance which would > flow between boxes sharing same key, still keeping individual > sshd for each box. We were doing this for a file upload cluster, > though that was not OpenBSD but the issue about the key and "virtual" > ip is the same. Yes. I covered that in a later email. But, that's defined by the function you're trying to use. The original complaint was "I'm sshing in to the CARP address, and the host keys keep changing making SSH throw an error." Like any doctor who gets a complaint of "it hurts when I do this!", the first answer is "well, don't do that." Until you get more information, and can actually help the person out.
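The check a practitioner wants once host keys have been shared between CARP members (whether on port 22 or on the separate sshd instance for the CARP address discussed above): confirm that every member really presents the same key per key type, so the client sees one stable key whichever node currently holds the address. This is an added shell example, not code from the thread or from OpenSSH; host names, port and key blobs are constructed, and ssh-keyscan(1) output format ("host keytype base64blob") is the only assumption.

```sh
#!/bin/sh
# Added example, not from the original thread. After copying one set of
# host keys to every CARP member (e.g. with rdist), verify that each member
# presents the same key for each key type. Host names and key blobs are
# constructed; real input comes from ssh-keyscan(1).

# stdin: ssh-keyscan(1) output, lines of "host keytype base64blob".
# Exit 0 when every key type has the same blob on every host and every
# host offers every type; otherwise report the differences and exit 1.
keys_agree() {
    awk '
        /^#/ || NF < 3 { next }                    # skip keyscan comments
        { hosts[$1] = 1; t = $2 }
        !(t in first) { first[t] = $3; ref[t] = $1 }
        $3 != first[t] { bad = 1; printf "%s: %s differs from %s\n", $1, t, ref[t] }
        { count[t]++ }
        END {
            for (h in hosts) total++
            for (t in count) if (count[t] != total) {
                bad = 1
                printf "%s: present on %d of %d hosts\n", t, count[t], total
            }
            if (bad) exit 1
            exit 0
        }
    '
}

# Constructed scans: in AGREE both members match; in DRIFT a third member
# still carries the key it generated at install time.
AGREE='fw1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE
fw2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE'
DRIFT='fw1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE
fw2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE
fw3 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO'

# Real use, scanning the members directly (port 2222 assumed for the
# shared-key instance; drop -p for the regular sshd):
#   ssh-keyscan -t ed25519,rsa -p 2222 fw1 fw2 fw3 | keys_agree
```

Scan the member addresses, not the CARP address: a scan of the CARP address only ever shows you whichever node is master at that moment, which is exactly the blind spot the original complaint ran into.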
Re: Microsoft VPN PPTP
On Thu, Jan 31, 2013 at 4:06 PM, Aaron Mason wrote: > If you can, change to a different type of VPN. Not because of the storm, > but because PPTP has been broken security-wise. Good results have been > achieved with OpenVPN. I'm having remarkable success with npppd(8) and L2TP. I'm using it with MacOS and iOS clients, no problems. I'll be testing with Linux ones later this week (including Android, etc). Outside of the tun(4) bug that bit me, it's been rock solid.
Re: npppd not communicating in 5.2
I had a problem with tun interfaces and npppd. Try the pppx interface instead. Sent form my iFoe. On Mar 5, 2013, at 13:35, Jason Markowitz wrote: > Hello, > > > I'm receiving the following errors when attempting to establish a vpn > session via l2tp, the ipsec side works fine and phase 1 authenticates > perfectly, i dont see pf blocking anything in pf log (egress wide > open, inbound is set to block in log all, with holes opened for the > appropriate ports for vpn and ssh) > > 2013-03-05 16:26:10:NOTICE: Starting npppd pid=5729 version=5.0.0 > 2013-03-05 16:26:10:NOTICE: Load configuration > from='/etc/npppd/npppd.conf' successfully. > 2013-03-05 16:26:10:WARNING: write() failed in in_route0 on RTM_ADD : > File exists > 2013-03-05 16:26:10:INFO: tun0 Started ip4addr=10.101.0.1 > 2013-03-05 16:26:10:INFO: Listening /var/run/npppd_ctl (npppd_ctl) > 2013-03-05 16:26:10:INFO: Added 2 routes for new pool addresses > 2013-03-05 16:26:10:INFO: Loading pool config successfully. > 2013-03-05 16:26:10:INFO: realm name=local(local) Loaded users > from='/etc/npppd/npppd-users.csv' successfully. 1 users > 2013-03-05 16:26:10:INFO: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP] > 2013-03-05 16:26:10:INFO: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP] > 2013-03-05 16:26:10:INFO: tun0 is using ipcp=default(1 pools). 
> 2013-03-05 16:26:19:NOTICE: l2tpd ctrl=1 logtype=Started RecvSCCRQ > from=x.x.x.247:65028/udp tunnel_id=1/15 protocol=1.0 winsize=4 > hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm= > 2013-03-05 16:26:19:INFO: l2tpd ctrl=1 SendSCCRP > 2013-03-05 16:26:21:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ > from=x.x.x.252.247:65028/udp tunnel_id=2/15 protocol=1.0 winsize=4 > hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm= > 2013-03-05 16:26:21:INFO: l2tpd ctrl=2 SendSCCRP > 2013-03-05 16:26:25:NOTICE: l2tpd ctrl=3 logtype=Started RecvSCCRQ > from=x.x.x..247:65028/udp tunnel_id=3/15 protocol=1.0 winsize=4 > hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm= > 2013-03-05 16:26:25:INFO: l2tpd ctrl=3 SendSCCRP > 2013-03-05 16:26:29:NOTICE: l2tpd ctrl=4 logtype=Started RecvSCCRQ > from=x.x.x.247:65028/udp tunnel_id=4/15 protocol=1.0 winsize=4 > hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm= > 2013-03-05 16:26:29:INFO: l2tpd ctrl=4 SendSCCRP > 2013-03-05 16:26:31:NOTICE: l2tpd ctrl=1 timeout waiting ack for ctrl packets. > 2013-03-05 16:26:31:NOTICE: l2tpd ctrl=1 logtype=Finished > 2013-03-05 16:26:33:NOTICE: l2tpd ctrl=5 logtype=Started RecvSCCRQ > from=xx.x.x.247:65028/udp tunnel_id=5/15 protocol=1.0 winsize=4 > hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm= > 2013-03-05 16:26:33:INFO: l2tpd ctrl=5 SendSCCRP > 2013-03-05 16:26:33:NOTICE: l2tpd ctrl=2 timeout waiting ack for ctrl packets. > 2013-03-05 16:26:33:NOTICE: l2tpd ctrl=2 logtype=Finished > 2013-03-05 16:26:37:NOTICE: l2tpd ctrl=6 logtype=Started RecvSCCRQ > from=xxx.x.x.247:65028/udp tunnel_id=6/15 protocol=1.0 winsize=4 > hostname=Jasons-MacBook-Air.local vendor=(no vendorname) firm= > 2013-03-05 16:26:37:INFO: l2tpd ctrl=6 SendSCCRP > 2013-03-05 16:26:37:NOTICE: l2tpd ctrl=3 timeout waiting ack for ctrl packets. 
> 2013-03-05 16:26:37:NOTICE: l2tpd ctrl=3 logtype=Finished > 2013-03-05 16:26:41:NOTICE: l2tpd ctrl=4 timeout waiting ack for ctrl packets. > 2013-03-05 16:26:41:NOTICE: l2tpd ctrl=4 logtype=Finished > > > > npppd.conf: > > interface_list: tun0 > interface.tun0.ip4addr: 10.101.0.1 > > # IP Address Pool > pool.dyna_pool: 10.101.0.0/25 > pool.pool: 10.101.0.128/25 > > # local file auth > auth.local.realm_list: local > auth.local.realm.acctlist: /etc/npppd/npppd-users.csv > realm.local.concentrate: tun0 > > lcp.mru:1400 > lcp.timeout:18 > auth.method:mschapv2 > # auth.method: mschapv2 chap pap > ipcp.assign_fixed: true > ipcp.assign_userselect:true > > pptpd.enabled: false > pptpd.ip4_allow:0.0.0.0/0 > #pptpd.listener_in: PPTP 192.168.0.1 > > # L2TP daemon > l2tpd.enabled: true > l2tpd.ip4_allow:0.0.0.0/0 > #l2tpd.listener_in: L2TP 10.101.0.1 > l2tpd.purge_ipsec_sa: false > l2tpd.require_ipsec:true > l2tpd.accept_dialin:true > > pipex.enabled: true > > > Any Thoughts? System is amd64 running 5.2
Re: NFS cluestick needed
Back in the day I'd abuse lndir(1) to link to the nfs mounted source directory. http://www.openbsd.org/cgi-bin/man.cgi?query=lndir&sektion=1 Sent form my iFoe. On Mar 31, 2013, at 7:48, David Higgs wrote: > In trying to avoid multiple copies of OpenBSD source on my VMs, I am > trying to use NFS; however, permissions don't seem to be working > right. I would very much appreciate help in figuring out what I'm > doing wrong, and am also interested in tips on how to compile from > read-only source trees. > > Thanks in advance, > > --david > > SERVER VM > > [vm@vm ~]$ dmesg | head > OpenBSD 5.2 (GENERIC) #2: Mon Nov 5 10:42:07 EST 2012 >root@vm.localdomain:/usr/src/sys/arch/i386/compile/GENERIC > cpu0: Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz ("GenuineIntel" > 686-class) 2.45 GHz > cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,NXE,LONG,SSE3,SSSE3,CX16,LAHF > real mem = 267907072 (255MB) > avail mem = 252665856 (240MB) > mainbus0 at root > bios0 at mainbus0: AT/286+ BIOS, date 09/20/12, BIOS32 rev. 0 @ > 0xfd780, SMBIOS rev. 2.4 @ 0xe0010 (364 entries) > bios0: vendor Phoenix Technologies LTD version "6.00" date 09/20/2012 > bios0: VMware, Inc. VMware Virtual Platform > > [vm@vm ~]$ cat /etc/exports > # $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $ > # > # NFS exports Database > # See exports(5) for more information. Be very careful: misconfiguration > # of this file can result in your filesystems being readable by the world. 
> /usr/src /usr/ports /usr/xenocara -maproot=root:wheel > -network=172.16.223.0 -mask=255.255.255.0 > > [vm@vm ~]$ showmount -a > All mount points on localhost: > 172.16.223.129:/usr/ports > 172.16.223.129:/usr/src > 172.16.223.129:/usr/xenocara > > CLIENT VM > > # dmesg | head > OpenBSD 5.2-stable (GENERIC) #2: Wed Dec 26 12:19:49 EST 2012 >root@vm.localdomain:/usr/src/sys/arch/amd64/compile/GENERIC > real mem = 267321344 (254MB) > avail mem = 237985792 (226MB) > mainbus0 at root > bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries) > bios0: vendor Phoenix Technologies LTD version "6.00" date 09/20/2012 > bios0: VMware, Inc. VMware Virtual Platform > acpi0 at bios0: rev 2 > acpi0: sleep states S0 S1 S4 S5 > > # mount > /dev/wd0a on / type ffs (local, softdep) > /dev/wd0f on /home type ffs (local, noatime, nodev, nosuid, softdep) > /dev/wd0d on /tmp type ffs (local, nodev, nosuid, softdep) > /dev/wd0g on /usr type ffs (local, noatime, nodev, softdep) > /dev/wd0e on /var type ffs (local, nodev, nosuid, softdep) > 172.16.223.128:/usr/src on /usr/src type nfs (noatime, nodev, noexec, > nosuid, v3, udp, timeo=100, retrans=101) > 172.16.223.128:/usr/ports on /usr/ports type nfs (noatime, nodev, > noexec, nosuid, v3, udp, timeo=100, retrans=101) > 172.16.223.128:/usr/xenocara on /usr/xenocara type nfs (noatime, > nodev, noexec, nosuid, v3, udp, timeo=100, retrans=101) > > # id > uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), > 5(operator), 20(staff), 31(guest) > > # ls -la /usr/src/sys/arch/amd64/compile/ > total 16 > drwxr-xr-x 3 root wheel 512 Feb 27 2009 . > drwxr-xr-x 10 root wheel 512 Nov 29 2010 .. > -rw-r--r-- 1 root wheel 38 Jun 25 2004 .cvsignore > drwxr-xr-x 2 root wheel 512 Mar 30 16:37 CVS > > # mkdir /usr/src/sys/arch/amd64/compile/GENERIC > mkdir: /usr/src/sys/arch/amd64/compile/GENERIC: Permission denied
Re: new OpenSSL flaws
On Thu, Jun 5, 2014 at 5:09 PM, Giancarlo Razzolini wrote: > Em 05-06-2014 20:45, Eric Furman escreveu: >> I predict that within a year OpenSSL will go the way of IPF. >> For much the same reason... >> > IPF? Care to elaborate? Well, in 2001 there was this drama around Darren Reed's IPF, that caused it to be removed from OpenBSD's source code. This removal and license problem led directly to the development of OpenBSD's pf firewall by Daniel Hartmeier. And the rest, as they say, is history.
Re: maybe OT 10 year anniversay of Chuck Yerkes death
Man. Thanks for the reminder. +1 Sent form my iFoe. > On Aug 27, 2014, at 16:21, Diana Eichert wrote: > > I don't think it's off topic but others might. I'm writing this post to > remember Chuck Yerkes, a long time contributor to the misc@openbsd list. > While riding his motorcycle 10 years ago Chuck was involved in an accident > and passed away as a result of his injuries. > > http://web.archive.org/web/20041012235249/http://www.contracostatimes.com/mld/cctimes/news/9511974.htm > http://marc.info/?l=openbsd-misc&m=109385676632581&w=2 > http://web.archive.org/web/20040901013204/http://www.adownie.net:/vqwiki/jsp/Wiki?ChuckStories > > Just wanted to remember you Chuck, take it easy wherever you are. > > diana
Re: Is Soekris OpenBSD friendly?
I'm not sure what you mean by "too slow to route." I've a net4501 with 64mb of RAM that's handling all of my IP traffic at home. Biggest problem is swapping taking out available interrupts. Modern networks are actually just too fast for the hardware these days. It works fine for home stuff. On Fri, Nov 15, 2013 at 5:39 PM, jordon wrote: > I have an old net4511 running 5.4. It’s too old/slow to route but it’s too > fun to not have running because how many other OS’es can run on a 486 100MHz > with 32MB RAM? > > > > > On Nov 15, 2013, at 6:03 PM, SmithS wrote: > >> Greetings misc@. After coming across a link[1] to make an OpenBSD >> router using a "Soekris" device, I think I will make one. Does anyone >> else have this hardware and can verify all the components work? >> I think Intel NICs are good, but everything else? I have never heard >> of this brand before so I want to be safe before buying. The model >> number[2] is "6501-30" >> >> [1] http://www.bsdnow.tv/tutorials/openbsd-router >> [2] https://soekris.com/products/net6501/net6501-30-board-case.html >> >> greetz, >> SmithS
Re: Is Soekris OpenBSD friendly?
On Fri, Nov 15, 2013 at 9:00 PM, jordon wrote: > A few years back I put m0n0wall (FreeBSD-based) on it, hooked it up to 2 > machines (1 WAN, 1 LAN) and pushed a file through it. Its max bandwidth was > well under my Internet connection speed. > > It was replaced with a net5501. > It's not below mine. I can saturate it, but my inbound is still well below what the hardware can handle. I'll upgrade eventually.
Re: Where can I find a list of error codes in smtpd?
http://www.faqs.org/rfcs/rfc821.html (1982) Section 4.2.1. https://www.ietf.org/rfc/rfc2821.txt (2001) Section 4.2.1 defines the groups, and 4.2.2.x defines specific codes. https://www.rfc-editor.org/rfc/rfc2487.txt (1999) Secure SMTP over TLS. On Thu, Jan 30, 2014 at 3:19 AM, STeve Andre' wrote: > So far, I'm not finding them. I'm interested in learning more > about "150 IO error" and "442 i/o error 5", but a general list > of them would be good. I know I'm missing something... > > Thanks, STeve Andre'
Re: Where can I find a list of error codes in smtpd?
I feel like a bit of a jackass for the response. Check smtpd/smtp_session.c http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/smtp_session.c?rev=1.192 On Thu, Jan 30, 2014 at 7:41 AM, Johan Beisser wrote: > http://www.faqs.org/rfcs/rfc821.html (1982) > > Section 4.2.1. > > https://www.ietf.org/rfc/rfc2821.txt (2001) > > Section 4.2.1 defines the groups, and 4.2.2.x defines specific codes. > > https://www.rfc-editor.org/rfc/rfc2487.txt (1999) > > Secure SMTP over TLS. > > > On Thu, Jan 30, 2014 at 3:19 AM, STeve Andre' wrote: >> So far, I'm not finding them. I'm interested in learning more >> about "150 IO error" and "442 i/o error 5", but a general list >> of them would be good. I know I'm missing something... >> >> Thanks, STeve Andre'
Re: where are translated web-pages?
http://marc.info/?l=openbsd-cvs&m=139637003025491&w=2 You did. On Thu, Apr 17, 2014 at 3:08 PM, Alex Naumov wrote: > Hello, > > I just want to ask about "not English" (translated) pages. I can't find > these. > Also translation.html and steelix are not avaliable. > Did I missed something? > > Thank you, > Alex
Re: where are translated web-pages?
On Thu, Apr 17, 2014 at 3:18 PM, Alex Naumov wrote: > Thank you for link, but... why? I mean, we are not going to continue work on > translation anymore? Reason? Read this thread on the topic from earlier this month. http://marc.info/?t=13965139876&r=1&w=2
Re: Multihoming with carp possible? and ipsec failover?
On Tue, May 13, 2014 at 4:58 AM, Magnus wrote: > Hello Misc-Users, > > I'm looking in to the possibility to do multihoming (more than one isp) > on a Carp setup. > To do live failover if one isp goes down, the other takes over. > Just as carp does if one of the routers goes down. You can do this with OpenBGPd, but CARP can only fail out between two routers sharing the same IP (at its most basic setup, more complicated setups are possible, obviously). If both ISPs are routing to the same netblock, then you can fail in the way you want. Otherwise, take a look at ifstated(8), and modify your routing tables or do dynamic routing. > I'm thinking that in combination with ifstated it might be possible, but > have yet to find someone that has actually done it so far. A solution I've used in the past is a controlled endpoint that represents the exit for the network. The ISPs acted as pure transit for the external network, the VPN carried to a common end point(s). > Next issue if the first one is possible. > > The proposed router in question is a IPSEC gateway, with several nodes > connected to it. > Fail over here with just the carp and one isp is no issues. > But if the remote node, has only one isp, and it has no carp or such, > its just a plain obsd box running a site-to-site tunnel, > routing everything (0.0.0.0/0) over the tunnel. > How would one manage to do a failover to the second isp of the above > box, without loss of the tunnel during fail over. Take a look at sasyncd(8).
Re: Strange route entry from China
>> On May 13, 2014, at 18:47, Stuart McMurray wrote: >> >> >> And, 163data.com.cn is a large source of shady activity. I blocked the bulk of China and Asia outright at the router. Quick solution, if not clean.
Re: Strange route entry from China
On Tue, May 13, 2014 at 10:31 PM, Johan Ryberg wrote: > Yes, it's related to a SSH brute force attack. > > I have just never seen the the "client" IP in the routing table before. My > IP does not exist in the routing table when I SSH to the host. The IP shouldn't be there, at all. But, according to the route flags ('D' in this case), it's in there due to a redirect. > I have a hard time to understand the mechanism that added the IP to the > table. > > Is this something that can be explained? My assumption is there was an ICMP redirect that added the IP to your table. Check to see if you're accepting redirects. By default, OpenBSD has them as off.
Re: Strange route entry from China
On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek wrote: > > Op 14 mei 2014 om 07:48 heeft Johan Beisser het volgende > geschreven: > > > There are more reasons dynamic route entries are created. For example to > record results of mtu path discovery. That implies a successful TCP connection to the router itself, doesn't it?
Re: Strange route entry from China
On Wed, May 14, 2014 at 12:40 AM, Kevin Lyda wrote: > > On 14 May 2014 08:20, "Johan Beisser" wrote: >> >> On Tue, May 13, 2014 at 11:57 PM, Otto Moerbeek wrote: >> > >> > Op 14 mei 2014 om 07:48 heeft Johan Beisser het >> > volgende geschreven: >> > >> > There are more reasons dynamic route entries are created. For example to >> > record results of mtu path discovery. >> >> That implies a successful TCP connection to the router itself, doesn't it? >> > > Sure. But connecting to port 22 in order to fail to auth is a successful TCP > connection. Yes. Path MTU implies the connection is held open for larger packets than just during the handshake and SSH negotiation. Or am I misunderstanding when MTU is negotiated?
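A quick way to find the entries this thread is about, as an added shell example that is not part of the thread: pick out the routes carrying the D (dynamically created) flag from route(8) output, so the unexpected host entry from a brute-forcing client stands out from the static and cloned ones. The sample routing table below is constructed; the column layout assumed is that of `route -n show -inet` on OpenBSD of that era, with Flags in the third column and the interface in the last.

```sh
#!/bin/sh
# Added example, not from the original thread. Lists routes the kernel
# created on its own (flag D in route(8) output), which is how the odd
# per-host entry in the thread was noticed. SAMPLE below is constructed;
# on a real box pipe the output of: route -n show -inet

# stdin: route(8) table output. Prints "destination gateway flags iface"
# for every entry whose Flags column contains D. Header and section
# lines ("Routing tables", "Internet:", blanks) are skipped.
dynamic_routes() {
    awk '
        $1 == "Destination" { hdr = 1; next }   # column header seen
        !hdr || NF < 4 { next }
        $3 ~ /D/ { print $1, $2, $3, $NF }
    '
}

# Constructed sample: one static default, a cloning net route, a cloned
# ARP entry, and one dynamically added host route pointing back out the
# default gateway (the kind of entry the thread asks about).
SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.0.2.1          UGS        0     1234     -     8 em0
192.0.2.0/24       link#1             UC         1        0     -     4 em0
192.0.2.1          00:00:5e:00:53:01  UHLc       1        0     -     4 em0
198.51.100.77      192.0.2.1          UGHD       0       12     -     8 em0
127.0.0.1          127.0.0.1          UH         0        0 33160     4 lo0'

# Run the filter over the constructed table.
demo() { printf '%s\n' "$SAMPLE" | dynamic_routes; }
```

`demo` yields the single D-flagged entry. To act on a real one: `sysctl net.inet.icmp.rediraccept` shows whether the box accepts ICMP redirects at all (0 means it ignores them), and `route delete 198.51.100.77` drops the entry. As the rest of the thread notes, a D flag on its own does not prove a redirect was accepted, since path MTU discovery can also leave dynamic host routes behind; compare the gateway of the entry with your real default gateway before drawing conclusions.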
Re: Cell Phone as Modem
On Apr 16, 2009, at 2:08 PM, Fred Crowson wrote: Plug it in and if /var/log/messages has a line like: Apr 16 21:57:45 x41 /bsd: ucom0 at umodem0 You might be in luck. You may want to check that your provider permits tethering as a modem. Some do, quite a few don't. If they do, make sure you don't have a surcharge for the data passed through the phone this way. Several major providers in the US (Sprint and Verizon, off the top of my head) are pushing data plans with USB, ExpressCard, and Cardbus based Cellular Broadband Modems as an additional line, and disabling tethering through the phone. I know Sprint will re-enable the tethering if you ask nicely, but in my experience most phones do not present themselves as a ucom modem. The cell broadband modems are built by the same collection of companies - Sierra Wireless and Novatel - and present themselves as standard USB modems which just dial up to the data channel on the cell tower. These accounts seem to have usage caps around 5Gb per month no matter who the provider is. They run at anything from high modem speeds to real "broadband DSL" speeds. Reliability in my experience isn't bad, depending on the network you're on and how fast you're traveling. For example, my ssh sessions don't drop while I'm on a train doing 80mph, and a coworker regularly uses RDP while a passenger in a car. Coverage varies by provider.
Re: sendmail vs. other MTAs
On Mon, May 11, 2009 at 3:54 PM, Dan wrote: > So it seems like the goal is for it to be as good or better than qmail > if it's going to be smaller, easier to maintain, secure, etc. Then > where's the problem? Saying qmail has good design is a firm sign you've not actually worked with it or maintained a large installation of it before. > Who was complaining? There's a difference between suggesting a good > design, such as qmail's and complaining. No, that's bitching about something with an uninformed viewpoint.
Re: sendmail vs. other MTAs
On Wed, May 13, 2009 at 2:38 PM, Renaud Allard wrote: > Sounds like you never tried exim, or at least v4. Currently, no other MTA is > able to do what exim does. Its licence may not be the best one, but it is > able to do more than any other existing MTA. Such as? I plead ignorance, I haven't ever used exim.
Re: Help with PKG_PATH=
On Thu, May 14, 2009 at 10:41 AM, Jose Perez Rodriguez wrote: > Today i was installing OpenBSD 4.5 and i type: > export PKG_PATH=ftp://tp.openbsd.org/pub/OpenBSD/4.5/packages/i386/ "tp.openbsd.org"?
Re: pf, altq, packet rate
On Wed, May 27, 2009 at 11:04 AM, SJP Lists wrote: > How do you shape traffic that you have already received? Or to put it > another way, how do you alter the past? I've always just assigned inbound traffic to the existing outbound queues. My assumption is that the responding traffic would use the queues appropriately, and the results (watched via pftop) seem to bear this out. Then again I'm just using priq at home.
Re: 4.5 on Thinkpad 600x issue
On Wed, May 27, 2009 at 10:26 AM, STeve Andre' wrote: > I've never tried installing OpenBSD on a 600x but I'm a little surprised that > it isn't working fine. You're in for a few surprises when you do then. It should work fine, but there's some ACPI issues that have never been addressed. > Since you are new to OpenBSD, how did you get OpenBSD, and also how > (where) did you get the packages? You MUST get the packages that > match the version of OpenBSD. More than one person has gotten a > release CD and then gotten the packages in snapshots/packages/i386 > which is "-current", the wip stuff that will be a part of the next release. The 600x has a CD-ROM/DVD drive in it. It comes standard. > Also, it would be good to post the contents of /var/run/dmesg.boot, to > see what the kernel thinks of the hardware. That's a start. I'll include something I sent to Donald Allen, edited to make things a little more contextually relevant: "The key problem would keep happening [the freezing/slowdown]. Mostly due to IRQ 11 being shared between USB, keyboard and PCMCIA. Large amounts of traffic through that IRQ would cause locking issues in the kernel. It really is a hardware issue with that specific model of laptop; I had them with FreeBSD [5.2], OpenBSD [4.1, 4.2, and 4.3], and Linux [2.6.10]." It's a problem I presumed was just with my 600x, but some of my research has shown it's a model issue, related to IRQ assignment in kernel. The only OS that hasn't had a problem with the hardware is Windows XP. Whether that's due to the OS masking it or knowing something more intimately about the odd hybrid of ACPI and APM the BIOS presents, I can't say. I'm just not surprised the problem still exists in 4.5.
Re: pf, altq, packet rate
On Wed, May 27, 2009 at 12:02 PM, SJP Lists wrote:
> Thanks Lars and Johan,
>
> I was trying to highlight to irix that once traffic is received, it is
> too late to alter the bandwidth it already used coming in.
>
> In other words, doing it on the incoming is pointless. Thus, as in
> your examples, the logic behind shaping only on the outbound.

You can always inform the other end that your window is smaller than it is (pf.conf(5) red/rio/ecn on the queue). Or, simply randomly drop some incoming packets for that protocol to force retransmission (see the pf.conf(5) "probability" flag for a given line), which should cause the remote end to renegotiate its link to you as unreliable, and retransmit. A probability of 5% would prevent inbound connections from fully saturating.

> i.e. You can easily delay sending something you have, but you have
> little to no control over the ingress traffic of a link where only the
> local host you have control of.

Bingo.
Re: pf, altq, packet rate
On Wed, May 27, 2009 at 10:44 PM, SJP Lists wrote:
> I know this is an option, but forcing the resending of traffic doesn't
> seem to be the most efficient method to me, when I could instead just
> shape that same traffic when it leaves another interface.

It's a horrible option, but it's what was being requested. You're better off assigning inbound traffic to your normal outbound queues and using ECN/RIO/RED to handle your congestion and notification instead. Combined with HFSC or CBQ, it's a powerful tool for shaping the behavior of the remote end sending you data. Properly, if you're getting saturated, you should send ICMP type 4 (source quench) to notify your sender that they should back off on how fast they're transmitting traffic, instead of forcing retransmits of the missing packets during the window.
Re: Fan mail!
On Mon, Jun 8, 2009 at 6:43 AM, Anton Parol wrote:
> I still can't believe that I saw mpf@ on my train this morning. I thought I
> remembered his face from hackathon pics, but then he pulls out his thinkpad
> and I see the blue console messages come up. I was like, woah, very cool.
> Thats a good start to the week!

Stalker mail! :)
Re: /var/db/dhcpd.leases
2009/6/9 Thanasis :
> They are not static, but they are fixed and they actually get assigned

They're fixed then. Yes, it's normal behavior because they're not considered a lease, and rather viewed as what they are: assigned and reserved.

> So in this case is it normal, not having any entries in
> /var/db/dhcpd.leases ?

Again, yes.
Re: MySQL and ulimit
On Tue, Jun 9, 2009 at 2:50 PM, Ted Unangst wrote:
> The short answer is that you can't use more than 1GB of memory.

Out of curiosity, what's the long answer?
Re: Narcicism?
On Thu, Dec 1, 2011 at 8:02 AM, Rares Aioanei wrote:
> As a citizen of an English-speaking country AND a guru, John, you should
> at least know how to spell.

David's right, you know. You don't need to know how to spell. People have spell checkers these days.
Re: OpenVPN issues on 5.0
On Wed, Dec 14, 2011 at 5:54 PM, Erling Westenvik wrote:
> After upgrading (re-installing from scratch) my firewall from 4.6 (or
> 4.7) to 5.0, I have not been able to get OpenVPN back working. Please
> forgive me for asking here at misc but I have spent two days Googling,
> reading tons of HOWTO's and trying out different solutions, but without
> being able to solve the issue.

What are your current pf.conf rules? Did you check that the syntax is right? Have you checked it for errors? Have you looked at the output for pflog? What's your current routing table? Does that look correct?
Re: CF Card setup
On Tue, Dec 20, 2011 at 2:41 PM, Jannik Pruitt wrote:
> Hi everyone.
> i am brand new purchased my open bsd 5.0 on 11 Nov 2011.
>
> I booted the CD on another computer installed every thing on a 32GB CF card.
> Placed in my old thin client and it booked.
>
> But the network card does not work.
> It did work on the other computer after the install.
>
> Is there a way to make the setup come up again?

You really didn't provide enough information for anyone to help you. Let's start with what's missing.

- dmesg
- what hardware you're running
- did you check your hostname.if in /etc matches the interface?
- have you read the FAQ? (http://www.openbsd.org/faq)
- did you check man pages?
Where do I buy Lemote Loongson/Godson MIPS hardware? (was Re: Longsoon/Godson MIPS boxes, where to buy?)
On Tue, Dec 27, 2011 at 10:09 AM, Dave U. Random wrote:
> Are the Longson/Godson MIPS boxes available over the counter yet? If so
> where is the best place to order one? Thanks.

A brief search of the archives gives a few resources. Spelling the architecture right helps, but searching for "lemote" does wonders.

Start reading here: http://openbsd.org/loongson.html

Relevant threads on misc@:
http://marc.info/?l=openbsd-misc&w=2&r=1&s=lemote&q=b
http://marc.info/?l=openbsd-misc&w=2&r=1&s=loongson&q=b

Acquiring hardware:

International:
http://www.aliexpress.com/wholesale?SearchText=loongson&catId=0
http://www.aliexpress.com/wholesale?SearchText=lemote&catId=0

In China (drop shipment to a forwarder may be necessary):
http://loogson.taobao.com/

In Europe:
http://www.tekmote.nl

In the US, Amazon has direct sales from Freedom Included. Prime eligible.
http://www.amazon.com/s?ie=UTF8&search-alias=computers&field-manufacturer=Lemote
http://freedomincluded.com/

Compiled for the archives, YMMV. Special thanks to Miod, Diana and others for their postings.
Re: Longsoon/Godson MIPS boxes, where to buy?
On Mon, Jan 2, 2012 at 10:59 AM, ropers wrote:
> On 2 January 2012 18:10, Nomen Nescio wrote:
>> I don't rely on anyone's work.
>
> Ladies and gentlemen: The great American delusion.

Randian delusion. It's not purely American, and never has been.
Re: smartphones and managing openbsd servers
On Sun, Feb 19, 2012 at 7:14 AM, Luke Tymowski wrote:
> I use iSSH on an iPhone. But only in an emergency when I don't have
> anything else. I wouldn't make regular use of it. (ie, twice in the
> last year)

I've grown to like Panic's Prompt, and found it does really well with tmux, etc. as well. On the iPad, it's almost a pleasure to use. It works really well off of the iPhone as well.

http://itunes.apple.com/us/app/prompt/id421507115?mt=8
Re: smartphones and managing openbsd servers
On Sun, Feb 19, 2012 at 9:14 AM, Anonymous wrote:
> BlackBerry has built in VPN and you can also buy a few different SSH and
> SFTP apps.

If you're cheap, there's also BBSSH. While it's not perfect, it is under active (if slow) development. As of November 2011, the developer claims there's an scp client coming as well. When I still had a Blackberry, I pretty actively used the app for emergency work. My only real complaint was the small type.

http://bbssh.org/
Re: smartphones and managing openbsd servers
On Sat, Feb 18, 2012 at 3:06 PM, Marcos Ariel Laufer wrote:
> What newer smartphones do you recommend for using also as a tool for
> managing OpenBSD servers (maybe windogs too) ? What experiences had you had
> with smartphones and OpenBSD managing?

Your experience really depends on a few things: the phone network's bandwidth, CPU speed, and the ability to read the returned output without strain. Everything else is just extras and features.

Bandwidth and lag can make your session unusable. Almost all modern smartphones have WiFi capability built in, which helps reduce your data rate during the SSH session, and decreases lag. That throughput will also make a big difference in receiving data from the server. In my experience if there's any amount of retransmission happening due to packet loss, the clients hang up abruptly. So, ideally, the client will emulate a modern terminal well enough to use tmux or screen really well.

Most modern phones have more than enough CPU power to handle SSH. The problem is that few have the ability to offload the crypto from the CPU, and so SSH chews up already precious battery time.

To help offset typing lag some clients permit you to queue a longer string to send to the session. The advantage of this is that fewer packets are sent, and the block of data can be sent out as (hopefully) a single chunk. I believe some Android Market clients support this feature, and I know at least one SSH client on blackberry has it, and at least two of the clients on iOS (iPhone/iPad) have the ability to assign shortcuts.

Phone form-factor is a major issue you should consider. I know a few people who regularly use their phones for SSH, and are unwilling to give up a physical keyboard. Slider and flip configurations permit you to use most of the screen real estate for your session, but the overall market is moving toward the touchscreen candybar configuration. Because of this, the SSH client has to be able to either 'shadow' the keyboard, allowing you to look through it, or permit you to hide the keyboard and read scrollback easily.

As far as what's superior? None of them are really any better than the others. What works for you will matter more. Most modern smartphones are roughly the same, just with a different level of hype or features people want.*

- jb

* although, I'll be damned if I could find a GSM/LTE, CDMA and wifi capable Android phone with a physical keyboard that didn't utterly suck. I settled on an iPhone 4s, with a decent SSH client.
Re: smartphones and managing openbsd servers
On Feb 20, 2012, at 8:49, Jan Stary wrote:
> On Feb 20 10:19:48, Daniel mora wrote:
>> I've worked with several different OS and phone brands (Nokia/Symbian,
>> iPhone, HTC/Android).
>> The one I feel more comfortable is the Nokia N900 it runs Maemo 5, is
>> a Debian like Linux, you can use it as a normal Linux machine. Maybe
>> another phones running Maemo could bring a similar experience.
>>
>> The cons...
>> I Really don't know if Nokia is going to continue supporting Maemo.
>
> Correction:
>
> I Really don't know if Nokia is going to continue

Nokia already said they'd kill Maemo and Symbian. I've heard the n900 has some stability issues. Any truth to this?
Re: Snappy Answers to Stupid Questions - WTF?
Sent from my iFoe.

On Mar 9, 2012, at 10:19, Nick Holland wrote:
> Hey, if having an OS which takes the quality of its product -- and not much else! -- seriously is important to you, this would be a good time to make a donation to the project. Make Theo smile!

Theo never smiles. Not once.
Re: My OpenBSD 5.0 installation experience (long rant)
On Sat, Mar 10, 2012 at 9:15 AM, Nico Kadel-Garcia wrote:
> With multiple drives, especially for bulky softraid setups, it might get
> overwhelming pretty fast.
>
> The idea is interesting, and especially helpful if the machine was
> previously built and the drives ordered differently in a different OS or
> BIOS configuration, changes in hardware RAID or drive controller
> manipulation in the BIOS, or the drives were installed in a different
> machine.

I don't see why it's hard to shell out.

!
# dmesg | grep [hs]d[0-9]
# exit
Re: Recent DELL hardware support
Dell has an ugly habit of changing components even within the same model year of hardware. You can't predict how well supported something is based on "PowerEdge R410" until you have your specific one in front of you.

On Wed, Apr 4, 2012 at 1:14 PM, Kostas Zorbadelos wrote:
> Hello all,
>
> we are about to engage a procurement procedure of servers. There is a
> high probability to purchase DELL hardware. I want OpenBSD to be
> supported on the hardware. I have 2 broad options
>
> - Go with PowerEdge R410
> - Go with PowerEdge R620 (latest generation of servers)
>
> The first option has only a single PCIe slot so I cannot have hot
> swappable disks AND Intel Ethernet interfaces (preferred from Broadcom
> but unfortunately Broadcom is on-board and I cannot get rid of them).
>
> The second option has the disadvantages of recent hardware (= can be
> unsupported). My main concerns are the PERC controller, where I saw that
> PERC 310 is supported in mfi(4) and the Intel NICs (these servers come
> with Intel Ethernet I350, still unsupported from what I saw, they are on
> the hardware wanted list).
>
> The machines will be bought and put to use in at least 6 months from
> now, one or two OpenBSD releases will have been made. What do you think?
> Will the hardware be supported by then?
>
> As you can tell I do not control the procurement procedure, but I can
> ask for specific DELL hardware.
>
> Regards,
>
> Kostas
>
> --
> Kostas Zorbadelos
> twitter:@kzorbadelos http://gr.linkedin.com/in/kzorba
>
> () www.asciiribbon.org - against HTML e-mail & proprietary attachments
> /\
Re: Mosh? seems dangerous!
On Wed, Apr 11, 2012 at 11:02 AM, Christian Weisgerber wrote:
> Gilles Chehade wrote:
>
> This must be satire. Right?
> I mean, "local-echo mode"? What is this? 1975?

In lossy or high latency environments I find a local echo to be really useful. To the point I occasionally dump stdout through my ssh tunnel locally instead of trying to run an interactive shell.
Re: DynDNS client
On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort wrote:
> Hello,
>
> Is there a DynDNS client for OpenBSD?

Rolled my own in Python a while back. There are a few that're utter overkill for "simple updater." You could do it in shell with tools in base with a little bit of scripting effort.

http://dyn.com/support/developers/api/
Re: DynDNS client
On Mon, Apr 16, 2012 at 9:43 AM, Ingo Schwarze wrote:
> Hi,
>
> Johan Beisser wrote on Mon, Apr 16, 2012 at 09:18:22AM -0700:
>> On Mon, Apr 16, 2012 at 9:00 AM, Laurence Rochfort
>> wrote:
>
>>> Is there a DynDNS client for OpenBSD?
>
>> Rolled my own in Python a while back. There are a few that're utter
>> overkill for "simple updater."
>
> If IP changes are rare for you and just want to update your IP manually
> now and then, using the web interface most providers offer is probably
> sufficient, and you don't even need your own script.

Mine are rare, but referencing the developer site ( http://dyn.com/support/developers/api/ ) does give you enough information to avoid having your client blocked, and how to make it comply with their TOS.

> If you want to run the client as a daemon, i'd advise against
> rolling your own. Most providers block accounts that update too
> frequently, and getting the logic right to prevent excessive
> updates is tricky.

Not really. It's dead simple: check against a state file that has the last known IP, compare to the interface or a web site that returns the external IP address, and update if that changes. If there's a change, update dyn.com, update your state file, and exit. I run mine every 5 minutes or so from cron. If nothing else, it's a good scripting exercise and a very basic one as well. Dyn.com offers up testing DNS entries for developers to test their code against.

> My experience is mostly with ddclient; i have contributed a few
> patches that were accepted upstream. The maintainer is a nice
> guy, not very actively supporting ddclient, but not letting it
> rot completely either. For home use, it is clearly good enough.
> For enterprise use, it is usable (if you are willing to help
> and fix the occasional bug), but certainly not great.
>
> However, the code quality is positively revolting. I have rarely
> seen Perl code looking that ugly. Still, as it is a small code base,
> you can find your way around it. But hacking into it is not fun,
> and if you value reliability a lot, you should probably look into
> other options, too, and compare.

All the more reason to write your own updater. You get to know what features you really need, vs the ugly crap that people include in their scripts.
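One way to implement the cron-driven state-file check described in the reply above, as an added shell example that is not the poster's own script: the last known address is kept in a state file, and the provider is only contacted when the address has changed or was never recorded, which is what keeps a frequent cron job from being blocked for excessive updates. The state-file path, the interface name (em0) and the provider_update hook are assumptions; the provider's real update request is left as a placeholder to be taken from the API documentation linked above.

```sh
#!/bin/sh
# Added example (not from the thread): a minimal dynamic DNS updater that
# only contacts the provider when the external address actually changed.
# Assumed: STATE_FILE location, IFACE name, and the provider_update hook.

STATE_FILE="${STATE_FILE:-/var/db/ddns-last-ip}"   # assumed location

# valid_ipv4 ADDR: succeed only for a well-formed dotted quad (4 x 0..255).
# Anything else is rejected so garbage is never recorded or sent upstream.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots in a subshell so the caller's IFS is untouched.
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for oct in "$@"; do
            [ "$oct" -le 255 ] || exit 1
        done
    )
}

# needs_update ADDR STATE: 0 when ADDR differs from the recorded address
# (or nothing was recorded yet), 1 when unchanged, 2 when ADDR is invalid.
needs_update() {
    addr=$1; state=$2
    valid_ipv4 "$addr" || return 2
    [ -f "$state" ] || return 0
    last=$(cat "$state")
    [ "$addr" != "$last" ]
}

# record_ip ADDR STATE: remember ADDR, only after the provider accepted it.
record_ip() {
    printf '%s\n' "$1" > "$2"
}

# current_ip: discover the external address from the primary interface
# via ifconfig(8) (OpenBSD output format assumed). A "what is my IP" web
# service could be substituted here for hosts behind NAT.
current_ip() {
    ifconfig "${IFACE:-em0}" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# provider_update ADDR: placeholder for the provider's update request.
# Fill this in from the provider's API documentation; it must return
# non-zero on failure so the state file is not advanced past a failed update.
provider_update() {
    echo "would update DNS to $1 (placeholder, no request sent)" >&2
    return 0
}

# run_once [ADDR]: one cron invocation. Returns 0 if an update was sent,
# 1 if nothing changed, 2 on a bad address, 3 if the provider call failed.
run_once() {
    addr=${1:-$(current_ip)}
    _rc=0
    needs_update "$addr" "$STATE_FILE" || _rc=$?
    case $_rc in
        1) return 1 ;;
        2) echo "refusing to act on invalid address '$addr'" >&2; return 2 ;;
    esac
    provider_update "$addr" || return 3
    record_ip "$addr" "$STATE_FILE"
}

# Assumed cron entry:  */5 * * * * /usr/local/sbin/ddns-update >/dev/null
# Run one cycle when invoked as that script; sourcing only defines functions.
case ${0##*/} in
    ddns-update) run_once ;;
esac
```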
Re: VPN on OpenBSD: OpenSSH or OpenVPN?
On Tue, Apr 24, 2012 at 6:07 AM, Otto Bretz wrote:
> On Tue, Apr 17, 2012 at 21:20, mxb wrote:
>> I rolled out L2TP/IPSec (npppd) on OpenBSD-current with RADIUS-auth.
>> Used mostly by OSX and Win7. Stable and works without any additional
>> third-party software.
>
> If you could write an article for undeadly (or only some short notes)
> on how you did this, it would be much appreciated. I'm sure there are
> lots of people besides me that are interested in this topic.

Count me in for those notes. I haven't had time to properly set up a VPN service for myself, and want something compatible with everything I deploy and use.
Re: Is there a L2TP daemon port?
> Hi,
>
> I have been thinking to set up a VPN on my OpenBSD server using L2TP
> over IPsec... the IPsec stuff seem to be built-in and good... but what
> about L2TP? Is there a L2TP daemon or LNS in the ports tree somewhere?
> Or am I missing something?

No. After searching around, playing with PoPToP, and trying various other solutions, I settled on OpenVPN. The advantages are pretty well spelled out. OpenVPN supports just about every OS out there. My only complaint is a lack of privsep.

> I like to set it up so less-technical users on a Win or Mac laptop and
> come and connect to my VPN.

There are a multitude of guides and tutorials on how to have a simple install package for OpenVPN for less technical users. Good luck.
Re: Is there a L2TP daemon port?
On Dec 22, 2007, at 6:57 PM, Sunnz wrote:
> Yes I have tried an OpenVPN client on a Mac before... it feels kind of hackish to be honest... haven't tried the Windows one yet... but if that's the only thing that works then I don't have a choice I guess.

I can understand that. What's worked really well, for me on 10.4 and 10.5, has been tunnelblick. Pop your config into ~/Library/openvpn, provide a path to your keys, and it "just works." Even has a handy little icon on the upper bar. On the back end, OpenBSD supports it beautifully. I have a system supporting two different VPN tunnels extremely well.

> Thanks for the advice!

Not a problem. I recently went through a hunt for an L2TP daemon that would work with OpenBSD, and after a week of fruitless searching started hacking with IPsec for other routing/tunneling needs. Even with ipsecctl/ipsec.conf, I found things lacking. One of the biggest problems was a lack of fine tuned control between routers and clients. OpenVPN suffered none of these difficulties. Quick examples:

- I could have the tunnel and the route through the tunnel, as separate and not related.
- Another issue with NAT traversal was immediately solved.
- The PF firewall could now be applied to a specific tun interface, and not tied to the enc0 interface (when running 2 or 3 tunnels each having different access needs, this counts for a fair amount).
- Complexity of setting up clients and server was reduced.

I have to say I started in the same boat as yourself. I wanted simple L2TP tunneling to an OpenBSD server.
Re: Is there a L2TP daemon port?
On Dec 23, 2007, at 1:42 AM, scott wrote:
> RE: tunnelblick you should look at ssh -w tun0:tun0 ... option; it's comparatively new and a tad under documented but works nicely, albeit on tcp.

My complaint with the "-w" option is not a lack of it working (works great), but lack of support through every OS out there; you need to have a tun driver, also be able to configure the remote side interface, not to mention the local one. Then there are the additional protocol resend problems due to it using tcp for a transport layer. For short, non-lossy, hops, this isn't a big deal. For lossy environments (wireless, long distances, satellite, asymmetrical routes, etc), the resending of tcp packets due to packet loss and fragmentation makes it a non-viable solution. At least, for anything that's going to be constant or continually used. I'd also not use that with clients who're less technically adept.
Re: pf + wii
On Dec 24, 2007, at 12:34 AM, Lord Sporkton wrote:
> I could be wrong but here is my 2 cents: I've seen something like this related to upnp, I would venture to guess your 2 friends have routers which support upnp and so far as I know openbsd does not support upnp. I would suggest either consulting the guitar hero manual or a tcpdump for the required ports for this game and try a static pat translation to your public ip. upnp allows the wii to request certain ports from the nat device be opened for it, in this case it sounds like your wii needs certain ports open to allow the server to connect to it, normally upnp would take care of it dynamically, but you don't have upnp, so you have to static assign the pat.

UPnPd for OpenBSD:

http://www.tateoka.org/~tate/doc/openbsd-upnp.html
http://miniupnp.free.fr/

Personally, I've yet to need anything like this.
Re: Postfix(chroot) and Postgresql
On Dec 25, 2007, at 12:57 PM, badeguruji wrote:
> I want to setup postfix and dovecot. I want to authenticate my users thru ldap. for that I have installed openldap server package. Is there a place where I can find some 'pointed' help on how to build such an 'email users' database? I do not want to have unix logins for them. I am searching on google and have not found anything yet. I am therefore looking into generic ldap manuals. (I do not want to be a ldap guru)

http://wiki.dovecot.org/VirtualUsers
http://wiki.dovecot.org/AuthDatabase/SQL

I think everything you asked about is documented right there.
Re: Ethernet jumbo frames?
On Dec 29, 2007, at 10:41 PM, Girish Venkatachalam wrote:
> What on earth is this? http://www.cyberciti.biz/faq/rhel-centos-debian-ubuntu-jumbo-frames-configuration/

Jumbo frames. Ethernet frames with more than 1500 bytes of payload, i.e. a larger MTU than 1500.

> I was under the impression that Ethernet frames can never be more than 1500 bytes.

Unless they're jumbo frames, yes.

> Or is it some kind of stupid linux hack? Or does it have any meaning?

It's permitted in IEEE 802.3, if not encouraged.

> Is there real value in this?

Fewer frames get corrupted, which means less processing overhead per frame. Outside of that, the remaining advantage is fewer frames going over the line. It's not recommended on the same LAN as systems not using jumbo frames.
Re: Using PF to QoS on tun interface
On Jan 2, 2008, at 10:17 AM, Nick Golder wrote:
> I inherited a system that is attempting (poorly) to QoS traffic going across a tun interface (which is being used by OpenVPN). Examples, books, and ML suggest to tag on the internal interface ingress traffic and QoS on the external interface egress traffic.

Treat the tun interface as a "normal" one. I recently had the same issue, and simply adapted TCP ACK priority to the interface, and found that worked fine. I'm currently testing a smaller MTU to help with fragmentation. Scrub, by the way, also seems to work quite well.

> Since the traffic that I want to QoS doesn't really have an egress interface to QoS on, I am trying to figure out a way to properly QoS the traffic. Here is a quick map on the traffic:
>
> rl0 <--> tun0 <--> OpenVPN <--> rl1 <--> Internet

I think you're missing a tunneling interface somewhere.

> The traffic I want to QoS on is ingress on rl0 which in turn is also ingress on tun0. By the time it hits rl1, it is OpenVPN traffic.

Could you explain this again? I've been doing foolish interface setup for a while now. My own "privacy VPN" I have running to a co-located box looks a bit like this:

[internet] <--> [external interface] <--> [tun0] <--> [openvpn] <--> [external interface]

I also have a LAN to colo box setup, using openvpn on a different port.

> Any recommendations on how to handle this?

Treat tun0 as a normal altq interface. So far, there's not been any "real" issues with it co-existing with my normal altq rules for non-VPN traffic on the router. The one thing I've not had is an "interface speed conflict", since I arbitrarily reduced the bandwidth to somewhat less than my external interface.
For my soekris LAN gateway:

altq on tun0 priq bandwidth 400Kb queue { vpn_tcp_ack, vpn_def, vpn_null }
queue vpn_tcp_ack priority 7
queue vpn_def priority 1 priq(default)
queue vpn_null priority 0

pass out quick on tun0 proto tcp from ($int_if:network) to any \
    queue (vpn_def, vpn_tcp_ack)
pass out quick on tun0 proto { udp icmp } from ($int_if:network) to any \
    queue vpn_def
Re: Improving disk reliability
On Jan 2, 2008, at 4:29 PM, Erik Wikström wrote:
> The preferable way to solve this would probably be to use two disks but that is not an option for me. So I was wondering if it is possible to instead split the disk in two parts, the first is used to install OpenBSD on, and the rest is split in two and setup in a mirror configuration using RAIDframe or something similar. If this is possible, will it buy me any additional protection against dataloss, or is it more likely that my disk crashes all together?

If the disk develops errors, no amount of replication on the same hard disk device will prevent potential data loss. You'd be better off mirroring on two completely separate devices. Perhaps copying the same data to another system or service may work.
Re: Richard Stallman...
On Jan 5, 2008, at 6:31 AM, Richard Stallman wrote:
> I doubt I would have looked at the AROS web site myself. To find out the status of the BSD systems, recently, I asked the FSF staff to check for me.

Wait, you have someone else do the research, and this person's opinions get reflected in what you say? You don't have someone else factcheck, or double check these facts yourself?
Re: Richard Stallman...
[slight legibility edit]

On Jan 5, 2008, at 9:39 AM, Marco Peereboom wrote:
> On Sat, Jan 05, 2008 at 07:30:36AM -0800, johan beisser wrote:
>> On Jan 5, 2008, at 6:31 AM, Richard Stallman wrote:
>>> I doubt I would have looked at the AROS web site myself. To find out the status of the BSD systems, recently, I asked the FSF staff to check for me.
>>
>> Wait, you have someone else do the research, and this person's opinions get reflected in what you say? You don't have someone else factcheck, or double check these facts yourself?
>
> That's clearly a rhetorical question.

I've gathered that. I'm hoping for a proper answer.
Re: OT YAG Re: delete deleted data
On Jan 5, 2008, at 8:06 AM, Shane J Pearson wrote:
> I think the first computers I witnessed in a work place, were actually analog computers (Navy). Where a mix of humans, transistors, valves, gears and three-phase motors/sensors, got the job done. ;-)

They're still in use as of the late 90s.
Re: Richard Stallman...
On Jan 5, 2008, at 4:56 PM, Rui Miguel Silva Seabra wrote:
> Yes. But even if it's legally redistributable, the question remains whether it's free software or not. Fortunately OpenBSD is Free Software. Unfortunately it recommends and distributes proprietary software on its servers (and it wasn't because some user wrote some text on a wiki page).

"Recommends?" Where does it "recommend?" Please, show me a single URL where OpenBSD "recommends" software that's not in the base system. If you said "makes available" I'd probably not have bothered responding to your ongoing drivel.

> Only if they were using it like those sissy pseudo-fans of Free Software which changed to Apple MacOS X just because it's "unix" (erms...) and pretty, and works and has the apps. That is: they'd use it without any soul.

Actually, I like OS X just fine. "non-free" and all. As a workstation, it's hard to beat. Especially since fighting to make KDE or GNOME "just work" for me in all aspects I need has proven tiresome and annoying. Darwin, for what it's worth, is just as 'free' as Linux or gNewsense. Due to some licensing by Apple, parts of it are not as "free" as OpenBSD. Then again, I know I don't have a soul. I like stuff that "just works" without having to "fight to make it work."

> There needs to be "soul" into the decision, or else it's just like choosing clothing. Does she use OpenBSD because she wants to use a Free Software operating system? If so, what have you done to help her get rid of her dependency on proprietary software?

Explain "soul." As in "be a 'soul' into the decision." I see you whip another four letter word out, and I suspect it may have a different meaning, much like your odd definition of "free."

For what it's worth, I've always interpreted OpenBSD's usage of "free" as "Free as in Liberty." You're "free" to take it, change it, make it your own, and do what you want. You're also "free" to not return your contributions to a derivative to OpenBSD. So far, nothing you've said that I've read has related to this definition of "free." It's always "Free as in Costs Nothing," "Free as in Comes Without Warranty," and "Free, except not really free."

> All I can speak for, is for myself: if I use OpenBSD because I like its feature set, and if I deploy it as I can... that's the kind of user you want to go away? I'd say you're better off cancelling the project, if it depended on you.

Actually, I think the "Go Away" was more of a "shut up you silly little wanker." That doesn't stop you from being in the userbase, it's just a nice way to ask you to keep your trap shut until you have something really useful to say.