Re: Community-driven OpenBSD tutorials wiki?

[Mehma Sarja]

I think what Jan is saying is sometimes we go to the hardware store for a
particular task, like weather proofing the home. And sometimes we go to the
store just to see what they have and you might want without a particular
project in mind.

Man pages, as opposed to woman pages, help one accomplish a task. A wiki
might give you ideas that did not occur to you.

Yudhvir

Re: Community-driven OpenBSD tutorials wiki?

[Mehma Sarja]

It is meant as a play on words, a light hearted comment. I see too many
"shit" and "fuck" comments in posts these days from people trying to sound
important when the subject matter is not.

Mehma
---



On Mon, Apr 16, 2018, 1:20 AM Stuart Henderson  wrote:

> On 2018-04-14, Mehma Sarja  wrote:
> > Man pages, as opposed to woman pages, help one accomplish a task.
>
> What do you mean, "as opposed to woman pages"?
>
> In this context it is simply short for "manual".
>
>
>

OpenBSD install on a g5 imac power pc

[Mehma Sarja]

Installed openbsd on a model A1058, imac g5. The install was uneventful.
However, I cannot boot to it. I've tried what the documentation says for
booting off the HD using open prom and the error is that /bsd does not
exist. I'm going off memory now.

Is anyone running off a g5?

Yudhvir

Re: Are there open source firewall distributions which are built on top of OpenBSD?

[Mehma Sarja]

> Are there open source firewall distributions which are built on top
>
> In the remote past, some existed and died, i'm not aware of any
>
> Also, wasting time on so-called "distributions" is discouraged


Used to run pfsense for many years and once you get used to pf by itself,
it just makes sense using pf on it's native OpenBSD instead of FreeBSD.
pfsense is built on FreeBSD and always playing catch-up with both the OS
and with pf. If you look at the rule set that pfsense creates via the web
GUI, it is very simple. Once you go command line, a whole world opens up.
It does take a leap of faith to do it though. It took me many years to
trust myself to take the plunge. And I've managed an OpenBSD/pf firewall on
a 225 user network.

My current setup is basic firewall with DHCP, NAT and routing. But there is
power in the simplicity. When something goes wrong -and it has happened
twice due to power failures, there is so much less to deal with to bring
the box back up.

Yudhvir

old and new pf tandem test ---help

[mehma sarja]

I want to test two pf firewalls in-line - an old openBSD (3.7 #50, i386) is
on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on the 'inside.' Here
is the setup
INTERNET ===[outside port bridged to inside port OLD pf] === [outside port
bridged to inside port NEW pf] === LAN

I took the old pf.conf and am using it in the new machine. The setup blocks
smpts and https verifiably. Perhaps also imaps and pop3s. Any help will be
taken as grateful relief.

Question:  Is a tandem two-firewall setup doable? Meaning, is this a real
test? If not, I can test the new pf by itself.

Yudhvir

Re: old and new pf tandem test ---help

[mehma sarja]

Ingo,

Thanks for a detailed response, really. It is my fault that I did not set
the context and here it is:
a.  The old firewall is in production and is running as expected - blocking
and passing as we need.
b.  I am in the process of replacing it with a new one. It happens that
OpenBSD was inconvenient on the hardware we have, so the new firewall is
implemented on FreeBSD. I copied most stuff over and tested it within our
network - which is not a complete test.
c.  So, one test is to put these two firewalls in tandem - just for testing.
The idea being that the inside firewall will catch stuff going out and we
can see it in the logs and the outside firewall will catch stuff coming in
and we can see that as well. They should not have anything in the logs for
stuff going the other ways. if you know what I mean.

d.  Why are we performing a test like this?  We are replacing a production
firewall and want to test the new one for about a month before taking the
old one away. Is there a better way to test out the functionality over an
extended period of time - without setting up a separate environment?

e.  The tandem configuration got hooked in and everything (by 'everything, I
mean this is our single pipe in and out of our organization and we have a
lot of other services we provide) works except smpts, https and maybe imaps
and pop3s (we did not test for these since we quickly reverted back when we
found out that some services were being blocked)

OLD FIREWALL - smtps
pfctl -s rules|grep 465
pass in log quick on em0 inet proto tcp from any to 128.114.23.233 port =
465 flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 128.114.23.234 port =
465 flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 128.114.22.166 port =
465 flags S/SA modulate state
pass in log quick on em0 inet proto tcp from 66.59.235.49 to 128.114.23.218
port = 465 flags S/SA modulate state

em0 is the outside port of the bridge

NEW FIREWALL - smtps
pfctl -s rules|grep smtps
pass in log quick on em0 inet proto tcp from any to 128.114.23.233 port =
smtps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 128.114.23.234 port =
smtps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 128.114.22.166 port =
smtps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from 66.59.235.49 to 128.114.23.218
port = smtps flags S/SA modulate state

OLD FIREWALL and NEW FIREWALL imaps DATA is the same
pfctl -s rules|grep imaps
pass in log quick on em0 inet proto tcp from any to 128.114.23.233 port =
imaps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 128.114.23.234 port =
imaps flags S/SA modulate state

OLD FIREWALL and NEW FIREWALL https DATA is the same
pfctl -s rules|grep https
pass in log quick on em0 inet proto tcp from any to 128.114.23.233 port =
imaps flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 128.114.23.234 port =
imaps flags S/SA modulate state

OLD FIREWALL and NEW FIREWALL pop3s DATA is the same
pfctl -s rules|grep pop3s
pass in log quick on em0 inet proto tcp from any to 128.114.23.233 port =
pop3s flags S/SA modulate state
pass in log quick on em0 inet proto tcp from any to 128.114.23.234 port =
pop3s flags S/SA modulate state

Yudhvir
===
On Sun, May 17, 2009 at 11:09 AM, Ingo Schwarze  wrote:

> mehma sarja wrote on Sun, May 17, 2009 at 10:35:27AM -0700:
>
> > I want to test two pf firewalls in-line - an old openBSD (3.7 #50,
>
> That makes absolutely no sense.  Don't run real servers with historical
> software.  Run 4.5.
>
> > i386) is on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on
> > the 'inside.'
>
> Using an external and an internal router with a border net (DMZ)
> in between is *the* standard way to run a firewall.  Certainly,
> there are other possibilities, but's that's what you usually do
> when you have the resources.
>
> > Here is the setup INTERNET ===[outside port bridged to inside
> > port OLD pf] === [outside port bridged to inside port NEW pf] === LAN
>
> That doesn't sound well.  Bridging should definitely not be involved.
> In a traditional internal/external firewall setup, bridging is
> particularly counter-productive.
>
> > I took the old pf.conf and am using it in the new machine.
> > The setup blocks smpts and https verifiably.
> > Perhaps also imaps and pop3s.
>
> That does not sound well.  "Perhaps" should not be involved when setting
> up a firewall.  Pay attention to use a default-deny policy.
>
> > Any help will be taken as grateful relief.
>
> Start by reading a standard textbook about firewall design.
>
> Yours,
>   Ingo

Re: old and new pf tandem test ---help

[mehma sarja]

Ingo and the rest of OpenBSD pf-ers,
Thanks Ingo for your thoughts. Let me ask a simpler question, is there
something wrong with the following line on a FreeBSD 7.2 pf?

pass in log quick on em0 inet proto tcp from any to 121.209.23.121 port =
imaps flags S/SA modulate state

Yudhvir

Re: old and new pf tandem test ---help

[mehma sarja]

Ingo et all,
I suspect "modulate state" may be the culprit. Here is what the manual says:

modulate state - works only with TCP. PF will generate strong Initial
Sequence Numbers (ISNs) for packets matching this rule.

So we have 2 machines generating ISNs for the same connection. Could this be
the problem?

Yudhvir
===

On Sun, May 17, 2009 at 6:13 PM, mehma sarja  wrote:

> Ingo and the rest of OpenBSD pf-ers,
> Thanks Ingo for your thoughts. Let me ask a simpler question, is there
> something wrong with the following line on a FreeBSD 7.2 pf?
>
> pass in log quick on em0 inet proto tcp from any to 121.209.23.121 port =
> imaps flags S/SA modulate state
>
> Yudhvir

Re: old and new pf tandem test ---help

[mehma sarja]

Otto, Henning and Stuart to-the-point answers. Thanks guys. I have taken
the post over to FreeBSD list. However, Henning, I am curious why you call
pf on anything but OpenBSD a "starter drug?" Is the performance difference
that huge? pf on FreeBSD 7.2 is version 4.1.

You have piqued my interest and may convince me to switch to OpenBSD. Keep
the posts coming.

Yudhvir

Re: old and new pf tandem test ---help

[mehma sarja]

Wow, I appreciate your insights.

Yudhvir
===

On Tue, May 19, 2009 at 7:23 AM, Jason Dixon  wrote:

> On Tue, May 19, 2009 at 02:52:03PM +0200, I?igo Ortiz de Urbina wrote:
> > On Tue, May 19, 2009 at 2:37 PM, Stuart Henderson 
> wrote:
> > > On 2009-05-19, Iqigo Ortiz de Urbina  wrote:
> > >> Mehma,
> > >>
> > >> You can find more info on the performance boost, and how developers
> > >> achieved it, in this article. You can go through all of it as its
> > >> really interesting IMHO:
> > >>
> > >> http://www.onlamp.com/pub/a/bsd/2007/11/01/whats-new-in-bsd-42.html
> > >>
> > >> Hope it helps you feel the need of trying pf _at home_ :)
> > >
> > > That is a good start, but there have been other changes since.
> > > Not only pf, but also pfsync, nic drivers, and more.
> > >
> > > -current has some nice extras (added after 4.5) for ruleset sanity
> > > too. For example, "match" rules, which are absolutely great when
> > > combined with tags.
> >
> > Indeed, and the active-active setup.
> >
> > For those interested, here's more info on the subject:
> >
> > Lecture: http://www.youtube.com/watch?v=cBxDgevQpCg
> > Paper, part1 : http://undeadly.org/cgi?action=article&sid=20090220014805
>
> This will get you all of the related stories:
>
> http://undeadly.org/cgi?action=search&mode=&thres=&method=and&sort=revtime&query=redesign+pfsync
>
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/

Re: Can someone tell me if my disk is dying...

[mehma sarja]

Does OpenBSD have the camcontrol package? If so, try

camcontrol defects sd0 -f phys -p
camcontrol defects sd0 -f phys -g


Yudhvir

Re: Something similar to Soekris boards, for server applications

[Mehma Sarja]

I'm putting a Supermicro Atom D510 in the field as a SSD-based firewall 
and boot server for 158 users. And a Supermicro D525 as a file server 
with a 1 TB drive. Where they are going, they have power issues and 
low-power systems, with a UPS, might just survive. Each is maxed out 
with 4GB RAM. And I am also keeping one application per machine for 
simple maintenance and 'safeguard' performance.


Mehma
===

On 11/30/11 10:12 AM, Bentley, Dain wrote:

I second that. I run an atom 330 with two gigs of RAM and two 500gig drives in
a raid for development server at home is a 1u case. It performs great and its
low power

Re: Narcicism?

[Mehma Sarja]

On 12/1/11 7:25 AM, John Tate wrote:

I'm 24 years old. I was a Linux hacker since I was 13. I am a bit of a guru

[snip]

age, but at an older age I relearned it well. I am the guru sort of guy, I


A guru is someone who knows stuff.


Mehma

Re: n00b questions -- keyboard messed up

[Mehma Sarja]

On 1/22/12 9:47 PM, John Doe wrote:

Excuse my good old-fashioned American turkeyness of last year, but if it's not
secure by default, it does indeed belong on the website.  Why can't we set
machdep.allowaperture=1 for n00bs whose first priority is to use X Windows
without getting hacked in the kernel from all those stray pointers escaping
from
Firefox?  Sure, ASLR helps, but I want a basic browser capable of running
Javascript
securely in a thread-safe jail without crashing on double frees,
running out of
memory, and selling more cookies than the Girl Scouts, that
somehow manages to
maintain more hidden access logs than a Swiss bank on MY
personal computer,
regardless of the privacy settings I choose.  Is surf a
better browser, or are there
other suggestions?

Surely OpenBSD would not be
accused of antitrust for integrating a browser into
the operating system, or
at least coming up with or pointing users toward a decent
port if there is
one. Maybe it's just wishful thinking, but what I'm getting at is that I
want/need a secure standards-compliant graphical client for web access.
- Original Message -
From: Tomas Bodzar
To:
John Doe
Cc: "w...@openbsd.org";
OpenBSD-misc list
Sent: Sunday, January 22, 2012 8:47 PM
Subject: Re: n00b questions -- keyboard messed up

On Sun, Jan 22, 2012 at
7:16 PM, John Doe  wrote:

The keyboard mapping in the

kernel is getting correpted when I use X Windows

Version 11 Release 6

Xenocara.  I am using a Microsoft(R) Digital Media

Keyboard 3000.  How do I

map the extra keys? and would it help if I used

machdep.allowaperture=1

instead of 2?  Also kbd can change the keyboard

mapping as a regular user,

but it cannot list the available keyboard mappings

without being r00t, and

it doesn't take effect until I log out and back in to

X-Windows. Why is

this, and how do I type diacritical marks like circumflex

carets and other

accents, umlauts, ruotsalainen o, etc. in OpenBSD?
This thread belongs to
misc@ and not www@

post your dmesg, /etc/X11/xorg.conf and
/var/log/Xorg.0.log

for mapping keys in X see man xmodmap

Why
machdep.allowaperture and what is done by this setting see
http://www.openbsd.org/cgi-bin/man.cgi?query=xf86&sektion=4 (man xf86)

I LOVE this guy... "turkeyness" "Girl Scouts" "Swiss bank" - that's what 
I call a good old fashioned blue blooded American perkiness! In fact, 
the lingo kept me reading and now I'm actually interested in this 
browser he is looking for.r


Mehmasarja

Re: How to deal with DDoS ?

[Mehma Sarja]

On 2/22/12 12:39 AM, Roger S. wrote:

On Tue, Feb 21, 2012 at 9:51 PM, Joachim Schipper
  wrote:

Just the most obvious idea, since you mention that this sort-of-works if
you put "block drop in quick from !": does it handle
this load if you turn off pf, or only include one or two trivial rules?

Hi,

I don't know nothing about nothing but someone once said as I was 
struggling with a Snort and country block setup, "why don't you put them 
on different machines?" As I am sure you have thought about this, can 
you reduce the volume of attacks with a different machine so your pf 
machine can handle the rest?


Mehma

Re: Upgrading OpenBSD

[Mehma Sarja]

On 5/21/12 9:34 PM, Matthew Weigel wrote:

On 21.05.2012 22:45, Richards, Toby wrote:


Granted: I do hold an MCSE certification, but I don't need it.
The upgrade just works. Well... despite occasional BSOD's ;)


I admit this kind of made me chuckle:
http://www.linkedin.com/pub/toby-richards/37/71a/474

Oy vey,

And this guy holds a degree from Santa Clara Univ? Toby, $40K/ year for 
this?



Mehma

Re: OpenBSD in April's issue of the CACM

[Mehma Sarja]

On 5/29/12 4:35 PM, Theo de Raadt wrote:
However, I myself will not send them a letter. If an organization with 
the size and reputation of ACM cannot self-police their own authors 
before publishing, then they do not have a high reputation after all, 
and it is not worth my time writing a dispute to them. However, others 
might want to... I want to make it very clear that we tried very hard 
to get this resolved correctly with the right organizations. They left 
no leeway. 
Thanks for the long post - it is obvious what happened and a good 
history lesson. This changes something for me - over the next few 
months, I will make a willful change away from Linux and FreeBSD where 
possible and towards an OS which champions something we all should hold 
precious, OpenBSD. I can see migrating file servers and firewall/boot 
server over. The application server may be a bit difficult.


--
Yudhvir
`(/`)
`('`(5`)`(0

ssh connections load on a server - NEWBIE question

[mehma sarja]

What do you call an OpenBSD network admin? The answer is at the end of this
message.

What kind of server load will 62 sshfs connections have on an Atom server
with 4GB RAM? The connections will last a workday. I am assuming that a
sshfs connection is basically a ssh connection and hence the post on this
list. Yes I did look through the archives w/o luck, and no I cannot easily
create a test environment to measure what I want. If some soul has a similar
experience, please share it.

Mehma
p.s. The answer is OB-WAN

Re: How does OpenBSD compare to Ubuntu Server?

[Mehma Sarja]

On 7/11/11 10:48 PM, Andres Perera wrote:

On Mon, Jul 11, 2011 at 11:43 PM, patrick keshishian  wrote:

you failed at making any point.

i'll rebrand it into convenient twitter format:

debian splits packages to the point where a single service is a
associated to a single top level package, meaning that there's never a
reason for unused installed services

openbsd limitations do not apply 1:1 to other systems unless they
happen to be openbsd. in the previous sentence, "openbsd" can be
replaced by any word

OK, I got the first paragraph but not the second. Could you please 
"rebrand" it so people like me can unnerstand? I just got off the boat. 
To be clear, which is my thing today, here is how I read the "openbsd 
limitations..." sentence: OpenBSD limitations apply only to OpenBSD. As 
my 4-year old would say, "Hello..." Your last sentence is equally 
baffling. I understand you may be mad at some responders, but the lack 
of clarity makes us haze over your argument and take the topic off on a 
tangent that you do not like. And that makes you mad, it is a Type A 
thing - we understand.


Simple, clear sentences sting the most.

Mehma

Re: Mac Mini Server

[Mehma Sarja]

On 7/13/11 11:15 AM, Francois Pussault wrote:

hi,
of course it makes sense, it is done to make you talk about it, so that
works.


Try loading an OpenBSD VM on the machine first to see if there are any 
surprises.


Mehma

Re: What should I do with a remote AIX machine if I accidentally "chmod "/usr/bin/ksh"?

[Mehma Sarja]

On 8/30/11 6:15 PM, Marcos Ariel Laufer wrote:

I didn't mean evangelizing, but you never know who might be a future
donator, after all OpenBSD needs donations

Donor, not donator.

Mehma

Re: Detect APC UPS is on battery

[Mehma Sarja]

On 10/19/11 1:57 AM, Benny Lofgren wrote:

On 2011-10-19 10.23, Paul de Weerd wrote:

| I think your methodology is fllawed. think of the situations when you
| have power loss, then shutdown is started and then power is back.
| or situations where you starting machine after blackout and then there
| is a blackout again...
| With good ups you at least have 'switch off after some time is gone"
| option.

You can build a lot of logic in the way you do this, including 'switch
off after some time is gone'.  Really the only thing you get with
'good ups' is an indication of how long your battery is going to last,
which might even resemble something close to reality if you're lucky.

Don't get me wrong: 'proper' upses have a lot of benefits, but that's
mostly related to the ease of doing this controlled power down in case
of blackouts.

Well, Gregory is right in a way. The one flaw there is with my "poor man's
UPS watchdog" is that there is no way to get the server going again if
power is restored after the script decides to shut the server down but
before the UPS runs out of battery juice and actually shuts off the
power to the server.

In that case, when power is restored the server will never have had its
power cycled, so can never turn back on again even if you set its bios to
boot when power is applied regardless of its state before power outage.

What we can do in that case is to "almost" power it off, that is, shut
down all services, get down to single user mode, unmount all volumes
except for root which is remounted read-only, and then just wait.

Either the server will eventually die, in which case it will boot back up
as good as new when power is next applied, or the power will get back on
in which case the script can detect that and simply do a reboot.


Regards,
/Benny

I like Benny's concept - go down to single user mode and wait... simple. 
It is also a good solution for a remote setup.


Mehma

Re: USB mouse

[Mehma Sarja]

On 10/26/11 5:19 PM, Scott McEachern wrote:

On 10/26/11 20:05, Christiano F. Haesbaert wrote:

On 26 October 2011 20:52, Zantgo  wrote:

How I can run USB mouse?

Zantgo



It should work just by plugging it, have you tried ?



Oh that's just pie-in-the-sky craziness.

The next thing you'll be saying is that USB keyboards should "just work".

Steve Jobs kept saying that .."It should just work" and look where he 
ended up! Zani, please be careful else all this "advice" from novices 
will lead you to a DEAD end. I would install the usb-mouse package 
before plugging in the mouse.


Mehma

Re: I want copy pf.conf from FreeBSD 8.2 to OpenBSD 5 and use it

[Mehma Sarja]

On 11/8/11 4:25 AM, Mostaf Faridi wrote:

Thanks
My problem is this I do not enough time to start from scratch and make new
rule .in my work place , my boss find another person can do internet
sharing with Windows 2008 and ISA and this person say he can make best
internet sharing server ,
I said before my my pf.conf in FreeBSD work good , but sometimes some user
lost internet and they can not browse web pages , but they can chat with
paltalk , after reboot or disbable or enable PF this problem solve . I
think I have mistakes or problems in my PF.conf . So after search in Google
, I see PF version in FreeBSD is so old , so I decided move from FreeBSD to
openBSD .
I wish my PF work good in OpenBSD
Thanks in advance.


Yo Most...

You have selected the wrong product for your little project. If you 
don't have the time, don't have a lot of expertise - don't select a 
high-end system to implement. Let me suggest a smoother path for you... 
pfSense. It is pf, based on FreeBSD and is web-based. It should ease you 
into this pf world and get you going fairly fast. Throw away the pf.conf 
you keep wagging and start from scratch ... even in pfSense. It gets you 
going very fast. And the pfSense community (mailing list) is much more 
aligned to help a newbie such as yourself.


Mehma

Re: selling bsd in cd for profit??

[mehma sarja]

Yea for Steve!

Mehma
===

On Fri, Feb 26, 2010 at 6:37 PM, STeve Andre'  wrote:

> On Friday 26 February 2010 21:25:51 Richard Toohey wrote:
> > On 27/02/2010, at 3:04 PM, Joel Wiramu Pauling wrote:
> > > Let me clear on this.
> > >
> > > Yes you can.
> > >
> > > Follow the BSD licence terms (none of which say anything about for
> > > profit) and you are fine.
> > >
> > > There is absolutely zero legal reason you cannot put together a cd of
> > > OpenBSD and sell it. The official CD has some further licencing
> > > restrictions, so if you were to copy it verbatim it would constitute a
> > > breach of these terms.
> > >
> > > But if you create your own and sell it. No problem.
> >
> > "No problem"?  Maybe not (I don't know) a legal/licence problem, but you
> > are biting the hand that feeds / killing the golden goose.
> >
> > http://www.openbsd.org/
> >
> > "The project pays for the development environment and developer events by
> > selling CDs ... These finances ensure that OpenBSD will continue to exist
> > ..."
> >
> > But I sense another troll ...
>
> I don't.  A lot of people are genuinely confused & curious about this BSD
> thing, the operating system and license.  The number of times I've
> explained
> (or tried to) the BSD license vs. GPL numbers in the dozens now.
>
> People here are far too quick to label questions like this as trolling.
>  Sure,
> there are people who like to stir the pot up, but there are a lot more
> clueless people out there--clueless meaning not understanding, where
> we all were, at one point.
>
> --STeve Andre'
>
> >
> > > On 27 February 2010 13:44, Citra Cool  wrote:
> > >> Can I selling openBSD in CD for profit??

Re: Sun Fire 880 phantom disks

[mehma sarja]

That's spare change. If you change the 'm' to a 'r', then you can have mine.

Mehma
===

On Mon, Mar 1, 2010 at 3:25 PM, Kenneth R Westerback  wrote:

> On Mon, Mar 01, 2010 at 10:58:31PM +0100, Pete Vickers wrote:
> > Hi,
> >
> > The 880 is stock from Sun. I've done no hardware plumbing on it.
> >
> > According to
> http://docs.sun.com/app/docs/doc/806-7338-10/6jg7hm79b?a=view
> >
> > "You can use multipathing software to switch I/O operations from one I/O
> controller to another to prepare for DR operations. With a combination of DR
> and multipathing software, you can remove, replace, or deactivate a PCI
> controller card with no interruption to system operation. Note that this
> requires redundant hardware; that is, the system must contain an alternate
> I/O controller that is connected to the same device(s) as the card being
> removed or replaced"
> >
> > So the disk bus is connected to two controllers for redundancy, and
> Solaris obviously deals with this accordingly. I guess I should config> a
> controller away to stop OpenBSD seeing it ? In the longer term perhaps
> OpenBSD scsi layer could examine disk serial numbers, and avoid assigning
> device IDs to subsequent disks with the same serial number ?
>
> OpenBSD already has the beginning of multi-path support, but it is
> early days. man mpath(4) on -current. But at the moment if the box is
> configured to allow both ports to see all the disks then you will
> have to take manual action of some kind to suppress the 2nd set.
>
>  Ken
>
> >
> >
> > {2} ok devalias
> > cdrom/p...@8,70/s...@1/d...@6,0:f
> > tape /p...@8,70/s...@1/t...@4,0
> > scsix/p...@8,70/s...@1
> > disk /p...@8,60/SUNW,q...@2/f...@0,0/d...@0,0
> > disk0/p...@8,60/SUNW,q...@2/f...@0,0/d...@0,0
> > disk1/p...@8,60/SUNW,q...@2/f...@0,0/d...@1,0
> > disk2/p...@8,60/SUNW,q...@2/f...@0,0/d...@2,0
> > disk3/p...@8,60/SUNW,q...@2/f...@0,0/d...@3,0
> > disk4/p...@8,60/SUNW,q...@2/f...@0,0/d...@4,0
> > disk5/p...@8,60/SUNW,q...@2/f...@0,0/d...@5,0
> > disk6/p...@8,60/SUNW,q...@2/f...@0,0/d...@8,0
> > disk7/p...@8,60/SUNW,q...@2/f...@0,0/d...@9,0
> > disk8/p...@8,60/SUNW,q...@2/f...@0,0/d...@a,0
> > disk9/p...@8,60/SUNW,q...@2/f...@0,0/d...@b,0
> > disk10   /p...@8,60/SUNW,q...@2/f...@0,0/d...@c,0
> > disk11   /p...@8,60/SUNW,q...@2/f...@0,0/d...@d,0
> > scsi /p...@8,60/SUNW,q...@2
> > net  /p...@9,70/netw...@1,1
> > gem  /p...@8,60/netw...@1
> > flash/p...@9,70/e...@1/flashp...@0,0
> > idprom   /p...@9,70/e...@1/i...@1,500030/idp...@0,a0
> > nvram/p...@9,70/e...@1/i...@1,500030/nv...@0,a0
> > i2c3 /p...@9,70/e...@1/i...@1,500030
> > i2c2 /p...@9,70/e...@1/i...@1,50002e
> > bbc1 /p...@9,70/e...@1/b...@1,50
> > i2c1 /p...@9,70/e...@1/i...@1,30
> > i2c0 /p...@9,70/e...@1/i...@1,2e
> > bbc0 /p...@9,70/e...@1/b...@1,0
> > rsc-console  /p...@9,70/e...@1/rsc-cons...@1,3083f8
> > rsc-control  /p...@9,70/e...@1/rsc-cont...@1,3062f8
> > ttyb /p...@9,70/e...@1/ser...@1,40:b
> > ttya /p...@9,70/e...@1/ser...@1,40:a
> > pci9b/p...@9,70
> > pci9a/p...@9,60
> > pci8b/p...@8,70
> > pci8a/p...@8,60
> > ebus /p...@9,70/e...@1
> > name aliases
> >
> >
> >
> >
> > /Pete
> >
> >
> >
> >
> > On 1. mars 2010, at 19.40, Kenneth R Westerback wrote:
> >
> > > On Mon, Mar 01, 2010 at 03:56:22PM +0100, Pete Vickers wrote:
> > >> Hei,
> > >>
> > >>
> > >> Upon booting either 4.6-RELEASE or 4.7-BETA on my SunFire 880 causes
> the
> > >> kernel it to 'see' twice the correct number of physical disk. Further
> if I
> > >> install the o/s  using bsd.rd on to sd0, then upon reboot the kernel
> can't
> > >> find the root disk. However if I install on sd12 then booting etc is
> fine.
> > >>
> > >> the machine has physically 12 disks (36GB FC-AL), which appear to be
> > >> duplicated as sd0-sd11 and sd12-23.
> > >
> > > Do you have the disk in a loop that includes both ports on the 2200?
> That
> > > could explain why the disks are seen twice. And I believe only one WWN
> > > is saved from the boot so if it sees the same disk on the other port
> > > it may be lost.
> > >
> > >  Ken
> > >
> > >>
> > >>
> > >> r...@sf880 ~>sysctl hw.disknames
> > >

Re: RouterBOARD RB600A support

[mehma sarja]

Good post Mark,

[snip]

> If anybody is interested and willing to donate a
> development board or a hackable product based on these chips, please
> contact me.

Let's have a mini rally around providing a board here - I'm in for twenty
USD. I am sure 10-15 people can do the trick.

[snip]

> To guarantee the availability of releases and snapshots, Theo really
> needs a machine.
>
I'm in for another twenty USD. I went to that router place and the board he
is looking at is a couple of cinos. That's another 10 or so people.

Mehma

Re: RouterBOARD RB600A support

[mehma sarja]

I'l up my bid from 40 to 80 USD.

Mehma

Re: Hardening OpenBSD : Just delete!

[mehma sarja]

hadly hadened (Boston dialect) if Guido is not watching it.

Mehma
===

On Sun, Mar 14, 2010 at 10:07 PM, Han Boetes  wrote:

> Chris Bennett wrote:
> > You people have no sense of where security really lies at!
> > If you don't remove the hard drive, there is no security at all!
>
> I simply put my servers into armored concrete. After that I dump
> them somewhere in the middle of the ocean where the level is at
> least 3 km. That's hardening sir!
>
>
>
> # Han

Re: OpenBSD culture?

[mehma sarja]

Zack et all,

The OpenBSD community is neither rude nor anti-newbies - they just take
their work personally. I am a newbie and have used this group without any
negative responses. The gruff talk people are referring to is based purely
on lazy questions.

Mehma

Re: Wildest Africa Tour

[Mehma Sarja]

On 4/5/11 9:07 AM, Stuart Henderson wrote:

On 2011-04-04, Stuart VanZee  wrote:

Don't be silly.  While Lions do provide excelent physical security
they don't provide any data security at all.

I love animals: I'm always talking about animals, I love 'em. But
the thing is that, you know, whenever you see animals on the telly,
it's always the show-off animals. Yeah? It's always the leopards
and panthers and crocodiles. Lions milling about, going "Oh, I'm
very good, I'm on everything", and it really makes me annoyed, you
know? Because what about the English animals, you know? The British
mammals, yeah? Hah, what about the muskrat, or the tiny northern
root-vole, with his little banjo and hat made of elastic bands,
yeah? Who's representing them, eh? No-one, that's who.

You had a good buildup and even some suspense. Oh what a letdown! What 
British animals? You've got to be kidding. Isn't everybody over there 
all civilized an stuff? Take your little poodle and pony show and move 
it along down the road.


Mehma

Don't go over to the dark side

[Mehma Sarja]

On 4/19/11 8:27 AM, Amit Kulkarni wrote:

->  Keeps me from taking that cushy Microsoft job

Theo,
Don't go over to the dark side. Stay aloof and kick everybody's ass.
If Windows were not consistently, inherently and congenitally insecure - 
there would not be such a great need for OpenBSD.


Mehma

Re: For me, OpenBSD is the operating system that "just works".

[Mehma Sarja]

On 4/27/11 6:43 PM, Amit Kulkarni wrote:

So it turns out I had this spyware. None of the AVs detected it.


cut

I tried a Mac, but ultimately had the same problem, without all the crashing.
Just removed 11 viruses, that I know of, from my mac laptop. That's 
called a Mac attack.


Mehma

Re: Need Suggestion: To limit the access of root account

[Mehma Sarja]

On 4/28/11 7:52 PM, Stefan N wrote:

Hi All,

I would need some suggestions from you. Currently I am setting up OpenBSD
Firewall using PF at my working place.
However, some of my colleagues are not so familiar with the OpenBSD and we would
like to take turn to do that. I have the intention that I would like to limit
the usage and access the root account.

I have intention to give them the 'more than enough' access for them to do daily
administrative tasks as firewall admin like:
1.View/Configure IP Address, Subnet of network interface,VLAN and CARP
2.View/Configure default gateway and static route
3.View/Change the entry of DNS Server IP
4.Configure Syslog
5.Add/Remove PF rule
6.Backup/Restore
8.Viewing traffic using tcpdump

Is that possible to make some CLI Menu which will appear to the fw admin after
the login as long as they can do their job.
Example:

OpenBSD/i386

login:bob
password:

Please select the task below:

1>View/Configure IP Address, Subnet of network interface,VLAN and CARP
2>View/Configure default gateway and static route
3>View/Change the entry of DNS Server IP
4>Configure Syslog
5>Add/Remove PF rule
6>Backup/Restore
7>Viewing traffic using tcpdump
8>Logout

Or is there a better way to limit the usage and access of root account by fw
admin?

My intention is: I would like to give enough access for the fw admin to do their
job using a simple way.

Thank you in advance.

Regards,
Stefan

If you are new to pf - try pfsense.org - although that's based on 
FreeBSD. It has nice web GUI and gobs of functionality.


mehma

Re: 64bit (or better) memory reads in i386

[Mehma Sarja]

On 6/12/11 12:28 AM, Otto Moerbeek wrote:
> On Sun, Jun 12, 2011 at 04:19:01PM +0930, Giridhari wrote:
>
>> Your criticism is welcome- it gives me perspective of what I am
>> looking at, and how to tackle this. You've told me to think and what
>> to think about. I am not trying to get out of work I will have to do
>> anyway, I just wasn't sure where to look at this from, and you've
>> given me exactly that. I do not consider you my free slaves!
>> Seriously, I have a very high regard for OpenBSD, and it's
>> developers and supporters.
>>
>>
>> Basically I have concluded I may have to write a custom tool that
>> performs bulk memcopys or similar that is ideally Assembly
>> optimised.
>> Thankyou for your prompt attention. It is most appreciated.
>>
>> Giridhari
> What a strange conclusion from what we've said.
>
>   -Otto
>
This character's been here before...

"From: Giridhari
Sent: Thursday, February 04, 2010 7:28 AM
To:dera...@theos.com  
Subject: pico and/or nano in the releases and snapshots


Hare Krsna Mr. DeRaadt.

I am trying to write a new security implementation for OpenBSD, but find vi to
be clumsy and hampering"


Mehma

Re: dhcpd knob

[Mehma Sarja]

On 6/19/10 10:08 AM, Theo de Raadt wrote:

anyone is welcome to run the official isc stuff if they want.  they're
also welcome to drink the water in india.  we don't mind when other people
take risks with their own lives.
   

I can vouch for the water in India.

Mehma

Re: dhcpd knob

[Mehma Sarja]

On 6/20/10 6:43 AM, Jacob Yocom-Piatt wrote:

Rod Whitworth wrote:

On Sat, 19 Jun 2010 23:38:10 -0700, Mehma Sarja wrote:


I can vouch for the water in India.

Which is no doubt the reason that Mr Tata supplied us with crates of
bottled water when we were working there? So you could vouch for it?

We were instructed not to even use tap water in the Taj Residency to
brush our teeth...




why would someone not want to drink water from the ganges? the charred 
semi-decomposed bits of corpses really brings out the rest of the 
flavors.



OK people,

I meant to say that I can vouch that the water is bad. If someone wants 
to read otherwise, it's a free country. I found the comparison apt and 
thus commented.


Mehma

Re: DVD burning software besides cdrecord/growisofs

[mehma sarja]

My dmesg shows:
cd0 at scsibus0 targ 0 lun 0:  ATAPI
5/cdrom removable
It is some sort of new fangled dvd writer - super multi by LG.

I struggled with this for a while and finally the light shone bright as
follows:

FIRST, as root, type
# disklabel cd0

SECOND, this reports, among other things the device name to use:
# /dev/rcd0c
My device is actually /dev/cd0a, but let that not bother you until it's time
for mounting.

THIRD, type
# growisofs -Z /dev/rcd0c -R -J /home/sidhu/seema_mac

They say you can keep adding data with the same command as above, just
change the last "/home" directory. Keep all the other options the same.

FOURTH, close the burn
# growisofs -M /dev/rcd0c=/dev/zero

FINALLY, mount it
# mount -o ro /dev/cd0a /mnt

See, that cd0a from dmesg does come handy.

Mehma

Re: hw.sensors jumping up and down

[mehma sarja]

On Sun, Jan 3, 2010 at 6:22 PM, frantisek holop  wrote:

> hi there,
>
> i have noticed that my hw sensors ouput is changing
> in a disturbing way (notice temp0):
>
> day 1:
> hw.sensors.it0.temp0=255.00 degC
> hw.sensors.it0.fan0=5625 RPM
> hw.sensors.it0.fan1=0 RPM
> hw.sensors.it0.fan2=0 RPM
>
> day 2:
> hw.sensors.it0.temp0=0.00 degC
> hw.sensors.it0.fan0=5625 RPM
> hw.sensors.it0.fan1=0 RPM
> hw.sensors.it0.fan2=0 RPM
>
> day 3:
> hw.sensors.it0.temp0=255.00 degC
> hw.sensors.it0.fan0=5443 RPM
> hw.sensors.it0.fan1=0 RPM
> hw.sensors.it0.fan2=0 RPM
>
> should i be worried?
>
>
> I see two of three fans dead. And 255 deg C is not believable.

Mehma
===

Re: GNOBSD-Project introduction

[mehma sarja]

> > Stefan Rinkes
> > wrote:
> > > Hello,
> > >
> > > My name is Stefan Rinkes. I'm from munich in germany
> > and I want to introduce my OpenBSD-Project.
>



> Stefan, you seem like a programmer dude looking to contribute to The Cause.
> Would you be interested in contributing your skills to OpenBSD?
>
> Mehma
> ===

Re: Books on reverse engineering?

[mehma sarja]

I second that notion.

Mehma
===

On Thu, Jan 21, 2010 at 2:19 PM, Owain Ainsworth wrote:

> As someone who went from "knowing a small amount of C " to hacking the
> kernel, i call bullshit on your assumptions here.
>
> On 1/21/10, Tobias Ulmer  wrote:
> > On Wed, Jan 20, 2010 at 05:52:52PM -0800, James Hozier wrote:
> >> With every single laptop I've bought/been given over the years, I
> >> was able to run OpenBSD on them almost flawlessly save a few
> >> quick/simple hacks to make anything that didn't work, work.
> >>
> >> The one main issue I've had with ALL of them was the wireless
> >> card...maybe I was just unlucky to have gotten ones with crappy
> >> chipsets (like this Broadcom I have now which is totally useless...
> >> I want to stomp on it real badly) but nonetheless it pisses me off.
> >>
> >> I want to try and help solve my own problems as well as for the OBSD
> >> community who might also have this particular issue, so I'm looking
> >> to research on how to reverse engineer these things and write drivers
> >> for them.
> >>
> >> I know it's not easy, even though I don't understand how hard it is
> >> because I've never done it before, but I do hear that if there's a
> >> hell, it's a place where people are sent to do this for eternity.
> >>
> >> So with that reference in mind, would anyone experienced care to point
> >> me in some correct direction? (Which texts to read, which programming
> >> language(s) to focus on, etc.)
> >
> > - C
> > - any intro/boot to x86 assembly; to get the basics
> > - intel cpu pdfs
> > - ida pro / ollydbg
> > - something on computer architecture.
> > - windows ddk to get an idea how drivers work on windows, possibly book
> >   on same topic.
> > - BSD basics (McKusick, Bach, etc) + whatever you can get your hands on
> > - Device is connected via a BUS to CPU -> docs.
> > - IEEE standards
> > - any other docs.
> > - more of the same
> > - Read lots of code.
> > - supertanker sized amounts of experience
> > - ability to research stuff yourself, without asking on a ml
> > - etc
> >
> > Your question is naive. If you were up to it, you wouldn't have to ask
> > the equivalent of "How do I become an awesome hacker?".
> >
> > Writing this up was and is a waste of time, it will never happen.
> >
> >
>
> --
> Sent from my mobile device

Re: PowerEdge 850 for a small office firewall

[mehma sarja]

I am running an embedded 533 MHz with 256 MB memory and it is woefully
inadequate for an office setting. Even for a home setting which wants stuff
like snort running as well. I would WAG atleast a 2 GB memory and the Atoms
max out at that...? If the firewall will be doing other stuff like snort,
vpn, dns, dhcp, nat, (I am talking pfSense here), then 2 GB is rather short
and I'd like to see a beefier CPU as well. So, the question really is what
all are you going to be doing with it?

Mehma
===

On Tue, Jan 26, 2010 at 1:46 PM, Martin Schrvder  wrote:

> 2010/1/26  :
> > The hardware I'm considering is a Dell PowerEdge 850 server with four GbE
> NICs (two built-in and two on an expansion card)
> >
> > We have 25 people on a private IP subnet NATed to a handful of public IPs
> >
> > We'll be using a high-speed cable modem connection - 50 Mbps down/10Mbps
> up - as our primary Internet link, with a slower aDSL link as a backup.
> >
> > In addition to the PF firewall I want to use the box as an (bridged)
> OpenVPN endpoint for 3-5 folks.
>
> I'm curious if this
>
>
http://www.lannerinc.com/Network_Application_Platforms/Desktop-Fanless_Applia
nces/FW-7530
> would be enough for this.
>
> Best
> Martin

Re: Fw: pico and/or nano in the releases and snapshots

[mehma sarja]

He's not asking you to do it, it is all up to the LordKrsna in this
case.

Mehma
===

On Wed, Feb 3, 2010 at 4:35 PM, Scott McEachern  wrote:

> Giridhari wrote:
>
> blah blah
>
>> pico or nano
>>
> blah blah
>
>> part of the distribution.
>>
> and more blah blah blah.
>
> All that because you find 'pkg_add pico" or "pkg_add nano" too difficult to
> type?
>
> --
>
> -RSM
>
> http://www.erratic.ca

Re: OT: opinions on IDS / IPS solutions

[mehma sarja]

 Don't bypass Snort because PFSense package makes it so easy to install and
configure. A a one-click install of Snort and the only thing left to do was
register and select what you want it to do.

Mehma
===
On Wed, Feb 17, 2010 at 8:28 PM, Johan Beisser  wrote:

> On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin 
> wrote:
> > From a compliance perspective, I don't have much choice. From the
> > costs, infrastructure, and administrative perspectives, I am currently
> > evaluating whether or not I should be leaning towards and IDS or IPS
> > solution, and of course which system/vendor. My understanding is that
> > something like snort requires a fair bit of maintenance and
> > IT-attention, the trade-off being cost, so I am leaning away from
> > this. Between detection and prevention, preventing break-ins seems a
> > bit sillier than trying to actively monitor what's going on and to
> > then look for threats, so this pushes me more towards IDS over IPS.
>
> I agree with you. High rates of false positives, but fairly low rates
> of false negatives. Once the care and feeding is taken care of
> (turning off everything and gradually fine tuning to your current
> traffic helps), they're useful for alerting against unusual traffic
> leaving your network; not so much against automated attacks coming in
> the network. My own deployments are specifically to monitor for odd
> outbound traffic from my office. It's a rapid way to find out about
> the latest trojan, worm, or other infection my users have brought in
> on their laptops.
>
> That said, the usefulness of an IDP is specifically preventing most
> automated and known attacks from passing in to your network. By using
> one of the commercial systems, you gain support, tuning, and the fact
> that you don't have to spend as much time with the care and feeding or
> writing/testing new rulesets against your current version.
>
> As a compliance feature, I've found most administrators put them in
> place and promptly turn the reporting off due to the high rate of
> false positives reducing the signal from the noise.
>
> jb

Re: OT: opinions on IDS / IPS solutions

[mehma sarja]

Jason,

I was trying to communicate my very small and limited experience with Snort
on a PFSense appliance (FreeBSD + pf). The install and configuration is
easy. I cannot speak to on-going maintenance on a big network.

Mehma
===


On Thu, Feb 18, 2010 at 6:30 AM, Jason Beaudoin wrote:

> On Wed, Feb 17, 2010 at 11:47 PM, mehma sarja 
> wrote:
> >  Don't bypass Snort because PFSense package makes it so easy to install
> and
> > configure. A a one-click install of Snort and the only thing left to do
> was
> > register and select what you want it to do.
> >
> > Mehma
>
> Hi Mehma,
>
> I'm hoping you can expand on this - maybe it is just me, but I'm not
> quite sure what you're trying to say or communicate.

Re: nfsv4?

[Mehma Sarja]

On 10/27/10 1:58 PM, James A. Peltier wrote:

Now, that said, is there anything that you could recommend instead of NFSv4 for 
offering secure file services to multiple platforms?  My research only led me 
to NFSv4 and AFS, and AFS would have been a much, much larger project for us 
than a move to NFSv4 from NFSv3 w/Samba re-shares.
   

I wonder how stable sshfs is under heavy useage. Anyone know?

Mehma

Re: help

[Mehma Sarja]

On 11/8/10 4:29 AM, Ed Ahlsen-Girard wrote:

From:   Armando
Date:   2010-11-08 12:00:56
   

  On 11/08/2010 12:49 PM, Scott McEachern wrote:
 

On 11/08/10 06:40, Gaby Vanhegan wrote:
   

On 8 Nov 2010, at 11:33, Joe Warren-Meeks wrote:

 

On 8 November 2010 10:46, steve   wrote:
   

help
 

I need somebody.
   

help...

 

Not just anybody.

   

help..
 

You know I need someone

   

Help me if you can

Re: Donations

[Mehma Sarja]

On 12/9/10 4:54 AM, Chandrakant Kumar wrote:

On Thursday 09 December 2010 05:39 PM, Hugo Osvaldo Barrera wrote:

On 05/12/10 23:04, Adam M. Dutko wrote:

I hope that one day due process is denied you.


I am wondering what type of due process should be granted to these
individuals.  What basis/jurisdiction of law are we talking about?  
Natural
human rights? US law? International Law?  I'm just wondering because 
I think
it's critical to the whole discussion.  Julian Assange isn't a US 
citizen so
the US Government probably feels justified doing whatever they want 
even if
it is "unethical", yet many think he should be protected by some of 
the US

justice code/process.  Is due process universal?



If I kill a cow, should I be deported to India, and processed there 
for that crime?  (Note that in most parts of india, it IS a crime).
Oh, I live in Argentina, the largest exporter of cow-meat.  Maybe we 
should all be deported there.


--
Hugo Osvaldo Barrera



We are waiting for you here in India ;)

That's why Americans call cowburgers hamburgers, for fear of 
repercussions from the holy land. But seriously, re-incarnation takes 
care of all that. Meaning, if you kill a cow in this life, you come back 
as a cow and someone can kill you. It's the Indian version of an eye for 
an eye.


Mehma

Re: OpenBSD-capable, fanless, diskful computer with ECC RAM

[Mehma Sarja]

On 12/9/10 4:47 PM, Joe S wrote:

On Fri, Oct 29, 2010 at 5:14 PM, Damien Miller  wrote:
   

Hi,

Can anyone recommend a small, fanless computer that will accept a HD (perhaps
a 2.5" drive) that uses ECC RAM? Needless to say, it must run OpenBSD.

Being 64 bit, having accellerated crypto and/or supporting multiple drives
would be bonus points, but are not required.

 

Did you ever find a suitable system? I want to do the same for home.
I'm leaning towards one of the supermicro atom based boards in a
mini-itx case.

   
I have a supermicro atom(D510) system with a 32 GB SSD in it running 
pfsense (FreeBSD) and IPMI - 4 GB RAM MAX. It is not fanless but that 
can be easily remedied with a fanless PS. Habey is putting out an Atom 
(D252) server which looks competitive($260) with DDR3 RAM (2GB max) but 
I don't know it's track record - 
http://www.linuxfordevices.com/c/a/News/Habey-EPC6566/


Mehma

Re: Please help me decide: OpenWrt vs. OpenBSD

[Mehma Sarja]

On 1/20/11 1:32 PM, Aaron Glenn wrote:

On Thu, Jan 20, 2011 at 9:07 PM, Stuart Henderson  wrote:
   

[stuff]

it took a full 8 replies to get to the correct response?
now I understand why enlightened people find misc@ complete noise with
negligible signal.

   
I find the list very informative. But then "sometimes I sits and thinks 
and sometimes I just sits."


Mehma