release and patch/errata info in (easily) machine readable format?

2015-12-05 Thread openbsd-misc
I mostly follow -stable, and have scripts/tools that enable me to (re)build
stable from source with minimal human intervention.

To further automate this process, it would be helpful to have the current
release number and (at least) the most current patch number.

Obviously this information is clearly documented in various web pages, and if
absolutely necessary,
I could extend my toolset to scrape this info from the website and/or the www
directory in CVS,
but I am wondering if this information is already available somewhere as
data?

I've found that www/build/Makefile contains:

STABLE_VERSION= 5.8

So that is one place I could look, although I am not excited about having to
parse a Makefile either, but I haven’t yet
found anyplace where the patch numbers are available as non-html data.

One approach would be to scrape http://www.openbsd.org/errata.html
, and figure out the release numbers, and
then scrape the errata page of a particular release to obtain the patch
numbers.

Is this information available somewhere in the tree in some easily parseable
format (YAML, JSON, etc) ?

If not, I’ll proceed to scrape this info.

It seems to me that the errata.html and errata.html files could be
generated from the kind of data source
I’m describing, and that both the resulting html files AND the data source
file could then be statically served from the website.
If this isn’t the way these files are generated today, and if there were
interest in migrating to this approach, I would
be willing to develop and contribute the code to implement that…



Re: release and patch/errata info in (easily) machine readable format?

2015-12-05 Thread openbsd-misc
> On Dec 5, 2015, at 11:51 AM, trondd  wrote:
>
> On Sat, December 5, 2015 2:20 pm, openbsd-m...@clark-communications.com
> wrote:
>> I mostly follow -stable, and have scripts/tools that enable me to
>> (re)build
>> stable from source with minimal human intervention.
>>
>> To further automate this process, it would be helpful to have the current
>> release number and (at least) the most current patch number.
>
> What is your build process?  The machine doing the build is running the
> same version it's building, right?  Does 'uname -r' not work for you?

My build process begins outside of OpenBSD itself, so if I do not have a
machine running the current release version,
a machine running that release needs to be created.  There are several ways to
make that happen, and currently
I spin up a virtual machine.  At the moment, this is not an automated part of
my process, but I would like to make it so...

> As for the patch number, someone can correct me if I am wrong, but I don't
> believe it is recorded anywhere else.  I used to parse the errata page but
> to be kinder to the server, I started parsing my local mirror which I
> actually found to be easier to get the info from.

Yes, if I end up writing a scraper, I will very likely obtain the html pages
from the www directory of my local CVS mirror, rather than making http
requests
of the OpenBSD website.  In addition to reducing bandwidth demands of the
website, getting the information from my local mirror might lower the risk
that the website is more recent than my local mirror....

Another nice piece of data to have about a patch level would be the revision
number in CVS for that patch.
At present, the only place I see that information is inside the patch.sig
file, e.g.


http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/004_smtpd.patch.sig

If I had that, I could ensure that the release I am about to build actually
contains the changes indicated by the patch level.
I am not looking forward to parsing these .sig files either :-(

> I maintain a "patchlevel" file on each system to keep track of what patch
> I have applied and I check it against the patches on my mirror in
> daily.local so I keep getting notified of out of date systems.  I also add
> it to the motd so I see it when I log in, as well.
>
> I prefer this slightly manual intervention because I like to know what is
> changing on my systems.  I'm already patching manually, so also
> maintaining the patchlevel file is minor.

My approach is to build an entire new release for the current patch level.
I understand this is way overkill, but given that it is a (mostly) automated
process, I prefer this
approach to manually applying and rebuilding....

I don’t apply patches to running systems, I re-install them from scratch,
and automated
configuration management restores the system to where it should be.

I do not now, nor envision, that the re-imaging of a machine would happen
automatically.

I can imagine that at some point I can have my build system send me a
notification that a new patch is available, and a bit later,
that a new release has been built and is available for installation, if/when I
so choose.

Your idea of a patch level file and adding that to motd is great,  I will add
that to my configuration management, just to make it obvious when shelling
into a server.
A follow-on addition to that idea is to add a “patch level fact” to one's
configuration management tool of choice, so that the patch level is
reported….
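The two data sources discussed in this thread (the STABLE_VERSION= line in www/build/Makefile and the patch file links on the errata page), plus trondd's idea of checking a local patchlevel against the newest patch, as an added example that is not code from either poster. The Makefile and errata inputs below are constructed samples; only STABLE_VERSION= 5.8 and 004_smtpd appear in the thread, the other patch names are made up, and the patchlevel file is assumed to hold a single integer.

```python
import re

# The Makefile line quoted in the thread looks like:  STABLE_VERSION= 5.8
STABLE_VERSION_RE = re.compile(
    r"^\s*STABLE_VERSION\s*=\s*(\d+\.\d+)\s*$", re.MULTILINE)

# Patch files are published as <release>/<arch>/NNN_name.patch.sig under
# pub/OpenBSD/patches/, e.g. 5.8/common/004_smtpd.patch.sig from the thread.
# The .sig is a signify(1)-signed patch: verify it before applying anything.
PATCH_RE = re.compile(
    r"/(\d+\.\d+)/([a-z0-9]+)/(\d{3})_([A-Za-z0-9]+)\.patch\.sig")


def stable_version(makefile_text):
    """Return the release number from www/build/Makefile text."""
    m = STABLE_VERSION_RE.search(makefile_text)
    if m is None:
        raise ValueError("no STABLE_VERSION= line found")
    return m.group(1)


def patches_from_errata(html, release):
    """Return sorted (number, name, arch) tuples for patches of `release`.

    Only the patch-file links are parsed, so the HTML layout around them
    does not matter; links for other releases are ignored and a patch
    linked twice is counted once.
    """
    found = {}
    for rel, arch, num, name in PATCH_RE.findall(html):
        if rel == release:
            found.setdefault(int(num), (name, arch))
    return [(n,) + found[n] for n in sorted(found)]


def latest_patch(patches):
    """Highest patch number seen, or 0 when the release has no errata yet."""
    return patches[-1][0] if patches else 0


def missing_patches(local_level, patches):
    """Patch ids newer than the level recorded in a local patchlevel file."""
    return ["%03d_%s" % (n, name)
            for n, name, _arch in patches if n > local_level]


# Constructed sample inputs (see lead-in); not real OpenBSD www content.
SAMPLE_MAKEFILE = """\
# constructed excerpt of www/build/Makefile
STABLE_VERSION= 5.8
"""

SAMPLE_ERRATA = """\
<html><body><h2>OpenBSD 5.8 errata (constructed sample)</h2><ul>
<li><a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/001_alpha.patch.sig">001_alpha</a>
<li><a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/002_bravo.patch.sig">002_bravo</a>
<li><a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/i386/003_charlie.patch.sig">003_charlie</a>
<li><a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/004_smtpd.patch.sig">004_smtpd</a>
<li><a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/009_stale.patch.sig">old release</a>
</ul></body></html>
"""


def report(makefile_text, errata_html, local_level):
    """Combine the three steps; returns (release, latest, missing)."""
    release = stable_version(makefile_text)
    patches = patches_from_errata(errata_html, release)
    return release, latest_patch(patches), missing_patches(local_level, patches)


if __name__ == "__main__":
    # A box whose patchlevel file says 2 is behind 003 and 004.
    rel, latest, missing = report(SAMPLE_MAKEFILE, SAMPLE_ERRATA, 2)
    print("release %s, latest patch %03d" % (rel, latest))
    for p in missing:
        print("missing:", p)
```

Feeding the real files from a local CVS mirror of www/ instead of the samples keeps the check off the public web server, as the thread suggests.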



Re: Multiple obsd installations on one harddrive

2009-03-27 Thread openbsd misc
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On Behalf Of Ingo Schwarze
> Sent: Friday, 27 March 2009 03:12
> To: Volpers, Hagen
> Cc: misc@openbsd.org
> Subject: Re: Multiple obsd installations on one harddrive
>
> Volpers, Hagen wrote on Fri, Mar 27, 2009 at 01:56:07AM +0100:
>
> > But I think there is a misunderstanding. I was talking about, mmhh,
> > let's say fdisk partitions. I want to create two absolutely independent
> > installations. My problem is, that disklabel always uses the whole
> > disc (c:), I'm not able to switch between the
> fdisk-partitions (wd0 /
> > rwd0c is always the same).
>
> According to the disklabel(8) manual, the disklabel refers to
> the whole
> disk.  I never heard that anybody tried to trick a disk into
> having one
> disklabel for its first part and a second disklabel for its
> second part.
> Also, i see no point in that.  That disklabel just cuts the disk into
> slices to put filesystems in.  In any case, you will only mount those
> filesystems that you want to work with right now.  It does no harm if
> the disklabel contains some more slices you don't use.  Why would you
> want to split the disklabel into two parts?  In my eyes, that
> would seem
> to be an unnecessary complication and obfuscation.
>
> > If I got you right you created something like this:
> >
> > wd0a: /root1
> > wd0b: "shared" swap
> > wd0d: /root2
> > [...]
>
> Yes.
>
> If you install once to wd0a and once to wd0d, these two installations
> *are* completely independent - even if you share /tmp and /home.
> Of course, pay attention not to share /usr (for obvious reasons)
> or /var (think of /var/db/pkg!).
>
> > That means that you only switch the mount-point during installation,
> > keeping the partitions untouched, right?
>
> Yes.

Ok, tried it, but disklabel always wants to use wd0a as root partition. That's
what disklabel(8) says:

"By convention, the `a' partition of the boot disk is the root
partition, and the `b' partition of the boot disk is the swap partition,
but all other letters can be used in any order for any other partitions
as desired."

How did you do the install?

Another problem is the bootloader. AFAIK you can only define the hd and
fdisk-partition, not the disklabel-partition to boot from.

Could you please give me some more information about your setup?

Regards
  Hagen Volpers



Re: Multiple obsd installations on one harddrive

2009-03-28 Thread openbsd misc
> -Original Message-
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On Behalf Of Mike Erdely
> Sent: Friday, 27 March 2009 20:25
> To: misc(at)openbsd.org
> Cc: misc@openbsd.org
> Subject: Re: Multiple obsd installations on one harddrive
>
> On Fri, Mar 27, 2009 at 12:38:27AM +0100, misc(at)openbsd.org wrote:
> > I have a question regarding openbsd and partitions. I want
> to have more
> > than one obsd installation on one harddrive. The idea behind that
> > question is to be able to install a newer release in
> parallel, chroot
> > into it, compile stuff, install packages etc and boot into that
> > partition when it's done. I want to avoid onside
> reinstallations (and I
> > don't want to have several old versions of libs, in short,
> the default
> > patch-way).
> > I don't know if that is a good idea, perhaps there is a
> much easier way.
>
> Here's how I did it:
> http://erdelynet.com/tech/openbsd/2nd-install-1-disk/
>

That's what I was looking for, thanks a lot.

Regards
  Hagen Volpers



Re: European orders

2009-03-30 Thread openbsd misc
Damn, this is degenerating into mud slinging bollocks, what with

"full value", owed for CD Sales , transfers of undisclosed amounts -
some clear facts would be nice, this sounds like waffle.

 1. There appear to be no contracts, so Theo and Wim or the bodies
they represent or act for, have no written agreement as to what the
involved parties were supposed to do, if that is true then that is a major
 governance shortcoming and whoever let this situation come to pass
 needs a good kicking, in essence you've gotten the fucking mess
 you deserve and whoever is responsible for openbsd's legal governance
(if anyone) should stand up and take the blame and sort it out.

 2. Because there is no contract, now we descend into
 He said, I said and other equivalent bollocks that really no-one can verify
 or substantiate as there appear to be no documents or agreements
or contracts that we can verify against.

 3. If KD85 is delinquent in payments - who are the amounts owed to. is it ?

 a) The Computer Store for the supply of goods. Which I assumed are covered
by some terms and conditions and invoice terms.
 b) Some legal entity that represents Openbsd, which is owed money for
something,
 what for, it is not exactly clear - is it a revenue share from
T-Shirts, Posters, fsking plush toys ?
. And where is the agreement covering the terms of this. ?
 c) Theo personally for something.

 4. Donations - I would have assumed they are property of the legal
entity which is
 Openbsd's foundation, so if that entity doesn't account clearly for
donations and
doesn't maintain some financial accounts that reflect where,who,when
and what it was used for - then you fucking well deserve this mess.

*years* in paying the full value - what the hell does this mean
?,full-value ??? ,surely there is a declared invoice value which gets
paid, you can't really retrospectively
change the invoices.


If the Computer store is owed money , then there should be outstanding
invoice amounts -
so either there are outstanding amounts
or there are not-
if this is some weirdo retrospective thing where one party wants to now get
extra payment for something that was never invoiced for
and is not covered by something verifiable, then good luck to you.

This is a mess and worse it's a stupid mess, and forming up
blindly to support one party or the other is stupid too.

No agreements, less than clear facts, mud slinging == a recipe for disaster

Someone get in the middle and mediate, someone who both parties trust,
and get it
sorted as this is going downhill fast.



Re: where to order now ?

2009-04-02 Thread openbsd misc
On Thu, Apr 2, 2009 at 11:48 PM, Theo de Raadt  wrote:
>> I see OpenBSDEurope appear to advertise the CDs for about 30 euro a
>> pop: http://www.openbsdeurope.com/45.htm
>>
>> Other sellers offer the CDs for the usual 50 euro.
>> Does the lower price @ openbsdeurope mean they have smaller margins or
>> OpenBSD.org gets less money, or both?
>
> It means they intend to operate with smaller margins.
>
> I never did understand Wim's math.
>
>
Well I'm glad we can easily order CD's again - I've just placed my
order and as well as the lower CD set price, I thought for once the
international shipping was very reasonable at eur 1.75.



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread openbsd misc
> You can either read the code or listen to somebody who has.  I don't
> know you either, but I know Henning and I know the bridge code, and
> the short version is he's right.
>
>
Has anyone noticed

 That if you substitute Bible for code, in the section quoted above,
it's like listening to someone who believes in a technical
high-priesthood - all blessed with the doctrine of technical
infallibility
which is great if you like dogma and blind faith. For me the
occasional rational explanation for why not to do something with a
little concrete technical backup to support the assertion, is usually
more useful.

;)



Re: OT: 10GbE Physical Network Taps

2009-05-06 Thread openbsd misc
On Wed, May 6, 2009 at 3:42 PM, Diana Eichert  wrote:
> On Wed, 6 May 2009, J.C. Roberts wrote:
>
>> I need to collect raw throughput statistics without increasing latency
>> or reducing bandwidth on 10GbE fiber links, so most of the typical
>> methods are out of the question (i.e. like bridging, SPAN sessions on a
>> switch, ...). As far as my understanding allows, I believe the best way
>> to do this is with a physical network tap connected to monitoring
>> equipment. I figure folks running/maintaining OpenBSD firewalls might
>> be familiar with using physical network taps for deploying IDS/IPS since
>> using bridges on such systems is a "Bad Idea" (R)(TM).
>>
>> I've found one company [1] which offers what I need, but I was wondering
>> if anyone can recommend a vendor of physical network taps?
>>
>> Thanks,
>> jcr
>>
>>
>> [1] http://www.networktaps.com/products/index.html
>>
>> --
>> J.C. Roberts
>
> JC
>
> We use physical taps at work, when I get the chance I'll take a look at
> the vendor.
>
> Also, you really think you can capture 10GE? Chuckle, good luck.
>
> diana
>
>


   NSA, MI(x)/GCHQ, ASIO and their vendor friends would beg to differ.

 I can't see any black helicopters and my tin foil hat fits fine,
thanks for asking.



Atheros AR9001U chipset - maybe Otus driver ?

2009-05-13 Thread openbsd misc
 I was given an AVM FRITZ!WLAN USB Stick N and I found some references to it in
a man page for the otus driver (rel 1.3 and 1.4).

 However searching the man pages
via openbsd.org I can't find any mention of a released otus driver at
least in 4.5 (as
per my official CD).

Also I noticed this line in the web page for changes between 4.5 and -current
"Enabled otus(4) on amd64 and i386 GENERIC kernels."
 But clicking on the otus(4)  link,
gives me Sorry, no data found for `otus(4)'.

Can anyone shed any light on what the odds are of getting this device working ?


If I plug it in to my old t22 Thinkpad  (usb 1.1 I'm guessing) it
picks it up as a mass storage device

Thanks

uname  4.5 Generic 1749 i386



dmesg


Re: Atheros AR9001U chipset - maybe Otus driver ?

2009-05-13 Thread openbsd misc
lk-Only
scsibus1 at umass0: 2 targets, initiator 0
cd1 at scsibus1 targ 1 lun 0:  ATAPI
5/cdrom removable
cd1 detached
scsibus1 detached
umass0 detached
otus0 at uhub0 port 1 "AVM Berlin FRITZ!WLAN USB Stick N" rev 2.00/4.03 addr
2
otus0: could not load init firmware
RX status=13
RX status=6
otus0 detached
umass0 at uhub0 port 1 configuration 1 interface 0 "AVM Berlin
FRITZ!WLAN USB Stick N" rev 2.00/4.03 addr 2
umass0: using ATAPI over Bulk-Only
scsibus1 at umass0: 2 targets, initiator 0
cd1 at scsibus1 targ 1 lun 0:  ATAPI
5/cdrom removable
cd1 detached
scsibus1 detached
umass0 detached
otus0 at uhub0 port 1 "AVM Berlin FRITZ!WLAN USB Stick N" rev 2.00/4.03 addr
2
otus0: could not load init firmware




On Wed, May 13, 2009 at 1:23 PM, Stuart Henderson 
wrote:
> try -current.
>
>
> On 2009-05-13, openbsd misc  wrote:
>>  I was given a AVM FRITZ!WLAN USB Stick N and I found some references to it
in
>> a man page for otus driver (rel 1.3 and 1.4).
>>
>>  However searching the man pages
>> via openbsd.org I can't find any mention of a released otus driver at
>> least in 4.5 (as
>> per my official CD).
>>
>> Also I noticed this line in the web page for changes between 4.5 and
-current
>> "Enabled otus(4) on amd64 and i386 GENERIC kernels."
>>  But clicking on the otus(4)  link,
>> gives me Sorry, no data found for `otus(4)'.
>>
>> Can anyone shed any light on what the odds are of getting this device
working ?
>>
>>
>> If I plug it in to my old t22 Thinkpad  (usb 1.1 I'm guessing) it
>> picks it up as a mass storage device
>>
>> Thanks
>>
>> uname  4.5 Generic 1749 i386
>>
>>
>>
>> dmesg
>>

Re: What is our ultimate goal??

2008-02-17 Thread openbsd misc
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Tony Abernethy
> Sent: Sunday, 17 February 2008 13:20
> To: 'Mayuresh Kathe'; 'OpenBSD-Misc'
> Subject: Re: What is our ultimate goal??
>
> Mayuresh Kathe wrote:
> >
> > OpenBSD is an OS with amazing security and stability, but it has too
> > few modern features.
> >
> H   related?
>
>

E.g. wpa[2] is one of the features I miss because I want to use OpenBSD as
Firewall / Access Point (SOHO customers)... VPN is not an option, because
Windows clients need network at startup.

From my POV there are not many features missing, but I don't use OpenBSD as
desktop-system.


Regards
  Hagen Volpers



Re: What is our ultimate goal??

2008-02-18 Thread openbsd misc
> -Original Message-
> From: David Higgs [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 17 February 2008 16:54
> To: openbsd misc
> Cc: OpenBSD-Misc
> Subject: Re: What is our ultimate goal??
>
> On Feb 17, 2008 7:36 AM, openbsd misc
> <[EMAIL PROTECTED]> wrote:
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of Tony Abernethy
> > > Sent: Sunday, 17 February 2008 13:20
> > > To: 'Mayuresh Kathe'; 'OpenBSD-Misc'
> > > Subject: Re: What is our ultimate goal??
> >
> > >
> > > Mayuresh Kathe wrote:
> > > >
> > > > OpenBSD is an OS with amazing security and stability,
> but it has too
> > > > few modern features.
> > > >
> > > H   related?
> > >
> > >
> >
> > E.g. wpa[2] is one of the features I miss because I want to
> use OpenBSD as
> > Firewall / Access Point (SOHO customers)... VPN is not an
> option, because
> > Windows clients need network at startup.
>
> If WPA2 is considered secure and widespread, it will likely be added
> to OpenBSD at some point.  Even more likely if it's been added to a
> relatively unmodified portion of NetBSD or FreeBSD.
>
> Is IPSEC an option for your SOHO customers?
>
> VPN could be an option, though it's definitely not as simple.  OpenVPN
> clients are available for both Windows and OS X.  You could distribute
> binaries and keys via USB drive or a local SSL-enabled webserver.
> There's been other discussions on-list about reducing your exposure to
> wireless sniffers.
>
> --david
>

Hello,

this is not an option to me. My customers don't have administration rights -
AFAIK you can't use openvpn without admin rights, the only solution is to run
openvpn as a service. Therefore I need to configure openvpn to poll all possible
locations - I don't think that's the way it should go.
My POV is: there are two "standards" (I know that wpa isn't a real standard,
but AFAIK wpa2 is) to secure wireless lan. It's the easiest configuration
because even a non-administrative user can configure it. I accept that there
are better or more secure ways, but I need a handy solution, too. Some
customers use the AP for their private PCs, too - I don't want to administer
every private device using wireless lan and my customers don't want 20 boxes
@home.
I'm not a developer so I'm not able to do the task on my own - I asked if I
can help with hardware or something like that so the development will start
(or go on?) but it looks like none of the developers (currently) needs
wpa[1/2] :(

Regards
  Hagen Volpers



Re: Regarding MTU values on 802.1q trunked physical interfaces (and more)

2008-03-06 Thread openbsd misc
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of George Paschos
> Sent: Thursday, 6 March 2008 11:47
> To: misc@openbsd.org
> Subject: Regarding MTU values on 802.1q trunked physical
> interfaces (and more)
>
> Hello all,
>
> I am a bit confused regarding the MTU value of the physical ethernet
> interfaces when there are vlan child interfaces configured,
> in regard to
> avoid unneeded fragmentation:
>
> "ifconfig" shows an MTU of 1500 for both the parent and the vlan
> interface. Should I increase by hand the mtu of the physical parent
> interface to accommodate the extra bytes for the vlan tags or this is
> taken care from the operating system someway when you define
> a physical
> interface as parent to a vlan one?
>
> Also as an extension to the previous question:
> When using IPSEC tunnels under openbsd, is there a need to
> increase the
> physical interface's MTU to accommodate ipsec overhead? And
> if yes, what
> would be that "magic" value from your experience?
> enc0 reports an MTU of 1536 which sounds logical, but that wouldn't
> prevent fragmentation if the interface that the ipsec traffic
> originates/terminates is at 1500.
> Ofc regarding the above, the rest of networking equipment between the
> ipsec endpoints (switches, routers, etc) has been configured to handle
> correctly the bigger mtu values.
>
> Thanks in advance on any insight
>
> Regards,
> George
>
>

Hello,

AFAIK the VLAN "overhead" should be handled by your nic (driver) - the mtu set
to 1500 is the packet size without (jumbo frame) extensions - my understanding
is, that it is the same for ipsec - as long as the frame that should go
through the tunnel has a size <= 1500 fragmentation will not take place, the
ipsec interface itself needs the overhead (1536 - 1500) for the ipsec tunnel.
You see the difference because it's software, not nic/driver ...

Correct me, if I'm wrong ... ;)

Regards
  Hagen Volpers

P.S.: Sorry for my bad english ...



Re: Limit ssh bandwidth

2008-03-10 Thread openbsd misc
Hello,

perhaps this helps:

man scp:

 -l limit
 Limits the used bandwidth, specified in Kbit/s.

Regards
  Hagen Volpers

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Marc Rene Arns
> Sent: Monday, 10 March 2008 19:30
> To: misc@openbsd.org
> Subject: Limit ssh bandwidth
>
> Hi,
>
> for my client I have set up a mini sftp-Server (on Windows
> in their Intranet)
> and on my webserver (FreeBSD) there is a cronjob looking for
> new files to
> load them via sftp/ssh to the webserver.
>
> Now we need to limit the bandwidth of the sftp-uploads (ADSL).
>
> For several reasons it would be better, if I could limit the
> traffic on the
> webserver side. I thought, I would configure pf with altq to
> limit the
> bandwidth of the ssh-client.
>
>
> 
> Intranet   |   | Webserver
> sftpd   ==> ssh-client (cron)
> limited|   |  pf / altq
> upload bw   |   |
> |  | 
>
> Now the idea was to force the sftpd to use less bandwidth by
> limiting the
> bandwidth of the ssh-client (via pf).
>
> As I read on http://www.openbsd.org/faq/pf/queueing.html altq
> limits by
> dropping packets. So I am not sure if this would cause the
> sftpd to send less
> packets. I would even expect that the sftpd would send more
> packets to
> compensate the lost ones and therefore use even more bandwidth.
>
> Or is it part of the ssh protocol to agree on a lower
> bandwidth based on the
> number of lost packets?
>
> Perhaps there is a way for the ssh-client to tell the sftpd
> how much bandwidth
> to use?
>
> Is there a way to solve this without QoS on the sftpd side?
>
> Regards,
> Benny



Re: What is WPA status in OpenBSD

2008-03-12 Thread openbsd misc
Hello,

Is there a way to support as a non-developer ... Unfortunately I'm not a developer
so I can't help code, but if I can do something else let me know.

Regards
  Hagen Volpers


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Damien Bergamini
> Sent: Wednesday, 12 March 2008 19:49
> To: Dominik Zalewski
> Cc: misc@openbsd.org
> Subject: Re: What is WPA status in OpenBSD
>
> I still have plans to continue the WPA work in the near future.
> No estimated time of arrival though, especially as I tend to
> become lazy
> as I get older.
>
> Damien
>
>
> | Dear All,
> |
> | I would love to use OpenBSD on my laptop but the problems
> is that most of
> | my work places use WPA encrypted wireless networks
> |
> | So what is a status of WPA support in OpenBSD? I know that
> a lot of people
> | ask about this.
> |
> | Last cvs commit I found with some work done with WPA is
> from 2007/08/22
> |
> | http://marc.info/?l=openbsd-cvs&m=118781535213730&w=2
> |
> | No active work with WPA  in OpenBSD 4.3 or -current?
> |
> | P.S. I'm not waiting for a kind of reply like: "WPA is bad - use VPN
> | tunnels" ;)
> |
> | Thank you,
> |
> | -
> | Dominik Zalewski | System Administrator
> | OpenCraft
> | t- +2 02 3336 0003
> | w- http://www.open-craft.com



Re: soekris/pcenginges and RO mounting

2008-03-25 Thread openbsd misc
Hello,

I use flashdist:

http://www.nmedia.net/flashdist/

It's easy to use and easy to customize.

Regards
  Hagen Volpers


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Martin Marcher
> Sent: Sunday, 23 March 2008 15:18
> To: misc@openbsd.org
> Subject: soekris/pcenginges and RO mounting
>
> Hello,
>
> being relatively new to obsd I have the problem of finding
> the right doc parts.
>
> What I'm looking for are starting points to read about what to do when
> RO mounting the root fs (and all other parts) especially on CF-media.
>
> So my ultimate target would be to:
>
>  * mount as much as possible RO
>  * still have system logging available (nfs mounting, logserver,
> whatever suits best - any pointers welcome)
>  * main concern is exhaustion of write cycles on CF media
>
> usage of the box will be a home router in the first place and probably
> expanding to a file server and pxe boot server with usb drives
> attached to it for storage.
>
> I am familiar with general (linux) process of RO mounting partitions
> but I don't have any experience with CF cards and read that it's
> probably best to RO mount CF-media. Forgive me the missing/wrong
> terminology but I found just too much infos/howtos with differing tips
> on wether to care about write cycles or not, or special needs to take
> care of with CF media.
>
> Hope it makes sense what I ask for
>
> thanks
> martin
>
> --
> http://tumblr.marcher.name
> https://twitter.com/MartinMarcher
> http://www.xing.com/profile/Martin_Marcher
> http://www.linkedin.com/in/martinmarcher
>
> You are not free to read this message,
> by doing so, you have violated my licence
> and are required to urinate publicly. Thank you.



Re: sshd.config and AllowUsers

2007-03-26 Thread openbsd misc
Hello,

Everything is commented out because these are the default settings. If you want to
change a setting you'll have to uncomment it and change it.


Regards
  Hagen Volpers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Jerome Santos
Sent: Monday, 26 March 2007 19:33
To: misc@openbsd.org
Subject: sshd.config and AllowUsers

I have a few separate users on my server, one user for which I want to
disallow ssh login. Now I've read the man page for sshd and I've read a lot
of the documentation on this, but I'm still not clear on one point. By
default, /etc/ssh/sshd.config shows all entries are commented out. I want to
add something like this:

AllowUsers user1, user2, user3

I added that in but also with a # in front like all the other entries. Now
I find that I can still ssh to the box with a user acct that I didn't
include in the entry. Should it be in there without the #? And if so, do I
also then have to uncomment all the other entries??

Thanks
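
Hagen's answer is the whole point: the commented lines in sshd_config only
document the defaults, so a "#AllowUsers" line changes nothing and the other
lines do not need to be uncommented. The block below is an added example, not
OpenSSH code and not part of this thread. It reads an sshd_config text and
mimics the order in which sshd evaluates the four access-list directives
(DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups), including
the user@host form and the "*"/"?" wildcards. It also shows why the
comma-separated list in the question does not work: sshd splits AllowUsers on
whitespace, so "user1," is a pattern that never matches the login name
"user1". The three config texts are constructed here; the "host" argument
stands for the client hostname or address sshd would match against the host
part of a user@host pattern.

```python
"""Evaluate sshd's AllowUsers/DenyUsers/AllowGroups/DenyGroups on a config text.

Added example: mirrors the order OpenSSH's sshd uses (DenyUsers, AllowUsers,
DenyGroups, AllowGroups); it is not the OpenSSH implementation itself.
"""


def parse_sshd_config(text):
    """Return (keyword, value) pairs; blank lines and '#' comments are ignored,
    which is why commented-out directives have no effect at all."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                 # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ''
        directives.append((key, value))
    return directives


def match_pattern(s, pat):
    """OpenSSH-style pattern: '*' matches any run of characters, '?' exactly one."""
    if not pat:
        return s == ''
    if pat[0] == '*':
        return any(match_pattern(s[i:], pat[1:]) for i in range(len(s) + 1))
    if s and (pat[0] == '?' or pat[0] == s[0]):
        return match_pattern(s[1:], pat[1:])
    return False


def _match_user(user, host, pat):
    """A 'user@host' pattern must match both the login name and the client host."""
    if '@' in pat:
        upat, hpat = pat.split('@', 1)
        return match_pattern(user, upat) and match_pattern(host, hpat)
    return match_pattern(user, pat)


def login_allowed(config_text, user, groups=(), host=''):
    """Return (allowed, reason). Patterns are whitespace-separated, so a comma
    becomes part of the pattern ('user1,' does not match 'user1')."""
    lists = {'denyusers': [], 'allowusers': [], 'denygroups': [], 'allowgroups': []}
    for key, value in parse_sshd_config(config_text):
        if key in lists:
            lists[key].extend(value.split())   # repeated directives accumulate
    if any(_match_user(user, host, p) for p in lists['denyusers']):
        return False, 'DenyUsers'
    if lists['allowusers'] and not any(_match_user(user, host, p) for p in lists['allowusers']):
        return False, 'AllowUsers'
    if any(match_pattern(g, p) for g in groups for p in lists['denygroups']):
        return False, 'DenyGroups'
    if lists['allowgroups'] and not any(match_pattern(g, p) for g in groups for p in lists['allowgroups']):
        return False, 'AllowGroups'
    return True, 'allowed'


# Constructed sample configs (not from the thread).
COMMENTED_OUT = """\
#AllowUsers user1 user2 user3
PermitRootLogin no
"""
COMMA_SEPARATED = """\
AllowUsers user1, user2, user3
"""
CORRECT = """\
# Only these accounts may log in; admin only from the 10.0.0.0/24 side.
AllowUsers user1 user2 admin@10.0.0.*
DenyUsers user2
DenyGroups wheel
PermitRootLogin no
"""

if __name__ == '__main__':
    print(login_allowed(COMMENTED_OUT, 'user4'))                 # (True, 'allowed')
    print(login_allowed(COMMA_SEPARATED, 'user1'))               # (False, 'AllowUsers')
    print(login_allowed(CORRECT, 'admin', host='10.0.0.7'))      # (True, 'allowed')
```

Run it as a script to see the three outcomes; with the commented-out config
every account gets through, exactly the behaviour described in the question.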



Re: Problem using flashboot (openBSD based), can't get it to boot

2007-05-29 Thread openbsd misc
Hello,

I'm not a guru, but I'm working with openbsd and wrap systems for one
year ... ;-)

>> The ";" at the end here means that the WRAP BIOS said it could not do
>> LBA reads, so biosboot fell back to CHS reads.
>>
>>
>>> No O/S
>>>
>>
>> And since you installed on a different machine, the geometry was
>> almost certainly different, so the operating system wouldn't be at
>> the same place (cylinder/head/sector), hence it's not found.
>>
>> No idea how you can fix it, though.
>>
>> Tom
>>
>
> Thanks anyway, it's a clue at least.
> Maybe some of the gurus here know it?

You can set the bios to lba mode (press s during mem-test to access
bios). Btw, openbsd is the only OS having that problem ... LBA mode on
wrap systems means fix geometry (C/H/S x/32/63 - while the cylinder
count defines the size), so you can use fdisk with the geometry
parameters to configure your cf correctly.

I have another problem with openbsd 4.1 and wrap systems. I create an
image using flashdist and the wrapper script (incl. some modifications,
but that shouldn't make any difference). For openbsd 4.0 everything works
fine, but it doesn't for openbsd 4.1. I think the problem is related to the
geometry problem described above. To create an image I defined C/H/S as
118/32/63 (none of the systems I have has less than 128MB) for fdisk and
disklabel. The first time I created an image file that worked fine until
vnconfig -u. After attaching the image again (vnconfig -c) I wasn't able
to mount the partitions. The geometry was completely different. So I
added the -i option to fdisk and the -r option to disklabel. Afterwards I
was able to mount everything again after detaching/attaching the image
file.
After writing the image to a cf card everything works fine on openbsd
4.1.

Now here is the problem: The boot loader is not able to access the cf:

disk: hd0*
>> OpenBSD/i386 BOOT 2.13
open(hd0a:/etc/boot.conf): Invalid argument
boot> ls
stat(hd0a:/.): Invalid argument
boot> machine diskinfo
DiskBIOS#   TypeCylsHeads   SecsFlags   Checksum
hd0 0x80label   126 32  63  0x0 0xd8c3c6b3

I think that fdisk is the problem. disklabel runs after fdisk, but
disklabel defines the geometry (geometry options are set for fdisk but
it looks like they are ignored?!) - remember the -r option - I don't
know what fdisk exactly does (perhaps telling the boot-loader something
about the geometry during setup?!).

I hope someone has an answer or can give hints. The behavior shows a
difference between openbsd 4.0-release and openbsd 4.1-stable, but I
wasn't able to find anything in the changelog that could explain the
behavior and more important how to fix it.

I hope my english isn't too bad, please let me know if something isn't
clear ...

Regards
  Hagen Volpers
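
Both messages above come down to whether the BIOS reads the card by LBA or by
CHS: a partition table written under one head/sector geometry sends a
CHS-only boot loader to the wrong sectors on a BIOS that assumes another. As
an added example (mine, not from the thread and not OpenBSD's fdisk), here is
a small MBR parser that decodes the four partition entries and checks whether
each entry's packed CHS fields agree with its LBA fields under a given
heads/sectors-per-track geometry. The sample MBR is constructed in the code
under the 32 heads / 63 sectors geometry and 118-cylinder size from the
message; the same table checked under a 16-head geometry shows the mismatch.

```python
"""Decode an MBR partition table and check CHS fields against LBA fields.

Added example, not OpenBSD code: illustrates why a table written under one
BIOS geometry is not found by a CHS-only boot loader using another.
"""
import struct


def encode_chs(cyl, head, sector):
    """Pack cylinder (10 bits), head (8 bits), sector (6 bits) into 3 bytes."""
    if not (0 <= cyl < 1024 and 0 <= head < 256 and 1 <= sector < 64):
        raise ValueError("CHS value does not fit the 24-bit field")
    return bytes([head, ((cyl >> 2) & 0xc0) | sector, cyl & 0xff])


def decode_chs(b):
    """Inverse of encode_chs; returns (cyl, head, sector)."""
    return (((b[1] & 0xc0) << 2) | b[2], b[0], b[1] & 0x3f)


def lba_to_chs(lba, heads, spt):
    """Translate a linear sector number under the given geometry (sectors are 1-based)."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec = divmod(rem, spt)
    return cyl, head, sec + 1


def build_mbr(partitions, heads, spt):
    """Constructed MBR: partitions is [(type, lba_start, size)]; CHS fields are
    computed under (heads, spt), the geometry the image was prepared with."""
    table = b''
    for ptype, lba_start, size in partitions:
        table += (bytes([0x80]) + encode_chs(*lba_to_chs(lba_start, heads, spt))
                  + bytes([ptype]) + encode_chs(*lba_to_chs(lba_start + size - 1, heads, spt))
                  + struct.pack('<II', lba_start, size))
    return b'\x00' * 446 + table.ljust(64, b'\x00') + b'\x55\xaa'


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != 512 or mbr[510:] != b'\x55\xaa':
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i: 462 + 16 * i]
        if e[4] == 0:                      # type 0 = unused slot
            continue
        lba_start, size = struct.unpack('<II', e[8:16])
        parts.append({'index': i, 'active': bool(e[0] & 0x80), 'type': e[4],
                      'chs_start': decode_chs(e[1:4]), 'chs_end': decode_chs(e[5:8]),
                      'lba_start': lba_start, 'size': size})
    return parts


def check_geometry(parts, heads, spt):
    """List (index, field, chs_in_table, chs_expected) for every CHS field that
    disagrees with the LBA field under the geometry the BIOS will use."""
    mismatches = []
    for p in parts:
        for field, lba in (('chs_start', p['lba_start']),
                           ('chs_end', p['lba_start'] + p['size'] - 1)):
            expected = lba_to_chs(lba, heads, spt)
            if p[field] != expected:
                mismatches.append((p['index'], field, p[field], expected))
    return mismatches


# Constructed sample: one OpenBSD (0xA6) partition starting at sector 63 and
# filling 118 cylinders of a 32-head, 63-sector geometry.
CYLS, HEADS, SPT = 118, 32, 63
SAMPLE_MBR = build_mbr([(0xA6, SPT, CYLS * HEADS * SPT - SPT)], HEADS, SPT)

if __name__ == '__main__':
    parts = parse_mbr(SAMPLE_MBR)
    print('written under 32/63, read under 32/63:', check_geometry(parts, 32, 63))
    print('written under 32/63, read under 16/63:', check_geometry(parts, 16, 63))
```

To check a real card, read its first sector (for example with dd) into a
512-byte buffer and pass that to parse_mbr() instead of SAMPLE_MBR; the
geometry to test against is whatever the target BIOS reports, not the one
the image was built on.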



Re: Problem using flashboot (openBSD based), can't get it to boot

2007-05-30 Thread openbsd misc
Hello,

> Boudewijn Ector wrote:
>> Boudewijn Ector wrote:
>>>> The ";" at the end here means that the WRAP BIOS said it could not do
>>>> LBA reads, so biosboot fell back to CHS reads.
>>>>
>>>>> No O/S
>>>>
>>>> And since you installed on a different machine, the geometry was
>>>> almost certainly different, so the operating system wouldn't be at
>>>> the same place (cylinder/head/sector), hence it's not found.
>>>>
>>>> No idea how you can fix it, though.
>>>>
>>>> Tom
>>>>
>>> Thanks anyway, it's a clue at least.
>>> Maybe some of the gurus here know it?
>>>
>> Okay, I assume I need to set LBA in bios, and change the CHS settings of
>> the microdrive.
>> This can be done using fdisk, but how to determine the correct values?
>>
>> At second, someone attended me on the fact that I'm creating the image
>> using a USB-based cardreader (thus scsi like) and running it as an IDE
>> device (at Linux, hda) on my board.
>> different kind of bootsection? Can someone confirm this?
>
> google for WRAP, flashboot, and PXE.
>
> the 'easiest' way to install is to use the WRAP's own bios & a bsd.rd
to
> get enough stuff up & running to download the .gz image over FTP &
write
> directly onto the card.
>
> i've done this on a soekris easily, wrap should be similar.
>
> i'll look for some link-rotted urls later & if i can find them, email
> offlist
>
> a+
> scorch

it's not easy because of a bios bug. You first have to update the bios.
I wrote a small howto in a forum thread:

http://www.bsdforen.de/archive/index.php/t-15259.html

It's German, let me know if you need an English translation.

For the geometry question: did you miss the reply I wrote yesterday?

Regards
  Hagen Volpers



Re: Embedded system - which ?

2007-06-01 Thread openbsd misc
Hello,

have a look at www.visionsystems.de

I bought some systems there and everything is working fine. It's a german
company, but I don't think that this is a problem, only shipping might be
expensive.

Regards
  Hagen Volpers


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Uwe
Dippel
Sent: Friday, 1 June 2007 16:56
To: misc@openbsd.org
Subject: Embedded system - which ?

2 questions:

First, we are looking for an embedded system (that is, inclusive casing),
that works with OpenBSD.
Low power, fanless, booting from CF (4GB).
It needs to have a 'full' COM-port (RTS, CTS, DSR, DTR) aside of the serial
console, a full PCI-slot, USB, 1 NIC.
Soekris doesn't fit; neither do the current Infotek offers (though we will
try a sample of the latter).
Any recommendations ?

Secondly, we contacted quite a lot of manufacturers. One promising brand:
Devon. But their answer was quite horrible:
"Our units should run OpenBSD but we do not have any experience using it.
Also, the warranty would be invalid if you install the other OS."
Does anyone have a nice template to write to them, and tell them that it
would be to their advantage if they worked with us, instead of threatening
me ? If I write one myself, I am afraid, I might come across as rude and
arrogant.
Anyone with diplomatic abilities ? Their gear sounds interesting: Actually,
something like the NTA 6030A is slightly below Soekris, price-wise, for us.
1GHz Eden; could be more than enough for a great OpenBSD server/workstation.

Uwe



Re: WRAP stalling at kernel entry point via pxeboot/tftp

2007-06-07 Thread openbsd misc
Hello,

your boot.conf should look like this:

set tty com0
stty com0 38400
set timeout 5

Last time I booted wrap via pxe was 3.9, but this should work.


Regards
  Hagen Volpers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
mgb
Sent: Thursday, 7 June 2007 12:51
To: misc@openbsd.org
Subject: WRAP stalling at kernel entry point via pxeboot/tftp

List,

I am attempting to get pxeboot working on a WRAP board with openbsd 4.1
generic; however the loading of either kernel, bsd or bsd.rd, is stalling.

I've searched around the archives and have taken the steps mentioned here:

http://marc.info/?l=openbsd-misc&m=117978591113386&w=2

I have updated the BIOS on the wrap board with a PXE.BIN downloaded from
rom-o-matic.net which uses etherboot 5.4.3 and the NIC type natsemi:dp83815.

below is the output from the wrap board:

PC Engines WRAP.2B/2C v1.11
640 KB Base Memory
130048 KB Extended Memory

01F0 - no drive found !
ROM segment 0xe000 length 0x8000 reloc 0x
Etherboot 5.4.3 (GPL) http://etherboot.org
Drivers: NATSEMI   Images: NBI ELF Multiboot a.out PXE   Exports: PXE
Protocols: DHCP TFTP
Relocating _text from: [0008bb80,0009fd90) to [07eebdf0,07f0)
Boot from (N)etwork (D)isk or (Q)uit? N

Probing pci nic...
[dp83815]
natsemi_probe: MAC addr 00:0D:B9:04:47:F8 at ioaddr 0X1000
natsemi_probe: Vendor:0X100B Device:0X0020
dp83815: Transceiver default autoneg. enabled, advertise 100 full duplex.
dp83815: Transceiver status 7869 advertising 05E1
dp83815: Setting full-duplex based on negotiated link capability.
Searching for server (DHCP).
Me: 192.168.1.200, DHCP: 192.168.1.1, TFTP: 192.168.1.1, Gateway 192.168.1.1
Loading 192.168.1.1:pxeboot ...(PXE)done
probing: pc0 com0 pci pxe![2.1] mem[640K 125M a20=on]
disk:
net: mac 00:0d:b9:04:47:f8, ip 192.168.1.200, server 192.168.1.1
 >> OpenBSD/i386 PXEBOOT 1.11
boot> bsd1.rd
booting tftp:bsd.rd: 4679892+742564 [52+169536+154918]=0x57b288
dp83815: Setting full-duplex based on negotiated link capability.
entry point at 0x200120

the loading stalls at this point, tcpdump shows the following:

11:48:27.321421 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..&0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:28.319634 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..&0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:30.319653 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..&0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:34.319901 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..&0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:42.320416 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
[EMAIL 
PROTECTED]@.U..?.Y..&0.nchrdev.ex_ca.ieee80211_merge_print_intvl.mf
i_get_info.ep_eisa_ca.ath_power.aue_cd.cac_shutdown.piix_pci_icu.re_pci_devic
es.af2rtafidx.pciide_ca.fddprint.natsemi_pci_intr.rtw_ioctl.pciide_chansetup.
qsphy_ca.shmmaxpgs.
11:48:47.320663 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:48:48.320728 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:48:49.320787 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:48:58.325352 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:48:59.325417 arp who-has 192.168.1.200 tell 192.168.1.1
..Ze
11:49:00.325480 arp who-has 192.168.1.200 tell 192.168.1.1

I have used a boot.conf which contains this:

set tty pc0

I have tried com0 and the output freezes whilst I type bsd.rd

Many thanks for your time
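
What the capture above shows is the TFTP server (192.168.1.1) resending the
same 222-byte datagram to the board's port 2905 at roughly 1, 2, 4 and 8
second intervals, with nothing coming back from 192.168.1.200, and then
ARPing for it; the board went quiet after "entry point at 0x200120". The
block below is an added example, not part of the message: it parses
tcpdump's one-line UDP summaries, groups datagrams per flow, and flags flows
where one side keeps retransmitting a same-sized datagram with doubling
gaps while the reverse direction is silent, which is what a sender's
back-off towards a dead peer looks like. The sample lines are the summary
lines from the capture above with the payload dumps left out; the ARP lines
are deliberately kept to show they are skipped.

```python
"""Spot stalled UDP transfers (retransmission back-off, no reply) in tcpdump output.

Added example; works on the one-line summaries tcpdump prints without -x/-A.
"""
import re
from collections import defaultdict

# e.g. "11:48:27.321421 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222"
_UDP_LINE = re.compile(
    r'^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\S+?)\.(\d+) > (\S+?)\.(\d+): UDP, length (\d+)'
)


def parse_udp_summaries(lines):
    """Return (seconds_since_midnight, src, sport, dst, dport, length) per UDP line.
    ARP lines and hex/ASCII payload dump lines do not match and are skipped."""
    pkts = []
    for line in lines:
        m = _UDP_LINE.match(line)
        if not m:
            continue
        hh, mm, ss, frac, src, sport, dst, dport, length = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(frac) / 10 ** len(frac)
        pkts.append((t, src, sport, dst, dport, int(length)))
    return pkts


def find_stalled_flows(lines, min_repeats=3):
    """One report per unidirectional flow with at least min_repeats datagrams of
    identical size and no datagram at all in the reverse direction. gaps_s are
    the inter-arrival times (rounded to 0.1 s); doubling_backoff is True when
    each gap is about twice the previous one."""
    by_flow = defaultdict(list)
    for t, src, sport, dst, dport, length in parse_udp_summaries(lines):
        by_flow[(src, sport, dst, dport)].append((t, length))
    reports = []
    for flow, seq in sorted(by_flow.items()):
        src, sport, dst, dport = flow
        if len(seq) < min_repeats or (dst, dport, src, sport) in by_flow:
            continue                                   # short, or the peer did answer
        if len({length for _, length in seq}) != 1:
            continue                                   # different payloads: not a retransmit
        gaps = [round(b[0] - a[0], 1) for a, b in zip(seq, seq[1:])]
        backoff = all(abs(g2 - 2 * g1) <= 0.5 for g1, g2 in zip(gaps, gaps[1:]))
        reports.append({'flow': flow, 'repeats': len(seq), 'length': seq[0][1],
                        'gaps_s': gaps, 'doubling_backoff': backoff})
    return reports


# Summary lines from the capture quoted above (payload dumps omitted).
SAMPLE_CAPTURE = """\
11:48:27.321421 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:28.319634 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:30.319653 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:34.319901 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:42.320416 IP 192.168.1.1.32831 > 192.168.1.200.2905: UDP, length 222
11:48:47.320663 arp who-has 192.168.1.200 tell 192.168.1.1
11:48:48.320728 arp who-has 192.168.1.200 tell 192.168.1.1
""".splitlines()

if __name__ == '__main__':
    for report in find_stalled_flows(SAMPLE_CAPTURE):
        print(report)
```

Feed it `tcpdump -n -l` output from the TFTP server; a flow that appears in
the report while the client console sits at "entry point" tells you the
kernel never took over the network, so the remaining blocks were never
acknowledged.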



Re: pxeboot hanging on WRAP board

2007-06-22 Thread openbsd misc
> On 2007/06/22 12:15, Heinrich Rebehn wrote:
>> Stuart Henderson wrote:
>>> On 2007/06/22 09:59, Heinrich Rebehn wrote:
>>>> i am trying to get my new WRAP board to boot via pxe. pxeboot loads fine
>>>> but seems to stall at the point where memory should be probed.
>>> enable the serial console in $TFTPROOT/etc/boot.conf.
>>
>> I tried that, but the WRAP does not even try to access etc/boot.conf at this
>> time (according to tcpdump(1) on the server). Also, pxeboot hangs in the
>> middle of the "probing:..." line.
>
> Try a new etherboot from rom-o-matic.net then, you'll need to piece
> it together with the files from wbios11.zip on pcengines.ch and xmodem
> it across. You'll need to use the options detailed in README.TXT in
> rom-o-matic (they're in a different order to listed now, the console
> ones are at the bottom of the web page).
>
> I have successfully booted pxeboot from 4.1 on a WRAP.1E with
> Etherboot 5.4.3
Correct, check this thread, it should answer all questions (I think
German isn't a problem, right ;-)):

http://www.bsdforen.de/archive/index.php/t-15259.html

Regards
  Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-18 Thread openbsd misc
> misc(at)openbsd.org wrote:
>> Hello,
>>
>> I have a system with openbsd 4.1 installed. Everything works fine (lynx
>> / ping / ...) but I'm not able to connect to another system via ssh. I'm
>> not able to connect to the system, too.
>> The error I got:
>>
>> 2: Bad packet length 
>>
>> I googled a bit, but I wasn't able to find out what exactly is wrong.
>> Here is the information from dmesg about the nics:
>>
>> sis0 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
>> irq 11, address 00:02:b6:33:50:dd
>>
>> Btw, I'm talking about a fresh 4.1 installation, completely untouched.
>>
>> Has anyone an idea for me? Driver problem? Unsupported hardware? The
>> hardware was checked twice by producer (and I don't have the problems
>> using linux), I don't think that is a hardware defect.
>>
>> Thanks.
>>
>> Regards
>>   Hagen Volpers
>>
>
> Have you tried:
>
> ssh -vvv host.to.connect.to
>
> That might give some clues.
>
> HTH
> Fred
> --
> http://www.crowsons.com/puters/x41.htm

Hello,

here are the last lines:

debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent

followed by the error mentioned in my first mail.

Does that help? Do you need more informations?

Regards
  Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
> On Thu, 19 Jul 2007, openbsd misc wrote:
>
>> > misc(at)openbsd.org wrote:
>> >> Hello,
>> >>
>> >> I have a system with openbsd 4.1 installed. Everything works fine (lynx
>> >> / ping / ...) but I'm not able to connect to another system via ssh. I'm
>> >> not able to connect to the system, too.
>> >> The error I got:
>> >>
>> >> 2: Bad packet length 
>> >>
>> >> I googled a bit, but I wasn't able to find out what exactly is wrong.
>> >> Here is the information from dmesg about the nics:
>> >>
>> >> sis0 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
>> >> irq 11, address 00:02:b6:33:50:dd
>> >>
>> >> Btw, I'm talking about a fresh 4.1 installation, completely untouched.
>> >>
>> >> Has anyone an idea for me? Driver problem? Unsupported hardware? The
>> >> hardware was checked twice by producer (and I don't have the problems
>> >> using linux), I don't think that is a hardware defect.
>> >>
>> >> Thanks.
>> >>
>> >> Regards
>> >>   Hagen Volpers
>> >>
>> >
>> > Have you tried:
>> >
>> > ssh -vvv host.to.connect.to
>> >
>> > That might give some clues.
>> >
>> > HTH
>> > Fred
>> > --
>> > http://www.crowsons.com/puters/x41.htm
>>
>> Hello,
>>
>> here are the last lines:
>>
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug2: set_newkeys: mode 0
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>
>> followed by the error mentioned in my first mail.
>>
>> Does that help? Do you need more information?
>>
>> Regards
>>   Hagen Volpers
>
> Try to determine where the error occurs. For example: is this a network
> driver issue? To find out put another type network card into the
> machine and try to use ssh over it.
>
> Another test would be to connect to another machine (running a
> different version of sshd?), to test if this is a ssh protocol problem
> on the local or remote side.
>
> Can you ssh INTO the machine?
>
> Make notes of what works and what not, etc.  Try to be smart and rule
> out possible causes, this enables you to zoom in into the real problem.
>
>   -Otto

Hello,

unfortunately I'm not able to test another nic, the system doesn't have
a pci slot (we are talking about an all-in-one board - e.g.
http://www.visionsystems.de/1_2_5_4.html). I already did all the other
tests you mentioned, except changing the ssh protocol - lynx / ping
work, ssh from the machine to different machines doesn't work (I can
connect from other systems without any problem), ssh to the machine
doesn't work either.

Any other ideas?

Regards
  Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
Hello,

putting that one back to list, it's not silly ;-)

I tried ssh [EMAIL PROTECTED] -> same result.

So the nic isn't the problem ... I looked into dmesg again, the bios is
mentioned as AT/286+ there?! Is that normal?

Btw, the IP-Address is unique ;-)

Are there known bugs on VIA-CPUs? Which information do I need to provide?
(dmesg is hard, I have to write it up, but if that helps, let me know and I'll
do it).

Regards
  Hagen Volpers

-----Original Message-----
From: Maxim Belooussov [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 July 2007 21:38
To: openbsd misc
Subject: Re: hardware problem?! strangely ssh error

Hi Hagen,

Doing this off-the list in case I sound too silly.

For starters, have you tried to ssh [EMAIL PROTECTED]? This would give a
clue where the problem could be.

Further make sure that there is no machine with the same ip on your
net - I've seen before that some connections were 'dying' all of a
sudden when another (linux) box with same IP was closing 'illegal'
connection.

Hope it helps,

Maxim


> > On Thu, 19 Jul 2007, openbsd misc wrote:
> >
> > >> > misc(at)openbsd.org wrote:
> > >> >> Hello,
> > >> >>
> > >> >> I have a system with openbsd 4.1 installed. Everything works fine (lynx
> > >> >> / ping / ...) but I'm not able to connect to another system via ssh. I'm
> > >> >> not able to connect to the system, too.
> > >> >> The error I got:
> > >> >>
> > >> >> 2: Bad packet length 
> > >> >>
> > >> >> I googled a bit, but I wasn't able to find out what exactly is wrong.
> > >> >> Here is the information from dmesg about the nics:
> > >> >>
> > >> >> sis0 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
> > >> >> irq 11, address 00:02:b6:33:50:dd
> > >> >>
> > >> >> Btw, I'm talking about a fresh 4.1 installation, completely untouched.
> > >> >>
> > >> >> Has anyone an idea for me? Driver problem? Unsupported hardware? The
> > >> >> hardware was checked twice by producer (and I don't have the problems
> > >> >> using linux), I don't think that is a hardware defect.
> > >> >>
> > >> >> Thanks.
> > >> >>
> > >> >> Regards
> > >> >>   Hagen Volpers
> > >> >>
> > >> >
> > >> > Have you tried:
> > >> >
> > >> > ssh -vvv host.to.connect.to
> > >> >
> > >> > That might give some clues.
> > >> >
> > >> > HTH
> > >> > Fred
> > >> > --
> > >> > http://www.crowsons.com/puters/x41.htm
> > >>
> > >> Hello,
> > >>
> > >> here are the last lines:
> > >>
> > >> debug1: SSH2_MSG_NEWKEYS sent
> > >> debug1: expecting SSH2_MSG_NEWKEYS
> > >> debug2: set_newkeys: mode 0
> > >> debug1: SSH2_MSG_NEWKEYS received
> > >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> > >>
> > >> followed by the error mentioned in my first mail.
> > >>
> > >> Does that help? Do you need more information?
> > >>
> > >> Regards
> > >>   Hagen Volpers
> > >
> > > Try to determine where the error occurs. For example: is this a network
> > > driver issue? To find out put another type network card into the
> > > machine and try to use ssh over it.
> > >
> > > Another test would be to connect to another machine (running a
> > > different version of sshd?), to test if this is a ssh protocol problem
> > > on the local or remote side.
> > >
> > > Can you ssh INTO the machine?
> > >
> > > Make notes of what works and what not, etc.  Try to be smart and rule
> > > out possible causes, this enables you to zoom in into the real problem.
> > >
> > >   -Otto
> >
> > Hello,
> >
> > unfortunately I'm not able to test another nic, the system doesn't have
> > a pci slot (we are talking about an all-in-one board - e.g.
> > http://www.visionsystems.de/1_2_5_4.html). I already did all the other
> > tests you mentioned, except changing the ssh protocol - lynx / ping
> > work, ssh from the machine to different machines doesn't work (I can
> > connect from other systems without any problem), ssh to the machine
> > doesn't work either.
> >
> > Any other ideas?
> >
> > Regards
> >   Hagen Volpers



Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
input: USBPS2 as /class/input/input1
input: USB HID v1.00 Mouse [USBPS2] on usb-:00:07.2-2
usbcore: registered new interface driver usbhid
drivers/usb/input/hid-core.c: v2.6:USB HID core driver
sl811: driver sl811-hcd, 19 May 2005
ieee1394: Initialized config rom entry `ip1394'
ieee1394: sbp2: Driver forced to serialize I/O (serialize_io=1)
ieee1394: sbp2: Try serialize_io=0 for better performance
libata version 2.00 loaded.
device-mapper: ioctl: 4.10.0-ioctl (2006-09-14) initialised:
[EMAIL PROTECTED]
md: raid0 personality registered for level 0
md: raid1 personality registered for level 1
md: raid10 personality registered for level 10
JFS: nTxBlock = 3966, nTxLock = 31734
Intel(R) PRO/1000 Network Driver - version 7.2.9-k4
Copyright (c) 1999-2006 Intel Corporation.
scsi 0:0:0:0: CD-ROMIOMEGA   CDRW86522EXT3-B  QOP3 PQ: 0 ANSI: 0
sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
Uniform CD-ROM driver Revision: 3.20
sr 0:0:0:0: Attached scsi CD-ROM sr0
usb-storage: device scan complete
ISO 9660 Extensions: Microsoft Joliet Level 3
Unable to load NLS charset iso8859-1
Unable to load NLS charset iso8859-1
ISO 9660 Extensions: RRIP_1991A
Real Time Clock Driver v1.12ac
natsemi dp8381x driver, version 2.1, Sept 11, 2006
  originally by Donald Becker <[EMAIL PROTECTED]>
  http://www.scyld.com/network/natsemi.html
  2.4.x kernel port by Jeff Garzik, Tjeerd Mulder
PCI: setting IRQ 11 as level-triggered
PCI: Found IRQ 11 for device :00:08.0
natsemi eth0: NatSemi DP8381[56] at 0xd000 (:00:08.0),
00:02:b6:33:50:dd, IRQ 11, port TP.
PCI: setting IRQ 12 as level-triggered
PCI: Found IRQ 12 for device :00:09.0
natsemi eth1: NatSemi DP8381[56] at 0xdfffe000 (:00:09.0),
00:02:b6:33:50:de, IRQ 12, port TP.
PCI: setting IRQ 9 as level-triggered
PCI: Found IRQ 9 for device :00:0a.0
natsemi eth2: NatSemi DP8381[56] at 0xdfffd000 (:00:0a.0),
00:02:b6:33:50:df, IRQ 9, port TP.
PCI: Found IRQ 10 for device :00:0b.0
PCI: Sharing IRQ 10 with :00:07.2
natsemi eth3: NatSemi DP8381[56] at 0xdfffc000 (:00:0b.0),
00:02:b6:33:50:e0, IRQ 10, port TP.
natsemi dp8381x driver, version 2.1, Sept 11, 2006
  originally by Donald Becker <[EMAIL PROTECTED]>
  http://www.scyld.com/network/natsemi.html
  2.4.x kernel port by Jeff Garzik, Tjeerd Mulder
natsemi eth0: NatSemi DP8381[56] at 0xd000 (:00:08.0),
00:02:b6:33:50:dd, IRQ 11, port TP.
natsemi eth1: NatSemi DP8381[56] at 0xdfffe000 (:00:09.0),
00:02:b6:33:50:de, IRQ 12, port TP.
natsemi eth2: NatSemi DP8381[56] at 0xdfffd000 (:00:0a.0),
00:02:b6:33:50:df, IRQ 9, port TP.
natsemi eth3: NatSemi DP8381[56] at 0xdfffc000 (:00:0b.0),
00:02:b6:33:50:e0, IRQ 10, port TP.
sr 0:0:0:0: Attached scsi generic sg0 type 5
eth1: DSPCFG accepted after 0 usec.
eth3: DSPCFG accepted after 0 usec.
eth2: DSPCFG accepted after 0 usec.
eth0: DSPCFG accepted after 0 usec.
eth0: link up.
eth0: Setting full-duplex based on negotiated link capability.
eth3: remaining active for wake-on-lan
eth1: remaining active for wake-on-lan
eth0: remaining active for wake-on-lan
fbsplash: console 0 using theme 'livecd-2006.1'
eth2: remaining active for wake-on-lan
fbsplash: switched splash state to 'on' on console 0
eth2: DSPCFG accepted after 0 usec.
eth0: DSPCFG accepted after 0 usec.
eth0: link up.
eth0: Setting full-duplex based on negotiated link capability.
eth3: DSPCFG accepted after 0 usec.
eth1: DSPCFG accepted after 0 usec.

Regards
  Hagen Volpers


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
openbsd misc
Sent: Thursday, 19 July 2007 22:19
To: misc@openbsd.org
Cc: Maxim Belooussov
Subject: Re: hardware problem?! strangely ssh error

Hello,

putting that one back to list, it's not silly ;-)

I tried ssh [EMAIL PROTECTED] -> same result.

So the nic isn't the problem ... I looked into dmesg again, the bios is
mentioned as AT/286+ there?! Is that normal?

Btw, the IP-Address is unique ;-)

Are there known bugs on VIA-CPUs? Which information do I need to provide?
(dmesg is hard, I have to write it up, but if that helps, let me know and
I'll do it).

Regards
  Hagen Volpers

-----Original Message-----
From: Maxim Belooussov [mailto:[EMAIL PROTECTED]
Sent: Thursday, 19 July 2007 21:38
To: openbsd misc
Subject: Re: hardware problem?! strangely ssh error

Hi Hagen,

Doing this off-the list in case I sound too silly.

For starters, have you tried to ssh [EMAIL PROTECTED]? This would give a
clue where the problem could be.

Further make sure that there is no machine with the same ip on your
net - I've seen before that some connections were 'dying' all of a
sudden when another (linux) box with same IP was closing 'illegal'
connection.

Hope it helps,

Maxim


> > On Thu, 19 Jul 2007, openbsd misc wrote:
>
> >> > misc(at)openbsd.org wrote:
> >> >> Hello,
> &

Re: hardware problem?! strangely ssh error

2007-07-19 Thread openbsd misc
> openbsd misc wrote:
>> Hello again,
>>
>> I tested the gentoo live cd. I was able to ssh to another machine, so I was
>> able to get a complete (linux) dmesg output. Hope that helps:
>>
>> [...]
>>
>> Regards
>>   Hagen Volpers
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
>> openbsd misc
>> Sent: Thursday, 19 July 2007 22:19
>> To: misc@openbsd.org
>> Cc: Maxim Belooussov
>> Subject: Re: hardware problem?! strangely ssh error
>>
>> Hello,
>>
>> putting that one back to list, it's not silly ;-)
>>
>> I tried ssh [EMAIL PROTECTED] -> same result.
>>
>> So the nic isn't the problem ... I looked into dmesg again, the bios is
>> mentioned as AT/286+ there?! Is that normal?
>>
>> Btw, the IP-Address is unique ;-)
>>
>> Are there known bugs on VIA-CPUs? Which information do I need to provide?
>> (dmesg is hard, I have to write it up, but if that helps, let me know and
>> I'll do it).
>>
>> Regards
>>   Hagen Volpers
>
> Can you ftp the dmesg out?
>
> My answer to all dodgy hardware at the moment is enable acpi via boot -c
>
> HTH
> --
> http://www.crowsons.com/puters/x41.htm


Hello,

acpi0 was disabled, but enabling it doesn't make any difference. Here is
the openbsd dmesg output (after enabling acpi using config - forgot the
good old apache, easier than setting up an ftp server on another machine
;-)):

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Nehemiah ("CentaurHauls" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,CX8,SEP,MTRR,PGE,CMOV,PAT,MMX,FXSR,SSE
cpu0: RNG AES
real mem  = 528052224 (515676K)
avail mem = 474099712 (462988K)
using 4278 buffers containing 26525696 bytes (25904K) of memory
User Kernel Config
UKC> find acpi0
386 acpi0 at mainbus0 bus -1 flags 0x0
UKC> quit
Continuing...
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 11/27/03, BIOS32 rev. 0 @ 0xfdb30,
SMBIOS rev. 2.3 @ 0xf0630 (24 entries)
bios0: American Megatrends Inc. Uknown
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf8920/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("VIA VT82C686 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x1000 0xcd000/0x1000
0xce000/0x1000 0xcf000/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8601 PCI" rev 0x05
ppb0 at pci0 dev 1 function 0 "VIA VT82C601 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Trident CyberBlade i1" rev 0x6a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "VIA VT82C686 ISA" rev 0x40
pciide0 at pci0 dev 7 function 1 "VIA VT82C571 IDE" rev 0x06: ATA100,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 39205MB, 80293248 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 "VIA VT83C572 USB" rev 0x1a: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 "VIA VT82C686 SMBus" rev 0x40
sis0 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
irq 11, address 00:02:b6:33:50:dd
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 9 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
irq 12, address 00:02:b6:33:50:de
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 10 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
irq 9, address 00:02:b6:33:50:df
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
sis3 at pci0 dev 11 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
irq 10, address 00:02:b6:33:50:e0
nsphyter3 at sis3 phy 0: DP83815 10/100 PHY, rev. 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask e5e5 netmask ffe5 ttymask ffe7
pctr: user-level cycle counter enabled
uhidev0 at uhub0 port 2 configuration

Re: hardware problem?! strangely ssh error - SOLVED

2007-07-20 Thread openbsd misc
> -----Original Message-----
> From: Stuart Henderson [mailto:[EMAIL PROTECTED]
> Sent: Friday, 20 July 2007 01:22
> To: openbsd misc
> Subject: Re: hardware problem?! strangely ssh error
>
> On 2007/07/20 00:02, Stuart Henderson wrote:
> > If there might be crypto hardware onboard, try sysctl
> kern.usercrypto=0
>
> The chip is detected as supporting AES, which gets used for
> ssh with default ciphers. Definitely try this sysctl (takes effect
> straight away) and if it helps please report back on misc@, if
> AES is detected incorrectly it would be useful to work out a
> way to identify and disable it..
>
>

Thanks a lot, that solved the problem.

Regards
  Hagen Volpers



WPA support / creating a cf image

2006-08-02 Thread openbsd misc
Hello all,

I hope this is the right place for my questions.
At the moment I'm playing around with OpenBSD on a WRAP system.
I want it to be a firewall, reverse proxy (for Outlook Web Access)
and VPN gateway. My problem is that I'm only able to
install OpenBSD on a compact flash card using pxeboot
or something like flashdist -> I always need an OpenBSD system
in place. I'm looking for a way to create an image that can
be flashed to a CF card with Windows (or other systems).
As far as I know there is a problem with sectors,
tracks etc. (I'm not that familiar with these topics). My
question is whether there is a way to create such an image. To
me it looks like an OpenBSD-specific problem, as it is
possible with FreeBSD (www.m0n0.ch/wall). Perhaps there is
someone here who has an idea.

I also plan to use such systems for home office situations
(I want to replace Linksys, Draytek etc.). They should
provide a VPN to the head office. The problem is that many
customers want wireless LAN at home. We are talking about
Windows XP systems that need to be online at boot time
(startup scripts etc.). That means that WEP / MAC access
control is not a solution. I need WPA. I wasn't able to
find any status on that topic. Is there a timeline, or
did the OpenBSD team decide not to implement WPA/WPA2?

Hope my English isn't that bad (I'm German) and my
questions are in the right place. If not, let me know
and I'll put my questions somewhere else :-).

Regards
  Hagen Volpers



Re: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
Hello,

that's exactly what I'm doing at the moment... :-) But that doesn't create an
image. The problem is, in short: C/H/S. But it looks like I already answered my
question within the question ;-). m0n0wall is using physdiskwrite (which was
written to be able to flash CF cards under Windows):

*   FreeBSD:
gzcat net45xx-xxx.img | dd of=/dev/rad[n] bs=16k
where n = the ad device number of your CF card (check dmesg); use
net48xx-xxx.img for net4801 and wrap-xxx.img for WRAP instead
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Linux:
gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k
where X = the IDE device name of your CF card (check with hdparm -i /dev/hdX)
- some adapters, particularly USB, may show up under SCSI emulation as
/dev/sdX
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Windows:
physdiskwrite net45xx-xxx.img

I'll try to create an image using flashdist (some modifications needed, but I
hope that's not too hard ;-)), gzip it and then I'll try to write it to a CF
card using Windows.

Regards
 Hagen Volpers




From: Ryan Corder [mailto:[EMAIL PROTECTED]
Sent: Thu 03.08.2006 14:41
To: openbsd misc
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image



On Wed, 2006-08-02 at 23:23 +0200, openbsd misc wrote:
> My question is, if there is a way to create such an image. For
> me it looks like an openbsd specific problem as it is
> possible with freebsd (www.m0n0.ch/wall). Perhaps here is
> someone who has an idea.

quite possible and easy to do, check out flashdist:
http://www.nmedia.net/~chris/soekris

[...]



FW: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
Sorry, wrong recipient. ;-) see below...



From: openbsd misc
Sent: Thu 03.08.2006 16:15
To: Shane J Pearson
Subject: Re: WPA support / creating a cf image


Hello,

my problem is that I need the VPN at boot time. I cannot build a VPN from
client to server, only from OpenBSD to the head office. I'm not a fan of wireless
LAN, but my customers want it... The only way is to put an access point next
to the WRAP system, but I want an all-in-one solution, because it has to be
customer-friendly.
Are there any reasons why WPA is not implemented for now?



From: [EMAIL PROTECTED] on behalf of Shane J Pearson
Sent: Thu 03.08.2006 15:27
To: misc Misc
Subject: Re: WPA support / creating a cf image



On 2006.08.03, at 10:41 PM, Ryan Corder wrote:

> First, get past the notion of "secure" wireless...it doesn't
> exist.  The best solution for a "more secure" wireless network
> is for you to implement a WEP-encrypted environment and establish
> a VPN over it.

What about an open wireless network, which does not allow anything to
be routed out of the OpenBSD WAP unless it is authpf authorised. Then
only VPN traffic.

This couldn't be considered secure enough?


Shane



Re: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
Ok, that didn't work. You can create an image, but the image will only work on
identical CF cards (same C/H/S). Is that an OpenBSD-specific problem (bootloader),
or how can I get rid of that?
I need an image that works on every CF card. Any idea? I don't want to switch to
FreeBSD...

Regards
  Hagen Volpers


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of openbsd misc
Sent: Thursday, 3 August 2006 16:13
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image

Hello,

that's exactly what I'm doing at the moment... :-) But that doesn't create an
image. The problem is, in short: C/H/S. But it looks like I already answered my
question within the question ;-). m0n0wall is using physdiskwrite (which was
written to be able to flash CF cards under Windows):

*   FreeBSD:
gzcat net45xx-xxx.img | dd of=/dev/rad[n] bs=16k
where n = the ad device number of your CF card (check dmesg); use
net48xx-xxx.img for net4801 and wrap-xxx.img for WRAP instead
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Linux:
gunzip -c net45xx-xxx.img | dd of=/dev/hdX bs=16k
where X = the IDE device name of your CF card (check with hdparm -i /dev/hdX)
- some adapters, particularly USB, may show up under SCSI emulation as
/dev/sdX
(ignore the warning about trailing garbage - it's because of the digital
signature)
*   Windows:
physdiskwrite net45xx-xxx.img

I'll try to create an image using flashdist (some modifications needed, but I
hope that's not too hard ;-)), gzip it and then I'll try to write it to a CF
card using Windows.

Regards
 Hagen Volpers




From: Ryan Corder [mailto:[EMAIL PROTECTED]
Sent: Thu 03.08.2006 14:41
To: openbsd misc
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image



On Wed, 2006-08-02 at 23:23 +0200, openbsd misc wrote:
> My question is, if there is a way to create such an image. For
> me it looks like an openbsd specific problem as it is
> possible with freebsd (www.m0n0.ch/wall). Perhaps here is
> someone who has an idea.

quite possible and easy to do, check out flashdist:
http://www.nmedia.net/~chris/soekris

[...]



Re: WPA support / creating a cf image

2006-08-03 Thread openbsd misc
My plan is to build a default flashdist. Afterwards I want to build a
tgz to install additional files. But all that doesn't make sense as
long as you aren't able to create a simple image that can be written
to every CF card and run on every system (as long as the kernel
supports the hardware).
I found this comment in flashdist.sh:

# This script contains a stupid method which occasionally works to make this
# media bootable on a destination which uses a different c/h/s translation
# than the host system.  Of course, this is really just a hack.  This
# hack is no longer necessary with OpenBSD's newer LBA MBR, but left in place
# because it does no harm.

At the moment I try to figure out how to change the image MBR to LBA.
I hope that's the correct way.

Regards
  Hagen Volpers


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Ryan Corder
Sent: Thursday, 3 August 2006 21:08
To: Jeff Quast
Cc: misc@openbsd.org
Subject: Re: WPA support / creating a cf image

On Thu, 2006-08-03 at 14:47 -0400, Jeff Quast wrote:
> I understand this is a problem of target systems translating C/H/S
> values differently. There is no problem in dynamically using OpenBSD's
> idea of C/H/S values at build time. However, OpenBSD on two different
> machines can provide completely different C/H/S values on the exact
> same card. Correct me if I'm wrong.
>
> I don't think rolling your own would help in this way.
>
> I've heavily modified flashdist.sh to work in a different manner... I
> don't like the idea of building a "complete system" thats a mangled
> version of OpenBSD that needs to be maintained and provided for you.
> This is the common 'giving the people what they want' distribution
> format, and making those of us who want to modify it even the
> slightest bit work that much harder.
>
> I've changed the format of flashdist to accept an "overlay/"
> directory, containing any /etc/, /bsd, /usr/local, etc. additions or
> changes to overlay over the target CF card after a default install
> (extracting basesets).

that's exactly where I was going with it.  I too have heavily modified
flashdist.sh for my own needs and my stuff sounds similar to yours...an
overlay type of setup.

the problem that the original poster is facing is that the script he is
using does everything for him...including setting up and partitioning
the CF.  What would be nice is for similar script or program that just
gathered everything up that is required for the system to run and create
an image out of that.  Let the user handle setting up the individual CF
cards and just provide an image of the "hard drive" contents to be
flashed over via dd.

--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646




Re: WPA support / creating a cf image

2006-08-04 Thread openbsd misc
Thanks for that tip. I wrote a boot sector to my CF card and booted. But it
looks like biosboot isn't able to use LBA (; instead of .), even if I change the
WRAP BIOS setting to LBA. I wasn't able to figure out why. At the moment I'm
playing around with grub and lilo to find out if these have the same problem
with the WRAP system.
I'll ask on the m0n0wall mailing list how they solved that issue, perhaps I can
find a solution there... :/

Regards
  Hagen Volpers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Stuart Henderson
Sent: Thursday, 3 August 2006 22:00
To: misc@openbsd.org
Subject: Re: WPA support / creating a cf image

On 2006/08/03 14:47, Jeff Quast wrote:
> values differently. There is no problem in dynamically using OpenBSD's
> idea of C/H/S values at build time. However, OpenBSD on two different
> machines can provide completely different C/H/S values on the exact

yes, this was a bit of a pain for this type of thing until
biosboot(8) got changed to use LBA a couple of years ago.



Re: WPA support / creating a cf image

2006-08-04 Thread openbsd misc
Hello Jeff,

> Misc,

first of all: my name is Hagen... :-) I have one account for every
mailing list and I cannot change the display name
(Exchange disadvantage)... ;-)

> Please make sure to update the firmware on your wrap, as you hadn't
> mentioned it. pcengines.ch walks through this. It is quite simple. The
> tinybios revision is usually (..always) out of date. Some features
> listed in the tinybios that come on the wrap don't always work, or
> work correctly.

Thanks for your tip, but I have tinyBIOS 1.11 installed (the last
one mentioned on the pcengines site). I created a new etherboot image
because of a pxeboot bug. So everything should be up to date. I
created the MBR several times on two CF cards - fdisk / installboot.
I wasn't able to change to LBA mode. I don't know why (I changed
the WRAP BIOS settings also). There is always the ;... :/
I don't know where I made a mistake (if there is one). I haven't found
a site where someone was able to boot a WRAP system without using
C/H/S. Looks like OpenBSD's bootloader isn't able to boot a WRAP
system in LBA mode. I'm only wondering why FreeBSD / Linux seem
to be able to.
I'll go ahead building my system (based on flashdist), perhaps
I'll try to get rid of the C/H/S problem afterwards.

> Good luck, let us know how it works out?

I think I'll need that... ;-) Let me know if you have further
tips / ideas. I'll let you know if I find a solution.

> Jeffrey Quast

Regards
  Hagen Volpers



Re: WPA support / creating a cf image

2006-08-04 Thread openbsd misc
>> I understand this is a problem of target systems translating C/H/S
>> values differently. There is no problem in dynamically using OpenBSD's
>> idea of C/H/S values at build time. However, OpenBSD on two different
>> machines can provide completely different C/H/S values on the exact
>> same card. Correct me if I'm wrong.

> [...]
> 
> Just because flashdist asks for C/H/S doesn't mean that the image must be
> applied to a card with that exact C/H/S.  This was the case before OpenBSD
> switched to the LBA based MBR.  Now, as long as the CF image fits on the card,
> it should boot.

It should boot, but it doesn't.  I'm using a WRAP system and:

[...]
Using drive 0, partition 3;
Loading;.
[...]

For some reason I cannot use LBA (even if I switch it in the WRAP BIOS). I
wasn't able to figure out how. If I use your script everything is
working...
What I don't understand is, why other systems work (m0n0wall for
example).
Any idea?

Regards
  Hagen Volpers



Re: WPA support / creating a cf image (SOLVED)

2006-08-04 Thread openbsd misc
I got it working now. Looks like the WRAP system simulates some kind
of C/H/S in LBA mode. OpenBSD is still telling me that I'm in C/H/S
mode:

Using drive 0, partition 3;
Loading;.

But more important is this:

01F0 Master 848A SAMSUNG CF/ATA
Phys C/H/S 1010/16/63 Log C/H/S 505/32/63

The log values seem to be identical on every CF card (except cylinders).
My two CF cards are totally different:

128MB - C/H/S 498/16/32
512MB - C/H/S 1010/16/63

I'm able to boot both cards with the same image (created with the flashdist
wrapper script - gzipped image - written with physdiskwrite under Windows).

I set cylinders to 60 to get a 60MB image and everything is working
fine now.

Btw, why do I not need to change the bios setting for the m0n0wall
image?
Any idea?

Regards
  Hagen Volpers

>> I understand this is a problem of target systems translating C/H/S
>> values differently. There is no problem in dynamically using OpenBSD's
>> idea of C/H/S values at build time. However, OpenBSD on two different
>> machines can provide completely different C/H/S values on the exact
>> same card. Correct me if I'm wrong.

> [...]
> 
> Just because flashdist asks for C/H/S doesn't mean that the image must be
> applied to a card with that exact C/H/S.  This was the case before OpenBSD
> switched to the LBA based MBR.  Now, as long as the CF image fits on the card,
> it should boot.

It should boot, but it doesn't.  I'm using a WRAP system and:

[...]
Using drive 0, partition 3;
Loading;.
[...]

For some reason I cannot use LBA (even if I switch it in the WRAP BIOS). I
wasn't able to figure out how. If I use your script everything is
working...
What I don't understand is, why other systems work (m0n0wall for
example).
Any idea?

Regards
  Hagen Volpers
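The C/H/S-versus-LBA problem this thread circles around is visible in the MBR partition table itself: every entry carries both a C/H/S start, whose meaning depends on the geometry the BIOS reports, and a 32-bit LBA start, which does not. The Python below is an added example, not code from the thread, from flashdist or from OpenBSD; it builds a one-partition MBR on a host that sees the card as 16 heads/63 sectors (the physical geometry in the post above), then shows where a C/H/S-based loader on a BIOS that reports the logical geometry 32 heads/63 sectors would look for the boot partition, compared with an LBA-based loader. The partition type 0xA6 (OpenBSD) and the start sector 1008 are constructed for the demonstration.

```python
"""Decode and build MBR partition entries to show why a C/H/S-addressed image
is geometry dependent while an LBA-addressed one is not.
Added example with constructed data; not from the thread."""
import struct

PART_TABLE_OFFSET = 446
ENTRY_SIZE = 16
OPENBSD_TYPE = 0xA6


def chs_to_lba(cyl, head, sect, heads, sectors):
    """Classic BIOS translation: LBA = (C * H + h) * S + (s - 1)."""
    return (cyl * heads + head) * sectors + (sect - 1)


def lba_to_chs(lba, heads, sectors):
    cyl, rem = divmod(lba, heads * sectors)
    head, sect = divmod(rem, sectors)
    return cyl, head, sect + 1          # sectors are numbered from 1


def encode_chs(cyl, head, sect):
    """Pack C/H/S into the 3-byte MBR form (10-bit cylinder, split over two bytes)."""
    if cyl > 1023 or head > 255 or not 1 <= sect <= 63:
        raise ValueError("C/H/S out of range for an MBR entry")
    return bytes([head, (sect & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])


def decode_chs(b):
    head = b[0]
    sect = b[1] & 0x3F
    cyl = ((b[1] & 0xC0) << 2) | b[2]
    return cyl, head, sect


def build_entry(start_lba, size, heads, sectors, ptype=OPENBSD_TYPE, active=True):
    """One 16-byte partition entry; C/H/S fields computed for the *host* geometry."""
    start_chs = encode_chs(*lba_to_chs(start_lba, heads, sectors))
    end_chs = encode_chs(*lba_to_chs(start_lba + size - 1, heads, sectors))
    return (bytes([0x80 if active else 0x00]) + start_chs + bytes([ptype])
            + end_chs + struct.pack("<II", start_lba, size))


def build_mbr(entries):
    if len(entries) > 4:
        raise ValueError("MBR holds at most four primary partitions")
    table = b"".join(entries) + b"\x00" * (ENTRY_SIZE * (4 - len(entries)))
    return bytes(PART_TABLE_OFFSET) + table + b"\x55\xAA"   # boot code left zeroed


def parse_mbr(mbr):
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a valid signature")
    parts = []
    for i in range(4):
        e = mbr[PART_TABLE_OFFSET + i * ENTRY_SIZE:PART_TABLE_OFFSET + (i + 1) * ENTRY_SIZE]
        if e[4] == 0:
            continue                    # empty slot
        lba_start, sectors = struct.unpack("<II", e[8:16])
        parts.append({"active": e[0] == 0x80, "type": e[4],
                      "chs_start": decode_chs(e[1:4]), "chs_end": decode_chs(e[5:8]),
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def boot_start_sector(mbr, heads, sectors, use_lba):
    """Sector a boot loader reads the active partition from, given the geometry
    the target BIOS reports and whether the loader uses LBA or C/H/S."""
    active = next(p for p in parse_mbr(mbr) if p["active"])
    if use_lba:
        return active["lba_start"]
    return chs_to_lba(*active["chs_start"], heads, sectors)


def demo():
    # Image built on a host that sees the card as 16 heads / 63 sectors,
    # partition starting on cylinder 1 (sector 1008), 60 cylinders long.
    host_heads, host_sectors = 16, 63
    mbr = build_mbr([build_entry(1008, 60 * host_heads * host_sectors,
                                 host_heads, host_sectors)])
    # Target BIOS reports the logical geometry 32 heads / 63 sectors.
    target_heads, target_sectors = 32, 63
    return {
        "chs_on_host": boot_start_sector(mbr, host_heads, host_sectors, use_lba=False),
        "chs_on_target": boot_start_sector(mbr, target_heads, target_sectors, use_lba=False),
        "lba_on_target": boot_start_sector(mbr, target_heads, target_sectors, use_lba=True),
    }


if __name__ == "__main__":
    print(demo())
```

With the same MBR, the C/H/S path resolves to sector 1008 on the host but 2016 on the target, while the LBA field gives 1008 on both; that is the whole difference between an image that only boots on identical cards and one that boots wherever it fits.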



Re: Smallest OpenBSD box

2006-08-08 Thread openbsd misc
Hello,

> Hi,
> 
> I would like to know that is the smallest box ( in terms of size )
> that can be used to Install OpenBSD and used as a firewall. It should
> have a hard disk also, and atleast 2 NIC Interfaces.

The smallest box I know is a WRAP system (www.pcengines.ch). It's
15x15cm, up to 3 NICs, one or two mini-PCI slots, and one serial port.

> Thankyou so much

no problem... ;-)

> Kind Regards
> 
> Siju 

Regards
  Hagen Volpers



Re: Apache proxy settings not working

2006-08-08 Thread openbsd misc
Hello,

> No it's reverse. I want all incoming requests from the Internet to a 
> certain virtual host (in this case webmail.sendmail.tv) to be redirected 
> to an internal host running the webmail app server (on 10.10.33.3 port
> 81). For some reason, the proxy in OpenBSD's httpd doesn't take the 
> 10.10.33.3 portion and replaces it with 0.0.0.0. So this request 
> fails...I saw another poster post a similar bug (on the same arch - SPARC).

Did you try it with a DNS name? I'm using /var/www/etc/hosts (httpd is
chrooted by default) for that.

> Warm regards,

Regards
  Hagen Volpers



Re: broadcast IPs in a public /29 block

2006-08-08 Thread openbsd misc
Hello,

> while mucking around with reverse DNS for a /29 public netblock i use, i noticed
> that my ISP, SBC, had only aliased 6 of the 8 IPs in the /29 block for use with
> rDNS. after seeing this, i did a bit of homework and found graham toal's
> explanation of the "missing" IPs ( http://www.gtoal.com/subnet.html ) which
> presents this issue quite clearly. this did leave me with some additional
> questions though.

it's very important to understand how IP subnetting and routing
work. Many people don't understand it (like DNS). That's why even companies
like Microsoft have problems in their networks / DNS. Read it carefully and
think about it. Having a deeper look into the RFCs is also a good idea.

> i have been hosting websites on these reserved boundary IPs in the /29 block
> with no trouble using binat. should i not be doing this since these are reserved
> IPs for broadcast? i have moved one domain from the boundary already since it
> needed rDNS setup. how regularly are these reserved broadcast addresses at the
> beginning and end of the netblock used and for what sorts of services?

These reserved IP addresses are needed, so it's very regular. Using binat
is a way to avoid losing IP addresses, but it's unusual. There is no problem
in using them (like you did), but it's also normal that you cannot set rDNS
entries for those. Normally you route a net and do not binat it; therefore the
two reserved IP addresses are needed.
Talk to your ISP and ask if he can set your rDNS entries manually. 

> cheers,
> jake

Regards
  Hagen Volpers



Re: Apache proxy settings not working

2006-08-08 Thread openbsd misc
> openbsd misc wrote:
> 
> > Did you try it with a dns name? I'm using /var/www/etc/hosts (httpd is
> > chrooted per default) for that.
> 
> Bingo!

;-)

> # mkdir /var/www/etc/
> # cp /etc/hosts /var/www/etc/hosts
> # chown -R www:www /var/www/etc/hosts

Your chown is not a good idea. It should be:

chown root:wheel /var/www/etc/hosts
chmod 644 /var/www/etc/hosts

Never give write access to a webserver... ;-)

> It works!! Thank you

No problem... ;-)

Regards
  Hagen Volpers
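The rule in the reply above (the web server must not be able to write to anything in its chroot that it only needs to read) is easy to check mechanically: walk the chroot and list every inode the www uid/gid could modify. The Python below is an added example, not part of the thread and not something shipped with OpenBSD's httpd. It builds a throwaway chroot layout under a temporary directory (constructed, with a made-up hosts file) and audits it for a given www uid/gid. Because the demo cannot chown files without root, it runs the audit twice: once pretending the www user is the current user (the effect of the quoted `chown -R www:www`), and once with a distinct uid/gid (the effect of `chown root:wheel` plus mode 644).

```python
"""Audit a web-server chroot for files the server's own uid/gid could write.
Added example with constructed data; not from the thread or from httpd."""
import os
import stat
import tempfile


def writable_by(st, uid, gid):
    """True if a (non-root) process running as uid/gid could write this inode."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_chroot(root, www_uid, www_gid, allow=()):
    """Return chroot-relative paths the web server could modify.

    `allow` lists paths that are meant to be writable (an upload directory, say)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                        # symlink mode bits are not meaningful
            rel = os.path.relpath(path, root)
            if rel in allow:
                continue
            if writable_by(st, www_uid, www_gid):
                findings.append(rel)
    return sorted(findings)


def demo():
    """Build a constructed chroot and audit it under two ownership assumptions."""
    me_uid, me_gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        os.chmod(etc, 0o755)
        hosts = os.path.join(etc, "hosts")
        with open(hosts, "w") as f:             # constructed hosts file
            f.write("127.0.0.1 localhost\n10.10.33.3 webmail-backend\n")
        os.chmod(hosts, 0o644)
        logs = os.path.join(root, "logs")
        os.mkdir(logs)
        os.chmod(logs, 0o755)
        tmp = os.path.join(root, "tmp")
        os.mkdir(tmp)
        os.chmod(tmp, 0o1777)                   # world-writable on purpose

        # Case 1: everything owned by the www user itself (the quoted chown -R www:www).
        owned_by_www = audit_chroot(root, me_uid, me_gid)
        # Case 2: www is a different uid/gid from the owner (chown root:wheel + 644).
        # The +100000 offset is just an id that does not own these files.
        owned_by_root = audit_chroot(root, me_uid + 100000, me_gid + 100000)
        return owned_by_www, owned_by_root


if __name__ == "__main__":
    bad, good = demo()
    print("owned by www :", bad)
    print("owned by root:", good)
```

In the first case every directory and the hosts file itself come back as writable, although the mode is 644, because the owner bit belongs to the web server; in the second only the deliberately world-writable `tmp` is reported. Run the audit against a real `/var/www` with the uid/gid of the `www` account and an allow-list of the few paths that legitimately need writing.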



Re: Smallest OpenBSD box

2006-08-08 Thread openbsd misc
That's true. He didn't write his requirements. I'm handling everything
on ramdisks (dnscache from djbdns, squid, log files) and it's working
fine (for a small environment). Soekris are more expensive, but they
have advantages... :-)
Openbrick could also be an option. I bought some machines here: 
http://www.visionsystems.de/ (Embedded Systems)
It's a German company but I think they ship to other countries, too.

Regards
  Hagen Volpers

> The wrap does not support HDDs, CF only. You'll be better off with a soekris:
> 
> http://www.soekris.com/
> 
> Cheers z0mbix
> 
> On 08/08/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > > Hi,
> > >
> > > I would like to know that is the smallest box ( in terms of size )
> > > that can be used to Install OpenBSD and used as a firewall. It
should
> > > have a hard disk also, and atleast 2 NIC Interfaces.
> >
> > The smallest box I know is a WRAP system (www.pcengines.ch). It's
> > 15x15cm,
> > up to 3 nics, one or two mini-pci slots, and one serial port.
> >
> > > Thankyou so much
> >
> > no problem... ;-)
> >
> > > Kind Regards
> > >
> > > Siju
> >
> > Regards
> >   Hagen Volpers



smtp proxy

2006-08-09 Thread openbsd misc
Hello,

I'm looking for an SMTP proxy. The idea is that the proxy checks the
SMTP session (whether everything is valid) and forwards the information to an
Exchange server. The forwarding should happen step by step (the SMTP
proxy should be able to drop the session in order to deny the recipient). The mail
itself should be streamed (because the proxy should run in memory only).
Does someone know such a solution?

Regards
  Hagen Volpers



Re: smtp proxy

2006-08-09 Thread openbsd misc
> > openbsd misc wrote:
> > Hello,
> >
> > I'm looking for a smtp proxy. The idea is, that the proxy checks the
> > smtp session (if everything is valid and forward the information to an
> > exchange-server). The forwards should happen step-by-step (the smtp
> > proxy should be able to drop to be able to deny the recipient). The mail
> > itself should be streamed (because the proxy should run in memory only).
> > Does someone know such a solution?
> >
> > Regards
> >   Hagen Volpers
> >
> >
> 
> Hi,
> 
> use a standard smtp daemon (sendmail, postfix or whatever) and put the
> spooling directory in a ramdisk  :-)
> 
> 
> guido

Hi,

the problem is that the SMTP proxy should not be allowed to queue a
message, else the size of the ramdisk would set the maximum message size. To
avoid that, I need a solution that streams the mail after checking the
envelope (SMTP session) information. It should also drop the connection if the
Exchange server is down.
Without that problem I would take qmail.

Regards
  Hagen Volpers



Re: smtp proxy

2006-08-09 Thread openbsd misc
>> Hi,
>> 
>> use a standard smtp daemon (sendmail, postfix or whatever) and put the
>> spooling directory in a ramdisk  :-)
> 
> 
>   Don't bother with the ramdisk. disk is cheap and fast compared
> to smtp.
> 
> 
>   OpenBSD spamd in front of a cluster of sendmail/postfix running
> boxes which have the valid list of recipients, and where the mail ends
> up (i.e. which exchange server[s]). Not hard to do, and scales almost
> infinitely.  spamd box does greylisting and then round robins the smtp
> connections to a cluster of receive/process boxes. Those boxes have 
> the list of valid users, and if you want can do some sort of mail
> filtering/processing (i.e. spamassassin, clamav, etc. etc.) whatever
> gets through that is forwarded on to MmmSexChange.
> 
>   Fooling around with ramdisk/passthrough stuff is more trouble
> than it is worth.

The only thing I can use is a ramdisk. I want it to run on a WRAP
system. Writing to the CF card is not an option, and all I have
is 128MB of RAM. There are only two options:

- forward 25 -> Exchange (not a good one... I think you know why ;-))
- check the envelope information -> forward to Exchange, stream the
  message

I hope that makes it clearer (my mistake in my first mails ;-))

>   -Bob
Regards
  Hagen Volpers
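The behaviour described in this sub-thread (validate the envelope command by command, refuse unknown recipients before any message data is accepted, refuse to proceed when the backend is down, never spool to disk) is an SMTP state machine sitting in front of the DATA command. The Python below is an added example, not an existing tool and not code from the thread; it models only the envelope phase, with the recipient list and the backend-availability flag as constructed inputs (a real proxy would learn valid recipients from the Exchange side and probe it with a TCP connect). Everything after the 354 reply would be relayed to the backend as it arrives; that streaming part is not modelled here.

```python
"""Envelope-checking front end for an SMTP proxy: accept or reject each
command before any message data is taken. Added example with constructed
inputs; not an existing project and not code from the thread."""


def parse_path(arg, keyword):
    """Extract the address from 'FROM:<a@b>' / 'TO:<a@b>' (ESMTP parameters
    after it are ignored). Returns None on a syntax error, '' for the null sender <>."""
    if not arg.upper().startswith(keyword):
        return None
    rest = arg[len(keyword):].strip().split(" ", 1)[0]
    if not (rest.startswith("<") and rest.endswith(">")):
        return None
    addr = rest[1:-1]
    if addr and "@" not in addr:
        return None
    return addr


class EnvelopeGate:
    def __init__(self, valid_rcpts, backend_up=True, max_rcpts=100):
        self.valid = {r.lower() for r in valid_rcpts}   # constructed recipient list
        self.backend_up = backend_up                     # would come from a probe
        self.max_rcpts = max_rcpts
        self.helo = None
        self.state = "connected"
        self._reset_envelope()

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpts = []

    def greeting(self):
        """Banner sent on connect; refuse outright when the backend is down."""
        if not self.backend_up:
            self.state = "closed"
            return "421 proxy Service not available, closing transmission channel"
        return "220 proxy ESMTP"

    def feed(self, line):
        """Handle one client command line; return the reply the proxy sends."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            self._reset_envelope()
            return "250 proxy"
        if verb == "RSET":
            self._reset_envelope()
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            self.state = "closed"
            return "221 Bye"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Send HELO/EHLO first"
            if self.mail_from is not None:
                return "503 Sender already specified"
            addr = parse_path(arg, "FROM:")
            if addr is None:
                return "501 Syntax: MAIL FROM:<address>"
            self.mail_from = addr
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command"
            addr = parse_path(arg, "TO:")
            if not addr:
                return "501 Syntax: RCPT TO:<address>"
            if addr.lower() not in self.valid:
                return "550 No such user here"      # refused before DATA, nothing queued
            if len(self.rcpts) >= self.max_rcpts:
                return "452 Too many recipients"
            self.rcpts.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command"
            if not self.backend_up:
                self.state = "closed"               # drop rather than spool
                return "421 Backend unavailable, closing transmission channel"
            self.state = "streaming"                # from here bytes go straight to the backend
            return "354 End data with <CR><LF>.<CR><LF>"
        return "502 Command not implemented"


def run_session(gate, lines):
    """Feed a scripted client session and collect the replies (banner first)."""
    replies = [gate.greeting()]
    for line in lines:
        if gate.state == "closed":
            break
        replies.append(gate.feed(line))
    return replies


if __name__ == "__main__":
    gate = EnvelopeGate(["alice@example.com"])
    for reply in run_session(gate, ["EHLO client.example.net",
                                    "MAIL FROM:<bob@external.example>",
                                    "RCPT TO:<mallory@example.com>",
                                    "RCPT TO:<alice@example.com>", "DATA"]):
        print(reply)
```

The unknown recipient is rejected with 550 while the session is still in the envelope phase, so the proxy never holds message bytes for it; only after 354 does any data flow, and by then the backend has already been confirmed reachable.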



pf - strange behavior

2006-08-10 Thread openbsd misc
Hello,

I have a problem I have no explanation for. Here's the situation: I have
a Windows XP client pinging (ping -t) an internet host (NAT through my
OBSD test system). That's my pf.conf:

# cat /etc/pf.conf
ext_if="pppoe0"
int_if="sis1"
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

After rebooting my OBSD system (while the ping is running), the ping
cannot get through when the system comes up again. The OBSD system
sends out ICMP packets without NAT. The source IP address is
192.168.122.128, but it should be the public IP address of the
OBSD system (first line):


# pfctl -ss
all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52557 -> 84.60.163.18:54733 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52558 -> 84.60.163.18:53237 -> 151.189.21.113:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52559 -> 84.60.163.18:55113 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52562 -> 84.60.163.18:58754 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52563 -> 84.60.163.18:54019 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52569 -> 84.60.163.18:62152 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52570 -> 84.60.163.18:61073 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52574 -> 84.60.163.18:51917 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52575 -> 84.60.163.18:53399 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2


The really strange thing is the Windows Server 2003 (192.168.122.16).
It's also running the ping all the time. Its packets get caught by the
NAT rule correctly.
If I stop the ping on the Windows XP system, wait 10sec (icmp.error
value) and ping again, everything is working fine:

after 10sec:
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85   0:0


And here's my question: WHY? =) As you can see, the Windows server
created several connections. I think that its ICMP packets get
caught by NAT because it creates other connections, too.

Btw, I'm using kernel-based pppoe (using spppcontrol) to get a
connection to my ISP.

Before you ask, here is some more information =):

# pfctl -sa
TRANSLATION RULES:
nat on pppoe0 from ! (pppoe0) to any -> (pppoe0:0)

FILTER RULES:
scrub in all fragment reassemble
block return in all
pass out all keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! sis1 inet from 192.168.122.0/24 to any
block drop in quick inet from 192.168.122.2 to any
block drop in quick on sis1 inet6 from fe80::20d:b9ff:fe04:5ea5 to any
pass in on pppoe0 inet proto tcp from any to (pppoe0) port = ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto tcp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass in quick inet proto udp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass quick on sis1 all
No queue in use

STATES:
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840
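pf looks a packet up in the state table before it evaluates the rule set, so whatever translation (or lack of one) a state was created with is reused for every later packet that matches it, for as long as traffic keeps refreshing the state. The Python below is an added model of that behaviour, not pf code and not a diagnosis from the thread. It assumes, as a hypothesis, that the XP host's first echo request arrived while pppoe0 had no address yet, so `($ext_if:0)` had nothing to translate to and an untranslated state was created; the addresses, the 10 s ICMP timeout and the translated port numbers are constructed from the posted state listing.

```python
"""Minimal model of pf's state-before-rules lookup with interface-address NAT.
Added example; constructed addresses and timings, not pf itself."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class State:
    key: Tuple[str, str, str, int]
    translated_src: Optional[str]     # None = state created without NAT
    expires: float


class StatefulNat:
    def __init__(self, icmp_timeout=10.0):
        self.ext_addr = None          # ($ext_if:0): unknown until pppoe0 is up
        self.timeout = icmp_timeout
        self.states = {}
        self.next_port = 5000         # constructed; pf picks random ports

    def set_ext_addr(self, addr):
        self.ext_addr = addr

    def _expire(self, now):
        for key in [k for k, s in self.states.items() if s.expires <= now]:
            del self.states[key]

    def icmp_echo(self, now, src, dst, icmp_id):
        """Process one outbound echo request; return the source it leaves with."""
        self._expire(now)
        key = ("icmp", src, dst, icmp_id)
        st = self.states.get(key)
        if st is None:
            # No matching state: evaluate
            #   nat on $ext_if from !($ext_if) -> ($ext_if:0)
            # Assumption of this model: with no address on $ext_if the rule
            # cannot translate, so the state is created without NAT.
            if self.ext_addr is not None:
                tsrc = f"{self.ext_addr}:{self.next_port}"
                self.next_port += 1
            else:
                tsrc = None
            st = State(key, tsrc, now + self.timeout)
            self.states[key] = st
        else:
            st.expires = now + self.timeout   # every packet refreshes the state
        return st.translated_src or f"{src}:{icmp_id}"


def scenario():
    """Replay the thread's situation; returns (time, host, source-as-sent) tuples."""
    fw = StatefulNat(icmp_timeout=10)
    xp, srv, target = "192.168.122.128", "192.168.122.16", "193.99.144.85"
    log = []

    def ping(t, name, host):
        log.append((t, name, fw.icmp_echo(t, host, target, 512)))

    ping(0, "xp", xp)                     # firewall just booted, pppoe0 has no address
    fw.set_ext_addr("84.60.163.18")       # link comes up shortly afterwards
    for t in range(1, 21):                # XP keeps pinging once per second
        ping(t, "xp", xp)
        if t == 5:
            ping(t, "srv", srv)           # server starts pinging after the link is up
    # XP stops at t=20; its state expires after icmp_timeout seconds
    ping(31, "xp", xp)
    return log


if __name__ == "__main__":
    for entry in scenario():
        print(*entry)
```

In the replay the XP host's packets keep leaving untranslated for as long as it pings without pause, the server's later ping is translated normally, and only after the XP state has been idle for the ICMP timeout does a fresh, translated state appear, which matches the sequence of `pfctl -ss` listings above. Whether the missing address at boot is really what created the first state would need to be confirmed on the box (for instance by checking `pfctl -ss` right after boot, before the link is up).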

FW: pf - strange behavior

2006-08-19 Thread openbsd misc
Hello,

nobody has an answer for that? :/ Or was my explanation not English enough? =) 
Please let me know if something is ambiguous.

Regards
  Hagen Volpers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of openbsd misc
Sent: Thursday, 10 August 2006 23:31
To: OpenBSD Misc
Subject: pf - strange behavior

Hello,

I have a problem I have no explanation for. Here's the situation: I have
a Windows XP client pinging (ping -t) an internet host (NAT through my
OBSD test system). That's my pf.conf:

# cat /etc/pf.conf
ext_if="pppoe0"
int_if="sis1"
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

After rebooting my OBSD system (while the ping is running), the ping
cannot get through when the system comes up again. The OBSD system
sends out ICMP packets without NAT. The source IP address is
192.168.122.128, but it should be the public IP address of the
OBSD system (first line):


# pfctl -ss
all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52557 -> 84.60.163.18:54733 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52558 -> 84.60.163.18:53237 -> 151.189.21.113:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52559 -> 84.60.163.18:55113 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52562 -> 84.60.163.18:58754 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52563 -> 84.60.163.18:54019 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52569 -> 84.60.163.18:62152 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52570 -> 84.60.163.18:61073 -> 212.227.85.5:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52574 -> 84.60.163.18:51917 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52575 -> 84.60.163.18:53399 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2


The really strange thing is the windows server 2003 (192.168.122.16).
He's also running the ping all the time. His packages get caught by the
nat rule correctly.
If I stop the ping on the windows xp system, wait 10sec (icmp.error value)
and ping again, everything is working fine:

after 10sec:
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85   0:0


And here's my question: WHY? =) As you can see the windows server
created several connections. I think that the icmp packages get
caught by nat because he creates other connections, too.

Btw, I'm using kernel based pppoe (using spppcontrol) to get a
connection to my isp.

Before you ask, here is some more information =):

# pfctl -sa
TRANSLATION RULES:
nat on pppoe0 from ! (pppoe0) to any -> (pppoe0:0)

FILTER RULES:
scrub in all fragment reassemble
block return in all
pass out all keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! sis1 inet from 192.168.122.0/24 to any
block drop in quick inet from 192.168.122.2 to any
block drop in quick on sis1 inet6 from fe80::20d:b9ff:fe04:5ea5 to any
pass in on pppoe0 inet proto tcp from any to (pppoe0) port = ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto tcp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass in quick inet proto udp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass quick on sis1 all
No queue in use

STATES:
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123   MULTIPLE:MULTIPLE
all udp 

Re: pf - strange behavior

2006-08-19 Thread openbsd misc
> On 8/19/06, openbsd misc <[EMAIL PROTECTED]> wrote:
>> Hello,
>>
>> nobody has an answer for that? :/ Or was my explanation not English
>> enough? =) Please let me know if something is ambiguous.
>>
>> Regards
>>   Hagen Volpers
>>
>
> Hi,
Hello,

> I do not know about pf, but maybe I can help anyway. Did you
> investigate why these two states look different?
> all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
> all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85 0:0

That's exactly my question. ;-) These states should not be different,
but they are...

> Also, have you tried looking at the state table _after_ restarting the
> pings? Does it look the same or different?

Yes. It looks different (like the other line) if you wait for 10 seconds
(udp timeout) before starting the ping again.

I think this behavior is not correct (or my pf.conf isn't). I wasn't able
to figure out why this happens.

I had these problems on a WRAP system (i386).

> -Nick

Regards
  Hagen Volpers



Re: pf - strange behavior

2006-08-20 Thread openbsd misc
On 8/19/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > > On 8/19/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > >> Hello,
> > >>
> > >> nobody has an answer for that? :/ Or was my explanation not English
> > >> enough? =) Please let me know if something is ambiguous.
> > >>
> > >> Regards
> > >>   Hagen Volpers
> > >>
> > >
> > > Hi,
> > Hello,
> >
> > > I do not know about pf, but maybe I can help anyway. Did you
> > > investigate why these two states look different?
> > > all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
> > > all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
> >
> > That's exactly my question. ;-) These states should not be different,
> > but they are...
> >
> > > Also, have you tried looking at the state table _after_ restarting the
> > > pings? Does it look the same or different?
> >
> > Yes. It looks different (like the other line) if you wait for 10 seconds
> > (udp timeout) before starting the ping again.
> 
> Okay, so clearly the answer is here.
> 
> The one that works is being set up to redirect through 84.60.163.18 (I
> assume this is your router?). The one that doesn't is sending directly
> to the outside world.
> 
> 
Hello,

as you can see both should be kept by the same rules:

# cat /etc/pf.conf
ext_if="pppoe0"
int_if="sis1"
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if

The public ip address you mentioned is the one on pppoe interface. There
are no other entries that could make any changes (I wrote the rc script
on my own =)).

> 
> I don't know what that printout means! It's not documented in the
> manpage. Probably have to check the source to see what it is... Here
> that source is, from /sbin/pfctl/pf_print_state.c:
> void
> print_state(struct pf_state *s, int opts)
> {
>   struct pf_state_peer *src, *dst;
>   struct protoent *p;
>   int min, sec;
> 
>   if (s->direction == PF_OUT) {
>   src = &s->src;
>   dst = &s->dst;
>   } else {
>   src = &s->dst;
>   dst = &s->src;
>   }
>   printf("%s ", s->u.ifname);
>   if ((p = getprotobynumber(s->proto)) != NULL)
>   printf("%s ", p->p_name);
>   else
>   printf("%u ", s->proto);
>   if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
>   (s->lan.port != s->gwy.port)) {
>   print_host(&s->lan, s->af, opts);
>   if (s->direction == PF_OUT)
>   printf(" -> ");
>   else
>   printf(" <- ");
>   }
>   print_host(&s->gwy, s->af, opts);
>   if (s->direction == PF_OUT)
>   printf(" -> ");
>   else
>   printf(" <- ");
>   print_host(&s->ext, s->af, opts);
> 
>   printf("");
>   if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
>   dst->state < PFOTHERS_NSTATES) {
>   /* XXX ICMP doesn't really have state levels */
>   const char *states[] = PFOTHERS_NAMES;
> 
>   printf("   %s:%s\n", states[src->state], states[dst->state]);
>   }
> 
> 
> It would seem that, for some reason, on the one that doesn't work,
> PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) fails (and presumably the
> other test in that if fails because ICMP lacks ports). Yeah. Um, still
> confused. Too bad PF_ANEQ is a macro, so not in the manpages. Perhaps
> grep the tree for it?

Unfortunately I'm not a developer... :(


> -Nick

Regards
  Hagen Volpers
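An added example (not code from any post in this thread): a parser for pfctl -ss lines in the print_state() format quoted above, which flags outbound states whose private source address was never rewritten by NAT, i.e. exactly the "192.168.122.128:512 -> 193.99.144.85" state discussed here. The sample lines are constructed from the states shown in the thread; LAN_NET is an assumption.

```python
"""Parse pfctl -ss output in the OpenBSD 3.x/4.x print_state() format and
flag outbound states that left with a private source and no translation.
Added example, not from the mailing-list posts."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# print_state() only emits the "lan -> gwy ->" prefix when lan and gwy
# differ, so a state with just two hosts is one pf never translated.
LINE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<hosts>\S+(?:\s+(?:->|<-)\s+\S+)+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)

LAN_NET = ipaddress.ip_network("192.168.122.0/24")   # assumption: the inside net


class State(NamedTuple):
    ifname: str
    proto: str
    outbound: bool        # True for "->", False for "<-"
    lan: str              # address on the inside of the translation
    gwy: str              # address pf presents to the far end
    ext: str              # far-end address
    translated: bool      # pf printed a separate lan host
    state: Optional[str]  # e.g. "0:0" or "ESTABLISHED:ESTABLISHED"


def split_host(token: str) -> str:
    """Return the address part of 'addr:port' (IPv4 only; the constructed
    sample contains no IPv6 states)."""
    addr, _, port = token.rpartition(":")
    return addr if port.isdigit() and addr else token


def parse_state(line: str) -> Optional[State]:
    """Parse one pfctl -ss line; None for headers or anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = re.split(r"\s+(->|<-)\s+", m.group("hosts"))
    arrows, hosts = parts[1::2], [split_host(h) for h in parts[0::2]]
    outbound = arrows[0] == "->"
    if len(hosts) == 3:            # lan -> gwy -> ext: translated
        lan, gwy, ext = hosts
        translated = True
    elif len(hosts) == 2:          # gwy -> ext with lan == gwy: untranslated
        gwy, ext = hosts
        lan, translated = gwy, False
    else:
        return None
    return State(m.group("ifname"), m.group("proto"), outbound,
                 lan, gwy, ext, translated, m.group("state"))


def untranslated_private_states(text: str,
                                private: ipaddress.IPv4Network) -> List[State]:
    """Outbound states whose source is inside `private` but was not rewritten.
    These are the packets that reach the ISP with an RFC 1918 source."""
    leaks = []
    for line in text.splitlines():
        st = parse_state(line)
        if st is None or not st.outbound or st.translated:
            continue
        try:
            src = ipaddress.ip_address(st.gwy)
        except ValueError:
            continue
        if src in private:
            leaks.append(st)
    return leaks


# Constructed sample, taken from the states shown earlier in this thread.
SAMPLE = """\
STATES:
all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123   MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840   ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110   FIN_WAIT_2:FIN_WAIT_2
"""

if __name__ == "__main__":
    for st in untranslated_private_states(SAMPLE, LAN_NET):
        print(f"untranslated {st.proto} state: {st.lan} -> {st.ext}")
```

Feed it real output with `pfctl -ss | python3 thisfile.py`-style piping by replacing SAMPLE with sys.stdin.read(); every line it prints is a state that bypassed the nat rule.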



Re: pf - strange behavior

2006-08-20 Thread openbsd misc
> On 8/20/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > On 8/19/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > > > > On 8/19/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > > > >> Hello,
> > > > >>
> > > > >> nobody has an answer for that? :/ Or was my explanation not English
> > > > >> enough? =) Please let me know if something is ambiguous.
> > > > >>
> > > > >> Regards
> > > > >>   Hagen Volpers
> > > > >>
> > > > >
> > > > > Hi,
> > > > Hello,
> > > >
> > > > > I do not know about pf, but maybe I can help anyway. Did you
> > > > > investigate why these two states look different?
> > > > > all icmp 192.168.122.128:512 -> 193.99.144.85   0:0
> > > > > all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85   0:0
> > > >
> > > > That's exactly my question. ;-) These states should not be different,
> > > > but they are...
> > > >
> > > > > Also, have you tried looking at the state table _after_ restarting the
> > > > > pings? Does it look the same or different?
> > > >
> > > > Yes. It looks different (like the other line) if you wait for 10 seconds
> > > > (udp timeout) before starting the ping again.
> > >
> > > Okay, so clearly the answer is here.
> > >
> > > The one that works is being set up to redirect through 84.60.163.18 (I
> > > assume this is your router?). The one that doesn't is sending directly
> > > to the outside world.
> > >
> > >
> > Hello,
> >
> > as you can see both should be kept by the same rules:
> 
> This is the router machine?

Yes, it is.

> > # cat /etc/pf.conf
> > ext_if="pppoe0"
> > int_if="sis1"
> > set block-policy return
> > set skip on lo
> > scrub in
> > nat on $ext_if from !($ext_if) -> ($ext_if:0)
> > block in
> > pass out keep state
> > antispoof quick for { lo $int_if }
> > pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
> > pass in inet proto icmp all icmp-type echoreq keep state
> > pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
> > pass quick on $int_if
> >
> > The public ip address you mentioned is the one on pppoe interface. There
> > are no other entries that could make any changes (I wrote the rc script
> > on my own =)).
> 
> misc@ might yell at you for this. I think it's neat, and I like how
> OpenBSD is so simple and clean that I understand I could do that
> completely. However, rc does a lot of stuff, and it's best not to
> tamper with. It also invokes side scripts like netstart. Use rc.local
> and rc.local.conf instead.

I thought that I had a problem in my rc script, too. The installation
is based on flashdist. That's why I'm not able to put back the old rc
script (too many commands are missing). The point is that two
machines are treated differently. I don't think this problem can
be found in my rc script. I copied the stuff from netstart and the
pf start is identical to the rc script.
I think there can be only two reasons for this:
- a bug
- a misconfiguration in my pf.conf

> Try putting the old rc back and see if it fixes things. If it does,
> great. If you still have some time maybe go through and diff it to
> your version and figure out what changed.
> 
> 
> 
> The key point I found in the source was this:
> 
> > >   if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
> > >   (s->lan.port != s->gwy.port)) {
> > >   print_host(&s->lan, s->af, opts);
> > >   if (s->direction == PF_OUT)
> > >   printf(" -> ");
> > >   else
> > >   printf(" <- ");
> > >   }
> 
> Because it is that which causes the intermediate host to be printed
> for the state which works.
> 
> > > It would seem that, for some reason, on the one that doesn't work,
> > > PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) fails (and presumably the
> > > other test in that if fails because ICMP lacks ports). Yeah. Um, still
> > > confused. Too bad PF_ANEQ is a macro, so not in the manpages. Perhaps
> > > grep the tree for it?
> >
> > Unfortunately I'm not a developer... :(
> >
> 
> Neither am I. I found this by going to http://www.openbsd.org,
> clicking "Getting Source"->"Web" and finding the code for pfctl. I
> don't have a working OpenBSD system right now to check out the source
> on, and I was hoping you could. See
> <http://www.openbsd.org/anoncvs.html>
> 
> Or do you mean "I don't know C"?

Yes, I do... =)

> -Nick

Regards
  Hagen Volpers



Volume manager

2006-08-24 Thread openbsd misc
Hello,

I'm looking for a volume manager comparable to LVM. Is there
a well-tended solution for openbsd? I want to be able to
create / resize partitions at runtime, raid functionality
is not needed.

Regards
  Hagen Volpers



Re: ssh auth

2006-08-26 Thread openbsd misc
Hiho,

> i have a small problem with a ssh authentication, hope i misunderstood
> it, but.
> 
> i try to copy a file with scp from server to another and scp doesn't ask
> me for a password. problem, i don't setup any key on this box ...
> 
> here the details:
> 
> soekris4801:touche$ ls ~/.ssh
> authorized_keys   known_hosts
> soekris4801:touche$ touch test
> soekris4801:touche$ scp test [EMAIL PROTECTED]:/tmp/
> test   100%0
>  0.0KB/s   00:00
> 
> if debug:
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'file' is known and matches the RSA host key.
> debug1: Found key in /home/touche/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Offering public key: rsa-key-xxx
> debug1: Server accepts key: pkalg ssh-rsa blen 148
> debug1: Authentication succeeded (publickey).
> 
> the key (rsa-key-xxx) exist but, as seen before, not on soekris4801 (no
> id_(dsa|rsa))
> public key is not in authorized_keys (that's another)
> known_hosts if for hosts keys so ...
> 
> how can it offer this public key ???

I think you connected to your soekris by using a private key. SSH can
forward that key to authorize to another host (your soekris box provided
the key you used to authorize to your soekris box).


> thanks
> Regards
> 
>   Julien

Regards
  Hagen Volpers



Re: Apache-problem

2006-09-03 Thread openbsd misc
> Hello!
Hello,

> I have just enabled and tested some stuff with the 3.9-apache server. The
> predefined "It Worked!"-page works as expected. I have added one more
> directory by adding
> 
> 
> Options MultiViews
> AllowOverride None
> Order allow,deny
> Allow from all
> 
> 
> to my httpd.conf

This option is only needed to change directory settings (e.g. security).
In this case it is not needed, because the directory belongs to your
document root.

> the directory my_test is a mount point where I mount my www-drive

Why not mount it under /var/www/htdocs?

> Accessing this directory from internet works as expected, but if I access
> it from the internal (192.168.1.*) network the returned address is my
> hostname (which can not be looked up in any DNS). I would like the server's
> local IP-address to be returned instead (just as when i access the "It
> Worked!"-page).

That doesn't make sense (and can't be) as long as you haven't added a
virtual host. Please add your changes to httpd.conf...

> Since the "It Worked!"-page works without tricks with virtual hosts i
> expect to solve this without using them. How can this be done?

What do you need the virtual host for? I did not understand what you
want to do.

> --
> Jon Sjöstedt
> 
> d00jon()dtek,chalmers!se jonsjostedt[]hotmail:com
> 

Regards
  Hagen Volpers



Re: Apache-problem

2006-09-03 Thread openbsd misc
> > it from the internal (192.168.1.*) network the returned address is my
> > hostname (which can not be looked up in any DNS).
> 
> Set ServerName to the IP address, or fix your DNS.
> 

Depends on his setup and what he wants to do. I think he wants to use
different names to access the same page (internet and intranet). In this
case it makes more sense to set UseCanonicalName Off (and use
ServerAlias if you want a virtual host to react on two names).

Regards
  Hagen Volpers



Re: OpenBSD Wireless Router

2006-09-07 Thread openbsd misc
> On Fri, Sep 08, 2006 at 05:00:16AM +1000, John Tate wrote:
> > I am constantly disappointed with the lack of freedom out-of-the-box
> > wireless routers provide. I am interested in a solution on OpenBSD, because
> 
> I haven't used any Soekris device yet but you may be interested in
> this:
> 
> http://www.soekris.com/net4511.htm
> 

A WRAP system could also be an option www.pcengines.ch

I haven't tried wireless lan with openbsd because it does not support WPA.

Regards
  Hagen Volpers



XEN

2006-09-08 Thread openbsd misc
Hi all,

I wasn't able to figure out if it is possible to run openbsd
as xen guest system. Does anyone know?

Regards
  Hagen Volpers



Slow Wireless, Fast Copper

2008-08-06 Thread OpenBSD Misc
Hi.  I'm at my wits end.

My original configuration:
I have a laptop (HP Pavillion dv9700).  It comes with an integrated Intel
Wireless WiFi Link 4965AGN adapter and is running Vista Home Premium.  I
have a D-Link DWL-2200AP wireless access point.  I have an old Gateway
computer with a P3 processor running at 650 MHz and five NICs that was
running FreeBSD 7.  I have a Westell DSL modem with 3000/768 service through
Verizon.  The Gateway is set up as a firewall with ipf.  The notebook
connects wirelessly to the WAP, which is cabled into a NIC in the firewall,
which is cabled to the DSL modem through a different NIC.

The problem:
I noticed that my wireless was running slowly.  Verizon has a speed testing
website, so I test my speed with it.  My upload speed nearly maxes out at
>700 Kbps no matter what my configuration is.  My download speed doesn't
typically get above 90 Kbps.  BUT, I have a PC running Windows XP Pro
connected to a third NIC in the firewall, and the speed test nearly maxes
out both upload and download speeds.

What I did:
Okay, something's wrong with the wireless link.  I connect the WAP directly
to the DSL modem and retest my speed.  I'm running at FULL speed, so the
problem isn't with the wireless connection between the laptop and the WAP.
So I reconnect the WAP to the firewall with a different (new, prefab,
unopened) ethernet cable and retest.  Download speed sucks again; it's not a
cabling issue.  So I move to a different NIC and retest.  Download speed
still sucks; it's not the NIC.  So I move to the NIC to which my XP PC was
connected (which got fast download speeds) and retested.  Download speed
STILL sucks.  I buy a D-Link DAP-1522 wireless access point and replace the
DWL-2200AP.  I retest and get sucky download speeds.  I've been wanting to
move to OpenBSD and pf for some time now, so I install OpenBSD 4.3 on the
firewall, set up my DSL connection, DNS service, and DHCP service.  I
configure pf with a minimal configuration that basically lets all outbound
traffic pass and blocks all inbound traffic from the internet.  I test
connectivity, and my Vista laptop and XP PC both connect to the Internet and
can talk to each other.  The firewall can talk to everything.  I put all
cables back to their original configuration; everything's connected as it
was when I first noticed the problem except for the new WAP, the new OS, and
the new cable.  I retest my speeds.  I'm back where I started: XP PC gets
full speed internet service, laptop gets sucky download speeds through the
wireless link.  So with OpenBSD on the Gateway I retry everything I just
described above with the new WAP and new cable and get the same results.  I
put everything back to the original configuration again except the WAP, OS,
and cable.  I test the speed over the wireless link again and get sucky
download speeds.  I copy a large file from my XP PC to my laptop (which is
still connected to the firewall wirelessly all this time) and I get GREAT
transfer speeds.

Conclusion:
So I can talk through my WAP and through my firewall to anything else on my
side of the internet connection at full speed, and everything that's not
wireless can talk through the firewall to the internet at full speed.  But I
cannot talk through my WAP and through my firewall to the Internet at full
speed.  I can talk through my WAP to the Internet (not through the firewall)
at full speed.

Can anyone please offer some assistance?

Thank you...


Additional information:
The three NICs in the firewall that I tried use the vr, xl, and ne drivers.
The vr has a VIA Rhine or RhineII chipset.  The xl is a 3Com 3c905, and the
ne is a generic card using the Realtek 8029 chipset.


pf.conf:
# Network interfaces
inet_if = "tun0"
home_if = "vr0"
wlan_if = "xl0"
dmz_if = "rl0"

# Miscellaneous macros
localnets = "{ vr0:network, xl0:network, rl0:network }"

# Enable NAT on the internet interface
nat on $inet_if from $localnets to any -> ($inet_if)

block all
pass inet proto tcp from { $inet_if, $localnets } to any
pass inet proto udp from { $inet_if, $localnets } to any
pass inet proto icmp from { $inet_if, $localnets } to any


ifconfig:
lo0: flags=8049 mtu 33208
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet 127.0.0.1 netmask 0xff00
vr0: flags=8843 mtu 1500
lladdr 00:50:ba:e6:73:4c
description: home
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::250:baff:fee6:734c%vr0 prefixlen 64 scopeid 0x1
inet 192.168.55.1 netmask 0xff00 broadcast 192.168.55.255
xl0: flags=8843 mtu 1500
lladdr 00:60:08:5a:14:38
description: wlan
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::260:8ff:fe5a:1438%xl0 prefixlen 64 scopeid 0x2
inet 192.168.56.1 netmask 0xff00 broadcast 192.168.56.255
rl0: flags=8843 mtu 1500
lladdr 00:48:54:4b:bd:32
description: dmz
media: Ethernet autoselect (100baseTX full-duplex)

Re: Redirect traffic based on sub-domain?

2008-04-27 Thread openbsd misc
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Markus Bergkvist
> Sent: Sunday, 27 April 2008 23:45
> To: OpenBSD Misc
> Subject: Redirect traffic based on sub-domain?
>
> Hi,
>
> Is it possible to have PF redirecting traffic based on
> sub-domains? I.e.
> I want traffic to a.mydomain.nu to be redirected to machine 'a and
> traffic to b.mydomain.nu to be redirected to machine 'b'.'
>
> /Markus
>
>

Hi,

that's not possible because the dns-name is not transmitted. It's only used
for ip-lookup (http is IMHO the only exception).

Regards
  Hagen Volpers



Re: WPA in -current

2008-05-10 Thread openbsd misc
http://www.openbsd.org/plus.html

"Enter wpa-psk(8), a tool to generate WPA-PSK keys from the ssid and
passphrase."

http://www.openbsd.org/cgi-bin/man.cgi?query=wpa-psk&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html


Regards
  Hagen Volpers


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Jonathan
> Sent: Sunday, 11 May 2008 06:04
> To: misc@openbsd.org
> Subject: WPA in -current
>
> OpenBSD 4.3-current (GENERIC) #853: Fri May  2 04:37:23 MDT 2008
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
>
> Hardware Info:
>
> ral0 at pci0 dev 9 function 0 "Ralink RT2561S" rev 0x00: irq 5,
> address 00:0e:2e:xx:xx:xx
> ral0: MAC/BBP RT2561C, RF RT2527
>
> # ifconfig ral0
> ral0: flags=8843 mtu 1500
> lladdr 00:0e:2e:xx:xx:xx
> groups: wlan egress
> media: IEEE802.11 autoselect hostap (autoselect mode
> 11b hostap)
> status: active
> ieee80211: nwid obsd_wpa chan 8 bssid 00:0e:2e:xx:xx:xx wpapsk
>  wpaprotos wpa1,wpa2 wpaakms psk,802.1x wpaciphers
> tkip,ccmp wpagroupcipher tkip 100dBm
> inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>
> /etc/hostname.ral0
> inet 192.168.1.1 255.255.255.0 NONE media autoselect \
> mediaopt hostap nwid obsd_wpa chan 8\
> wpa wpapsk 
>
> I have tried connect from a Mac running Leopard, but it is always
> saying "Connection Timeout" after input of the pass-phrase. I have
> tried to connect from a Windows XP box manually selecting WPA-PSK and
> tried both (TKIP and AES), but was still unable to connect. It does
> seem like it is getting connected, since it is saying acquiring
> network address, but it just cycles through acquiring network and not
> connected. I tried to look at the tcpdump but the packets it prints
> are all in hexadecimal.
>
> Jonathan



Re: in-kernel pppoe problems

2008-06-14 Thread openbsd misc
Hello,

sorry, version 4.1 and 4.2. Thanks for your reply, I'll check that.

Regards
  Hagen Volpers

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Pierre Riteau
> Sent: Saturday, 14 June 2008 00:28
> To: misc(at)openbsd.org
> Cc: misc@openbsd.org
> Subject: Re: in-kernel pppoe problems
>
> On Fri, Jun 13, 2008 at 11:24:32PM +0200, misc(at)openbsd.org wrote:
> > Hello,
> >
> > it looks like the in-kernel pppoe causes systems to hang up sometimes. I
> > tested with two systems (completely different hardware) and two different
> > dsl-modems (I'm from Germany - standard tcom modems).
> > Did someone else notice such problems?
> >
> > Here is my hostname.pppoe0:
> > #cat /etc/hostname.pppoe0
> > inet 0.0.0.0 255.255.255.255 NONE \
> > pppoedev bge1 authproto pap \
> > authname 'USERNAME' authkey 'PASSWORD' up
> > dest 0.0.0.1
> > !/sbin/route add default 0.0.0.1
> >
> > # cat /etc/hostname.bge1
> > up
> >
> > Here is the output from the kernel panic:
> >
> > cached lines from terminal server:
> > ddb{0}> 
> > <13/6/2008 11:49:39>pppoe0: LCP keepalive timeout
> > <13/6/2008 11:49:39>kernel: page fault trap, code=0
> > <13/6/2008 11:49:41>Stopped at  softclock+0x2d: movl
> > %edx,0x4(%eax)
> > <13/6/2008 11:49:41>ddb{0}>
> > <13/6/2008 18:29:27>ddb{0}>
> > 
>
> You don't provide information about which version of OpenBSD you are
> running. Anyway, this seems identical to PR 5794 which was fixed in
> -current on May 17.



carp / routing question (multiple lines)

2008-06-25 Thread openbsd misc
Hello,

I hope I can avoid trial and error this way ;-) I have two firewall systems
with carp enabled (running obsd 4.3). These gateways have two internet
connections (dsl 6000 and symmetric 4000 provided by a router with an
/29 transport net).
The symmetric line should be used for vpn and for mail and http(s) if
the dsl line is not available.
I tried to google about this topic, but I didn't find much helpful.
Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2
yesterday. Looks like a good starting point because the pf.conf manpage
doesn't say much about route-to and reply-to syntax.

Every connection should find its way back the same way (same route, using
the ip-address the SYN came to).

Does someone have a link for me how to set the correct routes and
pf-rules? The symmetric line should be set as default route with a
higher metric but the source ip should be the carp ip if used. I think
my biggest problem is carp, because I don't know how to set up pf
correctly with carp in use. As you know pf uses the physical interface,
not the virtual interface, so I think I have to define the source ip,
too?

I hope someone understands my English ;-) and can give me some links /
documentation / examples ...

Thanks and regards
  Hagen Volpers



Re: carp / routing question (multiple lines)

2008-06-25 Thread openbsd misc
Hello,

I totally agree, that's why I wrote to the mailing list and not copied the example
;-) It's not the first time I'm working with pf, but the first time with two
external connections. Thanks for the link, I missed that because of the topic
(I'm not looking for load balancing).
But I didn't find out how to set this up correctly:
- normally the chosen link is rule (pf) based
- the other line should be used if one is down (how to do that with pf?)
- how must I read the route-to / reply-to syntax?
for example:
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Till now I wasn't able to get into that, still looking for the
click-aha-effect ;-)

Thanks for your help.

Regards
  Hagen Volpers

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Stuart Henderson
> Sent: Thursday, 26 June 2008 01:47
> To: misc@openbsd.org
> Subject: Re: carp / routing question (multiple lines)
>
> On 2008-06-25, openbsd misc <[EMAIL PROTECTED]> wrote:
> > I hope I can avoid trial and error this way ;-) I have two firewall systems
> > with carp enabled (running obsd 4.3). These gateways have two internet
> > connections (dsl 6000 and symmetric 4000 provided by a router with an
> > /29 transport net).
> > The symmetric line should be used for vpn and for mail and http(s) if
> > the dsl line is not available.
> > I tried to google about this topic, but I didn't find much helpful.
> > Someone mentioned http://marc.info/?l=openbsd-misc&m=120665186412690&w=2
> > yesterday. Looks like a good starting point because the pf.conf manpage
> > doesn't say much about route-to and reply-to syntax.
>
> Try http://www.openbsd.org/faq/pf/pools.html#outgoing for an
> introduction, the syntax of route-to and reply-to is given in the
> BNF section at the bottom of pf.conf(5) - everyone writing PF
> configuration files should learn how to read this section.
> Everyone copying-and-pasting PF configs from samples really
> should too...
>
> You should also get acquainted with running tcpdump on different
> interfaces, including pflog0 (with the relevant "log" in PF rules),
> it's very useful when you need to debug PF and in particular any
> complicated NAT/route-to configuration.
>
> > Does someone have a link for me how to set the correct routes and
> > pf-rules? The symmetric line should be set as default route with a
> > higher metric but the source ip should be the carp ip if used.
>
> You set the source address of outgoing packets with NAT rules.
> You direct packets out the relevant interface with route-to.
> And you direct return packets for an *incoming* connection
> with reply-to.
>
> Forget metrics/route priority for now, that won't help you direct
> packets out of one or other connection based on port number, you
> need PF rules to classify traffic if you want that.
>
> > I think
> > my biggest problem is carp, because I don't know how to set up pf
> > correctly with carp in use. As you know pf uses the physical interface,
> > not the virtual interface, so I think I have to define the source ip,
> > too?
>
> Where you have to define an interface, use the physical interface
> (vlan/trunk count as physical interface for this purpose).
>
> Where you have to specify an address, use whichever is correct for
> what you're trying to do, carp/physical/both.



Re: Actual BIND error - Patching OpenBSD 4.3 named ?

2008-07-09 Thread openbsd misc
http://cr.yp.to/djbdns/run-cache.html
http://www.ro.kde.org/djbdns/mywork/jumbo/index.html

I never understood the mix of authoritative server and resolver ... Use dnscache
as resolver and you're (AFAIK) safe.

Regards
  Hagen Volpers


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Ted Unangst
> Sent: Wednesday, 9 July 2008 20:10
> To: Steve Tornio
> Cc: misc
> Subject: Re: Actual BIND error - Patching OpenBSD 4.3 named ?
>
> On 7/9/08, Steve Tornio <[EMAIL PROTECTED]> wrote:
>
> > > I don't think this actually accomplishes much.  It still
> lets poisoned
> > > replies back in on the previous port number.
> > >
> > >
> >
> >  But does it allow a poisoned reply from the spoofed address?
>
> oh, right.  I think I forgot even UDP packets have IP addresses. :(



Re: pfctl

2008-07-25 Thread openbsd misc
Hi,

interesting point. How about dumping it to a file or something so you are
able to check what was loaded last time (e.g. a file with 400 under
/var/whatever)?

Regards
  Hagen Volpers


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On behalf of Stuart Henderson
> Sent: Friday, 25 July 2008 17:15
> To: Charlie Clark
> Cc: misc@openbsd.org
> Subject: Re: pfctl
>
> On 2008/07/25 14:53, Charlie Clark wrote:
> > Stuart Henderson wrote:
> >> On 2008-07-25, Charlie Clark <[EMAIL PROTECTED]> wrote:
> >>
> >>> Hi,
> >>>
> >>> I have noticed that you are unable to view the currently loaded
> >>> options for pf using pfctl, even 'pfctl -sa' doesn't show the
> >>> options eg. set skip on tun0.
> >>> Is this going to be implemented soon or is it there and I'm missing
> >>> something?
> >>>
> >>> Regards,
> >>>
> >>>
> >>
> >> Someone asked about this recently.
> >> http://marc.info/?l=openbsd-misc&w=2&r=1&s=set+skip+pfctl&q=b
> >>
> >>
> >>
> > Yes sorry I posted this by accident, I still haven't got a valid
> > solution for this though.
>
> "set XX" options are a mix of directives to pf and to pfctl,
> the pfctl directives don't get stored anywhere so you can't
> retrieve them later. The ones affecting pf are available but
> in a different format.



Re: pfctl

2008-07-25 Thread openbsd misc
Hehe, I knew I'd get this reply. ;-) The question was which configuration is
active, not what will be activated by pfctl -f /etc/pf.conf, that's the
difference.
I think that could help some people in multi-admin environments ;-)

Regards
  Hagen Volpers


> -Original Message-
> From: Paul de Weerd [mailto:[EMAIL PROTECTED]
> Sent: Friday, 25 July 2008 22:37
> To: openbsd misc
> Cc: misc@openbsd.org
> Subject: Re: pfctl
>
> On Fri, Jul 25, 2008 at 10:16:21PM +0200, openbsd misc wrote:
> | Hi,
> |
> | interesting point. How about dumping it to a file or
> something so you are
> | able to check what was loaded last time (e.g. a file with 400 under
> | /var/whatever)?
>
> GREAT IDEA !
>
> How about /etc/pf.conf ?
>
> Cheers !
>
> Paul 'WEiRD' de Weerd
>
> | Regards
> |   Hagen Volpers
> |
> |
> | > -Original Message-
> | > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> | > On Behalf Of Stuart Henderson
> | > Sent: Friday, 25 July 2008 17:15
> | > To: Charlie Clark
> | > Cc: misc@openbsd.org
> | > Subject: Re: pfctl
> | >
> | > On 2008/07/25 14:53, Charlie Clark wrote:
> | > > Stuart Henderson wrote:
> | > >> On 2008-07-25, Charlie Clark <[EMAIL PROTECTED]> wrote:
> | > >>
> | > >>> Hi,
> | > >>>
> | > >>> I have noticed that you are unable to view the
> currently loaded
> | > >>> options for pf using pfctl, even 'pfctl -sa' doesn't show the
> | > >>> options eg. set skip on tun0.
> | > >>> Is this going to be implemented soon or is it there and
> | > I'm missing
> | > >>> something?
> | > >>>
> | > >>> Regards,
> | > >>>
> | > >>>
> | > >>
> | > >> Someone asked about this recently.
> | > >> http://marc.info/?l=openbsd-misc&w=2&r=1&s=set+skip+pfctl&q=b
> | > >>
> | > >>
> | > >>
> | > > Yes sorry I posted this by accident, I still haven't got a valid
> | > > solution for this though.
> | >
> | > "set XX" options are a mix of directives to pf and to pfctl,
> | > the pfctl directives don't get stored anywhere so you can't
> | > retrieve them later. The ones affecting pf are available but
> | > in a different format.
> |
>
> --
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
>  http://www.weirdnet.nl/



Re: pfctl

2008-07-25 Thread openbsd misc
It was only an idea regarding the question. Sorry for sharing thoughts ... I'm
already using such a script because of that; it would be great to have that job
done by pfctl because everyone would have this "feature" and you cannot bypass
it with pfctl -f ...
As I said, this is only an idea. We should stop this discussion :)

Regards
  Hagen Volpers

> -Original Message-
> From: Paul de Weerd [mailto:[EMAIL PROTECTED]
> Sent: Saturday, 26 July 2008 00:00
> To: openbsd misc
> Cc: misc@openbsd.org
> Subject: Re: pfctl
>
> On Fri, Jul 25, 2008 at 11:38:40PM +0200, openbsd misc wrote:
> | Hehe, I knew I'd get this reply. ;-) The question was
> which configuration is
> | active, not what will be activated by pfctl -f
> /etc/pf.conf, that's the
> | difference.
> | I think that could help some people in multi-admin environments ;-)
>
> If you can't organize a proper way to keep loaded rules and rulefile
> in sync, you may want to have a talk with the other admins.
>
> Given that, you may want to create a script that does exactly what you
> want. It's OpenBSD. It's open source, the tools are there, you can see
> how this stuff works, you know what you want - create what you need by
> yourself. A simple script that copies your pf.conf to
> /var/whatever/last.loaded is just a few keystrokes away.
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> | Regards
> |   Hagen Volpers
> |
> |
> | > -Original Message-
> | > From: Paul de Weerd [mailto:[EMAIL PROTECTED]
> | > Sent: Friday, 25 July 2008 22:37
> | > To: openbsd misc
> | > Cc: misc@openbsd.org
> | > Subject: Re: pfctl
> | >
> | > On Fri, Jul 25, 2008 at 10:16:21PM +0200, openbsd misc wrote:
> | > | Hi,
> | > |
> | > | interesting point. How about dumping it to a file or
> | > something so you are
> | > | able to check what was loaded last time (e.g. a file
> with 400 under
> | > | /var/whatever)?
> | >
> | > GREAT IDEA !
> | >
> | > How about /etc/pf.conf ?
> | >
> | > Cheers !
> | >
> | > Paul 'WEiRD' de Weerd
> | >
> | > | Regards
> | > |   Hagen Volpers
> | > |
> | > |
> | > | > -Original Message-
> | > | > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> | > | > On Behalf Of Stuart Henderson
> | > | > Sent: Friday, 25 July 2008 17:15
> | > | > To: Charlie Clark
> | > | > Cc: misc@openbsd.org
> | > | > Subject: Re: pfctl
> | > | >
> | > | > On 2008/07/25 14:53, Charlie Clark wrote:
> | > | > > Stuart Henderson wrote:
> | > | > >> On 2008-07-25, Charlie Clark
> <[EMAIL PROTECTED]> wrote:
> | > | > >>
> | > | > >>> Hi,
> | > | > >>>
> | > | > >>> I have noticed that you are unable to view the
> | > currently loaded
> | > | > >>> options for pf using pfctl, even 'pfctl -sa'
> doesn't show the
> | > | > >>> options eg. set skip on tun0.
> | > | > >>> Is this going to be implemented soon or is it there and
> | > | > I'm missing
> | > | > >>> something?
> | > | > >>>
> | > | > >>> Regards,
> | > | > >>>
> | > | > >>>
> | > | > >>
> | > | > >> Someone asked about this recently.
> | > | > >>
> http://marc.info/?l=openbsd-misc&w=2&r=1&s=set+skip+pfctl&q=b
> | > | > >>
> | > | > >>
> | > | > >>
> | > | > > Yes sorry I posted this by accident, I still
> haven't got a valid
> | > | > > solution for this though.
> | > | >
> | > | > "set XX" options are a mix of directives to pf and to pfctl,
> | > | > the pfctl directives don't get stored anywhere so you can't
> | > | > retrieve them later. The ones affecting pf are available but
> | > | > in a different format.
> | > |
> | >
> | > --
> | > >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> | > +++>-]<.>++[<>-]<+.--.[-]
> | >  http://www.weirdnet.nl/
> |
>
> --
> >[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
>  http://www.weirdnet.nl/
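The thread ends with Paul's suggestion of a small script that keeps a copy of the pf.conf that was last loaded, and Stuart's point that the pfctl-side "set" directives are not retrievable from the kernel, so only the source file itself records them. The wrapper below is an added example written for this page, not code from the thread or from OpenBSD. It records a read-only copy of the rule file after a successful pfctl -f, together with its cksum(1), the loading user and the time, and lets any admin later check whether the file on disk still matches what was loaded. The state directory /var/db/pf-loaded and the file names are assumptions.

```shell
#!/bin/sh
# pfload.sh: added example, not code from the thread. Wraps "pfctl -f" so that
# the rule file that was actually loaded is kept as a read-only copy, which
# lets any admin later check whether /etc/pf.conf has drifted from the active
# ruleset. The state directory and file names below are assumptions.
#
#   pfload.sh load  [/etc/pf.conf]   load rules, then record the loaded copy
#   pfload.sh check [/etc/pf.conf]   compare the file on disk with that copy

STATE_DIR="${PF_STATE_DIR:-/var/db/pf-loaded}"   # assumed location

# CRC and size of a file, via cksum(1), which exists on OpenBSD and Linux.
checksum_of() {
    cksum "$1" | awk '{ print $1 ":" $2 }'
}

# Keep a read-only copy of the rule file that was just loaded, plus a small
# metadata file (path, checksum, who loaded it, when). Returns 0 on success.
record_loaded() {
    conf="$1"
    mkdir -p "$STATE_DIR" || return 1
    rm -f "$STATE_DIR/last.loaded"
    cp "$conf" "$STATE_DIR/last.loaded" || return 1
    chmod 0400 "$STATE_DIR/last.loaded"
    {
        printf 'file=%s\n'  "$conf"
        printf 'cksum=%s\n' "$(checksum_of "$conf")"
        printf 'by=%s\n'    "${LOGNAME:-unknown}"
        printf 'at=%s\n'    "$(date +%Y-%m-%dT%H:%M:%S)"
    } > "$STATE_DIR/last.loaded.meta"
}

# Compare the rule file on disk with the recorded copy.
# Returns 0 when they are identical, 1 when the file has drifted since the
# last load, 2 when nothing has been recorded yet.
check_loaded() {
    conf="$1"
    [ -f "$STATE_DIR/last.loaded" ] || return 2
    cmp -s "$conf" "$STATE_DIR/last.loaded" || return 1
    return 0
}

# Load the ruleset with pfctl(8); only a successful load is recorded, so the
# copy never claims more than pf accepted. (Needs root and an OpenBSD host.)
load_ruleset() {
    conf="${1:-/etc/pf.conf}"
    pfctl -f "$conf" && record_loaded "$conf"
}

# Command dispatch; does nothing when sourced or run without arguments.
if [ $# -gt 0 ]; then
    case "$1" in
    load)  load_ruleset "${2:-/etc/pf.conf}" ;;
    check)
        conf="${2:-/etc/pf.conf}"
        check_loaded "$conf"
        case $? in
        0) echo "$conf matches the ruleset loaded at $(sed -n 's/^at=//p' "$STATE_DIR/last.loaded.meta")" ;;
        1) echo "$conf differs from the last loaded ruleset (see $STATE_DIR/last.loaded)"; exit 1 ;;
        2) echo "no record of a loaded ruleset in $STATE_DIR"; exit 2 ;;
        esac ;;
    *) echo "usage: $0 load|check [pf.conf]" >&2; exit 64 ;;
    esac
fi
```

Because the copy is of the source file rather than of `pfctl -s` output, it also preserves the pfctl-only "set" directives Stuart mentions. Its limitation is exactly the one Hagen raises: an admin who runs pfctl -f by hand, bypassing the wrapper, leaves no record, so in a multi-admin setup the wrapper has to be the agreed way to load rules (or doas/sudo rules should only permit it).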



Re: Rails & https?

2008-07-25 Thread openbsd misc
Hi,

you didn't define a protocol. Change your configuration to

ProxyPass / http://127.0.0.1:3000
ProxyPassReverse / http://127.0.0.1:3000

You should also set
NoCache *

(for more information on favicon: http://en.wikipedia.org/wiki/Favicon - some
browsers request the icon even if it's not defined)

Regards
  Hagen Volpers


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of DrGadget
> Sent: Friday, 25 July 2008 23:50
> To: misc@openbsd.org
> Subject: Rails & https?
>
> Been testing redmine [OBSD4,3 + Rails 2.0.2] for project
> tracking, but I'm
> running into an issue creating an https proxy for it to run
> behind. Figured
> out the proxy config:
>
> LoadModule proxy_module /usr/lib/apache/modules/libproxy.so
>
>  ProxyPass / 127.0.0.1:3000
>  ProxyPassReverse / 127.0.0.1:3000
>
> however this doesn't seem to work:
>
> [Fri Jul 25 16:14:10 2008] [warn] [client 206.197.251.1]
> proxy: No protocol
> handler was valid for the URL /favicon.ico. If you are using
> a DSO version
> of mod_proxy, make sure the proxy submodules are included in the
> configuration using LoadModule.
>
> Did I miss something on the proxy config, or is there a
> different way to do it?
>
>   TIA,
>
>   Lee



sasyncd / pfsync / carp question

2008-07-31 Thread openbsd misc
Hi,

I'm running two obsd 4.4-current boxes as firewall / vpn-endpoints
hot-standby (no balancing). I configured carp like this:

Master:
carp3: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
carp: MASTER carpdev vlan32 vhid 1 advbase 1 advskew 9
groups: carp
inet6 fe80::200:5eff:fe00:101%carp3 prefixlen 64 scopeid 0xc
inet XX.XX.XX.XX netmask 0xfff8 broadcast XX.XX.XX.XX

Slave:
carp3: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
carp: BACKUP carpdev vlan32 vhid 1 advbase 1 advskew 100
groups: carp
inet6 fe80::200:5eff:fe00:101%carp3 prefixlen 64 scopeid 0xc
inet XX.XX.XX.XX netmask 0xfff8 broadcast XX.XX.XX.XX

I'm running pfsync and it's working fine (did several tcp / ping tests,
switching several times). But if the master boots it will become master
before sasyncd is able to sync status and all ipsec connections get
dropped (ATM I have three monowall www.m0n0.ch/wall endpoints).

The question is how I have to handle this setup. Do I have to play with
advbase? I don't think it's a good idea to trust delays, hoping that
sasyncd will do its job before the first machine becomes master again.
Is there a way to wait for sasyncd or something like that?

Here's the exact version:

# sysctl kern.version
kern.version=OpenBSD 4.4-beta (GENERIC) #987: Wed Jul 23 15:39:48 MDT
2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

Please let me know if you need further information.

Regards
  Hagen Volpers



Re: OT: Old School Unix vs. Modern Day Support "Professionals" - was (Defending OpenBSD Performance)

2009-09-18 Thread openbsd misc
> Fact of the matter is that I have
> become convinced that those that know how to actually TROUBLESHOOT
> problems are in the very small minority in this industry.

I think this is really the crux of the matter. I find the ability
to troubleshoot multi-vendor complexity is getting to be a rare
commodity; it's something that's very hard to interview people for.
Nowadays people are so proud of their certification and specialized
domain knowledge
that they actively avoid learning or thinking about stuff outside of
their specialized area.



Hosted CI with OpenBSD targets

2017-04-29 Thread Derek (openbsd-misc)

Hi!

Wondering if anyone has experience with hosted CI services that 
support OpenBSD targets for building + tests.  I haven't been 
successful finding any.


Looking to add native OpenBSD support to a project's CI, hoping 
to draw on the community's experience.


Would also prefer to run a service, rather than self-host.

Thanks!
Derek



Bad fonts in pdf

2019-09-19 Thread openbsd-misc-nospam
Here is screenshot: https://screenshots.firefox.com/LyKbRyGMRT3sDHbu/null

I had this problem in the past, but can't remember which font I should install.

Thanks!



How to open new window/pane in the current working directory in tmux?

2019-12-13 Thread openbsd-misc-nospam
I have the following options in tmux.conf:

bind '"' split-window -c "#{pane_current_path}"
bind % split-window -h -c "#{pane_current_path}"
bind c new-window -c "#{pane_current_path}"

But it doesn't work anymore, and I can't find working options on Google. I tried
all the suggestions from stackexchange and they don't work either. What options
work on OpenBSD 6.6?

Thanks!



Impact of 002_icmp6.patch

2020-10-29 Thread js-openbsd-misc
Hi!

I just saw 
https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/002_icmp6.patch.sig, 
however, it's unclear from the description and the context around the patch if 
this is a read after free or write after free (or both).

In the case of a write after free, would this change "Only two remote holes in 
the default install, in a heck of a long time!" to three? Or does it need more 
than IPv6 being configured?

-- 
Jonathan



Re: Impact of 002_icmp6.patch

2020-10-30 Thread js-openbsd-misc
> On 30.10.2020 at 01:28, Theo de Raadt wrote:
> 
> js-openbsd-m...@webkeks.org wrote:
> 
>> I just saw
>> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/002_icmp6.patch.sig,
>> however, it's unclear from the description and the context around the
>> patch if this is a read after free or write after free (or both).
> 
> I think it is fair you can study the code yourself and make your own
> factual determination.

As said, it is not immediately obvious to me if this is just read-after-free or 
also write-after-free. Hence I was hoping someone who either wrote the fix or 
who is more familiar with the code than me could enlighten me. It's not one of 
those obvious fixes where you see the buffer overflow just below.

>> In the case of a write after free, would this change "Only two remote
>> holes in the default install, in a heck of a long time!" to three? Or
>> does it need more than IPv6 being configured?
> 
> First off, is ipv6 deployment really part of the default install?  No,
> not really it takes some effort to configure v6, it is not natural.

The same could be said for v4 though, so is networking not considered part of 
the default install? How did the 2 remote holes happen without network then, 
though? Please help me understand, because the installer asked me for IPv6 just 
as it did for IPv4, so I would consider them both equally default.

> It is active on the loopback, but then that's not remote..

What about link-local IPv6? That's active by default, isn't it?

In any case, are you saying just removing the inet6 address from all interfaces 
would be a sufficient workaround if an immediate update is not possible? (Of 
course, only as a workaround until it's possible)

> But there's a bigger assumption in your mail:
> 
> We've released the errata as security because it is possibly exploitable
> or could cause a crash, and we have a rapid fix release process.  It was
> released without even seeing any evidence of a remote crash, nor any
> evidence of a remote exploit.  Incorrect code gets fixed, and if we
> judge it important we release a fix to the public in expedited fashion,
> and apparently get judged for doing so.

And that is good. But it still does not help in determining the impact, i.e.: 
Was this just a remote DoS (read-after-free) or a potential RCE 
(write-after-free)? For the latter, I would just update, for the former, time 
to reinstall my machines.

> Now that the fix is released and deployed by most openbsd users, we
> quickly become uncurious and head back to other work.  The only
> conversations related to this are asking how we can harden the mbuf
> layer to avoid similar issues in the future.

Which seems like a good strategy, but still, don't you think it's valuable to 
know what the maximum impact was in the worst-case? I fully agree with being 
over cautious and calling something an RCE rather than a DoS when it's unclear 
(a write-after-free could look like a DoS at first and turn out to be RCE, 
after all), but some things are limited in impact (a read-after-free usually 
isn't more than a DoS).

> I guess many other operating systems would wait weeks or months to
> collect all the "facts" and make a fancy disclosure, but we shipped
> source and binary fixes in just over 24 hours.

Again, I think that time is better spent fixing it fast than writing a fancy 
disclosure. I am merely curious if this was just read-after-free or 
write-after-free (or both) to make my own risk determination.

> So, is it a remote crash?  Possibly, but we'd like to see a packet
> that causes it.
> 
> Next after that, is it a remote exploit?
> 
> I think it is fair to wait for facts.

So, what you're saying is, it is only tagged as a security out of caution, not 
because it necessarily is exploitable?

> I also think you are a troll.

Not everybody trying to understand the impact of a security bug is a troll ;).

I merely brought up the 2 remote holes because I was wondering if this could be 
used as a signal that it's not remotely exploitable, as it's still 2.

-- 
Jonathan



Re: Impact of 002_icmp6.patch

2020-10-30 Thread js-openbsd-misc
To close this thread, I found this: 
https://twitter.com/m00nbsd/status/1321524807473782784

> On 30.10.2020 at 11:15, js-openbsd-m...@webkeks.org wrote:
> 
>> On 30.10.2020 at 01:28, Theo de Raadt wrote:
>> 
>> js-openbsd-m...@webkeks.org wrote:
>> 
>>> I just saw
>>> https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/002_icmp6.patch.sig,
>>> however, it's unclear from the description and the context around the
>>> patch if this is a read after free or write after free (or both).
>> 
>> I think it is fair you can study the code yourself and make your own
>> factual determination.
> 
> As said, it is not immediately obvious to me if this is just read-after-free 
> or also write-after-free. Hence I was hoping someone who either wrote the fix 
> or who is more familiar with the code than me could enlighten me. It's not 
> one of those obvious fixes where you see the buffer overflow just below.
> 
>>> In the case of a write after free, would this change "Only two remote
>>> holes in the default install, in a heck of a long time!" to three? Or
>>> does it need more than IPv6 being configured?
>> 
>> First off, is ipv6 deployment really part of the default install?  No,
>> not really it takes some effort to configure v6, it is not natural.
> 
> The same could be said for v4 though, so is networking not considered part of 
> the default install? How did the 2 remote holes happen without network then, 
> though? Please help me understand, because the installer asked me for IPv6 
> just as it did for IPv4, so I would consider them both equally default.
> 
>> It is active on the loopback, but then that's not remote..
> 
> What about link-local IPv6? That's active by default, isn't it?
> 
> In any case, are you saying just removing the inet6 address from all 
> interfaces would be a sufficient workaround if an immediate update is not 
> possible? (Of course, only as a workaround until it's possible)
> 
>> But there's a bigger assumption in your mail:
>> 
>> We've released the errata as security because it is possibly exploitable
>> or could cause a crash, and we have a rapid fix release process.  It was
>> released without even seeing any evidence of a remote crash, nor any
>> evidence of a remote exploit.  Incorrect code gets fixed, and if we
>> judge it important we release a fix to the public in expedited fashion,
>> and apparently get judged for doing so.
> 
> And that is good. But it still does not help in determining the impact, i.e.: 
> Was this just a remote DoS (read-after-free) or a potential RCE 
> (write-after-free)? For the latter, I would just update, for the former, time 
> to reinstall my machines.
> 
>> Now that the fix is released and deployed by most openbsd users, we
>> quickly become uncurious and head back to other work.  The only
>> conversations related to this are asking how we can harden the mbuf
>> layer to avoid similar issues in the future.
> 
> Which seems like a good strategy, but still, don't you think it's valuable to 
> know what the maximum impact was in the worst-case? I fully agree with being 
> over cautious and calling something an RCE rather than a DoS when it's 
> unclear (a write-after-free could look like a DoS at first and turn out to be 
> RCE, after all), but some things are limited in impact (a read-after-free 
> usually isn't more than a DoS).
> 
>> I guess many other operating systems would wait weeks or months to
>> collect all the "facts" and make a fancy disclosure, but we shipped
>> source and binary fixes in just over 24 hours.
> 
> Again, I think that time is better spent fixing it fast than writing a fancy 
> disclosure. I am merely curious if this was just read-after-free or 
> write-after-free (or both) to make my own risk determination.
> 
>> So, is it a remote crash?  Possibly, but we'd like to see a packet
>> that causes it.
>> 
>> Next after that, is it a remote exploit?
>> 
>> I think it is fair to wait for facts.
> 
> So, what you're saying is, it is only tagged as a security out of caution, 
> not because it necessarily is exploitable?
> 
>> I also think you are a troll.
> 
> Not everybody trying to understand the impact of a security bug is a troll ;).
> 
> I merely brought up the 2 remote holes because I was wondering if this could 
> be used as a signal that it's not remotely exploitable, as it's still 2.
> 
> -- 
> Jonathan
> 



Re: Impact of 002_icmp6.patch

2020-10-30 Thread js-openbsd-misc


> Honestly, as one of the devs involved with this security fix, I can tell
> you that I don't know. It is a use-after-free in some situations.
> Is it reachable from remote? I don't know.
> Is it reachable from local? Maybe.
> Is the use-after-free exploitable? Damn hard to tell, it is for sure not easy.
> Was there a PoC exploit? No, there was no PoC.
> I will not invest hours of my time to figure out something that does not
> really interest me. The fix is out, everyone can update.

Thx, that was the answer I was hoping for! :)

-- 
Jonathan



Re: OpenLDAP w/o bdb okay?

2009-01-16 Thread dan-openbsd-misc
Henning Brauer(lists-open...@bsws.de)@2009.01.06 14:42:09 +0100:
> I am not aware of any. Lack of options doesn't make openldap better.

There is an option for people who have very basic LDAP needs - tinyldap
from fefe.de. It's high quality but lacks many features at the time.



Re: Please explain this disk (?) error

2008-01-11 Thread eric-list-openbsd-misc
On Fri, 2008-01-11 at 16:05:49 +0100, jere proclaimed...

> I suddenly got this error (while surfing the web in default Gnome 
> session) on OpenBSD 4.2 release (patched up to patch_004, including it).
> 
> Is it a disk error or something else ? Please help.
> 

This is just a soft disk error; you may have problems with your hard disk in
the future, but if you're only seeing a small number, I wouldn't worry
much yet.

Dobar dan!

- Eric



Re: new home box for secure data storage

2008-10-30 Thread eric-list-openbsd-misc
On Thu, 2008-10-30 at 10:45:20 -0400, Douglas A. Tutty proclaimed...

> Yes.

Then keep it off a computer. Otherwise look for solutions that have already
been presented...because they work.

- Eric



kernel hiccups with two OpenVPN tunnels

2011-07-17 Thread travis+ml-openbsd-misc
So a few releases ago, I found that if I had OpenVPN running on an
OpenBSD box as a hub, and I did a large transfer from one client to
another, the OpenBSD box would occasionally kernel panic - something
about mbufs, I can pull the kernel stack traces up if desired.  The
hosting company said they saw this quite often with OpenBSD boxes.

As of 4.8, I notice that if I do a similar large transfer, the system
just stops responding to all network traffic for a period of time,
perhaps around 10 minutes or longer.  During this time it's unpingable and
won't forward any packets.  It eventually recovers, which is WAY better than
a kernel panic (the mbuf corruption actually corrupted my root disk on
more than one occasion).

Before I go digging into this, I was wondering if anyone else has had
this experience, and how I should consider troubleshooting it.
--
http://www.subspacefield.org/~travis/
"What do you call this music?" "Hadouken" "Hadouken?" "It's down right
fierce"
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




miscellaneous unofficial OpenBSD ports

2010-04-18 Thread travis+ml-openbsd-misc
http://www.subspacefield.org/~travis/OpenBSD/

Need to be updated - last update was for 4.1
--
A Weapon of Mass Construction
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




openvpn & openbsd = kernel lockups

2011-02-15 Thread travis+ml-openbsd-misc
Hey there,

I have been asked to help a friend whose system is used as a VPN hub.

It used to be an older OpenBSD, possibly 4.5 or 4.6, and he got many
kernel panics around some buffer routines (possibly mbuf) that led to
disk corruption.

It's now OpenBSD 4.8 amd64, and if the system has transit traffic -
going from one leaf through the hub to another - in excess of 100MB at
200kB/s or more, the system stops responding to network traffic for a
minute or three.  During this time, it becomes unpingable, and the VPN
basically stops working temporarily.  Often it will start up again,
but if the connection is lossy (like a wifi connection), then it
sometimes won't recover.

Before I investigate further, does anyone have a clue as to what may be
going on here?

If not, what would be the suggested method for investigating?
--
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




host(1) oddities

2011-01-31 Thread travis+ml-openbsd-misc
Hey all,

I ran "host www.google.com" on a new OpenBSD 4.8 install and got this:

13:50:28.132052 127.0.0.1.41209 > 127.0.0.1.48830: udp 31
13:50:28.132081 127.0.0.1 > 127.0.0.1: icmp: 127.0.0.1 udp port 48830
unreachable
13:50:29.133552 ::1.38033 > ::1.48830: udp 31
13:50:29.133577 ::1 > ::1: icmp6: ::1 udp port 48830 unreachable
13:50:34.143471 127.0.0.1.41209 > 127.0.0.1.48830: udp 31

What gives?  Nothing's on port 48830; should there be something there?
--
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.




Re: equivalent of Linux "mount -o bind"

2011-02-02 Thread travis+ml-openbsd-misc
On Fri, Jan 28, 2011 at 03:52:53PM -0800, Travis H. wrote:
> So I'm curious if there's something in OpenBSD that's similar to the
> "mount -o bind /dir1 /dir2" to make dir1 appear where dir2 is.

For those who asked, one sample use is for something like this:

Starting with the 2.4-series Linux kernels, it has been possible to
mount a filesystem simultaneously in two different places. "Aha!" you
might think, as I did. "Then surely we can mount the backups read-only
in /snapshot, and read-write in /root/snapshot at the same time!"

Alas, no. Say your backups are on the partition /dev/hdb1. If you run
the following commands,

mount /dev/hdb1 /root/snapshot
mount --bind -o ro /root/snapshot /snapshot

then (at least as of the 2.4.9 Linux kernel--updated, still present in
the 2.4.20 kernel), mount will report /dev/hdb1 as being mounted
read-write in /root/snapshot and read-only in /snapshot, just as you
requested. Don't let the system mislead you!

In the example above, the second mount call will cause both of the
mounts to become read-only, and the backup process will be unable to
run. Scratch this one.

Update: I have it on fairly good authority that this behavior is
considered a bug in the Linux kernel, which will be fixed as soon as
someone gets around to it. If you are a kernel maintainer and know
more about this issue, or are willing to fix it, I'd love to hear from
you!
--
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email j...@subspacefield.org to get blacklisted.
