Any advice on a dedicated remote access server
Well, I screwed up things by taking a long break from everything and leaving things on auto-pilot. The company which had earlier bought the server company I use shut down the server service.

I'm located right now in Washington state in the US. But I'm also concerned about how much the quacks in power here are trying to screw up Internet access and working against encryption. So I'm seriously thinking that getting something outside of the US would be a good thing.

I run very little traffic, web server, email, PostgreSQL. So I want something cheap, don't want any management, definitely 2 IP's but would like to be able to add a few more for https.

I apologize for this message probably coming out at a hideous width, but I am using the horrible Godaddy email service which is my emergency email in cases of disaster.

Thanks for any help.
Chris Bennett
Re: Any advice on a dedicated remote access server
> Original Message
> Subject: Re: Any advice on a dedicated remote access server
> From: Karsten Horsmann
> Date: Thu, November 23, 2017 12:14 pm
> To: Martin_Schröder
> Cc: OpenBSD general usage list
>
> Hi Martin and hello List,
>
> I use an ovh / soyoustart dedicated server and they include an ipv6 /64 and
> one ipv4.
>
> As "playground" it's okay for me.
>
> Kind regards
>
> On 23.11.2017 10:18 AM, "Martin Schröder" wrote:
>
> 2017-11-23 5:26 GMT+01:00 :
> > https://www.soyoustart.com/us/essential-servers/
>
> IPv4 only.

They are going to allow me to install OpenBSD myself, but not support the custom software. I'm happy!

Chris
Can't get X to work on laptop Acer Aspire E 15 E5-575-33BM
It has Windows 10 Home pre-installed. I am trying to work off of USB flash drive. BIOS has UEFI or legacy option. I have to use legacy option. Won't finish booting unless I disable inteldrm I also allowed the aperture to be set at 2. didn't help. Boots OK, but it is slow. And no X. Says no screens found. Many options in the BIOS are simply unchangeable and network boot likes to turn itself on occasionally. There is also an option for a GPT. Booting off of Innostor PenDrive Thanks, Chris Bennett here is the dmesg:
Re: Can't get X to work on laptop Acer Aspire E 15 E5-575-33BM
I waited on purpose to make a change back to default X setup. inteldrm disabled. aperture at 2. Oddly, I did not get exactly the same response as before. No xorg.conf This time it briefly brought up the X background before failing Xorg.0.log:
Re: OpenBSD Puffy Stickers
> Original Message > Subject: Re: OpenBSD Puffy Stickers > From: Rupert Gallagher > Date: Thu, November 30, 2017 1:30 pm > To: Ingo Schwarze , Jay Williams > Cc: misc@openbsd.org > > > Don't give up on marketing. > Really? I can count on one hand the number of people since I started using it that would let me boot OpenBSD off of a USB stick. OpenBSD users and developers wander in on their own accord. There is just something to fall in love with seeing things like code audit, security, cryptography that the US wants to stop. The website is all the marketing that's needed. Feeling secure, Chris Bennett
Re: Integrating "safe" languages into OpenBSD?
> Original Message
> Subject: Re: Integrating "safe" languages into OpenBSD?
> From: Nick Holland
> Date: Mon, December 04, 2017 7:45 am
> To: misc@openbsd.org
>
> On 12/03/17 20:19, bytevolc...@safe-mail.net wrote:
> > I've always subscribed to the idea that too much safety results in too
> > many idiots, and the same is true for all these "safe" programming
> > languages. "Oh I don't have to write any form of bounds-checking,
> > because the language will do it for me."
> >
> > To add further insult to injury, if the language's bounds checking kicks
> > in first your program may do something worse than just corrupting its
> > own memory. In my experience, apps written in these "safe" languages
> > (usually web apps or bloatware) actually have been the most bug-ridden
> > and bloated.
>
> Idiots who shouldn't be coding, coding.
> "safe" languages being trusted to be safe when in the hands of idiots.
> Like you said.
>
> The more I see of "safe" languages, the more I love assembly. Most
> people who call themselves programmers...shouldn't.
>
> Nick.

The issue of being in base has been raised. Pretty important. Who would really want to spend such enormous amounts of time to add in yet another language?

C is in base. Assembly is in base. But Perl is also in base. I don't think anyone would want to change all of the fantastic pkg_* tools into either C or assembly. None of these three are "safe" languages.

A while ago I was told that moving to a newer version of Perl was being held up by needing to deal with mod_perl. That's obviously been dealt with. I like Perl's way of flowing and doing things.

I tried learning some assembly on my own, really to just get a better idea of what was going on with different C commands and variables. But the developers kept adding little changes, for good reasons, that made compiling with NASM changing. Plus i386 vs. amd vs. hardware I don't have a bit too much to deal with.

Personally, I would like to learn to properly program in C for OpenBSD. Yet with so many changes, it's a bit of a constantly moving target. (Hurrah!) But as my attempts previously didn't work out too well, I see a problem for me and others in my position. I don't want to hold up any active developers from doing their work. I really don't think I can get good enough without some hand holding to get to a good enough understanding of OpenBSD's usage of C, since there are so many points that one needs to be able to tie together to "get it". I do not have enough money to go back to school to learn C in a class. C itself seems pretty simple to use, but hard to put into useful contributions.

Perl has a nice collection of modules that do really useful stuff on CPAN. I would guess that OpenBSD has basically the same thing going on in C in the src tree. Every time I've tried to follow the chain along I just find myself lost and overwhelmed by too much to follow down the rabbit hole.

Is there anyone(s) who, preferably both not busy with active development who would genuinely be both willing and capable of helping follow down the rabbit hole? I would not be capable of doing that myself if the position were reversed. I just don't have the patience and personality to keep up with some idiot like me. I realize that if a hundred people jump up and ask for the same thing, maybe two will really mean it and perhaps one will actually follow through.

If someone(s) would like to help, please let me know on or off list. But let's not waste each other's time. I don't want to exchange 20 emails and then get ignored. Or vice versa.

As far as the topic being discussed, I think that nothing needs to be changed. Lowest level to high level we have is just fine.

Assembly -> C -> Perl

I don't see any need to add to base. It's a good, strong foundation.

Chris Bennett
Serious design defects with Acer Aspire E 15 E5-575-33BM Don't buy
Although I haven't gotten X to properly work, there are some hardware defects that are serious, as in breaking things and with usability.

The power cord has a round device that reduces certain types of "noise" in the power. However, they put it to fall directly underneath the right hand USB port. This has already damaged one of my USB flash drives and it will eventually break the USB port/motherboard.

The connection of the power cord into the laptop has a defective design somehow and is very difficult to insert. Once again, unnecessary stress on motherboard and a bit frustrating to have to struggle with.

The two USB 3 ports on the left side are so close together that you can't use both at the same time. In fact, the HDMI port is also way too close to them that I doubt that it could be used when the USB 3 port next to it is used. Full sized HDMI port, not micro.

Deeply disturbing is the fact that the BIOS makes changes on itself. It constantly turns on network booting after I disable it. It is also a tremendous effort to boot off of USB without repeatedly fiddling with the BIOS many times, moving the flash around, unplugging the laptop, etc. And I am talking about EVERY time, not just once in a while.

I'm returning it to Amazon and getting a refund. If anyone wants me to do anything with it before that, please let me know. I'll compile, test, whatever you like before I ship it back.

Intel i3-7100U
Intel HD graphics 620
USB 3.0
USB 3.1 type C connector port
inteldrm won't even boot.
it has a spot inside for an SSD drive

You get what you pay for. Of course, what you can't pay for, you can't get!

Chris Bennett
FAQ's duplicating file systems, both methods fail to reproduce correctly
Forgive problems with this email. I saw how my emails showed up on marc.info. Scary. This is just temporary.

OK. I've tried to use both methods and just don't get true duplication.

tar
It can't work with file and directory names that are OK in filesystem, but too long for itself. Quite a while back I lost a lot of unimportant files and directories that had absolute paths too long. Why is this happening with tar? Can this be fixed? If not, I'd like to add a note about that to the FAQ.

dump
I had to move /usr/local to a bigger partition. growfs, etc. I kept the /usr/local untouched and then dumped it to the new partition, expecting a true duplication. Nope. It changed all of the program symlinks permissions. Why is dump doing this? Can this be fixed? Otherwise, a note about this should be added to the FAQ also.

Question: Can dd be used to do what I did with dump or tar? Smaller partition copied to a bigger partition.

I'm willing to try and help out, but I'm going through both laptop and server hell at the moment.

Thanks,
Chris Bennett
Re: FAQ's duplicating file systems, both methods fail to reproduce correctly
I'm not able to try it right now, but would gtar accomplish what our tar doesn't for this? As in maybe pull something out of it into our tar?

Chris Bennett
Re: FAQ's duplicating file systems, both methods fail to reproduce correctly
> 'pax' and 'tar' are actually the same binary so they have the same
> limitation from the file formats that are supported, as well as any purely
> internal limitations. "pax -rw" actually has file format limitations by
> design, so it doesn't automagically free you from those limitations.
>
> On Sun, Dec 10, 2017 at 7:03 PM, wrote:
> ...
> > > OK. I've tried to use both methods and just don't
> > > get true duplication.
> > >
> > > tar
> > > It can't work with file and directory names
> > > that are OK in filesystem, but too long for itself.
> > > Quite a while back I lost a lot of unimportant files
> > > and directories that had absolute paths too long.
> > > Why is this happening with tar? Can this be fixed?
> > > If not, I'd like to add a note about that to the FAQ.
>
> tar/pax should have emitted warnings about such files when generating the
> archive; if that didn't happen it's a bug and we should fix it.
> Depending on the exact failure you hit there may be ways to fix what you
> hit.

Yes, I got warnings, I was pulling all of the files off of five failing hard drives. Luckily, the files were just some pr0n videos, but it could have been really bad if the hard drive was on its very last run.

> > > dump
> > > I had to move /usr/local to a bigger partition. growfs,
> > > etc. I kept the /usr/local untouched and then dumped it
> > > to the new partition, expecting a true duplication.
> > > Nope.
> > > It changed all of the program symlinks permissions.
>
> You do know that the mode of a symlink has *no* effect on how the kernel
> processes it, don't you? As far as the kernel is concerned, you can do
> the exact same operations on a mode 0 symlink as on a mode 777 symlink.

No, I didn't know. I have had lots of problems when ownership changes with the symlinks, so I wrote a program to delete and restore them with the proper owners. Thanks for letting me know. I can delete the files I had left on the old partition.

> > > Why is dump doing this? Can this be fixed?
>
> restore did that because (a) it didn't matter, and (b) there was no API to
> modify the mode of a symlink (because it didn't matter).
>
> An API that can chmod a symlink _was_ eventually added: fchmodat(2). The
> diff below makes restore preserve symlink mode.

Thanks,
Chris Bennett
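An added illustration of the file-format limit described in the quoted reply above (not code from the list or from OpenBSD's tar): a pre-flight check that lists the entries a ustar archive cannot represent, so a copy made with tar does not silently lose them. It assumes the archive is written in POSIX ustar format (100-byte name, 155-byte prefix and 100-byte linkname header fields) and that tar is run from inside the directory being copied; `ustar_split`, `find_unarchivable` and the sample paths are made up for this example.

```python
import os

# Field widths of the POSIX ustar header, in bytes (assumed archive format).
NAME_MAX = 100
PREFIX_MAX = 155
LINK_MAX = 100


def ustar_split(path):
    """Return (prefix, name) as a ustar header would store `path`,
    or None when no legal split exists and the entry cannot be archived."""
    raw = os.fsencode(path)
    if len(raw) <= NAME_MAX:
        return b"", raw
    # A longer path must be cut at a '/' (the slash itself is not stored):
    # everything before it goes to "prefix", everything after it to "name".
    for i, byte in enumerate(raw):
        if byte != ord("/"):
            continue
        prefix, name = raw[:i], raw[i + 1:]
        if prefix and name and len(prefix) <= PREFIX_MAX and len(name) <= NAME_MAX:
            return prefix, name
    return None


def find_unarchivable(root):
    """Walk `root` and return sorted (relative_path, reason) pairs for every
    entry that a ustar archive created from inside `root` could not hold."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            rel = os.path.relpath(full, root)
            if ustar_split(rel) is None:
                problems.append((rel, "path does not fit name/prefix fields"))
            if os.path.islink(full):
                target = os.fsencode(os.readlink(full))
                if len(target) > LINK_MAX:
                    problems.append((rel, "symlink target exceeds linkname field"))
    return sorted(problems)


# Constructed sample paths (not taken from the thread).
SAMPLE_FITS = "/".join(["a" * 60, "b" * 60, "c" * 90])            # 212 bytes
SAMPLE_DEEP = "/".join(["a" * 60, "b" * 60, "c" * 60, "d" * 50])  # 233 bytes
SAMPLE_LONG_NAME = "dir/" + "x" * 120                             # 124 bytes

if __name__ == "__main__":
    for sample in (SAMPLE_FITS, SAMPLE_DEEP, SAMPLE_LONG_NAME):
        verdict = "fits" if ustar_split(sample) else "CANNOT be stored"
        print(f"{len(sample):4d} bytes: {verdict}")
    # Check a real tree before copying it with tar:
    for rel, reason in find_unarchivable("."):
        print(f"{rel}: {reason}")
```

The 233-byte sample fails while the 212-byte one fits because what matters is whether some `/` yields a legal prefix/name pair, not the total length alone.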
Re: FAQ's duplicating file systems, both methods fail to reproduce correctly
> Wait, you previously said your problem was with symlinks *permissions* but
> now you're saying *ownership*! I can confirm that restore(8) didn't
> preserve the permissions (thus the patch I sent), but as long as you ran it
> with sufficient privilege it should have always restored symlink
> *ownership*. Was that a slip of the tongue/fingers?

Sorry, I was just blathering about a different unrelated problem I had with website symlinks. My bad.

Chris Bennett
Re: What would you like to see in upcoming PF tutorials?
> Original Message
> Subject: What would you like to see in upcoming PF tutorials?
> From: "Peter N. M. Hansteen"
> Date: Thu, December 14, 2017 2:27 pm
> To: misc@openbsd.org
>
> We're in the process of preparing for upcoming conferences with updates
> to the ever-in-progress PF tutorial.
>
> If you have thoughts on what you would like to see in a tutorial session
> and would like to share them either with me or the list, we would love
> to hear from you.
>
> The slides from last year's session at BSDCan can be found here:
> https://home.nuug.no/~peter/pftutorial/ - we're basically looking
> for ways to make those sessions more useful (the last one wasn't
> awful we hear, but there's always room for improvement).
>
> - Peter
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

I have to admit that I simply cannot follow the pf guide at this point. When I started using OpenBSD, I had no problems with getting spamd and NAT to work.

The guide uses variables instead of example IP addresses and I get confused which computer is inside, outside, etc. I would really like something that makes it clear which connection is where.

All of my recent attempts at NAT have just failed to work. Spamd was working fine, but it stopped working completely.

It would also be nice to know if anything can't work and why.

This might be helpful for presentations, but I sure would like it for the online guide.

Chris Bennett
Re: OpenBSD 4.2 dhcpd(8)
- Original Message -
From: "Tim Stewart" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, January 16, 2008 9:29 AM
Subject: OpenBSD 4.2 dhcpd(8)

Hello all,

Does anyone know which version of ISC DHCP that OpenBSD 4.2 uses for dhcpd(8)? I wasn't able to find any clue on the webpage or associated documentation. It feels a lot like a 2.x release based on the options available, but I just want to make sure.

Thanks.

--
-TimS

I just started this OpenBSD ride. But Webmin 1.8 tells me DHCP is VER 3.

Tim Stewart
Lead UNIX Systems Administrator
Ciena Corporation
Alpharetta, GA, USA
[EMAIL PROTECTED]
Web Traffic forwarding, PF and NC
Greetings

I've got a cable modem that forwards ports 80,110,25 to an internal host (192.168.1.121)

Email (POP and SMTP) is hosted on 192.168.1.121, but recent changes have forced me to move the webserver to another machine (192.168.1.126), which means i have to somehow forward port 80 traffic from 192.168.1.121 to 192.168.1.126, because the crappy cable modem doesn't let me forward different ports to different machines.

No problem i think:

- Both 192.168.1.121 and 192.168.1.126 have 192.168.1.120 (the cable modem) defined as their gateway

I've used the following config on 192.168.1.121 /etc/pf.conf:

    # -
    ext_if="rl1"
    rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
    # Allow all outgoing traffic
    pass out on $ext_if inet all keep state
    # Allow all incoming traffic
    pass in on $ext_if inet all keep state
    # -

and i've added the following in /etc/inetd.conf on 192.168.1.121:

    127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.1.126 80

To create a port 80 proxy to handle web traffic to and from the 192.168.1.126 webserver.

and this works. The webserver on 192.168.1.126 serves web traffic to the Internet.

Now my only problem is, web traffic arrives on 192.168.1.126 as having originated from 192.168.1.121, and i need it to arrive on 192.168.1.126 as if it has originated from the outside address (Internet), i.e. preserve the outside source IP address for correct web logging purposes. As it is, web traffic that arrives on 192.168.1.126 is logged with 192.168.1.121 as the source IP address.

Is there any PF rule or NC configuration to preserve the outside source IP address as traffic is forwarded from 192.168.1.121 to 192.168.1.126?

I'm running OpenBSD 3.9 (i386) on both machines.

I apologise if this is some "noob" question with an obvious answer.
Re: Web Traffic forwarding, PF and NC
Stefan Kell wrote:
> Hello,
>
> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>> Greetings
>> ...snip...
>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>> ...snip
>> I'm running OpenBSD 3.9 (i386) on both machines.
>
> why not rdr directly to your internal webserver instead of 127.0.0.1?
> OpenBSD 3.9 is quite old but rdr should work quite well. I use this since
> OpenBSD 3.4
>
> Regards
> Stefan Kell

Hi

I've tried the following configuration but it yields no effect, i.e. when someone tries to view a web page from the outside the web page isn't served. Maybe something is wrong with the config:

    #---
    ext_if="rl1"
    rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80
    pass out on $ext_if inet all keep state
    pass in on $ext_if inet all keep state
    #---
Re: Web Traffic forwarding, PF and NC
Stefan Kell wrote:
> Hello,
>
> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>> Stefan Kell wrote:
>>> Hello,
>>>
>>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>>> Greetings
>>>> ...snip...
>>>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>>>> ...snip
>>>> I'm running OpenBSD 3.9 (i386) on both machines.
>>>
>>> why not rdr directly to your internal webserver instead of 127.0.0.1?
>>> OpenBSD 3.9 is quite old but rdr should work quite well. I use this since
>>> OpenBSD 3.4
>>>
>>> Regards
>>> Stefan Kell
>>
>> Hi
>>
>> I've tried the following configuration but it yields no effect, i.e.
>> when someone tries to view a web page from the outside the web page
>> isn't served. Maybe something is wrong with the config:
>>
>>     #---
>>     ext_if="rl1"
>>     rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80
>>     pass out on $ext_if inet all keep state
>>     pass in on $ext_if inet all keep state
>>     #---
>
> is the OpenBSD machine acting as a router? Or is the webserver directly
> connected to the cable modem? Then it cannot work as Stuart Henderson has
> explained. My setup would use the machine as a router and different
> subnets and also nat on the external interface.
>
> Regards
> Stefan Kell

The webserver (192.168.1.126) is directly connected to the cable modem, as is the 192.168.1.121 server.

What service(s) would i need to run on 192.168.1.121 to make it useable as a gateway (router) to 192.168.1.126? Would just:

    # sysctl net.inet.ip.forwarding=1

enable it as a router? I would also need some other service, right?

Sorry for any noobness.
Re: Web Traffic forwarding, PF and NC
Stefan Kell wrote:
> Hello,
>
> Original Message
> Date: Sat, 23 Feb 2008 21:29:06 +
> From: "elaconta.com Webmaster" <[EMAIL PROTECTED]>
> To: Stefan Kell <[EMAIL PROTECTED]>
> CC: misc@openbsd.org
> Subject: Re: Web Traffic forwarding, PF and NC
>
>> Stefan Kell wrote:
>>> Hello,
>>>
>>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>>> Stefan Kell wrote:
>>>>> Hello,
>>>>>
>>>>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>>>>> Greetings
>>>>>> ...snip...
>>>>>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>>>>>> ...snip
>>>>>> I'm running OpenBSD 3.9 (i386) on both machines.
>>>>>
>>>>> why not rdr directly to your internal webserver instead of 127.0.0.1?
>>>>> OpenBSD 3.9 is quite old but rdr should work quite well. I use this
>>>>> since OpenBSD 3.4
>>>>>
>>>>> Regards
>>>>> Stefan Kell
>>>>
>>>> Hi
>>>>
>>>> I've tried the following configuration but it yields no effect, i.e.
>>>> when someone tries to view a web page from the outside the web page
>>>> isn't served. Maybe something is wrong with the config:
>>>>
>>>>     #---
>>>>     ext_if="rl1"
>>>>     rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80
>>>>     pass out on $ext_if inet all keep state
>>>>     pass in on $ext_if inet all keep state
>>>>     #---
>>>
>>> is the OpenBSD machine acting as a router? Or is the webserver directly
>>> connected to the cable modem? Then it cannot work as Stuart Henderson
>>> has explained. My setup would use the machine as a router and different
>>> subnets and also nat on the external interface.
>>>
>>> Regards
>>> Stefan Kell
>>
>> The webserver (192.168.1.126) is directly connected to the cable modem,
>> as is the 192.168.1.121 server.
>>
>> What service(s) would i need to run on 192.168.1.121 to make it useable
>> as a gateway (router) to 192.168.1.126? Would just:
>>
>>     # sysctl net.inet.ip.forwarding=1
>>
>> enable it as a router? I would also need some other service, right?
>>
>> Sorry for any noobness.
>
> You need two network interfaces on your OpenBSD machine, different subnets
> physically: one for cable modem and external interface on OpenBSD, one for
> your internal network. sysctl is necessary as you have written and you
> need a nat rule in pf.conf.
>
> There are a lot of instructions flowing around in the internet which show
> you how to do it.
>
> Regards
> Stefan Kell

Okay, i'm going to add a NIC to 192.168.1.121 (i've got some laying around) and do it that way then. Thanks!
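The two-interface router setup Stefan Kell describes in this thread, written out as a pf.conf in the OpenBSD 3.9 rule syntax used here. This is an added example, not a configuration posted by anyone on the list; the second NIC name rl0, the inside subnet 192.168.2.0/24 and the web server's new address 192.168.2.126 are assumptions, and the default-deny filter policy is a tightening of the thread's "pass all" rules.

```conf
# /etc/pf.conf on the OpenBSD box that the cable modem forwards ports to.
# Prerequisite (from the thread): packet forwarding must be enabled, e.g.
#   sysctl net.inet.ip.forwarding=1      (and the same line in /etc/sysctl.conf)
#
# Topology:
#   cable modem 192.168.1.120 --- rl1 192.168.1.121 [OpenBSD] rl0 192.168.2.1 --- web server
#   The web server's default gateway must be 192.168.2.1 (the assumed rl0 address).

ext_if  = "rl1"              # from the thread: faces the cable modem
int_if  = "rl0"              # ASSUMED name of the added NIC
int_net = "192.168.2.0/24"   # ASSUMED inside subnet, physically separate from 192.168.1.0/24
web_srv = "192.168.2.126"    # ASSUMED new address of the web server

# --- translation (must precede filter rules) ---
# Outbound traffic from the inside subnet leaves with the external address,
# so the cable modem needs no route to 192.168.2.0/24.
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound HTTP is redirected to the web server. rdr rewrites only the
# DESTINATION, so the web server logs the real client address, unlike the
# inetd/nc proxy, which opens a new connection sourced from 192.168.1.121.
rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> $web_srv port 80

# --- filtering ---
# Filter rules see the packet AFTER rdr, so the HTTP rule matches $web_srv.
block in on $ext_if all
pass in on $ext_if inet proto tcp from any to $web_srv port 80 flags S/SA keep state
# Mail stays on this host (SMTP and POP, as in the original post).
pass in on $ext_if inet proto tcp from any to 192.168.1.121 port { 25, 110 } flags S/SA keep state
pass out on $ext_if inet all keep state

# Checks after editing:
#   pfctl -nf /etc/pf.conf    parse only, load nothing
#   pfctl -f /etc/pf.conf     load the ruleset
#   pfctl -sn                 show the loaded nat/rdr rules
#   pfctl -ss                 show states; a redirected connection lists both
#                             192.168.1.121:80 and the web server address
```

The redirect works in this layout because replies from the web server have to travel back through the OpenBSD box, where the state entry reverses the translation; with both machines on the same subnet behind the modem, the replies bypass it.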
OpenBSD Gateway to replace old Linux gateway
Howdy

We have here an old (Mandrake Linux 8 - yeah i know...) PC with two NICs which serves as a firewall for our LAN and runs a Bind caching nameserver. Although the machine is getting old, it still works well. Thing is, i'm having a hard time trying to reproduce it, that is, getting another PC to do exactly the same thing this PC is doing. It was configured by a guy that left the company, so i can't simply ask him how he configured it.

It's a precautionary measure, if the machine breaks down we need another one to go in its place. So while i'm at it i would love to replace the crusty old thing with a new one running OpenBSD.

The networking scheme is:

    Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122) <-> (192.168.1.0/24) LAN

Now, thing is, the Linux firewall has two NICs:

    NIC 1: 192.168.1.121
    NIC 2: 192.168.1.122

The two NICs on the Linux box are configured with 192.168.1.121 and 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses the company router (192.168.1.120) and 192.168.1.122 accesses the company LAN (192.168.1.0/24)

From what i've googled, this shouldn't even be possible, everything is on the same subnet. Regardless, it works great, and if i went and got an OpenBSD rig to replace the old Linux rig, it would have to retain this networking scheme, we can't afford to reconfigure the entire network just for switching our firewall.

I know we could use a network bridge, but we need the caching nameserver functionality.

I'm an all round Unix guy, but i'm a bit green on the routing department.

Can an OpenBSD box be configured the same way the Linux box is so it can be a drop-in replacement for the Linux box? I can of course depict in further detail the configuration of the Linux box (netstat -r to show the routes, ifconfig or whatever).

- Elaconta.com Webmaster -
Re: OpenBSD Gateway to replace old Linux gateway
It's not a bridge because i can SSH to any of the IPs of the Linux box (192.168.1.121 or 192.168.1.122) from the local network (and only one of the NICs in the box is directly connected to the LAN). From what i know, bridges have no IP addresses. Or am i wrong?

--
Elaconta.com webmaster
--

On 7/26/2006, "Spruell, Darren-Perot" <[EMAIL PROTECTED]> wrote:

>From: [EMAIL PROTECTED]
>> Now, thing is, the Linux firewall has two NICs:
>>
>> NIC 1: 192.168.1.121
>> NIC 2: 192.168.1.122
>>
>> The two NICs on the Linux box are configured with 192.168.1.121 and
>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
>> the company router (192.168.1.120) and 192.168.1.122 accesses the company
>> LAN (192.168.1.0/24)
>> From what i've googled, this shouldn't even be possible, everything is
>> on the same subnet. Regardless, it works great
>
>Makes you wonder if the Linux box isn't configured as a bridge anyway (the
>only way I can see it would work in that configuration because as a L3
>device it seems unlikely to function right.) Certainly information from the
>routing table and interface configuration would be useful if someone wanted
>to stomach it.
>
>Although one wonders why you wouldn't do the "right" thing and reconfigure
>it. Why perpetuate bad practice if you don't have to? Schedule some down
>time one night, jot down an implementation plan, and roll with it. Improve
>things.
>
>Usually I find that when someone balks at giving you information about how
>they set something up, it's because they want to hide how bad they did it.
>You've probably got a bad setup that has managed to squeak by because of
>some hack he's put in. Root that problem out, set it up according to best
>practice, and put yourself in a better place to move forward.
>
>Or maybe it's just bridging and has IPs and it's not broke. I don't know.
>
>My 2 cents.
>
>DS
Re: OpenBSD Gateway to replace old Linux gateway
If i set one of the NICs to a 255.255.255.255 netmask (i know it's a "cheat"), say the one that connects to the 192.168.1.0 LAN, won't it be able to connect to the LAN that way?

Also, what if i add an alias to the second NIC of the box and do something like:

    192.168.1.120 (Router)
      |
    192.168.1.121 (1st NIC on the firewall)
      |
    192.168.0.1 (2nd NIC on the firewall)
      |
    192.168.1.122 (Alias to 2nd NIC on the firewall)
      |
    192.168.1.0 Internal Network

On the firewall, 192.168.1.121 and 192.168.0.1 would exchange packets, and 192.168.0.1 and 192.168.1.122 would also exchange packets. All that is needed is a way for the 3 interfaces in the firewall (2 real, 1 alias) to pass packets between themselves. Wouldn't it work this way?

--
Elaconta.com webmaster
--

On 7/27/2006, "Stuart Henderson" <[EMAIL PROTECTED]> wrote:

>On 2006/07/26 23:37, elaconta.com Webmaster wrote:
>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>> <-> (192.168.1.0/24) LAN
>
>> From what i've googled, this shouldn't even be possible, everything is
>> on the same subnet. Regardless, it works great, and if i went and got an
>> OpenBSD rig to replace the old Linux rig, it would have to retain this
>> networking scheme, we can't afford to reconfigure the entire network
>> just for switching our firewall.
>
>Ah, it sounds like you're not running DHCP then... If you do get
>the opportunity sometime, it's probably worth doing (even if you use
>it to hand out static addresses).
>
>> I know we could use a network bridge, but we need the caching
>> nameserver functionality.
>
>Bridging doesn't prevent this. The main problem area I've seen is
>with ftp-proxy (some old posts suggested it can work but I've never
>been able to get it running. ftpsesame isn't as clean but is great
>in this situation). Running standard services on a box that's also
>a bridge works ok.
>
>You can probably bridge and on one of the interfaces, set one address
>as /24, one as /32 alias. If the default route of LAN machines is .122
>rather than .120, also turn on inet.ip.forwarding. In that case,
>packets LAN->router will be routed via 122, packets router->LAN will
>be bridged. If it doesn't work out, tcpdump (from various points on
>the network) is your friend.
>
>I guess that the Linux box may be proxy-arp'ing. With Linux
>proxy-arp can be bound to a certain interface; that's not the
>case here so it doesn't really work in this situation (you'd
>be answering ARP requests on the same network the real host
>is on).
Re: OpenBSD Gateway to replace old Linux gateway
I'm not looking forward to addressing the router to a different subnet (and i know that would solve the problem) because our Internet-facing servers are connected directly to that router in DMZ fashion (the router forwards ports to them). The firewall is also connected directly to that router and the LAN is in turn connected to the firewall. Changing the subnet on the router would mean we would have to reconfigure a number of Internet services which sort of depend on the 192.168.1.x network configuration.

Now, if you know how to do what I want with OpenBSD, i would love to hear it. After listening to the solution, i can then judge for myself if the solution works. Even if we maintain the "broken" architecture for a while - i'm not even sure if it is that broken, since it worked for years without a squeak - at least we'll have a secure OS running it.

--
Elaconta.com webmaster
--

On 7/27/2006, "Nick Holland" <[EMAIL PROTECTED]> wrote:

>elaconta.com Webmaster wrote:
>> Howdy
>>
>> We have here an old (Mandrake Linux 8 - yeah i know...) PC with two NICs
>> which serves as a firewall for our LAN and runs a Bind caching nameserver.
>> Although the machine is getting old, it still works well. Thing is, i'm
>> having a hard time trying to reproduce it, that is, getting another PC
>> to do exactly the same thing this PC is doing. It was configured by a
>> guy that left the company, so i can't simply ask him how he configured
>> it.
>> It's a precautionary measure, if the machine breaks down we need another
>> one to go in its place.
>
>Yes You Do.
>
>> So while i'm at it i would love to replace the crusty old thing with a
>> new one running OpenBSD.
>> The networking scheme is:
>>
>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>> <-> (192.168.1.0/24) LAN
>>
>> Now, thing is, the Linux firewall has two NICs:
>>
>> NIC 1: 192.168.1.121
>> NIC 2: 192.168.1.122
>>
>> The two NICs on the Linux box are configured with 192.168.1.121 and
>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
>> the company router (192.168.1.120) and 192.168.1.122 accesses the company
>> LAN (192.168.1.0/24)
>> From what i've googled, this shouldn't even be possible, everything is
>> on the same subnet. Regardless, it works great, and if i went and got an
>> OpenBSD rig to replace the old Linux rig, it would have to retain this
>> networking scheme, we can't afford to reconfigure the entire network
>> just for switching our firewall.
>
>NO, you can't afford to avoid switching your firewall because of a
>misconfigured network.
>
>Your network is broke NOW. If that old box dies or gets rooted (if it
>hasn't been already), you will be looking at a lot bigger problems than
>renumbering a network.
>
>> I know we could use a network bridge, but we need the caching
>> nameserver functionality.
>
>Not everything has to be in one box. I don't know how big your company
>is, but I'm sure you have spare boxes lying around you can use as a DNS
>resolver/server. Split the task up if you need to. Or..put an IP
>address on one leg of the bridge. Lots of options.
>
>> I'm an all round Unix guy, but i'm a bit green on the routing department.
>>
>> Can an OpenBSD box be configured the same way the Linux box is so it can
>> be a drop-in replacement for the Linux box? I can of course depict in
>> further detail the configuration of the Linux box (netstat -r to show
>> the routes, ifconfig or whatever).
>
>If your network is dependent upon strange tricks, it is misconfigured.
>If you can't pull one part out and replace it with another one, it is
>misconfigured. You should be able to chose the components that serve
>you best, not "live with the only thing that works".
>
>It is better to fix this on your schedule than to react to a disaster
>when it happens (note use of the word "when"...)
>
>Keep in mind...rather than renumbering your internal network, you can
>just re-address your router to a different subnet, then you can put a
>standard network configuration in place, ta-da, problem solved.
>
>(ew, ick. I might have just thought of how to do what you want with
>OpenBSD, but the basic idea is so wrong, I don't want to do anything to
>encourage you to do anything other than FIX YOUR NETWORK PROPERLY).
>
>Nick.
Re: OpenBSD Gateway to replace old Linux gateway
Matt Radtke wrote:
> Hello there
>
>>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>>> <-> (192.168.1.0/24) LAN
>>>
>>> Now, thing is, the Linux firewall has two NICs:
>>>
>>> NIC 1: 192.168.1.121
>>> NIC 2: 192.168.1.122
>>>
>>> The two NICs on the Linux box are configured with 192.168.1.121 and
>>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
>>> the company router (192.168.1.120) and 192.168.1.122 accesses the company
>>> LAN (192.168.1.0/24)
>
> Your Linux box is very likely running as a real bridge
> (set eth0 and eth1 as a bridge) or a fake bridge
> (running proxy-arp). You could confirm that--I'm
> guessing every machine in your LAN has a default gw of
> .120, your router? And your router believes that it
> is directly connected to your LAN? If not, then
> everyone else is right--your network is screwed and
> you're lucky it's lasted this long.

Every machine in our LAN has a default gateway of 192.168.1.122 (not 120). The firewall machine can connect both to the router and to the internal network. I can SSH to the firewall box from any machine in the 192.168.1.0 LAN and of course the firewall box accesses the net through the 192.168.1.120 router.

>>> I know we could use a network bridge, but we need the caching
>>> nameserver functionality.
>
> Setting up a machine to bridge does not exclude it from
> running as a nameserver, if you must still do this
> [0].
>
> Off the top of my head, create a bridge with your
> $inif and $outif on your replacement machine. Inif
> doesn't need to have an IP on it. Bind your
> nameserver to outif. Setup your filter rules as you
> need them.

I forgot to mention something - this Linux box is also secondary DNS for some Web domains. Right now, the router forwards DNS packets from outside to 192.168.1.121 (the NIC on firewall box which is connected to the router), and the Linux box serves DNS requests to the outside through the eth0 interface. I'm guessing a bridge can serve DNS to clients on the LAN if we give it an IP (i'm not sure how to do this though), but can it also serve DNS to Internet clients (outside the LAN)?

Anyway, i guess a bridge wouldn't be the worst way to go, even if i would have to reconfigure 50 workstations across 3 departments (oh boy) to use 192.168.1.120 instead of 192.168.1.122. I could install a DNS server on IP 192.168.1.121 to take care of DNS.

Anyway, i have a small doubt about the bridge. I'm guessing it would enable transparent access from the LAN to 192.168.1.120 (the router) while allowing us to maintain our filtering rules, that is, the workstations would need to have 192.168.1.120 set as gateway. I hear bridges are not so good when it comes to handling FTP and IRC as a NAT'ing firewall. Is this true, or are there workarounds for this?

> -Matt
>
> ps. Just because something is a bridge doesn't mean
> that it can't have IP addresses.
>
> [0] List, feel free to destroy me if my setup wouldn't
> work. 8^)
>
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
Re: OpenBSD Gateway to replace old Linux gateway
Dag Richards wrote:
> Webmaster Elaconta wrote:
>> I'm not looking forward to addressing the router to a different subnet
>> (and i know that would solve the problem) because our Internet-facing
>> servers are connected directly to that router in DMZ fashion (the router
>> forwards ports to them). The firewall is also connected directly to that
>> router and the LAN is in turn connected to the firewall. Changing the
>> subnet on the router would mean we would have to reconfigure a number of
>> Internet services which sort of depend on the 192.168.1.x network
>> configuration.
>>
>> Now, if you know how to do what I want with OpenBSD, i would love to
>> hear it.
>
> You can configure OBSD to be a transparent bridge, as people here have
> told you. Setting up bridging is pretty simple, I did it in an
> afternoon for a test env. Having a system conf-ed to bridge does not
> preclude an IP or running services. Read the bridge and brconfig man
> pages, that will get you going you can find the man pages
> http://www.openbsd.org/cgi-bin/man.cgi if you do not have a running
> system.
>
>> After listening to the solution, i can then judge for myself if the
>> solution works. Even if we maintain the "broken" architecture for a
>> while - i'm not even sure if it is that broken, since it worked for
>> years without a squeak - at least we'll have a secure OS running it.
>
> A better way to config may be to run your fw as out_if= 192.168.1.121
> in_if=192.168.2.1
>
> Nat your pcs behind 192.168.1.121
> change the default gw of your pcs to be 192.168.2.1 and continue life
> fairly close to what you consider to be normal.
>
> If its not something you can get to perhaps you could hire someone to
> set it up, Jason Dixon monitors this list he consults and seems to be
> pretty sharp.
>
> Trust them however when they say your configuration is broken.
> People with heart murmurs pump blood for a long while, but are often
> eventually betrayed by their hearts.
>
> working( today && yesterday ) != { working( tomorrow ) || good_idea(1) };
>
>> --
>> Elaconta.com webmaster
>> --
>>
>> On 7/27/2006, "Nick Holland" <[EMAIL PROTECTED]> wrote:
>>
>>> elaconta.com Webmaster wrote:
>>>> Howdy
>>>>
>>>> We have here an old (Mandrake Linux 8 - yeah i know...) PC with two
>>>> NICs which serves as a firewall for our LAN and runs a Bind caching
>>>> nameserver.
>>>> Although the machine is getting old, it still works well. Thing is,
>>>> i'm having a hard time trying to reproduce it, that is, getting another PC
>>>> to do exactly the same thing this PC is doing. It was configured by a
>>>> guy that left the company, so i can't simply ask him how he configured
>>>> it.
>>>> It's a precautionary measure, if the machine breaks down we need
>>>> another one to go in its place.
>>> Yes You Do.
>>>
>>>> So while i'm at it i would love to replace the crusty old thing with a
>>>> new one running OpenBSD.
>>>> The networking scheme is:
>>>>
>>>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>>>> <-> (192.168.1.0/24) LAN
>>>>
>>>> Now, thing is, the Linux firewall has two NICs:
>>>>
>>>> NIC 1: 192.168.1.121
>>>> NIC 2: 192.168.1.122
>>>>
>>>> The two NICs on the Linux box are configured with 192.168.1.121 and
>>>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121
>>>> accesses the company router (192.168.1.120) and 192.168.1.122 accesses the
>>>> company LAN (192.168.1.0/24)
>>>> From what i've googled, this shouldn't even be possible, everything is
>>>> on the same subnet. Regardless, it works great, and if i went and
>>>> got an OpenBSD rig to replace the old Linux rig, it would have to retain this
>>>> networking scheme, we can't afford to reconfigure the entire network
>>>> just for switching our firewall.
>>> NO, you can't afford to avoid switching your firewall because of a
>>> misconfigured network.
>>>
>>> Your network is broke NOW. If that old box dies or gets rooted (if it
>>> hasn't been already), you will be l
PF redirect to another IP on LAN
Hi

I've just successfully configured an OpenBSD bridge with two NICs to separate and filter traffic between our private LAN (192.168.1.0/24) and our router (192.168.1.120).

I've given an IP address to one of the NICs (192.168.1.121) on the bridge and am running a Bind caching nameserver on it. Now, the next thing we'd need to do would be to redirect any traffic that comes through the bridge destined to IP address 192.168.1.121 port 80 to another server in the LAN (192.168.1.103 port 80).

From what i understand, this entails using PF and the rdr statement. Any ideas on how to do this successfully? Thanks.

--
Elaconta.com webmaster
--
Re: PF redirect to another IP on LAN
Peter Blair wrote:
> man pf.conf
>
> Secondly, it's been discussed numerous times on the list that bridges
> have their place (I use them in production environments at our data
> centre) but you'll find filtering a bridge much more difficult than
> filtering a NAT.
>
> On 7/29/06, elaconta.com Webmaster <[EMAIL PROTECTED]> wrote:
>> Hi
>>
>> I've just successfully configured an OpenBSD bridge with two NICs to
>> separate and filter traffic between our private LAN (192.168.1.0/24) and
>> our router (192.168.1.120).
>> I've given an IP address to one of the NICs (192.168.1.121) on the
>> bridge and am running a Bind caching nameserver on it. Now, the next
>> thing we'd need to do would be to redirect any traffic that comes
>> through the bridge destined to IP address 192.168.1.121 port 80 to
>> another server in the LAN (192.168.1.103 port 80).
>> From what i understand, this entails using PF and the rdr statement. Any
>> ideas on how to do this successfully? Thanks.
>>
>> --
>> Elaconta.com webmaster
>> --

Wouldn't this do the trick?

    rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103

This bridge has IP address 192.168.1.121 configured in one of the NIC's, so isn't the above like saying:

"Redirect any port 80 traffic originally meant for me to 192.168.1.103"

Or is there something i'm not considering here?

--
Elaconta.com webmaster
--
Re: PF redirect to another IP on LAN
Kian Mohageri wrote:
>> Wouldn't this do the trick?
>>
>> rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103
>>
>> "Redirect any port 80 traffic originally meant for me to 192.168.1.103"
>
> Yes, but why are you asking if you already have the answer? As stated in
> the man page, your traffic will also need to pass filter evaluation AFTER
> the redirect rule is processed. Can't you just test that line?
>
> Kian

If i knew that was the correct answer, of course i wouldn't have asked :)

As for passing the filter evaluation, i'll disable the PF filters and test just this redirecting rule then. Thanks.

- Elaconta.com webmaster -
Your email-account expires in 2days
Your email-account expires in 2days THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM. If you are receiving this message it means that your email-address is due for deactivation; this was as a result of a continuous error script (code:505) received from this email-address. To resolve this problem you must reset your email-address. In order to reset this email-address, you must reply to this e-mail by providing us the following information for confirmation. Username: { } Password : { } Re-confirm Password: { } Note: Providing a wrong information or ignoring this message will resolve to the deactivation of this Email Address. We apologize for any inconvinience. Thank you for your cooperation. Support Desk (Owa Webmaster) ) 2010 Outlook Web Access