If you want the slave machine (the one currently not winning the carp
elections) to be able to send traffic (logs, mail, respond to monitoring
and so on), you want local traffic to be originating from the interface IP
and not the carp ip.
2014-04-09 2:54 GMT+02:00 Florenz Kley :
> hello misc,
>
On Tue, Apr 8, 2014 at 7:35 PM, Donovan Watteau wrote:
> Hello,
>
> We'd like to deploy OpenBSD on some Dell C5220 and Dell C6220 servers,
> for a high-traffic website.
>
> However, the C5220 has some unconfigured components in dmesg [1], and
> the C6220 has even more of them [2].
>
> Are they cr
On Wed, Apr 09, 2014 at 03:25:25AM BST, Erling Westenvik wrote:
> "SSL received a record that exceeded the maximum permissible
> length. (Error code: ssl_error_rx_record_too_long)" (Firefox)
That may have something to do with the way you have configured TLS (i.e.
version) either unde
I'm used to generate RSA certificates for httpd(8) simply by following
the "GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS" section in the
manpage for ssl(8) and then setting httpd_flags="-DSSL" in
/etc/rc.conf.local. A few changes in /var/www/conf/httpd.conf and I'm
done. Up and go.
But how t
On 04/08/2014 04:31 PM, Friedrich Locke wrote:
Dear list members,
i have just configured my system (yp) to retrieve information on groups and
users. It's working 100% ok.
Now, i would like to set some netgroups. How does netgroup work with
ypldap ?
Per ypldap.conf(5): "The currently implement
wasn't the "registry database" a dead giveaway???
On 8 Apr 2014 at 17:22, Dag Richards wrote:
> all sarcasm on my part.
> hate the whole /etc/hourly /etc/daily /etc/whim-time cron crap
>
> was happy to see Theo's reaction. Was jerking the list's chain.
>
>
> sven falempin wrote:
> > Look what
all sarcasm on my part.
hate the whole /etc/hourly /etc/daily /etc/whim-time cron crap
was happy to see Theo's reaction. Was jerking the list's chain.
sven falempin wrote:
Look what linux are accepting now : stuff like systemd, how modern ! and so
nicely done !
Maybe having a .d looks .damne
On Tue, Apr 8, 2014 at 9:05 PM, noah pugsley wrote:
> On Tue, Apr 8, 2014 at 12:40 PM, Theo de Raadt >wrote:
>
> > > On Tue, Apr 08, 2014 at 15:09, Mike Small wrote:
> > > > nobody writes:
> > > >
> > > >> "read overrun, so ASLR won't save you"
> > > >
> > > > What if malloc's "G" option were t
On Tue, Apr 8, 2014 at 12:40 PM, Theo de Raadt wrote:
> > On Tue, Apr 08, 2014 at 15:09, Mike Small wrote:
> > > nobody writes:
> > >
> > >> "read overrun, so ASLR won't save you"
> > >
> > > What if malloc's "G" option were turned on? You know, assuming the
> > > subset of the worlds' programs y
hello misc,
can anyone please help me with a pointer:
two hosts have one interface each configured on the same subnet (.1 and .2),
and also have a carp interface (.3) using the interfaces as carpdev. No load
balancing is configured.
Is there more than one way to make the traffic originating fr
Look what linux are accepting now : stuff like systemd, how modern ! and so
nicely done !
Maybe having a .d looks .damned cool but does it really solve something ?
New is not better, modern surely isn't.
If there is a way for OpenBSD to move to a cron.d it probably needs a nice
explanation :
-
On Tue, Apr 08, 2014 at 03:53:06PM -0700, consultor wrote:
> On 04/08/2014 10:31 AM, Ted Unangst wrote:
> >On Tue, Apr 08, 2014 at 11:19, Jack Woehr wrote:
> >>http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx
> >>
> >>
> >>accurate w/r/t 5.3?
> >>
> >5.3, 5.4
On 08/04/14 6:53 PM, consultor wrote:
On 04/08/2014 10:31 AM, Ted Unangst wrote:
On Tue, Apr 08, 2014 at 11:19, Jack Woehr wrote:
http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx
accurate w/r/t 5.3?
5.3, 5.4, and 5.5 are all affected. only 5.2 and ea
On 04/08/2014 10:31 AM, Ted Unangst wrote:
On Tue, Apr 08, 2014 at 11:19, Jack Woehr wrote:
http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx
accurate w/r/t 5.3?
5.3, 5.4, and 5.5 are all affected. only 5.2 and earlier are not.
Hello Ted, are you say
Remy said:
> here is a simple patch to replace /etc/crontab by /etc/cron.d/.
FWIW why?
--
Dmitrij D. Czarkoff
Em 08-04-2014 19:13, Andy Lemin escreveu:
> Hi Wiesław,
>
> Definitely support your desire to try to add more structure to your PF
> writing! :)
>
> We use git to version control PF and many other files (over 60 files across
> an OBSD system now come to think of it).
>
> For PF, I wouldn't recomm
On 04/08/14 16:35, Remy wrote:
> Hi guys,
>
> here is a simple patch to replace /etc/crontab by /etc/cron.d/.
> You need to manually mkdir /etc/cron.d.
>
um. eight days late. I look forward to your contribution next year, but
try to hit the right date next time.
Nick.
On Tue, Apr 08, 2014 at 03:39:54PM -0600, Daniel Melameth wrote:
> On Tue, Apr 8, 2014 at 12:47 PM, Wiesław Kielas
> wrote:
> > I'm trying to achieve something similar to Cisco's firewall contexts or
> > Juniper's virtual systems with PF and OpenBSD.
> >
> > Currently I run an OpenBSD box as a fi
Hi Wiesław,
Definitely support your desire to try to add more structure to your PF writing!
:)
We use git to version control PF and many other files (over 60 files across an
OBSD system now come to think of it).
For PF, I wouldn't recommend using anchors as I *think* they're slower and
restrict
On 2014-04-08, Thorleif Wiik [BCIX] wrote:
> Hi there,
>
> here the requested output. The machine was just installed a few days ago
> with 5.4 and smokeping was added with pkg_add.
OK - this matches my guess. You must have untarred xbase on
the system after installing the OS (perhaps after tryin
On Tue, Apr 8, 2014 at 2:35 PM, Thorleif Wiik [BCIX]
wrote:
> here the requested output. The machine was just installed a few days ago
> with 5.4 and smokeping was added with pkg_add.
...
> examining: '/usr/local/lib/librrd.so.3.0'
> loading: libfreetype.so.20.0 required by /usr/local/lib/librrd.
No Theo I don't think understand, if you accept the patch then you will
be more like Ubuntu and other MODERN operating systems.
Why put everything in a single easily readable file, when you can split
it up in to multiple directories.
Which reminds me when are you going to ditch /etc for a nic
On Tue, Apr 8, 2014 at 12:47 PM, Wiesław Kielas
wrote:
> I'm trying to achieve something similar to Cisco's firewall contexts or
> Juniper's virtual systems with PF and OpenBSD.
>
> Currently I run an OpenBSD box as a firewalling device for multiple
> environments, most of them independent of each
Dear list members,
i have just configured my system (yp) to retrieve information on groups and
users. It's working 100% ok.
Now, i would like to set some netgroups. How does netgroup work with
ypldap ?
Thanks.
fried.
Hi there,
here the requested output. The machine was just installed a few days ago
with 5.4 and smokeping was added with pkg_add.
>ldconfig -r | head -2
/var/run/ld.so.hints:
search directories: /usr/lib:/usr/local/lib
>env LD_DEBUG=1 smokeping --help
rtld loading: '/usr/bin/perl'
e
Hi,
I'm wondering if anyone has had any experience with VPN and Android 4.4??
I used to use OpenVPN with versions 4.1 through 4.3 however, 4.4
apparently broke the tun interface so the app doesn't work now.
As I need vpn access I configured ipsec and npppd however, I keep
getting these errors
In your dreams.
> here is a simple patch to replace /etc/crontab by /etc/cron.d/.
> You need to manually mkdir /etc/cron.d.
>
>
> --- pathnames_original.hMon Apr 7 22:31:53 2014
> +++ pathnames.h Tue Apr 8 16:12:30 2014
> @@ -92,8 +92,8 @@
> #define PIDFILE"cron.pid"
Hi guys,
here is a simple patch to replace /etc/crontab by /etc/cron.d/.
You need to manually mkdir /etc/cron.d.
--- pathnames_original.hMon Apr 7 22:31:53 2014
+++ pathnames.h Tue Apr 8 16:12:30 2014
@@ -92,8 +92,8 @@
#define PIDFILE"cron.pid"
#define _PATH_CRON_PID
Hi misc@,
I'm trying to achieve something similar to Cisco's firewall contexts or
Juniper's virtual systems with PF and OpenBSD.
Currently I run an OpenBSD box as a firewalling device for multiple
environments, most of them independent of each other. My main problem
with this arrangement is that
Seems to be fixed in the 7 April snapshot.
Thanks, Peter
> On Tue, Apr 08, 2014 at 15:09, Mike Small wrote:
> > nobody writes:
> >
> >> "read overrun, so ASLR won't save you"
> >
> > What if malloc's "G" option were turned on? You know, assuming the
> > subset of the worlds' programs you use is good enough to run with that.
>
> No. OpenSSL has exploi
On Tue, Apr 08, 2014 at 15:09, Mike Small wrote:
> nobody writes:
>
>> "read overrun, so ASLR won't save you"
>
> What if malloc's "G" option were turned on? You know, assuming the
> subset of the worlds' programs you use is good enough to run with that.
No. OpenSSL has exploit mitigation count
nobody writes:
> "read overrun, so ASLR won't save you"
What if malloc's "G" option were turned on? You know, assuming the
subset of the worlds' programs you use is good enough to run with that.
You should at least be able to know which of your packages have access to an
SSL private key, and speak SSL.
You also need to recursively check each library dovecot links to... That
libdovecot looks like a likely candidate for linking ssl.so.
That said, For dovecot, I THINK it uses dlopen at ru
Ok, thank you very much!
Didier
On 8 April 2014 19:44, Stefan Sperling wrote:
> On Tue, Apr 08, 2014 at 07:26:06PM +0200, Didier Wiroth wrote:
>> F.ex. I use dovecot:
>> # ldd `which dovecot`
>> /usr/local/sbin/dovecot:
>> StartEnd Type Open Ref GrpRef Name
>> 04f81c5
Josh Grosse wrote:
Please read: http://www.openbsd.org/errata53.html and note item #14. You may
download
the patch from there or for your convenience:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.3/common/014_openssl.patch
You may also want to read the article published by the OpenBSD Journa
Didier Wiroth writes:
> Hello,
> I'm not a developer but more of an openbsd hobbyist.
> I'm using current with current packages that are a few days old.
>
> I patched my openbsd servers and revoked all my ssl keys, generated
> new ones and changed every possible password.
> Even though, as far as
On Tue, Apr 08, 2014 at 07:26:06PM +0200, Didier Wiroth wrote:
> F.ex. I use dovecot:
> # ldd `which dovecot`
> /usr/local/sbin/dovecot:
> StartEnd Type Open Ref GrpRef Name
> 04f81c50 04f81c913000 exe 10 0 /usr/local/sbin/dovecot
> 04fa2152c000
"read overrun, so ASLR won't save you"
-> any pro-active thoughts to prevent this in the future? (I'm not a
programmer, so.. pardon if my question is idiotic)
Thanks!
On Tue, Apr 8, 2014 at 7:34 PM, nobody wrote:
> OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May
> 2012)
Hello,
We'd like to deploy OpenBSD on some Dell C5220 and Dell C6220 servers,
for a high-traffic website.
However, the C5220 has some unconfigured components in dmesg [1], and
the C6220 has even more of them [2].
Are they crucial for the machines to operate accurately? By 'accurately',
I mean w
On 8 April 2014, Jack Woehr wrote:
> http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx
>
> accurate w/r/t 5.3?
A few popular testers:
https://github.com/titanous/heartbleeder
https://github.com/FiloSottile/Heartbleed
http://fili
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May
2012)
how surprising..
but isn't ASLR supposed to protect from this?
http://undeadly.org/cgi?action=article&sid=20140408063423
On Tue, Apr 08, 2014 at 11:19, Jack Woehr wrote:
> http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx
>
>
> accurate w/r/t 5.3?
>
5.3, 5.4, and 5.5 are all affected. only 5.2 and earlier are not.
On 2014-04-08 13:19, Jack Woehr wrote:
http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx
accurate w/r/t 5.3?
Jack,
Please read: http://www.openbsd.org/errata53.html and note item #14.
You may download
the patch from there or for your convenience:
htt
Hello,
I'm not a developer but more of an openbsd hobbyist.
I'm using current with current packages that are a few days old.
I patched my openbsd servers and revoked all my ssl keys, generated
new ones and changed every possible password.
Even though, as far as I understood, you can't be sure cred
Hi Stuart,
Le 08/04/2014 18:31, Stuart Henderson a écrit :
> On 2014-04-07, Christophe wrote:
> [..]
>
> Let's ignore the siproxd side of things and just look at the ruleset.
>
> You have no "pass" or "block" rules for any outbound traffic so the implicit
> default is used for outbound traffic
http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx
accurate w/r/t 5.3?
--
Jack Woehr # "We commonly say we have no time when,
Box 51, Golden CO 80402 # of course, we have all that there is."
http://www.softwoehr.com # - James Mason, _The Art
On 2014-04-07, Christophe wrote:
[..]
Let's ignore the siproxd side of things and just look at the ruleset.
>> set skip on lo
>> set loginterface pflog0
>>
>> block in on ! lo0 proto tcp to port 6000:6010
>>
>> match out log on em0 inet from 172.18.160.0/24 to any nat-to em0
>>
>> pass in on
On 2014-04-08, Christophe wrote:
> Hi Stuart,
>
> Le 08/04/2014 10:41, Stuart Henderson a écrit :
>> On 2014-04-07, Christophe wrote:
>>> The goal is to accept every SIP device from inside the LAN to register
>>> to SIP provider without any "outbound proxy" configuration, and let
>>> siproxd acti
On 02/02/14 07:39, howard eisenberger wrote:
I just got back to this and, to be fair, with Debian Linux USB pen
drive is detected, but not USB/IDE external laptop drive with APIC
enabled or disabled in BIOS. The same external drive with the same
USB/IDE adapter is detected and works with 5.4 on
On 2014-04-08 Tue 07:17 AM |, Andres Perera wrote:
>
> You do that with `sudo -c - -l`:
>
> $ sudo -c - -i 'ulimit -a; env' > eb
> $ diff -u ea e
> --- ea Tue Apr 8 07:13:11 2014
> +++ eb Tue Apr 8 07:14:22 2014
> @@ -1,29 +1,24 @@
> -LOGNAME=a
> +LOGNAME=root
>
> Also see `use_loginclass` in
On Tue, Apr 8, 2014 at 7:17 AM, Andres Perera wrote:
> On Fri, Apr 4, 2014 at 6:00 AM, Craig R. Skinner
> wrote:
>> Hi,
>>
>> When sudo'ing to another user, how can I obtain all of their environment
>> settings as they receive when logging in themselves?
>>
>> When I use sudo in this manner, sett
So, Martin, what is your point ?
On Fri, Apr 4, 2014 at 6:00 AM, Craig R. Skinner
wrote:
> Hi,
>
> When sudo'ing to another user, how can I obtain all of their environment
> settings as they receive when logging in themselves?
>
> When I use sudo in this manner, settings such as $PATH, $MAIL & umask
> aren't being honoured:
[...
Hi Stuart,
Le 08/04/2014 10:41, Stuart Henderson a écrit :
> On 2014-04-07, Christophe wrote:
>> The goal is to accept every SIP device from inside the LAN to register
>> to SIP provider without any "outbound proxy" configuration, and let
>> siproxd acting as a masquerading server.
>
> Do you re
Hi Simon,
Le 07/04/2014 20:20, Simon Perreault a écrit :
> I don't know the direct answer to your question, but taking a step back...
>
> Any reason you want a transparent SIP proxy rather than an
> explicitly-configured SIP B2BUA? The latter is usually much easier to
> set up and maintain.
>
S
On 2014-04-07, Kevin Chadwick wrote:
> previously on this list Stuart Henderson contributed:
>
>> > If a port is considered dangerous like wireshark was it
>> > is removed to avoid encouraging it but users can still build it of
>> > course.
>>
>> There's a problem with *not* hav
On 2014-04-07, Christophe wrote:
> The goal is to accept every SIP device from inside the LAN to register
> to SIP provider without any "outbound proxy" configuration, and let
> siproxd acting as a masquerading server.
Do you really need it? Most user-facing SIP providers run SBCs to work
around
To clarify, there are no ~/. shell dot files.
$PATH & umask are set in /etc/login.conf
$MAIL is the default set by login(1)
/etc/profile sources /etc/ksh.kshrc, which just sets $PS1,
window decor & some aliases, nothing major.
This arrangement works fine when logging in directly,
or via "sudo su
59 matches