ce after getting
burned multiple times from the infamous IBM deathstar series than from
all other vendors combined, and they are usually hotter than from other
vendors )
--knitti
more often. You didn't mount your
filesystem async, did you?
> And lastly, is it possible in the worst case scenario if one of my
> disks is completely fsck'ed up is it possible to run the system on 1
> of the raid 1 disks until a second comes?
yes. as long as this one doesn't break ;-)
BTW: if you use RAID to keep your system up, get familiar with what it
does and doesn't. Most problems arise not from hardware or system
failure, but from admin failure. Do backups.
--knitti
nd sweating through a source upgrade (OK, it wasn't *that* hard).
Upgrading by source is like going from -release to -current (just
not to _current_ "-current" ;-) - you have to expect to deal with the
unforeseen.
--knitti
-proxy on a different port should work, just look at the manpages
pf.conf(5)
ftp-proxy(8)
--knitti
w to configure my packet
> filtering (pf) to work with the second instance of ftp-proxy and allow
> me to connect to outside (public) ftp servers
look at your pf.conf, you have commented out the line. you should change
it to about this:
rdr pass on $int_if proto tcp from any to !$ftp_server port ftp -> 127.0.0.1 port 8022
of course i didn't test this, but you get the idea
--knitti
On 11/8/07, 23e7 <[EMAIL PROTECTED]> wrote:
> I missing some option?
did you read the FAQ?
do you know what you are doing?
why do you need a custom kernel?
--knitti
On 11/8/07, 23e7 <[EMAIL PROTECTED]> wrote:
> yes, I know.
>
> On 11/8/07, knitti <[EMAIL PROTECTED]> wrote:
> >
> > On 11/8/07, 23 $B9f (B <[EMAIL PROTECTED]> wrote:
> > > I missing some option?
> >
> > did you read the FAQ?
> > d
something else
is not. Try a different cable, look for faulty RAM or a
dying PSU. Put the disk into another machine and look
whether you can read everything fine.
--knitti
dd to the
> pf rules? Should I modify mine to also say that?
no, I *think* I made some wrong assumptions about your network
(obviously didn't read your first mail carefully enough) and I can't figure
out now why I suggested that. Sorry about that.
--knitti
oherency) and
thus maintainability to the list. I end up having less to do for OpenBSD
Servers to keep them happy running than for some Debian boxes, and
Debian _is_ damn well maintainable.
--knitti
file, scp the
archive and then tar -xzf the file in place in the other side. this should also
create a new sparse file. of course, you lose the rsyncabilty and you have to
identify your sparse file in advance. But 16GB of nothing should compress
very well ;)
--knitti
ve to test for yourself if it fits your needs, and
your performance depends a lot on your setting.
--knitti
Instead of e.g. /dev/sd0a try /dev/rsd0a. I didn't try with svnd, but
when copying partitions with dd I use this.
--knitti
On 11/14/07, Clint Pachl <[EMAIL PROTECTED]> wrote:
> knitti wrote:
> > Instead of e.g. /dev/sd0a try /dev/rsd0a. I didn't try with svnd, but
> > when copying partitions with dd I use this.
> >
>
> I tried that, but like I said fdisk complained when the sv
) including dhcpd, named and ntpd very
well.
--knitti
for a reason, and you *have*
to know what you are doing, because some day something goes wrong,
and *you* will have to troubleshoot it. And in this very (possibly trivial)
moment it pays having read the docs at least *once* before, just to
roughly know where you can find which information.
--knitti
t locally?
- try putting the MAILER lines last.
- Why would you accept mail to unresolvable domains?
- consider adding a define(`confPRIVACY_FLAGS', . )
--knitti
r half-closed sockets don't get stale.
BUT perhaps I didn't get it at all and this makes no sense ;)
--knitti
fely ignore
> > the above messages.
> BIND needs /dev/arandom for some stuff like generating random IDs.
on OpenBSD it doesn't. There was a mail from Theo regarding exactly this
error message, stating that on OpenBSD BIND doesn't use (or need) this.
You could search the archives...
--knitti
> CLOSE_WAIT is the state where the network stack waits for
> the application (httpd) to close the connection after receiving
> the client's FIN.
oh sorry, then I was wrong. So when client's FIN is already in, then
(depending on how long it takes), is it normal behaviour of httpd
or could it be considered a bug?
--knitti
te?)
btw: I might be going off topic here, but I think it applies to
OpenBSDs httpd. I won't send any further mail to this thread
if you tell me to shut up.
--knitti
On 12/12/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> knitti wrote:
> > HTTP keep alives have nothing to do with it. If the socket is in
> > CLOSE_WAIT, the TCP connection can't be reused, the server
> > has sent its FIN and the client its FIN/ACK, but the serv
ion
is still up. Translation: the server didn't close its socket for some
reason or non-reason.
For that to find out I'll have to read some code, which may or may not
turn up something (interesting for me).
--knitti
which ap_bclose() gets called on a different socket than intended (thus
shutting down another connection as a side effect). BUT since the whole
code doesn't run threaded, I can't come up with something which would
actually suggest that.
I would appreciate if someone told me whether my interpretation is rather
wrong or rather right ;)
--knitti
o updated package or updated port available?
> >
> > That is correct.
> >
>
> Now, this will prevent me from upgrading to 4.2.
>
It isn't so that any pre-4.2-stable will be updated, so you lose nothing
by upgrading. very often you can backport from -current ports without
any change.
--knitti
nsible maintainer, you cannot expect any updates to -stable for the
foreseeable future. Although some updates might happen, -stable should
be considered unmaintained."
--knitti
P
keep alives
> Again, are you sure all the RFC process was done? Who is waiting on who
> here? Also, I think you may be confusing a few things here. httpd not
> closing a socket and having "KeepAlive is in effect" are contradictory.
in theory, they are simply not related, because on different protocol layers.
Practically there seems to be a correlation by implementation.
--knitti
a half-closed
one. There are perfectly legit reasons for long open half-closed
TCP connections.
> My point with PF here was that it would reduce the possible numbers of
> close_wait state you could possibly see in the first place, which is one
> of the original goal of the question.
Why?
--knitti
On 12/12/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> knitti wrote:
> > The problem would be to "forget" calling ap_bclose() after ending a
> > connection, either because all data has been sent or the connection has
> > been aborted. What I can read wi
st place? If so, then I stand corrected and I was/am
> wrong about that part of my suggestions. So, is it the case then?
Yes. Random example:
http://www4.informatik.uni-erlangen.de/Projects/JX/Projects/TCP/tcpstate.html
--knitti
Gilbert, Douglas,
swap encryption on OpenBSD is done differently than what you
advise. just use a sysctl for vm.swapencrypt.enable. Much less
maintenance headaches.
and yes, don't complain about being reminded that this is not a
netbsd / linux support list.
--knitti
== wooosh ===>(your humour)
O(my head)
--knitti
n effort to get used to the new
procedures. The best intentions are worthless, if key people don't
like it.
--knitti
> Go to
>http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/sudo/sudo/Attic/
>
> find "tgetpass.c"
>
> click revision number ("1.15")
>
> ta-daa! :-)
this seems to be the case for every file in the Attic throughout the tree. I
didn't try _every_ file, but quite some on very different places in the tree.
--knitti
s you should simply get it exchanged
with a new one). It is kaputt.
--knitti
yet completely unreadable get remapped. Vaulting
a DVD or a HDD for five years or more leaves you in both cases with the
real possibility of data loss.
--knitti
On 1/4/08, Nick Guenther <[EMAIL PROTECTED]> wrote:
> On 1/3/08, knitti <[EMAIL PROTECTED]> wrote:
> > this is becoming OT, but I can't recommend storing HDDs as "real"
> > backup solution either. HDDs _do_ have bitrot, and one should at least,
> > s
On 1/7/08, Targus Neoprene <[EMAIL PROTECTED]> wrote:
> is there a way to surpass the mac filter and get an ip?
most likely yes and yes. man ifconfig
--knitti
If it walks like a duck and talks like a duck an f... - wait a minute. Ouch.
> I have never seen anyone on this list fuck a duck with a tape. Ever.
>
WARNING. Do not look at the duck with the remaining eye.
--knitti
rms.
I prefer it to amanda, because (at least as I had to find a suitable
solution 1.5 years ago) it was the only one which could do
multi-volume-backups. It also works flawlessly with disk-based
backups, simple tape drive and larger tape libraries.
--knitti
reason why. (Yes I
know, there's this new evil data retention law, but the providers don't
even know what exactly they have to log and they are not exactly keen
on implementing it).
--knitti
e of net4501 (100MHz/64MB RAM) since 3.5
which are perfectly fine with GENERIC
> 2) Under what circumstances (generally) would one encounter a situation
> where it would strongly desirable to have a custom kernel?
RAID?
development: break stuff, fix stuff ?
--knitti
mp. What am I doing wrong?
[...]
>
> OpenBSD 4.2 (NAVARONE-4.2) #0: Wed Jan 16 23:18:21 PST
> 2008
>
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/NAVARONE-4.2
http://openbsd.org/faq/faq5.html#Why
--knitti
h appreciated. Thanks.
please read about the DOMAIN macro. I don't think it does what you
think it does.
--knitti
On 1/29/08, knitti <[EMAIL PROTECTED]> wrote:
> On 1/29/08, Chris <[EMAIL PROTECTED]> wrote:
> > vi mydomain.mc
> >
> > divert(0)dnl
> > VERSIONID(`@(#)mydomain.mc $Revision: 1.11 $')dnl
> > OSTYPE(openbsd)dnl
> > DOMAIN(mydomain.com)dnl
ctive into the conf/admins.conf,
thus moving the include statement outside the
--knitti
eveloper, who would
in principle be open to the idea, you have to show her that it is worth
the hassle. But you don't even know what you're talking about.
If *I* were a developer, I would be offended by the notion that
AnotherSolution is *that* *much* *better* (as you imply) _without_
showing any evidence.
--knitti
erent media and
ensuring it takes as long as possible to move the RAM (this would be
a plus also for the disks) physically. Physical security _is needed_
anyways.
Soekris boxes also have soldered RAM.
--knitti
OpenBSD developer community can use them,
I would ship them anywhere in the EU, preferably in Germany.
greetings,
knitti
hich tools exist for OpenBSD, but if you're on x86/AMD64
and are OK with a DOS bootdisk, search for MHDD. This is a really nice
tool.
Or just burn yourself an "ultimate boot cd" (ultimatebootcd.com), which also
includes MHDD and a ton of other diagnosis and repair tools.
greetings,
knitti
and performance left and
right. but if you have mail trouble, you can look at the underlying smtp
and imap servers and actually fix things, much more transparent than
exchange (of which i also have some instances to look after)
greetings,
knitti
'd post a dmesg.
greetings,
knitti
i0: USB revision 1.0
uhub1 at usb1: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b
greetings,
knitti
isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b
greetings,
knitti
three words into a web search can find the discussions for
years to come. If you have read these, and you still post this then no
answer in the world will make you change your mind.
So, you made your statement, you got your attention, now go back playing.
--knitti
any processes which can explode in
RAM usage or massive forks? I saw once a system run out of mem,
with no swap space exhibiting the same behaviour. I could imagine
(disclaimer: _didn't_ see that one) a system behave similar after
not being able to fork anymore.
--knitti
d64/UP: 11-12 MB/s (about 19MB/s without ping -f)
i386/MP: 52-56 MB/s
i386/UP: 8- 9 MB/s
--knitti
mpiler. Wish I had my
> CDs, too...
I replied to Juan off-list, my bad. Read this:
http://www.openbsd.org/faq/faq5.html
snapshot is not release, but some point in time of -current. 4.2 and
current diverged in august. What you have to do is in the FAQ.
--knitti
On 10/11/07, knitti <[EMAIL PROTECTED]> wrote:
> Hi,
>
> after some sleep and coffee I am embarrassed to realize I made two mistakes:
> - I didn't provide a GENERIC(.MP) dmesg
> - I booted off the non-acpi-enabled kernel
> Sorry for that. Below you can see two
ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
Kernelized RAIDframe activated
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a swap on wd0b dump on wd0b
--knitti
d0d, wd1d, which both exist and were not in use.
--knitti
On 10/14/07, Greg Oster <[EMAIL PROTECTED]> wrote:
> knitti writes:
> > raidlookup on device: /dev/wd3d failed !
> ^
> I suspect you have an extra space after "wd3d" in the config file...
> And, unfortunately, that annoying litt
to them at great length and got
> pretty much nowhere: "We don't support JetDirect over WAN connections."
look with tcpdump, whether the packets of the printserver look like you expect.
perhaps it only has a ttl of 1 or 2 ;-)
--knitti
's a dual-boot situation, but you
just have to make sure, the bootloader hits the right pbr. no magic.
--knitti
On 6/5/06, knitti <[EMAIL PROTECTED]> wrote:
- 2nd partition ffs
sorry, that's slightly wrong, this partition held openbsd, which had
a single disk slice with a ffs. But I didn't see any limitation that there
could be more than one.
knitti
t vmware player is not as configurable through the gui,
but the configuration is a text file, so it should be possible to achieve this
(as in vmware created volumes are compatible with vmware player)
hth, knitti
he vpn port.
for users of Microsoft vpn or similar, we have them
authenticate first against authpf, so the port is not available
to anon users. and using authpf can be as simple as one
click on a link using putty (or similar) with the right ssh key.
--knitti
in my experience.
whether this is a problem is something you have to decide, do
you need more precision? if yes, change the hardware, else
don't worry
--knitti
On 6/8/06, Peter <[EMAIL PROTECTED]> wrote:
--- knitti <[EMAIL PROTECTED]> wrote:
> the soekris are not very good at time keeping, in my experience.
> whether this is a problem is something you have to decide, do
> you need more precision? if yes, change the hardware, els
te some installations around, more than a few dev-kits.
the same with file systems (e.g. zfs, reiser4)
(...rest of rant deleted, it's already off topic...)
oh, and don't tell me i shall participate.
--knitti
fully
documented, so you can test any output except that of the RNG against a
'known good' implementation
--knitti
ulated or broken out into a shell, a chroot
would help a lot ;)
--knitti
On 6/19/06, Lars Hansson <[EMAIL PROTECTED]> wrote:
On Monday 19 June 2006 19:09, knitti wrote:
> protocol attacks on the application which talks to mysql?
Uhm, and using a domain socket is different how?
ouch, snafu. sorry, I misunderstood. I don't think there's
any
s and so on. Changing wd to 0xffc (pio 4) does fix it.
this doesn't necessarily mean the controller or disk is buggy, it could
just be a bad cable, which works, if not used at top speed (or, more correctly,
frequency). I have seen this multiple times with almost any os (that supports
udma)
--knitti
On 7/6/06, knitti <[EMAIL PROTECTED]> wrote:
I'd suspect some different issues than just blaming the implementation
of the daemon
sorry, this is of course not about the daemon, but the rest still applies
--knitti
ur CPU is
maxed out.
also sometimes ISPs sell you some gigantic *theoretical maximum* adsl,
which doesn't work because of poor line quality etc. also, I think an
up/down ratio of about 1:22 does sound like you'll only max out your
downstream on some special applications, e.g. udp-streams (video)
--knitti
such exist for
OpenBSD: In any case, the more fragmented the
FAT was, the less is the chance of reviving something
meaningful.
--knitti
sted there)).
well, unless you serve a ppp access point, there's no point in looking into
the performance of ppp_d_
--knitti
nd the
more memory is consumed by the fsck
--knitti
nel? I have a couple
of net4501 running with some slightly older OpenBSDs (3.4, 3.5, 3.7)
which Just Work (TM). Is the net4801 that different?
--knitti
working
again,
it tried adding in an entry to /etc/hosts pointing
int-firewall.sbisolutions.com.au.com.au to 127.0.0.1
This didn't work as I guess sendmail doesn't use /etc/hosts.
I _think_ this depends on your resolv.conf
--knitti
email is
supposed to be on the server, and then how to look at it.
read and understand in this order:
man afterboot
/usr/share/sendmail/README
documentation on sendmail.org
this _will_ serve you far better than any step-through-howto
--knitti
onect cable directly between the boxes.
while I would do it with rsync (I know, depends on what you want to do),
I don't see any reason why ccd'ing two large nfs-exposed files shouldn't
work. But I think this would be more ugly and complicated than rsyncing
every x minutes...
--knitti
you want 150 mbit with tiny 40 bytes packets
or with jumbo frames (huge difference)
and, in any case, search the archives about "tuning openbsd".
--knitti
rted by exchange, should work with spamd and all sane
MUAs or MTAs.
--knitti
On 9/26/06, Carlos A. Garcia G. <[EMAIL PROTECTED]> wrote:
can someone external to the network get a copy of all the mail that are
getting to a mail server???
??
short answer: no
long answer: yes
please clarify your question. also, why should this be related to openbsd?
--knitti
[I reordered the text, so your answer is below my question, I think this
is more readable]
On 9/26/06, Carlos A. Garcia G. <[EMAIL PROTECTED]> wrote:
knitti wrote:
> On 9/26/06, Carlos A. Garcia G. <[EMAIL PROTECTED]> wrote:
>> can someone external to the network get a
es are those which you
expect. sniff your servers traffic.
finding whether a box was compromised is not trivial, especially if you
don't find any evidence. if you can afford to do it, better reinstall from
scratch and look where you can tighten up the security.
--knitti
but _come on_ i just can't see why you can
whine that much about a status quo, yet not making any effort to use the
better part of your hardware. otoh if your company can spend that much
on hardware idling for years without it being a problem, why don't just
fund one or two of the developers to do the task?
--knitti
cause after all, OpenBSD's networking is
great. Outside these areas OpenBSD is just too slow and doesn't support
enough hardware.
sez who? a troll
--knitti
ems ever in the future like the 99%
of all other OSes
(even those that are not dedicated to networking as OpenBSD) CAN? OR NOT?
your question is pointless, as openbsd does this already
--knitti
of object orientation c) nor sense for code maintenance and d)
really good stuff spaghetti style
--knitti
On 10/25/06, knitti <[EMAIL PROTECTED]> wrote:
[OT comment]
sorry for this, it was off topic and slightly offensive
--knitti
ving someone mail you the source on
cd, or use kaffe (don't know how useful it is for your purposes).
--knitti
l, if all you say is "this doesn't work".
So post some actual useful data, perhaps then someone has an idea
what goes wrong. This isn't some paid support hotline, where everyone
is happy to pull the needed pieces of information out of your nose.
--knitti
enbsd.org. come
the packets in? do they go out? where do they go out?)
beware www.openbsd.org != openbsd.org
--knitti
eset. If that works, add rules one by one
until it breaks. the smallest ruleset in your case would be the nat rule for
wifi and "pass all".
besides, do the clients behind xl0 have full connectivity?
--knitti
requests with
> mod_rewrite and mod_proxy. The Zope site (and the Plone site) have a
> several example configurations.
that's exactly true. take the config samples from zope.org to have apache
proxy and rewrite your urls. take your stock openbsd apache. it just works.
--knitti
configuration.
http://openbsd.org/faq/faq5.html#Why
--knitti
f_purge_timeout(d05ab72c,5305,3,0,0) at pf_purge_timeout+0x15
> ... (the ddb log stop here)
>
> Is there someone that used OpenBSD in a similar configuration ?
no one knows your configuration.
http://www.openbsd.org/faq/faq2.html#Bugs
--knitti