gmane.os.openbsd.misc

pf faq [was Re: (unknown)]

Stuart Henderson — 2012-05-26T12:30:25

Probably an incomplete conversion of the faq when the default was changed
to stateful. If someone wants to carefully go over faq/pf/ (or at least going
over one whole page rather than just parts of a page), check/update things
and send a diff, that would be very nice and there's a good chance it would
get committed..

Re: openups

Stuart Henderson — 2012-05-26T12:18:06

Might be interesting to have USB UPS report as a sensor for some simple
sensorsd-based shutdown control... (but if that's done it would be useful
if libusb can still access them, or at least forcibly detach them from the
driver at runtime, so people don't need kernel changes to run things like
NUT if they prefer that).

It might also be interesting for sensorsd to be able to pick up sensors
on another machine, with some nice easy syntax if the other machine runs
snmpd(8), or some basic support for simple SNMP OID gets to pull data
from non-OpenBSD sources (temp sensors on routers/switches etc).

(unknown)

Jan Stary — 2012-05-26T11:47:11

The "Passing Traffic" example at
http://www.openbsd.org/faq/pf/filter.html
doesn't seem to be completely accurate.

# Pass traffic in on dc0 from the local network, 192.168.0.0/24,
# to the OpenBSD machine's IP address 192.168.0.1. Also, pass the
# return traffic out on dc0.
pass in  on dc0 from 192.168.0.0/24 to 192.168.0.1
pass out on dc0 from 192.168.0.1 to 192.168.0.0/24

It's the "return" that bugs me: the first rule alone
makes the _return_ traffic be passed. The second
rule allows traffic that originates (creates state)
on the way out. Right?

Re: German Government claims to be able to break PGP and SSH

Peter Laufenberg — 2012-05-26T08:45:47

They still cast a wide net: on ccc.de there's a detailed report of one target
wanking to phone-sex.


I just read the PDF, in 2010 they dumped a raw IP stream from which they
extracted individual emails (90% spam) in which they searched for words like
"bomb". High-tech stuff. The one-sentence answer about PGP has so many
qualifiers that only an idiot would read it as a blanket success claim, the
gov official was probably puzzled by the question's "half-pregnant"
formulation.

Golem seem to have buried their story in an embarrassed rush; whoever came up
with the title must be flipping BratwC<rste right now.

Re: Recent BIND ports

Stuart Henderson — 2012-05-26T08:33:49

There are searchable mailing list archives, you know...

Re: spamd greylisting: false positives

Stuart Henderson — 2012-05-26T08:32:37

do you have spamlogd running?


yes, you do, various large sites use either pools of senders with a
shared queue, or senders behind large nats, or bad retry cycles
etc. you really need something like the dnswl list (only available
by dns lookup for the mos part).

one thing that can help is to restrict spamd to only affecting
windows hosts (using 'from any os "windows"' in pf rules).

Re: Recent BIND ports

Stuart Henderson — 2012-05-26T08:26:41

yes, agreed this is needed, we also want the DNS64 support.

I started a port of newer BIND but became unstuck adding back the
privsep code we have in BIND in base. Anyone want to help with that
or should I just not bother for the port?


so sad that this got added. ISC were some of the first and most
vocal opponents of this mess when netsol started doing it, even
added an option to BIND to filter it per-zone...

openups

bofh — 2012-05-26T03:41:46

Have anyone seen this?  I just saw it, and even though there's only
windows app available right now, I'm hoping this can tickle some
developer's fancy :)

http://www.mini-box.com/OpenUPS

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."

Re: spamd greylisting: false positives

David Diggles — 2012-05-26T03:19:38

Ok........ I am still not getting emails from
lists.openbsd.org (so please if you reply, cc to me).

I restarted spamd at this time after deleting /var/db/spamd and
clearing the bypass tables in pf at this time:

2012-05-26 02:13:12 # /usr/libexec/spamd

Here is the last message to make it to sendmail from misc:

fgrep from= /var/log/maillog|fgrep owner-misc|tail -1|awk '{print $1,$2,$3}'
May 26 01:54:35

The pf rules for spamd I have are taken from the default pf.conf:

pass in on egress inet proto tcp from any to any port = 25 flags S/SA rdr-to 127.0.0.1 port 8025
pass in on egress proto tcp from <nospamd> to any port = 25 flags S/SA
pass in log on egress proto tcp from <spamd-white> to any port = 25 flags S/SA
pass out log on egress proto tcp from any to any port = 25 flags S/S

It is currently Sat May 26 12:54:31 EST 201

Times of passed smtp connections for May 26:

tcpdump -n -e -ttt -r /var/log/pflog 2>&1|fgrep ".25:"|\
fgrep 'May 26'|awk '{print $3}'
01:14:53.793995
04:17:11.846707
05:00:19.443080
05

AMA PROFESSIONAL NEWSLETTER 53

AMA — 2012-05-26T01:08:43

Dear Sir, Madam,

Art Media Agency (AMA) is delighted to send you, free of charge, N053 of its Professional Newsletter. The Professional Newsletter gives its readers an overview of the week's news, whilst providing them with a detailed insight into the market trends.

The readership of AMA's Professional Newsletter continues to grow and we are proud to announce that after only one year, we now have more than 70,000 subscribers.
If you would like to advertise with us, do not hesitate to contact Art Rigie at www.artregie.com.

If you have any comments or suggestions on how to develop the service, we would be glad to hear from you.


Yours sincerely,


Art Media Agency.


If you wish to unsubscribe to the Professional Newsletter, please reply to this email with UNSUBSCRIBE in the subject field.

[demime 1.01d removed an attachment of type application/octet-stream]

Re: spamd greylisting: false positives

David Diggles — 2012-05-26T01:40:14

Thanks for also replying directly.  Since I cleared <nospamd>
override table in pf, I am no longer receiving emails from misc.


Some emails did not get through at all.  I didn't check for whitelist
entries or number of attempts at the time.


Ok, I have returned the greylist settings to default now and I will
go through the pf log and try find out why lists.openbsd.org is
once again not making it to my inbox.


I am not trying to "help", I am reproducing the problem by reverting
to the original conditions.  Now it's the weekend, I have time to spend
on solving it.


I restarted spamd and flushed all the pf tables almost 10 hours ago now.
Still nothing from lists.openbsd.org.


The spamd pf rules I am using are simply uncommented from the
default OpenBSD pf.conf file.

I will audit pf rules and ensure I don't have other rules interfering
with spamd.


Thanks for googling that one for me.

I must have a misconfiguration.

My apologies for dumping on the list, wasting peoples time etc.

Re: German Government claims to be able to break PGP and SSH

Christian Weisgerber — 2012-05-26T00:09:05


But that's for targeted surveillance.  The original article refers
to a bulk grep of 16,400 search terms over 37 million e-mail messages.
I would not in the least be surprised if a caesar chiffre successfully
defended against this.

Re: Prosze o odpowiedz Szybki

Mrs. Y Ishii — 2012-05-25T23:10:25

Witam,
My Name Is Pani Y. Ishii Taro, jestem z Japonii msj ojciec byl w
nieruchomosci biznes najmu, zanim zmarl w 2004 roku. Ja skontaktowac
ty w zwiazku z faktem, ze bedziemy z wielka pomoca dla
siebie jak madry rozwsj serdeczne stosunki. My self wzdluz
z moja siostra prsbowac ukrywac warte miliony dolarsw w gotswce w naszym
garaz uniknac okolo 27,8 milionsw dolarsw w podatkach od spadksw w Japonii.
Mam 2,061,681,295.50 JPY Odpowiednik Yen Japonia do $ 25,448,300.00 USD
Dolarsw amerykanskich, ktsre zamierzalem wykorzystac w celach inwestycyjnych
za granica.
Te pieniadze i zapisywane w prywatnym wzniesiony Bezpieczna Firma
bezpieczenstwa. To
to msj prawnik i moje ja, ze ??wiem, gdzie pieniadze sa przechowywane. Ze
wzgledu na
Obecna sytuacja w moim kraju o attitude rzadu
wobec mojej rodziny, stalo sie zupelnie niemozliwe dla nas do wykorzystania
z tych pieniedzy w ten spossb, staramy sie pomoc do przeniesienia tej
pieniadze z Japonii. Majac na uwadze, ze potrzebna jest pomoc
przeniesienie tego funduszu, propo

Re: Documentation for Apache-SSL key creation

Nicolai — 2012-05-25T22:15:33

Note that we prioritize ECDSA keys by default in SSH, even though RSA keys
are created.

This handy guide has some equivalents:

  http://www.nsa.gov/business/programs/elliptic_curve.shtml

It shows RSA-3072 to be equivalent to 128-bit symmetric or 256-bit ECC.
So RSA-3072 is equivalent to other cryptographic defaults in the system
(256-bit ECDSA, 128-bit AES-CTR).

2048 is an acceptable default, and 3072 is preferable IMO.  4096 is
expensive... but that's RSA.

Nicolai

Re: Documentation for Apache-SSL key creation

Jason McIntyre — 2012-05-25T21:49:26

i wish you'd commented earlier then ;(

would you like it shifted to 2048?

jmc

Re: Documentation for Apache-SSL key creation

Christian Weisgerber — 2012-05-25T21:25:29


RSA-4096 is really excessive.  RSA-2048 is the general recommendation
and what we use by default for SSH and IKE host keys.

Re: Unbound

Chris Smith — 2012-05-25T20:56:31

At least in the simple cases I use it's pretty straightforward.

NSD is pure authoritative. Unbound is resolver/cache plus it can serve
up "local data", that is data that we configure it serve up, it does
not retrieve it from elsewhere. The local data has some limitations (I
don't believe it serves up all record types for one) but it can be
sufficient in many cases. If one needs more complicated authoritative
data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC
authoritative service then use a stub-zone.

You can run NSD for the outside world, and Unbound can serve up the
local data or you can run another copy of NSD for your inside data if
your needs are greater than Unbound's local data (I don't serve
authoritative data to the outside world so I only use one copy of NSD
- could probably get away with Unbound only these days as its local
data serving has really improved).

Quick overview:

Unbound serves local data directly:
======================================
local-data: "host10.myinternal.c

Re: Documentation for Apache-SSL key creation

Jason McIntyre — 2012-05-25T20:28:42

changes committed, thanks.
jmc

Re: Recent BIND ports

Simon Perreault — 2012-05-25T19:37:38

I am running a hand-compiled BIND 9.9 right now for the DNS64 feature. 
I'd like to have an up to date port. I don't one to contribute, so I 
shut up and endure.


I'd guess that rthreads will play a big role, but this is only a guess.

Simon

Re: Recent BIND ports

Kostas Zorbadelos — 2012-05-25T19:33:53


Yes, I have understood that. The question remains: what do you think of
ports for recent BIND versions?
I am trying to make a case for OpenBSD in a demanding resolving setup of
a conservative ISP. OpenBSD is a big step on its own. Replacing BIND is
quite a leap in this environment.


Regards,
Kostas

PS: Initial tests with Nominum's resperf tool are not encouraging. My
guess is that it has to do with the lack of threading support
(in-kernel) for OpenBSD 5.1. Situation could be improved with the coming
rthreads? Of course this is a subject of a different thread when I have
more test data.

Recordatorio para el curso de "Mercadotecnia Moderna de las 4 "P" a las 4 "C" Ultimo día

Antonio Medina M. — 2012-05-25T19:24:40

!Muy Importante!
Si no puede visualizar correctamente este correo, le pedimos que lo arrastre a
su Bandeja de Entrada

Apreciable Ejecutivo:

TIEM de Mixico
Empresa Lmder en Capacitacisn y Actualizacisn de Capital Humano

Le Recuerda que el excelente curso denominado:
Mercadotecnia Moderna de las 4 "P" a las 4 "C"

Esta programado en la Ciudad de Mixico, el dma  30 de Mayo 2012

Inscrmbase a mas tardar el lunes 28 de mayo y obtenga un descuento del 15% con
Inversisn Inmediata
No deje pasar esta oportunidad e Invierta en su Desarrollo Personal y
Profesional

En las zltimas dicadas se ha estado hablando sobre las "4 P's" de la
mercadotecnia desarrolladas por Jerome McArthy (Producto, Promocisn, Precio y
Plaza). Sin embargo, unos innovadores de la Universidad de Northwestern han
visto que istas ya no se adecuan al nuevo entorno competitivo.

No obstante, lo mas difmcil y doloroso en un negocio es la administracisn del
cambio al igual que del crecimiento, ya que romper un paradigma, cambiar una
fsrmula o modific