From spork at bway.net Fri Feb 1 12:21:06 2008
From: spork at bway.net (Charles Sprickman)
Date: Fri, 1 Feb 2008 12:21:06 -0500 (EST)
Subject: [nycbug-talk] MS, the Yahoo buyout, and FreeBSD
Message-ID:

http://www.bloomberg.com/apps/news?pid=newsarchive&sid=ajQT8oZ96Yas

So how much of the FreeBSD infrastructure is donated by Yahoo! these days? It seems like in general they are pretty quiet about their FreeBSD support.

Will this be another Hotmail, with MS slowly turning off BSD boxes and putting Windows boxes in their place?

C

From eksffa at freebsdbrasil.com.br Fri Feb 1 12:41:26 2008
From: eksffa at freebsdbrasil.com.br (Patrick Tracanelli)
Date: Fri, 01 Feb 2008 15:41:26 -0200
Subject: [nycbug-talk] MS, the Yahoo buyout, and FreeBSD
In-Reply-To:
References:
Message-ID: <47A359C6.7020900@freebsdbrasil.com.br>

Charles Sprickman wrote:
> http://www.bloomberg.com/apps/news?pid=newsarchive&sid=ajQT8oZ96Yas
>
> So how much of the FreeBSD infrastructure is donated by Yahoo! these days?
> It seems like in general they are pretty quiet about their FreeBSD
> support.
>
> Will this be another Hotmail, with MS slowly turning off BSD boxes and
> putting Windows boxes in their place?

I was asking myself the same questions. As a Y! investor I am happy to see this offer, but as a FreeBSD professional I am not. And saying 'NO' to this offer, right after Y! announced such big layoffs, is psychologically difficult to believe, from an investor perspective.

There is also the good "marketing" that Yahoo! represents to FreeBSD, whether they are still very relevant to the project as donators or not. For example, the Yahoo! + FIFA world cup partnership marketed FreeBSD as the main OS in the world cup internet infrastructure, etc, etc. What else and how negative would it be to the Project? I hope not much.

--
Patrick Tracanelli
FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601 at sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
From nycbug-list at 2xlp.com Fri Feb 1 13:40:01 2008
From: nycbug-list at 2xlp.com (Jonathan Vanasco)
Date: Fri, 1 Feb 2008 13:40:01 -0500
Subject: [nycbug-talk] MS, the Yahoo buyout, and FreeBSD
In-Reply-To: <47A359C6.7020900@freebsdbrasil.com.br>
References: <47A359C6.7020900@freebsdbrasil.com.br>
Message-ID: <46D92037-E2CA-4166-8D00-E57E2E2328E8@2xlp.com>

On Feb 1, 2008, at 12:41 PM, Patrick Tracanelli wrote:
> I was asking myself the same questions. As a Y! investor I am happy to
> see this offer, but as a FreeBSD professional I am not. And saying
> 'NO'
> to this offer, right after Y! announced such big layoffs, is
> psychologically difficult to believe, from an investor perspective.
>
> There is also the good "marketing" that Yahoo! represents to FreeBSD,
> whether they are still very relevant to the project as donators or not.
> For example, Yahoo! + FIFA world cup partnership marketed FreeBSD
> as the
> main OS in the world cup internet infrastructure, etc, etc. What else
> and how negative would it be to the Project? I hope not much.

Yahoo are also big proponents of the LAMP stack, particularly PHP & MySQL.

Even with the resources behind the 1BN MySQL buyout, a lot of the 'enterprise' performance and engineering improvements & knowledge have been coming from large-scale deployments like Yahoo's. Converting to SQL Server could be a painful loss. Converting to .NET could be a nightmare too.

// Jonathan Vanasco

w. http://findmeon.com/user/jvanasco
e. jonathan at findmeon.com

| Founder/CEO - FindMeOn, Inc.
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Privacy Minded Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| Founder - RoadSound.com
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From george at ceetonetechnology.com Fri Feb 1 20:41:48 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 01 Feb 2008 20:41:48 -0500
Subject: [nycbug-talk] MS, the Yahoo buyout, and FreeBSD
In-Reply-To: <46D92037-E2CA-4166-8D00-E57E2E2328E8@2xlp.com>
References: <47A359C6.7020900@freebsdbrasil.com.br> <46D92037-E2CA-4166-8D00-E57E2E2328E8@2xlp.com>
Message-ID: <47A3CA5C.4000707@ceetonetechnology.com>

Jonathan Vanasco wrote:
> On Feb 1, 2008, at 12:41 PM, Patrick Tracanelli wrote:
>
>> I was asking myself the same questions. As a Y! investor I am happy to
>> see this offer, but as a FreeBSD professional I am not. And saying
>> 'NO'
>> to this offer, right after Y! announced such big layoffs, is
>> psychologically difficult to believe, from an investor perspective.
>>
>> There is also the good "marketing" that Yahoo! represents to FreeBSD,
>> whether they are still very relevant to the project as donators or not.
>> For example, Yahoo! + FIFA world cup partnership marketed FreeBSD
>> as the
>> main OS in the world cup internet infrastructure, etc, etc. What else
>> and how negative would it be to the Project? I hope not much.
>

Hmmm. . . Not particularly a soccer fan myself Patrick, but did they mention FBSD in their marketing?
> Yahoo are also big proponents of the LAMP stack, particularly PHP &
> MySQL
>
> Even with the resources behind the 1BN MySQL buyout, a lot of the
> 'enterprise' performance and engineering improvements & knowledge
> have been coming from large-scale deployments like Yahoo's.
> Converting to SQLserver could be a painful loss. Converting to .NET
> could be a nightmare too.

I'm sure I'm not the only one to remember back to the Hotmail Microsoft purchase, and that controversial white paper. . .

http://www.securityoffice.net/mssecrets/hotmail.html

I think on the whole it's bad for technology, regardless of the players.

There are of course a laundry list of negatives for BSD land. . . all those servers hosted by Yahoo. . . the fact that it's Yahoo responsible for a huge proportion of BSD hosts out there in terms of numbers. . .

If this does happen, I'm really not looking forward to the duopoly of MS and Google in so many arenas.

My gut feeling is that with the delay in a full response from Yahoo, it's a likely thing.

Who knows, maybe this will mean we'll have MS as a sponsor for the con (dumb joke:)

g

From george at ceetonetechnology.com Sat Feb 2 19:40:10 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Sat, 02 Feb 2008 19:40:10 -0500
Subject: [nycbug-talk] more on the MS and Yahoo
Message-ID: <47A50D6A.7030702@ceetonetechnology.com>

This is kinda funny. . . and contains more than a grain of truth.

http://tinyurl.com/2vydl7

George

From george at ceetonetechnology.com Sat Feb 2 19:52:50 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Sat, 02 Feb 2008 19:52:50 -0500
Subject: [nycbug-talk] more on the BSD Certification
Message-ID: <47A51062.2050204@ceetonetechnology.com>

This is from Dru. . . needless to say, we'll work out the details on this for NYCBSDCon on Oct 11/12.
* * *

The BSDA certification exam is available at the following locations in February:

SCALE: Los Angeles, California
Saturday, February 9 at 11:00 or 15:30
Seating is limited to 40 per exam session (2 sessions in total).

FOSDEM: Brussels, Belgium
Saturday, February 23 at 14:30 or 16:30
Sunday, February 24 at 10:00 or 13:00 or 15:00
Seating is limited to 15 per exam session (5 sessions in total).

Registration and URLs for more information regarding the conference locations can be found here:

https://register.bsdcertification.org//register/events

Pre-registration is required. Don't wait til the last minute as you'll need a BSDCG ID first and that can take up to 24 hours to receive. Also, as exam sessions are filled, they will disappear from the drop down menu from which you choose the exam location and time. If an exam time appears to be missing, that is the reason why.

The exam costs $75 USD to take; those who participated in the 2007 Beta program are eligible for a 50% discount.

Jim Brown and I will be proctoring in Los Angeles. Axel Gruner and Tille Garrels will be proctoring in Brussels. There will be BSD booths at both conferences--if you're not ready to take the exam now, stop by anyways to say hi and learn more about BSD certification.

For those wondering what is coming down the pipe, Linux-Tage in Chemnitz, Germany has been confirmed for March. We will also be at Flourish in Chicago in April--more details will be available once we know the size and location of the room.

Cheers,
Dru

From jpb at sixshooter.v6.thrupoint.net Mon Feb 4 11:32:31 2008
From: jpb at sixshooter.v6.thrupoint.net (Jim Brown)
Date: Mon, 4 Feb 2008 11:32:31 -0500
Subject: [nycbug-talk] Trouble reaching www.openbsd.org?
Message-ID: <20080204163231.GA90085@sixshooter.v6.thrupoint.net>

Having trouble getting the web page today.

I can traceroute all the way to from my connection to:

...
14 gsb175-c7507-1-3-169.backbone.ualberta.ca (129.128.3.169) 96.851 ms 96.345 ms 96.742 ms
15 gsb175-c6509-3-129.backbone.ualberta.ca (129.128.3.129) 95.508 ms 104.254 ms 94.568 ms
16 129.128.3.201 (129.128.3.201) 94.262 ms 94.466 ms 114.591 ms

and that's where things stop.

Anyone else seeing this?

Jim B.

From dan at langille.org Mon Feb 4 11:58:32 2008
From: dan at langille.org (Dan Langille)
Date: Mon, 4 Feb 2008 11:58:32 -0500 (EST)
Subject: [nycbug-talk] Trouble reaching www.openbsd.org?
In-Reply-To: <20080204163231.GA90085@sixshooter.v6.thrupoint.net>
References: <20080204163231.GA90085@sixshooter.v6.thrupoint.net>
Message-ID: <33678.74.239.169.41.1202144312.squirrel@nuts.unixathome.org>

On Mon, February 4, 2008 11:32 am, Jim Brown wrote:
>
> Having trouble getting the web page today.
>
> I can traceroute all the way to
> from my connection to:
>
> ...
> 14 gsb175-c7507-1-3-169.backbone.ualberta.ca (129.128.3.169) 96.851 ms
> 96.345 ms 96.742 ms
> 15 gsb175-c6509-3-129.backbone.ualberta.ca (129.128.3.129) 95.508 ms
> 104.254 ms 94.568 ms
> 16 129.128.3.201 (129.128.3.201) 94.262 ms 94.466 ms 114.591 ms
>
>
> and that's where things stop.
>
> Anyone else seeing this?

I was. But now it is working.

FYI, I suspect www.openbsd.org and openbsd.org are different servers.

--
Dan Langille - http://www.langille.org/

From jbaltz at 3phasecomputing.com Mon Feb 4 16:21:46 2008
From: jbaltz at 3phasecomputing.com (Jerry B. Altzman)
Date: Mon, 04 Feb 2008 16:21:46 -0500
Subject: [nycbug-talk] building home firewalls out of soekris boxen
Message-ID: <47A781EA.4080104@3phasecomputing.com>

Howdy,

Anyone local here spend much time *still* with Soekris boxes? I'm thinking of building a new firewall or two for the home, I'd like to try something OTHER than OpenWRT (since I already have a nice wireless gateway, thankyouverymuch...) and the little boxes just ... appeal to me.

Comments? Praises? Brickbats?

Either post here, or send to me & I'll summarize back.

Thanks!
//jbaltz
--
jerry b. altzman jbaltz at 3phasecomputing.com +1 718 763 7405

From lego at therac25.net Mon Feb 4 16:34:27 2008
From: lego at therac25.net (Andy Michaels)
Date: Mon, 4 Feb 2008 16:34:27 -0500 (EST)
Subject: [nycbug-talk] building home firewalls out of soekris boxen
In-Reply-To: <47A781EA.4080104@3phasecomputing.com>
References: <47A781EA.4080104@3phasecomputing.com>
Message-ID:

On Mon, 4 Feb 2008, Jerry B. Altzman wrote:

> Howdy,
>
> Anyone local here spend much time *still* with Soekris boxes? I'm

I did a few months ago :)

> thinking of building a new firewall or two for the home, I'd like to try
> something OTHER than OpenWRT (since I already have a nice wireless
> gateway, thankyouverymuch...) and the little boxes just ... appeal to me.
>
> Comments? Praises? Brickbats?
>

There are lots of options. You can subscribe to the soekris mailing lists at
http://lists.soekris.com/mailman/listinfo/soekris-tech and
http://lists.soekris.com/mailman/listinfo/soekris-announce

Also, there is a decent wiki underway at http://wiki.soekris.info

I've had good experiences with OpenBSD and Debian on Soekrii.

-Andy

> Either post here, or send to me & I'll summarize back.
>
> Thanks!
>
> //jbaltz
> --
> jerry b. altzman jbaltz at 3phasecomputing.com +1 718 763 7405
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

From bschonhorst at gmail.com Mon Feb 4 16:38:46 2008
From: bschonhorst at gmail.com (Brad Schonhorst)
Date: Mon, 4 Feb 2008 16:38:46 -0500
Subject: [nycbug-talk] building home firewalls out of soekris boxen
In-Reply-To: <47A781EA.4080104@3phasecomputing.com>
References: <47A781EA.4080104@3phasecomputing.com>
Message-ID: <7708fd680802041338j5e85db4co9cbafece3c54df48@mail.gmail.com>

On Feb 4, 2008 4:21 PM, Jerry B. Altzman wrote:
> Howdy,
>
> Anyone local here spend much time *still* with Soekris boxes? I'm
> thinking of building a new firewall or two for the home, I'd like to try
> something OTHER than OpenWRT (since I already have a nice wireless
> gateway, thankyouverymuch...) and the little boxes just ... appeal to me.
>
> Comments? Praises? Brickbats?
>
> Either post here, or send to me & I'll summarize back.
>
> Thanks!

Hi Jerry-

I have played around with these quite a bit. Lately I haven't had as much time to tinker and decided I just wanted something easy to manage. I've been using pfSense and it's worked out great. It's based on m0n0wall, another good option. These are both great if you are looking for minimal setup time.

pfSense http://www.pfsense.com/
m0n0wall http://m0n0.ch/wall/

-Brad

From lavalamp at spiritual-machines.org Mon Feb 4 16:47:38 2008
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Mon, 4 Feb 2008 16:47:38 -0500 (EST)
Subject: [nycbug-talk] building home firewalls out of soekris boxen
In-Reply-To: <47A781EA.4080104@3phasecomputing.com>
References: <47A781EA.4080104@3phasecomputing.com>
Message-ID: <20080204164247.G61212@arbitor.digitalfreaks.org>

On Mon, 4 Feb 2008, Jerry B. Altzman wrote:

> Howdy,
>
> Anyone local here spend much time *still* with Soekris boxes? I'm
> thinking of building a new firewall or two for the home, I'd like to try
> something OTHER than OpenWRT (since I already have a nice wireless
> gateway, thankyouverymuch...) and the little boxes just ... appeal to me.

I was working with Jeff Rizzo and NetBSD on some pre-compiled CF images for Soekris boxes. We were 99% of the way there -- but because I don't have a Soekris, we were playing tag with rebuilding custom kernels.

They were from http://code.google.com/p/bsd-appliance/

Which model were you hoping to use?

The latest image was:

http://digitalfreaks.org/~lavalamp/image_cf.200712302122.snapshot0.NetBSD_4.0_BETA2_i386.bz2

~BAS

> Comments? Praises? Brickbats?
>
> Either post here, or send to me & I'll summarize back.
>
> Thanks!
>
> //jbaltz
> --

From spork at bway.net Mon Feb 4 17:06:03 2008
From: spork at bway.net (Charles Sprickman)
Date: Mon, 4 Feb 2008 17:06:03 -0500 (EST)
Subject: [nycbug-talk] building home firewalls out of soekris boxen
In-Reply-To: <47A781EA.4080104@3phasecomputing.com>
References: <47A781EA.4080104@3phasecomputing.com>
Message-ID:

On Mon, 4 Feb 2008, Jerry B. Altzman wrote:

> Howdy,
>
> Anyone local here spend much time *still* with Soekris boxes?

Never played with them, but I have a PCEngines Alix box on the way to setup with pfsense for a client:

http://www.netgate.com/product_info.php?cPath=60&products_id=492

It seemed like a much better value than Soekris.

Just thought I'd throw that out there.

Thanks,

Charles

> I'm thinking of building a new firewall or two for the home, I'd like to
> try something OTHER than OpenWRT (since I already have a nice wireless
> gateway, thankyouverymuch...) and the little boxes just ... appeal to
> me.
>
> Comments? Praises? Brickbats?
>
> Either post here, or send to me & I'll summarize back.
>
> Thanks!
>
> //jbaltz
> --
> jerry b. altzman jbaltz at 3phasecomputing.com +1 718 763 7405
>

From nikolai at fetissov.org Mon Feb 4 17:07:57 2008
From: nikolai at fetissov.org (nikolai)
Date: Mon, 4 Feb 2008 17:07:57 -0500 (EST)
Subject: [nycbug-talk] building home firewalls out of soekris boxen
Message-ID: <47201.204.153.88.2.1202162877.squirrel@www.geekisp.com>

> Howdy,
>
> Anyone local here spend much time *still* with Soekris boxes? I'm thinking of building a new firewall or two for the home, I'd like to try something OTHER than OpenWRT (since I already have a nice wireless gateway, thankyouverymuch...) and the little boxes just ... appeal to me.
>
> Comments? Praises? Brickbats?
>
> Either post here, or send to me & I'll summarize back.
>

My net4801 access point is running an aging OpenBSD-4.2 GENERIC snap. Instead of playing with flashboot/flashdist, I mess with mount points at install vs runtime, then build devices in a separate prototype dir. After that the flash card is read-only, everything else is on mfs. And, of course, I had the card partitioned at some point.

/etc/fstab:

    /dev/wd0a /      ffs  ro 1 1
    /dev/wd0b none   swap sw 0 0
    /dev/wd0g /home  ffs  ro,nodev,nosuid 1 2
    /dev/wd0d /usr   ffs  ro,nodev 1 2
    swap      /tmp   mfs  rw,nodev,nosuid,-s=16386 0 0
    swap      /var   mfs  rw,nodev,nosuid,-P=/dev/wd0e 0 0
    swap      /dev   mfs  rw,noexec,nosuid,-P=/proto/dev 0 0

The box runs everything default + dhcpd on wireless interface + simple forwarding bind. No problems.

--
Nikolai

From dan at langille.org Mon Feb 4 17:11:49 2008
From: dan at langille.org (Dan Langille)
Date: Mon, 04 Feb 2008 17:11:49 -0500
Subject: [nycbug-talk] building home firewalls out of soekris boxen
In-Reply-To:
References: <47A781EA.4080104@3phasecomputing.com>
Message-ID: <47A78DA5.8070406@langille.org>

Charles Sprickman wrote:
> Never played with them, but I have a PCEngines Alix box on the way to
> setup with pfsense for a client:
>
> http://www.netgate.com/product_info.php?cPath=60&products_id=492
>
> It seemed like a much better value than Soekris.
>
> Just thought I'd throw that out there.

$180? What is involved in transforming that hardware to a running computer? What OS?

--
Dan Langille - http://www.langille.org/
BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
PGCon - The PostgreSQL Conference: http://www.pgcon.org/

From george at ceetonetechnology.com Mon Feb 4 17:22:00 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Mon, 04 Feb 2008 17:22:00 -0500
Subject: [nycbug-talk] building home firewalls out of soekris boxen
In-Reply-To: <47A781EA.4080104@3phasecomputing.com>
References: <47A781EA.4080104@3phasecomputing.com>
Message-ID: <47A79008.3000105@ceetonetechnology.com>

Jerry B. Altzman wrote:
> Howdy,
>
> Anyone local here spend much time *still* with Soekris boxes? I'm
> thinking of building a new firewall or two for the home, I'd like to try
> something OTHER than OpenWRT (since I already have a nice wireless
> gateway, thankyouverymuch...) and the little boxes just ... appeal to me.
>
> Comments? Praises? Brickbats?
>
> Either post here, or send to me & I'll summarize back.

I still think they're great boxes. . . I have a 4801 with FBSD 6-something doing monitoring with a 2 gig CF card.

It's a bit of a hassle with the new CF cards out there. . . the 4801 only supports type I and II. . . and good luck finding out which "type" a CF card is on the package.

I know some people have migrated over to PC Engines stuff. . .

http://www.pcengines.ch/order1.php?c=4

Anyone have positive experiences with the alix* boxes? They are cheap. . . even with an enclosure.

George

From lego at therac25.net Mon Feb 4 17:23:19 2008
From: lego at therac25.net (Andy Michaels)
Date: Mon, 4 Feb 2008 17:23:19 -0500 (EST)
Subject: [nycbug-talk] building home firewalls out of soekris boxen
In-Reply-To: <47A78DA5.8070406@langille.org>
References: <47A781EA.4080104@3phasecomputing.com> <47A78DA5.8070406@langille.org>
Message-ID:

On Mon, 4 Feb 2008, Dan Langille wrote:

> Charles Sprickman wrote:
>
>> Never played with them, but I have a PCEngines Alix box on the way to
>> setup with pfsense for a client:
>>
>> http://www.netgate.com/product_info.php?cPath=60&products_id=492
>>
>> It seemed like a much better value than Soekris.
>>
>> Just thought I'd throw that out there.
>
> $180? What is involved in transforming that hardware to a running
> computer? What OS?
>

pfSense is a good choice if you want the least hassle and want it up quickly (so I've heard, I haven't installed it myself). I am a fan of OpenBSD or Debian on these things; you'll need a little extra hardware, perhaps a CF card reader or a null-modem cable, depending on which route you go for the install.
-andy

> --
> Dan Langille - http://www.langille.org/
> BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
> PGCon - The PostgreSQL Conference: http://www.pgcon.org/
>

From spork at bway.net Mon Feb 4 17:39:43 2008
From: spork at bway.net (Charles Sprickman)
Date: Mon, 4 Feb 2008 17:39:43 -0500 (EST)
Subject: [nycbug-talk] building home firewalls out of soekris boxen
In-Reply-To: <47A78DA5.8070406@langille.org>
References: <47A781EA.4080104@3phasecomputing.com> <47A78DA5.8070406@langille.org>
Message-ID:

On Mon, 4 Feb 2008, Dan Langille wrote:

> Charles Sprickman wrote:
>
>> Never played with them, but I have a PCEngines Alix box on the way to setup
>> with pfsense for a client:
>>
>> http://www.netgate.com/product_info.php?cPath=60&products_id=492
>>
>> It seemed like a much better value than Soekris.
>>
>> Just thought I'd throw that out there.
>
> $180? What is involved in transforming that hardware to a running computer?
> What OS?

I bought a CF card reader for $5 at monoprice, that should be it.

The above price includes the Alix board w/3 10/100 ethernet, 1 mini PCI slot, 256MB RAM, 500MHz Geode processor, 2 USB ports, power supply and the enclosure. We couldn't justify the Soekris at that price.

I'm putting the embedded version of pfsense on there (FreeBSD + PF + very sophisticated web interface). If I were to try and emulate some of the stuff pfsense does with QoS without the GUI, I would surely fail. :)

I know a number of people running pfsense and they are very happy with it.
http://www.pfsense.com/

Charles

> --
> Dan Langille - http://www.langille.org/
> BSDCan - The Technical BSD Conference: http://www.bsdcan.org/
> PGCon - The PostgreSQL Conference: http://www.pgcon.org/
>

From george at galis.org Tue Feb 5 11:56:29 2008
From: george at galis.org (George Georgalis)
Date: Tue, 5 Feb 2008 11:56:29 -0500
Subject: [nycbug-talk] building home firewalls out of soekris boxen
In-Reply-To:
References: <47A781EA.4080104@3phasecomputing.com> <47A78DA5.8070406@langille.org>
Message-ID: <20080205165629.GA9630@run.duo>

On Mon, Feb 04, 2008 at 05:39:43PM -0500, Charles Sprickman wrote:
>On Mon, 4 Feb 2008, Dan Langille wrote:
>
>> Charles Sprickman wrote:
>>
>>> Never played with them, but I have a PCEngines Alix box on the way to setup
>>> with pfsense for a client:
>>>
>>> http://www.netgate.com/product_info.php?cPath=60&products_id=492
>>>
>>> It seemed like a much better value than Soekris.
>>>
>>> Just thought I'd throw that out there.
>>
>> $180? What is involved in transforming that hardware to a running computer?
>> What OS?
>
>I bought a CF card reader for $5 at monoprice, that should be it.
>
>The above price includes the Alix board w/3 10/100 ethernet, 1 mini PCI
>slot, 256MB RAM, 500MHz Geode processor, 2 USB ports, power supply and the
>enclosure. We couldn't justify the Soekris at that price.
>
>I'm putting the embedded version of pfsense on there (FreeBSD + PF + very
>sophisticated web interface). If I were to try and emulate some of the
>stuff pfsense does with QoS without the GUI, I would surely fail. :)

Mine is slightly different, has audio and vga and 1 10/100. I've got a dual Gb net adapter in the pci.

http://article.gmane.org/gmane.os.netbsd.devel.kernel/29160
http://www.pcengines.ch/alix1c.htm

My issue is nominal: I have to specify the console device at the boot prompt or the keyboard is not recognized. Seems a bug in NetBSD. My 4.0 dmesg is in the first link.
// George

--
George Georgalis, information system scientist <

From george at ceetonetechnology.com Wed Feb 6 10:09:25 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 06 Feb 2008 10:09:25 -0500
Subject: [nycbug-talk] SANS ISC post on SSH
Message-ID: <47A9CDA5.7040005@ceetonetechnology.com>

I think it's a relevant point for tonight's discussion. . .

How does one deal with automation of remote processes over ssh?

http://isc.sans.org/diary.html?storyid=3935&rss

George

From bonsaime at gmail.com Wed Feb 6 11:24:19 2008
From: bonsaime at gmail.com (Jesse Callaway)
Date: Wed, 6 Feb 2008 11:24:19 -0500
Subject: [nycbug-talk] SANS ISC post on SSH
In-Reply-To: <47A9CDA5.7040005@ceetonetechnology.com>
References: <47A9CDA5.7040005@ceetonetechnology.com>
Message-ID:

On Wed, Feb 6, 2008 at 10:09 AM, George Rosamond wrote:
> I think it's a relevant point for tonight's discussion. . .
>
> How does one deal with automation of remote processes over ssh?
>
> http://isc.sans.org/diary.html?storyid=3935&rss
>
> George
>

I'm particularly interested in the authorized_keys file use he mentions. I saw this while trying to set up some automated /etc backups. I am STILL setting it up because of not being able to rest regarding the automation and root access over the net.

One tricky thing I've thought of, and did implement, was when doing tarballs over the ssh pipe... create a random key, encrypt it with RSA. Then do a block cipher using the random key to pipe the tarball. This is just in case somebody happens to get my key and password to the key for login... all they'd get back is a "stuff this in your pipe and smoke it".

But locking down the ssh login so that it ONLY does this encrypted tarball dance is what I'm really interested in learning at the meeting.
-jesse

From george at galis.org Wed Feb 6 12:02:14 2008
From: george at galis.org (George Georgalis)
Date: Wed, 6 Feb 2008 12:02:14 -0500
Subject: [nycbug-talk] SANS ISC post on SSH
In-Reply-To:
References: <47A9CDA5.7040005@ceetonetechnology.com>
Message-ID: <20080206170214.GA23181@run.duo>

On Wed, Feb 06, 2008 at 11:24:19AM -0500, Jesse Callaway wrote:
>I'm particularly interested in the authorized_keys file use he
>mentions. I saw this while trying to set up some automated /etc
>backups. I am STILL setting it up because of not being able to rest
>regarding the automation and root access over the net.

While not foolproof, one thing that can be done is run cron from an ssh-agent environment where your passphrase has been manually added.

In any event I tend to keep the "SOA" in mind. Hosts that establish connections have greater value and security than hosts that receive them. eg never connect to a secure host from an insecure one, always make ssh a one way street.

// George

--
George Georgalis, information system scientist <

From mspitzer at gmail.com Wed Feb 6 13:45:34 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 6 Feb 2008 13:45:34 -0500
Subject: [nycbug-talk] SANS ISC post on SSH
In-Reply-To:
References: <47A9CDA5.7040005@ceetonetechnology.com>
Message-ID: <8c50a3c30802061045m13ca073dl378d2e11774c37df@mail.gmail.com>

On Feb 6, 2008 11:24 AM, Jesse Callaway wrote:
>
> I'm particularly interested in the authorized_keys file use he
> mentions. I saw this while trying to set up some automated /etc
> backups. I am STILL setting it up because of not being able to rest
> regarding the automation and root access over the net.
> One tricky thing I've thought of, and did implement was when doing
> tarballs over the ssh pipe...
> create a random key, encrypt it with RSA. Then do a block cipher using
> the random key to pipe the tarball. This is just in case somebody
> happens to get my key and password to the key for login... all they'd
> get back is a "stuff this in your pipe and smoke it"
> But locking down the ssh login so that it ONLY does this encrypted
> tarball dance is what I'm really interested in learning at the
> meeting.

I do not know as much about it as I should, but I think Kerberos is worth looking at for this. At least you would get rid of the root key issue.

marc

>
> -jesse
>

--
Freedom is nothing but a chance to be better.
Albert Camus

From andy.kosela at gmail.com Wed Feb 6 15:19:53 2008
From: andy.kosela at gmail.com (Andy Kosela)
Date: Wed, 6 Feb 2008 21:19:53 +0100
Subject: [nycbug-talk] SANS ISC post on SSH
In-Reply-To: <47A9CDA5.7040005@ceetonetechnology.com>
References: <47A9CDA5.7040005@ceetonetechnology.com>
Message-ID: <3cc535c80802061219i2deecf92l62786b1932bb00e9@mail.gmail.com>

On Feb 6, 2008 4:09 PM, George Rosamond wrote:
> I think it's a relevant point for tonight's discussion. . .
>
> How does one deal with automation of remote processes over ssh?
>
> http://isc.sans.org/diary.html?storyid=3935&rss
>

I think this one can also come in handy:

http://www.hackinglinuxexposed.com/articles/20021211.html

regards,
Andy Kosela

From brian.gupta at gmail.com Wed Feb 6 16:09:21 2008
From: brian.gupta at gmail.com (Brian Gupta)
Date: Wed, 6 Feb 2008 16:09:21 -0500
Subject: [nycbug-talk] Next generation init daemon
Message-ID: <5b5090780802061309g267207b6x9063425f1df7cb5a@mail.gmail.com>

I was wondering if the various BSDs are standardizing on any next generation init type daemons?

Some examples:

1) Ubuntu's upstart
2) Solaris's startd (SMF)
3) Mac OS X's launchd (This is the only BSD one I am aware of.)
4) InitNG

Cheers,
Brian

--
- Brian Gupta
From KReiter at insidefsi.net Wed Feb 6 16:34:46 2008
From: KReiter at insidefsi.net (Kevin Reiter)
Date: Wed, 6 Feb 2008 16:34:46 -0500
Subject: [nycbug-talk] ShmooCon
In-Reply-To: <7765c0380711261209i8d79cdfv76dc506e68bb6c4b@mail.gmail.com>
Message-ID: <0CF59C4890F7A04AAC3B1E798E6F86F3016F0136@fsi32.fsidp.insidefsi.com>

I have a room at the hotel with a spare bed if anyone needs somewhere to crash for both nights (I booked it with 2 beds, the other guy bugged out.)

-----Original Message-----
From: talk-bounces at lists.nycbug.org [mailto:talk-bounces at lists.nycbug.org]On Behalf Of Ray Lai
Sent: Monday, November 26, 2007 3:09 PM
To: Isaac Levy; talk at lists.nycbug.org
Subject: [nycbug-talk] ShmooCon

Remember! Next round of tickets go on sale on Dec. 1 noon!

-Ray-

This message may contain confidential or proprietary information and is intended solely for the individual(s) to whom it is addressed. If you are not a named addressee you should not disseminate, distribute or copy this e-mail or act upon the information contained herein. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

From brian.gupta at gmail.com Wed Feb 6 17:27:53 2008
From: brian.gupta at gmail.com (Brian Gupta)
Date: Wed, 6 Feb 2008 17:27:53 -0500
Subject: [nycbug-talk] OpenSSH Talk tonight. Cool ssh-agent wrapper script called "Gentoo keychain"
Message-ID: <5b5090780802061427g649e32c3y1c2a398ca0799757@mail.gmail.com>

I use this exclusively to manage ssh-agent even though I am not even running Gentoo Linux.

http://www.gentoo.org/proj/en/keychain/

It's definitely worth checking out, and if anyone needs help setting it up, I can. Especially if there is wifi access at the bar?

Cheers,
Brian

P.S. - I will be bringing a Mac with MacPorts installed.

--
- Brian Gupta
http://opensolaris.org/os/project/nycosug/
URL: From bonsaime at gmail.com Wed Feb 6 17:35:27 2008 From: bonsaime at gmail.com (Jesse Callaway) Date: Wed, 6 Feb 2008 17:35:27 -0500 Subject: [nycbug-talk] OpenSSH Talk tonight. Cool ssh-agent wrapper script called "Gentoo keychain" In-Reply-To: <5b5090780802061427g649e32c3y1c2a398ca0799757@mail.gmail.com> References: <5b5090780802061427g649e32c3y1c2a398ca0799757@mail.gmail.com> Message-ID: On Wed, Feb 6, 2008 at 5:27 PM, Brian Gupta wrote: > I use this exclusively to manage ssh-agent even though I am not even running > Gentoo Linux. > > http://www.gentoo.org/proj/en/keychain/ > > It's definitely worth checking out, and if anyone needs help setting it up, > I can. Especially if there is wifi access at the bar? > > Cheers, > Brian > > P.S. - I will be bringing a Mac with MacPorts installed. > > -- > - Brian Gupta > > http://opensolaris.org/os/project/nycosug/ > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > > Yes, there is wireless access... I think. At least I had wireless access there at some point. I forget if there is a passphrase or not. -jesse From george at galis.org Wed Feb 6 18:05:29 2008 From: george at galis.org (George Georgalis) Date: Wed, 6 Feb 2008 18:05:29 -0500 Subject: [nycbug-talk] postbin? Message-ID: <20080206230529.GC23181@run.duo> Folks, I need to post a binary (jpg) anonymously. Not paranoid grade anonymous, just social grade enormous. In the past I've used "postbin" sites to upload various public files to share via http url. But I never bookmarked any of them and can't find any just now. Someone know one I can use? // George -- George Georgalis, information system scientist < From george at galis.org Wed Feb 6 18:16:29 2008 From: george at galis.org (George Georgalis) Date: Wed, 6 Feb 2008 18:16:29 -0500 Subject: [nycbug-talk] postbin? 
In-Reply-To: <20080206230529.GC23181@run.duo> References: <20080206230529.GC23181@run.duo> Message-ID: <20080206231629.GE23181@run.duo> On Wed, Feb 06, 2008 at 06:05:29PM -0500, George Georgalis wrote: >Folks, I need to post a binary (jpg) anonymously. Not >paranoid grade anonymous, just social grade enormous. In >the past I've used "postbin" sites to upload various >public files to share via http url. But I never >bookmarked any of them and can't find any just now. > >Someone know one I can use? s/enormous/anonymous/ // George -- George Georgalis, information system scientist <
From george at galis.org Wed Feb 6 19:44:10 2008 From: george at galis.org (George Georgalis) Date: Wed, 6 Feb 2008 19:44:10 -0500 Subject: [nycbug-talk] postbin? In-Reply-To: <20080206231629.GE23181@run.duo> References: <20080206230529.GC23181@run.duo> <20080206231629.GE23181@run.duo> Message-ID: <20080207004410.GH23181@run.duo> On Wed, Feb 06, 2008 at 06:16:29PM -0500, George Georgalis wrote: >On Wed, Feb 06, 2008 at 06:05:29PM -0500, George Georgalis wrote: >>Folks, I need to post a binary (jpg) anonymously. Not >>paranoid grade anonymous, just social grade enormous. In >>the past I've used "postbin" sites to upload various >>public files to share via http url. But I never >>bookmarked any of them and can't find any just now. >> >>Someone know one I can use? > >s/enormous/anonymous/ Thanks all. imageshack.us did it, photobucket might also work.... // George -- George Georgalis, information system scientist <
From max at neuropunks.org Wed Feb 6 20:03:13 2008 From: max at neuropunks.org (Max Gribov) Date: Wed, 06 Feb 2008 20:03:13 -0500 Subject: [nycbug-talk] ssh bruteforce hacks Message-ID: <47AA58D1.707@neuropunks.org> http://www.neuropunks.org/ssh_bruteforce.txt perl script needs some work - it won't remove temp files from /tmp for whois...
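An added example for the brute-force thread above; it is not the perl script the message links to and not code from this list. It tallies failed logins per source address from sshd log lines (the sample lines and addresses are constructed) and keeps its scratch file under mktemp plus a trap, the cleanup the message says the referenced script is missing.

```shell
#!/bin/sh
# Added example, not the script referenced in the message above: report
# SSH brute-force sources from sshd auth-log lines. Scratch files go
# through mktemp and are removed on every exit path.

# Constructed sample sshd log lines (syslog format, documentation addresses).
sample_log() {
    cat <<'EOF'
Feb  6 19:55:01 gw sshd[2101]: Invalid user admin from 192.0.2.10
Feb  6 19:55:01 gw sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Feb  6 19:55:03 gw sshd[2104]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Feb  6 19:55:05 gw sshd[2107]: Failed password for root from 192.0.2.10 port 40141 ssh2
Feb  6 19:55:06 gw sshd[2107]: Failed password for root from 192.0.2.10 port 40141 ssh2
Feb  6 19:56:10 gw sshd[2110]: Failed password for invalid user test from 198.51.100.7 port 51022 ssh2
Feb  6 19:56:12 gw sshd[2112]: Failed password for invalid user guest from 198.51.100.7 port 51030 ssh2
Feb  6 19:57:40 gw sshd[2120]: Accepted publickey for skreuzer from 203.0.113.5 port 60001 ssh2
EOF
}

# Read log lines on stdin; print "count ip" for every source with at least
# $1 failed authentications, most active first. "Invalid user" and
# "Accepted" lines are deliberately not counted.
brute_force_sources() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed (password|publickey|none|keyboard-interactive)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# Build the report in a private scratch file (as a whois pass would need),
# print it, and remove the file on both normal and abnormal exit.
report() {
    threshold=$1
    tmp=$(mktemp "${TMPDIR:-/tmp}/sshbf.XXXXXX") || return 1
    trap 'rm -f "$tmp"' EXIT INT TERM
    brute_force_sources "$threshold" > "$tmp"
    if [ -s "$tmp" ]; then
        printf 'sources with >= %s failed logins:\n' "$threshold"
        cat "$tmp"
    else
        echo "no source reached $threshold failed logins"
    fi
    rm -f "$tmp"
    trap - EXIT INT TERM
}

# Stand-alone demo on the constructed sample: threshold 3 flags only
# 192.0.2.10. For real data: report 3 < /var/log/auth.log
[ -n "${SSHBF_NO_DEMO:-}" ] || sample_log | report 3
```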
From thenorthsecedes at gmail.com Wed Feb 6 20:05:33 2008 From: thenorthsecedes at gmail.com (Eric Lee) Date: Wed, 6 Feb 2008 20:05:33 -0500 Subject: [nycbug-talk] postbin? In-Reply-To: <20080207004410.GH23181@run.duo> References: <20080206230529.GC23181@run.duo> <20080206231629.GE23181@run.duo> <20080207004410.GH23181@run.duo> Message-ID: > >On Wed, Feb 06, 2008 at 06:05:29PM -0500, George Georgalis wrote: > >>Folks, I need to post a binary (jpg) anonymously. Not > >>paranoid grade anonymous, just social grade enormous. Try http://bayimg.com/ -- from the people behind thepiratebay.org regards, Eric -- http://blog.theredstick.net/
From trish at bsdunix.net Wed Feb 6 20:38:58 2008 From: trish at bsdunix.net (Siobhan Patricia Lynch) Date: Thu, 7 Feb 2008 01:38:58 +0000 Subject: [nycbug-talk] Next generation init daemon In-Reply-To: <5b5090780802061309g267207b6x9063425f1df7cb5a@mail.gmail.com> References: <5b5090780802061309g267207b6x9063425f1df7cb5a@mail.gmail.com> Message-ID: <103250865-1202348341-cardhu_decombobulator_blackberry.rim.net-82155548-@bxe005.bisx.prod.on.blackberry> I haven't heard any talk of it - especially since FreeBSD came out with rcng very recently - SMF would be my choice though (you know why :)) -Trish -- Siobhan Patricia Lynch -----Original Message----- From: "Brian Gupta" Date: Wed, 6 Feb 2008 16:09:21 To:NYCBUG-Talk Subject: [nycbug-talk] Next generation init daemon I was wondering if the various BSDs are standardizing on any next generation init type daemons? Some examples: 1) Ubuntu's upstart 2) Solaris's startd (SMF) 3) Mac OS X's launchd (This is the only BSD one I am aware of.) 4) InitNG Cheers, Brian -- - Brian Gupta _______________________________________________ talk mailing list talk at lists.nycbug.org http://lists.nycbug.org/mailman/listinfo/talk
From spork at bway.net Wed Feb 6 23:54:10 2008 From: spork at bway.net (Charles Sprickman) Date: Wed, 6 Feb 2008 23:54:10 -0500 (EST) Subject: [nycbug-talk] postbin?
In-Reply-To: References: <20080206230529.GC23181@run.duo> <20080206231629.GE23181@run.duo> <20080207004410.GH23181@run.duo> Message-ID: On Wed, 6 Feb 2008, Eric Lee wrote: >>> On Wed, Feb 06, 2008 at 06:05:29PM -0500, George Georgalis wrote: >>>> Folks, I need to post a binary (jpg) anonymously. Not >>>> paranoid grade anonymous, just social grade enormous. > > Try http://bayimg.com/ -- from the people behind thepiratebay.org And don't click on that link on bayimg.com to imagefap.com. C > regards, > Eric > -- > http://blog.theredstick.net/ > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk >
From nikolai at fetissov.org Thu Feb 7 12:08:19 2008 From: nikolai at fetissov.org (nikolai) Date: Thu, 7 Feb 2008 12:08:19 -0500 (EST) Subject: [nycbug-talk] February 2008 meeting audio Message-ID: <22673.204.153.88.2.1202404099.squirrel@www.geekisp.com> Folks, Audio of yesterday's OpenSSH discussion is online at http://www.fetissov.org/public/nycbug/ Cheers. -- Nikolai
From skreuzer at exit2shell.com Thu Feb 7 12:58:20 2008 From: skreuzer at exit2shell.com (Steven Kreuzer) Date: Thu, 7 Feb 2008 12:58:20 -0500 Subject: [nycbug-talk] ssh-agent and keychain Message-ID: <20080207175820.GB44954@scruffy.exit2shell.com> Last night, during Ike's talk about ssh-agent, a helper script that wraps around it called keychain was brought up. ( http://www.gentoo.org/proj/en/keychain/index.xml ) I have been using keychain since around July and basically forgot the problems I encountered that caused me to set this up. I went back to my notes and bookmarks and in case anyone is interested, here is a rough summary. The issue I had was that on any given day, I need to do work on thousands of machines spread out all over the world. My company's corporate and production networks are kept separate for an additional layer of security.
As a result, I am forced to first jump through a proxy server, which is just a machine running ssh that only allows connections from folks that need access to the production network. Since it's a pain to have to keep bouncing through one box to get to another, I set up GNU screen on the proxy server. I log in in the morning, start screen, and every time I need to connect to a new host I simply hit ctrl-a, a to create a new terminal and do what I need to do. I would load all my keys into memory using ssh-agent so I could log into boxes sans password, but ssh-agent has a few limitations based on my setup. Before, I had eval `ssh-agent` in my .kshrc, so every time I created a new screen terminal, a new instance of ssh-agent would be started and it would prompt me for the password for my keys. This was kinda wasteful and annoying. Enter keychain. In my .kshrc, I have the following:

    ~/bin/keychain --agents ssh -q ~/.ssh/identity
    source ~/.keychain/$(hostname)-sh

When I first log in in the morning, it will load all my keys into memory. Then I start screen, and for each new terminal I start under screen, my .kshrc is sourced, and the keychain script is executed, but sees that I already have a ssh-agent session going so it exits and then sources all the ssh variables from ~/.keychain/$(hostname)-sh That's about it. Hopefully that clears up any questions anyone had about keychain. If not, post them here and I will do my best to answer them. In addition, IBM developerWorks had a 3-part tutorial on OpenSSH key management that also has a blurb about keychain.
Part 1: http://www.ibm.com/developerworks/linux/library/l-keyc.html
Part 2: http://www.ibm.com/developerworks/linux/library/l-keyc2/
Part 3: http://www.ibm.com/developerworks/linux/library/l-keyc3/
-- Steven Kreuzer http://www.exit2shell.com/~skreuzer
From af.dingo at gmail.com Fri Feb 8 10:58:21 2008 From: af.dingo at gmail.com (Jeff Quast) Date: Fri, 8 Feb 2008 10:58:21 -0500 Subject: [nycbug-talk] ssh-agent and keychain In-Reply-To: <20080207175820.GB44954@scruffy.exit2shell.com> References: <20080207175820.GB44954@scruffy.exit2shell.com> Message-ID: I wrote something similar to keychain and keep it in some .profile's. It has worked on all ksh or bash machines I've been on so far. pgrep is needed, though you can hack around it. just remember to _LOCK_ your ssh agent when you're away, since your keys are loaded in memory. gnu/screen can be locked, too, if that's your poison, but it would be better to lock both. I had aliases like alias lock='ssh-add -x; xlock' or something like that. You can probably get lost in thousands of lines of screen info pages to figure out how to make screen lock both your ssh keys and your gnu/screen with a new key-binding. Sorry if this script is redundant to the topic, but I noticed the referenced 'keychain', http://www.gentoo.org/proj/en/keychain/index.xml , is not available, as it says 'source tarballs available...' to a dead link. emerge and rpm only I guess. Typical gentoo/linux style to over-engineer and evolve into deprecation while maintainers abandon ship.

    # point to one or more ssh keys
    keys="$HOME/.ssh/rsa-key*"

    # load the paths of the keys the agent currently holds into $keychain
    # and their count into $numkeys ("The agent has no identities." yields none)
    build_keychain() {
        export keychain=$(ssh-add -l | awk '{ if ( $3 != "has") print $3 }')
        let numkeys=0
        for k in $keychain; do let "numkeys++"; done
        export numkeys
    }

    # return 0 if the given key path is already loaded in the agent
    ison_keychain() {
        for key in $keychain; do
            [ X"$key" == X"$*" ] && return 0
        done
        return 1
    }

    if [ -o interactive ]; then
        if [ X"${keys}" != X"" ]; then
            # start agent if not running
            pgrep -U $USER ssh-agent 1>/dev/null 2>&1
            if [ $? -ne 0 ]; then
                rm -f $HOME/.ssh/agent.$(hostname)   # remove stale socket
                eval `ssh-agent -s -a $HOME/.ssh/agent.$(hostname)`
            fi

            # export agent socket
            [ -r $HOME/.ssh/agent.$(hostname) ] \
                && export SSH_AUTH_SOCK="$HOME/.ssh/agent.$(hostname)"

            # add keys not on keychain
            build_keychain
            for add_key in $keys; do
                if [ -f $add_key ]; then
                    ison_keychain "$add_key"
                    [ $? -eq 1 ] && ssh-add $add_key
                fi
            done

            # echo number of keys in keychain
            build_keychain
            if [ X"$keychain" == X"" ]; then
                echo keychain is empty
            else
                echo -n $numkeys key
                [ $numkeys -ge 2 ] && echo -n s
                echo ' in keychain'
            fi
        fi

        # $back becomes IP of originating SSH connection, for instance,
        # scp file $back:
        back=$(echo $SSH_CONNECTION | awk -F[=\ ] '{ print $1 }')

        if [ X"$keychain" != X"" ]; then
            echo "SSH Forwarding of authentication agent enabled"
            # cheap hack, (re-use 'wssh' hook from /etc/ksh.kshrc): if an
            # ssh alias already points at wssh, wrap that, else plain ssh
            if alias ssh 2>/dev/null | grep -q wssh; then
                alias ssh='wssh -A'
            else
                alias ssh='ssh -A'
            fi
        fi
    fi

From lists at kittypee.com Fri Feb 8 11:20:38 2008 From: lists at kittypee.com (Lonnie Olson) Date: Fri, 08 Feb 2008 09:20:38 -0700 Subject: [nycbug-talk] ssh-agent and keychain In-Reply-To: <20080207175820.GB44954@scruffy.exit2shell.com> References: <20080207175820.GB44954@scruffy.exit2shell.com> Message-ID: <47AC8156.1040101@kittypee.com> Steven Kreuzer wrote: > Last night, during Ike's talk about ssh-agent, a helper script that > wraps around it called keychain was brought up. > ( http://www.gentoo.org/proj/en/keychain/index.xml ) > -- snip -- > Since its a pain to have to keep bouncing through one box to get to > another, I setup GNU screen on the proxy server. I login in the morning, > start screen, and every time I need to connect to a new host I simply > hit ctrl-a, a to create a new terminal and do what I need to do. > > I would load all my keys into memory using ssh-agent so I could log into > boxes sans password, but ssh-agent has a few limitations based on my > setup.
Is there a reason you don't just use agent forwarding? Just keep your key(s) on your local desktop, run ssh-agent there, and use agent forwarding to keep key access while bouncing through the proxy server. Seems simpler to me, and keeps your keys closer to yourself, reducing risk of compromise. On a side note, you can also use ProxyCommand in your ~/.ssh/config file to define aliases that automatically bounce through the proxy without actual interaction with the proxy. http://tauware.de/blog:ssh-proxy-command --lonnie
From brian.gupta at gmail.com Fri Feb 8 14:50:00 2008 From: brian.gupta at gmail.com (Brian Gupta) Date: Fri, 8 Feb 2008 14:50:00 -0500 Subject: [nycbug-talk] ssh-agent and keychain In-Reply-To: References: <20080207175820.GB44954@scruffy.exit2shell.com> Message-ID: <5b5090780802081150y2cf62713y647e4962fb7af272@mail.gmail.com> On Feb 8, 2008 10:58 AM, Jeff Quast wrote: > I wrote something similar to keychain and keep it in some .profile's. > It has worked on all ksh or bash machines I've been on so far. pgrep > is needed, though you can hack around it. > > just remember to _LOCK_ your ssh agent when you're away, since your > keys are loaded in memory. gnu/screen can be locked, too, if that's > your poison, but it would be better to lock both. I had aliases like > alias lock='ssh-add -x; xlock' or something like that. You can > probably get lost in thousands of lines of screen info pages to figure > out how to make screen lock both your ssh keys and your gnu/screen > with a new key-binding. > > Sorry if this script is redundant to the topic, but I noticed the > referenced 'keychain', > http://www.gentoo.org/proj/en/keychain/index.xml , is not available, > as it says 'source tarballs available...' to a dead link. emerge and > rpm only I guess. Typical gentoo/linux style to over-engineer and > evolve into deprecation while maintainers abandon ship.
I found a NetBSD package with the Gentoo keychain script here: http://pkgsrc.se/security/keychain and a FreeBSD port here: http://www.freshports.org/security/keychain/ and a tarball here: http://www.net-security.org/software.php?id=239 I can also verify that "keychain" works on Solaris as well as Linux and BSD. (I don't know how keychain compares to your script, but it does look good.) (Frankly it's one of those things that just works, and I suspect once they had it tested and working on most of the major platforms there was little need for further development.)

> # point to one or more ssh keys
> keys="$HOME/.ssh/rsa-key*"
>
> build_keychain() {
>     export keychain=$(ssh-add -l | awk '{ if ( $3 != "has") print $3 }')
>     let numkeys=0
>     for k in $keychain; do let "numkeys++"; done
>     export numkeys
> }
>
> ison_keychain() {
>     for key in $keychain; do
>         [ X"$key" == X"$*" ] && return 0
>     done
>     return 1
> }
>
> if [ -o interactive ]; then
>     if [ X"${keys}" != X"" ]; then
>         # start agent if not running
>         pgrep -U $USER ssh-agent 1>/dev/null 2>&1
>         if [ $? -ne 0 ]; then
>             rm -f $HOME/.ssh/agent.$(hostname)   # remove stale socket
>             eval `ssh-agent -s -a $HOME/.ssh/agent.$(hostname)`
>         fi
>
>         # export agent socket
>         [ -r $HOME/.ssh/agent.$(hostname) ] \
>             && export SSH_AUTH_SOCK="$HOME/.ssh/agent.$(hostname)"
>
>         # add keys not on keychain
>         build_keychain
>         for add_key in $keys; do
>             if [ -f $add_key ]; then
>                 ison_keychain "$add_key"
>                 [ $? -eq 1 ] && ssh-add $add_key
>             fi
>         done
>
>         # echo number of keys in keychain
>         build_keychain
>         if [ X"$keychain" == X"" ]; then
>             echo keychain is empty
>         else
>             echo -n $numkeys key
>             [ $numkeys -ge 2 ] && echo -n s
>             echo ' in keychain'
>         fi
>     fi
>
>     # $back becomes IP of originating SSH connection, for instance,
>     # scp file $back:
>     back=$(echo $SSH_CONNECTION | awk -F[=\ ] '{ print $1 }')
>
>     if [ X"$keychain" != X"" ]; then
>         echo "SSH Forwarding of authentication agent enabled"
>         # cheap hack, (re-use 'wssh' hook from /etc/ksh.kshrc): if an
>         # ssh alias already points at wssh, wrap that, else plain ssh
>         if alias ssh 2>/dev/null | grep -q wssh; then
>             alias ssh='wssh -A'
>         else
>             alias ssh='ssh -A'
>         fi
>     fi
> fi
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>
-- - Brian Gupta http://opensolaris.org/os/project/nycosug/ -------------- next part -------------- An HTML attachment was scrubbed... URL:
From spork at bway.net Mon Feb 11 00:51:11 2008 From: spork at bway.net (Charles Sprickman) Date: Mon, 11 Feb 2008 00:51:11 -0500 (EST) Subject: [nycbug-talk] building home firewalls out of soekris boxen In-Reply-To: References: <47A781EA.4080104@3phasecomputing.com> Message-ID: On Mon, 4 Feb 2008, Charles Sprickman wrote: > On Mon, 4 Feb 2008, Jerry B. Altzman wrote: > >> Howdy, >> >> Anyone local here spend much time *still* with Soekris boxes? > > Never played with them, but I have a PCEngines Alix box on the way to setup > with pfsense for a client: > > http://www.netgate.com/product_info.php?cPath=60&products_id=492 Just to follow-up, it arrived this week and I just installed PFSense on it. Very neat hardware, pretty zippy too for 500MHz. The 256MB RAM seems like enough - pfsense (embedded version) throws /tmp and /var in memory filesystems. I did need to upgrade the BIOS out of the box to make FreeBSD happy, but there was an image with FreeDOS, the new BIOS and the flash utility on the PCEngines site.
My only other problem was that my CF writer turned out to be junk so I had to let RatShack gouge me for a new one... If anyone has any questions about the hardware, let me know. Charles > It seemed like a much better value than Soekris. > > Just thought I'd throw that out there. > > Thanks, > > Charles > >> I'm thinking of building a new firewall or two for the home, I'd like to >> try something OTHER than OpenWRT (since I already have a nice wireless >> gateway, thankyouverymuch...) and the little boxes just ... appeal to me. >> >> Comments? Praises? Brickbats? >> >> Either post here, or send to me & I'll summarize back. >> >> Thanks! >> >> //jbaltz >> -- >> jerry b. altzman jbaltz at 3phasecomputing.com +1 718 763 7405 >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk >> >
From trish at bsdunix.net Mon Feb 11 05:37:09 2008 From: trish at bsdunix.net (Siobhan Patricia Lynch) Date: Mon, 11 Feb 2008 10:37:09 +0000 Subject: [nycbug-talk] building home firewalls out of soekris boxen In-Reply-To: References: <47A781EA.4080104@3phasecomputing.com> Message-ID: <1904457927-1202726236-cardhu_decombobulator_blackberry.rim.net-1712626765-@bxe028.bisx.prod.on.blackberry> We've been using Acrosser boards for our product - Soekris and the PCEngines stuff was too slow for what we're doing. (An integrated security product with what is essentially many jails running - except due to some capabilities that FreeBSD doesn't have *yet* (due in 8.0-C) we're using OpenSolaris). The Acrosser boards are Celeron 1.5 GHz with 1G of onboard RAM and use an external mini-IDE HDD. They're not bad. -Trish -- Siobhan Patricia Lynch -----Original Message----- From: Charles Sprickman Date: Mon, 11 Feb 2008 00:51:11 To:"Jerry B.
Altzman" Cc:NYCBUG Subject: Re: [nycbug-talk] building home firewalls out of soekris boxen On Mon, 4 Feb 2008, Charles Sprickman wrote: > On Mon, 4 Feb 2008, Jerry B. Altzman wrote: > >> Howdy, >> >> Anyone local here spend much time *still* with Soekris boxes? > > Never played with them, but I have a PCEngines Alix box on the way to setup > with pfsense for a client: > > http://www.netgate.com/product_info.php?cPath=60&products_id=492 Just to follow-up, it arrived this week and I just installed PFSense on it. Very neat hardware, pretty zippy too for 500MHz. The 256MB RAM seems like enough - pfsense (embedded version) throws /tmp and /var in memory filesystems. I did need to upgrade the BIOS out of the box to make FreeBSD happy, but there was an image with FreeDOS, the new BIOS and the flash utility on the PCEngines site. My only other problem was that my CF writer turned out to be junk so I had to let RatShack gouge me for a new one... If anyone has any questions about the hardware, let me know. Charles > It seemed like a much better value than Soekris. > > Just thought I'd throw that out there. > > Thanks, > > Charles > >> I'm thinking of building a new firewall or two for the home, I'd like to >> try something OTHER than OpenWRT (since I already have a nice wireless >> gateway, thankyouverymuch...) and the little boxes just ... appeal to me. >> >> Comments? Praises? Brickbats? >> >> Either post here, or send to me & I'll summarize back. >> >> Thanks! >> >> //jbaltz >> -- >> jerry b. 
altzman jbaltz at 3phasecomputing.com +1 718 763 7405 >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk >> > _______________________________________________ talk mailing list talk at lists.nycbug.org http://lists.nycbug.org/mailman/listinfo/talk From bonsaime at gmail.com Mon Feb 11 11:31:47 2008 From: bonsaime at gmail.com (Jesse Callaway) Date: Mon, 11 Feb 2008 11:31:47 -0500 Subject: [nycbug-talk] restricted login shell and ssh Message-ID: I popped my hand up and made a statement in the OpenSSH meeting recently and made a completely false assertion. Tested it this morning. I said that you could still pass commands to the shell (which shell I was thinking of, I'm not sure...) if a user has a restricted login, such as rsynconly. Hopefully nobody believed me. Anyway, using the script referenced below I made a user with a restricted login. I'm sure false or nologin would have proved it to myself more readily, but I like to take the long way to figure out I'm wrong. http://www.oreillynet.com/linux/blog/2006/05/restricting_rsync_over_ssh.html So I ran ssh sinko at server.com "ls -R" The ls -R command was passed as an argument to the rsynonly shell, and lo! I was not able to issue the command to "the shell" Duh. To beat it into my skull I ran sftp sinko at server.com Here I got the message "Received message too long " Short story is that I was assuming that sshd will pass commands on to /bin/sh no matter what. Well, it doesn't. It passes commands on to the shell specified in your login config. Here is a nice link explaining a little bit about how the subsystems (scp, sftp) are called. 
http://www.snailbook.com/faq/sftp-corruption.auto.html -jesse
From george at galis.org Mon Feb 11 13:37:28 2008 From: george at galis.org (George Georgalis) Date: Mon, 11 Feb 2008 13:37:28 -0500 Subject: [nycbug-talk] restricted login shell and ssh In-Reply-To: References: Message-ID: <20080211183728.GK13530@run.duo> I thought the standard way was to modify the line used in authorized_keys? e.g. you can specify "only allow the rsync command" on the same line you put the user's public key.... note I configure sshd to use /etc/ssh/auth/${USER}.pub for auth keys, since users can't normally manage that file anyway... (especially with pam disabled for ssh) the technique I describe is a free chapter from the O'Reilly openssh book. the link seems mostly for Kerberos based systems // George On Mon, Feb 11, 2008 at 11:31:47AM -0500, Jesse Callaway wrote: >I popped my hand up and made a statement in the OpenSSH meeting >recently and made a completely false assertion. Tested it this >morning. I said that you could still pass commands to the shell (which >shell I was thinking of, I'm not sure...) if a user has a restricted >login, such as rsynconly. Hopefully nobody believed me. Anyway, using >the script referenced below I made a user with a restricted login. I'm >sure false or nologin would have proved it to myself more readily, but >I like to take the long way to figure out I'm wrong. > >http://www.oreillynet.com/linux/blog/2006/05/restricting_rsync_over_ssh.html > >So I ran >ssh sinko at server.com "ls -R" > >The ls -R command was passed as an argument to the rsynonly shell, and >lo! I was not able to issue the command to "the shell" Duh. > >To beat it into my skull I ran >sftp sinko at server.com > >Here I got the message "Received message too long " > >Short story is that I was assuming that sshd will pass commands on to >/bin/sh no matter what. Well, it doesn't. It passes commands on to the >shell specified in your login config.
> >Here is a nice link explaining a little bit about how the subsystems >(scp, sftp) are called. > >http://www.snailbook.com/faq/sftp-corruption.auto.html > >-jesse >_______________________________________________ >talk mailing list >talk at lists.nycbug.org >http://lists.nycbug.org/mailman/listinfo/talk > -- George Georgalis, information system scientist <
From george at ceetonetechnology.com Mon Feb 11 16:57:45 2008 From: george at ceetonetechnology.com (George Rosamond) Date: Mon, 11 Feb 2008 16:57:45 -0500 Subject: [nycbug-talk] upcoming NYCBUG meetings Message-ID: <47B0C4D9.3070009@ceetonetechnology.com> We have updated the outline of upcoming meetings through May. Details will be posted as details are settled. One thing to note is that we will be having FreeBSD developer Brooks Davis in NYC in March, who will do his AsiaBSDCon talk on "Building Clusters with FreeBSD." All of you planning to attend AsiaBSDCon just for his meeting should try to get refunds on your plane tickets. While we generally try to avoid meetings outside of the first Wednesday of the month, we think it's warranted in this case. George
From bonsaime at gmail.com Tue Feb 12 19:20:19 2008 From: bonsaime at gmail.com (Jesse Callaway) Date: Tue, 12 Feb 2008 19:20:19 -0500 Subject: [nycbug-talk] restricted login shell and ssh In-Reply-To: <20080211183728.GK13530@run.duo> References: <20080211183728.GK13530@run.duo> Message-ID: whoa, wait... you put user's authorized keys files in /etc/ssh ? That's great!
I only read about the ~/.ssh location for this file. (I'm just going to follow the t/p to keep this consistent) -jesse On Mon, Feb 11, 2008 at 1:37 PM, George Georgalis wrote: > I thought the standard way was to modify the line > used in authorized_keys? eg you can specify "only > allow the rsync command" on the same line you put the > users public key.... note I configure sshd to use > /etc/ssh/auth/${USER}.pub for auth keys, since users > can't normally manage that file anyway... (especially > with pam disabled for ssh) the technique I describe is a > free chapter from the O'Reilly openssh book. > > the link seems mostly for Kerberos based systems > > // George > > > > On Mon, Feb 11, 2008 at 11:31:47AM -0500, Jesse Callaway wrote: > >I popped my hand up and made a statement in the OpenSSH meeting > >recently and made a completely false assertion. Tested it this > >morning. I said that you could still pass commands to the shell (which > >shell I was thinking of, I'm not sure...) if a user has a restricted > >login, such as rsynconly. Hopefully nobody believed me. Anyway, using > >the script referenced below I made a user with a restricted login. I'm > >sure false or nologin would have proved it to myself more readily, but > >I like to take the long way to figure out I'm wrong. > > > >http://www.oreillynet.com/linux/blog/2006/05/restricting_rsync_over_ssh.html > > > >So I ran > >ssh sinko at server.com "ls -R" > > > >The ls -R command was passed as an argument to the rsynonly shell, and > >lo! I was not able to issue the command to "the shell" Duh. > > > >To beat it into my skull I ran > >sftp sinko at server.com > > > >Here I got the message "Received message too long " > > > >Short story is that I was assuming that sshd will pass commands on to > >/bin/sh no matter what. Well, it doesn't. It passes commands on to the > >shell specified in your login config. > > > >Here is a nice link explaining a little bit about how the subsystems > >(scp, sftp) are called.
> > > >http://www.snailbook.com/faq/sftp-corruption.auto.html > > > >-jesse > >_______________________________________________ > >talk mailing list > >talk at lists.nycbug.org > >http://lists.nycbug.org/mailman/listinfo/talk > > > > -- > George Georgalis, information system scientist < > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk >
From george at galis.org Wed Feb 13 11:00:57 2008 From: george at galis.org (George Georgalis) Date: Wed, 13 Feb 2008 11:00:57 -0500 Subject: [nycbug-talk] restricted login shell and ssh In-Reply-To: References: <20080211183728.GK13530@run.duo> Message-ID: <20080213160057.GB12235@run.duo> yeah, like so...

    #AuthorizedKeysFile .ssh/authorized_keys
    AuthorizedKeysFile /etc/ssh/auth/%u.pub

in /etc/ssh/sshd_config

// George

On Tue, Feb 12, 2008 at 07:20:19PM -0500, Jesse Callaway wrote: >whoa, wait... you put user's authorized keys files in /etc/ssh ? >That's great! I only read about the ~/.ssh location for this file. (I'm >just going to follow the t/p to keep this consistent) > >-jesse > >On Mon, Feb 11, 2008 at 1:37 PM, George Georgalis wrote: >> I thought the standard way was to modify the line >> used in authorized_keys? eg you can specify "only >> allow the rsync command" on the same line you put the >> users public key.... note I configure sshd to use >> /etc/ssh/auth/${USER}.pub for auth keys, since users >> can't normally manage that file anyway... (especially >> with pam disabled for ssh) the technique I describe is a >> free chapter from the O'Reilly openssh book. >> >> the link seems mostly for Kerberos based systems >> >> // George >> >> >> >> On Mon, Feb 11, 2008 at 11:31:47AM -0500, Jesse Callaway wrote: >> >I popped my hand up and made a statement in the OpenSSH meeting >> >recently and made a completely false assertion. Tested it this >> >morning.
I said that you could still pass commands to the shell (which >> >shell I was thinking of, I'm not sure...) if a user has a restricted >> >login, such as rsynconly. Hopefully nobody believed me. Anyway, using >> >the script referenced below I made a user with a restricted login. I'm >> >sure false or nologin would have proved it to myself more readily, but >> >I like to take the long way to figure out I'm wrong. >> > >> >http://www.oreillynet.com/linux/blog/2006/05/restricting_rsync_over_ssh.html >> > >> >So I ran >> >ssh sinko at server.com "ls -R" >> > >> >The ls -R command was passed as an argument to the rsynonly shell, and >> >lo! I was not able to issue the command to "the shell" Duh. >> > >> >To beat it into my skull I ran >> >sftp sinko at server.com >> > >> >Here I got the message "Received message too long " >> > >> >Short story is that I was assuming that sshd will pass commands on to >> >/bin/sh no matter what. Well, it doesn't. It passes commands on to the >> >shell specified in your login config. >> > >> >Here is a nice link explaining a little bit about how the subsystems >> >(scp, sftp) are called. 
>> > >> >http://www.snailbook.com/faq/sftp-corruption.auto.html >> > >> >-jesse >> >_______________________________________________ >> >talk mailing list >> >talk at lists.nycbug.org >> >http://lists.nycbug.org/mailman/listinfo/talk >> > >> >> -- >> George Georgalis, information system scientist < >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk >> >_______________________________________________ >talk mailing list >talk at lists.nycbug.org >http://lists.nycbug.org/mailman/listinfo/talk > -- George Georgalis, information system scientist < From bonsaime at gmail.com Wed Feb 13 14:21:04 2008 From: bonsaime at gmail.com (Jesse Callaway) Date: Wed, 13 Feb 2008 14:21:04 -0500 Subject: [nycbug-talk] restricted login shell and ssh In-Reply-To: <20080213160057.GB12235@run.duo> References: <20080211183728.GK13530@run.duo> <20080213160057.GB12235@run.duo> Message-ID: nice. you ever use the Match blocks for anything useful? -jesse On Wed, Feb 13, 2008 at 11:00 AM, George Georgalis wrote: > > yeah, like so... > > #AuthorizedKeysFile .ssh/authorized_keys > AuthorizedKeysFile /etc/ssh/auth/%u.pub > > in /etc/ssh/sshd_config > > // George > > > > > > > > On Tue, Feb 12, 2008 at 07:20:19PM -0500, Jesse Callaway wrote: > >whoa, wait... you put user's authorized keys files in /etc/ssh ? > >That's great! I only read about the ~/.ssh location for this file. ('m > >just going to follow the t/p to keep this consistent) > > > >-jesse > > > >On Mon, Feb 11, 2008 at 1:37 PM, George Georgalis wrote: > >> I thought the standard way was to modify the line > >> used in authorized_keys? eg you can specify "only > >> allow the rsync command" on the same line you put the > >> users public key.... note I configure sshd to use > >> /etc/ssh/auth/${USER}.pub for auth keys, since users > >> can't normally manage that file anyway... 
(especially > >> with pam disabled for ssh) the technique I describe is a > >> free chapter from the O'Reiley openssh book. > >> > >> the link seems mostly for kererbos based systems > >> > >> // George > >> > >> > >> > >> On Mon, Feb 11, 2008 at 11:31:47AM -0500, Jesse Callaway wrote: > >> >I popped my hand up and made a statement in the OpenSSH meeting > >> >recently and made a completely false assertion. Tested it this > >> >morning. I said that you could still pass commands to the shell (which > >> >shell I was thinking of, I'm not sure...) if a user has a restricted > >> >login, such as rsynconly. Hopefully nobody believed me. Anyway, using > >> >the script referenced below I made a user with a restricted login. I'm > >> >sure false or nologin would have proved it to myself more readily, but > >> >I like to take the long way to figure out I'm wrong. > >> > > >> >http://www.oreillynet.com/linux/blog/2006/05/restricting_rsync_over_ssh.html > >> > > >> >So I ran > >> >ssh sinko at server.com "ls -R" > >> > > >> >The ls -R command was passed as an argument to the rsynonly shell, and > >> >lo! I was not able to issue the command to "the shell" Duh. > >> > > >> >To beat it into my skull I ran > >> >sftp sinko at server.com > >> > > >> >Here I got the message "Received message too long " > >> > > >> >Short story is that I was assuming that sshd will pass commands on to > >> >/bin/sh no matter what. Well, it doesn't. It passes commands on to the > >> >shell specified in your login config. > >> > > >> >Here is a nice link explaining a little bit about how the subsystems > >> >(scp, sftp) are called. 
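Added editorial example for the restricted login shell and ssh thread above; it is not code from any poster or from the O'Reilly article Jesse links. It implements the technique George describes, restricting what a key may run on the authorized_keys line itself rather than through a restricted login shell: a forced command (the `command="..."` option) that sshd runs no matter what the client asked for, with the client's request available in `SSH_ORIGINAL_COMMAND`. The authorized_keys entry shown in the docstring, the wrapper path, the rsync path and the backup directory are assumptions; the sshd options named are real ones.

```python
#!/usr/bin/env python3
"""Forced-command wrapper that pins one SSH key to rsync over one directory.

Added example, not code from the thread.  Assumed authorized_keys entry
(the wrapper path and the key are placeholders; the option names are
real sshd(8) key options):

  command="/usr/local/libexec/rsync-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... backup@client

sshd ignores the command the client sent, runs this wrapper instead, and
exposes the client's request in SSH_ORIGINAL_COMMAND.  Jesse's two
experiments then fail here rather than in the rsynconly shell:
"ssh sinko@server 'ls -R'" arrives as SSH_ORIGINAL_COMMAND='ls -R', and an
sftp session arrives as the sftp subsystem's server command, not an rsync
invocation; both are refused before anything is executed.
"""
import os
import re
import shlex
import sys
from typing import List, Optional

# Assumed deployment values; change them for the real host.
RSYNC = "/usr/local/bin/rsync"
ALLOWED_ROOT = "/srv/backup/client1"

# rsync's server side is normally started as
#   rsync --server [--sender] -vlogDtprze.iLsfxC [long opts] . PATH...
# where the letters after "e." are protocol capabilities, not options.
ALLOWED_LONG = {"--server", "--sender", "--delete", "--delete-during",
                "--delete-after", "--partial", "--inplace", "--numeric-ids"}
ALLOWED_SHORT = set("vlogDtprzxHuncCiS")      # no bare 'e' (that is --rsh)
SHORT_RE = re.compile(r"^-([a-zA-Z]*?)(e\.[a-zA-Z]*)?$")


def confine_path(client_path: str) -> Optional[str]:
    """Resolve a client-supplied path under ALLOWED_ROOT, or None if it escapes.

    Relative paths are taken relative to ALLOWED_ROOT; absolute paths must
    already lie inside it.  normpath collapses "..", so ../../etc is caught.
    Symlinks inside the tree are not resolved here; on the real host add an
    os.path.realpath check or run rsync with --safe-links.
    """
    if client_path.startswith("/"):
        full = os.path.normpath(client_path)
    else:
        full = os.path.normpath(os.path.join(ALLOWED_ROOT, client_path))
    if full == ALLOWED_ROOT or full.startswith(ALLOWED_ROOT + "/"):
        return full
    return None


def parse_request(original_command: str) -> Optional[List[str]]:
    """Return the argv to exec for this request, or None to refuse it."""
    if not original_command.strip():
        return None            # interactive login attempt
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return None            # unbalanced quotes
    if len(argv) < 4 or os.path.basename(argv[0]) != "rsync" or argv[1] != "--server":
        return None            # ls -R, sftp-server, a shell, anything else
    out = [RSYNC]
    i = 1
    while i < len(argv) and argv[i] != ".":
        arg = argv[i]
        if arg.startswith("--"):
            if arg not in ALLOWED_LONG:
                return None    # --rsh=..., --remove-source-files, --log-file=...
        else:
            m = SHORT_RE.match(arg)
            if not m or not set(m.group(1)) <= ALLOWED_SHORT:
                return None    # unknown flag, or -e followed by a command
        out.append(arg)
        i += 1
    paths = argv[i + 1:]       # everything after the "." separator
    if argv[i:i + 1] != ["."] or not paths:
        return None            # missing separator or no path at all
    out.append(".")
    for p in paths:
        full = confine_path(p)
        if full is None:
            return None        # path escapes the allowed tree
        out.append(full)
    return out


def main() -> None:
    argv = parse_request(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("rsync-only key: request refused\n")
        sys.exit(1)
    os.execv(argv[0], argv)    # replaces the wrapper; nothing runs on refusal


if __name__ == "__main__":
    main()
```

Two things a practitioner should know before relying on this. sshd executes a forced command through the account's login shell (`shell -c command`), so the account needs a real shell: a forced command and a nologin or rsynconly login shell are alternatives, not layers. And the option only helps if the user cannot edit it away, which is exactly why George's `AuthorizedKeysFile /etc/ssh/auth/%u.pub` matters: the key line, and the `command=` on it, stay under root's control instead of in the user's own `~/.ssh`. (Newer OpenSSH releases also accept a single `restrict` option in place of the explicit `no-*` list.)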
From george at galis.org Wed Feb 13 15:33:55 2008
From: george at galis.org (George Georgalis)
Date: Wed, 13 Feb 2008 15:33:55 -0500
Subject: [nycbug-talk] restricted login shell and ssh
In-Reply-To:
References: <20080211183728.GK13530@run.duo> <20080213160057.GB12235@run.duo>
Message-ID: <20080213203355.GI12235@run.duo>

On Wed, Feb 13, 2008 at 02:21:04PM -0500, Jesse Callaway wrote:
>nice. you ever use the Match blocks for anything useful?

I find them interesting, but no, never found the need
to use them. I suspect because of the security hierarchy
I described in an earlier post, only push to hosts of
lower security. The host using auth to establish an ssh
connection is de facto more privileged than the one
accepting the connection, in my world.

// George

--
George Georgalis, information system scientist

From george at galis.org Thu Feb 14 17:34:16 2008
From: george at galis.org (George Georgalis)
Date: Thu, 14 Feb 2008 17:34:16 -0500
Subject: [nycbug-talk] looking for IPC API
Message-ID: <20080214223416.GP12235@run.duo>

I'm trying to remember the name of a package discussed
here a while back (2.5 years?). Ike was into it.

it was an IPC API library with a cool name. I've got
to share across processes and hosts... signaling and
data for parallel tasks.

Hopefully this is enough to clue you into what I can't
remember... I recall it was written in python but it
may be a c library....

// George

--
George Georgalis, information system scientist

From zperkov at gmail.com Fri Feb 15 06:25:23 2008
From: zperkov at gmail.com (zp)
Date: Fri, 15 Feb 2008 06:25:23 -0500
Subject: [nycbug-talk] Anyone need a shmoo ticket?
Message-ID: <8a8511800802150325o273e9a95yda4aeee346918bc@mail.gmail.com>

I have the flu as well as an extra shmoo ticket. Paid 150 $. Anyone interested? Sorry flu not for sale.

Regards
-z

--
Sent from Gmail for mobile | mobile.google.com

From ike at lesmuug.org Fri Feb 15 21:43:17 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Fri, 15 Feb 2008 21:43:17 -0500
Subject: [nycbug-talk] Gene @ ShmooCon
Message-ID:

Hey All,

Gene Cronc just gave a shout- he's in DC tonight @ Shmoo... and looking for NYC*BUG'ers-

If anyone is there, ping him with email...

Damn I'm sad not to be there... :(

Rocket-
.ike

From jkeen at verizon.net Sat Feb 16 09:53:57 2008
From: jkeen at verizon.net (James E Keenan)
Date: Sat, 16 Feb 2008 09:53:57 -0500
Subject: [nycbug-talk] Perl 5.10 build experiences on BSD
Message-ID: <8029B0F3-B114-4BFA-A7E1-33306CCD3B28@verizon.net>

Due to being mandated to use up vacation days, I was unable to attend this month's NYCBUG meeting. But I'd like to plug one of my own group's meetings.

This month and next, Perl Seminar NY will have meetings organized around the theme, "Teach Ourselves Perl 5.10." Perl 5.10 debuted on December 18, and we're going to take some time to train ourselves on its new features and how to build/install it. It would be great if we could have participation from anyone who has installed 5.10 on any of the BSDs.
Here are the details:

Perl Seminar NY meet at:
NYPC User Group
481 8th Ave (Ramada New Yorker)
Suite 550
(btw West 34 & 35 Sts, Manhattan)
Tuesday, Feb 19, 6:15 pm

Complete details about format here:
http://tech.groups.yahoo.com/group/perlsemny/message/788

Thank you very much.
Jim Keenan

From mspitzer at gmail.com Sat Feb 16 18:04:43 2008
From: mspitzer at gmail.com (Marc spitzer)
Date: Sat, 16 Feb 2008 18:04:43 -0500
Subject: [nycbug-talk] schmoocon rocks
Message-ID: <20080216180443.f8ca05ac.mspitzer@gmail.com>

schmoocon rocks, the talks are interesting, one of the focuses was to pay attention to your clients and not only the servers. Another good one was how sometimes XSS is something worse. Great show this year.

marc

ps if Isaac was here you would have a much better message, pay attention Isaac.

--
Marc spitzer

From brian.gupta at gmail.com Sun Feb 17 19:32:08 2008
From: brian.gupta at gmail.com (Brian Gupta)
Date: Sun, 17 Feb 2008 19:32:08 -0500
Subject: [nycbug-talk] [offtopic] OpenSolaris meeting 6pm Wednesday, February 20th
Message-ID: <5b5090780802171632o3b9ec199pdfcce7f998bbada5@mail.gmail.com>

Hi guys, in light of the fact that there is cross-pollination of various OpenSolaris technologies going into BSD (particularly ZFS and Dtrace) and vice versa, I thought you guys might be interested in this meeting.

Cheers,
Brian

----------------------------------------------------------------------

Message: 1
Date: Sat, 16 Feb 2008 18:39:31 -0500
From: "Isaac R."
Subject: [ug-nycosug] NY OpenSolaris User Group meeting - February'08
To: opensolaris-announce at opensolaris.org, "ug-nycosug at opensolaris.org"
Message-ID: <47B77433.6040800 at sun.com>
Content-Type: text/plain; charset="iso-8859-1"

Greetings everyone,

The New York OpenSolaris User's Group (NYCOSUG) will be holding its next monthly meeting on Wednesday, February 20th at the Sun office in midtown, New York City. We'll get started with refreshments @ 6pm.

The featured topic will be a discussion of Dtrace and its applicability to solving interesting and challenging problems. We are honored to have, as the featured speaker, Brendan Gregg, who is a key OpenSolaris contributor and a core OpenSolaris developer. Brendan is notably known for creating and delivering the DTrace Toolkit, http://www.brendangregg.com/dtrace.html (among other things), is a co-author of a Dtrace techniques book, and is one of the Fishworks developers - http://blogs.sun.com/brendan/

Please take a look at the agenda, venue, and please don't forget to click & RSVP ... Do it all at:
http://www.opensolaris.org/os/project/nycosug/events/6/

...We'll have some fun with raffles, too!

Looking forward to a fun event. Hope you can make it!

If you're not a regular participant (or a subscriber) on our NYCOSUG mailing list, you may not have seen a copy of this announcement going out earlier. To be kept up-to-date in the future, please consider subscribing at:
http://mail.opensolaris.org/mailman/listinfo/ug-nycosug

Regards,
Isaac

------------------------------

_______________________________________________
ug-nycosug mailing list
ug-nycosug at opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/ug-nycosug

--
- Brian Gupta
http://opensolaris.org/os/project/nycosug/
http://www.genunix.org/wiki/index.php/OpenSolaris_New_User_FAQ

From lavalamp at spiritual-machines.org Sun Feb 17 20:17:08 2008
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Sun, 17 Feb 2008 20:17:08 -0500 (EST)
Subject: [nycbug-talk] [offtopic] OpenSolaris meeting 6pm Wednesday, February 20th
In-Reply-To: <5b5090780802171632o3b9ec199pdfcce7f998bbada5@mail.gmail.com>
References: <5b5090780802171632o3b9ec199pdfcce7f998bbada5@mail.gmail.com>
Message-ID: <20080217201639.T83174@arbitor.digitalfreaks.org>

On Sun, 17 Feb 2008, Brian Gupta wrote:

> Hi guys, in light of the fact that there is cross-pollination of
> various OpenSolaris technologies going into BSD (particularly ZFS and
> Dtrace) and vice versa, I thought you guys might be interested in this
> meeting.

Take some copies of Pkgsrc[.org] to hand out on CD.

~BAS

From george at galis.org Wed Feb 20 12:49:12 2008
From: george at galis.org (George Georgalis)
Date: Wed, 20 Feb 2008 12:49:12 -0500
Subject: [nycbug-talk] looking for IPC API
In-Reply-To: <20080214223416.GP12235@run.duo>
References: <20080214223416.GP12235@run.duo>
Message-ID: <20080220174912.GI1958@run.duo>

On Thu, Feb 14, 2008 at 05:34:16PM -0500, George Georgalis wrote:
>I'm trying to remember the name of a package discussed
>here a while back (2.5 years?). Ike was into it.
>
>it was an IPC API library with a cool name. I've got
>to share across processes and hosts... signaling and
>data for parallel tasks.
>
>Hopefully this is enough to clue you into what I can't
>remember... I recall it was written in python but it
>may be a c library....

http://spread.org/

// George

--
George Georgalis, information system scientist

From george at galis.org Wed Feb 20 13:09:57 2008
From: george at galis.org (George Georgalis)
Date: Wed, 20 Feb 2008 13:09:57 -0500
Subject: [nycbug-talk] looking for IPC API
In-Reply-To: <1803214144-1203530204-cardhu_decombobulator_blackberry.rim.net-260125065-@bxe017.bisx.prod.on.blackberry>
References: <20080220174912.GI1958@run.duo> <1803214144-1203530204-cardhu_decombobulator_blackberry.rim.net-260125065-@bxe017.bisx.prod.on.blackberry>
Message-ID: <20080220180957.GJ1958@run.duo>

Cool, will keep that in mind. It is not for me atm, but I may give it a try anyhow.

// George

On Wed, Feb 20, 2008 at 05:56:33PM +0000, Siobhan Patricia Lynch wrote:
>Yes I was the one who may have mentioned it - I worked with the authors for a year or so. If you need help getting it working, let me know - I'm the closest thing to 'expert' there is besides the guys at JHU :)
>
>-Trish
>--
>Siobhan Patricia Lynch
>
>[quoted earlier messages snipped]

--
George Georgalis, information system scientist

From trish at bsdunix.net Wed Feb 20 12:56:33 2008
From: trish at bsdunix.net (Siobhan Patricia Lynch)
Date: Wed, 20 Feb 2008 17:56:33 +0000
Subject: [nycbug-talk] looking for IPC API
In-Reply-To: <20080220174912.GI1958@run.duo>
References: <20080214223416.GP12235@run.duo> <20080220174912.GI1958@run.duo>
Message-ID: <1803214144-1203530204-cardhu_decombobulator_blackberry.rim.net-260125065-@bxe017.bisx.prod.on.blackberry>

Yes I was the one who may have mentioned it - I worked with the authors for a year or so. If you need help getting it working, let me know - I'm the closest thing to 'expert' there is besides the guys at JHU :)

-Trish
--
Siobhan Patricia Lynch

-----Original Message-----
From: George Georgalis
Date: Wed, 20 Feb 2008 12:49:12
To: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] looking for IPC API

On Thu, Feb 14, 2008 at 05:34:16PM -0500, George Georgalis wrote:
>I'm trying to remember the name of a package discussed
>here a while back (2.5 years?). Ike was into it.
>
>it was an IPC API library with a cool name. I've got
>to share across processes and hosts... signaling and
>data for parallel tasks.
>
>Hopefully this is enough to clue you into what I can't
>remember... I recall it was written in python but it
>may be a c library....
http://spread.org/

// George

--
George Georgalis, information system scientist
_______________________________________________
talk mailing list
talk at lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/talk

From spork at bway.net Tue Feb 26 23:05:16 2008
From: spork at bway.net (Charles Sprickman)
Date: Tue, 26 Feb 2008 23:05:16 -0500 (EST)
Subject: [nycbug-talk] FBSD network stack virtualization
Message-ID:

Hi all,

Someone who watches the -current list sent me this thread:

http://lists.freebsd.org/pipermail/freebsd-current/2008-February/083830.html

Very interesting stuff - jails with a virtualized IP stack. They are looking to get it into 7.x.

More info:

http://imunes.tel.fer.hr/virtnet/
http://imunes.tel.fer.hr/virtnet/eurobsdcon07_tutorial.pdf

Looks neat to me, I'd rather see it land in 7.mumble than 8.mumble.

Charles

___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
spork at bway.net - 212.655.9344

From nycbug at chrisbuechler.com Tue Feb 26 22:40:21 2008
From: nycbug at chrisbuechler.com (Chris Buechler)
Date: Tue, 26 Feb 2008 22:40:21 -0500
Subject: [nycbug-talk] pfSense 1.2 released
Message-ID: <47C4DBA5.3030808@chrisbuechler.com>

George Rosamond suggested I send a shout out here, after sending a "heads up" to the NYC*BUG colo list of the release. Big props to George for getting us a dedicated server in the NYC*BUG rack at NYI as a mirror and backup hosting facility, and to Ike for helping facilitate. About 4,000 total downloads from that mirror alone (1 of 11 mirrors) in the first 24 hours after release.

Release info:
http://blog.pfsense.org/?p=170

Any interest in a pfSense talk at NYCBSDCon this year? If so, any suggestions on what you would like to hear about?

Also we're having a 4 hour tutorial on pfSense at BSDCan this year. More info on that: http://blog.pfsense.org/?p=169 Scott Ullrich and I have met several NYC*BUG folks in years past, and hope to see a number of you again this year.

cheers,
Chris

From spork at bway.net Tue Feb 26 23:38:03 2008
From: spork at bway.net (Charles Sprickman)
Date: Tue, 26 Feb 2008 23:38:03 -0500 (EST)
Subject: [nycbug-talk] pfSense 1.2 released
In-Reply-To: <47C4DBA5.3030808@chrisbuechler.com>
References: <47C4DBA5.3030808@chrisbuechler.com>
Message-ID:

Top posting because it's only tangentially related. Also I am in no way associated with the project, but I have no problem asking for money on their behalf since pfsense is such a great product...

PFSense has a "bounty" system where people can pledge money for features they'd like to see developed. One oft-requested feature is a rewrite of the traffic shaper to include all kinds of fancy stuff like working across more than two interfaces and the like. Many pledged, work was done, not everyone followed up:

http://forum.pfsense.org/index.php/topic,2718.0.html

Perhaps some small donations (like mine) from random users could help compensate the developer(s) for the hard work done on this feature.

That's all,

C

On Tue, 26 Feb 2008, Chris Buechler wrote:

> [Chris's announcement quoted in full; snipped]

From george at ceetonetechnology.com Wed Feb 27 00:45:21 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 27 Feb 2008 00:45:21 -0500
Subject: [nycbug-talk] FBSD network stack virtualization
In-Reply-To:
References:
Message-ID: <47C4F8F1.10509@ceetonetechnology.com>

Charles Sprickman wrote:
> Hi all,
>
> Someone who watches the -current list sent me this thread:
>
> http://lists.freebsd.org/pipermail/freebsd-current/2008-February/083830.html
>
> Very interesting stuff - jails with a virtualized IP stack. They are
> looking to get it into 7.x.
>
> More info:
>
> http://imunes.tel.fer.hr/virtnet/
> http://imunes.tel.fer.hr/virtnet/eurobsdcon07_tutorial.pdf
>
> Looks neat to me, I'd rather see it land in 7.mumble than 8.mumble.
>
> Charles

Very much interesting. . . I know Ike has been following this a bit, and he made me aware a while ago.

It could be cool for lots of reasons. . . Let jail admins deal with firewalling themselves. Really take a huge leap into competing with other virtualized systems.

Haven't gone through the presentation yet . . . but I'd rather see more strict controls on memory and disk usage (no, not just quotas) on the jails from the host first.

And after going through that thread quick. . . I really don't want to see another 5.x mess for FBSD. . .

g

From george at ceetonetechnology.com Wed Feb 27 00:51:39 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 27 Feb 2008 00:51:39 -0500
Subject: [nycbug-talk] pfSense 1.2 released
In-Reply-To: <47C4DBA5.3030808@chrisbuechler.com>
References: <47C4DBA5.3030808@chrisbuechler.com>
Message-ID: <47C4FA6B.90107@ceetonetechnology.com>

Chris Buechler wrote:
> George Rosamond suggested I send a shout out here, after sending a
> "heads up" to the NYC*BUG colo list of the release. Big props to George
> for getting us a dedicated server in the NYC*BUG rack at NYI as a mirror
> and backup hosting facility, and to Ike for helping facilitate. About
> 4,000 total downloads from that mirror alone (1 of 11 mirrors) in the
> first 24 hours after release.
>

And of course to Okan in the mix. . .

> Release info:
> http://blog.pfsense.org/?p=170
>
> Any interest in a pfSense talk at NYCBSDCon this year? If so, any
> suggestions on what you would like to hear about?

no comment ;)

>
> Also we're having a 4 hour tutorial on pfSense at BSDCan this year. More
> info on that: http://blog.pfsense.org/?p=169 Scott Ullrich and I have
> met several NYC*BUG folks in years past, and hope to see a number of you
> again this year.

Seriously. . . I do think that a pfSense talk or bof would be of interest. I'm curious to hear about others' experiences, but especially from the developers' angles on implementations in enterprise environments. Lots of BSD distro-type things have come out. . . but pfSense has shown longevity for a reason.

g

From trish at bsdunix.net Wed Feb 27 05:59:03 2008
From: trish at bsdunix.net (Siobhan Patricia Lynch)
Date: Wed, 27 Feb 2008 10:59:03 +0000
Subject: [nycbug-talk] FBSD network stack virtualization
Message-ID: <1813569385-1204109957-cardhu_decombobulator_blackberry.rim.net-939508782-@bxe017.bisx.prod.on.blackberry>

OpenSolaris does this already. In fact we're using it in our product to facilitate routing of zones out of the global zone (host os). If FreeBSD had supported this a few months ago we might not be using OpenSolaris :(

Still it'll be a while until it's a stable thing on FBSD.

-Trish
--
Siobhan Patricia Lynch

-----Original Message-----
From: George Rosamond
Date: Wed, 27 Feb 2008 00:45:21
To: Charles Sprickman
Cc: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] FBSD network stack virtualization

[George Rosamond's reply quoted in full; snipped]

_______________________________________________
talk mailing list
talk at lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/talk

From george at ceetonetechnology.com Wed Feb 27 17:41:13 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 27 Feb 2008 17:41:13 -0500
Subject: [nycbug-talk] Jail admin
Message-ID: <47C5E709.6060600@ceetonetechnology.com>

We have a FreeBSD jail box in the NYCBUG colo at NYI. . . and need a decent sysadmin to manage the box for the BSD-related project (s) that utilize it. . .

We need someone who can be a jail sysadmin, knows their way around this sort of stuff, and needs to be at least mildly responsible.

Hit me at my first name at nycbug dot org, and let's talk. . .
George From skreuzer at exit2shell.com Wed Feb 27 17:55:57 2008 From: skreuzer at exit2shell.com (Steven Kreuzer) Date: Wed, 27 Feb 2008 17:55:57 -0500 Subject: [nycbug-talk] FreeBSD 7.0-RELEASE Available Message-ID: <20080227225557.GA11980@scruffy.exit2shell.com> In case you don't subscribe to freebsd-announce@, I figured I would pass this along to the list. ----- Forwarded message from Ken Smith ----- Date: Wed, 27 Feb 2008 17:19:52 -0500 From: Ken Smith To: freebsd-announce at freebsd.org Subject: [FreeBSD-Announce] FreeBSD 7.0-RELEASE Available The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 7.0-RELEASE. This is the first release from the 7-STABLE branch which introduces many new features along with many improvements to functionality present in the earlier branches. Some of the highlights: - Dramatic improvements in performance and SMP scalability shown by various database and other benchmarks, in some cases showing peak performance improvements as high as 350% over FreeBSD 6.X under normal loads and 1500% at high loads. When compared with the best performing Linux kernel (2.6.22 or 2.6.24) performance is 15% better. Results are from benchmarks used to analyze and improve system performance, results with your specific work load may vary. Some of the changes that contribute to this improvement are: * The 1:1 libthr threading model is now the default. * Finer-grained IPC, networking, and scheduler locking. * A major focus on optimizing the SMP architecture that was put in place during the 5.x and 6.x branches. Some benchmarks show linear scaling up to 8 CPUs. Many workloads see a significant performance improvement with multicore systems. - The ULE scheduler is vastly improved, providing improved performance and interactive response (the 4BSD scheduler is still the default for 7.0 but ULE may become the default for 7.1). - Experimental support for Sun's ZFS filesystem. 
- gjournal can be used to set up journaled filesystems, gvirstor can be used as a virtualized storage provider. - Read-only support for the XFS filesystem. - The unionfs filesystem has been fixed. - iSCSI initiator. - TSO and LRO support for some network drivers. - Experimental SCTP (Stream Control Transmission Protocol) support (FreeBSD's being the reference implementation). - Much improved wireless (802.11) support. - Network link aggregation/trunking (lagg(4)) imported from OpenBSD. - JIT compilation to turn BPF into native code, improving packet capture performance. - Much improved support for embedded system development for boards based on the ARM architecture. - jemalloc, a new and highly scalable user-level memory allocator. - freebsd-update(8) provides officially supported binary upgrades to new releases in addition to security fixes and errata patches. - X.Org 7.3, KDE 3.5.8, GNOME 2.20.2. - GNU C compiler 4.2.1. - BIND 9.4.2. For a complete list of new features and known problems, please see the online release notes and errata list, available at: http://www.FreeBSD.org/releases/7.0R/relnotes.html http://www.FreeBSD.org/releases/7.0R/errata.html For more information about FreeBSD release engineering activities, please see: http://www.FreeBSD.org/releng/ Availability ------------- FreeBSD 7.0-RELEASE is now available for the amd64, i386, ia64, pc98, and powerpc architectures. The version for the sparc64 architecture will become available in a few days. Some of the package builds are still in progress. FreeBSD 7.0 can be installed from bootable ISO images or over the network; the required files can be downloaded via FTP or BitTorrent as described in the sections below. While some of the smaller FTP mirrors may not carry all architectures, they will all generally contain the more common ones, such as i386 and amd64. MD5 and SHA256 hashes for the release ISO images are included at the bottom of this message. 
The contents of the ISO images provided as part of the release has changed for most of the architectures. Using the i386 architecture as an example, there are ISO images named "bootonly", "disc1", "disc2", "disc3", "livefs", and "docs". The "bootonly" image is suitable for booting a machine to do a network based installation using FTP or NFS. The "disc1", "disc2", and "disc3" images are used to do a full installation that includes a basic set of packages and does not require network access to an FTP or NFS server during the installation. To boot into a "live CD-based filesystem" and system rescue mode "disc1" and "livefs" are needed. The "docs" image has all of the documentation for all supported languages. Most people will find that "disc1", "disc2" and "disc3" are all that are needed if you want to install some packages during the initial install, and just "disc1" if you prefer to install packages after the initial install is completed. FreeBSD 7.0-RELEASE can also be purchased on CD-ROM from several vendors. One of the vendors that will be offering FreeBSD 7.0-based products is: ~ FreeBSD Mall, Inc. http://www.freebsdmall.com/ BitTorrent ---------- 7.0-RELEASE ISOs are available via BitTorrent. A collection of torrent files to download the images is available at: http://torrents.freebsd.org:8080/ FTP --- The primary mirror site is: ftp://ftp.freebsd.org/pub/FreeBSD/ However before trying the primary FTP site, please check your regional mirror(s) first by going to: ftp://ftp..FreeBSD.org/pub/FreeBSD Any additional mirror sites will be labeled ftp2, ftp3 and so on. More information about FreeBSD mirror sites can be found at: http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html For instructions on installing FreeBSD, please see Chapter 2 of The FreeBSD Handbook. 
It provides a complete installation walk-through for users new to FreeBSD, and can be found online at:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/install.html

Updating Existing Systems
-------------------------

An upgrade of any existing system to FreeBSD 7.0-RELEASE constitutes a major version upgrade, so no matter which method you use to update an older system you should reinstall any ports you have installed on the machine. This will avoid binaries becoming linked to inconsistent sets of libraries when future port upgrades rebuild one port but not others that link to it. This can be done with:

# portupgrade -faP

after updating your system. Note some of the tools to help with this or the instructions below for FreeBSD Update are not installed by default (e.g. portupgrade, gpg, or similar tools like portmaster).

Updates from Source
-------------------

The procedure for doing a source code based update is described in the FreeBSD Handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

The branch tag to use for updating the source is RELENG_7_0.

FreeBSD Update
--------------

Starting with FreeBSD 6.3, the freebsd-update(8) utility supports binary upgrades of i386 and amd64 systems running earlier FreeBSD releases, release candidates, and betas. Users upgrading to FreeBSD 7.0 from older releases (in particular, older than 7.0-RC1) will need to download an updated version of freebsd-update(8) that supports upgrading to a new release.

# fetch http://people.freebsd.org/~cperciva/freebsd-update-upgrade.tgz

Downloading and verifying the digital signature for the tarball (signed by the FreeBSD Security Officer's PGP key) is highly recommended.
# fetch http://people.freebsd.org/~cperciva/freebsd-update-upgrade.tgz.asc
# gpg --verify freebsd-update-upgrade.tgz.asc freebsd-update-upgrade.tgz

The new freebsd-update(8) can then be extracted and run as follows:

# tar -xf freebsd-update-upgrade.tgz
# sh freebsd-update.sh -f freebsd-update.conf -r 7.0-RELEASE upgrade
# sh freebsd-update.sh -f freebsd-update.conf install

The system must be rebooted with the newly installed kernel before continuing.

# shutdown -r now

Next, freebsd-update.sh needs to be run again to install the new userland components, after which all ports should be recompiled to link to new libraries:

# sh freebsd-update.sh -f freebsd-update.conf install
# portupgrade -faP

Finally, freebsd-update.sh needs to be run one last time to remove old system libraries, after which the system should be rebooted in order that the updated userland and ports will be running:

# sh freebsd-update.sh -f freebsd-update.conf install
# shutdown -r now

For more information, see:

http://www.daemonology.net/blog/2007-11-11-freebsd-major-version-upgrade.html

Support
-------

The FreeBSD Security Team currently plans to support FreeBSD 7.0 until February 28th, 2009. For more information on the Security Team and their support of the various FreeBSD branches see:

http://www.freebsd.org/security/

Acknowledgments
----------------

Many companies donated equipment, network access, or man-hours to support the release engineering activities for FreeBSD 7.0 including The FreeBSD Foundation, FreeBSD Systems, Hewlett-Packard, Yahoo!, Network Appliances, and Sentex Communications.

The release engineering team for 7.0-RELEASE includes:

Ken Smith             Release Engineering, amd64, i386, sparc64 Release Building, Mirror Site Coordination
Robert Watson         Release Engineering, Security
Maxime Henrion        Release Engineering
Bruce A.
Mah                   Release Engineering, Documentation
George Neville-Neil   Release Engineering
Hiroki Sato           Release Engineering, Documentation
Murray Stokely        Release Engineering
Marcel Moolenaar      ia64, powerpc Release Building
Takahashi Yoshihiro   PC98 Release Building
Kris Kennaway         Package Building
Joe Marcus Clarke     Package Building
Erwin Lansing         Package Building
Mark Linimon          Package Building
Pav Lucistnik         Package Building
Colin Percival        Security Officer
Simon Nielsen         Deputy Security Officer
Peter Wemm            Bittorrent Coordination

Trademark
---------

FreeBSD is a registered trademark of The FreeBSD Foundation.

ISO Image Checksums
-------------------

----- End forwarded message -----

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From skreuzer at exit2shell.com Thu Feb 28 13:18:31 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Thu, 28 Feb 2008 13:18:31 -0500
Subject: [nycbug-talk] MySQL Database Performance on FreeBSD 7
Message-ID: <20080228181831.GD74302@scruffy.exit2shell.com>

Interesting paper on MySQL performance under FreeBSD 7

http://people.freebsd.org/~kris/scaling/mysql.html

In a nutshell, FreeBSD out-performed Linux by a large margin at high loads. As of Linux 2.6.22 (Fedora 8) they have fixed the most serious scaling problem but they still have 15% lower performance than FreeBSD on this workload.
--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From alex at pilosoft.com Thu Feb 28 13:49:22 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Thu, 28 Feb 2008 13:49:22 -0500 (EST)
Subject: [nycbug-talk] MySQL Database Performance on FreeBSD 7
In-Reply-To: <20080228181831.GD74302@scruffy.exit2shell.com>
Message-ID:

On Thu, 28 Feb 2008, Steven Kreuzer wrote:

> Interesting paper on MySQL performance under FreeBSD 7
>
> http://people.freebsd.org/~kris/scaling/mysql.html
>
> In a nutshell, FreeBSD out-performed Linux by a large margin at high
> loads. As of Linux 2.6.22 (Fedora 8) they have fixed the most serious
> scaling problem but they still have 15% lower performance than FreeBSD
> on this workload.

I'd like to see first the Linux guys' response. Tests were done *by* FreeBSD guys who were clearly knowledgeable in fbsd configuration, but not Linux configuration.

Give it a few more weeks; as test results are propagating on the interwebs, I'm sure the Linux guys will point out the mistake in configuration. :)

-alex

From alex at pilosoft.com Thu Feb 28 13:53:17 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Thu, 28 Feb 2008 13:53:17 -0500 (EST)
Subject: [nycbug-talk] MySQL Database Performance on FreeBSD 7
In-Reply-To: <20080228181831.GD74302@scruffy.exit2shell.com>
Message-ID:

On Thu, 28 Feb 2008, Steven Kreuzer wrote:

> Interesting paper on MySQL performance under FreeBSD 7
>
> http://people.freebsd.org/~kris/scaling/mysql.html
>
> In a nutshell, FreeBSD out-performed Linux by a large margin at high
> loads. As of Linux 2.6.22 (Fedora 8) they have fixed the most serious
> scaling problem but they still have 15% lower performance than FreeBSD
> on this workload.

http://ozlabs.org/~anton/linux/sysbench/

This is science, a little bit of it. The high number of context switches is clearly a symptom of something, most likely MySQL brokenness. There's still nobody who's smart enough to use oprofile who would do *real* science.
-alex

From matt at atopia.net Thu Feb 28 14:05:36 2008
From: matt at atopia.net (Matt Juszczak)
Date: Thu, 28 Feb 2008 14:05:36 -0500 (EST)
Subject: [nycbug-talk] MySQL Database Performance on FreeBSD 7
In-Reply-To:
References:
Message-ID: <20080228140440.W26622@mercury.atopia.net>

> tests were done *by* freebsd guys who were clearly knowledgeable in fbsd
> configuration, but not linux configuration.
>
> give it few more weeks, as test results are propagating on interwebs,
> i'm sure linux guys will point out the mistake in configuration. :)

While I agree, it will be really interesting to see what happens. A few months ago, I had an issue with MySQL on FreeBSD 6.2 with threading and had to switch to Linux for the solution. Would be nice to be able to switch back. Tried to use Linux pthreads, but these were 64 bit boxes.

-Matt

From dlavigne6 at sympatico.ca Thu Feb 28 14:23:35 2008
From: dlavigne6 at sympatico.ca (Dru)
Date: Thu, 28 Feb 2008 14:23:35 -0500 (EST)
Subject: [nycbug-talk] creating a 7.0 DVD
Message-ID: <20080228142257.J632@dru.domain.org>

For those of you who prefer one media to four:

http://blogs.ittoolbox.com/unix/bsd/archives/creating-your-own-freebsd-70-dvd-22791

Cheers,

Dru

From matt at atopia.net Thu Feb 28 23:29:24 2008
From: matt at atopia.net (Matt Juszczak)
Date: Thu, 28 Feb 2008 23:29:24 -0500 (EST)
Subject: [nycbug-talk] Backup service
Message-ID: <20080228185735.X58606@mercury.atopia.net>

Hi all,

Thought all of you may have an opinion on this. My offsite backup service accepts rsync/ssh/scp/sftp. I'm wondering what the best way to manage that is.

Right now, I'd like to keep backups of our SVN repository and MySQL dumps+bin logs, to start.

I'm thinking of just keeping it simple and using rsync with delete, and keeping a "local mirror" of backups, and rsyncing that to the backup system each night.

What do you all suggest? Are there solutions for this?
I'm experienced with things like duplicity, which seem to work well, but I'd like others' thoughts.

Thanks!

-Matt

From trish at bsdunix.net Fri Feb 29 06:17:29 2008
From: trish at bsdunix.net (Siobhan Patricia Lynch)
Date: Fri, 29 Feb 2008 11:17:29 +0000
Subject: [nycbug-talk] Backup service
In-Reply-To: <20080228185735.X58606@mercury.atopia.net>
References: <20080228185735.X58606@mercury.atopia.net>
Message-ID: <1610068742-1204283864-cardhu_decombobulator_blackberry.rim.net-602029264-@bxe017.bisx.prod.on.blackberry>

What I do is create scripts to manage hourly, daily, weekly, and monthly copies and just use straight rsync. The above is done into different directories.

-Trish
--
Siobhan Patricia Lynch

-----Original Message-----
From: Matt Juszczak
Date: Thu, 28 Feb 2008 23:29:24
To: talk at lists.nycbug.org
Subject: [nycbug-talk] Backup service

Hi all,

Thought all of you may have an opinion on this. My offsite backup service accepts rsync/ssh/scp/sftp. I'm wondering what the best way to manage that is.

Right now, I'd like to keep backups of our SVN repository and MySQL dumps+bin logs, to start.

I'm thinking of just keeping it simple and using rsync with delete, and keeping a "local mirror" of backups, and rsyncing that to the backup system each night.

What do you all suggest? Are there solutions for this? I'm experienced with things like duplicity, which seem to work well, but I'd like others' thoughts.

Thanks!

-Matt
_______________________________________________
talk mailing list
talk at lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/talk

From mikel.king at olivent.com Fri Feb 29 11:18:52 2008
From: mikel.king at olivent.com (Mikel King)
Date: Fri, 29 Feb 2008 11:18:52 -0500
Subject: [nycbug-talk] content management
Message-ID: <29224BE4-A890-4C6C-9BE8-166F57418322@olivent.com>

I am canvassing the community to see what people are doing about content management/filtering. Does anyone on this list have a recommendation?
I would like to find out what's out there and what people have experience with. You know, the pros vs cons of each et cetera....

Cheers,
Mikel

From mikel.king at olivent.com Fri Feb 29 11:20:45 2008
From: mikel.king at olivent.com (Mikel King)
Date: Fri, 29 Feb 2008 11:20:45 -0500
Subject: [nycbug-talk] Intrusion Detection Solutions
Message-ID:

Once again I am canvassing the community to see what people are doing about IDS. Please chime in if you have a recommendation. I would like to find out what's out there and learn the pros vs cons of each et cetera....

Cheers,
Mikel

From matt at atopia.net Fri Feb 29 11:21:52 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 29 Feb 2008 11:21:52 -0500 (EST)
Subject: [nycbug-talk] content management
In-Reply-To: <29224BE4-A890-4C6C-9BE8-166F57418322@olivent.com>
References: <29224BE4-A890-4C6C-9BE8-166F57418322@olivent.com>
Message-ID: <20080229112129.F23371@mercury.atopia.net>

What do you mean by content management/filtering?

Managing content on a website? Filtering content on a website? Or doing end user filtering/management like a packet filter/http filter?

From dave at donnerjack.com Fri Feb 29 11:27:12 2008
From: dave at donnerjack.com (David Lawson)
Date: Fri, 29 Feb 2008 11:27:12 -0500
Subject: [nycbug-talk] Intrusion Detection Solutions
In-Reply-To:
References:
Message-ID:

I've always been very happy with Snort, both from an ease of use and management perspective and a performance perspective. The SourceFire rules subscription system is a bit annoying, but it's no worse than most things.

--Dave

On Feb 29, 2008, at 11:20 AM, Mikel King wrote:

> Once again I am canvassing the community to see what people are
> doing about IDS. Please chime in if you have a recommendation? I
> would like to find out what's out there and learn the pros vs cons of
> each et cetera....
>
> Cheers,
> Mikel
>

From dan at langille.org Fri Feb 29 11:28:29 2008
From: dan at langille.org (Dan Langille)
Date: Fri, 29 Feb 2008 11:28:29 -0500
Subject: [nycbug-talk] content management
In-Reply-To: <29224BE4-A890-4C6C-9BE8-166F57418322@olivent.com>
References: <29224BE4-A890-4C6C-9BE8-166F57418322@olivent.com>
Message-ID:

On Feb 29, 2008, at 11:18 AM, Mikel King wrote:

> I am canvassing the community to see what people are doing about
> content management/filtering. Does anyone on this list have a
> recommendation? I would like to find out what's out there and what
> people have experience with. You know the pros vs cons of each et
> cetera....

Content management of what? Filtering of what?

--
Dan Langille -- http://www.langille.org/
dan at langille.org

From matt at atopia.net Fri Feb 29 11:30:56 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 29 Feb 2008 11:30:56 -0500 (EST)
Subject: [nycbug-talk] Top Level Domain SSL Certificates
Message-ID: <20080229112949.S23963@mercury.atopia.net>

Hopefully this isn't going too off topic:

One of my customers is interested in getting an SSL cert for his entire domain name (IE: *.bar.com instead of foo.bar.com).

Other than being more expensive, and in my opinion not the best idea security wise, what are other pros/cons? Does anyone have any experience? Do these work well?

Thanks!

-Matt

From okan at demirmen.com Fri Feb 29 11:37:40 2008
From: okan at demirmen.com (Okan Demirmen)
Date: Fri, 29 Feb 2008 11:37:40 -0500
Subject: [nycbug-talk] Intrusion Detection Solutions
In-Reply-To:
References:
Message-ID: <20080229163740.GN19874@clam.khaoz.org>

On Fri 2008.02.29 at 11:20 -0500, Mikel King wrote:
> Once again I am canvassing the community to see what people are
> doing about IDS. Please chime in if you have a recommendation?
> I would like to find out what's out there and learn the pros vs cons of
> each et cetera....

prelude.

From spork at bway.net Fri Feb 29 11:40:29 2008
From: spork at bway.net (Charles Sprickman)
Date: Fri, 29 Feb 2008 11:40:29 -0500 (EST)
Subject: [nycbug-talk] Top Level Domain SSL Certificates
In-Reply-To: <20080229112949.S23963@mercury.atopia.net>
References: <20080229112949.S23963@mercury.atopia.net>
Message-ID:

On Fri, 29 Feb 2008, Matt Juszczak wrote:

> Hopefully this isn't going too off topic:
>
> One of my customers is interested in getting an SSL cert for his entire
> domain name (IE: *.bar.com instead of foo.bar.com).
>
> Other than being more expensive, and in my opinion not the best idea
> security wise, what are other pros/cons? Does anyone have any experience?
> Do these work well?

If you have a limited budget and need to cover a dozen or so hostnames, they are great. After we got our hands on one, not only did we use it for the customer-facing stuff, but for a ton of internal sites that were previously using self-signed certs. I have had no problems with any browsers or email clients that I regularly use.

Charles

> Thanks!
>
> -Matt

From dan at langille.org Fri Feb 29 11:41:59 2008
From: dan at langille.org (Dan Langille)
Date: Fri, 29 Feb 2008 11:41:59 -0500
Subject: [nycbug-talk] Top Level Domain SSL Certificates
In-Reply-To: <20080229112949.S23963@mercury.atopia.net>
References: <20080229112949.S23963@mercury.atopia.net>
Message-ID: <5E1CE71B-9C48-4AB4-8886-D451CB4F9FCB@langille.org>

On Feb 29, 2008, at 11:30 AM, Matt Juszczak wrote:

> Hopefully this isn't going too off topic:
>
> One of my customers is interested in getting an SSL cert for his
> entire
> domain name (IE: *.bar.com instead of foo.bar.com).
>
> Other than being more expensive, and in my opinion not the best idea
> security wise, what are other pros/cons? Does anyone have any
> experience?
> Do these work well?

As a user and assurer for CACert, perhaps using CACert is attractive. Free certs, but not necessarily recognized by all browsers. Whether or not CACert is an option for you depends upon who will be using the certs and under what circumstances. I'm not even sure if you can get a wild carded cert from CACert. But perhaps issuing the certs you need, for free, is what you want instead of wildcarding.

cheers

--
Dan Langille -- http://www.langille.org/
dan at langille.org

From lavalamp at spiritual-machines.org Fri Feb 29 11:55:02 2008
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Fri, 29 Feb 2008 11:55:02 -0500 (EST)
Subject: [nycbug-talk] Top Level Domain SSL Certificates
In-Reply-To: <20080229112949.S23963@mercury.atopia.net>
References: <20080229112949.S23963@mercury.atopia.net>
Message-ID: <20080229115325.R79261@arbitor.digitalfreaks.org>

On Fri, 29 Feb 2008, Matt Juszczak wrote:

> Hopefully this isn't going too off topic:
>
> One of my customers is interested in getting an SSL cert for his entire
> domain name (IE: *.bar.com instead of foo.bar.com).

Yea, I've played this game. It's stacked pretty well.

IE6 only honors one subdomain in wildcard certificates. FF2.x honors a true wildcard.

EV certs only support one CN= and one subjAltName= value, if you're lucky. No wildcards available.

Grab your socks and pull.

~BAS

>
> Other than being more expensive, and in my opinion not the best idea
> security wise, what are other pros/cons? Does anyone have any experience?
> Do these work well?
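The question of how many labels a wildcard covers comes down to the name-matching rule the client applies. The matcher below is an added example (not code from this thread) that implements the RFC 6125 rule current browsers use: "*" must be the whole left-most label and stands for exactly one label, so *.bar.com covers www.bar.com but neither bar.com nor dev.mail.bar.com, and it is compared against an explicit subjectAltName list. The hostnames and both certificate name lists are constructed for illustration; no real certificate is parsed.

```python
"""Which hostnames does a certificate's name list actually cover?

Added example, not code from the mailing-list thread.  It applies the
RFC 6125 wildcard rule that current browsers use.  Inputs are plain
strings (the subjectAltName dNSName values, or the CN when a cert has
no SAN); no real certificate is parsed.
"""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if the certificate name `cert_name` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3, as tightened by browsers):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard must be the entire left-most label ("*.bar.com",
        not "f*.bar.com") and may not appear anywhere else;
      * the wildcard stands for exactly one label, so it never covers
        the bare domain or a deeper sub-subdomain;
      * at least two labels must follow the wildcard, so "*.com" is
        rejected rather than covering every .com host.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name or not hostname or "*" in hostname:
        return False
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if any(not label for label in cert_labels + host_labels):
        return False  # empty label, e.g. "www..bar.com"
    if "*" not in cert_name:
        return cert_labels == host_labels  # plain name: exact match only
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False  # partial or non-leading wildcard
    if len(cert_labels) < 3:
        return False  # "*.com" style wildcards are refused
    if len(host_labels) != len(cert_labels):
        return False  # wildcard covers exactly one label
    return host_labels[1:] == cert_labels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each hostname to the first certificate name covering it, or None."""
    return {
        host: next((name for name in cert_names if hostname_matches(name, host)), None)
        for host in hostnames
    }


def uncovered_hosts(cert_names, hostnames):
    """Hostnames the certificate is NOT valid for (what a browser warns on)."""
    return [host for host, name in covered_hosts(cert_names, hostnames).items() if name is None]


# Constructed sample inputs: a wildcard cert versus an explicit SAN list.
WILDCARD_CERT = ["*.bar.com"]
SAN_CERT = ["bar.com", "www.bar.com", "mail.bar.com", "svn.bar.com"]
HOSTS = ["bar.com", "www.bar.com", "mail.bar.com", "dev.mail.bar.com", "svn.bar.com"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("SAN list", SAN_CERT)):
        # wildcard -> ['bar.com', 'dev.mail.bar.com']; SAN list -> ['dev.mail.bar.com']
        print(f"{label}: not covered -> {uncovered_hosts(names, HOSTS)}")
```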
From eksffa at freebsdbrasil.com.br Fri Feb 29 11:56:31 2008
From: eksffa at freebsdbrasil.com.br (Patrick Tracanelli)
Date: Fri, 29 Feb 2008 13:56:31 -0300
Subject: [nycbug-talk] Intrusion Detection Solutions
In-Reply-To:
References:
Message-ID: <47C8393F.4020608@freebsdbrasil.com.br>

Mikel King wrote:
> Once again I am canvassing the community to see what people are
> doing about IDS. Please chime in if you have a recommendation? I
> would like to find out what's out there and learn the pros vs cons of
> each et cetera....

My IDS/IPS setup is made up of Snort Inline and OSSEC HIDS.

Pros, is how easy and good OSSEC is with Windows monitors, feeding the main HIDS processes on FreeBSD. Doing customized rules with this tool is also easy and effective. It can also run external scripts in a framework setup it calls active response, with pre-defined scripts for firewalling, updating tcp wrappers conf and some other behaviors, as the active response actions. I also love its integration with iplog, and its ability to read and parse snort logs. However it is essentially just a HIDS, although it can take advantage of iplog for example.

I run snort in inline mode because mostly I don't need just to drop (flexresp) or to start a response script. Those are limited and responsive actions. I need pro-active actions. Most rules in inline mode I have drop or sdrop action, but some others, especially p2p ones, I have "reinject" actions which send the packet back to IPFIREWALL(4) and let me tag+pipe it. When I need a more cohesive setup with snort sensors I tend to run Snort with the snortsam patch; but in the standalone setups or the complex setups I always have snort_inline in the main strategic areas of the topology.

Negative point on snort_inline is that, if, for some reason, it dies, I have a DoS on my network. So I run it under daemontools (supervise) and get notified if it dies. When it dies it's the sysadmin's fault who did not test a rule or some syntax.
However "divert" can always be switched by the "tee" action in the firewall if for some reason one believes this is not an acceptable thing. I never run with tee, always divert. For me not acceptable is using untested rules.

I don't see any other negative point. Everything else is just good to me, so it makes my IDS/IPS combo of choice.

>
> Cheers,
> Mikel

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601 at sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"

From matt at atopia.net Fri Feb 29 11:58:20 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 29 Feb 2008 11:58:20 -0500 (EST)
Subject: [nycbug-talk] Top Level Domain SSL Certificates
In-Reply-To:
References: <20080229112949.S23963@mercury.atopia.net>
Message-ID: <20080229115804.H26056@mercury.atopia.net>

> If this is just about being able to put multiple SSL virtual hosts on
> a single ip address, I think it's much better to use a "unified
> communications cert" that uses the X.509v3 Subject Alternative Name
> extension to apply a single certificate to multiple domain names.

Nope, isn't about that at all. Thanks for the suggestion though!

From chsnyder at gmail.com Fri Feb 29 11:53:37 2008
From: chsnyder at gmail.com (csnyder)
Date: Fri, 29 Feb 2008 11:53:37 -0500
Subject: [nycbug-talk] Top Level Domain SSL Certificates
In-Reply-To: <20080229112949.S23963@mercury.atopia.net>
References: <20080229112949.S23963@mercury.atopia.net>
Message-ID:

On Fri, Feb 29, 2008 at 11:30 AM, Matt Juszczak wrote:
> Hopefully this isn't going too off topic:
>
> One of my customers is interested in getting an SSL cert for his entire
> domain name (IE: *.bar.com instead of foo.bar.com).
>
> Other than being more expensive, and in my opinion not the best idea
> security wise, what are other pros/cons?
> Does anyone have any experience?
> Do these work well?
>
> Thanks!
>
> -Matt

The key for that certificate is going to be extremely valuable, and your client is going to need to put a copy of it on every server in their domain that wants to use the certificate.

If this is just about being able to put multiple SSL virtual hosts on a single ip address, I think it's much better to use a "unified communications cert" that uses the X.509v3 Subject Alternative Name extension to apply a single certificate to multiple domain names.

--
Chris Snyder
http://chxo.com/

From mikel.king at olivent.com Fri Feb 29 12:05:38 2008
From: mikel.king at olivent.com (Mikel King)
Date: Fri, 29 Feb 2008 12:05:38 -0500
Subject: [nycbug-talk] content management
In-Reply-To: <20080229112129.F23371@mercury.atopia.net>
References: <29224BE4-A890-4C6C-9BE8-166F57418322@olivent.com> <20080229112129.F23371@mercury.atopia.net>
Message-ID: <73D7A9E2-3ED5-46B6-B68A-105347D68B70@olivent.com>

Content filtering of web traffic. I've been asked by a few clients lately that really would like to limit more than monitor what their staffers are accessing across the net. Unfortunately the only thing that comes to my mind immediately is squid.

Thanks,
m

On Feb 29, 2008, at 11:21 AM, Matt Juszczak wrote:

> What do you mean by content management/filtering?
>
> Managing content on a website? Filtering content on a website? Or
> doing end user filtering/management like a packet filter/http filter?

From matt at atopia.net Fri Feb 29 12:07:42 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 29 Feb 2008 12:07:42 -0500 (EST)
Subject: [nycbug-talk] content management
In-Reply-To: <73D7A9E2-3ED5-46B6-B68A-105347D68B70@olivent.com>
References: <29224BE4-A890-4C6C-9BE8-166F57418322@olivent.com> <20080229112129.F23371@mercury.atopia.net> <73D7A9E2-3ED5-46B6-B68A-105347D68B70@olivent.com>
Message-ID: <20080229120739.I26742@mercury.atopia.net>

Dan's Guardian?
On Fri, 29 Feb 2008, Mikel King wrote:

> Content filtering of web traffic. I've been asked by a few clients lately
> that really would like to limit more than monitor what their staffers are
> accessing across the net. Unfortunately the only thing that comes to my mind
> immediately is squid.
>
> Thanks,
> m
>
>
> On Feb 29, 2008, at 11:21 AM, Matt Juszczak wrote:
>
>> What do you mean by content management/filtering?
>>
>> Managing content on a website? Filtering content on a website? Or doing
>> end user filtering/management like a packet filter/http filter?

From chsnyder at gmail.com Fri Feb 29 12:09:30 2008
From: chsnyder at gmail.com (csnyder)
Date: Fri, 29 Feb 2008 12:09:30 -0500
Subject: [nycbug-talk] Backup service
In-Reply-To: <20080228185735.X58606@mercury.atopia.net>
References: <20080228185735.X58606@mercury.atopia.net>
Message-ID:

On Thu, Feb 28, 2008 at 11:29 PM, Matt Juszczak wrote:
> I'm thinking of just keeping it simple and using rsync with delete, and
> keeping a "local mirror" of backups, and rsyncing that to the backup
> system each night.

Have you considered the need to archive files, above and beyond keeping a local mirror? In other words, if a file is deleted or changed, how much time do you have to discover it before rsync changes your mirror?

We use the backup feature of rsync to store the backup files by date, then prune those after a few days. Each host has its own account on the backup host. The command to back up host foobar today is:

rsync -ab --delete --numeric-ids --exclude=tmp/* --backup-dir=../archive/2008-02-29 --stats -e "ssh -l foobar" /home /etc /var/log /usr/local 192.168.1.24:backup/

I looked at duplicity but deemed it overkill. It's also non-transparent; you can't just cd into the archive and pull out a file, you have to use duplicity to get it back out.
--
Chris Snyder
http://chxo.com/

From mikel.king at olivent.com Fri Feb 29 12:10:44 2008
From: mikel.king at olivent.com (Mikel King)
Date: Fri, 29 Feb 2008 12:10:44 -0500
Subject: [nycbug-talk] Top Level Domain SSL Certificates
In-Reply-To: <20080229112949.S23963@mercury.atopia.net>
References: <20080229112949.S23963@mercury.atopia.net>
Message-ID:

On Feb 29, 2008, at 11:30 AM, Matt Juszczak wrote:

> Hopefully this isn't going too off topic:
>
> One of my customers is interested in getting an SSL cert for his
> entire
> domain name (IE: *.bar.com instead of foo.bar.com).
>
> Other than being more expensive, and in my opinion not the best idea
> security wise, what are other pros/cons? Does anyone have any
> experience?
> Do these work well?
>
> Thanks!
>
> -Matt
>

I received mine from CACert.org and for the most part everything has been pretty good.

Cheers,
m

From matt at atopia.net Fri Feb 29 12:12:47 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 29 Feb 2008 12:12:47 -0500 (EST)
Subject: [nycbug-talk] Backup service
In-Reply-To:
References: <20080228185735.X58606@mercury.atopia.net>
Message-ID: <20080229121103.E26756@mercury.atopia.net>

> Have you considered the need to archive files, above and beyond
> keeping a local mirror? In other words, if a file is deleted or
> changed, how much time do you have to discover it before rsync changes
> your mirror?

Yes, and I verified that our backup provider backs up the actual file system of our backup system to ANOTHER system nightly :) I was originally concerned about this simply because - what if someone gets access to the backup system and rm -rf /'s it.... etc. etc.

> We use the backup feature of rsync to store the backup files by date,
> then prune those after a few days. Each host has its own account on
> the backup host.
> The command to back up host foobar today is:
> rsync -ab --delete --numeric-ids --exclude=tmp/*
> --backup-dir=../archive/2008-02-29 --stats -e "ssh -l foobar" /home
> /etc /var/log /usr/local 192.168.1.24:backup/
>
> I looked at duplicity but deemed it overkill. It's also
> non-transparent; you can't just cd into the archive and pull out a
> file, you have to use duplicity to get it back out.

Makes sense. I'll look into it but I appreciate your example. Thanks!

-Matt

From matt at atopia.net Fri Feb 29 12:13:08 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 29 Feb 2008 12:13:08 -0500 (EST)
Subject: [nycbug-talk] Top Level Domain SSL Certificates
In-Reply-To:
References: <20080229112949.S23963@mercury.atopia.net>
Message-ID: <20080229121259.H26756@mercury.atopia.net>

> I received mine from CACert.org and for the most part everything has been
> pretty good.
>
> Cheers,
> m

Seems that it doesn't work out of the box with firefox though.

From KReiter at insidefsi.net Fri Feb 29 12:18:15 2008
From: KReiter at insidefsi.net (Kevin Reiter)
Date: Fri, 29 Feb 2008 12:18:15 -0500
Subject: [nycbug-talk] content management
In-Reply-To: <20080229120739.I26742@mercury.atopia.net>
Message-ID: <0CF59C4890F7A04AAC3B1E798E6F86F3016F025B@fsi32.fsidp.insidefsi.com>

On Friday, Feb 29 2008, Matt Juszczak wrote:

> Dan's Guardian?

On Fri, 29 Feb 2008, Mikel King wrote:

> Content filtering of web traffic. I've been asked by a few clients lately
> that really would like to limit more than monitor what their staffers are
> accessing across the net. Unfortunately the only thing that comes to my mind
> immediately is squid.
>
> Thanks,
> m
>
> On Feb 29, 2008, at 11:21 AM, Matt Juszczak wrote:
>
>> What do you mean by content management/filtering?
>>
>> Managing content on a website? Filtering content on a website? Or doing
>> end user filtering/management like a packet filter/http filter?

I second Dan's Guardian.
It's pretty easy/quick to get working, and you can pull down updates for the
blacklists with one of the numerous scripts already available. Another thing
I like is that it blocks Google search results based on bad keywords/blocked
sites/subjects. You can also customize the blocked-page error page, which is
pretty nice. Keep in mind, if it's for commercial use, you need to buy a
license, but it's free for home use.

From carton at Ivy.NET Fri Feb 29 12:18:57 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Fri, 29 Feb 2008 12:18:57 -0500
Subject: [nycbug-talk] Top Level Domain SSL Certificates
In-Reply-To: <20080229112949.S23963@mercury.atopia.net> (Matt Juszczak's message of "Fri, 29 Feb 2008 11:30:56 -0500 (EST)")
References: <20080229112949.S23963@mercury.atopia.net> <5E1CE71B-9C48-4AB4-8886-D451CB4F9FCB@langille.org>
Message-ID:

>>>>> "mj" == Matt Juszczak writes:
>>>>> "dl" == Dan Langille writes:

    mj> in my opinion not the best idea security wise,

I guess. my counter-opinion would be, once the browsers are accepting certs
of this kind, the security compromise is already made. but I guess if you
want to compartmentalize compromises within your organization, more
restrictive certs would be nicer.

It would be nice if certs were tied more to DNS, sort of like SPF for email,
so you could limit which authorities were allowed to issue certs for a given
subdomain of yours. Then the next step is to throw out the whole mess of
shady credit agencies running CA's and tie it all to DNS. it's such a broken
scam.
    dl> As a user and assurer for CACert
    dl> perhaps using CACert is attractive.

yeah, I'm also a cacert assurer, but i can only give a small number of
points. The germans were all crazy about it and signed me up.

my experience with CACert is that they suck, enough that I'm slightly
embarrassed to publish one of their certs. People have unanswered questions
on their mailing list all the time. And it seems like their sysadmin
infrastructure is kind of asleep at the wheel---it's doing ok on autopilot,
but everyone is afraid to touch it, and they have problems they acknowledge
but don't fix for >1yr. (so i guess it should be great for BSD people, since
after all their heart's in the right place. ARGH.) And finally I found some
documentation on their site which is confusingly tangled and hopelessly
outdated and plain wrong which basically says that wildcard certs don't work
at all in IE version this-or-that and Firefox version blah, when in fact the
docs are, besides being unreadable, flat out wrong. and never corrected after
I pointed it out.

The other problem I have is that the whole assurers system and the rules of
it are quite silly. It is more like a scientology loyalty-building scam than
an actual part of the cert-issuing process. You can get the certificate that
99% of people actually give a shit about, the web server cert, by simply
being able to receive email at a registered contact of your domain. You just
get it for 6 months validity only. Then, after 5 months, go get another one.
They make this big deal about what X.509 or subject data or whatever is in
the cert, but (a) this is just silliness because the web browser doesn't
look at it, only looks at the domain name part, and (b) is not solved by the
assurers system anyway and requires faxing documents around, but ``solved''
is wrong because of (a). The 6-month certs you get by not dealing with
``assurers'' at all are just as good for web browsers as anything else you
get from them.
so they have set up this whole infrastructure of human assurers checking
ID's which is basically meaningless---it's only necessary for S/MIME certs
and code-signing certs. For the former I think most CACert-friendly geeks
are for a variety of reasons more comfortable with the PGP WoT than S/MIME
and government ID's. For the latter, there are even more silly CACert rules
seemingly designed to prove you are a trustworthy person to write code for
running on an unsuspecting potential victim's machine, nothing about simply
binding the signature to a recognizable brand and letting the user decide
how much they trust the brand when the code-execution box pops up.

All around, it's like they don't understand their role clearly, nor does
anyone who ``trusts'' them to perform it. which is somewhat par for any CA,
but IMHO it is quite a mess with CACert.

    dl> not even sure if you can get a wild carded cert from CACert.
    dl> But perhaps issues the certs you need, for free, is what you
    dl> want instead of wildcarding.

yes, exactly, you cannot get wildcard certs from CACert, but since you can
get as many certs as you want for free, it's better for you to do that. I
think you would rather---it was the cost that made you want wildcard in the
first place.

but, moving on, I would also like to buy a non-CAcert certificate that
actually works in firefox and IE. Where should I go? If you think this
shopping-question makes too much OT traffic, reply to me privately and I
promise to post a summary.

oh, also, i am interested in code-signing for Java but do not really
understand how it works. so if someone can get me started reading about
that, much appreciated too. :/
From matt at atopia.net Fri Feb 29 12:27:59 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 29 Feb 2008 12:27:59 -0500 (EST)
Subject: [nycbug-talk] Backup service
In-Reply-To: <20080229121103.E26756@mercury.atopia.net>
References: <20080228185735.X58606@mercury.atopia.net> <20080229121103.E26756@mercury.atopia.net>
Message-ID: <20080229122739.S28331@mercury.atopia.net>

>> rsync -ab --delete --numeric-ids --exclude=tmp/*
>> --backup-dir=../archive/2008-02-29 --stats -e "ssh -l foobar" /home
>> /etc /var/log /usr/local 192.168.1.24:backup/

Is this a push or pull method?

From skreuzer at exit2shell.com Fri Feb 29 12:59:49 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Fri, 29 Feb 2008 12:59:49 -0500
Subject: [nycbug-talk] Backup service
In-Reply-To: <20080228185735.X58606@mercury.atopia.net>
References: <20080228185735.X58606@mercury.atopia.net>
Message-ID: <20080229175949.GA51105@scruffy.exit2shell.com>

On Thu, Feb 28, 2008 at 11:29:24PM -0500, Matt Juszczak wrote:
> Hi all,
>
> Thought all of you may have an opinion on this. My offsite backup service
> accepts rsync/ssh/scp/sftp. I'm wondering what the best way to manage
> that is. Right now, I'd like to keep backups of our SVN repository and
> MySQL dumps+bin logs, to start.
>
> I'm thinking of just keeping it simple and using rsync with delete, and
> keeping a "local mirror" of backups, and rsyncing that to the backup
> system each night.
>
> What do you all suggest? Are there solutions for this? I'm experienced
> with things like duplicity, which seem to work well, but I'd like others'
> thoughts.
>
> Thanks!
>
> -Matt

I feel that it doesn't make sense to roll your own, so we recently deployed
rsnapshot, which is a perl script that wraps around rsync and uses hard
links to keep multiple, full backups instantly available.
The disk space required is just a little more than the space of one full
backup, plus incrementals. So far it's running on roughly 400 servers and we
have not had any issues other than running out of inodes on our backup
device ;)

http://www.rsnapshot.org/

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From riegersteve at gmail.com Fri Feb 29 11:41:24 2008
From: riegersteve at gmail.com (Steve Rieger)
Date: Fri, 29 Feb 2008 08:41:24 -0800
Subject: [nycbug-talk] Top Level Domain SSL Certificates
In-Reply-To: <20080229112949.S23963@mercury.atopia.net>
References: <20080229112949.S23963@mercury.atopia.net>
Message-ID: <47C835B4.8060303@gmail.com>

Matt Juszczak wrote:
> Hopefully this isn't going too off topic:
>
> One of my customers is interested in getting an SSL cert for his entire
> domain name (IE: *.bar.com instead of foo.bar.com).
>
> Other than being more expensive, and in my opinion not the best idea
> security wise, what are other pros/cons? Does anyone have any experience?
> Do these work well?
>
> Thanks!
>
> -Matt
>

no real cons there, they work as advertised, my advice: use thawte not netsol.
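The dated-archive rsync push that Chris Snyder describes earlier in this thread (rsync -b with --backup-dir, then pruning the archive after a few days), written out as an added example that is not code from any poster here. The 7-day retention, the cutoff_date helper and the count helper are assumptions; the host 192.168.1.24, the source paths and the backup/ and archive/ layout come from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): dated-archive rsync push plus pruning.
# Assumptions: the backup account is named after the local host, the remote
# layout is backup/ with a sibling archive/ directory, and retention is 7 days.

BACKUP_HOST=${BACKUP_HOST:-192.168.1.24}   # backup host from the thread
RETENTION_DAYS=${RETENTION_DAYS:-7}        # assumed retention window

# Today minus N days as YYYY-MM-DD; tries BSD date(1) first, then GNU date.
cutoff_date() {
    date -v-"$1"d +%Y-%m-%d 2>/dev/null || date -d "$1 days ago" +%Y-%m-%d
}

# The push command for one host and one day. -a keeps ownership and modes,
# -b moves every file that --delete or an update would overwrite into
# --backup-dir, so a deleted or corrupted file survives in archive/<date>
# instead of silently vanishing from the mirror on the next run.
build_rsync_cmd() {
    host=$1 day=$2
    printf 'rsync -ab --delete --numeric-ids --exclude=tmp/* --backup-dir=../archive/%s --stats -e "ssh -l %s" /home /etc /var/log /usr/local %s:backup/' \
        "$day" "$host" "$BACKUP_HOST"
}

# Remove archive/<YYYY-MM-DD> directories strictly older than the cutoff.
# Only names shaped like dates are considered, so backup/ and stray files
# are never touched; ISO dates compare correctly once the dashes are gone.
prune_archive() {
    archive=$1 cutoff=$(printf '%s' "$2" | sed 's/-//g')
    for d in "$archive"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
        [ -d "$d" ] || continue
        stamp=$(basename "$d" | sed 's/-//g')   # 2008-02-29 -> 20080229
        if [ "$stamp" -lt "$cutoff" ]; then
            rm -rf "$d"
        fi
    done
}

# Count surviving dated directories, to confirm a prune did what was
# intended before trusting it on the real archive.
count_archive_days() {
    n=0
    for d in "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Typical nightly use from cron on the client (prune runs on the backup host):
#   build_rsync_cmd "$(hostname -s)" "$(cutoff_date 0)"
#   prune_archive /home/foobar/archive "$(cutoff_date "$RETENTION_DAYS")"
```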
From matt at atopia.net Fri Feb 29 13:12:25 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 29 Feb 2008 13:12:25 -0500 (EST)
Subject: [nycbug-talk] Backup service
In-Reply-To: <20080229175949.GA51105@scruffy.exit2shell.com>
References: <20080228185735.X58606@mercury.atopia.net> <20080229175949.GA51105@scruffy.exit2shell.com>
Message-ID: <20080229131209.G31979@mercury.atopia.net>

> So far it's running on roughly 400 servers and we have not had any issues other
> than running out of inodes on our backup device ;)
>
> http://www.rsnapshot.org/

Works great, except that I need a push solution, not a pull solution =(

From chsnyder at gmail.com Fri Feb 29 16:11:58 2008
From: chsnyder at gmail.com (csnyder)
Date: Fri, 29 Feb 2008 16:11:58 -0500
Subject: [nycbug-talk] Backup service
In-Reply-To: <20080229122739.S28331@mercury.atopia.net>
References: <20080228185735.X58606@mercury.atopia.net> <20080229121103.E26756@mercury.atopia.net> <20080229122739.S28331@mercury.atopia.net>
Message-ID:

On Fri, Feb 29, 2008 at 12:27 PM, Matt Juszczak wrote:
> >> rsync -ab --delete --numeric-ids --exclude=tmp/*
> >> --backup-dir=../archive/2008-02-29 --stats -e "ssh -l foobar" /home
> >> /etc /var/log /usr/local 192.168.1.24:backup/
>
> Is this a push or pull method?
>

Push. Each host has an account on the backup server that it can access via
public key, restricted to rsync. I would rather use pull since control and
monitoring are simpler, but I don't want a backup server that has root
access to all the hosts it is archiving. Trying to coordinate an initial
local backup to userland before the pull makes pull much more complex.
--
Chris Snyder
http://chxo.com/

From andy.kosela at gmail.com Fri Feb 29 18:32:10 2008
From: andy.kosela at gmail.com (Andy Kosela)
Date: Sat, 1 Mar 2008 00:32:10 +0100
Subject: [nycbug-talk] Backup service
In-Reply-To:
References: <20080228185735.X58606@mercury.atopia.net> <20080229121103.E26756@mercury.atopia.net> <20080229122739.S28331@mercury.atopia.net>
Message-ID: <3cc535c80802291532g1033c44cmf76078a5677319c8@mail.gmail.com>

I can confirm, rsnapshot works reliably and well. We are also using
traditional UNIX backup utilities dump/restore. They are excellent for doing
backups of whole filesystems (working nicely in a FreeBSD environment
because of ufs snapshots).

In hybrid environments with a large number of servers I am suggesting some
commercial solution like Veritas Netbackup or HP Data Protector.

Regards,
Andy Kosela

From dan at langille.org Fri Feb 29 20:30:46 2008
From: dan at langille.org (Dan Langille)
Date: Fri, 29 Feb 2008 20:30:46 -0500
Subject: [nycbug-talk] Backup service
In-Reply-To: <3cc535c80802291532g1033c44cmf76078a5677319c8@mail.gmail.com>
References: <20080228185735.X58606@mercury.atopia.net> <20080229121103.E26756@mercury.atopia.net> <20080229122739.S28331@mercury.atopia.net> <3cc535c80802291532g1033c44cmf76078a5677319c8@mail.gmail.com>
Message-ID: <3DE7B903-E816-4AB3-A780-684A7899B14B@langille.org>

On Feb 29, 2008, at 6:32 PM, Andy Kosela wrote:

> I can confirm, rsnapshot works reliably and well. We are also using
> traditional UNIX backup utilities dump/restore. They are excellent for
> doing backups of whole filesystems (working nicely in a FreeBSD
> environment because of ufs snapshots).
> In hybrid environments with a large number of servers I am suggesting
> some commercial solution like Veritas Netbackup or HP Data Protector.

Bacula: http://www.bacula.org/

disclosure: I'm a Bacula developer.
--
Dan Langille -- http://www.langille.org/
dan at langille.org

From matt at atopia.net Fri Feb 29 20:37:07 2008
From: matt at atopia.net (Matt Juszczak)
Date: Sat, 1 Mar 2008 01:37:07 +0000
Subject: [nycbug-talk] Mirrors
Message-ID: <485840447-1204335419-cardhu_decombobulator_blackberry.rim.net-106279721-@bxe006.bisx.prod.on.blackberry>

My company, bitvenue networks, is open to hosting mirrors for projects which
are open source and easily managed via rsync or a similar technology. We
already host mirrors for monowall and DSPAM. Let me know if anyone is
looking for mirrors.

Matt

From nikolai at fetissov.org Fri Feb 29 22:54:43 2008
From: nikolai at fetissov.org (nikolai)
Date: Fri, 29 Feb 2008 22:54:43 -0500 (EST)
Subject: [nycbug-talk] OpenBSD mirror
Message-ID: <9227.67.86.49.123.1204343683.squirrel@www.geekisp.com>

Folks,

Is there anything wrong with the mirror or am I missing something?

/usr/src$ cvs -q up -Pd
cvs server: `/cvs/src/etc/pf.conf,v' does not appear to be a valid rcs file
cvs server: `/cvs/src/etc/pf.conf,v' does not appear to be a valid rcs file
cvs server: etc/pf.conf is no longer in the repository
P share/man/man4/ucom.4
cvs server: `/cvs/src/sys/arch/mips64/mips64/db_machdep.c,v' does not appear to be a valid rcs file
cvs server: `/cvs/src/sys/arch/mips64/mips64/db_machdep.c,v' does not appear to be a valid rcs file
cvs server: sys/arch/mips64/mips64/db_machdep.c is no longer in the repository
cvs server: `/cvs/src/sys/arch/sgi/sgi/autoconf.c,v' does not appear to be a valid rcs file
cvs server: `/cvs/src/sys/arch/sgi/sgi/autoconf.c,v' does not appear to be a valid rcs file
cvs server: sys/arch/sgi/sgi/autoconf.c is no longer in the repository
cvs [server aborted]: premature end of change in /cvs/src/sys/netinet/ip_id.c,v
/usr/src$ cat CVS/Root
anoncvs at anoncvs.nyc.openbsd.org:/cvs
/usr/src$

Thanks.

--
Nikolai