Comments:
<0> hmm
<0> interesting rant from mycroft
<1> netbsd is dead eh
<0> netcraft confirms it
<1> indeed
<1> i got the announcement via email
<0> mycroft's crossposted rant?
<1> no from charles
<2> charles == mycroft
<1> im talking abt netbsd
<1> ah
<1> lol
<2> mycroft@
<2> (@mit.edu)
<0> so, it seems like he's saying that setting up complicated political structures are counterproductive
<0> and that in general hard **** isn't getting done
<0> welcome to the world
<1> no structure
<0> I never liked the foundation setups that fbsd and nbsd went for
<3> huzzah
<4> heh, cuz the the0cracy is so much better
<5> Hello everyone !!!
<5> I am a new user in PF and I seem to be a bit lost :P I will explain the reason.
<5> I have gone through many tutorials etc in google but the problem is that they all do a filtering in PF using as base the network card. No one says how to do so by filtering each static ip into a box .....
<5> I want to create filtering rules for each ip separately. Can maybe someone give me a hint or 2 ?? Please ??
<6> tutorials ****. read the faq
<6> start here - http://cvs.openbsd.org/faq/pf/
<5> ahmmmm. Question : block in quick on fxp0 proto tcp from any to any port ssh
<5> In the above line if I replace the fxp0 with an ip will it work ???
<6> no
<5> or I should change the first any with the ip ?
<6> warm
<5> ??
<5> warm = correct ?
<6> listen. take 30 minutes of your life and use them the best you can if you want to learn something. start reading that faq
<5> You are right. It's just that pf is something completely different than what I knew and the way it has been written this faq makes me get confused badly sometimes. I am not the kind of person that won't research first. I have written pf for my home router but for a box with dedicated ips it makes me wonder ... I love obsd and I even made a donation for this reason. It's just the faq that confuses me .....
<5> the pf faq i mean ...
<6> you know why?
<5> why friend ?
<7> if you don't know what 'from any' vs. 'to any' vs. 'on $if' means, i suggest you read the docs AGAIN
<5> Ok guys :)
<5> Gotcha
<5> I read these days at misc all about netbsd shutting down. Is this true ?
<6> ask netcraft
<6> scnr :(
<5> It's sad that a bsd system will shut down. Of course on the other hand after what I read about the things that did to theo and others maybe they got what they deserved ...
<6> bsdinside it's too soon to make such an assumption if this assumption should ever be made
<5> I used this nick not the way you understood ! But mostly for fun :P
<8> better ?????
<9> heheheh
<9> I am a total noob :)
<9> Ahm so as I can understand from the faq in order to allow inbound to a specific port this is my rule : pass in quick on fxp0 proto tcp from any to 1.2.3.4 port ssh
<9> 1.2.3.4 will then be changed to my ip of course ..... so as the fxp0.....
<6> keep it going, you're on the right track
<9> :))))))))
<10> hi
<10> yes i know, and i know....... but would someone be gracious enough to help with a time sensitive mysql problem.... no rush :)
<9> for the web server port i always need this flags ???? flags S/SA synproxy state
<9> or just a keep state ?
<9> I get a very weird error. For this rule set skip on lo0 i get /etc/pf.conf:3: syntax error ?? whats wrong in this rule ? even the faq has it this way !! ...
<9> how can it be possible to have a syntax error at set skip on lo0 ??????
<11> hello. I was just wondering, if OpenBSD is using gzsig (1) to sign all packages and install sets available from ftp? google didn't tell even a bit about that
<2> no
<2> search the misc@ and ports@ archives
<11> hmm, maybe I am just bad at searching, but I couldn't find the explanation for not signing the packages
<2> http://marc.theaimsgroup.com/?l=openbsd-misc&m=103769360002468&w=2
<2> http://marc.theaimsgroup.com/?l=openbsd-misc&m=103772247129544&w=2
<2> it's been discussed
<2> i remember espie commenting on this topic, too, but can't find the reference
<11> ok, I get why signing ports/packages doesn't imply security of port/package, but I still think that signing would help against possible tampering (like the openssh trojan that happened a while ago)
<7> i think the main reason is that of all the people building official packages that go onto cds or ftp, none would actually care to check signatures themselves, they just trust the ftp servers.
<2> Madars: it takes work to implement a useful signing/checking system
<12> a lot of work
<2> espie has plenty of other things to do
<12> and most people don't want or need it anyway
<2> simply signing packages doesn't do much good
<7> not really, all it'd take is a script gzsign'ing all packages before upload to ftp ;)
<2> you need a well-thought out system
<2> dhartmei: that's signing, sure ;)
<0> then you need to check signatures
<0> and you need key distribution
<0> and key revocation
<2> but verifying, etc...and ensuring the trustworthiness of the system...
<7> you print the DSA pubkey fingerprint on the cover of the cds, done
<7> or of the 3-6 pubkeys that are in use by the different package builders, even
<0> manually checking means you're wasting time signing
<7> point is, it only protects you from compromised ftp servers, you always have to trust the machines where the packages are built
<0> nobody's going to manually check
<7> pkg_add could do that easily ;)
<0> it sounds like you're volunteering. :)
<7> i'm not building packages, it's irrelevant :)
<0> key infrastructure ****s. that's one thing I've always liked about openssh
<7> you don't need to sign anything. just run md5 over all packages before uploading to ftp, put the output file onto the cds, done.
<7> anyone not buying a cd is irrelevant, anyway
<11> I think mtree'ing (with sha1/md5/ripemd) over all packages and putting the output file on CD would really solve issues with tampering. what are chances of that being done? :)
<7> find out who is building packages and bribe them...
<13> or the person who ships the cd's
<12> well, until -stable packages are released
<12> then you can guarantee that your firefox has a security hole, but not that the patched one doesn't have a backdoor ;-)
<7> it would have to be the kind of bribe that is repeated regularly ;)
<14> dhartmei: speaking of package security - the vuxml entry on undeadly is hopelessly outdated and unmaintained... maybe better remove it?
<7> yeah, then they realize it and update it again, and i can re-add it. it's fun to do that every 3 months ;)
<14> ;/
<7> i think they don't get contributions to the openbsd section, the freebsd section gets updated
<7> watch ports-changes@ and mail them, i guess :)
<14> dhartmei: it's robert@ job, he runs the cvs repository
<15> can anyone ballpark how much power i'd need for a system pushing about 1.5mbit to 10 clients... ralink 2500 chipset, and wep..
<15> would a 133mhz pentium handle the encryption load with some breathing room?
<15> with openbsd 3.9 of course..
<14> should work