norbert's weblog

norbert's random stuffs...

Clonable pflog(4), etc.

Posted by Norbert on Thu Oct 26 23:52 PHT 2006
From the "they called it bsd, and open because its always free!" section

There have been many commits to pf in the OpenBSD current source tree these past few weeks. Aside from the implicit 'flags S/SA' and 'keep state' (that can be overridden by 'no state') on a filter rule and allowing the 'quick' keyword on an anchor rule, the pflog(4) device is now a clonable interface. I can now log a certain set of hosts (or a certain rule) to a certain pflog interface. For example...
block log (to pflog9) all
...
block in log (to pflog1) on $ext_if proto tcp from <banned> to $ext_if
pass in log (to pflog2) on $ext_if proto tcp from <allowed> to $ext_if
...
This is pretty cool! And I can have up to 16 pflog interfaces! I'm currently experimenting with this feature.
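With logging split across several pflog interfaces, it helps to audit which rule feeds which interface before reloading the ruleset. The script below is an added example, not code from the original post or from OpenBSD: it handles single-line pass/block rules only, the sample ruleset and the interface name em0 are constructed, and the limit of 16 is the figure quoted above.

```python
import re
from collections import defaultdict

# Constructed sample ruleset, modelled on the rules quoted in the post.
SAMPLE_PF_CONF = """\
ext_if = "em0"            # constructed interface name
block log (to pflog9) all
block in log (to pflog1) on $ext_if proto tcp from <banned> to $ext_if
pass in log (all, to pflog2) on $ext_if proto tcp from <allowed> to $ext_if
pass out log on $ext_if proto udp all   # no "to": logged to pflog0
pass in on $ext_if proto icmp all       # not logged at all
"""

MAX_PFLOG = 16  # figure quoted in the post; an assumption, not read from pf

# "log" optionally followed by a parenthesised option list
LOG_RE = re.compile(r"\blog\b(?:\s*\(([^)]*)\))?")
# "to pflogN" inside that option list
TO_RE = re.compile(r"\bto\s+(pflog\d+)\b")


def log_targets(pf_conf: str) -> dict[str, list[int]]:
    """Map each pflog interface to the line numbers of rules logging to it."""
    targets = defaultdict(list)
    for lineno, raw in enumerate(pf_conf.splitlines(), start=1):
        rule = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not rule.startswith(("pass", "block")):
            continue                             # macros, tables, options
        m = LOG_RE.search(rule)
        if not m:
            continue                             # rule does not log
        to = TO_RE.search(m.group(1) or "")
        # Without an explicit "to", pf logs to the default pflog0.
        targets[to.group(1) if to else "pflog0"].append(lineno)
    return dict(targets)


def audit(pf_conf: str) -> list[str]:
    """Return one finding per interface, plus a warning if over the limit."""
    targets = log_targets(pf_conf)
    findings = [f"{ifname}: rules on lines {lines}"
                for ifname, lines in sorted(targets.items())]
    if len(targets) > MAX_PFLOG:
        findings.append(
            f"{len(targets)} pflog interfaces referenced, limit is {MAX_PFLOG}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PF_CONF)))
```

Each interface listed can then be read on its own with tcpdump's -i option.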

BTW, rthreads syscalls were committed to libc. A response to Ben Hawkes' RUXCON presentation was also committed to libc and is enabled by default.

NVIDIA Blob Buffer Overflow

Posted by Norbert on Tue Oct 17 08:59 PHT 2006
From the "catching up on security issues" section

After the controversial Atheros wireless blob exploit, another blob problem was discovered. Today, it's against the NVIDIA graphics blob driver for Linux, Solaris, and FreeBSD. A buffer overflow has been discovered in the NVIDIA binary graphics driver. A proof-of-concept was also included in the advisory.

http://download2.rapid7.com/r7-0025/

Blobs can pose security risks on our system since OS developers don't have direct access to the blob code (thus cannot maintain, improve, audit, and/or fix the code), and the fact is, most blobs run inside the kernel space of the host system. IMO, security-oriented operating systems (e.g. Hardened Gentoo) should have a policy not to allow any inclusion of binary blobs on their system just like what the OpenBSD project is doing.

ACPI on OpenBSD/amd64

Posted by Norbert on Sun Oct 15 00:50 PHT 2006
From the "they called it bsd, and open because its always free!" section

After the massive ACPI code changes committed by jordan@ and marco@ on the current source tree, my OpenBSD/amd64 system now shuts down gracefully and powers off when pushing the power button after enabling ACPI on my kernel.
--- src/sys/arch/amd64/conf/GENERIC.orig	Wed Oct 11 00:07:37 2006
+++ src/sys/arch/amd64/conf/GENERIC	Mon Oct 15 00:27:21 2006
@@ -43,18 +43,18 @@
 isa0	at pcib?
 pci*	at mainbus0
 
-#option		ACPIVERBOSE
-#option		ACPI_ENABLE
+option		ACPIVERBOSE
+option		ACPI_ENABLE
 
-#acpi0		at mainbus?
-#acpitimer*	at acpi?
-#acpihpet*	at acpi?
-#acpiac*	at acpi?
-#acpibat*	at acpi?
-#acpibtn*	at acpi?
-#acpicpu*	at acpi?
-#acpiec*	at acpi?
-#acpitz*	at acpi?
+acpi0		at mainbus?
+acpitimer*	at acpi?
+acpihpet*	at acpi?
+acpiac*	at acpi?
+acpibat*	at acpi?
+acpibtn*	at acpi?
+acpicpu*	at acpi?
+acpiec*	at acpi?
+acpitz*	at acpi?
 
 ipmi0	at mainbus?		# IPMI
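Review bot: Carry these ACPI lines in a separate kernel configuration file rather than uncommenting them in src/sys/arch/amd64/conf/GENERIC itself; with GENERIC modified in place, every later update of the source tree has to be merged against this hunk. Also, 'option ACPIVERBOSE' is switched on together with 'option ACPI_ENABLE' at the top of the hunk; if the extra output is only wanted while testing, leave that line commented so the change is limited to what the power button handling needs.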

Here's a snippet of my dmesg:
$ dmesg | grep acpi
acpi0 at mainbus0: rev 0
acpi0: tables DSDT FACP SSDT MCFG APIC
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpibtn0 at acpi0: PWRB
...

Tagpi, My Monster!

Posted by Norbert on Sun Oct 8 09:09 PHT 2006
From the "misc - all about my cat" section

This is "Tagpi" my cat, posing in front of the camera with the Beanie daemon.


He loves to jump, walk, and preen on keyboards, sleep on monitors, nibble on network cables, chase rolling discs, play with Beanie. He also chases the cursor on my screen sometimes.

By the way, he's the one who broke my WD200 and he also loves tearing off Penguin stuffed toys <grin>

TGP on 38th

Posted by Norbert on Wed Oct 4 07:10 PHT 2006
From the "misc - fortis, voluntas, fraternitas" section

Happy 38th anniversary Tau Gamma Phi Triskelion Grand Fraternity. Greetings to my fellow Triskelions :-)


The contents of this weblog are presented without warranty of any kind. This server is powered by Apache and OpenBSD.