Subject: Troubles and questions about Q700 and NetBSD 1.5 (Feb 28 kernel)
To: None <port-mac68k@netbsd.org>
From: Scott Boone <Scott@ScottBoone.com>
List: port-mac68k
Date: 03/02/2001 11:11:30
Hello all, longtime reader, first-time poster...

I took the plunge and decided to monkey with my Q700 NetBSD 1.4 install last
night. It has been running since May 2, 1999 with no problems. (You might
think, "You fool!", for playing with it.) I was getting concerned about some
of the security breaches lately, and since it is a firewall/router that runs
ftpd, BIND, dhcpd, dhclient, and telnet, and 1.4 just doesn't have ssh, I
thought it was time.

Oh boy.

In order to get the Q700 even to boot into 1.5, I had to use the Feb 28 1.5
snapshot. The release gave me that a6 db> error before single-user that some
others have seen. I didn't try the Feb 21 (or January patched kernels). Does
ANYONE have any good information about what might be the most stable here?
Does this latest snapshot include the ESP and Quadra fixes that I saw
floating around late-January?

I have been experiencing some problems, but I'm unable to attribute them to
the kernel or just trying to configure things after coming off 1.4.

One such problem seems to be:
sd0(esp0:0:0):  Check Condition on CDB: 0x0a 00 2c 10 10 00
    SENSE KEY:  Recovered Error
   INFO FIELD:  11292
 COMMAND INFO:  3604808 (0x370148)
     ASC/ASCQ:  Peripheral Device Write Fault
         SKSV:  Actual Retry Count: 1

It came up on console, so I'm not really sure if it has ever happened before
under 1.4, but I'd doubt it. Is there any way to make sure things like this
get logged to file--maybe a granulizer? I only got this once in nearly 12
hours of operation.

Another problem I am seeing (also logging to console) is this:
Bsd dhcpd: /usr/cvs/src/usr.bin/dhcp/common/dns.c(426): non-null pointer
Bsd dhcpd: if IN A  doesn't exist add 21600 IN A  10.0.0.211: resolver
failed.

It happens when DHCPD gets hit for a lease, so I've seen it three or four
times already. I never noticed it before, but again, I never saw console.

And finally, I've been wading through the changelogs looking for a good
answer to this, couldn't really find one, so I thought I'd ask: I'm running
the 1.5 release distro (base, man, text, misc); how secure am I?

To put it another way, are the "known" exploits on BIND still there? (for
example) I'm planning on kicking telnet out and running ssh, and my ftpd is
already set up with chroot and the good stuff. Should I just go ahead and
install a current binary snapshot, or wait? I'm not good (AT ALL) with
compiling things, but if ya tell me that's what I should do, I will.

Thanks.

-- 

Scott Boone
Scott@ScottBoone.com
717.860.2666
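As an added example (not from the post, and not NetBSD's own code), here is a small Python parser for the multi-line sd0 Check Condition block quoted above, so that console messages of that kind can be pulled out of a log file and triaged rather than scrolling past on the console. It decodes the 6-byte WRITE CDB, checks that the INFO FIELD block really falls inside the write's LBA range, and grades a Recovered Error as a warning rather than a failure. The layout assumed is exactly the one shown in the post; the sample input is constructed from it.

```python
import re

# Constructed sample input: the sd0 Check Condition block as the post shows it
# on the console (one header line followed by indented sense fields).
SAMPLE = """\
sd0(esp0:0:0):  Check Condition on CDB: 0x0a 00 2c 10 10 00
    SENSE KEY:  Recovered Error
   INFO FIELD:  11292
 COMMAND INFO:  3604808 (0x370148)
     ASC/ASCQ:  Peripheral Device Write Fault
         SKSV:  Actual Retry Count: 1
"""

HEADER_RE = re.compile(
    r"^(?P<dev>\w+)\((?P<path>[^)]+)\):\s+Check Condition on CDB:\s+(?P<cdb>[0-9a-fx ]+?)\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Z/][A-Z/ ]*?):\s+(?P<val>.+?)\s*$")

def parse_check_conditions(text):
    """Group each header line with its indented sense fields into one dict per event."""
    events, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cdb = [int(b, 16) for b in m.group("cdb").replace("0x", "").split()]
            cur = {"device": m.group("dev"), "path": m.group("path"), "cdb": cdb}
            events.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group("key")] = m.group("val")
    return events

def decode_cdb6(cdb):
    """Return (lba, blocks) for 6-byte READ(6)/WRITE(6) CDBs; other opcodes are not decoded."""
    if len(cdb) != 6 or cdb[0] not in (0x08, 0x0A):
        return None
    lba = ((cdb[1] & 0x1F) << 16) | (cdb[2] << 8) | cdb[3]
    return lba, (cdb[4] or 256)  # a transfer length of 0 means 256 blocks in 6-byte CDBs

def triage(ev):
    """Grade the event and pin down the block the drive had trouble with."""
    retries = re.search(r"Retry Count:\s*(\d+)", ev.get("SKSV", ""))
    info = ev.get("INFO FIELD", "")
    rng = decode_cdb6(ev["cdb"])
    out = {
        "severity": "warning" if ev.get("SENSE KEY") == "Recovered Error" else "error",
        "retries": int(retries.group(1)) if retries else 0,
        "bad_lba": int(info) if info.isdigit() else None,
        "op": {0x08: "READ(6)", 0x0A: "WRITE(6)"}.get(ev["cdb"][0], "opcode 0x%02x" % ev["cdb"][0]),
    }
    # For a recovered error the INFO FIELD is the LBA that needed retries; confirm it lies
    # inside the command's range so a repeated bad block can be trusted and tracked.
    out["in_range"] = bool(rng and out["bad_lba"] is not None
                           and rng[0] <= out["bad_lba"] < rng[0] + rng[1])
    return out

if __name__ == "__main__":
    for ev in parse_check_conditions(SAMPLE):
        print(ev["device"], ev["path"], triage(ev))
```

Feeding a whole kernel log through parse_check_conditions and counting recurring bad_lba values is the quickest way to tell a one-off recovered write from a drive that is starting to fail.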