Re: Hardware recommendations for compact 1U firewall

2016-12-22 Thread Hrvoje Popovski
On 22.12.2016. 2:17, Predrag Punosevac wrote:
> As promised in one of my earlier e-mails. OpenBSD 6.0 dmesg for
> SYS-5018A-FTN4


thank you ...



Re: rsyslog does not produce log on OpenBSD 6.0

2016-12-22 Thread Gregory Edigarov

On 20.12.16 13:47, Stuart Henderson wrote:

On 2016-12-17, Remi Locherer wrote:

On December 17, 2016 12:07:18 PM GMT+01:00, Federico Donati wrote:

Hi all,

I've a problem with an OpenBSD 6.0 box with rsyslog.

I need to send every local logs to a remote server and I can't use
syslogd, because it does not send the hostname of the server (the one
indicated in /etc/myname), but on the remote server messages come with
the PTR record of my public ip.

have you tried -h for syslogd from base?

Yep this is the easy way.


I've installed rsyslogd, but it doesn't send anything to the remote
server. And more than that, it doesn't write anything local.

Since 5.6, OpenBSD uses a special sendsyslog(2) system call for
logging. This avoids the need for a device node and available file
descriptor, which helps with chrooted programs, or if someone is
able to cause too many FDs to be opened in an attempt to prevent
logging from working.

It needs a syslogd that is able to receive these messages. It's a
fairly simple change (see src/usr.sbin/syslogd/syslogd.c r1.111)
but afaik none of the third-party log daemons support it yet.
It's quite likely that diffs to add support for this to other
daemons would be accepted for ports, maybe upstreams would accept
them too.

Workaround for this without modifying the syslog daemon:
- run normal OpenBSD syslogd in addition to the other daemon
- have the other syslog daemon bind to a specific IP address
- have OpenBSD syslogd feed the other daemon using a network socket

Or, do not run anything else than syslogd. Seriously, I can't think of
any case where that wouldn't be enough.
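The descriptor-exhaustion case from the quoted explanation of sendsyslog(2), as an added example that is not part of any post in this thread: once a process has no free descriptors, a logger that must first open a socket to reach /dev/log fails, while the system call needs no descriptor. The function name, the limit of 32 and the sample message are assumptions made for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __OpenBSD__
#include <sys/syslog.h>          /* sendsyslog(2) */
#endif

/* Returns the errno a descriptor-based logger hits when the process has
 * no free descriptors (0 if socket() succeeded, -1 on setup failure). */
int log_socket_errno_when_fds_exhausted(void)
{
    struct rlimit old, low;
    int held[64], n = 0, s, err = 0;

    if (getrlimit(RLIMIT_NOFILE, &old) == -1)
        return -1;
    low = old;
    if (low.rlim_cur > 32)
        low.rlim_cur = 32;       /* assumed small limit for the demo */
    if (setrlimit(RLIMIT_NOFILE, &low) == -1)
        return -1;

    /* Occupy every remaining slot, as a descriptor leak would. */
    while (n < 64 && (held[n] = open("/dev/null", O_RDONLY)) != -1)
        n++;

    /* A syslog(3) built on /dev/log needs a socket before it can log. */
    s = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (s == -1)
        err = errno;
    else
        close(s);

#ifdef __OpenBSD__
    /* No descriptor is needed here; the message text is constructed. */
    static const char msg[] = "<13>demo: descriptor table is full";
    (void)sendsyslog(msg, strlen(msg), 0);
#endif

    while (n > 0)                /* release the slots, restore the limit */
        close(held[--n]);
    setrlimit(RLIMIT_NOFILE, &old);
    return err;
}
```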



Re: carp and squid

2016-12-22 Thread Craig Skinner
Hi Frank,

On Wed, 21 Dec 2016 12:41:43 +0100 Frank White wrote:
> Does 2 nodes clustered openbsd firewall work with squid?
> Is there any specific configuration?
> 

carp may not be needed as:
*) PAC files can list multiple proxies
*) A DNS entry can have multiple IP addresses

See the Squid FAQ:
http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Redundant_Proxy_Auto-Configuration
http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Fully_Automatic_Configuration

Also: http://FindProxyForURL.com/example-pac-file/

Symlink a proxy.pac file as wpad.dat

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



console fonts

2016-12-22 Thread Frank White
Hi,
I tried the following command to change console fonts:

wsfontload -h 8 -e ibm /usr/share/misc/pcvtfonts/vt220l.808

but I have the following error:

wsfontload: WSDISPLAYIO_LDFONT: Invalid argument

???



mmap W^X violation for Node.js

2016-12-22 Thread Артур Истомин
I see messages about mmap W^X violation when trying to use Node.js

dmesg | grep violation
node(7370): mmap W^X violation
node(55720): mmap W^X violation
node(91488): mmap W^X violation
node(54743): mmap W^X violation
node(53528): mmap W^X violation
node(25967): mmap W^X violation
node(37398): mmap W^X violation
node(11170): mmap W^X violation
node(25855): mmap W^X violation
node(36100): mmap W^X violation
node(87214): mmap W^X violation
node(24759): mmap W^X violation
node(80235): mmap W^X violation
node(10150): mmap W^X violation
node(42778): mmap W^X violation
node(65703): mmap W^X violation
node(39453): mmap W^X violation
node(11269): mmap W^X violation
node(53294): mmap W^X violation
node(89304): mmap W^X violation
node(25578): mmap W^X violation

wxallowed is enabled

mount
/dev/sd1a on / type ffs (local, noatime, softdep)
/dev/sd1k on /home type ffs (local, noatime, nodev, nosuid, wxallowed, softdep)
/dev/sd1d on /tmp type ffs (local, noatime, nodev, nosuid, wxallowed, softdep)
/dev/sd1f on /usr type ffs (local, noatime, nodev, softdep)
/dev/sd1g on /usr/X11R6 type ffs (local, noatime, nodev, softdep)
/dev/sd1h on /usr/local type ffs (local, noatime, nodev, wxallowed, softdep)
/dev/sd1j on /usr/obj type ffs (local, noatime, nodev, nosuid, softdep)
/dev/sd1i on /usr/src type ffs (local, noatime, nodev, nosuid, softdep)
/dev/sd1e on /var type ffs (local, noatime, nodev, nosuid, softdep)

It is OpenBSD 6.0 and I'm using full disk encryption.

Am I doing something wrong? I mean, does something more need to be
enabled in addition?



Re: mmap W^X violation for Node.js

2016-12-22 Thread Renaud Allard

On 22/12/2016 18:07, Артур Истомин wrote:

> I see messages about mmap W^X violation when trying to use Node.js
>
> dmesg | grep violation
> node(7370): mmap W^X violation
> node(55720): mmap W^X violation


Even with wxallowed, the kernel still logs the violations. That doesn't 
mean it blocks them.




IBM Power roundup for the year: Inaction, likely due to stupid greed from budget managers

2016-12-22 Thread Mikael
Hi OpenBSD emailing list and others relating to the IBM Power platform.

IBM is on BCC here and I encourage you to send a paper copy to your executives
who do have authority to donate i.e. the people who write and sign your
budgets - I guess that would be your CEO and board, however you know this
better than me - to share a third-party impression of a community member in
dealing with your company.

This is neither to fame nor de-fame your company, but to share an experience
of asking for a coffee-money-size donation to enable the implementation of
support for a popular open source program for your products.

My experience provides me with nine months of constant hints that, while
members of your staff personally are well intended and would be happy to
work really well with the world, in this respect, your organization as such
is in a state of utter disability.

The really relevant people have been plugged in for about three months.
Nine months have passed and there has been no indication of any intention
of real or proactive steps to make things happen.

Please do make things happen in 2017, or competition will take over and
your community may get more of a "meh" feel about your stuff and attitudes,
leading to possible extensive and essentially-irreversible damage on your
end, which may be what you effectively intend to get in all cases, and if
so in all cases this email helps the community understand that that is what
you want, which is great.


AMD donated ten AMD64 devices in 2003. That you have not done the same
expediently has been a surprise to me, and this email is only to share that
surprise.

At some point soon I will have taken the point that your company is
disabled in those respects.


*Overview*
This email is to provide a summary of

 * Where the conversation has gone this year, with respect to me suggesting
IBM to donate some Power8 hardware for OpenBSD to implement architecture
support for it, and

 * A brief commentary on my experience, which gives me an impression that
the people planning IBM's budgets are struck by blind stupid greed, in a
way that hurts themselves and others, and hence

 * A suggestion to those same people to shape up in 2017, so that their
actually useful tech can come to actual use here and elsewhere.


*The first seven months: Talking to the wrong people, essentially total
ignorance*
I started in March. I emailed their ex-CEO, some sales guys, and their "IBM
Gives" team. None answered.

By some luck, I got to a guy at their Linux Center in Brazil who said he
was authorized to donate one device, he said they probably would be able to
donate a couple more next year but couldn't promise. Me/we clarifying we
needed at the very least four, seemed to put them off, and eventually he
said the device had gone into other use, and after that he pretty much
dropped out, suggesting I should talk to "someone else".

By pure coincidence, I got an introduction to some people a bit higher up
in the food chain, and those people essentially wouldn't give a damn.


*Eighth and ninth month: Finally getting in touch with their highest
management*
However, by continuing to talk to them and getting fairly upset at their
ignorance, I added two people referred to in an out of office email
response, and that just happened to take me to their Director of Global
Power Ecosystems and Alliances who is based in the US.

That was mid October. She was somehow taking a stand, which I found
trust-inspiring.

These people were insisting that we would use their "hosted emulator". I
reasoned that, partially considering their enormous ignorance for the past
six months, them donating is essential, as we're seeing they're extremely
slow and donating could cause a severe lag in making the architecture
support production-grade, which indeed requires real hardware.

This lady asked me to specify which specific devices I would ask to be
donated, and their extremely high up tech contacts I got, including Mr.
Stewart, graciously helped me figure which should be requested.

After about five weeks, she delegated the case to their OpenSource
Technology Development & OpenPower Enablement who is based in Australia.

Which sounded slightly unintuitive to me as I would think hardware donation
authorizations more likely would be made from the US.


*IBM staff seeming to have no authority*
I had an in-depth conversation with their highest-up technology team, and
they suggested that I greatly over-estimate how much actual Power8 hardware
they themselves have lying around.

The ultimate question seemed to be that for them to donate, "someone needs
to pay" and therefore it needs to be put on some budget. I was suggested a
sense of problem about donating as the devices are "expensive". I find this
an interesting argument for a global corporation with 80 billion USD
turnover.

And then they gave me some nonsensical suggestions about going through some
hoops, that if I-we do this-whatever then they will be impelled to, and so
on