GPRS/EDGE modems to use with a notebook
Hi! I'm looking for a mobile device which I could use for connecting to the internet with a notebook. I've read the www.openbsd.org/i386.html page and found some devices, but those are rather hard to find here in Hungary. Could someone inform me about some other GPRS/EDGE capable devices which will work with OpenBSD? (be it a pc-card or a mobile phone). Thanks! Daniel
Re: GPRS/EDGE modems to use with a notebook
On 2007. November 2. 17:56.39 John Jackson wrote:
> I've had success with the Sierra Wireless Aircard 860 on a Thinkpad
> X40. Lately though the card seems to be acting flakey and causing
> hard lockups. That could be a combination of the firmware which on
> the Aircard and the carrier which is AT&T. From what I've read, it's
> recommended to keep the firmware updated to keep in step with the
> carrier's infrastructure updates. Unfortunately I haven't found a
> way to upgrade the cards firmware under OpenBSD or Linux.
>
> http://www.sierrawireless.com/estore/Default.aspx?SKU=1100521&CID=1
>
> John

Thanks John, this would be great. Only one thing bothers me: "Attention: the AirCard 860 is in its End Of Life phase and no longer available. For more information, click here / from the above mentioned site /

> > On Fri, Nov 02, 2007 at 05:01:16PM +0100, Daniel wrote:
> > > Hi!
> > >
> > > I'm looking for a mobile device which I could use for connecting to
> > > the internet with a notebook. I've read the
> > > www.openbsd.org/i386.html page and found some devices, but those
> > > are rather hard to find here in Hungary. Could someone inform me
> > > about some other GPRS/EDGE capable devices which will work with
> > > OpenBSD? (be it a pc-card or a mobile phone).
> > >
> > > Thanks!
> > >
> > > Daniel
Re: OpenBSD Sound
On 2007. November 2. 14:23.27 Dorian B|ttner wrote: > On Friday 02 November 2007 13:42:33 Dorian B|ttner wrote: > > On Friday 02 November 2007 13:07:54 Jacob Meuser wrote: > > > On Fri, Nov 02, 2007 at 12:42:29PM +0100, Dorian B?ttner wrote: > > > > On Wednesday 31 October 2007 22:22:15 Jacob Meuser wrote: > > > > [...] > > > > > > > > > probably not; at least not anytime soon. > > > > > > > > > > something for "newbie hackers" to work on: an ISC licensed > > > > > audio daemon. > > > > > > > > Sorry for hijacking this thread, propably anyone has a quick > > > > hint to make my audio work in kde. > > > > > > > > Built /usr/src/regress/sys/dev/audio/obj as described here > > > > http://www.nabble.com/NVIDIA-MCP51-HD-Audio-azalia-problems-t46 > > > >29307.ht ml and autest -r 48000 delivers good quality tone. > > > > > > > > relevant dmesg seems to be this one: > > > > azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev > > > > 0x02: apic 2 int > > > > 21 (irq 10) > > > > azalia0: host: High Definition Audio rev. 1.0 > > > > azalia0: codec: Realtek/0x0862 (rev. 0.1), HDA version 1.0 > > > > azalia0: codec: Motorola/0x3055 (rev. 7.0), HDA version 1.0 > > > > azalia0: codec[1]: No support for modem function groups > > > > azalia0: codec[1]: No audio function groups > > > > audio0 at azalia0 > > > > > > > > However this doesn't seem to be a driver problem since autest > > > > passed with success. It's just that kde doesn't detect the > > > > device, where can I look at to nail down the problem? pkg_info > > > > contains either esound and arts. > > > > > > is artsd running? > > > > > > $ pgrep -l artsd > > > > 2299 artsd > > > > > is the audio device opened for playback? > > > > > > $ audioctl play.open > > > > play.open=0 > > seems not to be 'yes'? it is read-only variable. > > > > > is it actuall artsd that has /dev/sound opened? 
(artsd uses > > > /dev/sound instead of /dev/audio) > > > > > > $ fstat /dev/sound > > > > empty table > > > > > if all those are yes, then see if it works: > > > > > > $ artscat file.wav > > > > > > oh, and since you have azalia, you may need to tell artsd to > > > resample to 48kHz. K Menu -> Settings -> Sounds & Multimedia -> > > > Sound System In the Hardware tab. Check "Use custom sampling > > > rate", set it to 48000 Hz. or manually starts artsd with 'artsd > > > -r 48000'. > > > > done, but didn't help. Shouldn't artsd appear in the list of > > available soundsystems, btw? > > > > THanks, > > Dorian > > ok I removed the auto-suspend checkbox in the control center audio > settings. After restarting the system I now have better values: > $ audioctl play.rate > play.rate=48000 > $ audioctl play.open > play.open=1 > $ artscat testcase.wav > plays fine :)) however kde doesn't. There seems to be the glue > missing between the artsd and the kde sound system? If you mean the kde system notification sounds are not working check this: KDE Control Center / Sound & Multimedia / System Notifications: Bottom Right corner -> [Player Settings] button. HTH, Daniel
Re: GPRS/EDGE modems to use with a notebook
On 2007. November 2. 19:30.56 Kevin Cheng wrote: > Hi, > > these are summarized from documentation with tested or untested, up > to 4.2+: > > Kevin > [...] Thanks a lot! Where did you get this list? Daniel
typo on i386.html
Hi!

How does one report this kind of "bug"? There is a typo on the http://www.openbsd.org/i386.html page:

Under the "PC Cards (PCMCIA/CardBus (B))" section:

  o Serial ports, including:
    [...]
    o Sony Ericsson GC89 GSM/GPRS/EGDE modems

s/EGDE/EDGE/

What is the proper way of dealing with this? Send a mail to [EMAIL PROTECTED], or send a diff to [EMAIL PROTECTED]

Thanks!

Daniel
/tmp permissions, I don't get this...
Hi!

Case 1:

$ id
uid=1000(leva) gid=1000(leva) groups=1000(leva)
$ ls -ld /tmp/
drwxwt 4 root wheel 512 Nov 3 13:05:03 2007 /tmp//
$ touch /tmp/test && ls -l /tmp/test
-rw-r- 1 leva wheel 0 Nov 3 13:09:04 2007 /tmp/test
$ rm /tmp/test && ls -l /tmp/test
ls: /tmp/test: No such file or directory

I can create and remove files in and from the /tmp directory. This is the expected behaviour (at least for me).

Case 2 (I've added myself to the wheel group):

$ id
uid=1000(leva) gid=1000(leva) groups=1000(leva), 0(wheel)
$ ls -ld /tmp/
drwxwt 4 root wheel 512 Nov 3 13:05:03 2007 /tmp//
$ touch /tmp/test
touch: /tmp/test: Permission denied

^^^ I can not create the file in /tmp, although I got world write permissions to it. It seems if I'm in the wheel group and the wheel group owns the directory, then only the group permissions count? (sounds lame, but I can not think of other reasons).

After changing the /tmp directory's group permissions to -wx, I can create and remove files from it while I'm in the wheel group.

What could cause this behaviour?

Thanks!

Daniel
Re: /tmp permissions, I don't get this...
On 2007. November 3. 14:12.14 Antoine Jacoutot wrote:
> On Sat, 3 Nov 2007, Daniel wrote:
> > $ ls -ld /tmp/
> > drwxwt 4 root wheel 512 Nov 3 13:05:03 2007 /tmp//
>
> Why is your /tmp chmod this way?
> It should be 1777

I thought this question would arise :D but I (while being completely respectful and polite) think this is not the point. I just want to know why this is working this way.

Daniel
Re: how to support Intel 965?
On 2007. November 3. 12:57.07 23e7 wrote: > Hi, [...] > vga1 at pci0 dev 2 function 0 "Intel 82965GM Video" rev 0x03: [...] Hi! This could be a long shot, but I think you need the "intel" driver from xorg. It's called "xf86-video-intel" and it's in xenocara. Maybe you should try to install it? Daniel
Re: /tmp permissions, I don't get this...
On 2007. November 3. 15:13.29 Marc Espie wrote:
> On Sat, Nov 03, 2007 at 01:14:20PM +0100, Daniel wrote:
> > ^^^ I can not create the file in /tmp, although I got world write
> > permissions to it. It seems if I'm in the wheel group and the wheel
> > group owns the directory, then only the group permissions counts?
>
> Yes, that's the way Unix permissions work, and as far as I know,
> that's always been the case.
>
> Unix doesn't play `nice' tricks. The way permissions work is quite
> simple:
>
> - is your uid the same as the directory/file owner ?
>   -> then only the user permission bits apply.
>
> - do you have a gid/supplementary group the same as the
>   directory/file group
>   -> then only the group permission bits apply.
>
> - otherwise, you get the other permission bits.
>
> Contrary to other systems, you don't *add* permission bits
> corresponding to various things that may apply to you. You stop at
> the most distinctive level that applies to you.

Thanks a lot!

Daniel
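The first-match rule described in the reply above, as an added example that is not part of the original thread and is not OpenBSD's kernel code. The struct names, the helper can_create_in_tmp() and the directory mode 01703 (owner rwx, group none, other -wx, sticky) are assumptions constructed to reproduce Case 2; the additive variant exists only to show the model Unix does not use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define WANT_R 4
#define WANT_W 2
#define WANT_X 1

/* Hypothetical, simplified credential and file-permission records. */
struct cred {
    uid_t uid;
    gid_t gid;              /* primary group */
    const gid_t *groups;    /* supplementary groups */
    size_t ngroups;
};

struct file_perm {
    uid_t uid;
    gid_t gid;
    mode_t mode;
};

static bool in_group(const struct cred *c, gid_t gid)
{
    if (c->gid == gid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Pick exactly one permission class: 'u', then 'g', then 'o'. */
char perm_class(const struct cred *c, const struct file_perm *f)
{
    if (c->uid == f->uid)
        return 'u';
    if (in_group(c, f->gid))
        return 'g';
    return 'o';
}

/* Unix model: only the bits of the first matching class are consulted. */
bool access_ok(const struct cred *c, const struct file_perm *f, int want)
{
    int shift;

    if (c->uid == 0)        /* simplification: superuser bypasses the check */
        return true;
    switch (perm_class(c, f)) {
    case 'u': shift = 6; break;
    case 'g': shift = 3; break;
    default:  shift = 0; break;
    }
    return (((int)(f->mode >> shift) & 7) & want) == want;
}

/* Contrast only: an additive model that ORs every class that applies. */
bool access_additive(const struct cred *c, const struct file_perm *f, int want)
{
    int granted = (int)f->mode & 7;                 /* "other" applies to all */

    if (in_group(c, f->gid))
        granted |= (int)(f->mode >> 3) & 7;
    if (c->uid == f->uid)
        granted |= (int)(f->mode >> 6) & 7;
    return (granted & want) == want;
}

/* Constructed sample data: uid 1000, with or without wheel (gid 0). */
static const gid_t groups_plain[] = { 1000 };
static const gid_t groups_wheel[] = { 1000, 0 };

static struct cred make_user(bool in_wheel)
{
    struct cred c = { 1000, 1000, groups_plain, 1 };
    if (in_wheel) {
        c.groups = groups_wheel;
        c.ngroups = 2;
    }
    return c;
}

/* Creating a file in a directory needs write and search on that directory. */
bool can_create_in_tmp(bool in_wheel, mode_t tmp_mode)
{
    struct cred c = make_user(in_wheel);
    struct file_perm tmp = { 0, 0, tmp_mode };      /* root:wheel */
    return access_ok(&c, &tmp, WANT_W | WANT_X);
}

bool additive_would_allow(bool in_wheel, mode_t tmp_mode)
{
    struct cred c = make_user(in_wheel);
    struct file_perm tmp = { 0, 0, tmp_mode };
    return access_additive(&c, &tmp, WANT_W | WANT_X);
}

int main(void)
{
    printf("01703, not in wheel: %d\n", can_create_in_tmp(false, 01703));
    printf("01703, in wheel:     %d\n", can_create_in_tmp(true, 01703));
    printf("01777, in wheel:     %d\n", can_create_in_tmp(true, 01777));
    printf("additive, in wheel:  %d\n", additive_would_allow(true, 01703));
    return 0;
}
```

Adding a user to a group can therefore remove access when the group bits are narrower than the other bits, which is worth checking when auditing directory modes.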
Re: Skype on the OpenBSD
On Sun, 2 Dec 2007 16:48:14 + Jacob Meuser <[EMAIL PROTECTED]> wrote: > VoIP applications generally require full-duplex audio operation (or > two soundcards, but that gets icky as far as configuration goes). > you'll have much more luck with full-duplex audio in -current > (or when 4.3 is released). > > also see ports/telephony/pjsua in -current. > Could you provide some information about which drivers provide full-duplex audio in current? Daniel
strange pfctl output
Hi!

I'm having this problem:

# pfctl -sr |fgrep ftp
[...]
pass out on rl0 inet proto tcp from to <__automatic_39c048b4_0> port = ftp flags S/SA keep state

What is that automatic stuff? I wish to see the corresponding (below) rules' entries in pfctl's output. The corresponding rules in the pf.conf would be:

pass out on $ext_if inet proto tcp from $ip to anga.funkfeuer.at port ftp
pass out on [...] to ftp.openldap.org port ftp
pass out on [...] to ftp.postgresql.org port ftp
pass out on [...] to ftp.pureftpd.org port ftp
etc...

Daniel
[no subject]
Hi! Anyone experiencing or experienced segfaults with openldap using the bdb backend? I'm using -current ports tree, and built the openldap-{client,server}, dbv4 and cyrus-sasl2 packages from there. I will certainly provide much more info, I just want to know if there are other people out there who are experiencing this same behaviour. Thanks! Daniel
openldap with dbv4 crash
Hi (again, sorry, now with Subject)! Anyone experiencing or experienced segfaults with openldap using the bdb backend? I'm using -current ports tree, and built the openldap-{client,server}, dbv4 and cyrus-sasl2 packages from there. I will certainly provide much more info, I just want to know if there are other people out there who are experiencing this same behaviour. Thanks! Daniel
Re: openldap with dbv4 crash
On Sat, 29 Dec 2007 13:41:06 -0600 Vijay Sankar <[EMAIL PROTECTED]> wrote: > On December 29, 2007 11:23:19 am Daniel wrote: > > Hi (again, sorry, now with Subject)! > > > > Anyone experiencing or experienced segfaults with openldap using > > the bdb backed? I'm using -current ports tree, and built the > > openldap-{client,server}, dbv4 and cyrus-sasl2 packages from there. > > > > I will certanly provide much more info, I just want to know if there > > are other people out there who are experiencing this same behaviour. > > > > Thanks! > > > > Daniel > > No problems here so far, my test servers are running -current as of > Thu Dec 27 13:53:57 CST 2007. slapd and slurpd are OK and replication > is also working well. No seg faults yet. > > Can you tell me which FLAVOR are you using with dbv4 and openldap? Daniel
Re: openldap with dbv4 crash
On Sat, 29 Dec 2007 15:49:20 -0600 Vijay Sankar <[EMAIL PROTECTED]> wrote: > On December 29, 2007 02:15:15 pm Daniel wrote: > > On Sat, 29 Dec 2007 13:41:06 -0600 > > > > Vijay Sankar <[EMAIL PROTECTED]> wrote: > > > On December 29, 2007 11:23:19 am Daniel wrote: > > > > Hi (again, sorry, now with Subject)! > > > > > > > > Anyone experiencing or experienced segfaults with openldap using > > > > the bdb backed? I'm using -current ports tree, and built the > > > > openldap-{client,server}, dbv4 and cyrus-sasl2 packages from > > > > there. > > > > > > > > I will certanly provide much more info, I just want to know if > > > > there are other people out there who are experiencing this same > > > > behaviour. > > > > > > > > Thanks! > > > > > > > > Daniel > > > > > > No problems here so far, my test servers are running -current as > > > of Thu Dec 27 13:53:57 CST 2007. slapd and slurpd are OK and > > > replication is also working well. No seg faults yet. > > > > Can you tell me which FLAVOR are you using with dbv4 and openldap? > > > > Daniel > > Hopefully I did not misunderstand your question. > > Here is what I did: > > env FLAVOR=bdb make package > > ls -l /usr/ports/packages/i386/all/openld* > > -rw-r--r-- 3 root wheel 1244876 Dec 27 14:41 > openldap-client-2.3.33p0.tgz -rw-r--r-- 3 root wheel 916837 Dec > 27 14:44 openldap-server-2.3.33p2-bdb.tgz > > Then I just did a pkg_add for openldap-server-2.3.33p2-bdb.tgz. The > db package was db-4.6.21. > Same here, but I get reproducible segfault :\ And it is caused by dbv4 unfortunately. I would have tried with a newer openldap (2.3.40), but from 2.3.39, openldap doesn't support db-4.6, only 4.2-4.5. So I'm kind of stuck here. I think I going to have to try out openldap 2.4. Daniel
Re: openldap with dbv4 crash
Vijay Sankar wrote:

On December 30, 2007 08:03:09 pm Stuart Henderson wrote:

On December 29, 2007 11:23:19 am Daniel wrote:

Hi (again, sorry, now with Subject)! Anyone experiencing or experienced segfaults with openldap using the bdb backed? I'm using -current ports tree, and built the openldap-{client,server}, dbv4 and cyrus-sasl2 packages from there.

openldap 2.3 doesn't support newer db 4.6 versions (should fail the regression tests).

Yes, indeed, looking at this commit: http://www.openldap.org/devel/cvsweb.cgi/configure.diff?r1=1.598.2.40&r2=1.598.2.41&hideattic=1&sortbydate=0

there's support in 2.4 but iirc it's not a simple thing to backport.

Why should we backport the db4.6 support? We just need to use 2.4.

Thanks very much for this information. Not sure how to help, but I am not seeing any seg faults so far. If there is something helpful for me to do, please advise. It is not clear from Daniel's message as to whether there is any specific thing that causes the seg fault or whether slapd just simply does not start.

Below I will write down how to reproduce the crash on an i386 machine, openldap compiled from ports, with FLAVOR=bdb. Start with a fresh database directory, use the stock DB_CONFIG options, and of course the bdb backend. Add just the root dn, with the domaincomponent attributes ie. "dn: dc=domain,dc=com", and a rootdn account. Now test it with a simple ldapsearch command (eg. filter (objectclass=*), it succeeds. Exit from slapd, then restart it, with the same slapd.conf as before. Now do that simple ldapsearch again, and then slapd will segfault. Doing a not so informative gdb with slapd, it shows that it crashes with the libdb libraries. Changing the database backend to ldbm solves the problem, what also supports this theory. In the above example, it doesn't matter if one uses TLS or not. With openldap-2.4, one can not use the ldbm backend anymore, but there is no need to, because the bdb backend is working with it.

[...]

Normally I use packages. But some time ago, I was able to use syncrepl with OpenLDAP 2.3.33 and used the following ./configure command to build from source.

env CPPFLAGS="-I/usr/local/include/db4 -I/usr/local/include/sasl" \
LDFLAGS="-L/usr/local/lib/db4 -L/usr/local/share/libtool/libltdl -L/usr/local/lib/sasl2 -L/usr/local/lib" \
./configure \
--prefix=/usr/local \
--enable-slapd \
--enable-cleartext \
--enable-crypt \
--enable-rewrite \
--enable-wrapper \
--with-cyrus-sasl=yes \
--enable-spasswd \
--enable-dnssrv \
--enable-ldap \
--enable-ldbm \
--enable-bdb \
--enable-meta \
--enable-null \
--enable-passwd \
--disable-ipv6 \
--disable-shell \
--enable-slurpd \
--enable-overlays=mod \
--with-tls \
--disable-sql

Is this correct? Should I make any changes? Please let me know.

Same here, almost.

Thanks very much, Vijay
Re: openldap with dbv4 crash
On Wed, 2 Jan 2008 11:13:26 -0600 Vijay Sankar <[EMAIL PROTECTED]> wrote: > On December 31, 2007 06:59:06 am Vijay Sankar wrote: > > > > env CPPFLAGS="-I/usr/local/include/db4 -I/usr/local/include/sasl" \ > > LDFLAGS="-L/usr/local/lib/db4 -L/usr/local/share/libtool/libltdl > > -L/usr/local/lib/sasl2 -L/usr/local/lib"\ ./configure \ > > --prefix=/usr/local \ > > --enable-slapd \ > > --enable-cleartext \ > > --enable-crypt \ > > --enable-rewrite \ > > --enable-wrapper \ > > --with-cyrus-sasl=yes \ > > --enable-spasswd \ > > --enable-dnssrv \ > > --enable-ldap \ > > --enable-ldbm \ > > --enable-bdb \ > > --enable-meta \ > > --enable-null \ > > --enable-passwd \ > > --disable-ipv6 \ > > --disable-shell \ > > --enable-slurpd \ > > --enable-overlays=mod \ > > --with-tls \ > > --disable-sql > [...] > > The OP said that his ./configure command was almost the same as what > I did above but did not bother to say what the difference was. I > followed the settings that Marc Balmer had in ports and so I wonder > whether that is why I haven't seen any problems yet. Okay then: ./configure \ --prefix=/usr/local --sysconfdir=/etc --localstatedir=/var \ --enable-shared --disable-static \ --enable-rewrite --without-cyrus-sasl --disable-ipv6 \ --enable-ldap --with-tls=openssl Basically no backends were compiled in except bdb,hdb,monitor,relay and ldap. But really, I don't think these configure options are relevant, because the crash happens with the db-4.6 libraries (according to gdb). > > Usually, I have problems even when no one else has any issues so I am > surprised to not have had a crash or any problems at all when I > should have had seg faults! I am using all the samba-related schemas > PLUS slurpd and I am still not seeing segfaults with OpenLDAP > 2.3.33p2 and DB 4.6. 
I am not new to OpenBSD (have used it since 2.8 > and have the CD's to prove it :) but don't know whether I have > somehow made a mistake in compiling userland or whether there is some > other issue involved that is making use of older versions of DB4. Can you try executing ldd(1) on slapd. Is it linked against the 4.6 db libraries? Daniel
sendmail in base not supporting AUTH?
Hi! I wish to use sendmail in base to use a SMART_HOST (my isp's smtp server), and that SMART_HOST requires authentication. I was told that sendmail must be compiled with SASL support even if it is only acting as an smtp client when using AUTH. Is it right? Am I stuck here, and won't be able to configure sendmail to support AUTH as an smtp client? Thanks! Daniel
Re: cookie for the first one to port Micropolis
On Tuesday 15 January 2008 19:53:10 you wrote:
> On Tue, 15 Jan 2008, Deanna Phillips wrote:
> > Thanks for testing. The tarball has been updated with a handful
> > of changes, including a patch from kurt@ to fix the shared
> > memory leak.
> >
> > Anyone want to ok it?
> >
> > http://freedaemon.com/~deanna/micropolis.tar.gz
>
> Doesn't work at all for me. The menu starts but it
> doesn't accept mouse nor keyboard. I'm using KDE on i386.

I ran into this, and the problem was that the numlock was on. I had to turn it off, and then I could use the keyboard and the mouse in the menu.

hth,
Daniel
Acer notebook with invilink wifi
Hi! I'm looking at these acer travelmate notebooks, which claim to be equipped with "Acer InviLink" wireless devices. What chipset is this? Is this supported? Also, I heard some rumors that it uses marvell chipset for its gigabit lan. What are the experiences with these notebooks (if there are any)? Thanks! Daniel
supported USB tv-tuner card
Hi! I'm looking for a well supported USB tv-tuner device for my laptop. I've read the http://www.openbsd.org/i386.html page, and noticed that the bktr(4) driver could help me. But I'd be glad if someone would tell me some experience with various devices. Any info would be appreciated. Thanks! Daniel
pf control with dynamic ip
Hi! My ISP provides me ADSL service with daily changing ip. Still I must somehow control the access to my postgresql server, to only accept connections from my computer. Is it possible to specify a hostname (my hostname, which gets updated at every ip change) in pf.conf and somehow tell pf not to try to translate it when loading the rule, but try to look up the hostname on every connection attempt? Is this sane/possible? Thanks! Daniel
Re: pf control with dynamic ip
2007. May 6. 18:45, Berk D. Demir:
> Daniel wrote:
> > Hi!
> >
> > My ISP provides me ADSL service with daily changing ip. Still I
> > must somehow control the access to my postgresql server, to only
> > accept connections from my computer. Is it possible to specify a
> > hostname (my hostname, which gets updated at every ip change) in
> > pf.conf and somehow tell pf to don't try to translate it when
> > loading the rule, but try to lookup the hostname on every
> > connections attempt?
> >
> > Is this sane/possible?
>
> It's not possible without executing pfctl repeatedly.
>
> pf(4) operates at OSI Layers 3 and 4. Making a DNS query is a Layer 7
> operation and handled by pfctl(8), which is the userland controller
> and configuration parser for pf(4).
>
> Instead of relying on IP addresses, you can use authpf(8). Which
> won't limit you to work just from home when you can authenticate via
> ssh from anywhere.
>
> Using authpf is a more convenient and secure approach. So use it.

I would like to, but here is my problem: I need to create a new user on the server which will have the /usr/sbin/authpf as its shell. So now I have user1 (my regular account on that server, with a normal shell) and user1_authpf (the authpf account). But I'm connecting to the user1_authpf account from the same machine that I'm using for everything else, so after disconnecting with the authpf account, other connections (eg. imap, ftp, ssh) are closing too. I understand that authpf removes the rules and states related to the connecting ip address, so I think this is normal, but is not good for me.

Any ideas for this?

Thanks!

Daniel
OpenBSD T-Shirt needed
Hi! I noticed that on the EU order page, the XL "Wireframe Blowfish Shirt" (#23) is on short supply. Anyone can recommend a place where I can get one of those (I'm really not that beefy to fill in the XXL ;). Thanks! Daniel
php5 missing the money_format() function
Hi! I'm using OpenBSD 4.1, and php5. When trying to use the money_format() function I get this error in my logs: Fatal error: Call to undefined function money_format() in ... I understand that "The function money_format() is only defined if the system has strfmon capabilities. For example, Windows does not, so money_format() is undefined in Windows." But I'm not using that :) Any ideas? Thanks! Daniel
Re: OpenTV
Julian Bolivar wrote:

Hi everybody, I installed a Video Streaming server using OpenBSD 3.9 and VideoLAN, I invite to all to visit my test page at "http://jbolivar.sytes.net". All comments are welcome.

A test page isn't so interesting... can you publish some documentation about your setup ? :)

sand
-- 
Hi, I'm a .signature virus! Copy me to your .signature file and help me propagate, thanks!
Re: OpenBSD's 10th birthday
Joakim Aronius wrote: Congrats from Mongolia. and Happy birthday from Sweden! and Tanti Auguri from Italy, OOMPA! :) sand -- Hi, I'm a .signature virus! Copy me to your .signature file and help me propagate, thanks!
Problems booting with floppyC38.fs on Latitude CPx
I'm unable to use floppyC38.fs to boot my laptop. It is a Dell Latitude CPx J650GT with bios A16.

I've tried different floppy disks with the same results.
I've tried floppyC38.fs from 3.8 release.
I've tried floppyC38.fs from snapshots date 11/2/05.

Using the exact same floppy I can boot my pc just fine. Any ideas on what I need to do to get this laptop going?

Loading;..
probing: pc0 com0 com1 apm mem[639K 510M a20=on]
disk: fd0 hd0+*
>> OpenBSD/i386 BOOT 2.10
boot>
booting fd0a:/bsd: 3306020+195116=0x356d74
entry point at 0x100120

complete freeze at this point, can't hit the caps lock button

I only got this once. All other times have been as follows.

Loading;..
probing: pc0 com0 com1 apm mem[639K 510M a20=on]
disk: fd0 hd0+*
>> OpenBSD/i386 BOOT 2.10
boot>
booting fd0a:/bsd: 3306020read text
 failed(0). will try /obsd
boot>
booting fd0a:/obsd: open fd0a:/obsd: No such file or directory
 failed(2). will try /bsd.old
boot>
booting fd0a:/bsd.old: open fd0a:/bsd.old: No such file or directory
 failed(2). will try /bsd
boot>
booting fd0a:/bsd: 3306020read text
 failed(0). will try /obsd
boot>
booting fd0a:/obsd: open fd0a:/obsd: No such file or directory
 failed(2). will try /bsd.old
boot>
booting fd0a:/bsd.old: open fd0a:/bsd.old: No such file or directory
 failed(2). will try /bsd
Turning timeout off.
boot>
Re: Preliminary: Soekris 4501 + Wistron CM9
On Feb 13, 2010, at 1:02 PM, Matt Bettinger wrote: Had same issues with net 5501-70. I use a psu from a linksys wifi ap and it is rock solid now. Sent from my iPhone On Feb 13, 2010, at 11:05 AM, daniel wrote: I've been using a Net 4501 for several years now (since at least OpenBSD 3.8) with no problems. I've recently added a mini-PCI Wistron CM9 (ath 5212). Very soon after bringing the interface up, I get all sorts of channel reset and wake up errors. Before I start going crazy with posting all sorts of diagnostic info, I'm wondering if the first thing I should look at is my power supply. I've used a 12V 1.2A since the beginning, but have not ever used the PCI or mini-PCI slots. Could my Net 4501, with the addition of the mini-PCI card, now be starved for electrons? Daniel Well, I finally dug out a couple of other power supplies (5V 2.5A and 12V 1.5A) and I'm still having problems. I've tried a few things with no luck. Most of the time the Soekris eventually hangs, sometimes with no messages and other times with the following repeating on the console with the Soekris hung (until I reboot it): ath0: ath_reset: unable to reset hardware; hal status 3534594048 ar5k_ar5212_nic_wakeup: failed to resume the AR5212 (again) ath0: ath_reset: unable to reset hardware; hal status 3534594048 ar5k_ar5212_nic_wakeup: failed to resume the AR5212 (again) etc... 
Here's what I've tried: /etc/hostname.ath0 (taken directly from ath(4)): inet 192.168.1.1 255.255.255.0 NONE media autoselect mediaopt hostap nwid my_net chan 11 After reboot or "sh /etc/netstart ath0", ifconfig ath0 shows: ath0: flags=8863 mtu 1500 lladdr 00:0b:6b:de:1d:a1 priority: 4 groups: wlan media: IEEE802.11 autoselect hostap (autoselect mode 11a hostap) status: active ieee80211: nwid my_net chan 40 bssid 00:0b:6b:de:1d:a1 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 inet6 fe80::20b:6bff:fede:1da1%ath0 prefixlen 64 scopeid 0x1 My macbook pro can see "my_net" and I have dhcpd serving on ath0 but never get an IP. /var/log/messages shows: Feb 21 23:06:10 foo /bsd: ath0: ath_chan_set: unable to reset channel 11 (2462 MHz) I've also tried "ifconfig ath0 scan". It seems to see nothing and I'm in an urban area where I generally see 10 to 12 APs. I'm not sure what to do next to debug this. Any help will be greatly appreciated. dmesg is below. Thanks, Daniel OpenBSD 4.6 (GENERIC) #58: Thu Jul 9 21:24:42 MDT 2009 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 ("AuthenticAMD" 486-class) cpu0: FPU real mem = 66678784 (63MB) avail mem = 54636544 (52MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 20/80/03, BIOS32 rev. 0 @ 0xf7840 pcibios0 at bios0: rev 2.0 @ 0xf/0x1 pcibios0: pcibios_get_intr_routing - function not supported pcibios0: PCI IRQ Routing information unavailable. 
pcibios0: PCI bus #0 is the last bus cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (bios) elansc0 at pci0 dev 0 function 0 "AMD ElanSC520 PCI" rev 0x00: product 0 steppin g 1.1, CPU clock 133MHz, reset 0 gpio0 at elansc0: 32 pins ath0 at pci0 dev 16 function 0 "Atheros AR5212" rev 0x01: irq 10 ath0: AR5213A 5.9 phy 4.3 rf5112a 3.6, FCC2A*, address 00:0b:6b:de:1d:a1 sis0 at pci0 dev 18 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 11, a ddress 00:00:24:c1:96:70 nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1 sis1 at pci0 dev 19 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 5, ad dress 00:00:24:c1:96:71 nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1 sis2 at pci0 dev 20 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 9, ad dress 00:00:24:c1:96:72 nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1 isa0 at mainbus0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard wdc0 at isa0 port 0x1f0/8 irq 14 wd0 at wdc0 channel 0 drive 0: wd0: 1-sector PIO, LBA, 991MB, 2030112 sectors wd0(wdc0:0:0): using BIOS timings pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 biomask f1c5 netmask ffe5 ttymask softraid0 at root root on wd0a swap on wd0b dump on wd0b sis2 at pci0 dev 20 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 9, ad dress 00:00:24:c1:96:72 nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1 isa0 at mainbus0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console com1 at isa0 port 0x2f8/8 irq 3: ns1
Need advice re: Wistron CM9 and Net 4501
I'm running 4.6 (release, I think) on a Soekris Net 4501. See dmesg, below. I recently got a Wistron CM9 (ath) mini-pci card for it (I've been running, wired-only, for 4-5 years). I'm getting a couple different error messages while attempting to use it. I initially thought (hoped) that the problem was an insufficient power supply (12V 1.2A). I have since tried two other power supplies (up to 12V 2.5A) and still have the same problems. Most of the time the Soekris ends up hanging or otherwise becoming completely unresponsive until I pull the plug and reboot it. Sometimes it takes several minutes to become unresponsive. I've tried "ifconfig ath0 scan" but it doesn't seem to see anything-- even though I can usually see 10-12 APs from other machines. Before the Soekris hangs, I can see it from a laptop. I'm trying to use it in hostap mode; configuring it as described in ath(4) like this: inet 192.168.1.1 255.255.255.0 NONE media autoselect mediaopt hostap \ nwid my_net chan 11 I've tried bringing it up/down with ifconfig to try to reset and reconfigure it but I can't seem to get anywhere. At various times, I see: ath0: ath_reset: unable to reset hardware; hal status 3534594048 ar5k_ar5212_nic_wakeup: failed to resume the AR5212 (again) continuously on the console. ath(4) says the first line should not happen and I can't find the status code enumerated in the HAL include file. I couldn't find anything regarding the second line, ar5k_ar5212_nic_wakeup. I also see a lot of: /bsd: ath0: ath_chan_set: unable to reset channel 11 (2462 MHz) in /var/log/messages. ath(4) says this also should not happen. I'd really appreciate some guidance on how to debug this. 
Thanks, Daniel OpenBSD 4.6 (GENERIC) #58: Thu Jul 9 21:24:42 MDT 2009 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 ("AuthenticAMD" 486-class) cpu0: FPU real mem = 66678784 (63MB) avail mem = 54636544 (52MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 20/80/03, BIOS32 rev. 0 @ 0xf7840 pcibios0 at bios0: rev 2.0 @ 0xf/0x1 pcibios0: pcibios_get_intr_routing - function not supported pcibios0: PCI IRQ Routing information unavailable. pcibios0: PCI bus #0 is the last bus cpu0 at mainbus0: (uniprocessor) pci0 at mainbus0 bus 0: configuration mode 1 (bios) elansc0 at pci0 dev 0 function 0 "AMD ElanSC520 PCI" rev 0x00: product 0 steppin g 1.1, CPU clock 133MHz, reset 0 gpio0 at elansc0: 32 pins ath0 at pci0 dev 16 function 0 "Atheros AR5212" rev 0x01: irq 10 ath0: AR5213A 5.9 phy 4.3 rf5112a 3.6, FCC2A*, address 00:0b:6b:de:1d:a1 sis0 at pci0 dev 18 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 11, a ddress 00:00:24:c1:96:70 nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1 sis1 at pci0 dev 19 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 5, ad dress 00:00:24:c1:96:71 nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1 sis2 at pci0 dev 20 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 9, ad dress 00:00:24:c1:96:72 nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 
1 isa0 at mainbus0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard wdc0 at isa0 port 0x1f0/8 irq 14 wd0 at wdc0 channel 0 drive 0: wd0: 1-sector PIO, LBA, 991MB, 2030112 sectors wd0(wdc0:0:0): using BIOS timings pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 biomask f1c5 netmask ffe5 ttymask softraid0 at root root on wd0a swap on wd0b dump on wd0b sis2 at pci0 dev 20 function 0 "NS DP83815 10/100" rev 0x00, DP83815D: irq 9, ad dress 00:00:24:c1:96:72 nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1 isa0 at mainbus0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard wdc0 at isa0 port 0x1f0/8 irq 14 wd0 at wdc0 channel 0 drive 0: wd0: 1-sector PIO, LBA, 991MB, 2030112 sectors wd0(wdc0:0:0): using BIOS timings pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 biomask f1c5 netmask ffe5 ttymask softraid0 at root root on wd0a swap on wd0b dump on wd0b WARNING: / was not properly unmounted # [ because it keeps hanging ]
Re: Need advice re: Wistron CM9 and Net 4501
On Feb 25, 2010, at 4:58 AM, Aaron Mason wrote: On Thu, Feb 25, 2010 at 7:25 AM, daniel wrote: I'm running 4.6 (release, I think) on a Soekris Net 4501. See dmesg, below. I recently got a Wistron CM9 (ath) mini-pci card for it (I've been running, wired-only, for 4-5 years). I'm getting a couple different error messages while attempting to use it. I initially thought (hoped) that the problem was an insufficient power supply (12V 1.2A). I have since tried two other power supplies (up to 12V 2.5A) and still have the same problems. Most of the time the Soekris ends up hanging or otherwise becoming completely unresponsive until I pull the plug and reboot it. Sometimes it takes several minutes to become unresponsive. I've tried "ifconfig ath0 scan" but it doesn't seem to see anything-- even though I can usually see 10-12 APs from other machines. Before the Soekris hangs, I can see it from a laptop. I'm trying to use it in hostap mode; configuring it as described in ath(4) like this: inet 192.168.1.1 255.255.255.0 NONE media autoselect mediaopt hostap \ nwid my_net chan 11 I've tried bringing it up/down with ifconfig to try to reset and reconfigure it but I can't seem to get anywhere. At various times, I see: ath0: ath_reset: unable to reset hardware; hal status 3534594048 ar5k_ar5212_nic_wakeup: failed to resume the AR5212 (again) continuously on the console. ath(4) says the first line should not happen and I can't find the status code enumerated in the HAL include file. I couldn't find anything regarding the second line, ar5k_ar5212_nic_wakeup. I also see a lot of: /bsd: ath0: ath_chan_set: unable to reset channel 11 (2462 MHz) in /var/log/messages. ath(4) says this also should not happen. I'd really appreciate some guidance on how to debug this. 
Thanks, Daniel [...] I presume this relates to the previous post where you mentioned that you added a CM9 to
Re: Opteron 250 Overheating
On Mar 4, 2010, at 9:18 AM, J.C. Roberts wrote: On Wed, 3 Mar 2010 17:57:22 -0800 "Christopher Ahrens" wrote: Henning Brauer wrote: * Jeff Ross [2010-03-02 16:59]: I bought a replacement supermicro motherboard off fleabay that has dual Opteron 250 @2.4GHz. The cpus have passive heatsinks, it is in a supermicro 2U chassis with 4 front fans. do you have the air shroud? this plastic thing that forms a "tunnel" over the heatsinks? it is required. No, the motherboard didn't come with that. If I can find one will that mean I don't need the active heatsinks? that's how supermicro delivers the 2U systems, so i'd say yes, you won't need them. I had this problem before, an old Cereal box + Scissors + tape fixed it right up. But your mileage may vary I'm Jealous! --I've always wanted a cereal console. I know it's only Thursday but... On a cereal console: - exit doesn't work; you must type cheerio - make release involves building Cap'n Crunchgen - the secret to attaining Cocoa Puffy privilege is using Special K (NOTE: you must use the Corn Pops shell) - you can mount ISO images with Fruit Loops OK, I'm done.
Re: OT: multiple web servers on OpenBSD (WAS: OT: vmware blah blah)
On Mar 8, 2010, at 11:37 AM, Marc Espie wrote: On Mon, Mar 08, 2010 at 09:40:30AM -0600, Marco Peereboom wrote: OMG!! running multiple daemons??? Wow why didn't I think of that?? I *love* OS overhead on misbehaving hardware emulation because it is what "the industry" prescribes. Don't forget the 50% hit on I/O speed because that is what every enterprise needs. And let's not forget the windows only license servers combined with "management" tools that also run only on windows and IE. Virtualization is so awesome. It's more that the current industry standard kind-of is apache, or "enterprise shit" based on jakarta AND multiple boxen. solutions to the web server issues, such as using fastcgi + nginx/lighttpd, only start to become more or less well-spread. And of course, all the time investment of the so-called sys-admins who learnt how to configure big apache/jakarta installations would go down the drain. Can't have that. They need to protect their investment. Like many things these days, the term enterprise has been co-opted by those with an ulterior--and often opposite--motive. Enterprise should mean reliable, scalable and simple (otherwise known as manageable). It has become the opposite. VMware makes a great toy on my macbook: I can build custom RPMs for linuxy stuff, make release when I don't have a physical machine available. In my "enterprise", we have some Dell 1850s and a 1950 and an xserve. I "evaluated" ESXi thinking I'd be able to build VMs on my macbook and then deploy them on the xserve or the dells. I decided not to screw around with converting VMs from fusion to esxi and back. The final straw was how to intelligently manage esxi without windows/internet exploder. We're currently running about 15 rails, php and coldfusion apps with the number growing almost weekly. As much as possible, each app gets its own VM (or two) and is proxied to an outward facing web server. I'm running xen on centos. Not my first choice, but it is OK behind pf. 
With a little scripting, I can create a VM and deploy an app in under 5 minutes. We are a small non-profit and that necessarily rules out "Enterprise" solutions.
Re: Need advice re: Wistron CM9 and Net 4501
Well, after _way_ too much messing around, I've determined that the mini-pci slot on _my_ (at least) Net 4501 is pretty much useless. Both a new Wistron CM9 and an OEM Intersil Prism (pgt) (taken from an SMC barricade) fail. Don't quote me on these numbers, but the CM9 will draw something like 430ma and the pgt something like 290ma and they both behave the same way. I tried OpenBSD 4.6 (release and patch branch) and 4.7 (various snaps): the cards, once configured and/or are connected to, cause the kernel to spew errors on the console continually and won't stop until a reboot. I'm assuming they are starved for current. Apparently other people have gotten mini-pci wlan cards to work in their Net 4501s, but not me. I'm making my employer buy me a TimeCapsule that I'll put behind my Net 4501 for now. In the future, I'll have to investigate other options like a Net 5501 or even one of the nice RouterBoards mentioned here recently. Thanks to all who chimed in. Daniel
Re: Need advice re: Wistron CM9 and Net 4501
On Mar 18, 2010, at 3:13 PM, J.C. Roberts wrote: On Thu, 18 Mar 2010 13:25:35 -0400 daniel wrote: Well, after _way_ too much messing around, I've determined that the mini-pci slot on _my_ (at least) Net 4501 is pretty much useless. Both a new Wistron CM9 and an OEM Intersil Prism (pgt) (taken from an SMC barricade) fail. Don't quote me on these numbers, but the CM9 will draw something like 430ma and the pgt something like 290ma and they both behave the same way. I tried OpenBSD 4.6 (release and patch branch) and 4.7 (various snaps): the cards, once configured and/or are connected to, cause the kernel to spew errors on the console continually and won't stop until a reboot. I'm assuming they are starved for current. Apparently other people have gotten mini-pci wlan cards to work in their Net 4501s, but not me. I'm making my employer buy me a TimeCapsule that I'll put behind my Net 4501 for now. In the future, I'll have to investigate other options like a Net 5501 or even one of the nice RouterBoards mentioned here recently. Thanks to all who chimed in. Daniel http://marc.info/?l=openbsd-misc&w=2&r=1&s=CM9&q=b http://marc.info/?l=openbsd-misc&m=126891871332534&w=2 Though it could be your choice of mini-pci devices, if there really is a problem in your Soekris (such as the slot really is starved of power), then talk to Soekris about it. They'll want to know one way or another about a potential defect and could lead you through proper testing. J.C., thanks. I agree that it is probably my choice of mini-pci devices; I believe that mini-pci wlan cards do exist that would work in the Net 4501--I've even read of people using their Net 4501s in this way. I've posted on the Soekris list so Soekris can comment on this if they are so inclined. But given that this is a one-off, hobby-ish situation, the Net 4501's design is 8+ years old, mine is perhaps 5 years old and I would need to hunt down and try several different wlan cards, I'm not inclined to pursue this any further.
Preliminary: Soekris 4501 + Wistron CM9
I've been using a Net 4501 for several years now (since at least OpenBSD 3.8) with no problems. I've recently added a mini-PCI Wistron CM9 (ath 5212). Very soon after bringing the interface up, I get all sorts of channel reset and wake up errors. Before I start going crazy with posting all sorts of diagnostic info, I'm wondering if the first thing I should look at is my power supply. I've used a 12V 1.2A since the beginning, but have not ever used the PCI or mini-PCI slots. Could my Net 4501, with the addition of the mini-PCI card, now be starved for electrons? Daniel
Re: OpenBSD/octeon on EdgeRouter PoE - my experience
I'd bet there are quite more important issues related to the Octeon platform than the switch issue, so I won't expect any progress soon. About the Lite, you'd get your three working ports. Regards! 2017-04-29 23:34 GMT+02:00 Doggie : > W dniu 2017-04-25 o 18:47, Daniel Gracia pisze: > >> EdgeRouter PoE octeon has 3 Ethernet hardware ports (it is the very same >> platform for PoE and Lite). In the case of the PoE unit: >> >> * Two first ports are connected to a PHY device (so you can connect an >> actual UTP/FTP cable). >> * Third port is connected to an embedded hardware switch rather than a PHY >> (so you get no cable for your cnmac2). >> >> So the OpenBSD kernel output seems reasonable as long as you suppose that >> nobody has taken the job of writing the driver to enable the embedded >> switch. Managing PoE is closely related (as this kind of hardware level >> configuration should require its very own driver). >> >> Regards! >> > > Sorry for delayed response and thanks for yours. > > In this case, can someone please let me know if there are any plans for > making this switch supported in OpenBSD in the nearest future? > > I'm pretty excited about these little devices so now I'm thinking about > buying EdgeRouter Lite where, as I understand, all 3 ports would be > available. And 3 ports is the minimum amount required for my own purposes. > > -- > Cheers, > Pawel Waga >
Re: Packet in and out on the same eithernet port.
On Tue, May 9, 2017 at 8:24 AM, Peter Fraser wrote: > Because of one user's misconfiguration of Microsoft's HypeV, his virtual > machines were not getting the results > of arp. As a result of that configuration all the packets going to machines > on the same subnetwork were going > to the default gateway. The default gateway was an OpenBSD 6.1 server. > OpenBSD very slowly forward the > packets back out the same if (an em0) ... Switch to hvn(4) and your packets will fly.
Re: PF queueing confusion
On Wed, May 10, 2017 at 4:47 AM, Gabriele Tozzi wrote: > I have a quite simple pf setup: I have defined 3 queues for my external > interface in my pf.conf: > > queue ext on $Ext bandwidth 900K > queue normal parent ext bandwidth 386K, max 850K qlimit 10 default > queue high parent ext bandwidth 193K qlimit 10 > queue low parent ext bandwidth 193K, max 540Kb qlimit 10 > > I have noticed that the "high" queue got the wide majority of traffic, > so I have removed all the rules referencing it from pf.conf and, > surprisingly, this is the result after reloading the ruleset: > > # pfctl -s queue -v > [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: > 0 ] > [ qlength: 0/ 50 ] > queue ext on pppoe0 bandwidth 900K qlimit 50 > [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: > 0 ] > [ qlength: 0/ 50 ] > queue normal parent ext bandwidth 386K, max 850K default qlimit 10 > [ pkts: 1555 bytes: 130921 dropped pkts: 0 bytes: > 0 ] > [ qlength: 0/ 10 ] > queue high parent ext bandwidth 193K qlimit 10 > [ pkts: 19303 bytes: 28319771 dropped pkts:179 bytes: > 255401 ] > [ qlength: 0/ 10 ] > queue low parent ext bandwidth 193K, max 540K qlimit 10 > [ pkts: 4863 bytes:4044635 dropped pkts:487 bytes: > 176124 ] > > Still a lot of data is sent through the "high" queue, even if no rules > in pf.conf is referencing it. As a counter-proof, I can remove the queue > creation line from pf.conf and reload the ruleset without triggering any > error, so the queue is definitely not referenced. > > What could be wrong? You'll have to post your pf.conf.
Re: Qubes-OS is "fake" security
On Fri, 12 May 2017 03:41:05 +0200, Kim Blackwood wrote: > Hi, From: Martin Hanson To: misc Subject: Why would I need a container like Docker?! Date: Wed, 10 May 2017 05:53:07 +0200 X-Mailer: Yamail [ http://yandex.ru ] 5.0 From: Kim Blackwood To: misc@openbsd.org Subject: Qubes-OS is "fake" security Date: Fri, 12 May 2017 03:41:05 +0200 X-Mailer: Yamail [ http://yandex.ru ] 5.0 Is it the holidays or something?
Re: Qubes-OS is "fake" security
May I suggest you go read the FAQ before you spread misinformation. Qubes doesn't use KVM, it's built on Xen, and calling it just a GUI is like calling OpenBSD just a bunch of masturbating monkeys. > On May 12, 2017, at 2:37 PM, flipchan wrote: > > Qubes os is just linux with a gui for some kvm vms(it sux) > >> On May 12, 2017 5:57:11 PM GMT+02:00, I love OpenBSD >> wrote: >> >> Both OpenBSD and Qubes OS don't guarantee >> perfect security. >> Qubes OS has a different take on security >> than OpenBSD. Both have different >> advantages and disadvantages. >> Physical separation is more expensive >> and you need to transport more devices >> from place to place. >> Qubes OS lets you run mainstream OSes. >> OpenBSD is a OS and is a great tool to >> get to know Unix-like OSes. It is also >> a great environment to practise programming >> in C language. See "Developing Software >> in a Hostile Environment". There is a >> "The J for junk option", pledge(2). > > -- > Take Care Sincerely flipchan layerprox dev
Re: Interest in POWER platform?
> On May 25, 2017, at 8:28 AM, Karel Gardas wrote: > >> On Thu, May 25, 2017 at 2:05 PM, valerij zaporogeci >> wrote: >> 2017-05-25 3:46 GMT+03:00, Chris Cappuccio : >>> >>> OpenBSD is moving ahead on armv7, arm64, and mips64 (loongson, octeon, sgi) >>> as viable alternatives to i386/amd64. Other platforms are not well supported >>> usually due to lack of available hardware and, therefore, developer >>> interest. >>> >>> Chris >>> >> >> Sorry for off-topic, but I didn't want to start a new thread, it's >> just a small question. Is OpenBSD "moving ahead" to mips32 too under >> this mentioned move? :) More specifically is there an effort to run it >> on such a mips SBC like Imagination's Mips Creator CI20? I know it's >> just a tiny mini-PC, not a server thingy, but it's not worse than >> Raspberry Pi by the hardware capabilities. >> I am asking because I am trying to write an UEFI implementation on it, >> xD and am wondering if OpenBSD had support for this board, would it >> use efi loader approach on this architecture or not. >> I know, there is no UEFI support for mips even in the UEFI >> specification, that's why I am doing my attempt. :) > > Search the archives, but IIRC last "message" was that mips32 is a no > go. The reason if I'm not mistaken is some MMU thingy or limitation or > whatever. I'm sure you will be able to find it in archive of this > mailing list. > https://www.sccs.swarthmore.edu/users/16/mmcconv1/others/miod-mips32.txt
Re: HELP! My HTTPD website keeps breaking because the custom directory/user permissions are being reverting for some reason!
On Sun, 28 May 2017 19:57:41 -0400, tec...@protonmail.com wrote: > Hi there, > > I have been using httpd for quite a while now, but after a new > project/website having to have read/write/execute permissions > (unsafe, I do realise..) I decided to: > > 1. add root to the www group, > 2. chown -R www:www /var/www/htdocs > 3. chmod -R 775 /var/www/htdocs > > Everything was running smoothly, until I was testing out the > functionality and realised I couldn't use php to write new > directories or files, so I checked the permissions and for some > reason they have all switched back to: root:daemon with permissions > of 755. > > Now, I'm guessing this is a security feature in some way, but for my > purposes and the type of service I'm creating it is breaking > everything. Can someone tell me what man page to look up for this > or something? Time is of the essence because I need this website > running properly by tomorrow at latest. > > Many many thanks!! Probably (not sure because you didn't care to say which version you're running) because you upgraded to a newer snapshot. Use another directory (one that doesn't come in the sets) if you want to do that.
Re: dokuwiki - /dev/urandom issue
On 11.06.2017 19:43, Asbel Kiprop wrote: > Hello > After today's update my Dokuwiki just throw 500 error "There is no suitable > CSPRNG installed on your system". Googled a bit and found out it because i > have no /dev/urandom in my basedir, > And this kinda obvious cuz i have httpd chrooted by default > > Doku version dokuwiki-2017.02.19b installed from the OpenBSD packages, So > only way is to disable chroot? > Have u tried creating urandom in the httpd chroot? In case your chroot is /var/www: mkdir /var/www/dev && cd /var/www/dev && /dev/MAKEDEV random I just have no idea whether this might have any security implications. Probably not, but maybe someone else can enlighten us on this. -- Unix _IS_ user friendly - it's just selective about who its friends are!
Re: dokuwiki - /dev/urandom issue
On Sun, 11 Jun 2017 21:24:23 +0300, Asbel Kiprop wrote: > Created /dev/urandom in chroot. btw > root :: /var/www : ls -la /var/www/dev/ > > > > total 16 > drwxr-xr-x 2 root wheel 512 Jun 11 21:01 ./ > drwxr-xr-x 16 root daemon 512 Jun 11 21:01 ../ > crw-r--r-- 1 root wheel 45, 3 Jun 11 21:01 arandom > crw-r--r-- 1 root wheel 45, 0 Jun 11 21:01 random > crw-r--r-- 1 root wheel 45, 1 Jun 11 21:01 srandom > crw-r--r-- 1 root wheel 45, 2 Jun 11 21:01 urandom > > but > root :: /var/www : cat /var/www/dev/urandom > > > > cat: /var/www/dev/urandom: Device not configured Your partition is probably mounted with the nodev flag.
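The diagnosis in the reply above can be checked by finding which filesystem actually holds the chroot's device node and whether that mount carries nodev. This is an added example, not part of the thread: the mount table is constructed sample data in the format mount(8) prints on OpenBSD, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: does the filesystem holding a chroot device node carry "nodev"?

# Constructed sample in the format printed by mount(8) on OpenBSD:
#   <device> on <mountpoint> type <fstype> (<option>, <option>, ...)
# Illustrative only; this is not the poster's mount table.
SAMPLE_MOUNT='/dev/sd0a on / type ffs (local)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
/dev/sd0g on /var/www/htdocs type ffs (local, nodev, nosuid)'

# mount_for_path PATH [MOUNT_OUTPUT]
# Print "mountpoint|options" for the longest mount point that is a prefix
# of PATH. Reads the live table when MOUNT_OUTPUT is not given.
# Assumption: mount points contain no whitespace.
mount_for_path() {
    mfp_table=${2-$(mount)}
    printf '%s\n' "$mfp_table" | awk -v p="$1" '
    {
        mp = $3
        opts = $0
        sub(/^[^(]*\(/, "", opts)     # drop everything up to "("
        sub(/\)[^)]*$/, "", opts)     # drop the closing ")"
        # A mount point matches when it is "/", equals the path, or is a
        # whole-component prefix of it ("/var" must not match "/variable").
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) > best_len) {
                best_len = length(mp)
                best = mp "|" opts
            }
        }
    }
    END { if (best != "") print best; else exit 1 }'
}

# path_is_nodev PATH [MOUNT_OUTPUT]
# Returns 0 if the filesystem holding PATH is mounted nodev, 1 if it is
# not, 2 if no mount point matched.
path_is_nodev() {
    pin_table=${2-$(mount)}
    pin_entry=$(mount_for_path "$1" "$pin_table") || return 2
    pin_opts=${pin_entry#*|}
    case ", $pin_opts," in
        *", nodev,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# chroot_dev_verdict PATH [MOUNT_OUTPUT]
# One-line report suitable for a post-upgrade sanity script.
chroot_dev_verdict() {
    cdv_table=${2-$(mount)}
    cdv_entry=$(mount_for_path "$1" "$cdv_table") || {
        echo "UNKNOWN $1: no mount point found"
        return 0
    }
    cdv_mp=${cdv_entry%%|*}
    cdv_opts=${cdv_entry#*|}
    if path_is_nodev "$1" "$cdv_table"; then
        echo "BLOCKED $1: $cdv_mp is mounted nodev ($cdv_opts)"
    else
        echo "OK $1: $cdv_mp allows device nodes ($cdv_opts)"
    fi
}

# Demonstration on the constructed table: the chroot directory has no
# mount of its own, so it inherits the flags of /var.
chroot_dev_verdict /var/www/dev/urandom "$SAMPLE_MOUNT"
chroot_dev_verdict /home/www/dev/urandom "$SAMPLE_MOUNT"
```

On a live system, omit the second argument so the functions read the real mount table.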
Re: X on thinkpad x270 - "Inappropriate ioctl for device"
On Tue, 13 Jun 2017 08:12:00 +0200, Pau wrote: > em0 shows the error about "Unable to initialize the hardware". I guess > this will be fixed in upcoming snapshots (and again, thanks for the > hard work). This is probably because you're multibooting. You can see my bug report about it [1]. Since I've stopped switching to other OS, the problem never came back. [1]: https://marc.info/?l=openbsd-bugs&m=148093341307527&w=2
Re: Rebuilding a degraded RAID5 softraid array
From: Karel Gardas -- Sent: 2017.06.14 - 19:25 > On Wed, Jun 14, 2017 at 5:23 PM, LÉVAI Dániel wrote: >> sd8 at scsibus4 targ 2 lun 0: SCSI2 0/direct fixed >> sd8: 155872MB, 512 bytes/sector, 319227056 sectors > > Here is sd8 as crypto. > >> So the system disks (RAID1) are there, sd7l is decrypted as sd8 (so > > sd7l decrypted as sd8, well then > >> that's also okay), and I'm missing the array of sd2,sd3,sd4,sd5. (no >> worries about sd6 and sd11, that's an external drive, I've removed that >> from the equation for now). >> >> Every documentation I read tells me to rebuild the array like so: >> # bioctl -R /dev/ >> >> So I guess I could run eg. `bioctl -R /dev/sd5a sd8`, if I had sd8 as a > > but you can't do that as sd8 is already allocated and running as > crypto volume. In fact I think softraid logging is fine and your RAID5 > is for whatever reason being assigned as sd7 but fails on missing > chunk. The problem may arise from the StoreJet USB device you have > attached. If you unplug this then perhaps your RAID1 will become sd6 > and your RAID5 will become sd7 and you may see it and make attempt to > rebuild it. Thanks Karel for pointing this out, you are in fact right, and nothing is wrong with the logging, I just forgot that I'm decrypting that device 'automatically' in rc.local. And the kernel log was from before this, hence the similar device names. I still think that nonetheless I should've gotten a degraded array that I can work with (eg. rebuild). As a matter of fact I removed everything from the machine, and left just the four drives of the array, then booted into bsd.rd from a thumb drive. Strangest thing is, if I boot with the 'bad' (=failing) drive as part of the array, softraid brings the volume online (albeit degraded) and I can even decrypt/mount the volume and use it (only one drive being bad in the array of RAID5). 
If I remove/replace said failing drive, I'm not getting a degraded volume, just the error about the missing chunk and that it refuses to bring it online. Either I completely misunderstood the whole idea about softraid and the RAID5 setup (I mean, removing a device - failed or not - shouldn't hinder the assembly of the array, right?), or I'm missing something really obvious 8-/ Daniel
Re: OpenBSD IPSec setup
My two-cents: * IPsec hardware crypto is supported for a lot more platforms than OpenVPN out of the box, so IPsec uses to be noticeably faster. i.e., an UBNT Edgerouter Lite will give me about 20Mbps over OpenVPN vs almost 1Gbps (line rate) over IPsec. * IPsec code in OpenBSD is audited, OpenVPN is a port. Regards! 2017-06-29 12:32 GMT+02:00 Luescher Claude : > Why are you using ipsec in the 21st century: > > https://serverfault.com/questions/202917/openvpn-vs-ipsec- > pros-and-cons-what-to-use > > I see no pros here just cons unless you need to setup a vpn with some > crappy old device which should be just switched out with an obsd box anyway > :) > > > On 2017-06-29 11:29, Liviu Daia wrote: > >> On 29 June 2017, Liviu Daia wrote: >> [...] >> >>> On the server: >>> >>> # iked -d >>> ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 0, 510 bytes >>> ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to >>> 89.136.163.27:500 msgid 0, 471 bytes >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 1, 1520 bytes >>> ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 >>> msgid 1, 1440 bytes >>> sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 >>> policy 'sb1' >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes >>> >>> On the home router: >>> >>> # iked -d >>> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t >>> ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to >>> x.y.z.t:500 msgid 0, 510 bytes >>> 
ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to >>> 89.136.163.27:500 policy 'home' id 0, 471 bytes >>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 >>> msgid 1, 1520 bytes >>> ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to >>> 89.136.163.27:500 policy 'home' id 1, 1440 bytes >>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG >>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 >>> msgid 2, 1520 bytes >>> >>> The warning about pubkey doesn't go away if I copy the server's >>> certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in >>> /etc/iked/certs. And then there's this, which doesn't look normal: >>> >>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG >>> >> [...] >> >> Ok this post sent me on the right course: >> >> http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html >> >> Here's what I did: >> >> cd /etc/ssl/vpn/private >> openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t >> ... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home router. >> >> After that the VPN works, I can send packets from a machine at home >> and I'm seeing them on enc0 on the remote server: >> >> # tcpdump -n -i enc0 >> >> tcpdump: listening on enc0, link-type ENC >> 05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 >> > 10.0.0.102: icmp: echo request (encap) >> 05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 >> > 10.0.0.102: icmp: echo request (encap) >> 05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 >> > 10.0.0.102: icmp: echo request (encap) >> ... >> >> However, I'm now running into what seems to be a firewall problem, >> and I'm getting no answer. I do have "pass quick inet proto esp" on both >> VPN ends. Any idea where / how to fix this? >> >> Also, IPs aren't assigned automatically to the VPN ends. I can >> add them to hostname.enc0, but is this the right thing to do? 
I tried >> adding a line >> >> config address 10.0.0.102 >> >> to /etc/iked.conf, but that's rejected as a syntax error. A clue stick >> again please? >> >> Regards, >> >> Liviu Daia >> > >
Re: Robust ThinkPad suggestions for running OpenBSD.
Should you need any horsepower I would go for a i7 X220/IPS/SSD combo; mint examples are available with sensible prices and as far as my experience can tell, they can get quite abuse taking only minor scratches. They are not low-voltage machines so can get warm; fan is louder and batteries drain fast, but its CPU is still faster than my T460s i5. I don't like X230 and newer because feel a little like underpowered pigs. For those price-conscious people a X200 machine is a very capable machine (if you don't mind losing the touchpad). I've dropped it dozens of times, and runs smooth! Regards! 2017-07-12 12:18 GMT+02:00 J. Misc. : > Hello, everyone. > > I'm here to ask for input on a hardware purchase that I believe seasoned > OpenBSD users could provide some valuable insight into. > > I am looking to purchase a ThinkPad to exclusively run OpenBSD on. The > intent here is to have a dedicated machine to explore and play with > OpenBSD, and eventually promote it as my primary day-to-day workstation. > > A little background: I own a T460s, and it's an excellent machine, but I > feel it to be too fragile to use in harsh environments, like outdoors or > hackerspaces with a lot of rough objects around. > > The factors for choosing a ThinkPad to begin with is that I own one > already, I've heard good words about OpenBSD's support for them (apparently, > stemming from the fact that developers use them themselves) and really, my > inexperience with a lot of the fancy new things from other vendors. > > So, the characteristics I would like the machine to possess, first and > foremost, are a strong outer shell, so it can sustain a fair beating > (unintentional). Weight and size small enough that it doesn't become a > burden (I also have a Dell Precision 3510, and it's so heavy/big that I > would never purchase it myself on these factors alone). 
> > It doesn't need to come with the best and latest 7th gen Intel i7 - I > don't plan to do extremely heavy loads on it - I have other machines for > that. Nor does it have to have things like a fingerprint scanner and all > the other bells and whistles. I don't care about a touch screen either. A > decently sized ssd or spindle would be preferred. A reasonably low power > consumption rate, or support for an extended battery, would be very > preferential, as I travel and don't like to become stationary for charging. > I don't abuse my equipment, so I would like it to not suffer from > continuous hardware failures due to poor physical characteristics, like bad > air circulation. > > I understand that the above description is vague and leaves a lot to the > imagination, but that is intentional. I don't mind looking into other OEM > products either. If anyone has personal experience to share, or point into > the direction where I could get informed, I'm all ears. > > -- > J. Misc. > >
Re: octeon port, ubiquity edgerouter
I have a spare ERPRO-8 (almost the same dual-core MIPS, 1GHz vs 800MHz, two SFP ports) that could be included in these tests. Regards, 2017-07-24 19:21 GMT+02:00 Peter J. Philipp : > On Mon, Jul 24, 2017 at 07:11:32PM +0200, Doggie wrote: > > W dniu 2017-07-24 o 14:18, Sean Murphy pisze: > > > Whoops, you're right. I did mention that it was an ERL in my original > > > email, but I didn't follow the original link. Sorry for the noise. > > > > All I can say is that I share the same good experience with ERL :) > > > > Now it would be very interesting to see dmesg coming from 8-port ER. > > > > -- > > Cheers, > > Pawel Waga > > Hi, > > According to DHL the ER-8 will be delivered here tomorrow. I'm going to > try > to get a dmesg on list if it's requested. Thanks to all that made this > hardware possible. The guy that sent this to me has not included a console > cable so I have only 1 Lanner FW rollover cable here, hoping it will work > for > this task. The Lanner rollover cable is cisco compatible it said on their > support website, so it should work. Otherwise we'll have to wait about a > day > until I get the rollover cable that I purchased on Amazon yesterday. > > Cheers, > -peter > >
Re: touchpad input driver: testing needed
Hi there! A ThinkPad T460s over here working like a charm; some verbose output below. Regards, $ $ doas wsconsctl | grep mouse wsconsctl: Use explicit arg to view keyboard.map. mouse.type=synaptics mouse.rawmode=0 mouse.scale=1472,5676,1408,4762,0,45,69 mouse.tp.tapping=1 mouse.tp.scaling=0.171 mouse.tp.swapsides=0 mouse.tp.disable=0 mouse1.type=ps2
OpenBSD IPsec/L2TP to Android VPN?
First post on mail list. Hope I do it correctly. Is there anyone able to assist setting up an IPsec VPN between an OpenBSD machine and an Android device? I have worked on it for a week or so to no avail. I would like to get a good understanding of the necessary configuration. Thanks in advance. Dan
Re: OpenBSD IPsec/L2TP to Android VPN?
Thanks. The links are helpful. I am troubleshooting through the log messages. Thanks again. Dan. From: owner-m...@openbsd.org on behalf of R0me0 *** Sent: Monday, August 7, 2017 1:56:41 PM To: aaron marcher Cc: OpenBSD Misc Subject: Re: OpenBSD IPsec/L2TP to Android VPN? https://www.authbsd.com/blog/?p=20 2017-08-07 14:54 GMT-03:00 aaron marcher : > hi dan, > > i recently set up something like that using the following two tutorials > (note that this is l2tp/ipsec instead of raw ipsec): > > - http://bluepilltech.blogspot.co.at/2017/02/openbsd-l2tp- > over-ipsec-android-601-ios.html > - http://blog.fuckingwith.it/2016/04/openbsd-l2tpipsec-vpn- > for-android.html > > regards, > drkhsh > > On 17-08-07 Mon, Daniel Mumford wrote: > > > > First post on mail list. Hope I do it correctly. > > > > Is there anyone able to assist setting up an IPsec VPN between Openbsd > machine and an android device? > > > > I have worked on for a week or so to no avail. I would like to get a > good understanding of the necessary configuration. > > > > Thanks in advance. > > Dan > > -- > web: https://drkhsh.at/ or http://drkhsh5rv6pnahas.onion/ > gpg: 0x435BF54B > >
Re: OpenBSD IPsec/L2TP to Android VPN?
I'm up and running. Just have to clean it up a little. Thanks for your help. Dan From: Daniel Mumford Sent: Monday, August 7, 2017 10:17:07 PM To: aaron marcher; R0me0 *** Cc: OpenBSD Misc Subject: Re: OpenBSD IPsec/L2TP to Android VPN? Thanks. The links are helpful. I am troubleshooting through the log messages. Thanks again. Dan. From: owner-m...@openbsd.org on behalf of R0me0 *** Sent: Monday, August 7, 2017 1:56:41 PM To: aaron marcher Cc: OpenBSD Misc Subject: Re: OpenBSD IPsec/L2TP to Android VPN? https://www.authbsd.com/blog/?p=20 2017-08-07 14:54 GMT-03:00 aaron marcher : > hi dan, > > i recently set up something like that using the following two tutorials > (note that this is l2tp/ipsec instead of raw ipsec): > > - http://bluepilltech.blogspot.co.at/2017/02/openbsd-l2tp- > over-ipsec-android-601-ios.html > - http://blog.fuckingwith.it/2016/04/openbsd-l2tpipsec-vpn- > for-android.html > > regards, > drkhsh > > On 17-08-07 Mon, Daniel Mumford wrote: > > > > First post on mail list. Hope I do it correctly. > > > > Is there anyone able to assist setting up an IPsec VPN between Openbsd > machine and an android device? > > > > I have worked on for a week or so to no avail. I would like to get a > good understanding of the necessary configuration. > > > > Thanks in advance. > > Dan > > -- > web: https://drkhsh.at/ or http://drkhsh5rv6pnahas.onion/ > gpg: 0x435BF54B > >
Re: OpenBSD IPsec/L2TP to Android VPN?
You know... I can connect but can't do anything else. What is a good way to test my connection? Should I be able to ping an internal IP? Or browse my internal samba shares remotely? From: Daniel Mumford Sent: Tuesday, August 8, 2017 10:12:45 AM To: aaron marcher; R0me0 *** Cc: OpenBSD Misc Subject: Re: OpenBSD IPsec/L2TP to Android VPN? I'm up and running. Just have to clean it up a little. Thanks for your help. Dan ____ From: Daniel Mumford Sent: Monday, August 7, 2017 10:17:07 PM To: aaron marcher; R0me0 *** Cc: OpenBSD Misc Subject: Re: OpenBSD IPsec/L2TP to Android VPN? Thanks. The links are helpful. I am troubleshooting through the log messages. Thanks again. Dan. From: owner-m...@openbsd.org on behalf of R0me0 *** Sent: Monday, August 7, 2017 1:56:41 PM To: aaron marcher Cc: OpenBSD Misc Subject: Re: OpenBSD IPsec/L2TP to Android VPN? https://www.authbsd.com/blog/?p=20 2017-08-07 14:54 GMT-03:00 aaron marcher : > hi dan, > > i recently set up something like that using the following two tutorials > (note that this is l2tp/ipsec instead of raw ipsec): > > - http://bluepilltech.blogspot.co.at/2017/02/openbsd-l2tp- > over-ipsec-android-601-ios.html > - http://blog.fuckingwith.it/2016/04/openbsd-l2tpipsec-vpn- > for-android.html > > regards, > drkhsh > > On 17-08-07 Mon, Daniel Mumford wrote: > > > > First post on mail list. Hope I do it correctly. > > > > Is there anyone able to assist setting up an IPsec VPN between Openbsd > machine and an android device? > > > > I have worked on for a week or so to no avail. I would like to get a > good understanding of the necessary configuration. > > > > Thanks in advance. > > Dan > > -- > web: https://drkhsh.at/ or http://drkhsh5rv6pnahas.onion/ > gpg: 0x435BF54B > >
Re: OpenBSD fuzzy testing
Hi there.

> On Aug 23, 2017, at 3:56 AM, Infoomatic wrote:
>
> Hi,
> As nowadays I read quite a lot of projects being fuzzy tested or
> vulnerabilities detected by fuzzy testing, I am quite curious: what is the
> status of OpenBSD kernel/base system concerning fuzzy testing?

yes fuzzers have been used for a very long time. if you search through the commit archives you'll see that one recent example is afl which has been used on both userland and kernel. Some links:

http://www.undeadly.org/cgi?action=article&sid=20150121093259
http://lcamtuf.coredump.cx/afl/
https://github.com/nccgroup/TriforceOpenBSDFuzzer

other fuzzers have been used too as far as I know. More work in this space is always welcome too.

> Is there a plan on using the Google fuzzer? thanks

to be clear, you're asking about oss-fuzz? if yes, then someone motivated enough might be able to get it going but it looks like a good amount of work to set it all up in a docker environment, etc. I might explore... at some point... maybe. But right now I'm personally more focused on static analysis of the kernel using tools like coverity.

>
> regards,
> infoomatic
>
SoC Intel Xeon D-1518 & D-1548
Hi, Is there anyone that knows of or has one of the Intel Xeon D-1548 SoCs that works on OpenBSD? I know the D-1518 does, I found the dmesg in the archive, but I can't find anything at all on the D-1548. Any clue? Here is the D-1518 https://marc.info/?l=openbsd-misc&m=146236157518744&w=2 I am asking as I am very much interested in testing this: http://www.lannerinc.com/network-appliances/x86-rackmount-network-appliances/?option=com_content&view=article&id=1680:nca-4010&catid=25:rackmount Many thanks in advance for your time! Daniel
Re: Packages security updates in -stable
On Sat, 9 Sep 2017 21:16:36 +0200, Lukasz Jendrysik wrote:
> Similar situation with Chromium etc. All of those packages exists in
> newer versions in -current, but it's not an option in my case.
>
> I understand that -stable is not place for the latest packages
> available and it's expected to be rock solid, but also secure.
> So I wonder what is the policy in situation when updating to the
> newer upstream version is more than recommended due the security
> reasons.

On -stable, we backport only security (or reliability) fixes, we don't do updates, because as Theo said, new code means new bugs. Sometimes though, upstream are kind enough to tag a release which contains only the patch (the latest one that comes to my mind is weechat 1.7.1), so it can look like an update but it's not an update.

The problem is the same as everywhere, the people who can do it, don't care (because priorities) and people who care, won't do it. If you want to help, please send patches. About that I will just quote what sthen@ said in another thread:

> - get the ports in great shape before sending them. [...]. portcheck
> and lib-depends-check etc should either be clear or you should
> explain why not. if you're already known for sending good clean
> ports, people with a few minutes to spare will be more likely
> to look at yours rather than someone else's...

On Sat, 9 Sep 2017 23:24:38 +0200, Lukasz Jendrysik wrote:
> > Well the options are: Get involved and do the work, or watch.
> How can I help in case when updated package is already in -current?

I would suggest that you begin by looking at how previous irssi security problems were dealt with on -stable and try to do the same.

Cheers,
Daniel
Re: sendsyslog error 55
If you are running either milter-spamd or -regex, you can try the latest versions (from the source tarballs), which suppress noisy LOG_DEBUG messages by default now. Previously, you'd get one syslog message per mail body line, and I saw the "error 55" messages when large mails arrived. After only this change, I don't see them anymore. Sorry it took so long to trace. Daniel
Re: sendsyslog error 55
On Tue, Sep 26, 2017 at 10:51:00AM +0200, Tony Boston wrote:
> thanks for your response. Really appreciated. I'll check that with my boxes

To identify what process is flooding syslog messages you could do something like this:

Temporarily add a debug log file which captures everything

# touch /var/log/debug
# chmod go-rwx /var/log/debug

Add a line to the top of /etc/syslog.conf like

*.* /var/log/debug

And activate it with

# rcctl reload syslogd

To check how often the problem occurs and whether it occurred again:

# zgrep -h 'sendsyslog: dropped' /var/log/messages* | \
    cut -d ' ' -f 1-3 | sort -u

Wait until the message occurs the next time, then see /var/log/debug during the same timeframe (grep for the timestamp), and you should see the culprit(s).

HTH,
Daniel
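The last step of the message above (find the minutes with a "sendsyslog: dropped" line, then see who was logging in /var/log/debug at that time) can be scripted; this is an added example, not part of the thread. It assumes the traditional "Mon DD HH:MM:SS host tag[pid]: text" line layout, and the host name, program tags, pids and message texts in the sample are constructed.

```shell
#!/bin/sh
# Added example: correlate "sendsyslog: dropped" minutes with the busiest
# sender in a catch-all debug log. Every log line below is constructed.

# Write a constructed stand-in for /var/log/debug to the path in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Sep 26 10:41:12 mx1 smtpd[2201]: constructed: smtp connected
Sep 26 10:42:03 mx1 milter-regex[411]: constructed: debug body line 1
Sep 26 10:42:03 mx1 milter-regex[411]: constructed: debug body line 2
Sep 26 10:42:03 mx1 milter-regex[411]: constructed: debug body line 3
Sep 26 10:42:04 mx1 milter-regex[411]: constructed: debug body line 4
Sep 26 10:42:04 mx1 smtpd[2201]: constructed: message accepted
Sep 26 10:42:05 mx1 sendsyslog: dropped 14 messages, error 55
Sep 26 10:43:30 mx1 cron[902]: constructed: job started
Oct  3 09:15:39 mx1 milter-spamd[388]: constructed: debug body line 1
Oct  3 09:15:39 mx1 milter-spamd[388]: constructed: debug body line 2
Oct  3 09:15:40 mx1 sendsyslog: dropped 2 messages, error 55
EOF
}

# Print each minute ("Mon DD HH:MM") in which messages were dropped.
# awk splits on runs of blanks, so the space-padded day in "Oct  3" is
# still field 2; with cut -d ' ' the padding becomes an empty field and
# fields 1-3 no longer include the time on such days.
drop_minutes() {
    awk '/sendsyslog: dropped/ { print $1, $2, substr($3, 1, 5) }' "$1" |
        sort -u
}

# Print "count tag[pid]" for every sender seen in log $1 during minute $2,
# busiest first. The drop notices themselves are not counted.
senders_in_minute() {
    awk -v want="$2" '
        NF >= 5 {
            minute = $1 " " $2 " " substr($3, 1, 5)
            if (minute == want && $5 !~ /^sendsyslog/) {
                tag = $5
                sub(/:$/, "", tag)      # strip the colon after tag[pid]
                n[tag]++
            }
        }
        END { for (t in n) print n[t], t }
    ' "$1" | sort -k1,1nr -k2,2
}

# Print the busiest sender in log $1 during minute $2.
culprit() {
    senders_in_minute "$1" "$2" | head -n 1 | cut -d ' ' -f 2
}

# For every minute with drops, print the minute and its busiest sender.
report() {
    drop_minutes "$1" | while IFS= read -r minute; do
        printf '%s %s\n' "$minute" "$(culprit "$1" "$minute")"
    done
}

LOG=$(mktemp) || exit 1
trap 'rm -f "$LOG"' EXIT
make_sample_log "$LOG"
report "$LOG"
```

On a real system, point `report` at /var/log/debug once the drop message has appeared again, and remove the catch-all line from /etc/syslog.conf afterwards.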
Re: blank password w/out password prompt
On Tue, Sep 26, 2017 at 11:18:22AM +0300, Valentine Astakhov wrote: > login: vall > password: [I press Enter there] > Hallo! > $ > > Can I login without password prompt? No. But if it's a pet peeve of yours, you could patch it like this. Also, you can use specific login programs for specific ttys, see gettytab(5). Daniel Index: usr.bin/login/login.c === RCS file: /cvs/src/usr.bin/login/login.c,v retrieving revision 1.68 diff -u -p -u -r1.68 login.c --- usr.bin/login/login.c 21 Aug 2016 03:26:04 - 1.68 +++ usr.bin/login/login.c 26 Sep 2017 13:09:25 - @@ -447,6 +447,12 @@ main(int argc, char *argv[]) backoff = (int)login_getcapnum(lc, "login-backoff", 3, 3); /* +* Don't prompt for empty password. +*/ + if (pwd && !pwd->pw_passwd[0]) + fflag = 1; + + /* * Turn off the fflag if we have an invalid user * or we are not root and we are trying to change uids. */
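Review bot: in the block added before the "Turn off the fflag" check, `if (pwd && !pwd->pw_passwd[0]) fflag = 1;` reuses the skip-authentication flag for every account with an empty password field, on every tty and for every caller, so a single blank pw_passwd entry becomes a promptless login wherever this login(1) runs. I would make it opt-in, for example by reading a boolean capability from `lc` next to the `login-backoff` lookup just above (the capability name would be new, nothing on this page defines one) and setting fflag only when it is present. The new comment should also say that fflag skips authentication rather than only the prompt, and that this placement relies on the following block to clear the flag again for invalid users and non-root uid changes.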
Re: regarding the default path for pkg_add in -current
On Wed, 27 Sep 2017 20:57:10 -0600, and...@quickstick.net wrote: > Also, after login, pkg_add is very determined to use to the same > ../6.2/.. directory path. For the benefit of others who might find > themselves in the same spot, the workaround is to use the full path > while using pkg_add. A better solution is to use pkg_add -Dsnap Cheers, Daniel
Re: stickers
Secondary sticker sources (like Red Bubble et al) are very low quality compared to the original art and make no money for the project; I wouldn't waste my time on that. I have supplies for my next two laptops, so I suppose we have a year to persuade you on how good it would be to make stickers again. Regards, 2017-10-02 5:21 GMT+02:00 Theo de Raadt : > > Now that there are no CDs, are stickers also gone? > > I guess many people didn't think through what happened when CD > production stopped. > > Stickers, posters, etc. were subsidized by the sales of CDs. > > With CDs gone, of course there isn't an efficient way to sell > stickers, and make even a few pennies in return for producing art. > > Some shops now print our older stickers or newer (minimal) release > art, and there's nothing we can do about it. We can complain but it > solves nothing. The project and I don't get a single penny. > > Sure those of you who want the stickers benefit, but that's selfish > isn't it. > > The OpenBSD Foundation never participated in making artwork. It was > always done by me, out of CD income. It was a tremendous amount of > effort twice a year, coming up with the ideas and completing them. > When CDs stopped returning at least some income, that process had to > stop for everything. > >
l2tp client
I’ve just started a job where I will be working from home a bunch, so I would like to configure my home router as an ipsec/l2tp client and to push the routes from my work network to all computers on my home network. i.e. a site-to-site VPN. I have found a bunch of documentation for configuring OpenBSD as a ipsec/l2tp server, but not as much as a client. I assume I’ll need the xl2tpd package… When I connect a Mac, iOS device, or PC, the VPN requires a username, password and a secret. Can anyone point me in the direction of some documentation to get started? Thanks! Daniel Boyd
CoDel Flows
In playing around with the new CoDel/fair traffic sharing, it's not clear to me the best way to work with this when also using the previous queuing. pfctl balks when I specify a flow on the root queue with child queues present, so I only specify flows on child queues. Will CoDel still work as expected if all my child queues have flows, but my root queue is using "fifo" (revealed with systat queues)? Assuming it does, if one of my child queues is just for TCP ACKs, does it make sense to have a small quantum for this queue, but a larger quantum for a child queue that focuses on bulk file transfers? Or is CoDel orthogonal of child queues and it only really works well with a single root flow queue (and requires me to give up bandwidth control with child queues)? Also, the pf.conf man page says the default qlimit is 1024, but, if I don't specify a qlimit, pfctl –vsq shows a qlength of 50 when I was expecting it to be 1024. What am I missing? Thank you!
Re: CoDel Flows
> Also, the pf.conf man page says the default qlimit is 1024, but, if I > don't specify a qlimit, pfctl –vsq shows a qlength of 50 when I was > expecting it to be 1024. What am I missing? Why would you want to have a pool of 1024 as opposed to the default of 50 slots for your queue? You will increase latency when you have congestion. It's not because you can have a 1024 limit that it makes sense to use it by default. The default is 50 and that's plenty good for most usage. As Peter Hansteen would write, Quote "Cranking up queue sizes here means we’re a little less likely to drop packets when the traffic approaches the set limits, but it also means that when the traffic shaping kicks in, we’ll see increased latency for connections that end up in these larger than default pools." It's a trade off, just know the impact of your choice. As for the CoDel I will let someone that actually uses it explain it better than I could. Hope this helps some. Daniel
Re: CoDel Flows
On Thu, Oct 12, 2017 at 11:48 PM, Daniel Ouellet wrote: >> Also, the pf.conf man page says the default qlimit is 1024, but, if I >> don't specify a qlimit, pfctl –vsq shows a qlength of 50 when I was >> expecting it to be 1024. What am I missing? > > Why would you want to have a pool of 1024 oppose to the default of 50 > slots for your queue? Because CoDel works differently. > You will increase latency when you have congestion. It's not because you > can have a 1024 limits that it make sense to use it by default. > > The default is 50 and that's plenty good for most usage. > > As Peter Hansteen would write, Quote > > "Cranking up queue sizes here means we’re a little less likely to drop > packets when the traffic approaches the set limits, but it also means > that when the traffic shaping kicks in, we’ll see increased latency for > connections that end up in these larger than default pools." > > It's a trade off, just know the impact of your choice. While I agree with you (and Peter!), this is no longer the case with CoDel--see the author's guidance at https://www.reddit.com/r/openbsd/comments/6ttuhn/fq_codel_scheduling/ and send him beer to convince him to write the article he mentions.
pkgconfig not available
re: pkgconfig not available I see pkgconfig as being available in OpenBSD 6.2 when I run pkg_mgr, but I don't see it in several mirrors. Please advise. Thanks, Daniel Villarreal
Re: pkgconfig not available
I get this... "ksh: pkgconfig: not found" Hmm. # apropos pkg |grep config pkg-config(1) - fetch metadata about installed software packages # pkg-config --help Okay, well, something needs to be corrected somewhere, pkg_mgr was indicating "pkgconfig" ? Thanks On 10/15/17 10:16, Marc Espie wrote: > On Sun, Oct 15, 2017 at 09:55:40AM -0400, Daniel Villarreal wrote: >> re: pkgconfig not available >> >> I see pkgconfig as being available in OpenBSD 6.2 when I run pkg_mgr, >> but I don't see it in several mirrors. Please advise. >> >> Thanks, >> Daniel Villarreal > > Did you try running it ? > > pkgconfig is part of the base system, as a complete rewrite. > No wonder you won't find it in packages. >
Re: CoDel Flows
On Fri, Oct 13, 2017 at 7:47 PM, Mike Belopuhov wrote: > On Fri, Oct 13, 2017 at 05:33 +0000, Daniel Melameth wrote: >> In playing around with the new CoDel/fair traffic sharing, it's not >> clear to me the best way to work with this when also using the >> previous queuing. > > It's not clear to me either at least not in the generic case :-) > I guess it depends on what you're trying to achieve. > >> Will CoDel still work as expected if all my child queues have flows, >> but my root queue is using "fifo" (revealed with systat queues)? > > Depends on what you expect CoDel to do. Normally the idea here is > to set an upper bound on latency that all outgoing packets experience. > For example if you have 10 connections and 2 are uploading data and > other 8 are a mix of ACKs and SSH keystrokes, with FIFO you'd normally > see bulk connections saturating the link and not leaving other 8 > connections a chance to send a packet. > > So you go and create those HFSC queues and try to reserve the bandwidth > for your ACKs, SSH and whatnot. The approach that FQ-CoDel takes is > different. You no longer need to reserve bandwidth as FQ-CoDel attempts > to make the bandwidth "available" when needed -- this is what is fair > sharing essentially. Which in practice means that those 8 connections > are able to send their small packets "practically" whenever they want > without disrupting your uploads. > > This means that if all you want is to be able for your outgoing > connections to fair share the bandwidth you don't need to reserve the > bandwidth at all. > >> Assuming it does, if one of my child queues is just for TCP ACKs, does >> it make sense to have a small quantum for this queue, but a larger >> quantum for a child queue that focuses on bulk file transfers? > > Quantum of service just tilts the balance at the expense of extra CPU > cycles and potentially extra overall latency. I think you need to > figure out the big picture first and then fine tune. 
> >> Or is >> CoDel orthogonal of child queues and it only really works well with a >> single root flow queue (and requires me to give up bandwidth control >> with child queues)? > > "Works well this way or that way" would imply that we have enough data > to make such a judgement. At the moment we don't. Last week we had it > running with 8192 flows feeding into an LTE connection with a rather > flaky 50Mbit/s downlink (150Mbit/s up) for about a hundred of users. > With a few HFSC tweaks we had almost no observable SSH latency with > ping times to 8.8.8.8 of about 25ms with fairly low variation. This > setup used two root queues: one on the uplink, one on the downlink. > >> Also, the pf.conf man page says the default qlimit is 1024, but, if I >> don't specify a qlimit, pfctl –vsq shows a qlength of 50 when I was >> expecting it to be 1024. What am I missing? > > I've updated the man page today to address some of the concerns since > the same question was also brought up on reddit yesterday: > > https://www.reddit.com/r/openbsd/comments/75ps6h/fqcodel_and_pf/ > > The gist of it is that 1024 is not the HFSC default. When you're > specifying both "flows" and "bandwidth" thus requesting an FQ-CoDel > queue manager for your HFSC queue, the HFSC default qlimit (50) is > still applied. It's a bit counter-intuitive I guess, so I've removed > mention of this from the man page. Thanks for taking the time for a detailed reply Mike. From your Reddit post, it seems, for those queues that use both flows and bandwidth, it makes sense to always override the HFSC qlimit default, but will this increase latency (in the same way a queue with no flows will increase latency with a higher qlimit)? I'll see what I can dig up on CoDel and quantum outside of OpenBSD circles. 
That said, I've been piloting various queuing scenarios in a Hyper-V environment, but I haven't been able to make much progress here as, it appears, there's some timing issue with HFSC and/or hvn(4) (thank you for terminating my use of de(4), which was horrible under Hyper-V!); I can never seem to reach my modest bandwidth specifications with something like tcpbench, but perhaps this is better left for another thread or I should just get on the vmd(8) bandwagon. Cheers.
macppc netboot
I'm attempting to install onto a G4 Cube with a busted CD-ROM drive. I've never done network booting before, so I'm sure I'm just missing something. I set up NFS and TFTP on a linux box, copied ofwboot to the TFTP share and bsd.rd plus all the tgz files to the NFS share. In Open Firmware, I'm setting: default-server-ip -> ip of linux box root-path -> "x.x.x.x:/path/to/nfs/share" next-server -> ip of linux box and then: > boot enet:,ofwboot /bsd.rd The TFTP part seems to be working. I get: >> OpenBSD/macppc BOOT 1.6 but then: open(/pci@f400/ethernet:/etc/boot.conf): Unknown error: code 60 boot> cannot open /pci@f400/ethernet:/etc/random.seed: Unknown error: code 60 booting /pci@f400/ethernet:/bsd.rd: open /pci@f400/ethernet:/bsd.rc: Unknown error: code 60 failed(60). will try /bsd boot> ..and then it fails to boot bsd Am I required to set up a DHCP server, too?
Re: macppc netboot
OK -- from dhcpd.conf: host cube { next-server 192.168.60.157; option subnet-mask 255.255.255.0; option routers 192.168.60.1; option root-path "/srv/obsd62"; fixed-address 192.168.60.235; hardware ethernet 00:30:65:71:c6:e2; } And then in OF: 0 > boot enet:,ofwboot /bsd.rd CLIENT: 003065571c6e2 192.168.60.235 SERVER: f 192.168.60.157 ROUTER: f 192.168.60.1 Transfer FILE: ofwboot \ TFTP-actual=fcbc TFTP-adler32=c626975c load-size=fcbc adler32=c626975c Loading ELF >> OpenBSD/macppc BOOT 1.6 Using IP address: 192.168.60.235 root addr=192.168.60.157 path=/srv/obsd62 callrpc: error = 2 open(/pci@f400/ethernet:/etc/boot.conf): Unknown error: code 72 boot> Using IP address 192.168.60.235 root addr=192.168.60.157 path=/srv/obsd62 callrpc: error = 2 cannot open /pci@f400/ethernet:/etc/random.seed: Unknown error: code 72 booting /pci@f400/ethernet:/bsd.rd Using IP address: 192.168.60.235 root addr=192.168.60.157 path=/srv/obsd62 callrcp: error = 2 open /pci@f400/ethernet:/bsd.rd: Unknown error: code 72 failed(72). will try /bsd ... So... DHCP is working... TFTP is working. I just don't think NFS is working. I'm able to mount the nfs share on another computer, so, i'm kind of out of ideas... On Wed, 2017-10-18 at 14:50 +0200, Solène Rapenne wrote: > Je 2017-10-18 00:47, Daniel Boyd skribis: > > I'm attempting to install onto a G4 Cube with a busted CD-ROM > > drive. > > I've never done network booting before, so I'm sure I'm just > > missing > > something. > > > > I set up NFS and TFTP on a linux box, copied ofwboot to the TFTP > > share > > and bsd.rd plus all the tgz files to the NFS share. > > > > In Open Firmware, I'm setting: > > > > default-server-ip -> ip of linux box > > root-path -> "x.x.x.x:/path/to/nfs/share" > > next-server -> ip of linux box > > > > and then: > > > > > boot enet:,ofwboot /bsd.rd > > > > The TFTP part seems to be working. 
I get: > > > > > > OpenBSD/macppc BOOT 1.6 > > > > but then: > > > > open(/pci@f400/ethernet:/etc/boot.conf): Unknown error: code 60 > > boot> > > cannot open /pci@f400/ethernet:/etc/random.seed: Unknown error: > > code 60 > > booting /pci@f400/ethernet:/bsd.rd: open > > /pci@f400/ethernet:/bsd.rc: Unknown error: code 60 failed(60). > > will > > try /bsd > > boot> > > > > ..and then it fails to boot bsd > > > > Am I required to set up a DHCP server, too? > > Hello, I had the same problem 2 years ago : > http://misc.openbsd.narkive.com/uSQMW0M5/need-help-to-install-openbsd > -5-9-macppc-via-pxe > > try with root-path "/path/to/nfs/share" > in fact, if I remember well, the TFTP boot will use > $next-server:/$root-path so you don't > need to put the ip in root-path. > >
Hyper-V Disk Performance
Is there a recommended configuration for virtual disks in Hyper-V? I have a virtual machine that I set up recently running 6.2 that has *very* slow disk performance. It took well over an hour to untar ports.tar.gz. The host server is a few years old, but it's running 3 RAID-5 7200rpm drives, quad-core Xeon and 32 GB RAM... so not exactly a slow machine. And this is the only Hyper-V VM it's hosting. I've got the virtual disk configured as IDE / VHDX / Expanding (the Hyper-V defaults). The controller can be IDE or SCSI. The disk format can be VHD or VHDX. And the disk can be configured as fixed or expanding. I'm going to try converting the disk to fixed and defragging my NTFS. Any thoughts on IDE vs SCSI and VHD vs VHDX?
Re: Hyper-V Disk Performance
Thanks for the helpful response.

FYI, I did some more research and discovered that Hyper-V doesn’t support booting from virtual SCSI drives, so that solves that.

I have another vm running on my laptop under KVM that runs substantially faster than the hyper-v vm. My laptop is far below the hyper-v server in most respects performance-wise, but it does have an SSD. I’d be curious to find out how much of that is raw disk IO performance and how much is KVM vs Hyper-V and openbsd’s respective drivers for each.

I’ll give the softdeps suggestion a shot.

Sent from my iPhone

> On Oct 23, 2017, at 7:25 PM, Nick Holland wrote:
>
>> On 10/23/17 17:41, Daniel Boyd wrote:
>> Is there a recommended configuration for virtual disks in Hyper-V? I
>> have a virtual machine that I set up recently running 6.2 that has
>> *very* slow disk performance. It took well over an hour to untar
>> ports.tar.gz. The host server is a few years old, but it's running 3
>> RAID-5 7200rpm drives, quad-core Xeon and 32 GB RAM... so not exactly a
>> slow machine. And this is the only Hyper-V VM it's hosting.
>
> actually...raid5 is slow on writes (write one block = read existing
> block. Read parity block. Write data, write parity. Hopefully, you
> have a write cache that's on and working), 7200rpm drives are slow by
> any standards these days. That's a heavy-lifting drive, not anything to
> mention in the same sentence as "not slow".
>
> (don't get me wrong, I got a lot of heavy-lifting drives. And I'm kinda
> slow. But I try to be realistic about it).
>
>> I've got the virtual disk configured as IDE / VHDX / Expanding (the
>> Hyper-V defaults).
>
> "expanding" means not preallocating the disk, I'm guessing? Again, not
> a performance choice. Your file system fragments are going to be
> fragmented.
>
>> The controller can be IDE or SCSI. The disk format
>> can be VHD or VHDX. And the disk can be configured as fixed or
>> expanding. I'm going to try converting the disk to fixed and
>> defragging my NTFS.
>>
>> Any thoughts on IDE vs SCSI and VHD vs VHDX?
>
> Neat thing: OpenBSD doesn't care much. You can change it at the
> hypervisor level, reboot, and see for yourself how it works. This isn't
> Windows or Linux which will have a cow if you change the disk type or
> controller type after load. (before DUIDs, you might have to change your
> /etc/fstab, but as long as you are using DUIDs, you should be in good
> shape there).
>
> But ... for unpacking ports, make sure that file system is mounted (at
> the OpenBSD level) with softdeps. Yes, it's really a huge difference
> for lots of tiny files, which is exactly what the ports tree is. This
> will matter more than hypervisor knobs, I suspect.
>
> Nick.
>
Re: Hyper-V Disk Performance
On Oct 23, 2017, at 8:57 PM, Daniel Boyd wrote:
>
> Thanks for the helpful response.
>
> FYI, I did some more research and discovered that Hyper-V doesn’t support
> booting from virtual SCSI drives, so that solves that.
>
> I have another vm running on my laptop under KVM that runs substantially
> faster than the hyper-v vm. My laptop is far below the hyper-v server in
> most respects performance-wise, but it does have an SSD. I’d be curious to
> find out how much of that is raw disk IO performance and how much is KVM vs
> Hyper-V and openbsd’s respective drivers for each.
>
> I’ll give the softdeps suggestion a shot.
>
> Sent from my iPhone
>
>>> On Oct 23, 2017, at 7:25 PM, Nick Holland
>>> wrote:
>>>
>>> On 10/23/17 17:41, Daniel Boyd wrote:
>>> Is there a recommended configuration for virtual disks in Hyper-V? I
>>> have a virtual machine that I set up recently running 6.2 that has
>>> *very* slow disk performance. It took well over an hour to untar
>>> ports.tar.gz. The host server is a few years old, but it's running 3
>>> RAID-5 7200rpm drives, quad-core Xeon and 32 GB RAM... so not exactly a
>>> slow machine. And this is the only Hyper-V VM it's hosting.
>>
>> actually...raid5 is slow on writes (write one block = read existing
>> block. Read parity block. Write data, write parity. Hopefully, you
>> have a write cache that's on and working), 7200rpm drives are slow by
>> any standards these days. That's a heavy-lifting drive, not anything to
>> mention in the same sentence as "not slow".
>>
>> (don't get me wrong, I got a lot of heavy-lifting drives. And I'm kinda
>> slow. But I try to be realistic about it).
>>
>>> I've got the virtual disk configured as IDE / VHDX / Expanding (the
>>> Hyper-V defaults).
>>
>> "expanding" means not preallocating the disk, I'm guessing? Again, not
>> a performance choice. Your file system fragments are going to be
>> fragmented.
>>
>>> The controller can be IDE or SCSI. The disk format
>>> can be VHD or VHDX. And the disk can be configured as fixed or
>>> expanding. I'm going to try converting the disk to fixed and
>>> defragging my NTFS.
>>>
>>> Any thoughts on IDE vs SCSI and VHD vs VHDX?
>>
>> Neat thing: OpenBSD doesn't care much. You can change it at the
>> hypervisor level, reboot, and see for yourself how it works. This isn't
>> Windows or Linux which will have a cow if you change the disk type or
>> controller type after load. (before DUIDs, you might have to change your
>> /etc/fstab, but as long as you are using DUIDs, you should be in good
>> shape there).
>>
>> But ... for unpacking ports, make sure that file system is mounted (at
>> the OpenBSD level) with softdeps. Yes, it's really a huge difference
>> for lots of tiny files, which is exactly what the ports tree is. This
>> will matter more than hypervisor knobs, I suspect.
>>
>> Nick.
>>
>

Also, out of curiosity, why is softdep not enabled by default? Assume there must be some downside to having it on?
Re: is there something missing in pledge?
On Tue, Oct 24, 2017 at 12:31:50PM +0200, Peter J. Philipp wrote:
> beta# cpio -o -F spwd.db
> /etc/spwd.db
> cpio: Unable to open /etc/spwd.db to read: Operation not permitted
>
> This is why I asked if the pledge is too tight on cpio.

Yes, I'd say you are right.

Theo, run

# find /etc | cpio -o >/dev/null

or

# tar cf /dev/null /etc

Do you really expect that to fail for /etc/spwd.db? But grep or hexdump (both pledged, too) work just fine on that file?

Daniel
Re: is there something missing in pledge?
On Tue, Oct 24, 2017 at 01:31:32PM +0200, Sebastien Marie wrote:
> > This is why I asked if the pledge is too tight on cpio.
>
> I agree that it could be disappointing. but cpio is pledged, so it
> couldn't open /etc/spwd.db, because we considered this operation as
> a privileged operation.
>
> in order to backup this file, you need another tool. someone already
> mentioned dump(8) as example.

So all an attacker has to do is call pledge() again, with LESS permissive promises, i.e. giving up getpw?

#include <err.h>
#include <stdio.h>
#include <unistd.h>

int
main()
{
	/* First pledge includes the "getpw" promise. */
	if (pledge("stdio rpath getpw", NULL) == -1)
		err(1, "pledge");
	printf("first fopen %s\n",
	    fopen("/etc/spwd.db", "r") ? "succeeded" : "failed");

	/* Second pledge drops "getpw" and keeps only "stdio rpath". */
	if (pledge("stdio rpath", NULL) == -1)
		err(1, "pledge");
	printf("second fopen %s\n",
	    fopen("/etc/spwd.db", "r") ? "succeeded" : "failed");

	return 0;
}

first fopen failed
second fopen succeeded

Daniel
Re: Running OpenVPN as a client breaks SSH access into same box? Is it a problem with default route being changed?
On Tue, 24 Oct 2017 16:25:08 -0400, "tec...@protonmail.com" wrote:
> It's currently a bit tricky for me getting into the box physically.
> If only I had SSH access ha!
>
> I'm almost 100% certain that returning packets are being routed over
> the tun0 (new default route) interface instead of em0.

http://man.openbsd.org/pf.conf#reply-to should help you

>
> > Original Message
> > Subject: Re: Running OpenVPN as a client breaks SSH access into
> > same box? Is it a problem with default route being changed? Local
> > Time: 24 October 2017 10:13 PM UTC Time: 24 October 2017 20:13
> > From: kgo...@gmail.com
> > To: tec...@protonmail.com
> >
> > you are more likely to receive help if you post the output of
> > "ifconfig -a" and "netstat -nr" commands.
> >
> > On Tue, Oct 24, 2017 at 4:06 PM, tec...@protonmail.com
> > tec...@protonmail.com wrote:
> >
> >> Hi,
> >> I have a very very basic setup. Not using any other pf rules other
> >> than what comes default with 6.2-Release and almost every other
> >> release. Running OpenVPN works without a problem - able to connect
> >> as a client to a remote OpenVPN server. Everything is properly
> >> routing, verified by checking my IP. Problem is that as soon as
> >> OpenVPN is running, I cannot SSH in to my OpenBSD machine from any
> >> other machine on the Lan. Now, I'm guessing this has something to
> >> do with the default route being changed automatically by OpenVPN
> >> but I am still a total newbie with routing and pf so I have not a
> >> clue how to fix this, especially in any sort of manner which I can
> >> safely assume it to be the correct way. Can someone tell me how to
> >> resolve this? Thank
Mac G4 Cube Problems
I'm into week 2 of trying to get OpenBSD installed on my G4 Cube. I first tried installing via CD, but the CD-ROM drive is broken. I then tried DHCP/TFTP/NFS booting but couldn't get that working. I then tried attaching another IDE CD-ROM drive to the Cube, but I couldn't get the CD to boot (tried install62.iso and cd62.iso).

boot cd:,ofwboot /6.2/macppc/bsd.rd
DISK-LABEL: read of block 0 failed
ATAPI-DISK: open of DISK-LABEL failed
can't OPEN: cd:,ofwboot

I guess maybe the IDE drive is having issues reading the CD? I have no idea.

Abandoning that idea, I am now attempting to boot the installer from the internal hard drive. I read in INSTALL.macppc that the bootloader has to be on a DOS partition (or HFS if dual booting which I'm not), so I looked at the macppc install.md for clues as to how this works.

Here's what I've done so far:

1) Installed OpenBSD 6.2 on old spare Dell with IDE hard drive/CD-ROM
2) Bought Torx T10 screw driver off Amazon
3) unscrewed some things to get to the IDE connector and then hooked the Cube hard drive up to the Dell as IDE secondary master
4) copied /usr/mdec/mbr from macppc base62.tgz
5) reading from macppc install.md:
   5a) dd if=/dev/zero of=/dev/rwd1c bs=1M count=1 #assume this is wiping out the old MBR
   5b) fdisk -f mbr -iy wd1 #write default macppc mbr to disk
6) newfs -t msdos wd1i
7) newfs all the openbsd partitions
8) mount dos partition and wd1a ffs partition
9) copy ofwboot to dos partition
10) copy bsd.rd and installation tgz files to ffs partition
11) Hooked the hard drive back into the Cube, powered it on and then typed this into OpenFirmware

0 > boot hd:,ofwboot /bsd.rd

the system added things to the end of that line after I pressed enter:

0 > boot hd:,ofwboot /bsd.rd load-size=fcbc adler32=c626975c

and...

Loading ELF
>> OpenBSD/macppc BOOT 1.6
/pci@f200/mac-io@17/ata-4@1f000/disk@0:/etc/boot.conf: line too long
boot >
booting /pci@f200/mac-io@17/ata-4@1f000/disk@0:/bsd.rd
/pci@f200/mac-io@17/ata-4@1f000/disk@0:/bsd.rd: Inappropriate file type or format
failed(12304). will try /bsd

So...what am I doing wrong? It's finding ofwboot, but not the kernel. Where is ofwboot looking for bsd.rd?? I assume it shouldn't go in the DOS partition since it's only recommended to be 1MB.
Re: NFS keeps crashing
On Sat, Apr 21, 2018 at 10:38:48AM +, Rupert Gallagher wrote:
> What I do not like of obsd is the negative energy of its community. We
> all have a sympatic gene and tend to mirror the social environment. We
> should be mindful of it, and try to stay positive. Another thing I do
> not like is the absence of industrial support. I mean, am I the only
> one on obsd nfs with windows 10 clients? It feels too much pioneering
> around here...

On how to report properly, please refer to:
https://www.openbsd.org/report.html

The project website has a list of vendors offering commercial, "industrial" support. Please refer to:
https://www.openbsd.org/support.html

--
db
OpenBSD 6.3 mount_smbfs missing ?!
Hello,

I could not find mount_smbfs in the base OS anymore, no packages like it? What is currently the recommended samba share mount tool for OpenBSD?

I have tried usmb, it works but slow:

time dd bs=1M count=1000 if=/dev/zero of=/mnt/smb/big
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 56.149 secs (18674606 bytes/sec)

real    0m56.405s
user    0m0.010s
sys     0m4.810s

While direct disk write on the samba server which is Debian Wheezy:

time dd if=/dev/zero of=big2 bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 1.07052 s, 980 MB/s

real    0m1.073s
user    0m0.000s
sys     0m1.068s

Takes like 1 second, I have repeated the test couple of times and come up with the same numbers that it is almost 60x times slower to write out a file through samba.
Re: Wake-on-LAN from suspended state
On Tue, Apr 24, 2018 at 2:11 PM, Paul de Weerd wrote:
> I've been playing with WoL recently and found that my desktop machine
> (a Dell Optiplex 9020) can be woken up from another OpenBSD machine on
> the same network with `doas arp -W ${MAC} em1` (where ${MAC} is the
> mac address of my desktop machine). As I'm using softraid full disk
> encryption, this doesn't help too much - I still need to be present to
> unlock the crypto volume manually.
>
> Figured I try waking the machine up from sleep mode. This machine
> suspends fine with zzz, and also wakes perfectly from sleep by pushing
> the power button (included dmesg contains one suspend / resume cycle).
> However, in suspended state, I can't wake up the machine with the
> magic packet.
>
> Reading up on the topic of WoL shows a field full of rabbit holes.
> Does anyone know if it is possible at all to do this with OpenBSD?
> I'm guessing the NIC should be left in a state that allows it to wake
> the rest of the machine when entering suspend - perhaps that's not
> done on purpose because it's not wanted. Can anyone shed some light
> on this matter?

If I understand you correctly, have you tried enabling WoL via ifconfig?
state-policy floating Expectations
The man page defines this as "States can match packets on any interfaces." I understood this to mean that state created on one interface would automatically create state, or allow a related match, on another interface, but this is not the case.

Simple example:

Host A 10.0.0.2
Firewall 10.0.0.1 (hvn0) 10.0.1.1
Host B 10.0.1.2

/etc/pf.conf from the firewall:

block log
pass in on hvn0

With the above, traffic cannot pass from A to B. With pf disabled on the firewall, traffic passes. I expected state to be created from the incoming packet, and a state entry is, but the state is never complete/established (left as CLOSED:SYN_SENT) and this does not work, obviously.

So, what's the expanded definition of floating? And how does this compare to if-bound in the example above if it was applied to the pass rule? I've found related threads from the past, but I'm still confused and would appreciate a clue stick.

Thanks.
Re: Return back dhclient lease time displaying after renew an IP address manually
On Thu, Apr 26, 2018 at 2:11 PM, Denis wrote:
> After upgrading 6.2amd64 -> 6.3amd64 there is no lease time info present
> by renewing an IP address using '#sh /etc/netstart if0' command.
>
> Manually run dhclient shows MAC address of a dhcpd server (very useful)
> but lease time has been deprecated since 6.2 (very useful for different
> dhcp servers lease time determining). Hope this helpful information will
> be returned back in additional to dhcpd server's MAC added in 6.3.

cat /var/db/dhclient.leases.?
N7260 wifi card bug (hardware or driver?)
Does anyone in here happen to be running openbsd 6.3 in some machine which has a N7260 wifi card? I have problems with mine (thinkpad x240), and since it only happens on openbsd as far as I can tell, I was wondering if it is some kind of driver problem. I tested ubuntu 16.04, which uses version 17 of the intel firmware, and the problem doesn't happen. Openbsd is using version 16 of intel firmware.

The problem is that whenever I am downloading or uploading any file bigger than a couple of megabytes, performance will degrade during the transmission and speed will drop to a halt, often timing out. Doing some research on the web, I was able to find users of other OSes complaining about a similar problem with N7260, but the reports I found were a couple of years old, which made me think that it was possibly a bug in the intel firmware which they probably fixed since then.

It does not seem to be related to my wifi router nor service provider, since the same happens with another router and provider. It also happens not only in http transfers, but also in ssh.

I didn't try to run -current because I didn't see any change in iwm.

Thanks in advance for any help. Below is my dmesg output:
Re: Suspend on Lenovo T440
On Sat, May 05, 2018 at 03:14:32PM +, Ken M wrote:
> So I recently picked up a Lenovo T440 for a good price to use as my OpenBSD road
> warrior and replace the aging Toshiba I was using. Everything works but 2 things:
>
> 1. Bluetooth of course
> 2. Resume from suspend on lid close
>
> I am writing because of number 2. For now I have disabled suspend on lid close
> but I was wondering if other T440 users might have gotten suspend and resume on
> lid close and open to work for another option on this computer.

Please check if this helps you:
https://marc.info/?l=openbsd-misc&m=152230308012611&w=2

--
db
Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
On Mon, May 7, 2018 at 10:40 AM, Martin Gignac wrote:
> In Juniper SRXes and Netscreen firewalls one defines security policies
> (firewall rules) according to a "from" security zone, and a "to"
> security zone. Rules within each "from-to" combo can then focus on
> allowing or blocking individual IP subnets if required.

...

> I am looking to define firewall policies on OpenBSD where I can
> enforce something like "all traffic from lab01 to lab02 is allowed by
> default, but all traffic from lab02 to to lab01 is denied by default".
> In this case lab01 and lab02 are bound to different interfaces
> (obviously), but behind each interface is another router to which are
> attached a changing number of subnets, so I want to avoid having to
> update subnet lists in my pf rules constantly. This situation would be
> simple to deal with in Juniper/Netscreen or Linux, but I'm having a
> hard time figuring out how to achieve a similar result in pf. I
> thought about passing all traffic on ingress on the lab01 and lab02
> interfaces, tagging that traffic with a "from_lab0x" tag, and then
> having outbound rules take action based on the relevant interface and
> tag, like so:
>
> lab01 = em1
> lab02 = em2
>
> set state-policy if-bound
>
> block
>
> pass in on $lab01 tag from_lab01
> pass in on $lab02 tag from_lab02
>
> pass in on $lab02 tagged from_lab01

You could also replace the above with "pass in on $lab02 received-on $lab01".

> block out on $lab01 tagged from_lab02
>
> Does this look like it makes sense? Is using an 'if-bound'
> state-policy ill-advised? Are there any obvious problems with this
> method? If so, is there a better way to achieve my goal?
Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
On Mon, May 7, 2018 at 11:51 AM, Daniel Melameth wrote:
> On Mon, May 7, 2018 at 10:40 AM, Martin Gignac
> wrote:
>> In Juniper SRXes and Netscreen firewalls one defines security policies
>> (firewall rules) according to a "from" security zone, and a "to"
>> security zone. Rules within each "from-to" combo can then focus on
>> allowing or blocking individual IP subnets if required.
> ...
>
>> I am looking to define firewall policies on OpenBSD where I can
>> enforce something like "all traffic from lab01 to lab02 is allowed by
>> default, but all traffic from lab02 to to lab01 is denied by default".
>> In this case lab01 and lab02 are bound to different interfaces
>> (obviously), but behind each interface is another router to which are
>> attached a changing number of subnets, so I want to avoid having to
>> update subnet lists in my pf rules constantly. This situation would be
>> simple to deal with in Juniper/Netscreen or Linux, but I'm having a
>> hard time figuring out how to achieve a similar result in pf. I
>> thought about passing all traffic on ingress on the lab01 and lab02
>> interfaces, tagging that traffic with a "from_lab0x" tag, and then
>> having outbound rules take action based on the relevant interface and
>> tag, like so:
>>
>> lab01 = em1
>> lab02 = em2
>>
>> set state-policy if-bound
>>
>> block
>>
>> pass in on $lab01 tag from_lab01
>> pass in on $lab02 tag from_lab02
>>
>> pass in on $lab02 tagged from_lab01
>
> You could also replace the above with "pass in on $lab02 received-on $lab01".

I meant "pass out on $lab02 received-on $lab01". Obviously pass in wouldn't work in your example and mine.

>> block out on $lab01 tagged from_lab02
>>
>> Does this look like it makes sense? Is using an 'if-bound'
>> state-policy ill-advised? Are there any obvious problems with this
>> method? If so, is there a better way to achieve my goal?
OT: Temperature sensors suggestions?
Does anyone have a decent temperature sensors that can connect to an OpenBSD server and be reliable and give any decent reading via either USB or Serial port or even stand alone via Ethernet?

I asked because yes I can use the sensors on some servers, but I got a pretty expensive router blowing up because an AC unit stop working and in a few hours the router was history and I need something reliable so I can graph the changes in temperature to keep track of things.

I got lucky this time as that using was providing 192 VoIP channels and I had just moved them from PRI to full SIP like a month earlier. If I haven't done that it would have been a disaster for me!

So, I need more than just servers sensors so I can place these at various location to get a better idea of what's going on.

I don't understand why it is so difficult to have decent AC technician keep AC units working properly. It's not like brain surgery, but that's always a problem.

Anything you know or use that is reliable that you can recommend would be very much appreciated.

I am trying to keep it simple, so using base tools in OpenBSD is a must, no proprietary shit or Windows crap like I found tonnes of them. I have NO Windows systems for 20+ years already and I am sure hell not going to install any either. I try to keep it simple. Even snmp reading is fine. Simpler the better. I can grab the reading and save to a database to graph later and what not. I got two self standing units in the past, nice but they get hacked and not useful obviously, so add-on to OpenBSD is better to me. I trust that way more than all the self standing units, records proving it...

If that's no interest for the list feel free to reply off line as well, but I guess some might like to know too.

Thanks in advance for any suggestions...

Daniel
Re: OT: Temperature sensors suggestions?
Thanks,

That looks interesting. I wonder how the wifi works on this ESP8266 module. It's so cheap that it's nothing lost to try. (;

Will see if I get other suggestions, but that's interesting and may well be fun to program a driver for the SHT31-D too. (;

Daniel.

On 5/18/18 5:53 PM, Base Pr1me wrote:
> I roll SHT31-Ds through ESP8266s via I2C. Of course, there is programming
> involved.
> Good hardware though, if that's what you're looking for.
>
> On Fri, May 18, 2018 at 2:42 PM, Daniel Ouellet wrote:
>
>> Does anyone have a decent temperature sensors that can connect to an
>> OpenBSD server and be reliable and give any decent reading via either
>> USB or Serial port or even stand alone via Ethernet?
>>
>> I asked because yes I can use the sensors on some servers, but I got a
>> pretty expensive router blowing up because an AC unit stop working and
>> in a few hours the router was history and I need something reliable so I
>> can graph the changes in temperature to keep track of things.
>>
>> I got lucky this time as that using was providing 192 VoIP channels and
>> I had just moved them from PRI to full SIP like a month earlier. If I
>> haven't done that it would have been a disaster for me!
>>
>> So, I need more then just servers sensors so I can place these at
>> various location to get a better idea of what's going on.
>>
>> I don't understand why it is so difficult to have decent AC technician
>> keep AC units working properly. It's not like brain surgery, but that's
>> always a problem.
>>
>> Anything you know or use that is reliable that you can recommend would
>> be very much appreciated.
>>
>> I am trying to keep it simple, so using base tools in OpenBSD is a must,
>> no proprietary shit or Windows crap like I found tonnes of them. I have
>> NO Windows systems for 20+ years already and I am sure hell not going to
>> install any either. I try to keep it simple. Even snmp reading is find.
>> Simpler the better. I can grab the reading and save to a database to
>> graph later and what not. I got two self standing units in the pass,
>> nice but they get hacked and not useful obviously, so add-on to OpenBSD
>> is better to me. I trust that way more then all the self standing units,
>> records proving it...
>>
>> If that's no interest for the list fell free to reply off line as well,
>> but I guess some might like to know too.
>>
>> Thanks in advance for any suggestions...
>>
>> Daniel
>>
>>
Re: N7260 wifi card bug (hardware or driver?)
Well, this problem just magically went away, and all I did was complain about it here and run syspatch and fw_update regularly. Are there any chances that someone fixed it? Or should I attribute this problem and its solution to something else other than OpenBSD? I looked at the changelog from 6.3 to -current but didn't see anything that could justify this.

bit shifter, is it also fixed on your machine?

On Tue, May 01, 2018 at 01:45:53PM -0600, bit shifter wrote:
> On Tue, May 1, 2018 at 6:16 AM, Daniel Camol??s wrote:
> > Does anyone in here happens to be running openbsd 6.3 in some machine
> > which has a N7260 wifi card? I have problems with mine (thinkpad
> > x240), and since it only happens on openbsd as far as I can tell, I
> > was wondering if it is some kind of driver problem. I tested ubuntu
> > 16.04, which uses version 17 of the intel firmware, and the problem
> > doesn't happen. Openbsd is using version 16 of intel firmware.
> >
> > The problem is that whenever I am downloading or uploading any file
> > bigger than a couple of megabytes, performance will degrade during the
> > transmission and speed will drop to a halt, often timing out. Doing
> > some research on the web, I was able to find users of other OS'es
> > complaining about a similar problem with N7260, but the reports I
> > found were a couple of years old, which made me think that it was
> > possibly a bug in the intel firmware which they probably fixed since
> > then.
> >
> > It does not seem to be related to my wifi router nor service provider,
> > since the same happens with another router and provider. It also
> > happens not only in http transfers, but also in ssh.
> >
> > I didn't try to run -current because I didn't saw any change in iwm.
> >
> > Thanks in advance for any help. Below is my dmesg output:
> >
> I have the same machine, same wifi card, and definitely similar
> issues. I'm kind of relieved to know I'm not the only one. I've
> tried multiple access points, forced 11g mode, 5GHz band, but the
> issue persists. I get poor speeds and stalls -- some web pages never
> finish loading. I've also tested with iperf on my LAN and have poor
> results there as well. In a live Antergos Linux environment, I
> achieve the full potential speed.
>
> This issue has been ongoing for me since I installed OpenBSD 6.1 on
> this machine, and I'm now running a snapshot from April 22. Until
> pretty recently, I've only used this machine casually, so aside from a
> little frustration, it hasn't affected me much. I would love to be
> able to get this resolved though.
>
> My dmesg is below. Please let me know what other information I can
> provide or troubleshooting steps I can take.
>
>
> dmesg:
Re: Programming for OpenBSD
Books related to OpenBSD: https://www.openbsd.org/books.html If you're hacking the OpenBSD base, you'll get very good advice by submitting patches to tech@. You'll find that the OpenBSD community isn't overly fond of political debate or security theater, most people just stick to technical discussion.
NAT64 configuration issues
I'm struggling with a NAT64 config for my network and hoping someone could hit me with a clue bat.

This is going to require a bit of explanation because the IPv6 clients are not directly behind the OpenBSD server. So bear with me on this one.

+-+
| Router |
| |
| |
| |
+++
|| Gi0/1: 38.87.35.97 / 2606:9c80:3:1::/64 eui-64
||
OSPF |
|| Vio0: 38.87.35.102 / inet6 autoconf
+++
| OBSD Server |
| |
| |
| |
+++
|
|
|
| Vio1: 2606:9c80:dead:beef::38.87.35.102/96
X

Vio1 isn't actually connected to anything. But it carries an address with my NAT64 prefix. OSPF is configured to redistribute connected prefixes.

My pf.conf looks like this:

nat64# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

# NAT64
pass in quick on vio1 inet6 from any to 2606:9c80:dead:beef::/96 \
    af-to inet from (egress:0) keep state rtable 0

# Default firewall state
block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

IP Forwarding is enabled:

nat64# sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0

From other places on the network, I can ping Vio1:

--- 2606:9c80:dead:beef::38.87.35.102 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.206/0.258/0.316/0.045 ms

And the prefix is in the routing table:

#show ipv6 route 2606:9c80:dead:beef::/96

VRF name: default
Routing entry for 2606:9c80:dead:beef::/96
Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R - RIP, A B - BGP Aggregate, I L1 - ISIS level 1, I L2 - ISIS level 2, NG - Nexthop Group Static Route

O3 2606:9c80:dead:beef::/96 [110/20]
   via fe80::99b8:c8c1:bceb:f98f, Vlan111

But I cannot ping out:

$ ping6 2606:9c80:dead:beef::808:808
PING6(56=40+8+8 bytes) 2606:9c80:3:1:5054:ff:fea3:911b --> 2606:9c80:dead:beef::808:808
^C
--- 2606:9c80:dead:beef::808:808 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

But I do see traffic hitting my OpenBSD box on the NAT64 prefix:

nat64# tshark -i vio0 -f "net 2606:9c80:dead:beef::/96"
Capturing on 'vio0'
1 0.00 2606:9c80:3:1:5054:ff:fea3:911b → 2606:9c80:dead:beef::808:808 ICMPv6 70 Echo (ping) request id=0xd104, seq=226, hop limit=63
2 1.025972 2606:9c80:3:1:5054:ff:fea3:911b → 2606:9c80:dead:beef::808:808

-Daniel
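The addresses in the post follow the /96 NAT64 layout from RFC 6052, where the IPv4 destination sits in the last 32 bits of the IPv6 address (so 2606:9c80:dead:beef::808:808 stands for 8.8.8.8). The Python sketch below is an added example, not part of the original message: it maps addresses in both directions and flags translated destinations that would land in non-public IPv4 space, which matters when the translation rule accepts traffic `from any`. The function names and the sample list are assumptions made for illustration.

```python
import ipaddress

# NAT64 prefix taken from the post; with a /96 the IPv4 address is the low 32 bits.
NAT64_PREFIX = ipaddress.IPv6Network("2606:9c80:dead:beef::/96")


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=NAT64_PREFIX):
    """Return the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def audit(destinations, prefix=NAT64_PREFIX):
    """Classify IPv6 destinations as seen by whoever operates the translator."""
    report = []
    for dst in destinations:
        v4 = extract(dst, prefix)
        if v4 is None:
            verdict = "not-nat64"      # ordinary IPv6, never translated
        elif not v4.is_global:
            verdict = "internal-v4"    # would reach private/loopback IPv4 space
        else:
            verdict = "ok"
        report.append((dst, str(v4) if v4 is not None else None, verdict))
    return report


# Constructed sample destinations (the first two forms appear in the post).
SAMPLE = [
    "2606:9c80:dead:beef::808:808",
    "2606:9c80:dead:beef::38.87.35.102",
    "2606:9c80:dead:beef::a00:1",
    "2606:9c80:dead:beef::7f00:1",
    "2606:9c80:3:1:5054:ff:fea3:911b",
]

if __name__ == "__main__":
    for dst, v4, verdict in audit(SAMPLE):
        print(f"{dst:40} {str(v4):15} {verdict}")
```
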
Re: NAT64 configuration issues
So I fixed this configuration simply by removing the /64 from Vio0. I guess the IPv4 LAN segment can't have any preexisting IPv6 on it.

Thanks.

-Daniel

On 6/2/2018 15:51, Daniel Corbe wrote:
> I'm struggling with a NAT64 config for my network and hoping someone
> could hit me with a clue bat.
>
> This is going to require a bit of explanation because the IPv6 clients
> are not directly behind the OpenBSD server. So bear with me on this one.
>
> +-+
> | Router |
> | |
> | |
> | |
> +++
> || Gi0/1: 38.87.35.97 / 2606:9c80:3:1::/64 eui-64
> ||
> OSPF |
> || Vio0: 38.87.35.102 / inet6 autoconf
> +++
> | OBSD Server |
> | |
> | |
> | |
> +++
> |
> |
> |
> | Vio1: 2606:9c80:dead:beef::38.87.35.102/96
> X
>
> Vio1 isn't actually connected to anything. But it carries an address
> with my NAT64 prefix. OSPF is configured to redistribute connected
> prefixes.
>
> My pf.conf looks like this:
>
> nat64# cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
>
> set skip on lo
>
> # NAT64
> pass in quick on vio1 inet6 from any to 2606:9c80:dead:beef::/96 \
>     af-to inet from (egress:0) keep state rtable 0
>
> # Default firewall state
> block return    # block stateless traffic
> pass            # establish keep-state
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> # Port build user does not need network
> block return out log proto {tcp udp} user _pbuild
>
> IP Forwarding is enabled:
>
> nat64# sysctl -a | grep forwarding
> net.inet.ip.forwarding=1
> net.inet.ip.mforwarding=0
> net.inet6.ip6.forwarding=1
> net.inet6.ip6.mforwarding=0
>
> From other places on the network, I can ping Vio1:
>
> --- 2606:9c80:dead:beef::38.87.35.102 ping6 statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.206/0.258/0.316/0.045 ms
>
> And the prefix is in the routing table:
>
> #show ipv6 route 2606:9c80:dead:beef::/96
>
> VRF name: default
> Routing entry for 2606:9c80:dead:beef::/96
> Codes: C - connected, S - static, K - kernel, O3 - OSPFv3, B - BGP, R -
> RIP, A B - BGP Aggregate, I L1 - ISIS level 1, I L2 - ISIS level 2, NG -
> Nexthop Group Static Route
>
> O3 2606:9c80:dead:beef::/96 [110/20]
>    via fe80::99b8:c8c1:bceb:f98f, Vlan111
>
>
> But I cannot ping out:
>
> $ ping6 2606:9c80:dead:beef::808:808
> PING6(56=40+8+8 bytes) 2606:9c80:3:1:5054:ff:fea3:911b -->
> 2606:9c80:dead:beef::808:808
> ^C
> --- 2606:9c80:dead:beef::808:808 ping6 statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss
>
> But I do see traffic hitting my OpenBSD box on the NAT64 prefix:
>
> nat64# tshark -i vio0 -f "net 2606:9c80:dead:beef::/96"
> Capturing on 'vio0'
> 1 0.00 2606:9c80:3:1:5054:ff:fea3:911b →
> 2606:9c80:dead:beef::808:808 ICMPv6 70 Echo (ping) request
> id=0xd104, seq=226, hop limit=63
> 2 1.025972 2606:9c80:3:1:5054:ff:fea3:911b →
> 2606:9c80:dead:beef::808:808
>
> -Daniel
Re: "Halted" firewall - is it a good idea as feature? or just a fun story
I'm not loving it. For silly firewalls, I'd rather prefer an FPGA with a PHY. But then, you have managed switches with L3 routing...

2018-06-07 20:48 GMT+02:00 Jacqueline Jolicoeur:
> > Because this method does ensure that no user will ever gain controlling
> access to the firewall itself, there is definitely a huge security benefit.
>
> I do not believe this is true.
>
> > a degree in Philosophy.
>
> This firewall setup reminds me of the minimalism art movement.
Re: OpenBSD logo on my private hompage. It is allowed?
On Thu, 07 Jun 2018 15:51:24 -0800, justina colmena wrote:
> The no-profit clause is new.

That's not true. It was added with revision 1.8

date: 2005/03/24 01:31:13; author: deraadt; state: Exp; lines: +4 -3;
note do not sell

(on github: https://github.com/openbsd/www/commit/46f3713db1ab0fa2183699928305b8b0a29f8683)
Re: OpenBSD logo on my private hompage. It is allowed?
at 11:41 PM, Johannes Krottmayer wrote: But I haven't an animated GIF with "under construction" on my site. :) Like the sites from the good old GeoCities. :) On Fri, Jun 08, 2018 At 05:37:08 +0200, Johannes Krottmayer wrote: On Thu, Jun 07, 2018 At 21:32:55 -0600, Base Pr1me wrote: Not to be a Debbie Downer, but wasn't "under construction" banned from the internet a couple of decades ago? ;) LOL :) Just make sure you embed it in a tag.
Re: Web store
at 5:52 PM, Stuart Henderson wrote: On 2018-06-12, Base Pr1me wrote: Who runs https://www.openbsdstore.com? I went to buy a couple of shirts last Friday, but cert returns errors and paypal linking stuff is quite broken. Also, no one is responding to the ord...@openbsdstore.com address. Any info available? I'm in the US, so that might be the difference. The cert is returning errors on google browsers due to their sunsetting of certificates from certain Symantec CAs. I had a reply from Lyn in May, "Really sorry about this, we're having issues at the moment, as the 'admin' person is no longer around, so struggling to change the cert…" Do they not have access to their own box? Letsencrypt is free and easy to set up and I’m sure any number of individuals on this list are both qualified and willing to lend support for system administration, hosting or both. -Daniel