softraid: adding volumes, CPU requirements, RAID5

2013-05-19 Thread Hugo Osvaldo Barrera
Hi,

I'm building myself an openbsd-based fileserver, which will initially
have three disks with softraid in RAID5 mode.

I've three questions regarding softraid:

1) I intend on using a single-core 1.8GHz Atom processor I have lying
around. Would that limit my performance too much? I'll be using this
fileserver mostly for media (movies/series/music) and some occasional
backups. Can anyone share what CPU they've used and their experience? (I'm
clarifying my intended usage for the fileserver since I think it's quite
relevant to say if the CPU is or isn't enough).

2) How do I add additional volumes to an already created softraid
volume? I intend on adding additional disks as necessary. Is it possible?

3) The man pages report RAID5 as experimental. I'm curious, why is
this so? Is it just not-very-thoroughly tested, or is there some
missing feature? I read on a 2010 presentation that rebuild was not
implemented yet, is this still so?

Thanks,

--
Hugo Osvaldo Barrera




Re: softraid: adding volumes, CPU requirements, RAID5

2013-05-22 Thread Hugo Osvaldo Barrera
On 2013-05-20 07:46, Nick Holland wrote:
> On 05/20/13 00:52, Hugo Osvaldo Barrera wrote:
> > Hi,
> >
> > I'm building myself an openbsd-based fileserver, which will initially
> > have three disks with softraid in RAID5 mode.
> >
> > I've three questions regarding softraid:
> >
> > 1) I intend on using a single-core 1.8GHz Atom processor I have lying
> > around. Would that limit my performance too much? I'll be using this
> > fileserver mostly for media (movies/series/music) and some occasional
> > backups. Can anyone share what CPU they've used and their experience? (I'm
> > clarifying my intended usage for the fileserver since I think it's quite
> > relevant to say if the CPU is or isn't enough).
>
> Wrong question, I think.  More than processor is memory (caching) and
> disk interface (ahci rocks), network interface, etc.

Oh, great, that's good to know. I thought processor power was a very
limiting factor in this. Memory and network won't be an issue in this
case.

>
> > 2) How do I add additional volumes to an already created softraid
> > volume? I intend on adding additional disks as necessary. Is it possible?
>
> Not in the way you are likely thinking.
> Besides, your Atom board probably has a rather finite amount of
> expandability.

Hmm. That makes everything far more complicated. :/
Actually, this motherboard I have lying around has four ports, and there
are some other mini-itx ones with up to seven ports.

>
> > 3) The man pages report RAID5 as experimental. I'm curious, why is
> > this so? Is it just not-very-thoroughly tested, or is there some
> > missing feature? I read on a 2010 presentation that rebuild was not
> > implemented yet, is this still so?
>
> That's really a question you will need to find out though
> experimentation before you implement (i.e., you MUST practice this
> recovery stuff before going into production), but yes, RAID5 rebuild is
> still not there, so I would NOT recommend going this route.

Yes, indeed. It's way too dangerous and I don't have the storage to create
a dump and rebuild if a disk fails.

>
> However, a nice little RAID1 system to start, hopefully leaving you two
> SATA ports for the next generation/upgrade disks.

Regrettably, I've too much data to take this route. The costs are
prohibitive, and I'd need way too many disks.

>
> Nick.
>

Thanks,

--
Hugo Osvaldo Barrera




Fuse on OpenBSD

2013-07-03 Thread Hugo Osvaldo Barrera
About a month ago, I followed up on tech@ that some fuse support had
been merged into the kernel, but disabled by default.
(By the way, congrats and thanks to the devs for that! :D)

I'm wondering if there's any timeframe for this getting enabled by default
- I'd love to have fuse support, but I don't think I'm ready to void my
warranty just yet ;)

Is there more testing needed, or exactly what's necessary for it to
move forward?

On a somewhat related note; might this mean we might be able to port
fuse drivers (like aufs) into BSD? :D

Thanks,

--
Hugo Osvaldo Barrera




Re: softraid: adding volumes, CPU requirements, RAID5

2013-07-03 Thread Hugo Osvaldo Barrera
On 2013-07-02 18:53, Nick Holland wrote:
> On 07/02/13 17:07, Jean-Francois Simon wrote:
> > On 20/05/2013 13:46, Nick Holland wrote:
> >> On 05/20/13 00:52, Hugo Osvaldo Barrera wrote:
> ...
> >>> 3) The man pages report RAID5 as experimental. I'm curious, why
> >>> is this so? Is it just not-very-thoroughly tested, or is there
> >>> some missing feature? I read on a 2010 presentation that rebuild
> >>> was not implemented yet, is this still so?
> >> That's really a question you will need to find out though
> >> experimentation before you implement (i.e., you MUST practice this
> >> recovery stuff before going into production), but yes, RAID5
> >> rebuild is still not there, so I would NOT recommend going this
> >> route.
> >>
> >> However, a nice little RAID1 system to start, hopefully leaving you
> >> two SATA ports for the next generation/upgrade disks.
> >>
> >> Nick.
> >
> > "RAID5 rebuild is still not there" Can you please make it more clear
> > what the actual state of softraid is, what it can and what it cannot do
> > under RAID 5 ... I'm not so sure I get it, thank you.
> >
> > J.-F.
> >
>
> "RAID5 rebuild is still not there" -> there's no RAID5 rebuild.  I'm not
> sure how to make it more clear...
>
> Ok, let's try this...
> Today, you take four 1TB disks, and make a 3TB RAID5 volume.  You can do
> that.  Works great.
>
> Now, a lot of people might call this "Job Done".  Not me.  The point of
> RAID isn't to build complicated systems, but to have the system keep
> your butt out of the fire when things go wrong.
>
> Next month, one of those drives fails.  That's ok, RAID5 is designed to
> keep your data usable with one drive down.  THAT is the point of RAID.
>
> You pat yourself on the back and say, "I'm glad I am using RAID5".
> You replace the failed drive and...
> ...
> um... now what?
> You have a three drive degraded RAID5 system with no remaining
> redundancy...and a new drive that is currently unused.  You have no
> ability to rebuild the function of the failed drive into the new
> drive...because the RAID5 rebuild is not there.
>
> Oh, poo.
>
> Your options?  Well,
> * you can build a NEW array on other disks (hope you have enough ports
> to plug them into), copy the data from the old one to the new one
> * you can hope your backup system is perfect, and rebuild the entire
> array and reload from backup
> * you can hope a second drive doesn't fail in your array... for the life
> of the system.
>
> Not much else I can think of.
>
> If you want to play with softraid and raid5, hey, have a blast.  You
> want to put critical data on it?  I'd not suggest that.  A job ago, I
> had some relatively large chunks of data to hash through to find some
> needles of data in and no disks handy that could do it in one
> chunk...but I had some big disk array boxes, and a lot of smallish SCSI
> disks I could stick in them (and the office space was really cold, so a
> bit of heat under my desk was not unappreciated).  I think I did them as
> softraid RAID0, but I could have done it as RAID5 with this system --
> the data is there just for analysis, not storage.  RAID5 might give me a
> few minutes to pull data off that I realized was important only after
> the drive failed, but otherwise the loss of data on this array would not
> have been catastrophic at all.
>
> Now, anyone who drops important data on any kind of RAID system without
> figuring out how to deal with disk (and controller) failures deserves
> what they get.  So if I was a nice guy, I'd have said "Go try it out on
> some spare hardware and unimportant data and answer your own question",
> but being the evil bastard that I am, I'm denying you a very important
> learning experience.
>
> Nick.
>

Indeed! I wanted to make sure I'd know how to rebuild the RAID after it
failed, and that was my initial doubt.

You can be pretty much assured that I didn't use RAID5 in the end (I
don't have anywhere to copy all my stuff while I rebuild the array).

I'm wondering though; is it *so* hard to implement the rebuildage,
or is there simply no interest on behalf of the devs?

--
Hugo Osvaldo Barrera




Re: Fuse on OpenBSD

2013-07-04 Thread Hugo Osvaldo Barrera
On 2013-07-03 18:55, Theo de Raadt wrote:
> > About a month ago, I followed up on tech@ that some fuse support had
> > been merged into the kernel, but disable by default.
> > (By the way, congrats and thanks to the devs for that! :D)
> >
> > I'm wondering if there's any timeframe for this getting enabled by default
> > - I'd love to have fuse support, but I don't think I'm ready to void my
> > warranty just yet ;)
> >
> > Is there more testing needed, or exactly what's necessary for it to
> > move forward?
> >
> > On a somewhat related note; might this mean we might be able to port
> > fuse drivers (like aufs) into BSD? :D
>
> Good grief.
>
> You can enable it yourself, right now.
>
> You can test it.  You can find bugs.  You can report them.  You can
> even try to fix them.  You can communicate directly with developers
> trying to bring it to fruition.

Well yeah, and that's basically the intention of the emails; an attempt
to communicate with the devs. I do feel it is slightly OT for tech@

>
> Instead, what is your mail -- is it a rah rah please enable it
> tomorrow?  Is it a statement of "even if there is a major screw up
> hiding, enable it tomorrow please please please rah rah rah?"
>

On the contrary, I'm not demanding it be enabled or tested right now; I'm
legitimately curious about its status, and wondering how close it is
to completion, how safe it is to use it for everyday use, etc. I've
no issue waiting either.

> Hugo, grow up.  This is a participation community.  The process is not
> opaque.  Opportunities for participation at all levels are highly
> visible.  Participate in development, to your own form.

Well, I did say "what's necessary for it to move forward?". I was being
quite sincere about my question. If the reply is "we think it's ok,
but just need more real-world testing", then I know I can use it. Maybe
the reply would have been "it breaks occasionally and corrupts your stuff".

>
> The email you sent above is not a form of participation.  It is at
> the level of "fanboy".
>

Let me apologize if this sounds like a "please enable it" email. It
wasn't the intention and I was being quite sincere about what I meant.

Anyway, I'll enable it on one of my laptops, and send any feedback I
can come across.

Cheers,

--
Hugo Osvaldo Barrera




Re: Softraid performance: CRYPTO on top of RAID 1?

2013-07-11 Thread Hugo Osvaldo Barrera
On 2013-07-02 02:26, Erling Westenvik wrote:
> Hi folks,
>
> Anyone having any experience with putting an softraid CRYPTO partition
> on top of a softraid RAID 1? In terms of performance?

I recently built my NAS, and tried both CRYPTO and no softraid and noticed
a pretty big difference.

With crypto, speed didn't exceed 2.3MBps. Without it, speed is stable at
about 9.3MBps.
When inspecting this, CPU stays at ~100% in both scenarios (mostly due
to my network connection being encrypted as well).

Note that I have gigabit ethernet, and actual network speed CAN reach
faster speeds; it was purely my CPU which limited me.

Just in case, my CPU *does not* support AESNI. I'm pretty sure your
mileage *will* vary if yours does.

In the end, I used an unencrypted disk for delicate stuff, and a
non-encrypted one for non-delicate stuff (music/movies/etc).

Both tests were done with 200GB of random files (movies mostly).

>
> I'd like to build a file server that favors redundancy, availability and
> privacy over performance. The latter within limits though, hence my
> initial question. Private use only. Me, my family and ... friends.

Since privacy is a priority for you, make sure the CPU supports
AESNI; I'm confident you'll get better performance with no privacy
drawback. I've no hardware to actually test this, but I'm pretty confident
the difference is noticeable.

>
> I'm planning to use 3 x 1TB drives in RAID 1. No FDE since
> "availability" involves the possibility of unattended booting; like
> after a power outage while being abroad/out of town, in which case I'd
> have to ssh in to the box and bioctl(8) the encrypted volume. Otherwise
> the PC is an old Pentium 4 3.40GHz with 3GB RAM which as of today runs
> fine as a file server with 2 x 500GB disks in softraid RAID 1.

We mentioned this at some point off-list, but I'd like to document this in
case anybody's interested: my OS runs off a 4GiB USB drive, which keeps as
many SATA ports as possible available, while maintaining availability. A
RAID1 on two of these drives would be great, since they don't have the
best record when it comes to durability.

>
> Sorry if my question does not belong on @misc. I've done quite some
> homework but could not find information pertinent to my case and would
> like to hear any arguments for or against before I spend many hours on
> copying hundres of gigabytes to potentially no avail.

I did. :) Granted, it wasn't fun, but it wasn't too much work either,
since I left it while I was AFK, so it didn't bother me in the least.

>
> Regards,
>
> Erling
>

Cheers,

--
Hugo Osvaldo Barrera




ssh/sftp performance

2013-08-20 Thread Hugo Osvaldo Barrera
ISA" rev 0x00: SMI
iic0 at viapm0
spdmem0 at iic0 addr 0x51: 2GB DDR2 SDRAM non-parity PC2-6400CL5
viapm0: 24-bit timer at 3579545Hz
pchb7 at pci0 dev 17 function 7 "VIA VT8251 VLINK" rev 0x00
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x7c: irq 11, address
00:40:63:f6:ef:df
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 10: OUI
0x004063, model 0x0032
ppb3 at pci0 dev 19 function 0 "VIA VT8251 PCIE" rev 0x00
pci4 at ppb3 bus 128
ppb4 at pci4 dev 0 function 0 "VIA VT8251 PCIE" rev 0x00
pci5 at ppb4 bus 130
ppb5 at pci4 dev 0 function 1 "VIA VT8251 PCIE" rev 0x00
pci6 at ppb5 bus 129
azalia0 at pci4 dev 1 function 0 "VIA HD Audio" rev 0x00: irq 5
azalia0: codecs: VIA/0x1708
audio0 at azalia0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "VIA UHCI root hub" rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
schsio0 at isa0 port 0x162e/2: SCH3112 rev 0x02, watchdog disabled
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
umass0 at uhub0 port 2 configuration 1 interface 0 "Generic USB2.0-CRW" rev
2.00/19.81 addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets, initiator 0
sd2 at scsibus1 targ 1 lun 0:  SCSI0 0/direct
removable serial.0bda011981519810
sd2: 3789MB, 512 bytes/sector, 7759872 sectors
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd2a (8cd4486d62e3d00d.a) swap on sd2b dump on sd2b

--
Hugo Osvaldo Barrera




Re: ssh/sftp performance

2013-08-21 Thread Hugo Osvaldo Barrera
On 2013-08-21 15:28, Christian Weisgerber wrote:
> Darren Tucker  wrote:
>
> > > I noticed my CPU supports AES, but not AESNI, so at first, I thought that
> > > that might be using up all my CPU, but that only accounts for 48% of
> > > CPU usage. Is there anything else I can do to improve performance?
> >
> > Try one of the faster MACs (umac...@openssh.com is probably going to be
> > the fastest one but you might want to try the others too).

Yup, I've shifted the speed up to 13.6MBps, which is quite an improvement!
I had somehow understood that the default was the fastest (my mistake).
Thanks!

>
> It's definitely the fastest.  It's even the fastest if you have
> AESNI.

Sadly, my hardware doesn't support AESNI.
Would something like a Soekris 1401(hifn) make up for that, or am I mixing
stuff up?

>
> (It might not be on 32-bit sparc.)
>
> --
> Christian "naddy" Weisgerber  na...@mips.inka.de
>

--
Hugo Osvaldo Barrera




Broken output from serial console

2013-08-22 Thread Hugo Osvaldo Barrera
A VT8251 VLINK" rev 0x00
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x7c: irq 11, address
00:40:63:f6:ef:df
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 10: OUI
0x004063, model 0x0032
ppb3 at pci0 dev 19 function 0 "VIA VT8251 PCIE" rev 0x00
pci4 at ppb3 bus 128
ppb4 at pci4 dev 0 function 0 "VIA VT8251 PCIE" rev 0x00
pci5 at ppb4 bus 130
ppb5 at pci4 dev 0 function 1 "VIA VT8251 PCIE" rev 0x00
pci6 at ppb5 bus 129
azalia0 at pci4 dev 1 function 0 "VIA HD Audio" rev 0x00: irq 5
azalia0: codecs: VIA/0x1708
audio0 at azalia0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "VIA UHCI root hub" rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
schsio0 at isa0 port 0x162e/2: SCH3112 rev 0x02, watchdog disabled
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
umass0 at uhub0 port 1 configuration 1 interface 0 "SanDisk Extreme" rev
2.10/0.10 addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets, initiator 0
sd2 at scsibus1 targ 1 lun 0:  SCSI4 0/direct
removable serial.07815580121413523889
sd2: 15272MB, 512 bytes/sector, 31277232 sectors
uhidev0 at uhub1 port 2 configuration 1 interface 0 "Microsoft Microsoft\M-.
Digital Media Keyboard 3000" rev 2.00/2.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub1 port 2 configuration 1 interface 1 "Microsoft Microsoft\M-.
Digital Media Keyboard 3000" rev 2.00/2.00 addr 2
uhidev1: iclass 3/0, 3 report ids
uhid0 at uhidev1 reportid 1: input=7, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=1, output=0, feature=0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd2a (8cd4486d62e3d00d.a) swap on sd2b dump on sd2b

--
Hugo Osvaldo Barrera




Re: Broken output from serial console

2013-08-23 Thread Hugo Osvaldo Barrera
On 2013-08-23 17:43, Stuart Henderson wrote:
> On 2013-08-23, Hugo Osvaldo Barrera  wrote:
> > Hi!
> > I've started managing a serial server through a serial console, and have
> > come into some unusual issues.
> > I followed the instructions on faq 7.7, and also configured my BIOS
> > accordingly.
> >
> > When I connect my PC to the server, I see BIOS and POST output properly,
> > I then see the OpenBSD bootloader properly, and all the kernel messages come
> > out fine (ie: the white-on-blue text), however, AFTER the kernel messages,
> > I only see the following sixteen characters and nothing else (though
> > later kernel messages like plugging in a USB are shown properly).
> >
> > In single user mode, this would be:
> > "Enter pathname o"
> >
> > In non-single user mode, this would be
> > "Automatic boot i"
> >
> > It's extremely odd. I'm clearly not having cable issues, wrong rates,
> > or anything alike, because I'm seeing kernel output just fine.
>
> This is exactly what you would see if the IRQ assignment is wrong.
> There are other possibilities too, but this is easy to check in the
> BIOS, and is a somewhat likely problem.
>
> The first port (known as com0 in OpenBSD, com1 in MSDOS) should be at
> 0x3f8 irq 4, the second should be 0x2f8 irq 3. Sometimes vendors
> (I've seen it with Jetway) have been known to screw up and reverse
> the irq assignments.

Ah, thanks! I had checked that 0x3f8 was being used, but the irqs were
mixed up (ie: they were swapped).

Oddly I'm not seeing the first bit of the bootloader any more ("Using
drive 0, partition 3..."), but I *am* seeing the important part, which
is the prompt for boot commands.

I'm curious though; why was kernel output being displayed
properly? Shouldn't that have failed to display as well?

>
> Some other OS take these from ISAPNP but OpenBSD hardcodes the
> standard values for a PC-compatible machine and expects the port to
> be there.

Why doesn't OpenBSD attempt to do this as well? Is there some reason to
avoid that, or is it simply because nobody's gotten around to it?

>
> > com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> > com0: console
> > com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
>

The rebooting issue is now gone too. I had assumed they were related,
and they are.

Thanks,

--
Hugo Osvaldo Barrera




Re: Selecting new motherboards in the era of uefi

2013-08-31 Thread Hugo Osvaldo Barrera
On 2013-08-30 17:32, STeve Andre' wrote:
> I'm shopping around for new server hardware.  Unless someone has a
> reason to think of something else, I'm planning on a i7-4770K.  The more
> interesting question is what motherboard to get.
>
> I have my eye on the Asus Sabertooth Z87, but I see that it talks of
> uefi.  What I do not yet see, is whether the system can boot in a non-uefi
> mode or not.  Given that the motherboard is at least a little OS
> agnostic, I have some hope that it will work.
>
> But I don't know, and in general I think it might be worth talking of
> strategies for motherboard selection given the size of the marketplace.
> I wonder if this might make a new section
>
> Thoughts?
>
> --STeve Andre'
>

Hint:
The specs [1] say it supports Windows 7. Windows 7 is BIOS-only
(non-UEFI), so that means the mobo supports booting legacy BIOS.

[1] http://www.asus.com/Motherboards/SABERTOOTH_Z87/#specifications

--
Hugo Osvaldo Barrera




Re: update my box and Cinnamon avaible

2013-09-23 Thread Hugo Osvaldo Barrera
On 2013-09-23 12:54, Marc Espie wrote:
> On Mon, Sep 23, 2013 at 11:25:57AM +0100, James Griffin wrote:
> > * Marc Espie  [2013-09-23 12:22:47 +0200]:
> >
> > > On Mon, Sep 23, 2013 at 10:32:20AM +0100, James Griffin wrote:
> > > > To update packages: pkg_add -iu (-i is for interaction to selection
> > > > flavors of pkg's and -u is for update). Must be run with privileges, i.e. sudo
> > > > or root user.
> > >
> > > You don't need -i in most cases these days, pkg_tools default to interactive
> > > if run on a terminal now.
> > >
> > > (-I can be used to revert to non-interactive mode)
> > >
> >
> > Cheers Marc, I wasn't aware of that. Just a habit I got into ages ago.
>
> Yeah, it's something I look at in usage patterns.
>
> Lots of people don't follow the tools development too closely,
> and so they keep using options which are no longer needed.
>
> Then they teach those to other people, thus ensuring that
> people keep thinking things are more complicated than
> they are...
>
> I'd really like a solution that didn't involve me having
> to rectify things again and again, but it's better than nothing :)
>

How about a warning or notice when the user explicitly states "-i" saying
"this is already the default and deprecated" if it's run from a tty?

--
Hugo Osvaldo Barrera




IPSec endpoints won't talk to each other

2013-09-23 Thread Hugo Osvaldo Barrera
Hi,

I've been experimenting a bit with IPSec and creating a VPN using it. I've
been successful, but have encountered an odd issue.

I've two hosts, linking two networks:

Host A's /etc/iked.conf:
ikev2 active esp from 172.16.0.0/16 to 172.17.0.0/16 \
  peer 174.136.104.18 psk "a-test-key"

Host B's /etc/iked.conf:
ikev2 esp from 172.17.0.0/16 to 172.16.0.0/16 \
  peer 190.210.108.249 psk "a-test-key"

(Of course those are not the real keys).

I can ssh 172.17.0.1 from the 172.16.0.0 network fine and vice versa.

So far so good.

BUT I can't establish any TCP connection from Host A to Host B's public
IP address and vice versa.

On Host A:
Browsing to Host B's public IP (174.136.104.18) -> timeout
SSH into Host B's public IP -> timeout
Ping Host B -> WORKS FINE!

The same applies from Host B to Host A's public IP.
I can use the tunneled IPs fine, but I'm extremely confused.

On Host B:

$ route show | tail -n 4
Source     Port  Destination  Port  Proto  SA(Address/Proto/Type/Direction)
172.17/16  0     172.16/16    0     0      elysion/esp/use/in
172.16/16  0     172.17/16    0     0      elysion/esp/require/out
default    0     default      0     0      none/esp/deny/out

Nothing out of the ordinary here.

$ traceroute 174.136.104.18
traceroute to 174.136.104.18 (174.136.104.18), 64 hops max, 40 byte packets
 1  customer-static-210-108-250.iplannetworks.net (190.210.108.250)  8.591 ms  10.107 ms  7.692 ms
 2  190.210.123.62 (190.210.123.62)  6.183 ms *  6.718 ms
 3  customer-static-210-110-122.iplannetworks.net (190.210.110.122)  8.996 ms  7.389 ms  7.337 ms
 4  customer-static-210-110-49.iplannetworks.net (190.210.110.49)  6.671 ms  8.518 ms  6.204 ms
 5  * customer-static-210-110-66.iplannetworks.net (190.210.110.66)  23.352 ms  10.508 ms
 6  TenGigabitEthernet8-3.ar1.EZE1.gblx.net (64.208.7.69)  30.538 ms  30.391 ms  61.912 ms
 7  po6-50G.ar4.LAX1.gblx.net (67.16.129.202)  205.788 ms  177.384 ms  189.306 ms
 8  PCCW-GLOBAL-INC.TenGigabitEthernet8-1.1200.ar4.LAX1.gblx.net (64.211.83.226)  195.701 ms  202.521 ms  196.462 ms
 9  63-218-212-14.static.pccwglobal.net (63.218.212.14)  206.704 ms  197.595 ms  194.974 ms
10  cxa.r6.lax2.trit.net (208.75.88.19)  201.47 ms  211.301 ms  208.998 ms
11  arpnetworks-lax2-gw.cust.trit.net (208.90.34.74)  214.97 ms  254.919 ms  244.190 ms
12  elysion (174.136.104.18)  202.300 ms  198.401 ms  261.721 ms

Much like ping, traceroute works fine, which confuses me even further.

I'm probably missing something - but what?

--
Hugo Osvaldo Barrera

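The flow table quoted in the post, parsed and queried with a few constructed packets. This is an added example, not code from the thread; the longest-prefix selection it applies is my approximation of how the kernel picks a flow, not OpenBSD's own code.

```python
"""Parse the IPsec flow ("Encap") section that OpenBSD's `route show` prints
and report which flow a packet would hit.  Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the `route show | tail -n 4` output in the post: header
# dropped, wrapped line rejoined.  Columns: Source Port Destination Port
# Proto SA(Address/Proto/Type/Direction).
FLOW_TABLE = """\
172.17/16  0 172.16/16  0 0 elysion/esp/use/in
172.16/16  0 172.17/16  0 0 elysion/esp/require/out
default    0 default    0 0 none/esp/deny/out
"""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    sport: int          # 0 = any port
    dst: ipaddress.IPv4Network
    dport: int
    proto: int          # 0 = any protocol
    sa_addr: str        # peer address or name; "none" when there is no peer
    sa_proto: str       # esp or ah
    sa_type: str        # use, require, deny, ...
    direction: str      # in or out


def parse_network(text: str) -> ipaddress.IPv4Network:
    """Expand route(8)'s shorthand: 'default' -> 0.0.0.0/0, '172.16/16' -> 172.16.0.0/16."""
    if text == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, prefix = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))   # route(8) drops trailing zero octets
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{prefix or 32}")


def parse_flow_table(text: str) -> list[Flow]:
    """Turn the Encap table into Flow records, skipping the header line."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] == "Port":
            continue
        src, sport, dst, dport, proto, sa = fields
        sa_addr, sa_proto, sa_type, direction = sa.split("/")
        flows.append(Flow(parse_network(src), int(sport), parse_network(dst),
                          int(dport), int(proto), sa_addr, sa_proto, sa_type,
                          direction))
    return flows


def lookup_flow(flows, src, dst, proto, direction, sport=0, dport=0) -> Optional[Flow]:
    """Most specific matching flow (longest src+dst prefix, then explicit
    protocol and ports), or None when no flow covers the packet."""
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst)
    proto_num = PROTO_NUMBERS[proto] if isinstance(proto, str) else proto
    candidates = [
        f for f in flows
        if f.direction == direction
        and src_ip in f.src and dst_ip in f.dst
        and f.proto in (0, proto_num)
        and f.sport in (0, sport) and f.dport in (0, dport)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda f: (f.src.prefixlen + f.dst.prefixlen,
                                          f.proto != 0, f.sport != 0, f.dport != 0))


def describe(flows, src, dst, proto, direction) -> str:
    flow = lookup_flow(flows, src, dst, proto, direction)
    if flow is None:
        return "no flow: handled as plain IP"
    return f"{flow.sa_addr}/{flow.sa_proto}/{flow.sa_type}/{flow.direction}"


if __name__ == "__main__":
    table = parse_flow_table(FLOW_TABLE)
    # Constructed packets: tunnel traffic first, then traffic between the public addresses.
    for s, d, p, direction in [
        ("172.16.0.5", "172.17.0.1", "tcp", "out"),
        ("172.17.0.1", "172.16.0.5", "tcp", "in"),
        ("190.210.108.249", "174.136.104.18", "tcp", "out"),
        ("190.210.108.249", "174.136.104.18", "icmp", "out"),
    ]:
        print(f"{s} -> {d} {p} {direction}: {describe(table, s, d, p, direction)}")
```

Traffic between the two public addresses matches only the catch-all entry, never either tunnel flow; the lookup treats ICMP and TCP alike, so the table on its own does not account for ping working while TCP times out.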



Re: IPSec endpoints won't talk to each other

2013-09-24 Thread Hugo Osvaldo Barrera
On 2013-09-24 09:44, James Griffin wrote:
> * Hugo Osvaldo Barrera  [2013-09-24 03:53:46 -0300]:
>
> > Hi,
> >
> > I've been experimenting a bit with IPSec and creating a VPN using it. I've
> > been successful, but have encountered an odd issue.
> >
> > I've two hosts, linking two networks:
> >
> > Host A's /etc/iked.conf:
> > ikev2 active esp from 172.16.0.0/16 to 172.17.0.0/16 \
> >   peer 174.136.104.18 psk "a-test-key"
> >
> > Host B's /etc/iked.conf:
> > ikev2 esp from 172.17.0.0/16 to 172.16.0.0/16 \
> >   peer 190.210.108.249 psk "a-test-key"
> >
> > (Of course those are not the real keys).
> >
> > I can ssh 172.17.0.1 from the 172.16.0.0 network fine and vice versa.
> >
> > So far so good.
> >
> > BUT I can't establish any TCP connection from Host A to Host B's public
> > IP address and vice versa.
>
> So you can connect using internal addresses but not using public address.
> Just a thought, but have you opened the necessary ports on your router? What
> is your setup like?
>
> [ ... ]
>

They're both connected directly to the internet with no router in front
of them. With the tunnel disabled, everything works fine between both.

--
Hugo Osvaldo Barrera




Re: UEFI

2013-11-08 Thread Hugo Osvaldo Barrera
On 2013-11-05 13:39, sven falempin wrote:
> My laptop has <> BIOS.
> What do you recommend to get openBSD on it ?
>
>
> --
> () ascii ribbon campaign - against html e-mail
> /\
>

If there's really no BIOS, pop the disk onto a BIOS-based system,
install GRUB2, OpenBSD, and pop it back into the laptop.

I'm not a GRUB lover myself, but it's pretty much the only real option
I can think of.

--
Hugo Osvaldo Barrera




postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-11 Thread Hugo Osvaldo Barrera
Hi,

I upgraded to -snapshot today, and did all the proper postgresql upgrade:
pg_dump, moved the old db out of the way, re-init'd, started, and imported.

The thing is, upon receiving connections, postgres dies horribly. The log is
just this following iterating over and over:

  WARNING:  terminating connection because of crash of another server process
  DETAIL:  The postmaster has commanded this server process to roll back the
  current transaction and exit, because another server process exited abnormally
  and possibly corrupted shared memory.
  HINT:  In a moment you should be able to reconnect to the database and repeat
  your command.
  LOG:  all server processes terminated; reinitializing
  LOG:  database system was interrupted; last known up at 2015-02-11 17:01:00 GMT
  LOG:  database system was not properly shut down; automatic recovery in
  progress
  LOG:  record with zero length at 0/1696370
  LOG:  redo is not required
  LOG:  database system is ready to accept connections
  LOG:  autovacuum launcher started
  LOG:  server process (PID 9444) was terminated by signal 6: Abort trap
  LOG:  terminating any other active server processes

After much frustration (even building -current), I deleted all of it,
uninstalled, built 9.3.4 using the old ports recipe, installed - same issue!

It's clearly not an upgrade issue, because deleting all the data files and
going back to 9.3 has the same issue.

Has anyone else had this issue, or similar issues with -snapshot/-current? Can
someone else confirm postgres9.4 works fine on the latest -snapshot? (The
confirmation would be helpful to reaffirm that it's not an issue with some
dependency or library).

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-11 Thread Hugo Osvaldo Barrera
On 2015-02-11 19:54, Jan Stary wrote:
> On Feb 11 14:49:17, h...@barrera.io wrote:
> > Hi,
> >
> > I upgraded to -snapshot today, and did all the proper postgresql upgrade:
> > pg_dump, moved the old db out the the way, re-init'd, started, and
import.
> >
> > The thing is, upon receiving connections, postgres dies horribly. The log
is
> > just this following iterating over and over:
> >
> >   WARNING:  terminating connection because of crash of another server process
> >   DETAIL:  The postmaster has commanded this server process to roll back the
> >   current transaction and exit, because another server process exited abnormally
> >   and possibly corrupted shared memory.
> >   HINT:  In a moment you should be able to reconnect to the database and repeat
> >   your command.
> >   LOG:  all server processes terminated; reinitializing
> >   LOG:  database system was interrupted; last known up at 2015-02-11 17:01:00 GMT
> >   LOG:  database system was not properly shut down; automatic recovery in
> >   progress
> >   LOG:  record with zero length at 0/1696370
> >   LOG:  redo is not required
> >   LOG:  database system is ready to accept connections
> >   LOG:  autovacuum launcher started
> >   LOG:  server process (PID 9444) was terminated by signal 6: Abort trap
> >   LOG:  terminating any other active server processes
> >
> > After much frustration (even building -current), I deleted all of it,
> > uninstall, built 9.3.4 using the old ports recipe, installed - same issue!
> >
> > It's clearly not an upgrade issue, because deleting all the data files and
> > going back to 9.3 has the same issue.
>
> Have you stopped the DB server before performing the upgrade?
> Are you sure (pgrep -fl post) that there is no other server process
> around?
>
>   Jan
>

Yes, I did. I also did this when installing the version I built from ports
(which I also tried with no change).

I actually did the entire process a few times, with -snapshots, -current and
installing from packages.

All exhibited the same behaviour, so I'm starting to suspect the issue is not
postgres per se.

> > Has anyone else had this issue, or similar issues with -snapshot/-current?
> > Can someone else confirm postgres9.4 works fine on the latest -snapshot? (the
> > confirmation would be helpful to reaffirm that it's not an issue with some
> > dependency or library).
> >
> > Thanks,
> >
> > --
> > Hugo Osvaldo Barrera
> > A: Because we read from top to bottom, left to right.
> > Q: Why should I start my reply below the quoted text?
> >

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-12 Thread Hugo Osvaldo Barrera
On 2015-02-12 10:18, Stuart Henderson wrote:
> On 2015-02-11, Hugo Osvaldo Barrera  wrote:
> > Can
> > someone else confirm postgres9.4 work fine on the latest -snapshot? (the
> > confirmation would be helpful to reafirm that it's not an issue with some
> > dependency or library).
>
> Works fine on my bacula box, running 9.4.1 (and previously 9.4.0) on amd64.
>

Ok, so now I know that the issue is on my end. Which leaves me even more
confused. You're running the latest snapshots too, right? (e.g. the ones from
Feb 10th?).

Aside from a clean install, do you have any more changes? Perhaps login.conf?

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-14 Thread Hugo Osvaldo Barrera
On 2015-02-13 13:20, Stuart Henderson wrote:
> On 2015-02-12, Hugo Osvaldo Barrera  wrote:
> > On 2015-02-12 10:18, Stuart Henderson wrote:
> >> On 2015-02-11, Hugo Osvaldo Barrera  wrote:
> >> > Can
> >> > someone else confirm postgres9.4 works fine on the latest -snapshot? (the
> >> > confirmation would be helpful to reaffirm that it's not an issue with some
> >> > dependency or library).
> >>
> >> Works fine on my bacula box, running 9.4.1 (and previously 9.4.0) on amd64.
> >>
> >
> > Ok, so now I know that the issue is on my end. Which leaves me even more
> > confused. You're running the latest snapshots too, right? (e.g. the ones from
> > Feb 10th?).
> >
> > Aside from a clean install, do you have any more changes? Perhaps login.conf?
>
> I have the login.conf section from the example in the pkg-readme,
>
> postgresql:\
> :openfiles-cur=768:\
> :tc=daemon:
>
> and this in sysctl.conf
>
> # postgresql
> kern.seminfo.semmni=256
> kern.seminfo.semmns=2048
> kern.shminfo.shmmax=50331648
>
> $ ls -l /bin/ls /usr/local/bin/postgres
> -r-xr-xr-x  1 root  bin   267968 Feb 10 23:19 /bin/ls*
> -r-xr-xr-x  1 root  bin  6508711 Feb  9 03:21 /usr/local/bin/postgres*
>
> $ sysctl kern.version
> kern.version=OpenBSD 5.7-beta (GENERIC) #797: Tue Feb 10 16:26:12 MST 2015
> t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
>

Thanks for all the details. It looks like almost everything is identical
except our kernels (I had a few extra fields in sysctl.conf edited for pg, but
reverted them just to make sure they weren't screwing up).

  # sysctl kern.version
  kern.version=OpenBSD 5.7-beta (GENERIC.MP) #852: Tue Feb 10 16:31:16 MST 2015
  t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

I switched to the SP kernel just to discard any possible regressions that might
be affecting this scenario, but no change.

It looks like the issue is elsewhere, but I've no idea where to look. I've so
far failed to build postgresql-server with debug symbols enabled too, but
that's just lack of knowledge on my part.

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-14 Thread Hugo Osvaldo Barrera
On 2015-02-14 02:28, Abel Abraham Camarillo Ojeda wrote:
> On Sat, Feb 14, 2015 at 2:12 AM, Hugo Osvaldo Barrera wrote:
> > On 2015-02-13 13:20, Stuart Henderson wrote:
> >> On 2015-02-12, Hugo Osvaldo Barrera  wrote:
> >> > On 2015-02-12 10:18, Stuart Henderson wrote:
> >> >> On 2015-02-11, Hugo Osvaldo Barrera  wrote:
> >> >> > Can
> >> >> > someone else confirm postgres9.4 works fine on the latest -snapshot?
> >> >> > (the confirmation would be helpful to reaffirm that it's not an issue
> >> >> > with some dependency or library).
> >> >>
> >> >> Works fine on my bacula box, running 9.4.1 (and previously 9.4.0) on
> > amd64.
> >> >>
> >> >
> >> > Ok, so now I know that the issue is on my end. Which leaves me even
more
> >> > confused. You're running the latest snapshots too, right? (eg: the
ones
> > from
> >> > feb 10th?).
> >> >
> >> > Aside from a clean install, do you have any more changes? Perhaps
> > login.conf?
> >>
> >> I have the login.conf section from the example in the pkg-readme,
> >>
> >> postgresql:\
> >> :openfiles-cur=768:\
> >> :tc=daemon:
> >>
> >> and this in sysctl.conf
> >>
> >> # postgresql
> >> kern.seminfo.semmni=256
> >> kern.seminfo.semmns=2048
> >> kern.shminfo.shmmax=50331648
> >>
> >> $ ls -l /bin/ls /usr/local/bin/postgres
> >> -r-xr-xr-x  1 root  bin   267968 Feb 10 23:19 /bin/ls*
> >> -r-xr-xr-x  1 root  bin  6508711 Feb  9 03:21 /usr/local/bin/postgres*
> >>
> >> $ sysctl kern.version
> >> kern.version=OpenBSD 5.7-beta (GENERIC) #797: Tue Feb 10 16:26:12 MST
2015
> >> t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> >>
> >
> > Thanks for all the details. It looks like almost everything is identical
> > except our kernels (I had a few extra fields in sysctl.conf edited for
pg,
> > but
> > reverted them just to make sure they weren't screwing up).
> >
> >   # sysctl kern.version
> >   kern.version=OpenBSD 5.7-beta (GENERIC.MP) #852: Tue Feb 10 16:31:16
MST
> > 2015
> >   t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > I switched to the SP kernel just to discard any possible regressions that
> > might
> > be affecting this scenario, but no change.
> >
> > It looks like the issue is elsewhere, but I've no idea where to look. I've
so
> > far failed to build postgresql-server with debug symbols enabled too, but
> > that's just lack of knowledge on my part.
> >
> > --
> > Hugo Osvaldo Barrera
> > A: Because we read from top to bottom, left to right.
> > Q: Why should I start my reply below the quoted text?
> >
> >
>
>
> you should give more information about how to reproduce this problem,
> how accurately can you reproduce it, are you sending just a given query
> and it always crashes?
>

It always crashes extremely frequently. I haven't noticed a pattern, and the
server never lives more than a few seconds. No particular query seems to
trigger it, and adding log_statement showed that it may even crash *before* any
queries are executed (see below as well).

> you should get more error context, maybe try log_statement into postgresql.conf
> and try to log all statements and see which one crashes it...
>
> http://www.postgresql.org/docs/9.4/static/runtime-config-logging.html
>
> are you using any custom C extension?
>

Nope, this is a plain default install from snapshots with nothing extra.

> did you dump and restore database ? did you use 'custom format' or
> 'plain format' ?

My latest tests reproduce the same issue on a clean "out-of-the-box" db (eg:
not importing any data).

> there where any errors on import? - postgres just warns about some
> import errors,
> which in my opinion are severe...

This is a log with log_statement and most logging turned on. I'd only run the
server *once* post-initialization before this. The database was completely
empty:

http://sprunge.us/UVGj

While a query managed to get through once, the server usually crashed before
that happens.

Here's another, finer-grained log, with nothing useful (apparently) either:

http://sprunge.us/FQaJ

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-14 Thread Hugo Osvaldo Barrera
On 2015-02-14 13:29, Stuart Henderson wrote:
> On 2015-02-14, Joel Sing  wrote:
> > The interesting/useful part is:
> >
> > LOG:  statement: SELECT ... ORDER BY c.oid
> > LOG:  server process (PID 11531) was terminated by signal 6: Abort trap
> >
> > So the server process is being sent a SIGABRT, which is causing it to
> > terminate. There is a good chance this this is coming from the stack
> > protector, which sends a SIGABRT if the stack is smashed.
>
> Oh, good call. It could also be a backwards memcpy which would show
> up in /var/log/messages (assuming usual config).
>

Yup, backward memcpy it is (from /var/log/messages):

Feb 14 12:27:34 elysion postgres: backwards memcpy
Feb 14 12:28:10 elysion last message repeated 8 times
Feb 14 12:30:19 elysion last message repeated 28 times
Feb 14 12:40:28 elysion last message repeated 128 times
Feb 14 12:50:40 elysion last message repeated 128 times
Feb 14 13:00:41 elysion last message repeated 126 times
Feb 14 13:10:42 elysion last message repeated 128 times
Feb 14 13:20:49 elysion last message repeated 126 times
Feb 14 13:30:55 elysion last message repeated 128 times
Feb 14 13:41:06 elysion last message repeated 132 times
Feb 14 13:51:10 elysion last message repeated 128 times
Feb 14 14:01:18 elysion last message repeated 128 times
Feb 14 14:08:18 elysion last message repeated 91 times

Am I mistaken in understanding that this is an issue with postgresql itself,
and not a local configuration error?

I tried building postgres with debug symbols (I added the flags described
here[1] to the ports Makefile), but the backtrace is still useless:

# sudo -u _postgresql gdb -q -c postgres.core /usr/local/bin/postgres
Core was generated by `postgres'.
Program terminated with signal 6, Aborted.
Loaded symbols for /usr/local/bin/postgres
#0  0x0bd73424292a in ?? ()
(gdb) bt
#0  0x0bd73424292a in ?? ()
#1  0x in ?? ()

Do I need any further OpenBSD-specific changes to get a useful backtrace? (I've
to admit that I'm too familiar with debugging with gdb on any platform).

Thanks for all the feedback so far!

[1]: https://wiki.postgresql.org/wiki/Getting_a_stack_trace_of_a_running_PostgreSQL_backend_on_Linux/BSD#Debugging_the_core_dump_-_example

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-16 Thread Hugo Osvaldo Barrera
On 2015-02-16 16:24, Stuart Henderson wrote:
> On 2015-02-15, Hugo Osvaldo Barrera  wrote:
> >
> > Am I mistaken in understanding that this is an issue with postgresql itself,
> > and not a local configuration error?
>
> Correct.
>
> > I tried building postgres with debug symbols (I added the flags described
> > here[1] to the ports Makefile), but the backtrace is still useless:
>
> Please would you rebuild from the original port like this:
>
> make clean=all
> make DEBUG="-O0 -g" repackage && sudo make reinstall
>
> and see if this gives a better backtrace.
>

Thanks a lot, it did. I was unaware of make DEBUG, and had been editing the
Makefile with no success.

  (gdb) bt
  #0  0x110a2815b92a in kill () at :2
  #1  0x110a28195119 in abort () at /usr/src/lib/libc/stdlib/abort.c:53
  #2  0x110a2816a238 in memcpy (dst0=0xfb8d4, src0=0x6, length=0) at /usr/src/lib/libc/string/memcpy.c:65
  #3  0x11080cf8d1b1 in check_ip (raddr=0x110a899f7918, addr=0x110a899f9058, mask=0x110a899f9158) at hba.c:704
  #4  0x11080cf90a04 in check_hba (port=0x110a899f7800) at hba.c:1718
  #5  0x11080cf91d34 in hba_getauthmethod (port=0x110a899f7800) at hba.c:2256
  #6  0x11080cf88eb3 in ClientAuthentication (port=0x110a899f7800) at auth.c:307
  #7  0x11080d1edf5d in PerformAuthentication (port=0x110a899f7800) at postinit.c:223
  #8  0x11080d1eeae7 in InitPostgres (in_dbname=0x110af4508c00 "virtstart-dev", dboid=0, username=0x110af4508be0 "virtstart-dev", out_dbname=0x0) at postinit.c:688
  #9  0x11080d0a3eb1 in PostgresMain (argc=1, argv=0x110af4508c20, dbname=0x110af4508c00 "virtstart-dev", username=0x110af4508be0 "virtstart-dev") at postgres.c:3749
  #10 0x11080d033537 in BackendRun (port=Could not find the frame base for "BackendRun".) at postmaster.c:4155
  #11 0x11080d032be8 in BackendStartup (port=0x110a899f7800) at postmaster.c:3829
  #12 0x11080d02f2d0 in ServerLoop () at postmaster.c:1597
  #13 0x11080d02e968 in PostmasterMain (argc=3, argv=0x7f7d9658) at postmaster.c:1244
  #14 0x11080cf96dc8 in main (argc=Could not find the frame base for "main".) at main.c:228
  Current language:  auto; currently asm

This doesn't say much to me though. I guess my best shot is to post this at the
postgresql list, right?

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-16 Thread Hugo Osvaldo Barrera
On 2015-02-16 21:02, Stuart Henderson wrote:
> On 2015/02/16 17:19, Hugo Osvaldo Barrera wrote:
> >   (gdb) bt
>
> Was this backtrace from a new coredump, or was it from one created by
> the old binary? (if the latter, please could you remove the old coredump
> and get it to crash again and send a fresh backtrace?)
>

My pg_hba is the stock one (since it had also been deleted):
http://sprunge.us/ZdQI

It was a brand-new core dump, since I had deleted /var/postgresql right before
generating it. I regenerated it just to be sure, and it's the same:

  (gdb) bt
  #0  0x110a2815b92a in kill () at :2
  #1  0x110a28195119 in abort () at /usr/src/lib/libc/stdlib/abort.c:53
  #2  0x110a2816a238 in memcpy (dst0=0xf81bf, src0=0x6, length=0) at /usr/src/lib/libc/string/memcpy.c:65
  #3  0x11080cf8d1b1 in check_ip (raddr=0x110abc279918, addr=0x110a899f9058, mask=0x110a899f9158) at hba.c:704
  #4  0x11080cf90a04 in check_hba (port=0x110abc279800) at hba.c:1718
  #5  0x11080cf91d34 in hba_getauthmethod (port=0x110abc279800) at hba.c:2256
  #6  0x11080cf88eb3 in ClientAuthentication (port=0x110abc279800) at auth.c:307
  #7  0x11080d1edf5d in PerformAuthentication (port=0x110abc279800) at postinit.c:223
  #8  0x11080d1eeae7 in InitPostgres (in_dbname=0x110ad7782be0 "virtstart-dev", dboid=0, username=0x110ad7782bc0 "virtstart-dev", out_dbname=0x0) at postinit.c:688
  #9  0x11080d0a3eb1 in PostgresMain (argc=1, argv=0x110ad7782c00, dbname=0x110ad7782be0 "virtstart-dev", username=0x110ad7782bc0 "virtstart-dev") at postgres.c:3749
  #10 0x11080d033537 in BackendRun (port=Could not find the frame base for "BackendRun".) at postmaster.c:4155
  #11 0x11080d032be8 in BackendStartup (port=0x110abc279800) at postmaster.c:3829
  #12 0x11080d02f2d0 in ServerLoop () at postmaster.c:1597
  #13 0x11080d02e968 in PostmasterMain (argc=3, argv=0x7f7d9658) at postmaster.c:1244
  #14 0x11080cf96dc8 in main (argc=Could not find the frame base for "main".) at main.c:228
  Current language:  auto; currently asm

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-16 Thread Hugo Osvaldo Barrera
On 2015-02-16 20:44, Stuart Henderson wrote:
> > Thanks a lot, it did. I was unaware of make DEBUG, and had been editing the
> > Makefile with no success.
>
> The missing piece is that, normally, binaries get stripped of their
> debug symbols in the "fake install" stage. Passing the flags in via DEBUG
> (in most cases) avoids this step.
>
> Could you let me have a copy of your pg_hba.conf please? Looking at the
> trace and code it's a bit odd and I'd like to try and replicate it here if
> I can ..
>

After submitting the backtrace upstream (i.e. to the pgsql list), it would seem
that it's an issue in the postgres codebase, triggered by the OpenBSD upgrade
(apparently), but nonetheless an issue in pg itself:

  http://www.postgresql.org/message-id/16513.1424120...@sss.pgh.pa.us

I'll post back (for posterity's sake) once I have a permanent fix.

Thanks a bunch for helping me track the issue down and getting a proper
backtrace.

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: postgresql-server exiting abnormally after upgrade to -snapshot

2015-02-16 Thread Hugo Osvaldo Barrera
On 2015-02-16 23:21, Jérémie Courrèges-Anglas wrote:
> j...@wxcvbn.org (Jérémie Courrèges-Anglas) writes:
>
> > Please try the diff below.  It fixes the "backwards memcpy" problem
> > easily noticeable with psql -h ::1.
>
> Updated diff. Thanks to Stuart for reminding me that netmasks sa_len
> values can be much surprising.
>
> $OpenBSD$
> --- src/backend/libpq/hba.c.orig  Mon Feb 16 21:53:21 2015
> +++ src/backend/libpq/hba.c   Mon Feb 16 23:08:38 2015
> @@ -700,8 +700,13 @@ check_ip(SockAddr *raddr, struct sockaddr * addr, stru
>   struct sockaddr_storage addrcopy,
>   maskcopy;
>
> - memcpy(&addrcopy, &addr, sizeof(addrcopy));
> - memcpy(&maskcopy, &mask, sizeof(maskcopy));
> + memcpy(&addrcopy, addr, sizeof(struct sockaddr_in));
> + /*
> +  * On some OSes, if mask is obtained from eg. getifaddrs(3), 
> sa_len
> +  * can vary wildly. We already know that addr->sa_family == 
> AF_INET,
> +  * so just use sizeof(struct sockaddr_in).
> +  */
> + memcpy(&maskcopy, mask, sizeof(struct sockaddr_in));
>   pg_promote_v4_to_v6_addr(&addrcopy);
>   pg_promote_v4_to_v6_mask(&maskcopy);
>
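Review bot: the fix that matters in this hunk is dropping the `&` from `&addr` and `&mask`: both are pointer parameters, so the removed lines copied sizeof(addrcopy) bytes starting at the pointer's own stack slot instead of from the sockaddr it points to, which is what tripped OpenBSD's memcpy overlap check. The switch from sizeof(addrcopy) to sizeof(struct sockaddr_in) is a second, separable change, and the added comment justifies it only for the mask; please state in the commit message that both lines had the stray `&`. Since addrcopy and maskcopy are now only partially written, consider a memset to zero before the two copies, or a check that mask->sa_family == AF_INET next to the existing addr->sa_family assumption, so a non-IPv4 mask reaching this branch is rejected rather than silently truncated.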

I can confirm that this works. The server has been up and running with no
issues during a few hours.

Will anybody be submitting this upstream?

Thanks for all your help!

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?

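The bug behind the backtrace and the diff above, as an added example that is neither PostgreSQL's nor OpenBSD's code: the sockaddr copy shape that triggered the abort is shown in a comment, beside a hardened copy helper (copy_inet4, a name chosen here) and the netmask comparison that check_ip() performs for an IPv4 pg_hba.conf entry (ip4_in_net, also a name chosen here). The addresses are constructed test inputs.

```c
/*
 * Added example, not PostgreSQL's or OpenBSD's code.
 *
 * The removed line in hba.c was
 *     memcpy(&addrcopy, &addr, sizeof(addrcopy));
 * where addr is a `struct sockaddr *` parameter. `&addr` is the address of
 * that pointer on the stack, so the call reads sizeof(struct sockaddr_storage)
 * bytes out of the current frame, far more than the pointer occupies, and the
 * source range overlaps the destination locals in the same frame. That overlap
 * is what OpenBSD's memcpy check logged as "backwards memcpy" before abort().
 * Dropping the `&` is the real fix; copying a fixed sizeof(struct sockaddr_in)
 * instead of trusting sa_len is the separate robustness change from the diff.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Copy an AF_INET sockaddr into a sockaddr_storage without trusting the
 * source's sa_len: validate the family, copy exactly one struct sockaddr_in
 * (from sa, not &sa), and zero the rest so later code that widens the struct,
 * as the v4-to-v6 promotion in hba.c does, never sees uninitialised bytes.
 * Returns 0 on success, -1 if the source is not an IPv4 address.
 */
int copy_inet4(struct sockaddr_storage *out, const struct sockaddr *sa)
{
    if (out == NULL || sa == NULL || sa->sa_family != AF_INET)
        return -1;
    memset(out, 0, sizeof(*out));
    memcpy(out, sa, sizeof(struct sockaddr_in));
    return 0;
}

/* Read the IPv4 address back out of a storage copy without aliasing casts. */
static uint32_t inet4_of(const struct sockaddr_storage *ss)
{
    struct sockaddr_in sin;
    memcpy(&sin, ss, sizeof(sin));
    return sin.sin_addr.s_addr;
}

/*
 * The comparison check_ip() performs for an IPv4 entry:
 * (client & mask) == (network & mask). Inputs are dotted-quad strings.
 * Returns 1 for a match, 0 for no match, -1 on a malformed address.
 */
int ip4_in_net(const char *client, const char *network, const char *mask)
{
    struct sockaddr_in c, n, m;
    struct sockaddr_storage ccopy, ncopy, mcopy;

    memset(&c, 0, sizeof(c));
    memset(&n, 0, sizeof(n));
    memset(&m, 0, sizeof(m));
    c.sin_family = n.sin_family = m.sin_family = AF_INET;
    if (inet_pton(AF_INET, client, &c.sin_addr) != 1 ||
        inet_pton(AF_INET, network, &n.sin_addr) != 1 ||
        inet_pton(AF_INET, mask, &m.sin_addr) != 1)
        return -1;

    /* Same three copies hba.c makes (raddr, addr, mask), via the safe helper. */
    if (copy_inet4(&ccopy, (const struct sockaddr *)&c) != 0 ||
        copy_inet4(&ncopy, (const struct sockaddr *)&n) != 0 ||
        copy_inet4(&mcopy, (const struct sockaddr *)&m) != 0)
        return -1;

    uint32_t ma = inet4_of(&mcopy);
    return ((inet4_of(&ccopy) & ma) == (inet4_of(&ncopy) & ma)) ? 1 : 0;
}

/* The helper must refuse a non-IPv4 source instead of copying garbage. */
int reject_wrong_family(void)
{
    struct sockaddr_in6 six;
    struct sockaddr_storage out;
    memset(&six, 0, sizeof(six));
    six.sin6_family = AF_INET6;
    return copy_inet4(&out, (const struct sockaddr *)&six);
}

int main(void)
{
    printf("192.0.2.10 in 192.0.2.0/255.255.255.0: %d\n",
           ip4_in_net("192.0.2.10", "192.0.2.0", "255.255.255.0"));
    printf("192.0.3.10 in 192.0.2.0/255.255.255.0: %d\n",
           ip4_in_net("192.0.3.10", "192.0.2.0", "255.255.255.0"));
    printf("AF_INET6 source rejected: %d\n", reject_wrong_family());
    return 0;
}
```

Build with cc -Wall and run. Because the helper copies a fixed sizeof(struct sockaddr_in) and never reads the source's sa_len, a short netmask of the kind the diff's comment describes copies exactly the same bytes as a full one, and anything that is not AF_INET is rejected before the copy rather than truncated.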



Re: Please help advertise DigitalOcean on OpenBSD Misc (again)

2015-02-17 Thread Hugo Osvaldo Barrera
On 2015-01-20 22:47, Constantine A. Murenin wrote:
> On 20 January 2015 at 18:12, Steve Shockley 
wrote:
> > On 1/19/2015 9:06 AM, openda...@hushmail.com wrote:
> >>
> >> So please stop by and give us your upvotes.
> >
> >
> > So, is this advertising or SEO?
>
> DigitalOcean is a shady provider with a lack of documentation, who
> doesn't even give you IPv6 address space across their fleet, or in
> those few locations they do, they do it in violation of all known RFCs
> and the best practices -- I've heard a rumour that they only give out
> 16 IPv6 addresses.  Why a rumour?  Because, as already mentioned, they
> completely lack the documentation!
>

For those interested, I can confirm this (copy-paste from their dev console):

Public IPv6 Network
Public IPv6 Address:2a03:b0c0:1:d0::190:c001/64
Public IPv6 Gateway:2a03:b0c0:1:d0::1
Configurable address range: 2a03:b0c0:1:d0::190:c000 - 2a03:b0c0:1:d0::190:c00f

> I don't know why you would want to run OpenBSD on it.  If you're just
> in it for the "OpenBSD" part, just go with real hardware like
> online.net -- they start at 5,99 EUR/mo, there's not much reason to
> have to rent a virtual server if dedi is that cheap.
>
> Lots of other dedi options at http://lowendcore.com/.
>
> With dedi prices that low, virtual hosting for OpenBSD is kinda dead, IMHO.
>

DO give you 100 USD free if you're a student/teacher. At 5 USD a month, that's
20 months free. Hard to beat that, regrettably.

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: pf to read protocol information from /etc/services ?

2015-02-27 Thread Hugo Osvaldo Barrera
On 2015-02-27 10:30, Harald Dunkel wrote:
> On Fri, 27 Feb 2015 09:22:21 +
> "Loïc Blot"  wrote:
>
> > Hello,
> > in the first example you don't specify proto tcp.
> >
>
> Thats the point. /etc/services says
>
>   telnet 23/tcp
>
> so pf could figure this out on its own.
>

The syntax for this sort of thing (if it ever gets any interest and is
implemented) would probably make more sense as "service telnet" instead of
"port telnet", since you're talking about proto+port and not just port.

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




httpd presenting the wrong TLS certificate

2015-03-14 Thread Hugo Osvaldo Barrera
Hi,

I've only just recently started moving from nginx to httpd (I *loved* the
config syntax by the way!).

I'm having an issue with httpd presenting the wrong TLS certificate for a
client - it seems to be defaulting always to the first entry, ignoring all
later ones.

Here's my narrowed down test config:

server "hugo.barrera.io" {
	alias "barrera.io"
	listen on * tls port 1443
	root "/sites/hugo.barrera.io"
	tls certificate "/var/www/tls/hugo.barrera.io/chain.crt"
	tls key "/var/www/tls/hugo.barrera.io/ssl.key"
}

server "calendar.barrera.io" {
	listen on * tls port 1443
	root "/sites/calendar.barrera.io"
	tls certificate "/var/www/tls/calendar.barrera.io/chain.crt"
	tls key "/var/www/tls/calendar.barrera.io/ssl.key"
}

In both scenarios, httpd is presenting the TLS certificate for
hugo.barrera.io.

Any hints? Did I do something wrong? Did I hit a bug?

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: SSL working with nginx, not with httpd. Any ideas?

2015-03-14 Thread Hugo Osvaldo Barrera
On 2015-03-14 18:41, Ezequiel Garzon wrote:
> Greetings! For some reason I'm able to set up SSL support for my domain
> using nginx, but not httpd. I have combined my certificates like this:
>
> # cat ssl.crt sub.class1.server.ca.pem ca.pem > /etc/ssl/server.crt
>
> However, if I stop nginx and start httpd I get:
>
> $ curl -I https://ezequiel-garzon.net
> curl: (60) SSL certificate problem: unable to get local issuer
> certificate
>
> I have attempted to write a minimal config file at /etc/httpd.config:
>
> server defaults {listen on egress ssl port 443}
>

Are you sure that's right? I don't see the "ssl" keyword anywhere in the docs:

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/httpd.conf.5

You also seem to be missing the TLS certificate/key if you're going to use TLS.

> Any ideas on what I'm doing wrong? Thanks for your help!
>
> Cheers,
>
> Ezequiel
>

Cheers,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: httpd presenting the wrong TLS certificate

2015-03-14 Thread Hugo Osvaldo Barrera
On 2015-03-14 23:34, Peter Hessler wrote:
> httpd does not yet support SNI.  You will need to either wait, use a
> wildcard SSL cert, or use different ports/IPs.
>
>

Oh, I hadn't checked that for SNI. I'll have to wait then; multiple IPv4
addresses are expensive, and CAs will charge for wildcard certs. :(

Is SNI on the roadmap already?

Thanks,

> On 2015 Mar 14 (Sat) at 19:26:31 -0300 (-0300), Hugo Osvaldo Barrera wrote:
> :Hi,
> :
> :I've only just recently started moving from nginx to httpd (I *loved* the
> :config syntax by the way!).
> :
> :I'm having an issue with httpd presenting the wrong TLS certificate for a
> :client - it seems to be defaulting always to the first entry, ignoring all
> :later ones.
> :
> :Here's my narrowed down test config:
> :
> :server "hugo.barrera.io" {
> :alias "barrera.io"
> :listen on * tls port 1443
> :root "/sites/hugo.barrera.io"
> :tls certificate "/var/www/tls/hugo.barrera.io/chain.crt"
> :tls key "/var/www/tls/hugo.barrera.io/ssl.key"
> :}
> :
> :server "calendar.barrera.io" {
> :listen on * tls port 1443
> :root "/sites/calendar.barrera.io"
> :tls certificate "/var/www/tls/calendar.barrera.io/chain.crt"
> :tls key "/var/www/tls/calendar.barrera.io/ssl.key"
> :}
> :
> :On both scenarios, httpd is presenting the TLS certificate for
> :hugo.barrera.io.
> :
> :Any hints? Did I do something wrong? Did I hit a bug?
> :
> :Thanks,
> :
> :--
> :Hugo Osvaldo Barrera
> :A: Because we read from top to bottom, left to right.
> :Q: Why should I start my reply below the quoted text?
> :
> :
>
> --
> Harrisberger's Fourth Law of the Lab:
>   Experience is directly proportional to the amount of equipment
>   ruined.

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: httpd presenting the wrong TLS certificate

2015-03-14 Thread Hugo Osvaldo Barrera
On 2015-03-14 19:39, Hugo Osvaldo Barrera wrote:
> On 2015-03-14 23:34, Peter Hessler wrote:
> > httpd does not yet support SNI.  You will need to either wait, use a
> > wildcard SSL cert, or use different ports/IPs.
> >
> >
>
> Oh, I hadn't checked that for SNI. I'll have to wait then; multiple IPv4
> addresses are expensive, and CAs will charge for wildcard certs. :(
>
> Is SNI on the roadmap already?
>

Oh, never mind, I found it:

  https://github.com/reyk/httpd/issues/17

Sorry for the noise.

Cheers!

> Thanks,
>
> > On 2015 Mar 14 (Sat) at 19:26:31 -0300 (-0300), Hugo Osvaldo Barrera
wrote:
> > :Hi,
> > :
> > :I've only just recently started moving from nginx to httpd (I *loved*
the
> > :config syntax by the way!).
> > :
> > :I'm having an issue with httpd presenting the wrong TLS certificate for a
> > :client - it seems to be defaulting always to the first entry, ignoring all
> > :later ones.
> > :
> > :Here's my narrowed down test config:
> > :
> > :server "hugo.barrera.io" {
> > :alias "barrera.io"
> > :listen on * tls port 1443
> > :root "/sites/hugo.barrera.io"
> > :tls certificate "/var/www/tls/hugo.barrera.io/chain.crt"
> > :tls key "/var/www/tls/hugo.barrera.io/ssl.key"
> > :}
> > :
> > :server "calendar.barrera.io" {
> > :listen on * tls port 1443
> > :root "/sites/calendar.barrera.io"
> > :tls certificate "/var/www/tls/calendar.barrera.io/chain.crt"
> > :tls key "/var/www/tls/calendar.barrera.io/ssl.key"
> > :}
> > :
> > :On both scenarios, httpd is presenting the TLS certificate for
> > :hugo.barrera.io.
> > :
> > :Any hints? Did I do something wrong? Did I hit a bug?
> > :
> > :Thanks,
> > :
> > :--
> > :Hugo Osvaldo Barrera
> > :A: Because we read from top to bottom, left to right.
> > :Q: Why should I start my reply below the quoted text?
> > :
> > :
> >
> > --
> > Harrisberger's Fourth Law of the Lab:
> > Experience is directly proportional to the amount of equipment
> > ruined.
>
> --
> Hugo Osvaldo Barrera
> A: Because we read from top to bottom, left to right.
> Q: Why should I start my reply below the quoted text?
>
>

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: ftps?

2012-11-28 Thread Hugo Osvaldo Barrera
On 2012-11-28 14:33, Chris Smith wrote:
> On Wed, Nov 28, 2012 at 7:29 AM, Stuart Henderson  
> wrote:
>> If the control connection is encrypted as with ftp+tls, then ftp-proxy
>> *cannot* work, as it cannot read the commands. So, if this is with NAT,
>> you can't rely on ftp-proxy to fix things up, you will need ftp+tls
>> software where you can manually set the external address.
> 
> Yes, it's ftp+tls.
> This works with a standard home router (don't know what they're doing
> to allow it and ftp to work fine), but not with the OpenBSD firewall.
> It is only one server that I have to deal with so if I skip ftp-proxy
> for that one target address should it work OK then?
> 
> Thanks,
> 
> Chris
> 

Since you say this works with a standard home router, have you checked
whether the server software uses NAT-PMP or something similar for port
redirection?

-- 
Hugo Osvaldo Barrera



growfs on bsd.rd

2013-01-03 Thread Hugo Osvaldo Barrera

Hi all,

I'm curious as to why growfs is not included in bsd.rd.  Is there any 
particular reason for this? I believe it would be immensely useful - since 
bsd.rd is the first thing one would think of when needing to grow a root 
partition (or a partition you don't normally want to unmount).


I've googled a bit, but haven't found anything related.

Cheers,

--
Hugo Osvaldo Barrera



Re: Tricks for install OpenBSD under Virtualbox, host Windows XP

2013-01-07 Thread Hugo Osvaldo Barrera
On 2013-01-06 17:06, Steve Williams wrote:
> Hi,
> 
> After recently reading (on this list) about how OpenBSD runs under
> Virtualbox, I thought I would take it for a test drive on my laptop so I
> can work in OpenBSD while away on business & don't have access to the
> Internet.
> 
> My laptop is a Dell Latitude E6500 with a Intel(R) Core(TM)2 Duo CPU
> (P8600).  I have enabled the Virtualization support in the bios.
> 
> The host system is Windows XP.
> 
> When I start VirtualBox, I get a dialogue box that says:
> 
> -
> VT-x/AMD-V hardware acceleration has been enabled, but is not
> operational. Certain guests (e.g. OS/2 and QNX) require this feature.
> 
> Please ensure that you have enabled VT-x/AMD-V properly in the BIOS of
> your host computer.
> -
> 
> When I got this message, I disabled the "Enable VT-x/AMD-V" in the
> settings of the VM for OpenBSD, but I still get that message. It's a bit
> confusing.
> 
> 
> I am trying to install OpenBSD-current (downloaded January 6, 2013).  It
> will get various distances into installing before I get an error.  I've
> even got as far as defining the partitions and the format starting, but
> it either gives an "Illegal Instruction", or a kernel panic.
> 
> The Intel website indicates it supports VT-x
> (http://ark.intel.com/products/35569?wapkw=core+2+duo+p8400)

It does, but why didn't you try enabling VT-x in the BIOS of your host
computer, just like the dialog suggested?

> 
> Any suggestions/tricks, or am I just out of luck with this combination
> of hardware/guest OS/OpenBSD?
> 
> Thanks,
> Steve
> 



-- 
Hugo Osvaldo Barrera



Re: growfs on bsd.rd

2013-01-08 Thread Hugo Osvaldo Barrera
On 2013-01-04 00:41, Aaron Mason wrote:
> On Fri, Jan 4, 2013 at 1:28 PM, Hugo Osvaldo Barrera
>  wrote:
>> Hi all,
>>
>> I'm curious as to why growfs is not included in bsd.rd.  Is there any
>> particular reason for this? I believe it would be immensely useful, since
>> bsd.rd is the first thing one would think of when needing to grow a root
>> partition (or a partition you don't normally want to unmount).
>>
>> I've googled a bit, but haven't found anything related.
>>
>> Cheers,
>>
>> --
>> Hugo Osvaldo Barrera
>>
> 
> It's not too difficult to add tools to the ramdisk.
> 
> http://www.thats-too-much.info/2013/01/04/work-smarter-not-harder-roll-your-own-openbsd-ram-disk/
> 

My goal with this email was rather to suggest that growfs be included,
or to ask why it isn't; I've found I can easily mount /, copy growfs,
and umount / as a quick workaround anyway.

-- 
Hugo Osvaldo Barrera



Re: bootable OpenBSD USB stick from windows?

2013-02-13 Thread Hugo Osvaldo Barrera
On 2013-02-12 10:17, Scott McEachern wrote:
> On 02/12/13 08:10, Heptas Torres wrote:
>> On 2/12/13, Jan Stary  wrote:
>>> On Feb 11 23:48:09, hepta...@gmail.com wrote:
>>>> On 2/11/13, christopher sasarak  wrote:
>>>>> I had a similar situation with my laptop and found a solution in the
>>>>> FAQ:
>>>>> http://www.openbsd.org/faq/faq14.html#flashmemLive
>>>>>
>>>>> Essentially what I had to do was boot from CD on the desktop system
>>>>> (using
>>>>> an ISO for the desktop system's architecture)
>>>> That assumes that my windows machine can boot from a CD which is not
>>>> the case (I have no CD-ROM neither on my windows machine nor on the
>>>> machine where I want to install OpenBSD).
>>>>>> I only have access to a windows machine to burn an iso image, do you
>>> How do you do it then, exactly?
>>>
>> In case of Linux images with one of the tools I mentioned in one of my
>> previous messages.
>> -h
>>
> 
> Oh for pete's sake, it's 2013.  Go to your local computer store and
> spend (at most) $20 dollars on an optical drive.  Install the damn thing
> on your Winbox, follow the many directions already posted here, and be
> done with it.
> 
> It's not rocket surgery and optical drives really do come in handy. And
> they're dirt cheap.
> 
> Or, save the $20 and install VirtualBox like people have suggested.
> 
> Just end this stupid thread because you're talking in circles.
> 

$20 may sound cheap to you, but that's not cheap in every part of the
world, especially for a device you'll use only ONCE to install the OS.
It's 2013, and buying floppies/optical drives isn't the best of advice.

What's wrong with PXE?

-- 
Hugo Osvaldo Barrera
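For readers who take the PXE suggestion above, here is the minimal server side, as an added example that is not part of the thread: an OpenBSD box running the base dhcpd(8) and tftpd(8) hands out pxeboot(8), which then fetches bsd.rd and boots it via its etc/boot.conf. The 192.0.2.0/24 network, the em0 interface and the server address are placeholders.

```conf
# Added example, not from the thread: netboot the OpenBSD installer with
# the base-system dhcpd(8), tftpd(8) and pxeboot(8). Addresses, the
# interface and the 192.0.2.0/24 network are placeholders for the real LAN.

# /etc/dhcpd.conf on the install server
subnet 192.0.2.0 netmask 255.255.255.0 {
	option routers 192.0.2.1;
	option domain-name-servers 192.0.2.1;
	range 192.0.2.100 192.0.2.120;
	filename "pxeboot";            # first-stage loader, fetched over TFTP
	next-server 192.0.2.10;        # TFTP server; omit if it is the DHCP server itself
}

# /etc/rc.conf.local on the install server
dhcpd_flags="em0"
tftpd_flags="/tftpboot"

# TFTP tree: pxeboot and bsd.rd copied from the release directory for the
# target architecture, plus the loader's config:
#   /tftpboot/pxeboot
#   /tftpboot/bsd.rd
#   /tftpboot/etc/boot.conf        containing the single line below
boot tftp:/bsd.rd
```

DHCP and TFTP are unauthenticated, so any box on the segment can answer a PXE client; do this on a network you control while installing, and verify the copy of bsd.rd you place in /tftpboot against the release's SHA256.sig with signify(1) before booting from it, since pxeboot itself does not check what it loads.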



Re: "offline" mail setup for road warrior

2013-03-11 Thread Hugo Osvaldo Barrera
On 2013-03-09 00:18, frantisek holop wrote:
> hi there,
> 
> i am fishing for ideas from others regarding
> how to read/send email in my current life situation
> (=being on the road all the time connecting once
> in a while with 3rd world wifi).
> 
> i have my own mail server, that i can setup as i want.
> i am travelling with my notebook.  my preferred
> setup would be something that downloads my mails
> when i am connected, then i can write answers locally
> even when being offline, and these would be sent
> automatically (through my server) when i come
> online again.  my mail client is mutt.
> 
> any road warriors living like this with a rock
> solid well tested setup?
> 
> -f
> -- 
> stop talking while i'm interrupting.
> 

I run something similar to what you need on my laptop.
I use offlineimap to sync all mail locally, mutt to read and
reply, and OpenSMTPD running locally.
My local smtpd relays through my actual email server (using SMTPS
and authentication) whenever I get an internet connection.
offlineimap also syncs read/flagged statuses back up.

Good luck!

-- 
Hugo Osvaldo Barrera
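The setup described in the reply above, written out as an added example rather than the poster's own configuration: a laptop-local OpenSMTPD that takes mail from local clients such as mutt and relays everything to one smarthost over SMTPS with authentication, plus the offlineimap side that pulls mail into a local Maildir. Hostnames, the "remote" label and the account are placeholders, and the smtpd.conf grammar is the current one (OpenSMTPD 6.4 and later), which differs from the syntax in use when the message was written.

```conf
# Added example (not the poster's configuration): a laptop-local OpenSMTPD
# that accepts mail from local clients and relays it all to one
# authenticated smarthost over SMTPS. Hostname, label and account are
# placeholders; current smtpd.conf(5) grammar (6.4+).

# /etc/mail/smtpd.conf
table secrets file:/etc/mail/secrets

listen on lo0

# "remote" is the label looked up in the secrets table. The smarthost's
# certificate is verified against the system CA bundle by default; do not
# add "tls no-verify" to make a connection problem go away.
action "relay_out" relay host smtps+auth://remote@mail.example.com:465 auth <secrets>

match from local for any action "relay_out"

# /etc/mail/secrets  -- one line per label: label user:password
# Keep it out of everyone else's reach:
#   chown root:_smtpd /etc/mail/secrets && chmod 640 /etc/mail/secrets
remote user@example.com:placeholder-password

# ~/.offlineimaprc  -- mail comes down into a local Maildir, flags go back up
[general]
accounts = main

[Account main]
localrepository = main-local
remoterepository = main-remote

[Repository main-local]
type = Maildir
localfolders = ~/Mail/main

[Repository main-remote]
type = IMAP
remotehost = mail.example.com
remoteuser = user@example.com
remotepassfile = ~/.offlineimap-pass
ssl = yes
sslcacertfile = /etc/ssl/cert.pem
```

While offline, smtpd simply queues outgoing mail and retries the relay on its own schedule, so nothing special is needed to "send later"; the relay credentials and the IMAP password file are the two secrets on disk that the thread's later FDE discussion applies to.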



Invalid checksum with 82574L (em)

2013-03-20 Thread Hugo Osvaldo Barrera
o-PCI" rev 0xe2
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8169" rev 0x10: RTL8169/8110SB (0x1000),
apic 8 int 20, address 00:e0:52:c6:52:c3
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 3
pcib0 at pci0 dev 31 function 0 "Intel NM10 LPC" rev 0x02
ahci0 at pci0 dev 31 function 2 "Intel 82801GR AHCI" rev 0x02: msi, AHCI 1.1
scsibus0 at ahci0: 32 targets
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x02: apic 8 int
19
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627DHG
spdmem0 at iic0 addr 0x51: 4GB DDR3 SDRAM PC3-10600 SO-DIMM
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627DHG-P rev 0x73
lm2 at wbsio0 port 0x290/8: W83627DHG
mtrr: Pentium Pro MTRR support
lm1: disabling sensors due to alias with lm2
umass0 at uhub0 port 3 configuration 1 interface 0 "Generic USB2.0-CRW" rev
2.00/19.81 addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets, initiator 0
sd0 at scsibus1 targ 1 lun 0:  SCSI0 0/direct
removable serial.0bda011981519810
sd0: 3789MB, 512 bytes/sector, 7759872 sectors
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (7b2cce8455053ae6.a) swap on sd0b dump on sd0b
WARNING: / was not properly unmounted
re0: watchdog timeout
re0: watchdog timeout

--
Hugo Osvaldo Barrera




Re: Invalid checksum with 82574L (em)

2013-03-21 Thread Hugo Osvaldo Barrera
On 2013-03-21 08:51, Kapetanakis Giannis wrote:
> On 21/03/13 01:37, Hugo Osvaldo Barrera wrote:
> >I've been having a very annoying issue with an 82574L for a pretty long
> >time now.
> >
> >After the PC is turned off (either properly or due to a power failure),
> >the NIC does not work upon the next boot.
> >
> >   em0 at pci1 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi
> >   em0: The EEPROM Checksum Is Not Valid
> >   em0: Unable to initialize the hardware
> >
> >I found an Intel firmware flashing utility for DOS that rebuilds the
> >checksum. After running it, however, my MAC is 00:00:00:00:00:00. I
> >need to set the mac back with it, and make it rebuild the checksum.
> >
> >After I do this, OpenBSD boots fine:
> >
> >   em0 at pci1 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi,
> >   address 00:22:4d:7c:b2:76
> >
> >The NIC is an onboard one, and I've no extra PCI slots, so I can't
> >really change it.
> >
> >Here's my full dmesg in case it's of further use.
> >Please also let me know if there's anything else which may be of use.
> >
> >OpenBSD 5.2-current (GENERIC.MP) #5: Wed Dec 12 23:22:46 MST 2012
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >real mem = 4275666944 (4077MB)
> >avail mem = 4139347968 (3947MB)
> >mainbus0 at root
> >bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb920 (27 entries)
> >bios0: vendor Intel Corp. version "MUCDT10N.86A.0072.2012.0808.1512" date
> >08/08/2012
> >bios0: Intel Corporation D2700MUD
> >acpi0 at bios0: rev 2
> >acpi0: sleep states S0 S3 S4 S5
> >acpi0: tables DSDT FACP SSDT APIC MCFG HPET
> >acpi0: wakeup devices SLT1(S4) PS2M(S4) PS2K(S4) UAR1(S3) UAR2(S3) USB0(S3)
> >USB1(S3) USB2(S3) USB3(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4)
> >PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PWRB(S4)
> >acpitimer0 at acpi0: 3579545 Hz, 24 bits
> >acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> >cpu0 at mainbus0: apid 0 (boot processor)
> >cpu0: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.73 MHz
> >cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
> >DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,
> >CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
> >cpu0: 512KB 64b/line 8-way L2 cache
> >cpu0: apic clock running at 133MHz
> >cpu1 at mainbus0: apid 1 (application processor)
> >cpu1: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.41 MHz
> >cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
> >DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,
> >CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
> >cpu1: 512KB 64b/line 8-way L2 cache
> >cpu2 at mainbus0: apid 2 (application processor)
> >cpu2: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.41 MHz
> >cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
> >DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,
> >CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
> >cpu2: 512KB 64b/line 8-way L2 cache
> >cpu3 at mainbus0: apid 3 (application processor)
> >cpu3: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.41 MHz
> >cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
> >DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,
> >CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
> >cpu3: 512KB 64b/line 8-way L2 cache
> >ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
> >ioapic0: misconfigured as apic 0, remapped to apid 8
> >acpimcfg0 at acpi0 addr 0xe000, bus 0-63
> >acpihpet0 at acpi0: 14318179 Hz
> >acpiprt0 at acpi0: bus 0 (PCI0)
> >acpiprt1 at acpi0: bus 2 (P0P1)
> >acpiprt2 at acpi0: bus 1 (RP01)
> >acpiprt3 at acpi0: bus -1 (RP02)
> >acpiprt4 at acpi0: bus -1 (RP03)
> >acpiprt5 at acpi0: bus -1 (RP04)
> >acpicpu0 at acpi0
> >acpicpu1 at acpi0
> >acpicpu2 at acpi0
> >acpicpu3 at acpi0
> >acpibtn0 at acpi0: PWRB
> >acpibtn1 at acpi0: SLPB
> >acpivideo0 at acpi0: GFX0
> >acpivout0 at acpivideo0: DD02
> >pci0 at mainbus0 bus 0
> >pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x0bf3 rev 0x03
> >vga1 at pci0 dev 2 function 0 vendor "Intel", unknown product 0x0be2 rev 0x09
> >wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> >wsdisplay0: screen 1-5 added (80x25, vt1

Re: Invalid checksum with 82574L (em)

2013-03-26 Thread Hugo Osvaldo Barrera
On 2013-03-20 20:37, Hugo Osvaldo Barrera wrote:
> I've been having a very annoying issue with an 82574L for a pretty long
> time now.
>
> After the PC is turned off (either properly or due to a power failure),
> the NIC does not work upon the next boot.
>
>   em0 at pci1 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi
>   em0: The EEPROM Checksum Is Not Valid
>   em0: Unable to initialize the hardware
>
> I found an Intel firmware flashing utility for DOS that rebuilds the
> checksum. After running it, however, my MAC is 00:00:00:00:00:00. I
> need to set the mac back with it, and make it rebuild the checksum.
>
> After I do this, OpenBSD boots fine:
>
>   em0 at pci1 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi,
> address 00:22:4d:7c:b2:76
>
> The NIC is an onboard one, and I've no extra PCI slots, so I can't
> really change it.
>
> Here's my full dmesg in case it's of further use.
> Please also let me know if there's anything else which may be of use.
>
> OpenBSD 5.2-current (GENERIC.MP) #5: Wed Dec 12 23:22:46 MST 2012
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4275666944 (4077MB)
> avail mem = 4139347968 (3947MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb920 (27 entries)
> bios0: vendor Intel Corp. version "MUCDT10N.86A.0072.2012.0808.1512" date
> 08/08/2012
> bios0: Intel Corporation D2700MUD
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP SSDT APIC MCFG HPET
> acpi0: wakeup devices SLT1(S4) PS2M(S4) PS2K(S4) UAR1(S3) UAR2(S3) USB0(S3)
> USB1(S3) USB2(S3) USB3(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4)
> PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PWRB(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.73 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
> DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,
> CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
> cpu0: 512KB 64b/line 8-way L2 cache
> cpu0: apic clock running at 133MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.41 MHz
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
> DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,
> CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
> cpu1: 512KB 64b/line 8-way L2 cache
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.41 MHz
> cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
> DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,
> CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
> cpu2: 512KB 64b/line 8-way L2 cache
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.41 MHz
> cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,
> DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,
> CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
> cpu3: 512KB 64b/line 8-way L2 cache
> ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 8
> acpimcfg0 at acpi0 addr 0xe000, bus 0-63
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 2 (P0P1)
> acpiprt2 at acpi0: bus 1 (RP01)
> acpiprt3 at acpi0: bus -1 (RP02)
> acpiprt4 at acpi0: bus -1 (RP03)
> acpiprt5 at acpi0: bus -1 (RP04)
> acpicpu0 at acpi0
> acpicpu1 at acpi0
> acpicpu2 at acpi0
> acpicpu3 at acpi0
> acpibtn0 at acpi0: PWRB
> acpibtn1 at acpi0: SLPB
> acpivideo0 at acpi0: GFX0
> acpivout0 at acpivideo0: DD02
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x0bf3 rev 0x03
> vga1 at pci0 dev 2 function 0 vendor "Intel", unknown product 0x0be2 rev 0x09
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> intagp at vga1 not configured
> azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: msi
> azalia0: codecs: Realtek ALC662
> audio0 at azalia0
> ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: msi
> pci1 at ppb0 bus 1
> em0 at pci1 dev 0 function 0 "Intel PRO/1000 MT (82574L)" rev 0x00: msi,
> address 00:22:4d:7c:b2:76
> uhci0 at pci0 dev 29 functi

ARK-2120L

2013-04-28 Thread Hugo Osvaldo Barrera
Hi,

I'm intending on getting an ARK-2120L [1] to serve as a gateway for my
network.
I've been doing some research as to whether or not it'll work on OpenBSD.

So far I've evaluated:

CPU (Intel Atom, should work fine).
LAN (82583V, is listed as working with "em").

However, I'm curious as to whether I should take something else into
consideration, in particular, the chipset. Do I need to check for some
other driver compatibility, or should that be it?
Do things like the USB chipset require a specific driver, or is that sort
of stuff standard? (sorry, I'm a bit ignorant in this regard).

I'm also slightly curious about the video driver. I don't care about X,
or video acceleration, since I'll only use video for OpenBSD installation,
nothing else. Should video work for any modern video card, even if only
at a very poor resolution? Or do I still need to be careful about
driver support?

[1]
http://www.advantech.com/products/ARK-2120L/mod_BD7B04DE-B994-4D74-96DE-21CDB3F8158B.aspx
[2][PDF]
http://cms.tempel.es//adimage.php?filename=9_0000015551.pdf&contenttype=pdf

Thanks,

--
Hugo Osvaldo Barrera




Re: Why does OpenBSD use CVS?

2013-04-28 Thread Hugo Osvaldo Barrera
On 2013-04-20 23:32, Nick Holland wrote:
> On 04/20/13 03:42, Alokat MacMoneysack wrote:
> > Hi,
> >
> > first, I don't want to start a flame war about why is CVS better or
> > not better than X - it's just a question.
> >
> > If you say, we use it because it just works - it's okay. :)
>
> Good, 'cause it does. :)
>
> > So why does OpenBSD still uses CVS and don't migrate to SVN or
> > something like git as other OSS projekts do?
>
> * "it works"
> * migrating - and not losing history is difficult.
> * migrating versioning systems is something you don't want to do every
> few weeks (or even every few years)...so you want to make sure it is
> really worth it if/when you do.  SVN today?  GIT next week?  something
> else next year?  Please, no.
> * Tolerable -- and in the case of opencvs, ideal -- license.
> * its glitches are hated, but known (the devil you know how to subdue,
> vs. the devil who beats the sh*t out of you)
> * relatively light weight -- runs fine on a 486, hp300, or on a modern,
> fast machine, fits nicely into existing distribution, easy to drop into
> a chroot.
> * Infrastructure exists.  To change it all would require a really good
> reason.
> * it fits the OpenBSD development model.
> * Many of the "features" of alternatives are not desired in the OpenBSD
> development model.

Out of curiosity; what are these "features"?

>
> Obviously, it is possible to build a quality-focused product of
> Operating System magnitude using CVS.  I don't think one can quite say
> CVS is the REASON for OpenBSD's quality, but it obviously hasn't hurt.
>
> Nick.
>

--
Hugo Osvaldo Barrera




Re: Why does OpenBSD use CVS?

2013-04-28 Thread Hugo Osvaldo Barrera
On 2013-04-20 12:15, Stuart Henderson wrote:
> On 2013-04-20, Alokat MacMoneysack  wrote:
> > Hi,
> >
> > first, I don't want to start a flame war about why is CVS better or not
better than X - it's just a question.
> >
> > If you say, we use it because it just works - it's okay. :)
> >
> > So why does OpenBSD still uses CVS and don't migrate to SVN or something
like git as other OSS projekts do?
> >
> > Regards,
> > fritjof
> >
> >
>
> my 2p: like all version control software CVS has bugs, but between us,
> developers have a reasonable idea of how to avoid them in CVS, there's
> less knowledge about other version control systems.
>
> Also having the repository stored in human-readable (ish) files is an
> advantage if there was ever any repo corruption.

Some other VCSs keep checksums of every commit, and every commit contains
the checksum of the last commit + this commit's diff. This helps *prevent*
corruption (or at least prevents it from spreading).
I think that beats human-readable files to manually find corruption
(that may well spread).

>
> You might also ask why some other OS use source control software which
> they don't even include in the base OS ;-)
>

--
Hugo Osvaldo Barrera
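The integrity argument in the reply above, worked through in code. This is an added example, not code from the thread or from any version control system: each commit id is the hash of its parent's id and its change, so a corrupted or silently edited commit fails verification, and the only way to make a tampered chain verify again is to rewrite every later id, which changes the head id that mirrors and developers already hold. The three diffs are constructed sample data. (Git hashes commit objects that point at tree snapshots and parent ids rather than diffs, but the chaining property it relies on is the same one shown here.)

```python
"""Hash-chained commits: each id covers the parent id and the change, so a
corrupted or edited commit is caught, and cannot be hidden without rewriting
every later id. Added example, not code from the thread; it models the idea
in the message above with constructed sample diffs."""
import hashlib
from typing import Dict, List

ROOT = "0" * 64           # parent id of the first commit

Commit = Dict[str, object]  # keys: "id", "parent" (hex str), "diff" (bytes)


def commit_id(parent_id: str, diff: bytes) -> str:
    """sha256(parent id || newline || change bytes), hex encoded."""
    h = hashlib.sha256()
    h.update(parent_id.encode("ascii"))
    h.update(b"\n")
    h.update(diff)
    return h.hexdigest()


def build_chain(diffs: List[bytes]) -> List[Commit]:
    chain: List[Commit] = []
    parent = ROOT
    for diff in diffs:
        cid = commit_id(parent, diff)
        chain.append({"id": cid, "parent": parent, "diff": diff})
        parent = cid
    return chain


def head_id(chain: List[Commit]) -> str:
    """The id everyone compares against: a tag, a mirror, a checkout."""
    return chain[-1]["id"] if chain else ROOT


def verify_chain(chain: List[Commit]) -> int:
    """Index of the first commit whose id or parent link fails, or -1 if intact."""
    expected_parent = ROOT
    for i, c in enumerate(chain):
        if c["parent"] != expected_parent:
            return i
        if commit_id(c["parent"], c["diff"]) != c["id"]:
            return i
        expected_parent = c["id"]
    return -1


def tamper(chain: List[Commit], index: int, new_diff: bytes) -> List[Commit]:
    """Copy of the chain with one change replaced: bit rot, or an in-place edit."""
    copy = [dict(c) for c in chain]
    copy[index]["diff"] = new_diff
    return copy


def rewrite_from(chain: List[Commit], index: int) -> List[Commit]:
    """What it takes to make a tampered chain verify again: recompute every id
    from `index` onwards. The head id changes, so anyone holding the old head
    still notices the rewrite."""
    copy = [dict(c) for c in chain]
    parent = copy[index]["parent"]
    for c in copy[index:]:
        c["parent"] = parent
        c["id"] = commit_id(parent, c["diff"])
        parent = c["id"]
    return copy


if __name__ == "__main__":
    sample = build_chain([b"+line one\n", b"-line one\n+line 1\n", b"+line two\n"])
    damaged = tamper(sample, 1, b"-line one\n+line 1 (edited)\n")
    print("intact chain fails at:", verify_chain(sample))
    print("damaged chain fails at:", verify_chain(damaged))
    print("heads differ after rewrite:", head_id(rewrite_from(damaged, 1)) != head_id(sample))
```

verify_chain() stops at the first bad link, which is exactly the "doesn't spread" property: everything before that index is still trustworthy, and everything after it is suspect only because its ancestry is.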




OpenSSH AESNI support

2015-05-07 Thread Hugo Osvaldo Barrera
Hi,

I've a smallish system which does a lot of SFTP work, and CPU seems to be the
bottleneck constantly (this was discussed on a previous thread over a year
ago).

I've finally decided to replace that CPU, but I'm wondering: does OpenSSH
support/use the AESNI instruction set if available? The documentation
indicates that access to crypto(9) is disabled for userland by default, but
I'm not sure if AESNI access is done via crypto(9) or some other means.

Also, if it does support it, would a patch for the man page to indicate this
(for others in my scenario) be acceptable?

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: OpenSSH AESNI support

2015-05-07 Thread Hugo Osvaldo Barrera
On 2015-05-07 10:57, Christian Weisgerber wrote:
> On 2015-05-07, Hugo Osvaldo Barrera  wrote:
>
> > I've finally decided to replace that CPU, but I'm wondering: Does OpenSSH
> > support/use the AESNI instruction set if available?
>
> Yes, by way of OpenSSL/LibreSSL, which make use of AESNI if available.
>
> > if AESNI access is done via crypto(9) or some other means.
>
> The crypto(9) interface was designed for crypto accelerators that
> appear as devices separate from the CPU and require a kernel driver.
> By contrast, AESNI instructions can be directly used in userland
> code.
>
> --
> Christian "naddy" Weisgerber          na...@mips.inka.de
>

Couldn't have been clearer. Thanks.

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: Ubiquiti EdgeRouter Lite

2015-08-21 Thread Hugo Osvaldo Barrera
On Tue, Aug 18, 2015, at 09:11, Ted Unangst wrote:
> Predrag Punosevac wrote:
> > Dear All,
> > 
> > I am contemplating buying a new machine which will act as a router/DNS
> > caching server for my home network. Is anybody currently running OpenBSD
> > on the Ubiquiti Networks EdgeRouter LITE in that capacity? I saw that in
> > June 2015 USB support was added which allows installing to local disk on
> > machine. Can anybody point me to a work in progress documentation diff
> > for installing 5.8 octeon port.  I am reading right now
> 
> Here are my notes, which are basic, but should be enough to get you
> through if
> you're familiar with openbsd.
> http://www.tedunangst.com/flak/post/OpenBSD-on-ERL
> 

Since this runs on a USB flash drive, did you do any special
configuration to avoid write degradation? I remember running OpenBSD on
[cheap] USB flash drives some years ago, and they kept dying on me
pretty quickly. Did you maybe disable some logging, or something similar?
Or are high-quality USB flash drives okay for this?

Thanks,

-- 
Hugo Osvaldo Barrera



SSH key encryption when using FDE

2016-08-01 Thread Hugo Osvaldo Barrera
Hi,

I've always used password-protected ssh keys, with ssh-agent, and in
recent years I've been using full disk encryption as well.
I'm wondering if there's some redundancy here, and if using FDE
nullifies the need for password-protecting the keys, or if there's some
attack vector I'm not considering.

Keep in mind that I'm using ssh-agent, and unlock the keys usually as a
first action after startup (I guess *not* using ssh-agent completely
changes the scenario).

Thanks,

-- 
Hugo Osvaldo Barrera



Re: SSH key encryption when using FDE

2016-08-02 Thread Hugo Osvaldo Barrera
On Tue, Aug 2, 2016, at 22:01, Nick Holland wrote:
> On 08/02/16 01:48, Remi Locherer wrote:
> > On Mon, Aug 01, 2016 at 07:10:21PM -0300, Hugo Osvaldo Barrera
> > wrote:
> >> Hi,
> >>
> >> I've always used password-protected ssh keys, with ssh-agent, and in
> >> recent years I've been using full disk encryption as well.
> >> I'm wondering if there's some redundancy here, and if using FDE
> >> nullifies the need for password-protecting the keys, or if there's some
> >> attack vector I'm not considering.
> >>
> >> Keep in mind that I'm using ssh-agent, and unlock the keys usually as a
> >> first action after startup (I guess *not* using ssh-agent completely
> >> changes the scenario).
> >
> > It still makes sense to encrypt your ssh keys. Think of a bug in a
> > browser that allows a server to read your files.
>
> right.
>
> Disk Encryption protects your key and other data when your computer is
> OFF.  And only when it is off.  When your computer is active and the
> file systems available, any attacker that manages to get into your
> system through any means can see whatever they have access to.  If they
> grab your no-passphrase key, they now have your key.  If they grab your
> passphrased key...they got a jumble of funny characters.
>
> Nick.
>

Doesn't the fact that ssh-agent is running somehow make the keys
accessible anyway? Or am I making misassumptions on how it works?

--
Hugo Osvaldo Barrera
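The question in the reply above turns on what the agent actually exposes over its socket, so here is the wire protocol itself, as an added example that is not code from the thread or from OpenSSH. The client side can ask for the list of loaded public keys (SSH_AGENTC_REQUEST_IDENTITIES) and for a signature over some bytes with one of them (SSH_AGENTC_SIGN_REQUEST); there is no message that returns private key material. The identities reply used to exercise the parser is constructed, with 32 zero bytes standing in for a public key; list_agent_keys() talks to a real agent only if SSH_AUTH_SOCK is set.

```python
"""ssh-agent wire protocol helpers: what a client can ask the agent for, and
what comes back. Added example, not code from the thread or from OpenSSH.
The identities reply below is constructed, with an all-zero stand-in for a
public key, so the parser can be exercised without a running agent."""
import os
import socket
import struct
from typing import List, Optional, Tuple

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def _string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack("!I", len(b)) + b


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from("!I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def frame(payload: bytes) -> bytes:
    """Every agent message on the socket is uint32 length + payload."""
    return struct.pack("!I", len(payload)) + payload


def build_request_identities() -> bytes:
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Ask the agent to sign `data` with the key named by its public blob.
    This is the only way to 'use' a loaded key; the private half stays in
    the agent process."""
    return frame(bytes([SSH_AGENTC_SIGN_REQUEST]) + _string(key_blob)
                 + _string(data) + struct.pack("!I", flags))


def parse_identities_answer(msg: bytes) -> List[Tuple[str, bytes, str]]:
    """Unframed reply -> [(key type, public key blob, comment)]."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %r" % (msg[:1],))
    (count,) = struct.unpack_from("!I", msg, 1)
    off = 5
    keys = []
    for _ in range(count):
        blob, off = _read_string(msg, off)
        comment, off = _read_string(msg, off)
        ktype, _ = _read_string(blob, 0)       # a key blob starts with its type string
        keys.append((ktype.decode(), blob, comment.decode()))
    return keys


def list_agent_keys(sock_path: Optional[str] = None):
    """Query a live agent over SSH_AUTH_SOCK; None when no agent is reachable."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        return None
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request_identities())
        (n,) = struct.unpack("!I", s.recv(4))
        payload = b""
        while len(payload) < n:
            chunk = s.recv(n - len(payload))
            if not chunk:
                raise ConnectionError("agent closed the socket")
            payload += chunk
    return parse_identities_answer(payload)


def constructed_identities_answer() -> bytes:
    """Constructed reply: one fake ed25519 key (32 zero bytes, not a real key)."""
    blob = _string(b"ssh-ed25519") + _string(bytes(32))
    return (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack("!I", 1)
            + _string(blob) + _string(b"laptop key"))


if __name__ == "__main__":
    live = list_agent_keys()
    for ktype, blob, comment in (live or parse_identities_answer(constructed_identities_answer())):
        print(ktype, len(blob), "bytes", repr(comment))
```

The practical consequence for the question above: a process that can reach the socket (malware running as the user, or a server the agent is forwarded to) can have the agent sign with a loaded key, which is full use of that key for as long as it stays loaded, but it cannot copy the key out and keep it. Loading keys with ssh-add -c (confirm each use) or -t (lifetime), and dropping them with ssh-add -D when done, shrinks that window; the passphrase on the file still matters for the copy of the key that sits on disk.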



Re: Can OpenBSD access BBC Iplayer?

2014-09-03 Thread Hugo Osvaldo Barrera
On 2014-09-02 08:57, Anthony Campbell wrote:
> Greetings, list!
>
> I'm a long-standing user of Linux (currently ArchLinux) who is just
> trying out OpenBSD and so far is much impressed. I'm using a Thinkpad
> T42.
>
> The main outstanding problem at the moment is accessing BBC Iplayer,
> which insists on my having Flashplayer installed.
>
> After reading the FAQ and various lists I put libflashplayer.so in
> ~/.mozilla/plugins and installed the fedora_base package as suggested in
> the FAQ. I still can't use Iplayer.
>
> I saw somewhere that Chrome has inbuilt flashplayer but that doesn't
> seem to be the case.
>

For the record:
It's Google Chrome that has a built-in Pepper Flash plugin. It's not part of
Chromium (the open source project), which is what actually runs on OpenBSD.

> As a workaround I can use get_iplayer to download BBC programmes but is
> it possible to get a browser to access Iplayer?
>
> Anthony
>
> --
> Anthony Campbell - a...@acampbell.org.uk
> http://www.acupuncturecourse.org.uk
> http://www.smashwords.com/profile.view/acampbell
> https://itunes.apple.com/ca/artist/anthony-campbell/id73235412
>

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Nonexistant domains resolve to my local domain

2014-04-09 Thread Hugo Osvaldo Barrera
Hi,

I've been having this extremely weird issue.
My hostname is elysion.barrera.io. When I try to ping, curl, or do something
similar with aDomainIAmReallySureDoesNotExist.com, it pings/curls/whatever
my local domain. Maybe an example will make it clearer:

  # ping adsfsdgasdadsfasfsdfasdf.net
  PING elysion.barrera.io (174.136.104.18): 56 data bytes
  64 bytes from 174.136.104.18: icmp_seq=0 ttl=255 time=0.032 ms
  64 bytes from 174.136.104.18: icmp_seq=1 ttl=255 time=0.081 ms

dig, however, works fine:

  # dig adsfsdgasdadsfasfsdfasdf.net
  
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20200
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
   

I've tried changing nameserver to my ISP's, Google Public DNS, etc., the
issue always persists (besides, dig working makes me think it's a
local issue).

Note that ALL nonexistent domains resolve to myself, never anything
different.

Any hints on where I should be looking?

--
Hugo Osvaldo Barrera

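The ping/dig discrepancy above has a mechanical explanation that the thread reaches later: the stub resolver's search list and a wildcard record in the poster's own zone. The following is an added example, not code from the thread, that models both pieces. search_candidates() produces the names a resolv.conf(5)-style resolver tries (with no search/domain line, the list is derived from the host's own domain, so elysion.barrera.io searches barrera.io), and lookup() answers from a constructed zone containing the names seen in the thread plus a wildcard CNAME; the 192.0.2.1 apex address is a placeholder. dig does not apply the search list unless given +search, which is why it showed NXDOMAIN while ping, which resolves through getaddrinfo(3), went on to try the suffixed name.

```python
"""Why a stub resolver turns a bogus name into the local host: search-list
expansion plus a wildcard CNAME. Added example, not code from the thread;
the zone is constructed from the names shown in the thread and the
192.0.2.1 apex address is a placeholder."""
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str]          # (type, rdata)

# Constructed zone data. The wildcard is the one the thread's last message describes.
ZONE: Dict[str, RR] = {
    "barrera.io": ("A", "192.0.2.1"),                    # placeholder apex address
    "elysion.barrera.io": ("A", "174.136.104.18"),
    "*.barrera.io": ("CNAME", "elysion.barrera.io"),
}


def search_candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Names a resolv.conf(5)-style stub resolver tries, in order.

    A trailing dot makes the name absolute and disables the search list.
    With at least `ndots` dots the name is tried as-is first, then with each
    search suffix; with fewer dots the suffixed forms come first."""
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixed = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


def _exists(zone: Dict[str, RR], name: str) -> bool:
    """A node exists if it owns data or is an ancestor of a name that does."""
    return any(k == name or k.endswith("." + name) for k in zone)


def lookup(zone: Dict[str, RR], qname: str) -> Optional[RR]:
    """Exact match, else the wildcard at the closest enclosing node (RFC 4592).
    None means NXDOMAIN."""
    if qname in zone:
        return zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):                # closest encloser found
            return zone.get("*." + ancestor)       # wildcard there, or nothing
    return None


def resolve(name: str, search: List[str], zone: Dict[str, RR] = ZONE,
            ndots: int = 1) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """(name actually tried, canonical name, address), following one CNAME.
    (None, None, None) means every candidate came back NXDOMAIN."""
    for cand in search_candidates(name, search, ndots):
        rr = lookup(zone, cand)
        if rr is None:
            continue
        rtype, rdata = rr
        if rtype == "CNAME":
            target = lookup(zone, rdata)
            addr = target[1] if target and target[0] == "A" else None
            return cand, rdata, addr
        return cand, cand, rdata
    return None, None, None


if __name__ == "__main__":
    for q in ("adsfsdgasdadsfasfsdfasdf.net", "adsfsdgasdadsfasfsdfasdf.net."):
        print(q, "->", resolve(q, ["barrera.io"]))
```

The absolute form with the trailing dot never touches the wildcard, and a name under an existing node (foo.elysion.barrera.io.) stays NXDOMAIN because the closest encloser is elysion.barrera.io, which owns no wildcard. On the real system the same thing can be checked with dig +search, or with getent hosts, which goes through the same resolver path ping does.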



Re: Nonexistant domains resolve to my local domain

2014-04-09 Thread Hugo Osvaldo Barrera
On 2014-04-10 01:16, Giancarlo Razzolini wrote:
> Em 10-04-2014 00:43, Hugo Osvaldo Barrera escreveu:
> > Hi,
> >
> > I've been having this extremely weird issue.
> > My hostname is elysion.barrera.io. When I try to ping, curl, or do something
> > similar with aDomainIAmReallySureDoesNotExist.com, it pings/curls/whatever
> > my local domain. Maybe an example will make it clearer:
> >
> >   # ping adsfsdgasdadsfasfsdfasdf.net
> >   PING elysion.barrera.io (174.136.104.18): 56 data bytes
> >   64 bytes from 174.136.104.18: icmp_seq=0 ttl=255 time=0.032 ms
> >   64 bytes from 174.136.104.18: icmp_seq=1 ttl=255 time=0.081 ms
> >
> > dig, however, works fine:
> >
> >   # dig adsfsdgasdadsfasfsdfasdf.net
> >   
> >   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20200
> >   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >
> >
> > I've tried changing nameserver to my ISP's, Google Public DNS, etc., the
> > issue always persists (besides, dig working makes me think it's a
> > local issue).
> >
> > Note that ALL nonexistent domains resolve to myself, never anything
> > different.
> >
> > Any hints on where I should be looking?
> >
> > --
> > Hugo Osvaldo Barrera
> >
> >
> You need to elaborate on a lot of things. We could only guess on who is
> to blame here (my money is on a misconfigured dns server, either a
> transparent dns proxy at your isp or a wrongly configured one in your
> network). Post your /etc/hosts, /etc/resolv.conf and dmesg for starters;
> this is the initial information required for helping solve your issue.
>
> Cheers,
>
> --
> Giancarlo Razzolini
> GPG: 4096R/77B981BC
>

As I mentioned before, I tried different nameservers including my ISPs
and Google's Public DNS (so a "misconfigured dns server" is extremely
unlikely).

I didn't mention any transparent proxies because there aren't any
either. Connection is straight to the public internet.

/etc/hosts:
::1            localhost
127.0.0.1      localhost
174.136.104.18 elysion.barrera.io

/etc/resolv.conf:
nameserver 208.79.88.7
nameserver 208.79.88.9

/etc/resolv.conf (another version):
nameserver 8.8.8.8

dmesg:
OpenBSD 5.5-current (GENERIC.MP) #59: Mon Apr  7 22:49:12 MDT 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 788463616 (751MB)
avail mem = 758763520 (723MB)
warning: no entropy supplied by boot loader
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfbd3f (10 entries)
bios0: vendor QEMU version "QEMU" date 01/01/2007
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpiprt0 at acpi0: bus 0 (PCI0)
mpbios at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: QEMU Virtual CPU version 0.9.1, 2667.13 MHz
cpu0:
FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MM
X,FXSR,SSE,SSE2,SSE3,NXE,LONG,PERF
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line
16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 20480MB, 41943040 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom
removable
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
cd0(pciide0:0:1): using PIO mode 0
atapiscsi1 at pciide0 channel 1 drive 0
scsibus2 at atapiscsi1: 2 targets
cd1 at scsibus2 targ 0 lun 0:  ATAPI 5/cdrom
removable
cd1(pciide0:1:0): using PIO mode 0
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: irq 10
iic0 at piixpm0
iic0: addr 0x18 48=00 words 00= 01= 02= 03= 04= 05=
06= 07=
iic0: addr 0x1a 48=00 words 00= 01= 02= 03= 04= 05=
06= 07=
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation

Re: Nonexistent domains resolve to my local domain

2014-04-10 Thread Hugo Osvaldo Barrera
On 2014-04-10 00:43, Hugo Osvaldo Barrera wrote:
> Hi,
>
> I've been having this extremely weird issue.
> My hostname is elysion.barrera.io. When I try to ping, curl, or something
> alike aDomainIReallySureDoeNotExist.com, it pings/curls/whatever
> my local domain. Maybe an example can be clearer:
>
>   # ping adsfsdgasdadsfasfsdfasdf.net
>   PING elysion.barrera.io (174.136.104.18): 56 data bytes
>   64 bytes from 174.136.104.18: icmp_seq=0 ttl=255 time=0.032 ms
>   64 bytes from 174.136.104.18: icmp_seq=1 ttl=255 time=0.081 ms
>
> dig, however, works fine:
>
>   # dig adsfsdgasdadsfasfsdfasdf.net
>   
>   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20200
>   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>
> I've tried changing nameserver to my ISP's, Google Public DNS, etc, the
> issue is always persistent (besides, dig working makes me think it's a
> local issue).
>
> Note that ALL nonexistent domains resolve to myself, never anything
> different.
>
> Any hints on where I should be looking?
>
> --
> Hugo Osvaldo Barrera
>

I got a few off-list replies that led me to the issue.
I've a wildcard CNAME set up (which responds for any non-existent
subdomain):

  *.barrera.io IN CNAME elysion.barrera.io.

When resolving "nonexistant.net" fails, ping will search for
"nonexistant.net.barrera.io".
And, well, the rest of it is pretty obvious.

So the issue wasn't on the nameserver I'm using to resolve, nor on my
local system, but rather a combination of existing DNS records, and my
search domain.

I guess the solution is getting rid of the wildcard domain - any other
alternatives?

Thanks,

--
Hugo Osvaldo Barrera

[demime 1.01d removed an attachment of type application/pgp-signature]
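The interaction described in this post, as an added example (not code from the original post): a toy resolver with a search list and a zone containing the wildcard CNAME, showing why ping finds an address where dig reports NXDOMAIN, and that dropping the wildcard (or using a trailing dot) removes the effect. The zone content and search list are constructed from the values quoted in the thread.

```python
# Added example (not from the original post): a toy resolver that reproduces
# the search-domain plus wildcard-CNAME interaction described above. The zone
# content and search list are constructed from the values quoted in the thread.

# Constructed zone for barrera.io; owner names are fully qualified.
ZONE = {
    "barrera.io.": {"A": "174.136.104.18"},
    "elysion.barrera.io.": {"A": "174.136.104.18"},
    "*.barrera.io.": {"CNAME": "elysion.barrera.io."},
}

# Search list the stub resolver appends to names it cannot resolve as given
# (what "search barrera.io" in resolv.conf does; constructed for the example).
SEARCH_LIST = ["barrera.io."]


def wildcard_owner(qname, zone):
    """Simplified RFC 4592 matching: walk up the labels to the closest
    existing ancestor; if that ancestor has a '*' child, it synthesizes the
    answer. Empty non-terminals are ignored in this toy version."""
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if ancestor in zone:
            wildcard = "*." + ancestor
            return wildcard if wildcard in zone else None
    return None


def authoritative_lookup(qname, zone):
    """One query to the authoritative server: ('A', addr), ('CNAME', target)
    or ('NXDOMAIN', None)."""
    owner = qname if qname in zone else wildcard_owner(qname, zone)
    if owner is None:
        return "NXDOMAIN", None
    rrtype, data = next(iter(zone[owner].items()))
    return rrtype, data


def resolve_fqdn(qname, zone, max_chain=8):
    """What dig does: query the exact name only, following CNAMEs to an A.
    Returns the address, or None when the name does not exist."""
    for _ in range(max_chain):
        rrtype, data = authoritative_lookup(qname, zone)
        if rrtype == "A":
            return data
        if rrtype != "CNAME":
            return None
        qname = data
    return None  # CNAME chain too long, treat as failure


def resolve_with_search(name, search_list, zone, ndots=1):
    """What ping/curl get from the stub resolver: the name as given first when
    it has at least ndots dots, then each search suffix appended. Returns
    (address, name that produced the answer). A trailing dot makes the name
    absolute and disables the search list entirely."""
    if name.endswith("."):
        return resolve_fqdn(name, zone), name
    absolute = [name + "."]
    suffixed = [name + "." + suffix for suffix in search_list]
    candidates = absolute + suffixed if name.count(".") >= ndots else suffixed + absolute
    for candidate in candidates:
        addr = resolve_fqdn(candidate, zone)
        if addr is not None:
            return addr, candidate
    return None, None


def demo():
    bogus = "adsfsdgasdadsfasfsdfasdf.net"  # the name pinged in the post
    dig_answer = resolve_fqdn(bogus + ".", ZONE)
    ping_addr, answered_by = resolve_with_search(bogus, SEARCH_LIST, ZONE)
    # The fix discussed in the post: drop the wildcard record from the zone.
    zone_without_wildcard = {k: v for k, v in ZONE.items() if not k.startswith("*.")}
    fixed_addr, _ = resolve_with_search(bogus, SEARCH_LIST, zone_without_wildcard)
    return dig_answer, ping_addr, answered_by, fixed_addr


if __name__ == "__main__":
    print(demo())  # (None, '174.136.104.18', 'adsfsdgasdadsfasfsdfasdf.net.barrera.io.', None)
```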



Re: Insight needed on new encryption feature for ssh-keygen and ssh: "ssh-keygen --protect" and a linux data protection service

2014-04-17 Thread Hugo Osvaldo Barrera
On 2014-04-14 00:28, alexander taylor wrote:
> I need advice on a contribution I'd like to make as part of my
> research with a cryptography professor at UC San Diego.  I mostly want
> to know if there are any obvious practical problems with my idea.
>
> The problem I'm trying to solve is that casual users trying to ssh
> into Github or their home / school server may not bother creating
> passphrases for their private ssh keys.  This means that they are
> probably relying on hardware security to keep their private key safe.
> However, with no added effort, these keys could be cryptographically
> protected under the user's Windows/Linux logon password in the same
> way that your saved passwords are protected in the web browser.  For
> example, Chrome on linux uses any available keychain program to
> encrypt saved passwords under the user's logon credential, if a
> keychain program is available, and uses the Data Protection API on
> Windows.

These features only work if you've all the right optional dependencies
installed, and a manager/daemon running that handles all that.
AFAIK, the GNOME and KDE implementations use d-bus, which I think would
be an unwanted dependency for SSH.

Most "popular" linux distros do disk encryption by default. Especially
those used by the less tech-inclined users.

OpenBSD users, and more tech inclined users generally know not to keep
their keys passwordless. Even if they do so, they already know the risks.

>
> More on Windows DPAPI:
> http://msdn.microsoft.com/en-us/library/ms995355.aspx
>
> My idea is to add a "--protect" (e.g.) option to ssh-keygen that
> encrypts the private key with the user's logon credential (windows or
> linux password) instead of prompting for a passphrase.  For Windows,
> it can protect the file using Windows DPAPI, but for Linux I would
> need to create a similar "data protection" service.  This "data
> protection" service is also something I want to create, with
> ssh-keygen being the main motivation.  The linux data protection
> service would generate a master key for the user, protected on disk by
> encryption under the user's password, captured by a PAM module.  The
> same PAM module decrypts and re-encrypts the master key when the user
> changes her password.  Then, the data protection service allows
> ssh-keygen to encrypt the private key using the user's master key,
> available only when logged on.  Now, ssh can use the same service to
> decrypt the key if the user is logged on (another feature I'd need to
> add).  If the user is not logged on, the private key is unusable.
>

Sounds like you'd need a way to export the keys to move them to other
computers as well. Also, what happens if root changes the password? Does
the user lose his keys?

> Using eCryptfs, hard-drive encryption, or simply making a passphrase
> and keeping it in a keyring solve the same problem, but require more
> effort by the user.
>
> More details on my research:
>
> https://docs.google.com/document/d/1mibuwHRJpzCFYuQJZ30Cgw6nBjyp6qod19tZnw-Rzv8/edit?usp=sharing

You mention gnome-keyring as an example, that can double up as an
ssh-agent, and unlocks on login with the user password. I believe this
pretty much covers the initial scenario. At most, gnome-keyring should
have (if it doesn't already), a "generate ssh keys" option, and that
would cover the problem.

>
> Thanks for any help/insights!
>
> alexander taylor
>

--
Hugo Osvaldo Barrera

[demime 1.01d removed an attachment of type application/pgp-signature]
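The master-key lifecycle the proposal describes (master key wrapped under the logon password, re-wrapped by the PAM module on password change, private keys wrapped under the master key), as an added stdlib-only model that is neither the poster's code nor OpenSSH's. It makes the question in the reply concrete: a password change that goes through the module keeps the keys usable, while a root reset that never sees the old password leaves nothing that can unwrap them. The KDF, the HMAC-based keystream and all parameters are assumptions of this example.

```python
# Added example (not the poster's code nor OpenSSH's): a stdlib-only model of
# the per-user "data protection service" proposed above, to show what the
# master-key lifecycle implies. Assumptions: PBKDF2 for the password KEK and
# an HMAC-SHA256 counter keystream with an HMAC tag (a real service should
# use a standard AEAD such as AES-GCM or ChaCha20-Poly1305 instead).
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed parameter for the example


def _kek_from_password(password: bytes, salt: bytes) -> bytes:
    """Key-encryption key derived from the logon password (what the PAM
    module would compute at login and at password change)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=32)


def _subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on a wrong key."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def create_vault(password: bytes) -> dict:
    """Generate the user's master key and store it wrapped under the password."""
    salt = os.urandom(16)
    master = os.urandom(32)
    return {"salt": salt, "wrapped_master": seal(_kek_from_password(password, salt), master)}


def unlock(vault: dict, password: bytes) -> bytes:
    """Login: recover the master key; only then can protected ssh keys be read."""
    return unseal(_kek_from_password(password, vault["salt"]), vault["wrapped_master"])


def can_unlock(vault: dict, password: bytes) -> bool:
    try:
        unlock(vault, password)
        return True
    except ValueError:
        return False


def change_password(vault: dict, old: bytes, new: bytes) -> None:
    """passwd(1) through the PAM module: the old password is known, so the
    master key is re-wrapped and every protected key stays usable. A root
    reset that bypasses the module never has 'old', so the vault cannot be
    re-wrapped and the new password will not unlock it."""
    master = unlock(vault, old)
    vault["salt"] = os.urandom(16)
    vault["wrapped_master"] = seal(_kek_from_password(new, vault["salt"]), master)


def protect_private_key(master: bytes, key_pem: bytes) -> bytes:
    """ssh-keygen --protect: wrap the private key under the master key."""
    return seal(master, key_pem)


def unprotect_private_key(master: bytes, blob: bytes) -> bytes:
    """ssh at use time: unwrap the private key, possible only while unlocked."""
    return unseal(master, blob)
```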



Postscript printer: is postscript support enough to get it running?

2011-12-24 Thread Hugo Osvaldo Barrera
Hi,

I've been considering buying a printer, and after a bit of homework, I
found that postscript is the standard supported method for printing
(even though most printers nowadays do all the work on CPU rather than
themselves to cut costs).

So I looked up a model but I really *don't* understand that much, this
is the first time *ever* I'd be buying/using/installing a printer, so
what I'd like to know is:

Is postscript support in an ethernet/USB printer enough? Or do I need to
take some other specification into consideration? If so, which? I don't
want to go out and buy a printer, only to find out that I need support
for X, for Y software for the platform where I'll use it.

As a side note, it's the HP P2055 I've been considering, and supports PS3.

Thanks


-- 
Hugo Osvaldo Barrera



Re: smartphones and managing openbsd servers

2012-02-19 Thread Hugo Osvaldo Barrera
On 2012-02-18 20:06, Marcos Ariel Laufer wrote:
> Hello list,
> This might not be OpenBSD specific, but maybe users can share their
> experiences with smartphones and managing OpenBSD servers.
> So far, my smartphone has been a very useful tool to manage my OpenBSD
> servers. Currently i am using a Palm Treo 680 with some lousy ssh
> application to access my servers, it is useful, but this is getting
> pretty ancient, doesn't have wifi for example, and i would like that
> feature on a smartphone. I also love the touch screen.
> What newer smartphones do you recommend for using also as a tool for
> managing OpenBSD servers (maybe windogs too) ? What experiences have you
> had with smartphones and OpenBSD managing?
> 
> Best regards,
> Marcos
> 

I use a Nokia N900 for this. It's a real GNU/Linux, so you get ssh
out-of-the-box, and there's other stuff you might occasionally use (like
rsync).
It also has a pretty good hardware keyboard, which I feel is a must in
order to use ssh comfortably, and makes the real difference.
I log into OpenBSD servers on a daily basis (well, just two servers
actually), and it's pretty good.

-- 
Hugo Osvaldo Barrera



Re: Trusting the Installation

2012-03-04 Thread Hugo Osvaldo Barrera
On 2012-02-29 01:13, Nico Kadel-Garcia wrote:
> This just came up in the Scientific Linux mailing list. While checksums are
> useful, they're not helpful if both the checksum and the file itself are
> corrupted. Someone (namely me!) also pointed out the possibility of
> manipulating the FTP or HTTP transmission en route, and I pointed out the
> risk of a Trojan infested mirror, Bittorrent, or other popular network
> access source. It's why I'm happy to use Bittorrent to get ISO's in a
> speedy fashion, but *ALWAYS* check the checksums against the original
> source when download is complete.

I had never thought of this.  Using torrents for the file itself, and
HTTP for the checksum seems to be quite secure (at least compared to the
alternatives).  Especially if the torrent file has hundreds of seeders.

-- 
Hugo Osvaldo Barrera



Re: Trusting the Installation

2012-03-04 Thread Hugo Osvaldo Barrera
On 2012-03-04 07:05, Илья Шипицин wrote:
> if you mean public SSL certs, it's about $500/year.
> are you willing to pay for SSL certs ?
> 
> I can do the rest. I have installed tens ssl-enabled services.

Slightly OT: StartSSL offers free certificates trusted by every browser,
so you're just exaggerating - a lot.

-- 
Hugo Osvaldo Barrera



Re: Trusting the Installation

2012-03-05 Thread Hugo Osvaldo Barrera
On 2012-03-05 06:08, Илья Шипицин wrote:
> we tried those certs. they are not trusted by mobile devices.
> and those certificates are free only for 3 months (you are supposed to
> buy them after that).
> 
> so, it's marketing stuff, not a real deal.

That's totally wrong. They last a year, and you can get a new one
(again, for free) after they expire.
I'm not sure what mobile device distrusts them, most do.  And how often
do you download OpenBSD ISOs from mobile devices?

-- 
Hugo Osvaldo Barrera



Re: OpenBSD forked

2012-06-18 Thread Hugo Osvaldo Barrera
On 2012-06-18 02:46, Raymond Lillard wrote:
> Reason 4:  Stability
> The new project FAQ states they intend to be "less
> restrictive with the codebase when it comes to
> experimenting with features."  Maybe in the long run
> some of the new features may be introduced into OBSD,
> but in the near term I expect much instability given
> the broad range of deeply embedded things they intend
> to change.

This is very much what I'd expect: they experiment with several
features, being not-so-stable for most of the process, but maybe once
some of those features mature and become stable enough, they can be
ported back to OpenBSD.

Their work getting rid of GNU stuff will, inevitably, affect OpenBSD (if
they succeed at that anyway).

-- 
Hugo Osvaldo Barrera



OpenBSD as IPv4+6 gateway

2012-06-20 Thread Hugo Osvaldo Barrera
Hi,

I'm trying to evaluate how to set up my OpenBSD server as an internet
gateway.

I've a static IPv4 address, and a /48 IPv6 block.
I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the
IPv6 part without breaking the IPv4 NAT.

I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.

From what I've managed to think up, I'd have to bridge both interfaces
(eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.

My doubt is: if I bridge both interfaces, can I still NAT properly?
If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
This may sound odd, but br0 has actually two IPv4 addresses; the private
and public.

Also, if eth1 is bridged, I can still drop packets using pf properly,
right? (discarding private-network packets on it is what I've in mind).

Is this the proper solution?  Or is there some other way I haven't
thought of?

Cheers, thanks,

-- 
Hugo Osvaldo Barrera



Re: OpenBSD as IPv4+6 gateway

2012-06-20 Thread Hugo Osvaldo Barrera
On 2012-06-21 03:05, Jérémie Courrèges-Anglas wrote:
> Hugo Osvaldo Barrera  writes:
> 
>> Hi,
> 
> Hi.
> 
>> I'm trying to evaluate how to set up my OpenBSD server as an internet
>> gateway.
>>
>> I've a static IPv4 address, and a /48 IPv6 block.
>> I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the
>> IPv6 part without breaking the IPv4 NAT.
>>
>> I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.
> 
> Sadly, what should we understand here?  Are they really both ethernet
> interfaces?

I just meant to give them names to reference them more easily later on.
Yes; they're just two ethernet interfaces.

> 
>> From what I've managed to think up, I'd have to bridge both interfaces
>> (eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.
> 
> Bridging can be seen as an ugly solution when you only get a /64 from
> your ISP, and you have to let RAs go through.  Slightly less ugly, ndp
> proxying.  I've not tested it, though, but I believe ndp(8) could be
> used here.  But...

My ISP doesn't seem to be running any RA actually (more related info below).

> 
>> My doubt is: if I bridge both interfaces, can I still NAT properly?
>> If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
>> This may sound odd, but br0 has actually two IPv4 addresses; the private
>> and public.
>>
>> Also, if eth1 in bridged, I can still drop packets using pf properly,
>> right? (discarting private-network packets on it is what I've in mind).
>>
>> Is this the proper solution?  Or is there some other way I haven't
>> thought of?
> 
> ... how does your ISP provide you IPv6 connectivity?  I can't see why
> someone couldn't use proper subnetting, being given a /48.  You should
> also tell us how you get v4 connectivity, I think.

I get a /48 block, and a gateway I should use.  As for IPv4, I get an IP
address, and a gateway I should use.

If I subnet the IPv6 block, and set up my server as a router, wouldn't
my ISP have to know which IP is the route to my subnet?  Or is this what
you mean by ndp proxying?  I still don't understand how to set up pf
to forward the appropriate packets if I managed to do that.

> 
> HTH
> --
> Jérémie Courrèges-Anglas
> GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
> 

Sorry, I should have mentioned those details in the first place.

-- 
Hugo Osvaldo Barrera



Re: OpenBSD as IPv4+6 gateway

2012-06-21 Thread Hugo Osvaldo Barrera
On 2012-06-21 04:39, Jérémie Courrèges-Anglas wrote:
> Hugo Osvaldo Barrera  writes:
> 
> [...]
> 
>>> ... how does your ISP provide you IPv6 connectivity?  I can't see why
>>> someone couldn't use proper subnetting, being given a /48.  You should
>>> also tell us how you get v4 connectivity, I think.
>>
>> I get a /48 block, and a gateway I should use.  As for IPv4, I get an IP
>> address, and a gateway I should use.
> 
> What's the address of the gateway, then?  Is it part of your /48?
> Is there an equipment furnished by your ISP involved?  C'mon, just
> provide raw information.

Sorry, I didn't mean to withhold any information;

My assigned block is  2800:40:402::0/48
My default gateway is 2800:40:402::: (it's inside my assigned
block).

I've a single static IPv4 address, and a default gateway to use with it.
Not totally relevant, but I also received a couple of DNS servers they
provide, capable of resolving IPv4 and  records fine.

They provide no DHCP, RA, etc; manual configuration must be done on the
client side.

My ISP gives me a single device (modem) with an ethernet port (and a
rj11 port on the other end that goes over to the ISP's network).
It doesn't have an IP address AFAIK, and merely bridges everything over
to the ISP's network.

> 
>> If I subnet the IPv6 block, and set up my server as a router, wouldn't
>> my ISP have to now which IP is the route to my subnet?
> 
> Probably, but see my question above.  What exact instructions were you
> given?  What's your ISP?  Are there online docs?

There are no docs, my ISP is Iplan (Argentina), and IPv6 isn't provided
mainstream, only to certain users.

> 
> I may be missing something, but still...
> 
> [...]
> 


-- 
Hugo Osvaldo Barrera



Re: OpenBSD as IPv4+6 gateway

2012-06-21 Thread Hugo Osvaldo Barrera
On 2012-06-21 09:52, Simon Perreault wrote:
> On 2012-06-21 03:46, Hugo Osvaldo Barrera wrote:
>> My assigned block is  2800:40:402::0/48
>> My default gateway is 2800:40:402::: (it's inside my assigned
>> block).
> 
> Hugo,
> 
> Friendly suggestion: read a book on IPv6. If you had understood the
> above information, you wouldn't be talking about "bridging". This makes
> me think that your question isn't about OpenBSD, it is about IPv6. You
> need to understand IPv6 first, and then when you know exactly what you
> want on a protocol level you can come back and ask how to do it in OpenBSD.
> 
> Simon
> 

I have read a great deal regarding IPv6, and IIRC, if I subnet my
network block, my ISP would have to know it has to route traffic to that
subnet through the WAN IP address of my router.

The alternative would be to proxy ndp and have OpenBSD forward packets,
yet I don't see a way to proxy an entire subnet using ndp.

Am I missing something perhaps?

-- 
Hugo Osvaldo Barrera



Re: OpenBSD as IPv4+6 gateway

2012-06-21 Thread Hugo Osvaldo Barrera
On 2012-06-21 17:22, Simon Perreault wrote:
> On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
>> I have read a great deal regarding IPv6  and IIRC, if I subnet my
>> network block, my ISP would have to know it has to route traffic to that
>> subnet through the WAN IP address of my router.
> 
> Yes. If they don't allow that, then they don't know what they are doing.
> You're not supposed to assign a /48 to a single link. A single link gets
> a /64.

But how would they know which single IP to route the rest of the
subnets through?

I mean, if I assign:
2800:40:402:::1/64 to my router's WAN interface
(2800:40:402::: is its default gateway)
2800:40:402::1/64 to its LAN interface
2800:40:402::2/64 to one of my clients

Doesn't my ISP need to know that traffic to 2800:40:402::1 should be
routed through 2800:40:402:::1?

> 
>> The alternative would be to proxy ndp and have OpenBSD forward packets,
>> yet I don't see a way to proxy an entire subnet using ndp.
> 
> Right, because you shouldn't do that, especially in IPv6 with the 64
> bits of addressing for a single subnet.
> 
>> Am I missing something perhaps?
> 
> Call the support and ask them for the missing information?
> 
> You're definitely not supposed to bridge.
> 
> Simon
> 


-- 
Hugo Osvaldo Barrera
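The routing question running through this thread (a /48 carved into /64 links, the ISP routing the whole block toward the router's WAN address, no bridging), as an added example that is not from any of the posts: a longest-prefix-match model of the ISP's and the customer's forwarding tables. The /48 is the one quoted in the thread; the WAN /64 index, the ISP gateway address and the client address are assumptions.

```python
# Added example, not from the thread: a longest-prefix-match model of the ISP's
# and the customer's forwarding tables, to show why a routed /48 needs a route
# at the ISP toward the customer's WAN address and never a bridge. The /48 is
# the one quoted in the thread; the WAN /64 index, the ISP gateway address and
# the client address are assumptions.
import ipaddress

DELEGATED = ipaddress.ip_network("2800:40:402::/48")  # from the thread


def nth_subnet(block, n, new_prefix=64):
    """The n-th /new_prefix inside block, without enumerating all of them."""
    size = 1 << (128 - new_prefix)
    if n < 0 or n * size >= block.num_addresses:
        raise ValueError(f"subnet index {n} is outside {block}")
    return ipaddress.ip_network((int(block.network_address) + n * size, new_prefix))


# Constructed addressing plan: one /64 for the ISP link, one for the LAN.
WAN_NET = nth_subnet(DELEGATED, 0xFFFF)     # assumed: 2800:40:402:ffff::/64
LAN_NET = nth_subnet(DELEGATED, 1)          # assumed: 2800:40:402:1::/64
ISP_GATEWAY = "2800:40:402:ffff::fffe"      # assumed ISP side of the link
CUSTOMER_WAN = "2800:40:402:ffff::1"        # router's WAN address, as in the thread
CLIENT = "2800:40:402:1::2"                 # a LAN host, as in the thread
CONNECTED = "connected"


def longest_match(table, dst):
    """table: list of (network, next_hop). Returns the most specific entry
    covering dst, or None when nothing does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def isp_table(route_aggregate):
    """The ISP's view: the shared link is connected; the whole /48 is reachable
    only if the ISP installs a static route toward the customer's WAN address."""
    table = [(WAN_NET, CONNECTED)]
    if route_aggregate:
        table.append((DELEGATED, CUSTOMER_WAN))
    return table


# The customer's router: both links connected, default toward the ISP
# (needs net.inet6.ip6.forwarding=1 on OpenBSD).
CUSTOMER_TABLE = [
    (WAN_NET, CONNECTED),
    (LAN_NET, CONNECTED),
    (ipaddress.ip_network("::/0"), ISP_GATEWAY),
]


def trace(dst, isp, customer=CUSTOMER_TABLE):
    """Hops a packet from the Internet takes toward dst."""
    hops = []
    entry = longest_match(isp, dst)
    if entry is None:
        return ["ISP: no route"]  # the LAN /64 is unreachable from outside
    hops.append(f"ISP -> {entry[1]}")
    if entry[1] != CONNECTED:
        entry = longest_match(customer, dst)
        hops.append(f"router -> {entry[1] if entry else 'no route'}")
    return hops


if __name__ == "__main__":
    print(trace(CLIENT, isp_table(route_aggregate=False)))
    print(trace(CLIENT, isp_table(route_aggregate=True)))
```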



Re: OpenBSD's webpage design

2012-06-27 Thread Hugo Osvaldo Barrera
On 2012-06-26 18:46, Pablo Velasco Fernández wrote:
> Hi. I was looking at the FreeBSD web page. And it's a cool page with a cool
> design. Maybe OpenBSD should change their own page to a more "visual" web
> page. ( It's only my opinion ) What do you think?
> 

The FreeBSD website seems optimized for really low resolution, and I've
over 50% of my monitor covered in white margins.

The OpenBSD website fills my monitor with lots of information.  The idea
of a large monitor, is, to be able to see more stuff on screen.  Yet, on
the other hand, it'll still work fine on lynx.

I don't see how FreeBSD's is an improvement.


-- 
Hugo Osvaldo Barrera



Re: basic smtpd question

2012-07-03 Thread Hugo Osvaldo Barrera
On 2012-06-19 18:29, bofh wrote:
> Found it.  Either of the following in /etc/mail/aliases will cause the
> problem
> 
> Tai:  tai
> TAI:  tai
> 
> 
> On the other hand, the following is perfectly fine:
> 
> "@.@": tai

IIRC, the local-part of an email address should be case sensitive, so
the above should be valid.

On a sort-of-related matter, I recently had an almost identical issue
creating aliases, but in my case, I had created circular aliases.

h...@somedomain.com: root
root: hugo

So it was really a PICNIC rather than a bug in my particular case, but
something that validates aliases (similar to `smtpd -n`) might help.

-- 
Hugo Osvaldo Barrera
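The alias validator wished for above, as an added example that is not from the thread: it parses an aliases(5)-style file and reports case-only duplicate names and alias loops. The assumption that alias names are compared case-insensitively (so "Tai: tai" becomes an alias pointing at itself) and the sample file are constructed for this example.

```python
# Added example, not from the thread: the alias validator wished for above,
# fed a constructed aliases(5) fragment that reproduces both reported cases.
# Assumption: alias names are compared case-insensitively, as local delivery
# folds them, so "Tai: tai" and "TAI: tai" both become an alias that points at
# itself, which is the self-loop in the first report.
from collections import defaultdict

SAMPLE_ALIASES = """\
# constructed /etc/mail/aliases fragment
Tai:  tai
TAI:  tai
"@.@": tai
hugo@somedomain.com: root
root: hugo
hugo: root
postmaster: root
"""


def parse_aliases(text):
    """Return [(name, [targets]), ...] in file order. Comments and blank lines
    are skipped; lines starting with whitespace continue the previous entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1][1].extend(t.strip() for t in raw.split(",") if t.strip())
            continue
        name, sep, rhs = raw.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in alias line: {raw!r}")
        targets = [t.strip() for t in rhs.split(",") if t.strip()]
        entries.append((name.strip().strip('"'), targets))
    return entries


def case_collisions(entries):
    """Names that differ only in case: {folded_name: [spellings]}."""
    spellings = defaultdict(list)
    for name, _ in entries:
        spellings[name.lower()].append(name)
    return {fold: names for fold, names in spellings.items() if len(names) > 1}


def find_cycles(entries):
    """Return a set of cycles, each as a sorted tuple of folded alias names.
    Targets that are not themselves aliases are final mailboxes and stop
    the expansion, so '"@.@": tai' is fine unless 'tai' is also an alias."""
    graph = defaultdict(set)
    for name, targets in entries:
        graph[name.lower()].update(t.lower() for t in targets)
    cycles = set()
    done = set()

    def visit(node, stack):
        stack.append(node)
        for nxt in graph[node]:
            if nxt not in graph or nxt in done:
                continue
            if nxt in stack:
                cycles.add(tuple(sorted(stack[stack.index(nxt):])))
            else:
                visit(nxt, stack)
        stack.pop()
        done.add(node)

    for name in list(graph):
        if name not in done:
            visit(name, [])
    return cycles


if __name__ == "__main__":
    parsed = parse_aliases(SAMPLE_ALIASES)
    print("case collisions:", case_collisions(parsed))
    print("alias loops:", find_cycles(parsed))
```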



Re: OpenBSD's webpage design

2012-07-04 Thread Hugo Osvaldo Barrera
On 2012-06-27 19:25, Peter Laufenberg wrote:
>> On Wed, Jun 27, 2012 at 5:29 PM, Peter Laufenberg 
>> wrote:
>>> I'm willing to indirectly donate to OpenBSD by paying a professional
> graphic
>> designer to redo parts of OpenBSD's visual design. His portfolio:
>>
>> that would be cool to presence as a bystander
> 
> I don't understand you, man!
> 
>> pay the dude regardless of what anybody says, and have him send the
>> patches to a public mailing list
> 
> Maybe if this community wasn't so resistant to change (justified or not).

I can't even see half of his website since it prompts me to download
additional software (plugins).

It might be nice to have a "prettier" website, with nicer colors, etc.
But most of the people who'd manage to do that, would also want to add
JS/CSS/flash, and other thing that would break current features (the
ability to see the website in lynx, for example).

Other things interfere with the devs' abilities to keep everything
up-to-date.  Change should not include breaking things, and that's what
usually happens when you accept changes right away without considering
it twice.


> 
>> would've been even more interesting if you told nobody that he was
>> getting paid for the patches
> 
> Truth is simpler.
> 
> -- p
> 


-- 
Hugo Osvaldo Barrera



Kernel panic on -current

2012-07-07 Thread Hugo Osvaldo Barrera
e 1: density unknown
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
nvram: invalid checksum
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
clock: unknown CMOS layout
Process (pid 1) got signal 31
syncing disks... done
rebooting...
OpenBSD 5.2-beta (GENERIC) #281: Sun Jul  1 23:12:44 MDT 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 535756800 (510MB)
avail mem = 499220480 (476MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfbd3f (10 entries)
bios0: vendor QEMU version "QEMU" date 01/01/2007
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
mpbios at bios0 not configured
vmt0 at mainbus0
vmware: open failed, eax=564d5868, ecx=001e, edx=5658
vmt0: failed to open backdoor RPC channel (TCLO protocol)
cpu0 at mainbus0: (uniprocessor)
cpu0: QEMU Virtual CPU version 0.9.1, 2587.16 MHz
cpu0: 
FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,LONG
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 
16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 10240MB, 20971520 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
cd0(pciide0:0:1): using PIO mode 0
atapiscsi1 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom removable
cd1(pciide0:1:0): using PIO mode 0
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: irq 10
iic0 at piixpm0
iic0: addr 0x4c 48=00 words 00= 01= 02= 03= 04= 05= 
06= 07=
iic0: addr 0x4e 48=00 words 00= 01= 02= 03= 04= 05= 
06= 07=
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel PRO/1000MT (82540EM)" rev 0x03: irq 11, 
address 52:54:00:27:24:25
"Qumranet Virtio Memory" rev 0x00 at pci0 dev 4 function 0 not configured
"Qumranet Virtio Console" rev 0x00 at pci0 dev 5 function 0 not configured
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: probed fifo depth: 0 bytes
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: density unknown
fd1 at fdc0 drive 1: density unknown
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
nvram: invalid checksum
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a swap on wd0b dump on wd0b
clock: unknown CMOS layout

-- Hugo Osvaldo Barrera



Re: Calomel.org

2012-07-30 Thread Hugo Osvaldo Barrera

On 2012-07-27 15:41, Juan Francisco Cantero Hurtado wrote:
> On Thu, Jul 26, 2012 at 05:36:38PM +1000, David Diggles wrote:
>> The calomel phenomenon is fascinating!
>>
>> I was calomeled.
>>
>> Those who have been calomeled have done the following:
>>
>> 1. lazily google: "openbsd tuning" (or similar)
>> 2. click on: "Network Tuning and Performance Guide (OpenBSD) - Calomel"
>> (currently ranked 2 on google)
>
> Calomel is ranked 2 on google because it has been linked several hundred
> times from this list. Google doesn't know about good/bad opinions or
> flamewars. Google only cares about the "reputation" of the origin of the
> link.

Indeed, Calomel has lots of reputation, that's why it ranks so high.
The problem is, it has lots of *bad* reputation, and google can't
distinguish that.

> Also tens of mailing list archives include the links. So, the OpenBSD
> community is the SEO of Calomel. Ironic but true.
>
>> 3. lazy and in a hurry to get "it" working, apply stuff from calomel
>> 4. lazily email misc without first searching marc.info, referring
>> to the calomel recipe and asking further questions
>>
>> While calomel has the high rank in google, this keeps repeating.





--
Hugo Osvaldo Barrera



Re: 5.2 pre-orders are up

2012-09-11 Thread Hugo Osvaldo Barrera
On 2012-09-04 23:23, Theo de Raadt wrote:
> We've activated 5.2 pre-orders.
> 
> Yeah, we know the http://www.openbsd.org/52.html page sucks, and
> doesn't list all the stuff we've done recently.  Hopefully that
> will change.
> 

Order placed! :D

Also, there's a small typo: https://https.openbsd.org/cgi-bin/order reads

"Pre-oder the upcoming Shirt and Poster", should read
"Pre-order the upcoming Shirt and Poster"

-- 
Hugo Osvaldo Barrera



Bibliography on IPv6

2012-10-05 Thread Hugo Osvaldo Barrera
Hi,

I intend to get my hands on an IPv6 book to deal with some of the issues
I'm having - which are mainly my lack of knowledge and expertise on the
subject.

I've seen "IPv6 Essentials", from O'Reilly mentioned a lot, and I've
heard it has a BSD-related section too.

Before I do sit down and read a book on the subject though, I'd like to
ask others here what bibliography you'd recommend for someone who needs
to administer a small IPv6 network.
Routing in particular seems to be one of my weaknesses.

Of course, I'm using OpenBSD as a gateway. :)

BTW, I did check openbsd.org/books.html, but I've found there isn't
any book specifically dedicated to the subject.

Thanks,

-- 
Hugo Osvaldo Barrera



Re: ssh connections load on a server - NEWBIE question

2011-06-23 Thread Hugo Osvaldo Barrera

On 2011-06-23 23:18, mehma sarja wrote:
> What do you call an OpenBSD network admin? The answer is at the end of this
> message.
>
> What kind of server load will 62 sshfs connections have on an Atom server
> with 4GB RAM? The connections will last a workday. I am assuming that a
> sshfs connection is basically a ssh connection and hence the post on this
> list. Yes I did look through the archives w/o luck, and no I cannot easily
> create a test environment to measure what I want. If some soul has a similar
> experience, please share it.
>
> Mehma
> p.s. The answer is OB-WAN



Doesn't sound like much load if it's just keeping the connections open.
Depending on how much transfer, read/write, etc, your load may vary
greatly.  But keeping the connections alive should not be an issue.

The amount of RAM may be overkill for just this.

Consider network speed, disk read (or write) speed, and other factors.

In short, more info is needed to answer that question.  If each
connection is loading a 2kb file every hour, you'll have a different
load than transferring HD video to all of them.


--
Hugo Osvaldo Barrera



SMTPD broken after latest update

2011-06-29 Thread Hugo Osvaldo Barrera
I've been using SMTPD for many many months now, but after an update to 
the latest snapshots today, it seems to have broken.


I deliver mail to dovecot's LDA, which places it in my mailbox.

After today's update, mail delivered to this address
(h...@osvaldobarrera.com.ar) is passed on to dovecot, but with recipient
"osvaldobarrera.com...@osvaldobarrera.com.ar" (domain@domain).



Here's my smtpd.conf, which hasn't changed:

#
#   $OpenBSD: smtpd.conf,v 1.2 2009/11/03 22:32:10 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

listen on lo0
listen on em0
listen on em0 smtps enable auth #465
listen on em0 port 587 smtps enable auth

hostname "mail.hugoosvaldobarrera.com.ar"

map "aliases" { source db "/etc/mail/aliases.db" }

accept for local alias aliases deliver to mbox

accept from all for domain "osvaldobarrera.com.ar" alias aliases deliver to mda "/usr/local/libexec/dovecot/dovecot-lda -d %u@%d"
accept from all for domain "hugoosvaldobarrera.com.ar" alias aliases deliver to mda "/usr/local/libexec/dovecot/dovecot-lda -d h...@osvaldobarrera.com.ar"
accept for all relay
#

I've manually run "/usr/local/libexec/dovecot/dovecot-lda -d
h...@osvaldobarrera.com.ar < some_old_mail", and the mails get there
just fine.

It's the logs that prove dovecot isn't receiving them properly:



Jun 29 18:22:12 hugo-barrera smtpd[1729]: 67d42a89: 
from=, size=729, nrcpts=1, proto=ESMTP, 
relay=cpe-186-22-128-227.telecentro-reversos.com.ar [186.22.128.227]


Jun 29 18:22:12 hugo-barrera dovecot: auth: 
passwd-file(osvaldobarrera.com...@osvaldobarrera.com.ar): unknown user


Jun 29 18:22:12 hugo-barrera smtpd[674]: 67d42a89f5d29242: 
to=, delay=1, stat=Error (exited abnormally)




(please note I've created the account 
osvaldobarrera.com...@osvaldobarrera.com.ar in dovecot for now as a 
workaround to actually receive my mail, though this is not relevant really)



Here are my aliases, just in case (comments trimmed):

*
postmaster: h...@osvaldobarrera.com.ar
msn:h...@osvaldobarrera.com.ar

daemon: root
ftp-bugs: root
operator: root
uucp:   root
www:root

(lots of /dev/null accounts that are there by default)

*

Any hints?  I've tried looking up if there were recent changes to 
opensmtpd that require an update to smtpd.conf, but couldn't find any.


Thanks for any help in advance, hope I didn't forget to attach anything 
important. Cheers!



--
Hugo Osvaldo Barrera



Re: SMTPD broken after latest update

2011-06-29 Thread Hugo Osvaldo Barrera
On 2011-06-29 22:55, Tim van der Molen wrote:
> It is a bug in smtpd. I have run into it as well. The below diff (also
> sent to gilles@) should fix it.
> 
> Regards,
> Tim
> 
> Index: lka_session.c
> ===
> RCS file: /cvs/src/usr.sbin/smtpd/lka_session.c,v
> retrieving revision 1.7
> diff -p -u lka_session.c
> --- lka_session.c 9 Jun 2011 17:41:52 -   1.7
> +++ lka_session.c 20 Jun 2011 20:02:22 -
> @@ -557,7 +557,7 @@ lka_session_expand_format(char *buf, size_t len, struc
>   string = dlv->agent.mda.as_user;
>   break;
>   case 'u':
> - string = dlv->rcpt.domain;
> + string = dlv->rcpt.user;
>   break;
>   case 'd':
>   string = dlv->rcpt.domain;
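
Review bot: the one-line fix is right, and the log earlier in the thread confirms the symptom: the 'u' case in lka_session_expand_format() returned dlv->rcpt.domain, the same field as the 'd' case directly below it, so %u expanded to the recipient's domain instead of the user, and dovecot-lda was asked for osvaldobarrera.com...@osvaldobarrera.com.ar (domain in the local part). Since the two cases sit side by side and the bug looks like a copy of the 'd' branch, it is worth adding a regression test that expands a format string containing both %u and %d for one recipient and checks the two values differ.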

I never even looked at the source (nor would I have found this), but the
diff makes it quite obvious where the bug was.

Thanks, great job! :)


-- 
Hugo Osvaldo Barrera



Changing to tty2 on an iBook

2011-08-12 Thread Hugo Osvaldo Barrera
On most PCs I've handled, I change across consoles using alt+ctrl+f2,
alt+ctrl+f3, etc.

I've now installed OpenBSD on an iBook G4, which doesn't quite have
f1-f12 keys.

It has a "brightness-up" key, and if I press fn+brightness_up, it works
like an f2 key.

HOWEVER, if I press ctrl+alt+fn+brightness_up, this will not switch me
over to tty2 for some reason.

Is there any workaround for this?  How have users of similar notebooks
handled this?

Thanks, cheers!

-- 
Hugo Osvaldo Barrera
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org



Re: Changing to tty2 on an iBook

2011-08-12 Thread Hugo Osvaldo Barrera
On 2011-08-13 02:12, Maurice Janssen wrote:
> On 08/13/2011 06:58 AM, Hugo Osvaldo Barrera wrote:
>> On most PCs I've handled, I change across consoles using alt+ctrl+f2,
>> alt+ctrl+f3, etc.
>>
>> I've now installed OpenBSD on an iBook G4, which doesn't quite have
>> f1-f12 keys.
>>
>> It has a "brightness-up" key, and if I press fn+brightness_up, it works
>> like an f2 key.
>>
>> HOWEVER, if I press ctrl+alt+fn+brightness_up, this will not switch me
>> over to tty2 for some reason.
>>
>> Is there any workaround for this?  How have users of similar notebooks
>> handled this?
> 
> Run tmux or X.  Multiple virtual consoles are only supported on i386,
> amd64, zaurus and some alpha (according to FAQ 7.4).
> 
> Maurice

Thanks, I failed to see that when I went looking around the first time.

I didn't know some architectures didn't support several virtual
consoles - I actually related the issue to the weird keyboard :P

I've been using tmux for now, and will keep on doing that, thanks :)


-- 
Hugo Osvaldo Barrera
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org



Re: Problem with installing OpenBSD

2011-09-29 Thread Hugo Osvaldo Barrera

On 2011-09-28 23:07, Sales - OrangeWebsite.com wrote:

Hey,

We are experiencing problem with installing OpenBSD on our VPS servers. We'd
hope you provided us some assistance how we could fix this. You can see our
VPS details here at http://www.orangewebsite.com/docs/vps.php.


Best greetings,
- Henry K. Johannes
Orangewebsite.com - 'Your solid business partner'



In my experience, you need to disable mpbios:
http://www.cyberciti.biz/faq/kvm-virtualization-openbsd-guest-hangs-at-starting-tty-flags/

--
Hugo Osvaldo Barrera



Re: Volunteer project to implement wireless in a school

2011-10-19 Thread Hugo Osvaldo Barrera

On 2011-10-18 22:08, leona...@sympatico.ca wrote:

I have volunteered to implement a wireless network in a school. I have about 2
months (till January) to do a proof of concept and implementation will be
summer of 2012.
Initial thoughts:
School is L shaped with 20 rooms, each arm of the L is ~ 35 M (~ 110 ft) in
length, everything is on one floor. There will be between 40 and 100 clients
connected at any one time throughout the school. Clients need to stay
connected to the wireless network as they move throughout the school.
Each arm would have 2 access points at ~ 12M (40 ft) and 24 M (80 ft) from the
vertex of the 2 arms, and one in the vertex (5 APs total). I hope to use
soekris net6501-50: 1 Ghz CPU, 1 Gbyte DDR2-SDRAM, 4 Gigabit Ethernet Ports as
the AP host, SparkLAN WMIA-199NI INDUSTRIAL GRADE WLAN 802.11n draft wifi
2.4/5Ghz dual band 3T/3R Module (Atheros AR9001 + AR9160 XSPAN) Wireless
miniPCI card as the wireless card. Proof of concept will use OpenBSD 5.0 to set
up the wireless network using hostAP to ensure the clients can stay connected
to the same ssid throughout the school. Production network in 2012 will
likely be openbsd 5.1

Before I invest money and time into this, does the plan sound reasonable? Are
there better wireless cards to use as access points?
Thanks for any advice, in particular on better wireless card choice, if there
is one.


Len Zaifman



I like the idea, it's quite manageable, and you'll have excellent
flexibility when it comes to network management if you use this setup
with OpenBSD.


Note, however, the downside is openbsd does not support 802.11n (it DOES
however, support 802.11n cards running on 802.11g or older modes).


You also have plenty of time to spare.

As for the specific hardware you've chosen, I can't really speak, don't 
know enough on the subject really, and haven't worked too much outside 
amd64/powerpc.


--
Hugo Osvaldo Barrera



smtpd failed to start after upgrade to -current

2011-10-22 Thread Hugo Osvaldo Barrera
V,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,LONG
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 10240MB, 20971520 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom
removable
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
cd0(pciide0:0:1): using PIO mode 0
atapiscsi1 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom
removable
cd1(pciide0:1:0): using PIO mode 0
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: irq 10
iic0 at piixpm0
iic0: addr 0x4c 48=00 words 00= 01= 02= 03= 04=
05= 06= 07=
iic0: addr 0x4e 48=00 words 00= 01= 02= 03= 04=
05= 06= 07=
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel PRO/1000MT (82540EM)" rev 0x03: irq
11, address 52:54:00:27:24:25
"Qumranet Virtio Memory" rev 0x00 at pci0 dev 4 function 0 not configured
"Qumranet Virtio Console" rev 0x00 at pci0 dev 5 function 0 not configured
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: probed fifo depth: 0 bytes
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: density unknown
fd1 at fdc0 drive 1: density unknown
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
nvram: invalid checksum
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a swap on wd0b dump on wd0b
clock: unknown CMOS layout


--
Hugo Osvaldo Barrera



Re: smtpd failed to start after upgrade to -current

2011-10-22 Thread Hugo Osvaldo Barrera
On 2011-10-22 18:27, Gilles Chehade wrote:
> Hi,
> 
> Your issue is very likely caused by the fact that envelope structure
> has changed between your last version of OpenSMTPD and yesterday.
> 
> How old was your previous -current ?
> 
> Gilles

A couple of weeks old.
Is there an easy way to update the structure of data inside the old pool?

-- 
Hugo Osvaldo Barrera



Re: smtpd failed to start after upgrade to -current

2011-10-22 Thread Hugo Osvaldo Barrera
On 2011-10-22 18:38, Gilles Chehade wrote:
> Nope, there is no easy way, your only way out is to downgrade to the previous
> OpenSMTPD-current to flush your queue, then upgrade again.

Ok, I'll give that a try and see how it turns out, thanks :)

Cheers,

-- 
Hugo Osvaldo Barrera



Problem with NAT and UDP packages.

2010-04-07 Thread Hugo Osvaldo Barrera
I'm using OpenBSD 4.6 at home as an access point, firewall and home
server (with pf).
I've recently had some issues trying to use pidgin's [XMPP] video
support on one of my client computers, yet, if I connect it directly
to the internet it works fine; hence the problem is the firewall
configuration (as one of the pidgin devs pointed out it might have
been).
I THINK UDP packets are being dropped, but I must really say, this
problem is a bit above my level of understanding.

I need to know how to make sure UDP packets don't get dropped on the
way to my PC, but i'm not really sure how.

I think a simple "pass in proto udp" is a bit extremist (though it would work).
Any better suggestions?

My current pf.conf file is:

-
#   $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Skip lo
set skip on lo

#
# Variables #
#
extif = "re0"
intif = "ral0"
chaos = "172.16.1.7"
mamaquina = "172.16.1.12"

tcp_services="{ 22, 113, 80, 443 }"

icmp_types = "echoreq"
allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"
privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

table  { 172.16.0.1/16 }

# Options
set loginterface $extif
match in all scrub (no-df)

###
# NAT #
###
nat on $extif from $intif:network -> ($extif)
# TODO Maybe move this down to service ports? Check first.
rdr pass log on $extif proto tcp from any to any port 1022 -> $chaos port 22

block in
pass out keep state

antispoof quick for { lo $intif }

block drop in on $extif from $privnets to any
block drop in on $extif from any to $privnets

#
# SERVICE PORTS #
#

# Open ports for local services
pass in on $extif inet proto tcp from any to ($extif) port $tcp_services flags S/SA keep state

### OTHER PORTS AND OPENINGS
pass in on $extif from any to 172.16.1.7
pass in on $extif from any to 172.16.2.4

pass in on $extif proto {tcp, udp} from any to any port 53

# ICMP Traffic
pass in inet proto icmp all icmp-type $icmp_types keep state

# LAN - everything is allowed in/out
pass in quick on $intif
pass out quick on $intif


### Block remote connections to the X Server
block in on ! lo0 proto tcp to port 6000:6010
-

Thanks for your time guys!

--
Hugo Osvaldo Barrera



Re: Problem with NAT and UDP packages.

2010-04-07 Thread Hugo Osvaldo Barrera
On Thu, Apr 8, 2010 at 00:54, James Shupe wrote:
> Use "log (all)" and tcpdump to figure out exactly what is being blocked.
>
> On 4/7/10 10:40 PM, Hugo Osvaldo Barrera wrote:
>> I'm using OpenBSD 4.6 at home as an access point, firewall and home
>> server (with pf).
>> I've recently had some issues trying to use pidgin's [XMPP] video
>> support on one of my client computers, yet, if I connect it directly
>> to the internet it works fine; hence the problem is the firewall
>> configuration (as one of the pidgin devs pointed out it might have
>> been).
>> I THINK UDP packets are being dropped, but I must really say, this
>> problem is a bit above my level of understanding.
>>
>> I need to know how to make sure UDP packets don't get dropped on the
>> way to my PC, but i'm not really sure how.
>>
>> I think a simple "pass in proto udp" is a bit extremist (though it would
work).
>> Any better suggestions?
>>
>> My current pf.conf file is:
>>
>> -
>> #   $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
>> #
>> # See pf.conf(5) for syntax and examples; this sample ruleset uses
>> # require-order to permit mixing of NAT/RDR and filter rules.
>> # Remember to set net.inet.ip.forwarding=1 and/or
net.inet6.ip6.forwarding=1
>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>
>> # Skip lo
>> set skip on lo
>>
>> #
>> # Variables #
>> #
>> extif = "re0"
>> intif = "ral0"
>> chaos = "172.16.1.7"
>> mamaquina = "172.16.1.12"
>>
>> tcp_services="{ 22, 113, 80, 443 }"
>>
>> icmp_types = "echoreq"
>> allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"
>> privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>>
>> table  { 172.16.0.1/16 }
>>
>> # Options
>> set loginterface $extif
>> match in all scrub (no-df)
>>
>> ###
>> # NAT #
>> ###
>> nat on $extif from $intif:network -> ($extif)
>> # TODO Maybe move this down to service ports? Check first.
>> rdr pass log on $extif proto tcp from any to any port 1022 -> $chaos port
22
>>
>> block in
>> pass out keep state
>>
>> antispoof quick for { lo $intif }
>>
>> block drop in on $extif from $privnets to any
>> block drop in on $extif from any to $privnets
>>
>> #
>> # SERVICE PORTS #
>> #
>>
>> # Open ports for local services
>> pass in on $extif inet proto tcp from any to ($extif) port $tcp_services flags S/SA keep state
>>
>> ### OTHER PORTS AND OPENINGS
>> pass in on $extif from any to 172.16.1.7
>> pass in on $extif from any to 172.16.2.4
>>
>> pass in on $extif proto {tcp, udp} from any to any port 53
>>
>> # ICMP Traffic
>> pass in inet proto icmp all icmp-type $icmp_types keep state
>>
>> # LAN - everything is allowed in/out
>> pass in quick on $intif
>> pass out quick on $intif
>>
>>
>> ### Block remote connections to the X Server
>> block in on ! lo0 proto tcp to port 6000:6010
>> -
>>
>> Thanks for your time guys!
>>
>> --
>> Hugo Osvaldo Barrera
>>
>>
>>
>
>
>

As I had supposed, pf is blocking the UDP packets:

Apr 08 01:31:58.241781 rule 1/(match) block in on re0:
.59789 > .50688: udp 56
Apr 08 01:31:58.363252 rule 1/(match) block in on re0:
.59792 > .52166: udp 56
Apr 08 01:31:58.363991 rule 1/(match) block in on re0:
.59793 > .50688: udp 56

There are several dozen more lines like this one.
However, each one uses a different port, so how can I solve the
problem?  I don't even see a way of predicting which ports I'd need to open
(they ARE random).
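
An added example, not code from the thread: the Python below parses pflog lines in the format tcpdump printed above, keeps only inbound UDP blocked on the external interface, groups it by sending host, and renders the result as a pf.conf fragment in the pre-4.7 rdr syntax the pf.conf above uses: a table of the peers actually seen and one rdr limited to the port span actually observed, instead of opening all of UDP. The sample log lines are constructed with RFC 5737 documentation addresses (the list archive stripped the addresses from the real ones), and the table name rtp_peers and the $mypc target are placeholders to rename. Like any single rdr it serves one internal machine only, and it is retrospective: a peer or port range that has not shown up in the log yet is still blocked.

```python
"""Summarise the UDP that pf blocked and turn it into a candidate rule.

Added example, not code from the thread. Input is the line format tcpdump
prints for pflog (tcpdump -n -e -ttt -r /var/log/pflog); the host addresses
in the thread's own lines were stripped by the list archive, so the sample
below is constructed with RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict

# Constructed sample: two external peers sending RTP-like UDP to the external
# address 192.0.2.1, plus a TCP SYN and a passed DNS query the summary must
# ignore. The three real lines in the thread had this shape minus the hosts.
SAMPLE_LOG = """\
Apr 08 01:31:58.241781 rule 1/(match) block in on re0: 203.0.113.10.59789 > 192.0.2.1.50688: udp 56
Apr 08 01:31:58.363252 rule 1/(match) block in on re0: 203.0.113.10.59792 > 192.0.2.1.52166: udp 56
Apr 08 01:31:58.363991 rule 1/(match) block in on re0: 203.0.113.10.59793 > 192.0.2.1.50688: udp 56
Apr 08 01:31:59.100004 rule 1/(match) block in on re0: 198.51.100.7.40021 > 192.0.2.1.58002: udp 172
Apr 08 01:31:59.200011 rule 1/(match) block in on re0: 198.51.100.7.40021 > 192.0.2.1.58003: udp 172
Apr 08 01:32:00.000123 rule 1/(match) block in on re0: 192.0.2.99.4444 > 192.0.2.1.22: S 10:10(0) win 65535
Apr 08 01:32:01.000456 rule 3/(match) pass in on re0: 203.0.113.10.12345 > 192.0.2.1.53: udp 40
"""

# "host.port > host.port: <token>": the token after the colon is "udp" for
# datagrams and a TCP flag letter for segments. The greedy \S+ backtracks to
# the last dot, so dotted-quad address and port split correctly.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\S+ (?P<action>block|pass) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<proto>\S+)"
)


def parse_pflog(text):
    """One dict per line the regex understands; ICMP, fragments and other
    shapes tcpdump prints are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def blocked_udp_by_source(text, ifc="re0"):
    """External source host -> sorted destination ports it was blocked on,
    counting only inbound UDP blocked on the external interface."""
    ports = defaultdict(set)
    for r in parse_pflog(text):
        if (r["action"], r["dir"], r["ifc"], r["proto"]) == ("block", "in", ifc, "udp"):
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items()}


def suggest_rules(summary, table="rtp_peers", extif="$extif", target="$mypc"):
    """A table of the sending hosts seen plus one rdr (pre-4.7 syntax) limited
    to the observed port span. Table name and target are placeholders."""
    if not summary:
        return "# no blocked inbound UDP in this log\n"
    all_ports = sorted(p for ps in summary.values() for p in ps)
    lo, hi = all_ports[0], all_ports[-1]
    hosts = " ".join(sorted(summary))
    return (
        f"table <{table}> {{ {hosts} }}\n"
        f"rdr pass log on {extif} inet proto udp from <{table}> "
        f"to ({extif}) port {lo}:{hi} -> {target}\n"
    )


if __name__ == "__main__":
    summary = blocked_udp_by_source(SAMPLE_LOG)
    for src, ports in sorted(summary.items()):
        print(f"{src}: {len(ports)} distinct ports, {ports[0]}-{ports[-1]}")
    print(suggest_rules(summary))
```

Feed it the output of `tcpdump -n -e -ttt -r /var/log/pflog` after a failed call; the port span it prints is the concrete answer to "which ports", and the table keeps the opening restricted to the hosts that actually talked to you.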



Re: Problem with NAT and UDP packages.

2010-04-08 Thread Hugo Osvaldo Barrera
On Thu, Apr 8, 2010 at 10:21, James Shupe wrote:
> Forgot to send to the list, twice!
>
> If it's RTP, (http://en.wikipedia.org/wiki/Real-time_Transport_Protocol),
> which some quick Googling indicates, your best bet may be to make a table
> of sending hosts with a pass ... inet proto udp ... from  to ? port
>>1024 rule.
>

Re: Problem with NAT and UDP packages.

2010-04-08 Thread Hugo Osvaldo Barrera
Sorry, I too, forgot to send to misc@

On Thu, Apr 8, 2010 at 11:47, James Shupe  wrote:
> My idea is to maintain a table of RTP servers, if that is possible. RTP
> uses any unprivileged port (or a port above 1024) to send traffic on. Your
> rule would be a rule that would allow any of that unprivileged UDP traffic
> from only those hosts. It's not the perfect solution, but probably is the
> most viable one. As far as I know, there is no proxy application that can
> handle RTP, but you may want to investigate that further.
>
> pass in log inet proto udp from  to $int:network port > 1024
>
>> Effectively, it uses RTP.
>> However, I'm not sure I don't quite understand your idea.  How would
>> the table be updated with which ports to redirect?  Or do you mean it
>> to be static with the port range currently in use?
>>
>> The port used seems to be random between 5 and 6 (something I
>> have not found a reference to in anything liked to RTP).  Redirecting
>> them with a rule like "rdr pass on $extif proto udp from any to $extif
>> port 5:6 -> $mypc" should work, but this does not seem like
>> the proper solution.  Or am I wrong?  (=
>>
>> Isn't there a way to have this work so that, in future, MORE than one
>> PC can use RTP?  This isn't a  MUST right now, but I would prefer to
>> find some solution that would work in future.
>>
>> BTW James: Thank you very much, pointing out that XMPP's
>> video-conference implementation uses RTP helped me google A LOT more
>> info on the subject :)

Re: Problem with NAT and UDP packages.

2010-04-11 Thread Hugo Osvaldo Barrera
On Thu, Apr 8, 2010 at 11:47, James Shupe wrote:
> My idea is to maintain a table of RTP servers, if that is possible. RTP
> uses any unprivileged port (or a port above 1024) to send traffic on. Your
> rule would be a rule that would allow any of that unprivileged UDP traffic
> from only those hosts. It's not the perfect solution, but probably is the
> most viable one. As far as I know, there is no proxy application that can
> handle RTP, but you may want to investigate that further.
>
> pass in log inet proto udp from  to $int:network port > 1024
>
>> Effectively, it uses RTP.
>> However, I'm not sure I don't quite understand your idea.  How would
>> the table be updated with which ports to redirect?  Or do you mean it
>> to be static with the port range currently in use?
>>
>> The port used seems to be random between 5 and 6 (something I
>> have not found a reference to in anything liked to RTP).  Redirecting
>> them with a rule like "rdr pass on $extif proto udp from any to $extif
>> port 5:6 -> $mypc" should work, but this does not seem like
>> the proper solution.  Or am I wrong?  (=
>>
>> Isn't there a way to have this work so that, in future, MORE than one
>> PC can use RTP?  This isn't a  MUST right now, but I would prefer to
>> find some solution that would work in future.
>>
>> BTW James: Thank you very much, pointing out that XMPP's
>> video-conference implementation uses RTP helped me google A LOT more
>> info on the subject :)

Re: Problem with NAT and UDP packages.

2010-04-12 Thread Hugo Osvaldo Barrera
On Mon, Apr 12, 2010 at 01:11, Rod Whitworth  wrote:
> On Mon, 12 Apr 2010 00:18:31 -0300, Hugo Osvaldo Barrera wrote:
> 8>< snip long message. My reply would be easy to miss in all that and
> it doesn't address lots of the thread.
>
> Caveat: I don't do pidgin etc BUT I do VoIP behind NAT with multiple
> ATAs and the audio uses RTP.
>
> I use sipproxy from packages and it handles all of the RTP NAT
> traversals without any fuss and I'd expect that you would need
> something like that.
>
> Does pidgin use SIP to set up a session? If not, what does it use?
>
> I saw http://en.wikipedia.org/wiki/Jingle_(protocol)  linked from
> http://en.wikipedia.org/wiki/Pidgin_(software) but I don't know how
> their details fit your case.
>
> IAC all these protocols that don't play nice with NAT are a royal PITA,
> introducing complexities where none are needed if you begin the design
> with the recognition that:
> a> NAT is out there in force and won't go away soon.
> b> Not everybody has enough routable addresses to have one per user.
> c> IPv6 will fix the address shortage in the future BUT you need to
> make sure you have catered for it NOW.
>
> Good luck - maybe you can use a (modified?) sip-proxy or get somebody
> to write one for pidgin.
>
> R/
>
> *** NOTE *** Please DO NOT CC me. I  subscribed to the list.
> Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thankyou.
>
> Rod/
> ---
> This life is not the real thing.
> It is not even in Beta.
> If it was, then OpenBSD would already have a man page for it.
>
>
>

If I've understood these days' reading correctly, a SIP proxy will not help.
However, I'll seriously consider installing a TURN
(http://en.wikipedia.org/wiki/TURN) server in my gateway.  TURN is
*ALMOST* a UDP proxy in practical terms, and since I'm using an
external one, why not just use an internal one?  I'd have no external
dependency nor the latency added by an external TURN server.

It's a shame I could not solve my problem using PF, but NAT is known to
have this sort of issue.
I believe you've helped me reach the best solution, so thank you, and
thank everyone else who gave me a hand :D
I'll post back if I have any luck with a local TURN server, in case
anyone is interested, or in case anyone may need to know this in
future :)

--
Hugo Osvaldo Barrera



Re: Your web development opinions

2011-02-23 Thread Hugo Osvaldo Barrera
On 02/23/2011 08:59 AM, Ana Zgombic wrote:
>> > you mind to turn it on sometimes? What browser do you use (lynx,
>> > firefox, chromium, ...)?
> not much choice. firefox.
> 

Regrettably, it is.

Firefox is now more about:

 * "users are too stupid to read"
 * "let's not have any buttons so users don't click one they shouldn't"
 * "features confuse user, it's better to remove them/hide them".

The only plus side is that standards-compliant browsers gain market
share this way (a plus for web developers and standards compliance).

I remember firefox sync used to have an encryption passphrase for
syncing data.  Now that's gone, and users are motivated to PRINT an
auto-generated one, because "they can't remember the one that they set",
and "printing it is the safest way to make sure they don't lose it".
Of course, if you CAN remember passphrases, you can't set your own any more.

This stuff is happening all the time with firefox, and I hope some
OpenBSD-like developers branch firefox some day.  "A browser for people
who can read" would be a great slogan.

-- 
Hugo Osvaldo Barrera



Re: Your web development opinions

2011-02-23 Thread Hugo Osvaldo Barrera
On 23/02/11 20:56, Andres Perera wrote:
> On Wed, Feb 23, 2011 at 5:57 PM, Hugo Osvaldo Barrera wrote:
>> On 02/23/2011 10:35 AM, Chris Bennett wrote:
>>>> They're a fucking disaster security-wise.
>>>
>>> +1
>>>
>>>> In general, blocking javascript won't get you too far, because most of the
>>>> issues are not in the client, but rather in the use that's made of 
>>>> javascript.
>>>
>>> I basically block javascript to stop some adveritising and keep some sites 
>>> from crashing firefox.
>>> But many, many sites require javascript to even login (i.e. many bank 
>>> websites!)
>>>
>>>> - trying to do https and having to deal with corrupt certificate 
>>>> authorities
>>>> that don't guarantee too much in the end.
>>>
>>> CA's cannot be trusted to even pay attention to carefully securing your 
>>> certificate.
>>> Here in the US, the government can simply ask for your certificate and get 
>>> it ( and possibly even use it to impersonate you)
>>>
>>> I sign my own certificates, post a copy of serial number and correct name 
>>> and IP address on my websites using them. I explain to every customer that 
>>> I do not trust external CA's and that I am only using https for encryption 
>>> of passwords and paid content.
>>> No one has complained.

A simple man-in-the-middle of that site, replacing its content,
would open the door for every site you refer to.
If it's an SSL website, you're in an endless loop without a CA or
trusted third party.

>>>
>>> Some have told me that I am risking a man-in-the-middle attack. Perhaps. 
>>> But I see little reason to trust the CA man-at-the-end!
>>>
>>> Chris Bennett
>>>
>>
>> Supposing that's the case, the government can just request a CA a
>> certificate for your domain, and do a man-in-the-middle.  Users won't
>> get any prompt for invalid cert, and the same "vulnerability" you
>> described using still exists.
>>
> 
> that's flawed because you're assuming his users are trusting equifax,
> cacert.org, and the countless others that get bundled in certs packages for
> unix, or worse, his users are using a browser that comes bundled with its own
> set of certs and ssl library (firefox).

That means you'd have to physically give the certificate to every user,
with no trusted authority, or trusted third party, you have no way of
establishing a secure (authenticated) communication, except physically
being with that person.

How do you then pay your taxes?  Check your bank account, etc?  I don't
like having to trust dozens of CAs and it's definitely not the best
solution, but I don't see any alternative for this sort of thing.

> 
> when you download openssh, does it come with bundled with a known hosts file?
> 
> no, you go to the site and look at their public key. if they delegated their
> public keys to a central authority they exert no control over, they don't 
> have
> the power to shutdown their site when it becomes compromised to display bogus
> public keys, or worse
> 
> similarly, i dont feed the cert bundle to sendmail, but instead feed it a
> *single* cert that i'm very wary of if it changes
> 
> "ssl everywhere" is a stupid concept because of this. you should only ssl
> select communications so that managing the certs is plausible
> 
>> Additionally, you have to make users accept the cert manually the first
>> time (checking it, of course).  It may not be much of a fuss, but I
>> don't see you actually fixing any security holes.
>>
>> --
>> Hugo Osvaldo Barrera
>>
>>


-- 
Hugo Osvaldo Barrera



Re: OT: Risks of CAs (Re: Your web development opinions)

2011-02-24 Thread Hugo Osvaldo Barrera
On 02/24/2011 11:59 AM, Chris Bennett wrote:
> I am going to point out another factor in my reasoning:
> Basically, there is no reason to assume that my self-signed certificate is 
> any less secure than paying someone who is in a browsers root certificates.
> 
> As a contractor in construction, one article I wrote for my potential 
> customers is how to decide if you should do the work yourself or hire 
> someone else to do it.
> 
> In this case, if I hire someone as a CA, I have just spent money. That comes 
> straight out of my wages. I have to now earn this money back or not eat, pay 
> rent, etc.
> If I self-sign, I now get to keep that money. In fact, I may now be able to 
> spend additional time improving security on my websites and my programming. I 
> could potentially end up improving users security by NOT having to earn back 
> spent money.

http://www.startssl.com/
Why pay if you can have one for free trusted by every major browser?
Sure, the "class 2" ones are pay-for, but the free one works as well as
a self-signed one (except for the "CA sells out like PayPal" idea, which
I admit is possible, though, in the US, the government can just push any
CA to give them a valid cert anyway).


> 
> It is not my fault if some users are stupid. I actually spent some time 
> making security details available to my users. If they care, they are now 
> educated, if not, what can you do?

Nothing, educating is the only solution, if they don't care, it's their
problem.

> 
> Chris Bennett
> 


-- 
Hugo Osvaldo Barrera



Re: OT: Risks of CAs (Re: Your web development opinions)

2011-02-24 Thread Hugo Osvaldo Barrera
On 02/24/2011 01:50 PM, Chris Bennett wrote:
>> http://www.startssl.com/
>> Why pay if you can have one for free trusted by every major browser?
>> Sure, the "class 2" ones are pay-for, but the free one works as well as
>> a self-signed one (except for the "CA sells out like PayPal" idea, which
>> I admit is possible, though, in the US, the government can just push any
>> CA to give them a valid cert anyway).
>> -- 
>> Hugo Osvaldo Barrera
>>
> 
> That's a seemingly good idea except that they don't return any attempt to get 
> a certificate.
> So I gave up on them a long time ago.
> 

I use their web interface to generate them.  It gets stuck sometimes, but
usually works. (Yeah, it's definitely not the best).

-- 
Hugo Osvaldo Barrera



Re: OT: Risks of CAs (Re: Your web development opinions)

2011-02-27 Thread Hugo Osvaldo Barrera
On 26/02/11 19:21, Jonathan Schleifer wrote:
> Am 24.02.2011 um 18:34 schrieb Hugo Osvaldo Barrera:
> 
>> I use their web interface to generate them.  It gets stuck sometimes, but
>> usually works. (Yeah, it's definitely not the best).
> 
> Letting them generate one is a stupid idea: then they've got your private key.
> Better to just send them a CSR.
> 
> --
> Jonathan
> 
> [demime 1.01d removed an attachment of type application/pgp-signature which 
> had a name of PGP.sig]
> 

You CAN submit the CSR through the web interface.

-- 
Hugo Osvaldo Barrera
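
Both points made in this sub-thread, Jonathan's (never let the CA generate the key, send a CSR) and the earlier one about feeding sendmail a single cert that you watch for changes, as an added shell example that is not part of the thread and is not StartSSL's, OpenBSD's or any CA's tooling. It generates the key locally, builds the CSR that is all a CA needs to see, self-signs it the way Chris does, and pins the result by SHA-256 fingerprint. The hostname and working directory are assumptions, and the self-signing step stands in for whatever certificate a CA would hand back.

```shell
#!/bin/sh
# Added example (not from the thread): the private key is generated here and
# stays here; only the CSR goes to the CA. The resulting certificate is then
# pinned by its SHA-256 fingerprint, the "single cert I'm wary of if it changes"
# approach. HOST and WORK are assumptions for the demo.
set -eu

HOST=${HOST:-www.example.org}   # assumed hostname, change to yours
WORK=${WORK:-$(mktemp -d)}      # scratch directory for key/CSR/cert

# Generate the private key locally; nothing but the CSR leaves this machine.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/key.pem" 2>/dev/null
    chmod 600 "$WORK/key.pem"
}

# Build the CSR from the local key. This, and only this, is what you paste
# into the CA's form; the CA never sees key.pem.
gen_csr() {
    openssl req -new -key "$WORK/key.pem" -subj "/CN=$HOST" \
        -out "$WORK/csr.pem" 2>/dev/null
    # A CSR is signed by its own key; refuse to go on if that signature fails.
    openssl req -in "$WORK/csr.pem" -noout -verify >/dev/null 2>&1
}

# Self-sign the CSR, as Chris does. With a CA you would skip this step and
# drop the certificate the CA returns into $WORK/cert.pem instead.
self_sign() {
    openssl x509 -req -in "$WORK/csr.pem" -signkey "$WORK/key.pem" \
        -days 365 -out "$WORK/cert.pem" 2>/dev/null
}

# SHA-256 fingerprint of a certificate: the value to publish out of band
# (as Chris posts his serial number) or to pin in a client.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeed only if the presented certificate matches the pinned fingerprint.
# A different cert for the same name, e.g. one a coerced CA issued, fails here.
check_pin() {
    pinned=$1; presented=$2
    [ "$(fingerprint "$presented")" = "$pinned" ]
}

# Sanity check: the cert carries the public half of the local key file.
same_pubkey() {
    [ "$(openssl pkey -in "$WORK/key.pem" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey)" ]
}

gen_key && gen_csr && self_sign
PIN=$(fingerprint "$WORK/cert.pem")
echo "CSR to submit: $WORK/csr.pem"
echo "pin/publish:   $PIN"
check_pin "$PIN" "$WORK/cert.pem" && echo "presented cert matches the pin"
```

The pin check is the whole difference between "trust the CA" and "trust this one cert": a second certificate for the same name, however valid its chain, has a different fingerprint and is rejected. The price is the one the thread already names: when the cert changes legitimately, every pinning client has to be told the new fingerprint out of band.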



Re: Specs for a firewall.

2011-02-28 Thread Hugo Osvaldo Barrera
On 28/02/11 21:26, Timothy Legge wrote:
> Hi list!
> 
> I'm looking to setup my first OpenBSD firewall in the near future, and I
> was hoping to get a little feedback from you about ideal specs for a first
> time machine.
> 
> Below is a little about my situation.
> 
> I plan to install the firewall physically between my router (Apple Time
> Capsule) and my ADSL 2+ Modem so it can filter all traffic sent and received
> to the Internet.
> 
> As I understand it, I will be running pf to filter the traffic on each of
> the NICs installed, and I would like to install an IDS.
> Besides this, I'll only really need to run whatever is necessary to allow a
> secure connection to be established to that machine so I can manage it from
> within my network. (Happy to be corrected if I'm wrong, I'm still learning!)
> 
> I look forward to reading your advice, and I'm happy to provide any
> additional information.
> 
> Tim
> 


I used an Intel D945GCLF2D for my old home access point; you can put
a second Ethernet interface in its single PCI slot if you like.

It's pretty small [1], so I used a Mini-ITX case for it, and that's a
real plus, since I stuffed it somewhere I never needed to see it again.*

That model is outdated now, and there are better ones from Intel, but
small size, low cost, quiet, and energy efficiency are real pros for
this line of mobos.

The downside is it's got just one PCI slot.  You should do fine with a single
DDR2 module for a home server/firewall/access point/whatever.


[1] http://www.logicsupply.com/images/photos/mainboard/d945gclf2d_big.jpg

-- 
Hugo Osvaldo Barrera



What do you guys use against spam?

2011-03-02 Thread Hugo Osvaldo Barrera
I'd never gotten ANY spam on my e-mail server directly to my mail
address (only through lists), until last night.

Since last night, I've gotten over 350 spam messages, so it's time I
implement something anti-spam.

I used mozilla's and xfce's bugzilla last night, and I suspect that my
e-mail might have been picked up by bots there :-/

Anyway, I'm not asking HOW to fight it, but rather for suggestions of
what you guys use.  I've fought this off with Thunderbird's junk filter
for now, but since it has to do all its "training", fresh installs
won't fight this, and I prefer server-side stuff for my e-mail.  This is
just a quick workaround.

Most e-mails seem to have the same format, but NOT a common IP of origin.

Cheers!

-- 
Hugo Osvaldo Barrera



Re: What do you guys use against spam?

2011-03-02 Thread Hugo Osvaldo Barrera
On 03/03/11 03:44, Theo de Raadt wrote:
> Wrong mailing list to discuss this.
> 
> Please take it elsewhere.

I thought this would be the ideal place for this sort of thing.

I did forget to mention it, but the mail server is running OpenBSD and
smtpd, so I felt the OpenBSD community would have plenty of experience
to comment on how they deal with this sort of issue / what their
preferred setups are.

-- 
Hugo Osvaldo Barrera



Re: opensmtp

2011-03-08 Thread Hugo Osvaldo Barrera
On 03/08/2011 06:31 AM, Earin Gregor wrote:
> Hello
> 
> I haven't been following the latest openbsd development very
> closely...shame on me :-(
> 
> I just wanted to know how the current development of opensmtp is going?
> Is it ready for prime time or still considered as to early in development?
> 
> Thanks
> 

I've used it on my personal e-mail server since December, and it's
worked just fine: no issues, crashes, nothing unusual.

It also took only a very short while to configure and the doc had
everything I needed (as usual with OpenBSD).  In case you haven't read
any of it yet, the configuration is a pf-style text file.

-- 
Hugo Osvaldo Barrera



Re: Ideas for securing OpenVPN on an OpenWrt router

2011-03-08 Thread Hugo Osvaldo Barrera
On 03/08/2011 12:34 PM, erikmccaskey64 wrote:
> ok, I put an OpenVPN server on port 1194 on an OpenWrt 10.03 router.
> https://pastebin.com/raw.php?i=xEZTvnhT
> http://pastebin.mozilla.org/1138443
> 
> 
> Questions: what could I do to increase security regarding this OpenVPN
> server? - I mean on the server side!
> 
> 
> 1 - I sed 's/1194/5/' the port number to a higher one - it's against the
> automated robots, ok!
> 2 - iptables? I should only allow IP ranges [on the input chain] that I will
> use in reality? - ok!
> 3 - if I don't use my router - e.g. when I'm sleeping - I just turn it off.
> 4 - ? what else?? Please write down your idea/solution!!!
> 
> 
> OpenWrt isn't OpenBSD, so from the "ps" command I can see that OpenVPN is
> run by root. It's not so secure. How can I make it more secure?
> 

Google OpenVPN+chroot, and run it as another user as well.

This isn't related to OpenBSD in any way; OpenWRT is based on linux,
OpenVPN is someone else's product.

-- 
Hugo Osvaldo Barrera
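
The reply above ("chroot it and run it as another user") as an added shell example that is neither from the thread nor OpenVPN's own tooling: a small audit of an OpenVPN server config for the privilege-dropping directives, which also appends the persist-key/persist-tun options, because a daemon that has become nobody inside a chroot can no longer reread its key file or reopen the tun device on a SIGUSR1 or ping-restart and would otherwise fail to come back. The sample server.conf is constructed (the poster's real one is only on pastebin); the jail path and the group name "nogroup" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not OpenVPN's own tooling: audit an
# OpenVPN server config for the privilege-dropping directives and append the
# ones it lacks. The sample config is constructed; /var/openvpn/jail and the
# group name "nogroup" (OpenWrt/Debian; OpenBSD uses "nobody") are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Constructed stand-in for the poster's server.conf: a stock config that
# never drops root, which is exactly what "ps" showed him.
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
verb 3
EOF

# Print, one per line, each hardening directive that is absent from $1 or
# that names root (a "user root" line is present but drops nothing).
# Matching is anchored at line start so commented-out lines do not count.
missing_directives() {
    conf=$1
    for d in user group chroot persist-key persist-tun; do
        if ! grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$conf"; then
            echo "$d"
        elif grep -Eq "^[[:space:]]*$d[[:space:]]+root([[:space:]]|\$)" "$conf"; then
            echo "$d"
        fi
    done
}

# Exit 0 only when nothing is missing.
check_hardening() {
    [ -z "$(missing_directives "$1")" ]
}

# Write $1 to $2 with any "user root"/"group root" lines dropped, then append
# whatever missing_directives reports. persist-key/persist-tun are what let a
# non-root, chrooted openvpn survive SIGUSR1 or ping-restart without needing
# to reread the key or reopen tun, which it can no longer do.
harden_conf() {
    in=$1; out=$2
    sed -E '/^[[:space:]]*(user|group)[[:space:]]+root([[:space:]]|$)/d' "$in" > "$out"
    for d in $(missing_directives "$in"); do
        case $d in
            user)        echo "user nobody" ;;
            group)       echo "group nogroup" ;;
            chroot)      echo "chroot /var/openvpn/jail" ;;   # assumed path; must exist, root-owned
            persist-key) echo "persist-key" ;;
            persist-tun) echo "persist-tun" ;;
        esac >> "$out"
    done
}

echo "missing from server.conf:"
missing_directives "$WORK/server.conf"
harden_conf "$WORK/server.conf" "$WORK/server-hardened.conf"
check_hardening "$WORK/server-hardened.conf" && echo "server-hardened.conf drops root"
```

Two things to check after applying this on the router: the chroot directory has to exist before openvpn starts, and anything openvpn opens after initialisation (a CRL, a client-config-dir, up/down scripts) has to live inside it, because paths are resolved relative to the jail once the chroot has happened.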



802.11n

2011-03-08 Thread Hugo Osvaldo Barrera
I know that 802.11n is not supported yet, however, I was wondering:

Is anyone working on this?
What needs to be done to add support to "n"?  I'd like to contribute if
possible, I don't mind if it's a LOT of work, but I will probably get
stuck if it's very complicated.
Does just ieee80211(9) need to be modified, or do drivers need to be
updated as well?  (I feel modifying drivers is really out of my league
as far as programming experience goes.)


-- 
Hugo Osvaldo Barrera
Sent using my PC



Re: fdisk(8) missing from sparc64 install48.iso?

2011-03-10 Thread Hugo Osvaldo Barrera
On 03/10/2011 12:47 PM, Kent Watsen wrote:
> |
> 
> Welcome to the OpenBSD/sparc64 4.8 installation program.
> (I)nstall, (U)pgrade or (S)hell? S
> 
> # fdisk
> sh: fdisk: not found
> 
> # ls /sbin/fdisk
> ls: /sbin/fdisk: No such file or directory
> 
> # ls /sbin
> bioctl           dmesg            init             mount_udf        restore
> chown            fsck             mknod            newfs            route
> dhclient         fsck_ffs         mount            ping             rtsol
> dhclient-script  halt             mount_cd9660     ping6            sysctl
> disklabel        ifconfig         mount_ffs        reboot           umount
> 
> 
> Is it missing?
> 
> 
> |
> 

No, to quote FAQ 4.5.3

"Setting up disks in OpenBSD varies a bit between platforms. For i386,
amd64, macppc, zaurus and armish, disk setup is done in two stages.
First, the OpenBSD slice of the hard disk is defined using fdisk(8),
then that slice is subdivided into OpenBSD partitions using disklabel(8)."

Cheers,

-- 
Hugo Osvaldo Barrera



Re: OpenBSD Europe

2011-03-17 Thread Hugo Osvaldo Barrera
On 03/16/2011 02:11 PM, Christiano F. Haesbaert wrote:
> On 16 March 2011 13:03, Theo de Raadt  wrote:
>> OpenBSD Europe, which is run by Liam Foy in Manchester, is also
>> now ready for pre-orders!
>>
>>
> 
> I bought from openbsdeurope last time and I'm buying again.
> They're great and also ship to South America, no extra taxes, so if
> you are in SA, thats probably your best shot.
> 

Could you be more specific; what country are you in?
I really would hate to have to pay customs, last time they said "we'll
let it pass for just $6 *this time*". (I'm in Argentina).
Sucks to be here, BTW.

-- 
Hugo Osvaldo Barrera
Sent using my PC


