Re: fsck fails on ext2 partition during rc

2024-12-18 Thread Maxim
Stuart Henderson, 2024-12-16 17:13 -: > fsck_ext2fs doesn't use opendev() so it can't handle DUIDs. > > This diff may fix it. I don't have any handy devices with ext2fs that > I can add to an OpenBSD system to try it. It does fix it indeed. Will this patch go upstream? Thank you for helping

fsck fails on ext2 partition during rc

2024-12-14 Thread Maxim
During the rc startup sequence, fsck fails to check this one ext2 partition (known as /dev/sd0i and a7e6ed0a30d39bcc.i). I had to disable fsck in fstab (set last field fs_passno to 0) to get the system up. The partition looks good: I can mount and work with it just fine. I also ran "fsck -f" agains

Re: Need some advice on C semantics.

2024-12-13 Thread Maxim
Christian Schulte, 2024-12-12 11:54 +0100: > is there something specific for OpenBSD like style(9) but for semantics? I believe such document doesn't exist. As it's been suggested to you, reading and learning for the codebase comes closest. However, you probably will be interested in general docu

Re: pkg_info -Q: inconsistent search results

2024-12-11 Thread Maxim
izzy Meyer, 2024-12-11 11:53 -0600: > I agree that the faq15 page should be updated to reflect this behavior. I've been told off-list that the page will be updated. > although IMHO, it should specifically mention this quirk only affects > -stable as the way mirrors architect the repositories mak

Re: pkg_info -Q: inconsistent search results

2024-12-11 Thread Maxim
Marc, What was the rationale to put "./" as the first search path in the default PKG_PATH, in particular? And include "./" in there at all, in general? * * * Yesterday on Libera Chat we debugged a related problem followed by a conversation about pkg_add, pkg_info, and default PKG_PATH. I've learne

pkg_info -Q: inconsistent search results

2024-12-09 Thread Maxim
The FAQ page [FAQ15] suggests to use "pkg_info -Q" to search the collection of pre-compiled packages. When I search for "tcl", I get a few "nextcloud" packages only, but no Tcl: $ pkg_info -v -Q tcl PKG_PATH= nextcloud-27.1.11p0 nextcloud-28.0.11 nextcloud-28.0.12 nextcloud

PF: (max-src-conn 1, max-src-conn-rate 1/1, overload )

2023-06-25 Thread Maxim Bourmistrov
. Above is new modd I’d like to introduce. Not working. Prev. rule: pass on int all keep state. ← working all good. Any one seen this before. Br //mxb -- Maxim -- Maxim

Failed sysupgrade from 6.6 to 6.7 amd64

2020-11-15 Thread Maxim Khitrov
After all these years of trouble-free upgrades, I ran into my first problem. I used sysupgrade to go from 6.6/amd64 to 6.7. The upgrade process was successful, but after bsd.upgrade did its thing and rebooted the system, the new kernel would not boot. It got to the "boot>" prompt, started loading

Re: Reboot and re-link

2019-06-20 Thread Maxim Bourmistrov
Why the f I have old kernel? The ONE taking care of all sh. On Thu, 20 Jun 2019 at 22:43, Maxim Bourmistrov wrote: > btw, after reboot, sys converted to 6.4 kernel. yet again > I removed all /bsd* > Do I need to rm /usr/obj* as well > > On Thu, 20 Jun 2019 at 22:12, Theo

Re: Reboot and re-link

2019-06-20 Thread Maxim Bourmistrov
k wrote: > > On Wed, Jun 19, 2019 at 11:29:32PM +0200, Maxim Bourmistrov wrote: > > > >> Hey, > >> > >> long story short: reboot and re-link is not practical. > >> > >> Long story: > >> Time to upgrade 6.4 to 6.5. > >> If re

Reboot and re-link

2019-06-19 Thread Maxim Bourmistrov
Hey, long story short: reboot and re-link is not practical. Long story: Time to upgrade 6.4 to 6.5. If re-link been active in 6.4 (don't remember) - I never noticed it. Installing via NOT RECOMMENDED WAY(following upgrade65.html) - scripting on steroids (ansible). All down. Reboot. and now I get

Re: Different sound sources interfere with each other

2018-06-18 Thread Maxim Tarasov
Hi, I was able to find another trigger for this sound glitch: dd if=/dev/zero of=/tmp/test bs=1m count=256 rm /tmp/test Sound sometimes interrupts in the middle of dd(1) call, and always interrupts at the time of rm(1) call on files larger than 200 Mb. It looks like in case of dd/rm not only sou

Re: Different sound sources interfere with each other

2018-06-15 Thread Maxim Tarasov
On Thu, Jun 14, 2018 at 08:40:56AM +0300, Максим wrote: > The first problem is: when I listen to music (cmus) and browse in the > internet (Firefox) cmus sometimes stops playing for a second. > This happens when I click a link on a page or receive some notification from > the web page (which may

Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-30 Thread Maxim Bourmistrov
Yepp. I ended up with a -stable kernel and syspatch refusing to pull down patches, but this is another story. It’s up2date now. Thanks all. Br > 30 maj 2018 kl. 09:36 skrev Peter Hessler : > > Assuming 1.140 is the "problem", 1.151 should fix it.

Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-29 Thread Maxim Bourmistrov
supported anymore, > and in any event, you need to include full dmesg so that others without DL360 > Gen9 have a chance at helping you. > > Maxim Bourmistrov [m...@alumni.chalmers.se] wrote: >> Hey, >> While moving one of machines from 6.0 to 6.1, I found 6.1 not able to attac

Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-29 Thread Maxim Bourmistrov
Hey, While moving one of machines from 6.0 to 6.1, I found 6.1 not able to attach ix-device. Machine is HP DL360 Gen9. ix0 at pci5 dev 0 function 0 "Intel 82599" rev 0x01: mmba is not mem space ix1 at pci5 dev 0 function 1 "Intel 82599" rev 0x01: mmba is not mem space Found this thread http://op

Re: nsd does not stop

2018-05-06 Thread Maxim Bourmistrov
Is nsd.conf broken? shell# nsd-checkconf /var/nsd/etc/nsd.conf > 3 maj 2018 kl. 16:27 skrev Vivek Vinod : > > Dear Misc, > > on stopping nsd from command line, nsd does not stop at all > > Config: > OpenBSD 6.3 > nsd remote control is disabled > nsd ipv6 is disabled > > $doas rcctl restart

Re: Intel X-550T 10 GbE Adapter cards

2018-05-06 Thread Maxim Bourmistrov
> 6 maj 2018 kl. 22:43 skrev Sebastian Benoit : > > Peter J. Philipp(p...@centroid.eu) on 2018.05.06 21:47:02 +0200: >> Hi, >> >> The ix(4) manpage mentions there is support: >> >> o Intel X550-T 10GbE Adapter (10GbaseT/1000baseT/100baseTX) >> >> However there is a X550-T1 and a X550-T2 m

Re: OSPF over gif on top of IPsec transport -current

2018-03-13 Thread Maxim Bourmistrov
> 13 mars 2018 kl. 11:56 skrev Marc Peters : > > On Tue, Mar 13, 2018 at 10:24:43AM +0100, Remi Locherer wrote: >>> and it is harder for traffic inside the tunnel >>> to leak out of ipsec. more specifically, gif handles 3 ip protocols, >>> ipv4, ipv6, and mpls, which are ip protocol numbers 4, 4

Re: acme-client No registration exists matching provided key

2018-02-03 Thread Maxim Bourmistrov
I also had to remove /etc/acme/letsencrypt-privkey.pem and re-do the process. Just updating link to pdf not helped out. > 2 feb. 2018 kl. 05:01 skrev Predrag Punosevac : > > Jordan Geoghegan wrote: > >> Hi, >> >> I recently dealt with this issue as well and the solution was quite >> silly. T

Re: Kernel panic with openbsd 6.2

2018-01-25 Thread Maxim Bourmistrov
As Stuart mentioned, em(4) on top of e1000 proven to be more stable. Even under higher load. Vmx starting to misbehave under high load, resulting for ex. with unstable CARP setup. //mxb > 25 jan. 2018 kl. 02:40 skrev trondd : > > On Mon, January 22, 2018 10:47 am, Mik J wrote: >> Hello Stuart,

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
rel and stable here. Eat it”. //mxb > 21 dec. 2017 kl. 23:19 skrev Maxim Bourmistrov : > > > Fixed in HEAD?! - my ass. Whom puts HEAD into prod?! Not me any more, that's > for sure. > IS LIKE DROPPING A TURBO ENGINE INTO CAR WITH NO WHEELS. > > I can dig into this

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
; 21 dec. 2017 kl. 23:07 skrev Maxim Bourmistrov : > > Solved?1 > > What abt OPTIONS in relay_http.c ? > Solved? > Maybe in HEAD.(?) > I have to hand-rolle this in src for 6.2 to have it working. > —> toread=0; > You know. > > //mxb > >> 21 dec.

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
Solved?1 What abt OPTIONS in relay_http.c ? Solved? Maybe in HEAD.(?) I have to hand-rolle this in src for 6.2 to have it working. —> toread=0; You know. //mxb > 21 dec. 2017 kl. 22:40 skrev Janne Johansson : > > 2017-12-21 21:58 GMT+01:00 Maxim Bourmistrov <mailto:m...@alu

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
I had to bypass relayd to roll prod stable. Down to apache. Taking care of http and https. By redirect. Now this setup (if I can call it) is stable. . P.S. Looks like we have to move forward from here. > 21 dec. 2017 kl. 21:58 skrev Maxim Bourmistrov : > > > Sorry, but I

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
Sorry, but I have to say Releases after 5.9 are NOT production stable. (Until all bugs are smashed within stack changes and SMP unlock). After 5.9 - cost money and effort. MONEY. //mxb > 21 dec. 2017 kl. 20:29 skrev Maxim Bourmistrov : > > Hey, > After upgrading from 6.0-stable t

Re: OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
2017 kl. 20:29 skrev Maxim Bourmistrov : > > Hey, > After upgrading from 6.0-stable to 6.2-stable (syspatch) existing setup > started to hang. > As of burst of emails from me following is known: > > Relayd is a main process to take CPU. > Also running ospfd and bgpd (for

OpenBSD 6.2 (up2date with syspatch) - HANGING

2017-12-21 Thread Maxim Bourmistrov
Hey, After upgrading from 6.0-stable to 6.2-stable (syspatch) existing setup started to hang. As of burst of emails from me following is known: Relayd is a main process to take CPU. Also running ospfd and bgpd (for blocklist distrib) With 6.0, relayd used to have two or more procs with high CPU

Re: IPMI still requires Java! I'm screwed.

2017-12-21 Thread Maxim Bourmistrov
Yepp. I have bios0: Supermicro X10DRT-PT With latest IPMI firmware and have html5. > 21 dec. 2017 kl. 12:00 skrev kasak : > > >> 21 дек. 2017 г., в 12:16, Maxim Bourmistrov >> написал(а): >> >> >> Even X10 can be upgraded to get in html5. >

Re: IPMI still requires Java! I'm screwed.

2017-12-21 Thread Maxim Bourmistrov
Even X10 can be upgraded to get in html5. > 21 dec. 2017 kl. 06:50 skrev kasak : > > >> 21 дек. 2017 г., в 0:03, Chris Bennett >> написал(а): >> >> I found a new server that uses IPMI and offers using it >> to setup your own custom OS. So I bought in. >> >> Damn thing requires Java. >> The

Re: Upgrade 6.1 -> 6.2: No /mnt/etc/myname

2017-10-12 Thread Maxim Bourmistrov
This is, indeed, a symlink. Thanks for opening my eyes. //mxb > 12 okt. 2017 kl. 01:42 skrev Steven McDonald : > > This is a complete guess, but is /etc/myname a symbolic link? If it is > a symlink to an absolute path, that is unlikely to exist in the bsd.rd > filesystem and would cause this e

Re: relayd: high CPU usage by one or two proc. of many

2017-10-11 Thread Maxim Bourmistrov
accommodate relayd. Am I safe to have 1+M of fds as kern.maxfiles ?? //mxb > 27 sep. 2017 kl. 21:34 skrev Maxim Bourmistrov : > > My intention with this mail is to gather more qualitative help > to, hopefully, ever solve this or to have more info so it can be provided > to someone whom

Upgrade 6.1 -> 6.2: No /mnt/etc/myname

2017-10-11 Thread Maxim Bourmistrov
Hey, Upgrade from 6.1 to 6.2 via bsd.rd fails. Mounting /dev/sd0a /mnt - OK No /mnt/etc/myname! # Mount of sd0a as read-only OK - shows in ’mount’ #cat /mnt/etc/myname - no such file Booting back to bsd (6.1) and file is there. 6.2 files are as of Oct 4 from ftp.eu.openbsd.org

Re: relayd: high CPU usage by one or two proc. of many

2017-09-27 Thread Maxim Bourmistrov
. Large does not means ”put a 1G-sized stream”. Text it is. Of course it is not a bug report. No info, if any, states this. Let’s see what I can gather more with fstat. Thanks. Br Maxim > 27 sep. 2017 kl. 20:51 skrev Theo de Raadt : > > This probably means the process has run out of file de

Re: relayd: high CPU usage by one or two proc. of many

2017-09-27 Thread Maxim Bourmistrov
Hey, had to bring this up again as I’m facing the same problem. Exactly with the same ’error 35’ in trace. This time it is a 6.0-stable. Anything else can be done to track this down? Br Maxim > 24 feb. 2016 kl. 10:53 skrev Stuart Henderson : > > On 2016-02-24, mxb

OpenBSD 6.1-stable lock up

2017-08-31 Thread Maxim Bourmistrov
Hey, having a dual-node setup of 6.0 in prod, I decided to move forward with one of machines and upgrade to 6.1-stable. Ending up in benchmark tool ”locking” the 6.1 machine. Background: Nodes are Xeon E5-2642v3 3.4Ghz x12, 16G RAM, 64G DOM modules as hdd, 4x X540T (ix) - 2x on-board and 2x PCI-

Re: relayd l7 loadbalancing

2017-08-16 Thread Maxim Bourmistrov
Once connection is established, state is created in PF. Subsequent requests will be ’pipelined’. It is possible to influence this behavior by manipulating tcp.established in pf.conf, but I don’t think this is what you want. > 16 aug. 2017 kl. 10:05 skrev Mischa Peters : > > Hi All, > > I have

Re: Disk I/O performance of OpenBSD 5.9 on Xen

2017-07-21 Thread Maxim Khitrov
On Sat, Jul 16, 2016 at 6:37 AM, Mike Belopuhov wrote: > On 14 July 2016 at 14:54, Maxim Khitrov wrote: >> On Wed, Jul 13, 2016 at 11:47 PM, Tinker wrote: >>> On 2016-07-14 07:27, Maxim Khitrov wrote: >>> [...] >>>> >>>> No, the tests

rdomain and loopback ifs

2017-07-14 Thread Maxim Bourmistrov
Hey, Not sure if this already known, but while creating rdomain shell# ifconfig vmx5 rdomain 1 OS assumes that for this particular domain number 1, lo1 will be used as a ”glue” between domains. However, it is not checked if this loopback is already within any rdomain. In my case, it is yet anothe

Re: Limit internet connection by time of day and number of hours

2017-07-06 Thread Maxim Bourmistrov
Hey, I have somewhat similar situation at home. However, I never found a straightforward setup. I can do a manual BLOCK OUT with a script, and probably, if I’d link this script to a cron, I’d get some how setup you are after. I do depend on dhcpd giving out static IP to a given MAC and thus I do

Re: relayd: incomplete response from a TLS-accelerated apache

2017-05-08 Thread Maxim Bourmistrov
Compiling relayd with -DDEBUG=3 and watching the output gave me nothing. No errors whatsoever about out of buffers or something else. However, removing 'socket buffer 65536’ solved my problem. Br > 8 maj 2017 kl. 13:27 skrev Maxim Bourmistrov : > > Hey, > I investigate a

relayd: incomplete response from a TLS-accelerated apache

2017-05-08 Thread Maxim Bourmistrov
Hey, I investigate a problem where TLS-accelerated machine response is incomplete. I was able to reproduce this on OpenBSD 5.9, 6.0 and 6.1. Test on 5.8 is about to be. Following env I have: relay1: relayd machine web1: apache 2.2.31 serving the request client1: requester relay1 is configured fo

Re: OpenBSD 6.1: relayd does not start more than 3 processes

2017-05-05 Thread Maxim Bourmistrov
> 5 maj 2017 kl. 15:55 skrev Maxim Bourmistrov : > > >> 5 maj 2017 kl. 14:41 skrev Hiltjo Posthuma : >> >> On Fri, May 05, 2017 at 12:30:56PM +0200, Maxim Bourmistrov wrote: >>> >>> Hey, >>> on OpenBSD 6.0-stable I have following configura

Re: OpenBSD 6.1: relayd does not start more than 3 processes

2017-05-05 Thread Maxim Bourmistrov
> 5 maj 2017 kl. 14:41 skrev Hiltjo Posthuma : > > On Fri, May 05, 2017 at 12:30:56PM +0200, Maxim Bourmistrov wrote: >> >> Hey, >> on OpenBSD 6.0-stable I have following configuration for relayd: >> >> snip——— >> interva

OpenBSD 6.1: relayd does not start more than 3 processes

2017-05-05 Thread Maxim Bourmistrov
Hey, on OpenBSD 6.0-stable I have following configuration for relayd: snip——— interval 10 timeout 1200 prefork 15 log all —— Respective login.conf to spawn more relayd procs: relayd:\ :maxproc-max=31:\ :maxproc-cur=15:\ :openfiles=65536:\

Relayd: session timeout

2017-05-04 Thread Maxim Bourmistrov
Hey list, I have following relay configured on two-node setup. Each node acts as MASTER for one IP and BACKUP for another. The opposite on the second node. tcp protocol tcp_proto { tcp { nodelay, sack, socket buffer 65536, backlog 128 } } relay rabbitmq { listen on $VIP1 port 5

Re: Playstations and PF de-fragmentation

2017-05-02 Thread Maxim Bourmistrov
Thanks for sharing. I’ll re-use this at home. Br > 1 maj 2017 kl. 01:43 skrev Kevin Chadwick : > > > I find that to prevent connection timeouts on playstations, the > following is required. Hopefully they will fix their packet AND > connection handling one day. > > match from ! $ps3 scrub(tcp

Re: torrent downloads

2017-04-27 Thread Maxim Bourmistrov
ISO is burned down to the CD you buy. To install you really just need to PXE. > 27 apr. 2017 kl. 13:55 skrev Thuban : > > Hello, > I was wondering if there is any particular reason explaining why there > is no torrent file to retrieve OpenBSD *.fs and *.iso. > > I've been looking on the list

Re: 6.1: /usr/local/bin/node: W^X binary outside wxallowed mountpoint

2017-04-25 Thread Maxim Bourmistrov
Thanks all for replying. The key part was 1) in Todds’ answer. Mounted /home with wxallowed already. Just needed to ’cp’ binary into it. Br > 25 apr. 2017 kl. 22:43 skrev Todd C. Miller : > > On Tue, 25 Apr 2017 16:49:36 +0200, Maxim Bourmistrov wrote: > >> Any work a

6.1: /usr/local/bin/node: W^X binary outside wxallowed mountpoint

2017-04-25 Thread Maxim Bourmistrov
Hey, Any work around for this one? Mount with wxallowed not working. Br

Re: Can't kill a state with pfctl?

2017-03-06 Thread Maxim Bourmistrov
I’m doing something like this at home. table persist ### block machines out block out quick on egress tagged BLOCK pass out quick on egress from to any nat-to (egress:0) keep state \ (max-src-conn 1, max-src-conn-rate 1/1, overload flush global) tag BLOCK Then I just add IP to , the

Re: relayd(8) relay: redirect based on URL paths

2017-03-06 Thread Maxim Bourmistrov
table { 192.168.10.31 } table { 192.168.10.78 } http protocol somename { tcp { nodelay, sack, backlog 1024 } match header set "Proxy" value "filtered" match header set "X-Forwarded-For" value "$REMOTE_ADDR" match header set "X-Forwarded-By" value "$REMOTE_ADDR:$SE

Re: Content filtering through pf?

2017-03-06 Thread Maxim Bourmistrov
privoxy will be faster I think. as well as footprint on the system. But both privoxy and squid are a bit different, especially if you’ll need to chain proxies. > 24 feb. 2017 kl. 17:39 skrev Alan Corey : > > I'm looking at privoxy although I'm not sure it's more appropriate > than squid. I'm h

Re: two ip with carp

2017-03-06 Thread Maxim Bourmistrov
Just create carp3 and configure it the same way as carp0, except for the password. No aliases whatsoever. Later in pf.conf do a nat-to from dnz to carp3. fw1# ifconfig trunk0 trunk0: flags=8943 mtu 1500 lladdr 00:25:90:f9:74:b0 index 7 priority 0 llprio 3 trunk: trunkprot

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-14 Thread Maxim Bourmistrov
recv_db_description: neighbor ID 10.4.255.29: seq num mismatch, bad flags > 14 feb. 2017 kl. 11:56 skrev Maxim Bourmistrov : > > >> 14 feb. 2017 kl. 11:33 skrev Jeremie Courreges-Anglas mailto:j...@wxcvbn.org>>: >> >> I have no idea why you're getting this kind of err

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-14 Thread Maxim Bourmistrov
> 14 feb. 2017 kl. 11:33 skrev Jeremie Courreges-Anglas : > > I have no idea why you're getting this kind of error, but maybe you > can simplify your setup a bit more. Can you reproduce when using just > em1 (out of the trunk) instead of trunk1? Just bnx1? I’ll try to modd this setup. Any how

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-14 Thread Maxim Bourmistrov
current. This will track interface MTU changes. > > > On 2017 Feb 09 (Thu) at 14:51:05 +0100 (+0100), Maxim Bourmistrov wrote: > :This actually a default setting for this switch, then you don’t configure > :jumbo at all. > :'sh running-config all’ shows this. > : > :I had

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-09 Thread Maxim Bourmistrov
Hm, seems that I mistyped MTU in my original mail. lacp system-priority 1 rate-limit cpu direction input pps 1024 system jumbo mtu 1518 It is 1518 by default. > 9 feb. 2017 kl. 14:51 skrev Maxim Bourmistrov : > > > This actually a default setting for this switch, then you don’t con

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-09 Thread Maxim Bourmistrov
ould > be 1518 (16 bytes for the ethernet header). > > Is it fixed if you change it to 1518, or drop that line completely? > > > > On 2017 Feb 09 (Thu) at 14:12:32 +0100 (+0100), Maxim Bourmistrov wrote: > :I see similar behavior with Cisco Nexus and 5.9-stable. > :How

Re: OSPFd stucks in EXCHG/EXSTA

2017-02-09 Thread Maxim Bourmistrov
I see similar behavior with Cisco Nexus and 5.9-stable. How ever not 100% sure if it is the same trigger. > 9 feb. 2017 kl. 14:08 skrev Maxim Bourmistrov : > > Hey, > > ospfd on 6.0-stable stucks in EXCHG/EXSTA while neighboring with Dell N3048 switch. > According to some do

OSPFd stucks in EXCHG/EXSTA

2017-02-09 Thread Maxim Bourmistrov
Hey, ospfd on 6.0-stable stucks in EXCHG/EXSTA while neighboring with Dell N3048 switch. According to some documentation around, this is due to MTU mismatch. This is not in my case. N3048: system jumbo mtu 1512 obsd: trunk1: flags=8943 mtu 1500 lladdr 00:25:90:78:62:b6 descripti

Re: Disk I/O performance of OpenBSD 5.9 on Xen

2016-07-14 Thread Maxim Khitrov
On Wed, Jul 13, 2016 at 11:47 PM, Tinker wrote: > On 2016-07-14 07:27, Maxim Khitrov wrote: > [...] >> >> No, the tests are run sequentially. Write performance is measured >> first (20 MB/s), then rewrite (12 MB/s), then read (37 MB/s), then >> seeks (95 IOPS). &g

Re: Disk I/O performance of OpenBSD 5.9 on Xen

2016-07-13 Thread Maxim Khitrov
On Wed, Jul 13, 2016 at 11:10 AM, Tinker wrote: > On 2016-07-13 22:57, Maxim Khitrov wrote: >> >> On Wed, Jul 13, 2016 at 10:53 AM, Tinker wrote: >>> >>> On 2016-07-13 20:01, Maxim Khitrov wrote: >>>> >>>> >>>> We're see

Re: Disk I/O performance of OpenBSD 5.9 on Xen

2016-07-13 Thread Maxim Khitrov
On Wed, Jul 13, 2016 at 10:53 AM, Tinker wrote: > On 2016-07-13 20:01, Maxim Khitrov wrote: >> >> We're seeing about 20 MB/s write, 35 MB/s read, and 70 IOPS > > > What do you mean 70, you mean 70 000 IOPS? Sadly, no. It was actually 95, I looked at the wrong column

Disk I/O performance of OpenBSD 5.9 on Xen

2016-07-13 Thread Maxim Khitrov
Hi all, We're seeing about 20 MB/s write, 35 MB/s read, and 70 IOPS with OpenBSD 5.9 amd64 on XenServer 7.0 (tested using bonnie++). The virtual disks are LVM over iSCSI. Linux hosts get well over 100 MB/s in both directions. I'm assuming that this is because there is no disk driver for Xen yet,

find process on other end of pipe

2016-06-04 Thread Maxim Pichler
fstat shows address 0x0 for *all* pipes: maxim cat449241 pipe 0x0 state: [...] How can one find out which process is on the other end of a pipe? Thanks

Re: APC UPS & sensorsd - how?

2016-02-24 Thread Maxim Khitrov
On Wed, Feb 24, 2016 at 3:38 AM, lilit-aibolit wrote: > On 03/22/2015 05:44 PM, T. Ribbrock wrote: >> >> Then, I re-applied power, but that, too, was never flagged by sensorsd. >> For some reason, it looks like sensorsd only ever detects a status change >> (for these rules) when it gets started -

Re: sensorsd, upd, and state changes

2015-10-19 Thread Maxim Khitrov
On Mon, Oct 19, 2015 at 2:31 PM, David Higgs wrote: > On Mon, Oct 19, 2015 at 11:11 AM, Maxim Khitrov wrote: >> >> On Mon, Dec 8, 2014 at 3:45 PM, David Higgs wrote: >> > On Mon, Dec 8, 2014 at 3:37 PM, trondd wrote: >> >> On Mon, Dec 8, 2014 at 3:23 PM,

Re: sensorsd, upd, and state changes

2015-10-19 Thread Maxim Khitrov
On Mon, Dec 8, 2014 at 3:45 PM, David Higgs wrote: > On Mon, Dec 8, 2014 at 3:37 PM, trondd wrote: >> On Mon, Dec 8, 2014 at 3:23 PM, trondd wrote: >>> On Mon, Dec 8, 2014 at 11:47 AM, David Higgs wrote: sysctl(8) will display Off if the value is zero, and On for nonzero. So

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Maxim Khitrov
On Mon, Jul 27, 2015 at 11:10 AM, Quartz wrote: >> These days you have "bypass" features in hardware that allow packets >> to flow from one interface to another even if the firewall is turned >> off. > > Can you elaborate on this? Search for "intel nic bypass mode" and you'll find lots of details

Re: Firewall question: is using a NIC with multiple jacks considered insecure?

2015-07-27 Thread Maxim Khitrov
On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber wrote: > On 2015-07-27, Quartz wrote: > >> Some years ago I remember reading that when using OpenBSD (or any OS, >> really) as a router+firewall it was considered inadvisable from a >> security standpoint to have the different networks all att

Re: OpenBSD 5.7 Released

2015-05-01 Thread Maxim Khitrov
On Fri, May 1, 2015 at 4:00 AM, OpenBSD Store Misc wrote: > one of the master CD's was damaged in transit to the production facility The NSA agent needed more time to record an alternate version of the song.

Re: pf to read protocol information from /etc/services ?

2015-02-27 Thread Maxim Khitrov
On Fri, Feb 27, 2015 at 3:40 PM, Research wrote: > UDP is meaningless in the context of HTTP. Well, actually... https://en.wikipedia.org/wiki/QUIC Not really standard, but still. I now allow UDP on ports 80 and 443 to make Google Chrome happy.

Re: Preserving unbound cache across reboots

2015-01-30 Thread Maxim Khitrov
On Fri, Jan 30, 2015 at 12:54 PM, Ingo Schwarze wrote: > Hi, > > Maxim Khitrov wrote on Fri, Jan 30, 2015 at 10:22:23AM -0500: > >> I wrote two simple functions for rc.shutdown and rc.login that >> save/restore unbound cache when the system is restarted. Since each >

Preserving unbound cache across reboots

2015-01-30 Thread Maxim Khitrov
Hi all, I wrote two simple functions for rc.shutdown and rc.login that save/restore unbound cache when the system is restarted. Since each record has a relative TTL field, the cache can only be restored within a short time window to avoid serving stale data to clients. I set this window to 10 minu

Re: pf: question about tables derived from interface group

2014-12-28 Thread Maxim Khitrov
On Sun, Dec 28, 2014 at 9:35 AM, Harald Dunkel wrote: > On 12/28/14 13:51, Maxim Khitrov wrote: >> >> These tables are under the hidden "_pf" anchor: >> >> pfctl -a _pf -t extern -T show >> > > Thats cool. Where did you find this? Searching

Re: pf: question about tables derived from interface group

2014-12-28 Thread Maxim Khitrov
On Sun, Dec 28, 2014 at 6:38 AM, Harald Dunkel wrote: > Hi folks, > > pfctl can give me an extended list of tables showing interface > group names, "self", etc. Sample: > > # pfctl -g -sT > egress > egress:0 > extern > extern:network > intern:network

Re: OT: Does OpenBSD run on SuperMicro MicroCloud models, and may be on 5037MC-H12TRF

2014-05-16 Thread Maxim Khitrov
On Thu, May 15, 2014 at 8:51 PM, Daniel Ouellet wrote: > I was also looking at these two if the above one wasn't supported. But > if I remember the Atom SoC one is not working on OpenBSD yet, but I > could be wrong. > > SuperServer 5038MA-H24TRF > http://www.supermicro.com/products/system/3U/5038/

kernel panic when unplugging usb3 sweex harddisk enclosure from usb2 port

2014-04-03 Thread Maxim Belooussov
all() at syscall+0x279 --- syscall (number 202) --- end of kernel end trace frame: 0x1ddde40ec000, count: -7 0x1f61975a: ddb{0}> I've retyped the above manually off the glass console. Dmesg is below. Let me know how I can help to narrow this down, will test diffs. Maxim Beloouss

Support for Intel QuickAssist on Atom Rangeley CPUs?

2014-03-12 Thread Maxim Khitrov
I'm about to purchase a new Supermicro Atom board for a firewall. The decision is between Atom C2750 (Avoton) and C2758 (Rangeley) CPUs. The latter is marketed as a "communications processor" and exchanges Turbo Boost for QuickAssist, which seems to be an FPGA-type thing for accelerating certain cr

Re: When are default 'set prio' priorities set?

2013-12-22 Thread Maxim Khitrov
On Fri, Dec 20, 2013 at 4:11 PM, Maxim Khitrov wrote: > I was under the impression that the packet priority was always set to > 3 prior to the pf ruleset evaluation (ignoring VLAN and CARP for a > moment), and that 'set prio' on an inbound rule only affected > returning tr

When are default 'set prio' priorities set?

2013-12-20 Thread Maxim Khitrov
I was under the impression that the packet priority was always set to 3 prior to the pf ruleset evaluation (ignoring VLAN and CARP for a moment), and that 'set prio' on an inbound rule only affected returning traffic that matched the state entry. Here's an artificial example: pass out on $wan pass

Re: How to segregate forwarded and firewall-generated traffic in pf?

2013-12-20 Thread Maxim Khitrov
On Thu, Dec 19, 2013 at 8:33 AM, Camiel Dobbelaar wrote: > On 18/12/13 22:32, Camiel Dobbelaar wrote: >> >> On 18/12/13 14:50, Maxim Khitrov wrote: >>> >>> On Wed, Dec 18, 2013 at 8:42 AM, Camiel Dobbelaar wrote: >>>> >>>> On 18/12/13 1

Re: How to segregate forwarded and firewall-generated traffic in pf?

2013-12-19 Thread Maxim Khitrov
On Thu, Dec 19, 2013 at 7:57 AM, Giancarlo Razzolini wrote: > Em 18-12-2013 21:33, Andy Lemin escreveu: >> Fantastic! Thanks Camiel :) >> >> Sent from my iPhone >> >>> On 18 Dec 2013, at 21:32, Camiel Dobbelaar wrote: >>> >>>> On 18/12/13

Re: How to segregate forwarded and firewall-generated traffic in pf?

2013-12-18 Thread Maxim Khitrov
On Wed, Dec 18, 2013 at 8:42 AM, Camiel Dobbelaar wrote: > On 18/12/13 13:53, Maxim Khitrov wrote: >> >> When writing outbound rules in pf, is there an accepted best practice >> for only matching packets that are either forwarded or >> firewall-generated? >> >

How to segregate forwarded and firewall-generated traffic in pf?

2013-12-18 Thread Maxim Khitrov
When writing outbound rules in pf, is there an accepted best practice for only matching packets that are either forwarded or firewall-generated? The best that I could come up with is 'received-on all' as a way of identifying forwarded packets, but that option can't be negated to match packets that

Re: How to control set prio

2013-12-17 Thread Maxim Khitrov
On Wed, Aug 7, 2013 at 12:10 PM, Henning Brauer wrote: > * Михаил Швецов [2013-08-07 14:55]: >> How can i see that "set prio" works? > > it just does. Sometimes it doesn't: http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.862 I got into a habit of separating prioritization from filt

Re: Should Android have used OpenBSD instead of Linux?

2013-12-02 Thread Maxim Belooussov
On Sat, Nov 30, 2013 at 6:41 PM, Mikael wrote: > > > > just like everyone else, i would love to see an openbsd > > powered "android" phone. but i think the elephant in > > the room no one is talking about is performance. > > without getting into "running bad code faster" vs > > "running good cod

Re: 10G NIC recommendation

2013-08-14 Thread Maxim Khitrov
On Wed, Aug 14, 2013 at 7:09 PM, Diana Eichert wrote: > What I want to do. > > create a netflow collector using OpenBSD by looking at > data fed from a tap > > I know which 10G NICs are supported by OpenBSD, what I'd > like to hear is a recommendation on which one of the > following to use. > > $

Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread Maxim Khitrov
On Fri, Aug 9, 2013 at 11:52 AM, Henning Brauer wrote: > * Maxim Khitrov [2013-08-09 17:47]: >> and ran iperf >> # s1: iperf -s >> # c1: iperf -c s1 -t 60 -m >> # s1: iperf -s >> # s2: iperf -s >> # c1: nc gw 1234 ; iperf -c s1 -t 60 >> # c2: nc g

Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread Maxim Khitrov
40% CPU0 usage). > On 08/08/2013 08:26 PM, Maxim Khitrov wrote: >> Active Processor Cores: All > > I would turn that off, or at least make it only dual core. No effect, results are also below. >> That's... a bit faster. The CPU in the desktops is Intel i7-3770, >> wh

Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-08 Thread Maxim Khitrov
Thanks to everyone for your advice! I'll try to respond to all the questions at once and provide some more information about the testing that I did today. The BIOS on these firewalls is current. For power-saving options, when I first configured these systems I tried turning Intel EIST (SpeedStep)

Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-07 Thread Maxim Khitrov
On Wed, Aug 7, 2013 at 11:44 AM, Florian Obser wrote: > On Wed, Aug 07, 2013 at 10:26:22AM -0400, Maxim Khitrov wrote: >> Hi all, >> >> I'm looking for performance measuring and tuning advice for 10 gigabit >> Ethernet. I have a pair of Lanner FW-8865 systems that

Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-07 Thread Maxim Khitrov
On Wed, Aug 7, 2013 at 10:31 AM, Martin Schröder wrote: > 2013/8/7 Maxim Khitrov : >> I've read the "Network Tuning and Performance Guide" @ calomel.org, > > Ignore that site and search the list archives. Understood :) I found a number of recommendations for the

10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-07 Thread Maxim Khitrov
Hi all, I'm looking for performance measuring and tuning advice for 10 gigabit Ethernet. I have a pair of Lanner FW-8865 systems that will be used as firewalls for the local network. Each one has a Xeon E3-1270v2 CPU, Intel X540 10GbE NIC (PCIe 3.0 8x), and 8GB DDR3-1600 ECC RAM. Before putting th

Outdated documentation for scrub (no-df) in pf.conf(5)?

2013-07-25 Thread Maxim Khitrov
Hi, The no-df flag can be specified in the "set reassemble" option or a "scrub" rule. From looking at the source, I don't think "scrub (no-df)" does what the man page says it does. To reassemble fragmented packets with the DF flag set, one has to use "set reassemble yes no-df" option. By the time

pf scrub options in OpenBSD 5.3

2013-07-24 Thread Maxim Khitrov
Hi all, A few questions about the operation of pf scrub options in OpenBSD 5.3: 1. In 2010 Henning advised against the use of "reassemble tcp" (link below). Is this advice still applicable and what are the known issues that this option may cause in the current implementation? http://marc.info/?l

Re: pf: inline anchor rules in not enough to keep tables in memory?

2013-03-13 Thread Maxim Khitrov
On Wed, Mar 13, 2013 at 1:59 PM, Michel Blais wrote: > I think you must specify the anchor first. Something like : > > pfctl -a ix1 -t admins -T show That doesn't work. First, it's an unnamed anchor, so I don't think you can specify it with the -a option. Second, inbound connections to port 22 ar

pf: inline anchor rules in not enough to keep tables in memory?

2013-03-13 Thread Maxim Khitrov
Hello, I was a bit surprised by the following behavior when configuring pf on OpenBSD 5.2. Non-persistent tables that are only referenced by inline anchor rules, as in the following example, are removed from memory when pf.conf is loaded. # Doesn't work (ssh connections are blocked): table {10.0

Re: Request improvement for faq 15.2

2012-12-27 Thread Maxim Khitrov
On Thu, Dec 27, 2012 at 10:10 AM, Live user wrote: > I think 15.2.2 should go before 15.1.1, since if there's no point in running > pkg_* when the PKG_PATH is empty, which is after installing using the > interactive method. > > Furthermore, using 'export PKG_PATH=' sets a volatile variable, which
