Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread carlopmart

ropers wrote:

> On 23/10/2007, Jeff Quast [EMAIL PROTECTED] wrote:
>
>> I would like to vouch for openbsd working great as a guest, but my
>> guest has crashed a dozen times. However I think this is due to the
>> debian linux dom0 having broken sata code for the controller in use.
>> dom0's dmesg is filled with debug statements from sata related places
>> in the kernel that should never be printed. We're in a messy
>> de-centralized linux development world trying to get a stable dom0
>> patched together. It sucks.
>
> This is what I meant to hint at earlier: Running an OpenBSD DomU in
> connection with, say, a Linux Xen Dom0 possibly makes that OpenBSD
> installation subject to bugs in the hypervisor/Dom0, and that may be
> unavoidable. The question is, is that a worthwhile trade-off? Is this
> a reason not to support Xen? Or should the user be given that option
> regardless of the inherent limitations and consequences?
>
> --ropers




IMHO I think that OpenBSD needs to be capable of installing and running as a 
paravirtualized domU guest, with some limitations if you like.


Last year I asked the same question. Then it was said that NetBSD only needed 
to do the Xen port, and from there it would be easy enough to carry over to OpenBSD. 
The reality is that NetBSD has long been installable and runnable as a domU, and OpenBSD is not.


And my question is why?? I think that only one developer can't maintain this 
type of code ... it needs more help. I am not a developer but I can do tests if 
needed.



--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Luca Corti
On Tue, 2007-10-23 at 01:11 +0200, ropers wrote:
> unavoidable. The question is, is that a worthwhile trade-off? Is this
> a reason not to support Xen? Or should the user be given that option
> regardless of the inherent limitations and consequences?

A proper Dom0 port of XEN to OpenBSD would solve this by removing the
linux dependency. However this would probably require a significant
effort on the OpenBSD side and a XEN Hypervisor code audit.

Also from earlier discussion on the list it seems this kind of
virtualization may impact on security, which is in direct contrast with
OpenBSD goals. Can someone elaborate more on this?

ciao

Luca



Re: Biometrics

2007-10-23 Thread David Vasek

On Mon, 22 Oct 2007, Cyrus wrote:


> I've been looking for some time now for biometric software for openbsd, to
> work in XDM or KDM.
> I need it to support Keytronic F-SCAN-K001US, if nothing exists, I guess it's
> back to a regular keyboard. I don't think I can run Bio-Logon 3.0 through
> wine as a system process like that, so I'm just looking for some kind of
> biometric software, suite, or project that supports my keyboard/scanner.


Hi,
I found a web page of a project which has been (unfortunately) abandoned 
recently. Don't know anything more about it.


http://biomark.org.ru/en/

Regards,
David



CARP problem

2007-10-23 Thread Heinrich Rebehn
Hi All,

I am trying to set up a carp'ed pair of firewalls and am fighting with 
strange CARP behavior.

frw1 is i386, frw2 is amd64, but both run i386 OpenBSD 4.2

On each machine I have configured 4 vlans on the sk0 interface.
The carp interfaces are configured on top of the vlan interfaces (see 
attachments). Note: I had to bring down carp0 manually on frw2 to keep 
it from confusing our network. Therefore it is shown in INIT state.

What happens:
1. I boot frw1, it becomes MASTER on all carps - good.
2. I boot frw2, it becomes BACKUP on all carps except carp0, which 
becomes MASTER - bad.

Both machines think they're MASTER on carp0.
Since both are complaining about "carp0: incorrect hash" I have double 
checked the passwords on both machines, no diff!

I brought carp2 down on frw1 and it immediately failed over to frw2, so 
CARP in general does work.

Since all traffic is running through the same physical device and the 
problem is only on one carp interface I tend to rule out hardware problems.

Googling showed up quite a few posts of people having problems with CARP 
and the "incorrect hash" message, but none really helped me.

[EMAIL PROTECTED] [/etc] # pfctl -sr | grep carp
pass quick proto carp all no state

[EMAIL PROTECTED] [~] # pfctl -sr | grep carp
pass quick proto carp all no state

Any ideas?

-- 

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341
OpenBSD 4.2 (GENERIC) #1: Fri Sep 14 12:22:31 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.60GHz (GenuineIntel 686-class) 2.60 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 1072459776 (1022MB)
avail mem = 1029386240 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/12/03, BIOS32 rev. 0 @ 0xf0010, SMBIOS 
rev. 2.3 @ 0xf04a0 (68 entries)
bios0: vendor American Megatrends Inc. version 080009   date 12/12/2003
bios0: ASUSTeK Computer Inc. P4P800
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5100/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G/PE/P CPU-I/0-1 rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82865G/PE/P CPU-AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage 128 Pro TF rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 10
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 5
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 5
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: irq 10
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
pci2 at ppb1 bus 2
skc0 at pci2 dev 5 function 0 3Com 3c940 rev 0x12, Yukon (0x1): irq 11
sk0 at skc0 port A: address 00:0c:6e:d8:b0:d8
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
xl0 at pci2 dev 10 function 0 3Com 3c905C 100Base-TX rev 0x74: irq 11, 
address 00:04:76:a0:43:bd
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02: 24-bit 
timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE rev 0x02: DMA, channel 
0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVD-ROM GDR8162B, 0015 SCSI0 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA, channel 0 
configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 5 for native-PCI interrupt
wd0 at pciide1 channel 1 drive 0: ST3320620AS
wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 Intel 82801EB/ER SMBus rev 0x02: irq 11
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 Intel 82801EB/ER AC97 rev 0x02: irq 11, ICH5 
AC97
ac97: codec id 0x41445375 (Analog Devices AD1985)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2 at 

Re: CARP problem

2007-10-23 Thread Rui Miguel Silva Seabra
On Tue, Oct 23, 2007 at 11:10:32AM +0200, Heinrich Rebehn wrote:
> What happens:
> 1. I boot frw1, it becomes MASTER on all carps - good.
> 2. I boot frw2, it becomes BACKUP on all carps except carp0, which 
> becomes MASTER - bad.
>
> Any ideas?

Do you have pass quick for carp and pfsync *before* antispoof and block
rules, and on *all* carp interfaces?

Rui

-- 
Grudnuk demand sustenance!
Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?



Solved: CARP problem

2007-10-23 Thread Heinrich Rebehn

Heinrich Rebehn wrote:

> Hi All,
>
> i am trying to setup a carp'ed pair of firewalls and am fighting with 
> strange CARP behavior.
>
> frw1 is i386, frw2 is amd64, but both run i386 OpenBSD 4.2
>
> On each machine i have configured 4 vlans on the sk0 interface.
> The carp interfaces are configured on top of the vlan interfaces (see 
> attachments). Note: i had to bring down carp0 manually on frw2 to keep 
> it from confusing our network. Therefore it is shown in INIT state.
>
> What happens:
> 1. I boot frw1, it becomes MASTER on all carps - good.
> 2. I boot frw2, it becomes BACKUP on all carps except carp0, which 
> becomes MASTER - bad.
>
> Both machines think they're MASTER on carp0.
> Since both are complaining about carp0: incorrect hash i have double 
> checked the passwords on both machines, no diff!
>
> I brought carp2 down on frw1 and it immediately failed over to frw2, so 
> CARP in general does work.
>
> Since all traffic is running through the same physical device and the 
> problem is only on one carp interface i tend to rule out hardware problems.
>
> Googling showed up quite a few posts of people having problems with CARP 
> and the incorrect hash message, but none really helped me.
>
> [EMAIL PROTECTED] [/etc] # pfctl -sr | grep carp
> pass quick proto carp all no state
>
> [EMAIL PROTECTED] [~] # pfctl -sr | grep carp
> pass quick proto carp all no state
>
> Any ideas?



It is really strange: As soon as i have posted the problem to the list, 
i seem to be able to relax and think better :-)


The solution:

On frw1:
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:0a
carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
inet 134.102.176.202 netmask 0xff00 broadcast 134.102.176.255

On frw2:
carp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:0a
carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
groups: carp
inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255

The alias made the difference! On frw1 I had added it in /etc/rc.conf.local 
because I had difficulties defining it in /etc/hostname.carp0.

This was missing on frw2!

Now it works. Apologies for the noise!

--Heinrich



Re: daap/mdns multicast problems

2007-10-23 Thread Christian Weisgerber
Jonathan Kent [EMAIL PROTECTED] wrote:

> Been trying in vain to get daap/mdns traffic through my OpenBSD 4.1
> firewall to talk to my mt-daap server.
>
> From tcpdumping I can see the multicast traffic coming into sis1
> interface but not coming out of the sis0 interface so I can only assume
> that I have missed something.

As Brian already pointed out, you need to enable multicast routing.
You also need a multicast routing daemon to perform the actual
forwarding.  mrouted(8) will do for simple purposes.  I haven't
tried dvmrpd(8).

However, the first thing you want to check is the TTL of these mdns
packets.  I suspect it's 1 and they are intended as local broadcasts,
not as routable traffic.

-- 
Christian "naddy" Weisgerber  [EMAIL PROTECTED]
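The check Christian recommends, carried one step further as an added example (not code from the thread or from OpenBSD): decode the IPv4/UDP headers of a captured datagram and decide whether any router may forward it at all. Besides the TTL, the destination group matters: mDNS is addressed to 224.0.0.251, which lies in the link-local scope 224.0.0.0/24 that routers never forward whatever the TTL, so multicast routing on the firewall cannot carry those packets. The sample datagrams below are constructed (documentation-range addresses); real ones would come from tcpdump on the inside interface.

```python
"""Decide whether a captured multicast datagram can be forwarded by a router,
before spending time on multicast routing on the firewall.

Added example for this thread, not OpenBSD code.  Packets are constructed
here; a real capture would come from tcpdump on the inside interface.
"""
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"    # 20-byte IPv4 header without options
UDP_HDR = "!HHHH"
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")


def build_ipv4_udp(src, dst, ttl, sport, dport, payload=b""):
    """Assemble a minimal IPv4/UDP datagram.  Checksums are left zero: this
    is a constructed sample for parsing, not something to put on the wire."""
    udp = struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + udp


def parse_ipv4_udp(pkt):
    """Return the header fields a forwarding decision depends on."""
    (ver_ihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)),
            "ttl": ttl, "proto": proto}
    if proto == 17:
        sport, dport, _ulen, _ucsum = struct.unpack(UDP_HDR, pkt[ihl:ihl + 8])
        info["sport"], info["dport"] = sport, dport
    return info


def forwardable(info):
    """(bool, reason): may a multicast router legitimately forward this?"""
    dst = ipaddress.ip_address(info["dst"])
    if not dst.is_multicast:
        return True, "unicast; ordinary routing applies"
    if dst in LINK_LOCAL_MCAST:
        return False, f"{dst} is link-local scope (224.0.0.0/24): never forwarded"
    if info["ttl"] <= 1:
        return False, f"TTL {info['ttl']} expires at the first router"
    return True, "routable multicast: needs mrouted(8)/dvmrpd(8) on the forwarding box"


# Constructed samples: an mDNS query, a TTL-1 group datagram, a routable one.
SAMPLES = {
    "mdns":   build_ipv4_udp("192.0.2.10", str(MDNS_GROUP), 255, 5353, 5353, b"\x00" * 12),
    "ttl1":   build_ipv4_udp("192.0.2.10", "239.255.1.1", 1, 40000, 5000, b"x"),
    "routed": build_ipv4_udp("192.0.2.10", "239.255.1.1", 16, 40000, 5000, b"x"),
}


def classify_samples(samples=SAMPLES):
    """Map sample name -> forwardable flag for every constructed packet."""
    return {name: forwardable(parse_ipv4_udp(pkt))[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        info = parse_ipv4_udp(pkt)
        ok, why = forwardable(info)
        print(f"{name:7} {info['src']} -> {info['dst']}:{info.get('dport')} "
              f"ttl={info['ttl']} forwardable={ok}: {why}")
```

Running it prints `mdns` as not forwardable because of the group address rather than the TTL, which is the practical answer to the original question: discovery traffic for a DAAP server has to be answered on the same link (or proxied), not routed.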



Re: CARP problem

2007-10-23 Thread Marco Pfatschbacher
On Tue, Oct 23, 2007 at 11:10:32AM +0200, Heinrich Rebehn wrote:

> Googling showed up quite a few posts of people having problems with CARP 
> and the incorrect hash message, but none really helped me.

the most common reason for incorrect hash messages is
that your configuration isn't in sync. That includes all
IP addresses and the password.

Seems like that's the case in your setup:

> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>   lladdr 00:00:5e:00:01:0a
>   carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
>   groups: carp
>   inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
>   inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
>   inet 134.102.176.202 netmask 0xff00 broadcast 134.102.176.255

vs.

> carp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>   lladdr 00:00:5e:00:01:0a
>   carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
>   groups: carp
>   inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
>   inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255

dunno where you got 134.102.176.202 from, though...

> hostname.carp0:
> inet 134.102.176.250 255.255.255.0 134.102.176.255 vhid 10 pass xxx10 carpdev 
> vlan0 advskew 100 state backup
>

You shouldn't use state backup here.  The higher advskew is sufficient.
state is only needed for manual intervention.
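A configuration consistency check of the kind Marco's diagnosis calls for, as an added example for this thread (not OpenBSD code). It parses two hostname.carp0 files in the hostname.if(5) syntax quoted above, including `inet alias` lines, and compares the fields that feed the advertisement hash; advskew and state are left out on purpose because they are supposed to differ between master and backup. The two configs are constructed from the thread with a placeholder password, and the digest function is a simplified model of the kernel's HMAC over password, vhid and addresses, not the real carp(4) computation.

```python
"""Compare the CARP configuration of two firewall nodes and report the
differences that make the kernel log "carpN: incorrect hash".

Added example for this thread, not OpenBSD code.  The two hostname.carp0
files are constructed from the configs quoted in the thread; the password
is a placeholder.  advert_digest() is a simplified stand-in for the
kernel's advertisement HMAC (same inputs: password, vhid, addresses),
not the real carp(4) algorithm.
"""
import hashlib
import hmac

# Constructed: frw1 carries an alias address that frw2 does not have.
FRW1_HOSTNAME_CARP0 = """\
inet 134.102.176.250 255.255.255.0 134.102.176.255 vhid 10 pass PLACEHOLDER carpdev vlan0 advskew 0
inet alias 134.102.176.202 255.255.255.0 134.102.176.255
"""
FRW2_HOSTNAME_CARP0 = """\
inet 134.102.176.250 255.255.255.0 134.102.176.255 vhid 10 pass PLACEHOLDER carpdev vlan0 advskew 100
"""

# Keywords that may follow the positional address fields on a hostname.if line.
KEYWORDS = {"vhid", "pass", "carpdev", "advskew", "advbase", "state"}


def parse_hostname_carp(text):
    """Parse a hostname.carpN file into a dict of CARP parameters.

    'addrs' collects the primary address and every 'inet alias' address,
    because all of them are covered by the advertisement hash.
    """
    cfg = {"addrs": set()}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "inet":
            tokens = tokens[1:]
            if tokens and tokens[0] == "alias":
                tokens = tokens[1:]
            cfg["addrs"].add(tokens[0])
            # skip the positional address/netmask/broadcast fields
            while tokens and tokens[0] not in KEYWORDS:
                tokens = tokens[1:]
        # what is left are "keyword value" pairs
        pairs = iter(tokens)
        for key in pairs:
            if key in KEYWORDS:
                cfg[key] = next(pairs, None)
    return cfg


def advert_digest(cfg):
    """Simplified model of the CARP advertisement HMAC: keyed with the
    password over the vhid and the sorted address list.  Any difference in
    those inputs between the two nodes yields a different digest, which is
    what the peer reports as "incorrect hash"."""
    key = cfg.get("pass", "").encode()
    msg = (cfg.get("vhid", "") + "|" + ",".join(sorted(cfg["addrs"]))).encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def carp_mismatches(a, b):
    """Differences that break hash verification (vhid, pass, addresses) or
    put the nodes on different links (carpdev).  advskew and state are not
    compared: they are expected to differ between master and backup."""
    diffs = []
    for key in ("vhid", "pass", "carpdev"):
        if a.get(key) != b.get(key):
            diffs.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    only_a = sorted(a["addrs"] - b["addrs"])
    only_b = sorted(b["addrs"] - a["addrs"])
    if only_a:
        diffs.append(f"addresses only on first node: {only_a}")
    if only_b:
        diffs.append(f"addresses only on second node: {only_b}")
    return diffs


if __name__ == "__main__":
    frw1 = parse_hostname_carp(FRW1_HOSTNAME_CARP0)
    frw2 = parse_hostname_carp(FRW2_HOSTNAME_CARP0)
    for d in carp_mismatches(frw1, frw2) or ["configs are in sync"]:
        print(d)
    print("digests equal:", advert_digest(frw1) == advert_digest(frw2))
```

On the constructed input the only reported difference is the alias 134.102.176.202 present on the first node, and the two digests differ, which is the situation the thread ended up diagnosing by hand. Aliases added from rc.conf.local rather than hostname.carp0 would be missed by a file-based check like this one; comparing `ifconfig carp0` output from both nodes covers that case.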



Installing the latest snapshot freezes on i386

2007-10-23 Thread Reza Muhammad
Hi all,

I just recently purchased a brand new HP Pavilion
G3035L Desktop PC (spec:
http://www.anugrahpratama.com/product/21/1092/HP-Pavilion-G3035L-Desktop-PC).
 It's using Intel Core Duo processor.  I tried to
install OpenBSD's latest snapshot to this machine last
night.  The thing is it freezes and it wouldn't
install.   Here's the messages I got from my screen:

pcibios0 at bios0: rev 3.0 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5590/192
(10 entries)
pcibios0: PCI  Interrupt Router at 000:31:0 (Intel
82801GH LPC rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xae00!
cpu0 at mainbus0
pci0 at mainbus0 bus0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GP rev
0x02: rng active, 800Kb/sec
vga1 at pci0 dev 2 function 0 Intel 82945G Video rev
0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100
emulation)
Intel 82801GB HD Audio rev 0x01 at pci0 dev 27
function 0 not configured
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE
rev 0x01
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 Realtek 8101E rev 0x01:
RTL8101E (0x3400), irq 19, address 00:1b:b9:85:6c:b8
rlphy0 at re0 phy 7: RTL8201L 10/100 PHY, rev 1
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB
rev 0x01: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB
rev 0x01: irq 5
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB
rev 0x01: irq 3
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB
rev 0x01: irq 10
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB
rev 0x01: irq 11
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0

Does anyone know what the problem is?  Is some of the
hardware not supported by OpenBSD? What should I do
so this machine can run OpenBSD?

Thanks for the help.  I appreciate it. 

-Reza



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Per-Erik Persson
I might be flamed for this statement but not being able to run inside a 
virtualized environment is not an option in the future.
Most servers you can buy today are too powerful for only taking care of 
one task.
It is really handy to be able to shuffle around the CPUs to the 
virtual machine that needs them at the moment.


OpenBSD is much too powerful to be used only on Soekris and WRAP boxes as 
a firewall for the home user.
If OpenBSD doesn't adapt to the virtualization trend it will be used only 
as an obscure firewall box.


If I need to run linux as Dom0 to be able to put most of my OpenBSD 
machines into one single box (well, two actually if you want failover, and 
that you probably want), the security sacrifice is OK to me, at least 
knowing that the alternative is to not run OpenBSD at all, since I would 
need too many machines and too much electricity, and it would force me to 
build a new server room.


The firewall and the KDC will probably not be virtualized yet, but 
everything else will soon be.


Luca Corti wrote:


> On Tue, 2007-10-23 at 01:11 +0200, ropers wrote:
>> unavoidable. The question is, is that a worthwhile trade-off? Is this
>> a reason not to support Xen? Or should the user be given that option
>> regardless of the inherent limitations and consequences?
>
> A proper Dom0 port of XEN to OpenBSD would solve this by removing the
> linux dependency. However this would probably require a significant
> effort on OpenBSD side and a XEN Hypervisor code audit.
>
> Also from earlier discussion on the list it seems this kind of
> virtualization may impact on security, which is in direct contrast with
> OpenBSD goals. Can someone elaborate more on this?
>
> ciao
>
> Luca




OSS audio drivers

2007-10-23 Thread Jan Stary
Hi all,

this is to clarify (for me, anyway) the status of
audio drivers present in the (recently GPLed) OSS.
http://www.opensound.com/osshw.html

What is the relation of OpenBSD's audio drivers to the OSS project?
What, if anything, does opensourcing (GPL, I know) their code mean for
our audio drivers? In particular, does that mean (future) support for
the high-end soundcards such as M-Audio Delta?

Thanks

Jan



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Lars Noodén
Per-Erik Persson wrote:
> ... not being able to run inside a
> virtualized environment is not an option in the future.

Virtualization is available already.  See the package qemu.
http://www.openbsd.org/4.1_packages/

Or are you aiming for Xen specifically?

Keep in mind that the most significant opponent to OpenBSD now has
influence if not control over Xen:
http://www.theregister.co.uk/2006/07/18/ms_xen_partner/

Xen's developer and management time will be burned up with no result.

No business that I am aware of has yet survived such a partnership.
It'd be a first if XenSource were to break the record.

-Lars



Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Clint Pachl
What is the most efficient and secure way to keep the clocks of 
servers on a network in sync?


Because OpenNTPD was designed with security in mind from the start, I 
was thinking about using ntpd only on all systems. One system would get 
time from the NTP pool and all other servers on the network would sync 
to the local server. Is this the best way?


Then I discovered timed. Does anybody use it? Is it as secure? What are 
the (dis)advantages/differences compared to ntpd?


I was reading timed(8) and it states the following:

One way to synchronize a group of machines is to use an NTP daemon to 
synchronize the clock of one machine to a distant standard or a radio 
receiver and -F hostname to tell its timed daemon to trust only itself.


I assume that all the other machines on the network would run timed only?

How do you guys keep your clocks in sync?

-pachl



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Lars Hansson
On 10/23/07, Per-Erik Persson [EMAIL PROTECTED] wrote:
> I might be flamed for this statement but not being able to run inside a
> virtualized environment is not an option in the future.

The future is not now, no-one is saying OpenBSD will never run in a
virtualized environment.

> Most servers you can buy today are to powerful for only taking care of
> one task.

You know that one machine can perform more than one task even without
virtualization, right?

> If OpenBSD doesn't adopt to the virtualization trend it will used only
> as an obscure firewall box.

Or perhaps future (better) virtualizations won't require special OS
support. Xen is not the be-all and end-all.

---
Lars Hansson



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Christian Weisgerber
Clint Pachl [EMAIL PROTECTED] wrote:

> I was thinking about using ntpd only on all systems. One system would get 
> time from the NTP pool

... or from a time signal sensor...

> and all other servers on the network would sync 
> to the local server. Is this the best way?

Yes.

> Then I discovered timed.

Ancient cruft.  It will be deleted from the tree eventually.

-- 
Christian "naddy" Weisgerber  [EMAIL PROTECTED]



Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?

2007-10-23 Thread Henning Brauer
* Tony Sarendal [EMAIL PROTECTED] [2007-10-22 18:33]:
> I didn't get that opinion from marketing.
> No matter, we disagree, lets leave it at that.

well, yeah, nonetheless, I wanna point out the essence why stateful is 
better (the way we do it in OpenBSD):

1) it moves the limit where the box starts to suffer from overload quite 
   far, or, in other words, the box can handle a much larger amount of 
   traffic before it starts to drop stuff. thus it can withstand bigger 
   amounts of (D)DoS too.
2) once it gets to that point, it is more selective in dropping packets 
   than a stateless box, as it prefers established connections. this 
   behaviour cannot be valued enough in (D)DoS type of situations.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-23 Thread Henning Brauer
* Brian [EMAIL PROTECTED] [2007-10-22 20:39]:
> Joshua Smith wrote:
>> Out of curiosity what are these two extremely rare cases?
> [snip]
>
> One example off the top of my head (and ipsec.conf(5)) is the enc0
> interface.  You wouldn't set your state-policy to this, but each
> individual rule would use if-bound to prevent traffic from going out
> your egress when an IPsec SA is removed/expires before the state is
> removed/expires (think isakmpd and the various reasons an SA can disappear).

that is indeed one case. whether you really want if-bound for ipsec or not 
depends on the setup, you have to think it through on a case-by-case 
basis.

the other case is so bizarre that I forgot the details. basically a 
case where a packet goes through the stack 3 times instead of 2 with the 
normal forwarding. I think you could trigger that with very very very 
very very strange use of the evil route-to (which should be avoided 
wherever possible in the first place).

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Henning Brauer
* carlopmart [EMAIL PROTECTED] [2007-10-23 09:13]:
> IMHO I think that OpenBSD needs to capable to install and run as a 
> paravirtualized domU guest, with some limitations if you like.
>
> Last year I have do the same question. Then it was said that only needed 
> NetBSD do the xen port, and from there just enough to carry to OpenBSD. The 
> reality is that NetBSD long ago that can be installed and run as domU and 
> OpenBSD not.
>
> And my question is why??

easy: nobody has done the work.

I don't know how far Christoph's efforts went really - but it really 
comes down to somebody sitting down, doing the porting work in a 
clean manner, showing dedication, willingness and ability to keep 
supporting it in future. that simple.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Lars Noodén
Per-Erik Persson wrote:
> To get the best performance out of qemu you need to run linux.

I'm no expert in virtualization, but may I ask if you are remembering to
use kqemu?

There is also VirtualBox.
http://www.virtualbox.org/
It may or may not run on an OpenBSD host, but does run OpenBSD as a
guest according to the web site.

> At least on my machines qemu is dead slow.
> I was hoping xen would perform better together with openbsd, however I
> get a little bit worried when I google openbsd+xen
> Mostly get dead links.

Furthermore, it seems that XenSource has been sold off to Citrix, makers
of that steaming pile of crap known as Citrix:
http://www.citrixxenserver.com/Pages/default.aspx

That bodes very, very, very ill for the product.
Citrix, IMHO, will make sure that Xen will be poor at hosting non-MS
tools and will be unported from OSS hosts.
If we are lucky, the developers will leave / have left and will fork the
code.

> Xen seems to be leading the virtualization trend right now,

If you had written that a year and a half ago, I would have agreed.  Xen
was good a while back.  However, here is another article on the same topic:

http://www.theregister.co.uk/2006/07/20/ms_xen_love/page2.html

    It's a one-way street that favors Microsoft and
    Windows running Linux. The arrangement will allow Linux
    to run on future Microsoft hypervisors through translated
    calls to the hypervisor when Windows is controlling the
    hardware, but not the other way around; i.e. there is no
    mention of Longhorn optimizations or 'enlightenments'
    being ported to Xen or licensed to XenSource to enable a
    Xen hypervisor to run full optimizations with Longhorn
    OS.

Granted that quote is from a competitor (VMware, which seems to be a
broken linux kernel) but MS has 'partnered' with XenSource and we know
what the ultimate results will be.

The choices narrow.
Can kqemu be compiled for OBSD?  Is virtualbox an option?

Regards
-Lars



Re: Update features on PF(OpenBSD4.2)

2007-10-23 Thread Henning Brauer
* Beavis [EMAIL PROTECTED] [2007-10-22 18:29]:
> hi folks,
>
> I saw this performance issue with pf on a AMD64firewall: below is the link
>
> http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html
>
> it states that pf on 4.2 performs much better than in 4.1. having said
> this, is it possible to be able to just update pf's feature instead of
> going through the entire OS upgrade? since im really going after the
> features of pf, and happy with how 4.1 is.
>
>
> any comments are awesomely appreciated.

yes, excellent idea, that is exactly what you should do! Instead of 
doing the boring, pretty riskless 10 minutes taking 4.2 upgrade everybody 
could easily do, you should figure out which files are pf, update them, 
figure out that the kernel doesn't build because of changes through the 
network stack, patch for a week or two until you have a kernel that 
builds, figure out pfctl, netstat and friends don't work, another 
week...

a bit (about when these boring wackos that just upgrade install 4.3) 
later when you have a kernel that boots and a userland that seems to 
work with it, you have a totally unique system! nobody else is running 
that!

ok, nobody else sees the crashes you do, but hey, they're all boring 
wackos.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Henning Brauer
* Clint Pachl [EMAIL PROTECTED] [2007-10-23 12:55]:
> Because OpenNTPD was designed with security in mind from the start, I was 
> thinking about using ntpd only on all systems. One system would get time 
> from the NTP pool and all other servers on the network would sync to the 
> local server. Is this the best way?

yep.

> Then I discovered timed. Does anybody use it? Is it as secure? What are the 
> (dis)advantages/differences compared to ntpd?

I don't have the time or electrons to compile that list :)

in short, there is about zero value in timed for new installs. It is 
pretty much obsolete.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-23 Thread Claudio Jeker
On Tue, Oct 23, 2007 at 02:10:43PM +0200, Henning Brauer wrote:
> * Brian [EMAIL PROTECTED] [2007-10-22 20:39]:
>> Joshua Smith wrote:
>>> Out of curiosity what are these two extremely rare cases?
>> [snip]
>>
>> One example off the top of my head (and ipsec.conf(5)) is the enc0
>> interface.  You wouldn't set your state-policy to this, but each
>> individual rule would use if-bound to prevent traffic from going out
>> your egress when an IPsec SA is removed/expires before the state is
>> removed/expires (think isakmpd and the various reasons an SA can disappear).
>
> that is indeed one case. wether you really want ifbound for ipsec or not 
> depends on teh setup, you have to think it through on a case-by-case 
> basis.
>
> the otehr case is so bizarre that I forgot the details. basically a 
> case where a packet goes thru the stack 3 times instead of 2 with the 
> normal forwarding. I think you could trigger that with very very very 
> very very strange use of the evil route-to (which should be avoided 
> wherever possible in the first place).
>

Everything that moves through your stack multiple times needs if-bound
states or no states at all. I use multiple qemus with bridge(4) that show
the same problem and yes, this is a very bizarre setup.

The other case where you may need if-bound states is when doing NAT in a
multipath setup. This is another uncommon setup and you may get away with
non if-bound states.

-- 
:wq Claudio
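What the per-rule if-bound option looks like for the enc0 case Brian describes and Claudio generalizes, as an added pf.conf fragment, not configuration from the thread or from OpenBSD. The addresses are placeholders; the rule syntax is the OpenBSD 4.2 form of `keep state (if-bound)` and `set state-policy` discussed above.

```conf
# Default policy: states float across interfaces, which is what you want
# almost everywhere (this is also pf's default if the line is omitted).
set state-policy floating

block log all

# Traffic that arrived decrypted on enc0 gets an interface-bound state.
# With a floating state, packets of this flow could still match the state
# on the egress interface after the IPsec SA is gone; binding the state to
# enc0 means they fall through to "block" instead.  Placeholder networks.
pass in on enc0 proto tcp from 10.1.0.0/24 to 10.0.0.0/24 port 22 keep state (if-bound)
```

Keep the floating default and set if-bound on the few rules that need it, rather than switching the global policy, which is the point both Brian and Henning make: if-bound everywhere is the wrong trade for a normal forwarding setup.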



Re: OSS audio drivers

2007-10-23 Thread Edd Barrett
Hi,

On 23/10/2007, Jan Stary [EMAIL PROTECTED] wrote:
> Hi all,
>
> this is to clarify (for me, anyway) the status of
> audio drivers present in the (recently GPLed) OSS.
> http://www.opensound.com/osshw.html
>
> What is the relation of OpenBSD's audio drivers to the OSS project?
> What, if anything, does opensourcing (GPL, I know) their code mean for
> our audio drivers? In particular, does that mean (future) support for
> the high-end soundcards such as M-Audio Delta?

OpenBSD uses an implementation of the Sun audio system, which is a
different system to OSS altogether. I don't know where it came from,
it is probably not based upon any of Sun's code due to licensing.

As for the M-Audio Delta, not sure about that particular card, but I
have an M-Audio Mobile Pre (USB), which works fine under OpenBSD. I'm
not sure if that's an indication that M-Audio aim to support UNIX, or
just a coincidence. Try dropping them an email?

In all fairness, you would be better off using a nice piece of kit
like that on Windows or MacOSX (/me ducks), because the audio editors
for NIX are slightly limited in comparison to say Cubase or Pro-tools.

Thanks

-- 
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: Update features on PF(OpenBSD4.2)

2007-10-23 Thread Peter N. M. Hansteen
Henning Brauer [EMAIL PROTECTED] writes:

> doing teh boring, pretty riskless 10 minutes taking 4.2 upgrade everybody 
> could easily do, 

for some combinations of crappy old hardware, too small memory size
and nonsensically large filesystems it might stretch into 20-odd
minutes, but otherwise my sentiments exactly in the parts I've
snipped.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Systems, Oct 23 - 26, 2007, Munich, Germany

2007-10-23 Thread Wim Vandeputte
Hey,

as a reminder, you can visit the Systems expo this week in Munchen,
there is an OpenBSD/OpenSSH booth in Halle B2 110-2, run by DaN, Nikolay 
Sturm and Marco Pfatschbacher

There are of course 4.2 CDs and Tshirts, so if you did not pre-order,
this is the quickest way to get one this month.

Also, we need some helping hands for tomorrow, if somebody wants
to help out at the booth, mail me.

I'll not be able to attend

Wim.

-- 
   =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=   
https://kd85.com/notforsale.html
 --



Re: OSS audio drivers

2007-10-23 Thread Theo de Raadt
That code is not free enough for us to use, and therefore we don't
use it.

that's the whole story.

 this is to clarify (for me, anyway) the status of
 audio drivers present in the (recently GPLed) OSS.
 http://www.opensound.com/osshw.html
 
 What is the relation of OpenBSD's audio drivers to the OSS project?
 What, if anything, does opensourcing (GPL, I know) their code mean for
 our audio drivers? In particular, does that mean (future) support for
 the high-end soundcards such as M-Audio Delta?
 
   Thanks
 
   Jan



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Boris Goldberg
Hello Clint,

Tuesday, October 23, 2007, 5:42:47 AM, you wrote:

CP One  system  would  get time from the NTP pool and all other servers on
CP the network would sync to the local server.

  You  don't  really  need ntpd on all systems. One (timeserver) runs ntpd,
and others use rdate, called from cron (once a day is usually enough).

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: OSS audio drivers

2007-10-23 Thread Jan Stary
  What is the relation of OpenBSD's audio drivers to the OSS project?
  What, if anything, does opensourcing (GPL, I know) their code mean for
  our audio drivers? In particular, does that mean (future) support for
  the high-end soundcards such as M-Audio Delta?
 
 OpenBSD uses an implementation of the Sun audio system, which is a
 different system to OSS altogether. I don't know where it came from,
 it is probably not based upon any of sun's code due to licensing.

Thanks, that explains it for me.

 As for the M-audio Delta, not sure about that particular card, but I
 have a M-audio mobile pre (usb), which works fine under OpenBSD.

Which underlying hardware driver does it use?

 I'm not sure if that's an indication that M-audio aim to support UNIX,
 or just a coincidence. Try dropping them an email?

Looks like the only UNIX support they do is have an NDA with OSS, who
have drivers for the better M-Audio cards (and RME Hammerfall) in
their binary, nonfree drivers ...

 In all fairness, you would be better off using a nice piece of kit
 like that on Windows or MacOSX (/me ducks),

(take off your glasses and step outside, hombre)

 because the audio editors for NIX are slightly limited
 in comparison to say Cubase or Pro-tools.

True, but that's way over the level I need. Nowadays, I do my audio
work on FreeBSD using sox, ecasound, snd, and ardour - just curious
about migrating this to OpenBSD.

Thanks

Jan



writing non-ascii characters via SSH

2007-10-23 Thread Juan Miscaro
{ this is a resend }


I am currently experiencing difficulty in writing text files containing
French characters on my OpenBSD 4.0 server via SSH.

On both the FreeBSD client system and on the OpenBSD server system I
have the following: 

~/.profile:

export LANG=C
export LC_CTYPE=fr_CA.ISO8859-1
export LC_COLLATE=fr_CA.ISO8859-1

~/.inputrc:

set convert-meta Off
set editing-mode emacs
set input-meta On   
set output-meta On

Note that I am contacting the FreeBSD system from a Ubuntu Linux box.

On that system I have the same ~/.inputrc file but instead of
~/.profile I am using ~/.bashrc:

export LANG=C
export LC_CTYPE=fr_CA.ISO8859-1
export LC_COLLATE=fr_CA.ISO8859-1

All three users are using the bash shell.

The accented characters (ex: i) end up as question marks.

// juan





Re: OSS audio drivers

2007-10-23 Thread Edd Barrett
On 23/10/2007, Jan Stary [EMAIL PROTECTED] wrote:
 Which underlying hardware driver does it use?

uaudio

-- 
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Rogier Krieger
On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
 You  don't  really  need ntpd on all systems. One (timeserver) runs ntpd,
 and others use rdate, called from cron (once a day is usually enough).

While your suggestion would work, it would also entail more work
without adding benefit. Upon install, you get the question of whether
you want to use ntpd. Starting with 4.2, it even asks for a specific
NTP server.

Using ntpd gets you better synchronisation without the need of setting
something up with cron. Rdate will work, but the work developers put
into (further integrating) ntpd makes rdate appear rather ...
outdated.

Cheers,

Rogier

-- 
If you don't know where you're going, any road will get you there.



NextG networking

2007-10-23 Thread Andrew Dalgleish
I've put up some notes about NextG networking on OpenBSD at
http://www.ajd.net.au/nextg/openbsd.html
including a kernel patch to suit ZTE handsets which will probably work
with other Qualcomm-based handsets.

Regards,
Andrew Dalgleish



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Chris Kuethe
On 10/23/07, Rogier Krieger [EMAIL PROTECTED] wrote:
 Using ntpd gets you better synchronisation without the need of setting
 something up with cron. Rdate will work, but the work developers put
 into (further integrating) ntpd makes rdate appear rather ...
 outdated.

Rdate provides a single valuable service: the ability to poll a device
to see what time it thinks it is (ie. probing the health of my time
servers).

For everything else, i just let openntpd take care of it.

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Henning Brauer
* Boris Goldberg [EMAIL PROTECTED] [2007-10-23 15:50]:
 CP One  system  would  get time from the NTP pool and all other servers on
 CP the network would sync to the local server.
   You  don't  really  need ntpd on all systems. One (timeserver) runs ntpd,
 and others use rdate, called from cron (once a day is usually enough).

that is bad advice.
it is not only much more work to set up, it also doesn't remotely yield 
the same results. ntpd is much much better, since it doesn't rely on a 
single answer from some server to set the clock, and because it adjusts 
the clock frequency over time.
there is not much point in using rdate at all.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam
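The thread contrasts a one-shot rdate sample with ntpd's continuing measurement, and Chris Kuethe notes that polling a server to see what time it thinks it is makes a useful health probe. The following is an added example written for this page, not OpenNTPD or rdate code: it builds an SNTP request, validates the reply the way a careful client should (mode, leap indicator, stratum, non-zero Transmit Timestamp, and that the Originate Timestamp echoes what we sent, so an unsolicited packet is rejected), and computes the RFC 4330 offset and round-trip delay from the four timestamps. The server side is simulated in-process with constructed timestamps so the exchange runs offline; the thresholds in `server_healthy` and the upstream reference address 192.0.2.1 are assumptions.

```python
"""SNTP offset/delay measurement plus a time-server health check (RFC 4330).

Added example for this thread, not OpenNTPD or rdate code.  Every
timestamp is constructed and the server is simulated in-process, so the
exchange runs offline; a real client would send build_client_packet()
over UDP port 123 and hand the reply to parse_reply().
"""
import struct

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 to 1970-01-01
PACKET_FMT = "!BBbbIII4Q"           # 48-byte NTP header, network byte order
CONSTRUCTED_UPSTREAM = bytes([192, 0, 2, 1])   # assumed reference id (TEST-NET-1)


def to_ntp(unix_ts):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_ts)
    frac = min(int(round((unix_ts - whole) * (1 << 32))), (1 << 32) - 1)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_client_packet(transmit_unix):
    """NTPv4 client request (LI=0, VN=4, mode=3); only Transmit Timestamp is set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, to_ntp(transmit_unix))


def simulate_server_reply(request, recv_unix, xmit_unix, stratum=2):
    """Stand-in for a real server: echoes the client's Transmit Timestamp as
    Originate and fills Receive/Transmit from the (simulated) server clock."""
    client_xmit = struct.unpack(PACKET_FMT, request)[10]
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # mode 4 = server reply
    ref_id = struct.unpack("!I", CONSTRUCTED_UPSTREAM)[0]
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       to_ntp(recv_unix),    # reference: last sync, approximated
                       client_xmit,          # originate
                       to_ntp(recv_unix),    # receive
                       to_ntp(xmit_unix))    # transmit


def parse_reply(reply, sent_unix, dest_unix):
    """Validate a reply and return (offset, delay, stratum); offset/delay in seconds.

    Raises ValueError for anything a client should not act on: a short packet,
    a non-server mode, an unsynchronized server (LI=3), a kiss-o'-death or
    out-of-range stratum, a zero Transmit Timestamp, or an Originate Timestamp
    that does not match what we sent (a reply we did not ask for).
    """
    if len(reply) < 48:
        raise ValueError("short packet")
    f = struct.unpack(PACKET_FMT, reply[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    orig_ts, recv_ts, xmit_ts = f[8], f[9], f[10]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3:
        raise ValueError("server clock not synchronized")
    if stratum == 0 or stratum > 15:
        raise ValueError("unusable stratum %d" % stratum)
    if xmit_ts == 0:
        raise ValueError("zero transmit timestamp")
    t1, t4 = to_ntp(sent_unix), to_ntp(dest_unix)
    if orig_ts != t1:
        raise ValueError("originate timestamp does not match our request")
    # RFC 4330 section 5: t1 = client send, t2 = server receive,
    # t3 = server send, t4 = client receive.  Computed in fixed point so the
    # small differences are exact, then scaled to seconds.
    offset = ((recv_ts - t1) + (xmit_ts - t4)) / 2 / (1 << 32)
    delay = ((t4 - t1) - (xmit_ts - recv_ts)) / (1 << 32)
    return offset, delay, stratum


def server_healthy(offset, delay, stratum, max_offset=0.128, max_delay=1.0, max_stratum=4):
    """Monitoring check: does the server agree with our clock within bounds,
    answer promptly, and sit close enough to a reference clock?  Thresholds
    are assumed values, not anything from the thread."""
    return abs(offset) <= max_offset and delay <= max_delay and stratum <= max_stratum


def measure(client_skew=0.0, one_way=0.020, processing=0.001, stratum=2):
    """One constructed exchange.  client_skew is how far the client's clock
    runs ahead of the server's; one_way and processing are path and server
    delays in seconds."""
    true_send = 1193136000.0                    # constructed: 2007-10-23 10:40:00 UTC
    t1 = true_send + client_skew                # client clock when request leaves
    recv = true_send + one_way                  # server clock on receipt
    xmit = recv + processing                    # server clock when reply leaves
    t4 = xmit + one_way + client_skew           # client clock when reply arrives
    reply = simulate_server_reply(build_client_packet(t1), recv, xmit, stratum)
    return parse_reply(reply, t1, t4)


if __name__ == "__main__":
    off, dly, st = measure(client_skew=0.5)
    print("offset %+.4f s, delay %.4f s, stratum %d, healthy=%s"
          % (off, dly, st, server_healthy(off, dly, st)))
```

A single sample's offset estimate absorbs whatever asymmetry the path delay has, so the reported delay bounds the error of setting the clock from one answer; a daemon that keeps sampling and steers the clock frequency, as Henning describes, is what averages that out.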



Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?

2007-10-23 Thread Tony Sarendal
On 10/23/07, Henning Brauer [EMAIL PROTECTED] wrote:

 * Tony Sarendal [EMAIL PROTECTED] [2007-10-22 18:33]:
  I didn't get that opinion from marketing.
  No matter, we disagree, lets leave it at that.

 well, yeah, nonetheless, I wanna point out the essence why stateful is
 better (the way we do it in OpenBSD):

 1) it moves the limit where the box starts to suffer from overload quite
far, or, in other words, the box can handle a much larger amount of
traffic before it starts to drop stuff. thus it can withstand bigger
amounts of (D)DoS too.
 2) once it gets to that point, it is more selective in dropping packets
than a stateless box, as it prefers established connections. this
behaviour cannot be valued enough in (D)DoS type of situations.


I wish to implement things in a way where the link is the limitation,
not the box. But there is no point in re-doing that discussion.

When I have some time free I'll test it in the lab to see that difference in
behaviour. Any ideas of when you will get around to handling asymmetric
traffic in a stateful way ?

/Tony



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Jon Radel
Christian Weisgerber wrote:
 Clint Pachl [EMAIL PROTECTED] wrote:
 
 I was thinking about using ntpd only on all systems. One system would get 
 time from the NTP pool
 
 ... or from a time signal sensor...
 
 and all other servers on the network would sync 
 to the local server. Is this the best way?
 
 Yes.

Depending on how many machines you have and how much you care about your
time, best practice is more likely to be to have 2 or 3 servers likely
to be up 7x24 use outside time sources and then have all internal
machines use those 2 or 3 servers as their source.  It's so easy to
remove single points of failure in this case that you might as well do so.

--Jon Radel




Kernel crash after connecting NIC

2007-10-23 Thread Frans Haarman
This happened after connecting a network interface! It was previously
connected to a HP Switch, I moved the cable to a LAN port on a Cisco
PIX 501. The crash was almost instant I think.

It happened in a test lab I am setting up. So probably some config
error on my side, but still


I typed the ddb trace over from the screen, don't hold me to it.


kernel: page fault trap, code =0
STopped at bge_encap+0xfd: movw 0x21e(%edx),%ax
ddb

bge_encap(d190d000,d7aa0800,d08d5dcc,0) at bge_encap+0xfd
bge_encap(d190d030,d08d5df4,d02023c9,30) at bge_start+0x81
bgep_initr(d190d000) at bge_intr+0xe1
Xrecurse_legacy5() at Xrecurse_legacy5+0xad
--- interrupt ---
amp_cpu_idle(c0,d0799260,7fff,d033641b) at amp_cpu_idle+0x42
idle_loop(d08d5f00,4,d08d5f18,d0333706,d08d5f00)
sleep_finish(d08d5f00,1,4,d06a1b8c,0) at sleep_finish+0x4d
tsleep(d0799260,4,d06a1b8c,0) at tsleep+0x7a
uvm_scheduler(d079923c,3,0,d0658570,2) at uvm_scheduler+0x1b
main(0,0,0,0,0) at main+0x70f


bgp02# cat aftercrash.dmesg
OpenBSD 4.2-current (GENERIC) #405: Thu Sep 13 16:06:09 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.00GHz (GenuineIntel 686-class) 3.01 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem  = 1073258496 (1023MB)
avail mem = 1030098944 (982MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @
0xf, SMBIOS rev. 2.3 @ 0xec000 (73 entries)
bios0: vendor HP version P54 date 02/14/2006
bios0: HP ProLiant DL360 G4p
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI BIOS has 7 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 6300ESB LPC rev 0x00)
pcibios0: PCI bus #13 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x3600! 0xcb600/0x1600 0xee000/0x2000!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7520 MCH rev 0x0c
ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0c
pci1 at ppb0 bus 13
ppb1 at pci0 dev 4 function 0 Intel MCH PCIE rev 0x0c
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 7
ppb3 at pci2 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci4 at ppb3 bus 10
ppb4 at pci0 dev 6 function 0 Intel MCH PCIE rev 0x0c
pci5 at ppb4 bus 3
ppb5 at pci0 dev 28 function 0 Intel 6300ESB PCIX rev 0x02
pci6 at ppb5 bus 2
bge0 at pci6 dev 2 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0
(0x2100): irq 5, address 00:18:fe:30:f7:08
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci6 dev 2 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0
(0x2100): irq 5, address 00:18:fe:30:f7:07
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 6300ESB USB rev 0x02: irq 5
uhci1 at pci0 dev 29 function 1 Intel 6300ESB USB rev 0x02: irq 5
Intel 6300ESB WDT rev 0x02 at pci0 dev 29 function 4 not configured
Intel 6300ESB APIC rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 Intel 6300ESB USB rev 0x02: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x0a
pci7 at ppb6 bus 1
vga1 at pci7 dev 3 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Compaq iLO rev 0x01 at pci7 dev 4 function 0 not configured
Compaq iLO rev 0x01 at pci7 dev 4 function 2 not configured
ichpcib0 at pci0 dev 31 function 0 Intel 6300ESB LPC rev 0x02:
24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 6300ESB IDE rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 6300ESB SATA rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 7 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: ST3250624AS
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: ST3250624AS
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by 

Re: NextG networking

2007-10-23 Thread Jonathan Gray
On Wed, Oct 24, 2007 at 12:18:36AM +1000, Andrew Dalgleish wrote:
 I've put up some notes about NextG networking on OpenBSD at
 http://www.ajd.net.au/nextg/openbsd.html
 including a kernel patch to suit ZTE handsets which will probably work
 with other Qualcomm-based handsets.
 
 Regards,
 Andrew Dalgleish

Do the ZTE phones need both device additions to umsm?

You should not mix vendor/product like that, edit
usbdevs not a generated file, like below.

And these quirks are for umodem not umsm, which device
is being attached?

Index: usbdevs
===
RCS file: /cvs/src/sys/dev/usb/usbdevs,v
retrieving revision 1.305
diff -u -p -r1.305 usbdevs
--- usbdevs 22 Oct 2007 19:37:28 -  1.305
+++ usbdevs 23 Oct 2007 14:44:58 -
@@ -1935,6 +1935,7 @@ product QTRONIX 980N  0x2011  Scorpion-98
 
 /* Qualcomm products */
 product QUALCOMM MSM_MODEM 0x3196  CDMA MSM modem
+product QUALCOMM MSM_PHONE_2   0x6000  CDMA MSM phone
 product QUALCOMM2 MSM_PHONE0x6000  CDMA MSM phone
 product QUALCOMM MSM_HSDPA 0x6613  HSDPA MSM
 
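Review bot: the new `product QUALCOMM MSM_PHONE_2 0x6000 CDMA MSM phone` line reuses the description of the `QUALCOMM2 MSM_PHONE` entry directly below it, so the two devices become indistinguishable in dmesg output; give it a description that names the handset family it was added for. Also, as the reply itself points out, usbdevs.h and usbdevs_data.h are generated from this file and are not part of the diff, so they need to be regenerated before the umsm.c and usb_quirks.c hunks compile.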
Index: umsm.c
===
RCS file: /cvs/src/sys/dev/usb/umsm.c,v
retrieving revision 1.17
diff -u -p -r1.17 umsm.c
--- umsm.c  11 Oct 2007 18:33:15 -  1.17
+++ umsm.c  23 Oct 2007 14:44:58 -
@@ -65,6 +65,7 @@ static const struct usb_devno umsm_devs[
{ USB_VENDOR_NOVATEL,   USB_PRODUCT_NOVATEL_XU870 },
{ USB_VENDOR_NOVATEL,   USB_PRODUCT_NOVATEL_ES620 },
{ USB_VENDOR_QUALCOMM,  USB_PRODUCT_QUALCOMM_MSM_HSDPA },
+   { USB_VENDOR_QUALCOMM,  USB_PRODUCT_QUALCOMM_MSM_PHONE_2 },
{ USB_VENDOR_SIERRA,USB_PRODUCT_SIERRA_EM5625 },
{ USB_VENDOR_SIERRA,USB_PRODUCT_SIERRA_AIRCARD_580 },
{ USB_VENDOR_SIERRA,USB_PRODUCT_SIERRA_AIRCARD_595 },
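Review bot: this adds USB_PRODUCT_QUALCOMM_MSM_PHONE_2 to umsm_devs while the usb_quirks.c hunk of the same diff marks the same vendor/product with UQ_ASSUME_CM_OVER_DATA, which the reply says is a umodem quirk, not a umsm one; a device listed in both tables is claimed by whichever driver matches first, so confirm which driver is meant to attach before both entries go in, and keep only that one.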
Index: usb_quirks.c
===
RCS file: /cvs/src/sys/dev/usb/usb_quirks.c,v
retrieving revision 1.30
diff -u -p -r1.30 usb_quirks.c
--- usb_quirks.c28 Aug 2007 09:45:46 -  1.30
+++ usb_quirks.c23 Oct 2007 14:44:58 -
@@ -97,6 +97,8 @@ const struct usbd_quirk_entry {
ANY, { UQ_ASSUME_CM_OVER_DATA }},
  { USB_VENDOR_QUALCOMM, USB_PRODUCT_QUALCOMM_MSM_MODEM,
ANY, { UQ_ASSUME_CM_OVER_DATA }},
+ { USB_VENDOR_QUALCOMM, USB_PRODUCT_QUALCOMM_MSM_PHONE_2,
+   ANY, { UQ_ASSUME_CM_OVER_DATA }},
  { USB_VENDOR_QUALCOMM2, USB_PRODUCT_QUALCOMM2_MSM_PHONE,
ANY, { UQ_ASSUME_CM_OVER_DATA }},
  { USB_VENDOR_SUNTAC, USB_PRODUCT_SUNTAC_AS64LX,
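Review bot: the added UQ_ASSUME_CM_OVER_DATA entry for QUALCOMM MSM_PHONE_2 mirrors the QUALCOMM2 MSM_PHONE entry that follows it, differing only in vendor, and this quirk is consumed by umodem as the reply states; if umsm is the intended driver for these handsets this hunk is unnecessary, and if umodem is, the umsm.c hunk is. Drop whichever does not apply once the attaching driver is known.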



gpio support on ALIX board

2007-10-23 Thread Martin Hedenfalk

Hello list,

Is anyone working on getting the gpio pins supported on the PCEngines  
ALIX boards?
I'd like to be able to control the LEDs using gpioctl, just like on  
the WRAP.


-martin



Re: Installing the latest snapshot freezes on i386

2007-10-23 Thread Brian A Seklecki (Mobile)
On Tue, 2007-10-23 at 01:42 -0700, Reza Muhammad wrote:
 Hi all,
 
 I just recently purchased a brand new HP Pavilion
 G3035L Desktop PC (spec:
 http://www.anugrahpratama.com/product/21/1092/HP-Pavilion-G3035L-Desktop-PC).
  It's using Intel Core Duo processor.  I tried to
 install OpenBSD's latest snapshot to this machine last
 night.  The thing is it freezes and it wouldn't
 install.   Here's the messages I got from my screen:

Try interrupting boot and booting into the real-time kernel config 

[OpenBSD banner]
boot> boot -c

ukc> verbose
ukc> enable acpi0
ukc> disable apm0
ukc> exit

~BAS

 ehci0: timed out waiting for BIOS
 usb0 at ehci0: USB revision 2.0
 
 Does anyone know what the problem is?  Are some of the
 hardware aren't supported by OpenBSD? What should I do
 so this machine can run OpenBSD?
 
 Thanks for the help.  I appreciate it. 
 
 -Reza



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Boris Goldberg
Hello Rogier,

Tuesday, October 23, 2007, 9:01:32 AM, you wrote:

RK On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
 You  don't  really  need ntpd on all systems. One (timeserver) runs ntpd,
 and others use rdate, called from cron (once a day is usually enough).

RK While your suggestion would work, it would also entail more work
RK without adding benefit. Upon install, you get the question of whether
RK you want to use ntpd. Starting with 4.2, it even asks for a specific
RK NTP server.

  It's always better not to run a daemon if you don't have to. :)
  Talking about more work - I don't think that someone avoiding small
after  install  tuning  like  this  should  be taking care of any network
besides his home one. ;) Anyway, for the last five years no version of OBSD
(including  4.2) worked for me without tuning a kernel, so an extra line in
a crontab is nothing. :)

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?

2007-10-23 Thread Henning Brauer
* Tony Sarendal [EMAIL PROTECTED] [2007-10-23 17:06]:
 I wish to implement things in a way where the link is the limitation,
 not the box.

as I said before, you cannot buy a box that can handle 100M under all 
circumstances.

 When I have some time free I'll test it in the lab to see that difference in
 behaviour. Any ideas of when you will get around to handling asymmetric
 traffic in a stateful way ?

if you keep pestering me, quickly, i keep forgetting it :)
lose (or loose? i keep mixing up) it'll be

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread ropers
Hi Christoph,

Right now, on the OpenBSD misc mailing list, there is this discussion:
http://www.sigmasoft.com/~openbsd/archives/html/openbsd-misc/2007-10/threads.html#01149
about OpenBSD/Xen.

We last spoke last year, when I put your BSDtalk interview transcript
online at http://ropersonline.com/openbsd/xen .

It seems to me that most people on the misc mailing list currently are
not very aware of your OpenBSD Xen port. Could I possibly ask you to
participate in the discussion? I feel that you (and Theo) are the only
guys who can provide authoritative answers on the issue.

Some of the questions that I feel are unclear are:
- Was your porting work fully completed? IIRC it was, but please clarify.
- Is your port still being maintained? Can it be run with OpenBSD
-current or 4.2?
- It seems to me that your port didn't achieve wide recognition and
acclaim because of a lack of publicity.
- AFAIK your OpenBSD/Xen port code hasn't found its way into the
official OpenBSD distribution. Is this correct?
- Are there any reasons why your code didn't go into the official
OpenBSD distro? Was it lack of awareness? Have you ever talked to Theo
and/or other central OpenBSD people?
- Is there any hope that your port might still become part of the
official OpenBSD distribution?
(Theo: Could you possibly comment as well?)

I'd personally be very interested to see your port become part of the
official distribution, but I sadly can't code myself, so all I can do
is ask and hope. :)

Once again, thanks for your hard work. :)

Many thanks in advance and kind regards,
Jens Ropers



Re: OSS audio drivers

2007-10-23 Thread Jacob Meuser
On Tue, Oct 23, 2007 at 03:32:07PM +0200, Jan Stary wrote:
   What is the relation of OpenBSD's audio drivers to the OSS project?
   What, if anything, does opensourcing (GPL, I know) their code mean for
   our audio drivers? In particular, does that mean (future) support for
   the high-end soundcards such as M-Audio Delta?
  
  OpenBSD uses an implementation of the Sun audio system, which is a
  different system to OSS altogether. I don't know where it came from,
  it is probably not based upon any of sun's code due to licensing.
 
 Thanks, that explains it for me.

OpenBSD's audio system originally came from NetBSD.

  As for the M-audio Delta, not sure about that particular card, but I
  have a M-audio mobile pre (usb), which works fine under OpenBSD.
 
 Which underlying hardware driver does it use?

uaudio.  the nice thing about uaudio is that it's based on a
standard.  uaudio is not a 100% complete implementation of USB
audio, but it is still being worked on.

  I'm not sure if that's an indication that M-audio aim to support UNIX,
  or just a coincidence. Try dropping them an email?
 
 Looks like the only UNIX support they do is have an NDA with OSS, who
 have drivers for the better M-Audio cards (and RME Hammerfall) in
 their binary, nonfree drivers ...
 
  In all fairness, you would be better off using a nice piece of kit
  like that on Windows or MacOSX (/me ducks),
 
 (take off your glasses and step outside, hombre)
 
  because the audio editors for NIX are slightly limited
  in comparison to say Cubase or Pro-tools.
 
 True, but that's way over the level I need. Nowadays, I do my audio
 work on FreeBSD using sox, ecasound, snd, and ardour - just curious
 about migrating this to OpenBSD.

there is no Jack port for audio(4), so ardour is out.  I have a partially
working snd port, and ecasound looks doable.  you may want to consider
using audacity.  I also have a partly working pd port, if anyone is
interested in that.

note, OpenBSD does have an OSS compatibility library.  but until
recently, it (and audio(4) too, really) suffered from bugs that made
it less than ideal (practically unusable) for recording/audio
production.

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Rogier Krieger
On 10/23/07, Chris Kuethe [EMAIL PROTECTED] wrote:
 Rdate provides a single valuable service: the ability to poll a device
 to see what time it thinks it is (ie. probing the health of my time servers).

Good point; I should probably add that to my monitoring setup.

Thanks for the suggestion,

Rogier.

-- 
If you don't know where you're going, any road will get you there.



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Ted Unangst
On 10/23/07, Per-Erik Persson [EMAIL PROTECTED] wrote:
 If OpenBSD doesn't adopt to the virtualization trend it will used only
 as an obscure firewall box.

people have been saying if openbsd doesn't do what i want it will
only be used as an obscure firewall box for years.  what else is new?



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Rogier Krieger
On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
   It's always better not to run a daemon if you don't have to. :)

That sort of remark has often started endless debates. :)

For me, trusting rdate to provide time or using ntpd for it is pretty
much the same, but feel free to disagree. There are no risk-free
activities.

In my book, ntpd gets the job done with less administrative work and
it's made by the same people I trust to provide me with a sensible and
secure system.


   Talking about more work

If using site.tgz this sort of thing is rather a moot point.


 Anyway, for the last five years no version of OBSD (including  4.2) worked for
 me without tuning a kernel, so an extra line in a crontab is nothing. :)

If you haven't already, it might be wise to track the issue and report
it. Most of my things requiring post-install kernel config got fixed
over the next release, so I'm a happy camper.

Cheers,

Rogier

-- 
If you don't know where you're going, any road will get you there.



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Pierre-Yves Ritschard
Boris Goldberg [EMAIL PROTECTED] wrote:
 Hello Rogier,
 
 Tuesday, October 23, 2007, 9:01:32 AM, you wrote:
 
 RK On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
  You  don't  really  need ntpd on all systems. One (timeserver)
  runs ntpd, and others use rdate, called from cron (once a day is
  usually enough).
 
 RK While your suggestion would work, it would also entail more work
 RK without adding benefit. Upon install, you get the question of
 RK whether you want to use ntpd. Starting with 4.2, it even asks for
 RK a specific NTP server.
 
   It's always better not to run a daemon if you don't have to. :)
   Talking about more work - I don't think that someone avoiding
 small after  install  tuning  like  this  should  be taking care of
 any network besides his home one. ;) Anyway, for the last five years
 no version of OBSD (including  4.2) worked for me without tuning a
 kernel, so an extra line in a crontab is nothing. :)
 
I hope nobody takes what you say seriously. Running rdate instead of
ntpd like you describe is wrong for many reasons which have been stated
over and over in the last few years. Please do not spread wrong
information around, and do your homework before giving others advice
on what you think is good sysadmin practice.



Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?

2007-10-23 Thread ropers
On 23/10/2007, Tony Sarendal [EMAIL PROTECTED] wrote:
 On 10/23/07, Henning Brauer [EMAIL PROTECTED] wrote:
 
  * Tony Sarendal [EMAIL PROTECTED] [2007-10-22 18:33]:
   I didn't get that opinion from marketing.
   No matter, we disagree, lets leave it at that.
 
  well, yeah, nonetheless, I wanna point out the essence why stateful is
  better (the way we do it in OpenBSD):
 
  1) it moves the limit where the box starts to suffer from overload quite
 far, or, in other words, the box can handle a much larger amount of
 traffic before it starts to drop stuff. thus it can withstand bigger
 amounts of (D)DoS too.
  2) once it gets to that point, it is more selective in dropping packets
 than a stateless box, as it prefers established connections. this
 behaviour cannot be valued enough in (D)DoS type of situations.


 I wish to implement things in a way where the link is the limitation,
 not the box. But there is no point in re-doing that discussion.

 When I have some time free I'll test it in the lab to see that difference in
 behaviour.

I know very little, but I would like to note that some providers (
http://www.rayservers.com/ddos-protection ) deploy OpenBSD with the
express purpose of offering dDoS protection. That has to count for
something.

OTOH, Henning's word alone would be enough for me, because AFAIK
Henning wrote actual pertinent code and knows darn friggin well what
he's talking about. Did you contribute as much code to OpenBSD/pf as
Henning? Are you sure your understanding is deeper than his? (No
offense, by the way, all in good humour.)

Cheerio,
--ropers



Re: OSS audio drivers

2007-10-23 Thread Alexandre Ratchov
On Tue, Oct 23, 2007 at 12:25:03PM +0200, Jan Stary wrote:
 
 What is the relation of OpenBSD's audio drivers to the OSS project?
 What, if anything, does opensourcing (GPL, I know) their code mean for
 our audio drivers? In particular, does that mean (future) support for
 the high-end soundcards such as M-Audio Delta?
 

There's work in progress on adding support for Delta cards (1010,
1010LT, 66, 44), and required features to make them usable (32bit
encodings, 12 channel capture, higher sample rate, etc...)

-- Alexandre



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread ropers
On 23/10/2007, Jeff Quast [EMAIL PROTECTED] wrote:
   On 22/10/2007, carlopmart [EMAIL PROTECTED] wrote:
Hi all,
   
I know that time to time somebody do the same question, but I need to
know it: is it planned at some point to release a paravirtualized xen 
kernel
for OpenBSD 4.3 or 4.4???

 yum

Sorry Jeff, I missed the above earlier on. Is that a yes? Does that
mean that Christoph's code has gone or is going into OpenBSD current?

Thanks and regards,
--ropers



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Boris Goldberg
Hello Pierre-Yves,

Tuesday, October 23, 2007, 11:39:10 AM, you wrote:

 You  don't  really  need ntpd on all systems. One (timeserver)
 runs ntpd, and others use rdate, called from cron (once a day is
 usually enough).

PYR I hope nobody takes what you say seriously. Running rdate instead of
PYR ntpd like you describe is wrong for many reasons which have been stated
PYR over and over in the last few years. Please do not spread wrong
PYR information around, and do your homework before giving others advice
PYR on what you think is good sysadmin practice.

  The ntpd from OBSD is still raw and lame. It takes days (!) to really
synchronize, adjusting time and clock frequency back and forth (even if you
start with -s) so it's too early to say that using it is right. It will
be right after it matures, gets a more useful synchronization algorithm and
its own ntpdate (or a parameter to synchronize and exit).

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?

2007-10-23 Thread Tony Sarendal
On 10/23/07, ropers [EMAIL PROTECTED] wrote:

 On 23/10/2007, Tony Sarendal [EMAIL PROTECTED] wrote:
  On 10/23/07, Henning Brauer [EMAIL PROTECTED] wrote:
  
   * Tony Sarendal [EMAIL PROTECTED] [2007-10-22 18:33]:
I didn't get that opinion from marketing.
No matter, we disagree, lets leave it at that.
  
   well, yeah, nonetheless, I wanna point out the essence why stateful is
   better (the way we do it in OpenBSD):
  
   1) it moves the limit where the box starts to suffer from overload
 quite
  far, or, in other words, the box can handle a much larger amount of
  traffic before it starts to drop stuff. thus it can withstand
 bigger
  amounts of (D)DoS too.
   2) once it gets to that point, it is more selective in dropping
 packets
  than a stateless box, as it prefers established connections. this
  behaviour cannot be valued enough in (D)DoS type of situations.
 
 
  I wish to implement things in a way where the link is the limitation,
  not the box. But there is no point in re-doing that discussion.
 
  When I have some time free I'll test it in the lab to see that
 difference in
  behaviour.

 I know very little, but I would like to note that some providers (
 http://www.rayservers.com/ddos-protection ) deploy OpenBSD with the
 express purpose of offering dDoS protection. That has to count for
 something.

 OTOH, Henning's word alone would be enough for me, because AFAIK
 Henning wrote actual pertinent code and knows darn friggin well what
 he's talking about. Did you contribute as much code to OpenBSD/pf as
 Henning? Are you sure your understanding is deeper than his? (No
 offense, by the way, all in good humour.)


Henning has committed more code than me. If you count in percent,
infinitely more. Does that mean that I don't know what I'm talking about?

I use OpenBSD because I like it, I think it is the best project I can find
on the net.
I don't believe a fan-boy attitude is an asset to the project, and that is
what you are contributing right now.

This is a view of an external peering link where I work now:
  5 minute input rate 6165205000 bits/sec, 1036946 packets/sec
  5 minute output rate 3134466000 bits/sec, 1000242 packets/sec
One link out of many, no DDOS going on. Maybe I should stick a rayserver on
it.

Correct me if I'm wrong, but Henning needs someone to argue with him and
pester him.

/Tony



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Paul de Weerd
On Tue, Oct 23, 2007 at 12:05:58PM -0500, Boris Goldberg wrote:
|   The ntpd from OBSD is raw and lame yet. It takes days (!) to really
| synchronize, adjusting time and clock frequency back and forth (even if you
| start with -s), so it's too early to say that using it is right. It will
| be right after it matures, gets a more useful synchronization algorithm and
| its own ntpdate (or a parameter to synchronize and exit).

Without -s, you are right. Adjusting time will take a long time if
your clock is off by a large margin. Luckily, OpenNTPD starts if that
is the case, unlike some other ntp daemon. The adjusting of time and
clock frequency is to be somewhat expected with today's low quality
clockchips on peecee motherboards. However, I've found my clocks to
sync up pretty fast, no problems there as far as I can see.

And we don't need 'ntpdate'. Why would you synchronize and exit? An
important thing about timekeeping is to provide monotonously
incrementing time, making sure not to skip timepoints and even more
importantly, not to jump back in time. If there is a large adjustment
to be made, ntpd has -s which will sync it at boot (before other, time
sensitive, programs are run). This is the most important argument
against running rdate from a cron. And if you really, really need the
sync-and-exit behaviour of ntpdate, run rdate, it has the -n switch.

I think the synchronization algorithm in ntpd is pretty good as it is.
All my machines are in sync, they all agree on the same time when I
compare it. This is within second boundaries, yes. It has been said
before that if you need picosecond precision, then OpenNTPD is perhaps
not for you (although I believe that using one of the newer time
sensors available in OpenBSD can bring pretty accurate time to your
machine too).

Cheers,

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/


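Paul's point about never jumping back in time is easy to put numbers on. The following is an added example for this thread, not OpenNTPD code: it does not reproduce OpenNTPD's algorithm, only the difference between setting the clock outright (rdate from cron) and correcting it gradually (a daemon that slews and trims frequency). The drift rate (200 ppm fast), the daily rdate run and the 500 ppm slew limit are assumed values picked for illustration.

```python
"""Step-versus-slew clock model (added example, not OpenNTPD code)."""

DAY = 86_400


def simulate(policy, *, drift_ppm=200.0, initial_error=0.0, days=2,
             step_period=DAY, slew_ppm=500.0):
    """Return one local-clock reading per second of true time.

    policy "step": every step_period seconds the clock is set to true time,
    which is what a cron job running rdate does.
    policy "slew": each second the error is reduced by at most slew_ppm,
    the way an adjtime(2)-style correction works; the clock never goes back.
    Values are assumptions for illustration, not measured from any daemon.
    """
    drift = drift_ppm * 1e-6          # seconds gained per true second
    slew_max = slew_ppm * 1e-6        # largest correction per true second
    error = initial_error             # local clock minus true time
    readings = []
    for t in range(days * DAY):
        error += drift                # the oscillator drifts under both policies
        if policy == "step":
            if t > 0 and t % step_period == 0:
                error = 0.0           # rdate: overwrite the clock with server time
        elif policy == "slew":
            error += max(-slew_max, min(slew_max, -error))
        else:
            raise ValueError(f"unknown policy {policy!r}")
        readings.append(t + error)
    return readings


def backward_jumps(readings):
    """Count the places where a reading is earlier than the one before it,
    and the size of the largest such jump.  Log ordering, make(1), ticket
    lifetimes and anything else comparing timestamps is what breaks here."""
    jumps = [a - b for a, b in zip(readings, readings[1:]) if b < a]
    return len(jumps), (max(jumps) if jumps else 0.0)


if __name__ == "__main__":
    print("rdate from cron:", backward_jumps(simulate("step")))
    print("slewing daemon: ", backward_jumps(simulate("slew", initial_error=17.28)))
```

With a 200 ppm fast clock the daily rdate run moves the clock back by about sixteen seconds once a day and leaves it up to seventeen seconds ahead the rest of the time; the slewing clock starting from the same seventeen-second error never runs backwards and is within a millisecond by the end. Starting ntpd with -s at boot is the one place a step is harmless, because no timestamps have been handed out yet.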


Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Chris Kuethe
On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
   The ntpd from OBSD is raw and lame yet. It takes days (!) to really
 synchronize, adjusting time and clock frequency back and forth (even if you
 start with -s), so it's too early to say that using it is right. It will
 be right after it matures, gets a more useful synchronization algorithm and
 its own ntpdate (or a parameter to synchronize and exit).

Blah blah blah.

time1 and time2.srv.ualberta.ca are both running openntpd driven by
nmea(4) sensors. As is my home workstation. They wibble around within
a microsecond or two of the sensor's time, probably due to a)
interrupt handling and b) temperature changes caused by the air
conditioner or cats sleeping on the case.

If you have some reasonable, well-designed suggestions on how to
better discipline the clock, we're all ears. Otherwise, quit babbling
- openntpd is doing exactly what it's supposed to: be a simple,
lightweight daemon for keeping your clocks close enough. If that's
not good enough for you, the ntp.org daemon is in ports.

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Boris Goldberg
Hello Paul,

Tuesday, October 23, 2007, 12:38:43 PM, you wrote:

PdW ... run rdate, it has the -n switch.

  Here we go! :D

-- 
Best regards,
 Boris   mailto:[EMAIL PROTECTED]



MegaRAID SAS 8204ELP not working ?

2007-10-23 Thread Walter Bürger
Hi,

just installed a MegaRAID SAS 8204ELP Controller and according to the BIOS:

LSI MegaRAID Software RAID BIOS Version M1068e.01.01021804R
LSI Logic MPT RAID Found at PCI Bus No:04 Dev No:00
SAS/SATA RAID key is Detected.
Bringing up the Controller. Please wait...
Scanning for Port 00... Responding. WDC WD800JD-75MS 75781MB
Scanning for Port 01... Responding. WDC WD800AAJS-00 75807MB
Scanning for Port 02... Not Responding.
Scanning for Port 03... Not Responding.
Scanning for Port 04... Not Responding.
Scanning for Port 05... Not Responding.
Scanning for Port 06... Not Responding.
Scanning for Port 07... Not Responding.

01 Logical drive(s) Configured.
Array#  ModeStripe Size No.Of Stripes   DriveSize   
Status
00 RAID1   64KB  02
75340MBOnline

Press CTRL-M or Enter to run LSI Logic Software RAID Setup Utility.

all goes well so far.

But:
Normally, if a logical drive is recognized by OpenBSD, there are NOT two sd
drives (sd0, sd1) at scsibus0.
At this installation I had sd0 and sd1 to choose from as root disk at scsibus0.

Also there is no mention of a logical drive in the dmesg.

After the installation OpenBSD 4.2 booted from sd0.

From the manpage mfi(4) the MegaRAID SAS 820'8'ELP should be recognized as
mfi0, so I thought the MegaRAID SAS 820'4'ELP should be recognized as mfi0
too.

No, the MegaRAID SAS 8204ELP is recognized as mpi0, as the following dmesg
shows.

bioctl mpi0 gives: bioctl: Can't locate mpi0 device via /dev/bio
bioctl mfi0 gives: bioctl: Can't locate mfi0 device via /dev/bio

So I think, I do not have a functioning RAID.

Why is the MegaRAID SAS 8204ELP recognized as mpi0 ?
Is there a patch to correct the assignment of MegaRAID SAS 8204ELP to mfi0 ?
(If the controller could be made to be recognized as mfi0, then I could use
bioctl :-))
What method exists to let me know if Raid works, without bioctl ?

Thanks,
Walter.


dmesg:
OpenBSD 4.2-current (GENERIC) #405: Thu Sep 13 16:06:09 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM)2 CPU 6320 @ 1.86GHz (GenuineIntel 686-class) 1.87
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,
xTPR
real mem  = 1064464384 (1015MB)
avail mem = 1021571072 (974MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/05/07, BIOS32 rev. 0 @ 0xf0010,
SMBIOS rev. 2.4 @ 0xf04e0 (56 entries)
bios0: vendor American Megatrends Inc. version 1004date 06/05/2007
bios0: ASUSTek Computer INC. P5L-MX
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7a50/240 (13 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0xae00! 0xcb000/0x1800 0xcc800/0x5000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GP rev 0x02: rng active,
800Kb/sec
ppb0 at pci0 dev 1 function 0 Intel 82945GP PCIE rev 0x02
pci1 at ppb0 bus 4
mpi0 at pci1 dev 0 function 0 Symbios Logic SAS1068E rev 0x04: irq 11
scsibus0 at mpi0: 173 targets
sd0 at scsibus0 targ 0 lun 0: ATA, WDC WD800JD-75MS, 1E03 SCSI3 0/direct
fixed
sd0: 76293MB, 76294 cyl, 16 head, 127 sec, 512 bytes/sec, 15625 sec total
sd1 at scsibus0 targ 1 lun 0: ATA, WDC WD800AAJS-00, 6H05 SCSI3 0/direct
fixed
sd1: 76319MB, 76320 cyl, 16 head, 127 sec, 512 bytes/sec, 156301488 sec total
vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02: aperture at
0xe000, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 3
ppb2 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x01
pci3 at ppb2 bus 2
Attansic Technology L1 rev 0xb0 at pci3 dev 0 function 0 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 5
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 10
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 14
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 15
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci4 at ppb3 bus 1
re0 at pci4 dev 0 function 0 D-Link Systems DGE-528T rev 0x10: RTL8169S
(0x0400), irq 10, address 00:11:95:1c:86:e1
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 0
em0 at pci4 dev 1 function 0 Intel PRO/1000MT (82540EM) rev 0x02: irq 3,
address 00:0e:0c:72:79:37
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x01: 

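Walter's last question (how to tell whether the RAID is doing anything without bioctl) can be answered partly from the dmesg alone. The following is an added example, not part of the original posts and not an OpenBSD tool: it parses dmesg text to tell whether a controller hands the OS one logical volume or each member disk individually. The sample input is cut from the two dmesgs in this thread (the 8204ELP box and the Dell PowerEdge 860 further down). It is a heuristic only: where the driver attaches to bio(4), bioctl(8) is the authoritative check, and the whole reason for a dmesg-only check here is that bioctl could not open mpi0 on Walter's 4.2-current.

```python
"""dmesg heuristic for RAID presentation (added example, not OpenBSD code)."""
import re

# dmesg excerpts taken from this thread (MegaRAID 8204ELP box, Dell PE860 box)
DMESG_8204ELP = """\
mpi0 at pci1 dev 0 function 0 Symbios Logic SAS1068E rev 0x04: irq 11
scsibus0 at mpi0: 173 targets
sd0 at scsibus0 targ 0 lun 0: ATA, WDC WD800JD-75MS, 1E03 SCSI3 0/direct fixed
sd1 at scsibus0 targ 1 lun 0: ATA, WDC WD800AAJS-00, 6H05 SCSI3 0/direct fixed
"""

DMESG_PE860 = """\
mpi0 at pci2 dev 8 function 0 Symbios Logic SAS1068 rev 0x01: apic 2 int 16 (irq 5)
scsibus0 at mpi0: 112 targets
sd0 at scsibus0 targ 0 lun 0: Dell, VIRTUAL DISK, 1028 SCSI3 0/direct fixed
"""

# A real dmesg quotes the device description and brackets the inquiry string;
# the patterns tolerate both the quoted form and the stripped form above.
CTRL_RE = re.compile(r"^(?P<dev>[a-z]+\d+) at pci\d+ dev \d+ function \d+ "
                     r"(?P<desc>.+?)(?: rev 0x[0-9a-f]+)?:")
BUS_RE = re.compile(r"^(?P<bus>scsibus\d+) at (?P<dev>[a-z]+\d+):")
DISK_RE = re.compile(r"^(?P<disk>sd\d+) at (?P<bus>scsibus\d+) targ \d+ lun \d+: "
                     r"<?(?P<inq>.+?)>? SCSI")

# Inquiry strings that mean the controller, not a bare drive, is answering
LOGICAL_HINTS = ("VIRTUAL DISK", "LOGICAL VOLUME", "RAID")


def raid_presentation(dmesg):
    """Map each SCSI controller to {"desc", "disks", "verdict"}.

    "logical volume": the OS sees one device the firmware synthesised, so a
    firmware RAID is in effect.  "member disks passed through": the OS talks
    to each physical drive itself; whatever the BIOS configured, OpenBSD is
    writing to sd0 alone and there is no mirror from its point of view.
    """
    ctrls, bus_owner = {}, {}
    for line in dmesg.splitlines():
        if m := CTRL_RE.match(line):
            ctrls[m["dev"]] = {"desc": m["desc"], "disks": [], "verdict": "no disks"}
        elif m := BUS_RE.match(line):
            bus_owner[m["bus"]] = m["dev"]
        elif m := DISK_RE.match(line):
            dev = bus_owner.get(m["bus"])
            if dev in ctrls:
                ctrls[dev]["disks"].append((m["disk"], m["inq"]))

    result = {}
    for dev, info in ctrls.items():
        if dev not in bus_owner.values():
            continue                       # vga, usb, ...: not a SCSI controller
        inqs = [inq.upper() for _, inq in info["disks"]]
        if any(h in inq for inq in inqs for h in LOGICAL_HINTS):
            info["verdict"] = "logical volume"
        elif len(inqs) > 1:
            info["verdict"] = "member disks passed through"
        elif inqs:
            info["verdict"] = "single disk"
        result[dev] = info
    return result


if __name__ == "__main__":
    for name, text in (("8204ELP", DMESG_8204ELP), ("PE860", DMESG_PE860)):
        for dev, info in raid_presentation(text).items():
            disks = ", ".join(d for d, _ in info["disks"])
            print(f"{name}: {dev} ({info['desc']}): {disks}: {info['verdict']}")
```

On the 8204ELP box the verdict is "member disks passed through": the BIOS reported a RAID1 "Online", but OpenBSD attached both WD drives as separate targets and installed to sd0, so the mirror is not protecting that installation. On the PowerEdge 860 the controller presents a single "Dell, VIRTUAL DISK", which is what a firmware-managed volume looks like from the OS side. Neither verdict says anything about the health of the array; that still needs bioctl or the controller's own BIOS utility.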
Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread xSAPPYx
On 10/23/07, Lars Noodén [EMAIL PROTECTED] wrote:
 Per-Erik Persson wrote:
  ... not being able to run inside a
  virtualized environment is not an option in the future.

 Virtualization is available already.  See the package qemu.
 http://www.openbsd.org/4.1_packages/

 Or are you aiming for Xen specifically?


fwiw, kvm works well too if Xen isn't a hard requirement
http://kvm.qumranet.com/kvmwiki



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Nick Guenther
On 10/23/07, Lars Noodin [EMAIL PROTECTED] wrote:
 Per-Erik Persson wrote:
  To get the best performance out of qemu you need to run linux.

 The choices narrow.
 Can kqemu be compiled for OBSD?  Is virtualbox an option?

I had this thought a couple of weeks ago and started looking through
the kqemu code but got totally lost. There's a NetBSD kqemu, so it's
certainly possible.. but someone just has to do it... and
unfortunately I'm no help.

-Nick



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Darrin Chandler
On Tue, Oct 23, 2007 at 11:49:57AM -0600, Chris Kuethe wrote:
 On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
   The ntpd from OBSD is raw and lame yet. It takes days (!) to really
   synchronize, adjusting time and clock frequency back and forth (even if you
   start with -s), so it's too early to say that using it is right. It will
   be right after it matures, gets a more useful synchronization algorithm and
   its own ntpdate (or a parameter to synchronize and exit).
 
 Blah blah blah.
 
 time1 and time2.srv.ualberta.ca are both running openntpd driven by
 nmea(4) sensors. As is my home workstation. They wibble around within
 a microsecond or two of the sensor's time, probably due to a)
 interrupt handling and b) temperature changes caused by the air
 conditioner or cats sleeping on the case.

And my servers are in a windowless room under a lot of concrete and
steel, so there's no good way to get GPS or radio data, and I'm using
other time servers on the internet to sync.

They keep time very well, on sparc64 and amd64, and both are in
pool.ntp.org and score quite well. In fact, they compare favorably to
servers running the more heavyweight ntp daemons.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Can anyone recommend a cheap and mature, well-supported graphics board for OpenBSD?

2007-10-23 Thread ropers
I may be able to inherit an ASROCK 775Dual-VSTA mainboard. The board
does not have on-board graphics, so I would need to buy a graphics
card. The board supports AGP, PCI, and PCI Express Graphics slots.

Can anyone recommend a graphics card?

I am looking for a mature graphics solution that's well supported on
OpenBSD, and that I should preferably be able to obtain on a
shoestring. I am not looking for shitloads of FPS.

Any comments would be welcome.
In case anyone can comment on using the aforementioned mainboard with
OpenBSD, that would be very welcome as well.

Thanks and regards,
--ropers



Re: Can anyone recommend a cheap and mature, well-supported graphics board for OpenBSD?

2007-10-23 Thread ropers
On 23/10/2007, Chris Kuethe [EMAIL PROTECTED] wrote:
 check the xorg supported hardware list... or the SEE ALSO section of Xorg(1)
(...)

Thank you. (Thanks to Dmitrij as well.)

I gather ATI and NVIDIA appear to be better supported than most
others. Is that true?

In case I end up making a (small) new purchase: Are there any vendors
who have been behaving well documentation-wise, and whom I should
reward with my custom? Has anyone been a dick who should be avoided?



Is the PF mailinglist still blocking gmail users?

2007-10-23 Thread Siju George
Hi,

Just wondering if the PF mailing list is still blocking gmail users.
Can't contact Daniel because his email ID is also on the same mail server.

Any Idea which all domains are blocked in the PF mailing list so that
I can subscribe to a free email service that is not blocked?

Thank you so much

Kind Regards

Siju



Problem with raid 1 in server dell

2007-10-23 Thread José Christian Rodríguez
Hi list,
My system froze and on reboot it showed:

/dev/rsd0a: file system is clean;not checking
/dev/rsd0d: file system is clean;not checking
/dev/rsd0e: file system is clean;not checking
/dev/rsd0g: INCORRECT BLOCK COUNT I=2699655 (20 should be 16) (CORRECTED)
PARTIALLY TRUNCATED INODE I=19268881
/dev/rsd0g:UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.
THE FOLLOWING FILE SYSTEM HAD AN UNEXPECTED INCONSISTENCY:
 ffs: /dev/rsd0g(/var)
Automatic File system check failed: help!
Enter pathname of shell or RETURN for sh:



I think this problem is due to an incompatibility with the SAS5IR RAID
controller, but the OpenBSD page says this hardware is supported.
I have two SATA hard disks in RAID 1.

dmesg

OpenBSD 4.1-stable (GENERIC.MP) #0: Wed Oct 10 10:43:00 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU 3050 @ 2.13GHz (GenuineIntel 686-class) 2.14 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,
xTPR
real mem  = 2146795520 (2096480K)
avail mem = 1952034816 (1906284K)
using 4278 buffers containing 107462656 bytes (104944K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 04/04/07, BIOS32 rev. 0 @ 0xffe90,
SMBIOS rev. 2.4 @ 0xfa5b0 (48 entries)
bios0: Dell Computer Corporation PowerEdge 860
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfba60/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GB LPC rev 0x00)
pcibios0: PCI bus #7 is the last bus
bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x5c00 0xd/0x1800
0xec000/0x4000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
mainbus0: Intel MP Specification (Version 1.4)
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 266 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU 3050 @ 2.13GHz (GenuineIntel 686-class) 2.14 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,
xTPR
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type PCI
mainbus0: bus 6 is type PCI
mainbus0: bus 7 is type PCI
mainbus0: bus 8 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0x00
ppb0 at pci0 dev 1 function 0 Intel E7230 PCIE rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci2 at ppb1 bus 2
mpi0 at pci2 dev 8 function 0 Symbios Logic SAS1068 rev 0x01: apic 2 int 16
(irq 5)
scsibus0 at mpi0: 112 targets
sd0 at scsibus0 targ 0 lun 0: Dell, VIRTUAL DISK, 1028 SCSI3 0/direct fixed
sd0: 237464MB, 237464 cyl, 16 head, 128 sec, 512 bytes/sec, 486326272 sec
total
Intel IOxAPIC rev 0x09 at pci1 dev 0 function 1 not configured
ppb2 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xc3
pci4 at ppb3 bus 4
bnx0 at pci4 dev 0 function 0 Broadcom BCM5708 rev 0x12: apic 2 int 16 (irq
5)
ppb4 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci5 at ppb4 bus 5
bge0 at pci5 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1
(0x4101): apic 2 int 16 (irq 5), address 00:19:b9:f7:a7:0a
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb5 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci6 at ppb5 bus 6
bge1 at pci6 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1
(0x4101): apic 2 int 17 (irq 3), address 00:19:b9:f7:a7:0b
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: apic 2 int 20
(irq 11)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: apic 2 int 21
(irq 10)
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: apic 2 int 22
(irq 6)
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: apic 2 int 20
(irq 11)
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb6 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci7 at ppb6 bus 7
vga1 at pci7 dev 5 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: 

Re: Can anyone recommend a cheap and mature, well-supported graphics board for OpenBSD?

2007-10-23 Thread Antti Harri

On Tue, 23 Oct 2007, ropers wrote:


In case I end up making a (small) new purchase: Are there any vendors
who have been behaving well documentation-wise, and whom I should
reward with my custom?


In my opinion:
ATI.


Has anyone been a dick who should be avoided?


Nvidia.

--
Antti Harri



Re: Is the PF mailinglist still blocking gmail users?

2007-10-23 Thread Peter N. M. Hansteen
Siju George [EMAIL PROTECTED] writes:

 Just wondering if the PF mailing list is still blocking gmail users.
 Can't contact Daniel because his email ID is also on the same mail server.

It could be that gmail's pool of possible outgoing servers is a little
too big and the retries too random for greylisting to work all by
itself and benzedrine.cx isn't willing to whitelist all that much
address space.  

Fortunately gmail's SPF records appear to be up to date, so
whitelisting what comes out of there should work, if benzedrine.cx
wants to go down that route.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

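Peter's suggestion of whitelisting what gmail's SPF records list is easy to automate, and the pitfalls are mostly in the record chasing. The following is an added example prompted by that suggestion, not code from any OpenBSD component or from the benzedrine.cx setup: it follows include:/redirect= chains in SPF records and collects the ip4:/ip6: networks so they can be loaded into a pf table that bypasses greylisting. DNS is replaced by a constructed dictionary; the names and networks in it are made up (documentation ranges) and include a deliberate loop, and gmail's real records must be fetched with a resolver. RFC 7208's limit of ten DNS-querying terms is enforced so a hostile or sloppy record cannot send the script on an unbounded chase.

```python
"""SPF to pf-table expansion (added example, not OpenBSD or benzedrine.cx code)."""
import ipaddress

# Constructed stand-in for DNS TXT lookups (made-up names, documentation ranges)
FAKE_TXT = {
    "example-mail.test": [
        "v=spf1 include:_netblocks.example-mail.test "
        "include:_netblocks2.example-mail.test ~all"],
    "_netblocks.example-mail.test": [
        "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/25 ~all"],
    "_netblocks2.example-mail.test": [
        "v=spf1 ip6:2001:db8:f00::/48 include:_loop.example-mail.test ~all"],
    "_loop.example-mail.test": [
        "v=spf1 include:example-mail.test ip4:192.0.2.10 mx ~all"],
}

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4


def spf_networks(domain, lookup=FAKE_TXT.get, max_lookups=MAX_LOOKUPS):
    """Return (sorted networks, warnings) for domain's SPF policy.

    lookup(name) returns the TXT strings for name, or None.  Only ip4/ip6
    terms yield addresses; a/mx/ptr/exists would need further queries and
    are reported rather than guessed at.  A "+all" is reported too, since
    whitelisting such a domain means whitelisting the whole Internet.
    """
    nets, warnings, seen = set(), [], set()
    lookups = 0

    def walk(name):
        nonlocal lookups
        if name in seen:
            warnings.append(f"{name}: include loop, skipped")
            return
        seen.add(name)
        records = [r for r in (lookup(name) or []) if r.startswith("v=spf1 ")]
        if len(records) != 1:
            warnings.append(f"{name}: {len(records)} SPF records, skipped")
            return
        redirect, has_all = None, False
        for term in records[0].split()[1:]:
            qual = "+"
            if term[0] in "+-~?":
                qual, term = term[0], term[1:]
            kind, _, arg = term.partition(":")
            if term == "all":
                has_all = True
                if qual == "+":
                    warnings.append(f"{name}: +all, policy permits any sender")
            elif kind in ("ip4", "ip6"):
                if qual == "+":
                    nets.add(ipaddress.ip_network(arg, strict=False))
            elif kind == "include" or term.startswith("redirect="):
                target = arg if kind == "include" else term[len("redirect="):]
                if lookups >= max_lookups:
                    warnings.append(f"{name}: lookup limit hit before {target}")
                    continue
                lookups += 1
                if kind == "include" and qual == "+":
                    walk(target)
                elif kind != "include":
                    redirect = target
            elif kind in ("a", "mx", "ptr", "exists"):
                warnings.append(f"{name}: {term} needs another lookup, skipped")
            # exp= and unknown modifiers are ignored
        if redirect and not has_all:       # RFC 7208: redirect ignored if all present
            walk(redirect)

    walk(domain)
    return sorted(nets, key=lambda n: (n.version, n)), warnings


def pf_table_lines(networks):
    """Lines for a file loaded with `table <name> persist file "..."` in pf.conf."""
    return [n.with_prefixlen for n in networks]


if __name__ == "__main__":
    networks, warns = spf_networks("example-mail.test")
    print("\n".join(pf_table_lines(networks)))
    for w in warns:
        print("#", w)
```

The resulting file is what a `pass in ... from <table> to port smtp` rule ahead of the spamd redirect consumes; regenerate it from cron and diff it, because the provider can add ranges at any time and anything in the table is exempt from greylisting entirely. The trade-off Peter hints at stands: mail from those ranges then relies on the provider's own abuse handling rather than on spamd.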


Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Clint Pachl

Darrin Chandler wrote:

On Tue, Oct 23, 2007 at 11:49:57AM -0600, Chris Kuethe wrote:
  

On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:


  The ntpd from OBSD is raw and lame yet. It takes days (!) to really
synchronize, adjusting time and clock frequency back and forth (even if you
start with -s), so it's too early to say that using it is right. It will
be right after it matures, gets a more useful synchronization algorithm and
its own ntpdate (or a parameter to synchronize and exit).
  

Blah blah blah.

time1 and time2.srv.ualberta.ca are both running openntpd driven by
nmea(4) sensors. As is my home workstation. They wibble around within
a microsecond or two of the sensor's time, probably due to a)
interrupt handling and b) temperature changes caused by the air
conditioner or cats sleeping on the case.



And my servers are in a windowless room under a lot of concrete and
steel, so there's no good way to get GPS or radio data, and I'm using
other time servers on the internet to sync.

They keep time very well, on sparc64 and amd64, and both are in
pool.ntp.org and score quite well. In fact, they compare favorably to
servers running the more heavyweight ntp daemons.
  


That is a very interesting anecdote. That has got to make Henning proud; 
hell I'm proud of him. The amazing thing is that the ntpd binary on my 
i386 is only 34.4K. The ntpd binary (non-OpenNTPD) on my i386 FreeBSD 
media center is 263K, not to mention all of the other ntp* binaries, 
which bring total size to 426K. Plus, OpenNTPD has privilege separation!




Re: max-src-conn-rate rule question

2007-10-23 Thread david l goodrich
Nobody?  Sad, it's still doing it.


On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
 I've set up a max-src-conn-rate rule on my gateway router to
 mitigate brute-force ssh attacks.  This router protects a /28
 subnet, 25.108.82.80/28.

 The relevant rules:

 # pfctl -sr | grep attack
 block drop in log quick proto tcp from <sshd_attackers> to any
 pass in log proto tcp from any to any port = ssh keep state
 (source-track rule, max-src-conn-rate 3/30, overload
 <sshd_attackers> flush global, src.track 30)
 #

 What the three columns of output in the below tcpdump output are:
 timestamp, rule action, and target host.  As you can tell from
 the tcpdump command, the sending host is the same in all cases,
 208.53.147.204

 # tcpdump -enr /var/log/pflog host 208.53.147.204 \
| awk '{print $1,$4,$11}' | sed s/.22:// | head -30
 reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
 12:09:45.849594 pass 25.103.82.80
 12:09:45.850279 pass 25.103.82.82
 12:09:45.850827 pass 25.103.82.83
 12:09:45.851310 pass 25.103.82.84
 12:09:45.852003 pass 25.103.82.85
 12:09:45.852496 pass 25.103.82.86
 12:09:45.853007 pass 25.103.82.87
 12:09:45.866580 pass 25.103.82.88
 12:09:45.867345 pass 25.103.82.89
 12:09:45.868339 pass 25.103.82.92
 12:09:45.902389 pass 25.103.82.95
 12:25:52.632295 pass 25.103.82.80
 12:25:52.632973 pass 25.103.82.82
 12:25:52.648804 pass 25.103.82.83
 12:25:52.684792 pass 25.103.82.84
 12:25:52.687989 pass 25.103.82.85
 12:25:52.688652 pass 25.103.82.86
 12:25:52.690882 pass 25.103.82.87
 12:25:52.691371 pass 25.103.82.88
 12:25:52.692290 pass 25.103.82.89
 12:25:52.695340 pass 25.103.82.92
 12:25:52.698864 pass 25.103.82.95
 13:08:36.949178 pass 25.103.82.87
 13:08:38.864585 pass 25.103.82.87
 13:08:40.452215 pass 25.103.82.87
 13:08:42.038388 pass 25.103.82.87
 13:08:46.923469 block 25.103.82.88
 13:08:49.922116 block 25.103.82.88
 13:08:50.212040 block 25.103.82.87
 13:08:51.099435 block 25.103.82.87
 #

 It seems to me like this host should have been blocked back at
 12:09:45, not 13:08:46.  Am I misunderstanding the rule?
   --david




Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Theo de Raadt
 That is a very interesting anecdote. That has got to make Henning proud; 
 hell I'm proud of him. The amazing thing is that the ntpd binary on my 
 i386 is only 34.4K. The ntpd binary (non-OpenNTPD) on my i386 FreeBSD 
 media center is 263K, not to mention all of the other ntp* binaries, 
 which bring total size to 426K. Plus, OpenNTPD has privilege separation!

Try statically linking them, and then look at the numbers again.



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Christian Weisgerber
Chris Kuethe [EMAIL PROTECTED] wrote:

 If that's not good enough for you, the ntp.org daemon is in ports.

Actually, the ntp.org daemon performs poorly on OpenBSD since we
don't supply ntp_adjtime(2).

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]



Re: max-src-conn-rate rule question

2007-10-23 Thread Calomel
David,

Was the offending client completing the 3-way handshake everytime it
connected? 

For stateful TCP connections, limits on established connections (connec-
tions which have completed the TCP 3-way handshake) can also be enforced
per source IP. The max-src-conn-rate number/seconds limit the rate of
new connections over a time interval.  The connection rate is an
approximation calculated as a moving average.

You may also want to use synproxy for ssh and take a look at
max-src-states. I have examples here: http://calomel.org/pf_config.html 

--
 Calomel @ http://calomel.org

On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote:
Nobody?  Sad, it's still doing it.


On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
 I've set up a max-src-conn-rate rule on my gateway router to
 mitigate brute-force ssh attacks.  This router protects a /28
 subnet, 25.108.82.80/28.

 The relevant rules:

 # pfctl -sr | grep attack
 block drop in log quick proto tcp from <sshd_attackers> to any
 pass in log proto tcp from any to any port = ssh keep state
 (source-track rule, max-src-conn-rate 3/30, overload
 <sshd_attackers> flush global, src.track 30)
 #

 What the three columns of output in the below tcpdump output are:
 timestamp, rule action, and target host.  As you can tell from
 the tcpdump command, the sending host is the same in all cases,
 208.53.147.204

 # tcpdump -enr /var/log/pflog host 208.53.147.204 \
| awk '{print $1,$4,$11}' | sed s/.22:// | head -30
 reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
 12:09:45.849594 pass 25.103.82.80
 12:09:45.850279 pass 25.103.82.82
 12:09:45.850827 pass 25.103.82.83
 12:09:45.851310 pass 25.103.82.84
 12:09:45.852003 pass 25.103.82.85
 12:09:45.852496 pass 25.103.82.86
 12:09:45.853007 pass 25.103.82.87
 12:09:45.866580 pass 25.103.82.88
 12:09:45.867345 pass 25.103.82.89
 12:09:45.868339 pass 25.103.82.92
 12:09:45.902389 pass 25.103.82.95
 12:25:52.632295 pass 25.103.82.80
 12:25:52.632973 pass 25.103.82.82
 12:25:52.648804 pass 25.103.82.83
 12:25:52.684792 pass 25.103.82.84
 12:25:52.687989 pass 25.103.82.85
 12:25:52.688652 pass 25.103.82.86
 12:25:52.690882 pass 25.103.82.87
 12:25:52.691371 pass 25.103.82.88
 12:25:52.692290 pass 25.103.82.89
 12:25:52.695340 pass 25.103.82.92
 12:25:52.698864 pass 25.103.82.95
 13:08:36.949178 pass 25.103.82.87
 13:08:38.864585 pass 25.103.82.87
 13:08:40.452215 pass 25.103.82.87
 13:08:42.038388 pass 25.103.82.87
 13:08:46.923469 block 25.103.82.88
 13:08:49.922116 block 25.103.82.88
 13:08:50.212040 block 25.103.82.87
 13:08:51.099435 block 25.103.82.87
 #

 It seems to me like this host should have been blocked back at
 12:09:45, not 13:08:46.  Am I misunderstanding the rule?
   --david




Re: max-src-conn-rate rule question

2007-10-23 Thread Rob
On 10/23/07, david l goodrich [EMAIL PROTECTED] wrote:
 Nobody?  Sad, it's still doing it.


 On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
  I've set up a max-src-conn-rate rule on my gateway router to
  mitigate brute-force ssh attacks.  This router protects a /28
  subnet, 25.108.82.80/28.
 
  The relevant rules:
 
  # pfctl -sr | grep attack
  block drop in log quick proto tcp from <sshd_attackers> to any
  pass in log proto tcp from any to any port = ssh keep state
  (source-track rule, max-src-conn-rate 3/30, overload
  <sshd_attackers> flush global, src.track 30)
  #
 
  What the three columns of output in the below tcpdump output are:
  timestamp, rule action, and target host.  As you can tell from
  the tcpdump command, the sending host is the same in all cases,
  208.53.147.204

I'm not a pf newbie by any means, but I'm not really qualified to
answer questions about it either. That said, I don't usually use an
'=' sign in my pf rules, and the pf faq doesn't list that as one of
the accepted operators for the port range
(http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being
parsed correctly, it would cause the behavior you're seeing. Try,

block in log quick proto tcp port ssh keep state \
   (source-track rule, max-src-conn-rate 3 / 30 overload
<sshd_attackers>, src.track 30)

Note that I wouldn't use a flush global directive for a rule like
this, because it can lead to a neat DoS where somebody can spoof one
of your own IP addresses and shut down any ssh sessions you have
active.

Here's a working sample from my own currently active pf file:

pass in on $ext proto tcp to server6 port smtp keep state \
   (max-src-conn 15 max-src-conn-rate 10 / 45 overload <smtp-overload>) \
   queue 6smtp

(FYI, the smtp-overload table moves traffic to a queue that simply
throttles the connections a little.)

- R.

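Calomel's question (did the client complete the handshake?) is the crux of David's log, so here it is run through a model. This is an added example, not pf code: pf.conf(5) says the established-connection limits count only connections that completed the TCP three-way handshake and that max-src-conn-rate is a moving-average approximation; the model keeps the first property and replaces the second with an exact sliding window, which is enough to show why a burst of SYNs to eleven hosts need not put the source in the overload table while four completed connections to one host do. The timestamps and targets are taken from David's pflog excerpt; whether the 12:09:45 burst completed handshakes is not visible there, so both cases are run, and that assumption is marked in the code.

```python
"""Sliding-window model of max-src-conn-rate/overload (added example, not pf)."""
from collections import deque

SRC = "208.53.147.204"     # the probing host from David's tcpdump


class SourceTracker:
    """One source-tracking entry per source for a rule carrying
    `max-src-conn-rate max_conns/seconds, overload <table>`."""

    def __init__(self, max_conns, seconds):
        self.max_conns, self.seconds = max_conns, seconds
        self.window = {}       # src -> timestamps of established connections
        self.overload = set()  # the <table> pf would add the source to

    def observe(self, ts, src, established):
        """Return what happens to one connection attempt at time ts."""
        if src in self.overload:
            return "block"                 # hit by the `block ... from <table>` rule
        if not established:
            return "pass"                  # a lone SYN is not a counted connection
        q = self.window.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > self.seconds:    # forget connections outside the interval
            q.popleft()
        if len(q) > self.max_conns:
            self.overload.add(src)
            return "overload"              # this attempt trips the limit
        return "pass"


def replay(events, max_conns=3, seconds=30):
    """Run (ts, target, established) events for SRC through one tracker."""
    tracker = SourceTracker(max_conns, seconds)
    return [(ts, tgt, tracker.observe(ts, SRC, est)) for ts, tgt, est in events]


def verdicts(events, **limits):
    return [v for _, _, v in replay(events, **limits)]


# Seconds relative to 12:09:45; hosts and spacing follow the pflog excerpt.
# Assumption: the sweep consisted of SYNs that never completed a handshake.
SWEEP = [(0.001 * i, f"25.103.82.{h}", False)
         for i, h in enumerate((80, 82, 83, 84, 85, 86, 87, 88, 89, 92, 95))]
# 13:08:36 onwards: repeated completed connections to one host (58m51s later)
LOGINS = [(3531, "25.103.82.87", True), (3533, "25.103.82.87", True),
          (3535, "25.103.82.87", True), (3537, "25.103.82.87", True),
          (3541, "25.103.82.88", True)]
# The alternative reading of the same sweep: every probe completed.
SWEEP_COMPLETED = [(ts, tgt, True) for ts, tgt, _ in SWEEP]


if __name__ == "__main__":
    for ts, tgt, verdict in replay(SWEEP + LOGINS):
        print(f"{ts:9.3f} {verdict:8} {tgt}")
    print("if the sweep completed handshakes:", verdicts(SWEEP_COMPLETED))
```

Run as-is the sweep passes untouched and the source is only overloaded on the fourth completed connection at 13:08:42, with everything after it blocked, which is the shape of David's log; flip the sweep to completed handshakes and the overload happens on the fourth probe at 12:09:45. Rob's caveat about `flush global` applies on top of this model: once a source is in the table, the flush kills that source's existing states too, so a spoofed SYN flood naming one of your own addresses can cost you your sessions.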


Re: writing non-ascii characters via SSH

2007-10-23 Thread Andrew Pantyukhin
On Tue, Oct 23, 2007 at 09:40:08AM -0400, Juan Miscaro wrote:
 I am currently experiencing difficulty in writing text files containing
 French characters on my OpenBSD 4.0 server via SSH.
 
 On both the FreeBSD client system and on the OpenBSD server system I
 have the following: 
 
 ~/.profile:
 
 export LANG=C
 export LC_CTYPE=fr_CA.ISO8859-1
 export LC_COLLATE=fr_CA.ISO8859-1

Could you try setting LANG to fr_CA.ISO8859-1 (on each box)?



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Clint Pachl

Theo de Raadt wrote:
That is a very interesting anecdote. That has got to make Henning proud; 
hell I'm proud of him. The amazing thing is that the ntpd binary on my 
i386 is only 34.4K. The ntpd binary (non-OpenNTPD) on my i386 FreeBSD 
media center is 263K, not to mention all of the other ntp* binaries, 
which bring total size to 426K. Plus, OpenNTPD has privilege separation!



Try statically linking them, and then look at the numbers again.
  


Well, I'm not going to do that, but I think I understand the point that 
Theo is making.


(OpenBSD)
[EMAIL PROTECTED] ldd /usr/sbin/ntpd
/usr/sbin/ntpd:
   StartEnd  Type Open Ref GrpRef Name
     exe  10   0  /usr/sbin/ntpd
   05c18000 25c4c000 rlib 01   0  /usr/lib/libc.so.40.3
   0334b000 0334b000 rtld 01   0  /usr/libexec/ld.so

(FreeBSD)
[EMAIL PROTECTED] ldd /usr/sbin/ntpd
/usr/sbin/ntpd:
   libm.so.4 => /lib/libm.so.4 (0x280b)
   libmd.so.3 => /lib/libmd.so.3 (0x280c9000)
   libcrypto.so.4 => /lib/libcrypto.so.4 (0x280d6000)
   libc.so.6 => /lib/libc.so.6 (0x281cd000)



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Clint Pachl

Henning Brauer wrote:

* Boris Goldberg [EMAIL PROTECTED] [2007-10-23 15:50]:
  

CP One  system  would  get time from the NTP pool and all other servers on
CP the network would sync to the local server.
  You  don't  really  need ntpd on all systems. One (timeserver) runs ntpd,
and others use rdate, called from cron (once a day is usually enough).



that is bad advice.
it is not only much more work to set up, it also doesn't remotely yield 
the same results. ntpd is much much better, since it doesn't rely on a 
single answer from some server to set the clock, and because it adjusts 
the clock frequency over time.

there is not much point in using rdate at all.
  


From what I have read in this thread, it looks like only one guy 
prefers the old timed and rdate tools. A few are even telling him he is 
giving bad advice when promoting the usage of these tools. Henning 
mentioned that rdate and timed are pretty much useless and others have 
said that timed is obsolete. So why don't we remove them from the source 
tree?


Last night when I was researching a way to sync my clocks I became 
confused as to what I should be using. This thread and Henning's 
OpenNTPD presentation at 
http://www.openbsd.org/papers/ntpd_sucon04/index.html definitely cleared 
things up and answered all my questions. Thanks to all that replied and 
Henning for leading the OpenNTPD project.


-pachl



Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Martin Schröder
2007/10/23, Darrin Chandler [EMAIL PROTECTED]:
 pool.ntp.org and score quite well. In fact, they compare favorably to
 servers running the more heavyweight ntp daemons.

While we are talking about ntpd: Is there hope of an update of the
portable version? The debian port is still at 3.9...

Best
   Martin

PS: http://www.openntpd.org is also still at 3.9...



high-end audio drivers [was: OSS audio drivers]

2007-10-23 Thread Jan Stary
  What is the relation of OpenBSD's audio drivers to the OSS project?
  What, if anything, does opensourcing (GPL, I know) their code mean for
  our audio drivers? In particular, does that mean (future) support for
  the high-end soundcards such as M-Audio Delta?
 
 There's work in progress on adding support for Delta cards (1010,
 1010LT, 66, 44), and required features to make them usable (32bit
 encodings, 12 channel capture, higher sample rate, etc...)

Where can I get in touch with this work and possibly test it?
Is anything committed - available in current?

Thanks

Jan



Re: max-src-conn-rate rule question

2007-10-23 Thread david l goodrich
On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:
 On 10/23/07, david l goodrich [EMAIL PROTECTED] wrote:
  Nobody?  Sad, it's still doing it.
 
 
  On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
   I've set up a max-src-conn-rate rule on my gateway router to
   mitigate brute-force ssh attacks.  This router protects a /28
   subnet, 25.108.82.80/28.
  
   The relevant rules:
  
   # pfctl -sr | grep attack
   block drop in log quick proto tcp from sshd_attackers to any
   pass in log proto tcp from any to any port = ssh keep state
   (source-track rule, max-src-conn-rate 3/30, overload
   sshd_attackers flush global, src.track 30)
   #
  
   What the three columns of output in the below tcpdump output are:
   timestamp, rule action, and target host.  As you can tell from
   the tcpdump command, the sending host is the same in all cases,
   208.53.147.204
 
 I'm not a pf newbie by any means, but I'm not really qualified to
 answer questions about it either. That said, I don't usually use an
 '=' sign in my pf rules, and the pf faq doesn't list that as one of
 the accepted operators for the port range
 (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being
 parsed correctly, it would cause the behavior you're seeing. Try,

I don't have an = sign in my rule, either, i have it in pf.conf as:

pass in log proto tcp from any to any port ssh \
keep state (max-src-conn-rate 3/30, \
overload sshd_attackers flush global)

but when i look at my rules with pfctl -sr it shows the =.

 
 block in log quick proto tcp port ssh keep state \
(source-track rule, max-src-conn-rate 3 / 30 overload
 sshd_attackers, src.track 30)

I want to pass ssh traffic by default, so a block rule won't be
terribly helpful.

 
 Note that I wouldn't use a flush global directive for a rule like
 this, because it can lead to a neat DoS where somebody can spoof one
 of your own IP addresses and shut down any ssh sessions you have
 active.
 
 Here's a working sample from my own currently active pf file:
 
 pass in on $ext proto tcp to server6 port smtp keep state \
(max-src-conn 15 max-src-conn-rate 10 / 45 overload smtp-overload) \
queue 6smtp

Mine's pretty similar, if a bit more verbose.  And I don't use
max-src-conn or queueing.
  --david


 
 (FYI, the smtp-overload table moves traffic to a queue that simply
 throttles the connections a little.)
 
 - R.



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Enache Adrian
On Tue, Oct 23, 2007 at 03:16:31PM +0300, Lars Noodén wrote:
 Granted that quote is from a competitor (VMware, which seems to be a
 broken linux kernel) but MS has 'partnered' with XenSource and we know
 what the ultimate results will be.
 
 The choices narrow.
 Can kqemu be compiled for OBSD?  Is virtualbox an option?

I have the kqemu module working on OpenBSD.

This is OpenBSD-current, qemu from cvs with some changes, and
kqemu-1.3.0pre11 + openbsd lkm code.

With Windows 2003 as a guest it seems to do -kernel-kqemu too.

However, OpenBSD currently does not work as a guest with the kqemu
module (with linux or openbsd as the host, it doesn't matter).



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread adam . getchell
Virtualization seems to have a lot of security benefits. Rootkits can lie to 
DomU but not Dom0, and of course snapshotting, migration etc is *really* nice. 

Dom0 in OpenBSD in a current Xen implementation (with HVM) would be a dream. 
I'd switch wholesale, and buy a CD for every server (as I do now). But 
doubtless there are a whole host of issues, kernel, SMP, bootloaders (I found 
OpenBSD's bootloader to be superior to grub in Ubuntu 7.10, it detects media bay 
HDs, and the installer is fast, efficient, and doesn't crap out on certain 
video cards/monitors), an LVM, iSCSI support -- and I have no code to 
contribute, so I will merely remain hopeful without expectation. 

I tried NetBSD Xen, but it seemed the worst of both worlds. Pf circa 3.7, hacks 
for grub, old version of Xen (2.x series IIRC) without support for the most 
interesting features, not the same level of security focus, etc. 

So I just picked the best tool for the job. 

I'm happier our webservers are now on OpenBSD with CARP failover.

--

Invincibility is in oneself, vulnerability in the opponent. -- Sun Tzu



-Original Message-
From: Luca Corti [EMAIL PROTECTED]
Date: Tue, 23 Oct 2007 10:03:42
To: ropers [EMAIL PROTECTED]
Cc: Jeff Quast [EMAIL PROTECTED], OpenBSD-Misc misc@openbsd.org, Nick Guenther [EMAIL PROTECTED]
Subject: Re: About Xen: maybe a reiterative question but ..

On Tue, 2007-10-23 at 01:11 +0200, ropers wrote:
 unavoidable. The question is, is that a worthwhile trade-off? Is this
 a reason not to support Xen? Or should the user be given that option
 regardless of the inherent limitations and consequences?

A proper Dom0 port of XEN to OpenBSD would solve this by removing the
linux dependency. However this would probably require a significant
effort on OpenBSD side and a XEN Hypervisor code audit.

Also from earlier discussion on the list it seems this kind of
virtualization may impact on security, which is in direct contrast with
OpenBSD goals. Can someone elaborate more on this?

ciao

Luca




Re: max-src-conn-rate rule question

2007-10-23 Thread Rob
On 10/23/07, david l goodrich [EMAIL PROTECTED] wrote:
 On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:
   On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
I've set up a max-src-conn-rate rule on my gateway router to
mitigate brute-force ssh attacks.  This router protects a /28
subnet, 25.108.82.80/28.
   
The relevant rules:
   
# pfctl -sr | grep attack
block drop in log quick proto tcp from sshd_attackers to any
pass in log proto tcp from any to any port = ssh keep state
(source-track rule, max-src-conn-rate 3/30, overload
sshd_attackers flush global, src.track 30)
#
 
  I'm not a pf newbie by any means, but I'm not really qualified to
  answer questions about it either. That said, I don't usually use an
  '=' sign in my pf rules, and the pf faq doesn't list that as one of
  the accepted operators for the port range
  (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being
  parsed correctly, it would cause the behavior you're seeing. Try,

 I don't have an = sign in my rule, either, i have it in pf.conf as:

 pass in log proto tcp from any to any port ssh \
 keep state (max-src-conn-rate 3/30, \
 overload sshd_attackers flush global)

 but when i look at my rules with pfctl -sr it shows the =.

 
  block in log quick proto tcp port ssh keep state \
 (source-track rule, max-src-conn-rate 3 / 30 overload
  sshd_attackers, src.track 30)

 I want to pass ssh traffic by default, so a block rule won't be
 terribly helpful.

Whoops, that was a big ol' typo. That should've been a pass, sorry.

  Note that I wouldn't use a flush global directive for a rule like
  this, because it can lead to a neat DoS where somebody can spoof one
  of your own IP addresses and shut down any ssh sessions you have
  active.
 
  Here's a working sample from my own currently active pf file:
 
  pass in on $ext proto tcp to server6 port smtp keep state \
 (max-src-conn 15 max-src-conn-rate 10 / 45 overload smtp-overload) \
 queue 6smtp

 Mine's pretty similar, if a bit more verbose.  And I don't use
 max-src-conn or queueing.

Huh.

What's your output from pfctl -s rules -v ?

Also, I should parrot some of the earlier conversations that have been
on this list on this subject (limiting attempts at ssh attacks). Doing
this with a max-src-conn-rate rule probably isn't what you really want
to do anyway; there are some good log file analyzers which would be
better suited to this (see http://www.ossec.net/,
http://www.ossec.net/en/attacking-loganalysis.html, and
http://marc.info/?l=openbsd-misc&m=118660109014882&w=2); strong ssh
passwords are the best defense against dictionary attacks; etc. At
best, all you're really doing is keeping your authlog a bit leaner,
and maybe compiling a list of evildoers.

- R.



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Theo de Raadt
 Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you
should share it.

x86 virtualization is about basically placing another nearly full
kernel, full of new bugs, on top of a nasty x86 architecture which
barely has correct page protection.  Then running your operating
system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a
worldwide collection of software engineers who can't write operating
systems or applications without security holes, can then turn around
and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty
colours, and you've bought it.

That's all x86 virtualization is.



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Damien Miller
On Tue, 23 Oct 2007, Theo de Raadt wrote:

  Virtualization seems to have a lot of security benefits.
 
 You've been smoking something really mind altering, and I think you
 should share it.
 
 x86 virtualization is about basically placing another nearly full
 kernel, full of new bugs, on top of a nasty x86 architecture which
 barely has correct page protection.  Then running your operating
 system on the other side of this brand new pile of shit.
 
 You are absolutely deluded, if not stupid, if you think that a
 worldwide collection of software engineers who can't write operating
 systems or applications without security holes, can then turn around
 and suddenly write virtualization layers without security holes.

cf. http://taviso.decsystem.org/virtsec.pdf



Re: max-src-conn-rate rule question

2007-10-23 Thread Vijay Sankar
On October 23, 2007 07:30:25 pm david l goodrich wrote:
 On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:
  On 10/23/07, david l goodrich [EMAIL PROTECTED] wrote:
   Nobody?  Sad, it's still doing it.
  
   On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
I've set up a max-src-conn-rate rule on my gateway router to
mitigate brute-force ssh attacks.  This router protects a /28
subnet, 25.108.82.80/28.
   
The relevant rules:
   
# pfctl -sr | grep attack
block drop in log quick proto tcp from sshd_attackers to any
pass in log proto tcp from any to any port = ssh keep state
(source-track rule, max-src-conn-rate 3/30, overload
sshd_attackers flush global, src.track 30)
#
   
What the three columns of output in the below tcpdump output are:
timestamp, rule action, and target host.  As you can tell from
the tcpdump command, the sending host is the same in all cases,
208.53.147.204
 
  I'm not a pf newbie by any means, but I'm not really qualified to
  answer questions about it either. That said, I don't usually use an
  '=' sign in my pf rules, and the pf faq doesn't list that as one of
  the accepted operators for the port range
  (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being
  parsed correctly, it would cause the behavior you're seeing. Try,

 I don't have an = sign in my rule, either, i have it in pf.conf as:

 pass in log proto tcp from any to any port ssh \
 keep state (max-src-conn-rate 3/30, \
 overload sshd_attackers flush global)

 but when i look at my rules with pfctl -sr it shows the =.

  block in log quick proto tcp port ssh keep state \
 (source-track rule, max-src-conn-rate 3 / 30 overload
  sshd_attackers, src.track 30)

 I want to pass ssh traffic by default, so a block rule won't be
 terribly helpful.

  Note that I wouldn't use a flush global directive for a rule like
  this, because it can lead to a neat DoS where somebody can spoof one
  of your own IP addresses and shut down any ssh sessions you have
  active.
 
  Here's a working sample from my own currently active pf file:
 
  pass in on $ext proto tcp to server6 port smtp keep state \
 (max-src-conn 15 max-src-conn-rate 10 / 45 overload smtp-overload) \
 queue 6smtp

 Mine's pretty similar, if a bit more verbose.  And I don't use
 max-src-conn or queueing.
   --david

  (FYI, the smtp-overload table moves traffic to a queue that simply
  throttles the connections a little.)
 
  - R.


I tried various combinations on my test machine and noticed the following 
pattern. Setting the max-src-conn to be twice the max-src-conn-rate seems to 
work better at stopping brute-force SSH attempts. Probably there is no 
rational basis for this observation and there must be some other explanation. 
I did try a few combinations and it seemed to have had a positive impact in 
getting the IP address to the sshd_attackers table at the right 
max-src-conn-rate.

So I am wondering if

pass in log proto tcp from any to any port ssh keep state (max-src-conn 6  
max-src-conn-rate 3/30, overload sshd_attackers flush global)

would be an appropriate thing for you to try.

Anyways, hope this helps in some way.

-- 
Vijay Sankar, M.Eng., P.Eng.
President & CEO
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6
Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Ben Goren
On 2007 Oct 23, at 5:57 PM, [EMAIL PROTECTED] wrote:

  Virtualization seems to have a lot of security benefits.

``Seems'' is the key word, here.

On hardware like an IBM mainframe that can actually support what's
necessary for  secure virtual machines, sure. On  x86? Well, it'll
keep your kid sister out

Virtualization is  wonderful for simultaneously  running different
operating  systems on  the same  (beefy) computer,  especially for
development or testing purposes. If  you occasionally need to run
something on  an operating system  other than your  preferred one,
it's great -- saves you the extra hardware or the reboot, lets you
do snapshots, etc.

For  Windows,  it's  also  wonderful. You  basically  have  to  be
nuts  to  have  a  single  Windows server*  doing  more  than  one
thing, but virtualization  lets you do exactly  that with relative
impunity. It's like splinting a broken  leg and giving a huge shot
of  painkillers to  the victim  -- you'd  never know  the leg  was
broken.

But that's about it. I suppose running Windows virtual machines on
a real OpenBSD  machine might ``have a lot  of security benefits''
in some perverted sense of the words,  but it's not like the VM is
magically going  to protect the virtual  machines or anything. And
if  the Windows  virtual machines  can still  talk to  the outside
world  or to  each other  (via simulated  network interfaces,  for
example), even those ``security benefits'' won't mean much.

Cheers,

b

* Yes, the full stop here is appropriate.




Re: max-src-conn-rate rule question

2007-10-23 Thread david l goodrich
On Tue, Oct 23, 2007 at 05:59:31PM -0700, Rob wrote:
 On 10/23/07, david l goodrich [EMAIL PROTECTED] wrote:
  On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:

   Note that I wouldn't use a flush global directive for a rule like
   this, because it can lead to a neat DoS where somebody can spoof one
   of your own IP addresses and shut down any ssh sessions you have
   active.
  
   Here's a working sample from my own currently active pf file:
  
   pass in on $ext proto tcp to server6 port smtp keep state \
  (max-src-conn 15 max-src-conn-rate 10 / 45 overload smtp-overload) \
  queue 6smtp
 
  Mine's pretty similar, if a bit more verbose.  And I don't use
  max-src-conn or queueing.
 
 Huh.
 
 What's your output from pfctl -s rules -v ?

From my original email...
 # pfctl -sr | grep attack
 block drop in log quick proto tcp from sshd_attackers to any
 pass in log proto tcp from any to any port = ssh keep state
 (source-track rule, max-src-conn-rate 3/30, overload
 sshd_attackers flush global, src.track 30)
 #


 
 Also, I should parrot some of the earlier conversations that have been
 on this list on this subject (limiting attempts at ssh attacks). Doing
 this with a max-src-conn-rate rule probably isn't what you really want
 to do anyway; there are some good log file analyzers which would be
 better suited to this (see http://www.ossec.net/,
 http://www.ossec.net/en/attacking-loganalysis.html, and
 http://marc.info/?l=openbsd-misc&m=118660109014882&w=2); strong ssh
 passwords are the best defense against dictionary attacks; etc. At
 best, all you're really doing is keeping your authlog a bit leaner,
 and maybe compiling a list of evildoers.

Understood that this is not going to be a be-all end-all from a
security perspective, and that it isn't going to save me from
being stupid and having weak passwords.  It's still a useful
mitigating control.

That said, my original question wasn't about whether or not this
is a good idea, it's about why what PF claims to do and what PF
does seem to be different.
  --david



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread bofh
On 10/23/07, Ben Goren [EMAIL PROTECTED] wrote:
 But that's about it. I suppose running Windows virtual machines on
 a real OpenBSD  machine might ``have a lot  of security benefits''
 in some perverted sense of the words,  but it's not like the VM is
 magically going  to protect the virtual  machines or anything. And

That's why you use a virtual firewall with openbsd in front of it!!!/ducks

 if  the Windows  virtual machines  can still  talk to  the outside
 world  or to  each other  (via simulated  network interfaces,  for
 example), even those ``security benefits'' won't mean much.

Heh.  Read any of the recent advisories against vmware?  Real world
exploits are already out there.  AIUI, to fix the current set of
problems, you basically have to turn off vmware tools.

Right now, you do have to attack the guest before you can get to the
host, but I'm sure there's a malicious packet out there, somewhere,
that can tickle the system just right, and skip past all that straight
into the host.


/ducksIf you do take that as the gospel truth, please, at least, buy
the freaking CD, yeah?
-- 
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.



Re: max-src-conn-rate rule question

2007-10-23 Thread david l goodrich
On Tue, Oct 23, 2007 at 05:46:45PM -0400, Calomel wrote:
 David,

 Was the offending client completing the 3-way handshake everytime it
 connected?

 For stateful TCP connections, limits on established connections (connec-
 tions which have completed the TCP 3-way handshake) can also be enforced
 per source IP. The max-src-conn-rate number/seconds limit the rate of
 new connections over a time interval.  The connection rate is an
 approximation calculated as a moving average.

 You may also want to use synproxy for ssh and take a look at
 max-src-states. I have examples here: http://calomel.org/pf_config.html

I didn't respond to this until now, because I wanted to do some
research first.  As the hosts that are being blocked by this
aren't hosts I control, I needed to set up some access on the
outside.

So it looks like i can run  'nmap -sS -p22 25.103.82.80/28' until
doomsday and it will always show as a passed connection.

But when i start telnetting to port 22 on machines in this
subnet, the fourth 'telnet' connection is blocked, no matter
which host I hit previously.  So I think that you are correct
in that the attackers are not initially completing the 3-way
handshake, and are thus not tripping the filter.

I'll look in to max-src-states, but I think now that I've shown
that the actual attack (if that's what they are) attempts are
blocked properly, I'm not terribly concerned if they can scan the
subnet.

Thanks,
  --david


 --
  Calomel @ http://calomel.org

 On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote:
 Nobody?  Sad, it's still doing it.
 
 
 On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
  I've set up a max-src-conn-rate rule on my gateway router to
  mitigate brute-force ssh attacks.  This router protects a /28
  subnet, 25.108.82.80/28.
 
  The relevant rules:
 
  # pfctl -sr | grep attack
  block drop in log quick proto tcp from sshd_attackers to any
  pass in log proto tcp from any to any port = ssh keep state
  (source-track rule, max-src-conn-rate 3/30, overload
  sshd_attackers flush global, src.track 30)
  #
 
  What the three columns of output in the below tcpdump output are:
  timestamp, rule action, and target host.  As you can tell from
  the tcpdump command, the sending host is the same in all cases,
  208.53.147.204
 
  # tcpdump -enr /var/log/pflog host 208.53.147.204 \
 | awk '{print $1,$4,$11}' | sed s/.22:// | head -30
  reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
  12:09:45.849594 pass 25.103.82.80
  12:09:45.850279 pass 25.103.82.82
  12:09:45.850827 pass 25.103.82.83
  12:09:45.851310 pass 25.103.82.84
  12:09:45.852003 pass 25.103.82.85
  12:09:45.852496 pass 25.103.82.86
  12:09:45.853007 pass 25.103.82.87
  12:09:45.866580 pass 25.103.82.88
  12:09:45.867345 pass 25.103.82.89
  12:09:45.868339 pass 25.103.82.92
  12:09:45.902389 pass 25.103.82.95
  12:25:52.632295 pass 25.103.82.80
  12:25:52.632973 pass 25.103.82.82
  12:25:52.648804 pass 25.103.82.83
  12:25:52.684792 pass 25.103.82.84
  12:25:52.687989 pass 25.103.82.85
  12:25:52.688652 pass 25.103.82.86
  12:25:52.690882 pass 25.103.82.87
  12:25:52.691371 pass 25.103.82.88
  12:25:52.692290 pass 25.103.82.89
  12:25:52.695340 pass 25.103.82.92
  12:25:52.698864 pass 25.103.82.95
  13:08:36.949178 pass 25.103.82.87
  13:08:38.864585 pass 25.103.82.87
  13:08:40.452215 pass 25.103.82.87
  13:08:42.038388 pass 25.103.82.87
  13:08:46.923469 block 25.103.82.88
  13:08:49.922116 block 25.103.82.88
  13:08:50.212040 block 25.103.82.87
  13:08:51.099435 block 25.103.82.87
  #
 
  It seems to me like this host should have been blocked back at
  12:09:45, not 13:08:46.  Am I misunderstanding the rule?
--david
 
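The behaviour Calomel describes and david confirms above, that only connections which complete the three-way handshake count towards max-src-conn-rate, modelled as an added example; this is not code from the thread or from pf. The log lines and addresses are constructed (documentation ranges, not the poster's subnet), and the sliding window is a simplification of pf's moving average.

```python
"""Model of a pf max-src-conn-rate limit, as described in the thread.

Added example, not from the thread or from pf's own source. It follows
Calomel's explanation: only connections that complete the TCP three-way
handshake count towards the rate, so a half-open SYN scan is passed and
logged but never trips the overload table. pf approximates the rate with
a moving average; this model uses a plain sliding window (a simplification).
"""
from collections import defaultdict, deque
from datetime import datetime

LIMIT = 3       # max-src-conn-rate 3/30, the rule under discussion
WINDOW = 30.0   # seconds

# Constructed sample modelled on the pflog excerpt in the thread
# (documentation address ranges, not the poster's real subnet):
# timestamp, source, destination, whether the handshake completed.
SAMPLE = """\
12:09:45.849594 203.0.113.7 192.0.2.80 syn-only
12:09:45.850279 203.0.113.7 192.0.2.82 syn-only
12:09:45.850827 203.0.113.7 192.0.2.83 syn-only
12:09:45.851310 203.0.113.7 192.0.2.84 syn-only
12:09:45.852003 203.0.113.7 192.0.2.85 syn-only
13:08:36.949178 203.0.113.7 192.0.2.87 established
13:08:38.864585 203.0.113.7 192.0.2.87 established
13:08:40.452215 203.0.113.7 192.0.2.87 established
13:08:42.038388 203.0.113.7 192.0.2.87 established
13:08:46.923469 203.0.113.7 192.0.2.88 established
13:08:49.922116 203.0.113.7 192.0.2.88 established
"""


def parse_line(line):
    """Split one constructed log line into (time, src, dst, established)."""
    ts, src, dst, state = line.split()
    return datetime.strptime(ts, "%H:%M:%S.%f"), src, dst, state == "established"


def simulate(log_text, limit=LIMIT, window=WINDOW):
    """Replay the log and return (decisions, overload_table).

    decisions is a list of (time, src, dst, verdict); verdict is "pass",
    "block" (source already in the overload table) or "overload" (the
    completed connection that pushed the source over the limit)."""
    recent = defaultdict(deque)   # src -> times of completed handshakes
    overload = set()              # stands in for the sshd_attackers table
    decisions = []
    for line in log_text.splitlines():
        t, src, dst, established = parse_line(line)
        if src in overload:
            # The "block ... from <sshd_attackers>" rule now matches.
            decisions.append((t, src, dst, "block"))
            continue
        if not established:
            # A SYN that is never completed creates no established state,
            # so pf passes and logs it but does not count it.
            decisions.append((t, src, dst, "pass"))
            continue
        q = recent[src]
        while q and (t - q[0]).total_seconds() > window:
            q.popleft()           # forget handshakes outside the window
        q.append(t)
        if len(q) > limit:
            overload.add(src)
            decisions.append((t, src, dst, "overload"))
        else:
            decisions.append((t, src, dst, "pass"))
    return decisions, overload


def verdicts(log_text, limit=LIMIT, window=WINDOW):
    """Just the verdict column, convenient for checking a scenario."""
    return [d[3] for d in simulate(log_text, limit, window)[0]]


if __name__ == "__main__":
    for t, src, dst, verdict in simulate(SAMPLE)[0]:
        print(t.strftime("%H:%M:%S.%f"), verdict, dst)
```

Running it reproduces the pattern in the thread: the burst of half-open probes at 12:09:45 is passed without counting, and the fourth completed connection within 30 seconds is the one that lands the source in the table, after which everything from it is blocked.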



Re: About Xen: maybe a reiterative question but ..

2007-10-23 Thread Adam Getchell
On 10/23/07, Theo de Raadt [EMAIL PROTECTED] wrote:
  Virtualization seems to have a lot of security benefits.

 You've been smoking something really mind altering, and I think you
 should share it.

Sure! Here's some research one of my colleagues (with whom I've
discussed this a lot) did on the topic last year.

http://shell.cse.ucdavis.edu/~bill/virt/virt.pdf

Ormandy's paper sure is interesting, though. Certainly adds new data.
Still, it seems that taking checksums from Dom0 against DomU, with
other security layers in front of the DomUs (including a good
firewall) doesn't hurt. Layers of defense and all that.

 x86 virtualization is about basically placing another nearly full
 kernel, full of new bugs, on top of a nasty x86 architecture which
 barely has correct page protection.  Then running your operating
 system on the other side of this brand new pile of shit.

Security is really hard, no doubt about it. It just takes a bug in SSH
or IPv6 and you've got trouble. But in some cases, the issues can be
salvaged to some acceptable criterion, for some definition of
acceptable for some particular group.

Or perhaps not. That's a risk-benefit analysis.

 You've seen something on the shelf, and it has all sorts of pretty
 colours, and you've bought it.

 That's all x86 virtualization is.

Well, I bought it because it's been working for me for the past few
years, and virtualization adds useful capabilities, with or without
security benefits, for my purposes.

You and the other OpenBSD developers have created an operating system
that suits your purposes, and you kindly share it with the rest of the
world, no strings attached. I'm grateful, and use OpenBSD extensively
in ways that work with the purposes you've developed it. (Basically,
as much as I can until I encounter some showstopping problem.)

But eventually, I find I need other tools for certain things --
parallel scientific programming, SANs, running applications that don't
have a snowball's chance in hell of running on OpenBSD, writing
applications using runtimes that aren't supported well/at all on
OpenBSD, etc. etc.

Since I can't run these things on OpenBSD, I will have to run them on
someone's buggy, barely correct, proprietary security-hole ridden OS
anyways. And if I'm forced to do that, I'm going to use an
architecture that at least mitigates the common CIA issues as best as
it can, given those circumstances.

And of course, continue to use OpenBSD wherever appropriate, buy the
OpenBSD project's CDs, encourage others at my University to use it and
do the same, and make donations whenever I can.

Adam
-- 
Invincibility is in oneself, vulnerability in the opponent. -- Sun Tzu