Re: using ifstated(8) to monitor wireless connections?

2013-10-29 Thread Fred Snurd
 On Monday, October 28, 2013 6:10 AM, Stefan Sperling s...@openbsd.org wrote:
 On Sun, Oct 27, 2013 at 10:43:05PM -0700, Fred Snurd wrote:
 
 $ sudo ifconfig ath0 nwid my-id wpakey my-password
 $ ifconfig ath0
 ath0: flags=8822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST> mtu 1500
     lladdr a8:54:b2:23:da:80
     priority: 4
     groups: wlan
     media: IEEE802.11 autoselect
     status: no network
     ieee80211: nwid my-id wpakey <not displayed> wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
 $
 
 ...which still shows that the link has not changed as expected.

 The interface isn't marked UP in the flags= line.
 So try 'ifconfig ath0 up' here.

 dhclient does this automatically before requesting a lease.


Thanks Stefan & Reyk for replying.

Further testing tonight showed that the original /etc/ifstated.conf file did 
indeed work.  I had thought that the link would be re-established quickly, but 
this was not the case.  In fact, re-establishing the link took ~3-4 minutes to 
complete (but this factors in the time the AP needed to get reinitialized 
too...).  I added logger(1) messages to my ifstated.conf(5) observing that the 
link state bounces about before stabilizing.  I don't know if this peculiarity 
is associated with the ath(4) driver, WIstron CM9 card, Alix hardware, or the 
cheap ActionTec AP used.  If there is any interest, I can submit a report with 
more details.  I simply would like to take more time determining if there is 
anything else I can observe.

Thanks again for your timely replies.
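Fred's working /etc/ifstated.conf is not shown in the thread. The following is a constructed example, not his file, of the kind of link-state watcher with logger(1) messages he describes; it assumes the interface is ath0, as in his ifconfig output, and that the interface has already been marked UP (as Stefan points out, ifstated only sees link state on an interface that is up).

```conf
# /etc/ifstated.conf, constructed example: watch the ath0 link state,
# log every transition so link-state bouncing shows up in
# /var/log/messages, and re-run dhclient once the association is up.
init-state link_down

state link_down {
	init {
		run "logger -t ifstated 'ath0: link down, waiting for association'"
	}
	if ath0.link.up {
		set-state link_up
	}
}

state link_up {
	init {
		run "logger -t ifstated 'ath0: link up, requesting a lease'"
		run "dhclient ath0"
	}
	if ath0.link.down {
		set-state link_down
	}
}
```

Because each state's init block runs on every entry, a link that bounces up and down while the AP reinitialises produces one logger line per bounce, which is the pattern Fred observed. Running `ifstated -dv` in the foreground shows the same transitions on the terminal without daemonising.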



Re: system seems deadlock

2013-10-29 Thread Sébastien Marie
Hi,

Just to signal that the last change on spec_vnops.c (1.77) corrects my
problem: now the system doesn't deadlock.

Thanks a lot.
-- 
Sebastien Marie

On Mon, Oct 21, 2013 at 09:59:43AM +0200, Sébastien Marie wrote:
 On Sat, Oct 19, 2013 at 05:54:22PM +0200, Sébastien Marie wrote:
  Hi,
  
  I ran into a system problem using tmux: the system (OpenBSD -current
  on i386) freezes (but no panic).
  
 
 The freeze seems to be a dead-lock, and tmux exposes it. 
 
 ddb> ps
 PID   PPID   PGRP   UID  S   FLAGS  WAIT   COMMAND
 [...]
  13243  1  13243  0  3   0  inode  tmux
 [...]
 
 Here, tmux is waiting on "inode".
 
 This wait message is set here:
  ufs/ext2fs/ext2fs_vfsops.c
  831: lockinit(&ip->i_lock, PINOD, "inode", 0, 0);
  
  ufs/ffs/ffs_vfsops.c
  1257: lockinit(&ip->i_lock, PINOD, "inode", 0, 0);
 
 And if I let the system run, several other processes also end up
 waiting on "inode" (such as cron, or login_passwd if I try to log in).
 
 
 With ddb, if I check locked vnodes, there are two on root partition.
 
 ddb> show all mounts
 flags 5<LOCAL,ROOTFS>
 vnodecovered 0x0 syncer 0xd316aa60 data 0xd108a200
 vfsconf: ops 0xd098d7a0 name ffs num 1 ref 3 flags 0x1000
 statvfs cache: bsize 800 iosize 4000
 blocks 403383 free 375320 avail 355151
   files 102910 ffiles 100646 favail 100646
   f_fsidx {0x400, 0xc8a5ad54} owner 0 ctime 0x52640b1d
   syncwrites 325 asyncwrites = 340
   syncreads 8881 asyncreads = 0
   fstype ffs mnton / mntfrom /dev/sd0a mntspec ab8fcda4850f14e9.a
 locked vnodes:
 0xd3165ea8, 0xd316a310
 [... others partitions stripped ...]
 
 ddb> show vnode 0xd3165ea8
 tag UFS(1) type VCHR(4) mount 0xd108b400 typedata 0xd0ffb100
 data 0xd3161298 usecount 2 writecount 0 holdcnt 0 numoutput 0
 
 ddb> show vnode 0xd316a310
 tag UFS(1) type VDIR(2) mount 0xd108b400 typedata 0x0
 data 0xd31851ec usecount 1 writecount 0 holdcnt 3 numoutput 0
 
 
 Does someone have any clue, about what to check or how to debug this ?
 I think I will try the option VFSLCKDEBUG in kernel, but what else ?
 -- 
 Sébastien Marie



Unattended installation - install.conf per server

2013-10-29 Thread Jiri B
Hi,

how would we define specific install.conf for specific host?
We could use rewrite rules based on the client's IP, but what about
rules based on other attributes (hwaddr...)?

I was thinking if it would be possible to pass such values
as HTTP headers values but our `ftp' seems to not allow us
to define own HTTP headers.

So... what is the plan?

jirib



Re: nvidia driver what do you recommend

2013-10-29 Thread Peter J. Philipp
On 10/28/13 11:44, Brett Mahar wrote:
 On Mon, 28 Oct 2013 11:20:32 +0100
 Peter J. Philipp p...@centroid.eu wrote:
 
 | I remember someone else writing to this list before saying the nvidia
 | driver is really slow.  I just upgraded my main workstation from 5.3 to
 | 5.4 and it indeed is.
 | 
 | So I'm wondering what driver I should use because the choppiness of
 | moving windows is laughable, a sad kind of laugh.
 | 
 | Do you recommend I get an ATI/AMD card?  What sorts of models would you
 | recommend?
 | 
 
 The ATI Radeon HD 5450 works great with the recently added radeon KMS code, 
 I got one for A$30 a few weeks ago, no problems seen, definitely no 
 choppiness using mplayer -vo xv in fullscreen 1080p, did have problems with 
 a 96fps 4096x2304 video I tried out, however:-) 
 
 Brett.
 

Hi Brett,

Well I took your advice and bought this card.  I'm not a high
performance freak when it comes to monitor so I think it'll be alright.
 I paid 27 euros on amazon.de for it.  It does match my MSI N250GTS Twin
Frozr 1G in DDR3 1 GB RAM but not sure about performance, I'll have to
see. :-)

Cheers,

-peter



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Andy
Yea its 24.. Would even be happy to offer some champers..

I think this is more of a Maudite crowd.. Connoisseurs on here...

As I understand it you would need to write a small daemon to do the BFD 
state monitoring for the transmission and reception of the heartbeats 
with various peers. The protocol is fairly simple so for an experienced 
dev this should be easy.

Then in OpenBGPD you would need to have a way of gracefully and 
forcefully immediately shutting down the BGP neighbor that matches the 
BFD peer. This could be achieved by simply having the BFD daemon call 
'bgpctl neighbor $bfdpeer down'

It is not so important for OSPF as that already has fast convergence 
time with fast hello's etc.. But for BGP this would make a world of 
difference to remove the BGP routes immediately (in less than a second) 
as soon as the BGP neighbor goes down/becomes unreachable (even if not a 
direct link (multi-hop etc)).


On 28/10/13 21:10, Dan Farrell wrote:
 I'm not sure how much a crate is, but if it's a case (24 bottles), 
 then I'll throw in a case as well for this work.
 Blanche de Chambly, anyone? Or is this more a Maudite crowd?


 Sincerely,

 Dan Farrell


 On Mon, Oct 28, 2013 at 12:54 PM, Andy a...@brandwatch.com 
 mailto:a...@brandwatch.com wrote:

 Hi all,

 Would any of the esteemed OpenBSD developers be interested in
 adding support for BFD (Bidirectional Forward Detection) to OpenBSD.

 The protocol itself seems pretty simple and provides a sub-second
 keep-alive mechanism to monitor links for routes. E.g. Upon BFD
 failure BGP or OSPF can be torn down etc thus allowing for
 sub-second re-convergence of i/eBGP!

 I can only offer a crate of beer to anyone who has the skills and
 is willing :)

 '+1's welcome from others who would be interested to show signs of
 support/interest..

 Cheers, Andy.



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Andy

Code snippets can be seen on;

http://sourceforge.net/projects/kbfd/
http://sourceforge.net/projects/bfdd/

Editing these to compile and work on OpenBSD and run 'bgpctl neighbor 
$bfdpeer down' etc is beyond my skills..


Thanks for reading, Andy.

On Tue 29 Oct 2013 11:16:20 GMT, Andy wrote:

Yea its 24.. Would even be happy to offer some champers..

I think this is more of a Maudite crowd.. Connoisseurs on here...

As I understand it you would need to write a small daemon to do the BFD
state monitoring for the transmission and reception of the heartbeats
with various peers. The protocol is fairly simple so for an experienced
dev this should be easy.

Then in OpenBGPD you would need to have a way of gracefully and
forcefully immediately shutting down the BGP neighbor that matches the
BFD peer. This could be achieved by simply having the BFD daemon call
'bgpctl neighbor $bfdpeer down'

It is not so important for OSPF as that already has fast convergence
time with fast hello's etc.. But for BGP this would make a world of
difference to remove the BGP routes immediately (in less than a second)
as soon as the BGP neighbor goes down/becomes unreachable (even if not a
direct link (multi-hop etc)).


On 28/10/13 21:10, Dan Farrell wrote:

I'm not sure how much a crate is, but if it's a case (24 bottles),
then I'll throw in a case as well for this work.
Blanche de Chambly, anyone? Or is this more a Maudite crowd?


Sincerely,

Dan Farrell


On Mon, Oct 28, 2013 at 12:54 PM, Andy a...@brandwatch.com
mailto:a...@brandwatch.com wrote:

 Hi all,

 Would any of the esteemed OpenBSD developers be interested in
 adding support for BFD (Bidirectional Forward Detection) to OpenBSD.

 The protocol itself seems pretty simple and provides a sub-second
 keep-alive mechanism to monitor links for routes. E.g. Upon BFD
 failure BGP or OSPF can be torn down etc thus allowing for
 sub-second re-convergence of i/eBGP!

 I can only offer a crate of beer to anyone who has the skills and
 is willing :)

 '+1's welcome from others who would be interested to show signs of
 support/interest..

 Cheers, Andy.




Re: Notifies on CARP failover

2013-10-29 Thread Andy

Thanks for ideas and examples guys :)

Cheers, Andy.


On 24/10/13 14:18, Comète wrote:

I use ifstated for that. This is my config file:

init-state auto

carp_up = carp3.link.up && carp10.link.up && carp101.link.up && carp100.link.up && carp254.link.up && carp2.link.up && carp7.link.up && carp4.link.up


carp_down = carp3.link.down && carp10.link.down && carp101.link.down && carp100.link.down && carp254.link.down && carp2.link.down && carp7.link.down && carp4.link.down


state auto {
if $carp_up {
set-state primary
}
if $carp_down {
set-state backup
}
}

state primary {
init {
run /root/scripts/alert_ifstated.sh MASTER
}

if $carp_down {
set-state backup
}
}

state backup {
init {
run /root/scripts/alert_ifstated.sh BACKUP
}

if $carp_up {
set-state primary
}
}

This is the little script alert_ifstated.sh too:

#!/bin/sh
# called by ifstated with MASTER or BACKUP as $1
ifconfig carp | mail -s "[RTR Failover] `hostname` is now $1" m...@address.me



Hope this helps...

Morgan


Le 24/10/2013 10:59, Andy a écrit :

Hi,

Could anyone point me in the right direction on how to have a script
be executed whenever a CARP failover or preempt event occurs?

Need to write a script to send an event message into our monitoring
systems so we can see when a change has occurred.

I haven't used ifstated yet, is this the right tool for this? and if
so could someone throw me an example if you have one?

Thanks, Andy.




Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Artturi Alm

On 10/29/13 13:45, Andy wrote:

Code snippets can be seen on;

http://sourceforge.net/projects/kbfd/
http://sourceforge.net/projects/bfdd/

Editing these to compile and work on OpenBSD and run 'bgpctl neighbor
$bfdpeer down' etc is beyond my skills..



No editing will make the license work in the OpenBSD kernel, I think.

-Artturi


Thanks for reading, Andy.

On Tue 29 Oct 2013 11:16:20 GMT, Andy wrote:

Yea its 24.. Would even be happy to offer some champers..

I think this is more of a Maudite crowd.. Connoisseurs on here...

As I understand it you would need to write a small daemon to do the BFD
state monitoring for the transmission and reception of the heartbeats
with various peers. The protocol is fairly simple so for an experienced
dev this should be easy.

Then in OpenBGPD you would need to have a way of gracefully and
forcefully immediately shutting down the BGP neighbor that matches the
BFD peer. This could be achieved by simply having the BFD daemon call
'bgpctl neighbor $bfdpeer down'

It is not so important for OSPF as that already has fast convergence
time with fast hello's etc.. But for BGP this would make a world of
difference to remove the BGP routes immediately (in less than a second)
as soon as the BGP neighbor goes down/becomes unreachable (even if not a
direct link (multi-hop etc)).


On 28/10/13 21:10, Dan Farrell wrote:

I'm not sure how much a crate is, but if it's a case (24 bottles),
then I'll throw in a case as well for this work.
Blanche de Chambly, anyone? Or is this more a Maudite crowd?


Sincerely,

Dan Farrell


On Mon, Oct 28, 2013 at 12:54 PM, Andy a...@brandwatch.com
mailto:a...@brandwatch.com wrote:

 Hi all,

 Would any of the esteemed OpenBSD developers be interested in
 adding support for BFD (Bidirectional Forward Detection) to
OpenBSD.

 The protocol itself seems pretty simple and provides a sub-second
 keep-alive mechanism to monitor links for routes. E.g. Upon BFD
 failure BGP or OSPF can be torn down etc thus allowing for
 sub-second re-convergence of i/eBGP!

 I can only offer a crate of beer to anyone who has the skills and
 is willing :)

 '+1's welcome from others who would be interested to show signs of
 support/interest..

 Cheers, Andy.




Re: Unattended installation - install.conf per server

2013-10-29 Thread Uwe Stuehler
On Tue, Oct 29, 2013 at 06:16:54AM -0400, Jiri B wrote:
 Hi,
 
 how would we define specific install.conf for specific host?
 We could use rewrite rules based on the client's IP, but what about
 rules based on other attributes (hwaddr...)?
 
 I was thinking if it would be possible to pass such values
 as HTTP headers values but our `ftp' seems to not allow us
 to define own HTTP headers.
 
 So... what is the plan?

The HTTP GET request can pass query arguments, so it would look like:

http://server/install.conf?mac=xx:xx:xx:xx:xx:xx...

That way a static file can be served or it can be generated by a CGI
script.



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Adam Thompson

On 13-10-28 11:54 AM, Andy wrote:
Would any of the esteemed OpenBSD developers be interested in adding 
support for BFD (Bidirectional Forward Detection) to OpenBSD.

[...]
'+1's welcome from others who would be interested to show signs of 
support/interest..


I can only agree, BFD support would be a very nice thing to have, 
considering that in other ways OpenBSD is already a very capable 
router.  I'm not in a position right now to pay someone properly to 
implement it, but I can sustain the cost of another case or three of beer.


--
-Adam Thompson
 athom...@athompso.net



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Andy

On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:

On 13-10-28 11:54 AM, Andy wrote:

Would any of the esteemed OpenBSD developers be interested in adding
support for BFD (Bidirectional Forward Detection) to OpenBSD.
[...]
'+1's welcome from others who would be interested to show signs of
support/interest..


I can only agree, BFD support would be a very nice thing to have,
considering that in other ways OpenBSD is already a very capable
router.  I'm not in a position right now to pay someone properly to
implement it, but I can sustain the cost of another case or three of
beer.



Amazing!

So we just need to find an alcoholic developer and we're on our way ;) 
Could maybe send some caffeine and pro plus in the mean time ..




Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread sven falempin
So this is an ICMP ping with some authentication (on the gateway of a
route) ??

Why is this not overkill ?


On Tue, Oct 29, 2013 at 11:01 AM, Andy a...@brandwatch.com wrote:

 On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:

 On 13-10-28 11:54 AM, Andy wrote:

 Would any of the esteemed OpenBSD developers be interested in adding
 support for BFD (Bidirectional Forward Detection) to OpenBSD.
 [...]
 '+1's welcome from others who would be interested to show signs of
 support/interest..


 I can only agree, BFD support would be a very nice thing to have,
 considering that in other ways OpenBSD is already a very capable
 router.  I'm not in a position right now to pay someone properly to
 implement it, but I can sustain the cost of another case or three of
 beer.


 Amazing!

 So we just need to find an alcoholic developer and we're on our way ;)
 Could maybe send some caffeine and pro plus in the mean time ..




-- 
-
() ascii ribbon campaign - against html e-mail
/\



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Adam Thompson

On 13-10-29 10:01 AM, Andy wrote:

Amazing!

So we just need to find an alcoholic developer and we're on our way ;) 
Could maybe send some caffeine and pro plus in the mean time ..


Are there any OpenBSD developers who don't like beer and/or caffeine?

Mind you, many of them are getting as old as I am, so large quantities 
of beer and caffeine may no longer be ideal.


--
-Adam Thompson
 athom...@athompso.net



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Andy
No this is more than ping..

In essence it is, but is standardised and is supported on many vendors 
equipment including Cisco and Juniper etc as used by all our Transit 
providers..

It means that not only do we remove our BGP routes, but it means that 
our carriers also remove the routes for our ASN immediately allowing 
inbound traffic destined for us to be instantly rerouted via another one 
of the redundant Transit links for example instead of waiting a /long/ 
time for BGP..

http://en.wikipedia.org/wiki/Bidirectional_Forwarding_Detection


On 29/10/13 15:05, sven falempin wrote:
 So this is an ICMP ping with some authentication (on the gateway of a
 route) ??

 Why is this not overkill ?


 On Tue, Oct 29, 2013 at 11:01 AM, Andy a...@brandwatch.com wrote:

 On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:

 On 13-10-28 11:54 AM, Andy wrote:

 Would any of the esteemed OpenBSD developers be interested in adding
 support for BFD (Bidirectional Forward Detection) to OpenBSD.
 [...]
 '+1's welcome from others who would be interested to show signs of
 support/interest..

 I can only agree, BFD support would be a very nice thing to have,
 considering that in other ways OpenBSD is already a very capable
 router.  I'm not in a position right now to pay someone properly to
 implement it, but I can sustain the cost of another case or three of
 beer.


 Amazing!

 So we just need to find an alcoholic developer and we're on our way ;)
 Could maybe send some caffeine and pro plus in the mean time ..



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Gregory Edigarov

On 10/28/2013 06:54 PM, Andy wrote:

Hi all,

Would any of the esteemed OpenBSD developers be interested in adding support 
for BFD (Bidirectional Forward Detection) to OpenBSD.

The protocol itself seems pretty simple and provides a sub-second keep-alive 
mechanism to monitor links for routes. E.g. Upon BFD failure BGP or OSPF can be 
torn down etc thus allowing for sub-second re-convergence of i/eBGP!

I can only offer a crate of beer to anyone who has the skills and is willing :)

'+1's welcome from others who would be interested to show signs of 
support/interest..


I still don't see how this is different from ifstated?
You can use it to ping your neighbour, then issue the 'bgpctl neighbor 
$your_fallen_neighbour down' command.


--
With best regards,
 Gregory Edigarov
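The ifstated(8) setup Gregory sketches, written out as a constructed example (it is not from any poster): an external ping test against an eBGP neighbour, with bgpctl(8) run on each state transition. The neighbour address 192.0.2.1 is a placeholder.

```conf
# /etc/ifstated.conf, constructed example: withdraw the BGP session to a
# neighbour as soon as it stops answering pings, and re-enable it when
# it answers again.
init-state neighbor_up

# One echo request every 2 seconds, at most 1 second waiting for a reply;
# a single missed reply counts as a failure.
neighbor_alive = '"ping -q -c 1 -w 1 192.0.2.1 > /dev/null 2>&1" every 2'

state neighbor_up {
	if ! $neighbor_alive {
		run "logger -t ifstated 'neighbor 192.0.2.1 unreachable, taking BGP session down'"
		run "bgpctl neighbor 192.0.2.1 down"
		set-state neighbor_down
	}
}

state neighbor_down {
	if $neighbor_alive {
		run "logger -t ifstated 'neighbor 192.0.2.1 reachable again, bringing BGP session up'"
		run "bgpctl neighbor 192.0.2.1 up"
		set-state neighbor_up
	}
}
```

Two limits are worth knowing before relying on this. The `every` interval is whole seconds, so detection takes seconds rather than the milliseconds a BFD session is configured for, and only this side of the session acts: the neighbour keeps using the routes it learned from you until its own hold timer expires, unless it runs an equivalent check against you.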



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Peter Hessler
On 2013 Oct 29 (Tue) at 17:44:51 +0200 (+0200), Gregory Edigarov wrote:
:On 10/28/2013 06:54 PM, Andy wrote:
:Hi all,
:
:Would any of the esteemed OpenBSD developers be interested in adding support 
for BFD (Bidirectional Forward Detection) to OpenBSD.
:
:The protocol itself seems pretty simple and provides a sub-second keep-alive 
mechanism to monitor links for routes. E.g. Upon BFD failure BGP or OSPF can be 
torn down etc thus allowing for sub-second re-convergence of i/eBGP!
:
:I can only offer a crate of beer to anyone who has the skills and is willing 
:)
:
:'+1's welcome from others who would be interested to show signs of 
support/interest..
:
:I still don't see how this is different from ifstated?
:You can use it to ping your neighbour, then issue the 'bgpctl neighbor 
$your_fallen_neighbour down' command.
:
:
:-- 
:With best regards,
: Gregory Edigarov
:

A) It's at the router level
B) *they* also run it
C) This is at ultra-tiny MS resolution
D) Somebody got paid a bonus for the RFC


-- 
A little inaccuracy sometimes saves tons of explanation.
-- H. H. Munroe, Saki



Re: Help vote for OpenBSD

2013-10-29 Thread opendaddy
Don't forget to vote!

On 9. oktober 2013 at 2:09 PM, openda...@hushmail.com wrote:

Hi,

Could you guys help me vote for OpenBSD at Digital Ocean?

https://digitalocean.uservoice.com/forums/136585-digital-ocean/suggestions/3232571-support-bsd-os-

Basically it's the only SSD cloud hosting provider 
(https://www.youtube.com/watch?v=vHZLCahai4Q)
in existence and if the response is good enough, they'll start offering 
OpenBSD.

Thanks!

O.D.



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Antoine Jacoutot
On Tue, Oct 29, 2013 at 10:15:38AM -0500, Adam Thompson wrote:
 Are there any OpenBSD developers who don't like beer and/or caffeine?

You can try bananas, but only monkeys will step up.

-- 
Antoine



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread David Coppa
On Tue, Oct 29, 2013 at 4:53 PM, Antoine Jacoutot ajacou...@bsdfrog.org wrote:
 On Tue, Oct 29, 2013 at 10:15:38AM -0500, Adam Thompson wrote:
 Are there any OpenBSD developers who don't like beer and/or caffeine?

 You can try bananas, but only monkeys will step up.

masturbating monkeys.



/dev/urandom in chroot

2013-10-29 Thread Gabriel Guzman
Hello Misc, 

I have a web program that attempts to access /dev/urandom from within the
/var/www chroot.  Based on archive searches and googling, I've removed 
the nodev flag from that mount and have created the random devices in 
/var/www/dev/* 

This allows the program to work, but I'm wondering if there is a better
way to do this that doesn't involve removing the nodev setting from
/var.  

Would it be preferable to use a language function for getting pseudo 
random bytes instead of relying on the device?

Thanks for your time,
gabe.



Re: /dev/urandom in chroot

2013-10-29 Thread Theo de Raadt
I have a web program that attempts to access /dev/urandom from within the
/var/www chroot.  Based on archive searches and googling, I've removed 
the nodev flag from that mount and have created the random devices in 
/var/www/dev/* 

So basically remove a layer of security.  Awesome.  See what they made
you do?

The /dev/*random nodes are not specified in any standard, furthermore
once you get into chroot all bets are off (like you discovered).

This allows the program to work, but I'm wondering if there is a better
way to do this that doesn't involve removing the nodev setting from
/var.  

Rewrite it so that it uses other ways to get randomness.  The arc4random
API is exposed in various programming layers.

Would it be preferable to use a language function for getting pseudo 
random bytes instead of relying on the device?

Yes.  Definitely.



Re: nvidia driver what do you recommend

2013-10-29 Thread Gilles Cafedjian
I have the same problem but on a dell laptop with integrated NVidia
chip. 
The chip is NVidia Geforce 8600M GS and since I upgraded to 5.4 my
laptop is unusable (very slow window movement). I'm thinking of
reinstalling 5.3 to have a working laptop. I can't change GPU chipset. 
Is there a solution to get a working window manager back? 

Thanks,
Gilles Cafedjian. 

Le 2013-10-29 11:34, Peter J. Philipp a écrit : 

 On 10/28/13 11:44, Brett Mahar wrote:
 
  On Mon, 28 Oct 2013 11:20:32 +0100 Peter J. Philipp p...@centroid.eu 
  wrote:
  | I remember someone else writing to this list before saying the nvidia
  | driver is really slow. I just upgraded my main workstation from 5.3 to
  | 5.4 and it indeed is.
  |
  | So I'm wondering what driver I should use because the choppiness of
  | moving windows is laughable, a sad kind of laugh.
  |
  | Do you recommend I get an ATI/AMD card? What sorts of models would you
  | recommend?
  |
  The ATI Radeon HD 5450 works great with the recently added radeon KMS
  code, I got one for A$30 a few weeks ago, no problems seen, definitely no
  choppiness using mplayer -vo xv in fullscreen 1080p, did have problems
  with a 96fps 4096x2304 video I tried out, however:-)
  Brett.
 
 Hi Brett,
 
 Well I took your advice and bought this card. I'm not a high
 performance freak when it comes to monitor so I think it'll be alright.
 I paid 27 euros on amazon.de for it. It does match my MSI N250GTS Twin
 Frozr 1G in DDR3 1 GB RAM but not sure about performance, I'll have to
 see. :-)
 
 Cheers,
 
 -peter



General question about openbgpd and PF

2013-10-29 Thread OCEANET - Cédric BASSAGET

Hi,
Simple and general question :
Is it a good thing to run PF on an openbgpd server (for security 
reasons), or should I de-activate PF ?


Regards,
Cédric


--
OCEANET
---
[AGENCE DU MANS]
7, rue des Frênes
ZAC de la Pointe
72190 SARGE LES LE MANS
[t] +33 (0)2.43.50.26.50
[f] +33 (0)2.43.72.21.14

[AGENCE D'ANGERS]
5, rue Fleming
Angers Technopole
49066 ANGERS
[t] +33 (0)2.41.19.28.65
[f] +33 (0)2.52.19.22.00

http://www.oceanet.com
http://www.oceanet-telecom.com



Re: /dev/urandom in chroot

2013-10-29 Thread Gabriel Guzman
On 10/29, Theo de Raadt wrote:
 I have a web program that attempts to access /dev/urandom from within the
 /var/www chroot.  Based on archive searches and googling, I've removed 
 the nodev flag from that mount and have created the random devices in 
 /var/www/dev/* 
 
 So basically remove a layer of security.  Awesome.  See what they made
 you do?

Yeah, I didn't feel like that was a great idea.  I was fairly sure the
nodev flag was put there on purpose.  

 
 The /dev/*random nodes are not specified in any standard, furthermore
 once you get into chroot all bets are off (like you discovered).
 
 This allows the program to work, but I'm wondering if there is a better
 way to do this that doesn't involve removing the nodev setting from
 /var.  
 
 Rewrite it so that it uses other ways to get randomness.  The arc4random
 API is exposed in various programming layers.
 
 Would it be preferable to use a language function for getting pseudo 
 random bytes instead of relying on the device?
 
 Yes.  Definitely.

Great, thanks for confirmation on that, I'll fix the program so I don't
need to make devices inside my cozy chroot and push the changes upstream.  

gabe.



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Claudio Jeker
On Tue, Oct 29, 2013 at 11:16:20AM +, Andy wrote:
 Yea its 24.. Would even be happy to offer some champers..
 
 I think this is more of a Maudite crowd.. Connoisseurs on here...
 
 As I understand it you would need to write a small daemon to do the BFD 
 state monitoring for the transmission and reception of the heartbeats 
 with various peers. The protocol is fairly simple so for an experienced 
 dev this should be easy.
 
 Then in OpenBGPD you would need to have a way of gracefully and 
 forcefully immediately shutting down the BGP neighbor that matches the 
 BFD peer. This could be achieved by simply having the BFD daemon call 
 'bgpctl neighbor $bfdpeer down'
 
 It is not so important for OSPF as that already has fast convergence 
 time with fast hello's etc.. But for BGP this would make a world of 
 difference to remove the BGP routes immediately (in less than a second) 
 as soon as the BGP neighbor goes down/becomes unreachable (even if not a 
 direct link (multi-hop etc)).
 

BFD should be in kernel and it should change the linkstate like the GRE
keepalive protocol does. Everything else is pretty much madness and
somewhat impossible to do.

PS: I think I have a tree somewhere hiding with some bits added but I
never cared enough to move one. So no beer for me (even though I'm just
getting free Belgian beer). 
-- 
:wq Claudio

 On 28/10/13 21:10, Dan Farrell wrote:
  I'm not sure how much a crate is, but if it's a case (24 bottles), 
  then I'll throw in a case as well for this work.
  Blanche de Chambly, anyone? Or is this more a Maudite crowd?
 
 
  Sincerely,
 
  Dan Farrell
 
 
  On Mon, Oct 28, 2013 at 12:54 PM, Andy a...@brandwatch.com 
  mailto:a...@brandwatch.com wrote:
 
  Hi all,
 
  Would any of the esteemed OpenBSD developers be interested in
  adding support for BFD (Bidirectional Forward Detection) to OpenBSD.
 
  The protocol itself seems pretty simple and provides a sub-second
  keep-alive mechanism to monitor links for routes. E.g. Upon BFD
  failure BGP or OSPF can be torn down etc thus allowing for
  sub-second re-convergence of i/eBGP!
 
  I can only offer a crate of beer to anyone who has the skills and
  is willing :)
 
  '+1's welcome from others who would be interested to show signs of
  support/interest..
 
  Cheers, Andy.



downing vlan(4) doesn't remove routes

2013-10-29 Thread Adam Thompson

(Posted last week to tech@, no bites there.  Re-summarizing here.)

I've noticed that downing a vlan(4) interface does not remove the 
associated link-local route from the default routing table.
This seems to directly contradict the ifconfig(8) manpage, which says 
"This action automatically disables routes using the interface."


I can achieve the desired behaviour by deleting the vlan(4) interface, 
but I really don't want to do that.
I can also achieve the desired behaviour by setting the IP address to 
0.0.0.0, but that also is undesirable.


Am I missing something, or is this broken?

--
-Adam Thompson
 athom...@athompso.net



bgpd(8) EGP vs IGP question

2013-10-29 Thread Adam Thompson
I've got two border gateways that peer (eBGP) with the same external AS; 
they also peer with each other (iBGP) as per normal BGP design.


Naturally, the BGP RIB contains two copies of every route; one learned 
from the external peer and one learned from the internal peer.


However, when I run "bgpctl show", both routes are marked with origin 
"i" (i.e. IGP).


Do I have to use "set origin egp" in the external neighbour's stanza in 
/etc/bgpd.conf?  Doing so works, and produces the expected output, but 
should it be necessary?


--
-Adam Thompson
 athom...@athompso.net



Re: Request to OpenBSD Dev's - Beer on offer

2013-10-29 Thread Kenneth R Westerback
On Tue, Oct 29, 2013 at 03:01:22PM +, Andy wrote:
 On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:
 On 13-10-28 11:54 AM, Andy wrote:
 Would any of the esteemed OpenBSD developers be interested in adding
 support for BFD (Bidirectional Forward Detection) to OpenBSD.
 [...]
 '+1's welcome from others who would be interested to show signs of
 support/interest..
 
 I can only agree, BFD support would be a very nice thing to have,
 considering that in other ways OpenBSD is already a very capable
 router.  I'm not in a position right now to pay someone properly to
 implement it, but I can sustain the cost of another case or three of
 beer.
 
 
 Amazing!
 
 So we just need to find an alcoholic developer and we're on our way
 ;) Could maybe send some caffeine and pro plus in the mean time ..
 

Finding an alcoholic developer is not a challenge. :-)

 Ken



Re: General question about openbgpd and PF

2013-10-29 Thread Loïc BLOT
Hi,
I use PF on some OpenBSD BGP+OSPF routers on Renater (IPv4 + IPv6), it
works like a charm.
Why this question ?

The pf rules are simple:

pass in quick proto tcp from $bgp_neighbor_1 to $self_peering_1 port 179
pass out quick proto tcp from $self_peering_1 to $bgp_neighbor_1 port 179


--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le mardi 29 octobre 2013 à 18:27 +0100, OCEANET - Cédric BASSAGET a
écrit :
 Hi,
 Simple and general question :
 Is it a good thing to run PF on an openbgpd server (for security
 reasons), or should I de-activate PF ?

 Regards,
 Cédric




Re: bgpd(8) EGP vs IGP question

2013-10-29 Thread Sebastian Benoit
Adam Thompson(athom...@athompso.net) on 2013.10.29 15:20:04 -0500:
 I've got two border gateways that peer (eBGP) with the same external AS; 
 they also peer with each other (iBGP) as per normal BGP design.
 
 Naturally, the BGP RIB contains two copies of every route; one learned 
 from the external peer and one learned from the internal peer.
 
 However, when I run bgpctl show, both routes are marked with origin 
 i (i.e. IGP).
 
 Do I have to use set origin egp in the external neighbour's stanza in 
 /etc/bgpd.conf?  Doing so works, and produces the expected output, but 
 should it be necessary?

The origin attribute doesn't mean what you think it does!

It is information added by the originating router of that route:

i stands for IGP (not iBGP) and means the route was redistributed from
an IGP (e.g. OSPF) into BGP.

e means EGP, meaning the route was learned by an EGP.

and ? (incomplete) is used for everything else (for example static routes
being redistributed).

The origin is used in step 5 of the decision process in bgpd (see bgpd(8)),
and the set origin option can be used to change the origin of routes to
manipulate the process of selecting routes.

But you should never just use set origin on all your bgp sessions to other
ASes just because they are eBGP sessions.

/Benno
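To make Benno's point concrete, here is an added bgpd.conf fragment (not from the thread, and not Adam's configuration; AS numbers, prefixes and peer addresses are assumed). The ORIGIN attribute is attached where a prefix is injected into BGP, so it belongs on the network statements of the originating router, not on the eBGP sessions:

```conf
# Added example /etc/bgpd.conf; AS numbers, prefixes and addresses are assumed.
AS 64500
router-id 192.0.2.1

# Routes originated by this router. ORIGIN describes how the prefix got
# into BGP here: the OSPF-learned block is marked igp, the static route
# incomplete. Both stay "i" / "?" wherever they are seen afterwards.
network 198.51.100.0/24 set origin igp
network 203.0.113.0/24 set origin incomplete

# eBGP session to the upstream. No origin manipulation here: whatever the
# upstream originated arrives with the origin its originating router set.
group "upstream" {
        remote-as 64496
        neighbor 192.0.2.254 {
                descr "upstream-a"
        }
}

# iBGP session to the other border router in our AS. Routes learned from
# the upstream and relayed here keep their origin, which is why both copies
# in the RIB show the same "i".
neighbor 192.0.2.2 {
        remote-as 64500
        descr "border-b"
}

# Don't do this just to make bgpctl print "e" on external routes: origin is
# compared in the decision process, so changing it changes which path wins.
# match from group "upstream" set origin egp
```

Check the result with bgpctl show rib detail for one of the prefixes: the "Origin:" line shows what the originating router set, and in bgpctl show rib the origin letter is a separate column from the I (via iBGP) flag, which is the distinction the question conflated.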



Re: bgpd(8) EGP vs IGP question

2013-10-29 Thread Stuart Henderson
On 2013-10-29, Sebastian Benoit benoit-li...@fb12.de wrote:
 It is a information added by the originating router of that route:

or in some cases, by a transit provider trying to steer traffic towards them ;)



Re: General question about openbgpd and PF

2013-10-29 Thread Stuart Henderson
On 2013-10-29, OCEANET - Cédric BASSAGET ced...@oceanet.com wrote:
 Hi,
 Simple and general question :
 Is it a good thing to run PF on an openbgpd server (for security 
 reasons), or should I de-activate PF ?

I use it, partly to mitigate ssh brute-force, partly so I can easily enable
pflow if I want to get stats, and partly so I can block crap at the borders
without having to send it over wan links.



Re: General question about openbgpd and PF

2013-10-29 Thread Sebastian Benoit
OCEANET - Cédric BASSAGET(ced...@oceanet.com) on 2013.10.29 18:27:09 +0100:
 Hi,
 Simple and general question :
 Is it a good thing to run PF on an openbgpd server (for security 
 reasons), or should I de-activate PF ?

Yes, in general you should:

At least to make sure only traffic from your own address space leaves your
network, and only traffic to your own address space enters your network,
read http://tools.ietf.org/html/bcp38

If you run BGP, chances are that you will have more than one router. In that
case you have to consider that a router does not see both directions of the
traffic. In that case use either no state or sloppy rules.

/Benno
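An added pf.conf example (not from either reply in this thread) that puts Loïc's port 179 rules, Benno's BCP38 advice and the no state / sloppy point for multi-router setups into one ruleset, plus the ssh brute-force throttling Stuart mentioned. Interface names, prefixes and peer addresses are assumed; it is IPv4 only:

```conf
# Added example /etc/pf.conf for an IPv4 BGP border router.
# Interface, prefixes and peer addresses are assumed, not from the thread.
ext_if = "em0"
int_if = "em1"
bgp_neighbor_1 = "192.0.2.254"      # upstream's side of the peering link
self_peering_1 = "192.0.2.1"        # our side of the peering link

# Our own prefixes go in a table: negation ("!") on a {} list does not do
# what you expect, but "! <table>" does.
table <our_space> const { 198.51.100.0/24, 203.0.113.0/24 }
table <bruteforce> persist

set skip on lo0
block log all                       # default deny; the quick rules below win

# The BGP session terminates on this router, so pf sees both directions of
# it and ordinary stateful rules are fine here.
pass in  quick on $ext_if proto tcp from $bgp_neighbor_1 to $self_peering_1 port 179
pass out quick on $ext_if proto tcp from $self_peering_1 to $bgp_neighbor_1 port 179

# Management ssh, throttled with the overload idiom from pf.conf(5).
block in quick on $ext_if from <bruteforce>
pass in quick on $ext_if proto tcp to $self_peering_1 port 22 \
        keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# The router's own traffic on the peering link (ICMP, traceroute replies)
# is sourced from an address outside <our_space>, so let it out before
# the BCP38 rule below.
pass out quick on $ext_if from $self_peering_1

# BCP38 at the edge: our own prefixes never arrive from outside, and nothing
# leaves with a source address outside them.
block in  log quick on $ext_if from <our_space>
block out log quick on $ext_if from ! <our_space>

# Forwarded traffic. With two border routers this box may see only one
# direction of a flow, so do not build full TCP state: "no state" here, or
# "keep state (sloppy)" if you still want entries in the state table.
pass in  quick on $ext_if to <our_space> no state
pass out quick on $ext_if from <our_space> no state
pass quick on $int_if no state
```

Load it with pfctl -nf /etc/pf.conf first to catch syntax errors, and check the BCP38 rules with pfctl -sr and a spoofed-source test from the inside. The ssh throttle only affects connections to the router itself; forwarded flows are still subject to the no state rules, so a lost or asymmetric return path does not tear them down.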



Re: Yubikey login: bad file descriptor.

2013-10-29 Thread Stuart Henderson
On 2013-10-28, Pieter Verberne pieterverbe...@xs4all.nl wrote:
 What I actually wanted to do: I want to use two-factor authentication
 over ssh using passwd+yubikey. Is this possible? It looks like yubikey
 will 'replace' passwd authentication, and cannot supplement it.

You're right, login_yubikey does replace passwd auth. bsdauth doesn't
let you request multiple passwords. Only way I came up with to achieve
this was to have a single bsdauth method which requests an otp *and*
password, and checks both of them (used for login_totp-and-pwd in the
login_oath package)..

 Off topic:
 How safe is certificate authentication? I'll use an encrypted private
 key on my client computers. If someone gets his hands on the encrypted
 key, they can do an offline password attack, which seems less safe than
 an online attack.

Certainly less noisy..

SSH will let you require 2-factor auth with both a password-like login
method which could be a password or a yubikey, and the ssh key. See
sshd_config(5):

 AuthenticationMethods
 Specifies the authentication methods that must be successfully
 completed for a user to be granted access.  This option must be
 followed by one or more comma-separated lists of authentication
 method names.  Successful authentication requires completion of
 every method in at least one of these lists.
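Putting that together for Pieter's case, here is an added configuration (not from Stuart's reply, and not the login_oath package's files) that requires the ssh key and a Yubikey OTP for every login. The class name, the use of auth-ssh in login.conf and the assumption that the yubikey bsdauth style is already set up per login_yubikey(8) are mine:

```conf
# /etc/ssh/sshd_config (added example; option values are assumed)
PubkeyAuthentication yes
PasswordAuthentication no                 # no plain password path at all
ChallengeResponseAuthentication yes       # sshd reaches bsdauth via keyboard-interactive
# Both methods in the single list must succeed: the ssh key AND the bsdauth
# challenge. A stolen, even cracked, private key alone is not enough.
AuthenticationMethods publickey,keyboard-interactive:bsdauth

# /etc/login.conf (added example; the "staff" class is assumed)
# sshd asks bsdauth for the "auth-ssh" style, so make that the yubikey one.
# Console logins and su keep the class's normal passwd style.
staff:\
        :auth-ssh=yubikey:\
        :tc=default:
```

After editing login.conf, rebuild the database if you use one (cap_mkdb /etc/login.conf), put the users who should get the OTP prompt into that class, and test from a second session before closing the one you are in: a key-only client should now be refused with "Permission denied (keyboard-interactive)" rather than logged in.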



Coursera

2013-10-29 Thread moss
Hi,

I lurk here as I'm learning OpenBSD but I write now because I'm a little
alarmed with a feature called Signature Track on Coursera.

I'm doing a free online course on the Introduction to Philosophy run from
the University of Edinburgh. https://www.coursera.org/course/introphil The
course is so good I wanted to give a little something in return. The only
way of doing this offered was pay $50.00 for a course certificate.

However to get this they want to verify who you are. OK seems reasonable.
But on going to the Signature Track to do this
https://www.coursera.org/signature/course/introphil/970720?utm_source=sparkutm_medium=bannerbox
the verification consists of recording your typing pattern, taking a photo
from your webcam and a photo of your drivers ID (the latter is supposed to
be deleted once it is used for verification.)

From the FAQ
Q. How does typing pattern recognition work?
A. We will ask you to type a short phrase. Then we use the characteristics
of your unique typing pattern, such as the time (in milliseconds) between
your keystrokes and the duration you press a key down, to confirm your
identity. Small typos and minor day-to-day changes in your typing pattern
are okay.

I tried to attach a small screen dump but failed.

Now I cannot know how any of this might be used in the future can I? So
I'm giving them nothing at this point. Do you think I'm right?

Thanks
Moss



[Fwd: Coursera]

2013-10-29 Thread Maurice McCarthy
OK here is the screen dump.
Moss

----- Original Message -----
Subject: Coursera
From: McCarthy, Maurice maurice.mccar...@maerskoil.com
Date: Wed, October 30, 2013 12:47 am
To: 'm...@mythic-beasts.com' m...@mythic-beasts.com




Coursera

2013-10-29 Thread Maurice McCarthy
Yes, I'd forgotten about demime. For anyone who is interested, the screen dump
is now posted at https://ubuntuone.com/3PBTfO0UENZO8yS8xvVqcF

Apologies to Monty, I'd intended to reply to the list and not personally. So
this is a resend to the right address.

As it happens next week's lecture is on morality. That should be another fine
place to raise the issue. As you say though I ought to raise it with Coursera
themselves.

Thanks
Moss


 On Wed, 30 Oct 2013, Maurice McCarthy wrote:

 OK here is the screen dump.

 Demime took those out.  But this really isn't the place
 to discuss this.  You might try Coursera's forums instead.
 They shouldn't mind a rational discussion of risks...

 m

 --
 Monty Brandenberg



OpenBSD maintenance compared to FreeBSD

2013-10-29 Thread David Noel
I started playing around with FreeBSD back in the 2.2.7 days. I'd
describe myself as a casual desktop/workstation user. Back in the day
I was attracted to OpenBSD's heavy focus on security but was pulled
towards FreeBSD due to a good friend of mine being a FreeBSD
contributor (dude, trust me, it's the way to go). Recently I've
purchased a handful of servers for a software project I've been
working on and have started reconsidering my choice of OS's.
Administering a single FreeBSD workstation isn't too much of a
headache; I've kind of gotten used to having to rebuild kernel and
world every few months as security advisories are released. But now
that I'm administering 6 of them I'm really starting to get annoyed by
the whole process: rebuild kernel... rebuild world... reboot, and then
pray that it doesn't blow up in my face (as it often does). That got
me thinking about OpenBSD. Looking at the security advisories the last
one I see was from nearly a year and a half ago! That's pretty
incredible to me. Does this mean that I could theoretically have
gotten away with a year and a half uptime? What's the catch here? I'm
sorry, but I'm incredulous at how good it sounds, so I have to ask. For
me the biggest selling points of an operating system are security and
maintenance. I've been wowed by ZFS, but really how often do
filesystems need to be fsck'd? --and I never take snapshots. I feel
like I could do without it. UFS+J is good enough. Given my priorities,
does it sound like OpenBSD could be the one for me?



5.4 CDs in New Zealand

2013-10-29 Thread Richard Toohey

Hi, all.

CD sets arrived today in Tauranga, New Zealand.

Thanks to Theo and all the developers and other people behind OpenBSD - 
your work is much appreciated.




Looking for a laptop in the Toronto area

2013-10-29 Thread Brad Smith

Hi,

I added an entry to want.html as I am looking for a laptop to replace 
the laptop I have at the moment which has some really bad heat related 
issues and I have been hobbling along with it for awhile now. I am in 
the Toronto area. I thought I would post to misc@ for some greater 
exposure. Is there anyone that would be able to help me out?

