Re: openbgpd ipv6 nexthop
* Mickael Torres [2014-08-19 20:16]:
> I'm using openbgpd on a pair of carped firewall (openbsd 5.5-stable) to
> announce IPv4 routes to a cisco 7600.

send a few extra prefixes, these bad switches from 1999 that marketing painted differently to call it "router" really like that.

> trying to do the same for IPv6, the set nexthop statement in the bgpd.conf
> has no effect. The cisco receives the prefixes with the non-carp IP of each
> firewall as nexthop.

that smells like a bug.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: ifconfig command for IPv6 tunnel
Also, do note that this just means that this particular box has ipv6 connectivity. If you want to have clients at home behind this one, you should get another v6 network to use behind this gateway.

And I agree with Adam, you got most of it correct. I would add the route command to hostname.gif0 with the ! before so it is used only when gif0 is taken up.

2014-08-20 6:38 GMT+02:00 Adam Thompson :
> On 14-08-19 10:40 PM, Charles Musser wrote:
>
>> I'm experimenting with using IPv6 via a tunnel broker provided by an
>> ISP. The tunnel works, but I want to confirm my understanding of the
>> commands they gave me to set it up. These are the commands:
>>
>> ifconfig gif0 tunnel 50.1.94.112 72.52.104.74
>> ifconfig gif0 inet6 alias 2001:470:1f04:204::2 2001:470:1f04:204::1 prefixlen 128
>> route -n add -inet6 default 2001:470:1f04:204::1
>> [...]
>
> IIRC from my experimentation, you've got it exactly right.
> Some tunnel brokers give you subnet masks that certain versions of OpenBSD
> don't like - that turns out to not actually matter, just use whatever
> ifconfig(8) wants. Point in case: HE recommends using /64 for PtP links,
> but OpenBSD 5.x requires /128. Since HE allocates an entire /64 per
> tunnel, there is no danger in configuring it more narrowly on the client
> end.
>
> The hostname.if(5) syntax that finally worked for me on 5.4-RELEASE was
> (slightly anonymized)
>
>> description HE_TUNNEL_FREMONT
>> tunnel 184.70.48.XXX
>> dest 64.71.128.83
>> inet6 2001:470::X::2
>> dest 2001:470::X::1 prefixlen 128
>
> which perhaps adds some clarity, or perhaps confuses, depending on your
> point of view. I can't remember whether (in the non-BGP case) I added the
> route command as "!route -n add -inet6 default 2001:470:1f04:204::1" to the
> hostname.gif0 file, or if I added it to /etc/mygate - one or the other
> should work, anyway.
>
> --
> -Adam Thompson
> athom...@athompso.net

--
May the most significant bit of your life be positive.
Re: pkg_mgr error: "Fatal error: Ustar ... Eror while reading header"
On Mon, Aug 18, 2014 at 6:08 PM, Daniel Villarreal wrote:
> Sorry. This happens for lots of different programs... just tried to use
> pkg_mgr to install gif2png
>
> --- errors --
> Fatal error: Ustar
> [http://ftp.openbsd.org/pub/OpenBSD/5.5/packages/amd64/gif2png-2.5.2p1.tgz][share/doc/gif2png/README]:
> Error while reading header

Huh. Off hand, I don't see anything weird in that file that should make the perl Ustar.pm choke. I'm afraid further analysis will have to await espie's return...

Philip Guenther
Re: rsync -a doesnt keep owner and permissions
On 19.08.2014 17:14, Joseph Borg wrote:

Wouldn't something like duplicity work better for you in this case?

Regards

Sent from my iPad

well as far as I understand its just another abstraction layer added to rsync and I don't want to install something that is basically using something I already have. But thanks for the suggestion

On 19 Aug 2014, at 16:53, Markus Rosjat wrote:

On 19.08.2014 16:40, Erling Westenvik wrote:

On Tue, Aug 19, 2014 at 04:27:11PM +0200, Markus Rosjat wrote:

Is there any other thing I miss with the sudo approach?

Check out --usermap, --groupmap and --chown in the man page. Haven't tried them myself but AFAIK these options were added to rsync(1) late in 2013 or early in 2014.

this may work on a one file or user directory base but if I want to sync a location like /var/www/htdocs this will be a bit overkill and no I don't want to write a script for this if I can avoid it.

--
Vennlig hilsen/Kind regards
Erling Westenvik

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220    fax: +49 351 8107227

Please check whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: dlopen after dlclose crash
On Mon, Aug 18, 2014 at 7:33 AM, Henri Kemppainen wrote:
> Hi, I encountered this problem while trying an application that uses SDL2.
> It turns out that SDL2 opens, closes, and reopens some shared objects from
> the X11 sets. And doing that in the specific order it does, one of the
> eventual dlopen calls will crash. Here's a minimal test case:
...
> There are some other combinations of shared objects that will also result in
> the same crash. It can be worked around by changing the order in which they
> are opened or closed (changing both works too). Nothing in the man page
> suggests to me that the order should be critical, so this looks like a bug.

Yep.

> I might dig deeper once I find the time, but perhaps someone already
> familiar with the code might want to take a look at it before I waste a
> week on it ;-)

The issue is the change in ld.so/library_subr.c rev 1.34. If you back that change out, the crash disappears.

The problem is that no one makes changes to the linkages inside ld.so out of boredom: there was some previous program that crashed without that change, but the details weren't documented or preserved in a regress/ program. I've made a couple stabs at reproducing the original program so that we can be sure to keep it fixed when fixing this, but haven't been able to pin down a case where the committed change solved the problem.

If you can figure that out, I would gladly buy you a beer or three. Elsewise we're reaching the point where we back that change out and wait for someone to complain... :-(

Philip Guenther
Re: ifconfig command for IPv6 tunnel
On 14-08-19 10:40 PM, Charles Musser wrote:
> I'm experimenting with using IPv6 via a tunnel broker provided by an
> ISP. The tunnel works, but I want to confirm my understanding of the
> commands they gave me to set it up. These are the commands:
>
> ifconfig gif0 tunnel 50.1.94.112 72.52.104.74
> ifconfig gif0 inet6 alias 2001:470:1f04:204::2 2001:470:1f04:204::1 prefixlen 128
> route -n add -inet6 default 2001:470:1f04:204::1
> [...]

IIRC from my experimentation, you've got it exactly right.
Some tunnel brokers give you subnet masks that certain versions of OpenBSD don't like - that turns out to not actually matter, just use whatever ifconfig(8) wants. Point in case: HE recommends using /64 for PtP links, but OpenBSD 5.x requires /128. Since HE allocates an entire /64 per tunnel, there is no danger in configuring it more narrowly on the client end.

The hostname.if(5) syntax that finally worked for me on 5.4-RELEASE was (slightly anonymized)

    description HE_TUNNEL_FREMONT
    tunnel 184.70.48.XXX
    dest 64.71.128.83
    inet6 2001:470::X::2
    dest 2001:470::X::1 prefixlen 128

which perhaps adds some clarity, or perhaps confuses, depending on your point of view. I can't remember whether (in the non-BGP case) I added the route command as "!route -n add -inet6 default 2001:470:1f04:204::1" to the hostname.gif0 file, or if I added it to /etc/mygate - one or the other should work, anyway.

--
-Adam Thompson
athom...@athompso.net
Re: foomatic-rip 'f' exited (retcode=9)
I believe that in later versions foomatic (now called cups-filters) has deprecated support for lpd. It still works but you need to create a foomatic wrapper and use it as if= in printcap, parse lpd options and call the original foomatic-rip ...

I will show you an example of such foomatic-rip wrapper as soon as I can find it...

On Tue, Aug 19, 2014 at 11:25 PM, Predrag Punosevac wrote:
> I had a simple printcap file for printing using lpd and foomatic-rip for
> about seven years now but since past release it stop working
>
> predrag@oko$ uname -a
> OpenBSD oko.bagdala2.net 5.6 GENERIC.MP#333 amd64
>
> lp|HP|HP Photosmart 5250:\
>         :lp=/dev/ulpt0:\
>         :af=/etc/foomatic/HP-PhotoSmart_C5200.ppd:\
>         :if=/usr/local/bin/foomatic-rip:\
>         :sh:sd=/var/spool/output:\
>         :lf=/var/log/lpd-errs:
>
> I am of course in the daemon group and /etc/ulpt0 is owned by daemon
> with permission 664. Spooling directory has correct permission. This is
> the only thing I see in log files
>
> Aug 19 23:10:16 oko lpd[15224]: lp: filter 'f' exited (retcode=9)
> Aug 19 23:10:16 oko lpd[15224]: mail sent to user predrag about job stdin on printer lp ((null))
> Aug 19 23:10:16 oko lpd[15224]: lp: job could not be printed (cfA002oko.bagdala2.net)
>
> However /tmp/foomatic-rip-mF6GXB.log is a bit more revealing
>
> foomatic-rip version 1.0.54 running...
> called with arguments: '-w132', '-l66', '-i0', '-n', 'predrag', '-j',
> 'stdin', '-h', 'oko.bagdala2.net', '/etc/foomatic/lpd/lp.ppd'
> No printer definition (option "-P ") specified!
>
> I am getting that even though I replaced my original file with the one
> generated by foomatic-configure utility.
>
> lp|HP|HP PhotoSmart C5200:\
>         :ppdfile=/etc/foomatic/lpd/lp.ppd:\
>         :sd=/var/spool/output/lp:\
>         :lf=/var/log/lpd-errs:\
>         :lp=/dev/ulpt0:\
>         :if=/usr/local/libexec/cups/filter/foomatic-rip:\
>         :af=/etc/foomatic/lpd/lp.ppd:\
>         :sh:\
>         :mx#0:
>
> lp.ppd is just renamed original PPD file which I used for many years. I
> remember there was a way to generate that file from that but I forgot
> how to do it as it was so long time ago.
>
> The above is obviously caused by options passed to foomatic-rip. I also
> dislike the fact that one of the paths involve CUPS.
>
> Can somebody point to me what am I doing wrong here. I noticed that
> /etc/foomatic is no longer created automatically. Also filter.conf file
> is no longer needed?
>
> Thanks!
> Predrag
foomatic-rip 'f' exited (retcode=9)
I had a simple printcap file for printing using lpd and foomatic-rip for about seven years now but since past release it stop working

predrag@oko$ uname -a
OpenBSD oko.bagdala2.net 5.6 GENERIC.MP#333 amd64

lp|HP|HP Photosmart 5250:\
        :lp=/dev/ulpt0:\
        :af=/etc/foomatic/HP-PhotoSmart_C5200.ppd:\
        :if=/usr/local/bin/foomatic-rip:\
        :sh:sd=/var/spool/output:\
        :lf=/var/log/lpd-errs:

I am of course in the daemon group and /etc/ulpt0 is owned by daemon with permission 664. Spooling directory has correct permission. This is the only thing I see in log files

Aug 19 23:10:16 oko lpd[15224]: lp: filter 'f' exited (retcode=9)
Aug 19 23:10:16 oko lpd[15224]: mail sent to user predrag about job stdin on printer lp ((null))
Aug 19 23:10:16 oko lpd[15224]: lp: job could not be printed (cfA002oko.bagdala2.net)

However /tmp/foomatic-rip-mF6GXB.log is a bit more revealing

foomatic-rip version 1.0.54 running...
called with arguments: '-w132', '-l66', '-i0', '-n', 'predrag', '-j', 'stdin', '-h', 'oko.bagdala2.net', '/etc/foomatic/lpd/lp.ppd'
No printer definition (option "-P ") specified!

I am getting that even though I replaced my original file with the one generated by foomatic-configure utility.

lp|HP|HP PhotoSmart C5200:\
        :ppdfile=/etc/foomatic/lpd/lp.ppd:\
        :sd=/var/spool/output/lp:\
        :lf=/var/log/lpd-errs:\
        :lp=/dev/ulpt0:\
        :if=/usr/local/libexec/cups/filter/foomatic-rip:\
        :af=/etc/foomatic/lpd/lp.ppd:\
        :sh:\
        :mx#0:

lp.ppd is just renamed original PPD file which I used for many years. I remember there was a way to generate that file from that but I forgot how to do it as it was so long time ago.

The above is obviously caused by options passed to foomatic-rip. I also dislike the fact that one of the paths involve CUPS.

Can somebody point to me what am I doing wrong here. I noticed that /etc/foomatic is no longer created automatically. Also filter.conf file is no longer needed?

Thanks!
Predrag
Re: VMWare vmx NIC order
On 14-08-19 09:59 PM, Dan Shechter wrote:
> I just wanted to make sure that next time I'll reboot or copy the VM, I'll have the correct bindings.

If it's any consolation, if you move or copy that VM (or .vmx, at least) from one ESXi host to another, the interfaces will get assigned to the same PCI addresses, and detected/enumerated in the same order.

However, there is no guarantee of that remaining true when you move from one VMware product to another (e.g. ESXi -> Workstation) or when you upgrade versions (e.g. ESXi 5.0 -> ESXi 5.1). I have seen this happen.

For that matter, upgrading OpenBSD could also - at least in theory - change the detection order, too. I have not seen this happen since the 2.x days, I think, and I could easily be mistaken even there.

--
-Adam Thompson
athom...@athompso.net
ifconfig command for IPv6 tunnel
Hi,

I'm experimenting with using IPv6 via a tunnel broker provided by an ISP. The tunnel works, but I want to confirm my understanding of the commands they gave me to set it up. These are the commands:

ifconfig gif0 tunnel 50.1.94.112 72.52.104.74
ifconfig gif0 inet6 alias 2001:470:1f04:204::2 2001:470:1f04:204::1 prefixlen 128
route -n add -inet6 default 2001:470:1f04:204::1

The first and third commands make sense to me; they set up an IPv4 tunnel interface and a default route for IPv6. After reading the ifconfig(8) man page I think I sort of understand what the second one does.

Side note: the two IPv6 addresses provided by the tunnel broker are defined, in their terminology, as follows: ::1 is the "server IPv6 address" and ::2 is the "client IPv6 address". Given that, I think the following is true:

- ::1 is the local address of the interface on the IPv6 network.
- The "alias" parameter is superfluous in this case. I tried it without that and got the same result: an operating tunnel.
- Because gif0 is a point-to-point interface, ::2 (the server IP) is interpreted as the "dest_address" parameter mentioned in the ifconfig(8) man page.
- "dest_address" is the far end of the tunnel and, for point-to-point links, serves as the gateway. In this case, it leads to the broader IPv6 universe.

Any confirmation, clarification or correction is much appreciated.

Chuck
Re: VMWare vmx NIC order
Thanks for the thorough explanation.

I just wanted to make sure that next time I'll reboot or copy the VM, I'll have the correct bindings.

On Tue, Aug 19, 2014 at 7:13 PM, Adam Thompson wrote:
> Well, VMware assigns NICs to PCI buses according to the order and/or syntax
> used to define them in the vmx file, whereas OpenBSD enumerates the devices
> by scanning PCI buses in a deterministic order.
> Most likely you can't just change the naming without compiling a custom
> kernel or liberal (reckless?) use of config(8).
> You could try various manipulations of the vmx file to see what the effects
> would be... But there's no direct way to manipulate PCI assignment, only
> indirect.
> VMware does some odd things with PCI resource allocation, I don't know if
> your "problem" - which isn't really a technical problem, that I can see - is
> solvable.
>
> One resource I know of for vmx syntax is http://sanbarrow.com/vmx.html.
>
> -Adam
>
> On August 19, 2014 8:18:32 PM CDT, Dan Shechter wrote:
>>
>> Thanks.
>>
>> I do mean about re-arrange them. Or to be more precise, to make them
>> aligned to what is configured in VMWare's vmx file.
>>
>> Do you think it's not possible?
>>
>> On Tue, Aug 19, 2014 at 4:57 PM, Adam Thompson wrote:
>>>
>>> On 14-08-19 06:48 PM, Dan Shechter wrote:
>>>> I am installing amd64 snapshot from aug 8 on vmware workstation.
>>>> This VM has 5 interfaces.
>>>> I have changed them all to use vmxnet3 NIC.
>>>> vmx0 on openbsd is not ethernet0 in vmware, so are all other interfaces.
>>>> Any idea how to match the VMware's ethernet NIC order to OpenBSD's NIC's order?
>>>
>>> If what you want to know is how to identify them, look at the MAC addresses
>>> in the VMware machine and inside the OpenBSD VM.
>>> I don't know of any way to re-arrange them, if that's what you meant.
>>>
>>> --
>>> -Adam Thompson
>>> athom...@athompso.net
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: VMWare vmx NIC order
Well, VMware assigns NICs to PCI buses according to the order and/or syntax used to define them in the vmx file, whereas OpenBSD enumerates the devices by scanning PCI buses in a deterministic order.
Most likely you can't just change the naming without compiling a custom kernel or liberal (reckless?) use of config(8).
You could try various manipulations of the vmx file to see what the effects would be... But there's no direct way to manipulate PCI assignment, only indirect.
VMware does some odd things with PCI resource allocation, I don't know if your "problem" - which isn't really a technical problem, that I can see - is solvable.

One resource I know of for vmx syntax is http://sanbarrow.com/vmx.html.

-Adam

On August 19, 2014 8:18:32 PM CDT, Dan Shechter wrote:
>Thanks.
>
>I do mean about re-arrange them. Or to be more precise, to make them
>aligned to what is configured in VMWare's vmx file.
>
>Do you think it's not possible?
>
>On Tue, Aug 19, 2014 at 4:57 PM, Adam Thompson wrote:
>> On 14-08-19 06:48 PM, Dan Shechter wrote:
>>>
>>> I am installing amd64 snapshot from aug 8 on vmware workstation.
>>> This VM has 5 interfaces.
>>> I have changed them all to use vmxnet3 NIC.
>>> vmx0 on openbsd is not ethernet0 in vmware, so are all other interfaces.
>>> Any idea how to match the VMware's ethernet NIC order to OpenBSD's NIC's
>>> order?
>>
>> If what you want to know is how to identify them, look at the MAC addresses
>> in the VMware machine and inside the OpenBSD VM.
>> I don't know of any way to re-arrange them, if that's what you meant.
>>
>> --
>> -Adam Thompson
>> athom...@athompso.net

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: VMWare vmx NIC order
Thanks.

I do mean about re-arrange them. Or to be more precise, to make them aligned to what is configured in VMWare's vmx file.

Do you think it's not possible?

On Tue, Aug 19, 2014 at 4:57 PM, Adam Thompson wrote:
> On 14-08-19 06:48 PM, Dan Shechter wrote:
>>
>> I am installing amd64 snapshot from aug 8 on vmware workstation.
>> This VM has 5 interfaces.
>> I have changed them all to use vmxnet3 NIC.
>> vmx0 on openbsd is not ethernet0 in vmware, so are all other interfaces.
>> Any idea how to match the VMware's ethernet NIC order to OpenBSD's NIC's
>> order?
>
> If what you want to know is how to identify them, look at the MAC addresses
> in the VMware machine and inside the OpenBSD VM.
> I don't know of any way to re-arrange them, if that's what you meant.
>
> --
> -Adam Thompson
> athom...@athompso.net
Re: is there app like xosview available in OpenBSD?
sysstat(1) is in base, but is not graphical.
What does using Gnome or KDE matter? As long as the necessary libraries are installed, both Gnome and KDE apps will run under any X11 environment.

-Adam

On August 19, 2014 8:13:31 PM CDT, Long Wind wrote:
>I find xosview is available in FreeBSD
>(I don't use KDE or GNOME)
>Thanks!

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
is there app like xosview available in OpenBSD?
I find xosview is available in FreeBSD (I don't use KDE or GNOME) Thanks!
Re: [patch] errata 55/09, 55/10, 54/13 and 54/14 not linked in security.html
On Tue, Aug 19, 2014 at 15:48, Daniel Jakots wrote:
> Hi,
>
> Index: security.html

right idea, wrong diff. :)

i decided it's too much trouble to maintain these lists in two places, so removed them all and replaced with links to the correct pages. thanks for noticing.
Re: VMWare vmx NIC order
On 14-08-19 06:48 PM, Dan Shechter wrote:
> I am installing amd64 snapshot from aug 8 on vmware workstation.
> This VM has 5 interfaces.
> I have changed them all to use vmxnet3 NIC.
> vmx0 on openbsd is not ethernet0 in vmware, so are all other interfaces.
> Any idea how to match the VMware's ethernet NIC order to OpenBSD's NIC's order?

If what you want to know is how to identify them, look at the MAC addresses in the VMware machine and inside the OpenBSD VM.
I don't know of any way to re-arrange them, if that's what you meant.

--
-Adam Thompson
athom...@athompso.net
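
The MAC comparison suggested in the reply above, as an added example that is not part of the original message: it reads the `ethernetN.generatedAddress` / `ethernetN.address` lines of a .vmx file and the `lladdr` lines of `ifconfig` output, and prints which VMware adapter each OpenBSD interface is. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Pair OpenBSD interface names with VMware ethernetN adapters by MAC address.
# All sample data below is constructed for illustration.

# Constructed sample: adapter lines as they appear in a .vmx file.
sample_vmx() {
cat <<'EOF'
ethernet0.virtualDev = "vmxnet3"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:aa:bb:01"
ethernet0.generatedAddressOffset = "0"
ethernet1.virtualDev = "vmxnet3"
ethernet1.addressType = "generated"
ethernet1.generatedAddress = "00:0C:29:AA:BB:0B"
ethernet2.virtualDev = "vmxnet3"
ethernet2.addressType = "static"
ethernet2.address = "00:50:56:00:00:15"
EOF
}

# Constructed sample: ifconfig output captured inside the OpenBSD guest.
sample_ifconfig() {
cat <<'EOF'
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:56:00:00:15
        priority: 0
        media: Ethernet autoselect
        status: active
vmx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:aa:bb:01
        priority: 0
        media: Ethernet autoselect
        status: active
vmx2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:aa:bb:0b
        priority: 0
        media: Ethernet autoselect
        status: active
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:64
        priority: 0
        carp: MASTER carpdev vmx0 vhid 100 advbase 5 advskew 0
EOF
}

# map_nics VMX_FILE IFCONFIG_FILE
# Prints "ifname ethernetN mac" for every interface with an lladdr, in
# ifconfig order. Interfaces whose MAC the .vmx file does not define
# (carp, or a manually changed lladdr) are reported as "unmatched".
map_nics() {
    awk '
        # First file (.vmx): remember which ethernetN owns each MAC.
        # addressType and generatedAddressOffset keys do not match.
        FNR == NR {
            if ($0 ~ /^ethernet[0-9]+\.(generatedAddress|address)[ \t]*=/) {
                split($0, kv, /[ \t]*=[ \t]*/)
                split(kv[1], key, ".")
                mac = tolower(kv[2])
                gsub(/[" \t\r]/, "", mac)
                owner[mac] = key[1]
            }
            next
        }
        # Second file (ifconfig): an interface header starts a new block.
        /^[a-z]+[0-9]+: flags=/ {
            ifname = $1
            sub(/:$/, "", ifname)
        }
        $1 == "lladdr" {
            mac = tolower($2)
            who = (mac in owner) ? owner[mac] : "unmatched"
            print ifname, who, mac
        }
    ' "$1" "$2"
}

# Run against the constructed samples.
tmp=$(mktemp -d) || exit 1
sample_vmx > "$tmp/guest.vmx"
sample_ifconfig > "$tmp/ifconfig.out"
map_nics "$tmp/guest.vmx" "$tmp/ifconfig.out"
rm -rf "$tmp"
```

On a real system, pass the VM's .vmx file and a saved copy of the guest's `ifconfig` output as the two arguments to `map_nics`.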
VMWare vmx NIC order
Hi All.

I am installing amd64 snapshot from aug 8 on vmware workstation.
This VM has 5 interfaces.
I have changed them all to use vmxnet3 NIC.
vmx0 on openbsd is not ethernet0 in vmware, so are all other interfaces.
Any idea how to match the VMware's ethernet NIC order to OpenBSD's NIC's order?

Best Regards,
Dan.

CCIE #13685 (RS/Sec/SP)
+1-407-484-1295
The CCIE troubleshooting blog: http://dans-net.com
Re: pf new queue resolution (was Relationship Between VLANs and Physical Interfaces in PF)
Daniel Melameth melameth.com> writes:
>
> On Wed, Aug 6, 2014 at 2:38 PM, Stuart Henderson spacehopper.org> wrote:
> > In my (admittedly very limited) testing with the new queueing system,
> > it hasn't done very well with low bandwidth queues (ADSL type speeds) that
> > used to work OK with altq (symptom, packets being assigned to queues as
> > expected, but rates not being controlled). Next step in my testing there
> > will be to build a kernel with a higher HZ value (faster timer) but
> > I haven't got round to that yet.
>
> I have observed similar issues, which makes this less usable. On a
> box with a 1+GHz CPU, what are the disadvantages of doing this?

OK, I've tried this with "option HZ=1" now (after getting utterly fed up with my ADSL upstream getting overwhelmed).

The main disadvantage that I can see is that you're not running GENERIC. The main advantage is that queueing actually works again...
Re: troubleshooting carp [solved]
I've pinpointed the issue with my carp setup. Finally! It seems like the order of things in hostname.carp0 matters more than I thought it did.

This doesn't work so well:

# cat /etc/hostname.carp0
inet 192.168.16.1/24
vhid 100 pass blahblah advbase 5 advskew 0

This works however:

# cat /etc/hostname.carp0
vhid 100 pass blahblah advbase 5 advskew 0
inet 192.168.16.1/24

Both result in exactly this:

# ifconfig carp0
carp0: flags=28843 mtu 1500
        lladdr 00:00:5e:00:01:64
        priority: 0
        carp: MASTER carpdev em0 vhid 100 advbase 5 advskew 0
        groups: carp
        status: master
        inet 192.168.16.1 netmask 0xff00 broadcast 192.168.16.255

-The difference is that with the latter order, carp becomes "muted". Although ip-traffic and arp passes through fine, there is no sign of carp when I do tcpdump on em0. If the vhid is added before the ip-address however, carp works as expected and tcpdump can capture the carp-advertisements going out on em0.

-It would be nice if someone with more insight could explain in detail why the second order in hostname.carp0 doesn't work.

-I am aware that I could have had it all in one line, but because of readability etc I chose to split it into two lines.
APU.1C
Stan Gammons charter.net> writes:
> On 07/29/14 04:01, Stuart Henderson wrote:
>> That's to do with the traffic that the system is handling, you
>> wouldn't normally expect to see all that much fragmented traffic. If
>> there are lots of fragments, are you using pppoe? If so then make sure
>> you either use 'scrub max-mss' or set suitable MTU on all machines on
>> the lan. (In some cases you can use a larger MTU with pppoe RFC4638,
>> but the re(4) driver doesn't yet support jumbo frames on the APU's nic
>> so this won't be available to you).
> Are there other issues with the re(4) driver on the APU besides jumbo
> frames? The LED on the Ethernet ports on the one I have don't seem to
> be working right. At 100 meg the amber link LED is on, but at 1 gig the
> LED is off. I would have thought the green LED would be on for a 1 gig
> link. Other than that, I'm pretty pleased with how OpenBSD runs on it.

From the datasheet, "The RTL8111E supports customizable LED operation modes via IO register offset 18h~19h". I haven't spotted anything setting this in our driver so perhaps it's initialized to strange values by the BIOS. "Standard" behaviour is for the link led to blink when it has link at any speed, or "when this LED is high for extended periods, it indicates that a link problem exists". The datasheet is also annoyingly silent about the register config for jumbo frames.

I tried to reply to this email several days ago only to learn the entire subnet my ISP assigned DHCP IP address is on several of the IP blacklist. Anyway.

Did you have to sign an NDA to get the datasheet? I see on the RealTek website where they say it supports jumbo frames to 9K. Wonder if RealTek would answer some questions about the register config for jumbo frames?

There is a new version of BIOS for the APU. It's dated Jul 08, 2014. It doesn't solve the LED issue though. I don't recall seeing a link LED blink. All I've seen is amber, yellow, green or not lit. I've seen the activity LED blink at a constant rate when the NIC port was attached to a switch port that's configured as a trunk port.

The pcengines support forum also has a link to the coreboot source code for the APU. It looks like it requires the Sage EDK to compile though. Bummer. I'm not that great a C programmer, so I guess it doesn't matter.

Stan
Google offering 5 travel grants for female computer scientists to attend EuroBSDCon 2014
Via the organizers of the EuroBSDCon 2014 conference (also on the EuroBSDcon 2014 website[3]):

Google EMEA Women in Tech Conference and Travel grants for female computer scientists

As part of Google’s ongoing commitment to encourage women to excel in computing and technology, Google is pleased to offer Women in Tech Travel and Conference Grants to attend the EuroBSDcon 2014 conference.

5 grants are offered, which include:

* Free registration for the conference
* Up to 1000 EUR towards travel costs (to be paid after the conference)

To be eligible for a grant, the candidate must:

* Be a woman working in or studying Computer Science, Computer Engineering, or technical field related to the conference subject
* Have a strong academic background
* Demonstrated leadership in the workplace or in school
* Attend the core day(s) of the main conference

How To Apply

To apply, submit the form found on their website[1] by the 31 August 2014 deadline. To find out more about this Google program, please visit their website [2].

[1] https://docs.google.com/spreadsheet/viewform?formkey=dHpHa1JJbTFSY2ZOTHFSUXEyUzNGY2c6MA
[2] https://www.google.ch/edu/students/google-travel-and-conference-grants/#!europe
[3] http://2014.eurobsdcon.org/sponsors/google-emea-women-in-tech-conference-and-travel-grants-for-female-computer-scientists/

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
dlsym(): same symbols in prog and lib, segfault
This is with 5.5 release on i386 (32 bit).

When main program has more than one function pointer declared with the *same names* as functions in a shared library, and initializes one (at least) with the symbol from that library with dlsym(), and references the second in some way (take address, dereference/call, etc.), and the shared library calls the second function, then the program segfaults at the point of the lib making that call, but after ld.so has printed messages like:

"WARNING: symbol(fn_02) size mismatch, relink your program"

apparently one for each reference to that symbol in either the main program or library.

This is reliably repeatable, and is probably easier to understand in code than in my description, so a near-minimal program and Makefile are appended to this message. For the test prog try:

# bug
% make clean; make
# workaround 1 -- initialize symbol in main prog
% make clean; make fix
# workaround 2 -- do not reference symbol in prog
% make clean; make fix2
# still bug, different output (FPIC defaults empty)
% make clean; make FPIC="-fPIC"

I'm sure this was not a problem with OpenBSD 4.9 because the code that raised the issue was fine on that.

-Ed

FILES:

/** BEGIN dltst.c */
#include <stdio.h>

#ifdef BUILDPROG

#ifdef LOADRUNTIME
#include <dlfcn.h>

void (*fn_01)();
#if FIXHACK == 1
void (*fn_02)() = 0;
#else
void (*fn_02)();
#endif

void loadsyms()
{
    /*
     * RTLD_LAZY reorders "size mismatch, relink your program"
     * message and backtrace is different, but segfaults IAC
     */
    void* handle = dlopen(DLTST_SONAME, RTLD_NOW);

    fn_01 = dlsym(handle, "fn_01");
    /* a reference to fn_02 (here and main()) will trigger bug */
#if FIXHACK != 2
    fn_02 = dlsym(handle, "fn_02");
#endif
}

#else /* LOADRUNTIME */

void fn_01();
void fn_02();
void loadsyms() { }

#endif /* LOADRUNTIME */

int main()
{
    loadsyms();

    /* look at addresses *of* and *in* pointers */
    printf("From main prog; fn_01 at %p points to %p\n", &fn_01, fn_01);
#if FIXHACK != 2
    printf("From main prog; fn_02 at %p points to %p\n", &fn_02, fn_02);
#endif

    /* call 1st func only; it calls the 2nd within so */
    fn_01();

    return 0;
}

#else /* BUILDPROG */
/* this section compiles for shared lib */

void fn_02()
{
    void (*p)() = fn_02;

    /* look at this func address */
    printf("From shared lib; %s at %p\n", __FUNCTION__, p);
}

void fn_01()
{
    void (*p)() = fn_01;

    /* look at this func address */
    printf("From shared lib; %s at %p\n", __FUNCTION__, p);

    p = fn_02;
    /* look at *2nd* func address; before segfault */
    printf("From shared lib; %s -- fn_02 is at %p\n", __FUNCTION__, p);

    fn_02();
}

#endif /* BUILDPROG */
/** END dltst.c */

## BEGIN Makefile
NAME = dltst
SONAME = lib$(NAME)
SRC = $(NAME).c
SOSRC = so_$(NAME).c
PROG = $(NAME)_lt
PROGRT = $(NAME)_rt
SO = $(SONAME).so

# not for OpenBSD, but others use -ldl
#LIBS = -ldl
LIBS =

# pic difference? yes, but still gets message and segfault
#FPIC = -fPIC
FPIC =

# default: build and run program w/ runtime loading that will segfault
all: run_rt

# 1st run prog w/o runtime loading (no core), then as above
both check compare: run_lt run_rt

# workaround: initialize (assign 0) pertinent global symbol: no segfault
fix:
	rm -f $(PROGRT)
	make CFLAGS="$(CFLAGS) -DFIXHACK=1" run_rt

# workaround: declare but do not reference pertinent global symbol: no segfault
fix2:
	rm -f $(PROGRT)
	make CFLAGS="$(CFLAGS) -DFIXHACK=2" run_rt

run_rt: $(PROGRT)
	@echo === running $(PROGRT) -- runtime load
	LD_LIBRARY_PATH=$$PWD ./$(PROGRT)

run_lt: $(PROG)
	@echo === running $(PROG) -- implicit link
	LD_LIBRARY_PATH=$$PWD ./$(PROG)

$(SO) mk_so: $(SOSRC)
	$(CC) $(CFLAGS) -shared $(FPIC) -o $(SO) $(SOSRC)

$(PROG) mk_prog_lt: $(SRC) $(SO)
	$(CC) $(CFLAGS) -DBUILDPROG -o $(PROG) $(SRC) $(LIBS) -L$$PWD -l$(NAME)

# make program using runtime loading
$(PROGRT) mk_prog_rt: $(SRC) $(SO)
	$(CC) $(CFLAGS) -DBUILDPROG -DLOADRUNTIME -DDLTST_SONAME=\"$(SO)\" -o $(PROGRT) $(SRC) $(LIBS)

# copy source to new name for so; this is for clarity in gdb
$(SOSRC): $(SRC)
	@rm -f $@; cp -p $(SRC) $@

clean:
	rm -f $(PROG) $(PROGRT) $(SO) $(SOSRC) *.core core
## END Makefile
openbgpd ipv6 nexthop
Hi all,

I'm using openbgpd on a pair of carped firewall (openbsd 5.5-stable) to announce IPv4 routes to a cisco 7600. I set the nexthop to the carped IP and run two sessions (one from each firewall) on the non-carp IP.

This is working fine on IPv4 but when trying to do the same for IPv6, the set nexthop statement in the bgpd.conf has no effect. The cisco receives the prefixes with the non-carp IP of each firewall as nexthop.

When doing a bgpctl show the configured nexthop is printed:

# bgpctl show rib nei ip6_cr1-of1ams out
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination               gateway               lpref   med aspath origin
AI*>  2a02:d48:2f:1c::1:0/125   2a02:d48:2f:1c::1:4     100     0 i
AI*>  2a02:d48:2f:1c::1:8/125   2a02:d48:2f:1c::1:4     100     0 i
AI*>  2a02:d48:2f:910::/64      2a02:d48:2f:1c::1:4     100     0 i
AI*>  2a02:d48:2f:911::/64      2a02:d48:2f:1c::1:4     100     0 i
AI*>  2a02:d48:2f:912::/64      2a02:d48:2f:1c::1:4     100     0 i
AI*>  2a02:d48:2f:913::/64      2a02:d48:2f:1c::1:4     100     0 i
AI*>  2a02:d48:2f:914::/64      2a02:d48:2f:1c::1:4     100     0 i
#

# ifconfig carp18 inet6
carp18: flags=8843 mtu 1500
	lladdr 00:00:5e:00:01:01
	priority: 0
	carp: BACKUP carpdev vlan18 vhid 1 advbase 1 advskew 10
	groups: carp
	status: backup
	inet6 fe80::200:5eff:fe00:101%carp18 prefixlen 64 scopeid 0xe
	inet6 2a02:d48:2f:1c::1:4 prefixlen 125
#

But on the cisco, I get the non-carp IP:

#sh bgp ipv6 unicast neighbors 2A02:D48:2F:1C::1:6 received-routes
BGP table version is 76, local router ID is X.X.X.X
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* 2A02:D48:2F:1C::1:0/125 2A02:D48:2F:1C::1:6 0 65171 i
*> 2A02:D48:2F:1C::1:8/125 2A02:D48:2F:1C::1:6 0 65171 i
*> 2A02:D48:2F:910::/64 2A02:D48:2F:1C::1:6 0 65171 i
*> 2A02:D48:2F:911::/64 2A02:D48:2F:1C::1:6 0 65171 i
*> 2A02:D48:2F:912::/64 2A02:D48:2F:1C::1:6 0 65171 i
Network Next Hop Metric LocPrf Weight Path
*> 2A02:D48:2F:913::/64 2A02:D48:2F:1C::1:6 0 65171 i
*> 2A02:D48:2F:914::/64 2A02:D48:2F:1C::1:6 0 65171 i

Total number of prefixes 7

A network capture shows that the UPDATE from openbgpd to the cisco contains the non-carp IP instead of the configured one. The same thing happens on the MASTER firewall.

Does anyone have any idea why is this happening ?

/etc/bgpd.conf:

cr1_of1ams="X.X.X.X"
ip6_cr1_of1ams="2A02:D48:2F:1C::1:1"

AS 65171
router-id X.X.X.X

network X.X.X.X/32
network X.X.X.X/29 set nexthop X.X.X.X
network X.X.X.X/29 set nexthop X.X.X.X
network inet static set nexthop X.X.X.X
network inet connected set nexthop X.X.X.X
network 2a02:d48:2f:910::/64 set nexthop 2A02:D48:2F:1C::1:4
network 2a02:d48:2f:911::/64 set nexthop 2A02:D48:2F:1C::1:4
network 2a02:d48:2f:912::/64 set nexthop 2A02:D48:2F:1C::1:4
network 2a02:d48:2f:913::/64 set nexthop 2A02:D48:2F:1C::1:4
network 2a02:d48:2f:914::/64 set nexthop 2A02:D48:2F:1C::1:4
network inet6 static set nexthop 2A02:D48:2F:1C::1:4
network inet6 connected set nexthop 2A02:D48:2F:1C::1:4

neighbor $cr1_of1ams {
	announce all
	announce IPv6 none
	remote-as 65071
	descr cr1-of1ams
	local-address X.X.X.X
	holdtime 180
	holdtime min 3
}

neighbor $ip6_cr1_of1ams {
	announce all
	announce IPv4 none
	remote-as 65071
	descr ip6_cr1-of1ams
	local-address 2A02:D48:2F:1C::1:6
	holdtime 180
	holdtime min 3
}

deny to any
allow to $cr1_of1ams
allow to $ip6_cr1_of1ams
deny to any prefix 0/0 prefixlen = 0
deny to any prefix 10/8 prefixlen >= 8
deny to any prefix 172.16/12 prefixlen >= 12
deny to any prefix 192.168/16 prefixlen >= 16
deny to any prefix 127/8 prefixlen >= 8

deny from any
allow from $cr1_of1ams prefix 0/0 prefixlen = 0
allow from $ip6_cr1_of1ams prefix ::/0 prefixlen = 0

# filter bogus networks according to RFC5735
deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
deny fr
Re: IGMPv3 Issue
There is no support for SSM in the kernel so the host portion is out. The router portion for IGMPv3 should work without that. Perhaps you need to set net.inet.ip.mforwarding and multicast_router=YES in rc.conf.local as described in netstart(8)?

On Tue, Aug 19, 2014 at 06:09:51PM +0300, Shteryana Shopova wrote:
> Hi,
>
> Apps like igmpproxy use
>
> setsockopt(sock, IPPROTO_IP,
> IP_ADD_MEMBERSHIP/IP_DROP_MEMBERSHIP/IP_ADD_SOURCE_MEMBERSHIP/...
>
> and rely on the underlying kernel to send the proper IGMP
> Join/Leave/Membership report. OpenBSD's kernel does not (yet?) support
> IGMPv3.
>
> cheers,
> Shteryana
>
>
> On Tue, Aug 19, 2014 at 12:59 PM, Armin Tüting
> wrote:
> > Hello,
> >
> > guys I need some advice on getting IGMPv3 working on 5.5. For various
> > reason igmpproxy doesn't distribute IGMPv3 packets.
> >
> > What other options/tools/ports are available to distribute IGMPv3?
> >
> > Regards,
> > Armin.
Re: rsync -a doesnt keep owner and permissions
On 19.08.2014 17:06, Adam Thompson wrote:
> The remote rsync command runs as your user, not as root, and so cannot set ownership.
> IIRC there's an environment variable you can set that specifies how to invoke the remote rsync (post-ssh, there's an end var for establishing the ssh connection, too). Set that to "sudo rsync", would be my guess.
> -Adam

well I will give it a shot and this may be the missing piece here

> On August 19, 2014 9:27:11 AM CDT, Markus Rosjat wrote:
>> Hello,
>>
>> this has been asked before though but since searching the net always tells me it should work but not when I try to do it .. I'll ask again.
>>
>> what I want to do is:
>> - copy keep ownership and permission when I rsync a file or directory
>>
>> what I get is:
>> - I have a user on both machines who is in wheel (this should make it possible to do this)
>> - when I $sudo rsync -a /some/random/file me@remotemachine:/tmp I get the file synced
>> - file has owner someone:someone and 0600
>> - when I check the permission and owner on the remote machine
>> - file has owner me:wheel and 0644
>>
>> what I can do but don't want to:
>> - I can enable root ssh access
>> - I rsync as root and the owner and permission gets copied even the user doesn't exist on the remote machine
>>
>> Is there any other thing I miss with the sudo approach?
>>
>> Regards

-- 
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please consider whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: IGMPv3 Issue
Hi,

Apps like igmpproxy use

setsockopt(sock, IPPROTO_IP, IP_ADD_MEMBERSHIP/IP_DROP_MEMBERSHIP/IP_ADD_SOURCE_MEMBERSHIP/...

and rely on the underlying kernel to send the proper IGMP Join/Leave/Membership report. OpenBSD's kernel does not (yet?) support IGMPv3.

cheers,
Shteryana

On Tue, Aug 19, 2014 at 12:59 PM, Armin Tüting wrote:
> Hello,
>
> guys I need some advice on getting IGMPv3 working on 5.5. For various
> reason igmpproxy doesn't distribute IGMPv3 packets.
>
> What other options/tools/ports are available to distribute IGMPv3?
>
> Regards,
> Armin.
Re: rsync -a doesnt keep owner and permissions
The remote rsync command runs as your user, not as root, and so cannot set ownership.
IIRC there's an environment variable you can set that specifies how to invoke the remote rsync (post-ssh, there's an end var for establishing the ssh connection, too). Set that to "sudo rsync", would be my guess.
-Adam

On August 19, 2014 9:27:11 AM CDT, Markus Rosjat wrote:
>Hello,
>
>this has been asked before though but since searching the net always
>tells me it should work but not when I try to do it .. I'll ask
>again.
>
>what I want to do is:
> - copy keep ownership and permission when I rsync a file or directory
>
>what I get is:
> - I have a user on both machines who is in wheel (this should make it
>possible to do this)
> - when I $sudo rsync -a /some/random/file me@remotemachine:/tmp I get
>the file synced
> - file has owner someone:someone and 0600
> - when I check the permission and owner on the remote machine
> - file has owner me:wheel and 0644
>
>what I can do but don't want to:
> - I can enable root ssh access
> - I rsync as root and the owner and permission gets copied even the
>user doesn't exist on the remote machine
>
>Is there any other thing I miss with the sudo approach?
>
>Regards
>
>--
>Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
>G+H Webservice GbR Gorzolla, Herrmann
>Königsbrücker Str. 70, 01099 Dresden
>
>http://www.ghweb.de
>fon: +49 351 8107220 fax: +49 351 8107227
>
>Please consider whether this mail really needs to be printed!
>Before you print it, think about your responsibility and commitment to
>the ENVIRONMENT

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: rsync -a doesnt keep owner and permissions
On 19.08.2014 16:40, Erling Westenvik wrote:
> On Tue, Aug 19, 2014 at 04:27:11PM +0200, Markus Rosjat wrote:
>> Is there any other thing I miss with the sudo approach?
>
> Check out --usermap, --groupmap and --chown in the man page. Haven't tried them myself but AFAIK these options were added to rsync(1) late in 2013 or early in 2014.

this may work on a one file or user directory base but if I want to sync a location like /var/www/htdocs this will be a bit overkill and no I don't want to write a script for this if I can avoid it.

> --
> Vennlig hilsen/Kind regards
> Erling Westenvik

-- 
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please consider whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: rsync -a doesnt keep owner and permissions
On August 19, 2014 4:27:11 PM CEST, Markus Rosjat wrote:
>Hello,
>
>this has been asked before though but since searching the net always
>tells me it should work but not when I try to do it .. I'll ask
>again.
>
>what I want to do is:
> - copy keep ownership and permission when I rsync a file or directory
>
>what I get is:
> - I have a user on both machines who is in wheel (this should make it
>possible to do this)
> - when I $sudo rsync -a /some/random/file me@remotemachine:/tmp I get
>the file synced
> - file has owner someone:someone and 0600
> - when I check the permission and owner on the remote machine
> - file has owner me:wheel and 0644
>
>what I can do but don't want to:
> - I can enable root ssh access
> - I rsync as root and the owner and permission gets copied even the
>user doesn't exist on the remote machine
>
>Is there any other thing I miss with the sudo approach?

Do you by any chance have a forced_command set up in .ssh/authorized_keys?

/Alexander
Re: rsync -a doesnt keep owner and permissions
On Tue, Aug 19, 2014 at 04:27:11PM +0200, Markus Rosjat wrote:
> Is there any other thing I miss with the sudo approach?

Check out --usermap, --groupmap and --chown in the man page. Haven't tried them myself but AFAIK these options were added to rsync(1) late in 2013 or early in 2014.

-- 
Vennlig hilsen/Kind regards
Erling Westenvik
rsync -a doesnt keep owner and permissions
Hello,

this has been asked before though but since searching the net always tells me it should work but not when I try to do it .. I'll ask again.

what I want to do is:
 - copy keep ownership and permission when I rsync a file or directory

what I get is:
 - I have a user on both machines who is in wheel (this should make it possible to do this)
 - when I $sudo rsync -a /some/random/file me@remotemachine:/tmp I get the file synced
 - file has owner someone:someone and 0600
 - when I check the permission and owner on the remote machine
 - file has owner me:wheel and 0644

what I can do but don't want to:
 - I can enable root ssh access
 - I rsync as root and the owner and permission gets copied even the user doesn't exist on the remote machine

Is there any other thing I miss with the sudo approach?

Regards

-- 
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please consider whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
[patch] errata 55/09, 55/10, 54/13 and 54/14 not linked in security.html
Hi, Index: security.html === RCS file: /cvs/www/security.html,v retrieving revision 1.417 diff -u -p -r1.417 security.html --- security.html 28 Jul 2014 16:48:23 - 1.417 +++ security.html 19 Aug 2014 13:42:42 - @@ -252,6 +252,11 @@ in OpenBSD current< before executing programs. June 6, 2014: This patch contains a number of SSL library fixes. +July 30, 2014: +Packets with illegal DHCP options can lead to memory exhaustion of +dhclient(8) and dhcpd(8). +August 9, 2014: + This patch contains a number of SSL library fixes. @@ -288,6 +293,11 @@ in OpenBSD current< Sendmail was not properly closing file descriptions before executing programs. June 6, 2014: + This patch contains a number of SSL library fixes. +July 30, 2014: +Packets with illegal DHCP options can lead to memory exhaustion of +dhclient(8) and dhcpd(8). +August 9, 2014: This patch contains a number of SSL library fixes. Cheers, -- Vigdis
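Review bot: the added "August 9, 2014:" entry carries exactly the same description as the existing "June 6, 2014:" entry ("This patch contains a number of SSL library fixes."), in both hunks, so a reader of security.html cannot tell the two errata apart from the text; consider wording the August entry so it is distinguishable from the June one. The added description lines also differ in leading whitespace ("+Packets with illegal DHCP options" against "+ This patch contains"), which is worth aligning with the neighbouring entries. The mail body has no description beyond the subject line, so a sentence saying which entries go into which release section would help whoever commits it.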
Re: problem with sound card
Thank Alexandre Ratchov! I find that another sound card works fine in OpenBSD Now I don't have time/energy to bother with how to solve old ISA card problem Thanks anyway! On 8/18/14, Alexandre Ratchov wrote: > On Sun, Aug 17, 2014 at 07:24:17AM +0800, Long Wind wrote: > > sb0 is reserved for the first non-pnp card. > > > This card is not full-duplex at 44.1kHz (afaics the default) so > it's used in play-only mode by default, thus recording doesn't > work. > > You could either try to use mono at 22.05kHz (or at whatever rate > and/or channel count full-duplex works), or switch between > play-only and record-only modes (possibly register two devices in > sndiod one play-only and one record-only).
Re: rc.local mystery executables
On Fri, Aug 15, 2014 at 5:53 PM, Josh Grosse wrote:
> On 2014-08-15 10:39, Scott Bonds wrote:
>
>> ...I'm running owncloud and a bunch of other (no doubt less secure)
>> software
>
>
> On June 29, there was a 5.5-stable update to www/owncloud to release 6.0.4
> to fix a security issue.

Change/modifying /etc requires root privileges. Here we haven't only a bugged software, but some other serious issue. Owncloud should run with web server privileges.

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/
Re: [Bulk] Re: Access Point Section of the faq
previously on this list Kevin Chadwick contributed:

> > on this machine it's been rock solid.
> >
> > Historically there have been problems where a setup could be completely
> > stable, then move it to a different environment (different clients around?
> > different other APs? I'm not sure) and it would hang frequently.
>
> Hmm, perhaps I should try it downstairs or with a tiny antenna. I also
> should have a cardbus version on its way of the same chipset combo
> stated as rock solid so that should be interesting then.

AR5008-3NG (AR5416+AR2133) 2GHz 3x3:2 PCI/CardBus

athn0 at cardbus1 dev 0 function 0 "Atheros AR5416" rev 0x01: irq 10
athn0: MAC AR5416 rev 2, RF AR2133 (2T3R), ROM rev 2

Seems stable downloading 100s of megs without any issue and from over 40 meters away compared to 20 or 2 megabytes nearby before stalls though I couldn't get it to use chan 1 that the other card would only use and where collisions may occur with many local access points using chan 1. I've also happened to moved some 15 inch subs (magnets) out of the room in the meantime so perhaps not the best test but I would still guess at the problem being to do with the chipset.

I still have to do in rc.local;

/sbin/ifconfig athn0 down
/sbin/ifconfig chan 7
/sbin/ifconfig athn0 up

to get it to work on boot.

So sthen unless you need 802.11n perhaps it's worth a look at OpenBSD again. I know I am far happier with an OpenBSD access point than a Linux one and the time to set it up is amazingly quick when it works especially compared to a Linux Install rather than router.

-- 
___

'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___
Re: vio0 stops working
On Tue, Aug 19, 2014 at 11:05 AM, Kapetanakis Giannis wrote:
> Hi,
>
> I have a random problem with an OB current (5.6 GENERIC#310 amd64) VM
> running on Linux KVM.
>
> This server is doing radio streaming with icecast.
>
> It's vio0 interface stops working usually every one or two days.
>
> It can be brought up again by doing
> # ifconfig vio0 down
> # ifconfig vio0 up
> # sh /etc/netstart vio0

Try this: http://blather.michaelwlucas.com/archives/2083

Ciao!
David
vio0 stops working
Hi,

I have a random problem with an OB current (5.6 GENERIC#310 amd64) VM running on Linux KVM.

This server is doing radio streaming with icecast.

It's vio0 interface stops working usually every one or two days.

It can be brought up again by doing
# ifconfig vio0 down
# ifconfig vio0 up
# sh /etc/netstart vio0

Here are some details and thanks in advance for any help.

G

# ping gw
PING gw (10.0.0.161): 56 data bytes
ping: sendto No buffer space available
ping: wrote gw 64 chars, ret=-1

# netstat -m
549 mbufs in use:
	348 mbufs allocated to data
	197 mbufs allocated to packet headers
	4 mbufs allocated to socket names and addresses
29/684/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
0 Kbytes allocated to network (0% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

# pfctl -i
Status: Enabled for 1 days 20:20:49              Debug: err

Interface Stats for vio0              IPv4             IPv6
  Bytes In                     16165786453                0
  Bytes Out                     2070163167                0
  Packets In
    Passed                        16066153                0
    Blocked                            166                0
  Packets Out
    Passed                        11204005                0
    Blocked                          13816                0

State Table                          Total             Rate
  current entries                        1
  searches                        27284140          170.9/s
  inserts                             9822            0.1/s
  removals                            9821            0.1/s
Counters
  match                              13119            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                     13819            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s

# ifconfig -A
lo0: flags=8049 mtu 32768
	priority: 0
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet 127.0.0.1 netmask 0xff00
vio0: flags=28c43 mtu 1500
	lladdr 00:1a:4a:34:9f:12
	priority: 0
	groups: egress
	media: Ethernet autoselect
	status: active
	inet 10.0.0.164 netmask 0xfff8 broadcast 10.0.0.167
enc0: flags=2
	priority: 0
	groups: enc
	status: active
pflog0: flags=20141 mtu 33144
	priority: 0
	groups: pflog

# dmesg
OpenBSD 5.6 (GENERIC) #310: Fri Aug 8 00:14:24 MDT 2014
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056952320 (1007MB)
avail mem = 1020133376 (972MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0x3e90 (10 entries)
bios0: vendor Seabios version "0.5.1" date 01/01/2007
bios0: oVirt oVirt Node
acpi0 at bios0: rev 0
acpi0: sleep states S5
acpi0: tables DSDT FACP SSDT APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Core i7 9xx (Nehalem Class Core i7), 2394.37 MHz
cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,NXE,LONG,LAHF
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 999MHz
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel
IGMPv3 Issue
Hello,

guys I need some advice on getting IGMPv3 working on 5.5. For various reason igmpproxy doesn't distribute IGMPv3 packets.

What other options/tools/ports are available to distribute IGMPv3?

Regards,
Armin.
Re: rc.local mystery executables
On 2014-08-15, Scott Bonds wrote:
> I thought I was being reasonably careful: ssh disabled for root,
> key-only login on my admin account, following stable, etc...then again,
> I'm running owncloud and a bunch of other (no doubt less secure)
> software. Perhaps I should separate the router and 'everything else'
> roles, so that the router only has builtin OpenBSD software on it, no
> packages. Then again, whatever the exploit, they could probably still
> use it on the newly separated 'everything else' box. Anyway, I clearly
> have a lot to learn about security.

Web application security is often not that great, and popular programs are subject to a lot of investigation (phpmyadmin, owncloud, wordpress, joomla, piwik, ...) - looking through 404s in error_log on pretty much any internet-facing web server will identify some of these.

To reduce risk of web applications that you run which shouldn't be accessible to the public, you can do things like use your packet filter or http daemon's access controls to prevent unauthorised users from being able to access the code at all. Or make it unroutable; only access over VPN or SSH tunnel.

Other generally useful things to consider: reject (and ideally log and investigate) unexpected *outgoing* connections. Check web server logs for unusual entries. And as you have suggested, isolating services reduces the scope of a breach.

> On Thu, Aug 14, 2014 at 09:23:54PM -0400, Ted Unangst wrote:
>> Bad news: yeah. They appear to have screwed up their rootkit by
>> installing the i386 edition, ...

dsfrefr: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped

That isn't even for OpenBSD, file(1) would say "for OpenBSD". That's only one of the executables though; perhaps the others might be for a range of OS..

So they clearly had root and access outside of any chroot jail (if your httpd and/or php-fpm was using one) but don't seem to have done much in the way of targeted probing.

Web server isn't necessarily the infection route but I'd think it was high probability; if you're lucky you might still have the evidence of the infection route in web server access logs.
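The log review suggested in the message above, sketched as an added example (not part of the original post and not an OpenBSD tool). It assumes Common/Combined Log Format access logs; the marker list takes the application names from the message plus "wp-login" as an added assumption, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Application names from the message above; "wp-login" is an added marker.
APP_MARKERS = ("phpmyadmin", "owncloud", "wordpress", "wp-login", "joomla", "piwik")

# Common/Combined Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (documentation address ranges), not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Aug/2014:10:01:02 +0000] "GET /owncloud/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [15/Aug/2014:10:05:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
203.0.113.7 - - [15/Aug/2014:10:05:12 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 210
203.0.113.7 - - [15/Aug/2014:10:05:13 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 210
203.0.113.7 - - [15/Aug/2014:10:05:14 +0000] "GET /joomla/ HTTP/1.1" 404 210
198.51.100.5 - - [15/Aug/2014:10:07:00 +0000] "GET /piwik/ HTTP/1.1" 404 210
198.51.100.23 - - [15/Aug/2014:10:09:00 +0000] "-" 408 0
203.0.113.7 - - [15/Aug/2014:10:12:40 +0000] "POST /owncloud/index.php HTTP/1.1" 200 312
192.0.2.10 - - [15/Aug/2014:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 900
"""


def review(lines, probe_threshold=3):
    """Return probing clients, their successful follow-ups, and odd lines.

    scanners : clients with >= probe_threshold distinct 404s on application paths
    followups: requests by those same clients that did reach an application
    malformed: 1-based numbers of lines that are not a well-formed request
    """
    probes = defaultdict(set)    # ip -> distinct application paths that returned 404
    reached = defaultdict(list)  # ip -> (method, path, status) on application paths
    malformed = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if match is None:
            malformed.append(number)  # unparseable requests are "unusual entries" too
            continue
        path = match["path"]
        if not any(marker in path.lower() for marker in APP_MARKERS):
            continue
        status = int(match["status"])
        if status == 404:
            probes[match["ip"]].add(path.lower())
        elif status < 400:
            reached[match["ip"]].append((match["method"], path, status))
    scanners = sorted(ip for ip, paths in probes.items() if len(paths) >= probe_threshold)
    # A client that guessed at paths and then got a non-error answer from an
    # installed application is the first place to look for an infection route.
    followups = {ip: reached[ip] for ip in scanners if ip in reached}
    return {"scanners": scanners, "followups": followups, "malformed": malformed}


if __name__ == "__main__":
    report = review(SAMPLE_LOG.splitlines())
    for ip in report["scanners"]:
        print("probing client:", ip, "follow-ups:", report["followups"].get(ip, []))
    print("malformed request lines:", report["malformed"])
```

A regular user of an installed application (192.0.2.10 in the sample) is not reported, because only clients that first collected 404s on application paths are followed up.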
Re: Why are there NSA, CSIS, and GOOGLE IDs in my ftplist.cgi
On 2014-08-16, Clint Pachl wrote:
> Is the source code for ftplist.cgi and ftpinstall.cgi publicly available?

It is not.
Re: rc.local mystery executables
>> OpenBSD has always rocked for providing very current versions of
>> snort. barnyard2 compiles cleanly on obsd.
>
> The funny thing is that I have a book on Snort on my reading list. Time
> to read it. I'll checkout barnyard2 as well

There is a learning curve for sure. It's not something that most can set up in day or longer (I certainly didn't). It does give you a view from Layer 7 down which is really what is needed anymore.

Just to clarify, barnyard2 handles the unified2 output from snort. Compile it and check out the barnyard2.conf it generates and it will lead you to various utilities. You really don't need it right it away when you're getting started.

A lot of these things require the patience to tune them or they will drive ya nuts with alerts ;)

Just off the top of my head a few links:

www.team-cymru.org
https://www.dshield.org
http://emergingthreats.net/
https://www.grc.com/dns/dns.htm

Working on cleaning up DNS via unbound/dnscrypt-proxy can help too.

> If anyone reading this knows where I can read up on (those specific)
> exploits, please let me know, perhaps I can figure out where my
> vulnerability is/was if I know more about how they work.

I stumbled upon malheur awhile back. No idea what to do with it, but it compiles easy on obsd. Since you found the malware files it might help.

http://www.mlsec.org/malheur/
Re: rc.local mystery executables
* Scott Bonds [2014-08-19 02:28]:
> The funny thing is that I have a book on Snort on my reading list. Time
> to read it.

or you use the time for something useful instead.

did I say snake oil? ewps.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/