Re: lost+found disappeared

2014-10-29 Thread Philip Guenther
On Wed, Oct 29, 2014 at 4:11 PM, frantisek holop  wrote:
> what does it mean when /lost+found disappears?
>
> i am sure i had it a couple of days ago
> (because that is when i completely reinstalled
> the system).

How confident are you that it existed at that point?  Looking at my
own laptop, I don't see one in /.  Indeed, the only partitions with
one are those that have needed one after a crash.  newfs certainly
doesn't create one by default.


> should i recreate it by hand?

No.

> shouldn't fsck create it?

Yes, it should.  In fact, it does.


> (just had a panic again, but this
> time a blind 'boot dump' resulted
> only in a reboot)

I would be bidding on cheap computers on ebay and starting with the
plainest install possible if my box was failing like yours.


Philip Guenther



enumerate sndio devices

2014-10-29 Thread Rusty

I feel as if I am overlooking something obvious, but..

Is there a way to list sndio endpoints?

Specifically I was trying to attach a scope (probably one of the ffplay
visualizations) to the main output. However I could not figure out what
endpoints exist.




Re: lost+found disappeared

2014-10-29 Thread Alexander Hall

On 10/30/14 00:11, frantisek holop wrote:
> what does it mean when /lost+found disappears?
>
> i am sure i had it a couple of days ago
> (because that is when i completely reinstalled
> the system).

A reinstall does not render you any lost+found directories.

> should i recreate it by hand?
> shouldn't fsck create it? especially

It should, if it needs one.

/Alexander

> when there were a lot of UNREF files
> and an unclean shutdown...
> (just had a panic again, but this
> time a blind 'boot dump' resulted
> only in a reboot)
>
> -f




lost+found disappeared

2014-10-29 Thread frantisek holop
what does it mean when /lost+found disappears?

i am sure i had it a couple of days ago
(because that is when i completely reinstalled
the system).

should i recreate it by hand?
shouldn't fsck create it? especially
when there were a lot of UNREF files
and an unclean shutdown...
(just had a panic again, but this
time a blind 'boot dump' resulted
only in a reboot)

-f
-- 
it's the end of the world as we know it.



Re: Is vnconfig -k simply being superseded or removed? WAS: Re: CVS: cvs.openbsd.org: www

2014-10-29 Thread Ted Unangst
On Tue, Oct 28, 2014 at 13:31, Theo de Raadt wrote:
>>> > Nick Holland wrote:
>>> >
>>> >> encrypted vnd is going away for 5.7.  Suggested by lists at srdn dot
>>> >> de, thanks!
>>> >
>>> > I haven't been able to find this suggestion. Has a maintenance
>>> > burden arisen? Otherwise I would argue that it is more secure
>>> > than softraid for small files. I am fairly sure that challenges to say
>>> > it is insecure are founded on completely flawed grounds as they depend
>>> > on irrelevant circumstances at least those currently published that I
>>> > am aware of.
>>>
>>> this has been communicated here:
>>> http://marc.info/?l=openbsd-misc&m=140146687910205&w=1
>>
>>The conclusion I took from that thread was that it was not going to
>>actually be removed? I took it to mean simply adding a strong
>>indication to users whenever used to use softraid which is better in
>>most cases. I totally agree with the warning but would prefer to still
>>have it around, if it's no problem.
>>
>>Would the word deprecated/superseded in 5.7 be more accurate on
>>upgrade56.html or is it actually being removed?
>>
>>http://marc.info/?l=openbsd-misc&m=140147517513716&w=1
> 
> I disagree with the crypto vnd code leaving the tree.  It is a
> simple reliable framework.  The wording seemed too strong.

There were some unexpected hiccups in the migration strategy that
could not be overcome by royal decree alone. :( I've updated the warning
to be a simpler suggestion.



Re: 5.6 arrived

2014-10-29 Thread Richard Toohey

On 10/30/14 07:26, Zé Loff wrote:
> Sighted on my mailbox today, in Lisbon, Portugal.

Arrived today in Tauranga, New Zealand.



Re: pf rdr-to and access from internal network

2014-10-29 Thread Stuart Henderson
On 2014-10-28, Julian Smith  wrote:
> Yes, i've enabled logging and i see various items such as:
>
> ju...@server-55.my.domain:~ > sudo tcpdump -v -i pflog0

Add -e to the tcpdump line, it will show you action (block/match/pass) and
rule numbers, then check the traffic hits the expected rule (pfctl -sr -R ##
displays a rule by number).
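
Added example, not part of the reply above: one way to tally which rule and action each logged packet hit, from `tcpdump -n -e -i pflog0` output. The log lines are constructed, the function names are hypothetical, and the `rule N/(match) action dir on if:` line prefix is assumed.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -e -i pflog0` output (documentation and
# private address ranges, made-up rule numbers; not taken from the thread).
sample_pflog() {
cat <<'EOF'
Oct 29 10:00:01.000100 rule 4/(match) pass in on em1: 192.168.1.20.51512 > 203.0.113.10.80: S 100:100(0) win 16384
Oct 29 10:00:01.000200 rule 4/(match) pass in on em1: 192.168.1.21.40222 > 203.0.113.10.80: S 200:200(0) win 16384
Oct 29 10:00:02.000300 rule 7/(match) block in on em1: 192.168.1.20.51513 > 203.0.113.10.443: S 300:300(0) win 16384
Oct 29 10:00:03.000400 rule 2/(match) match in on em0: 198.51.100.7.33001 > 203.0.113.10.80: S 400:400(0) win 16384
EOF
}

# Read tcpdump -e pflog lines on stdin and print "rule action dir iface count",
# one line per distinct combination, sorted by rule number.
pflog_rule_summary() {
    awk '
    {
        # Locate the "rule N/(match) action dir on iface:" prefix wherever
        # the timestamp leaves it; lines without it are skipped.
        for (i = 1; i + 5 <= NF; i++) {
            if ($i == "rule" && $(i + 1) ~ /^[0-9]+\// && $(i + 4) == "on") {
                split($(i + 1), part, "/")      # part[1] is the rule number
                iface = $(i + 5)
                sub(/:$/, "", iface)            # drop the trailing colon
                seen[part[1] " " $(i + 2) " " $(i + 3) " " iface]++
                break
            }
        }
    }
    END { for (k in seen) print k, seen[k] }' | sort -n
}

# List the distinct "rule action" pairs for packets whose log line contains
# the fixed string $1 (for example a destination written as "addr.port:").
pflog_rules_for() {
    grep -F -- "$1" | pflog_rule_summary | awk '{ print $1, $2 }' | sort -u
}

# Stand-alone run: summary of the constructed sample.
sample_pflog | pflog_rule_summary
```

Each rule number in the first column can then be looked up with `pfctl -sr -R` as described in the reply.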



Re: The Book of PF, 3rd ed: You own the first author signed copy and support OpenBSD!

2014-10-29 Thread patrick keshishian
On 10/27/14, Michael W. Lucas  wrote:
> On Mon, Oct 27, 2014 at 09:04:48PM +0100, Peter N. M. Hansteen wrote:
>> "Michael W. Lucas"  writes:
>>
>> > BAH! You think you can steal my idea for supporting OpenBSD? I don't
>> > think it's that easy.
>> >
>> > MY auction raised $1145.
>> >
>> > There is no way that BoPF3 can POSSIBLY raise more than that!
>> >
>> > Consider the gauntlet thrown.
>>
>> :D
>>
>> After two days, the highest bid lists as US $493.88, which means
>>
>> a) that bid was likely entered in a non-USD currency (or
>>    somebody has an odd sense of humor, I'm fine with both)
>>
>> b) we're on a pretty good trajectory for beating Mr. Lucas on
>>    the fundraising front
>
> Humpf.
>
> It is just BARELY possible that Mr. Hansteen's work will raise more
> money than mine. If so, it will clearly be the result of nepotism,
> collusion, and intrigue.
>
> If this happens, I'll have to write another OpenBSD book. One that
> will raise EVEN MORE MONEY than this petty little BoPF3 auction.
>
> ==ml
>
>> Once again, the auction is at
>>
>> http://www.ebay.com/itm/The-Book-of-PF-3rd-ed-signed-by-the-author-First-Copy-signed-/321563281902?


Just to give this a bump: Interesting bid patterns by two
high bidders.

--patrick


>> The blog post with the nice pictures is at
>> http://bsdly.blogspot.no/2014/10/the-book-of-pf-3rd-edition-is-here.html
>>
>> And if your bid turns out not to be the successful one, please make
>> the amount of your highest bid a direct donation to OpenBSD instead.
>>
>> Even if you wouldn't consider bidding, go on, head over to
>> http://www.openbsd.org/orders.html or
>> http://www.openbsd.org/donations.html
>> and spend some money!
>>
>>  - Peter



Re: Remove print/acroread

2014-10-29 Thread Antoine Jacoutot
On Wed, Oct 29, 2014 at 07:35:33PM +, Grumpy wrote:
> > Considering most of the answers to the original question have totally
> > gone out of topic, please remove print/acroread asap so that this
> > thread dies.
> 
> Cool down, man! Hadn't enough cheese lately?

You clearly mistake me for someone else.

-- 
Antoine



Re: Remove print/acroread

2014-10-29 Thread Grumpy
> Considering most of the answers to the original question have totally
> gone out of topic, please remove print/acroread asap so that this
> thread dies.

Cool down, man! Hadn't enough cheese lately?



Re: 5.6 arrived

2014-10-29 Thread Zé Loff
Sighted on my mailbox today, in Lisbon, Portugal.

As always, special thanks to all the developers for yet another
consistent and straight on schedule release.


I'd just like to add that for the past year (at least) it has been
amazing to watch the project take some big (and some not so big steps)
forward -- LibreSSL, httpd and dropping apache, OpenSMTPD and dropping
sendmail, new queueing on pf, autoinstall, signify, ports building, and
a shitload of other stuff that I'm sure I'm forgetting or not even
realising -- and at a time when things were financially bleak for a
while.
So, a big fat thank you to everyone involved.


Cheers
Zé
-- 



Re: Remove print/acroread

2014-10-29 Thread Antoine Jacoutot
On Wed, Oct 29, 2014 at 06:22:44PM +, Артур Истомин wrote:
> On Wed, Oct 29, 2014 at 04:25:02PM +0100, Marc Espie wrote:
> > On Wed, Oct 29, 2014 at 04:11:47PM +0100, Alexandre Ratchov wrote:
> > > On Wed, Oct 29, 2014 at 08:30:32AM -0600, David Coppa wrote:
> > > > So here I am, asking on misc@...
> > > > 
> > > > Do people using acroread-7.0.9 on i386 (compat_linux) still exist
> > > > these days?
> > > > 
> > > > I'd like to rm print/acroread from cvs.
> > > > 
> > > 
> > > I don't see the point of keeping it, while we have other working
> > > pdf readers. I don't even understand why we have it at all. OK to
> > > remove it.
> > 
> > You don't use pdf form filling. Over the last few years, I've seen
> > people want to do strange things with pdf.  Most things related
> > to display work with default tools. afaik, password did not work
> > with anything BUT acrobat reader AND now mutools.
> > 
> > Form filling, in some cases (german taxes, iirr) does NOT work with
> > other tools...
> 
> Many consulates/embassies send pdf files with forms for information on
> visa acquisition. The last time I filled one in, no open source pdf
> reader could fill such forms.

Considering most of the answers to the original question have totally gone out 
of topic, please remove print/acroread asap so that this thread dies.

-- 
Antoine



Re: Remove print/acroread

2014-10-29 Thread Артур Истомин
On Wed, Oct 29, 2014 at 04:25:02PM +0100, Marc Espie wrote:
> On Wed, Oct 29, 2014 at 04:11:47PM +0100, Alexandre Ratchov wrote:
> > On Wed, Oct 29, 2014 at 08:30:32AM -0600, David Coppa wrote:
> > > So here I am, asking on misc@...
> > > 
> > > Do people using acroread-7.0.9 on i386 (compat_linux) still exist
> > > these days?
> > > 
> > > I'd like to rm print/acroread from cvs.
> > > 
> > 
> > I don't see the point of keeping it, while we have other working
> > pdf readers. I don't even understand why we have it at all. OK to
> > remove it.
> 
> You don't use pdf form filling. Over the last few years, I've seen
> people want to do strange things with pdf.  Most things related
> to display work with default tools. afaik, password did not work
> with anything BUT acrobat reader AND now mutools.
> 
> Form filling, in some cases (german taxes, iirr) does NOT work with
> other tools...

Many consulates/embassies send pdf files with forms for information on
visa acquisition. The last time I filled one in, no open source pdf
reader could fill such forms.



audio in linux emulation, skype & friends

2014-10-29 Thread Alexandre Ratchov
I thought that linux emulation has partial oss audio support which
would allow to run skype on openbsd. While searching for more
information, it appears that audio doesn't work in skype since at
least 7 years. See:

http://marc.info/?l=openbsd-misc&m=119039040500478

More "recent" versions don't even use oss audio. So what linux
binaries do have working oss audio in linux emulation? Has anyone
ever managed to use audio in linux emulation?

I believe there are none and corresponding kernel bits could go to
the attic.

Thoughts?

-- Alexandre



Re: Remove print/acroread

2014-10-29 Thread Allan Streib
Jonathan Thornburg  writes:

> +1 on Marc's point.  And US tax forms too.  (Canada doesn't yet force
> the use of fillable-pdf-forms, so I donno about those.)  Not to mention
> the new-member-application forms on a certain Credit Union I just
> joined

evince in packages does a good job with PDF fill-in forms. I used it to
do my taxes last year.

Allan



Re: 5.6 arrived

2014-10-29 Thread Peter J. Philipp
On 10/29/14 18:04, ian kremlin wrote:
> 5.6 arrived today in syracuse, new york. right on time, just as usual. :)

It arrived yesterday in Schweinfurt, Germany.  This time the seal was
not broken :-).

-peter



Re: Remove print/acroread

2014-10-29 Thread David Coppa
On Wed, Oct 29, 2014 at 6:11 PM, Alexandre Ratchov  wrote:
> On Wed, Oct 29, 2014 at 12:25:10PM -0400, Jonathan Thornburg wrote:
>> In message 
>> Alexandre Ratchov wrote [[about acroread]]
>> > I don't see the point of keeping it, while we have other working
>> > pdf readers. I don't even understand why we have it at all. OK to
>> > remove it.
>>
>> In message 
>> Marc Espie replied
>> > You don't use pdf form filling. Over the last few years, I've seen
>> > people want to do strange things with pdf.  Most things related
>> > to display work with default tools. afaik, password did not work
>> > with anything BUT acrobat reader AND now mutools.
>> >
>> > Form filling, in some cases (german taxes, iirr) does NOT work with
>> > other tools...
>>
>> +1 on Marc's point.  And US tax forms too.  (Canada doesn't yet force
>> the use of fillable-pdf-forms, so I donno about those.)  Not to mention
>> the new-member-application forms on a certain Credit Union I just
>> joined
>>
>> There's still a place in the computing world for Windoze machines. :(
>
> not sure to understand; you mean that you're using the acroread
> port on openbsd?
>

Indeed.

I'm not questioning the usefulness of Adobe Acrobat Reader.

I'm questioning the value of Acrobat Reader *7.0* running via
compat_linux on OpenBSD/i386.

Ciao!
David
-- 
"If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will."
-- Stewart Nelson



Re: Remove print/acroread

2014-10-29 Thread Alexandre Ratchov
On Wed, Oct 29, 2014 at 12:25:10PM -0400, Jonathan Thornburg wrote:
> In message 
> Alexandre Ratchov wrote [[about acroread]]
> > I don't see the point of keeping it, while we have other working
> > pdf readers. I don't even understand why we have it at all. OK to
> > remove it.
> 
> In message 
> Marc Espie replied
> > You don't use pdf form filling. Over the last few years, I've seen
> > people want to do strange things with pdf.  Most things related
> > to display work with default tools. afaik, password did not work
> > with anything BUT acrobat reader AND now mutools.
> > 
> > Form filling, in some cases (german taxes, iirr) does NOT work with
> > other tools...
> 
> +1 on Marc's point.  And US tax forms too.  (Canada doesn't yet force
> the use of fillable-pdf-forms, so I donno about those.)  Not to mention
> the new-member-application forms on a certain Credit Union I just
> joined
> 
> There's still a place in the computing world for Windoze machines. :(

not sure to understand; you mean that you're using the acroread
port on openbsd?



Re: 5.6 arrived

2014-10-29 Thread Allan Streib
> Hopefully you agree that the file name "snapshots/amd64/install56.iso"
> is misleading? Looking at the file name I had assumed/hoped there is some
> kind of upgrade path from the "install56.iso" snapshot to the 5.6 release.
> My mistake.


As I understand it, the releases do not necessarily correspond to any
particular snapshot. The name is not misleading if you understand the
meaning of snapshots/ in the path.

Installing a snapshot is sort of a "no going back" decision. The only
real way to "go back" to a release if you're running a snapshot is to
install that release, and then restore your data.

Allan



Re: 5.6 arrived

2014-10-29 Thread ian kremlin
5.6 arrived today in syracuse, new york. right on time, just as usual. :)

On Wed, Oct 29, 2014 at 12:44 PM, Theo de Raadt  wrote:
>>Hopefully you agree that the file name "snapshots/amd64/install56.iso"
>>is misleading? Looking at the file name I had assumed/hoped there is some
>>kind of upgrade path from the "install56.iso" snapshot to the 5.6 release.
>>My mistake.
>
> It is not misleading in any way.
>
> Those two digits are looked at by the matching bsd.rd install goo.
>
> There must be two digits there.  You suggest using the ones from the
> just-released version is wrong, and we should use the next one,
> confusing other people.  It is bad either way.
>
> All of which allows me to say that you are the kind of person who
> can see something, make a wrong interpretation, get it explained,
> then double down on the argument!  But enough about you!



Re: Remove print/acroread

2014-10-29 Thread Jonathan Thornburg
In message 
Alexandre Ratchov wrote [[about acroread]]
> I don't see the point of keeping it, while we have other working
> pdf readers. I don't even understand why we have it at all. OK to
> remove it.

In message 
Marc Espie replied
> You don't use pdf form filling. Over the last few years, I've seen
> people want to do strange things with pdf.  Most things related
> to display work with default tools. afaik, password did not work
> with anything BUT acrobat reader AND now mutools.
> 
> Form filling, in some cases (german taxes, iirr) does NOT work with
> other tools...

+1 on Marc's point.  And US tax forms too.  (Canada doesn't yet force
the use of fillable-pdf-forms, so I donno about those.)  Not to mention
the new-member-application forms on a certain Credit Union I just
joined

There's still a place in the computing world for Windoze machines. :(

-- 
-- "Jonathan Thornburg [remove -animal to reply]" 

   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
at any given moment.  How often, or on what system, the Thought Police
plugged in on any individual wire was guesswork.  It was even conceivable
that they watched everybody all the time."  -- George Orwell, "1984"



Re: 5.6 arrived

2014-10-29 Thread Theo de Raadt
>Hopefully you agree that the file name "snapshots/amd64/install56.iso"
>is misleading? Looking at the file name I had assumed/hoped there is some
>kind of upgrade path from the "install56.iso" snapshot to the 5.6 release.
>My mistake.

It is not misleading in any way.

Those two digits are looked at by the matching bsd.rd install goo.

There must be two digits there.  You suggest using the ones from the
just-released version is wrong, and we should use the next one,
confusing other people.  It is bad either way.

All of which allows me to say that you are the kind of person who
can see something, make a wrong interpretation, get it explained,
then double down on the argument!  But enough about you!



Re: 5.6 arrived

2014-10-29 Thread Tony Abernethy
Harald Dunkel wrote
>Hopefully you agree that the file name "snapshots/amd64/install56.iso"
>is misleading? Looking at the file name I had assumed/hoped there is some
>kind of upgrade path from the "install56.iso" snapshot to the 5.6 release.

Who is being misled?

(from an outsider)
The overriding purpose of the snapshots and their files and the names of
those files is to assist the OpenBSD folk in producing their semiannual
release of the next stable release of OpenBSD.
Guessing games as to which snapshot and exactly how the developers 
proceed from snapshot to CD is unlikely to be productive. I expect the exact
path is never closely duplicated from one release to the next. 
Apparently sometimes the new will not even compile on the old.
OpenBSD is one of very few places not firmly committed to preserving old
mistakes.



Re: 5.6 arrived

2014-10-29 Thread Remi Locherer
On Wed, Oct 29, 2014 at 04:54:26PM +0100, Harald Dunkel wrote:
> Hi Oliver,
> 
> On 10/28/14 14:23, Oliver Peter wrote:
> > 
> > If the difference between release and snapshot is too confusing for
> > you, you should probably just stay with release.  If you need releases
> > on time you should order a CD set next time.
> > 
> 
> Of course I understand that there is a difference between snapshot
> and release. 5.5 didn't recognize the network hardware, so I had to
> use a snapshot.
> 
> I got the CDs yesterday (by chance).
> 
> > And please don't try to install a current 5.6 snapshot and use it like
> > it was a 5.6 release.  Please don't do that.
> > 
> 
> If I got Theo correctly then there is no such thing as a "5.6 snapshot",
> but a snapshot built from the CVS development branch, which might include
> some code for future releases beyond 5.7 or even purely experimental code.
 
Theo gave a presentation about the release process:
http://2009.asiabsdcon.org/live/abc2009-PT1.html
This helps to understand this topic.

Remi


> Hopefully you agree that the file name "snapshots/amd64/install56.iso"
> is misleading? Looking at the file name I had assumed/hoped there is some
> kind of upgrade path from the "install56.iso" snapshot to the 5.6 release.
> My mistake.
> 
> 
> Regards
> Harri



Re: 5.6 arrived

2014-10-29 Thread Harald Dunkel
Hi Oliver,

On 10/28/14 14:23, Oliver Peter wrote:
> 
> If the difference between release and snapshot is too confusing for
> you, you should probably just stay with release.  If you need releases
> on time you should order a CD set next time.
> 

Of course I understand that there is a difference between snapshot
and release. 5.5 didn't recognize the network hardware, so I had to
use a snapshot.

I got the CDs yesterday (by chance).

> And please don't try to install a current 5.6 snapshot and use it like
> it was a 5.6 release.  Please don't do that.
> 

If I got Theo correctly then there is no such thing as a "5.6 snapshot",
but a snapshot built from the CVS development branch, which might include
some code for future releases beyond 5.7 or even purely experimental code.

Hopefully you agree that the file name "snapshots/amd64/install56.iso"
is misleading? Looking at the file name I had assumed/hoped there is some
kind of upgrade path from the "install56.iso" snapshot to the 5.6 release.
My mistake.


Regards
Harri



Re: Remove print/acroread

2014-10-29 Thread Marc Espie
On Wed, Oct 29, 2014 at 04:11:47PM +0100, Alexandre Ratchov wrote:
> On Wed, Oct 29, 2014 at 08:30:32AM -0600, David Coppa wrote:
> > So here I am, asking on misc@...
> > 
> > Do people using acroread-7.0.9 on i386 (compat_linux) still exist
> > these days?
> > 
> > I'd like to rm print/acroread from cvs.
> > 
> 
> I don't see the point of keeping it, while we have other working
> pdf readers. I don't even understand why we have it at all. OK to
> remove it.

You don't use pdf form filling. Over the last few years, I've seen
people want to do strange things with pdf.  Most things related
to display work with default tools. afaik, password did not work
with anything BUT acrobat reader AND now mutools.

Form filling, in some cases (german taxes, iirr) does NOT work with
other tools...



Re: Remove print/acroread

2014-10-29 Thread Alexandre Ratchov
On Wed, Oct 29, 2014 at 08:30:32AM -0600, David Coppa wrote:
> So here I am, asking on misc@...
> 
> Do people using acroread-7.0.9 on i386 (compat_linux) still exist
> these days?
> 
> I'd like to rm print/acroread from cvs.
> 

I don't see the point of keeping it, while we have other working
pdf readers. I don't even understand why we have it at all. OK to
remove it.

-- Alexandre



Re: Remove print/acroread

2014-10-29 Thread Luis Coronado
ok with me. I haven't used OBSD on i386 in a long time and acroread does not
run on amd64.

-luis


On Wed, Oct 29, 2014 at 7:30 AM, David Coppa  wrote:

> So here I am, asking on misc@...
>
> Do people using acroread-7.0.9 on i386 (compat_linux) still exist
> these days?
>
> I'd like to rm print/acroread from cvs.
>
> Cheers!
> David
>
> > -- Forwarded message --
> > From: frantisek holop 
> > Date: Mon, Oct 27, 2014 at 7:31 PM
> > Subject: Re: remove print/acroread
> > To: po...@openbsd.org
> >
> >
> > David Coppa, 27 Oct 2014 17:08:
> > > Given this:
> > >
> > >
> http://blogs.adobe.com/adobereader/2012/06/one-year-from-now-adobe-reader-and-acrobat-9-eol.html
> > >
> > > Adobe has discontinued the support of Adobe Reader for Linux in June
> > > 2013, and the fact that our port is even older (v7.x)...
> > >
> > > Can we finally put print/acroread to the Attic?
> > >
> > > There're a lot of valid alternatives nowadays!
> >
> > the devils advocate tonight:
> > i think this should be asked on misc@ as well.
> > i dont know how many of those alternatives
> > can handle pdf forms correctly.  having said that
> > i have no idea if the ports version does.
> > for the record, i have never used this software :)
> > but maybe some other people do...
> >
> > -f
> > --
> > questions, questions!  does it ever end?!



Remove print/acroread

2014-10-29 Thread David Coppa
So here I am, asking on misc@...

Do people using acroread-7.0.9 on i386 (compat_linux) still exist
these days?

I'd like to rm print/acroread from cvs.

Cheers!
David

> -- Forwarded message --
> From: frantisek holop 
> Date: Mon, Oct 27, 2014 at 7:31 PM
> Subject: Re: remove print/acroread
> To: po...@openbsd.org
> 
> 
> David Coppa, 27 Oct 2014 17:08:
> > Given this:
> >
> > http://blogs.adobe.com/adobereader/2012/06/one-year-from-now-adobe-reader-and-acrobat-9-eol.html
> >
> > Adobe has discontinued the support of Adobe Reader for Linux in June
> > 2013, and the fact that our port is even older (v7.x)...
> >
> > Can we finally put print/acroread to the Attic?
> >
> > There're a lot of valid alternatives nowadays!
> 
> the devils advocate tonight:
> i think this should be asked on misc@ as well.
> i dont know how many of those alternatives
> can handle pdf forms correctly.  having said that
> i have no idea if the ports version does.
> for the record, i have never used this software :)
> but maybe some other people do...
> 
> -f
> --
> questions, questions!  does it ever end?!



Re: make does try BSDmakefile anymore?

2014-10-29 Thread Marc Espie
On Tue, Oct 28, 2014 at 09:56:14PM +0100, Carsten Kunze wrote:
> Hello,
> 
> in OpenBSD 5.5 make did try makefiles in order BSDmakefile -> makefile -> 
> Makefile.
> 
> In Current BSDmakefile is not tried anymore, at least not with highest 
> priority.  Is this intended?

Yes. The rationale being that this is not posix behavior at all, and it's very
easy to be explicit about it.



Re: weird problem in Germany / TCP related

2014-10-29 Thread Peter J. Philipp
On 10/29/14 13:15, Henrik Friedrichsen wrote:
> Hey,
> 
> On Wed, Oct 29, 2014 at 09:42:21AM +0100, Peter J. Philipp wrote:
>> So I'm looking for more people who use DTAG who have experienced
>> degradations (mostly noticed in running screen or tmux and having
>> switched windows and it's doggedly slow due to retransmissions).  What
>> sort of home router do you use?
> 
> Does this fit your description?
> 
> http://avm.de/nc/service/fritzbox/fritzbox-7390/wissensdatenbank/publication/show/1551_Nach-FRITZ-OS-Update-mit-einzelner-Anwendung-kein-Internetzugriff-moeglich/
> http://stadt-bremerhaven.de/fritz-os-update-twitter/
> 
> Experienced it myself, too, with a FB 7390 as of 6.20. Definitely one of
> the nastier bugs. Downgrading helped.
> 

Interesting.  Nice find!  The firmware is 6.20 indeed and same model
router.  I didn't downgrade because I had upgraded the DECT telephones
that were on the Fritz!box and wasn't sure if there would be more issues
with a downgrade.

I'm going to downgrade despite next weekend and see.

What's interesting is that I could tunnel tcp per gif(4) very nicely.
It was rapid response like it should have been, but I ran into the state
timeout for whatever protocol gif(4) uses.

Regards,

-peter



Re: weird problem in Germany / TCP related

2014-10-29 Thread Henrik Friedrichsen
Hey,

On Wed, Oct 29, 2014 at 09:42:21AM +0100, Peter J. Philipp wrote:
> So I'm looking for more people who use DTAG who have experienced
> degradations (mostly noticed in running screen or tmux and having
> switched windows and it's doggedly slow due to retransmissions).  What
> sort of home router do you use?

Does this fit your description?

http://avm.de/nc/service/fritzbox/fritzbox-7390/wissensdatenbank/publication/show/1551_Nach-FRITZ-OS-Update-mit-einzelner-Anwendung-kein-Internetzugriff-moeglich/
http://stadt-bremerhaven.de/fritz-os-update-twitter/

Experienced it myself, too, with a FB 7390 as of 6.20. Definitely one of
the nastier bugs. Downgrading helped.



Re: Netasq now named Stormshield Firewalls

2014-10-29 Thread Reyk Floeter
Hi,

> On 28.10.2014 at 21:55, Romain FABBRI wrote:
> 
> I found something interesting today playing with a Netasq F150 (rebranded 
> Stormshield firewall).
> The firewall OS (named ASQ) is based on the top of FreeBSD.
> 
> When I looked at the internal text files which contains the configuration for 
> the firewall rules I found that the rule syntax looks a lot like PF.
> 
> Simple coincidence ?

So what?

FreeBSD uses an ancient version of PF, just see the weird/obsolete NAT rules 
below.

There are OpenBSD-based firewall products with real PF from 
Esdenera, GeNUA or others. But, in either way, 
posts related to FreeBSD’s ancient PF or something like my shameless plug are 
totally off-topic on this list.

Reyk

> 
> #=
> # /usr/Firewall/ConfigFiles/Filter
> #=
> # more 02
> [Filter]
> pass from network_internals to any port web_srv
> pass from network_internals to any port ftp # Force FTP analysis
> pass from network_internals to any port mail_srv
> pass ipproto icmp type 8 code 0 from network_internals to any   # Accept PING only
> 
> # more 03
> [Filter]
> pass from network_internals to any port plugins # Force plugins analysis
> pass ipproto tcp from network_internals to any  # Accept TCP only
> 
> # more 04
> [Filter]
> pass from network_internals to any port plugins # Force plugins analysis
> pass from network_internals to any  # Accept all
> 
> # more 05
> [Filter]
> pass inspection firewall log from IP_Pub-MainPool1 on out to IP_Pub_1.1.1.2 port microsoft-ts -> to srv-ToIP_4760 rulename "Télémaintenance"
> pass inspection firewall log from IP_Pub-MainPool1 on out to Firewall_out_1 port Port_4343 -> to Ctrl-Wifi rulename "Télémaintenance"
> pass inspection firewall log from Network_internals to shared-printer rulename "Shared Printer" # Internet
> pass inspection firewall log from Network_Cutomer_A|Network_Phone-TOIP to Network_Vlans_Impairs port ssh|Port_4343|https|telnet rulename "Admin Switch + FW"# Internet
> pass inspection firewall log from Network_internals to internet rulename "Internet" # Internet
> pass inspection firewall log from any to firewall_all port firewall_srv|ssh|https   # Admin from everywhere
> pass inspection firewall log ipproto icmp type 8 code 0 proto none from any to any  # Allow Ping from everywhere
> block inspection firewall log from any to any   # Block all
> 
> [NAT]
> nat from Network_Phone-TOIP to internet -> from IP_Pub_1.1.1.2 to original
> nat from Network_KI_EXECUTIVE to internet -> from IP_Pub_1.1.1.2 to original
> nat from VisioConférence to any on out -> from IP_Pub_1.2.3.4 arp-# NAT
> nat from any on out to IP_Pub_1.2.4.5 -> beforevpn to VideoConference arp- # NAT
> nat from Network_internals to internet on out -> from Firewall_out_1 to original



Netasq now named Stormshield Firewalls

2014-10-29 Thread Romain FABBRI
I found something interesting today playing with a Netasq F150 (rebranded 
Stormshield firewall).
The firewall OS (named ASQ) is based on the top of FreeBSD.

When I looked at the internal text files which contains the configuration for 
the firewall rules I found that the rule syntax looks a lot like PF.

Simple coincidence ?

#=
# /usr/Firewall/ConfigFiles/Filter
#=
# more 02
[Filter]
pass from network_internals to any port web_srv
pass from network_internals to any port ftp # Force FTP analysis
pass from network_internals to any port mail_srv
pass ipproto icmp type 8 code 0 from network_internals to any   # Accept PING only

# more 03
[Filter]
pass from network_internals to any port plugins # Force plugins analysis
pass ipproto tcp from network_internals to any  # Accept TCP only

# more 04
[Filter]
pass from network_internals to any port plugins # Force plugins analysis
pass from network_internals to any  # Accept all

# more 05
[Filter]
pass inspection firewall log from IP_Pub-MainPool1 on out to IP_Pub_1.1.1.2 port microsoft-ts -> to srv-ToIP_4760 rulename "Télémaintenance"
pass inspection firewall log from IP_Pub-MainPool1 on out to Firewall_out_1 port Port_4343 -> to Ctrl-Wifi rulename "Télémaintenance"
pass inspection firewall log from Network_internals to shared-printer rulename "Shared Printer" # Internet
pass inspection firewall log from Network_Cutomer_A|Network_Phone-TOIP to Network_Vlans_Impairs port ssh|Port_4343|https|telnet rulename "Admin Switch + FW"# Internet
pass inspection firewall log from Network_internals to internet rulename "Internet" # Internet
pass inspection firewall log from any to firewall_all port firewall_srv|ssh|https   # Admin from everywhere
pass inspection firewall log ipproto icmp type 8 code 0 proto none from any to any  # Allow Ping from everywhere
block inspection firewall log from any to any   # Block all

[NAT]
nat from Network_Phone-TOIP to internet -> from IP_Pub_1.1.1.2 to original
nat from Network_KI_EXECUTIVE to internet -> from IP_Pub_1.1.1.2 to original
nat from VisioConférence to any on out -> from IP_Pub_1.2.3.4 arp-# NAT
nat from any on out to IP_Pub_1.2.4.5 -> beforevpn to VideoConference arp-  # NAT
nat from Network_internals to internet on out -> from Firewall_out_1 to original
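
Because the rule lines quoted above are this regular, they can be parsed and audited mechanically. The following is an added example, not part of the original message and not Netasq/Stormshield code: the grammar is inferred only from the lines shown, and treating `ssh`, `telnet`, `https` and `firewall_srv` as management services is an assumption.

```python
import re

# Constructed input: rule lines copied from slots 04 and 05 in the message, wrapped lines rejoined.
SAMPLE = '''[Filter]
pass from network_internals to any  # Accept all
pass inspection firewall log from Network_Cutomer_A|Network_Phone-TOIP to Network_Vlans_Impairs port ssh|Port_4343|https|telnet rulename "Admin Switch + FW"# Internet
pass inspection firewall log from any to firewall_all port firewall_srv|ssh|https   # Admin from everywhere
pass inspection firewall log ipproto icmp type 8 code 0 proto none from any to any  # Allow Ping from everywhere
block inspection firewall log from any to any   # Block all
[NAT]
nat from Network_internals to internet on out -> from Firewall_out_1 to original
'''

# Assumed grammar, inferred only from the lines above (not a vendor specification):
#   action [options] from SRC [on IF] to DST [port P1|P2] [-> ...] [rulename "..."] [# ...]
RULE = re.compile(r'^(pass|block)\b(.*?)\bfrom (\S+)(?: on \S+)? to (\S+)(?: port (\S+))?')
ADMIN_PORTS = {'ssh', 'telnet', 'https', 'firewall_srv'}  # assumption: management services

def parse(text):
    """Yield (lineno, action, options, src, dst, ports) for every [Filter] rule."""
    section = None
    for n, line in enumerate(text.splitlines(), 1):
        line = re.sub(r'"[^"]*"', '""', line)      # a '#' inside a rule name is not a comment
        line = line.split('#', 1)[0].split('->', 1)[0].strip()
        if line.startswith('['):
            section = line.strip('[]')
            continue
        m = RULE.match(line) if section == 'Filter' else None
        if m:
            action, opts, src, dst, port = m.groups()
            ports = set(port.split('|')) if port else set()
            yield n, action, opts.split(), set(src.split('|')), set(dst.split('|')), ports

def audit(text):
    """Return (lineno, finding) pairs for pass rules that deserve a second look."""
    findings = []
    for n, action, opts, src, dst, ports in parse(text):
        checks = {
            'admin-from-any': 'any' in src and bool(ports & ADMIN_PORTS),
            'cleartext-admin': 'telnet' in ports,
            'unrestricted-destination': 'any' in dst and not ports and 'ipproto' not in opts,
        }
        findings += [(n, name) for name, hit in checks.items() if hit and action == 'pass']
    return findings

def ends_with_default_deny(text):
    """True when the last [Filter] rule blocks any source to any destination."""
    rules = list(parse(text))
    return bool(rules) and rules[-1][1] == 'block' and rules[-1][3] == rules[-1][4] == {'any'}
```

`audit(SAMPLE)` reports the line numbers within the sample, so each finding can be traced back to the rule and its comment.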



Re: cubieboard

2014-10-29 Thread Jonathan Gray
On Wed, Oct 29, 2014 at 08:59:11AM +0800, leeqiand wrote:
> Has anyone ever installed OpenBSD on a cubieboard?
> I tried it this way.
> http://comments.gmane.org/gmane.os.openbsd.arm/915
> 
> and it gives me the same panic!
> http://permalink.gmane.org/gmane.os.openbsd.arm/916
> 
> Anyone know it?

If you try the snapshot from the 27th it may get slightly
further.

Be warned that the armv7 port and Cortex A7/Allwinner A20
support in particular are incomplete and need more work.



Re: weird problem in Germany / TCP related

2014-10-29 Thread Arne Becker
Hi.

> So I'm looking for more people who use DTAG who have experienced
> degradations (mostly noticed in running screen or tmux and having
> switched windows and it's doggedly slow due to retransmissions).  What
> sort of home router do you use?

> I invite the company Genua to look into this too since they use OpenBSD
> afaik and if they are losing customers over this it could be bad for
> their core business.

Yes, some of us use OpenBSD and are behind a FritzBox connected to a
Telekom network at home. I haven't heard of any sign of OS-dependent
degradation.

- Arne



Re: pf rdr-to and access from internal network

2014-10-29 Thread Blaise Hizded
On 10/28/2014 07:57 PM, Julian Smith wrote:
> On Tue, 28 Oct 2014 13:40:52 -0400
> trondd  wrote:
>
>> Are you telnetting to the external IP of the server from the internal
>> client?
> Yes. Actually i've tried using the external IP and the internal IP.
> Both have the same result - telnet says 'telnet: Unable to connect to
> remote host: Connection refused'.
>
> Telnetting from an external machine works fine.
>
>> Have you enabled logging in pf?  Are the packets blocked or are they passed
>> by a different rule that doesn't give the expected results?
> Yes, i've enabled logging and i see various items such as:
>
> ju...@server-55.my.domain:~ > sudo tcpdump -v -i pflog0
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> 18:51:26.909339 142-93-134-95.pool.ukrtel.net.4758 > 
> 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 
> 3330667214:3330667214(0) win 65535  (DF) [tos 0xc] 
> (ttl 117, id 29686, len 48)
> 18:51:27.465183 142-93-134-95.pool.ukrtel.net.4758 > 
> 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 
> 3330667214:3330667214(0) win 65535  (DF) [tos 0xc] 
> (ttl 117, id 29765, len 48)
> 18:51:27.909397 142-93-134-95.pool.ukrtel.net.4758 > 
> 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 
> 3330667214:3330667214(0) win 65535  (DF) [tos 0xc] 
> (ttl 117, id 29841, len 48)
>
> But i don't see anything when the internal
> connection is refused.
>
> I enabled logging with:
>
> sudo ifconfig pflog0 up
> sudo tcpdump -v -i pflog0
>
> For completeness, here's my pf.conf:
>
> 
> int_if="sk0"
> ext_if="rl0"
>
> tcp_services="{ 22, 80, 113 }"
> icmp_types="echoreq"
>
> # options
>
> set block-policy return
> set loginterface egress
> set skip on lo
>
> # match rules
>
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> # filter rules
>
> block in log
> pass out quick
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
> port $tcp_services
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> # Redirect Undo keyserver connections to pc5:
> pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281
>
> # Attempting to allow 5281 to forward to pc5 from internal network. But doesn't
> # work...
> pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
> pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
> #pass out on egress proto tcp from any to any port 5281 received-on $int_if nat-to $int_if
>
> pass in on $int_if
>
> # for our ftp server.
> pass in on egress proto tcp to port 21
> pass in on egress proto tcp to port > 49151
>
> pass in on rl0 proto tcp to port 21
> pass in on rl0 proto tcp to port > 49151
> 
>
>
> Many thanks,
>
> - Julian
>

You can try the match keyword to redirect, and then a pass rule.

I didn't try it, and it's a long time since I have written a pf rule, but
you can try something like this:

# change the dest ip of any packet from 5281 to pc5
match in on $ext_if inet proto tcp from port 5281 rdr-to pc5

...

pass on egress inet proto tcp from port 5281
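
Why reflecting a connection back into the internal network needs a source translation (`nat-to`) as well as the `rdr-to`, traced packet by packet. This is an added example, not part of the thread: the addresses, the client port and the assumption that the client and pc5 share the `$int_if` subnet are constructed, and one table entry stands in for pf's state handling.

```python
from dataclasses import dataclass, replace

# Constructed addresses (assumptions, not taken from the thread)
CLIENT, PC5 = "192.168.1.10", "192.168.1.5"      # both on the $int_if network
FW_INT, FW_EXT = "192.168.1.1", "203.0.113.5"    # firewall's $int_if and $ext_if addresses

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def handshake(use_nat_to):
    """Trace SYN and SYN-ACK for an internal client connecting to FW_EXT:5281.

    Returns (reply_seen_by_client, accepted_by_client)."""
    syn = Pkt(CLIENT, 40000, FW_EXT, 5281)
    # "pass in on $int_if ... rdr-to pc5": the destination becomes pc5
    fwd = replace(syn, dst=PC5)
    # "pass out on $int_if ... received-on $int_if nat-to $int_if":
    # the source becomes the firewall's internal address
    if use_nat_to:
        fwd = replace(fwd, src=FW_INT)
    # Simplified state table: keyed on how the reply will look,
    # mapping back to the packet the client originally sent.
    states = {(fwd.dst, fwd.dport, fwd.src, fwd.sport): syn}
    # pc5 answers the source address it saw on the SYN
    reply = Pkt(PC5, 5281, fwd.src, fwd.sport)
    key = (reply.src, reply.sport, reply.dst, reply.dport)
    if reply.dst == FW_INT and key in states:
        # The reply crosses the firewall, so the state undoes both translations
        orig = states[key]
        reply = Pkt(orig.dst, orig.dport, orig.src, orig.sport)
    # Otherwise pc5 and the client share a subnet: the reply goes straight
    # to the client and never passes through pf.
    # The client only accepts a SYN-ACK from the address and port it dialled.
    accepted = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return reply, accepted

if __name__ == "__main__":
    for nat in (False, True):
        print("nat-to" if nat else "rdr-to only", handshake(nat))
```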



weird problem in Germany / TCP related

2014-10-29 Thread Peter J. Philipp
I'm looking for people who may have the same problem as I.  Let me
describe it.

When I'm at my parents' house using the OpenBSD laptop, my TCP
connections from there experience degradations, lost and dropped packets
somewhere in the Internet, this causes retransmissions in TCP which I
have tracked.  The other computers in that household are Linux and Mac
OS X and do not have these symptoms.

There are hints that it may be the home router, a Fritz!Box, but I have
compared tcpdumps and packet dumps from the router's packet dump
interface and I do see the packets dropping before it (unless that
router lies in its pcap file), so unseen by it.  Causing me to think
that the degradation is in the upstream network.

That upstream network happens to be Deutsche Telekom, Germany's largest
provider.  I know it may sound crazy that these people degrade TCP,
based on some TCP OS signature, but could it be?

So I'm looking for more people who use DTAG who have experienced
degradations (mostly noticed in running screen or tmux and having
switched windows and it's doggedly slow due to retransmissions).  What
sort of home router do you use?

I'm also looking for Fritz!Box users with FritzOS 6.x firmware who have
these degradations and aren't necessarily on DTAG's network.

I guess I could change routers to find out but what if it's a
conspiracy?  Also I have created gif tunnels and experienced no
degradations which to me says there is a Deep packet inspection on
native TCP packets, somewhere, and the degradation.

I invite the company Genua to look into this too since they use OpenBSD
afaik and if they are losing customers over this it could be bad for
their core business.

BTW tickets to DTAG were opened and closed, and opened to AVM the router
manufacturer but closed on my behalf because the packet dump revealed
that drops were not on that router.

Regards,

-peter



Re: Firewall: Where is the bottleneck?

2014-10-29 Thread Remi Locherer
On Tue, Oct 28, 2014 at 10:13:54PM +0100, jum...@yahoo.de wrote:
> Hi Andy,
> 
> sorry for the delay, but a lot of more important work came between your mail
> and this answer ;).
> 
> >You can set a simple prio on a rule like;
> >pass proto tcp from $left to $right set prio (1,4)
> 
> With PRIQ I mean the scheduler priq instead of cbq.
> 
> Relevant lines of my current pf.conf rule set.
> 
> 
> ...
> altq on em0 priq bandwidth 1000Mb queue { std_em0, tcp_ack_em0 }
> queue std_em0 priq(default)
> queue tcp_ack_em0 priority 6
> 
> altq on em1 priq bandwidth 1000Mb queue { std_em1, tcp_ack_em1 }
> queue std_em1 priq(default)
> queue tcp_ack_em1 priority 6
> 
> match em0 on em0 inet proto tcp from any to any queue(std_em0, tcp_ack_em0)
> match em0 on em1 inet proto tcp from any to any queue(std_em1, tcp_ack_em1)
> ...
> 
> 
> I have read The Book of PF 2nd, but there is nothing about troubleshooting.
> What should I do to find the problem?
> 
> I have made some notes for troubleshooting purpose:
> 
> top -> Interrupts -> High CPU or network interfaces => Hardware limit
> systat -> Interrupts on CPU and network cards => Hardware limit
> bwm-ng -> Bandwidth near the theoretical limit => Hardware limit
> pfctl -si -> Look for current states, default limit to 1. The memory
> counter shows failed allocation of memory for states. If this number is high
> and increasing further => Set limit for states (pfctl -sm -> shows States
> Limit)
> sysctl kern.netlivelocks -> High number means something like two processes
> blocks each user => Hardware limit
> 
> No problem can be found with above steps:

Two more things you can check:

# netstat -m
If peak is close to or equal to max, raise kern.maxclusters with sysctl.

# sysctl net.inet.ip.ifq.drops
If this counter goes up try to increase net.inet.ip.ifq.maxlen with
sysctl. It defines how many packets can be queued in the ip input queue
before further packets are dropped.

Remi

> - prioritize TCP-ACK for tcp traffic
> 
> Best Regards,
> Patrick
> 
> 
> On Thu, 9 Oct 2014, Andy wrote:
> 
> >Hi,
> >
> >Just so I understand what you have done, PRIQ is not the same as queuing.
> >
> >You can set a simple prio on a rule like;
> >pass proto tcp from $left to $right set prio (1,4)
> >
> >But this doesn't manage the situations where you have lots of different
> >types/profiles of traffic on your network.
> >For example you might have some big file transfers going on which can be
> >delayed and can have a high latency but high throughput, alongside your
> >control/real-time protocols which need low latency etc.
> >Generally in this situation just using prio won't always be enough and
> >your file transfers will still swamp your Interactive SSH or VNC
> >connections etc..
> >
> >So we do something like this;
> >
> >altq on $if_trunk1 bandwidth 4294Mb hfsc queue { _wan }
> >   oldqueue _wan on $if_trunk1 bandwidth 4290Mb priority 15 hfsc(linkshare
> >4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn,
> >_wan_web, _wan_dflt, _wan_bulk }
> >   oldqueue _wan_rt on $if_trunk1 bandwidth 20% priority 7 qlimit 50
> >hfsc(realtime(20%, 5000, 10%), linkshare 20%)
> >   oldqueue _wan_int on $if_trunk1 bandwidth 10% priority 5 qlimit 100
> >hfsc(realtime 5%, linkshare 10%)
> >   oldqueue _wan_pri on $if_trunk1 bandwidth 10% priority 4 qlimit 100
> >hfsc(realtime(15%, 2000, 5%), linkshare 10%)
> >   oldqueue _wan_vpn on $if_trunk1 bandwidth 30% priority 3 qlimit 300
> >hfsc(realtime(15%, 2000, 5%), linkshare 30%)
> >   oldqueue _wan_web on $if_trunk1 bandwidth 10% priority 2 qlimit 300
> >hfsc(realtime(10%, 3000, 5%), linkshare 10%)
> >   oldqueue _wan_dflt on $if_trunk1 bandwidth 15% priority 1 qlimit
> >100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
> >   oldqueue _wan_bulk on $if_trunk1 bandwidth 5% priority 0 qlimit 100
> >hfsc(linkshare 5%, upperlimit 30%, ecn, red)
> >
> >altq on $if_trunk2 bandwidth 4294Mb hfsc queue { _wan }
> >   oldqueue _wan on $if_trunk2 bandwidth 4290Mb priority 15 hfsc(linkshare
> >4290Mb, upperlimit 4290Mb) { _wan_rt, _wan_int, _wan_pri, _wan_vpn,
> >_wan_web, _wan_dflt, _wan_bulk }
> >   oldqueue _wan_rt on $if_trunk2 bandwidth 20% priority 7 qlimit 50
> >hfsc(realtime(20%, 5000, 10%), linkshare 20%)
> >   oldqueue _wan_int on $if_trunk2 bandwidth 10% priority 5 qlimit 100
> >hfsc(realtime 5%, linkshare 10%)
> >   oldqueue _wan_pri on $if_trunk2 bandwidth 10% priority 4 qlimit 100
> >hfsc(realtime(15%, 2000, 5%), linkshare 10%)
> >   oldqueue _wan_vpn on $if_trunk2 bandwidth 30% priority 3 qlimit 300
> >hfsc(realtime(15%, 2000, 5%), linkshare 30%)
> >   oldqueue _wan_web on $if_trunk2 bandwidth 10% priority 2 qlimit 300
> >hfsc(realtime(10%, 3000, 5%), linkshare 10%)
> >   oldqueue _wan_dflt on $if_trunk2 bandwidth 15% priority 1 qlimit
> >100 hfsc(realtime(10%, 5000, 5%), linkshare 15%, ecn, default)
> >   oldqueue _wan_bulk on $if_trunk2 bandwidth 5% priority 0 qlim