Re: OpenBGPd forward update configuration

2015-06-25 Thread dsp
On Thu, Jun 11, 2015 at 03:21:31PM -0600, dsp wrote:
> On Wed, Jun 10, 2015 at 08:18:34PM -0600, dsp wrote:
> > Hello list!
> > 
> > Please excuse my probably idiotic question, but I'm still a new OpenBGPd
> > user (5.7 release).
> > 
> > What I'm trying to achieve is:
> > a) connect to a bunch of peers but announce nothing to them, just collect
> > their updates.
> > b) send all those updates to another peer ($livebgp)
> > 
> > My config is:
> > 
> > AS 65005
> > router-id a.b.c.d
> > route-collector yes
> > transparent-as yes
> > 
> > neighbor $livebgp {
> >     remote-as     65001
> >     descr         livebgp
> >     holdtime      180
> >     multihop      100
> >     passive
> >     holdtime min  3
> >     announce all
> > }
> > 
> > group peers {
> >     announce none
> >     holdtime      180
> >     holdtime min  3
> >     multihop      100
> >     neighbor $foo {
> >         remote-as     
> >         descr         foo
> >     }
> >     ...
> > }
> allow from any
> allow to $livebgp
> 
> Solved it for me.
> Sorry for the noise :)
Hello again list.
I come back to you with this problem because it has been bugging me for weeks now.
Please, if anyone has any input, share :)

So the thing is that the updates I'm getting to my $livebgp neighbor seem to
only be originating from 2 of the almost 10 connected hosts in the group peers
(one of the 2 is actually my closest BGP router).
I'm checking with bgpctl show and seeing updates coming to me from other
connected peers, but my openbgpd only sends out ones from my closest AS and
one more.

How can I emulate IXP route server functionality so that my $livebgp peer
gets ALL updates from ALL the hosts in the group peers???

Thank you very much!

DSP
> 
> DsP
> > 
> > On the livebgp side though all I'm seeing are the keepalives.
> > livebgp is doing the active connection, so that's why I have the passive there.
> > 
> > Do you guys have any input?
> > 
> > Thank you so much!
> > 
> > DsP



IPV6 routing issue

2015-06-25 Thread Giancarlo Razzolini

Hi all,

I've recently changed my ISP and they have native IPv6. My customer
premises equipment, which is a GPON, supports both stateless and DHCPv6
on its LAN interface. I want to put an OpenBSD firewall between this CPE
and my internal network. I'm using OpenBSD 5.7 stable. My CPE receives a
/64 prefix delegation from my ISP. Unfortunately, this is a dynamic
prefix, so I can't configure anything manually.


I've managed to get wide-dhcp6 working and requesting the prefix to
be delegated to my internal network. After that, all I needed to do was
to run rtadvd on my internal interface, and my internal LAN machines
began to be autoconfigured, getting IPs from the delegated prefix.


The OpenBSD firewall has 2 IPv6 addresses. One on the WAN interface
and another on the LAN interface. If I use ping6 to ping any IPv6 host
from my firewall, I can ping them with no problems. But if I ping
setting the source to be the IPv6 address from the internal interface,
it won't work. Also, no machine from my LAN can connect to any host
through IPv6.


I've inspected the traffic with tcpdump, and I can see the packets
leaving my network and arriving at the destination. The problem is that the
packets never get back. My CPE equipment keeps sending neighbour
solicitations asking who has the IPv6 address, but the OpenBSD firewall
never replies, so the packets get dropped. I'm currently running with PF
disabled. But I had the same problem with it enabled and with the
default firewall configuration. I'm trying first to get IPv6
connectivity working, to filter the packets afterwards. Anyone had a similar
issue?


Cheers,
Giancarlo Razzolini



Softraid Experiences

2015-06-25 Thread Duncan Patton a Campbell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


I had a situation where I needed to scan something and my 5.7 scanimage didn't 
want to work so I rebooted into 5.6 (I've been keeping my boot devices on USB)
and ran scanimage, then rebooted to 5.7, after which my softraid0 device 
came up non-op with a message saying 
"softraid0: sd2 was not shutdown properly"
and
"softraid0: trying to bring up sd2 degraded"

So now I've started to rebuild the softraid 
(at about 1% per hour) and I'm wondering what
might have happened (I got a core dump from
the scanimage) and there's some old talk of
usb devices doing things to softraid 

Dhu

- -- 

https://babayaga.neotext.ca/PublicKeys/Duncan_Patton_a_Campbell_pubkey.txt

Ne obliviscaris, vix ea nostra voco.
iF4EAREIAAYFAlWMkVsACgkQiY6AzzR1lzwUMgD/XlbSFGhpDlb/ZZvrT8NBWDbo
uJldLVHWTK5mBvvUk28A/3q7AYO4QX7C08BzgJsFdInYfaI2Yse5I7KbSFYB0Bso
=4Oys
-END PGP SIGNATURE-



Re: The Memory Sinkhole - Unleashing an x86 Design Flaw Allowing Universal Privilege

2015-06-25 Thread Jean-Philippe Ouellet
On Thu, Jun 25, 2015 at 05:39:46PM -0400, Jean-Philippe Ouellet wrote:
> And an intel microcode update:
> https://downloadcenter.intel.com/download/24290

Oops, I read the date wrong on that page.
Still though.

> And microsoft (yup) pushed an update for it:
> https://support.microsoft.com/en-ca/kb/3064209
> 
> Waiting to get the new ucode through bios updates (which will
> realistically never come) sounds like a recipe for disaster.
> 
> Does somebody smarter than me want to look into this before shit
> hits the fan for real? Does this sound like something for our
> fw_update infrastructure or similar?
> 
> 40 days until the 0day drops.



Re: The Memory Sinkhole - Unleashing an x86 Design Flaw Allowing Universal Privilege

2015-06-25 Thread Jean-Philippe Ouellet
And an intel microcode update:
https://downloadcenter.intel.com/download/24290

And microsoft (yup) pushed an update for it:
https://support.microsoft.com/en-ca/kb/3064209

Waiting to get the new ucode through bios updates (which will
realistically never come) sounds like a recipe for disaster.

Does somebody smarter than me want to look into this before shit
hits the fan for real? Does this sound like something for our
fw_update infrastructure or similar?

40 days until the 0day drops.


On Fri, Jun 05, 2015 at 09:21:27AM -0400, ertetlen barmok wrote:
> Hello, 
> 
> just a fyi, august 5-6
> 
> https://www.blackhat.com/us-15/briefings.html#the-memory-sinkhole-unleashing-an-x86-design-flaw-allowing-universal-privilege-escalation
> 
> https://news.ycombinator.com/item?id=9663249
> 
> "In x86, beyond ring 0 lie the more privileged realms of execution, where our 
> code is invisible to AV, we have unfettered access to hardware, and can 
> trivially preempt and modify the OS. The architecture has heaped layers upon 
> layers of protections on these negative rings, but 40 years of x86 evolution 
> have left a labyrinth of forgotten backdoors into the ultra-privileged modes. 
> Lost in this byzantine maze of decades-old architecture improvements and 
> patches, there lies a design flaw that's gone unnoticed for 20 years. In one 
> of the most bizarre and complex vulnerabilities we've ever seen, we'll 
> release proof-of-concept code exploiting the vast, unexplored wasteland of 
> forgotten x86 features, to demonstrate how to jump malicious code from the 
> paltry ring 0 into the deepest, darkest realms of the processor. Best of all, 
> we'll do it with an architectural 0-day built into the silicon itself, 
> directed against a uniquely vulnerable string of code running on every single 
> system."
> 
> presented by
> Christopher Domas
> https://www.blackhat.com/us-15/speakers/Christopher-Domas.html



Re: nsd configuration problem

2015-06-25 Thread mxb

Good that you solved your problem.
I've done the same work as you by converting from bind to nsd+unbound.
"The hard way" via digging Google and trying out.
You got lucky with a shortcut ;)

//mxb

On 2015-06-25 21:22, Andrew Daugherity wrote:
> On Wed, Jun 24, 2015 at 1:06 PM, Graham Stephens
>  wrote:
> > ---
> > On 24/06/2015 18:43, mxb wrote:
> > > Hey,
> > > this is a bit different from bind/named.
> > >
> > > nsd is an authoritative server ONLY.
> > > unbound is a caching server ONLY.
> > >
> > > I use those together on the same machine.
> > > nsd is handling all zones, unbound answers queries.
> > >
> > > nsd.conf:
> > > [port 5353, snip rest of cfg]
> > >
> > > unbound.conf:
> > >
> > > server:
> > >   ## this one important to be able to query nsd
> > >   do-not-query-localhost: no
> > >
> > >   private-domain: "homelan.com"
> > >
> > >   ## this one important to be able to query nsd
> > >   local-zone: "78.168.192.in-addr.arpa." transparent
> > >
> > > ## forward to nsd
> > > forward-zone:
> > >   name: "homelan.com"
> > >   forward-addr: 127.0.0.1@5353
> > >
> > > ## forward to nsd
> > > forward-zone:
> > >   name: "78.168.192.in-addr.arpa"
> > >   forward-addr: 127.0.0.1@5353
> > >
> > > ## forward to google
> > > forward-zone:
> > >   name: "."
> > >   forward-addr: 8.8.8.8
> 
> This is similar to my setup, although I used stub-zone/stub-addr
> instead of forward-zone for my internal forward and reverse zones, as
> that seems to make more sense based on my reading of unbound.conf(5).
> (It says stub-zone is for authoritative servers, which nsd is, and
> forward-zone is for recursive servers.  I'm not 100% sure I am correct
> here, however.)  I also did not define a global forward-zone -- why
> not just use the system DNS servers?
> 
> The important bits to actually make this work are the
> 'do-not-query-localhost: no' and 'local-zone: C.B.A.in-addr.arpa.
> transparent' options, needed to override unbound's default behavior of
> ignoring localhost and RFC1918 addresses.  It took me a while to find
> this, until I discovered the proper keywords to Google for.
> 
> I think this would be a good addition to the OpenBSD FAQ.  While less
> common than a simple caching resolver, it's probably not too uncommon
> to have used BIND to serve a local zone and also act as a caching
> resolver, and having some guidance on "how to convert your BIND setup
> to unbound+nsd" would be nice.  (Good guidance, not misleading and/or
> incorrect advice from ca***el.org!)  nsd on a localhost high port,
> serving my old BIND zone files, and unbound forwarding to it for my
> zones was easy enough, but the two "magic" options letting unbound
> actually talk to nsd were somewhat less obvious.
> 
> -Andrew




Re: mail server on rental server ,cannot recieve mail

2015-06-25 Thread Tuyosi Takesima
Thanks for the many kind pieces of advice, but I cannot receive mail because of
the limits of my ability.
Namely, pop3d is hard because of the SSL hurdle.
Dovecot is also hard because it is involved with MX and Postfix.
I may study BIND or so.

So I give up on dovecot, pop3d and pop3*..

---
But I can read mail when I log in to the server and use mutt, although I
pkg_delete'd dovecot.
Namely: ssh -l user rentalserver, and then
  mutt.
  I can read mail (Japanese, of course).

The setting to read Maildir/new is the setting of mutt.

$ cat .muttrc
set mbox_type="Maildir"
set folder="~/Maildir"
set mbox="~/Maildir"
set spoolfile="~/Maildir"
set mask="!^\\.[^.]"
set record="+.Sent"
set postponed="+.Drafts"

mailboxes `echo -n "+ "; find ~/Maildir -maxdepth 1 -type d -name ".*" -printf "+'%f' "`
-

I am satisfied with this, considering the management of a rental server.

In addition, my origin is long (tk0-123-45678.vs.sakura.ne.jp).
Perhaps for this reason I cannot send mail with postfix2, but can send mail
with postfix3.

My main.cf setting now is:
-
myhostname = abc.vs.sakura.ne.jp
mydomain = vs.sakura.ne.jp
myorigin = $myhostname
mydestination = $myhostname localhost
inet_interfaces = all
home_mailbox = Maildir/
mynetworks = 127.0.0.0/8
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
mail_owner = _postfix
inet_protocols = all
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/sbin/newaliases
mailq_path = /usr/local/sbin/mailq
setgid_group = _postdrop
html_directory = /usr/local/share/doc/postfix/html
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = /usr/local/share/doc/postfix/readme
meta_directory = /etc/postfix
shlib_directory = no

The reason why I use port 587 instead of 25 (master.cf) is that port 25
blocking exists in the test period.

--
regards



Re: Chromium in the latest snapshot packages

2015-06-25 Thread Paul de Weerd
On Thu, Jun 25, 2015 at 04:19:42PM +, Christian Weisgerber wrote:
| > It's typical for a few ports to fail during a snapshot build.
| > Usually because of changes in the ports tree, sometimes because of
| > changes in base, sometimes just because a particular port doesn't
| > build reliably.
| 
| ... this still holds true.  The next snapshot may again have some
| holes.

Thanks for taking the time to explain this behaviour Christian, but
most of all, thanks for the very frequent pkg snapshots you (and the
other pkg builders) are pushing out.  Your effort is greatly
appreciated.

Cheers,

Paul 'WEiRD' de Weerd

-- 
 http://www.weirdnet.nl/ 



Re: UPDATE: www/vimb 2.9 => 2.10

2015-06-25 Thread Dmitrij D. Czarkoff
Brian Callahan said:
> Not quite with removing patches/patch-Makefile though: the install
> routine uses a GNU install extension (-D). So a patch needs to exist
> removing that.

Actually not: ports call /bin/install via wrapper that strips unknown
options.

-- 
Dmitrij D. Czarkoff



Re: Any books about OpenBSD ARM programming?

2015-06-25 Thread Ingo Schwarze
Hi,

andrew fabbro wrote on Thu, Jun 25, 2015 at 11:00:32AM -0700:
> On Wed, Jun 24, 2015 at 9:38 PM, Hrishikesh Muruk wrote:

>> The online man (man.cgi) for intro(9) is very short
>> I suppose the other man pages in section 9 (kernel
>> developer's manual) will have more details.

As a matter of principle, i make sure that the same manual pages are
available on the web and in an installed system, and that the content 
is the same.  If you find differences in content, that's a bug.

>> Is there a way to see all of the pages in section 9 using man.cgi
>> (or man)?
>> A "." in the search window with "Search with apropos query" selected
>> and the section set to 9
>>   http://goo.gl/qIxokF
>> But it does not seem to get a complete list of pages in section 9

Indeed.  What you are asking for here is a literal full stop in the
name or one-line description of a manual page.  Regular expressions 
are not the default mode for searches, see apropos(1).

> I asked Kristaps Dzonsons this question a while back and he was kind
> enough to send me the answer.  If you want to get a list of man pages
> in, say, section 9:
> 
> http://www.openbsd.org/cgi-bin/man.cgi?query=any~.*&sec=9&arch=default&manpath=OpenBSD-5.7&apropos=1

That can be improved.  The 'any' isn't needed here, matching the
empty substring is slightly faster than regular expressions, and
the arch= specification is redundant, too:

http://www.openbsd.org/cgi-bin/man.cgi?query=%3D&sec=9&manpath=OpenBSD-5.7&apropos=1

The command line equivalent is something like

  $ apropos -s 9 =
  $ apropos -s 9 Nm=

This answer was very wrong:

Mike Burns wrote on Thu, 25 Jun 2015 11:52:20 +0200:

> I had done this; perhaps there is a better way, but I don't know it:
>   $ apropos -s 9 *

The asterisk gets expanded by the shell, so the result depends on
whatever files you have in the current directory.  Something like

  $ apropos -s 9 \*
  $ apropos -s 9 '*'

wouldn't be better because apropos(1) does not treat the asterisk
as a special character but looks for manuals containing a literal 
asterisk in the title line, like usbtablet(4).

Yours,
  Ingo



Re: Any books about OpenBSD ARM programming?

2015-06-25 Thread Christian Weisgerber
On 2015-06-25, andrew fabbro  wrote:

> There was a 2nd edition of "The Design and Implementation of the FreeBSD
> Operating System" released September 2014.  I haven't looked at it - was it
> updated to reflect current design?

It was, but how is any of this relevant for OpenBSD?

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: nsd configuration problem

2015-06-25 Thread Andrew Daugherity
On Wed, Jun 24, 2015 at 1:06 PM, Graham Stephens
 wrote:
> ---
> On 24/06/2015 18:43, mxb wrote:
>> Hey,
>> this is a bit different from bind/named.
>>
>> nsd is an authoritative server ONLY.
>> unbound is a caching server ONLY.
>>
>> I use those together on the same machine.
>> nsd is handling all zones, unbound answers queries.
>>
>> nsd.conf:
>> [port 5353, snip rest of cfg]
>>
>> unbound.conf:
>>
>> server:
>>  ## this one important to be able to query nsd
>>  do-not-query-localhost: no
>>
>>  private-domain: "homelan.com"
>>
>>  ## this one important to be able to query nsd
>>  local-zone: "78.168.192.in-addr.arpa." transparent
>>
>> ## forward to nsd
>> forward-zone:
>>  name: "homelan.com"
>>  forward-addr: 127.0.0.1@5353
>>
>> ## forward to nsd
>> forward-zone:
>>  name: "78.168.192.in-addr.arpa"
>>  forward-addr: 127.0.0.1@5353
>>
>> ## forward to google
>> forward-zone:
>>  name: "."
>>  forward-addr: 8.8.8.8

This is similar to my setup, although I used stub-zone/stub-addr
instead of forward-zone for my internal forward and reverse zones, as
that seems to make more sense based on my reading of unbound.conf(5).
(It says stub-zone is for authoritative servers, which nsd is, and
forward-zone is for recursive servers.  I'm not 100% sure I am correct
here, however.)  I also did not define a global forward-zone -- why
not just use the system DNS servers?

The important bits to actually make this work are the
'do-not-query-localhost: no' and 'local-zone: C.B.A.in-addr.arpa.
transparent' options, needed to override unbound's default behavior of
ignoring localhost and RFC1918 addresses.  It took me a while to find
this, until I discovered the proper keywords to Google for.

I think this would be a good addition to the OpenBSD FAQ.  While less
common than a simple caching resolver, it's probably not too uncommon
to have used BIND to serve a local zone and also act as a caching
resolver, and having some guidance on "how to convert your BIND setup
to unbound+nsd" would be nice.  (Good guidance, not misleading and/or
incorrect advice from ca***el.org!)  nsd on a localhost high port,
serving my old BIND zone files, and unbound forwarding to it for my
zones was easy enough, but the two "magic" options letting unbound
actually talk to nsd were somewhat less obvious.

-Andrew



Re: Any books about OpenBSD ARM programming?

2015-06-25 Thread andrew fabbro
On Wed, Jun 24, 2015 at 9:38 PM, Hrishikesh Muruk  wrote:

> But it does not seem to get a complete list of pages in section 9
>

I asked Kristaps Dzonsons this question a while back and he was kind enough
to send me the answer. If you want to get a list of man pages in, say,
section 9:

http://www.openbsd.org/cgi-bin/man.cgi?query=any~.*&sec=9&arch=default&manpath=OpenBSD-5.7&apropos=1


-- 
andrew fabbro
and...@fabbro.org
blog: https://raindog308.com



Re: Any books about OpenBSD ARM programming?

2015-06-25 Thread andrew fabbro
On Wed, Jun 24, 2015 at 6:57 PM, Geoff Steckel  wrote:

> The McKusick books are a reasonable introduction to the kernel
> as it was some decades ago.


There was a 2nd edition of "The Design and Implementation of the FreeBSD
Operating System" released September 2014.  I haven't looked at it - was it
updated to reflect current design?


-- 
andrew fabbro
and...@fabbro.org
blog: https://raindog308.com



Re: panic during boot of 5.7 in de(4) running in Hyper-V

2015-06-25 Thread Reyk Floeter
On Tue, Jun 23, 2015 at 09:08:25PM -0600, Theo de Raadt wrote:
> > I looked into this last year but lost interest. It seems like the DMA buffer
> > is being placed past the UVM constraint for DMA ( eg > 4GB).
> 
> A configuration buffer is in the softc.  It should be allocated to be
> dma-reachable.
> 
> This driver is quite ugly.  Maybe the following diff works?
> 

It fixes the issue for me, with two changes below, otherwise OK.

But I still don't get any traffic with de(4) on Hyper-V here ...  or
just once in a while with dhclient  but this seems to be a
different issue.

Reyk

> Index: if_de.c
> ===
> RCS file: /cvs/src/sys/dev/pci/if_de.c,v
> retrieving revision 1.120
> diff -u -p -u -r1.120 if_de.c
> --- if_de.c   15 May 2015 11:36:30 -  1.120
> +++ if_de.c   24 Jun 2015 00:05:05 -
> @@ -49,6 +49,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  
>  #include 
>  #include 
> @@ -2907,7 +2908,7 @@ tulip_addr_filter(tulip_softc_t * const 
>* go into hash perfect mode (512 bit multicast
>* hash and one perfect hardware).
>*/
> - bzero(sc->tulip_setupdata, sizeof(sc->tulip_setupdata));
> + bzero(sc->tulip_setupdata, TULIP_SETUP);
>   if (ac->ac_multirangecnt > 0) {
>   sc->tulip_flags |= TULIP_ALLMULTI;
>   sc->tulip_flags &= ~(TULIP_WANTHASHONLY|TULIP_WANTHASHPERFECT);
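Review bot: the byte count in `bzero(sc->tulip_setupdata, TULIP_SETUP)` is only correct if TULIP_SETUP is a size in bytes, but the if_devar.h hunk defines it as `192 / sizeof(u_int32_t)`, i.e. 48, so only a quarter of the 192-byte setup frame is cleared and the rest of the freshly malloc'd buffer keeps whatever malloc() handed back. Define the macro as 192 (Reyk's suggestion further down) or spell the byte size out here as `TULIP_SETUP * sizeof(u_int32_t)`, and use the same convention at every other call site.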
> @@ -4085,8 +4086,7 @@ tulip_txput_setup(tulip_softc_t * const 
>   sc->tulip_if.if_start = tulip_ifstart;
>   return;
>  }
> -bcopy(sc->tulip_setupdata, sc->tulip_setupbuf,
> -   sizeof(sc->tulip_setupbuf));
> +bcopy(sc->tulip_setupdata, sc->tulip_setupbuf, TULIP_SETUP);
>  /*
>   * Clear WANTSETUP and set DOINGSETUP.  Set know that WANTSETUP is
>   * set and DOINGSETUP is clear doing an XOR of the two will DTRT.
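Review bot: same unit problem as the bzero() above: `bcopy(sc->tulip_setupdata, sc->tulip_setupbuf, TULIP_SETUP)` copies 48 bytes with the header's current definition, so three quarters of the setup frame handed to the chip are stale. Replacing `sizeof(sc->tulip_setupbuf)` is right in itself, since after the header change that expression is the size of a pointer rather than of the frame, but the macro it is replaced with has to be a byte count.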
> @@ -4357,16 +4357,17 @@ tulip_busdma_init(tulip_softc_t * const 
>  {
>  int error = 0;
>  
> +sc->tulip_setupbuf = dma_alloc(TULIP_SETUP, PR_WAITOK);
> +sc->tulip_setupdata = malloc(TULIP_SETUP, M_DEVBUF, M_WAITOK);
> +
>  /*
>   * Allocate dmamap for setup descriptor
>   */
>  error = bus_dmamap_create(sc->tulip_dmatag, sizeof(sc->tulip_setupbuf), 
> 2,

Here is a missing TULIP_SETUP, it should be:

  error = bus_dmamap_create(sc->tulip_dmatag, TULIP_SETUP, 2,
TULIP_SETUP, 0, BUS_DMA_NOWAIT, &sc->tulip_setupmap);

> -   sizeof(sc->tulip_setupbuf), 0, BUS_DMA_NOWAIT,
> -   &sc->tulip_setupmap);
> + TULIP_SETUP, 0, BUS_DMA_NOWAIT, &sc->tulip_setupmap);
>  if (error == 0) {
>   error = bus_dmamap_load(sc->tulip_dmatag, sc->tulip_setupmap,
> - sc->tulip_setupbuf, sizeof(sc->tulip_setupbuf),
> - NULL, BUS_DMA_NOWAIT);
> + sc->tulip_setupbuf, TULIP_SETUP, NULL, BUS_DMA_NOWAIT);
>   if (error)
>   bus_dmamap_destroy(sc->tulip_dmatag, sc->tulip_setupmap);
>  }
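Review bot: the error path leaks both new allocations and one call still uses the old size. If bus_dmamap_create() or bus_dmamap_load() fails, `sc->tulip_setupbuf` (dma_alloc) and `sc->tulip_setupdata` (malloc) are neither released nor reset, and the remaining `bus_dmamap_create(sc->tulip_dmatag, sizeof(sc->tulip_setupbuf), 2,` passes the size of a pointer as maxsize (the fix Reyk gives inline: TULIP_SETUP for both maxsize and maxsegsz). Suggest releasing them with `dma_free(sc->tulip_setupbuf, TULIP_SETUP)` and `free(sc->tulip_setupdata, M_DEVBUF, TULIP_SETUP)` when error is non-zero, so a failed attach does not leave DMA memory behind. PR_WAITOK and M_WAITOK mean the two allocations themselves cannot return NULL, so no NULL checks are needed there.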
> Index: if_devar.h
> ===
> RCS file: /cvs/src/sys/dev/pci/if_devar.h,v
> retrieving revision 1.33
> diff -u -p -u -r1.33 if_devar.h
> --- if_devar.h10 Feb 2015 03:51:58 -  1.33
> +++ if_devar.h24 Jun 2015 00:04:36 -
> @@ -600,8 +600,10 @@ struct _tulip_softc_t {
>   * one is the one being sent while the other is the one being
>   * filled.
>   */
> -u_int32_t tulip_setupbuf[192/sizeof(u_int32_t)];
> -u_int32_t tulip_setupdata[192/sizeof(u_int32_t)];
> +#define TULIP_SETUP  (192 / sizeof(u_int32_t))

As mentioned in another mail, this should be changed to

#define TULIP_SETUP 192

> +u_int32_t *tulip_setupbuf;
> +u_int32_t *tulip_setupdata;
> +
>  char tulip_boardid[16];  /* buffer for board ID */
>  u_int8_t tulip_rombuf[128];
>  struct device *tulip_pci_busno;  /* needed for multiport boards */
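Review bot: TULIP_SETUP is consumed as a byte count by every caller in if_de.c (dma_alloc, malloc, bzero, bcopy and the bus_dmamap calls) but is defined here as an element count, `192 / sizeof(u_int32_t)` = 48; define it as 192 as Reyk notes, and say "bytes" in the comment above the two pointers so the next reader does not re-introduce the mismatch. Dropping the arrays also dropped the implicit size at every former sizeof() site, which is why the leftover `sizeof(sc->tulip_setupbuf)` in tulip_busdma_init() now measures a pointer.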



Re: out of memory and login.conf logging

2015-06-25 Thread nusenu
Hello Michael,

thanks for your reply.

>> would I see any log entries in /var/log/messages if the system
>> runs out of memory and kills a process or if a limit in
>> /etc/login.conf has been overstepped by a process?
> 
> It should be easy to test this yourself. See login.conf(5) and the 
> ulimit section of ksh(1).
> 

Yes I consulted login.conf(5), but it does not mention logging (I
searched for "log" in the man page with many sentences having that
string in the context of 'login'). It does not say how one would
enable such logging - if it can be enabled. Or did I overlook something?

Currently I don't see any log entries as soon as a process hits for
example 'openfiles-max' limits.


The first part of my question (out of memory kills due to insufficient
system memory) is unrelated to login.conf - I assume.

thanks,
nusenu



Intel Compute Stick - OpenBSD "compatible"?

2015-06-25 Thread Mihai Popescu
Hello,

Did anyone try OpenBSD on Intel Compute Stick STCK1A32WFC ?

More details here:
http://www.tweaktown.com/reviews/7099/intel-compute-stick-stck1a32wfc-2gb-windows-8-1-review/index3.html



Re: out of memory and login.conf logging

2015-06-25 Thread Michael McConville
On Thu, Jun 25, 2015 at 05:06:32PM +0200, nusenu wrote:
> would I see any log entries in /var/log/messages if the system runs
> out of memory and kills a process or if a limit in /etc/login.conf has
> been overstepped by a process?

It should be easy to test this yourself. See login.conf(5) and the
ulimit section of ksh(1).



Re: "when SSDs are not so solid" or why no TRIM support can be a good thing :)

2015-06-25 Thread Karel Gardas
On Thu, Jun 25, 2015 at 12:57 PM, Mikael  wrote:
> For having a *guaranteedly intact* storage, what is the way then?
>
> This is with the background of recent discussions that touched on
> https://www.usenix.org/legacy/events/fast08/tech/full_papers/bairavasundaram/bairavasundaram_html/index.html and
> https://blog.algolia.com/when-solid-state-drives-are-not-that-solid/ .
>
>
>
> What about having *two SSD*:s in softraid RAID1, and as soon as any IO
> failure is found on either SSD, that one would be replaced?
>
> If the underlying read operations are made from both SSD:s each time and the
> machine has ECC RAM (??and UFS is checksummed enough??), then at least the
> OS would be able to detect corruption (??, fix anything??) and return proper
> read failures (or sigsegv) properly.

I'm afraid that as long as the SSD is not signalling any issue you may end
up with corrupted data in RAM, and even softraid RAID1 will not help
you. AFAIK FFS does not provide any checksumming support for user data,
so this is the same issue again. I've been tinkering with an idea to
enhance softraid RAID1 with checksumming support. Currently reading
papers and code to grasp some knowledge about the topic. The thread is
here: https://www.marc.info/?l=openbsd-tech&m=143447306012773&w=1 --
if you are quicker than me at implementing it, then great! I'll probably
switch to some other task in the OpenBSD domain. :-)

Cheers,
Karel



Re: Chromium in the latest snapshot packages

2015-06-25 Thread Christian Weisgerber
On 2015-06-22, Christian Weisgerber  wrote:

> The chromium build is very brittle and fails frequently in quasi-random
> ways.  During the latest amd64 snapshot build, chromium errored out
> twice, in slightly different ways.

I've uploaded new amd64 packages (Jun 25) that include chromium.
In fact, no packages at all should be missing.

However...

> It's typical for a few ports to fail during a snapshot build.
> Usually because of changes in the ports tree, sometimes because of
> changes in base, sometimes just because a particular port doesn't
> build reliably.

... this still holds true.  The next snapshot may again have some
holes.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: pf nat and routing question

2015-06-25 Thread Andy Lemin
> On 25 Jun 2015, at 15:46, Marko Cupać  wrote:
> 
> On Wed, 24 Jun 2015 08:17:15 -0400
> Michel Blais  wrote:
> 
>> The solution seem his explain on this link
>> 
>> ‎http://www.openbsd.org/faq/pf/rdr.html#reflect
> 
> On Thu, 25 Jun 2015 14:50:42 +0100
> Andy Lemin  wrote:
> 
>> Hi,
>> 
>> We do exactly the same thing for our wifi network. Users on wifi can
>> *only* use public IP addresses.
>> 
>> The solution is easy, you just have to consider where you do your
>> nat'ing;
> 
> Michel, Andy,
> 
> thank you for your suggestions.
> 
> I went for http://www.openbsd.org/faq/pf/rdr.html#tcpproxy
> 
> I'm satisfied with result.

Cool, but you are using a big hammer (not a sledge ;) for a nut.. And your CPU
knows the difference. If load is very small, then irrelevant.

> 
> Regards,
> -- 
> Marko Cupać
> https://www.mimar.rs/



out of memory and login.conf logging

2015-06-25 Thread nusenu
Hi,

would I see any log entries in /var/log/messages if the system runs
out of memory and kills a process or if a limit in /etc/login.conf has
been overstepped by a process?

(OpenBSD 5.7)

thanks,
nusenu



Re: nsd configuration problem

2015-06-25 Thread Patrik Lundin
On Thu, Jun 25, 2015 at 11:55:06AM +0100, Graham Stephens wrote:
> I haven't used dig before, I hope these are what you're after. They do show
> different results to nslookup. These are all taken from the local machine.
> 
> dig blahms01 and dig @127.0.0.1 blahms01 return:
> 
> ; <<>> DiG 9.4.2-P2 <<>> blahms01
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 36213
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;blahms01.IN  A
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jun 25 11:15:55 2015
> ;; MSG SIZE  rcvd: 26
> 

As you can see, the question you are asking the DNS server here is for
the domain "blahms01." which I am pretty sure you have not configured in
NSD, and this explains the REFUSED result.

dig(1) does not care about any "search" options in /etc/resolv.conf, it
will not try to create FQDNs out of the name you wrote.

> ---
> dig blahms01.domain.com and dig @127.0.0.1 blahms01.domain.com return:
> 
> ; <<>> DiG 9.4.2-P2 <<>> blahms01.domain.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53224
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;blahms01.domain.com. IN  A
> 
> ;; ANSWER SECTION:
> blahms01.domain.com. 21600IN  A   10.0.10.2
> 
> ;; AUTHORITY SECTION:
> domain.com.   21600   IN  NS  blahfw01.domain.com.
> 
> ;; ADDITIONAL SECTION:
> blahfw01.domain.com. 21600IN  A   127.0.0.1
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Jun 25 11:18:41 2015
> ;; MSG SIZE  rcvd: 97
> 

Here we can see that you have successfully queried NSD for
blahms01.domain.com. We can also see, as was shown with nslookup, the
warning about recursion: "recursion requested but not available".
This is normal, since NSD will only serve zones it is authoritative for.

This also means you would not query NSD for "openbsd.org", for
example, since NSD will not handle such a recursive query for you. For
this you need unbound.

-- 
Patrik Lundin



Re: nsd configuration problem

2015-06-25 Thread Patrik Lundin
On Thu, Jun 25, 2015 at 02:13:15PM +0100, Graham Stephens wrote:
> OK, it seems that when I skip-read the NSD/Unbound info I got them wrong.
> Unbound sounded like a DNS cache, and NSD, unsurprisingly, a name server.

They are both name servers, but NSD is only meant to serve information
authoritatively from zones it is in control of, while unbound is only
meant to serve information it fetches from other (authoritative) DNS
servers.

>
> When I looked it didn't strike me that Unbound was meant to serve the local
> domain's name server needs - the config file on the Calomel site seems
> awfully long just for a dozen machine names.
>

While local content can be served by unbound, it is not really what it
was meant for. What you can do is configure "stub-zone" in unbound,
pointing out a local nsd process as the target. This would then allow
you to keep local zones in a master zone format like BIND does.

>
> That example also uses FQDNs -
> I hope it will let me search for "anymachine" and not
> "anymachine.myoverlylongdomainname.com" (like that old-fashioned BIND does
> so well) ? ;)
> 

Being able to search for short names is not the job of a DNS server,
it is the job of your stub resolver library.

-- 
Patrik Lundin
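A worked configuration for the split mxb and Andrew describe (nsd on a localhost high port, unbound in front of it) using the stub-zone arrangement Patrik recommends. This is an added example, not anyone's posted config: the zone names, the 192.168.78.0/24 LAN, the interface addresses, the zone file paths and the OpenBSD locations of the two files (/var/nsd/etc/nsd.conf and /var/unbound/etc/unbound.conf) are assumptions for illustration.

```conf
## /var/nsd/etc/nsd.conf -- authoritative only, reachable from localhost on a high port
server:
	ip-address: 127.0.0.1
	port: 5353
	hide-version: yes

# zonefile paths are assumed; they are relative to nsd's zonesdir
zone:
	name: "homelan.com"
	zonefile: "master/homelan.com"

zone:
	name: "78.168.192.in-addr.arpa"
	zonefile: "master/78.168.192.in-addr.arpa"

## /var/unbound/etc/unbound.conf -- recursive resolver for the LAN that hands the local zones to nsd
server:
	# 192.168.78.1 is the assumed LAN address of this box
	interface: 127.0.0.1
	interface: 192.168.78.1
	access-control: 127.0.0.0/8 allow
	access-control: 192.168.78.0/24 allow
	# never an open resolver
	access-control: 0.0.0.0/0 refuse

	# unbound refuses to send queries to 127.0.0.0/8 by default, and nsd lives there
	do-not-query-localhost: no

	# if RFC 1918 ranges are listed under private-address (rebinding
	# protection), this lets homelan.com answers still carry them
	private-domain: "homelan.com"

	# unbound answers the RFC 1918 reverse ranges itself (NXDOMAIN) by
	# default; a more specific transparent zone lets this /24 fall
	# through to the stub-zone below instead
	local-zone: "78.168.192.in-addr.arpa." transparent

# stub-zone rather than forward-zone: nsd is authoritative and will not recurse
stub-zone:
	name: "homelan.com"
	stub-addr: 127.0.0.1@5353

stub-zone:
	name: "78.168.192.in-addr.arpa"
	stub-addr: 127.0.0.1@5353
```

Check both files with nsd-checkconf and unbound-checkconf before starting the daemons. Then `dig +norecurse -p 5353 @127.0.0.1 host.homelan.com` should answer with the aa flag set (nsd), and `dig @127.0.0.1 host.homelan.com` should return the same data with ra set (unbound). A SERVFAIL on the second query usually means do-not-query-localhost is still at its default; an NXDOMAIN for the reverse zone usually means the transparent local-zone line is missing.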



Re: pf nat and routing question

2015-06-25 Thread Marko Cupać
On Wed, 24 Jun 2015 08:17:15 -0400
Michel Blais  wrote:

> The solution seems to be explained on this link
> 
> http://www.openbsd.org/faq/pf/rdr.html#reflect

On Thu, 25 Jun 2015 14:50:42 +0100
Andy Lemin  wrote:

> Hi,
> 
> We do exactly the same thing for our wifi network. Users on wifi can
> *only* use public IP addresses.
> 
> The solution is easy, you just have to consider where you do your
> nat'ing;

Michel, Andy,

thank you for your suggestions.

I went for http://www.openbsd.org/faq/pf/rdr.html#tcpproxy

I'm satisfied with result.

Regards,
-- 
Marko Cupać
https://www.mimar.rs/



Re: pf nat and routing question

2015-06-25 Thread Andy Lemin
Hi,

We do exactly the same thing for our wifi network. Users on wifi can *only*
use public IP addresses.

The solution is easy, you just have to consider where you do your nat'ing;

You can't do binat-to, so you will need nat-to and rdr-to rules to make it
work.

E.g. The following line translates the public IP to the internal IP regardless
of whether the connection "ingresses" the firewall from the outside web, or
from your internal wifi network:
match in proto tcp from any to { $ext_ip_rc5 } port { https } rdr-to $int_ip_lard

But the nat-to is only needed on the outside interface
match out on { $if_ext } from { $int_ip_lard } to any nat-to $ext_ip_rc5

And so you will need three rules..

Ingress pass rule on the external interface, another ingress pass rule on the
wifi interface, and an egress pass rule on the DMZ interface where the server
is.

If the internal server is on the same LAN as the internal clients that *have
to use the public IP address, then an extra nat-to rule is needed.

Keep the same ingress rdr-to rule to translate the public to the private, but
you will also need an extra nat-to rule as the packet egresses the firewall to
make all connections look like they have come from the firewall.
This ensures that when the server replies, it replies back to the firewall, which
then replies back to the internal client.

Without this rule the internal server would just reply to the internal client
directly, meaning the firewall only sees the forward traffic and won't be able
to update its states properly and things won't work.

PS; Make sure to be careful about what internal firewall IP you NAT to, and you
need to remember that this limits the number of connections to the internal
server, as everyone (from internal) will appear to come from the firewall
which has a limited number of source ports...

EG; This ensures that if a firewall failover happens (with CARP) that all still
works :)
pass out on $if_lan from ($if_lan:network) to $server nat-to (carp1)

Hope this helps. A


> On 24 Jun 2015, at 12:16, Marko Cupać  wrote:
>
> Hi,
>
> my setup is actually more complicated, but for purpose of this mail I
> am going to try and keep it simple.
>
> My firewall redirects requests to some service from the Internet to
> server on private network:
>
> pass in on $ext_if inet proto tcp from any to $srv-pub port $service rdr-to $srv-priv
>
> Internet hosts can access service without problem via its public IP
> address.
>
> Clients on internal network can access service without problem via its
> private IP address.
>
> Now, I have some clients on internal network who are forbidden
> communication with private address space, so they need to access
> service via its public IP address. Unfortunately this does not work.
>
> Hopefully someone already had this problem and will be able to point me
> in the right direction.
>
> Regards,
> --
> Marko Cupać
> https://www.mimar.rs/
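
The rule set Andy describes above, written out as one complete pf.conf fragment. This is an added example and not Andy's or Marko's configuration: the interface names, macros and addresses are constructed placeholders (203.0.113.0/24 is the documentation range standing in for the public address), the tag-based pass rules are my way of spelling out his "three rules", and the commented variant at the end follows his last line for a server on the same LAN as the clients.

```conf
# Constructed example: public address reflected to a DMZ server from both
# the Internet and the wifi network that may only use public addresses.
if_ext  = "em0"              # Internet-facing interface
if_wifi = "em1"              # wifi clients, public addresses only
if_dmz  = "em2"              # DMZ holding the server
ext_ip  = "203.0.113.10"     # placeholder public address
srv_ip  = "10.0.3.10"        # placeholder server address in the DMZ

# 1. Translate the public address to the server regardless of the interface
#    the connection enters on. The tag marks the connection for the pass rules.
match in proto tcp from any to $ext_ip port https rdr-to $srv_ip tag REFLECT

# 2. Source NAT is needed only for traffic leaving on the external interface;
#    replies to wifi clients go back out $if_wifi and keep their addresses.
match out on $if_ext from $srv_ip to any nat-to $ext_ip

# 3. The three pass rules: ingress on the external and wifi interfaces,
#    egress on the DMZ interface. Matching on the tag keeps the rules
#    identical whichever destination address the packet carries here.
pass in  on $if_ext  proto tcp tagged REFLECT
pass in  on $if_wifi proto tcp tagged REFLECT
pass out on $if_dmz  proto tcp tagged REFLECT

# Variant: server on the same LAN ($if_lan) as the clients that must use the
# public address. Replace the DMZ egress rule with one that also rewrites the
# source to the firewall's LAN address, so the server answers via the firewall
# and the state sees both directions. A CARP address, e.g. (carp1), keeps this
# working across a failover.
# if_lan = "em3"
# pass out on $if_lan proto tcp from ($if_lan:network) to $srv_ip port https \
#     tagged REFLECT nat-to ($if_lan)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it. The same-LAN variant inherits the caveat from the post: every internal client appears to the server as the firewall's address, so the firewall's source-port range caps the number of concurrent connections to that server.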



Re: PF Packet Flow Diagram

2015-06-25 Thread Jiri B
> > IIRC pf packet flow is also influenced by routing which is done
> > before pf. That's why local sourced traffic for remote destination
> > cannot be redirected back to local host.
> 
> Could you help me understand this a little better? How do you mean traffic
> locally originated by the firewall cannot be redirected?
> 
> I understand FIB routing is only done after ingress processing (if no
> "route-to" is found on a matching inbound direction route).

http://comments.gmane.org/gmane.os.openbsd.misc/183179

j.



Re: nsd configuration problem

2015-06-25 Thread David Dahlberg
On Thursday, 25.06.2015, 11:42 +0100, Graham Stephens wrote:

> I'm trying to replace several boxes (firewall, file server, mail
> server) 
> with one virtualized one. [..]

So actually you do not want to serve names of a domain (say
"thestephensdomain.com") to the Internet, but you want the OpenBSD box
to resolve names on behalf of its clients in the LAN.
Short answer: Do not use NSD, use unbound.

> ifconfig lo: [..]

I requested this information, because of your queries being resolved
sometimes, sometimes not. Just wanted to be sure that there are not
multiple kinds of DNS servers running on multiple lo interfaces.


> resolv.conf (no .tail):
> 
> lookup bind files
> search domain.com
> nameserver 127.0.0.1
> nameserver 208.67.222.222

This explains why a local lookup without specifying the resolver's name
works: nslookup will use the NSD first, NSD will return "forbidden",
nslookup will then proceed to 208.67.222.222 which gives you the
expected answer.


David



Re: "when SSDs are not so solid" or why no TRIM support can be a good thing :)

2015-06-25 Thread Mikael
For having a *guaranteedly intact* storage, what is the way then?

This is with the background of recent discussions that touched on
https://www.usenix.org/legacy/events/fast08/tech/full_papers/bairavasundaram/bairavasundaram_html/index.html
and https://blog.algolia.com/when-solid-state-drives-are-not-that-solid/ .



What about having *two SSD*:s in softraid RAID1, and as soon as any IO
failure is found on either SSD, that one would be replaced?

If the underlying read operations are made from both SSD:s each time and
the machine has ECC RAM (??and UFS is checksummed enough??), then at least
the OS would be able to detect corruption (??, fix anything??) and return
proper read failures (or sigsegv) properly.

Mikael

2015-06-18 16:23 GMT+07:00 Karel Gardas :

> On Thu, Jun 18, 2015 at 9:08 AM, David Dahlberg
>  wrote:
> > On Thursday, 18.06.2015, 02:15 +0530, Mikael wrote:
> >
> >> 2015-06-18 2:07 GMT+05:30 Gareth Nelson :
> >> No I meant, you plug in a 2TB SSD and a 2TB magnet HD, is there any way
> to
> >> make them properly mirror each other [so the SSD performance is
> delivered
> >> while the magnet disk safeguards contents] - would you use softraid
> here?
> >
> > No. If you use a RAID1, you'll get the performance of the worse of both
> > disks. To support multiple disks with different characteristics and to
> > get the most out of it was AFAIK one of motivations for Matthew Dillon
> > to write HAMMER.
> >
>
> I'm not sure about RAID1 in general, but I'm reading softraid code
> recently and based on it I would claim that you get write performance
> of the slowest drive (assuming OpenBSD schedule writes to different
> drives in parallel), but read performance slightly higher than slower
> drive since the read is done in round-robin fashion hence SSD will
> speed it a little bit.
>
> Anyway, the interesting question is if it makes sense to balance this
> interleaving reading based on actual drive performance. AFAIK this
> should be possible, but IMHO it'll not be that reliable, i.e. it'll
> not provide that much of added reliability. Since reliability is my
> concern, I'm more looking forward to see kind of virtual drive with
> implemented block checksumming in OpenBSD, that IMHO will provide some
> added reliability when run for example in RAID1 setup.
>
> Karel



Re: PF Packet Flow Diagram

2015-06-25 Thread Andy Lemin
Hi,

> On 25 Jun 2015, at 10:31, Jiri B  wrote:
>
> On Thu, Jun 25, 2015 at 10:15:08AM +0100, Andy Lemin wrote:
>> Surprised I've not had any replies for this?
>> http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg
>> 
>>
>> I copied this from a diagram I found some years ago which has been photocopied
>> a few times and is now intelligible, so thought I'd quickly re-do it.
>>
>> I can't believe nothing has changed in 5 years (I think that's when the
>> original I saw was dated).
>>
>> Anyway, I try and message Henning directly and get his thoughts, and I'll post
>> back here once it's got his approval.
>>
>> Cheers, Andy.
>
> IIRC pf packet flow is also influenced by routing which is done
> before pf. That's why local sourced traffic for remote destination
> cannot be redirected back to local host.

Could you help me understand this a little better? How do you mean traffic
locally originated by the firewall cannot be redirected?

I understand FIB routing is only done after ingress processing (if no
"route-to" is found on a matching inbound direction route).

>
> If you would get more info and incorporate routing factor into diagram
> it would be great ;)

I know! :) It would be great if this was as complete as possible as it would
be really helpful to both those just starting out and the more experienced
alike.

I would also like to understand the processing for virtual interfaces? I.e.
should there be a separate Egress Processing chain for "enc0"?

Also is policy based routing (created by IPSec encX tunnels) processed before
and/or independently from "rdomain" routing?

I also don't know how packet Labels and Tags are processed?

I've done a little more to it;
http://s27.postimg.org/4ul9nayvn/Open_BSDPFPacket_Flow.jpg

>
> j.



Re: Is PFSync over IPSec still broken?

2015-06-25 Thread Jason McIntyre
On Sun, Jun 21, 2015 at 03:20:34PM +0200, Łukasz Czarniecki wrote:
> On 2015-06-18 at 17:30, Łukasz Czarniecki wrote:
> >> It's still broken because as mentioned at the end of the thread you
> >> linked IPsec state gets replicated to the peer and this is causing
> >> the "replayed" packets you're seeing. The peer already has IPsec state
> >> in memory (created by pfsync replication) which matches incoming IPsec
> >> packets directed at it. So the peer's IPsec stack ends up believing it's
> >> seen the incoming packet already (while it actually hasn't seen the packet,
> >> it just copied the IPsec state from the sender) and drops the packet.
> >>
> >> No good fix is known as of yet. I've given up on it for now.
> >>
> > 
> > Please fix this bug or remove this example from documentation.
> > For me this setup is broken since 2011.
> > http://marc.info/?l=openbsd-misc&m=130624207811609&w=2
> > 
> > Nobody cares or nobody uses?
> 

i've just committed something similar to the diff below, though i
commented out text rather than removing it.

thanks for the diff,
jmc

> # diff -u -p /usr/src/share/man/man4/pfsync.4 ./pfsync.4
> --- /usr/src/share/man/man4/pfsync.4Sun Feb  1 09:33:48 2015
> +++ ./pfsync.4  Sun Jun 21 15:14:00 2015
> @@ -112,24 +112,13 @@ An alternative destination address for
>  packets can be specified using the
>  .Ic syncpeer
>  keyword.
> -This can be used in combination with
> -.Xr ipsec 4
> -to protect the synchronisation traffic.
> -In such a configuration, the syncdev should be set to the
> -.Xr enc 4
> -interface, as this is where the traffic arrives when it is decapsulated,
> -e.g.:
> -.Bd -literal -offset indent
> -# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
>  .Ed
>  .Pp
>  It is important that the pfsync traffic be well secured
>  as there is no authentication on the protocol and it would
>  be trivial to spoof packets which create states, bypassing the pf ruleset.
> -Either run the pfsync protocol on a trusted network \- ideally a network
> -dedicated to pfsync messages such as a crossover cable between two
> firewalls,
> -or specify a peer address and protect the traffic with
> -.Xr ipsec 4 .
> +Run the pfsync protocol on a trusted network \- ideally a network
> +dedicated to pfsync messages such as a crossover cable between two
> firewalls.
>  .Sh EXAMPLES
>  .Nm
>  and
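Review bot: Removing `-.Bd -literal -offset indent` together with the `# ifconfig pfsync0 ...` line while the following ` .Ed` stays as unchanged context leaves an `.Ed` with no open `.Bd`, which mandoc flags as an unmatched block end; drop the `.Ed` line in this hunk as well. Separately, the lines reading `firewalls,` and `firewalls.` carry no leading `-`/`+` because the mail client wrapped them, so the hunk as quoted will not apply with patch(1); rejoin them to the preceding `dedicated to pfsync messages such as a crossover cable between two` lines before committing.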
> @@ -219,10 +208,8 @@ net.inet.carp.preempt=1
>  .Sh SEE ALSO
>  .Xr bpf 4 ,
>  .Xr carp 4 ,
> -.Xr enc 4 ,
>  .Xr inet 4 ,
>  .Xr inet6 4 ,
> -.Xr ipsec 4 ,
>  .Xr netintro 4 ,
>  .Xr pf 4 ,
>  .Xr hostname.if 5 ,
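Review bot: Dropping `.Xr ipsec 4 ,` from SEE ALSO while the BUGS section added in the last hunk still talks about IPsec tunnels leaves that statement without a cross reference; keep `.Xr ipsec 4 ,` here. Removing `.Xr enc 4 ,` is fine since the enc0 example is gone from the page.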
> @@ -244,3 +231,8 @@ protocol and kernel implementation were significantly
>  and
>  .Ox 4.5 .
>  The two protocols are incompatible and will not interoperate.
> +.Sh BUGS
> +The
> +.Nm
> +protocol does not work over IPsec tunnels.
> +
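Review bot: The final `+` line adds an empty line at end of file; mandoc treats a blank line in fill mode as `.sp` and warns about it, so leave it out. The BUGS text could also carry the one-line reason given earlier in this thread (pfsync replicates the IPsec state to the peer, which then treats the sender's packets as replays and drops them), so that readers learn what fails rather than only that it does.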



Re: Any books about OpenBSD ARM programming?

2015-06-25 Thread Mike Burns
On 2015-06-25 09.39.23 +0530, Hrishikesh Muruk wrote:
> Is there a way to see all of the pages in section 9 using man.cgi (or man)?

I had done this; perhaps there is a better way, but I don't know it:

$ apropos -s 9 *



Re: PF Packet Flow Diagram

2015-06-25 Thread Jiri B
On Thu, Jun 25, 2015 at 10:15:08AM +0100, Andy Lemin wrote:
> Surprised I've not had any replies for this?
> http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg
> 
> 
> I copied this from a diagram I found some years ago which has been photocopied
> a few times and is now intelligible, so thought I'd quickly re-do it.
> 
> I can't believe nothing has changed in 5 years (I think that's when the
> original I saw was dated).
> 
> Anyway, I try and message Henning directly and get his thoughts, and I'll post
> back here once it's got his approval.
> 
> Cheers, Andy.

IIRC pf packet flow is also influenced by routing which is done
before pf. That's why local sourced traffic for remote destination
cannot be redirected back to local host.

If you would get more info and incorporate routing factor into diagram
it would be great ;)

j.



Re: PF Packet Flow Diagram

2015-06-25 Thread Andy Lemin
Surprised I've not had any replies for this?
http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg


I copied this from a diagram I found some years ago which has been photocopied
a few times and is now intelligible, so thought I'd quickly re-do it.

I can't believe nothing has changed in 5 years (I think that's when the
original I saw was dated).

Anyway, I try and message Henning directly and get his thoughts, and I'll post
back here once it's got his approval.

Cheers, Andy.


> On 23 Jun 2015, at 14:27, Andy Lemin  wrote:
>
> Haha, Oops! thanks Doug..
>
> Here it is instead..
>
> http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

>
> Cheers, Andy.
>
>
>> On 23 Jun 2015, at 14:13, Doug Hogan mailto:d...@acyclic.org>> wrote:
>>
>> On Tue, Jun 23, 2015 at 11:56:17AM +0100, Andy Lemin wrote:
>>> I was updating an old copy of the PF flow diagram I had lying around and
>>> thought I'd post here quickly for comments / additions / corrections?
>>>
>>> Would be nice to update this and make it comprehensive as possible.
>>>
>>> [demime 1.01d removed an attachment of type application/pdf which had a
name of OpenBSDPFPacketFlow.pdf]
>>> [demime 1.01d removed an attachment of type image/jpeg which had a name of
OpenBSDPFPacketFlow.jpeg]
>>
>> The attachments were stripped when sent to the list.



Re: beaglebone rj45 cape

2015-06-25 Thread Stuart Henderson
On 2015-06-24, Richo Healey  wrote:
> On 25/06/15 00:18 +0200, Martijn van Duren wrote:
>>Hello misc@,
>>
>>I'm currently looking into a managed switch for my home and I would
>>like to achieve this with OpenBSD's bridge(4) option and pf. The
>>throughput shouldn't be too high (at most some video streaming to my
>>tv and "generic" websurfing) and preferably with low power usage.
>>
>>I found the following board which at first glance seems to do exactly
>>what I need [1].
>>What I would like to know if there's a good chance (or even a
>>guarantee) that it would work with OpenBSD, before I spend my hard
>>earned money on it.
>>If it is expected not to work, would there be an alternative (12 ports
>>plus would be preferred) that would work?
>>
>>Sincerely,
>>
>>Martijn van Duren
>>
>>[1] http://rgb-123.com/product/beaglebone-black-rj45-cape/
>>
>
> It appears that this device is for controlling LEDs, and speaks RS-485. From
> my quick read it doesn't appear to know anything about ethernet.
>

Also you are not going to be happy using a BBB with bridge(4) as
an alternative to a switch...



Re: Fwd: Re: Q: Assistance with pf.conf rules

2015-06-25 Thread Stuart Henderson
On 2015-06-24, John Nyhuis  wrote:
> bond0 is a virtual interface that consists of two LACP bonded NICs.

This doesn't sound like OpenBSD...



Re: Any books about OpenBSD ARM programming?

2015-06-25 Thread David Dahlberg
On Wednesday, 24.06.2015, 17:26 +0200, Piotr Kubaj wrote:

> I want to install OpenBSD on my BeagleBone Black and write some 
> simple
> programs using I/O pins. Are there any tutorials on this?

Additionally to what the others did say, you probably should have a
look into the (code of the) gpioctl tool, as this is basically a minimal
wrapper for the functionality that you're intending to use.

David



Re: nsd configuration problem

2015-06-25 Thread David Dahlberg
On Wednesday, 24.06.2015, 18:02 +0100, Graham Stephens wrote:
> I've tried to set up nsd on 5.7 x64 and it's not working as it 
> should, 
> but I'm lost as to where to look to correct the issue. I was hoping 
> for 
> some pointers. :)

Okay. First of all, I hope you are aware of the difference between an
authoritative name server and a (recursive) resolver? NSD is an
authoritative name server. 

> Starting nsd causes three processes to start - is this normal?

It is.

> If I use "nslookup blahname 127.0.0.1" from the local host, I get a 
> response as expected.

I do not really know the nslookup tool. What are the contents of
"/etc/resolv.conf[.tail]", what are the results of "ifconfig lo" and
"netstat -anf inet[6]"?


> Just using "nslookup blahname" gives an error of:
> ";; Got recursion not available from 127.0.0.1, trying next server".
> 
>  From another machine on the lan, using "nslookup blahname" returns:
> 
> "Server: blahname2.domain.com
>   Address: 10.0.2.1
> 
> *** blahname2.domain.com can't find blahname: Query refused"

Both results look the same (although probably generated by a different
tool?) and tell you that recursion is not allowed.

> Any ideas what the issue(s) might be?

If you would please elaborate a bit about your setup and what you're
intending to achieve, then I would probably tell you that you should
use unbound (a resolver) instead of NSD (an authoritative name server).

David