Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On 2015-07-27, Quartz qua...@sneakertech.com wrote:

> Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was theoretically possible for an attacker to exploit bugs in the card's chip to short circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit.

Those are not realistic concerns.

-- 
Christian "naddy" Weisgerber na...@mips.inka.de
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
> > turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure
>
> A Lanner FW7525 or even an Alix APU don't seem to be much larger...

They're not, but they also lack a bunch of features we need.

This is a little off-topic, but I should clarify that although this device's primary purpose is a firewall+router, it also has to provide a handful of other network related services that set a few requirements vis-à-vis hardware. Pre-fab appliance type devices always seem to fail at least one of these requirements. They also don't address the separate NICs issue, so if it turns out that that's not a problem anyway, a mini-itx board would be a much better choice for our situation.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 12:46 PM, Quartz qua...@sneakertech.com wrote:

> Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was theoretically possible for an attacker to exploit bugs in the card's chip to short circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit.
>
> I swear I read this somewhere on the website, but I can't seem to find it now and I'm wondering if the concept is even still valid.
>
> The impetus here is that I'm building a router+firewall for a cramped location and it's turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure if that's a good idea, security wise. Any thoughts?

It is certainly possible theoretically, but you'll have to go to very great lengths to imagine a scenario where a remote attacker could exploit such a flaw. It's next to impossible to identify the make and model of the NIC that holds an IP address (if it is even directly bound to a NIC; CARP and other similar technologies get in the way if used), so the attacker would first have to acquire this information through other means.

-Kimmo
Re: dhclient.conf alias declarations?
On Mon, Jul 27, 2015 at 01:34:09PM +0300, Kimmo Paasiala wrote:

> ...I can live without the alias address, it would have been a convenient way to access the ADSL modem on the WAN side from inside the LAN network.

Perhaps you could add an ifconfig(8) command to rc.local(8) to set the alias.

Or, you might be able to do what you desire with isc-dhcp-client.
amd(8) - am-utils code transition (or am-utils new port)?
Dear misc@ readers,

Some weeks ago I realized that OpenBSD amd(8) lacks NFSv3 support (see [1], [2]), which could increasingly become a serious limitation when the dimension of shared files exceeds the 2GB limit. Considering that the patch in [2] isn't working for me (maybe the OpenBSD NFS server requires a proper treatment of the mount protocol version on the client side, as suggested by Philip Guenther?), I started working on a more complete patch, starting from FreeBSD's amd(8), but without luck, since the code bases diverge significantly (and, most important, I'm definitely not an expert programmer...)

So I tried to use the am-utils ([3]) latest version (6.2) and I noticed that, apart from a minor modification to the OpenBSD-specific configuration (which could be discussed with the author), it compiles flawlessly and works as expected (in order to tackle the command name conflicts, I'm temporarily renaming amd/amq in base, and starting the daemon through rc.local).

I'm just wondering if:

1) there is a specific reason why the am-utils code is not imported into the base system, or it is only due to lack of devs' interest / manpower;

2) building a port might be a solution (I could try to work on that, just give me some hints on the cleanest way to avoid the command name conflict).

Any feedback/hints are welcome, of course! Thanks in advance for your time.

[1] http://marc.info/?l=openbsd-misc&m=143480317120952&w=2
[2] http://marc.info/?l=openbsd-bugs&m=142049488315510&w=2
[3] http://www.am-utils.org/

-- 
Alessandro DE LAURENZIS [mailto:just22@gmail.com]
LinkedIn: http://it.linkedin.com/in/delaurenzis
Re: Update to /etc/services
> BTW your diff was line-wrapped, and the BFD entries used spaces instead of tabs, so I hand applied it.

Thank you. Sorry for the BFD entries, I copied/pasted from the IANA document and missed that.

BTW, what is the preferred way to send a diff with lines longer than 80 characters? I use mutt, should I remove "set wrap" from my vi configuration?

Denis
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
2015-07-27 11:46 GMT+02:00 Quartz qua...@sneakertech.com:

> turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure

A Lanner FW7525 or even an Alix APU don't seem to be much larger...

Best
Martin
Re: dhcpd.interfaces question
So if I want to have a vlan interface providing dhcp I need to put dhcpd_flags=vlanXX in rc.conf.local?

regards
Markus

On 27.07.2015 at 14:09, Jiri B wrote:

> On Mon, Jul 27, 2015 at 02:02:45PM +0200, Markus Rosjat wrote:
>
> > Hi there, I just want to setup a dhcp for a Vlan on a openbsd 5.5 box and somehow I can't find the dhcpd.interfaces file. Is there a change in the configuration since 5.x? On a 4.9 installation I still have this file.
>
> No idea but putting interface name in 'dhcpd_flags' is the way to go.
>
> j.

-- 
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de    fon: +49 351 8107220    fax: +49 351 8107227

Please check whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
Though, of course, if you have been actively developing your system, or if you have already been subject to other root attempts, a root attempt runs a significant risk of crashing it. (And if you have been developing a lot, there's a decent chance you'll have already crashed it so many times that you will not be able to distinguish the root attempt from your own work. Or, maybe you will - it depends on the nature of the update.)

-- 
Raul

On Mon, Jul 27, 2015 at 9:52 AM, Joseph Crivello josephcrive...@gmail.com wrote:

> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.
dhcpd.interfaces question
Hi there,

I just want to setup a dhcp for a Vlan on a openbsd 5.5 box and somehow I can't find the dhcpd.interfaces file. Is there a change in the configuration since 5.x? On a 4.9 installation I still have this file.

Regards

-- 
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de    fon: +49 351 8107220    fax: +49 351 8107227
Re: dhcpd.interfaces question
On Mon, Jul 27, 2015 at 02:02:45PM +0200, Markus Rosjat wrote:

> Hi there, I just want to setup a dhcp for a Vlan on a openbsd 5.5 box and somehow I can't find the dhcpd.interfaces file. Is there a change in the configuration since 5.x? On a 4.9 installation I still have this file.

No idea but putting interface name in 'dhcpd_flags' is the way to go.

j.
Re: dhclient.conf alias declarations?
> > ...I can live without the alias address, it would have been a convenient way to access the ADSL modem on the WAN side from inside the LAN network.
>
> Perhaps you could add an ifconfig(8) command to rc.local(8) to set the alias.

As previously said, any ifconfig aliasing command removes the DHCP-obtained configuration, which breaks the expected address reception from the DHCP server. Currently at the moment it's either DHCP or have an alias, or it is not documented / known to me how to solve it.

Please consider this real scenario. Sometimes it's not possible to reach the modem if it uses the so-called IP extension to pass the external IP by DHCP (in the modem) to the OpenBSD box external interface. In this case, not having the option to manually add the alias declaration in the hostname.if leaves you without connection to the modem LAN interface. This is a deal breaker, as not being able to control the modem you lose chances of resetting it when it stops passing traffic, monitor stats, logs etc.

Not to mention the fact that it was not within reach how to set a default gateway on the OpenBSD box assigned by the ISP as a static route upon DHCP reception of the external IP so that the OpenBSD box would be able to access the Internet. The gateway is a different IP with each lease and is not in the DHCP address space, so it requires manual addition of the route to be able to reach it via the modem. This was the second show stopper and I had to rest the case. If anyone had the same issue, please advise if it has a solution.

This led to abandoning the passing of the external IP address (IP extension) to the OpenBSD system and forced use of the NAT in the modem, which is flawed anyway and can't handle that many connections due to its limited resources.

So, sometimes the fact you can't use DHCP with aliasing another IP is not that easy to live with. One could imagine more use cases when DHCP and aliasing an IP is required. Please can someone say if this is possible to achieve using base dhclient?

> Or, you might be able to do what you desire with isc-dhcp-client.

That's not nice to handle, and creates another set of problems. This does not solve the need to have an alias capability after / with dhclient in base.
Re: rdomain with BGP dynamic route
Hello,

I think this is what I tried a while ago, which is not possible.
Cf. http://openbsd-archive.7691.n7.nabble.com/Multi-VRF-bgpd-no-MPLS-td248639.html

bgpd.conf(5) says: "Currently the routing table must belong to the default routing domain"

-- 
Regards,
Pierre BARDOU

-----Original Message-----
From: XU, YANG (YANG) [mailto:y...@research.att.com]
Sent: Sunday, 26 July 2015 14:28
To: misc@openbsd.org
Subject: Re: rdomain with BGP dynamic route

> Thanks for the info. I read the rdomain configuration section. My problem is how to put prefix learned dynamically from a BGP neighbor to a specific rdomain (not default rdomain 0). Sadly, I still don't know if that's possible.
>
> Regards,
> -Yang
>
> From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Alexander Salmin [alexan...@salmin.biz]
> Sent: 25 July 2015 17:36
> To: misc@openbsd.org
> Subject: Re: rdomain with BGP dynamic route
>
> > Hey, man 5 bgpd.conf
> >
> > See section "Routing Domain Configuration" and parameters export-target and import-target. I suspect that is what you want.
> >
> > Alexander Salmin
> >
> > On 2015-07-24 13:47, XU, YANG (YANG) wrote:
> >
> > > Let me describe it in another way. Can I create a new rdomain as a VRF and use the rdomain to import/export customer's prefix through BGP? I will greatly appreciate it if you can provide any information. I have seen some information online, but prefix is either from static configuration or connected network. In my case, I need to support dynamic routes from BGP in VRF.
> > >
> > > Thanks,
> > > -Yang
> > >
> > > From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of XU, YANG (YANG)
> > > Sent: 23 July 2015 08:06
> > > To: misc@openbsd.org
> > > Subject: rdomain with BGP dynamic route
> > >
> > > > Hi all, I am configuring OpenBSD bgpd so that it can relay the routes learned from customer BGP servers to a route reflector (RR). Customer BGP servers only speak IPv4 BGP, so my OpenBSD bgpd needs to add different route-distinguisher and route-target to the dynamic routes learned from each customer BGP neighbor before forwarding to RR.
> > > >
> > > > As I understand, I should be able to use rdomain to implement this. What I really need conceptually is to attach a BGP neighbor to a rdomain, so that dynamic routes learned from that BGP neighbor are added to the specified rdomain. But I failed to find a way to do this in OpenBSD. Does anyone know if this is possible and give me an BGP configure example?
> > > >
> > > > Many thanks in advance,
> > > > -Yang
Re: doas.conf: omitting [as root] allows me to run a command as everybody?
On Mon, Jul 27, 2015 at 03:13:55PM +0200, Marc Espie wrote:

> On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote:
>
> > So omitting [as identity] allows me to run as every user, not just as root? Is this intentional?
>
> I think it's intentional. It's definitely what I would expect: [as identity] is a restrictive modifier. If you want to only be able to run as root, you write "as root".

Ok thanks, this makes sense, but it is not quite clear (to me) from the docs that this is a restrictive quantifier. The bit I quoted from the man page on "as target" says "The default is root.", not "root and everybody else". (Sorry, I should have written "as target", not "as identity" in my mail.)

> How would you phrase things if it wasn't the case?..

As indicated above I would probably write something like "as root and every other user" instead of simply "as root".
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber na...@mips.inka.de wrote:

> On 2015-07-27, Quartz qua...@sneakertech.com wrote:
>
> > Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was theoretically possible for an attacker to exploit bugs in the card's chip to short circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit.
>
> Those are not realistic concerns.

Intel 82574L "packet of death" comes to mind as one example of a bug in the EEPROM that allowed an attacker to bring down an interface:
http://blog.krisk.org/2013/02/packets-of-death.html

These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off. Who knows what other bugs in such functionality will be discovered in the future?

Having said that, just throwing random chipsets into the mix is probably not the right solution. You may actually be increasing your attack surface. If this is a real concern for you, I think multiple firewalls, one behind the other (and using different chipsets, if you really want to), is a better way to go.
doas.conf: omitting [as root] allows me to run a command as everybody?
I'm not sure whether this is a misunderstanding on my side or a bug. Suppose I have the following /etc/doas.conf

$ cat /etc/doas.conf
permit nopass theo cmd /usr/bin/touch args /tmp/doastest/foo

I would expect from the excerpt

    as target
        The target user the running user is allowed to run the command as. The default is root.

from doas.conf(5) that I can run

$ /usr/bin/doas /usr/bin/touch /tmp/doastest/foo

and maybe

$ /usr/bin/doas -u root /usr/bin/touch /tmp/doastest/foo

However, I have another user

$ user info builder
login   builder
passwd  *
uid     1005
groups  builder wheel wsrc
change  NEVER
class   pbuild
gecos   builder
dir     /nonexistent
shell   /sbin/nologin
expire  NEVER

And doing the following experiment yielded an unexpected result:

$ pwd
/tmp/doastest
$ ls -al
total 8
drwxrwxrwx   2 theo  wheel   512 Jul 27 14:38 .
drwxrwxrwt  10 root  wheel  1024 Jul 27 14:30 ..
$ /usr/bin/doas -u builder /usr/bin/touch /tmp/doastest/foo
1832 14:35 doastest $ ls -l
total 0
-rw-r--r--  1 builder  wheel  0 Jul 27 14:35 foo
$

So omitting [as identity] allows me to run as every user, not just as root? Is this intentional?
Re: dhcpd.interfaces question
That is correct -- I use the same configuration. If there are multiple VLAN (or other) interfaces, separate them with a space.

Sent from my iPhone

On Jul 27, 2015, at 5:28 AM, Markus Rosjat ros...@ghweb.de wrote:

> So if I want to have a vlan interface providing dhcp I need to put dhcpd_flags=vlanXX in rc.conf.local?
>
> regards
> Markus
>
> On 27.07.2015 at 14:09, Jiri B wrote:
>
> > On Mon, Jul 27, 2015 at 02:02:45PM +0200, Markus Rosjat wrote:
> >
> > > Hi there, I just want to setup a dhcp for a Vlan on a openbsd 5.5 box and somehow I can't find the dhcpd.interfaces file. Is there a change in the configuration since 5.x? On a 4.9 installation I still have this file.
> >
> > No idea but putting interface name in 'dhcpd_flags' is the way to go.
> >
> > j.
Re: doas.conf: omitting [as root] allows me to run a command as everybody?
On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote:

> So omitting [as identity] allows me to run as every user, not just as root? Is this intentional?

I think it's intentional. It's definitely what I would expect: [as identity] is a restrictive modifier. If you want to only be able to run as root, you write "as root".

How would you phrase things if it wasn't the case?..
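The two doas.conf variants discussed in this thread, side by side, as an added illustration for this page (not a file posted by Theo or Marc; the user name and path are taken from Theo's mail, the rest is constructed):

```conf
# Added illustration for this page, not a file posted in the thread.
# doas.conf(5) rules are evaluated top to bottom and the LAST matching
# rule wins, so the two variants below belong in separate files; they
# are shown together only for comparison.

# Variant A: the rule as posted. There is no "as" clause, so the target
# user is unrestricted: "doas -u builder /usr/bin/touch /tmp/doastest/foo"
# matches and is permitted, not only "doas /usr/bin/touch /tmp/doastest/foo".
permit nopass theo cmd /usr/bin/touch args /tmp/doastest/foo

# Variant B: the restricted form Marc describes. "as root" limits the
# target user, so "doas -u builder ..." matches no rule and is denied,
# while "doas /usr/bin/touch /tmp/doastest/foo" (target root) still works.
permit nopass theo as root cmd /usr/bin/touch args /tmp/doastest/foo
```

When auditing a doas.conf, treat every permit rule without an "as" clause as granting the command for any target user, and check that the command and args clauses are tight enough for that to be acceptable.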
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
> It is certainly possible theoretically but you'll have to go to very great lengths to imagine a scenario where a remote attacker could exploit such a flaw. It's next to impossible to identify the make and model of the NIC that holds an IP address (if it is even directly bound to a NIC, CARP and other similar technologies get in the way if used), the attacker would first have to acquire this information through other means.

Well, I'm not convinced that needing to identify the card first is really a requirement. I feel it's more likely an attacker using these techniques would just blast out a bunch of probes and figure it out based on what bounces back, a similar concept to port knocking.

I wish I could find/remember where on openbsd.org this was mentioned and use the wayback machine or something, because it seemed like whoever wrote about it knew what they were talking about.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.
Re: Intel Atom?
On 2015-07-27 11:22, Quartz wrote:

> What's Intel Atom support like these days? I remember they used to be a little weird. Are they handled pretty much like any other x86 chip now or are some things still unsupported? Are they capable of handling pf on a saturated 100-base-t connection? How about gig-e?

There's a huge range of Atom processors. Some are 32-bit only single-core, there are models which are 64-bit capable and multi-core. There are a wide range of clock speeds, cache sizes, and bus speeds.

http://ark.intel.com/products/family/29035/Intel-Atom-Processor#@All

I have an Asus 1005HA netbook with an Atom N270. As it's a workstation, I can't speak to router performance. But the processor: single-core, 32-bit only, has always appeared to be a normal x86. I just can't disable HT in the BIOS.

I don't have a recent dmesg available as I don't have the device with me at the moment. Here's an excerpt from one I'd sent to misc@ a couple of years ago that I just grabbed from marc.info. This one is GENERIC, I normally use GENERIC.MP -- though to be honest, I do not perceive a performance delta between the two.

OpenBSD 5.4-current (GENERIC) #93: Fri Oct 25 09:18:15 MDT 2013
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz (GenuineIntel 686-class) 1.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE,LAHF,PERF
real mem = 1064497152 (1015MB)
Re: dovecot startup failure (5.7-stable)
On Sat, 25 Jul 2015 13:51:32 +0200 Tor Houghton t...@bogus.net wrote:

> Hi,
>
> It appears that the dovecot package won't start at boot time unless the ulimit is raised for open files:
>
> ..
> Jul 25 13:39:53 duck dovecot: master: Error: open(/var/dovecot/login-master-notifyda2290c6851a9f03) failed: Too many open files
> ..
>
> If I add the following to /etc/login.conf
>
> --
> dovecot:\
>         :openfiles-cur=1024:\
>         :tc=daemon:
>
> it starts OK.
>
> I suppose it's either do the above, or change the defaults in /etc/dovecot/conf.d/10-master.conf ..?
>
> Regards,
> Tor

Hi,

I never hit that specific issue while running current.

dovecot:\
        :openfiles-cur=512:\
        :openfiles-max=2048:\
        :tc=daemon:

These are the recommended values for dovecot as stated by /usr/local/share/doc/pkg-readmes/dovecot-2.2.18p0

Does dovecot start up properly if you set openfiles-max? That's the only difference I see between your setup and mine; dovecot seems to start up fine with openfiles-cur=512 on my box (amd64 snapshot Jul 20).

Regards,
Adam
dmesg: Intel Atom C2758 - SuperMicro A1SRi-2758F with LSI SAS9211-8i
dmesg from a box that was en route to becoming a FreeNAS system. Everything I cared about as far as networking and disk management worked, with one issue. smartctl was uneven about whether it could get stats from the disks connected through the LSI (mpii0). The first two requests would work. Usually the third and subsequent would fail. Disk r/w operations would continue to work without issue.

--Aaron

OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar 8 11:04:17 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34314604544 (32724MB)
avail mem = 33397235712 (31850MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f4d8000 (53 entries)
bios0: vendor American Megatrends Inc. version 1.1 date 01/09/2015
bios0: Supermicro A1SAi
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP FPDT FIDT SPMI MCFG WDAT UEFI APIC BDAT HPET SSDT HEST BERT ERST EINJ
acpi0: wakeup devices PEX1(S0) PEX2(S0) PEX3(S0) PEX4(S0) EHC1(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.45 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2399.99 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.01 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2399.99 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 8 (application processor)
cpu4: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.00 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu4: 1MB 64b/line 16-way L2 cache
cpu4: smt 0, core 4, package 0
cpu5 at mainbus0: apid 10 (application processor)
cpu5: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2399.99 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu5: 1MB 64b/line 16-way L2 cache
cpu5: smt 0, core 5, package 0
cpu6 at mainbus0: apid 12 (application processor)
cpu6: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.00 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu6: 1MB 64b/line 16-way L2 cache
cpu6: smt 0, core 6, package 0
cpu7 at mainbus0: apid 14 (application processor)
cpu7: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2399.99 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS
cpu7: 1MB 64b/line 16-way L2 cache
cpu7: smt 0, core 7, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20,
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
> These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off.

Can you elaborate on this? Also, that brings up another point wrt motherboards with multiple jacks; are bios attacks something to worry about?

> Having said that, just throwing random chipsets into the mix is probably not the right solution. You may actually be increasing your attack surface.

That's always a possibility, yes.

> If this is a real concern for you,

The thing is I don't really know if this should be a realistic concern, that's why I'm asking. A motherboard with multiple ports would certainly be more convenient, but it's not worth it if it would compromise security.
Intel Atom?
What's Intel Atom support like these days? I remember they used to be a little weird. Are they handled pretty much like any other x86 chip now or are some things still unsupported? Are they capable of handling pf on a saturated 100-base-t connection? How about gig-e?
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On 2015-07-27, Quartz qua...@sneakertech.com wrote:

> This is a little off-topic, but I should clarify that although this device's primary purpose is a firewall+router, it also has to provide a handful of other network related services that set a few requirements vis-à-vis hardware.

Depends what they are, but those other services are far more likely to be a problem than a multiport NIC.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On 27-07-2015 09:13, Kimmo Paasiala wrote:

> It's next to impossible to identify the make and model of the NIC that holds an IP address

With IPv6 and poor configuration, a remote attacker already has that information. MAC addresses reveal a lot of information about a NIC.

Cheers,
Giancarlo Razzolini
Re: Intel Atom?
FWIW here's the DMESG from the system I just put in place. Case, power supply and all I was at around $350 total. It's making an excellent router/firewall:

OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar 8 11:04:17 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4262907904 (4065MB)
avail mem = 4145512448 (3953MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xef280 (18 entries)
bios0: vendor American Megatrends Inc. version P1.20 date 07/22/2013
bios0: ASRock AD2550R/U3S3
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG HPET
acpi0: wakeup devices P0P2(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) PS2K(S4) PS2M(S4) UAR1(S4) GBE_(S4) PEX0(S4) PEX1(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1867.04 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
cpu0: 512KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
cpu0: mwait min=64, max=64, C-substates=0.1.0.0.0, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1866.74 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
cpu1: 512KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1866.74 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
cpu2: 512KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1866.74 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
cpu3: 512KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 6 (P0P2)
acpiprt2 at acpi0: bus 1 (PEX0)
acpiprt3 at acpi0: bus 2 (PEX1)
acpiprt4 at acpi0: bus 3 (PEX2)
acpiprt5 at acpi0: bus -1 (PEX3)
acpiprt6 at acpi0: bus 4 (PEX4)
acpiprt7 at acpi0: bus 5 (PEX5)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x0bf3 rev 0x04
vga1 at pci0 dev 2 function 0 Intel GMA 3600 rev 0x0b
intagp at vga1 not configured
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 26 function 0 Intel 82801JI USB rev 0x00: apic 0 int 16
uhci1 at pci0 dev 26 function 1 Intel 82801JI USB rev 0x00: apic 0 int 21
uhci2 at pci0 dev 26 function 2 Intel 82801JI USB rev 0x00: apic 0 int 18
ehci0 at pci0 dev 26 function 7 Intel 82801JI USB rev 0x00: apic 0 int 18
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 Intel 82801JI HD Audio rev 0x00: msi
azalia0: no supported codecs
ppb0 at pci0 dev 28 function 0 Intel 82801JI PCIE rev 0x00: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 Intel 82801JI PCIE rev 0x00: msi
pci2 at ppb1 bus 2
xhci0 at pci2 dev 0 function 0 vendor Etron, unknown product 0x7052 rev 0x00: msi
usb1 at xhci0: USB revision 3.0
uhub1 at usb1 Etron xHCI root hub rev 3.00/1.00 addr 1
ppb2 at pci0 dev 28 function 2 Intel 82801JI PCIE rev 0x00: msi
pci3 at ppb2 bus 3
ahci0 at pci3 dev 0 function 0 Marvell 88SE9172 SATA rev 0x11: msi, AHCI 1.0
scsibus1 at ahci0: 32 targets
ppb3 at pci0 dev 28 function 4 Intel 82801JI PCIE rev 0x00: msi
pci4 at ppb3 bus 4
em0 at pci4 dev 0 function 0 Intel 82574L rev 0x00: msi, address d0:50:99:64:a4:42
ppb4 at pci0 dev 28 function 5 Intel 82801JI PCIE rev 0x00: msi
pci5 at ppb4 bus 5
em1 at pci5 dev 0 function 0 Intel 82574L rev 0x00: msi, address d0:50:99:64:a4:43
uhci3 at pci0 dev 29 function 0 Intel 82801JI USB rev 0x00: apic 0 int 23
uhci4 at pci0 dev 29 function 1 Intel 82801JI USB rev 0x00: apic 0 int 19
uhci5 at pci0
Re: Intel Atom?
Michael McConville wrote:
> (especially when the proxied traffic is TLS-encrypted)

Disregard that clause. It's obviously the end-points that handle TLS sessions, not the exit relay.
Re: dmesg: Intel Atom C2758 - SuperMicro A1SRi-2758F with LSI SAS9211-8i
On Mon, Jul 27, 2015 at 10:59:02AM -0500, Aaron Poffenberger wrote:
> dmesg from a box that was en route to becoming a FreeNAS system. Everything I cared about as far as networking and disk management worked with one issue. smartctl was uneven about whether it could get stats from the disks connected through the LSI (mpii0). The first two requests would work. Usually the third and subsequent would fail. Disk r/w operations would continue to work without issue.
>
> --Aaron

Not easy to tell without seeing disklabel/bioctl output: Are you running softraid crypto on top of softraid raid1? My question is unrelated to your smartctl question. I'm just asking because AFAIK stacking softraid volumes is not supported yet.

> sd0 at scsibus2 targ 0 lun 0: ATA, HGST HDN724040AL, MJAO SCSI3 0/direct fixed naa.5000cca249d4800d
> sd0: 3815447MB, 512 bytes/sector, 7814037168 sectors
> sd1 at scsibus2 targ 1 lun 0: ATA, HGST HDN724040AL, MJAO SCSI3 0/direct fixed naa.5000cca249d4599d
> sd1: 3815447MB, 512 bytes/sector, 7814037168 sectors
> ahci1 at pci0 dev 24 function 0 Intel Atom C2000 AHCI rev 0x02: msi, AHCI 1.3
> scsibus3 at ahci1: 32 targets
> sd2 at scsibus3 targ 0 lun 0: ATA, OCZ-VERTEX3, 2.22 SCSI3 0/direct fixed naa.5e83a97e9c46465c
> sd2: 85857MB, 512 bytes/sector, 175836528 sectors, thin
> sd3 at scsibus1 targ 0 lun 0: ATA, HGST HDN724040AL, A5E0 SCSI4 0/direct fixed naa.5000cca24cdd740e
> sd3: 3815447MB, 512 bytes/sector, 7814037168 sectors
> sd4 at scsibus1 targ 1 lun 0: ATA, HGST HDN724040AL, A5E0 SCSI4 0/direct fixed naa.5000cca24cdc2af9
> sd4: 3815447MB, 512 bytes/sector, 7814037168 sectors
> sd5 at scsibus1 targ 2 lun 0: ATA, HGST HDS724040AL, A580 SCSI4 0/direct fixed naa.5000cca23df04379
> sd5: 3815447MB, 512 bytes/sector, 7814037168 sectors
> sd6 at scsibus1 targ 3 lun 0: ATA, HGST HDS724040AL, A580 SCSI4 0/direct fixed naa.5000cca24cc22026
> sd6: 3815447MB, 512 bytes/sector, 7814037168 sectors
> sd7 at scsibus5 targ 1 lun 0: OPENBSD, SR RAID 1, 005 SCSI2 0/direct fixed
> sd7: 3815447MB, 512 bytes/sector, 7814036576 sectors
> softraid0: volume sd7 is roaming, it used to be sd5, updating metadata
> softraid0: roaming device sd2a - sd4a
> sd8 at scsibus5 targ 2 lun 0: OPENBSD, SR RAID 1, 005 SCSI2 0/direct fixed
> sd8: 3815447MB, 512 bytes/sector, 7814036576 sectors
> softraid0: volume sd8 is roaming, it used to be sd6, updating metadata
> softraid0: roaming device sd1a - sd5a
> softraid0: roaming device sd0a - sd6a
> sd9 at scsibus5 targ 3 lun 0: OPENBSD, SR RAID 1, 005 SCSI2 0/direct fixed
> sd9: 3815447MB, 512 bytes/sector, 7814036576 sectors
> softraid0: volume sd9 is roaming, it used to be sd7, updating metadata
> softraid0: roaming device sd4a - sd0a
> softraid0: roaming device sd3a - sd1a
> root on sd2a (30a8a089ec1d5993.a) swap on sd2b dump on sd2b
> sd10 at scsibus5 targ 4 lun 0: OPENBSD, SR CRYPTO, 005 SCSI2 0/direct fixed
> sd10: 3815447MB, 512 bytes/sector, 7814035984 sectors
> softraid0: volume sd10 is roaming, it used to be sd7, updating metadata
> softraid0: roaming device sd5a - sd7a
> sd11 at scsibus5 targ 5 lun 0: OPENBSD, SR CRYPTO, 005 SCSI2 0/direct fixed
> sd11: 3815447MB, 512 bytes/sector, 7814035984 sectors
> softraid0: volume sd11 is roaming, it used to be sd8, updating metadata
> softraid0: roaming device sd6a - sd8a
> sd12 at scsibus5 targ 6 lun 0: OPENBSD, SR CRYPTO, 005 SCSI2 0/direct fixed
> sd12: 3815447MB, 512 bytes/sector, 7814035984 sectors
> softraid0: volume sd12 is roaming, it used to be sd10, updating metadata
> softraid0: roaming device sd7a - sd9a
> hw.sensors.cpu0.temp0=40.00 degC
> hw.sensors.softraid0.drive0=online (sd7), OK
> hw.sensors.softraid0.drive1=online (sd8), OK
> hw.sensors.softraid0.drive2=online (sd9), OK
> hw.sensors.softraid0.drive3=online (sd10), OK
> hw.sensors.softraid0.drive4=online (sd11), OK
> hw.sensors.softraid0.drive5=online (sd12), OK
Re: Intel Atom?
> I just posted a dmesg from a SuperMicro motherboard with 8-core Intel Atom C2758.

Yeah, I've heard about that board. I think it's a tad overkill for our situation though :)

> Depending on how you configure your disks the 8-core C2758 should be able to saturate a single gig-e nic.

Our system will be mainly a router rather than a file server, so I'm mostly concerned with how well it would handle network-to-network rather than disk-to-network. Lemme put it a different way: a 500mhz P3 can handle pf on a saturated 100bt connection no sweat. I know Atoms are slower clock-for-clock, how do they compare (in general) and are there any OpenBSD specific concerns?
Re: Intel Atom?
> FWIW here's the DMESG from the system I just put in place.
>
> pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x0bf3 rev 0x04
> ehci0: timed out waiting for BIOS
> xhci0 at pci2 dev 0 function 0 vendor Etron, unknown product 0x7052
> ehci1: timed out waiting for BIOS

I admit I'm not great at reading DMESGs, but these are the sorts of things that worry me.
Re: dhclient.conf alias declarations?
On 2015-07-26, Kimmo Paasiala kpaas...@gmail.com wrote:
> Hello,
>
> I'm in the process of migrating my router/firewall system from FreeBSD to OpenBSD and I came across a minor problem. I want to have a static alias address on an interface that is otherwise configured with DHCP. What I had in FreeBSD was this entry in /etc/dhclient.conf:
>
> alias {
>     interface "vr0";
>     fixed-address 192.168.1.200;
>     option subnet-mask 255.255.255.0;
> }
>
> This seems to be silently ignored on OpenBSD 5.7 and the dhclient.conf manual page makes no mention of alias declarations. How am I supposed to achieve the same effect?

I need to do this sometimes too. The only way to do this with dhclient(8) in recent versions of OpenBSD is to fetch the lease, pkill -9 dhclient, then add the alias. Otherwise use an alternative DHCP client from packages.
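The workaround described in that reply, scripted as an added example (this is not code from the thread, from OpenBSD's base tools, or from any package): run dhclient(8) to get the lease, stop it so it cannot reconfigure the interface again, then add the static alias with ifconfig(8). The interface name and alias address are assumptions taken from the question, and the ifconfig output at the bottom is a constructed sample used only to exercise the check functions without touching a real interface.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD: the workaround above
# as a script. Fetch the lease with dhclient(8), stop dhclient so it cannot
# reconfigure the interface again, then add the static alias with ifconfig(8).
# Interface and addresses are assumptions taken from the question.
IFACE=${IFACE:-vr0}
ALIAS_ADDR=${ALIAS_ADDR:-192.168.1.200}
ALIAS_MASK=${ALIAS_MASK:-255.255.255.0}

# Pure check on ifconfig(8) output: returns 0 if an "inet <addr>" line is
# present. $1 = ifconfig output, $2 = IPv4 address.
has_addr() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*inet $2 "
}

# Returns 0 if the output shows any IPv4 address at all, i.e. a lease was
# applied to the interface.
has_any_inet() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# Poll ifconfig(8) until an address is configured or $1 seconds have passed.
wait_for_lease() {
    n=${1:-30}
    while [ "$n" -gt 0 ]; do
        has_any_inet "$(ifconfig "$IFACE")" && return 0
        sleep 1
        n=$((n - 1))
    done
    return 1
}

# The procedure itself; needs root. Caveat: once dhclient is killed nothing
# renews the lease, so the DHCP server may hand the address to another host
# after the lease expires.
add_static_alias() {
    dhclient "$IFACE" || return 1
    wait_for_lease 30 || { echo "no lease on $IFACE" >&2; return 1; }
    pkill -9 dhclient                       # as in the reply above
    ifconfig "$IFACE" inet "$ALIAS_ADDR" netmask "$ALIAS_MASK" alias
    has_addr "$(ifconfig "$IFACE")" "$ALIAS_ADDR"
}

# Constructed sample in OpenBSD ifconfig(8) style (not captured from a real
# system), used to exercise the checks above offline.
SAMPLE_IFCONFIG='vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:01
        inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255'

# Run the procedure only when explicitly asked: sh script.sh run
if [ "${1:-}" = "run" ]; then
    add_static_alias
fi
```

Invoked with the `run` argument as root it performs the three steps; without it, only the check functions are defined, which is what the sample output is for.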
Re: Intel Atom?
I just deployed an OpenBSD 5.7 firewall/router/dhcp/dns using this motherboard:

http://www.newegg.com/Product/Product.aspx?Item=N82E16813157417

It uses the Intel Atom D2550 1.86GHz 2-Core chip and has dual 1000 Mbps Intel NICs on the motherboard. I am running the amd64 binaries on it and it's serving its purpose really well.

Thanks,
Bryan

On Mon, Jul 27, 2015 at 11:44 AM, Josh Grosse j...@jggimi.homeip.net wrote:
> On 2015-07-27 11:22, Quartz wrote:
>> What's Intel Atom support like these days? I remember they used to be a little weird. Are they handled pretty much like any other x86 chip now or are some things still unsupported? Are they capable of handling pf on a saturated 100-base-t connection? How about gig-e?
>
> There's a huge range of Atom processors. Some are 32-bit only single-core, there are models which are 64-bit capable and multi-core. There are a wide range of clock speeds, cache sizes, and bus speeds.
>
> http://ark.intel.com/products/family/29035/Intel-Atom-Processor#@All
>
> I have an Asus 1005HA netbook with an Atom N270. As it's a workstation, I can't speak to router performance. But the processor: single-core, 32-bit only, has always appeared to be a normal x86. I just can't disable HT in the BIOS.
>
> I don't have a recent dmesg available as I don't have the device with me at the moment. Here's an excerpt from one I'd sent to misc@ a couple of years ago that I just grabbed from marc.info. This one is GENERIC, I normally use GENERIC.MP -- though to be honest, I do not perceive a performance delta between the two.
>
> OpenBSD 5.4-current (GENERIC) #93: Fri Oct 25 09:18:15 MDT 2013
>     dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz (GenuineIntel 686-class) 1.60 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI \
> ,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM, \
> MOVBE,LAHF,PERF
> real mem = 1064497152 (1015MB)
Re: dmesg: Intel Atom C2758 - SuperMicro A1SRi-2758F with LSI SAS9211-8i
On 7/27/15 11:20, Stefan Sperling wrote:
> On Mon, Jul 27, 2015 at 10:59:02AM -0500, Aaron Poffenberger wrote:
>> dmesg from a box that was en route to becoming a FreeNAS system. Everything I cared about as far as networking and disk management worked with one issue. smartctl was uneven about whether it could get stats from the disks connected through the LSI (mpii0). The first two requests would work. Usually the third and subsequent would fail. Disk r/w operations would continue to work without issue.
>>
>> --Aaron
>
> Not easy to tell without seeing disklabel/bioctl output: Are you running softraid crypto on top of softraid raid1? My question is unrelated to your smartctl question. I'm just asking because AFAIK stacking softraid volumes is not supported yet.

You're absolutely right about the stacked softraid: mirror then crypt. I knew the risks going in. For an unsupported feature, it was amazingly rock solid. ;-)

>> sd0 at scsibus2 targ 0 lun 0: ATA, HGST HDN724040AL, MJAO SCSI3 0/direct fixed naa.5000cca249d4800d
>> sd0: 3815447MB, 512 bytes/sector, 7814037168 sectors
>> sd1 at scsibus2 targ 1 lun 0: ATA, HGST HDN724040AL, MJAO SCSI3 0/direct fixed naa.5000cca249d4599d
>> sd1: 3815447MB, 512 bytes/sector, 7814037168 sectors
>> ahci1 at pci0 dev 24 function 0 Intel Atom C2000 AHCI rev 0x02: msi, AHCI 1.3
>> scsibus3 at ahci1: 32 targets
>> sd2 at scsibus3 targ 0 lun 0: ATA, OCZ-VERTEX3, 2.22 SCSI3 0/direct fixed naa.5e83a97e9c46465c
>> sd2: 85857MB, 512 bytes/sector, 175836528 sectors, thin
>> sd3 at scsibus1 targ 0 lun 0: ATA, HGST HDN724040AL, A5E0 SCSI4 0/direct fixed naa.5000cca24cdd740e
>> sd3: 3815447MB, 512 bytes/sector, 7814037168 sectors
>> sd4 at scsibus1 targ 1 lun 0: ATA, HGST HDN724040AL, A5E0 SCSI4 0/direct fixed naa.5000cca24cdc2af9
>> sd4: 3815447MB, 512 bytes/sector, 7814037168 sectors
>> sd5 at scsibus1 targ 2 lun 0: ATA, HGST HDS724040AL, A580 SCSI4 0/direct fixed naa.5000cca23df04379
>> sd5: 3815447MB, 512 bytes/sector, 7814037168 sectors
>> sd6 at scsibus1 targ 3 lun 0: ATA, HGST HDS724040AL, A580 SCSI4 0/direct fixed naa.5000cca24cc22026
>> sd6: 3815447MB, 512 bytes/sector, 7814037168 sectors
>> sd7 at scsibus5 targ 1 lun 0: OPENBSD, SR RAID 1, 005 SCSI2 0/direct fixed
>> sd7: 3815447MB, 512 bytes/sector, 7814036576 sectors
>> softraid0: volume sd7 is roaming, it used to be sd5, updating metadata
>> softraid0: roaming device sd2a - sd4a
>> sd8 at scsibus5 targ 2 lun 0: OPENBSD, SR RAID 1, 005 SCSI2 0/direct fixed
>> sd8: 3815447MB, 512 bytes/sector, 7814036576 sectors
>> softraid0: volume sd8 is roaming, it used to be sd6, updating metadata
>> softraid0: roaming device sd1a - sd5a
>> softraid0: roaming device sd0a - sd6a
>> sd9 at scsibus5 targ 3 lun 0: OPENBSD, SR RAID 1, 005 SCSI2 0/direct fixed
>> sd9: 3815447MB, 512 bytes/sector, 7814036576 sectors
>> softraid0: volume sd9 is roaming, it used to be sd7, updating metadata
>> softraid0: roaming device sd4a - sd0a
>> softraid0: roaming device sd3a - sd1a
>> root on sd2a (30a8a089ec1d5993.a) swap on sd2b dump on sd2b
>> sd10 at scsibus5 targ 4 lun 0: OPENBSD, SR CRYPTO, 005 SCSI2 0/direct fixed
>> sd10: 3815447MB, 512 bytes/sector, 7814035984 sectors
>> softraid0: volume sd10 is roaming, it used to be sd7, updating metadata
>> softraid0: roaming device sd5a - sd7a
>> sd11 at scsibus5 targ 5 lun 0: OPENBSD, SR CRYPTO, 005 SCSI2 0/direct fixed
>> sd11: 3815447MB, 512 bytes/sector, 7814035984 sectors
>> softraid0: volume sd11 is roaming, it used to be sd8, updating metadata
>> softraid0: roaming device sd6a - sd8a
>> sd12 at scsibus5 targ 6 lun 0: OPENBSD, SR CRYPTO, 005 SCSI2 0/direct fixed
>> sd12: 3815447MB, 512 bytes/sector, 7814035984 sectors
>> softraid0: volume sd12 is roaming, it used to be sd10, updating metadata
>> softraid0: roaming device sd7a - sd9a
>> hw.sensors.cpu0.temp0=40.00 degC
>> hw.sensors.softraid0.drive0=online (sd7), OK
>> hw.sensors.softraid0.drive1=online (sd8), OK
>> hw.sensors.softraid0.drive2=online (sd9), OK
>> hw.sensors.softraid0.drive3=online (sd10), OK
>> hw.sensors.softraid0.drive4=online (sd11), OK
>> hw.sensors.softraid0.drive5=online (sd12), OK
Re: Intel Atom?
> I just deployed an OpenBSD 5.7 firewall/router/dhcp/dns using this motherboard:
>
> http://www.newegg.com/Product/Product.aspx?Item=N82E16813157417

As a side question, is that a female usb connector planted vertically right on the motherboard?

> It uses the Intel Atom D2550 1.86GHz 2-Core chip and has dual 1000 Mbps Intel NICs on the motherboard. I am running the amd64 binaries on it and it's serving its purpose really well.

How hard have you pushed the network IO?
Re: Intel Atom?
> There's a huge range of Atom processors. Some are 32-bit only single-core, there are models which are 64-bit capable and multi-core. There are a wide range of clock speeds, cache sizes, and bus speeds.

I know, I was mainly looking for general opinion about support and performance. IIRC, back in ~08-09 when Atoms first came out there used to be issues with maybe DMA or something that caused some models to be way slower than specs would indicate, and I was wondering if that was mostly a thing of the past, or if ACPI/64bit/MP/whatever doesn't work right on certain model lines or something. Or basically any issue, software or hardware, that would make some models not be able to handle high traffic.
Re: Intel Atom?
On the USB connector I didn't notice it when I installed the board but I can look when I get home in a couple of days.

I haven't pushed it to breaking but it has yet to present a bottleneck.

Thanks,
Bryan

On Jul 27, 2015, at 1:14 PM, Quartz qua...@sneakertech.com wrote:
>> I just deployed an OpenBSD 5.7 firewall/router/dhcp/dns using this motherboard:
>>
>> http://www.newegg.com/Product/Product.aspx?Item=N82E16813157417
>
> As a side question, is that a female usb connector planted vertically right on the motherboard?
>
>> It uses the Intel Atom D2550 1.86GHz 2-Core chip and has dual 1000 Mbps Intel NICs on the motherboard. I am running the amd64 binaries on it and it's serving its purpose really well.
>
> How hard have you pushed the network IO?
Re: Intel Atom?
I've been using an atom for a firewall/VPN for a couple of years. Works great

On Monday, July 27, 2015, Quartz qua...@sneakertech.com wrote:
> What's Intel Atom support like these days? I remember they used to be a little weird. Are they handled pretty much like any other x86 chip now or are some things still unsupported? Are they capable of handling pf on a saturated 100-base-t connection? How about gig-e?
Re: Intel Atom?
> Here's the dmesg for my Tor exit relay, which runs on a D2700. It moves about 2.0-4.5 MB/s in each direction.

Hmmm that's nowhere near as fast as what we do, and not even as fast as a P3.

> It seems to be running at full capacity doing so,

I don't know much about tor. When you say full capacity, do you mean the hardware was maxed out, or that you were doing the most that the tor network would allow you?
Re: Intel Atom?
Quartz wrote:
>> Here's the dmesg for my Tor exit relay, which runs on a D2700. It moves about 2.0-4.5 MB/s in each direction.
>
> Hmmm that's nowhere near as fast as what we do, and not even as fast as a P3.

Do you have 4,500-7,000 open connections? That slows my machine's networking down quite a bit, but I think it's pretty rare for a small router to have that many.

Another complication that doesn't apply to you is Tor's crypto. I don't know how many AES and ed25519 operations Tor demands per network packet, but (especially when the proxied traffic is TLS-encrypted) it's quite a few. No AES-NI, either.

>> It seems to be running at full capacity doing so,
>
> I don't know much about tor. When you say full capacity, do you mean the hardware was maxed out, or that you were doing the most that the tor network would allow you?

The machine seems maxed out. If I recall correctly, netperf lets me move ~100 Mbps in each direction, as the dedicated server provider advertised. Regardless, my current setup uses all of my allotted monthly bandwidth, so I'm not looking to change anything.
Re: Intel Atom?
On 7/27/15 10:22, Quartz wrote:
> What's Intel Atom support like these days? I remember they used to be a little weird. Are they handled pretty much like any other x86 chip now or are some things still unsupported? Are they capable of handling pf on a saturated 100-base-t connection? How about gig-e?

I just posted a dmesg from a SuperMicro motherboard with 8-core Intel Atom C2758. As noted in the email, everything I cared about worked.

I didn't try to saturate the system but was able to run multiple rsync sessions. I started with one rsync session from two 7200 RPM Hitachi NAS drives configured with stacked softraid (mirror + crypto). I'm reasonably certain I was getting 40 - 45 MB/s which prompted me to run a second rsync from another stacked mirror+crypto set to the same target. Adding the second rsync slowed the first a bit. I think I was seeing 38 - 40 MB/s per stream.

Depending on how you configure your disks the 8-core C2758 should be able to saturate a single gig-e nic.

The SuperMicro board I was using has 4 intel nics + a separate IPMI nic. There's also a 4-core version of the board. There's also a C2750 version of the board (4 and 8 core models) which has turbo boost.

ServeTheHome tested the 2758 and 2750 against the Xeon E3 (and others). The Xeon comes out on top as you would expect but for file serving, you may find them acceptable.

http://www.servethehome.com/intel-atom-c2750-8-core-avoton-rangeley-benchmarks-fast-power/
http://www.servethehome.com/intel-atom-c2758-benchmarks-8-core-rangeley-tested/

--Aaron
Re: Intel Atom?
Here's the dmesg for my Tor exit relay, which runs on a D2700. It moves about 2.0-4.5 MB/s in each direction. It seems to be running at full capacity doing so, but that's with 3,000-5,000 open files and 4,500-7,000 open connections. So, I think you'll be able to get a lot out of one of these CPUs.

OpenBSD 5.7-stable (GENERIC.MP) #0: Fri Jun 19 13:20:46 EDT 2015
    root@exit:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2112454656 (2014MB)
avail mem = 2052362240 (1957MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7ee98000 (27 entries)
bios0: vendor Intel Corp. version MUCDT10N.86A.0069.2012.0323.1358 date 03/23/2012
bios0: Intel Corporation D2700MUD
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC MCFG HPET
acpi0: wakeup devices SLT1(S4) PS2M(S4) PS2K(S4) UAR1(S3) UAR2(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.73 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
cpu0: 512KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
cpu0: mwait min=64, max=64, C-substates=0.1.0.0.0, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.41 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
cpu1: 512KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.41 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
cpu2: 512KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz, 2133.41 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
cpu3: 512KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 8
acpimcfg0 at acpi0 addr 0xe000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (P0P1)
acpiprt2 at acpi0: bus 1 (RP01)
acpiprt3 at acpi0: bus -1 (RP02)
acpiprt4 at acpi0: bus -1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD02
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x0bf3 rev 0x03
vga1 at pci0 dev 2 function 0 Intel GMA 3600 rev 0x09
intagp at vga1 not configured
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02: msi
azalia0: codecs: Realtek ALC662
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 Intel 82574L rev 0x00: msi, address 00:22:4d:9d:93:e8
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: apic 8 int 23
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: apic 8 int 19
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: apic 8 int 18
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: apic 8 int 16
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x02: apic 8 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xe2
pci2 at ppb1 bus 2
pcib0 at pci0 dev 31 function 0 Intel NM10 LPC rev 0x02
ahci0 at pci0 dev 31 function 2 Intel 82801GR AHCI rev 0x02: msi, AHCI 1.1
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: ATA, WDC WD5003ABYX-0, 01.0 SCSI3 0/direct fixed naa.50014ee0ad49cde9
sd0: 476940MB, 512 bytes/sector, 976773168 sectors
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x02: apic 8 int 19
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627DHG
spdmem0 at iic0 addr 0x51: 2GB DDR3 SDRAM PC3-8500 SO-DIMM
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 11:10 AM, Quartz qua...@sneakertech.com wrote:
>> These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off.
>
> Can you elaborate on this?

Search for intel nic bypass mode and you'll find lots of details. It's an increasingly common feature in server network adapters. If the host OS is down, the NIC continues forwarding packets between two ports without any processing. Some older implementations used a physical jumper to enable or disable this feature. Now it's all done in software and can even be configured remotely.

For example: http://www.lannerinc.com/applications/product-features/lan-bypass
Re: Intel Atom?
On 2015-07-27, Aaron Poffenberger a...@hypernote.com wrote:
> The SuperMicro board I was using has 4 intel nics + a separate IPMI nic.

N.B. on the recent SuperMicro boards I have, if the IPMI nic is unconnected, standard settings are to run IPMI on the first main NIC instead. This isn't really safe even if you do change the password from the default...
Re: Update to /etc/services
On 2015-07-27, Denis Fondras open...@ledeuns.net wrote:
>> BTW your diff was line-wrapped, and the BFD entries used spaces instead of tabs, so I hand applied it.
>
> Thank you. Sorry for the BFD entries, I copied/pasted from the IANA document and missed that.

No worries.

> BTW, what is the preferred way to send diff with lines longer than 80 characters ? I use mutt, should I remove set wrap from my vi configuration ?

Assuming vim because vi(1) doesn't know about set wrap - if you use :r to read in the diff from a file it won't wrap anyway; otherwise if you're pasting it in from the clipboard then set paste is probably the best way as it will turn off wrapping and any other auto-formatting that might be enabled.
Re: SPARC minimum hardware specification
We're hurtling towards the 5.8 release and, as usual, ports and packages on non-x86 platforms are in dire shape. If you want to put your money where your mouth is, take a look at recent build logs and start fixing some of those problems.

http://build-failures.rhaalovely.net/

sparc64, powerpc, alpha, hppa, ... Yes, this requires skill and effort.

--
Christian naddy Weisgerber na...@mips.inka.de
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
Joseph Crivello [josephcrive...@gmail.com] wrote:
> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.

If you are running OpenBSD or Bitrig and you have VT-d enabled, someone is working on bringing iommu functionality to both OSes right now. This can prevent runaway DMA. Kinda cool, ya know!
Re: ipv6 kernel pppoe + slaac problem
On 2015-07-25, Holger Glaess gla...@glaessixs.de wrote:
> hi
>
> if i start dhcpcd i got
>
> dhcpcd[26307]: version 6.4.2 starting
> dhcpcd[26307]: IPV6CTL_ACCEPT_RTADV: Operation not supported
> dhcpcd[26307]: kernel does not report IPv6 address flag changes
> dhcpcd[26307]: polling tentative address flags periodically instead
> dhcpcd[26307]: IPV6CTL_ACCEPT_RTADV: Operation not supported
>
> it is a current (5.8-beta) system.
>
> Holger

Can you try 6.9.1 from -current ports please? (I updated it recently so packages might not be there yet).
Re: Intel Atom?
On 7/27/15 14:34, Stuart Henderson wrote:
> On 2015-07-27, Aaron Poffenberger a...@hypernote.com wrote:
>> The SuperMicro board I was using has 4 intel nics + a separate IPMI nic.
>
> N.B. on the recent SuperMicro boards I have, if the IPMI nic is unconnected, standard settings are to run IPMI on the first main NIC instead. This isn't really safe even if you do change the password from the default...

Good point. All my SuperMicro boards have the same feature.
Re: doas.conf: omitting [as root] allows me to run a command as everybody?
On July 27, 2015 3:22:13 PM GMT+02:00, Theo Buehler t...@math.ethz.ch wrote:
> On Mon, Jul 27, 2015 at 03:13:55PM +0200, Marc Espie wrote:
>> On Mon, Jul 27, 2015 at 02:40:53PM +0200, Theo Buehler wrote:
>>> So omitting [as identity] allows me to run as every user, not just as root? Is this intentional?
>>
>> I think it's intentional. It's definitely what I would expect: [as identity] is a restrictive modifier. If you want to only be able to run as root, you write as root.
>
> Ok thanks, this makes sense, but it is not quite clear (to me) from the docs that this is a restrictive quantifier. The bit I quoted from the man page on as target says "The default is root.", not "root and everybody else". (Sorry, I should have written as target, not as identity in my mail)
>
>> How would you phrase things if it wasn't the case ?..
>
> As indicated above I would probably write something like "as root and every other user" instead of simply "as root".

Assuming you are properly quoting the docs, and I have no reason to believe otherwise, it should certainly not say as root, but rather as anyone.
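The point of the thread is that a permit rule with no "as" clause lets the matched user pick any target user with doas -u, not only root. As an added example (not from the thread and not part of doas itself), here is a small lint that flags such rules in a doas.conf so the omission is caught during review rather than discovered later; the sample configuration and the user names alice and bob are constructed:

```shell
#!/bin/sh
# Added example, not from the thread or from doas: flag "permit" rules in a
# doas.conf that carry no "as <target>" clause. Per the discussion above such
# a rule permits the command as ANY target user (doas -u), not only root.

# Constructed sample doas.conf; users alice and bob are hypothetical.
SAMPLE_DOAS_CONF=$(mktemp)
cat > "$SAMPLE_DOAS_CONF" <<'EOF'
# rule 1: no target restriction, so alice may run reboot as any user
permit alice cmd /sbin/reboot
# rule 2: explicit root target, the intended form
permit persist bob as root cmd /usr/sbin/rcctl
# rule 3: group rule with no target, also any user
permit :wheel
# rule 4: deny rules grant nothing, so no target needed
deny alice as root cmd /bin/sh
EOF

# Constructed sample with only explicitly targeted rules.
CLEAN_DOAS_CONF=$(mktemp)
printf 'permit persist bob as root cmd /usr/sbin/rcctl\n' > "$CLEAN_DOAS_CONF"

# Print every permit rule in $1 that lacks an "as" keyword, with its line
# number. Exit status 1 if at least one such rule exists, 0 otherwise.
lint_doas_conf() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        $1 == "permit" {
            has_as = 0
            for (i = 2; i <= NF; i++) if ($i == "as") has_as = 1
            if (!has_as) { printf "line %d: %s\n", NR, $0; found++ }
        }
        END { exit (found > 0) ? 1 : 0 }
    ' "$1"
}

# Number of untargeted permit rules in $1, as a plain integer.
count_unrestricted_permits() {
    lint_doas_conf "$1" | wc -l | tr -d ' '
}

# Lint a real file when one is given: sh lint.sh /etc/doas.conf
if [ -n "${1:-}" ]; then
    lint_doas_conf "$1"
fi
```

On the sample above the lint reports rules 1 and 3 and exits 1; on the clean file it prints nothing and exits 0. The fix for a flagged rule is the one Marc gives: write the target explicitly, as root.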
Re: rdomain with BGP dynamic route
Pierre,

Thanks for forwarding the information to me. Yes, what you tried was related, especially the overlapping addresses of clients. What I want to do is to assign different RD to different VRF routes learned dynamically from clients. Based on what I heard and read so far, I just assume it's not doable.

Thanks again,
-Yang

-Original Message-
From: BARDOU Pierre [mailto:bardo...@mipih.fr]
Sent: Monday, July 27, 2015 8:47 AM
To: XU, YANG (YANG) y...@research.att.com; misc@openbsd.org
Subject: RE: rdomain with BGP dynamic route

Hello,

I think this is what I tried a while ago, which is not possible.
Cf http://openbsd-archive.7691.n7.nabble.com/Multi-VRF-bgpd-no-MPLS-td248639.html

Bgpd.conf(5) says: Currently the routing table must belong to the default routing domain

--
Regards,
Pierre BARDOU

-Original Message-
From: XU, YANG (YANG) [mailto:y...@research.att.com]
Sent: Sunday, 26 July 2015 14:28
To: misc@openbsd.org
Subject: Re: rdomain with BGP dynamic route

Thanks for the info. I read the rdomain configuration section. My problem is how to put prefix learned dynamically from a BGP neighbor to a specific rdomain (not default rdomain 0). Sadly, I still don't know if that's possible.

Regards,
-Yang

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Alexander Salmin [alexan...@salmin.biz]
Sent: 25 July 2015 17:36
To: misc@openbsd.org
Subject: Re: rdomain with BGP dynamic route

Hey,

man 5 bgpd.conf

See section Routing Domain Configuration and parameters export-target and import-target. I suspect that is what you want.

Alexander Salmin

On 2015-07-24 13:47, XU, YANG (YANG) wrote:
> Let me describe it in another way. Can I create a new rdomain as a VRF and use the rdomain to import/export customer's prefix through BGP? I will greatly appreciate it if you can provide any information. I have seen some information online, but prefix is either from static configuration or connected network. In my case, I need to support dynamic routes from BGP in VRF.
>
> Thanks,
> -Yang
>
> From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of XU, YANG (YANG)
> Sent: 23 July 2015 08:06
> To: misc@openbsd.org
> Subject: rdomain with BGP dynamic route
>
> Hi all,
>
> I am configuring OpenBSD bgpd so that it can relay the routes learned from customer BGP servers to a route reflector (RR). Customer BGP servers only speak IPv4 BGP, so my OpenBSD bgpd needs to add different route-distinguisher and route-target to the dynamic routes learned from each customer BGP neighbor before forwarding to RR. As I understand, I should be able to use rdomain to implement this. What I really need conceptually is to attach a BGP neighbor to a rdomain, so that dynamic routes learned from that BGP neighbor are added to the specified rdomain. But I failed to find a way to do this in OpenBSD. Does anyone know if this is possible and give me a BGP configuration example?
>
> Many thanks in advance,
> -Yang
aucat problems
Hi,

I have some trouble configuring my audio devices: I want to record with my internal microphone (Thinkpad x220i) or/and my headphones with aucat, but I can't configure it according to the FAQ because the output from mixerctl is somehow different.

inputs.dac-0:1_mute=off
inputs.dac-0:1=153,153
inputs.dac-2:3_mute=on
inputs.dac-2:3=153,153
inputs.beep=108
record.adc-0:1_source=mic2
record.adc-0:1_mute=off
record.adc-0:1=126,126
record.adc-2:3_source=mic2
record.adc-2:3_mute=off
record.adc-2:3=126,126
record.adc-4:5_source=mic2
record.adc-4:5_mute=off
record.adc-4:5=126,126
inputs.sel_source=mic
outputs.sel=126,126
inputs.sel2_source=mic
outputs.sel2=126,126
outputs.hp_source=dac-0:1
outputs.hp_boost=off
outputs.mic_source=dac-0:1
outputs.mic_dir=input-vr80
outputs.mic_eapd=on
outputs.spkr_source=dac-2:3
inputs.mic2=126,126
inputs.mix_source=dac-0:1,dac-2:3
inputs.mix_dac-0:1=126,126
inputs.mix_dac-2:3=126,126
outputs.hp_sense=plugged
outputs.mic_sense=plugged
outputs.spkr_muters=hp,mic
outputs.master=155,155
outputs.master.mute=off
outputs.master.slaves=dac-0:1,dac-2:3
record.volume=126,126
record.volume.mute=off
record.volume.slaves=adc-0:1,adc-2:3,adc-4:5

I am not sure which settings must be changed to record with the internal microphone. When I start aucat, I can't hear anything.

Thanks for your help.
Re: aucat problems
> I am not sure which settings must be changed to record with the internal microphone. When I start aucat, I can't hear anything.

I've had the same trouble figuring out which set of settings controls the selection of the internal and external microphone on my laptop. Wild guess: it might be related to the way settings interact with each other, namely record, input select, ADC source, mix source etc. Probably these map 1:1 to the hardware features of the respective audio device, but to me as a user that's a great riddle as well and no mixer program has solved it for me yet (though I've not checked on that for a while).

Here are my audio device and mixer settings if you would like to compare them with the ones you try with:

    OpenBSD 5.8 GENERIC.MP#1062 i386
    azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02: msi
    azalia0: codecs: Realtek ALC269
    audio0 at azalia0

    $ mixerctl -av
    inputs.dac-0:1=192,192
    inputs.dac-2:3=192,192
    record.adc-0:1_mute=off [ off on ]
    record.adc-0:1=125,125
    record.adc-2:3_mute=off [ off on ]
    record.adc-2:3=125,125
    inputs.mix_source=mic2,beep { mic2 beep }
    inputs.mix_mic2=0,0
    inputs.mix_beep=120,120
    inputs.mix2_source=dac-0:1,mix { dac-0:1 mix }
    inputs.mix3_source=dac-2:3,mix { dac-2:3 mix }
    outputs.spkr_source=mix3 [ mix2 mix3 ]
    outputs.spkr_mute=off [ off on ]
    outputs.spkr_eapd=on [ off on ]
    outputs.hp_source=mix2 [ mix2 mix3 ]
    outputs.hp_mute=off [ off on ]
    outputs.hp_boost=off [ off on ]
    outputs.hp_eapd=on [ off on ]
    outputs.mic2_source=mix2 [ mix2 mix3 ]
    outputs.mic2_mute=on [ off on ]
    inputs.mic2=85,85
    outputs.mic2_dir=input-vr80 [ none output input input-vr0 input-vr50 input-vr80 input-vr100 ]
    record.adc-2:3_source=mic [ mic2 beep mic mix ]
    record.adc-0:1_source=mic2,beep,mix { mic2 beep mix }
    outputs.hp_sense=plugged [ unplugged plugged ]
    outputs.mic2_sense=plugged [ unplugged plugged ]
    outputs.spkr_muters=mic2 { hp mic2 }
    outputs.master=255,255
    outputs.master.mute=off [ off on ]
    outputs.master.slaves=dac-0:1,dac-2:3,spkr,hp { dac-0:1 dac-2:3 spkr hp mic2 }
    record.volume=125,125
    record.volume.mute=off [ off on ]
    record.volume.slaves=adc-0:1,adc-2:3 { adc-0:1 adc-2:3 mic2 }

I would as well appreciate it if somebody could tip which set of options would define internal and then external microphone selection. The reference manual is azalia(4).
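An added example, not from either poster: a small parser for the two output shapes quoted in this thread (plain name=value lines from mixerctl, and -v output where a trailing [ ... ] lists the single allowed choices and { ... } lists the members of a set), used to list which controls can actually select a given source such as mic or mic2. The sample lines are constructed from the postings above, not a real capture.

```python
import re

# Constructed sample in the shape of the mixerctl output quoted above
# (a few lines from each posting; not a real capture).
SAMPLE = """\
record.adc-0:1=125,125
record.adc-0:1_source=mic2,beep,mix { mic2 beep mix }
record.adc-2:3_source=mic [ mic2 beep mic mix ]
outputs.spkr_source=mix3 [ mix2 mix3 ]
outputs.mic2_dir=input-vr80 [ none output input input-vr0 input-vr50 input-vr80 input-vr100 ]
outputs.master.slaves=dac-0:1,dac-2:3,spkr,hp { dac-0:1 dac-2:3 spkr hp mic2 }
record.volume.mute=off [ off on ]
inputs.sel_source=mic
"""

# name=value, optionally followed by "[ choices ]" (pick one) or "{ members }" (pick any)
LINE_RE = re.compile(
    r"^(?P<name>[^=\s]+)=(?P<value>[^\s\[{]*)"
    r"(?:\s*(?P<kind>[\[{])\s*(?P<choices>.*?)\s*[\]}])?$"
)

def parse_mixerctl(text):
    """Map control name -> {'value': [...], 'kind': enum|set|plain, 'choices': [...]}.

    'enum' is a [ ... ] list (exactly one choice), 'set' is a { ... } list
    (any subset), 'plain' is a bare value such as a level 125,125 or any
    control printed without -v, where the allowed choices are not shown.
    """
    controls = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        kind = {"[": "enum", "{": "set", None: "plain"}[m.group("kind")]
        choices = m.group("choices").split() if m.group("choices") else []
        value = m.group("value").split(",") if m.group("value") else []
        controls[m.group("name")] = {"value": value, "kind": kind, "choices": choices}
    return controls

def controls_offering(controls, source):
    """Controls whose allowed choices include `source`, e.g. 'mic' or 'mic2'."""
    return sorted(n for n, c in controls.items() if source in c["choices"])

if __name__ == "__main__":
    ctl = parse_mixerctl(SAMPLE)
    for src in ("mic", "mic2"):
        print(src, "->", controls_offering(ctl, src))
```

Feed it the real `mixerctl -av` output to see, per source, which record/mix controls can be pointed at it before changing anything.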
Re: Intel Atom?
>> Here's the dmesg for my Tor exit relay, which runs on a D2700. It moves about 2.0-4.5 MB/s in each direction.

> Hmmm, that's nowhere near as fast as what we do, and not even as fast as a P3.

I have an N280 1000/1666 MHz netbook which is roughly the same computation power as a P3 750 MHz (reference md5 -tt), and a D525 1800 MHz (Supermicro board) with 2 GigE ports (1 shared IPMI) which is more than twice the N280. The nice thing is that the N280 works even when the fan blocks continuously for long periods without thermal shutdown on the lower CPU frequency.

The D525 is quite older than the new systems suggested in the thread, and fully saturates the 100 Mbps LAN with SSH so no worries, the external network is 100 Mbps. That's a 50 Watt system; the main issue is heat in the mini-ITX case and the fans are noisy for my delicate ears, had to add 2x 60 mm fans to keep it from overheating. The mainboard is picky on RAM so select a good compatible ECC module provider if the system supports it (newer Atoms). The D525 was a bit pricey for me at the time, but has worked since 2011 without concern.

>> It seems to be running at full capacity doing so, I don't know much about tor.

> When you say full capacity, do you mean the hardware was maxed out, or that you were doing the most that the tor network would allow you?

Recommendation for a very capable router are the C2750/C2758 Supermicro boards and a case that can use 12 cm fans if you're going to be listening to it. Reference mainboard models: A1SAi-2750F or A1SRi-2758F, those have roughly half the computing power of a Xeon E3-1230/1245. If I was picking now I'd go for the Xeon E3 anyway instead, plus dmesg is invaluable.
Re: Intel Atom?
On Mon, Jul 27, 2015 at 7:14 PM, li...@wrant.com wrote:

> The D525 is quite older than the new systems suggested in the thread, and fully saturates the 100 Mbps LAN with SSH so no worries, external networks is 100 Mbps.

snip

> Recommendation for a very capable router are C2750/C2758 Supermicro board and a case that can use 12 cm fans if you're going to be listening to it. Reference mainboard models: A1SAi-2750F or A1SRi-2758F, those about roughly as half as the computing power of Xeon E3-1230/1245.

I have several of the SuperMicro 5015A based systems, most with the D510 processor and one here with the D525, but never had a problem with it overheating and use it with a picoPSU as the noise from the stock PSU was just too much (the D510 based systems are much quieter than the D525 one).

I did replace one of the D510 based systems (a heavily used one) with a new one using SuperMicro's 5018D board and elected the Core i3 4160 over the Xeons as I didn't think the extra cores provided by a Xeon helped firewall usage, and the HyperThreading on the i3 (which supports the ECC memory needed for this board) can be disabled. The only problem with this board is that OpenBSD's support of one of the onboard NICs, the Intel i217-LM, is questionable (it did not work for me), so I needed to pick up a PCI-E add-in NIC. Note also that the IPMI interface is separate from the other two embedded interfaces in this system (X10SLL-F board).
Re: ipv6 kernel pppoe + slaac problem
On 27-07-2015 18:16, Stuart Henderson wrote:

> Can you try 6.9.1 from -current ports please? (I updated it recently so packages might not be there yet).

You can try using wide-dhcp6 too. But I couldn't make it work because my upstream router would delegate the prefix, but not route the packets to my OpenBSD firewall. So some form of NDP proxying is required. Nothing in the base or in the ports can do that, AFAIK. I ended up deploying a bridge.

I also have the same issue: the prefix delegation from my ISP is dynamic, not static, so every time my router gets restarted I get a new prefix from it. If your prefix delegation solution doesn't account for it, you might need some form of monitoring (ifstated comes to mind) to reload both your dhcp and rtadvd.

IIRC, OpenBSD isn't yet RFC 7084 ready (I have my doubts whether it even should be). One of the core things is, if the router loses global IPv6 connectivity, it MUST stop advertising itself as an IPv6 router. And rtadvd doesn't do that yet, AFAIK.

Truth is, most ISPs are ing up IPv6 deployment. Some of them are doing it for the money (charging more for something that should be default, such as static PD). Others are doing it because of plain and simple lack of knowledge.

Cheers,
Giancarlo Razzolini
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 10:52 PM, Joseph Crivello josephcrive...@gmail.com wrote:

> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.

(Somewhat of a rhetorical question, but ...) How hard would it be to design and assemble one's own NIC, and use said design to construct one's own switch?

(I daydream too much. Right now I'm daydreaming of a switch-on-a-card. It's been a while since I've seen such things advertised, but maybe I'm not looking in the right places nowadays.)

--
Joel Rees

Be careful when you look at conspiracy. Arm yourself with knowledge of yourself, as well: http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
Re: dhclient.conf alias declarations?
On Mon, Jul 27, 2015 at 4:21 AM, Edgar Pettijohn ed...@pettijohn-web.com wrote:

On 07/26/15 19:10, Kimmo Paasiala wrote:

On Mon, Jul 27, 2015 at 3:00 AM, Kimmo Paasiala kpaas...@gmail.com wrote:

On Mon, Jul 27, 2015 at 2:33 AM, Josh Grosse j...@jggimi.homeip.net wrote:

On 2015-07-26 19:12, Kimmo Paasiala wrote:

Hello, I'm in the process of migrating my router/firewall system from FreeBSD to OpenBSD and I came across a minor problem. I want to have a static alias address on an interface that is otherwise configured with DHCP. What I had in FreeBSD was this entry in /etc/dhclient.conf:

    alias {
        interface vr0;
        fixed-address 192.168.1.200;
        option subnet-mask 255.255.255.0;
    }

This seems to be silently ignored on OpenBSD 5.7 and the dhclient.conf manual page makes no mention of alias declarations. How am I supposed to achieve the same effect?

-Kimmo

Perhaps something like this in your /etc/hostname.vr0 instead would work for you?

    dhcp
    !ifconfig vr0 alias 192.168.1.200/32

No, doesn't work. Interestingly, doing the alias manually when dhclient is running and vr0 has a public IP address from DHCP:

    sudo ifconfig vr0 alias 192.168.1.200/24

This kills dhclient(8) completely and removes the main address. Any other ideas?

-Kimmo

The system log /var/log/messages reveals:

    Jul 27 03:01:30 firewall dhclient[23894]: 192.168.1.200 added to vr0; exiting

Why is this done in such a bizarre fashion? It is not unusual to want to have a static alias address on an interface that is otherwise configured with DHCP.

-Kimmo

I can't test this, but from what I'm reading I think this should work in /etc/hostname.vr0:

    dhcp alias 192.168.1.200 netmask 255.255.255.0

Unfortunately that doesn't work either; ifconfig complains about invalid options. It looks like you can only add media options etc. with dhcp. I can live without the alias address; it would have been a convenient way to access the ADSL modem on the WAN side from inside the LAN network.

-Kimmo
Firewall question: is using a NIC with multiple jacks considered insecure?
Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking was that it was theoretically possible for an attacker to exploit bugs in the card's chip to short-circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit.

I swear I read this somewhere on the website, but I can't seem to find it now and I'm wondering if the concept is even still valid. The impetus here is that I'm building a router+firewall for a cramped location and it's turning out rather difficult to find a case that's small enough to fit. I'd really like to use an ITX system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure if that's a good idea, security-wise. Any thoughts?
Re: Intel Atom?
> Recommendation for a very capable router are C2750/C2758 Supermicro

So, do you think we'd *need* a board like that? The reason I ask is that they're nearly twice the price of other dual-gigE Atom boards, and the ECC SODIMMs don't help. If you're saying that an old D525 can handle our traffic needs and is well supported, I don't think springing for this board makes sense.
Re: Sluggish/laggy browser behaviour
> I can pretty much confirm this on an X220i, I have sort of come to terms with it, but it is definitely noticeable (in chromium and firefox).

X220 here. Also, when I play clips on YouTube, playback sometimes hangs for half a second. That is with a snapshot from today. To be safe, I also recompiled sndio from CVS to make sure I didn't miss the previously mentioned patch. While it does seem to have improved the situation, it's not entirely fixed.

Noticed this, too. Running with hw.perfpolicy=high solves it for me, unless there is heavy disk I/O, then it starts stuttering again. My guess is that this is due to missing SMP features/support, but I'm not entirely sure.

My guess is that disk I/O takes precedence, and CPU C-state transitions should be avoided during audio/video playback...