Harmonize make commands style

2016-05-24 Thread Mario St-Gelais 
--- guide.html  Tue May 24 19:10:11 2016
+++ guide_mine.html Tue May 24 19:13:02 2016
@@ -282,7 +282,7 @@
 
 
 All files in DISTFILES are usually processed during
-make extract.
+make extract.
 EXTRACT_ONLY may be used to limit extraction to a subset of files
 (possibly empty).
 The customary use of this variable is to customize extraction: for instance,

BL460c G1 issues

2016-05-24 Thread Steve Shockley 
I have an HP BL460c blade I'm using with OpenBSD.  I was able to get 5.8 
to install by disabling ACPI; since I'm lazy I didn't submit a bug 
report.  I tried to upgrade to 5.9 (and -current), but booting from the 
CD ends with:

wskbd0 at pckbd0: console keyboard, using wsdisplay1

This might be similar to 
http://marc.info/?l=openbsd-misc=145182865626553, but the BIOS of this 
machine doesn't give the option to disable cores/sockets.  Details with 
5.8 are below.


Crash with ACPI enabled:
booting hd0a:/bsd: 6683948/
booting hd0a:/bsd: 6683948+2138976+254984+0+598016 
[72+563184+374279]=0xa210c0

entry point at 0x1000160 [7205c766, 3404, 24448b12, 4060a304]
The Regents of the University of California.  All rights 
reserved.
Copyright (c) 1995-2015 OpenBSD. All rights reserved.  
http://www.OpenBSD.org

[ using 938176 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
OpenBSD 5.8 (GENERIC.MP) #1: Wed Mar 16 10:03:13 CET 2016

r...@stable-58-amd64.mtier.org:/binpatchng/work-binpatch58-amd64/src/sys/arch/amd64/compile/GENERIC.MP

real mem = 6423851008 (6126MB)
avail mem = 6225272832 (5936MB)
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC  BERT HEST 
SSDT

acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0panic: cpu at apic id 0 already attached?
Stopped at  Debugger+0x9:   leave
Debugger() at Debugger+0x9
panic() at panic+0xfe
cpu_attach() at cpu_attach+0x371
config_attach() at config_attach+0x1bc
acpimadt_attach() at acpimadt_attach+0x544
config_attach() at config_attach+0x1bc
acpi_attach() at acpi_attach+0x471
config_attach() at config_attach+0x1bc
bios_attach() at bios_attach+0x23b
config_attach() at config_attach+0x1bc
end trace frame: 0x81a27e60, count: 0
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS 
PANIC!
IF RUNNING SMP, USE 'mach ddbcpu <#>' AND 'trace' ON OTHER PROCESSORS, 
TOO.

DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0}>
ddb{0}> ps
   PID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
   *0 -1  0  0  7 0x10200swapper
ddb{0}>

dmesg with acpi disabled:
OpenBSD 5.8 (GENERIC.MP) #1: Wed Mar 16 10:03:13 CET 2016

r...@stable-58-amd64.mtier.org:/binpatchng/work-binpatch58-amd64/src/sys/arch/amd64/compile/GENERIC.MP

real mem = 6423851008 (6126MB)
avail mem = 6225272832 (5936MB)
User Kernel Config
UKC> disable acpi
362 acpi0 disabled
UKC> quit
Continuing...
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xee000 (73 entries)
bios0: vendor HP version "I15" date 05/02/2011
bios0: HP ProLiant BL460c G1
acpi at bios0 not configured
mpbios0 at bios0: Intel MP Specification 1.4
cpu0 at mainbus0: apid 4 (boot processor)
cpu0: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2667.14 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR

cpu0: 4MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 1
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 333MHz
cpu0: mwait min=64, max=64, C-substates=0.2, IBE
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2666.76 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR

cpu1: 4MB 64b/line 16-way L2 cache
cpu1: smt 0, core 0, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2666.76 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR

cpu2: 4MB 64b/line 16-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 2 (application processor)
cpu3: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2666.76 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR

cpu3: 4MB 64b/line 16-way L2 cache
cpu3: smt 0, core 2, package 0
cpu4 at mainbus0: apid 3 (application processor)
cpu4: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2666.76 MHz
cpu4: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR

cpu4: 4MB 64b/line 16-way L2 cache
cpu4: smt 0, core

Re: Is loss of read-only /usr permanent?

2016-05-24 Thread lists 
Tue, 24 May 2016 16:44:09 +0100 Kevin Chadwick 
> > [WARNING! Shameless self-promotion below!]
> > I have solved my need for read-only OpenBSD in a following manner:
> > https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outage
> > s/  
> 
> write your own boot seed... doh! why didn't I think of that already,
> though I'm still unsure why rc.shutdown can't happen before the seed
> write to /etc

I like that OpenBSD users (like me) post OpenBSD experiences online,
no matter how precise the technical information is, man pages exist.

Kevin, it's fine if you switch your bias in a productive discussion,
but contradicting any position without bit of wisdom, you figure it.
Also just maybe too few people want to continue reading this thread.

Re: tp-link tl-wn722n athn0: could not load firmware

2016-05-24 Thread Mihai Popescu 
Just for the record, I have tried this dongle on a different computer,
Intel based and the result is the same. I found a dmesg with this
model showing the MAC, but my model shows no MAC. Maybe this is a
different revision with a slighty different chip. No big deal.

Thanks.

Re: Is loss of read-only /usr permanent?

2016-05-24 Thread Kevin Chadwick 
> [WARNING! Shameless self-promotion below!]
> I have solved my need for read-only OpenBSD in a following manner:
> https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outage
> s/

write your own boot seed... doh! why didn't I think of that already,
though I'm still unsure why rc.shutdown can't happen before the seed
write to /etc

Cheers

-- 

KISSIS - Keep It Simple So It's Securable

Re: Flaw in ipsec.conf(5)?

2016-05-24 Thread Philipp Buehler 

Am 24.05.2016 10:53 schrieb Bruno Flueckiger:

As a result of my tests I've created the diff below for ipsec.conf(5). 
Is

this ok or did I miss something?



You missed the 'set skip on enc0' a bit up.

--
pb

synproxy state timeout

2016-05-24 Thread Kapetanakis Giannis 

Hi,

I have a couple of questions regarding the timeout of PROXY:SRC states 
in a syn-flood DOS scenario (+spoofing). My need is for quick state 
deletion of invalid connections on the firewall/router (not on the server).


I've noticed that only tcp.first is taken into account for state expiry.

   age 00:00:05, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 0

Then probably the interval timeout is being used for state to be 
completely purged from state table. How does this work because I've seen 
age reaching up to 20sec and sometimes a lot less. I cant get a certain 
clue of which timers are being used.


Also if I'm syncing states between firewalls (on the synproxy rule) then 
the entry from

pfctl -si | grep "current entries" is a lot bigger than
pfctl -ss | wc -l

In real attacks it gets up to 1.5M vs 500K

If I do no-sync then the two entries are almost the same. How pfsync 
increases the number of states? (I have set skip on $sync_if)


I'm using tcp.first 5 and interval 5. I'm also playing with adaptive 
start/end.

Any more recommendations apart from provider's help in mitigation?

best regards,

G

Re: is my dns server/ routing borked??, i could need some advice

2016-05-24 Thread lists 
> >>> For some reasons, i notice that i am not able to access some website 
> >>> in
> >>> the first 10 minutes when i have my machine turned on.
> >>
> >> If you have a broadband on premises equipment like a converter, modem,
> >> router, switch etc, you may consider replacing these, as with age some
> >> of them degrade (in capacitors, solder joints, jacks) and such devices
> >> have trouble working reliably until it warms up (or when they 
> >> overheat).
> >>
> >> To report further details to the list, please start a new empty 
> >> message.
> >
> > Well,the modem hardware is new.
> > my switches are ok, i have a local server that is up for 24/7, en even
> > that machine is loosing contact to the website.  
> 
>  So you're absolutely sure the hardware environment is fine.  There are
>  two important tactics to employ then in troubleshooting.  First one is
>  to bypass every equipment and connect the troubleshooting device direct
>  to the upstream connection.  Then ensure you have full connectivity and
>  move down the line to the point you find your issue.  You would follow
>  this with the second tactic, drop the configuration from zero and make
>  sure you have working connectivity and then start adding each piece of
>  the software set up, until you find the part that generates the issues.
>    
> > it is pure a dns isue, but what i can resolv, i rewrote the complete
> > named stuff, added even the DNS server pool from that website, heck,
> > still no result...  
> 
>  Try unbound / nsd and see if this gives you a different result.  It is
>  often just such a simple common issue, that it's hidden in plain sight.
> 
>  Once you have found it, please report to the list your process+results.  
>    
> >>>
> >>> This gonna be fun for me.
> >>> But i will do it.
> >>
> >> I know very well what you mean.  Then, if you want to cut time short,
> >> you can preemptively start looking direct into the suspected trouble
> >> zone, either hardware, equipment configuration and/or software set up.
> >>
> >> With this second approach, you can ask a direct question once you find
> >> the point of hesitation and/or concern.  Just walking the trouble path
> >> is often enough to get you out of the "unseeing" mode and find it quick.  
> > 
> > One more important thing, if you are using the ISP provided name servers
> > or name service from the broadband equipment (duh), you can bypass these
> > and use own local direct resolving recursive name server on your gateway.
> 
> but i looked this morning in my modem, i readed somewhere the thing
> should get new firmware, and surpricingly it had a option in the dns
> section where i can add 8 more dns servers.

If you want to resolve it (pun intended), try not putting more name
servers after the one with the issues, but ONE only without issues.

This means instead of the other name servers, put a local recursive
resolving name server, e.g. unbound(8) facing your internal clients:

unbound - Unbound DNS validating resolver
[http://man.openbsd.org/unbound]

Don't forget to edit your /var/unbound/etc/unbound.conf file as per:

unbound.conf - Unbound configuration file
[http://man.openbsd.org/unbound.conf]

Also, make sure your DHCP server provides the local internal listening
IP address of the local unbound(8) name server to your local clients.

If in doubt, disable all name servers and DHCP options in your modem
and simply use unbound(8) and dhcpd(8) on your local OpenBSD gateway

dhcpd - Dynamic Host Configuration Protocol (DHCP) server
[http://man.openbsd.org/dhcpd]

dhcpd.conf - DHCP server configuration file
[http://man.openbsd.org/dhcpd.conf]

Flaw in ipsec.conf(5)?

2016-05-24 Thread Bruno Flueckiger 
Hi,

I've tested IPsec connections in my lab. The setup looks like this:

[cli] <-- vlan10 --> [gw1] <> [inet] <> [gw2] <-- vlan20 --> [srv]
  IPsec=

During the testing I think I've found a flaw in ipsec.conf(5). According
to the man page the esp packets need to be passed on interface sk0:

block on sk0
block on enc0
 
pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
port {500, 4500}
pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
port {500, 4500}
 
pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
 
My test setup didn't allow communication between [cli] and [srv]. Checking
the reason on [gw1] using tcpdump -nettti pflog0 shows that esp packets
are blocked by pf on enc0. So I included the interface enc0 in the pass
rules for esp packets. After this the connections work as expected.

As a result of my tests I've created the diff below for ipsec.conf(5). Is
this ok or did I miss something?

Cheers,
Bruno

Index: sbin/ipsecctl/ipsec.conf.5
===
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.151
diff -u -p -r1.151 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5  9 Dec 2015 21:41:50 -   1.151
+++ sbin/ipsecctl/ipsec.conf.5  24 May 2016 08:24:49 -
@@ -513,8 +513,8 @@ pass  in on sk0 proto udp from 192.168.3
 pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e
port {500, 4500}
 
-pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
-pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
+pass  in on {sk0 enc0} proto esp from 192.168.3.2 to 192.168.3.1
+pass out on {sk0 enc0} proto esp from 192.168.3.1 to 192.168.3.2
 
 pass  in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
keep state (if-bound)

Re: is my dns server/ routing borked??, i could need some advice

2016-05-24 Thread Ton Muller 
On 23-5-2016 8:45, li...@wrant.com wrote:
>>> For some reasons, i notice that i am not able to access some website in
>>> the first 10 minutes when i have my machine turned on.  
>>
>> If you have a broadband on premises equipment like a converter, modem,
>> router, switch etc, you may consider replacing these, as with age some
>> of them degrade (in capacitors, solder joints, jacks) and such devices
>> have trouble working reliably until it warms up (or when they overheat).
>>
>> To report further details to the list, please start a new empty message. 
>>  
>
> Well,the modem hardware is new.
> my switches are ok, i have a local server that is up for 24/7, en even
> that machine is loosing contact to the website.

 So you're absolutely sure the hardware environment is fine.  There are
 two important tactics to employ then in troubleshooting.  First one is
 to bypass every equipment and connect the troubleshooting device direct
 to the upstream connection.  Then ensure you have full connectivity and
 move down the line to the point you find your issue.  You would follow
 this with the second tactic, drop the configuration from zero and make
 sure you have working connectivity and then start adding each piece of
 the software set up, until you find the part that generates the issues.
 
> it is pure a dns isue, but what i can resolv, i rewrote the complete
> named stuff, added even the DNS server pool from that website, heck,
> still no result...

 Try unbound / nsd and see if this gives you a different result.  It is
 often just such a simple common issue, that it's hidden in plain sight.

 Once you have found it, please report to the list your process+results.  
>>>
>>> This gonna be fun for me.
>>> But i will do it.  
>>
>> I know very well what you mean.  Then, if you want to cut time short,
>> you can preemptively start looking direct into the suspected trouble
>> zone, either hardware, equipment configuration and/or software set up.
>>
>> With this second approach, you can ask a direct question once you find
>> the point of hesitation and/or concern.  Just walking the trouble path
>> is often enough to get you out of the "unseeing" mode and find it quick.
> 
> One more important thing, if you are using the ISP provided name servers
> or name service from the broadband equipment (duh), you can bypass these
> and use own local direct resolving recursive name server on your gateway.
> 


as say's.
took again a look at my config's

And made these changes.

dhcpd.conf.
Added 2nd nameserver
option  domain-name-servers 192.168.0.240, 192.168.1.240;
was
option  domain-name-servers 192.168.0.240;
dont ask me why, but this did the trick for most websited.


resolv.conf
WAS
## resolv.conf ##
 # Generated by re0 dhclient
search xs4non.nl
nameserver 192.168.0.240
nameserver 192.168.1.240
nameserver 8.8.8.8
nameserver 8.8.4.4
lookup file bind

is now.
# Generated by re0 dhclient
domain xs4non.nl
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4

fixed most of the rest of borked websites,
 ex 1.
that still gives some ping isues.

but i looked this morning in my modem, i readed somewhere the thing
should get new firmware, and surpricingly it had a option in the dns
section where i can add 8 more dns servers.
so i added there als the google dns (unless some1 has beter adresses)

now its, waiting time

and i revamped named.conf
personaly i think i have a isue in it.
but,. i am still doing the error tree search..

Tony.