Harmonize make commands style
--- guide.html Tue May 24 19:10:11 2016 +++ guide_mine.html Tue May 24 19:13:02 2016 @@ -282,7 +282,7 @@ All files in DISTFILES are usually processed during -make extract. +make extract. EXTRACT_ONLY may be used to limit extraction to a subset of files (possibly empty). The customary use of this variable is to customize extraction: for instance,
BL460c G1 issues
I have an HP BL460c blade I'm using with OpenBSD. I was able to get 5.8 to install by disabling ACPI; since I'm lazy I didn't submit a bug report. I tried to upgrade to 5.9 (and -current), but booting from the CD ends with: wskbd0 at pckbd0: console keyboard, using wsdisplay1 This might be similar to http://marc.info/?l=openbsd-misc=145182865626553, but the BIOS of this machine doesn't give the option to disable cores/sockets. Details with 5.8 are below. Crash with ACPI enabled: booting hd0a:/bsd: 6683948/ booting hd0a:/bsd: 6683948+2138976+254984+0+598016 [72+563184+374279]=0xa210c0 entry point at 0x1000160 [7205c766, 3404, 24448b12, 4060a304] The Regents of the University of California. All rights reserved. Copyright (c) 1995-2015 OpenBSD. All rights reserved. http://www.OpenBSD.org [ using 938176 bytes of bsd ELF symbol table ] Copyright (c) 1982, 1986, 1989, 1991, 1993 OpenBSD 5.8 (GENERIC.MP) #1: Wed Mar 16 10:03:13 CET 2016 r...@stable-58-amd64.mtier.org:/binpatchng/work-binpatch58-amd64/src/sys/arch/amd64/compile/GENERIC.MP real mem = 6423851008 (6126MB) avail mem = 6225272832 (5936MB) acpi0 at bios0: rev 2 acpi0: sleep states S0 S4 S5 acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC BERT HEST SSDT acpi0: wakeup devices PCI0(S5) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318179 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0panic: cpu at apic id 0 already attached? Stopped at Debugger+0x9: leave Debugger() at Debugger+0x9 panic() at panic+0xfe cpu_attach() at cpu_attach+0x371 config_attach() at config_attach+0x1bc acpimadt_attach() at acpimadt_attach+0x544 config_attach() at config_attach+0x1bc acpi_attach() at acpi_attach+0x471 config_attach() at config_attach+0x1bc bios_attach() at bios_attach+0x23b config_attach() at config_attach+0x1bc end trace frame: 0x81a27e60, count: 0 RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC! IF RUNNING SMP, USE 'mach ddbcpu <#>' AND 'trace' ON OTHER PROCESSORS, TOO. DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION! ddb{0}> ddb{0}> ps PID PPID PGRPUID S FLAGS WAIT COMMAND *0 -1 0 0 7 0x10200swapper ddb{0}> dmesg with acpi disabled: OpenBSD 5.8 (GENERIC.MP) #1: Wed Mar 16 10:03:13 CET 2016 r...@stable-58-amd64.mtier.org:/binpatchng/work-binpatch58-amd64/src/sys/arch/amd64/compile/GENERIC.MP real mem = 6423851008 (6126MB) avail mem = 6225272832 (5936MB) User Kernel Config UKC> disable acpi 362 acpi0 disabled UKC> quit Continuing... mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xee000 (73 entries) bios0: vendor HP version "I15" date 05/02/2011 bios0: HP ProLiant BL460c G1 acpi at bios0 not configured mpbios0 at bios0: Intel MP Specification 1.4 cpu0 at mainbus0: apid 4 (boot processor) cpu0: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2667.14 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR cpu0: 4MB 64b/line 16-way L2 cache cpu0: smt 0, core 0, package 1 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 333MHz cpu0: mwait min=64, max=64, C-substates=0.2, IBE cpu1 at mainbus0: apid 0 (application processor) cpu1: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2666.76 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR cpu1: 4MB 64b/line 16-way L2 cache cpu1: smt 0, core 0, package 0 cpu2 at mainbus0: apid 1 (application processor) cpu2: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2666.76 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR cpu2: 4MB 64b/line 16-way L2 cache cpu2: smt 0, core 1, package 0 cpu3 at mainbus0: apid 2 (application processor) cpu3: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2666.76 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR cpu3: 4MB 64b/line 16-way L2 cache cpu3: smt 0, core 2, package 0 cpu4 at mainbus0: apid 3 (application processor) cpu4: Intel(R) Xeon(R) CPU X5355 @ 2.66GHz, 2666.76 MHz cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,LONG,LAHF,PERF,SENSOR cpu4: 4MB 64b/line 16-way L2 cache cpu4: smt 0, core
Re: Is loss of read-only /usr permanent?
Tue, 24 May 2016 16:44:09 +0100 Kevin Chadwick> > [WARNING! Shameless self-promotion below!] > > I have solved my need for read-only OpenBSD in a following manner: > > https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outage > > s/ > > write your own boot seed... doh! why didn't I think of that already, > though I'm still unsure why rc.shutdown can't happen before the seed > write to /etc I like that OpenBSD users (like me) post OpenBSD experiences online, no matter how precise the technical information is, man pages exist. Kevin, it's fine if you switch your bias in a productive discussion, but contradicting any position without bit of wisdom, you figure it. Also just maybe too few people want to continue reading this thread.
Re: tp-link tl-wn722n athn0: could not load firmware
Just for the record, I have tried this dongle on a different computer, Intel based and the result is the same. I found a dmesg with this model showing the MAC, but my model shows no MAC. Maybe this is a different revision with a slighty different chip. No big deal. Thanks.
Re: Is loss of read-only /usr permanent?
> [WARNING! Shameless self-promotion below!] > I have solved my need for read-only OpenBSD in a following manner: > https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outage > s/ write your own boot seed... doh! why didn't I think of that already, though I'm still unsure why rc.shutdown can't happen before the seed write to /etc Cheers -- KISSIS - Keep It Simple So It's Securable
Re: Flaw in ipsec.conf(5)?
Am 24.05.2016 10:53 schrieb Bruno Flueckiger: As a result of my tests I've created the diff below for ipsec.conf(5). Is this ok or did I miss something? You missed the 'set skip on enc0' a bit up. -- pb
synproxy state timeout
Hi, I have a couple of questions regarding the timeout of PROXY:SRC states in a syn-flood DOS scenario (+spoofing). My need is for quick state deletion of invalid connections on the firewall/router (not on the server). I've noticed that only tcp.first is taken into account for state expiry. age 00:00:05, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 0 Then probably the interval timeout is being used for state to be completely purged from state table. How does this work because I've seen age reaching up to 20sec and sometimes a lot less. I cant get a certain clue of which timers are being used. Also if I'm syncing states between firewalls (on the synproxy rule) then the entry from pfctl -si | grep "current entries" is a lot bigger than pfctl -ss | wc -l In real attacks it gets up to 1.5M vs 500K If I do no-sync then the two entries are almost the same. How pfsync increases the number of states? (I have set skip on $sync_if) I'm using tcp.first 5 and interval 5. I'm also playing with adaptive start/end. Any more recommendations apart from provider's help in mitigation? best regards, G
Re: is my dns server/ routing borked??, i could need some advice
> >>> For some reasons, i notice that i am not able to access some website > >>> in > >>> the first 10 minutes when i have my machine turned on. > >> > >> If you have a broadband on premises equipment like a converter, modem, > >> router, switch etc, you may consider replacing these, as with age some > >> of them degrade (in capacitors, solder joints, jacks) and such devices > >> have trouble working reliably until it warms up (or when they > >> overheat). > >> > >> To report further details to the list, please start a new empty > >> message. > > > > Well,the modem hardware is new. > > my switches are ok, i have a local server that is up for 24/7, en even > > that machine is loosing contact to the website. > > So you're absolutely sure the hardware environment is fine. There are > two important tactics to employ then in troubleshooting. First one is > to bypass every equipment and connect the troubleshooting device direct > to the upstream connection. Then ensure you have full connectivity and > move down the line to the point you find your issue. You would follow > this with the second tactic, drop the configuration from zero and make > sure you have working connectivity and then start adding each piece of > the software set up, until you find the part that generates the issues. > > > it is pure a dns isue, but what i can resolv, i rewrote the complete > > named stuff, added even the DNS server pool from that website, heck, > > still no result... > > Try unbound / nsd and see if this gives you a different result. It is > often just such a simple common issue, that it's hidden in plain sight. > > Once you have found it, please report to the list your process+results. > > >>> > >>> This gonna be fun for me. > >>> But i will do it. > >> > >> I know very well what you mean. Then, if you want to cut time short, > >> you can preemptively start looking direct into the suspected trouble > >> zone, either hardware, equipment configuration and/or software set up. > >> > >> With this second approach, you can ask a direct question once you find > >> the point of hesitation and/or concern. Just walking the trouble path > >> is often enough to get you out of the "unseeing" mode and find it quick. > > > > One more important thing, if you are using the ISP provided name servers > > or name service from the broadband equipment (duh), you can bypass these > > and use own local direct resolving recursive name server on your gateway. > > but i looked this morning in my modem, i readed somewhere the thing > should get new firmware, and surpricingly it had a option in the dns > section where i can add 8 more dns servers. If you want to resolve it (pun intended), try not putting more name servers after the one with the issues, but ONE only without issues. This means instead of the other name servers, put a local recursive resolving name server, e.g. unbound(8) facing your internal clients: unbound - Unbound DNS validating resolver [http://man.openbsd.org/unbound] Don't forget to edit your /var/unbound/etc/unbound.conf file as per: unbound.conf - Unbound configuration file [http://man.openbsd.org/unbound.conf] Also, make sure your DHCP server provides the local internal listening IP address of the local unbound(8) name server to your local clients. If in doubt, disable all name servers and DHCP options in your modem and simply use unbound(8) and dhcpd(8) on your local OpenBSD gateway dhcpd - Dynamic Host Configuration Protocol (DHCP) server [http://man.openbsd.org/dhcpd] dhcpd.conf - DHCP server configuration file [http://man.openbsd.org/dhcpd.conf]
Flaw in ipsec.conf(5)?
Hi, I've tested IPsec connections in my lab. The setup looks like this: [cli] <-- vlan10 --> [gw1] <> [inet] <> [gw2] <-- vlan20 --> [srv] IPsec= During the testing I think I've found a flaw in ipsec.conf(5). According to the man page the esp packets need to be passed on interface sk0: block on sk0 block on enc0 pass in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \ port {500, 4500} pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \ port {500, 4500} pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1 pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2 My test setup didn't allow communication between [cli] and [srv]. Checking the reason on [gw1] using tcpdump -nettti pflog0 shows that esp packets are blocked by pf on enc0. So I included the interface enc0 in the pass rules for esp packets. After this the connections work as expected. As a result of my tests I've created the diff below for ipsec.conf(5). Is this ok or did I miss something? Cheers, Bruno Index: sbin/ipsecctl/ipsec.conf.5 === RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v retrieving revision 1.151 diff -u -p -r1.151 ipsec.conf.5 --- sbin/ipsecctl/ipsec.conf.5 9 Dec 2015 21:41:50 - 1.151 +++ sbin/ipsecctl/ipsec.conf.5 24 May 2016 08:24:49 - @@ -513,8 +513,8 @@ pass in on sk0 proto udp from 192.168.3 pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e port {500, 4500} -pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1 -pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2 +pass in on {sk0 enc0} proto esp from 192.168.3.2 to 192.168.3.1 +pass out on {sk0 enc0} proto esp from 192.168.3.1 to 192.168.3.2 pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e keep state (if-bound)
Re: is my dns server/ routing borked??, i could need some advice
On 23-5-2016 8:45, li...@wrant.com wrote: >>> For some reasons, i notice that i am not able to access some website in >>> the first 10 minutes when i have my machine turned on. >> >> If you have a broadband on premises equipment like a converter, modem, >> router, switch etc, you may consider replacing these, as with age some >> of them degrade (in capacitors, solder joints, jacks) and such devices >> have trouble working reliably until it warms up (or when they overheat). >> >> To report further details to the list, please start a new empty message. >> > > Well,the modem hardware is new. > my switches are ok, i have a local server that is up for 24/7, en even > that machine is loosing contact to the website. So you're absolutely sure the hardware environment is fine. There are two important tactics to employ then in troubleshooting. First one is to bypass every equipment and connect the troubleshooting device direct to the upstream connection. Then ensure you have full connectivity and move down the line to the point you find your issue. You would follow this with the second tactic, drop the configuration from zero and make sure you have working connectivity and then start adding each piece of the software set up, until you find the part that generates the issues. > it is pure a dns isue, but what i can resolv, i rewrote the complete > named stuff, added even the DNS server pool from that website, heck, > still no result... Try unbound / nsd and see if this gives you a different result. It is often just such a simple common issue, that it's hidden in plain sight. Once you have found it, please report to the list your process+results. >>> >>> This gonna be fun for me. >>> But i will do it. >> >> I know very well what you mean. Then, if you want to cut time short, >> you can preemptively start looking direct into the suspected trouble >> zone, either hardware, equipment configuration and/or software set up. >> >> With this second approach, you can ask a direct question once you find >> the point of hesitation and/or concern. Just walking the trouble path >> is often enough to get you out of the "unseeing" mode and find it quick. > > One more important thing, if you are using the ISP provided name servers > or name service from the broadband equipment (duh), you can bypass these > and use own local direct resolving recursive name server on your gateway. > as say's. took again a look at my config's And made these changes. dhcpd.conf. Added 2nd nameserver option domain-name-servers 192.168.0.240, 192.168.1.240; was option domain-name-servers 192.168.0.240; dont ask me why, but this did the trick for most websited. resolv.conf WAS ## resolv.conf ## # Generated by re0 dhclient search xs4non.nl nameserver 192.168.0.240 nameserver 192.168.1.240 nameserver 8.8.8.8 nameserver 8.8.4.4 lookup file bind is now. # Generated by re0 dhclient domain xs4non.nl nameserver 127.0.0.1 nameserver 8.8.8.8 nameserver 8.8.4.4 fixed most of the rest of borked websites, ex 1. that still gives some ping isues. but i looked this morning in my modem, i readed somewhere the thing should get new firmware, and surpricingly it had a option in the dns section where i can add 8 more dns servers. so i added there als the google dns (unless some1 has beter adresses) now its, waiting time and i revamped named.conf personaly i think i have a isue in it. but,. i am still doing the error tree search.. Tony.