Re: Laptop Recommendations?

2016-11-09 Thread Alex McWhirter
I'm not sure if anything new is a good choice, particularly because of a lack 
of current GPU / WiFi drivers. I usually pick up something about a year or two 
old on refurb \ second hand market. Dell's business line (latitude / precision) 
have treated me well in the past. Just stick with Intel or and graphics.

On Nov 10, 2016 12:47 AM, Nathan Koch  wrote:
>
> Greetings Fair BSD Wizards, 
> I am new to the lists. I am currently shopping for a new Xmas present for 
> myself and am looking for a laptop that's portable and lightweight. 
> Preferably fast, cheap (close to free),  light, and secure. If you have any 
> recommendations before the stormy winter hits the prairies please let me 
> know. 
>
> Thank you. 
> Nate 
>
>  
> Sailing the South Saskatchewan. 



Re: usage of pf overload table option inside anchors

2016-11-09 Thread Jan Kalkus
> On Nov 9, 2016, at 10:37 PM, Jan Kalkus  wrote:
>
>> Hi,
>>
>> How does one use the overload state option inside an anchor?
>>
>> I'm running -current (7th November snapshot) 64bit, sample pf
>> configurations follow with two different configuration attempts.
>> Both print the following warning:
>>
>> pfctl: warning: namespace collision with  global table.
>>
>>
>> sample pf configurations below:
>>
>> table 
>> icmp_types = "{ echoreq, unreach }"
>> ext_if=""
>> int_if="{ em1 em2 em3 }"
>> int_networks="{ em1:network, em2:network, em3:network }"
>> v6broker=""
>> v6resolver=""
>> mediacenter=""
>> set skip on lo
>> set loginterface egress
>> block drop in all
>> antispoof quick for (egress)
>>
>> match proto { udp tcp } to port { domain ntp } set prio 6
>> match proto tcp to port ssh set prio 6
>> match in all scrub (no-df max-mss 1440)
>> anchor "inet" on $ext_if {
>>     block quick from 
>>     block all
>>     pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
>>     pass inet proto icmp all icmp-type $icmp_types tag GOOD
>>     pass in inet proto {tcp,udp} from any to any port 4 rdr-to $mediacenter tag GOOD
>>     pass in inet proto tcp from any to any port {80,443} tag GOOD
>>     pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload  flush global ) tag GOOD
>>     pass out from (self) to any tag GOOD
>>     pass out inet from $int_networks to any nat-to (egress) tag GOOD
>>     match out inet from $int_networks to any nat-to (egress) tag GOOD
>>     pass out inet6 from em2:network to any tag GOOD
>>     pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
>>     block quick inet ! tagged GOOD
>> }
>>
>> # > pfctl -f /etc/pf.conf
>> pfctl: warning: namespace collision with  global table.
>>
>>
>>
>>
>> table 
>> icmp_types = "{ echoreq, unreach }"
>> ext_if=""
>> int_if="{ em1 em2 em3 }"
>> int_networks="{ em1:network, em2:network, em3:network }"
>> v6broker=""
>> v6resolver=""
>> mediacenter=""
>> set skip on lo
>> set loginterface egress
>> block drop in all
>> antispoof quick for (egress)
>>
>> match proto { udp tcp } to port { domain ntp } set prio 6
>> match proto tcp to port ssh set prio 6
>> match in all scrub (no-df max-mss 1440)
>> anchor "inet" on $ext_if {
>>     block quick from 
>>     block all
>>     pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
>>     pass inet proto icmp all icmp-type $icmp_types tag GOOD
>>     pass in inet proto {tcp,udp} from any to any port 4 rdr-to $mediacenter tag GOOD
>>     pass in inet proto tcp from any to any port {80,443} tag GOOD
>>     pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload  flush global ) tag GOOD
>>     pass out from (self) to any tag GOOD
>>     pass out inet from $int_networks to any nat-to (egress) tag GOOD
>>     match out inet from $int_networks to any nat-to (egress) tag GOOD
>>     pass out inet6 from em2:network to any tag GOOD
>>     pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
>>     block quick inet ! tagged GOOD
>> }
>>
>> # > pfctl -f /etc/pf.conf
>> pfctl: warning: namespace collision with  global table.
>>
>>
>> Thank you for your help,
>> Pedro Caetano
>>
>
> Hi Pedro,
>
> In my experience, you only need the `global' table from main pf.conf.
>
> Subsequent anchors can reference `global' tables (tables that have been
> defined in pf.conf), but not the other way around.
>
> - Jan

Apologies, I misinterpreted your configurations.

I would first compare the outputs of the following two commands:

    pfctl -s Tables
    pfctl -a inet -s Tables

to make sure there are no overlapping tables between the two.

I have also had trouble with table collisions when accidentally creating a
table with an identical name inside an anchor. I usually clear out the
duplicate table from that anchor with a reboot.

- Jan
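The comparison Jan suggests, as an added example (not from the thread): a small sh snippet that takes the two listings and prints every table name present in both, which is exactly the overlap behind the collision warning. The listings below are constructed stand-ins for real `pfctl` output so the snippet runs offline; `live_table_collisions` runs the same check against the running pf.

```sh
#!/bin/sh
# Added example: find table names that exist both in the main ruleset and
# inside an anchor. Such overlaps are what the "namespace collision" warning
# is about. Constructed sample listings stand in for real pfctl output so
# the snippet runs offline; on an OpenBSD host use live_table_collisions.

# Constructed stand-in for `pfctl -s Tables` (one table name per line).
MAIN_TABLES="bruteforce
martians
mediacenter"

# Constructed stand-in for `pfctl -a inet -s Tables`.
ANCHOR_TABLES="blocked
bruteforce"

# Print the names present in both listings, one per line (empty if none).
# $1: main-ruleset listing, $2: anchor listing.
table_collisions() {
    # Each listing is deduplicated (and stripped of blank lines) first, so a
    # name that survives `uniq -d` on the combined stream must have come
    # from both listings.
    {
        printf '%s\n' "$1" | sort -u | sed '/^$/d'
        printf '%s\n' "$2" | sort -u | sed '/^$/d'
    } | sort | uniq -d
}

# Same check against the running pf, for anchor "$1" (needs root on OpenBSD).
live_table_collisions() {
    table_collisions "$(pfctl -s Tables)" "$(pfctl -a "$1" -s Tables)"
}

table_collisions "$MAIN_TABLES" "$ANCHOR_TABLES"   # prints: bruteforce
```

On a live system a duplicate table found this way can also be removed in place with `pfctl -a inet -t NAME -T kill` instead of a reboot.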



Laptop Recommendations?

2016-11-09 Thread Nathan Koch
Greetings Fair BSD Wizards,
I am new to the lists. I am currently shopping for a new Xmas present for 
myself and am looking for a laptop that's portable and lightweight. Preferably 
fast, cheap (close to free),  light, and secure. If you have any 
recommendations before the stormy winter hits the prairies please let me know.

Thank you.
Nate


Sailing the South Saskatchewan. 



Re: usage of pf overload table option inside anchors

2016-11-09 Thread Jan Kalkus
> Hi,
>
> How does one use the overload state option inside an anchor?
>
> I'm running -current (7th November snapshot) 64bit, sample pf
> configurations follow with two different configuration attempts.
> Both print the following warning:
>
> pfctl: warning: namespace collision with  global table.
>
>
> sample pf configurations below:
>
> table 
> icmp_types = "{ echoreq, unreach }"
> ext_if=""
> int_if="{ em1 em2 em3 }"
> int_networks="{ em1:network, em2:network, em3:network }"
> v6broker=""
> v6resolver=""
> mediacenter=""
> set skip on lo
> set loginterface egress
> block drop in all
> antispoof quick for (egress)
>
> match proto { udp tcp } to port { domain ntp } set prio 6
> match proto tcp to port ssh set prio 6
> match in all scrub (no-df max-mss 1440)
> anchor "inet" on $ext_if {
>     block quick from 
>     block all
>     pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
>     pass inet proto icmp all icmp-type $icmp_types tag GOOD
>     pass in inet proto {tcp,udp} from any to any port 4 rdr-to $mediacenter tag GOOD
>     pass in inet proto tcp from any to any port {80,443} tag GOOD
>     pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload  flush global ) tag GOOD
>     pass out from (self) to any tag GOOD
>     pass out inet from $int_networks to any nat-to (egress) tag GOOD
>     match out inet from $int_networks to any nat-to (egress) tag GOOD
>     pass out inet6 from em2:network to any tag GOOD
>     pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
>     block quick inet ! tagged GOOD
> }
>
> # > pfctl -f /etc/pf.conf
> pfctl: warning: namespace collision with  global table.
>
>
>
>
> table 
> icmp_types = "{ echoreq, unreach }"
> ext_if=""
> int_if="{ em1 em2 em3 }"
> int_networks="{ em1:network, em2:network, em3:network }"
> v6broker=""
> v6resolver=""
> mediacenter=""
> set skip on lo
> set loginterface egress
> block drop in all
> antispoof quick for (egress)
>
> match proto { udp tcp } to port { domain ntp } set prio 6
> match proto tcp to port ssh set prio 6
> match in all scrub (no-df max-mss 1440)
> anchor "inet" on $ext_if {
>     block quick from 
>     block all
>     pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
>     pass inet proto icmp all icmp-type $icmp_types tag GOOD
>     pass in inet proto {tcp,udp} from any to any port 4 rdr-to $mediacenter tag GOOD
>     pass in inet proto tcp from any to any port {80,443} tag GOOD
>     pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload  flush global ) tag GOOD
>     pass out from (self) to any tag GOOD
>     pass out inet from $int_networks to any nat-to (egress) tag GOOD
>     match out inet from $int_networks to any nat-to (egress) tag GOOD
>     pass out inet6 from em2:network to any tag GOOD
>     pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
>     block quick inet ! tagged GOOD
> }
>
> # > pfctl -f /etc/pf.conf
> pfctl: warning: namespace collision with  global table.
>
>
> Thank you for your help,
> Pedro Caetano
>

Hi Pedro,

In my experience, you only need the “global” table from main pf.conf.

Subsequent anchors can reference “global” tables (tables that have been
defined in pf.conf), but not the other way around.

- Jan



Re: Dell R930 server

2016-11-09 Thread Theo de Raadt
>What about my questions ?

the work can be done by someone with technical skills who has the
hardware and the need to do it.



Re: Dell R930 server

2016-11-09 Thread Luis Coronado
the only question I see is the question about the questions.

-l

On Wed, Nov 9, 2016 at 4:42 PM, Friedrich Locke  wrote:

> What about my questions ?
>
> Thanks.



Dell R930 server

2016-11-09 Thread Friedrich Locke
What about my questions ?

Thanks.



using httpd's pattern support?

2016-11-09 Thread Michael W. Lucas
Hi,

I'm writing a book on OpenBSD's web stack.

If you're using httpd's Lua pattern support ('location match' or
'server match'), I'd be interested in hearing what you're using it
for. I'm collecting use cases.

If you can share snippets of httpd.conf, that would be VERY helpful.

Please reply off-list. I've set the reply-to, but no idea if that will
survive the mailing list.

Thanks,
==ml


-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/



Re: Dell R930 server

2016-11-09 Thread Ax0n
"Nobody in their right mind would use OpenBSD for that."

That's how literally all of the projects I've used OpenBSD for have started.

On Nov 9, 2016 2:39 AM, "Martin Schröder"  wrote:

> 2016-11-09 9:06 GMT+01:00 ludovic coues :
> > I would say big data.
> >
> > Stackexchange have a pair of SQL Server, with 384Go of memory for
> > stackoverflow and 768 for everything else, a Redis server with 256, a
> > server for elasticsearch with 192 and same quantity for an HAProxy
> > server.
>
> None of this is the domain of OpenBSD and nobody in his right mind
> wants to run Stackexchange on OpenBSD.
>
> Or are you suggesting that SAP should port HANA to OpenBSD?
>
> Best
>Martin



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
On Wed, Nov 09, 2016 at 06:13:47PM +0100, Walter Alejandro Iglesias wrote:
> Taking into account /etc/rc.d/dkimproxy_out flags:
> 
> daemon_flags="--conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy 
> --group=_dkimproxy"
> 
> These files should be owned by _dkimproxy user and group.
> 

It worked!


Big thanks trondd!  (Next time I promise to read the logs more carefully)



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
On Wed, Nov 09, 2016 at 11:57:18AM -0500, trondd wrote:
> Should also be in the maillog.

Hey, I think I found the problem:

Nov  9 10:37:12 server dkimproxy.out[38514]: signing error: Error: cannot read 
/var/dkimproxy/default.private: Permission denied


The permissions are:

# ls -l /var/dkimproxy/
total 8
-rw---  1 root  wheel  887 Nov  9 10:50 default.private
-rw---  1 root  wheel  313 Nov  9 10:50 default.txt


Taking into account /etc/rc.d/dkimproxy_out flags:

daemon_flags="--conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy 
--group=_dkimproxy"

These files should be owned by _dkimproxy user and group.
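A check for the ownership problem above, as an added example (not from the thread): given one `ls -l` line plus the daemon user and group from the rc.d flags, it reports whether `_dkimproxy` can read the key and whether the private key is exposed to every local user. The `ls -l` lines are constructed (the listing in the thread lost part of its mode string).

```sh
#!/bin/sh
# Added example: can the dkimproxy_out daemon (run as --user=_dkimproxy
# --group=_dkimproxy per /etc/rc.d/dkimproxy_out) read the signing key, and
# is the key kept away from everyone else? The ls -l lines are constructed.

DAEMON_USER=_dkimproxy
DAEMON_GROUP=_dkimproxy

# The situation from the thread: key generated as root, mode 0600.
BEFORE='-rw-------  1 root        wheel        887 Nov  9 10:50 default.private'
# After: chown _dkimproxy:_dkimproxy /var/dkimproxy/default.private
AFTER='-rw-------  1 _dkimproxy  _dkimproxy   887 Nov  9 10:50 default.private'
# A tempting but bad "fix": chmod 644 leaves the private key world-readable.
WORLD='-rw-r--r--  1 root        wheel        887 Nov  9 10:50 default.private'

# $1: one `ls -l` line, $2: daemon user, $3: daemon group.
# Prints one of: ok, unreadable, world-readable.
# Only the file's owner, primary group and mode bits are considered;
# supplementary group membership of the daemon user is not checked.
keyfile_status() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    owner=$(printf '%s\n' "$1" | awk '{ print $3 }')
    group=$(printf '%s\n' "$1" | awk '{ print $4 }')
    # Mode string layout is -rwxrwxrwx: owner read is char 2,
    # group read char 5, other read char 8.
    u_r=$(printf '%s' "$mode" | cut -c2)
    g_r=$(printf '%s' "$mode" | cut -c5)
    o_r=$(printf '%s' "$mode" | cut -c8)
    if [ "$o_r" = r ]; then
        # A private signing key readable by every local user defeats the
        # point of DKIM even though the daemon could read it.
        echo world-readable
    elif [ "$owner" = "$2" ] && [ "$u_r" = r ]; then
        echo ok
    elif [ "$group" = "$3" ] && [ "$g_r" = r ]; then
        echo ok
    else
        echo unreadable
    fi
}

# Live use on the mail host:
#   keyfile_status "$(ls -l /var/dkimproxy/default.private)" _dkimproxy _dkimproxy
keyfile_status "$BEFORE" "$DAEMON_USER" "$DAEMON_GROUP"   # unreadable
keyfile_status "$AFTER"  "$DAEMON_USER" "$DAEMON_GROUP"   # ok
keyfile_status "$WORLD"  "$DAEMON_USER" "$DAEMON_GROUP"   # world-readable
```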



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
trondd,

Your response was also useful to me in another more important way.

I took a look at the headers of your message and I observe Gmail says
your DKIM is correct:

Authentication-Results: mx.google.com;
dkim=pass header.i=@kagu-tsuchi.com;

However, I had to rescue your message from my gmail SPAM folder!

So, I wonder if all these efforts are in vain. :-)

(I'm starting to think spammers are sponsored by them)



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread trondd
On Wed, November 9, 2016 11:39 am, Walter Alejandro Iglesias wrote:
> On Wed, Nov 09, 2016 at 09:27:58AM -0500, trondd wrote:
>> On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
>> > Hi everyone,
>> >
>> > First of all, is dkimproxy a work in progress?
>> >
>> > If it's not, then the long one.  I've tried something similar to
>> > the example in smtpd.conf(5).  Outgoing messages don't get signed.
>> >
>> >
>> > # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
>> >
>> > /etc/dkimproxy_out.conf
>> > ---
>> > listen    127.0.0.1:10027
>> > relay     127.0.0.1:10028
>> > domain    mydomain.com
>> > signature dkim(c=relaxed)
>> > signature domainkeys(c=nofws)
>> > keyfile   /var/dkimproxy/default.private
>> > selector  default
>> >
>> >
>> > /etc/mail/smtpd.conf
>> > ---
>> > egress_int="em0"
>> > server="server.mydomain.com"
>> > ca $server certificate "/etc/ssl/acme/chain.pem"
>> >
>> > table aliases file:/etc/mail/aliases
>> > table valiases file:/etc/mail/valiases
>> > table vdomains file:/etc/mail/vdomains
>> > table addresses file:/etc/mail/addresses
>> > table users file:/etc/mail/users
>> >
>> > pki $server certificate "/etc/ssl/acme/cert.pem"
>> > pki $server key "/etc/ssl/acme/private/privkey.pem"
>> >
>> > listen on lo0
>> > listen on lo0 port 10028 tag DKIM
>> > listen on $egress_int port 25 tls pki $server
>> > listen on $egress_int port 465 smtps pki $server auth senders 
>> > masquerade
>> >
>> > accept from any for domain  virtual  deliver to mbox
>> > accept for local alias  deliver to mbox
>> > accept tagged DKIM for any relay
>> > accept from local sender  for any relay via
>> > smtp://127.0.0.1:10027
>> >
>> >
>> > Do I need to do something else?  (running current)
>> >
>> >
>> >Walter
>> >
>>
>> Did you add the public key part to DNS for your domain?  What's going on
>> in maillog?
>
> I forgot to mention that, yes, I added the DNS record and checked its
> validity using this site:
>
> http://dkimcore.org/tools/keycheck.html
>
> That tells me it's ok.  Then I've been sending to this testing address:
>
> check-a...@verifier.port25.com
>
> where I'm told (in a reply to my same address) the message isn't signed.
>
> /var/log/maillog just shows the message as correctly delivered:
>
> Nov  9 14:16:39 server smtpd[68603]: 44fc40aeb913cba0 mta event=delivery
> evpid=1da22dbaa5825b53 from=<.*@mydomain.com>
> to= rcpt=<-> source="192.168.1.101"
> relay="??.??.??.??" (verifier.port25.com)" delay=2s result="Ok" stat="250
> 2.6.0 message received"
>
>
>>  Are the mails being forwarded to dkimproxy_out and back into
>> smtpd as expected?
>>
>
> How can I check this?
>

Should also be in the maillog.  You should see smtpd accept the initial
connection and relay it to 127.0.0.1 10027.  Then accept a new connection
from 127.0.0.1 or localhost and relay to the destination.

If you don't see that, you can use tcpdump to see if the proxy is ever
contacted.  You can also trace which rules smtpd matched on.  man smtpctl
and search for trace.

I run this at home, but can't access the machine from where I am.  I can
double check your configs later.
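The maillog check trondd describes, as an added example (not trondd's or the project's code): it scans `mta event=delivery` lines and reports whether a delivery went to 127.0.0.1 (the dkimproxy hop) as well as to an external relay. The log lines are constructed to imitate the shape of the delivery line Walter posted; only the `relay="..."` field matters to the check.

```sh
#!/bin/sh
# Added example: did outgoing mail actually make the round trip through
# dkimproxy_out? With the posted smtpd.conf a signed message should produce
# two deliveries: one relayed to 127.0.0.1 (the proxy) and, after smtpd
# accepts it back on the port 10028 listener, one relayed to the real MX.
# The log lines below are constructed and only imitate the shape of the
# delivery line from the thread; they are not real smtpd output.

# Constructed maillog excerpt: a message that did go through the proxy.
PROXIED_LOG='Nov  9 15:01:02 server smtpd[68603]: 1a2b3c4d5e6f7081 mta event=delivery evpid=0000000000000001 from=<user@mydomain.com> to=<test@example.com> rcpt=<-> source="127.0.0.1" relay="127.0.0.1 (localhost)" delay=0s result="Ok" stat="250 ok"
Nov  9 15:01:03 server smtpd[68603]: 9f8e7d6c5b4a3928 mta event=delivery evpid=0000000000000002 from=<user@mydomain.com> to=<test@example.com> rcpt=<-> source="192.0.2.10" relay="198.51.100.25 (mx.example.com)" delay=1s result="Ok" stat="250 2.6.0 message received"'

# Constructed maillog excerpt: a message relayed straight to the destination,
# never touching the proxy (the pattern Walter's log shows).
DIRECT_LOG='Nov  9 14:16:39 server smtpd[68603]: 44fc40aeb913cba0 mta event=delivery evpid=1da22dbaa5825b53 from=<user@mydomain.com> to=<test@example.com> rcpt=<-> source="192.168.1.101" relay="198.51.100.25 (mx.example.com)" delay=2s result="Ok" stat="250 2.6.0 message received"'

# Classify a maillog excerpt ($1). Prints one of:
#   proxied      at least one delivery to 127.0.0.1/localhost and one elsewhere
#   proxy-only   mail reached the proxy but never came back out
#   direct-only  no delivery to the proxy at all (dkimproxy is bypassed)
#   none         no delivery lines found
dkim_path_status() {
    printf '%s\n' "$1" | awk '
        /mta event=delivery/ {
            if (match($0, /relay="[^"]*"/)) {
                # strip the leading relay=" and the closing quote
                relay = substr($0, RSTART + 7, RLENGTH - 8)
                if (relay ~ /^(127\.0\.0\.1|localhost)/) proxy++
                else ext++
            }
        }
        END {
            status = "none"
            if (proxy > 0 && ext > 0) status = "proxied"
            else if (proxy > 0) status = "proxy-only"
            else if (ext > 0) status = "direct-only"
            print status
        }'
}

# Live use on the mail host:
#   dkim_path_status "$(grep 'mta event=delivery' /var/log/maillog)"
dkim_path_status "$PROXIED_LOG"   # proxied
dkim_path_status "$DIRECT_LOG"    # direct-only
```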



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
On Wed, Nov 09, 2016 at 09:27:58AM -0500, trondd wrote:
> On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
> > Hi everyone,
> >
> > First of all, is dkimproxy a work in progress?
> >
> > If it's not, then the long one.  I've tried something similar to
> > the example in smtpd.conf(5).  Outgoing messages don't get signed.
> >
> >
> > # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
> >
> > /etc/dkimproxy_out.conf
> > ---
> > listen    127.0.0.1:10027
> > relay     127.0.0.1:10028
> > domain    mydomain.com
> > signature dkim(c=relaxed)
> > signature domainkeys(c=nofws)
> > keyfile   /var/dkimproxy/default.private
> > selector  default
> >
> >
> > /etc/mail/smtpd.conf
> > ---
> > egress_int="em0"
> > server="server.mydomain.com"
> > ca $server certificate "/etc/ssl/acme/chain.pem"
> >
> > table aliases file:/etc/mail/aliases
> > table valiases file:/etc/mail/valiases
> > table vdomains file:/etc/mail/vdomains
> > table addresses file:/etc/mail/addresses
> > table users file:/etc/mail/users
> >
> > pki $server certificate "/etc/ssl/acme/cert.pem"
> > pki $server key "/etc/ssl/acme/private/privkey.pem"
> >
> > listen on lo0
> > listen on lo0 port 10028 tag DKIM
> > listen on $egress_int port 25 tls pki $server
> > listen on $egress_int port 465 smtps pki $server auth senders 
> > masquerade
> >
> > accept from any for domain  virtual  deliver to mbox
> > accept for local alias  deliver to mbox
> > accept tagged DKIM for any relay
> > accept from local sender  for any relay via
> > smtp://127.0.0.1:10027
> >
> >
> > Do I need to do something else?  (running current)
> >
> >
> > Walter
> >
> 
> Did you add the public key part to DNS for your domain?  What's going on
> in maillog?

I forgot to mention that, yes, I added the DNS record and checked its
validity using this site:

http://dkimcore.org/tools/keycheck.html

That tells me it's ok.  Then I've been sending to this testing address:

check-a...@verifier.port25.com

where I'm told (in a reply to my same address) the message isn't signed.

/var/log/maillog just shows the message as correctly delivered:

Nov  9 14:16:39 server smtpd[68603]: 44fc40aeb913cba0 mta event=delivery 
evpid=1da22dbaa5825b53 from=<.*@mydomain.com> 
to= rcpt=<-> source="192.168.1.101" 
relay="??.??.??.??" (verifier.port25.com)" delay=2s result="Ok" stat="250 2.6.0 
message received"


>  Are the mails being forwarded to dkimproxy_out and back into
> smtpd as expected?
> 

How can I check this?



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-09 Thread Christian Weisgerber
On 2016-11-09, "Comète"  wrote:

> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
> boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
> maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
> low for an AES-NI enabled processor.

Well, it still is a slow processor.  For best performance, I'd add
"childsa enc aes-128-gcm" to the iked configuration.  The default
cipher is aes-256-cbc with hmac-sha2-256, and the latter has a
noticeable performance impact.

> And about 30 seconds after the test is
> started, I don't know why, the connection is lost and I have to restart the IKED
> daemon on the "passive" host.

Every half gigabyte of transferred data, iked rekeys.  There is a
longstanding bug there that causes the ikeds to lose synchronization.
They will eventually resync on their own, but it takes several
minutes.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-09 Thread Stuart Henderson
On 2016-11-09, Comète  wrote:
> Hi,
>
> I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
> boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
> maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
> low for an AES-NI enabled processor.

Try it with aes-128-gcm.

>  And about 30 seconds after the test is
> started, I don't know why, the connection is lost and I have to restart the IKED
> daemon on the "passive" host.

Anything in logs? Anything on-screen if you run iked -vd?



Re: dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread trondd
On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
> Hi everyone,
>
> First of all, is dkimproxy a work in progress?
>
> If it's not, then the long one.  I've tried something similar to
> the example in smtpd.conf(5).  Outgoing messages don't get signed.
>
>
> # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
>
> /etc/dkimproxy_out.conf
> ---
> listen    127.0.0.1:10027
> relay     127.0.0.1:10028
> domain    mydomain.com
> signature dkim(c=relaxed)
> signature domainkeys(c=nofws)
> keyfile   /var/dkimproxy/default.private
> selector  default
>
>
> /etc/mail/smtpd.conf
> ---
> egress_int="em0"
> server="server.mydomain.com"
> ca $server certificate "/etc/ssl/acme/chain.pem"
>
> table aliases file:/etc/mail/aliases
> table valiases file:/etc/mail/valiases
> table vdomains file:/etc/mail/vdomains
> table addresses file:/etc/mail/addresses
> table users file:/etc/mail/users
>
> pki $server certificate "/etc/ssl/acme/cert.pem"
> pki $server key "/etc/ssl/acme/private/privkey.pem"
>
> listen on lo0
> listen on lo0 port 10028 tag DKIM
> listen on $egress_int port 25 tls pki $server
> listen on $egress_int port 465 smtps pki $server auth senders 
> masquerade
>
> accept from any for domain  virtual  deliver to mbox
> accept for local alias  deliver to mbox
> accept tagged DKIM for any relay
> accept from local sender  for any relay via
> smtp://127.0.0.1:10027
>
>
> Do I need to do something else?  (running current)
>
>
>   Walter
>

Did you add the public key part to DNS for your domain?  What's going on
in maillog?  Are the mails being forwarded to dkimproxy_out and back into
smtpd as expected?



dkimproxy_out doesn't sign my outgoing messages

2016-11-09 Thread Walter Alejandro Iglesias
Hi everyone,

First of all, is dkimproxy a work in progress?

If it's not, then the long one.  I've tried something similar to
the example in smtpd.conf(5).  Outgoing messages don't get signed.


# dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy

/etc/dkimproxy_out.conf
---
listen    127.0.0.1:10027
relay     127.0.0.1:10028
domain    mydomain.com
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
keyfile   /var/dkimproxy/default.private
selector  default


/etc/mail/smtpd.conf
---
egress_int="em0"
server="server.mydomain.com"
ca $server certificate "/etc/ssl/acme/chain.pem"

table aliases file:/etc/mail/aliases
table valiases file:/etc/mail/valiases
table vdomains file:/etc/mail/vdomains
table addresses file:/etc/mail/addresses
table users file:/etc/mail/users

pki $server certificate "/etc/ssl/acme/cert.pem"
pki $server key "/etc/ssl/acme/private/privkey.pem"

listen on lo0
listen on lo0 port 10028 tag DKIM
listen on $egress_int port 25 tls pki $server
listen on $egress_int port 465 smtps pki $server auth senders  masquerade

accept from any for domain  virtual  deliver to mbox
accept for local alias  deliver to mbox
accept tagged DKIM for any relay
accept from local sender  for any relay via smtp://127.0.0.1:10027


Do I need to do something else?  (running current)


Walter



Re: Wrong Guest OS type in VMware ESXi 5.5.0.3568722

2016-11-09 Thread Alexei Malinin
On 11/09/16 03:24, Bryan Vyhmeister wrote:
> On Tue, Nov 08, 2016 at 09:57:29PM +0300, Alexei Malinin wrote:
>>> Synopsis:   Wrong Guest OS type in VMware ESXi 5.5.0.3568722
>>> Description:
>>  OpenBSD kernel reports wrong Guest OS type to VMware ESXi.
>>> Fix:
>>  Maybe somewhere in sys/dev/pv/hyperv.c: hv_fake_version()...
> The sys/dev/pv/hyperv.c driver is for running OpenBSD under HyperV, not
> VMware. It's the vmt(4) driver you are looking for. Starting on line 522
> of sys/dev/pv/vmt.c, there is a comment:
>
> "Host doesn't like it if we send an OS name it doesn't
> recognise, so use the closest match, which happens
> to be FreeBSD."
>
> I am not sure why vmt(4) reports as 32-bit rather than 64-bit but that
> doesn't really matter. The root cause is that VMware does not support
> OpenBSD as a officially supported guest operating system. This would
> make a difference if there were VMware Tools from VMware but since
> vmt(4) is implementing the required functions, it doesn't really matter.
> OpenBSD works just fine under VMware ESXi and I have been using it that
> way for at least six years running as "Other (64-bit)" before vmt(4) was
> available.

Thank you for the explanation, Bryan.
"32-bit" confused me, and I tried to find where I could change "32" to
"64" but I couldn't - should I hack vmware tools?


--
Alexei Malinin



low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2016-11-09 Thread Comète
Hi,

I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get a
maximum bandwidth of 66 Avg Mbps when IPSEC is enabled which is, I think, very
low for an AES-NI enabled processor. And about 30 seconds after the test is
started, I don't know why, the connection is lost and I have to restart the IKED
daemon on the "passive" host.
If I disable the VPN, I get a maximum of 439 Avg Mbps which is not fabulous for
a 1 Gbps link but quite a bit better than 66 Mbps.
The tests were made with tcpbench: tcpbench a.a.a.a on one host and tcpbench
-s on the other one.

No optimisation at all in sysctl.conf, only a default install.

This is the IKEDv2 configuration file on host 2:

ikev2 "HDV" active esp from $local_gw to $remote_gw \
  from $LAN_LOCAL to $LAN_HDV_INFRA \
  peer $remote_gw srcid $local_gw psk "testpassword"

and the IKEDv2 configuration file on host 1:

ikev2 "HDV-CEV" passive esp from $local_gw to $remote_gw \
  from $LAN_HDV_INFRA to $LAN_CEV \
  peer $remote_gw srcid $local_gw psk "testpassword"

My question is, is there any optimisation I can set somewhere to get a better
result with max bandwidth?
Thanks !

Morgan



Re: Dell R930 server

2016-11-09 Thread Martin Schröder
2016-11-09 9:06 GMT+01:00 ludovic coues :
> I would say big data.
>
> Stackexchange have a pair of SQL Server, with 384Go of memory for
> stackoverflow and 768 for everything else, a Redis server with 256, a
> server for elasticsearch with 192 and same quantity for an HAProxy
> server.

None of this is the domain of OpenBSD and nobody in his right mind
wants to run Stackexchange on OpenBSD.

Or are you suggesting that SAP should port HANA to OpenBSD?

Best
   Martin



Re: Dell R930 server

2016-11-09 Thread ludovic coues
I would say big data.

Stackexchange have a pair of SQL Server, with 384Go of memory for
stackoverflow and 768 for everything else, a Redis server with 256, a
server for elasticsearch with 192 and same quantity for an HAProxy
server.

And that's just a successful website. They aren't a search engine or a
social network

2016-11-08 23:38 GMT+01:00 Mihai Popescu :
> | Does OBSD "see" all the 96*128G memory available ?
>
> Out of curiosity, what does need such a memory today? Do you want to
> use a ramdisk?
>
> Thanks.
>



-- 

Cordialement, Coues Ludovic
+336 148 743 42