Re: PC-Engines Wireless - PPPOE timeouts.

2016-12-15 Thread Mihai Popescu
> OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar  8 11:04:17 MDT 2015

5.7 is not supported anymore. Besides that, there is a huge
improvement of wireless stuff in -current. I can't believe you didn't
notice that. Are you serious by not upgrading?



Re: Encrypted data partition

2016-12-15 Thread Julian Suschlik
> Also in most cases ssh does not support changing mtime of symlinks,
> which is required for fast data synchronization (compare mtime
> instead of readlink).  For this reason I even use USB when the two
> systems are in the same network.
>
> So it would really be great to have an up-to-date EncFS...

What about an encrypted backup to the USB drive and restore on the other
host? Preserves links and permissions. Can do deduplication and updates.
Borgbackup does this. You can carry binaries of the software for Linux and
OpenBSD on the USB drive.

Julian



Re: Encrypted data partition

2016-12-15 Thread Stefan Sperling
On Thu, Dec 15, 2016 at 07:24:24AM +0100, Carsten Kunze wrote:
> So it would really be great to have an up-to-date EncFS...

This might be a good opportunity for you to give ports development a go
;-)

http://www.openbsd.org/faq/ports/index.html



Re: How to make spamd more annoying ?

2016-12-15 Thread Stuart Henderson
On 2016-12-14, OpenBSD lists  wrote:
>
> Beside, this is only enabled on my primary server, the secondary server 
> will still accept email where the sender doesn't listen for SMTP.  A 
> legitimate email server would detect the failure and try again with the 
> next MX record.  Marketing and spam servers tend to see a single failure 
> and just carry on with spamming the next person.

Not for many years. They do retry, and they do try alternative MX (though
sometimes in the reverse order). In my opinion a secondary MX (if you list
one at all) should have *stronger* filtering than the primary. You don't
want something entering the queue on a secondary unless you're pretty sure
the primary is going to want to see it.



Re: How to make spamd more annoying ?

2016-12-15 Thread Boudewijn Dijkstra
On Wed, 14 Dec 2016 18:07:15 +0100, Craig Skinner wrote:

On Tue, 13 Dec 2016 18:29:00 + (UTC) Mik J wrote:

I use spamlogd so that every outgoing mail adds the remote mx IP in
my whitelist.


As with many domains, large mail services deploy/out source separate
inbound & outbound clusters, so spamlogd'ing outbound mail won't help.

These spamlogd flags seem to work best here:

spamlogd_flags='-I -Y ... -Y ... -Y '



I'm not sure I understood what this patch does.
It's used to give some additional statistics?



spamd expires trapped IP addresses after 24 hours.

Boudewijn's patch keeps them trapped while they continue to spam.
His stats prove it works.


My stats just prove that senders exist who will happily continue delivery  
attempts for weeks or months.  ;)


To see that it works, you have to turn on verbose logging and realise that  
spammers who get greytrapped sometimes also use valid envelope-to  
addresses. My patch is intended to reduce the chances of those spammers  
getting whitelisted. It can also be used as an ad-hoc blacklist for e.g.  
senders of daily newsletters who refuse to unsubscribe you.



I read somewhere that gmail servers change their IPs when they retry
to send the mails.


This tool helps to auto white list silly round robin senders:
http://web.Britvault.Co.UK/products/ungrey-robins/

(SPF lists are often not trustworthy.)


Whitelisting an address simply because it appears on an SPF record of a  
domain used for legitimate mail, is indeed a bad idea.  SPF was never  
meant for that.


SPF can be used for accept/reject decisions, but your policy of what to do  
with a certain SPF result should be based on your level of trust in the  
publishing domain.




--
Boudewijn Dijkstra
Indes-IDS B.V.
+31 345 545 535



Re: Encrypted data partition

2016-12-15 Thread Carsten Kunze
Julian Suschlik  wrote:

> What about an encrypted backup to the USB drive and restore on the other
> host? Preserves links and permissions. Can do deduplication and updates.
> Borgbackup does this. You can carry binaries of the software for Linux and
> OpenBSD on the USB drive.

Indeed an interesting tool.  Unfortunately I already have a special data sync 
tool (does not encrypt).  So I need a transparent encryption file system layer 
:)

Carsten



Re: How to make spamd more annoying ?

2016-12-15 Thread Stuart Henderson
On 2016-12-13, Mik J  wrote:
> Peter, you use greylists but I read somewhere that gmail servers change their
> IPs when they retry to send the mails.

It used to be common to attempt a few deliveries from a "main" smarthost and
then push to a "slow retry" host, it seemed that this was particularly popular
with some larger Exim users.

Nowadays it's more likely that the sending servers at large mail providers
are just behind NAT pools (and in some cases, also multiple SMTP senders
running from a common queue). No point wasting precious v4's when the
bottleneck is storage i/o.



Openbgpd emulation on GNS3

2016-12-15 Thread Karthik Veeragoni
Hi guys,

I'm trying to emulate OpenBSD's OpenBGPD on GNS3. Here is the topology
for the same:


[image: Inline image 2]


My-bgp-router: 10.0.0./8

ISP1: 20.0.0./8

ISP2: 30.0.0./8





On the ISP machines I'm unable to receive any kind of messages. Any help
is appreciated.

Neighbors output on both the ISPs:

$ bgpctl sh nei

  BGP neighbor is 10.0.0.100, remote AS 10286
  Description: my-bgp-router
  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s

  Message statistics:
Sent   Received
  Opens0  0
  Notifications   0  0
  Updates 0  0
  Keepalives 0  0
  Route Refresh0  0
  Total  0  0

  Update statistics:
  Sent   Received
  Updates  0  0
  Withdraws   0  0
  End-of-Rib   0  0

  Local host: (unknown), Local port:
  Remote host:  (unknown), Remote port:

Neighbors output on my-bgp-router:

$ bgpctl sh nei

  BGP neighbor is 30.0.0.100, remote AS 
  Description: ISP2
  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s

  Message statistics:
  Sent   Received
  Opens   80  0
  Notifications0  0
  Updates  0  0
  Keepalives   0  0
  Route Refresh0  0
  Total   80  0

  Update statistics:
  Sent   Received
  Updates  0  0
  Withdraws0  0
  End-of-Rib   0  0

  Local host:30.0.0.101, Local port:  11478
  Remote host:   30.0.0.100, Remote port:   179

BGP neighbor is 20.0.0.100, remote AS 
 Description: ISP1
  BGP version 4, remote router-id 0.0.0.0
  BGP state = Active
  Last read Never, holdtime 240s, keepalive interval 80s

  Message statistics:
  Sent   Received
  Opens 89  0
  Notifications 0   0
  Updates   0   0
  Keepalives   0   0
  Route Refresh  0   0
  Total   89  0

  Update statistics:
  Sent   Received
  Updates  0  0
  Withdraws   0  0
  End-of-Rib   0  0

  Local host:   20.0.0.101, Local port:  14661
  Remote host:   20.0.0.100, Remote port:   179

Regards,
Karthik V

[demime 1.01d removed an attachment of type image/png which had a name of 
image.png]



Re: Encrypted data partition

2016-12-15 Thread Carsten Kunze
Stefan Sperling  wrote:

> > So it would really be great to have an up-to-date EncFS...
> 
> This might be a good opportunity for you to give ports development a go
> ;-)

I even would be interested, but I need it for both OpenBSD *and* NetBSD.  A 
year ago I tried to update their pkgsrc version 1.2 to a current version, which 
did compile but not work.  My hope was to port the working OpenBSD package to 
NetBSD :)

If upstream would have any interest to give debug support on NetBSD, I'd like 
to update the OpenBSD package too.

Carsten



Re: Encrypted data partition

2016-12-15 Thread Jiri B
On Thu, Dec 15, 2016 at 11:47:56AM +0100, Carsten Kunze wrote:
> Julian Suschlik  wrote:
> 
> > What about an encrypted backup to the USB drive and restore on the other
> > host? Preserves links and permissions. Can do deduplication and updates.
> > Borgbackup does this. You can carry binaries of the software for Linux and
> > OpenBSD on the USB drive.
> 
> Indeed an interesting tool.  Unfortunately I already have a special data sync 
> tool (does not encrypt).  So I need a transparent encryption file system 
> layer :)

What about git-annex to sync from any "client" via a remote storage?
It can do encryption and it does sync...
(syncthing does not save data to remote storage, it does sync only
alive clients.)

Although it is written in haskell and hs-xmpp is a problem if you would
need this part of git-annex working.

j.



Re: PC-Engines Wireless - PPPOE timeouts.

2016-12-15 Thread Stuart Henderson
On 2016-12-15, Patrick Dohman  wrote:
> Stuart
>
> Please see below for more info:
>
> Please note the 5.7 dmesg is subsequent to a reboot.

Thanks. I was wondering about a bug with LCP echoes I accidentally
introduced that made it into 5.9 (fixed for 6.0).

Nothing stands out from what you've sent. Some possibilities:

- connection somewhere between the APU and the ISP really is dropping out
(are you using the same cable for the different locations you placed the APU
in? could a cable be bad? check for errors on the ethernet interface)

- machine too busy to handle traffic - maybe tail -f /var/log/messages in the
background while "vmstat -w 10" or something is running (maybe under "script"),
look for the timeouts in the output and see what cpu is doing at the time

> pass out quick on egress inet6 proto { tcp, udp } from { (pppoe0:network),
> (athn0:network), (re2:network) } modulate state

btw using (...) causes an extra address lookup to be done when the rule
is evaluated (i.e. when a packet doesn't match existing state) - you may need
this for pppoe0 but you can save a bit of cpu with

  pass out quick on egress inet6 proto { tcp, udp } from { (pppoe0:network),
  athn0:network, re2:network } modulate state

(and same for the v4 rule)

> ### --- Optional Runtime Options --- ###
> set optimization conservative

not likely to be the problem, but you're pretty unlikely to need that.



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Stuart Henderson
On 2016-12-15, Aaron Mason  wrote:
> All
>
> I'm looking for a 1U appliance that I can re-purpose into a firewall
> using OpenBSD.  I've tried the near-free method by using an old Lacie
> Ethernet Disk appliance I had lying around, but it turns out the
> onboard SATA chipset is toast on this particular unit (it freezes at
> CDBOOT when it detects hard drives and the BIOS freezes when I set it
> to IDE mode with drives attached, plus it only has one onboard NIC and
> one PCI slot, so I can't install another SATA card without removing
> the other NIC I installed), so I'm looking for other options that fit
> a limited budget.
> 
> The most important criteria are that it must be 1U and it must fit
> within a 420mm (~16.5") space (for reasons I will explain below).  I
> have a couple of Sun Netra X1s that meet the need, but I can't push
> more than ~60mbps over the onboard FE ports and they run quite hot to
> the point of causing kernel panics.
>
> For a bit of context - I manage network and systems for a group that
> run regular LAN parties at a local university, and our network
> infrastructure lives in a 4RU flight case (with 420mm between the
> front and rear vertical rails) currently occupied by three HP
> switches.  We're currently using a Sun V20Z (admittedly running
> pfSense, a decision made before I took over) but it's rather
> cumbersome to carry along with three Dell 1950s (two VM hosts and a
> Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts).  We
> don't usually get more than 35 players and we don't do any complex
> filtering on the firewall.
>
> I've been considering looking at old firewall appliances like Nokias,
> Sonicwalls, Watchguards or Barracudas - has anyone had any luck with
> getting OpenBSD on any of those or other such appliances?
> 
> Gigabit ports would be nice (the university finally bought gigabit PoE
> switches) but will accept Fast Ethernet if my budget says no.

IMHO, you can get a fairly useful decent second-hand machine for a low
enough price that it's not worth the hassle repurposing or using something
from before GE was common, they're going to be more hassle to get working,
and old enough that you may well run into things failing through age.

How about a Dell R210 or an R210 II off ebay? 400mm deep, 2 nics onboard,
if you need more ports then dual-port PCIe nics are pretty cheap.
If you want to cut down on weight+noise at the expense of more cost
and a less powerful cpu, maybe APU2 in a 1U case or something like
supermicro SYS-5018A-FTN4.



Re: Encrypted data partition

2016-12-15 Thread Stuart Henderson
In gmane.os.openbsd.misc, you wrote:
> On Thu, Dec 15, 2016 at 07:24:24AM +0100, Carsten Kunze wrote:
>> So it would really be great to have an up-to-date EncFS...
>
> This might be a good opportunity for you to give ports development a go
> ;-)
>
> http://www.openbsd.org/faq/ports/index.html
>

Possibly not the best beginner task, here's a start at it, but it needs
more work (doesn't build).

? encfs.ii
Index: Makefile
===
RCS file: /cvs/ports/security/encfs/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile1 Oct 2016 11:54:17 -   1.8
+++ Makefile15 Dec 2016 12:14:55 -
@@ -1,12 +1,17 @@
 # $OpenBSD: Makefile,v 1.8 2016/10/01 11:54:17 naddy Exp $
 
-BROKEN-hppa =  configure: error: Could not link against 
boost_serialization-boost_serialization
+BROKEN-hppa =  configure: error: Could not link against 
boost_serialization-boost_serialization
 BROKEN-sparc64 =   configure: error: Could not link against 
boost_serialization-boost_serialization
+
 COMMENT =  fuse-based cryptographic filesystem
-DISTNAME = encfs-1.7.4
-REVISION = 1
+
+V =1.9.1
+DISTNAME = encfs-$V
+
 SHARED_LIBS =  encfs   0.0 # 6.1
+
 CATEGORIES =   security
+
 HOMEPAGE = http://www.arg0.net/encfs
 
 # GPLv3
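Review bot: the BROKEN-hppa and BROKEN-sparc64 markers quote an autoconf failure ("configure: error: Could not link against boost_serialization...") that the cmake build introduced further down this same Makefile can no longer produce, so they are stale: drop them, or re-mark after a fresh build on those arches; note also that the `-BROKEN-hppa` / `+BROKEN-hppa` pair differs only in whitespace. SHARED_LIBS is still `encfs 0.0` across a 1.7.4 to 1.9.1 jump: check that 1.9.1 still installs libencfs at all and bump the version if its ABI changed, as the ports shared-library rules require.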
@@ -15,20 +20,18 @@ PERMIT_PACKAGE_CDROM =  Yes
 WANTLIB =  boost_filesystem boost_serialization boost_system c \
crypto fuse m pthread rlog ssl stdc++
 
-MASTER_SITES = ${MASTER_SITE_GOOGLECODE:=encfs/}
-EXTRACT_SUFX = .tgz
+MASTER_SITES = https://github.com/vgough/encfs/releases/download/v$V/
+
+MODULES =  devel/cmake \
+   gcc4
+MODGCC4_ARCHS =*
+MODGCC4_LANGS =c++
 
-MODULES =  devel/gettext
+BUILD_DEPENDS =devel/gettext-tools
 LIB_DEPENDS =  devel/boost \
+   devel/gettext \
devel/rlog

-CONFIGURE_STYLE =  gnu
-CONFIGURE_ARGS +=  --with-boost-serialization=boost_serialization \
-   --with-boost-filesystem=boost_filesystem \
-   --with-boost-system=boost_system
-# TODO convert code to use utimensat() instead of lutimes()
-CONFIGURE_ENV +=   CPPFLAGS="-Dlutimes=utimes -D_DIRENT_HAVE_D_TYPE"
-
 do-test:
${WRKSRC}/encfs/test
 
Index: distinfo
===
RCS file: /cvs/ports/security/encfs/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- distinfo17 Jan 2014 10:10:58 -  1.1.1.1
+++ distinfo15 Dec 2016 12:14:55 -
@@ -1,2 +1,2 @@
-SHA256 (encfs-1.7.4.tgz) = KC7w8E8t17o1J7RWIfq0hbfMUQws7uEWYA0DSNwhcKg=
-SIZE (encfs-1.7.4.tgz) = 931048
+SHA256 (encfs-1.9.1.tar.gz) = ZyA67/egbOe+g99JSNspa+iaAM/+EQigpByW10gRBqQ=
+SIZE (encfs-1.9.1.tar.gz) = 455910
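Review bot: the new SHA256 and SIZE lines must be regenerated with `make makesum` from a fresh download off the new MASTER_SITES rather than copied from this mail; a checksum pasted into a list post is exactly the value a committer should re-derive. The Makefile correctly fetches the uploaded asset under releases/download/ instead of GitHub's auto-generated archive tarballs, whose bytes are not stable, and the name change from .tgz to .tar.gz means the old line cannot be reused; compare the result against an upstream-published checksum or signature for 1.9.1 if one exists.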
Index: patches/patch-encfs_encfs_cpp
===
RCS file: patches/patch-encfs_encfs_cpp
diff -N patches/patch-encfs_encfs_cpp
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-encfs_encfs_cpp   15 Dec 2016 12:14:55 -
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- encfs/encfs.cpp.orig   Thu Dec 15 11:57:09 2016
 encfs/encfs.cppThu Dec 15 11:59:59 2016
+@@ -497,7 +497,7 @@ int encfs_utime(const char *path, struct utimbuf *buf)
+ 
+ int _do_utimens(EncFS_Context *, const string &cyName,
+ const struct timespec ts[2]) {
+-#ifdef HAVE_UTIMENSAT
++#if 1 /* ifdef HAVE_UTIMENSAT; cmake check fails */
+   int res = utimensat(AT_FDCWD, cyName.c_str(), ts, AT_SYMLINK_NOFOLLOW);
+ #else
+   struct timeval tv[2];
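Review bot: `#if 1 /* ifdef HAVE_UTIMENSAT; cmake check fails */` hard-wires the utimensat(2) branch instead of fixing the detection; find out why the cmake probe fails on OpenBSD (a missing header or feature macro in the check is the usual cause) and fix that, or define HAVE_UTIMENSAT through CONFIGURE_ARGS in the Makefile, so the port carries no source patch and the fix is upstreamable. The branch matters for this thread: `utimensat(AT_FDCWD, cyName.c_str(), ts, AT_SYMLINK_NOFOLLOW)` is what lets EncFS set the mtime of a symlink itself, the capability Carsten said ssh lacks, and the `struct timeval tv[2]` fallback below would lose exactly that.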
Index: patches/patch-encfs_encfssh
===
RCS file: patches/patch-encfs_encfssh
diff -N patches/patch-encfs_encfssh
--- patches/patch-encfs_encfssh 9 May 2015 12:18:58 -   1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,13 +0,0 @@
-$OpenBSD: patch-encfs_encfssh,v 1.1 2015/05/09 12:18:58 jca Exp $
-
-- no fusermount(1) on OpenBSD, umount(8) is enough
-
 encfs/encfssh.orig Sun Nov 29 23:04:12 2009
-+++ encfs/encfssh  Thu May  7 19:58:09 2015
-@@ -63,5 +63,5 @@ orig_dir=$(pwd)
- cd $unenc_dir
- 
- # Set the shell up
--exec /bin/sh -c "$SHELL ; cd $orig_dir ; fusermount -u $unenc_dir ; if ! 
$unenc_dir_given; then rmdir $unenc_dir; fi"
-+exec /bin/sh -c "$SHELL ; cd $orig_dir ; umount $unenc_dir ; if ! 
$unenc_dir_given; then rmdir $unenc_dir; fi"
- 
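Review bot: deleting patch-encfs_encfssh drops the OpenBSD-specific replacement of `fusermount -u $unenc_dir` with `umount $unenc_dir`; before removing it, confirm that the encfssh shipped in 1.9.1 no longer calls fusermount(1), otherwise the script fails at unmount time on OpenBSD and the patch should be regenerated against the new file rather than removed.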
Index: patches/patch-encfs_main_cpp
===
RCS file: /cvs/ports/security/encfs/patches/patch-encfs_main_cpp,v
retrieving revision 1.3
diff -u -p -r1.3 patch-encfs_main_cpp
--- patches/patch-encfs_main_cpp9 May 2015 12:18:24 - 

Re: Openbgpd emulation on GNS3

2016-12-15 Thread Marko Cupać
On Thu, 15 Dec 2016 16:26:00 +0530
Karthik Veeragoni  wrote:

> Hi guys,
>
> I'm trying to emulate the Openbsd's Openbgpd on GNS3. Here is the
> topology for same:

Last time I checked some 8 years ago when I was preparing my CCNA, GNS3
was visual front-end to dynamips/dynagen cisco ios emulator and lab
provisioning tool.

In which way is this related to OpenBSD? Do you use OpenBSD as an OS
where you install GNS3 package? Or are you bridging emulated cisco
router to real network and trying to make it talk BGP to OpenBSD?

Regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: PC-Engines Wireless - PPPOE timeouts.

2016-12-15 Thread Tom
On Thu, 15 Dec 2016 11:05:08 + (UTC)
Stuart Henderson  wrote:

> On 2016-12-15, Patrick Dohman  wrote:
> > Stuart
> >
> > Please see below for more info:
> >
> > Please note the 5.7 dmesg is subsequent to a reboot.  
> 
> Thanks. I was wondering about a bug with LCP echoes I accidentally
> introduced that made it into 5.9 (fixed for 6.0).
> 
> Nothing stands out from what you've sent. Some possibilities:
> 
> - connection somewhere between the APU and the ISP really is dropping
> out (are you using the same cable for the different locations you
> placed the APU in? could a cable be bad? check for errors on the
> ethernet interface)
> 
> - machine too busy to handle traffic - maybe tail
> -f /var/log/messages in the background while "vmstat -w 10" or
> something is running (maybe under "script"), look for the timeouts in
> the output and see what cpu is doing at the time
> 
> > pass out quick on egress inet6 proto { tcp, udp } from
> > { (pppoe0:network), (athn0:network), (re2:network) } modulate
> > state  
> 
> btw using (...) causes an extra address lookup to be done when the
> rule is evaluated (i.e. when a packet doesn't match existing state) -
> you may need this for pppoe0 but you can save a bit of cpu with
> 
>   pass out quick on egress inet6 proto { tcp, udp } from
> { (pppoe0:network), athn0:network, re2:network } modulate state
> 
> (and same for the v4 rule)
> 
> > ### --- Optional Runtime Options --- ###
> > set optimization conservative  
> 
> not likely to be the problem, but you're pretty unlikely to need that.
> 

Hello Stuart,

 I am a long-time reader of this mailing list (since 5.1, when I started
with OpenBSD). This thread is my first input.

> Thanks. I was wondering about a bug with LCP echoes I accidentally
> introduced that made it into 5.9 (fixed for 6.0).
Could you please point me to the changes you are talking about here?

I started using pppoe in 5.9 and the LCP-echo gave me a hard time. I
frequently told my ISP (Deutsche Telekom) to drop the line because I
was hitting the MAXALIVECNT value in if_spppsubr. This happened as soon
as I was in the "lucky" situation that nobody was penetrating me on
ports like ssh, telnet or smtp from outside. I made a modification to
send 'sp->pp_alivecnt' to syslog anytime it was changed in addition to
packet capturing. It turned out that my ISP sends LCP-keepalives in a
45s interval and not every 15s. This means I might eventually get my
first LCP-echo from the provider when pppoe is already timing out. I
would be glad though if there was a way to address this problem without
a custom kernel.


Thanks,
Thomas Braun



doas prompting for password in script

2016-12-15 Thread jungle Boogie
Hi All,

Should I be prompted for a password during this scenario?

$ doas date
doas (jun...@openbsd.my.domain) password:
Thu Dec 15 08:55:39 PST 2016
$ ./date.sh
doas (jun...@openbsd.my.domain) password:
Thu Dec 15 08:55:46 PST 2016

As you see, only seconds passed between the two commands and yet, I'm prompted
for my password again.

-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Ryan Freeman
On Thu, Dec 15, 2016 at 11:30:31AM +, Stuart Henderson wrote:
> On 2016-12-15, Aaron Mason  wrote:
> > All
> >
> > I'm looking for a 1U appliance that I can re-purpose into a firewall
> > using OpenBSD.  I've tried the near-free method by using an old Lacie
> > Ethernet Disk appliance I had lying around, but it turns out the
> > onboard SATA chipset is toast on this particular unit (it freezes at
> > CDBOOT when it detects hard drives and the BIOS freezes when I set it
> > to IDE mode with drives attached, plus it only has one onboard NIC and
> > one PCI slot, so I can't install another SATA card without removing
> > the other NIC I installed), so I'm looking for other options that fit
> > a limited budget.
> > 
> > The most important criteria are that it must be 1U and it must fit
> > within a 420mm (~16.5") space (for reasons I will explain below).  I
> > have a couple of Sun Netra X1s that meet the need, but I can't push
> > more than ~60mbps over the onboard FE ports and they run quite hot to
> > the point of causing kernel panics.
> >
> > For a bit of context - I manage network and systems for a group that
> > run regular LAN parties at a local university, and our network
> > infrastructure lives in a 4RU flight case (with 420mm between the
> > front and rear vertical rails) currently occupied by three HP
> > switches.  We're currently using a Sun V20Z (admittedly running
> > pfSense, a decision made before I took over) but it's rather
> > cumbersome to carry along with three Dell 1950s (two VM hosts and a
> > Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts).  We
> > don't usually get more than 35 players and we don't do any complex
> > filtering on the firewall.
> >
> > I've been considering looking at old firewall appliances like Nokias,
> > Sonicwalls, Watchguards or Barracudas - has anyone had any luck with
> > getting OpenBSD on any of those or other such appliances?
> > 
> > Gigabit ports would be nice (the university finally bought gigabit PoE
> > switches) but will accept Fast Ethernet if my budget says no.
> 
> IMHO, you can get a fairly useful decent second-hand machine for a low
> enough price that it's not worth the hassle repurposing or using something
> from before GE was common, they're going to be more hassle to get working,
> and old enough that you may well run into things failing through age.
> 
> How about a Dell R210 or an R210 II off ebay? 400mm deep, 2 nics onboard,
> if you need more ports then dual-port PCIe nics are pretty cheap.
> If you want to cut down on weight+noise at the expense of more cost
> and a less powerful cpu, maybe APU2 in a 1U case or something like
> supermicro SYS-5018A-FTN4.

I can second that :-).  I have a Sunfire v120 w/dual 100mbit nics, but
had to stop using it as large amounts of throughput was causing panics
I couldn't figure out + keep housemates happy.

I ended up with a Dell R210 and couldn't be happier.  It has been 100%
stable since installation almost exactly a year ago now.

FWIW -- noise was almost unbearable with the sunfire v120, but the r210
is actually nicely quiet.  The fans spin down and I rarely hear it, it
blends in with the 24 port gigabit poe switch I have.

Cheers,
-ryan



Re: doas prompting for password in script

2016-12-15 Thread Ax0n
For now, you may want to use the "nopass" keyword and set up
highly-restrictive rules. The last matching rule determines the action
taken, so you can have more general rules up top, and more specific ones
that don't require a password toward the end. For example, my wireless
network manager script relies on the ability to kill off the DHCP client
and do some other things with ifconfig.

permit nopass :wheel as root cmd /usr/bin/pkill args dhclient
permit nopass :wheel as root cmd /sbin/ifconfig
permit nopass :wheel as root cmd /sbin/dhclient

In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
per session. This isn't available in OpenBSD 6.0, but should work when 6.1
is released. Here's a fairly minimal rule that would allow wheel group
users to do whatever they want with doas after authenticating once:

permit persist :wheel


On Thu, Dec 15, 2016 at 10:56 AM, jungle Boogie 
wrote:

> Hi All,
>
> Should I be prompted for a password during this scenario?
>
> $ doas date
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:39 PST 2016
> $ ./date.sh
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:46 PST 2016
>
> As you see, only seconds passed between the two commands and yet, I'm prompted
> for my password again.
>
> --
> ---
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info



Re: doas prompting for password in script

2016-12-15 Thread jungle Boogie
On 15 December 2016 at 09:21, Ax0n  wrote:
> In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
> per session. This isn't available in OpenBSD 6.0, but should work when 6.1
> is released. Here's a fairly minimal rule that would allow wheel group users
> to do whatever they want with doas after authenticating once:

DOH! I forgot to mention that I'm running a snapshot from this morning.

OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

by doas.conf:
permit persist :wheel
permit persist keepenv jungle as root

With this, should I be re-prompted for the password?


-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
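To make Ax0n's point that "the last matching rule determines the action" concrete, here is an added Python example written for this thread; it is not doas(1)'s own code but a small re-implementation of the subset of doas.conf(5) matching the posts use (permit/deny, the options nopass/persist/keepenv/nolog, a user or :group identity, `as target`, and `cmd command [args ...]`). The config it evaluates is constructed by stacking the three nopass rules from Ax0n's post under a general `permit persist :wheel` line and appending the `permit persist keepenv jungle as root` line from jungle Boogie's doas.conf; the users alice, jungle and bob and their group memberships are invented for the demo.

```python
"""Toy evaluator for doas.conf(5) rules: every rule is checked and the
LAST one that matches decides, no match means deny.

Added example for this thread, not doas(1)'s code.  Models only the
syntax used in the posts; users/groups come from a constructed table.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

OPTIONS = {"nopass", "persist", "keepenv", "nolog"}


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    options: Set[str] = field(default_factory=set)
    identity: str = ""                   # "user" or ":group"
    target: Optional[str] = None         # None: any target user
    cmd: Optional[str] = None            # None: any command
    args: Optional[List[str]] = None     # None: any args, []: no args, else exact


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one doas.conf line; returns None for blank and comment lines."""
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    if toks[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit/deny: %r" % line)
    rule, rest, i = Rule(action=toks[0]), toks[1:], 0
    while i < len(rest) and rest[i] in OPTIONS:
        rule.options.add(rest[i])
        i += 1
    if i == len(rest):
        raise ValueError("rule has no identity: %r" % line)
    rule.identity = rest[i]
    i += 1
    if i < len(rest) and rest[i] == "as":
        if i + 1 == len(rest):
            raise ValueError("'as' without target: %r" % line)
        rule.target = rest[i + 1]
        i += 2
    if i < len(rest) and rest[i] == "cmd":
        if i + 1 == len(rest):
            raise ValueError("'cmd' without command: %r" % line)
        rule.cmd = rest[i + 1]
        i += 2
        if i < len(rest) and rest[i] == "args":
            rule.args = rest[i + 1:]     # a bare 'args' means "no arguments allowed"
            i = len(rest)
    if i != len(rest):
        raise ValueError("unexpected tokens %r in: %r" % (rest[i:], line))
    return rule


def load_rules(text: str) -> List[Rule]:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def rule_matches(rule, user, groups, target, cmd, args) -> bool:
    if rule.identity.startswith(":"):
        if rule.identity[1:] not in groups:
            return False
    elif rule.identity != user:
        return False
    if rule.target is not None and rule.target != target:
        return False
    if rule.cmd is not None:
        if rule.cmd != cmd:
            return False
        if rule.args is not None and rule.args != list(args):
            return False
    return True


def evaluate(rules, user, groups, cmd, args=(), target="root") -> Tuple[str, Set[str]]:
    """Decision for 'doas [-u target] cmd args...' run by user: last match wins."""
    decision = ("deny", set())
    for rule in rules:
        if rule_matches(rule, user, groups, target, cmd, args):
            decision = (rule.action, set(rule.options))
    return decision


# Constructed config: a broad persist rule, Ax0n's three nopass rules,
# then the per-user keepenv rule from jungle Boogie's doas.conf.
DOAS_CONF = """\
permit persist :wheel
permit nopass :wheel as root cmd /usr/bin/pkill args dhclient
permit nopass :wheel as root cmd /sbin/ifconfig
permit nopass :wheel as root cmd /sbin/dhclient
permit persist keepenv jungle as root
"""

# Constructed group table, not the system's /etc/group.
GROUPS = {"alice": {"wheel"}, "jungle": {"wheel"}, "bob": set()}


def decide(user, cmd, *args, target="root"):
    return evaluate(load_rules(DOAS_CONF), user, GROUPS[user], cmd, args, target)


if __name__ == "__main__":
    for case in [("alice", "/usr/bin/pkill", "dhclient"),
                 ("alice", "/usr/bin/pkill", "sshd"),
                 ("jungle", "/usr/bin/pkill", "dhclient"),
                 ("bob", "/bin/date")]:
        print(case, "->", decide(*case))
```

The third case is the trap worth knowing: because the per-user keepenv rule comes last and names no cmd, it matches every command jungle runs, so jungle is asked for a password even for `pkill dhclient`, while alice, covered only by the :wheel rules, is not. Put the broad rules first and the narrow nopass rules last, as Ax0n described, or the specific exemption is silently overridden.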



Re: doas prompting for password in script

2016-12-15 Thread Ax0n
I don't know how doas is keeping track of a session. If it's by interactive
tty session only, that could cause problems with non-interactive scripts.
I'll let someone closer to the code answer that question.

On Thu, Dec 15, 2016 at 11:25 AM, jungle Boogie 
wrote:

> On 15 December 2016 at 09:21, Ax0n  wrote:
> > In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
> > per session. This isn't available in OpenBSD 6.0, but should work when
> 6.1
> > is released. Here's a fairly minimal rule that would allow wheel group
> users
> > to do whatever they want with doas after authenticating once:
>
> DOH! I forgot to mention that I'm running a snapshot from this morning.
>
> OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
> bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> by doas.conf:
> permit persist :wheel
> permit persist keepenv jungle as root
>
> With this, should I be re-prompted for the password?
>
>
> --
> ---
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Jack Peirce
On 2016-12-15, Stuart Henderson  wrote:

> If you want to cut down on weight+noise at the expense of more cost
> and a less powerful cpu, maybe APU2 in a 1U case or something like
> supermicro SYS-5018A-FTN4.

I can second this recommendation, it's what I use at home.



Re: doas prompting for password in script

2016-12-15 Thread trondd
On Thu, December 15, 2016 12:28 pm, Ax0n wrote:
> I don't know how doas is keeping track of a session. If it's by
> interactive
> tty session only, that could cause problems with non-interactive scripts.
> I'll let someone closer to the code answer that question.
>

It's tied to the shell.

http://www.tedunangst.com/flak/post/doas-mastery

"If you have multiple shell logins to a machine, each login will require
authentication. Additionally, the authentication information includes the
parent shell process ID. This means that executing doas again in a shell
script will require authentication."

> On Thu, Dec 15, 2016 at 11:25 AM, jungle Boogie 
> wrote:
>
>> On 15 December 2016 at 09:21, Ax0n  wrote:
>> > In -CURRENT, doas.conf has a "persist" keyword that will only prompt
>> once
>> > per session. This isn't available in OpenBSD 6.0, but should work when
>> 6.1
>> > is released. Here's a fairly minimal rule that would allow wheel group
>> users
>> > to do whatever they want with doas after authenticating once:
>>
>> DOH! I forgot to mention that I'm running a snapshot from this morning.
>>
>> OpenBSD 6.0-current (GENERIC.MP) #38: Thu Dec 15 08:24:17 MST 2016
>> bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>>
>> by doas.conf:
>> permit persist :wheel
>> permit persist keepenv jungle as root
>>
>> With this, should I be re-prompted for the password?
>>
>>
>> --
>> ---
>> inum: 883510009027723
>> sip: jungleboo...@sip2sip.info



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Hrvoje Popovski
On 15.12.2016. 12:30, Stuart Henderson wrote:
> If you want to cut down on weight+noise at the expense of more cost
> and a less powerful cpu, maybe APU2 in a 1U case or something like
> supermicro SYS-5018A-FTN4.

Has anyone a dmesg from a SYS-5018A-FTN4 box? I'm interested in Intel QAT.

thank you ...



Re: doas prompting for password in script

2016-12-15 Thread jungle Boogie
On 15 December 2016 at 10:42, trondd  wrote:
> On Thu, December 15, 2016 12:28 pm, Ax0n wrote:
>> I don't know how doas is keeping track of a session. If it's by
>> interactive
>> tty session only, that could cause problems with non-interactive scripts.
>> I'll let someone closer to the code answer that question.
>>
>
> It's tied to the shell.
>
> http://www.tedunangst.com/flak/post/doas-mastery
>
> "If you have multiple shell logins to a machine, each login will require
> authentication. Additionally, the authentication information includes the
> parent shell process ID. This means that executing doas again in a shell
> script will require authentication."
>


Ah, I knew I should have checked Ted's blog!



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Bryan Vyhmeister
On Thu, Dec 15, 2016 at 07:51:40PM +0100, Hrvoje Popovski wrote:
> On 15.12.2016. 12:30, Stuart Henderson wrote:
> > If you want to cut down on weight+noise at the expense of more cost
> > and a less powerful cpu, maybe APU2 in a 1U case or something like
> > supermicro SYS-5018A-FTN4.
> 
> Has anyone a dmesg from a SYS-5018A-FTN4 box? I'm interested in Intel QAT.

There is no support for Intel QAT (sometimes called Quick Assist) in
OpenBSD and that's not likely to change anytime soon. Some support is
supposedly coming to FreeBSD (by way of pfSense and some commercial
sponsorship or something) but I have not seen anything recently about
that.

Because Intel QAT is not supported, it is better to use one of the
Supermicro A1SAi boards (for the slight speed increase) rather than the
A1SRi-2758F that comes in the SYS-5018A-FTN4. The A1SRi boards do work
fine though.

I put together my own systems like this which only takes a few minutes
with Supermicro parts. I use the same case which is the Supermicro
CSE-505-203B, a few Noctua 40mm fans (which are much quieter and
probably not necessary), and then one of the A1SAi-2750F, A1SAi-2550F,
A1SRM-LN7F-2758F, A1SRM-LN7F-2358F, A1SRi-2758F, or A1SRi-2558F. I also
have a few A1SAM-2550F boards but those are not booting from USB sticks
for some reason. All of the others above work just fine. All that's left
is some sort of storage (like a 64GB SanDisk SSD, Supermicro SuperDom,
or USB stick with resflash) and memory (I use Kingston ECC SO-DIMMs) and
it works great. I have quite a few of these at tower sites, datacenter
installations, and as home and business routers. As a bonus, all of the
above can be powered directly from 12V if you want to wire them up that
way. I have started doing that at DC sites and to run from batteries.

Where portability is needed, the CSE-505-203B fits great in any of the
SKB short depth cases like the SKB R4S or R6S.

Below is a dmesg for the A1SRi-2758F. This particular router is running
BGP, OSPF, and CARP on the inside as well as DNS and DHCP. It is running
5.8 so not the most recent (it is due to be upgraded in the next week)
but Intel QAT does show up as:

vendor "Intel", unknown product 0x1f18 (class processor subclass Co-processor, rev 0x02) at pci0 dev 11 function 0 not configured

Bryan




Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Jordon
About a year ago I replaced my Soekris net5501 with the following system:
   Supermicro A1SAi-2550F (4 core Atom with 4 NICs + IPMI)
   Supermicro SC505-203B (1U case where the back of the mob comes out the front)
   Kingston KVR16LSE11/4 (4GB SO-DIMM)

I also used a SATA-DOM because I was going for low power, but a USB flash
drive would work and be a lot cheaper.
Under normal usage, it pulls about 15 watts.

I have been running pfSense on it with no problems.
I also have the 8-core version of this board (2750) in my NAS which is running
FreeNAS.
I’m pretty sure that at some point while testing these boards, I ran OpenBSD
on them without any issues.

Those last families of Atoms are a bit underrated in my book.

Jordon




> On Dec 15, 2016, at 1:45 PM, Bryan Vyhmeister  wrote:
>
> On Thu, Dec 15, 2016 at 07:51:40PM +0100, Hrvoje Popovski wrote:
>> On 15.12.2016. 12:30, Stuart Henderson wrote:
>>> If you want to cut down on weight+noise at the expense of more cost
>>> and a less powerful cpu, maybe APU2 in a 1U case or something like
>>> supermicro SYS-5018A-FTN4.
>>
>> has anyone dmesg from SYS-5018A-FTN4 box? i'm interesting in intel qat
>
> There is no support for Intel QAT (sometimes called Quick Assist) in
> OpenBSD and that's not likely to change anytime soon. Some support is
> supposedly coming to FreeBSD (by way of pfSense and some commerical
> sponsorship or something) but I have not seen anything recently about
> that.
>
> Because Intel QAT is not supported, it is better to use one of the
> Supermicro A1SAi boards (for the slight speed increase) rather than the
> A1SRi-2758F that comes in the SYS-5018A-FTN4. The A1SRi boards do work
> fine though.
>
> I put together my own systems like this which only takes a few minutes
> with Supermicro parts. I use the same case which is the Supermicro
> CSE-505-203B, a few Noctua 40mm fans (which are much quieter and
> probably not necessary), and then one of the A1SAi-2750F, A1SAi-2550F,
> A1SRM-LN7F-2758F, A1SRM-LN7F-2358F, A1SRi-2758F, or A1SRi-2558F. I also
> have a few A1SAM-2550F boards but those are not booting from USB sticks
> for some reason. All of the others above work just fine. All that's left
> is some sort of storage (like a 64GB SanDisk SSD, Supermicro SuperDom,
> or USB stick with resflash) and memory (I use Kingston ECC SO-DIMMs) and
> it works great. I have quite a few of these at tower sites, datacenter
> installations, and as home and business routers. As a bonus, all of the
> above can be powered directly from 12V if you want to wire them up that
> way. I have started doing that at DC sites and to run from batteries.
>
> Where portability is needed, the CSE-505-203B fits great in any of the
> SKB short depth cases like hte SKB R4S or R6S.
>
> Below is a dmesg for the A1SRi-2758F. This particular router is running
> BGP, OSPF, and CARP on the inside as well as DNS and DHCP. It is running
> 5.8 so not the most recent (it is due to be upgraded in the next week)
> but Intel QAT does show up as:
>
> vendor "Intel", unknown product 0x1f18 (class processor subclass
Co-processor, rev 0x02) at pci0 dev 11 function 0 not configured
>
> Bryan
>

Re: mounting tmpfs ???

2016-12-15 Thread Stuart Henderson
On 2016/12/15 11:23, sven falempin wrote:
> 
> 
> On Wed, Dec 14, 2016 at 11:36 AM, Stuart Henderson wrote:
> 
> On 2016/12/14 11:07, sven falempin wrote:
> > On Wed, Dec 14, 2016 at 10:51 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> >
> > > On 2016/12/14 10:44, sven falempin wrote:
> > > > [130]-[~]
> > > > # ktrace mount_tmpfs -s20M tmpfs /foo
> > > > mount_tmpfs: tmpfs on /foo: Operation not supported
> > > > [1]-[~]
> > > > # ls -ld /foo
> > > > drwxr-xr-x  2 root  wheel  512 Dec 14 16:26 /foo
> > >
> > > 
> > > revision 1.229
> > > date: 2016/07/25 19:52:56;  author: deraadt;  state: Exp;  lines: +2 -2;  commitid: SKJd8VyGOLxZLj1g;
> > > disable tmpfs because it receives zero maintainance.
> > > 
> > >
> > >
> > Okay,
> >
> > I am using this daily, what can I do!?
> > besides compiling my own 'unsupported' kernel . . .
> 
> Switch to mfs?
> 
> 
> 
> tmpfs was supposed to replace mfs, afaik
> a memory problem, shall we maintain mfs better
> and dump tmpfs or fix tmpfs which is 'better than mfs' ?

You can do whichever you like, I'm not telling you what to spend
your time on :-)

Though I'm not aware of anything that needs doing to mfs really,
it works as expected.



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Hrvoje Popovski
On 15.12.2016. 20:45, Bryan Vyhmeister wrote:
> There is no support for Intel QAT (sometimes called Quick Assist) in
> OpenBSD and that's not likely to change anytime soon. Some support is
> supposedly coming to FreeBSD (by way of pfSense and some commerical
> sponsorship or something) but I have not seen anything recently about
> that.

tnx for dmesg and info ...



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread OpenBSD lists

Jordon wrote:

> About a year ago I replaced my Soekris net5501 with the following system:
>    Supermicro A1SAi-2550F (4 core Atom with 4 NICs + IPMI)
>    Supermicro SC505-203B (1U case where the back of the mob comes out the front)
>    Kingston KVR16LSE11/4 (4GB SO-DIMM)
>
> I also used a SATA-DOM because I was going for low power, but a USB flash
> drive would work and be a lot cheaper.
> Under normal usage, it pulls about 15 watts.
>
> I have been running pfSense on it with no problems.
> I also have the 8-core version of this board (2750) in my NAS which is running
> FreeNAS.
> I’m pretty sure that at some point while testing these boards, I ran OpenBSD
> on them without any issues.
>
> Those last families of Atoms are a bit underrated in my book.
>
> Jordon



I recently replaced a pair of Soekris 6501's (BIOSes on both went blank) 
with some SuperMicro X11SBA-LN4F-O boards, SATA-DOM-064s, the 
CSE505-203B and 4 GB 1600 MHz DDR3 sticks.


Draws so little power that it looks like the Power Supply is wasting 
more in the AC-DC conversion process than the system itself is using. 
Considering replacing it with a 60w 12v power adapter like some of the 
other systems use.


Memory latency is very low and very consistent since the CPU cores and 
the memory run at the same frequency.


I was considering the A1SAi-2550F, but these were cheaper, lower power, 
had a shorter time to ship, and don't have the Intel Management Engine 
in them.


Only problem is that most of the sensors don't seem to be supported:

# sysctl hw.sensors
hw.sensors.cpu0.temp0=39.00 degC
hw.sensors.acpitz0.temp0=26.80 degC (zone temperature)
#


dmesg / pcidump / dmidecode:


Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Bryan Vyhmeister
On Thu, Dec 15, 2016 at 02:04:04PM -0800, OpenBSD lists wrote:
> I recently replaced a pair of Soekris 6501's (BIOSes on both went blank)
> with some SuperMicro X11SBA-LN4F-O boards, SATA-DOM-064s, the CSE505-203B
> and 4 GB 1600 MHz DDR3 sticks.
> 
> Draws so little power that it looks like the Power Supply is wasting more in
> the AC-DC conversion process than the system itself is using. Considering
> replacing it with a 60w 12v power adapter like some of the other systems
> use.
> 
> Memory latency is very low and very consistent since the CPU cores and the
> memory run at the same frequency.
> 
> I was considering the A1SAi-2550F, but these were cheaper, lower power, had
> a shorter time to ship, and don't have the Intel Management Engine in them.
> 
> Only problem is that most of the sensors don't seem to be supported:
> 
> # sysctl hw.sensors
> hw.sensors.cpu0.temp0=39.00 degC
> hw.sensors.acpitz0.temp0=26.80 degC (zone temperature)

I also have three X11SBA-LN4F and two X11SBA-F boards. They also have
the benefit of using mSATA SSDs which most of the Atom C2X5X boards
(except for A1SRM-LN5F/LN7F) do not. They can also run direct from DC.
One of my projects for the new year is to get these up and running but I
did notice the same with sensors. Prior to shortly before 6.0, xhci(4)
would fail (I forget the message) and the machine was unusable for
OpenBSD. Now that xhci(4) has been fixed, it works fine.

I asked Supermicro about the 12V voltage range and they said 12V +/- 10%
on A1SAi/A1SRi and 12V +/- 5% on the X11SBA. I was originally planning
on hooking these direct to batteries but decided to use a DC-DC power
supply from mini-box.com which allows hooking to 12V or 24V battery
banks without being worried about voltage changes. I put this in the
CSE-505-203B case in place of the original power supply.

One of my goals is to run performance tests between the A1SAi/A1SRi
boards and the X11SBA.

Bryan



Re: mounting tmpfs ???

2016-12-15 Thread sven falempin
On Thu, Dec 15, 2016 at 4:32 PM, Stuart Henderson 
wrote:

> On 2016/12/15 11:23, sven falempin wrote:
> >
> >
> > On Wed, Dec 14, 2016 at 11:36 AM, Stuart Henderson wrote:
> >
> > On 2016/12/14 11:07, sven falempin wrote:
> > > On Wed, Dec 14, 2016 at 10:51 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> > >
> > > > On 2016/12/14 10:44, sven falempin wrote:
> > > > > [130]-[~]
> > > > > # ktrace mount_tmpfs -s20M tmpfs /foo
> > > > > mount_tmpfs: tmpfs on /foo: Operation not supported
> > > > > [1]-[~]
> > > > > # ls -ld /foo
> > > > > drwxr-xr-x  2 root  wheel  512 Dec 14 16:26 /foo
> > > >
> > > > 
> > > > revision 1.229
> > > > date: 2016/07/25 19:52:56;  author: deraadt;  state: Exp;  lines: +2 -2;  commitid: SKJd8VyGOLxZLj1g;
> > > > disable tmpfs because it receives zero maintainance.
> > > > 
> > > >
> > > >
> > > Okay,
> > >
> > > I am using this daily, what can I do!?
> > > besides compiling my own 'unsupported' kernel . . .
> >
> > Switch to mfs?
> >
> >
> >
> > tmpfs was supposed to replace mfs, afaik
> > a memory problem, shall we maintain mfs better
> > and dump tmpfs or fix tmpfs which is 'better than mfs' ?
>
> You can do whichever you like, I'm not telling you what to spend
> your time on :-)
>
> Though I'm not aware of anything that needs doing to mfs really,
> it works as expected.
>
>
I moved from mfs to tmpfs, I'll move back.
I have a vague memory of some memory
not being freed on mfs.


-- 
() ascii ribbon campaign - against html e-mail
/\



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Aaron Mason
A search on fleabay shows that, in Australia, they still fetch >$300,
out of my price range. :(

On Thu, Dec 15, 2016 at 10:30 PM, Stuart Henderson  wrote:
> On 2016-12-15, Aaron Mason  wrote:
>> All
>>
>> I'm looking for a 1U appliance that I can re-purpose into a firewall
>> using OpenBSD.  I've tried the near-free method by using an old Lacie
>> Ethernet Disk appliance I had lying around, but it turns out the
>> onboard SATA chipset is toast on this particular unit (it freezes at
>> CDBOOT when it detects hard drives and the BIOS freezes when I set it
>> to IDE mode with drives attached, plus it only has one onboard NIC and
>> one PCI slot, so I can't install another SATA card without removing
>> the other NIC I installed), so I'm looking for other options that fit
>> a limited budget.
>>
>> The most important criteria are that it must be 1U and it must fit
>> within a 420mm (~16.5") space (for reasons I will explain below).  I
>> have a couple of Sun Netra X1s that meet the need, but I can't push
>> more than ~60mbps over the onboard FE ports and they run quite hot to
>> the point of causing kernel panics.
>>
>> For a bit of context - I manage network and systems for a group that
>> run regular LAN parties at a local university, and our network
>> infrastructure lives in a 4RU flight case (with 420mm between the
>> front and rear vertical rails) currently occupied by three HP
>> switches.  We're currently using a Sun V20Z (admittedly running
>> pfSense, a decision made before I took over) but it's rather
>> cumbersome to carry along with three Dell 1950s (two VM hosts and a
>> Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts).  We
>> don't usually get more than 35 players and we don't do any complex
>> filtering on the firewall.
>>
>> I've been considering looking at old firewall appliances like Nokias,
>> Sonicwalls, Watchguards or Barracudas - has anyone had any luck with
>> getting OpenBSD on any of those or other such appliances?
>>
>> Gigabit ports would be nice (the university finally bought gigabit PoE
>> switches) but will accept Fast Ethernet if my budget says no.
>
> IMHO, you can get a fairly useful decent second-hand machine for a low
> enough price that it's not worth the hassle repurposing or using something
> from before GE was common, they're going to be more hassle to get working,
> and old enough that you may well run into things failing through age.
>
> How about a Dell R210 or an R210 II off ebay? 400mm deep, 2 nics onboard,
> if you need more ports then dual-port PCIe nics are pretty cheap.
> If you want to cut down on weight+noise at the expense of more cost
> and a less powerful cpu, maybe APU2 in a 1U case or something like
> supermicro SYS-5018A-FTN4.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse