Re: Raspberry Pi support in 6.4
On Fri, Jan 18, 2019 at 07:02:11AM +, Michael Joy wrote:
I'd be more than willing to a Pinebook for testing. I wanted one anyway. If I end up buying one, I'll buy one for you too :)
How to control multiple line channels in USB audio
Hey, I have an ESI MAYA44 USB+ (https://www.esi-audio.com/products/maya44usb+/) with 8 channels (2 stereo input + 2 stereo output) and a headphone jack:

uaudio0 at uhub0 port 3 configuration 1 interface 0 "ESI Audiotechnik GmbH MAYA44 USB+" rev 1.00/3.01 addr 2
uaudio0: audio rev 1.00, 8 mixer controls
audio0 at uaudio0
uhidev0 at uhub0 port 3 configuration 1 interface 3 "ESI Audiotechnik GmbH MAYA44 USB+" rev 1.00/3.01 addr 2
uhidev0: iclass 3/0
uhid0 at uhidev0: input=8, output=8, feature=0

I would like to unmute the two stereo input channels to have them play at the same time via one of the output channels. However, I'm struggling a little. It seems that mixerctl has given both line channels the same identifier, so I can only unmute one of them. Also, only one output is listed although this card has two:

inputs.line.mute=on
inputs.line=191,191
inputs.line.mute=on
inputs.line=191,191
outputs.spkr.mute=off
outputs.spkr=255,255
record.line.mute=off
record.line=0,0
record.enable=sysctl

audioctl output:

name=uaudio0
mode=
pause=0
active=0
nblks=2
blksz=960
rate=48000
encoding=s16le
play.channels=2
play.bytes=0
play.errors=0
record.channels=2
record.bytes=0
record.errors=0

Any idea what I'm missing?
Re: Raspberry Pi support in 6.4
On 2019-01-18, Frank Beuth wrote:
> (misc got dropped?)

Yes, your mail was off-list so I replied off-list.

> On Thu, Jan 17, 2019 at 04:28:05PM +, Stuart Henderson wrote:
>> > I'll take a look at that. Why would you prefer the PINE64 over the RBP?
>>
>> Partly due to the improved storage/connectivity options (especially on
>> rockpro64) but largely because there seems a bit more developer interest
>> in them than in the rpi.
>
> Is it binary-blob-free?
>
> The Pinebook looks great, and a quick glance at the archives raises hopes that
> the answer is "yes, the proprietary firmware has been replaced by u-boot":
> https://marc.info/?l=openbsd-tech&m=150417320727503&w=2
> https://marc.info/?l=openbsd-tech&m=150416800125742&w=2
> https://marc.info/?l=openbsd-misc&m=150324117732158&w=2
>
> Still can't tell whether you need a 3.3v serial console adapter to install on
> the Pinebook. (it has a built in display!)
>
>
Re: setup authoritative DNS for myself with nsd + unbound
On 1/18/2019 11:10 AM, Kaya Saman wrote:
> It really depends on what you want/need. If you would like to host your
> own DNS servers, then multi location is a good idea:
>
> Example: Master NS1 in LA and Slave NS2 in Miami.
>
> I have no idea about GoDiddy but my US based domain hosting company lets
> me specify my own NS servers, as their DNS hosting is a little limited for
> what I need.
>
> Just whack Bind9 onto both systems in master/slave setup, and away you go.
> DNS isn't really complicated so you should be up and running in no time. ;-)
>
> Once that's done, a good online tool for checking certain parts of the
> domain is: https://mxtoolbox.com/ but then don't forget your local tools
> such as nslookup and dig!!
>
> Regards,
>
> Kaya
>
> On 1/18/19 6:38 PM, Chris Bennett wrote:
>> I have had problems with setting up DNS for myself and I need it to be
>> authoritative.
>>
>> I have my domains registered with Godaddy and they do not support for
>> domains not hosted on their servers. I have been using their DNS without
>> big problems, except that I'm not getting proper results with regards to
>> email. I've got a pretty bad problem with spam. I now have two servers,
>> each with a different company.
>>
>> Will that then solve the problems with PTR, DKIM and DMARC?
>>
>> I also particularly hate the web GUI that Godaddy uses and its SOA
>> record is much too long timewise.
>>
>> Should I set it up with just one of my servers or both? One is in Los
>> Angeles and the other is in Miami. Do I need to use a different one to
>> cover the other server or can I just use the same one to cover the email
>> stuff like DKIM and DMARC?
>>
>> Since I'm having problems from the ground up, this seems like a good
>> idea to start at.
>>
>> I'm also seeing conflicting advice on whether I should use multiple A
>> records for subdomains, like www. smtp. etc. or CNAME. Plus it's not
>> clear to me whether to use records like _smtp.tcp or not bother with
>> those.
>>
>> I have spent a lot of time reading pages on all of these subjects but I
>> have yet to find a complete example of all DNS records for a site.
>> Would anyone care to share one with me?
>>
>> Thanks,
>> Chris Bennett

GoDaddy allows you to specify your own NS records in DNS.

For a while I was using Hurricane Electric's DNS hosting service (https://dns.he.net/). It supports A, AAAA, CNAME, ALIAS, MX, NS, TXT, CAA, AFSDB, HINFO, RP, LOC, NAPTR, PTR, SSHFP, SPF, and SRV records. They also have 5 dual-stack clusters for DNS hosted on different AS numbers and in different datacenters. They also support Dynamic DNS using curl calls. It's also free. I used to use them before moving all my stuff out of the US and onto equipment I control.
Re: setup authoritative DNS for myself with nsd + unbound
On Fri, Jan 18, 2019 at 10:38:12AM -0800, Chris Bennett wrote:
> I have had problems with setting up DNS for myself and I need it to be
> authoritative.

This means you need at least two servers for this, that will be running nsd (as supplied in base) or another authoritative DNS server. Pick one to be the master unless you want to make both replicants and have a hidden master. It's up to you. Once you have a master picked it is the only place where you do zone changes and reloads. Configure DNS NOTIFY to let the replicants (also called slaves sometimes) know to transfer a certain zone. For transferring, which is done over TCP, you should use TSIG keys, but if you can't, set up an IPSEC tunnel to protect the exchange between the master and replicant.

> I have my domains registered with Godaddy and they do not support for
> domains not hosted on their servers. I have been using their DNS without
> big problems, except that I'm not getting proper results with regards to
> email. I've got a pretty bad problem with spam. I now have two servers,
> each with a different company.

Perfect. Set up the zones first, start nsd and use dig to debug before you tell GoDaddy to use your own authoritative nameservers (this can be done through their web interface).

> Will that then solve the problems with PTR, DKIM and DMARC?

PTR is reverse DNS, usually inside the in-addr.arpa. or ip6.int. hierarchy. The authority over your subnets is your ISP's (who you host with) and they may forward in-addr.arpa requests to your nameservers; usually it's uncommon for them to do this as reverse hardly changes. They usually have a web interface where you can leave your reverse domain hostname for an IP. I don't know anything about DKIM or DMARC as I use only SPF.

> I also particularly hate the web GUI that Godaddy uses and its SOA
> record is much too long timewise.

I'm having some hard time understanding this; usually SOA is used between authoritative nameservers to have some values for refresh, retry, expire. It usually is not relevant for A lookups, for example.

> Should I set it up with just one of my servers or both?

Two servers minimum. You won't be sorry.

> One is in Los Angeles and the other is in Miami.
> Do I need to use a different one to cover the other server or can I just
> use the same one to cover the email stuff like DKIM and DMARC?

Hmm, yes, when one is down the other takes over; redundancy is built in to DNS. The two servers are usually synchronized with AXFRs. Make sure that your AXFR is safe. Use TSIG if you can, IPSEC between the two servers if you have no choice.

> Since I'm having problems from the ground up, this seems like a good
> idea to start at.

DNS is defined in RFC 1034 and 1035 in its most basic form. Perhaps you want to scan through those.

> I'm also seeing conflicting advice on whether I should use multiple A
> records for subdomains, like www. smtp. etc. or CNAME.

I'd start with A records; CNAMEs can get you in trouble (for example using them in the apex of a zone, which is illegal).

> Plus it's not clear to me whether to use records like _smtp.tcp or not
> bother with those.

I'm not sure what you mean here... the form _service._tcp.something. is used in SRV resource records, for services like SIP... I am unaware of it using SRV for mail. There are TLSA RRs that use _25._tcp.hostname.tld. for things such as DANE, but that's pretty hardcore stuff for a newbie. I'd establish a simple setup at first and grow with it.

> I have spent a lot of time reading pages on all of these subjects but I
> have yet to find a complete example of all DNS records for a site.
> Would anyone care to share one with me?

A good list is found on Wikipedia: https://en.wikipedia.org/wiki/List_of_DNS_record_types

You likely need only the basic ones: MX, A, AAAA, NS, SOA, TXT, and maybe PTR. After you have some experience with these plaintext RRs you can go further and add DNSSEC to your setup to have integrity. For this I'd recommend you get a book. Getting a book for this is a good idea anyhow, either way.

> Thanks,
> Chris Bennett

Regards,
-peter
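Peter's advice above boils down to a short list of zone-file rules: exactly one SOA, at least two NS at the apex, no CNAME at the apex, no CNAME sharing a name with other data, and MX/NS targets that are not CNAMEs (RFC 2181 section 10.3). The checker below is an added example, not code from this thread, from nsd or from unbound. It parses a simplified BIND-style master file (one record per line, no $INCLUDE, no records spanning lines) and reports those mistakes before the zone is handed to nsd; the two sample zones are constructed for illustration, with example.org and its hosts as placeholders, and the second one is deliberately broken to show what gets flagged.

```python
"""Pre-flight checks for a DNS zone file.

Added example for the nsd thread; not code from nsd, unbound or the
posters. Handles simplified BIND master-file syntax: one record per
line, optional TTL and class, no $INCLUDE, no multi-line records.
"""
from collections import defaultdict

# Constructed sample zone; example.org and its hosts are placeholders.
GOOD_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@       IN SOA   ns1.example.org. hostmaster.example.org. (2019011801 7200 900 1209600 3600)
@       IN NS    ns1.example.org.
@       IN NS    ns2.example.org.
@       IN MX    10 mail.example.org.
@       IN TXT   "v=spf1 mx -all"
_dmarc  IN TXT   "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org"
ns1     IN A     192.0.2.1
ns2     IN A     198.51.100.1
mail    IN A     192.0.2.25
www     IN CNAME mail.example.org.
"""

# The same zone carrying the mistakes the thread warns about.
BAD_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@       IN SOA   ns1.example.org. hostmaster.example.org. (2019011801 7200 900 1209600 3600)
@       IN NS    ns1.example.org.
@       IN CNAME www.example.org.   ; illegal: CNAME at the apex
@       IN MX    10 smtp.example.org.
ns1     IN A     192.0.2.1
smtp    IN CNAME mail.example.org.  ; MX must not point at a CNAME
mail    IN A     192.0.2.25
www     IN A     192.0.2.80
"""


def strip_comment(line):
    """Drop a ';' comment but keep ';' inside quoted TXT data."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i]
    return line


def qualify(name, origin):
    """Turn an owner or target name into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (apex, {owner: {rtype: [rdata, ...]}}) for the zone text."""
    origin = "."
    records = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = strip_comment(raw).replace("(", " ").replace(")", " ").strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and other directives carry no data
            continue
        fields = line.split()
        owner = qualify(fields.pop(0), origin)
        if fields and fields[0].isdigit():        # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        records[owner][rtype].append(" ".join(fields))
    return origin, records


def check_zone(text):
    """Return a list of problems; an empty list means the zone passed."""
    apex, records = parse_zone(text)
    problems = []
    apex_rrs = records.get(apex, {})
    if len(apex_rrs.get("SOA", [])) != 1:
        problems.append("zone must have exactly one SOA at the apex")
    if len(apex_rrs.get("NS", [])) < 2:
        problems.append("fewer than two NS records at the apex")
    for owner, rrsets in records.items():
        if "CNAME" in rrsets:
            if owner == apex:
                problems.append(f"CNAME at zone apex {owner} is illegal")
            others = sorted(t for t in rrsets if t != "CNAME")
            if others:
                problems.append(f"{owner} has CNAME alongside {', '.join(others)}")
        for rtype in ("MX", "NS"):
            for rdata in rrsets.get(rtype, []):
                target = qualify(rdata.split()[-1], apex)
                if "CNAME" in records.get(target, {}):
                    problems.append(f"{rtype} at {owner} points at CNAME {target}")
    return problems


if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, check_zone(zone) or "ok")
```

Feed your own file to check_zone(open("example.org.zone").read()) before reloading the master; it only covers the rules listed above, so keep running nsd-checkzone(8) as well, and let nsd-control reload on the master be the only place a zone ever changes, as Peter describes.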
Re: setup authoritative DNS for myself with nsd + unbound
It really depends on what you want/need. If you would like to host your own DNS servers, then multi location is a good idea:

Example: Master NS1 in LA and Slave NS2 in Miami.

I have no idea about GoDiddy but my US based domain hosting company lets me specify my own NS servers, as their DNS hosting is a little limited for what I need.

Just whack Bind9 onto both systems in master/slave setup, and away you go. DNS isn't really complicated so you should be up and running in no time. ;-)

Once that's done, a good online tool for checking certain parts of the domain is: https://mxtoolbox.com/ but then don't forget your local tools such as nslookup and dig!!

Regards,

Kaya

On 1/18/19 6:38 PM, Chris Bennett wrote:
> I have had problems with setting up DNS for myself and I need it to be
> authoritative.
>
> I have my domains registered with Godaddy and they do not support for
> domains not hosted on their servers. I have been using their DNS without
> big problems, except that I'm not getting proper results with regards to
> email. I've got a pretty bad problem with spam. I now have two servers,
> each with a different company.
>
> Will that then solve the problems with PTR, DKIM and DMARC?
>
> I also particularly hate the web GUI that Godaddy uses and its SOA
> record is much too long timewise.
>
> Should I set it up with just one of my servers or both? One is in Los
> Angeles and the other is in Miami. Do I need to use a different one to
> cover the other server or can I just use the same one to cover the email
> stuff like DKIM and DMARC?
>
> Since I'm having problems from the ground up, this seems like a good
> idea to start at.
>
> I'm also seeing conflicting advice on whether I should use multiple A
> records for subdomains, like www. smtp. etc. or CNAME. Plus it's not
> clear to me whether to use records like _smtp.tcp or not bother with
> those.
>
> I have spent a lot of time reading pages on all of these subjects but I
> have yet to find a complete example of all DNS records for a site.
> Would anyone care to share one with me?
>
> Thanks,
> Chris Bennett
setup authoritative DNS for myself with nsd + unbound
I have had problems with setting up DNS for myself and I need it to be authoritative.

I have my domains registered with Godaddy and they do not support for domains not hosted on their servers. I have been using their DNS without big problems, except that I'm not getting proper results with regards to email. I've got a pretty bad problem with spam. I now have two servers, each with a different company.

Will that then solve the problems with PTR, DKIM and DMARC?

I also particularly hate the web GUI that Godaddy uses and its SOA record is much too long timewise.

Should I set it up with just one of my servers or both? One is in Los Angeles and the other is in Miami. Do I need to use a different one to cover the other server or can I just use the same one to cover the email stuff like DKIM and DMARC?

Since I'm having problems from the ground up, this seems like a good idea to start at.

I'm also seeing conflicting advice on whether I should use multiple A records for subdomains, like www. smtp. etc. or CNAME. Plus it's not clear to me whether to use records like _smtp.tcp or not bother with those.

I have spent a lot of time reading pages on all of these subjects but I have yet to find a complete example of all DNS records for a site. Would anyone care to share one with me?

Thanks,
Chris Bennett
Re: Slow VPN Performance
To be more precise:

I use net/ifstat for current bw testing. If I push data by netcat over public IPs, it is up to 5MB/s. If I push data by netcat through VPN, it is up to 400KB/s. Endusers in LANs also complain about VPN bw.

> You should use curl + nginx (with tmpfs) or iperf for bw testing.

I do not need to get very exact bw. My "netcat test" shows that data transfer over VPN is ~10 times slower.

> Have you tried your NC on the loopback as a reference ?

$ time nc -N 127.0.0.1 1234 < 50MB.test
0.054u 1.476s 0:10.54 14.4% 0+0k 1281+1io 0pf+0w

> is the HEADER compression activated ?

I do not know. How can I check it out?

> just drop the all sendbug data if you actually want to help.

OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
    rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 536363008 (511MB)
avail mem = 512651264 (488MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
0:20:0: io address conflict 0x6100/0x100
0:20:0: io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:00:24:cd:90:10
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 00:00:24:cd:90:11
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 00:00:24:cd:90:12
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:00:24:cd:90:13
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbc0: unable to establish interrupt for irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 addr 1
ugen0 at uhub1 port 1 "American Power Conversion Smart-UPS C 1500 FW:UPS 10.0 / ID=1005" rev 2.00/1.06 addr 2
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (3f37e17802c01339.a) swap on wd0b dump on wd0b

> You should use curl + nginx (with tmpfs) or iperf for bw testing.
>
> don't drop data, maybe the driver of the ethernet card is crappy ?
>
> just drop the all sendbug data if you actually want to help.
>
> Have you tried your NC on the loopback as a reference ?
> is the HEADER compression activated ?

On Fri, 18 Jan 2019 09:28:45 -0500
sven falempin wrote:

> On Fri, Jan 18, 2019 at 8:58 AM Radek wrote:
>
> > I have configured Site-to-Site ikev2 VPN between two routers (Soekris
> > net5501-70).
> > Over the internet my transfer speed between these machines is up to
> > 5000KB/s (it is OK).
> > Over the VPN it is up to 400KB/s only.
> >
> > Is there any way to squeeze more performance out from these hardware and
> > speed up the VPN?
> >
> > Tested with netcat:
> > $ nc 10.0.15.254 1234 < 49MB.test
> > $ nc -l 1234 > 49MB.test
> >
> >
Re: Slow VPN Performance
On Fri, Jan 18, 2019 at 8:58 AM Radek wrote:

> I have configured Site-to-Site ikev2 VPN between two routers (Soekris
> net5501-70).
> Over the internet my transfer speed between these machines is up to
> 5000KB/s (it is OK).
> Over the VPN it is up to 400KB/s only.
>
> Is there any way to squeeze more performance out from these hardware and
> speed up the VPN?
>
> Tested with netcat:
> $ nc 10.0.15.254 1234 < 49MB.test
> $ nc -l 1234 > 49MB.test
>
> $ cat /etc/iked.conf
> ikev2 quick active esp from $local_gw to $remote_gw \
>         from $local_lan to $remote_lan peer $remote_gw \
>         psk "pass"
>
> $ dmesg | head
> OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
>     rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
> 500 MHz
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> real mem = 536363008 (511MB)
> avail mem = 512651264 (488MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
>
>

You should use curl + nginx (with tmpfs) or iperf for bw testing.

don't drop data, maybe the driver of the ethernet card is crappy ?

just drop the all sendbug data if you actually want to help.

Have you tried your NC on the loopback as a reference ?

is the HEADER compression activated ?

--
Knowing is not enough; we must apply. Willing is not enough; we must do
Re: Slow VPN Performance
I have configured Site-to-Site ikev2 VPN between two routers (Soekris net5501-70).
Over the internet my transfer speed between these machines is up to 5000KB/s (it is OK).
Over the VPN it is up to 400KB/s only.

Is there any way to squeeze more performance out from these hardware and speed up the VPN?

Tested with netcat:
$ nc 10.0.15.254 1234 < 49MB.test
$ nc -l 1234 > 49MB.test

$ cat /etc/iked.conf
ikev2 quick active esp from $local_gw to $remote_gw \
        from $local_lan to $remote_lan peer $remote_gw \
        psk "pass"

$ dmesg | head
OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
    rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 536363008 (511MB)
avail mem = 512651264 (488MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40

On Wed, 24 Oct 2012 10:28:43 +0000 (UTC)
Stuart Henderson wrote:

> On 2012-10-24, Michael Sideris wrote:
> > Also, OpenBSD 5.2 is around the corner and you never know what that might
> > bring.
>
> There's a commit from just after 5.2 which is relevant to some
> packet forwarding setups, which might be of interest..
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_input.c?r1=1.197;f=h#rev1.197
>

--
radek
Re: Blocking "shodan.io" - What are my options?
Sorry, I haven't tried it yet. I'll do it ASAP.

On Tue, 15 Jan 2019 21:05:32 -0600
ed...@pettijohn-web.com wrote:

> On Sun, Jan 13, 2019 at 01:39:13PM -0600, ed...@pettijohn-web.com wrote:
> > On Sun, Jan 13, 2019 at 08:04:32PM +0100, Radek wrote:
> > > Hi,
> > >
> > > I would gladly play with your script. Would you please share it @misc.
> > > Maybe our community could develop it further...
>
> Just curious if anyone has tried it out. I've been running it for about
> 48 hours now and it doesn't appear to be having any issues. Plus my pf
> table is growing.
>
> $ doas pfctl -t badguys -T show | wc -l
> 697
>
> I have it running on about 10 ports. Obviously the majority of the scans
> are on 22, but I was surprised to see so many on 23.
>
> $ egrep "23$" /var/log/messages | wc -l
> 247
>
> Edgar
>
> > > On Sun, 13 Jan 2019 12:43:15 -0600
> > > ed...@pettijohn-web.com wrote:
> > >
> > > > On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > > > > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > > > > suspicion that you'd need something to listen on that port. Is there
> > > > > a way to achieve what we seek, in that case, without userland tools?
> > > > >
> > > > > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson wrote:
> > > > > >
> > > > > > On 2019-01-09, Aaron Mason wrote:
> > > > > > > Hi Jordan
> > > > > > >
> > > > > > > I've set it up to try it, but I'm not having much luck. Even when I
> > > > > > > trigger more than one, it still doesn't populate the bad_hosts table,
> > > > > > > even again when I extend the rate period to 86400 seconds. I've added
> > > > > > > logging so I know the rule is triggering. See below.
> > > > > >
> > > > > > max-src-conn-rate is only triggered when a TCP connection is
> > > > > > established, you need to have something listening (and it will only
> > > > > > trigger on the *second* connection).
> > > > >
> > > > > --
> > > > > Aaron Mason - Programmer, open source addict
> > > > > I've taken my software vows - for beta or for worse
> > > >
> > > > I wrote a little daemon to do what we're looking for. It listens on
> > > > specified ports, accepts the connection and executes a script so you can
> > > > either use something like logger or pfctl, etc to do what you want with
> > > > the address it connected from. If anyone wants to play with it let me
> > > > know and I'll send you the tarball.
> > > >
> > > > Edgar
> > >
> > > --
> > > radek
> >
> > It can be obtained at http://www.pettijohn-web.com/void-1.0.0.tar.gz
> >
> > The manual isn't quite complete. The supplied script could really use
> > some help as well as an rc script. The makefile is also cobbled
> > together. It is pledged and unveiled. I think it can have a few of the
> > pledges removed, but I haven't gotten that far. I think it is unveiled
> > correctly, but this was my first time playing with it.
> >
> > The only requirement is libevent2 to aid in portability, which was the
> > driving force behind executing a script so that it could tie into
> > whatever packet filter is in use. Any constructive suggestions and
> > patches are more than welcome.
> >
> > Enjoy.
> >
> > Edgar

--
radek